# Tasks: Exchange Content-Backed Evidence Promotion Slice 1 **Input**: Design documents from `specs/436-exchange-content-backed-evidence-promotion-slice-1/` **Prerequisites**: [spec.md](./spec.md), [plan.md](./plan.md), [checklists/requirements.md](./checklists/requirements.md) **Tests**: Required. Runtime behavior changes must be covered with Pest 4 Unit and Feature tests. Browser proof is `N/A - no rendered UI surface changed`. ## Test Governance Checklist - [x] Lane assignment is named and is the narrowest sufficient proof for the changed behavior. - [x] New or changed tests stay in the smallest honest family, and any heavy-governance or browser addition is explicit. - [x] Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default; any widening is isolated or documented. - [x] Planned validation commands cover the change without pulling in unrelated lane cost. - [x] Browser proof is explicitly `N/A - no rendered UI surface changed`. - [x] Human Product Sanity and Product Surface implementation-report close-out are planned as N/A. - [x] Any material budget, baseline, trend, or escalation note is recorded in the implementation report. ## Phase 0 - Preflight - [x] T001 Capture branch, HEAD, and `git status --short` in `implementation-report.md`. - [x] T002 Confirm Spec 435 PASS/merge-ready and record prerequisite proof from `specs/435-exchange-structured-output-target-normalizer-readiness/implementation-report.md`. - [x] T003 Confirm Specs 430-434 are completed read-only context and are not edited. - [x] T004 Confirm target types are exactly `transportRule`, `remoteDomain`, and `inboundConnector`. - [x] T005 Confirm evidence model uses existing `tenant_configuration_resources` and `tenant_configuration_resource_evidence`. - [x] T006 Confirm OperationRun owner is `tenant_configuration.capture` and invocation operation remains runner truth only. - [x] T007 Confirm no UI/routes/jobs/schedules/listeners/migration/tenant_id/target-expansion scope. ## Phase 1 - Tests First: Adapter Wiring - [x] T008 Add or update focused unit tests proving the Exchange adapter creates a Spec 435 `ExchangePowerShellStructuredOutputEnvelope` before evidence append. - [x] T009 Add or update unit tests proving `ExchangePowerShellEvidenceNormalizer` dispatches target-specific normalizers for all three targets. - [x] T010 Add static/behavioral tests proving `GenericPayloadNormalizer` is not used for Exchange evidence promotion. - [x] T011 Add static/behavioral tests proving `ExchangeTeamsComparablePayloadNormalizer` is not used for Exchange evidence promotion. - [x] T012 Add tests proving the generic Graph capture path remains intact and is not routed through Exchange-specific promotion. ## Phase 2 - Adapter Normalizer Wiring - [x] T013 Update `ExchangePowerShellEvidenceCaptureAdapter` to use Spec 435 structured envelope for accepted runner output. - [x] T014 Update the adapter to use `ExchangeTransportRuleEvidenceNormalizer` through `ExchangePowerShellEvidenceNormalizer` for `transportRule`. - [x] T015 Update the adapter to use `ExchangeRemoteDomainEvidenceNormalizer` through `ExchangePowerShellEvidenceNormalizer` for `remoteDomain`. - [x] T016 Update the adapter to use `ExchangeInboundConnectorEvidenceNormalizer` through `ExchangePowerShellEvidenceNormalizer` for `inboundConnector`. - [x] T017 Update the adapter to use `ExchangePowerShellHashInputBuilder` for persisted payload hashes. - [x] T018 Remove or bypass the adapter's Exchange write-time dependency on `GenericPayloadNormalizer`. - [x] T019 Remove or bypass the adapter's Exchange write-time dependency on `ExchangeTeamsComparablePayloadNormalizer`. ## Phase 3 - OperationRun Ownership And Context - [x] T020 Ensure evidence append requires `OperationRunType::TenantConfigurationCapture`. - [x] T021 Add tests proving `OperationRunType::TenantConfigurationExchangePowerShellInvocation` cannot own evidence. - [x] T022 Confirm no new OperationRun type is added. - [x] T023 Keep OperationRun context safe and exclude raw payload, normalized payload, stdout, stderr, transcript, normalizer preview, hash preview, credential material, and provider response body. - [x] T024 Use existing allowed `OperationSummaryKeys` only, or stop and amend the spec before adding keys. ## Phase 4 - transportRule Evidence Capture - [x] T025 Add focused tests where successful fake `Get-TransportRule` capture creates one resource row and one evidence row. - [x] T026 Assert `raw_payload` is persisted only in `tenant_configuration_resource_evidence`. - [x] T027 Assert target-specific normalized payload is persisted. - [x] T028 Assert deterministic payload hash is persisted. - [x] T029 Assert `operation_run_id`, `workspace_id`, `managed_environment_id`, and `provider_connection_id` are linked. - [x] T030 Assert coverage remains `content_backed` only, claim state remains internal-only/customer-blocked, and persisted `capture_outcome` uses an existing repo-allowed value. ## Phase 5 - remoteDomain Evidence Capture - [x] T031 Add focused tests where successful fake `Get-RemoteDomain` capture creates content-backed evidence with stable source identity. - [x] T032 Assert domain-only identity blocks with no writer call and no evidence row. - [x] T033 Assert display-only identity blocks with no writer call and no evidence row. - [x] T034 Assert duplicate identity blocks with no evidence row. - [x] T035 Assert conflicting identity blocks with no evidence row. - [x] T036 Assert raw payload, normalized payload, deterministic hash, OperationRun link, repo-allowed persisted `capture_outcome`, and content-backed-only state for successful stable identity. ## Phase 6 - inboundConnector Evidence Capture - [x] T037 Add focused tests where successful fake `Get-InboundConnector` capture creates content-backed evidence with stable connector identity. - [x] T038 Assert missing connector identity blocks with no evidence row. - [x] T039 Assert duplicate identity blocks with no evidence row. - [x] T040 Assert protected config sentinels do not enter OperationRun context/logs/summaries. - [x] T041 Assert raw payload, normalized payload, deterministic hash, OperationRun link, repo-allowed persisted `capture_outcome`, and content-backed-only state for successful stable identity. ## Phase 7 - Append-Only Evidence - [x] T042 Add feature tests proving existing evidence is not overwritten. - [x] T043 Add feature tests proving a second successful capture inserts a new evidence row. - [x] T044 Assert `latest_evidence_id`, `latest_payload_hash`, and `latest_captured_at` update according to repo pattern. - [x] T045 Assert prior payload hash and payload columns are not mutated. ## Phase 8 - Hash Determinism - [x] T046 Add unit tests proving the same material normalized payload produces the same hash. - [x] T047 Add unit tests proving material changes change the hash. - [x] T048 Add unit tests proving volatile changes do not change the hash. - [x] T049 Add unit tests proving provider ordering does not change hash when order is not meaningful. - [x] T050 Assert target type, source surface, command contract, payload shape version, and normalizer version participate in hash input according to Spec 435. ## Phase 9 - Readiness Failure Blocking - [x] T051 Add tests proving missing credential readiness blocks with no evidence. - [x] T052 Add tests proving client-secret readiness blocks with no evidence. - [x] T053 Add tests proving missing permission readiness blocks with no evidence. - [x] T054 Add tests proving stale permission evidence blocks with no evidence. - [x] T055 Add tests proving wrong-scope permission evidence blocks with no evidence. - [x] T056 Add tests proving runtime readiness failure blocks with no evidence. - [x] T057 Add tests proving provider scope failure and unsupported provider capability both block with no evidence. ## Phase 10 - Output Failure Blocking - [x] T058 Add tests proving authentication failure blocks with no evidence. - [x] T059 Add tests proving authorization/permission failure blocks with no evidence. - [x] T060 Add tests proving source unavailable blocks with no evidence. - [x] T061 Add tests proving malformed output blocks with no evidence. - [x] T062 Add tests proving scalar output blocks with no evidence. - [x] T063 Add tests proving warning-prefixed output blocks with no evidence. - [x] T064 Add tests proving binary/non-UTF8 output blocks with no evidence. - [x] T065 Add tests proving oversized output blocks with no evidence. - [x] T066 Add tests proving non-zero exit blocks with no evidence. - [x] T067 Add tests proving timeout blocks with no evidence and failure outcomes do not persist adapter-only outcome labels outside existing repo-allowed evidence values. ## Phase 11 - Identity Blocking - [x] T068 Add tests proving missing identity blocks. - [x] T069 Add tests proving duplicate identity blocks. - [x] T070 Add tests proving conflicting identity blocks. - [x] T071 Add tests proving display-name-only blocks. - [x] T072 Add tests proving derived-only unproven identity blocks. - [x] T073 Assert the writer is not called on unsafe identity. ## Phase 12 - Empty Collection Policy - [x] T074 Add tests proving empty collection produces zero-item summary. - [x] T075 Assert empty collection creates no resource row. - [x] T076 Assert empty collection creates no evidence row. - [x] T077 Assert permission denied and source unavailable are not treated as empty. - [x] T078 Assert malformed output and partial output are not treated as empty or success. ## Phase 13 - Redaction - [x] T079 Add tests proving raw payload exists only in evidence storage. - [x] T080 Add tests proving OperationRun context is sanitized. - [x] T081 Add tests proving no raw stdout/stderr in context. - [x] T082 Add tests proving no normalizer/hash preview in context. - [x] T083 Add tests proving no credential material in context/logs/results. - [x] T084 Add tests proving no provider payload in summaries. - [x] T085 Add guard/static tests proving no customer output path is touched. ## Phase 14 - Content-Only Guard And No Promotion - [x] T086 Assert coverage max level