profile-scoped ACL policy and redaction

docs/cmis-profiled-access-points-implementation.md

@@ -105,6 +105,21 @@ These routes delegate to existing engine services:
 Read-only profiles reject the same mutations with CMIS-shaped authorization
 diagnostics before touching engine services.
 
+## ACL And Redaction Slice
+
+The Browser Binding adapter now projects profile-derived ACLs through
+`GET /cmis/{access_point_id}/browser/acl/{object_id}`. ACL entries are derived
+from the access profile and actor context:
+
+- visible objects grant the current actor `cmis:read`,
+- authoring profiles also project `cmis:write` and `cmis:delete`,
+- public objects include a read-only `anyone` ACE,
+- hidden objects return `not found` rather than partial metadata.
+
+Relationship listings and change logs now apply the same asset visibility gates
+as object reads. This prevents indirect leakage of confidential or restricted
+asset IDs through relationship targets or audit-backed change entries.
+
 Route-level tests are present but skip when the optional FastAPI/httpx service
 dependencies are not installed. Runtime-level Browser Binding tests cover the
 same behavior in the default Python test suite.