TenantAtlas/specs/083-required-permissions-hardening/contracts/routes.md

Route Contract — Spec 083

This contract defines the Required Permissions routes and their 404/403 semantics.

Canonical management surface (must exist)

  • GET /admin/tenants/{tenant}/required-permissions

Identifier contract:

  • {tenant} is Tenant.external_id (Entra tenant GUID)

Authorization contract:

  • Not authenticated → handled by Filament auth middleware
  • Workspace not selected → 404 (deny-as-not-found)
  • Not a workspace member → 404
  • Workspace member but not tenant-entitled (no tenant_memberships row) → 404
  • Tenant-entitled (including read-only) → 200

Action contract:

  • This page is read-only. Mutations are only linked to from here and are executed on other surfaces.
  • Mutations on other surfaces must enforce capability checks server-side (missing capability → 403).
  • "Re-run verification" links canonically to the start-verification surface: GET /admin/onboarding (generated via the route helper, not a hardcoded legacy path).

Removed tenant-plane route (must 404)

The following route MUST NOT exist and MUST return 404 (no redirects, no aliases):

  • GET /admin/t/{tenant}/required-permissions
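The following is an added example, not TenantAtlas code: it models the authorization contract, the action contract and the removed-route rule above as pure Python functions so the check ordering can be tested offline. The `RequestContext` fields, the `Route` table, the capability name and the `onboarding.start` route name are constructed stand-ins for the framework's real request, auth and routing state, and the example assumes the same deny-as-not-found visibility checks run before the capability check on mutation surfaces.

```python
"""Executable model of the Spec 083 route contract (added example, not project code).

Models the documented rules as pure functions. The key security property
being exercised is ordering: every visibility failure collapses to 404
before any capability check can leak that a tenant or action exists.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Paths quoted from the contract.
CANONICAL_ROUTE = "/admin/tenants/{tenant}/required-permissions"
LEGACY_ROUTE = "/admin/t/{tenant}/required-permissions"  # must not exist, not even as a redirect
START_VERIFICATION_ROUTE = "/admin/onboarding"

# Constructed stand-in for the framework's named-route helper (name is a placeholder).
ROUTE_NAMES = {"onboarding.start": START_VERIFICATION_ROUTE}

AUTH_MIDDLEWARE = "auth-middleware"  # contract delegates this case; status not specified here


@dataclass
class RequestContext:
    """Constructed stand-in for request + auth state (not the real framework objects)."""
    authenticated: bool
    workspace_selected: bool
    workspace_member: bool
    tenant_entitled: bool                  # a tenant_memberships row exists
    read_only: bool = False                # entitlement level; never changes the GET outcome
    capabilities: frozenset = field(default_factory=frozenset)


def authorize_required_permissions_page(ctx: RequestContext) -> int | str:
    """GET /admin/tenants/{tenant}/required-permissions.

    Returns the status the contract demands. Checks run in the documented
    order; each pre-entitlement failure is 404 so a caller cannot tell
    "tenant exists but you are not entitled" from "no such tenant".
    """
    if not ctx.authenticated:
        return AUTH_MIDDLEWARE          # handled by Filament auth middleware
    if not ctx.workspace_selected:
        return 404                      # deny-as-not-found
    if not ctx.workspace_member:
        return 404
    if not ctx.tenant_entitled:
        return 404
    return 200                          # read-only entitlement is still 200


def authorize_mutation(ctx: RequestContext, required_capability: str) -> int | str:
    """Mutation on a surface other than the read-only page.

    Assumption (not stated verbatim in the contract): the same visibility
    checks apply first and still fail as 404; only an entitled member who
    lacks the capability is told the action exists (403).
    """
    visibility = authorize_required_permissions_page(ctx)
    if visibility != 200:
        return visibility
    if required_capability not in ctx.capabilities:
        return 403                      # server-side capability check
    return 200


def rerun_verification_href() -> str:
    """Resolve the "Re-run verification" link through the route helper, never a literal path."""
    return ROUTE_NAMES["onboarding.start"]


@dataclass(frozen=True)
class Route:
    """Constructed model of one registered route (redirect_to marks a redirect-only entry)."""
    method: str
    path: str
    redirect_to: str | None = None


def verify_route_table(routes: list[Route]) -> list[str]:
    """Return every contract violation found in a registered route table."""
    problems: list[str] = []
    by_key = {(r.method, r.path): r for r in routes}
    if ("GET", CANONICAL_ROUTE) not in by_key:
        problems.append(f"missing canonical route GET {CANONICAL_ROUTE}")
    legacy = by_key.get(("GET", LEGACY_ROUTE))
    if legacy is not None:
        kind = "redirect" if legacy.redirect_to else "route"
        problems.append(f"legacy {kind} GET {LEGACY_ROUTE} must not exist")
    return problems


if __name__ == "__main__":
    outsider = RequestContext(True, True, False, False)
    viewer = RequestContext(True, True, True, True, read_only=True)
    print("outsider GET:", authorize_required_permissions_page(outsider))   # 404
    print("read-only GET:", authorize_required_permissions_page(viewer))    # 200
    print("read-only mutation:", authorize_mutation(viewer, "rerun"))       # 403
    print(verify_route_table([Route("GET", CANONICAL_ROUTE),
                              Route("GET", LEGACY_ROUTE, redirect_to=CANONICAL_ROUTE)]))
```

The route-table check is the piece worth wiring into CI for a spec like this: a redirect from the legacy path satisfies "the route resolves" but violates "no redirects, no aliases", so the check treats a redirect entry as a failure, not a pass.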