What a caller wants to do, sans identity. Actor identity flows
through a separate actor_id: &str parameter on
PolicyEngine::authorize / PolicyChecker::check — encoding
the architectural invariant that actor identity is server-authoritative
and must not be supplied by the same code path that supplies the
requested action. In the HTTP layer, the bearer-token middleware
resolves the actor and passes it independently; clients cannot
smuggle identity inside this struct.

Which kind of policy file the caller is loading. Drives the
load-time validation that catches a “wrong action in wrong file”
mistake — a graph policy with graph_list rules, or a server
policy with read rules, both compile silently as Cedar but
never match any actual request. Typing the loader makes the
mistake a load-time error.

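An added Rust sketch (not code from omnigraph-policy) of the two invariants described above: an Action type with no field for the actor, a typed loader that rejects a rule filed under the wrong policy kind at load time instead of letting it silently never match, and a stand-in for the bearer-token middleware that resolves the actor server-side and passes it on its own parameter. The Rule and LoadError types, the actor-list rule model standing in for Cedar, the action-to-file mapping and the token table are all assumptions made for the example.

```rust
use std::collections::HashMap;

/// What a caller wants to do. Deliberately has no field for who is asking.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Action { GraphList, Read }
/// Which kind of policy file is being loaded.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum PolicyKind { Server, Graph }
/// Which file kind each action's rules belong in (assumed mapping, following the text).
fn home_of(action: Action) -> PolicyKind {
    match action { Action::GraphList => PolicyKind::Server, Action::Read => PolicyKind::Graph }
}
/// Stand-in for a compiled Cedar rule: permit `action` for the listed actors.
#[derive(Debug, Clone)]
pub struct Rule { pub action: Action, pub actors: Vec<&'static str> }
#[derive(Debug, PartialEq, Eq)]
pub enum LoadError { WrongFile { kind: PolicyKind, action: Action } }
#[derive(Debug, PartialEq, Eq)]
pub enum PolicyError { Denied, Internal(String) }
pub struct PolicyEngine { rules: Vec<Rule> }

impl PolicyEngine {
    /// Typed loader: a rule for an action that belongs in the other file kind
    /// is rejected here rather than compiling and never matching at request time.
    pub fn load(kind: PolicyKind, rules: Vec<Rule>) -> Result<Self, LoadError> {
        if let Some(r) = rules.iter().find(|r| home_of(r.action) != kind) {
            return Err(LoadError::WrongFile { kind, action: r.action });
        }
        Ok(Self { rules })
    }

    /// `actor_id` arrives on its own parameter, never inside `Action`.
    pub fn authorize(&self, actor_id: &str, action: Action) -> Result<(), PolicyError> {
        let permitted = self.rules.iter()
            .any(|r| r.action == action && r.actors.iter().any(|a| *a == actor_id));
        if permitted { Ok(()) } else { Err(PolicyError::Denied) }
    }
}

/// Stand-in for the bearer-token middleware: the actor is resolved server-side from a
/// constructed token table and handed to the engine independently of the action.
pub fn handle_request(engine: &PolicyEngine, bearer: &str, action: Action) -> Result<(), PolicyError> {
    let tokens: HashMap<&str, &str> = HashMap::from([("tok-alice", "alice"), ("tok-bob", "bob")]);
    // An unresolvable token means no actor, which is a denial, not a caller-chosen identity.
    let actor_id = tokens.get(bearer).ok_or(PolicyError::Denied)?;
    engine.authorize(actor_id, action)
}
```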
Engine-layer policy enforcement error. Denied is the normal “policy
said no” path; Internal covers evaluation failures (malformed rule,
Cedar internal error, etc.).

Which Cedar entity an action’s policies apply to. Internal to
omnigraph-policy — drives the compile_policy_source template
and the request-time resource UID construction.