# Permission Enforcement Map

## Enforcement Points

- `identity.token.issue` is evaluated via the thalos-service policy contract before token issuance.
- Session refresh is guarded by the edge session validation policy.

## Guardrail

- Permission checks happen at BFF entrypoints using thalos-service policy responses.
- Authorization decisions are explicit and traceable at edge boundaries.
- The auth failure payload shape is standardized as `{ code, message, correlationId }`.
- HTTP semantics:
  - `401`: no valid session, or failed session issuance/refresh.
  - `403`: authenticated but denied by the permission policy.
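The following is an added example, not code from this project or from thalos-service, showing how a BFF entrypoint can apply the guardrail above: validate the session at the edge, ask a policy evaluator for an explicit allow/deny decision, map the outcome to `401` versus `403`, and emit failures in the standardized `{ code, message, correlationId }` shape. The in-memory `POLICY_TABLE`, the `evaluatePolicy` and `validateSession` helpers, the error codes and the audit log are all constructed stand-ins; the real policy contract, session format and code values are whatever thalos-service and the edge define.

```javascript
// Constructed stand-in for the thalos-service policy contract: a role -> permission
// table that only reproduces the allow/deny shape of a policy response.
const POLICY_TABLE = {
  admin: new Set(["identity.token.issue", "identity.session.refresh"]),
  user: new Set(["identity.session.refresh"]),
};

// Audit trail so every decision at the edge boundary is traceable (constructed).
const AUDIT_LOG = [];

let correlationSeq = 0;
// Constructed correlation id generator; a real BFF would propagate the inbound
// request id or use a UUID.
function newCorrelationId() {
  correlationSeq += 1;
  return `corr-${correlationSeq.toString(36)}`;
}

// Edge session validation: a session is valid only if it exists, has not
// expired, and is bound to a principal with a role. Returns the principal or null.
function validateSession(session, now = Date.now()) {
  if (!session || typeof session !== "object") return null;
  if (typeof session.expiresAt !== "number" || session.expiresAt <= now) return null;
  if (!session.principal || typeof session.principal.role !== "string") return null;
  return session.principal;
}

// Explicit policy decision with a reason, so denials can be explained in the audit log.
function evaluatePolicy(principal, permission) {
  const grants = POLICY_TABLE[principal.role];
  if (!grants) return { allow: false, reason: "unknown-role" };
  return grants.has(permission)
    ? { allow: true, reason: "granted" }
    : { allow: false, reason: "not-granted" };
}

// Standardized failure payload: exactly { code, message, correlationId }.
function failure(status, code, message, correlationId) {
  return { status, body: { code, message, correlationId } };
}

// Enforcement at the BFF entrypoint. 401 = no valid session; 403 = authenticated
// but denied by policy. The correlationId is echoed back so a client-visible
// failure can be matched to the audit entry.
function enforce(request, permission, now = Date.now()) {
  const correlationId = request.correlationId || newCorrelationId();
  const principal = validateSession(request.session, now);

  if (!principal) {
    AUDIT_LOG.push({ correlationId, permission, outcome: "unauthenticated" });
    return failure(401, "SESSION_INVALID", "no valid session", correlationId);
  }

  const decision = evaluatePolicy(principal, permission);
  AUDIT_LOG.push({
    correlationId,
    permission,
    principalId: principal.id,
    role: principal.role,
    outcome: decision.allow ? "allowed" : "denied",
    reason: decision.reason,
  });

  if (!decision.allow) {
    return failure(
      403,
      "PERMISSION_DENIED",
      `denied ${permission}: ${decision.reason}`,
      correlationId
    );
  }
  return { status: 200, principal, permission, correlationId, decision };
}
```

In a real BFF the `enforce` call sits in the route handler for each entrypoint, with the handler translating the returned `status` and `body` directly into the HTTP response; the important property is that `401` and `403` are decided in one place, from one policy answer, rather than scattered across handlers.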