Authorization
Trust boundaries between clients, APIs, agents, and project resources.
Conversation flows cross user, service, and project boundaries.
User-scoped calls use bearer auth. Project-scoped operations also check membership, role, and resource access.