Decide whether a caller may run an op (per the rule), whether to scope the query to their own rows, and the honest
deny status. FAIL-CLOSED: an owner op with no principal is 401 (the wire must enforce what x-suluk-access
claims — a null-scoped empty 200 would let the facet lie); admin with no principal is 401, signed-in-non-admin is
403; none hard-denies 403. A signed-in owner is scoped to their rows; an admin sees all.
Decide whether a caller may run an op (per the rule), whether to scope the query to their own rows, and the honest deny status. FAIL-CLOSED: an
ownerop with no principal is 401 (the wire must enforce whatx-suluk-accessclaims — a null-scoped empty 200 would let the facet lie);adminwith no principal is 401, signed-in-non-admin is 403;nonehard-denies 403. A signed-in owner is scoped to their rows; an admin sees all.