backend/app/api/endpoints/l1.py

@@ -48,6 +48,15 @@ def _to_response(session: L1WalkSession) -> WalkSessionResponse:
 async def _get_session_or_404(
     db: AsyncSession, session_id: UUID, user: User
 ) -> L1WalkSession:
+    """Fetch a session by id, scoped to the caller's account.
+
+    Phase 1 policy (per spec §7.9): sessions are account-scoped, not
+    user-scoped. Any L1 or coverage engineer in the same account can
+    step/note/resolve/escalate any session — supports team coverage
+    (e.g., L1 hands off mid-shift; coverage engineer takes over a call).
+    For a stricter "creator-only" policy, add
+    ``created_by_user_id == user.id`` here.
+    """
     session = await db.get(L1WalkSession, session_id)
     if session is None or session.account_id != user.account_id:
         raise HTTPException(