Deny overrides allow

Use deny rules when one exception should override a broader grant.

import { policy } from "@layeron/modules"

const appPolicy = policy({
  name: "app",
  rules: [
    // Broad grant: the support role may read any ticket.
    {
      id: "allow-support-read",
      effect: "allow",
      subjects: ["role:support"],
      actions: ["ticket.read"],
      resources: ["ticket:*"],
    },
    // Exception: the same role may not read tickets matching sensitive-*.
    {
      id: "deny-sensitive-tickets",
      effect: "deny",
      subjects: ["role:support"],
      actions: ["ticket.read"],
      resources: ["ticket:sensitive-*"],
    },
  ],
})

// This request matches both rules above.
const decision = await appPolicy.evaluate({
  subject: {
    kind: "user",
    id: "user_1",
    roles: ["support"],
  },
  action: "ticket.read",
  resource: {
    type: "ticket",
    id: "sensitive-123",
  },
})

When both rules match, the deny rule wins.
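
The deny-overrides rule above can be shown with a small stand-alone evaluator. This is an added example, not the `@layeron/modules` implementation: `globMatch`, `matchesAny`, `evaluate` and `readTicket` are hypothetical helpers. It assumes `*` matches any run of characters, that roles and resources are compared as `role:<name>` and `<type>:<id>`, and that a request matching no rule is denied.

```javascript
// Added illustration, not the @layeron/modules implementation.
// Assumption: "*" in a pattern matches any run of characters.
function globMatch(pattern, value) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  return new RegExp(`^${escaped}$`).test(value);
}

const matchesAny = (patterns, values) =>
  patterns.some((p) => values.some((v) => globMatch(p, v)));

// Deny-overrides: collect every matching rule, then let any deny win.
function evaluate(rules, request) {
  // Assumption: roles map to "role:<name>", resources to "<type>:<id>".
  const subjects = request.subject.roles.map((r) => `role:${r}`);
  const resource = `${request.resource.type}:${request.resource.id}`;
  const matched = rules.filter(
    (rule) =>
      matchesAny(rule.subjects, subjects) &&
      matchesAny(rule.actions, [request.action]) &&
      matchesAny(rule.resources, [resource])
  );
  const winner =
    matched.find((rule) => rule.effect === "deny") ||
    matched.find((rule) => rule.effect === "allow");
  // Assumption: a request that matches no rule is denied.
  return winner
    ? { effect: winner.effect, ruleId: winner.id }
    : { effect: "deny", ruleId: null };
}

// The two rules from the page.
const rules = [
  { id: "allow-support-read", effect: "allow", subjects: ["role:support"],
    actions: ["ticket.read"], resources: ["ticket:*"] },
  { id: "deny-sensitive-tickets", effect: "deny", subjects: ["role:support"],
    actions: ["ticket.read"], resources: ["ticket:sensitive-*"] },
];

// Constructed requests: only the ticket id and roles vary.
const readTicket = (id, roles = ["support"]) => ({
  subject: { kind: "user", id: "user_1", roles },
  action: "ticket.read",
  resource: { type: "ticket", id },
});

console.log(evaluate(rules, readTicket("sensitive-123")));
console.log(evaluate(rules, readTicket("1042")));
console.log(evaluate([...rules].reverse(), readTicket("sensitive-123")));
```

Because the decision is taken over the whole set of matching rules, reversing the rule order does not change the outcome, which is the property to check for when reviewing any policy engine that claims deny-overrides semantics.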