# Requirements Checklist: Spec 420 - M365 Generic Evidence Coverage Pack

## Preparation Checklist

- [x] Candidate is user-provided, not auto-selected from the empty active candidate queue.
- [x] Spec 414 is read-only dependency context only.
- [x] Spec 415 is read-only dependency context only.
- [x] Spec 417 is read-only dependency context only.
- [x] Spec 418 is read-only dependency context only.
- [x] Spec 419 is read-only dependency context only.
- [x] No existing `specs/420-*` package or branch was found before creation.
- [x] Existing Coverage v2 resource/evidence tables, registry, source resolver, capture service, identity resolver, Claim Guard, OperationRun service, and M365 registry rows were verified as repo truth.
- [x] Draft-to-repo deviations are documented.
- [x] No application implementation was performed during preparation.

## Candidate Scope Checklist

- [x] Selected first pack is bounded to `conditionalAccessPolicy`, `acceptedDomain`, `appPermissionPolicy`, and `dlpCompliancePolicy`.
- [x] At least one enabled capture path is planned only when backed by an explicit repo-real contract.
- [x] Missing-contract paths are first-class requirements, not implementation failures.
- [x] No compare/render/restore/certification/customer output is in scope.
- [x] No new UI start action, route, navigation entry, dashboard, report, download, or customer surface is in scope.
- [x] No workload-specific mini-platform is in scope.

## Product Surface Checklist

- [x] UI Surface Impact records existing Spec 418 operator-surface data impact without runtime UI code scope.
- [x] Product Surface Impact covers data-driven existing-surface impact.
- [x] Browser proof is required if captured/blocked M365 data renders, or N/A only with proof that no rendered output changed.
- [x] Human Product Sanity is required if captured/blocked M365 data renders, or N/A only with proof.
- [x] Product Surface exceptions are `none`.
- [x] Stop-and-amend rule exists for any runtime UI file, route, navigation, action, report, download, customer output, or rendered-label change beyond existing data-driven display.

## OperationRun / RBAC / Scope Checklist

- [x] Existing `tenant_configuration.capture` operation type is reused by default.
- [x] New `tenant_configuration.m365_capture` is rejected unless proportionality review is amended.
- [x] OperationRunService owns status/outcome transitions.
- [x] Summary counts remain flat numeric-only and use existing keys.
- [x] Non-member and missing environment entitlement deny as not found.
- [x] Missing capture capability and readonly denial return 403 after membership is established.
- [x] Provider connection scope must match workspace and managed environment before run creation and job provider work.

## Evidence / Identity / Claim Checklist

- [x] Captured evidence must persist raw payload, normalized payload, payload hash, source metadata, permission context, and OperationRun link.
- [x] Missing contracts must not create fake evidence.
- [x] CanonicalIdentityResolver must be used.
- [x] Display-name-only identity is forbidden as stable identity.
- [x] Identity conflicts and unsafe derived identity block customer-facing claims.
- [x] Claim Guard blocks broad M365, certified, restore-ready, customer-ready, complete tenant, all-resource, and unscoped 100% claims.
- [x] Generic captured evidence does not imply comparable, renderable, restorable, certified, or customer-ready.

## Source Contract / Provider Boundary Checklist

- [x] Provider calls must go through `GraphClientInterface` and existing provider gateway/contract paths.
- [x] `conditionalAccessPolicy` capture depends on explicit repo-real source contract mapping.
- [x] `acceptedDomain`, `appPermissionPolicy`, and `dlpCompliancePolicy` remain missing-contract blockers for Spec 420; adding contracts for those three types requires an amended package or follow-up spec.
- [x] Endpoint guessing from canonical type strings or source aliases is forbidden.
- [x] Runtime Microsoft docs scraping is forbidden.
- [x] Provider-native tenant/directory/account IDs remain metadata only.

## No Legacy / Ownership Checklist

- [x] No `tenant_id`.
- [x] No old gap taxonomy.
- [x] No v1-to-v2 adapter.
- [x] No fallback reader.
- [x] No dual writes.
- [x] No old snapshot promotion.
- [x] No customer-facing dual truth.

## Test Requirements Checklist

- [x] Unit tests cover source contracts, eligibility, normalization/hash, identity strategy, Claim Guard, and redaction.
- [x] Feature tests cover capture persistence, OperationRun, authorization, provider scope, no-overclaim, no-legacy, and no-tenant-id.
- [x] No real Graph/TCM/provider calls are allowed in tests.
- [x] Test lane impact is documented.
- [x] PostgreSQL lane is required if migrations/check constraints/indexes change.
- [x] Browser proof is required if existing Spec 418 operator surface renders captured/blocked M365 data.

## Spec Readiness Gate

- [x] `spec.md` exists.
- [x] `plan.md` exists.
- [x] `tasks.md` exists.
- [x] Requirements are bounded and testable.
- [x] Plan identifies likely affected repo surfaces.
- [x] Tasks are ordered, small, verifiable, and include validation.
- [x] Product Surface, RBAC, workspace/provider isolation, OperationRun, evidence/result truth, provider boundary, no-legacy, and test governance are addressed.
- [x] No open question blocks safe implementation.

## Gate Results

- [x] Candidate Selection Gate: PASS for direct user-provided candidate.
- [x] Spec Readiness Gate: PASS for preparation; implementation must still follow `tasks.md`.