Can vs require

Use can(...) when you only need a yes or no answer. Use require(...) when you want Policy to throw on denial.

import { policy } from "@layeron/modules"

const appPolicy = policy({
  name: "app",
  rules: [{
    id: "admin-delete",
    effect: "allow",
    subjects: ["role:admin"],
    actions: ["document.delete"],
    resources: ["document:*"],
  }],
})

if (await appPolicy.can({
  subject: { kind: "user", id: "user_1", roles: ["admin"] },
  action: "document.delete",
  resource: { type: "document", id: "doc_123" },
})) {
  // continue
}

await appPolicy.require({
  subject: { kind: "user", id: "user_1", roles: ["admin"] },
  action: "document.delete",
  resource: { type: "document", id: "doc_123" },
})

can(...) is useful for branch logic. require(...) is useful when you want to fail fast.