Protect REST endpoints with RBAC

Rule: every authenticated route on a MUST carry an access-scope decorator. If you add a route without one, the IDOR/permission bypass is on you.

Decision succeeds if the user has the scope globally OR in the project named in the URL . ignores project relations entirely. Both decorators come from . The middleware lives in ( ) and resolves access via in .

Apply the decorator

Conventions:
- One decorator per route, placed directly under the HTTP-method decorator.
- Use the most specific scope that fits. Reuse for state-changing actions like / / unless the resourc…
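The two decorator behaviours described above (scope held globally OR within the project named in the URL, versus a global-only check that ignores project relations), together with an audit that enforces the "every route carries a decorator" rule, as an added example in plain Python. This is not the project's own code: the names `require_scope`, `require_global_scope`, `Principal`, `Request`, the `ROUTES` table and the scope strings are assumptions standing in for the identifiers the page omits, and the sample principals and routes are constructed.

```python
# Added example, not the project's code. All names below are assumptions:
# the page does not name its decorators, middleware or framework.
from dataclasses import dataclass, field
from functools import wraps
from typing import Optional


@dataclass
class Principal:
    user_id: str
    global_scopes: set = field(default_factory=set)
    # project_id -> set of scopes granted within that project
    project_scopes: dict = field(default_factory=dict)


@dataclass
class Request:
    principal: Optional[Principal]
    path_params: dict = field(default_factory=dict)  # values parsed from the URL


class Unauthenticated(Exception):
    """401: no principal attached to the request."""


class Forbidden(Exception):
    """403: principal lacks the required scope (default deny)."""


def has_scope(principal, scope, project_id=None):
    """True if the scope is held globally, or within the named project."""
    if scope in principal.global_scopes:
        return True
    if project_id is not None:
        return scope in principal.project_scopes.get(project_id, set())
    return False


def require_scope(scope, project_param="project_id"):
    """Project-aware decorator: global scope OR scope in the project from the URL."""
    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            if request.principal is None:
                raise Unauthenticated()
            project_id = request.path_params.get(project_param)
            if not has_scope(request.principal, scope, project_id):
                raise Forbidden(f"{scope} required")
            return view(request, *args, **kwargs)
        wrapper.access_scope = (scope, "project")  # marker read by the audit below
        return wrapper
    return decorator


def require_global_scope(scope):
    """Global-only decorator: project relations are ignored entirely."""
    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            if request.principal is None:
                raise Unauthenticated()
            if not has_scope(request.principal, scope):
                raise Forbidden(f"global {scope} required")
            return view(request, *args, **kwargs)
        wrapper.access_scope = (scope, "global")
        return wrapper
    return decorator


# Tiny route table standing in for the framework's router (constructed).
ROUTES = {}


def route(method, path):
    def register(view):
        ROUTES[(method, path)] = view
        return view
    return register


# Convention: the access-scope decorator sits directly under the HTTP-method decorator.
@route("GET", "/projects/{project_id}/items")
@require_scope("items.read")
def list_items(request):
    return {"project": request.path_params["project_id"], "items": ["a", "b"]}


@route("DELETE", "/admin/users/{user_id}")
@require_global_scope("users.delete")
def delete_user(request):
    return {"deleted": request.path_params["user_id"]}


# Constructed bad example: route registered without a decorator, caught by the audit.
@route("GET", "/projects/{project_id}/secrets")
def unguarded_view(request):
    return {"secrets": "..."}


def unguarded_routes():
    """Rule check: list every registered route lacking an access-scope decorator."""
    return sorted(key for key, view in ROUTES.items()
                  if not hasattr(view, "access_scope"))
```

The audit in `unguarded_routes()` is the check worth wiring into CI or a startup assertion: a route that reaches the table without the marker attribute is exactly the missing-decorator case the rule warns about, and failing early is cheaper than finding it as a permission bypass later.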