CMIS authoring operations

docs/cmis-profiled-access-points-implementation.md

@@ -85,6 +85,26 @@ object reads, content stream descriptors, a constrained document query subset,
 relationship objects, and audit-backed change entries. Unsupported query
 grammar returns structured diagnostics.
 
+## Governed Authoring Slice
+
+The Browser Binding adapter now exposes selected mutation routes for profiles
+that allow authoring:
+
+- `POST /cmis/{access_point_id}/browser/document`
+- `POST /cmis/{access_point_id}/browser/object/{object_id}/properties`
+- `POST /cmis/{access_point_id}/browser/object/{object_id}/content`
+- `POST /cmis/{access_point_id}/browser/object/{object_id}/delete`
+
+These routes delegate to existing engine services:
+
+- document creation uses `AssetRegistryService.create_asset`,
+- property updates add governed metadata records,
+- content stream updates add asset representations and content-change versions,
+- delete requests transition the asset lifecycle to `delete_requested`.
+
+Read-only profiles reject the same mutations with CMIS-shaped authorization
+diagnostics before touching engine services.
+
 Route-level tests are present but skip when the optional FastAPI/httpx service
 dependencies are not installed. Runtime-level Browser Binding tests cover the
 same behavior in the default Python test suite.