# Feature Specification: Cross-tenant Compare and Promotion

**Feature Branch**: `feat/043-cross-tenant-compare-and-promotion`  
**Created**: 2026-01-07  
**Status**: Draft

## Purpose

Enable safe cross-tenant comparison of inventory and, optionally, controlled promotion workflows. Comparison is read-only by default. Any write/promotion behavior must be explicitly gated, audited, and separately authorized.

## User Scenarios & Testing

### Scenario 1: Compare two tenants (read-only)

- Given the operator has access to Tenant A and Tenant B
- When they select two tenants and a set of policy types
- Then they can see differences in presence and key metadata

### Scenario 2: Compare with a stable reference

- Given a reference selection scope
- When the operator runs comparison
- Then results are stable and reproducible for that scope

### Scenario 3: Promotion is explicitly gated (optional)

- Given promotion is enabled by policy
- When the operator initiates promotion
- Then the system requires explicit confirmation and records an audit event

## Functional Requirements

- FR1: Support selecting two tenants within authorized scope.
- FR2: Provide read-only diff views based on inventory metadata and stable identifiers.
- FR3: Provide exportable comparison results.
- FR4: If promotion is included:
  - require explicit enablement
  - require explicit confirmation per operation
  - record audit logs
  - support dry-run/preview

## Non-Functional Requirements

- NFR1: Enforce tenant isolation and least privilege across tenant selection and data access.
- NFR2: Comparison must not expose secrets or unsafe payload fields.

## Success Criteria

- SC1: Operators can identify which tenant differs for a given policy type in under 2 minutes.
- SC2: Read-only comparisons are reproducible when run again with the same scope.

## Out of Scope

- Bulk remediation without preview/confirmation.
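The following is an added worked example, not code from this spec or from the project it belongs to. It sketches how FR2/FR3/NFR2/SC2 (a read-only, reproducible diff keyed on stable identifiers, with secret fields redacted from output and export) and FR4 (promotion that is off unless enabled by policy, defaults to dry-run, requires explicit confirmation, and writes an audit event for every decision) could fit together. The inventory layout (`{policy_type: {stable_id: item}}`), the field names, the `PromotionContext` type and the sample tenant data are all constructed for illustration.

```python
"""Added example (not part of the spec or any project's code): a read-only
cross-tenant comparison keyed on stable identifiers with secret fields
redacted, plus a promotion step that is disabled unless policy enables it,
defaults to dry-run, requires explicit confirmation and records audit events.
Inventory layout, field names and sample data are constructed for illustration."""
import json
from copy import deepcopy
from dataclasses import dataclass, field

# Fields that must never appear in comparison, export or audit output (NFR2). Constructed list.
SENSITIVE_FIELDS = frozenset({"secret", "clientSecret", "password", "token"})
# Key metadata compared per item (FR2). Constructed list.
COMPARED_FIELDS = ("displayName", "version", "state")


def redact(item: dict) -> dict:
    """Return a copy of an inventory item with sensitive fields removed."""
    return {k: v for k, v in item.items() if k not in SENSITIVE_FIELDS}


def compare_inventories(tenant_a: dict, tenant_b: dict, policy_types) -> dict:
    """Read-only diff of two inventories shaped {policy_type: {stable_id: item}}.

    Items are matched on stable identifiers, never on display names. Output is
    sorted by policy type and identifier, so a re-run over the same scope
    yields the same result (SC2). Inputs are never modified.
    """
    result = {"only_in_a": [], "only_in_b": [], "changed": [], "same": []}
    for ptype in sorted(policy_types):
        items_a = tenant_a.get(ptype, {})
        items_b = tenant_b.get(ptype, {})
        for sid in sorted(set(items_a) | set(items_b)):
            ref = {"policy_type": ptype, "id": sid}
            if sid not in items_b:
                result["only_in_a"].append({**ref, "item": redact(items_a[sid])})
            elif sid not in items_a:
                result["only_in_b"].append({**ref, "item": redact(items_b[sid])})
            else:
                a, b = items_a[sid], items_b[sid]
                fields = {f: (a.get(f), b.get(f)) for f in COMPARED_FIELDS if a.get(f) != b.get(f)}
                if fields:
                    result["changed"].append({**ref, "fields": fields})
                else:
                    result["same"].append(ref)
    return result


def export_comparison(diff: dict) -> str:
    """Exportable, deterministic JSON rendering of a comparison (FR3)."""
    return json.dumps(diff, sort_keys=True, indent=2)


class PromotionError(Exception):
    """Raised when a promotion is refused by one of the FR4 gates."""


@dataclass
class PromotionContext:
    actor: str
    promotion_enabled: bool = False  # FR4: off unless explicitly enabled by policy
    audit_log: list = field(default_factory=list)

    def audit(self, event: str, **details) -> None:
        self.audit_log.append({"event": event, "actor": self.actor, **details})


def promote(ctx: PromotionContext, source: dict, target: dict, policy_type: str,
            stable_id: str, confirm: bool = False, dry_run: bool = True) -> dict:
    """Copy one item from source to target, passing the FR4 gates in order:
    enablement, then dry-run preview (the default), then explicit confirmation.
    Every decision, including refusals, is written to the audit log."""
    ref = {"policy_type": policy_type, "id": stable_id}
    if not ctx.promotion_enabled:
        ctx.audit("promotion_denied", reason="disabled_by_policy", **ref)
        raise PromotionError("promotion is disabled by policy")
    item = source.get(policy_type, {}).get(stable_id)
    if item is None:
        ctx.audit("promotion_denied", reason="unknown_source_item", **ref)
        raise PromotionError(f"{policy_type}/{stable_id} not found in source tenant")
    current = target.get(policy_type, {}).get(stable_id)
    # Preview carries redacted before/after views only, so the audit log never holds secrets.
    preview = {**ref, "before": redact(current) if current else None, "after": redact(item)}
    if dry_run:
        ctx.audit("promotion_preview", **preview)
        return preview
    if not confirm:
        ctx.audit("promotion_denied", reason="not_confirmed", **ref)
        raise PromotionError("explicit confirmation is required for a live promotion")
    target.setdefault(policy_type, {})[stable_id] = deepcopy(item)
    ctx.audit("promotion_applied", **preview)
    return preview


def sample_inventories():
    """Constructed sample inventories for two tenants (fresh copies on each call)."""
    tenant_a = {"compliancePolicy": {
        "pol-001": {"displayName": "Baseline", "version": 3, "state": "active", "secret": "s3cr3t-A"},
        "pol-002": {"displayName": "Encryption", "version": 1, "state": "active"},
    }}
    tenant_b = {"compliancePolicy": {
        "pol-001": {"displayName": "Baseline", "version": 2, "state": "active", "secret": "s3cr3t-B"},
        "pol-003": {"displayName": "Screen lock", "version": 1, "state": "draft"},
    }}
    return deepcopy(tenant_a), deepcopy(tenant_b)


if __name__ == "__main__":
    a, b = sample_inventories()
    print(export_comparison(compare_inventories(a, b, ["compliancePolicy"])))
    ctx = PromotionContext(actor="operator@example.invalid", promotion_enabled=True)
    print(promote(ctx, a, b, "compliancePolicy", "pol-002"))  # dry-run preview, target untouched
    print(promote(ctx, a, b, "compliancePolicy", "pol-002", confirm=True, dry_run=False))
    print(ctx.audit_log)
```

The comparison never touches `promote`, and `promote` is the only function that writes to a tenant; keeping the two paths separate is what lets the read-only default of the Purpose section be enforced by authorization on a single entry point. Redaction happens before anything is exported or logged, so a debug dump of the audit trail cannot leak a secret that the comparison view would have hidden.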
## Related Specs

- Program: `specs/039-inventory-program/spec.md`
- Core: `specs/040-inventory-core/spec.md`
- Drift: `specs/044-drift-mvp/spec.md`