TST-08: Manual validation slice B - authz, cross-user isolation, error contracts

docs/MANUAL_TEST_CHECKLIST.md

@@ -427,3 +427,22 @@ Slice checks:
 5. Starter-pack idempotency/conflict confirmation (already-covered, keep monitoring):
    - apply the same pack twice and verify no duplicates
    - execute a known conflict path and verify dry-run conflict report with no mutation
+
+## P. Authz Policy, Cross-User Isolation, and API Error Contracts (Slice B, `#131`)
+
+Status:
+- active; comprehensive two-user authz matrix covering all controller families
+
+Goal:
+- validate authorization enforcement, cross-user data isolation, and error payload contracts across all protected API surfaces
+
+Full checklist:
+- `docs/testing/manual-validation-b-authz-contracts.md`
+
+Summary scope:
+1. Unauthenticated access denial (401) on all `[Authorize]` controller families (B-01 to B-32)
+2. Cross-user board-scoped isolation: UserB cannot access UserA's boards/columns/cards/labels/comments/webhooks/starter-packs/exports/audit (B-40 to B-60)
+3. Cross-user non-board-scoped isolation: captures/chat/proposals/archive/notifications/queue/workspace return only the authenticated user's data (B-70 to B-81)
+4. True-missing vs cross-user denial indistinguishability (B-90 to B-96)
+5. Error payload contract verification for auth/validation/sandbox paths (B-100 to B-110)
+6. Advanced controller families: ops/logs/users/abuse/llm-quota/agents/knowledge/webhooks/external-imports (B-130 to B-175)