# Specification Quality Checklist: Spec 414 - TCM-First Coverage v2 Kernel **Purpose**: Validate specification completeness and quality before proceeding to implementation **Created**: 2026-06-25 **Feature**: `specs/414-tcm-first-coverage-core-cutover/spec.md` ## Content Quality - [x] CHK001 The spec is reframed as `TCM-First Coverage v2 Kernel`. - [x] CHK002 The folder name remains unchanged. - [x] CHK003 The previous full-cutover readiness failure is acknowledged. - [x] CHK004 The spec keeps strategic hard-cutover direction without making this slice the cutover. - [x] CHK005 The spec states Coverage v2 is inactive after Spec 414. - [x] CHK006 The spec states Coverage v1 remains active runtime truth until a later activation/cutover spec. - [x] CHK007 Mandatory sections for candidate check, scope, no-legacy posture, UI/product surface impact, proportionality, tests, user stories, requirements, success criteria, assumptions, risks, and follow-ups are completed. ## Bounded Kernel Scope - [x] CHK010 The scope is limited to value families, minimal persistence, registry, supported scope, claim guard, source class, provider provenance, and tests. - [x] CHK011 Full UI cutover is deferred. - [x] CHK012 Evidence Overview conversion is deferred. - [x] CHK013 Customer Review Workspace conversion is deferred. - [x] CHK014 Review Pack/report conversion is deferred. - [x] CHK015 Restore readiness conversion is deferred. - [x] CHK016 Full baseline/compare conversion is deferred. - [x] CHK017 Legacy runtime deletion and broad v1 test rewrite are deferred. - [x] CHK018 OperationRun-backed capture/evaluation is deferred. - [x] CHK019 TCM/Graph remote capture and generic content-backed evidence capture are deferred. - [x] CHK020 Browser proof across customer surfaces is not required unless UI scope is amended. ## Ownership And Provider Provenance - [x] CHK030 Coverage v2 internal ownership uses `workspace_id` and `managed_environment_id` where environment-owned rows exist. - [x] CHK031 `tenant_id` is prohibited as Coverage v2 internal ownership truth. - [x] CHK032 Provider-native external IDs are metadata only. - [x] CHK033 `provider_connection_id` same-workspace and same-managed-environment validation is required where stored. - [x] CHK034 Same-scope provider provenance is included in requirements and tasks. ## Source Classes And Claim Safety - [x] CHK040 Initial required registry entries are listed. - [x] CHK041 TCM-aligned Intune resource types map to `source_class = tcm`. - [x] CHK042 `notificationMessageTemplate` maps to `source_class = graph_v1_fallback`. - [x] CHK043 `roleScopeTag` maps to `source_class = graph_beta_experimental`. - [x] CHK044 Supported scopes require explicit denominator and minimum coverage level. - [x] CHK045 Beta resources are excluded by default. - [x] CHK046 Graph fallback is included only when scope allows it. - [x] CHK047 Claim guard blocks unscoped 100% claims. - [x] CHK048 Claim guard blocks beta certification by default. - [x] CHK049 Claim guard blocks non-restorable restore claims and incomplete supported-scope customer claims. - [x] CHK050 Claim guard allows only exact scope + level claims. - [x] CHK051 Kernel value-family allowed values are fixed and must not be expanded during implementation without amending artifacts. - [x] CHK052 `tenantpilot_internal` is not part of the Spec 414 initial source-class implementation scope. ## Kernel Persistence Shape - [x] CHK055 `tenant_configuration_resource_types` required fields are defined. - [x] CHK056 `tenant_configuration_supported_scopes` required fields are defined. - [x] CHK057 Required kernel definition tables are platform-seeded definitions, not workspace/environment/provider-connection-owned records. - [x] CHK058 Required kernel definitions have deterministic uniqueness and upsert-safe seed/migration semantics. - [x] CHK059 PostgreSQL lane triggers are explicit for JSONB, composite FKs, partial unique indexes, same-scope provider constraints, or other PostgreSQL-specific behavior. ## No Legacy / No Dual Truth - [x] CHK060 No compatibility shim is allowed. - [x] CHK061 No dual writes are allowed. - [x] CHK062 No fallback readers are allowed. - [x] CHK063 No v1-to-v2 translator is allowed. - [x] CHK064 No old snapshot promotion into v2 proof is allowed. - [x] CHK065 No old gap taxonomy is allowed as v2 logic. - [x] CHK066 No customer-facing dual truth is allowed. ## Product Surface And OperationRun - [x] CHK070 Product Surface Impact is `N/A - no rendered UI surface changed`. - [x] CHK071 Browser proof is `N/A - no rendered UI surface changed`. - [x] CHK072 Human Product Sanity is not required for a rendered page. - [x] CHK073 Stop-and-amend rule exists for any UI file change. - [x] CHK074 No OperationRun-producing workflow is introduced by default. - [x] CHK075 OperationRun-backed capture/evaluation is deferred to a follow-up spec. ## Task Readiness - [x] CHK080 `tasks.md` is bounded to preflight, tests, value families, minimal persistence, registry, supported scope, claim guard, boundary guards, and validation. - [x] CHK081 Tasks include unit tests for registry, supported scope, claim guard, and value families. - [x] CHK082 Tasks include feature tests for registry persistence, supported scopes, claim guard, no `tenant_id`, and same-scope provider connection validation where applicable. - [x] CHK083 Tasks include no UI surface impact validation. - [x] CHK084 Tasks include implementation report close-out. - [x] CHK085 Tasks include focused validation commands. ## Gate Results - [x] CHK090 Candidate Selection Gate result: PASS after narrowing. - [x] CHK091 Spec Readiness Gate preparation status: ready for bounded kernel implementation. - [x] CHK092 Workflow outcome: keep as inactive Coverage v2 kernel slice. ## Notes - Follow-up specs are recommendations only until explicitly prepared: 415 Generic Content-Backed Capture, 416 Canonical Identity Engine, 417 Coverage v2 Operator Surface, 418 Legacy Coverage Cutover & Removal, 419 Intune Core Comparable/Renderable Pack, 420 Certified Intune Core Coverage Pack, 421 Pilot Readiness Gate. - Supply-chain remediation, if still open, remains a release/pilot gate outside Spec 414.