Integrating security into the development process is critical for the proper functioning of an application. API gateways, RBAC systems, service mesh sidecars etc. can all provide some elements of security but the final arbiter of who can do what and under what circumstances must be the responsibility of the domain model.

One critical aspect of application security is being able to test the application’s security constraints as part of the normal domain logic, and asserting about it as part …