STRATT’s auth layer (TASKSET 21) enforces RBAC permissions as warnings, not errors. When stratt publish detects that the user lacks the author role, it warns but proceeds. When stratt gate approve detects a missing reviewer role, it warns but still records the approval.

Key learning: ship permissions as advisory first and enforce later. This gives teams time to set up auth (stratt auth login) without breaking existing workflows. The enforcement switch is trivial — change out.warn(authError) to process.exit(EXIT.VALIDATION_FAIL) — but the migration path matters more than the code. Users who already have tokens see no change; users who don’t have tokens get a warning they can act on.

Applicable pattern: for any access control system in a CLI tool, the progression should be:
(1) ship the auth infrastructure silently,
(2) add advisory warnings,
(3) add opt-in enforcement (--require-auth flag),
(4) default to enforcing with an opt-out (--skip-auth).
Each stage is a single commit.
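The four-stage progression above as a single policy function, written here as an added example rather than STRATT’s own code. It assumes a Node.js CLI; the names STAGE, authorize, hasRole, runCommand and the numeric value of EXIT.VALIDATION_FAIL are hypothetical. The policy is kept separate from process.exit so each stage’s behaviour can be checked directly, an unknown stage fails closed, and a --skip-auth bypass is flagged in the decision so it can be logged rather than passing silently.

```javascript
// Added example: staged rollout of RBAC enforcement in a CLI.
// EXIT.VALIDATION_FAIL's value is assumed; STAGE/authorize/runCommand are hypothetical names.
const EXIT = { OK: 0, VALIDATION_FAIL: 2 };

// Rollout stages, one per commit in the progression described above.
const STAGE = {
  SILENT: 'silent',       // (1) infrastructure present, no user-visible effect
  ADVISORY: 'advisory',   // (2) warn on a missing role, then proceed
  OPT_IN: 'opt-in',       // (3) enforce only when --require-auth is given
  ENFORCING: 'enforcing', // (4) enforce unless --skip-auth is given
};

function hasRole(user, role) {
  return Boolean(user && Array.isArray(user.roles) && user.roles.includes(role));
}

// Returns a decision instead of exiting, so the command can still render its
// own output and the policy is testable. `bypassed` marks an explicit opt-out.
function authorize({ user, requiredRole, stage, flags = {} }) {
  if (hasRole(user, requiredRole)) {
    return { proceed: true, warning: null, exitCode: EXIT.OK, bypassed: false };
  }
  const authError = `missing required role: ${requiredRole}`;
  const allow = (warning, bypassed = false) => ({ proceed: true, warning, exitCode: EXIT.OK, bypassed });
  const deny = (warning) => ({ proceed: false, warning, exitCode: EXIT.VALIDATION_FAIL, bypassed: false });

  switch (stage) {
    case STAGE.SILENT:
      return allow(null);
    case STAGE.ADVISORY:
      return allow(authError);
    case STAGE.OPT_IN:
      return flags.requireAuth ? deny(authError) : allow(authError);
    case STAGE.ENFORCING:
      return flags.skipAuth ? allow(authError, true) : deny(authError);
    default:
      // Misconfigured stage: fail closed rather than quietly allowing.
      return deny(`unknown enforcement stage: ${String(stage)}`);
  }
}

// Command wrapper: warnings go to stderr; the action runs only when allowed,
// and a --skip-auth bypass is recorded explicitly for later audit.
function runCommand(name, ctx, action) {
  const decision = authorize(ctx);
  if (decision.warning) console.error(`warning: ${name}: ${decision.warning}`);
  if (decision.bypassed) console.error(`audit: ${name}: auth check bypassed via --skip-auth`);
  if (!decision.proceed) {
    process.exitCode = decision.exitCode;
    return decision;
  }
  action();
  return decision;
}

// Example usage: advisory-stage publish by a user without the author role.
runCommand('stratt publish',
  { user: { roles: [] }, requiredRole: 'author', stage: STAGE.ADVISORY },
  () => console.log('published'));
```

Flipping from stage (3) to stage (4) changes only the default of the flag check, which is the one-line enforcement switch the note describes; the bypass flag exists so that the opt-out period leaves a trail rather than looking identical to a passing check.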