# Requirements Checklist: Spec 402 - Resource Policy & Authorization Proof Matrix

**Purpose**: Validate preparation quality for Spec 402 before implementation starts.
**Created**: 2026-06-23
**Feature**: `specs/402-resource-policy-authorization-proof-matrix/spec.md`

## Candidate Selection

- [x] The selected candidate was directly provided by the operator.
- [x] The candidate is linked to the Spec 400 P1 resource-policy matrix condition.
- [x] `docs/product/spec-candidates.md` was reviewed and currently reports no safe automatic next-best-prep target.
- [x] Close alternatives are deferred instead of hidden inside the primary scope.
- [x] The target does not reopen completed Specs 400 or 401.
- [x] No existing `specs/402-resource-policy-authorization-proof-matrix/` package existed before preparation.
- [x] Existing unrelated `402-screwfast-website-rebuild` branch collision is documented as context.

## Scope Quality

- [x] The spec is bounded to existing resource authorization proof and minimal hardening.
- [x] No new roles, permission product model, product surfaces, navigation, migrations, or broad RBAC redesign are included.
- [x] Admin and system panels are both explicitly in scope.
- [x] Workspace/environment isolation is explicitly in scope.
- [x] System/admin separation is explicitly in scope.
- [x] Global search, bulk actions, relation managers, controller-backed downloads/exports, and direct invocation are explicitly in scope.
- [x] Customer/reviewer boundary proof is included only where existing surfaces/tests represent that access.
- [x] Evidence currentness, management PDF staging validation, governance lifecycle, JSONB migration, and full browser audit are deferred.

## Constitution And Product Surface

- [x] Spec Candidate Check is filled out.
- [x] Approval class is exactly one class: Core Enterprise.
- [x] Score is recorded and above the minimum threshold.
- [x] Proportionality Review is completed because the matrix is a review artifact.
- [x] No runtime source of truth, persisted table, status family, enum, taxonomy, or framework is introduced.
- [x] Product Surface Contract is referenced because existing rendered authorization behavior may change.
- [x] UI Surface Impact is classified as existing-surface authorization hardening only.
- [x] Browser proof is required for representative rendered authorization behavior.
- [x] Human Product Sanity is required for changed rendered authorization behavior.
- [x] Completed-spec rewrite guardrail is explicit.

## Plan Quality

- [x] Plan identifies Laravel, Filament, Livewire, Pest, and Sail versions from repo context.
- [x] Plan names panel provider registration location.
- [x] Plan names likely affected repository surfaces.
- [x] Plan requires matrix-first work before adding policies or hardening code.
- [x] Plan distinguishes policies, gates/capabilities, scoped queries, global search, bulk actions, relation managers, controller routes, and system-panel capability middleware.
- [x] Plan requires existing capability services to remain authoritative where they already define product semantics.
- [x] Plan forbids cosmetic policy generation.
- [x] Plan includes rollout/deployment impact and expects no migrations/env/assets/queues/storage changes.

## Task Quality

- [x] Tasks are ordered by preparation, inventory, matrix, gap classification, tests, hardening, browser proof, and report close-out.
- [x] Tasks require negative tests for every fixed authorization gap.
- [x] Tasks include direct route/resource access tests.
- [x] Tasks include cross-workspace denial tests.
- [x] Tasks include system/admin separation tests.
- [x] Tasks include Filament action execution authorization tests.
- [x] Tasks include relation manager, bulk action, global search, and controller/download/export proof tasks.
- [x] Tasks include focused browser proof and explicitly forbid claiming full browser audit.
- [x] Tasks include dirty-state protocol before and after implementation.
- [x] Tasks include final implementation report sections A through M.

## Open Questions And Readiness

- [x] No open question blocks implementation preparation.
- [x] Product-ambiguous authorization decisions are required to be deferred rather than invented.
- [x] Spec Readiness Gate can pass after artifact analysis.
- [x] Candidate Selection Gate can pass as a manual operator-promoted candidate.

## Review Outcome

- [x] Review outcome class: `acceptable-special-case` for a bounded authorization proof matrix.
- [x] Workflow outcome: `keep`.
- [x] Final note location: future implementation report `specs/402-resource-policy-authorization-proof-matrix/implementation-report.md`.