Roles & permissions
Grant codenames to roles or users and check them.
Permissions are {table}.{action} codenames seeded per model. Assign them to roles (or directly to users) and check with has_perm. Superusers bypass all checks; explicit per-user denials win over role grants.
if has_perm(user_id, "article.change", &pool).await? {
    // allow edit
}
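The precedence described above (superuser first, then per-user overrides, then role grants), modelled in memory as an added example; this is not the project's own code. The `User` and `Policy` types, the `grant` and `demo` helpers, storing overrides as one allow/deny flag per codename, and denying when nothing matches are all assumptions made for illustration.

```rust
use std::collections::{HashMap, HashSet};

// Hypothetical in-memory model; the real has_perm is async and takes a pool.
#[derive(Default)]
struct User {
    is_superuser: bool,
    roles: Vec<String>,
    // Per-user overrides: true = direct grant, false = explicit denial.
    overrides: HashMap<String, bool>,
}

#[derive(Default)]
struct Policy {
    role_perms: HashMap<String, HashSet<String>>,
}

impl Policy {
    fn grant(&mut self, role: &str, codename: &str) {
        self.role_perms.entry(role.to_string()).or_default().insert(codename.to_string());
    }

    // Order: 1. superuser bypass, 2. per-user override, 3. role grants,
    // 4. deny when nothing matched (assumed default).
    fn has_perm(&self, user: &User, codename: &str) -> bool {
        if user.is_superuser {
            return true;
        }
        if let Some(&allowed) = user.overrides.get(codename) {
            return allowed;
        }
        user.roles.iter().any(|r| self.role_perms.get(r).map_or(false, |p| p.contains(codename)))
    }
}

// Constructed sample users: a plain Editor, an Editor with an explicit denial,
// a superuser carrying the same denial, and a Viewer with no grant.
fn demo() -> [bool; 4] {
    let mut policy = Policy::default();
    policy.grant("Editor", "article.change");
    let editor = User { roles: vec!["Editor".into()], ..Default::default() };
    let mut denied = User { roles: vec!["Editor".into()], ..Default::default() };
    denied.overrides.insert("article.change".into(), false);
    let mut root = User { is_superuser: true, ..Default::default() };
    root.overrides.insert("article.change".into(), false);
    let viewer = User { roles: vec!["Viewer".into()], ..Default::default() };
    [editor, denied, root, viewer].map(|u| policy.has_perm(&u, "article.change"))
}

fn main() { println!("{:?}", demo()); }
```

The third case is the one to review in an access audit: a denial row on a superuser account has no effect, so removing access from such a user means clearing the superuser flag.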
Seed defaults
ensure_seeded creates Viewer / Editor / Administrator roles per tenant so the permission matrix is usable immediately.