docs: define staff check-in flow

docs/security-notes.md

@@ -20,6 +20,7 @@ Controls:
 - collect only data required to manage the reservation;
 - do not expose reservation personal data through public APIs;
 - do not include personal data in QR codes;
+- keep check-in preview and confirmation responses limited to operational admission data;
 - avoid logging request bodies from booking and confirmation endpoints;
 - avoid logging raw tokens;
 - restrict admin access to staff users who need it.
@@ -56,12 +57,27 @@ QR codes must not contain:
 
 The check-in endpoint resolves the token server-side and returns only the minimum information staff need.
 
+## Check-In Security
+
+Check-in is performed by authenticated staff or admin users through a mobile-friendly web page.
+
+Controls:
+
+- require staff authentication for QR verification preview and check-in confirmation;
+- allow QR scanning and manual token entry in the staff interface;
+- validate every token server-side;
+- require the reservation to be confirmed before check-in;
+- reject duplicate check-in attempts;
+- store successful check-in timestamp and staff user;
+- return clear validation states without exposing unnecessary personal data;
+- do not log raw QR tokens.
+
 ## Authentication and Authorization
 
 Required controls:
 
 - Django admin requires authenticated staff accounts;
-- check-in verification requires authenticated staff or an authenticated scanning client;
+- check-in verification preview and confirmation require authenticated staff or admin users;
 - staff permissions should separate content management from operational check-in when practical;
 - public APIs must not allow clients to set protected fields such as reservation status, token values, or check-in state.