# Requirements Checklist: Spec 424 - Security Defaults Content-Backed Comparable Support **Purpose**: Preparation-readiness checklist for Spec 424 before implementation. **Created**: 2026-06-30 **Feature**: [Spec 424](../spec.md) ## Candidate and Scope - [x] CHK001 The selected candidate is directly user-provided and not auto-selected from the empty active queue. - [x] CHK002 Related completed specs are marked read-only context and are not reopened. - [x] CHK003 Scope is limited to `securityDefaults`. - [x] CHK004 Certification, restore/apply, customer output, Review Pack/report/export, dashboards, routes, and additional Entra types are explicitly out of scope. - [x] CHK005 Candidate Selection Gate passes with repo-truth deviations documented. ## Repo Truth Alignment - [x] CHK006 Current registry-only/out-of-scope Security Defaults state is documented. - [x] CHK007 Missing source-contract mapping is documented. - [x] CHK008 Missing graph contract entry is documented. - [x] CHK009 Missing identity strategy is documented. - [x] CHK010 Existing Entra helper support for Conditional Access only is documented. - [x] CHK011 Draft-to-repo deviations for restore tier, resource class, capture outcomes, and source class are documented. ## Constitution and Product Surface - [x] CHK012 No `tenant_id` ownership truth is allowed. - [x] CHK013 Workspace, managed-environment, and provider-connection ownership is required. - [x] CHK014 Graph calls must go through the repo graph contract and `GraphClientInterface`. - [x] CHK015 Proportionality review is complete. - [x] CHK016 Product Surface Contract handling is complete for existing rendered Coverage v2 output. - [x] CHK017 Browser proof and Human Product Sanity are required if rendered output changes, or exact N/A proof is required. - [x] CHK018 No new UI route/navigation/action/customer surface is allowed without amending artifacts. ## Requirements Coverage - [x] CHK019 Source contract and missing-contract behavior are specified. - [x] CHK020 Capture/evidence persistence requirements are specified. - [x] CHK021 Identity requirements are specified. - [x] CHK022 Typed normalization requirements are specified. - [x] CHK023 Compare requirements are specified. - [x] CHK024 Render requirements are specified. - [x] CHK025 Claim Guard requirements are specified. - [x] CHK026 RBAC/scope requirements are specified. - [x] CHK027 Redaction/no-raw-payload requirements are specified. - [x] CHK028 No restore/certification/customer claim requirements are specified. - [x] CHK029 Supported-scope restrictions are specified. ## Task Readiness - [x] CHK030 Tasks include preflight before runtime implementation. - [x] CHK031 Tasks are ordered by dependency. - [x] CHK032 Tasks include tests before or alongside implementation. - [x] CHK033 Tasks include validation and implementation-report close-out. - [x] CHK034 Tasks include browser/no-browser and Human Product Sanity handling. - [x] CHK035 Tasks include no completed-spec rewrite proof. ## Review Outcome - [x] CHK036 Review outcome class: acceptable-special-case for preparation. - [x] CHK037 Workflow outcome: keep. - [x] CHK038 No blocking open question remains before implementation; source-contract viability is an implementation preflight gate with safe blocked behavior.