AP-AUTH-002 | Authorization

Inconsistent authorization within resource

Flags resource endpoints that enforce authorization inconsistently across operations.

warning | violation | No auto-fix

How to fix

  1. Compare authorization across all operations for the resource.
  2. Standardize on the intended helper or guard.
  3. Document intentional differences and cover them with tests.

What it means

Different handlers for the same resource appear to use different authorization expectations.

Why it matters

Inconsistent checks create confusing access behavior and can leave one operation weaker than the others.

Common causes

  • One endpoint was added later with a different guard.
  • Read and write routes share a controller but not a policy.
  • Role checks drifted during refactoring.

Example bad pattern

Deleting a token requires admin access, but creating a token only requires membership.

Example good pattern

All token mutation endpoints require the same organization-admin check.
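The bad and good patterns above, as an added TypeScript example that is not ArchPilot's own code: the `Handler`, `Guard`, `findInconsistentResources` and `isAllowed` names are assumptions, and the check is a simplified stand-in for what `archpilot validate` does on real source.

```typescript
// Added example, not ArchPilot's own code: a "token" resource whose handlers
// each declare the guard they rely on, plus a simplified stand-in for the rule.
type Role = "member" | "admin";
interface Session { userId: string; orgRole: Role }
type Guard = (s: Session) => boolean;

// Any organization member (admins are members too).
const requireMember: Guard = (s) => s.orgRole === "member" || s.orgRole === "admin";
// Organization admins only.
const requireOrgAdmin: Guard = (s) => s.orgRole === "admin";

interface Handler { resource: string; op: string; mutates: boolean; guard: Guard }

// Bad pattern from the page: delete needs admin, create only needs membership.
const badTokenRoutes: Handler[] = [
  { resource: "token", op: "create", mutates: true, guard: requireMember },
  { resource: "token", op: "delete", mutates: true, guard: requireOrgAdmin },
];

// Good pattern: every token mutation uses the same organization-admin guard.
const goodTokenRoutes: Handler[] = [
  { resource: "token", op: "create", mutates: true, guard: requireOrgAdmin },
  { resource: "token", op: "delete", mutates: true, guard: requireOrgAdmin },
];

// Simplified check: a resource is inconsistent when its mutating operations do
// not all share one guard (guards compared by identity, a simplification).
function findInconsistentResources(handlers: Handler[]): string[] {
  const guardsByResource: Record<string, Guard[]> = {};
  for (const h of handlers) {
    if (!h.mutates) continue;
    const guards = guardsByResource[h.resource] ?? [];
    if (guards.indexOf(h.guard) === -1) guards.push(h.guard);
    guardsByResource[h.resource] = guards;
  }
  return Object.keys(guardsByResource).filter((r) => guardsByResource[r].length > 1);
}

// Evaluates one operation's guard for a session; true means allowed.
function isAllowed(handlers: Handler[], op: string, s: Session): boolean {
  for (const h of handlers) if (h.op === op) return h.guard(s);
  return false;
}
```

With the bad routes a plain member can create a token but not delete one, which is exactly the weaker-operation gap the rule flags; the good routes give every mutation the same answer.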

Related files/config

  • apps/api/src
  • apps/web/app/api
  • packages/db/prisma/schema.prisma

Related CLI commands

  • archpilot validate
  • archpilot validate --ci
AP-AUTH-002 - Inconsistent authorization within resource | ArchPilot Docs