Enforce Automatic Role-Based Data Scoping on All Report Queries
The Report Scope Resolver service reads the authenticated user's role and organizational memberships to derive a concrete scope key (local association ID, region ID, or national level) before any report query executes. This scoping is transparent to the user — they do not configure it. The Coordinator Report Service passes the resolved scope key to all aggregation queries and the Coordinator Stats Repository uses it as part of the cache key, ensuring cached results are never shared across scope boundaries. This mechanism integrates with the Role-Based Access Control system to enforce authorization at the data layer, not just the UI layer.
User Story
Acceptance Criteria
- Given a coordinator authenticated under local association A, when they access any dashboard metric, then only data attributable to local association A is returned
- Given an organization administrator, when they access dashboard metrics, then data from all associations and regions within the organization is included
- Given a user's scope changes (e.g., role updated by admin), when they next load the dashboard, then the new scope is applied and previously cached data for the old scope is not served
- Given a coordinator attempts to manipulate the filter widget to select an out-of-scope area, when the request is processed, then the Coordinator Report Service enforces the scope boundary and returns only authorized data
- Given two coordinators with different scopes are logged in simultaneously, when each views the dashboard, then each sees exclusively their own scoped data with no cross-contamination
- Given the scope key is computed, when the result is cached, then the cache key includes the scope identifier so different users with different scopes cannot access each other's cached results
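A minimal sketch of how the criteria above fit together, added here as an illustration and not taken from the project's code. The role names (`coordinator`, `region_coordinator`, `org_admin`), the user dictionary fields, the mapping of organization administrators to the national level, and the sample rows are all assumptions.

```python
from dataclasses import dataclass

# Constructed sample rows: (region_id, association_id, mentor_sessions)
ROWS = [("R1", "A", 12), ("R1", "B", 7), ("R2", "C", 5)]

@dataclass(frozen=True)
class Scope:
    level: str  # "association", "region" or "national"
    id: str     # association ID, region ID, or "*" for national

    @property
    def key(self):
        return f"{self.level}:{self.id}"

    def permits(self, region_id, association_id):
        if self.level == "national":
            return True
        if self.level == "region":
            return region_id == self.id
        return association_id == self.id

def resolve_scope(user):
    """Derive the scope from server-side identity only, never from request input."""
    role = user["role"]  # hypothetical role names, see lead-in
    if role == "org_admin":
        return Scope("national", "*")
    if role == "region_coordinator":
        return Scope("region", user["region_id"])
    if role == "coordinator":
        return Scope("association", user["association_id"])
    raise PermissionError(f"role {role!r} has no report scope")

class StatsRepository:
    def __init__(self):
        self.cache = {}
        self.queries = 0  # counts cache misses

    def total_sessions(self, scope, requested_association=None):
        # The scope key is part of the cache key, so entries never cross scopes.
        cache_key = (scope.key, "total_sessions", requested_association)
        if cache_key not in self.cache:
            self.queries += 1
            self.cache[cache_key] = sum(
                n for region, assoc, n in ROWS
                if scope.permits(region, assoc)
                and requested_association in (None, assoc))
        return self.cache[cache_key]

def dashboard_total(repo, user, requested_association=None):
    # The filter widget value can narrow the result but never widen the scope.
    return repo.total_sessions(resolve_scope(user), requested_association)
```

Because the scope is re-resolved on every request, a role change produces a different scope key and entries cached under the old key are simply never looked up again.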
Business Value
With 1,400 local associations and multiple coordinators, data isolation is a critical compliance and privacy requirement. A coordinator must never see peer mentor activity data from a competing local association. Automatic scoping enforced at the service layer — rather than relying on UI restrictions alone — ensures data integrity, builds user trust, and meets organizational data governance requirements. Failures here could expose sensitive peer mentor information and undermine confidence in the entire reporting system.
Components
- Coordinator Report Service (service)
- Report Scope Resolver (service)
- Coordinator Stats Repository (data)
- Coordinator Dashboard Screen (ui)