fail closed term
on failure, default to denying the request
When a check fails (auth, rate limit, feature flag), the system defaults to rejecting. Better security, worse availability. Standard for auth and authz; risky for non-critical checks where the failure is just 'the rate limiter is down.'