docs(architecture): refresh hardening status

docs/audience-scoping-backlog.md

@@ -1,7 +1,7 @@
 # Audience Scoping Backlog
 
 **Date:** 2026-03-30
-**Purpose:** Collect the remaining audience-scoping work into a single batch backlog so the small auth-hardening slices can be finished before broader architecture work starts.
+**Purpose:** Historical record of the audience-scoping hardening batch and its exit state before larger architecture work begins.
 
 ## Status Snapshot
 
@@ -19,7 +19,10 @@
 - `project.isImageGenConfigured`, `project.isDalleConfigured`: covered as authenticated low-risk configuration checks
 - `notification` self-service and manager boundaries: auth-covered across list, unread counts, reminders, deletes, broadcasts, task creation, and assignment boundaries
 - `assistant-tools` parity metadata: descriptions and parity assertions now match narrowed router audiences for resource overview, controller-only, self-service, and manager broadcast/task tools
-- `comment` architecture phase 1: generic free-form entity comments replaced by an explicit supported-entity registry, currently limited to `estimate` with controller/manager/admin access plus entity-aware checks on list/count/create/resolve/delete
+- `comment` entity support now uses an explicit supported-entity registry with:
+  - `estimate` visibility for controller, manager, and admin
+  - `resource` visibility aligned to resource detail ownership and staff-access rules
+  - entity-scoped mention candidate lookup instead of the narrower assignment user directory
 
 ### Dirty Files To Avoid Mixing Into This Batch
 
@@ -30,7 +33,7 @@
 
 These files already have unrelated local edits. Audience parity work that would normally touch them should be deferred or handled through adjacent files and dedicated follow-up tests.
 
-## Remaining Categories
+## Final Batch Outcome
 
 ### Completed In This Batch
 
@@ -41,14 +44,17 @@ These files already have unrelated local edits. Audience parity work that would
 - `packages/api/src/router/resource.ts` -> `importSkillMatrix`
 - `packages/api/src/router/project.ts` -> `isImageGenConfigured`, `isDalleConfigured`
 
-### No Further Small Slices Currently Ready
+### No Further Small Slices Remain In This Batch
 
-- the previously identified small hardening and tests/docs candidates have been completed, including the notification auth follow-up and assistant tool parity metadata cleanup
-- the remaining audience work is now architectural (`comment.ts`) or depends on broader policy decisions rather than another ready-made auth slice
+- the previously identified small hardening and tests/docs candidates were completed, including the notification auth follow-up and assistant tool parity metadata cleanup
+- the formerly architectural `comment` follow-up is also completed through explicit entity onboarding and mention-audience alignment
+- no additional audience-scoping slice remains that is both small and isolated enough to justify another batch before larger architecture work
 
-## Recommended Next Order
+## Next Major Themes
 
-1. extend the comment entity registry only when a second real consumer exists and its backing audience is explicitly documented
+1. convert the still-open runtime secret model away from application-database centric storage
+2. add broader authorization regression coverage and long-lived guardrails around the narrowed route audiences
+3. reduce oversized routers and UI ownership surfaces so audience rules stay reviewable
 
 ## Slice Definition
 
@@ -67,3 +73,8 @@ Each “ready now” slice should follow the same template:
 - every formerly `ready now` route now has router-level authorization coverage or explicit low-risk documentation
 - the access matrix documents all low-risk exceptions explicitly
 - larger architecture work starts only after this batch is either completed or intentionally deferred
+
+Status:
+
+- this batch is complete
+- keep this file as a historical artifact, not as an active backlog