Owner only

Use owner checks when a resource belongs to one user.

import { policy } from "@layeron/modules"

// One allow rule: invoice.read on invoice resources, gated by the owner condition.
const appPolicy = policy({
  name: "app",
  rules: [{
    id: "owner-can-read",
    effect: "allow",
    actions: ["invoice.read"],
    resources: ["invoice:*"],
    conditions: {
      owner: "subject",
    },
  }],
})

// In this request the subject id and the resource's ownerId are both "user_1".
const decision = await appPolicy.evaluate({
  subject: {
    kind: "user",
    id: "user_1",
  },
  action: "invoice.read",
  resource: {
    type: "invoice",
    id: "inv_123",
    ownerId: "user_1",
  },
})

This pattern fits personal files, invoices, private notes, and user-owned objects.
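
The sketch below is an added example, not code from `@layeron/modules`: a stand-alone owner check that mirrors the rule shape above and covers the non-owner and missing-owner cases. The `invoice:*` prefix matching, the reason strings, the `invoices` map and `readInvoice` are assumptions made for illustration.

```typescript
// Added illustration, not the @layeron/modules implementation.
type Subject = { kind: string; id: string }
type Resource = { type: string; id: string; ownerId?: string }
type OwnerRule = { id: string; effect: "allow"; actions: string[]; resources: string[]; conditions?: { owner?: "subject" } }
type Decision = { allowed: boolean; reason: string }

const rules: OwnerRule[] = [{
  id: "owner-can-read", effect: "allow",
  actions: ["invoice.read"], resources: ["invoice:*"],
  conditions: { owner: "subject" },
}]

// Assumed pattern semantics: "invoice:*" matches any id of type "invoice".
function matchesResource(pattern: string, r: Resource): boolean {
  const key = `${r.type}:${r.id}`
  return pattern.endsWith("*") ? key.startsWith(pattern.slice(0, -1)) : key === pattern
}

// Default deny: the request is allowed only when some rule matches in full.
function evaluate(ruleSet: OwnerRule[], subject: Subject, action: string, resource: Resource): Decision {
  let reason = "no-matching-rule"
  for (const rule of ruleSet) {
    if (!rule.actions.includes(action)) continue
    if (!rule.resources.some((p) => matchesResource(p, resource))) continue
    if (rule.conditions?.owner === "subject") {
      // Fail closed: a record without an owner never satisfies the condition.
      if (!resource.ownerId) { reason = "missing-owner"; continue }
      if (resource.ownerId !== subject.id) { reason = "not-owner"; continue }
    }
    return { allowed: true, reason: rule.id }
  }
  return { allowed: false, reason }
}

// Constructed records standing in for the server-side store. ownerId is read
// from the stored record, never from parameters the caller controls.
const invoices = new Map<string, Resource>([
  ["inv_123", { type: "invoice", id: "inv_123", ownerId: "user_1" }],
  ["inv_999", { type: "invoice", id: "inv_999" }], // constructed row with no owner
])

function readInvoice(subject: Subject, invoiceId: string): Decision {
  const record = invoices.get(invoiceId)
  if (!record) return { allowed: false, reason: "not-found" }
  return evaluate(rules, subject, "invoice.read", record)
}
```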