For cases where we don't want to evaluate any subsequent policies (e.g. CORS OPTIONS should always be responded to immediately, even if we have a subsequent auth policy that would normally refuse a request).

This also raises some issues about policy ordering (e.g. stuff that we want at the head of the chain), but this is a first step.