Independent re-verify of PR #101 (apps object-level authz / BOLA fix) found that the billing-* routes were excluded from the object-level authz hardening, with no documented justification and no tracking issue.
Action: Confirm whether billing-* routes are (a) already covered by a separate authz layer, (b) intentionally out of scope (document why), or (c) a genuine gap that needs the same object-level + field-level authz treatment as the other apps routes.
Owner: backend-engineer (impl) after appsec-reviewer scopes object/field-level requirements. Blast-radius: payment/billing → Opus tier per model-cascade.
Source: re-verify wave on #101, deploy-window 2026-06-30. Linked: #100, #101.
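As an added illustration of what resolving this item looks like in code (this is not code from PR #101 or from the project's code base; every route name, record, field and decorator below is a hypothetical stand-in), here is a minimal route registry with an `object_authz` decorator that does both the object-level check (caller must own the object) and the field-level check (only whitelisted fields are returned), a `billing-*` route in the shape of the suspected gap, and an audit that lists every route under a prefix that is not wrapped by the decorator. The audit is the kind of check that settles question (a) versus (c) mechanically rather than by reading diffs.

```python
# Added example, not code from PR #101 or the project: a hypothetical route
# registry with an object-level + field-level authz decorator, plus an audit
# that lists the routes under a prefix that are NOT wrapped by it.
# Every route name, record and field below is constructed for illustration.
from typing import Callable, Dict, Optional, Set

# Constructed sample store: invoices keyed by id, each with an owner.
INVOICES: Dict[str, dict] = {
    "inv-1": {"id": "inv-1", "owner": "alice", "amount": 100, "card_last4": "4242"},
    "inv-2": {"id": "inv-2", "owner": "bob", "amount": 250, "card_last4": "1111"},
}


class Forbidden(Exception):
    """Raised when the caller does not own the requested object."""


ROUTES: Dict[str, Callable] = {}


def route(name: str):
    """Register a handler under a route name (hypothetical framework stand-in)."""
    def deco(fn):
        ROUTES[name] = fn
        return fn
    return deco


def object_authz(loader: Callable[[str], Optional[dict]],
                 owner_field: str = "owner",
                 visible_fields: Optional[Set[str]] = None):
    """Object-level check: the object must exist and be owned by the caller.
    Field-level check: only `visible_fields` survive in the response."""
    def deco(fn):
        def wrapper(caller: str, obj_id: str) -> dict:
            obj = loader(obj_id)
            # Same error for "missing" and "not yours", so ids cannot be
            # enumerated by telling a 403 apart from a 404.
            if obj is None or obj.get(owner_field) != caller:
                raise Forbidden(f"{caller} may not access {obj_id}")
            result = fn(caller, obj)
            if visible_fields is not None:
                result = {k: v for k, v in result.items() if k in visible_fields}
            return result
        wrapper.object_authz = True  # marker the audit below looks for
        return wrapper
    return deco


# A route under the hardened apps-* prefix: ownership checked, fields masked.
@route("apps-get-invoice")
@object_authz(INVOICES.get, visible_fields={"id", "amount"})
def apps_get_invoice(caller: str, obj: dict) -> dict:
    return dict(obj)


# The shape of the suspected gap: a billing-* route that loads by id with no
# ownership check and returns every field, i.e. a BOLA.
@route("billing-get-invoice")
def billing_get_invoice(caller: str, obj_id: str) -> dict:
    return dict(INVOICES[obj_id])


def uncovered_routes(prefix: str) -> list:
    """Routes under `prefix` whose handler is not wrapped by object_authz."""
    return sorted(name for name, fn in ROUTES.items()
                  if name.startswith(prefix)
                  and not getattr(fn, "object_authz", False))


def call(route_name: str, caller: str, obj_id: str):
    """Invoke a route; return the response dict or the string 'forbidden'."""
    try:
        return ROUTES[route_name](caller, obj_id)
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    print("uncovered under billing-:", uncovered_routes("billing-"))
    print("apps route, owner:", call("apps-get-invoice", "alice", "inv-1"))
    print("apps route, other user:", call("apps-get-invoice", "bob", "inv-1"))
    print("billing route, other user:", call("billing-get-invoice", "bob", "inv-1"))
```

Running `uncovered_routes("billing-")` against the real registry (or whatever the framework exposes as its route table) is the evidence to attach to this item: an empty list supports (a), a non-empty list is (c) unless someone can document (b). The `visible_fields` mask is the field-level half of the treatment; without it, a correctly owner-checked route still leaks `card_last4` to the owner's client, which may or may not be intended for billing.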