# Requirements Checklist: Spec 423 - Security and Compliance Readiness Pack

**Purpose**: Validate that the Spec 423 artifacts are ready for implementation without widening scope beyond bounded Coverage v2 compare/render/readiness support.

**Created**: 2026-06-30

**Feature**: [spec.md](../spec.md)

## Scope and Candidate Fit

- [x] CHK001 The selected candidate is explicitly Spec 423 - Security and Compliance Readiness Pack.
- [x] CHK002 The spec explains why the active auto-prep queue being empty does not block this user-promoted candidate.
- [x] CHK003 The spec states the smallest viable slice as DB-only compare/render/readiness over existing content-backed Coverage v2 evidence.
- [x] CHK004 The mandatory first resource types are limited to `retentionCompliancePolicy`, `labelPolicy`, and `dlpCompliancePolicy`.
- [x] CHK005 Optional resource types `autoSensitivityLabelPolicy`, `protectionAlert`, and `complianceTag` are evidence-gated and test-gated.
- [x] CHK006 Explicit non-goals exclude restore/apply, certification, legal/regulatory attestation, customer reports, Review Pack output, new capture/source contracts, new routes/navigation/dashboards, new tables, live provider calls, and a Security/Purview mini-platform.

## Existing Evidence and Ownership

- [x] CHK007 The spec and plan identify existing Coverage v2 registry/read-model truth as the implementation base.
- [x] CHK008 The implementation tasks require an evidence-promotion matrix for all six candidate resource types before runtime work.
- [x] CHK009 Ownership is workspace/environment/provider-connection scoped and does not introduce `tenant_id`.
- [x] CHK010 Related completed Specs 414, 415, and 417-422 are treated as read-only context.

## Compare, Render, and Readiness Semantics

- [x] CHK011 Compare labels are bounded to `added`, `removed`, `changed`, `unchanged`, `ignored_volatile`, `redacted`, `unsupported_field`, and `manual_review_required`.
- [x] CHK012 Importance labels are derived and bounded to `critical`, `important`, `informational`, and `manual_review_required`.
- [x] CHK013 Readiness labels are derived, non-persisted, and bounded to the seven states listed in the spec.
- [x] CHK014 Readiness wording cannot imply restore readiness, certification readiness, legal readiness, customer readiness, or Microsoft tenant mutation readiness.
- [x] CHK015 Unsupported or high-risk fields require redaction, unsupported-field handling, or manual-review handling rather than raw default output.

## Safety, Claims, and Redaction

- [x] CHK016 Claim Guard allows only scoped internal/operator comparable/renderable/readiness claims for selected Security and Compliance evidence.
- [x] CHK017 Claim Guard blocks restore-ready, apply-ready, certified, legal/regulatory, customer-facing, Review Pack, broad Security and Compliance, broad Purview, and 100 percent coverage claims.
- [x] CHK018 Default-visible summaries hide raw JSON, provider responses, secrets, fingerprints, incident/content payloads, and internal debug fields.
- [x] CHK019 Render/compare/readiness paths are DB-only and cannot call Graph, TCM, HTTP, live providers, or Microsoft documentation.
- [x] CHK020 Selected resource types remain non-restorable and no destructive/high-impact action becomes reachable.

## Product Surface Contract

- [x] CHK021 The UI Surface Impact section identifies only existing internal/operator Coverage v2 status/evidence/review presentation changes.
- [x] CHK022 The Product Surface plan classifies the page archetype as Technical Annex / read-only evidence inspection.
- [x] CHK023 No new route, navigation entry, modal, wizard, table, dashboard, panel provider, customer surface, or action is planned.
- [x] CHK024 Browser proof is required if rendered output changes; otherwise the implementation report must record exactly `N/A - no rendered UI surface changed`.
- [x] CHK025 Human Product Sanity must verify that an internal operator can decide manual-review need without raw payloads or overclaim.
- [x] CHK026 Product Surface exceptions are `none` unless implementation amends the spec/plan before runtime UI work.

## Filament, Livewire, and Deployment

- [x] CHK027 Livewire v4 and Filament v5 posture is explicit.
- [x] CHK028 Panel provider registration location is `apps/platform/bootstrap/providers.php`, with no panel change planned.
- [x] CHK029 Global search posture is no resource/global search change.
- [x] CHK030 Asset strategy is no new assets unless later amended.
- [x] CHK031 Deployment impact is expected to be no migrations, env vars, queues, scheduler, storage, or assets.

## Testing and Review Readiness

- [x] CHK032 Tasks include tests for mandatory type normalization, compare labels, render summaries, readiness states, redaction, Claim Guard, RBAC, no remote calls, and no overclaim.
- [x] CHK033 Tasks include optional type defer/promotion rules with evidence and test gates.
- [x] CHK034 Tasks include implementation-report close-out fields for the promoted/deferred type matrix, Product Surface proof, Filament/Livewire posture, deployment impact, no `tenant_id`, no completed-spec rewrites, no remote calls, and no mini-platform.
- [x] CHK035 Stop conditions require spec/plan amendment before widening scope.
- [x] CHK036 Preparation analysis finds no unresolved placeholders, no contradiction between spec/plan/tasks, and no missing hard-gate artifact.

## Review Outcome

- [x] CHK037 Ready for implementation without scope change.
- [ ] CHK038 Ready only after checklist items are corrected.
- [ ] CHK039 Blocked pending user/product/legal/security decision.
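The bounded compare labels (CHK011), derived importance labels (CHK012), unsupported/high-risk field handling (CHK015) and value-hiding default summary (CHK018) above, shown together as an added worked example. This is illustrative code written for this checklist, not code from Spec 423 or the Coverage v2 code base: the field classification tables, the label precedence order, the `retentionCompliancePolicy`-like sample snapshots and every value in them are constructed assumptions. It compares two stored snapshots field by field with no provider calls, enforces that every emitted label stays inside the bounded sets, and keeps raw values out of the default-visible summary for redacted, unsupported, volatile and manual-review fields.

```python
from dataclasses import dataclass
from typing import Any

# Bounded label sets taken from CHK011 and CHK012.
COMPARE_LABELS = frozenset({
    "added", "removed", "changed", "unchanged", "ignored_volatile",
    "redacted", "unsupported_field", "manual_review_required",
})
IMPORTANCE_LABELS = frozenset({"critical", "important", "informational", "manual_review_required"})

# Constructed field classification for a retentionCompliancePolicy-like shape.
# These tables are assumptions for this example, not Spec 423's real rules.
VOLATILE_FIELDS = frozenset({"lastModifiedDateTime", "etag"})
REDACTED_FIELDS = frozenset({"clientSecret", "contentFingerprint"})
UNSUPPORTED_FIELDS = frozenset({"rawProviderResponse"})
MANUAL_REVIEW_FIELDS = frozenset({"exceptions"})
CRITICAL_FIELDS = frozenset({"enabled", "retentionDurationDays", "action", "clientSecret"})
IMPORTANT_FIELDS = frozenset({"displayName", "locations"})

# Only these labels may carry raw values out of the compare step at all.
VALUE_BEARING = frozenset({"added", "removed", "changed", "unchanged"})

_MISSING = object()  # sentinel: field absent from one snapshot


@dataclass(frozen=True)
class FieldDiff:
    field: str
    label: str
    importance: str
    before: Any = None  # stays None unless the label is value-bearing
    after: Any = None


def label_field(field: str, before: Any, after: Any) -> str:
    """Derive the bounded compare label for one field (assumed precedence order)."""
    if field in UNSUPPORTED_FIELDS:
        return "unsupported_field"
    if field in MANUAL_REVIEW_FIELDS:
        return "manual_review_required"
    if field in VOLATILE_FIELDS:
        return "ignored_volatile"
    if field in REDACTED_FIELDS:
        return "redacted"  # a change is reportable, the value is not
    if before is _MISSING:
        return "added"
    if after is _MISSING:
        return "removed"
    return "changed" if before != after else "unchanged"


def importance_for(field: str, label: str) -> str:
    """Derive the bounded importance label from the field class and compare label."""
    if label == "manual_review_required":
        return "manual_review_required"
    if label in ("ignored_volatile", "unchanged"):
        return "informational"
    if field in CRITICAL_FIELDS:
        return "critical"
    if field in IMPORTANT_FIELDS:
        return "important"
    return "informational"


def compare_snapshots(before: dict, after: dict) -> list[FieldDiff]:
    """Field-by-field compare of two already-stored snapshots (DB-only, no remote calls)."""
    diffs = []
    for field in sorted(set(before) | set(after)):
        b, a = before.get(field, _MISSING), after.get(field, _MISSING)
        label = label_field(field, b, a)
        importance = importance_for(field, label)
        if label not in COMPARE_LABELS or importance not in IMPORTANCE_LABELS:
            raise ValueError(f"unbounded label for {field}: {label}/{importance}")
        keep = label in VALUE_BEARING
        diffs.append(FieldDiff(
            field, label, importance,
            before=None if (b is _MISSING or not keep) else b,
            after=None if (a is _MISSING or not keep) else a,
        ))
    return diffs


def default_summary(diffs: list[FieldDiff]) -> dict:
    """Default-visible view: labels and per-label counts; values only for plain added/removed/changed."""
    rows = []
    for d in diffs:
        row = {"field": d.field, "label": d.label, "importance": d.importance}
        if d.label in ("added", "removed", "changed"):
            row["before"], row["after"] = d.before, d.after
        rows.append(row)
    counts = {label: sum(1 for d in diffs if d.label == label) for label in sorted(COMPARE_LABELS)}
    return {"counts": counts, "fields": rows}


# Constructed sample snapshots (not real tenant data).
BEFORE = {
    "displayName": "Finance retention", "enabled": True, "retentionDurationDays": 365,
    "action": "retain", "locations": ["exchange"], "clientSecret": "s3cr3t-old",
    "contentFingerprint": "ab12", "rawProviderResponse": {"status": 200, "body": "..."},
    "exceptions": "see ticket", "lastModifiedDateTime": "2026-06-01T00:00:00Z", "etag": "W/1",
}
AFTER = {
    "displayName": "Finance retention", "enabled": False, "retentionDurationDays": 365,
    "description": "Quarterly review", "locations": ["exchange", "sharepoint"],
    "clientSecret": "s3cr3t-new", "contentFingerprint": "ab12",
    "rawProviderResponse": {"status": 200, "body": "..."}, "exceptions": "see ticket",
    "lastModifiedDateTime": "2026-06-30T00:00:00Z", "etag": "W/2",
}

if __name__ == "__main__":
    for row in default_summary(compare_snapshots(BEFORE, AFTER))["fields"]:
        print(row)
```

The `ValueError` guard is the point of the bounded sets: a renderer downstream can only ever receive one of the eight compare labels and four importance labels, so free-text wording that could drift into readiness or restore claims has no path into the summary.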