# Requirements Checklist: Spec 419 - M365 TCM Workload Registry Expansion

## Preparation Checklist

- [x] Candidate is user-provided, not auto-selected from the empty active candidate queue.
- [x] Spec 414 is completed/validated dependency context only.
- [x] Spec 415 is completed/validated dependency context only.
- [x] Spec 417 is completed/validated dependency context only.
- [x] Spec 418 is completed/validated dependency context only.
- [x] No existing `specs/419-*` package was found before creation.
- [x] Existing Coverage v2 registry, supported scopes, enums, `ResourceTypeRegistry`, and `ClaimGuard` were verified as repo truth.
- [x] Draft-to-repo deviations are documented.
- [x] No application implementation was performed during preparation.

## Scope Checklist

- [x] Scope is registry expansion only.
- [x] No capture implementation is in scope.
- [x] No compare/render/restore/certification is in scope.
- [x] No customer-facing claims are in scope.
- [x] No new primary navigation or UI route is in scope.
- [x] No domain-specific mini-platform is in scope.
- [x] No runtime Microsoft docs fetch is in scope.

## Product Surface Checklist

- [x] UI Surface Impact records existing Spec 418 operator-surface data impact without runtime UI code scope.
- [x] Product Surface Impact covers data-driven existing-surface impact.
- [x] Browser proof is required if active rows/scopes render, or N/A only with proof that no rendered output changed.
- [x] Human Product Sanity is required if active rows/scopes render, or N/A only with proof that no rendered output changed.
- [x] Product Surface exceptions are `none`.
- [x] Stop-and-amend rule exists for any runtime UI file, route, navigation, action, report, download, or rendered label change beyond data-driven existing registry display.

## Workload Requirements Specified

- [x] Entra workload registration is required.
- [x] Exchange workload registration is required.
- [x] Teams workload registration is required.
- [x] Security and Compliance workload registration is required.
- [x] Defender safe overview/combined representation is required.
- [x] Purview safe overview/combined representation is required.
- [x] Defender/Purview representation uses aggregate supported-scope metadata, not fake certified resource types.
- [x] `tenantpilot` and `unknown` workload posture is covered.

## Resource Type Requirements Specified

- [x] Entra representative entries are listed.
- [x] Exchange representative entries are listed.
- [x] Teams representative entries are listed.
- [x] Security and Compliance representative entries are listed.
- [x] Defender/Purview uncertainty is explicit.
- [x] Full vs seeded/partial catalog decision is explicit.
- [x] Partial list must not be presented as full.

## Source / Support State Requirements Specified

- [x] TCM entries use `source_class = tcm`.
- [x] Current repo source classes remain authoritative unless amended with proportionality proof.
- [x] New non-Intune entries default to detected/registry-only.
- [x] No new entry defaults to content-backed.
- [x] No new entry defaults to comparable.
- [x] No new entry defaults to renderable.
- [x] No new entry defaults to certified.
- [x] No new entry defaults to restore-ready.
- [x] Existing repo restore tiers are mapped safely: `not_restorable` or `preview_only`, never `restorable`.

## Supported Scope Requirements Specified

- [x] Registry-only M365 detected scope is required.
- [x] Per-workload registry detected scopes are required.
- [x] Future generic scope is clearly future-only.
- [x] Certified M365 scope is explicitly none.
- [x] Broad full/certified M365 scope names are forbidden.

## Claim Guard Requirements Specified

- [x] Broad M365 coverage claims must be blocked.
- [x] Certified M365 claims must be blocked.
- [x] Restore-ready M365 claims must be blocked.
- [x] Registry-only claims are internal/operator and denominator-scoped.
- [x] Percent claims require explicit denominator and registry-only wording.

## No Runtime Capture Requirements Specified

- [x] No Graph/TCM calls may be added.
- [x] No runtime Microsoft docs fetch may be added.
- [x] No capture job/action may be added.
- [x] No concrete resources/evidence may be created by registry expansion.
- [x] No OperationRun-producing workflow is planned.

## No Legacy / Ownership Requirements Specified

- [x] No `tenant_id`.
- [x] No old gap taxonomy.
- [x] No v1-to-v2 adapter.
- [x] No fallback reader.
- [x] No dual writes.
- [x] Provider-native tenant/directory/account IDs remain metadata only.

## Test Requirements Specified

- [x] Unit tests cover workloads, manifest/defaults, claims, restore tiers, documentation status, and partial-vs-full catalog behavior.
- [x] Feature/static guards cover registry/scopes/no-overclaim/no-capture/no-mini-platform/no-tenant-id.
- [x] No real Graph/TCM/provider calls are allowed.
- [x] Test lane impact is documented.
- [x] Browser proof is required if active rows/scopes render on the existing Spec 418 operator surface.

## Future Implementation Gate

- [x] M365 workload registry expansion exists.
- [x] New workload entries are registry-only/detected by default.
- [x] Representative resource types exist.
- [x] Full vs partial catalog status is explicit.
- [x] Claim Guard blocks broad M365/certified/restore claims.
- [x] No runtime capture is added.
- [x] No customer-facing claim is activated.
- [x] No `tenant_id` is introduced.
- [x] No mini-platform tables/classes are introduced.
- [x] Focused tests pass.
- [x] Product Surface data-impact decision is confirmed, including browser/Human Product Sanity proof or exact N/A proof.

## Spec Readiness Gate

- [x] `spec.md` exists.
- [x] `plan.md` exists.
- [x] `tasks.md` exists.
- [x] Requirements are bounded and testable.
- [x] Plan identifies likely affected repo surfaces.
- [x] Tasks are ordered, small, verifiable, and include validation.
- [x] Product Surface, RBAC/no-UI, workspace/provider isolation, OperationRun/no-run, evidence/result truth, provider boundary, no-legacy, and test governance are addressed.
- [x] No open question blocks safe implementation.

## Gate Results

- [x] Candidate Selection Gate: PASS.
- [x] Spec Readiness Gate: PASS for preparation; implementation must still follow `tasks.md`.