OptionalrolesRequire at least one matching role on the active identity.
Runner evaluates this as a flat OR list. If your app has role inheritance, expand the effective roles before the identity reaches Runner.
OptionaltenantTenant identity is required whenever an identity gate is present.
The field is optional only for ergonomics; omitting it still behaves as
tenant: true.
OptionaluserRequire userId in addition to tenantId.
Task-level identity gate requirement used by subtree policy and the built-in identity checker middleware.
Mentioning an identity requirement implies tenant identity by default, so
{ user: true }means tenant + user and{ roles: ["ADMIN"] }still requires tenant presence.