Pre-execution policy / authorization layer (evaluate before runs)

A built-in evaluate → allow / deny / defer / modify step before work is fully committed would reduce the need to gate in application code before tasks.trigger() or to model everything as a parent task with conditional triggerAndWait. Task middleware and onStartAttempt run after a run has started; queues and concurrency address throttling, not authorization. A reusable, composable pre-execution policy layer would cover that gap