# Specification Quality Checklist: RBAC Role Matrix & Access Boundary Audit

**Purpose**: Validate specification completeness and quality before implementation planning/implementation.
**Created**: 2026-05-15
**Feature**: [spec.md](../spec.md)

## Content Quality

- [x] No application implementation was performed during preparation.
- [x] Focus is on security, trust, auditability, and boundary correctness.
- [x] The spec is repo-based and names the current evidence anchors.
- [x] All mandatory repo-specific sections are completed or explicitly marked N/A.
- [x] The candidate check required by SPEC-GATE-001 is completed.
- [x] Candidate selection rationale and completed-spec guardrail result are recorded.

## Requirement Completeness

- [x] No `[NEEDS CLARIFICATION]` markers remain.
- [x] Functional requirements are testable and boundary-oriented.
- [x] Acceptance criteria cover role inventory, owner-only contradictions, panel boundaries, workspace isolation, environment isolation, sensitive actions, and no RBAC redesign.
- [x] Edge cases are identified.
- [x] Scope is clearly bounded to audit-first minimal hardening.
- [x] Dependencies and assumptions are identified.

## Constitution Alignment

- [x] Workspace isolation and managed-environment isolation are explicit.
- [x] RBAC-UX server-side source-of-truth rules are explicit.
- [x] 404 vs 403 semantics are explicit.
- [x] Capability registry usage is explicit.
- [x] Test governance and lane classification are explicit.
- [x] Proportionality review confirms no new persisted truth, role model, table, enum/status family, or broad framework is planned.

## Feature Readiness

- [x] `spec.md` exists.
- [x] `plan.md` exists.
- [x] `tasks.md` exists.
- [x] Tasks are ordered by read-only inventory, classification, tests first, minimal fixes, validation, and close-out.
- [x] Tasks include focused tests and validation commands.
- [x] Follow-up candidates are listed instead of hidden in scope.
- [x] Related completed specs are treated as context only and are not modified.

## Notes

- Preparation found a repo-real path correction: `WorkspaceRoleCapabilityMap.php` is under `apps/platform/app/Services/Auth/`, not `apps/platform/app/Support/Auth/`.
- Preparation found a high-risk static contradiction to verify during implementation: Manager currently receives `WORKSPACE_MEMBERSHIP_MANAGE` and `TENANT_MEMBERSHIP_MANAGE`, while the Constitution says Manager must not manage tenant memberships.
- Preparation did not modify application code, tests, migrations, resources, routes, policies, models, services, jobs, views, or assets.