# Requirements Checklist: Spec 418 - Coverage v2 Operator Surface ## Candidate And Dependencies - [x] Candidate is user-provided, not auto-selected from an empty active candidate queue. - [x] Spec 414 is completed/validated dependency context only. - [x] Spec 415 is completed/validated dependency context only. - [x] Spec 417 is completed/validated dependency context only. - [x] No existing `418-coverage-v2-operator-surface` spec directory was found before creation. - [x] Scope is limited to one internal operator readiness surface. - [x] No application implementation was performed during preparation. ## Scope - [x] Spec 418 depends on Coverage v2 kernel/capture/identity. - [x] Spec 418 adds one operator-only read surface. - [x] Spec 418 does not activate customer-facing Coverage v2 truth. - [x] Spec 418 does not convert Evidence Overview, Review Packs, Reports, Restore, Baseline Compare, or Customer Review Workspace. - [x] Spec 418 does not add capture/start actions. - [x] Deferred Coverage v2 cutover/removal and customer activation are listed as follow-up work. ## Product Surface - [x] Product Surface Impact is declared. - [x] Surface is Secondary Context Surface. - [x] Surface is Read-only Registry / Report Surface. - [x] Surface is Native Surface unless implementation documents an approved exception. - [x] Inspect/open model uses a linked primary column instead of a duplicate View/Inspect row action. - [x] Primary operator question is explicit. - [x] Default-visible truth is explicit. - [x] Diagnostics are secondary/disclosed. - [x] Raw/support evidence is hidden. - [x] Browser proof is required. - [x] Product Surface table-count exception is documented and internal-only. - [x] Product Surface table-count exception is classified as a PSC Technical Annex surface-budget exception, with UI-EX-001 remaining `none` for native Filament implementation. - [x] Human Product Sanity questions are explicit. - [x] `docs/product/standards/list-surface-review-checklist.md` is required for implementation close-out. ## Ownership / RBAC - [x] No `tenant_id` internal ownership. - [x] Surface scopes by workspace and managed environment. - [x] Provider connection filters are same-scope. - [x] Non-member gets 404. - [x] No environment entitlement gets 404. - [x] Member without capability gets 403. - [x] Authorized actor can view. - [x] Workspace-wide aggregation, if implemented, is limited to entitled environments. ## Data / Render - [x] Page render is DB-only. - [x] No Graph/TCM/provider calls during render. - [x] No capture action. - [x] No remote calls in table columns, badges, filters, or diagnostics. - [x] No persisted UI-only summary table unless the spec is amended with proportionality proof. - [x] Narrow indexes are allowed only with documented query path. - [x] Top activation blocker ordering is deterministic. ## Vocabulary - [x] Shows Coverage level. - [x] Shows Evidence state. - [x] Shows Identity state. - [x] Shows Claim state. - [x] Shows Source class. - [x] Shows Supported scope. - [x] Status-like rendered values use `BadgeCatalog`/`BadgeRenderer` or a central BadgeDomain mapping. - [x] Does not show Evidence gaps. - [x] Does not show Raw gaps. - [x] Does not show Primary gaps. - [x] Does not show policy_record_missing. - [x] Does not show foundation_not_policy_backed. - [x] Does not show meta_fallback. - [x] Does not show ambiguous_match. - [x] Does not show old v1 gap reason codes as active UI truth. ## Claim Safety - [x] No unscoped 100% claim. - [x] No broad Microsoft 365 coverage claim. - [x] No certified claim unless exact internal guard allows and the label remains internal. - [x] No restore-ready claim. - [x] No customer-ready proof claim. - [x] Claim state labels are internal/operator-facing. ## Redaction - [x] Raw payload hidden. - [x] Normalized payload hidden by default. - [x] Permission context raw JSON hidden. - [x] Tokens, secrets, authorization headers, cookies, private keys, certificates, raw provider responses, stack traces, and PII absent. - [x] OperationRun diagnostics are secondary and authorized. - [x] Evidence hash is allowed if safe. ## Tests - [x] Unit tests cover read model, summary, blockers, display mapping, and no-old-label emissions. - [x] Feature tests cover authorization, render, redaction, no-legacy, no-remote, OperationRun links, and provider scope. - [x] Browser smoke covers rendered UI. - [x] No real Graph/TCM/provider calls are allowed. - [x] Test lane impact is documented. ## Spec Readiness Gate - [x] `spec.md` exists. - [x] `plan.md` exists. - [x] `tasks.md` exists. - [x] Requirements are bounded and testable. - [x] Plan identifies likely affected repo surfaces. - [x] Tasks are ordered, small, verifiable, and include validation. - [x] Product Surface, RBAC, workspace/provider isolation, OperationRun, evidence, provider boundary, no-legacy, and test governance are addressed. - [x] No open question blocks safe implementation. ## Gate Results - [x] Candidate Selection Gate: PASS. - [x] Spec Readiness Gate: PASS for preparation; implementation must still follow `tasks.md`.