## Summary tenantId and decidedBy are client-supplied with no identity binding on approval API. ## Source Phase 5 review (REV-010b) — #27 added bearer auth but not identity binding. ## Acceptance criteria - [ ] Server derives tenant/decider from token or session, not request body - [ ] Cross-tenant approval attempts rejected - [ ] API contract + tests updated ## Priority P1
Summary
tenantId and decidedBy are client-supplied with no identity binding on approval API.
Source
Phase 5 review (REV-010b) — #27 added bearer auth but not identity binding.
Acceptance criteria
Priority
P1