# Tasks: Spec 425 - Entra Certified Compare Pack

**Input**: Design documents from `specs/425-entra-certified-compare-pack/`
**Prerequisites**: [spec.md](./spec.md), [plan.md](./plan.md), [checklists/requirements.md](./checklists/requirements.md)

**Tests**: Required. This spec changes runtime certification behavior and claim safety. Use focused Pest Unit/Feature tests first. Browser proof is required only if rendered UI changes.

## Test Governance Checklist

- [x] Lane assignment is named and is the narrowest sufficient proof for the changed behavior.
- [x] New or changed tests stay in the smallest honest family, and any heavy-governance or browser addition is explicit.
- [x] Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default; any widening is isolated or documented.
- [x] Planned validation commands cover the change without pulling in unrelated lane cost.
- [x] Browser proof is explicitly `N/A - no rendered UI surface changed` unless rendered UI changes.
- [x] Human Product Sanity and Product Surface implementation-report close-out are planned if UI changes.
- [x] Any material budget, baseline, trend, or escalation note is recorded in the implementation report.

## Phase 1: Hard Preflight

**Purpose**: Re-check the user-provided prerequisite gate before runtime implementation. Stop before code changes if this phase fails.

- [x] T001 Capture current branch, HEAD, and `git status --short` in `specs/425-entra-certified-compare-pack/implementation-report.md`.
- [x] T002 Confirm Specs 414, 415, 417, 418, 419, 420, 421, and 424 remain completed/read-only dependency context; do not edit their artifacts.
- [x] T003 Confirm `conditionalAccessPolicy` is content-backed, comparable, renderable, redacted, non-restorable, internal/operator-only, and stable-identity backed in current source/tests.
- [x] T004 Confirm `securityDefaults` is content-backed, comparable, renderable, redacted, non-restorable, internal/operator-only, and stable-identity backed in current source/tests.
- [x] T005 Confirm current Coverage v2 ownership paths use `workspace_id`, `managed_environment_id`, and same-scope `provider_connection_id`, not `tenant_id`.
- [x] T006 Stop and report the blocker before implementation if either mandatory denominator type lacks evidence, stable identity, compare, render, redaction, or safe claim posture.

**Checkpoint**: Mandatory denominator preflight passes or implementation stops.

## Phase 2: Fixtures And Failing Tests

**Purpose**: Add focused proof before runtime changes.

- [x] T007 [P] Add Conditional Access golden fixture payloads under `apps/platform/tests/Fixtures/TenantConfiguration/Spec425/conditional-access/` for no change, state change, grant controls, included actor, excluded actor, app/resource targeting, condition, session control, volatile-only change, unsupported field, and redaction cases.
- [x] T008 [P] Add Security Defaults golden fixture payloads under `apps/platform/tests/Fixtures/TenantConfiguration/Spec425/security-defaults/` for no change, enabled true/false change, volatile-only change, missing evidence, identity blocked, and redaction cases.
- [x] T009 [P] Add `apps/platform/tests/Unit/Support/TenantConfiguration/EntraCertifiedDenominatorTest.php` proving the denominator is exactly `conditionalAccessPolicy` and `securityDefaults`, excludes optional Entra types, and cannot ignore a missing denominator item.
- [x] T010 [P] Add `apps/platform/tests/Unit/Support/TenantConfiguration/EntraCertifiedPackEvaluatorTest.php` proving not-evaluated, pass, missing evidence blockers, stale/superseded evidence blockers, wrong-scope evidence blockers, no fallback-to-first/latest behavior, identity blockers, compare blockers, render blockers, redaction blockers, and Claim Guard blockers.
- [x] T011 [P] Add `apps/platform/tests/Unit/Support/TenantConfiguration/ConditionalAccessCertifiedCompareTest.php` proving Conditional Access no-change, state, grant controls, included/excluded actors, app/resource targeting, conditions, session controls, volatile fields, unsupported fields, and raw payload hiding behavior.
- [x] T012 [P] Add `apps/platform/tests/Unit/Support/TenantConfiguration/SecurityDefaultsCertifiedCompareTest.php` proving enabled changes, no-change, volatile fields, missing evidence, identity blocked, raw payload hiding, and exact claim gating.
- [x] T013 [P] Add `apps/platform/tests/Unit/Support/TenantConfiguration/EntraCertifiedRenderRedactionTest.php` proving tokens, secrets, credential values, private keys, certificate material, authorization headers, cookies, raw payload, raw Graph response, and raw permission context are absent from certification output.
- [x] T014 [P] Add `apps/platform/tests/Unit/Support/TenantConfiguration/EntraCertifiedPackClaimGuardTest.php` proving exact internal/operator wording is allowed only with the explicit denominator and broad/full/restore/M365/customer claims are blocked.
- [x] T015 [P] Add `apps/platform/tests/Feature/TenantConfiguration/Spec425EntraCertifiedComparePackTest.php` proving the certified pack passes only when both mandatory resource types pass every criterion.
- [x] T016 [P] Add `apps/platform/tests/Feature/TenantConfiguration/Spec425EntraCertifiedDenominatorFeatureTest.php` proving supported-scope denominator integrity, exact two-type denominator, graph fallback allowlist for `securityDefaults`, and non-denominator exclusions.
- [x] T017 [P] Add `apps/platform/tests/Feature/TenantConfiguration/Spec425EntraCertifiedClaimGuardFeatureTest.php` proving exact pack claims are internal/operator-only and broad claims remain blocked.
- [x] T018 [P] Add `apps/platform/tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoRestoreTest.php` proving no restore/apply action, restore-ready state, or restorable tier is introduced.
- [x] T019 [P] Add `apps/platform/tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoCustomerClaimTest.php` proving no customer-facing claim, Review Pack/report/export/PDF output, or customer-ready proof activation.
- [x] T020 [P] Add `apps/platform/tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoTenantIdTest.php` proving Spec 425 runtime changes do not introduce `tenant_id`.
- [x] T021 [P] Add `apps/platform/tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoMiniPlatformTest.php` proving no Entra-specific migration, table family, model, route, navigation item, Filament Resource/Page, dashboard, or mini-platform is added.
- [x] T022 [P] Add a fail-hard provider/Graph assertion in the focused evaluator/read-model tests proving certification evaluation makes no Graph, TCM, provider, Microsoft docs, or other remote call.

**Checkpoint**: New focused tests fail for missing implementation and pass after later phases.

## Phase 3: Certified Scope And Denominator

**Purpose**: Define the exact internal/operator certified pack scope without broad claims.

- [x] T023 Update `apps/platform/app/Services/TenantConfiguration/SupportedScopeResolver.php` to add `entra_core_compare_certified` with description, workload `entra`, display name `Certified Entra Core Compare Pack`, denominator `conditionalAccessPolicy` and `securityDefaults`, minimum coverage level `certified`, `allow_beta = false`, claim label, `customer_claims_allowed = false`, and metadata documenting internal/operator-only posture.
- [x] T024 In `SupportedScopeResolver.php`, encode the `securityDefaults` Graph v1 fallback allowance explicitly, preferably with a metadata allowlist such as `graph_fallback_allowlist = ["securityDefaults"]`; do not make broad graph fallback claims customer-claimable.
- [x] T025 Ensure `apps/platform/app/Services/TenantConfiguration/ResourceTypeRegistry.php` does not mark optional Entra resource types as certified, customer-claimable, or restore-ready.
- [x] T026 Ensure the denominator definition cannot silently include `application`, `servicePrincipal`, `roleDefinition`, `administrativeUnit`, `authenticationMethodsPolicy`, `identityProtectionPolicy`, `authorizationPolicy`, `crossTenantAccessPolicy`, `accessReview`, or PIM resources.

**Checkpoint**: Supported scope exists and denominator integrity tests pass.

## Phase 4: Certification Evaluator

**Purpose**: Derive certification from existing Coverage v2 truth without new persistence.

- [x] T027 Add `apps/platform/app/Services/TenantConfiguration/EntraCertifiedComparePackEvaluator.php` only if existing supported-scope evaluation cannot produce the required certification matrix.
- [x] T028 If a result carrier is needed, add a narrow non-persisted result class under `apps/platform/app/Services/TenantConfiguration/` and keep certification states as derived strings rather than a persisted enum/status family, including `certification_not_evaluated`, `certification_passed`, `certification_blocked_missing_evidence`, `certification_blocked_identity`, `certification_blocked_compare`, `certification_blocked_render`, `certification_blocked_redaction`, and `certification_blocked_claim_guard`.
- [x] T029 Implement exact denominator loading in the evaluator with same workspace, managed-environment, and provider-connection scope checks.
- [x] T030 Implement evidence criteria checks: current same-scope content-backed evidence, append-only evidence row, raw payload present, normalized payload present, deterministic payload hash, source class, source contract, captured timestamp, operation run linkage when capture was operation-backed, stale/superseded/missing-currentness blockers, and no fallback to first/latest or wrong-scope evidence.
- [x] T031 Implement identity criteria checks requiring `IdentityState::Stable` and blocking `derived`, `identity_conflict`, `missing_external_id`, and `unsupported_identity`.
- [x] T032 Implement compare criteria checks by reusing `EntraCoverageComparator` and proving material, volatile, unsupported, and redacted paths are classified deterministically.
- [x] T033 Implement render criteria checks by reusing `EntraRenderableSummaryBuilder` and requiring operator-safe summaries for both denominator types.
- [x] T034 Implement redaction criteria checks by reusing `CoveragePayloadRedactor` and asserting no sensitive raw values appear in evaluator/render/claim output.
- [x] T035 Implement Claim Guard criteria checks by requiring exact internal/operator pack wording and explicit denominator visibility.
- [x] T036 Ensure missing mandatory denominator items, failed mandatory criteria, unsupported fields that would make certification ambiguous, and non-deterministic compare output produce explicit blocker states rather than warnings.
- [x] T037 Ensure evaluator execution is DB-only and does not call `ProviderGateway`, `GraphClientInterface`, TCM, Microsoft docs, HTTP, queued jobs, or OperationRun creation.

**Checkpoint**: Evaluator unit and feature tests pass.

## Phase 5: Claim Guard Exact Wording

**Purpose**: Allow exact internal/operator certification wording while blocking overclaims.

- [x] T038 Update `apps/platform/app/Services/TenantConfiguration/ClaimGuard.php` to allow exact internal/operator visible wording only for `Certified Entra Core Compare Pack: Conditional Access and Security Defaults`; the bare pack label may exist only as internal scope metadata or a diagnostic row heading when the same visible context includes the denominator.
- [x] T039 Require exact denominator visibility for any certified pack wording; block or limit certification wording that omits the denominator.
- [x] T040 Block forbidden wording: `Certified Entra coverage`, `100% Entra coverage`, `Full Entra coverage`, `Entra restore-ready`, `Certified Microsoft 365 coverage`, `Customer-ready Entra proof`, `Full tenant security proof`, legal/regulatory attestation claims, and Review Pack/report proof claims.
- [x] T041 Keep Claim Guard default behavior conservative for all non-425 claims; do not weaken existing Spec 421, 422, 423, or 424 claim-blocking behavior.

**Checkpoint**: Unit and feature Claim Guard tests pass.

## Phase 6: Product Surface Decision

**Purpose**: Keep UI scope bounded and require browser proof only if rendered UI changes.

- [x] T042 Determine whether the certification pack result can remain service/config/test-only. If yes, record `N/A - no rendered UI surface changed` in `implementation-report.md`.
- [x] T043 If rendered UI changes are necessary, amend `spec.md`, `plan.md`, and this `tasks.md` before editing UI files with exact affected surfaces, Product Surface decisions, browser proof path, and Human Product Sanity criteria. N/A - no rendered UI surface changed.
- [x] T044 If UI changes proceed after amendment, update only the existing Coverage v2 readiness/read-model/inspect path; do not add a new route, navigation item, dashboard, customer output, report/export/PDF, restore action, or primary Entra surface. N/A - no rendered UI surface changed.
- [x] T045 If UI changes proceed after amendment, add `apps/platform/tests/Browser/Spec425EntraCertifiedComparePackOperatorSurfaceSmokeTest.php` proving certified pack state, exact denominator, internal/operator-only label, no restore-ready/full-Entra/M365/customer claim, no raw payload/secrets, and no console/Livewire/Filament errors. N/A - no rendered UI surface changed.

**Checkpoint**: Product Surface decision is explicit and not contradicted by changed files.

## Phase 7: Architecture And Safety Guards

**Purpose**: Prove no hidden scope expansion or ownership drift.
- [x] T046 Ensure no migration creates `entra_certifications`, `certified_entra_resources`, or any Entra-specific certification table family.
- [x] T047 Ensure no code introduces `tenant_id` as Coverage v2 ownership truth, compatibility alias, fallback reader, dual-write target, or parallel scope key.
- [x] T048 Ensure no restore/apply, preview restore, assisted restore, or restore-readiness code path is introduced.
- [x] T049 Ensure no customer output, Review Pack, rendered report, management PDF, export/download, legal/regulatory attestation, or customer-ready proof path is introduced.
- [x] T050 Ensure no new Filament Resource/Page/Widget, route, navigation item, dashboard, or primary Entra surface is introduced.
- [x] T051 Add or extend focused feature/service tests proving non-member access remains deny-as-not-found (404), member without capability remains 403, provider connection scope remains same workspace/environment, and pure service-only evaluation uses explicit same-scope inputs where any service, command, route, or UI invocation boundary exists.

**Checkpoint**: No-overreach feature/static tests pass.

## Phase 8: Implementation Report And Validation

**Purpose**: Close the prep-defined evidence contract for implementation.

- [x] T052 Create `specs/425-entra-certified-compare-pack/implementation-report.md` with candidate gate result, dirty state before/after, files changed, certified denominator, evaluator matrix, claim matrix, redaction proof, no-restore proof, no-customer-claim proof, no-tenant_id proof, no-mini-platform proof, Product Surface decision, tests run, deferred work, and final gate result.
- [x] T053 Complete the certification matrix in `implementation-report.md` for `conditionalAccessPolicy` and `securityDefaults`.
- [x] T054 Complete the claim matrix in `implementation-report.md` for exact denominator-visible pack claim, 100 percent Entra, restore-ready, Microsoft 365 certified, and customer-ready proof.
- [x] T055 Run `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`.
- [x] T056 Run focused unit tests: `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Support/TenantConfiguration/EntraCertifiedPackEvaluatorTest.php tests/Unit/Support/TenantConfiguration/EntraCertifiedPackClaimGuardTest.php tests/Unit/Support/TenantConfiguration/ConditionalAccessCertifiedCompareTest.php tests/Unit/Support/TenantConfiguration/SecurityDefaultsCertifiedCompareTest.php tests/Unit/Support/TenantConfiguration/EntraCertifiedRenderRedactionTest.php tests/Unit/Support/TenantConfiguration/EntraCertifiedDenominatorTest.php`.
- [x] T057 Run focused feature tests: `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/TenantConfiguration/Spec425EntraCertifiedComparePackTest.php tests/Feature/TenantConfiguration/Spec425EntraCertifiedClaimGuardFeatureTest.php tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoRestoreTest.php tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoCustomerClaimTest.php tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoTenantIdTest.php tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoMiniPlatformTest.php tests/Feature/TenantConfiguration/Spec425EntraCertifiedDenominatorFeatureTest.php`.
- [x] T058 If UI changed, run the focused browser test: `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Browser/Spec425EntraCertifiedComparePackOperatorSurfaceSmokeTest.php`. N/A - no rendered UI surface changed.
- [x] T059 Run `git diff --check`.
- [x] T060 Record any failed validation exactly in `implementation-report.md`; do not weaken certification, denominator, claim, redaction, ownership, no-restore, or no-mini-platform criteria to make tests pass.

**Checkpoint**: Focused validation passes or exact failures are documented.

## Dependencies & Execution Order

- Phase 1 blocks all runtime implementation.
- Phase 2 tests should be added before or alongside Phases 3-5 implementation.
- Phase 3 scope definition blocks evaluator pass behavior.
- Phase 4 evaluator depends on existing Coverage v2 evidence/identity/compare/render helpers.
- Phase 5 Claim Guard updates depend on exact pack wording from the spec.
- Phase 6 must complete before any runtime UI edits.
- Phase 8 completes after all implementation tasks and validation.

## Parallel Opportunities

- T007-T014 can run in parallel after preflight because they touch different fixture/test files.
- T015-T022 can run in parallel after preflight because they touch different feature test files.
- T023-T026 should be coordinated because they share supported-scope/registry behavior.
- T027-T037 should be sequential within evaluator implementation.
- T046-T051 can run in parallel with final static/feature guard hardening once implementation files stabilize.

## Stop Conditions

- A mandatory denominator type cannot satisfy evidence, stable identity, compare, render, redaction, or claim criteria.
- The denominator changes from exactly `conditionalAccessPolicy` plus `securityDefaults`.
- Any restore/apply, customer output, Review Pack/report/PDF/export, full Entra/M365 certification, or legal/regulatory attestation scope appears.
- A new Entra-specific table family, dashboard, route, navigation item, primary surface, or mini-platform appears.
- `tenant_id` is introduced as platform-core ownership truth or compatibility/fallback path.
- Certification evaluation requires remote calls, queues, or a new OperationRun.
- Raw payloads or sensitive values become default-visible or leak into reports/logs/notifications.
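The following is an added illustration, not code from this repository, of how the Phase 4 evaluator states and the Phase 5 exact-wording gate fit together: a DB-free evaluator that loads exactly one current same-scope evidence row per denominator type (no fallback to first/latest or to another scope), applies the identity, compare, render, redaction and Claim Guard criteria, and reports the first blocker class in precedence order as a derived state string. The row field names, the `IdentityState` enum shape, the sha256-of-normalized-payload hash rule, and the sensitive-value patterns are assumptions for this example, not the project's own contracts.

```php
<?php
declare(strict_types=1);
// Added example, not project code. Row keys, enum shape and hash rule are assumptions.

enum IdentityState: string { case Stable = 'stable'; case Derived = 'derived';
    case IdentityConflict = 'identity_conflict'; case MissingExternalId = 'missing_external_id';
    case UnsupportedIdentity = 'unsupported_identity'; }

final class EntraCertifiedPackEvaluator
{
    public const DENOMINATOR = ['conditionalAccessPolicy', 'securityDefaults'];
    public const PACK_CLAIM = 'Certified Entra Core Compare Pack: Conditional Access and Security Defaults';
    private const FORBIDDEN = ['Certified Entra coverage', '100% Entra coverage', 'Full Entra coverage',
        'Entra restore-ready', 'Certified Microsoft 365 coverage', 'Customer-ready Entra proof', 'Full tenant security proof'];
    private const SENSITIVE = ['/authorization:/i', '/bearer\s+\S+/i', '/-----BEGIN /', '/client_?secret/i', '/cookie:/i'];
    private const COMPARE_CLASSES = ['material', 'volatile', 'unsupported', 'redacted'];
    private const ORDER = ['missing_evidence', 'identity', 'compare', 'render', 'redaction', 'claim_guard']; // blocker precedence

    /**
     * @param array{workspace_id:int,managed_environment_id:int,provider_connection_id:int} $scope
     * @param list<array<string,mixed>> $rows evidence rows (resource_type, the three scope ids, is_current,
     *        raw_payload, normalized_payload, payload_hash, identity_state, compare_paths, renderable_summary)
     * @return array{state:string,blockers:list<string>}
     */
    public function evaluate(array $scope, array $rows, string $visibleClaim): array
    {
        $blockers = [];
        foreach (self::DENOMINATOR as $type) {
            // Exactly one current, content-backed row in the same scope; anything else is a blocker, not a warning.
            $hits = array_values(array_filter($rows, fn (array $r): bool => $r['resource_type'] === $type
                && $r['workspace_id'] === $scope['workspace_id']
                && $r['managed_environment_id'] === $scope['managed_environment_id']
                && $r['provider_connection_id'] === $scope['provider_connection_id']
                && $r['is_current'] && $r['raw_payload'] !== null && $r['normalized_payload'] !== null
                && $r['payload_hash'] === hash('sha256', $r['normalized_payload'])));
            if (count($hits) !== 1) { $blockers[] = "missing_evidence:$type"; continue; }
            $row = $hits[0];
            if ($row['identity_state'] !== IdentityState::Stable) { $blockers[] = "identity:$type"; }
            // Every compared path must land in a known class; an unclassified path makes certification ambiguous.
            if (array_diff(array_values($row['compare_paths']), self::COMPARE_CLASSES) !== []) { $blockers[] = "compare:$type"; }
            if (trim($row['renderable_summary']) === '') { $blockers[] = "render:$type"; }
            foreach (self::SENSITIVE as $re) {
                if (preg_match($re, $row['renderable_summary']) === 1) { $blockers[] = "redaction:$type"; break; }
            }
        }
        if (!$this->claimAllowed($visibleClaim)) { $blockers[] = 'claim_guard:pack'; }
        foreach (self::ORDER as $class) {
            foreach ($blockers as $b) {
                if (str_starts_with($b, "$class:")) { return ['state' => "certification_blocked_$class", 'blockers' => $blockers]; }
            }
        }
        return ['state' => 'certification_passed', 'blockers' => []];
    }

    /** Only the exact denominator-visible wording passes; any forbidden overclaim substring blocks first. */
    public function claimAllowed(string $claim): bool
    {
        foreach (self::FORBIDDEN as $bad) { if (stripos($claim, $bad) !== false) { return false; } }
        return $claim === self::PACK_CLAIM;
    }
}
```

Calling `evaluate()` with a scope whose `provider_connection_id` differs from the rows' yields `certification_blocked_missing_evidence` for both types even when current rows exist elsewhere, which is the wrong-scope case T010 and T030 require; a summary containing an `Authorization:` header yields `certification_blocked_redaction` regardless of claim wording.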