Keep rules specific (avoid global "*" when possible).
The compiled fast-path is enabled automatically; it is always equivalent to
the authoritative interpreter for all combining algorithms (deny-overrides,
permit-overrides, first-applicable). No configuration is required.
Cache expensive context derivations outside of Guard calls.
Use smart sampling to reduce log volume while keeping critical events (deny, permit_with_obligations).
Bound log record size with max_env_bytes; prefer as_json=True for cheaper formatting.
Prefer JSON logging to reduce formatting overhead in hot paths.
Use evaluate_batch_async / evaluate_batch_sync when you need to check
multiple actions for the same user at once (e.g., rendering a UI with
enabled/disabled buttons). Requests run concurrently via asyncio.gather,
so the wall-clock time equals the slowest individual check rather than the
sum of all checks.
Set timeout on batch calls when individual checks may hit a slow external
provider (SpiceDB, OpenFGA). Use timeout=N to bound total wall-clock time;
asyncio.TimeoutError is raised on expiry — catch it and return a safe fallback
rather than letting the request hang indefinitely.
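The batch-with-timeout pattern described above, as an added example that is not the library's own code. It does not call the Guard API: `check_one`, `batch_check` and `button_states` are hypothetical stand-ins built on `asyncio.gather` and `asyncio.wait_for`, the latencies are constructed, and "safe fallback" is assumed to mean deny.

```python
import asyncio
import time

# Constructed sample data: per-action latency (seconds) and verdict of a
# hypothetical external provider lookup.
SAMPLE_CHECKS = {
    "read": (0.1, True),
    "edit": (0.3, True),
    "delete": (0.2, False),
}


async def check_one(action, latency, allowed):
    """Hypothetical single authorization check with simulated provider latency."""
    await asyncio.sleep(latency)
    return action, allowed


async def batch_check(checks, timeout=None):
    """Stand-in for a batch call: run all checks concurrently, bound total time.

    Raises asyncio.TimeoutError on expiry, matching the behaviour in the text.
    """
    coros = [check_one(a, lat, ok) for a, (lat, ok) in checks.items()]
    return dict(await asyncio.wait_for(asyncio.gather(*coros), timeout))


async def button_states(checks, timeout):
    """Fail closed: on timeout every action is reported as not allowed."""
    try:
        return await batch_check(checks, timeout=timeout)
    except asyncio.TimeoutError:
        # Assumption: the safe fallback is deny (all buttons disabled).
        return {action: False for action in checks}


def run_demo():
    start = time.perf_counter()
    ok = asyncio.run(button_states(SAMPLE_CHECKS, timeout=1.0))
    elapsed = time.perf_counter() - start  # close to 0.3 s (slowest), not 0.6 s (sum)
    slow = dict(SAMPLE_CHECKS, export=(5.0, True))  # one slow provider call
    degraded = asyncio.run(button_states(slow, timeout=0.5))
    return ok, elapsed, degraded


if __name__ == "__main__":
    print(run_demo())
```

Partial results are discarded on timeout here, so a slow check can never leave a button enabled on stale or incomplete data.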