# Requirements Checklist: Workspace-first RBAC & Environment Access Scoping

## Scope and problem framing

- [x] The package describes the real repo problem as dual role-bearing authorization truth, not generic missing RBAC.
- [x] The package keeps `WorkspaceMembership` as the only role-bearing truth.
- [x] The package treats the current `ManagedEnvironmentMembership` semantics as a narrow access-scope overlay or in-place successor only.
- [x] The package keeps environment scope optional and narrowing-only.
- [x] The package does not absorb provider capability, source taxonomy, copy/localization, or cutover-guardrail work from adjacent specs.

## Repo-truth anchoring

- [x] The package reflects the current repo term `ManagedEnvironmentMembership` rather than the stale raw-candidate term `TenantMembership`.
- [x] The package references the existing workspace-first seams: `WorkspaceMembership`, `WorkspaceCapabilityResolver`, and `WorkspaceContext`.
- [x] The package references the current environment-owned seams that must be retargeted: `CapabilityResolver`, `User::canAccessTenant()`, key policies, and the tenant-membership Filament surfaces.
- [x] The package keeps `OperationRun` authorization split between workspace-bound and environment-bound runs.

## Authorization contract

- [x] Non-membership or out-of-scope access remains `404`.
- [x] In-scope members missing capability remain `403`.
- [x] Provider capability and operability remain downstream gates after local RBAC passes.
- [x] No scope row can grant access without workspace membership.
- [x] No second role selector survives on the managed-environment access-scope surface.
- [x] Touched searchable-resource results remain non-member-safe and out-of-scope-safe.
- [x] Denied-access diagnostics are modeled as derived, boundary-safe logging rather than new persisted truth.

## Filament and UI guardrails

- [x] Filament remains v5 on Livewire v4.
- [x] Provider registration remains in `apps/platform/bootstrap/providers.php`.
- [x] Touched destructive actions remain `->action(...)` plus `->requiresConfirmation()`.
- [x] `ProviderConnectionResource` remains non-globally-searchable and no touched searchable resource loses its valid View or Edit destination.
- [x] Asset strategy remains unchanged and does not introduce new `filament:assets` requirements beyond existing deployment expectations.

## Testing and readiness

- [x] The package defines bounded proof through unit, feature, and one browser smoke.
- [x] The same validation commands appear in `spec.md`, `plan.md`, and `quickstart.md`.
- [x] The package states that Specs `280`, `281`, and `283` are external prerequisites for runtime implementation.
- [x] The package stays prep-only and does not claim implementation has already landed.

## Outcome

- **Review outcome class**: `blocked-by-prerequisites`
- **Workflow outcome**: `keep`
- **Test-governance outcome**: `keep`
- **Readiness note**: implementation is externally gated until Specs `280`, `281`, and `283` are present on the branch
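
The decision order implied by the authorization contract items, as an added sketch that is not code from this repository: membership decides existence (`404`), an optional scope can only narrow, and the workspace role alone decides capability (`403`). The `Decision` enum, the `decide()` function, the role names and the `environment.sync` capability are hypothetical, and the environment is assumed to belong to the workspace being checked.

```php
<?php
declare(strict_types=1);

// Added illustration. Every name and value here is hypothetical or constructed;
// none of it is the repo's WorkspaceCapabilityResolver or policy code.
enum Decision: int
{
    case Allow = 200;
    case Forbidden = 403;
    case NotFound = 404;
}

/**
 * @param array<int, string>      $memberships workspace id => role (the only role-bearing input)
 * @param array<int, int[]>       $scopes      workspace id => allowed environment ids;
 *                                             no entry means the member is not narrowed
 * @param array<string, string[]> $roleCaps    role => capabilities
 */
function decide(array $memberships, array $scopes, array $roleCaps,
                int $workspaceId, int $environmentId, string $capability): Decision
{
    // 1. No workspace membership: 404, even if a stray scope row exists.
    $role = $memberships[$workspaceId] ?? null;
    if ($role === null) {
        return Decision::NotFound;
    }
    // 2. Scope rows only narrow. Out-of-scope looks the same as non-membership.
    $allowed = $scopes[$workspaceId] ?? null;
    if ($allowed !== null && !in_array($environmentId, $allowed, true)) {
        return Decision::NotFound;
    }
    // 3. In-scope member: the capability comes from the workspace role alone.
    //    Provider capability and operability gates would run only after Allow.
    $caps = $roleCaps[$role] ?? [];
    return in_array($capability, $caps, true) ? Decision::Allow : Decision::Forbidden;
}

// Constructed sample data: workspace 1, environments 10 and 11.
$roleCaps = ['operator' => ['environment.sync'], 'readonly' => []];
$cases = [
    'member, unscoped'         => [[1 => 'operator'], []],
    'member, out of scope'     => [[1 => 'operator'], [1 => [11]]],
    'scope row, no membership' => [[],                [1 => [10]]],
    'in scope, no capability'  => [[1 => 'readonly'], [1 => [10]]],
];
foreach ($cases as $label => [$memberships, $scopes]) {
    $d = decide($memberships, $scopes, $roleCaps, 1, 10, 'environment.sync');
    printf("%-26s %d\n", $label, $d->value);
}
```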