# Specification Quality Checklist: Provider Connection Scope & Microsoft Profile Extraction

**Purpose**: Validate package completeness, boundedness, and readiness before implementation
**Created**: 2026-05-07
**Feature**: [spec.md](../spec.md)

## Content Quality

- [x] The package stays on reserved slot `281` and does not silently absorb Spec `280` or Specs `282`-`287`.
- [x] The stale candidate wording about `provider_connections.tenant_id` is explicitly corrected to current repo truth.
- [x] The package explicitly documents the second candidate deviation: the raw `provider_key` / `external_account_id` / `provider_metadata` / run-context proposal is narrowed to existing repo truth through `target_scope`, `effective_client_identity`, nested `provider_context`, and existing provider-owned metadata.
- [x] The package stays focused on the verified provider-boundary hotspot instead of reading like a speculative provider-platform rewrite.
- [x] No new provider-profile table, registry, capability engine, or artifact taxonomy is pulled into scope.
- [x] `plan.md`, `research.md`, `data-model.md`, `quickstart.md`, and the contract artifact all describe the same bounded slice.

## Requirement Completeness

- [x] No `[NEEDS CLARIFICATION]` markers remain in `spec.md`, `plan.md`, `research.md`, `data-model.md`, or `quickstart.md`.
- [x] Requirements remain testable and bounded to the current provider-connection, target-scope, identity-resolution, onboarding, and operation-start seams.
- [x] Shared `target_scope` fields are explicit and neutral across the package.
- [x] Provider-specific Microsoft detail is explicitly nested under provider-owned profile or context disclosure instead of shared contract truth.
- [x] Scope boundaries, assumptions, risks, and deferred adjacent candidates remain explicit.

## Repo Truth Anchoring

- [x] The package reflects that `ProviderConnection` already belongs to `ManagedEnvironment` via `managed_environment_id`.
- [x] The package reflects that current platform-core seams still leak Microsoft semantics through `tenantContext` and `target_scope.entra_tenant_id`.
- [x] The package reflects that `config/provider_boundaries.php` already classifies provider identity, connection resolution, and operation-start seams as platform-core follow-up hotspots.
- [x] The package reflects that `ProviderConnectionResource` exists with `Create`, `View`, and `Edit` pages and remains non-globally-searchable.
- [x] The package reflects that `ManagedTenantOnboardingWizard` and managed-environment related-context seams already reuse provider summaries and therefore need one summary contract.

## Feature Readiness

- [x] Filament v5 and Livewire v4 expectations remain explicit across the package.
- [x] Provider registration location remains explicit as `apps/platform/bootstrap/providers.php`.
- [x] `ProviderConnectionResource` global-search status and touched searchable-surface notes remain explicit.
- [x] Destructive action confirmation and authorization expectations remain explicit for touched provider-connection mutations.
- [x] The unchanged asset strategy and deployment note remain explicit.
- [x] The test strategy and minimal proving commands are explicit and aligned across artifacts.
- [x] The Candidate Selection Gate still explains why `281` is chosen now and why `282`-`287` are deferred.
- [x] The Completed-Spec Guardrail still keeps `279` and `280` separate from this package.

## Artifact Alignment

- [x] `research.md` records the same bounded extraction decisions reflected in `plan.md`.
- [x] `data-model.md` models the same neutral `target_scope`, provider-context, effective-client-identity, onboarding, and run-context contracts reflected in the plan and contract file.
- [x] `quickstart.md` uses the same bounded reviewer flow and proof commands as `plan.md`.
- [x] `contracts/provider-connection-scope.logical.openapi.yaml` models the same shared summary, identity-resolution, provider-profile, onboarding-readiness, and operation-start contracts described in the plan.
- [x] Canonical proof commands match across `spec.md`, `plan.md`, and `quickstart.md`.

## Test Governance

- [x] Planned proof stays bounded to focused feature coverage, one browser smoke, and the existing guard concept for Microsoft-shaped shared-contract leaks.
- [x] No new heavy-governance family or broad browser matrix is introduced.
- [x] Workspace, managed-environment, provider-connection, and optional credential fixture cost is acknowledged instead of hidden.
- [x] Reviewer handoff includes exact minimal validation commands and concrete stop questions.

## Notes

- Reviewed against `.specify/memory/constitution.md`, `specs/279-workspace-managed-environment-core/spec.md`, `specs/280-workspace-tenancy-environment-routing/spec.md`, `apps/platform/app/Models/ProviderConnection.php`, `apps/platform/app/Filament/Resources/ProviderConnectionResource.php`, `apps/platform/app/Filament/Resources/ProviderConnectionResource/Pages/ListProviderConnections.php`, `apps/platform/app/Filament/Resources/ProviderConnectionResource/Pages/ViewProviderConnection.php`, `apps/platform/app/Filament/Resources/ProviderConnectionResource/Pages/EditProviderConnection.php`, `apps/platform/app/Filament/Resources/TenantResource.php`, `apps/platform/app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php`, `apps/platform/app/Services/Providers/ProviderConnectionResolver.php`, `apps/platform/app/Services/Providers/ProviderConnectionResolution.php`, `apps/platform/app/Services/Providers/ProviderIdentityResolver.php`, `apps/platform/app/Services/Providers/ProviderIdentityResolution.php`, `apps/platform/app/Services/Providers/PlatformProviderIdentityResolver.php`, `apps/platform/app/Services/Providers/ProviderOperationStartGate.php`, `apps/platform/app/Services/Providers/CredentialManager.php`, `apps/platform/app/Services/Providers/AdminConsentUrlFactory.php`, `apps/platform/app/Services/Providers/ProviderGateway.php`, `apps/platform/app/Support/Providers/TargetScope/ProviderConnectionTargetScopeDescriptor.php`, `apps/platform/app/Support/Providers/TargetScope/ProviderConnectionTargetScopeNormalizer.php`, `apps/platform/app/Support/Providers/TargetScope/ProviderConnectionSurfaceSummary.php`, `apps/platform/app/Support/Providers/TargetScope/ProviderIdentityContextMetadata.php`, `apps/platform/app/Support/Providers/Boundary/ProviderBoundaryCatalog.php`, and `apps/platform/config/provider_boundaries.php` on 2026-05-07.
- No application implementation, test execution, or runtime validation was performed while preparing this package.

## Review Outcome

- **Outcome class**: `implementation-ready`
- **Workflow outcome**: `keep`
- **Test-governance outcome**: `keep`
- **Reason**: The package turns the ready spec into an implementation-ready plan set that neutralizes shared provider-connection and target-scope contracts, confines Microsoft profile detail to provider-owned seams, and keeps all adjacent routing, taxonomy, RBAC, copy, and quality-gate work deferred.