Authorization

OpenFGA roles: owner, admin, member.

Authorization uses OpenFGA with a versioned model in authz/openfga/. Organization relations inherit: owner implies admin implies member for checks.

RelationTypical use
ownerTransfer ownership, full org control
adminMembers, billing, invites, purchases
memberTrials, chat, token consumption

Agent-level tuples exist for future fine-grained ACLs. Phase 0 derives agent access from organization membership.