# Contracts — Routes & Semantics (077) **Spec**: [specs/077-workspace-nav-monitoring-hub/spec.md](../spec.md) This feature is an admin UI/navigation refactor. Contracts are expressed as web route semantics + access rules. ## Canonical routes ### Workspace context - `GET /admin/choose-workspace` - Purpose: select active workspace context - Access: authenticated user - Visibility: shows only workspaces where the user is a member - `POST /admin/switch-workspace` - Purpose: update workspace context - Access: authenticated user - Security: - If user is not a member of the selected workspace → 404 (deny-as-not-found) ### Workspace management (CRUD) - `GET /admin/workspaces` - `GET /admin/workspaces/{workspace}` - `GET /admin/workspaces/{workspace}/edit` - `GET /admin/workspaces/create` Contract semantics: - Index lists only workspaces the user is a member of. - If user attempts to access a workspace record they are not a member of → 404 (deny-as-not-found) - If user is a member but lacks the required capability for a protected action/screen (create/edit/membership management) → 403 - If user is authorized → normal Filament behavior ### Monitoring hub — Operations - `GET /admin/operations` - Canonical operations index (tenantless URL) - Behavior: - If tenant context is active: default filter state = current tenant (removable) - If tenant context is not active: workspace-wide list - `GET /admin/operations/{run}` - Canonical run deep link - Security: - If run belongs to a workspace the user is not a member of → 404 ### Monitoring hub — Reserved surfaces (placeholders) - `GET /admin/alerts` - Reserved placeholder page - Access: workspace members (workspace context required) - `GET /admin/audit-log` - Reserved placeholder page - Access: workspace members (workspace context required) ## Status code rules (summary) - Non-member / not entitled to the workspace scope → 404 - Member but missing capability (workspace-scoped protected actions) → 403 ## Non-leakage requirements - Global search must not list inaccessible workspaces/tenants/runs. - Navigation labels and groups must not imply the existence of admin-only surfaces.