Feature

Workspace policies — author once, bind everywhere

A new Policies surface in every workspace: name a reusable IAM-style policy, then bind it to API keys and roles. Edit the policy once and every binding picks up the change.

Permissions used to be authored inline on every API key and role. Now they live as first-class workspace resources at Workspace → Policies. Each policy is a named, reusable list of statements — same { effect, actions, resources } shape you already know — that you bind to the things that need it.

The new API key creation flow is a dedicated stepper page: pick a name and description, bind one or more managed policies, review the merged effective policy, then mint the key. The cramped modal is gone. Keys can be re-bound to a different policy set via PATCH /v1/workspaces/:slug/api-keys/:id/bindings, without rotating the token.

Custom roles can also bind to a managed policy instead of carrying their own action list — useful when you want the same permission set on a few different roles, or when you want deny statements that the simplified role view doesn't expose. System roles (owner / admin / member) stay catalog-managed.

Deleting a policy unbinds every API key and role that referenced it: API keys fall back to deny-all, roles fall back to the inline policy they had before binding. The delete confirmation tells you up front how many of each will be affected.
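
The delete behaviour above can be previewed before confirming. The sketch below is an added example, not the product's own code: it models bound policies locally and reports which keys and roles would change decision if a policy were deleted. Assumptions: statements are evaluated with explicit deny winning over allow, no match meaning deny, and glob-style wildcards; all policy, key, role, action and resource names are constructed.

```python
from fnmatch import fnmatchcase

# Constructed sample workspace; all names, actions and resources are hypothetical.
POLICIES = {
    "reports-ro": [
        {"effect": "allow", "actions": ["reports:read"], "resources": ["reports/*"]},
        {"effect": "deny", "actions": ["*"], "resources": ["reports/finance/*"]},
    ],
    "billing-ro": [{"effect": "allow", "actions": ["billing:read"], "resources": ["*"]}],
}
KEY_BINDINGS = {"ci-key": ["reports-ro"], "ops-key": ["reports-ro", "billing-ro"], "pay-key": ["billing-ro"]}
# role -> (bound managed policy, inline statements the role carried before binding)
ROLES = {"auditor": ("reports-ro", [{"effect": "allow", "actions": ["reports:*"], "resources": ["*"]}])}


def allowed(statements, action, resource):
    """Assumed evaluation: explicit deny wins, and no matching allow means deny."""
    verdict = False
    for s in statements:
        if any(fnmatchcase(action, a) for a in s["actions"]) and any(
            fnmatchcase(resource, r) for r in s["resources"]
        ):
            if s["effect"] == "deny":
                return False
            verdict = True
    return verdict


def merged(names):
    """Effective policy of a key: the statements of all bound policies, concatenated."""
    return [s for n in names for s in POLICIES[n]]


def preview_delete(policy, probes):
    """Return (principal, probe, before, after) for every decision that would change."""
    changes = []
    for key, names in KEY_BINDINGS.items():
        if policy in names:  # per the page, the key falls back to deny-all
            changes += [(key, p, allowed(merged(names), *p), False) for p in probes]
    for role, (bound, inline) in ROLES.items():
        if bound == policy:  # per the page, the role reverts to its earlier inline policy
            changes += [(role, p, allowed(POLICIES[bound], *p), allowed(inline, *p)) for p in probes]
    return [c for c in changes if c[2] != c[3]]
```

In this sample, deleting reports-ro removes access from two keys but also widens the auditor role: its older inline policy has no deny on reports/finance/*, so the fallback can grant more than the managed policy did.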