# Route Contract — Spec 080

This document defines the **expected user-facing route surfaces** and the **required 404/403 semantics**.

## Canonical Management (workspace-scoped)

All of the following are under `/admin/*` and require:

- selected workspace context
- workspace membership (non-member → 404)

Routes:

- `GET /admin/tenants`
- `GET /admin/tenants/{tenant}`
- `GET /admin/tenants/{tenant}/memberships`
- `GET /admin/tenants/{tenant}/provider-connections`
- `GET /admin/tenants/{tenant}/provider-connections/{connection}/edit`
- `GET /admin/tenants/{tenant}/required-permissions`
- (optional) `GET /admin/tenants/{tenant}/onboarding`

Identifier contract:

- `{tenant}` MUST be `Tenant.external_id` (Entra tenant GUID)

Authorization contract:

- member without capability:
  - viewing pages: allowed
  - mutating actions: 403

## Canonical Operate (tenant-scoped)

All of the following are under `/admin/t/{tenant}/*` and require:

- selected workspace context
- workspace membership
- tenant entitlement (non-entitled → 404)

Routes (contract targets for US2 tests):

- `GET /admin/t/{tenant}` (tenant dashboard root)
- `GET /admin/t/{tenant}/diagnostics` (operational diagnostics page)

## Removed Tenant-Scoped Management (must 404)

The following routes MUST NOT exist (no redirects in dev stage):

- `GET /admin/t/{tenant}/provider-connections*`
- `GET /admin/t/{tenant}/required-permissions*`
- `GET /admin/t/{tenant}/memberships*`
- `GET /admin/t/{tenant}/tenants*`

## Monitoring

- `GET /admin/operations`
- `GET /admin/operations/{run}`

Monitoring pages are DB-only at render time.
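
The 404/403 rules from the management, operate, and removed-route sections, written as a decision function that can serve as a test oracle. This is an added example, not code from this spec or its project. The function name, its boolean parameters, the use of 200 for "allowed", and applying the non-member 404 to operate routes are assumptions; workspace context is taken as already selected, and monitoring routes are excluded because the contract states no authorization rule for them.

```python
import re

# Constructed sample tenant GUID (illustrative only, not a real tenant).
TENANT = "11111111-2222-3333-4444-555555555555"

# Removed tenant-scoped management surfaces: the trailing "*" in the
# contract is modelled as a prefix match, so sub-paths are covered too.
REMOVED = re.compile(
    r"^/admin/t/[^/]+/(provider-connections|required-permissions|memberships|tenants)"
)
OPERATE = re.compile(r"^/admin/t/[^/]+(/.*)?$")
MANAGEMENT = re.compile(r"^/admin/tenants(/.*)?$")


def expected_status(path, *, is_member, is_entitled=False,
                    has_capability=False, mutating=False):
    """Return the status the contract requires for one request.

    Existence-hiding checks (404) run before the capability check (403),
    so a caller without membership or entitlement never learns from a 403
    that a tenant or page exists.
    """
    if REMOVED.match(path):
        return 404          # route must not exist for anyone, no redirect
    if not is_member:
        return 404          # non-member -> 404, even for mutating actions
    if OPERATE.match(path):
        return 200 if is_entitled else 404   # non-entitled -> 404
    if MANAGEMENT.match(path):
        if mutating and not has_capability:
            return 403      # member without capability may view, not mutate
        return 200
    raise ValueError(f"path not covered by the contract's auth rules: {path}")


if __name__ == "__main__":
    # Constructed cases: (path, kwargs) printed with the required status.
    cases = [
        (f"/admin/tenants/{TENANT}/memberships", dict(is_member=False, mutating=True)),
        (f"/admin/tenants/{TENANT}/memberships", dict(is_member=True, mutating=True)),
        (f"/admin/t/{TENANT}/diagnostics", dict(is_member=True)),
        (f"/admin/t/{TENANT}/memberships", dict(is_member=True, is_entitled=True)),
    ]
    for path, kw in cases:
        print(expected_status(path, **kw), path, kw)
```
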