Child of #2962, sequenced AFTER the auth generator (policies need a currentUser to authorize). Framework-core: wheels.Policy base + authorize()/can()/policyScope() controller+view mixins. Cross-engine constraint: mixin helpers must be public with $-prefixed internals (Invariant 7). Key design call: default-deny vs default-allow when no policy exists — Pundit denies, Laravel's before() foot-gun allows; recommendation on the parent: default-deny.
Child of #2962, sequenced AFTER the auth generator (policies need a currentUser to authorize). Framework-core: wheels.Policy base + authorize()/can()/policyScope() controller+view mixins. Cross-engine constraint: mixin helpers must be public with $-prefixed internals (Invariant 7). Key design call: default-deny vs default-allow when no policy exists — Pundit denies, Laravel's before() foot-gun allows; recommendation on the parent: default-deny.