- authorization - "what are you allowed to do?" - role checks (require_admin today) - room for growth: require_role, require_permission, per-resource checks (owner-of), B2B approval workflows, per-app permissions for marketplace apps
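
An added sketch, not the project's own code, of how the single `require_admin` check named above could become one instance of `require_role`, with `require_permission` and an owner-of check built on the same deny-by-default guard. Only the names `require_admin`, `require_role` and `require_permission` come from the note; `User`, `Forbidden`, `ROLE_PERMISSIONS`, `require_owner` and the demo handlers are assumptions.

```python
from dataclasses import dataclass
from functools import wraps
class Forbidden(Exception):
    """Raised when a caller lacks the rights an action needs."""

@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset = frozenset()

# Constructed role -> permission map (all names in this example are hypothetical).
ROLE_PERMISSIONS = {
    "admin": {"orders:read", "orders:refund"},
    "support": {"orders:read"},
}

def _guard(check, reason):
    """Build a decorator that runs check(user, *args) and denies by default."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user, *args, **kwargs):
            if user is None or not check(user, *args, **kwargs):
                raise Forbidden(reason)
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator

def require_role(role):
    return _guard(lambda u, *a, **k: role in u.roles, f"role {role!r} required")
require_admin = require_role("admin")  # today's check becomes a special case

def require_permission(perm):
    def has_perm(u, *a, **k):
        return any(perm in ROLE_PERMISSIONS.get(r, ()) for r in u.roles)
    return _guard(has_perm, f"permission {perm!r} required")

def require_owner(get_owner_id):
    """Per-resource check: the first argument after user is the resource."""
    return _guard(lambda u, res, *a, **k: get_owner_id(res) == u.id, "not the owner")

@require_admin
def delete_user(user, target_id):
    return f"deleted {target_id}"
@require_permission("orders:refund")
def refund_order(user, order):
    return f"refunded {order['id']}"
@require_owner(lambda order: order["owner_id"])
def view_order(user, order):
    return order["id"]
```

Here the owner-of check is independent of roles, so an admin who does not own the order is refused by `view_order`; whether roles should override ownership is a policy decision the note leaves open.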