Pure deny-overrides resolver with user > role > department specificity.
The function is intentionally synchronous and free of I/O so it can be
reused by the in-process default hook, the template’s webhook handler,
and unit tests without setup. Callers fetch AccessRules plus the
default_included sentinel from
super::repository::AccessControlRepository and pass them in.
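
The sketch below is an added example, not the crate's own code: it shows one way a pure deny-overrides resolver with user > role > department specificity can be written. Scope, Effect, Rule, Principal, rule and resolve are hypothetical names, and the semantics are an assumption (the most specific scope with a matching rule decides, a deny at that scope wins, and default_included applies when nothing matches).

```rust
// Added illustration: every type and name here is hypothetical, not the crate's API.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Scope { Department, Role, User } // declaration order = rising specificity

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Effect { Allow, Deny }

#[derive(Clone, Debug)]
pub struct Rule { pub scope: Scope, pub subject: String, pub effect: Effect }

pub struct Principal<'a> { pub user: &'a str, pub roles: &'a [&'a str], pub department: &'a str }

pub fn rule(scope: Scope, subject: &str, effect: Effect) -> Rule {
    Rule { scope, subject: subject.to_string(), effect }
}

// True when the rule's subject names this principal at the rule's scope.
fn applies(rule: &Rule, p: &Principal) -> bool {
    match rule.scope {
        Scope::User => rule.subject == p.user,
        Scope::Role => p.roles.iter().any(|r| *r == rule.subject),
        Scope::Department => rule.subject == p.department,
    }
}

/// Pure and synchronous: the caller has already fetched `rules` and `default_included`.
/// Assumed semantics: the most specific scope with a matching rule decides, a Deny
/// at that scope beats any Allow there, and with no match the default applies.
pub fn resolve(rules: &[Rule], p: &Principal, default_included: bool) -> bool {
    let matching: Vec<&Rule> = rules.iter().filter(|r| applies(r, p)).collect();
    match matching.iter().map(|r| r.scope).max() {
        None => default_included,
        Some(top) => !matching.iter().any(|r| r.scope == top && r.effect == Effect::Deny),
    }
}

fn main() {
    // Constructed sample data.
    let rules = vec![
        rule(Scope::Department, "finance", Effect::Deny),
        rule(Scope::Role, "auditor", Effect::Allow),
        rule(Scope::Role, "contractor", Effect::Deny),
    ];
    let roles = ["auditor", "contractor"];
    let alice = Principal { user: "alice", roles: &roles, department: "finance" };
    println!("alice included: {}", resolve(&rules, &alice, true));
}
```

Because the function takes plain values and returns a bool, the same call works from a hook, a webhook handler, or a unit test without a repository or runtime.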