# Specification Quality Checklist: Spec 417 - Canonical Identity Engine

## Candidate And Scope

- [x] Candidate is user-provided, not auto-selected from an empty active candidate queue.
- [x] Spec 414 is completed/validated dependency context only.
- [x] Spec 415 is completed/validated dependency context only.
- [x] No existing `417-canonical-identity-engine` spec or branch was found before creation.
- [x] Scope is limited to Coverage v2 canonical identity for captured resources.
- [x] No Coverage v2 customer/operator activation is included.
- [x] No compare, render, restore, certification, or full TCM catalog import is included.

## Ownership And Isolation

- [x] Internal scope truth is `workspace_id`, `managed_environment_id`, and `provider_connection_id`.
- [x] Provider connection same-scope validation is required.
- [x] External Microsoft/Entra tenant IDs remain metadata only.
- [x] `tenant_id` is forbidden as Coverage v2 ownership truth.
- [x] Cross-workspace identity collisions cannot merge.
- [x] Cross-managed-environment identity collisions cannot merge.
- [x] Cross-provider identity collisions cannot merge.

## Identity Requirements

- [x] Initial eight Coverage v2 resource types are listed.
- [x] Identity strategy fields are defined.
- [x] Stable provider/Graph/TCM IDs are preferred.
- [x] Source/composite fallback behavior is defined.
- [x] Display-name-only stable identity is forbidden.
- [x] Existing `IdentityState` values are used.
- [x] Canonical key-kind values are bounded.
- [x] Existing `canonical_resource_key` duplicate-truth risk is addressed.
- [x] Missing external ID behavior is explicit.
- [x] Unsupported identity behavior is explicit.
- [x] Beta/experimental identity cannot certify by default.

## Claim And Evidence Safety

- [x] Claim Guard blocks `identity_conflict`.
- [x] Claim Guard blocks or limits `missing_external_id`.
- [x] Claim Guard blocks `unsupported_identity`.
- [x] Claim Guard limits or blocks `derived` unless explicitly allowed.
- [x] OperationRun execution truth remains separate from identity/evidence/customer proof.
- [x] Evidence payload truth remains append-only evidence, not customer proof by default.
- [x] No fallback-to-latest evidence behavior is allowed.

## Diagnostics And Redaction

- [x] Secondary keys are diagnostic metadata only.
- [x] Conflict diagnostics are bounded.
- [x] Raw payloads and full provider responses are forbidden in diagnostics.
- [x] Tokens, credentials, cookies, authorization headers, private keys, certificates, passwords, and unredacted PII are forbidden in diagnostics, OperationRun context/messages, and audit metadata.

## No Legacy / No Product Surface

- [x] No v1-to-v2 identity adapter is allowed.
- [x] No old snapshot identity promotion is allowed.
- [x] No old v1 gap taxonomy is active v2 runtime truth.
- [x] No dual write or fallback reader is allowed.
- [x] No reachable UI surface changes are allowed.
- [x] Browser proof is `N/A - no rendered UI surface changed`.
- [x] Product Surface exceptions are `none`.
- [x] Completed historical specs must not be rewritten.

## Tests And Readiness

- [x] Unit test targets are identified.
- [x] Feature test targets are identified.
- [x] PostgreSQL-lane trigger is identified for migrations/indexes/constraints/JSONB.
- [x] No browser/heavy-governance lane is planned.
- [x] Validation commands are listed.
- [x] Implementation report close-out fields are defined.

## Gate Results

- [x] Candidate Selection Gate: PASS.
- [x] Spec Readiness Gate: PASS for preparation; implementation must still follow `tasks.md`.
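The ownership, identity-state and Claim Guard items above describe rules rather than code. The following is an added illustration, not the spec's or the project's own implementation: a toy canonical identity resolver in Python showing how identity stays bounded to the `workspace_id` / `managed_environment_id` / `provider_connection_id` tuple while `tenant_id` is carried as metadata only, how a stable provider ID is preferred over a source composite and a display name alone yields no identity, how duplicate canonical keys inside one capture become `identity_conflict` with bounded, payload-free diagnostics, and how a Claim Guard refuses unsafe states. The `IdentityState` names are the ones this checklist mentions; the class names, key-kind values, resource types, attribute names and the `tcm` source label are hypothetical.

```python
"""Added example (not the spec's or project's code): scope-bounded canonical
identity with a Claim Guard. State names come from the checklist; everything
else (class names, key kinds, resource types, attribute names) is assumed."""
from dataclasses import dataclass, field
from typing import Optional

# IdentityState values named on the checklist (assumed to be the full set here).
STABLE = "stable"
DERIVED = "derived"
MISSING_EXTERNAL_ID = "missing_external_id"
UNSUPPORTED_IDENTITY = "unsupported_identity"
IDENTITY_CONFLICT = "identity_conflict"

# Bounded canonical key kinds (hypothetical values).
KEY_KIND_PROVIDER_ID = "provider_id"
KEY_KIND_COMPOSITE = "composite"

# Hypothetical identity strategy: resource type -> attribute holding the stable
# provider/Graph ID. The real eight resource types are not reproduced here.
STABLE_ID_FIELD = {"conditional_access_policy": "graph_id", "named_location": "graph_id"}
MAX_DIAGNOSTIC_SECONDARY_KEYS = 3  # conflict diagnostics are bounded


@dataclass(frozen=True)
class Scope:
    """Internal ownership truth. tenant_id is metadata only: compare=False keeps it
    out of equality and hashing, so it can never act as scope."""
    workspace_id: str
    managed_environment_id: str
    provider_connection_id: str
    tenant_id: Optional[str] = field(default=None, compare=False)


@dataclass(frozen=True)
class CanonicalIdentity:
    scope: Scope
    resource_type: str
    key_kind: Optional[str]
    key: Optional[str]
    state: str
    diagnostics: tuple = ()  # bounded, redacted metadata only


def resolve_identity(scope: Scope, resource_type: str, attrs: dict) -> CanonicalIdentity:
    """Prefer the stable provider ID, fall back to a source composite, and never
    build a stable identity from the display name alone."""
    if resource_type not in STABLE_ID_FIELD:
        return CanonicalIdentity(scope, resource_type, None, None, UNSUPPORTED_IDENTITY)
    stable = attrs.get(STABLE_ID_FIELD[resource_type])
    if stable:
        return CanonicalIdentity(scope, resource_type, KEY_KIND_PROVIDER_ID, str(stable), STABLE)
    source, source_ref = attrs.get("source"), attrs.get("source_ref")
    if source and source_ref:
        return CanonicalIdentity(scope, resource_type, KEY_KIND_COMPOSITE, f"{source}:{source_ref}", DERIVED)
    return CanonicalIdentity(scope, resource_type, None, None, MISSING_EXTERNAL_ID)


def bounded_conflict_diagnostics(group: list) -> tuple:
    """Secondary keys (display names) only, capped in number; the raw captured
    attributes are never copied into diagnostics."""
    names = [a.get("display_name", "") for a in group][:MAX_DIAGNOSTIC_SECONDARY_KEYS]
    return tuple(("secondary_key", n) for n in names)


class CanonicalRegistry:
    """Records keyed by (scope, resource_type, key_kind, key). Because Scope equality
    excludes tenant_id, a different workspace, managed environment or provider
    connection is a different key and can never merge."""

    def __init__(self):
        self._records = {}

    def register_capture(self, scope: Scope, resources: list) -> list:
        resolved = [(resolve_identity(scope, a["resource_type"], a), a) for a in resources]
        groups = {}
        for ident, attrs in resolved:
            if ident.key is not None:
                groups.setdefault((ident.resource_type, ident.key_kind, ident.key), []).append(attrs)
        final = []
        for ident, attrs in resolved:
            group = groups.get((ident.resource_type, ident.key_kind, ident.key), [])
            if len(group) > 1:  # two captured resources claim one key: duplicate truth
                ident = CanonicalIdentity(scope, ident.resource_type, ident.key_kind, ident.key,
                                          IDENTITY_CONFLICT, bounded_conflict_diagnostics(group))
            elif ident.key is not None:  # same scope + same key merges; otherwise a new record
                self._records.setdefault((scope, ident.resource_type, ident.key_kind, ident.key), ident)
            final.append(ident)
        return final

    def record_count(self) -> int:
        return len(self._records)


def claim_guard(identity: CanonicalIdentity, allow_derived: bool = False) -> tuple:
    """Return (allowed, reason). Conflict, missing external ID and unsupported
    identity are always blocked; derived identity needs explicit opt-in."""
    if identity.state in (IDENTITY_CONFLICT, MISSING_EXTERNAL_ID, UNSUPPORTED_IDENTITY):
        return False, identity.state
    if identity.state == DERIVED and not allow_derived:
        return False, "derived_not_allowed"
    return True, "ok"


if __name__ == "__main__":
    reg = CanonicalRegistry()
    scope = Scope("ws-1", "env-1", "conn-1", tenant_id="tenant-x")  # constructed sample
    for ident in reg.register_capture(scope, [{"resource_type": "conditional_access_policy", "graph_id": "p-1"}]):
        print(ident.state, claim_guard(ident))
```

The two checks worth copying are structural: scope is a value type whose equality ignores the external tenant ID, so no query or merge can accidentally key on it, and conflict diagnostics are built from an allowlist of fields with a hard cap rather than by filtering a raw payload.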