# Requirements Checklist: Spec 425 - Entra Certified Compare Pack

**Purpose**: Validate preparation readiness for the user-provided Spec 425 candidate before implementation.

**Created**: 2026-07-01

**Feature**: [spec.md](../spec.md)

## Candidate And Scope

- [x] Candidate is directly user-provided and does not depend on the empty auto-prep queue.
- [x] Completed historical specs are treated as read-only dependency evidence, not artifacts to rewrite.
- [x] Scope is limited to `entra_core_compare_certified`.
- [x] Certified denominator is exactly `conditionalAccessPolicy` plus `securityDefaults`.
- [x] Optional Entra candidates are explicitly excluded.
- [x] Full Entra certification is excluded.
- [x] Microsoft 365 certification is excluded.
- [x] Restore/apply certification is excluded.
- [x] Customer-facing proof or report activation is excluded.

## Repo Truth Alignment

- [x] Spec 421 is recorded as the source of Conditional Access comparable/renderable support.
- [x] Spec 424 is recorded as the source of Security Defaults content-backed comparable/renderable support.
- [x] Current source preflight checked source contracts for both mandatory denominator types.
- [x] Current source preflight checked identity strategy for both mandatory denominator types.
- [x] Current source preflight checked compare/render/redaction helpers for both mandatory denominator types.
- [x] Current source preflight found no existing `425` spec directory before creation.
- [x] Current source preflight found no existing local `425` branch before creation.
- [x] `entra_core_compare_certified` is not assumed to already exist; implementation tasks require adding or confirming it.

## Constitution And Product Surface

- [x] Spec states no `tenant_id` as Coverage v2 ownership truth.
- [x] Spec preserves workspace, managed-environment, and provider-connection scope.
- [x] Spec requires DB-only certification evaluation with no Graph/TCM/provider remote calls.
- [x] Proportionality review rejects a new persisted certification table.
- [x] Proportionality review allows only a narrow derived evaluator/result if existing supported-scope evaluation is insufficient.
- [x] Product Surface impact is conditional and bounded to the existing Coverage v2 operator surface if needed.
- [x] Browser proof is required if rendered UI changes.
- [x] Browser proof is explicitly `N/A - no rendered UI surface changed` if no UI files change.
- [x] No new primary navigation, dashboard, route, customer output, report, export, Review Pack, or PDF is allowed.
- [x] Completed historical spec artifacts remain read-only.

## Requirement Coverage

- [x] Supported scope metadata requirements are defined.
- [x] Exact denominator integrity requirements are defined.
- [x] Evidence criteria are defined.
- [x] Evidence currentness and no fallback-to-first/latest behavior are defined.
- [x] Stable identity criteria are defined, and derived identity is blocked for certification.
- [x] Compare criteria are defined.
- [x] Render criteria are defined.
- [x] Redaction criteria are defined.
- [x] Claim Guard criteria are defined.
- [x] Explicit certification pass, not-evaluated, and blocker states are defined as derived outcomes.
- [x] Conditional Access certified compare fixture coverage is defined.
- [x] Security Defaults certified compare fixture coverage is defined.
- [x] Broad/full/restore/M365/customer claims are blocked.
- [x] No-restore and no-customer activation requirements are explicit.
- [x] No Entra mini-platform and no Entra-specific table family requirements are explicit.
- [x] RBAC/isolation expectations are explicit.
- [x] RBAC/isolation proof is tied to concrete service/command/route/UI invocation boundaries.

## Task Readiness

- [x] Preflight tasks block runtime implementation if mandatory evidence, identity, compare, render, redaction, or claim posture fails.
- [x] Tests and fixtures are planned before or alongside implementation.
- [x] Unit tests cover evaluator, denominator, compare, redaction, and Claim Guard behavior.
- [x] Feature tests cover supported scope, denominator, certification, no restore, no customer claim, no `tenant_id`, and no mini-platform.
- [x] Browser test task is conditional on rendered UI changes.
- [x] Validation commands include Pint, focused unit tests, focused feature tests, conditional browser test, and `git diff --check`.
- [x] Implementation report requirements include candidate gate, dirty state, files, matrices, redaction, no-restore, no-customer, no-tenant-id, no-mini-platform, Product Surface, tests, and deferred work.

## Review Outcome

- [x] Candidate Selection Gate: PASS.
- [x] Spec Readiness Gate: PASS for preparation artifacts.
- [x] Open questions: none that block implementation planning.
- [x] Hard implementation preflight remains required at T001-T006 before runtime code changes.
- [x] Preparation scope stops before application implementation.