Acceptance Criteria
| ID | Acceptance Criterion | Status |
|---|---|---|
| AC-AUTH-001 | Valid users can log in and receive role-scoped access. | Needs Evidence |
| AC-RBAC-001 | Unauthorized role access is denied. | Needs Evidence |
| AC-TENANT-001 | Cross-school, cross-supplier, and cross-operator access is denied. | Needs Evidence |
| AC-BCK-001 | Restore test date and result are documented. | Needs Evidence |
| AC-PAY-001 | Duplicate payment/webhook does not duplicate financial effect. | Needs Confirmation |
| AC-API-001 | OpenAPI draft is reviewed against backend runtime routes. | Needs Technical Verification |