Auth: document or align cross-tenant response codes (404 vs 403)

## Summary
Cross-tenant access handling is inconsistent:
- Single-row GET/PATCH/DELETE → **404** (secure enumeration defense)
- `listByCompany` with wrong company → **403**

Both may be intentional, but SDK clients need clarity.

## Options
1. Document the distinction in OpenAPI/README (list vs probe semantics)
2. Align list endpoints to 404 where enumeration is a concern

## Acceptance criteria
- [ ] Decision documented in OpenAPI
- [ ] Behavior consistent or explicitly differentiated with rationale

## Source
Code review backlog (2026-06-23)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Auth: document or align cross-tenant response codes (404 vs 403) #375

Summary

Options

Acceptance criteria

Source

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Auth: document or align cross-tenant response codes (404 vs 403) #375

Description

Summary

Options

Acceptance criteria

Source

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions