# Policy Behavior Invariants

## Invariants

- Equivalent policy inputs produce equivalent policy decisions.
- Token decision fallback behavior remains stable until explicitly revised.
- Provider semantics are explicit:
  - `InternalJwt`: standard identity permission evaluation.
  - `AzureAd` and `Google`: policy permission must remain within `identity.*` scope.
- Service transport contracts remain stable during domain extraction.

## Validation Approach

- Capture pre/post decision examples for policy and token flows.
- Validate delegation path: service orchestrates, domain decides.
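
One way to replay captured decision examples against the provider-scope and equivalence invariants, as an added example that is not the project's own code. The `decide` function, the `Decision` tuple, the reason strings, the sample permissions and the treatment of `InternalJwt` evaluation as a plain grant lookup are all assumptions; only the provider names and the `identity.*` scope come from this page.

```python
from typing import Iterable, NamedTuple

# Providers named on the page; all other names here are hypothetical.
EXTERNAL_PROVIDERS = {"AzureAd", "Google"}
KNOWN_PROVIDERS = EXTERNAL_PROVIDERS | {"InternalJwt"}
IDENTITY_SCOPE = "identity."


class Decision(NamedTuple):
    allowed: bool
    reason: str


def decide(provider: str, permission: str, granted: Iterable[str]) -> Decision:
    """Hypothetical stand-in for the domain decision function."""
    if provider not in KNOWN_PROVIDERS:
        return Decision(False, "unknown_provider")  # fail closed
    perm = permission.strip()
    # AzureAd / Google: the policy permission must stay inside identity.*
    if provider in EXTERNAL_PROVIDERS and not perm.startswith(IDENTITY_SCOPE):
        return Decision(False, "outside_identity_scope")
    # Normalize grants so ordering and duplicates cannot change the outcome.
    grants = frozenset(g.strip() for g in granted)
    if perm in grants:
        return Decision(True, "granted")
    return Decision(False, "not_granted")


def check_captured(cases, decide_fn=decide):
    """Replay captured (input, expected) pairs and return every mismatch."""
    mismatches = []
    for (provider, permission, granted), expected in cases:
        actual = decide_fn(provider, permission, granted)
        if actual != expected:
            mismatches.append(((provider, permission, granted), expected, actual))
    return mismatches


# Constructed sample captures (not taken from the project).
CAPTURED = [
    (("InternalJwt", "billing.read", ["billing.read"]), Decision(True, "granted")),
    (("AzureAd", "identity.read", ["identity.read"]), Decision(True, "granted")),
    (("Google", "billing.read", ["billing.read"]), Decision(False, "outside_identity_scope")),
    (("Google", "identity.read", []), Decision(False, "not_granted")),
]

if __name__ == "__main__":
    print(check_captured(CAPTURED))
```

Running the same captured cases before and after the domain extraction, with `decide_fn` pointed at each implementation, surfaces any decision that changed.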