In complex systems, there are often actions that suppose to only be used internally. For example, a way of user lookup by some custom key or creating a record. Currently, they can be added to policies with authorize_if always() or used only with authorized?: false.
Using a policy introduces a risk of exposing them in the API at some point. On the other hand, authorized?: false breaks the authorization circuit by not passing the current action context down the line (e.g., to nested actions).
It would be great if Ash could allow for something like internal? true on action definition. That property would be used when building APIs' actions, by raising a compilation error.