is `content_backed`. - [x] T087 Assert no comparable state. - [x] T088 Assert no renderable state. - [x] T089 Assert no certified state. - [x] T090 Assert no restore-ready state. - [x] T091 Assert no customer-ready/customer-claimable state. ## Phase 15 - No Product Surface / Trigger - [x] T092 Add or update guard tests proving no route changed or added. - [x] T093 Add or update guard tests proving no Filament page/resource/widget changed or added. - [x] T094 Add or update guard tests proving no Livewire component changed or added. - [x] T095 Add or update guard tests proving no navigation, asset, global search, or provider registration change. - [x] T096 Add or update guard tests proving no destructive UI action exists. - [x] T097 Add or update guard tests proving no job, schedule, listener, console trigger, report, Review Pack, or PDF output was added. - [x] T098 Record browser proof as `N/A - no rendered UI surface changed`. ## Phase 16 - No Tenant / Mini-Platform - [x] T099 Assert no `tenant_id` ownership column/path is introduced. - [x] T100 Assert no Exchange-specific evidence table exists. - [x] T101 Assert no Exchange dashboard, legacy shim, fallback reader, or separate Exchange mini-platform exists. - [x] T102 Assert no migration file was added. ## Phase 17 - Regression Tests - [x] T103 Run Spec 435 regression tests. - [x] T104 Run Spec 434 regression tests. - [x] T105 Run Spec 433 regression tests. - [x] T106 Run Spec 432 regression tests. - [x] T107 Run Spec 431 regression tests. - [x] T108 Run Spec 430 regression tests. - [x] T109 Run Spec 415 regression tests. - [x] T110 Run Spec 417 regression tests. - [x] T111 Run Spec 419 regression tests if available. - [x] T112 Run Spec 420 regression tests. - [x] T113 Run Spec 426 regression tests. - [x] T114 Run Spec 427 regression tests. - [x] T115 Run `ProviderCapabilityRegistryTest` or repo equivalent. ## Phase 18 - Validation - [x] T116 Run `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent` or document fallback if Sail fails. - [x] T117 Run `cd apps/platform && ./vendor/bin/sail artisan test --filter=Spec436 --compact` or document fallback if Sail fails. - [x] T118 Run `cd apps/platform && ./vendor/bin/sail artisan test --filter=Spec435 --compact` or document fallback if Sail fails. - [x] T119 Run `cd apps/platform && ./vendor/bin/sail artisan test --filter=Spec434 --compact` or document fallback if Sail fails. - [x] T120 Run `cd apps/platform && ./vendor/bin/sail artisan test --filter=Spec433 --compact` or document fallback if Sail fails. - [x] T121 Run `cd apps/platform && ./vendor/bin/sail artisan test --filter='Spec432|Spec431|Spec430' --compact` or document fallback if Sail fails. - [x] T122 Run `cd apps/platform && ./vendor/bin/sail artisan test --filter='Spec415|Spec417|Spec419|Spec420|Spec426|Spec427' --compact` or document fallback if Sail fails. - [x] T123 Run `cd apps/platform && ./vendor/bin/sail artisan test --filter='ProviderCapabilityRegistryTest|ProviderCapabilityEvaluationTest' --compact` or document fallback if Sail fails. - [x] T124 Run `git diff --check`. - [x] T125 Run `git status --short`. ## Phase 19 - Implementation Report - [x] T126 Record candidate gate result. - [x] T127 Record branch, HEAD, and dirty state before/after. - [x] T128 Record files changed. - [x] T129 Record Spec 435 prerequisite proof. - [x] T130 Complete target type outcomes matrix. - [x] T131 Record OperationRun proof. - [x] T132 Record evidence persistence proof, including persisted `capture_outcome` value proof. - [x] T133 Record append-only and latest pointer proof. - [x] T134 Record raw payload location proof. - [x] T135 Record structured envelope proof. - [x] T136 Record normalizer integration proof. - [x] T137 Record hash proof. - [x] T138 Record identity proof. - [x] T139 Record credential/permission/runtime readiness proof. - [x] T140 Record failure blocking proof. - [x] T141 Record redaction proof. - [x] T142 Record no `GenericPayloadNormalizer` proof. - [x] T143 Record no `ExchangeTeamsComparablePayloadNormalizer` proof. - [x] T144 Record no Graph gateway/fake endpoint proof. - [x] T145 Record no promotion/restore/customer proof. - [x] T146 Record no UI/trigger proof. - [x] T147 Record no `tenant_id` and no mini-platform proof. - [x] T148 Record tests run and deferred work. ## Dependencies And Ordering - T001-T007 must complete before runtime edits. - T008-T012 should be written before T013-T019. - T020-T024 must pass before evidence persistence tasks are considered complete. - Target-specific phases can be worked independently after adapter wiring, but append-only/no-promotion validations must run after all successful-target paths exist. - Phase 17-19 are final validation and report tasks. ## Parallelization Notes - Unit tests for hash determinism, identity blockers, and target normalizers can run in parallel if they touch separate files. - Feature tests for each target can run in parallel after shared fixtures are in place. - No UI/browser work is parallelizable because it is out of scope.