# Requirements Checklist: Spec 421 - Entra Core Comparable / Renderable Pack

**Purpose**: Validate preparation completeness and quality before implementation. This checklist validates `spec.md`, `plan.md`, and `tasks.md`; it does not mark implementation work complete.

**Created**: 2026-06-27

**Feature**: `specs/421-entra-core-comparable-renderable-pack/spec.md`

## Preparation Checklist

- [x] Candidate is user-provided, not auto-selected from the empty active candidate queue.
- [x] Spec 421 did not already exist in `specs/` before creation.
- [x] No existing local/remote `421-entra-core-comparable-renderable-pack` branch was found before creation.
- [x] Specs 414, 415, 417, 418, 419, and 420 are read-only dependency context only.
- [x] Current repo truth for Coverage v2 registry, generic evidence, canonical identity, Claim Guard, redaction, OperationRun, and existing operator surface was checked.
- [x] Draft-to-repo deviations are documented.
- [x] No application implementation was performed during preparation.

## Candidate Scope Checklist

- [x] Scope is bounded to selected Entra comparable/renderable support.
- [x] `conditionalAccessPolicy` is the mandatory evidence-backed first promotion path.
- [x] `securityDefaults` and optional Entra types are evidence-gated instead of assumed content-backed.
- [x] No capture expansion, source contract creation, restore, certification, customer output, report/download, or new UI start action is in scope.
- [x] No Entra-specific table family, persisted compare history, mini-platform, provider framework, or `tenant_id` is in scope.

## Product Surface Checklist

- [x] UI Surface Impact records existing Coverage v2 operator-surface rendering impact.
- [x] Product Surface Contract is referenced and applied.
- [x] Page archetype, primary question, primary action, surface budget, Technical Annex demotion, canonical vocabulary, visible complexity, and exceptions are recorded.
- [x] Browser proof is required if rendered output changes, or `N/A - no rendered UI surface changed` must be justified.
- [x] Human Product Sanity is required if rendered output changes, or N/A must be justified.
- [x] Product Surface exceptions are `none`.
- [x] Stop-and-amend rule exists for any new route, navigation, action, dashboard, customer output, report, download, restore/certify control, or broader UI scope.

## OperationRun / RBAC / Scope Checklist

- [x] No new OperationRun type or start/completion/link UX is planned.
- [x] Existing OperationRun references remain diagnostic only if rendered.
- [x] Existing Coverage v2 read authorization applies.
- [x] Non-member or wrong workspace/environment scope denies as not found.
- [x] Established member without capability denies as forbidden.
- [x] Provider connection scope must match workspace and managed environment.

## Evidence / Compare / Render Checklist

- [x] Promotion requires content-backed evidence and focused tests.
- [x] Missing-evidence types remain unpromoted with blockers/deferred reasons.
- [x] Compare classifications are explicit and deterministic.
- [x] Derived importance labels are non-persisted compare output only.
- [x] Volatile fields, null/empty handling, stable ordering, redaction, and unsupported fields are addressed.
- [x] Render output hides raw payloads and secrets by default.
- [x] Credential-related values render only as safe summaries if applicable.

## Claim / Customer Output Checklist

- [x] Scoped internal comparable/renderable claims are allowed only when proven.
- [x] Certified, restore-ready, customer-ready, full, all-resource, and 100 percent Entra/M365 claims are blocked.
- [x] No customer-facing route, Review Pack, management report, PDF, export, download, or customer-safe proof is in scope.
- [x] Customer output gate remains N/A/no output for this spec.

## Testing Checklist

- [x] Unit tests are planned for normalization, compare, render, redaction, and Claim Guard.
- [x] Feature tests are planned for evidence-gated promotion, RBAC/scope, no restore/certification, no `tenant_id`, no mini-platform, and no overclaim.
- [x] Browser proof is conditional on rendered output changes.
- [x] No live Graph/TCM/provider call is required for tests.
- [x] Validation commands are listed.

## Spec Readiness Checklist

- [x] Problem statement, product value, user stories, requirements, acceptance criteria, success criteria, assumptions, risks, and open questions are present.
- [x] Plan identifies likely affected repo surfaces and does not require application implementation during preparation.
- [x] Tasks are ordered, bounded, verifiable, and include validation and close-out tasks.
- [x] RBAC, workspace/managed-environment isolation, OperationRun semantics, evidence/result truth, Product Surface, provider boundary, test governance, and proportionality are addressed.
- [x] No open question blocks the narrowed implementation-ready slice.

## Review Outcome

- [x] Review outcome class: acceptable-special-case for preparation.
- [x] Workflow outcome: keep.
- [x] Remaining condition: implementation must document any non-promoted Entra type as a blocker/deferred result instead of expanding capture scope.