Al questions

1.  Do we accept a STAGE request if the token has only storage.read claims?
2.  If not, must all claims in the token be storage.stage to be accepted?
3.  Just like with read or write, where a claim should override any ACLs, I would imagine a stage claim should override any staging restrictions for the user. 

Discussed already in the email thread and agreed on storage.stage behavior (dCache & CTA / EOS)

FIXME: missing / lost notes - answers

1. yes
2. no, per file results defined in the TAPE REST API specification
3. preference to verify just capability (implementation may decide to keep mapping & identity validation, but there should be a way to configure access to look like just capability based)