# Implementation Report: Spec 414 - TCM-First Coverage v2 Kernel

## Preflight

- Branch: `414-tcm-first-coverage-core-cutover`
- Starting HEAD: `fdd9eb2e feat: add focused pilot gate recheck (#480)`
- Starting dirty state: `.specify/memory/constitution.md` modified; `specs/414-tcm-first-coverage-core-cutover/` untracked.
- Dirty-state assessment: active Spec 414 preparation artifacts only; no runtime code was dirty before implementation.

## Scope Close-Out

- Kernel status: inactive Coverage v2 kernel only.
- Kernel tables: `tenant_configuration_resource_types`, `tenant_configuration_supported_scopes`.
- Kernel models: `TenantConfigurationResourceType`, `TenantConfigurationSupportedScope`.
- Kernel services: `ResourceTypeRegistry`, `SupportedScopeResolver`, `ClaimGuard`.
- Kernel value families: `SourceClass`, `Workload`, `ResourceClass`, `SupportState`, `CoverageLevel`, `EvidenceState`, `IdentityState`, `ClaimState`, `RestoreTier`.
- Runtime UI impact: none.
- Browser proof: `N/A - no rendered UI surface changed`.
- Human Product Sanity: `N/A - no rendered UI surface changed`; workflow sanity result is that the slice remains inactive and does not create customer-facing dual truth.
- OperationRun impact: none.
- Remote provider calls: none.
- Legacy compatibility: no v1-to-v2 adapter, fallback reader, dual write, old snapshot promotion, or old gap-taxonomy runtime dependency introduced.
- Optional concrete resource/evidence tables: deferred; the required definition tables and service tests prove the kernel scope without environment-owned observation rows.
- Provider provenance: required definition tables intentionally omit `workspace_id`, `managed_environment_id`, and `provider_connection_id`; provider-native tenant IDs remain outside Coverage v2 ownership schema.
- `tenant_id` proof: required Coverage v2 tables omit `tenant_id` and any provider-native tenant identifier columns.
- Policy posture: no policies were added because the new models are inactive platform-seeded definitions with no route, Filament resource, API, or mutation surface. Later activation must add policy/authorization coverage before exposure.

## Manual Review Finding Remediation

- PASS: Supported-scope denominator integrity is fail-closed. `SupportedScopeResolver` now rejects unknown canonical resource types instead of silently shrinking the denominator before completeness checks.
- PASS: Denominator fail-closed behavior is covered in both unit and feature lanes, including persisted supported-scope rows.
- PASS: Spec 414 migration seed semantics are frozen in the migration and no longer depend on mutable runtime registry/resolver services or enum value lists.
- PASS: A focused schema guard verifies the historical migration does not import `App\Services\TenantConfiguration\*` or `App\Support\TenantConfiguration\*` runtime defaults.
- PASS: Coverage v2 factories now emit JSONB object-shaped `metadata`, matching the PostgreSQL object check constraints.

## Product Surface Close-Out

- Livewire v4 compliance: Livewire 4.1.4 confirmed; no Livewire code changed.
- Provider registration location: no panel provider change; Laravel 12 providers remain in `apps/platform/bootstrap/providers.php`.
- Global search posture: no Filament resource or global search change.
- Destructive/high-impact actions: none introduced.
- Asset strategy: no assets registered; `filament:assets` is not required for this spec.
- Visible complexity outcome: neutral; no rendered product surface changed.
- Deployment impact: additive migrations for inactive kernel definition tables only; no env vars, queues, scheduler, storage, or asset step.
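
The fail-closed denominator rule from the Manual Review Finding Remediation section, as an added PHP illustration that is not the project's `SupportedScopeResolver` code. The function names, the `KNOWN_TYPES` registry and the resource type names are hypothetical and constructed for this example.

```php
<?php
declare(strict_types=1);

// Hypothetical registry of canonical resource types (constructed sample values).
const KNOWN_TYPES = ['compliance_policy', 'configuration_profile', 'access_policy'];

/** Fail-open: unknown types are silently dropped, which shrinks the denominator. */
function resolveScopeFailOpen(array $requested): array
{
    return array_values(array_intersect($requested, KNOWN_TYPES));
}

/** Fail-closed: any unknown type aborts resolution before completeness is computed. */
function resolveScopeFailClosed(array $requested): array
{
    $unknown = array_values(array_diff($requested, KNOWN_TYPES));
    if ($unknown !== []) {
        throw new InvalidArgumentException(
            'Unknown canonical resource type(s): ' . implode(', ', $unknown)
        );
    }
    return array_values(array_unique($requested));
}

/** Completeness = covered types in scope / denominator; an empty denominator is never complete. */
function completeness(array $denominator, array $covered): float
{
    if ($denominator === []) {
        return 0.0;
    }
    return count(array_intersect($denominator, $covered)) / count($denominator);
}

// Constructed input: the third entry is a misspelled type the registry does not know.
$requested = ['compliance_policy', 'configuration_profile', 'acess_policy'];
$covered   = ['compliance_policy', 'configuration_profile'];

// Fail-open: the unrecognised type vanishes from the denominator and inflates completeness.
printf("fail-open:   %.0f%%\n", 100 * completeness(resolveScopeFailOpen($requested), $covered));

// Fail-closed: the same input is rejected, so no completeness claim is produced at all.
try {
    printf("fail-closed: %.0f%%\n", 100 * completeness(resolveScopeFailClosed($requested), $covered));
} catch (InvalidArgumentException $e) {
    echo 'fail-closed: rejected (', $e->getMessage(), ")\n";
}
```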

## Validation

- PASS: `cd apps/platform && ./vendor/bin/sail bin pint app/Services/TenantConfiguration/SupportedScopeResolver.php database/migrations/2026_06_25_000414_create_tenant_configuration_kernel_tables.php tests/Unit/Support/TenantConfiguration/SupportedScopeResolverTest.php tests/Feature/TenantConfiguration/TenantConfigurationSupportedScopeTest.php tests/Feature/TenantConfiguration/TenantConfigurationKernelSchemaTest.php --format agent`
- PASS: `cd apps/platform && ./vendor/bin/sail bin pint database/factories/TenantConfigurationResourceTypeFactory.php database/factories/TenantConfigurationSupportedScopeFactory.php tests/Feature/TenantConfiguration/TenantConfigurationSupportedScopeTest.php --format agent`
- PASS: `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Support/TenantConfiguration` (14 tests, 40 assertions)
- PASS: `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/TenantConfiguration` (11 passed, 1 PostgreSQL-only skipped, 43 assertions)
- NOTE: `cd apps/platform && ./vendor/bin/sail php vendor/bin/pest -c phpunit.pgsql.xml --filter=TenantConfiguration` matched no tests in this repo.
- PASS: `cd apps/platform && ./vendor/bin/sail php vendor/bin/pest -c phpunit.pgsql.xml tests/Feature/TenantConfiguration` (12 tests, 48 assertions)
- PASS: `git diff --check`
- PASS: untracked implementation-file whitespace check via `git diff --no-index --check /dev/null `

## Final Dirty State

- `.specify/memory/constitution.md`
- `apps/platform/app/Models/TenantConfigurationResourceType.php`
- `apps/platform/app/Models/TenantConfigurationSupportedScope.php`
- `apps/platform/app/Services/TenantConfiguration/*`
- `apps/platform/app/Support/TenantConfiguration/*`
- `apps/platform/database/factories/TenantConfigurationResourceTypeFactory.php`
- `apps/platform/database/factories/TenantConfigurationSupportedScopeFactory.php`
- `apps/platform/database/migrations/2026_06_25_000414_create_tenant_configuration_kernel_tables.php`
- `apps/platform/tests/Feature/TenantConfiguration/*`
- `apps/platform/tests/Unit/Support/TenantConfiguration/*`
- `specs/414-tcm-first-coverage-core-cutover/*`

## Follow-Up Candidates

- Spec 415 - Generic Content-Backed Capture.
- Spec 416 - Canonical Identity Engine.
- Spec 417 - Coverage v2 Operator Surface.
- Spec 418 - Legacy Coverage Cutover & Removal.
- Spec 419 - Intune Core Comparable/Renderable Pack.
- Spec 420 - Certified Intune Core Coverage Pack.