# Permission Enforcement Map

## Enforcement Points

- `identity.token.issue` evaluated via thalos-service policy contract before token issuance.
- Session refresh guarded by edge session validation policy.

## Guardrail

- Permission checks happen at BFF entrypoints using thalos-service policy responses.
- Authorization decisions are explicit and traceable at edge boundaries.