RBAC and Scope / Account Isolation Rules
| ID | Business Rule | Status |
|---|---|---|
| BR-RBAC-001 | Every protected action must check authentication. | Confirmed |
| BR-RBAC-002 | Every protected action must check role permission. | Confirmed |
| BR-RBAC-003 | Every scoped action must check the caller's assigned school, supplier, operator, parent, or student scope. | Confirmed |
| BR-RBAC-004 | Cross-scope/account access must be denied by default. | Confirmed by technical team; Evidence Pending Attachment |
| BR-RBAC-005 | Frontend hidden controls must not be treated as authorization. | Confirmed |
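The following is an added illustration, not the project's code, of what a server-side guard that satisfies BR-RBAC-001 to BR-RBAC-005 looks like in practice. The names (`Principal`, `ROLE_PERMISSIONS`, `SESSIONS`, `authorize`, `handle_update_student`), the roles, actions and ids are all assumptions constructed for the example; a resource is modelled as a map from scope dimension (school, supplier, operator, parent, student) to the id that owns it, and a request is allowed only when every check passes, so anything unrecognised falls through to a denial.

```python
"""Deny-by-default authorization guard illustrating BR-RBAC-001 to BR-RBAC-005.

Added example, not the project's own code. All names and sample data below are
assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str
    scope_type: str            # "school", "supplier", "operator", "parent" or "student"
    scope_ids: FrozenSet[str]  # ids of that scope type this principal is assigned to


class Denied(Exception):
    """Raised for every rejected request; the reason is for server logs only."""

    def __init__(self, reason: str, status: int = 403) -> None:
        super().__init__(reason)
        self.status = status


# Constructed role -> permitted actions table (hypothetical roles and actions).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "school_admin": frozenset({"student:read", "student:update"}),
    "supplier": frozenset({"order:read"}),
    "parent": frozenset({"student:read"}),
}

# Constructed session store: session token -> authenticated principal.
SESSIONS: Dict[str, Principal] = {
    "tok-school-admin": Principal("u1", "school_admin", "school", frozenset({"sch-1"})),
    "tok-supplier": Principal("u2", "supplier", "supplier", frozenset({"sup-2"})),
    "tok-parent": Principal("u3", "parent", "student", frozenset({"stu-9"})),
}


def authenticate(token: Optional[str]) -> Optional[Principal]:
    """BR-RBAC-001: resolve the session on the server; None means unauthenticated."""
    if not token:
        return None
    return SESSIONS.get(token)


def authorize(token: Optional[str], action: str, resource: Dict[str, str]) -> Principal:
    """Run every check in order and raise Denied unless all of them pass.

    `resource` maps scope dimensions to owner ids, e.g.
    {"school": "sch-1", "student": "stu-9"}. Only the session token identifies
    the caller; no client-supplied claim is consulted (BR-RBAC-005).
    """
    principal = authenticate(token)
    if principal is None:
        raise Denied("unauthenticated", status=401)               # BR-RBAC-001

    if action not in ROLE_PERMISSIONS.get(principal.role, frozenset()):
        raise Denied(f"role {principal.role} lacks {action}")     # BR-RBAC-002

    # BR-RBAC-003 / BR-RBAC-004: the resource must carry the caller's scope
    # dimension and that id must be one the caller is assigned to. A resource
    # without that dimension, or with a foreign id, is denied by default.
    owner_id = resource.get(principal.scope_type)
    if owner_id is None or owner_id not in principal.scope_ids:
        raise Denied("out of scope")

    return principal


def is_allowed(token: Optional[str], action: str, resource: Dict[str, str]) -> bool:
    """Boolean convenience wrapper around authorize()."""
    try:
        authorize(token, action, resource)
        return True
    except Denied:
        return False


def handle_update_student(request: Dict[str, object]) -> str:
    """Hypothetical endpoint handler. The decision depends only on the session
    token and the target resource; a browser-controlled key such as
    request["is_admin"] or a hidden "Edit" button is never read (BR-RBAC-005)."""
    token = request.get("token")
    resource = {
        "school": str(request.get("school_id", "")),
        "student": str(request.get("student_id", "")),
    }
    try:
        principal = authorize(token if isinstance(token, str) else None,
                              "student:update", resource)
    except Denied as exc:
        return str(exc.status)  # 401 or 403; no reason text reaches the client
    return f"200 updated by {principal.user_id}"
```

The order of the checks matters: authentication first, then role, then scope, with the resource lookup keyed on the caller's own scope type rather than on anything the client names. A reviewer can read BR-RBAC-004 straight off the code, since the only path that returns is the one where all three checks passed.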