Authorization
OpenFGA roles: owner, admin, member.
Authorization uses OpenFGA with a versioned model in authz/openfga/. Organization relations inherit: owner implies admin implies member for checks.
| Relation | Typical use |
|---|---|
| owner | Transfer ownership, full org control |
| admin | Members, billing, invites, purchases |
| member | Trials, chat, token consumption |
Agent-level tuples exist for future fine-grained ACLs. Phase 0 derives agent access from organization membership.
