Another random question while I'm here - is there a way to see specifically why an action was denied (or, I guess, where it hit it's first deny)? I'm imagining an engineer creating a policy, getting an unexpected deny, and then having trouble parsing through all the policies to know where the action was blocked

Yes! If you set the includeMeta flag in the request it will tell you which rule matched. You can also turn on the audit logging on the PDP instance to have it logged there also

awesome, thanks!

Also, when running tests you can use

--verbose

to get an execution trace that should help explain test failures

is

includeMeta

in the docs somewhere?

Yup can you see it in the API call https://docs.cerbos.dev/cerbos/latest/api/index.html#check-resources