Feature Request: Tag-scoped/Group-based RBAC (limit query rights by allowed tags/groups)

Current RBAC is environment-level (read/query/carve). We need finer-grained authorization so a user can run queries only against nodes matching an allowed set of tags. Minimal ask: per-user (or role) allowlist of tags per environment, enforced at query/carve submission (and optionally in list/views). This reduces blast radius and aligns access with ownership boundaries.