# Route Contract — Spec 083

This contract defines the **Required Permissions** routes and their **404/403 semantics**.

## Canonical management surface (must exist)

- `GET /admin/tenants/{tenant}/required-permissions`

Identifier contract:
- `{tenant}` is `Tenant.external_id` (Entra tenant GUID)

Authorization contract:
- Not authenticated → handled by Filament auth middleware
- Workspace not selected → 404 (deny-as-not-found)
- Not a workspace member → 404
- Workspace member but **not tenant-entitled** (no `tenant_memberships` row) → 404
- Tenant-entitled (including read-only) → 200

Action contract:
- This page is read-only. Any mutations are only linked to and executed on other surfaces.
- Mutations on other surfaces must enforce capability checks server-side (missing capability → 403).
- "Re-run verification" links canonical to the start-verification surface: `GET /admin/onboarding` (generated via route helper, not hardcoded legacy paths).

## Removed tenant-plane route (must 404)

The following route MUST NOT exist and MUST return 404 (no redirects, no aliases):
- `GET /admin/t/{tenant}/required-permissions`