A client reported that users on a new account type could access a restricted endpoint. I cross-referenced the SOW to confirm the intended access rules, then traced the API flow to identify the right enforcement point. I found an existing authorization pattern in the codebase and extended it to cover this case, closing off unauthorized access.