Extract a { scopes } principal from a Better Auth session. Null/undefined session ⇒ anonymous (no scopes).
Beyond the user/apiKey scopes, it encodes MFA + org state AS scopes (Phase 1): a 2FA-cleared session gains
mfa:verified, and each org membership contributes org:<id>:<scope> (explicit + role-mapped) — so a route
gates 2FA/tenancy through the same scope check enforceAccess already does, no richer Principal type required.
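The following is an added example, not the project's own code, that shows the scope encoding described above end to end: user and API-key scopes are copied through, a 2FA-cleared session gains `mfa:verified`, and each org membership expands into `org:<id>:<scope>` entries from both explicit grants and a role mapping. The session shape (`user.scopes`, `user.orgMemberships`, `session.twoFactorVerified`, `apiKey.scopes`) and the `ROLE_SCOPES` table are assumptions for illustration, not Better Auth's real types; `enforceAccess` is reimplemented here as the plain "every required scope is present" check the text refers to.

```typescript
// Added example (not the project's code). Session field names and the
// role -> scope table below are assumptions, not Better Auth's real API.

type OrgMembership = {
  orgId: string;
  role: string;       // e.g. "owner" | "admin" | "member" (assumed)
  scopes?: string[];  // explicit per-member grants (assumed)
};

type SessionLike =
  | {
      user: { id: string; scopes?: string[]; orgMemberships?: OrgMembership[] };
      session: { twoFactorVerified?: boolean };
      apiKey?: { scopes?: string[] };
    }
  | null
  | undefined;

// The principal stays a bare { scopes } bag: MFA and tenancy are just more scopes.
type Principal = { scopes: Set<string> };

// Hypothetical role -> org-scope mapping ("role-mapped" grants).
const ROLE_SCOPES: Record<string, string[]> = {
  owner: ["read", "write", "admin"],
  admin: ["read", "write"],
  member: ["read"],
};

function principalFromSession(s: SessionLike): Principal {
  const scopes = new Set<string>();
  if (!s) return { scopes }; // null/undefined session => anonymous, no scopes

  // 1. Plain user and API-key scopes pass through unchanged.
  for (const sc of s.user.scopes ?? []) scopes.add(sc);
  for (const sc of s.apiKey?.scopes ?? []) scopes.add(sc);

  // 2. MFA state as a scope: only an explicitly 2FA-cleared session earns it.
  if (s.session.twoFactorVerified === true) scopes.add("mfa:verified");

  // 3. Org membership as scopes: org:<id>:<scope>, from explicit grants
  //    plus whatever the member's role maps to. Unknown roles map to nothing.
  for (const m of s.user.orgMemberships ?? []) {
    const granted = (m.scopes ?? []).concat(ROLE_SCOPES[m.role] ?? []);
    for (const sc of granted) scopes.add(`org:${m.orgId}:${sc}`);
  }
  return { scopes };
}

// The single check a route runs: every required scope must be held.
// Because 2FA and tenancy are scopes, ["mfa:verified", "org:acme:write"]
// gates both in one call with no special-casing.
function enforceAccess(p: Principal, required: string[]): boolean {
  return required.every((r) => p.scopes.has(r));
}
```

A route that needs a 2FA-cleared member of org `acme` with write rights calls `enforceAccess(principal, ["mfa:verified", "org:acme:write"])`; the same function, unchanged, also answers ordinary scope questions such as `["profile:read"]`.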