# Security Model

- SAT JWTs enforce issuer/audience/scope checks.
- RST tokens are opaque, hashed server-side, and revocable.
- Artifact links are short-lived signed GET URLs.
- Tenant isolation and RBAC are enforced server-side.
- Usage and audit tables are append-only.
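
The RST bullet above, as an added sketch that is not this project's code: the server hands out a random opaque token, stores only its digest, and revokes by flipping a flag on that row. The class name, the use of SHA-256, and the in-memory dict standing in for the token table are all assumptions.

```python
import hashlib
import secrets
from typing import Optional


class OpaqueTokenStore:
    """Hypothetical server-side token table; a dict stands in for the database."""

    def __init__(self) -> None:
        # Maps token digest -> row. The plaintext token is never stored,
        # so a leak of this table does not yield usable tokens.
        self._rows = {}

    @staticmethod
    def _digest(token: str) -> str:
        # The token is 256 bits of randomness, so a fast hash is enough;
        # a slow password KDF is only needed for low-entropy secrets.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, subject: str) -> str:
        # Opaque: the value carries no claims, only randomness.
        token = secrets.token_urlsafe(32)
        self._rows[self._digest(token)] = {"subject": subject, "revoked": False}
        return token  # returned to the client once, never retrievable later

    def verify(self, token: str) -> Optional[str]:
        # Look up by digest; unknown and revoked tokens are treated alike.
        row = self._rows.get(self._digest(token))
        if row is None or row["revoked"]:
            return None
        return row["subject"]

    def revoke(self, token: str) -> bool:
        # Revocation takes effect on the next verify() because every
        # check goes through the server-side row.
        row = self._rows.get(self._digest(token))
        if row is None:
            return False
        row["revoked"] = True
        return True


if __name__ == "__main__":
    store = OpaqueTokenStore()
    tok = store.issue("user-1")  # constructed sample subject
    print(store.verify(tok))
    store.revoke(tok)
    print(store.verify(tok))
```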