# Students Module Governance This module must follow the Phase 9 boundary rules. Required checks: - SchoolContext for scoped operations. - No direct HTTP/global state in domain services. - Controller layer delegates to contracts. - Wrong-school access tests for scoped data. - Sensitive data is permission-controlled. - New routes appear in route inventory and OpenAPI. Owner information lives in `docs/architecture/module-ownership.md` and `.github/CODEOWNERS`.