# Permission Enforcement Map

## Enforcement Points

- `identity.token.issue` evaluated at token issuance handler.
- Session refresh guarded by edge session validation policy.

## Guardrail

- Permission checks happen at BFF entrypoints before downstream calls.
- Authorization decisions are explicit and traceable at edge boundaries.