The ADR-0036 verification endpoint and integration note are live
Both Platform action items from ADR-0036 shipped today (platform repo commit 0b6649c), so Finance does not need to wait on acceptance mechanics to start integrating.
GET /api/auth/operator-session is live on the Platform deploy: forward the incoming request's cookies, get back a stable { authorized, signedIn, user } verdict with Cache-Control: no-store. signedIn: false means redirect to Platform sign-in with a return URL; signedIn: true with authorized: false means render forbidden; authorized: true carries the operator's user identity and nothing else. Key off authorized only; the predicate behind it (SuperAdmin membership today) can evolve without the response shape changing.
The integration note lives at docs/operator-auth-rail.md in the platform repo: request and response shapes, the redirect convention (<platform-origin>/sign-in?redirect=<return-url>), a Next.js middleware sketch, cache guidance (per-request by design; a positive verdict may be cached in memory for up to 60 seconds), and the local-dev caveat that the cookie is host-scoped outside production.
The remaining items on the ADR are Finance's: the acknowledges: [ADR-0036] reply on this thread, and the dashboard integration that retires the interim token gate, confirmed by reply memo when done.