TenantAtlas/specs/419-m365-tcm-workload-registry-expansion/tasks.md
ahmido 5252398063 feat: expand m365 tcm workload registry (#486)
Automated PR provided by Codex via Gitea API.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #486
2026-06-26 22:36:24 +00:00


Tasks: Spec 419 - M365 TCM Workload Registry Expansion

Input: specs/419-m365-tcm-workload-registry-expansion/spec.md, specs/419-m365-tcm-workload-registry-expansion/plan.md, specs/419-m365-tcm-workload-registry-expansion/checklists/requirements.md

Prerequisites: completed Specs 414, 415, 417, and 418 as read-only dependency context

Tests: Required. Runtime registry/default/claim behavior must be covered with focused Pest unit and feature/static guard tests. The PostgreSQL lane is required if migrations, check constraints, or indexes change. Focused browser proof is required if new active registry rows/scopes render on the existing Spec 418 Coverage v2 operator surface.

Test Governance Checklist

  • Lane assignment is named and is the narrowest sufficient proof for registry/default/claim behavior.
  • New or changed tests stay in Unit/Feature lanes; PostgreSQL lane is explicit only if schema/check constraints change.
  • Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default and opt-in.
  • Planned validation commands cover the change without pulling unrelated lane cost.
  • Browser proof is required for data-driven existing-surface changes, or explicitly N/A only with proof that no new rows/scopes render.
  • Human Product Sanity and Product Surface implementation-report close-out cover existing-surface data impact, or are N/A only with proof that no rendered output changed.
  • Material budget, baseline, trend, or escalation notes are recorded if test cost changes.

Phase 1: Preflight And Dependency Guard

  • T001 Capture branch, HEAD, git status --short, activated skills, and hard-gate status in specs/419-m365-tcm-workload-registry-expansion/implementation-report.md.
  • T002 Confirm specs/414-tcm-first-coverage-core-cutover/implementation-report.md, specs/415-generic-content-backed-capture/implementation-report.md, specs/417-canonical-identity-engine/, and specs/418-coverage-v2-operator-surface/ are dependency context only and must not be modified.
  • T003 Confirm current Coverage v2 registry surfaces exist: TenantConfigurationResourceType, TenantConfigurationSupportedScope, ResourceTypeRegistry, Coverage v2 enum classes, and ClaimGuard.
  • T004 Inspect current ResourceTypeRegistry::defaultDefinitions(), supported-scope definitions, migrations/check constraints, factories, and Claim Guard rules before editing.
  • T005 Record the draft-to-repo mapping for missing draft terms: no tenantpilot_internal source class, no detected_only support state, no compare_only or manual_review_required restore tier.
  • T006 Stop if Coverage v2 registry or Claim Guard is missing, or if implementation would require capture, compare, render, restore, certification, customer output, runtime docs fetch, UI activation, tenant_id, or workload-specific mini-platforms.

Phase 2: Tests First - Workloads, Manifest, And Defaults

  • T007 Add focused workload registry tests proving intune, entra, exchange, teams, security_compliance, defender, purview, tenantpilot, and unknown are accepted by the shared Coverage v2 workload enum/check path.
  • T008 Add manifest/default tests proving new non-Intune entries default to default_coverage_level = detected, default_evidence_state = not_captured, and default_claim_state = internal_only or claim_blocked.
  • T009 Add tests proving new non-Intune entries do not default to content_backed, comparable, renderable, restorable, certified, or claim_allowed.
  • T010 Add documentation status tests proving documented_resource_catalog, documented_overview_only, combined_catalog, graph_only, internal, and unknown are represented in metadata or a justified field.
  • T011 Add partial-vs-full catalog tests proving seeded/partial manifests use is_full_catalog = false or equivalent metadata and cannot be treated as full workload coverage.
  • T012 Add restore-tier default tests proving high-risk resource types use not_restorable or preview_only, never restorable.

Phase 3: Tests First - Representative Resource Types

  • T013 Add Entra registry tests for conditionalAccessPolicy, securityDefaults, application, servicePrincipal, roleDefinition, and administrativeUnit.
  • T014 Add Exchange registry tests for transportRule, acceptedDomain, sharedMailbox, remoteDomain, mailboxPlan, and organizationConfig.
  • T015 Add Teams registry tests for appPermissionPolicy, appSetupPolicy, meetingPolicy, messagingPolicy, teamsUpdateManagementPolicy, and voiceRoute.
  • T016 Add Security and Compliance registry tests for labelPolicy, retentionCompliancePolicy, dlpCompliancePolicy or repo-canonical equivalent, autoSensitivityLabelPolicy, protectionAlert, and complianceTag.
  • T017 Add Defender/Purview workload status tests proving they are represented under tenant_configuration_supported_scopes.metadata.workload_documentation_status.defender and .purview on the aggregate M365 planning scope, and are not represented as fake certified resource types.

Phase 4: Tests First - Supported Scopes And Claim Guard

  • T018 Add supported-scope tests for m365_tcm_registry_detected, entra_tcm_registry_detected, exchange_tcm_registry_detected, teams_tcm_registry_detected, security_compliance_tcm_registry_detected, m365_tcm_generic_future, and m365_tcm_certified_none, including proof that new planning scopes do not accidentally become the existing Coverage v2 operator surface default scope.
  • T019 Add tests proving forbidden scopes do not exist: m365_full_coverage, m365_certified, all_microsoft_365_supported, full_tenant_coverage, and full_m365_restore_ready.
  • T020 Add Claim Guard tests blocking 100% Microsoft 365 coverage, Full M365 coverage, Certified M365 coverage, Restore-ready M365 coverage, Complete tenant coverage, All Microsoft 365 resources supported, and All TCM resources certified.
  • T021 Add Claim Guard tests proving internal registry-only percent wording is allowed only when it is explicitly denominator-scoped, for example a count out of the seeded Entra registry entries, and never as an unscoped M365 percentage.

Phase 5: Tests First - No Runtime Capture, No Tenant ID, No Mini-Platform

  • T022 Add static/feature guard proving no Graph/TCM/provider remote call path or runtime Microsoft documentation fetch is introduced by Spec 419.
  • T023 Add guard proving no capture job, scheduler sync, queue sync, capture/start action, restore/apply action, publish/export action, or certification action is added.
  • T024 Add guard proving registry sync/seed does not create concrete TenantConfigurationResource or TenantConfigurationResourceEvidence rows.
  • T025 Add schema/source guard proving no tenant_id is introduced as Coverage v2 ownership truth.
  • T026 Add guard proving no workload-specific tables/classes/engines are introduced for Entra, Exchange, Teams, Security and Compliance, Defender, or Purview.
  • T027 Add guard proving no v1 gap taxonomy, v1-to-v2 adapter, fallback reader, old snapshot promotion, dual write, or customer-facing dual truth appears.
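The static guards in T022 and T023 are easiest to keep honest as a token scan over the registry sources rather than as a prose assertion. The following is an added example, not TenantAtlas code: the token lists, the helper name and the two sample source files are constructed for illustration, and a Pest test would feed the helper the real files under app/Support/TenantConfiguration instead.

```php
<?php
// Added example (not TenantAtlas code): a static guard that scans PHP sources for
// outbound-call and job/scheduler tokens. The file contents below are constructed;
// in a Pest test you would pass the real files under app/Support/TenantConfiguration.
declare(strict_types=1);

/** Tokens that indicate an outbound call path or a runtime documentation fetch (T022). */
const REMOTE_CALL_TOKENS = [
    'Http::', 'GuzzleHttp\\', 'curl_init(', 'fsockopen(', 'stream_socket_client(',
    'graph.microsoft.com', 'learn.microsoft.com', 'Microsoft\\Graph',
];

/** Tokens that indicate a capture job, queue or scheduler hook (T023). */
const JOB_TOKENS = ['ShouldQueue', 'dispatch(', 'Schedule::', '->schedule(', 'Artisan::call('];

/**
 * Returns one "path:line: token" string per forbidden occurrence.
 * $files maps a relative path to its source text. Comment lines are skipped so a
 * comment saying that Graph is NOT called does not trip the guard.
 */
function forbiddenCallSites(array $files, array $tokens): array
{
    $hits = [];
    foreach ($files as $path => $source) {
        foreach (explode("\n", $source) as $index => $line) {
            $trimmed = ltrim($line);
            if (str_starts_with($trimmed, '//') || str_starts_with($trimmed, '*') || str_starts_with($trimmed, '/*')) {
                continue;
            }
            foreach ($tokens as $token) {
                if (str_contains($line, $token)) {
                    $hits[] = sprintf('%s:%d: %s', $path, $index + 1, $token);
                }
            }
        }
    }
    return $hits;
}

// Constructed sample sources: a clean static manifest and a file that would violate Spec 419.
$sampleFiles = [
    'app/Support/TenantConfiguration/ResourceTypeRegistry.php' => <<<'PHP'
        <?php
        // Static manifest only; no Graph call is made here.
        final class ResourceTypeRegistry
        {
            public static function defaultDefinitions(): array { return []; }
        }
        PHP,
    'app/Support/TenantConfiguration/EntraCatalogRefresher.php' => <<<'PHP'
        <?php
        use Illuminate\Support\Facades\Http;
        final class EntraCatalogRefresher
        {
            public function refresh(): array
            {
                return Http::get('https://learn.microsoft.com/graph/api/resources')->json();
            }
        }
        PHP,
];

// Prints the two hits on the refresh() line of the second file; the first file is clean.
print_r(forbiddenCallSites($sampleFiles, array_merge(REMOTE_CALL_TOKENS, JOB_TOKENS)));
```

In a Pest test the assertion is simply that the helper returns an empty array over the real directory listing (for example the files from `File::allFiles(app_path('Support/TenantConfiguration'))`). Treat the scan as a tripwire rather than proof: it catches the obvious client and scheduler entry points but not a call hidden behind an injected service, so the feature-lane tests for the registry sync should also run with `Http::preventStrayRequests()` enabled so that any unexpected outbound request fails the test.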

Phase 6: Workload Enum And Registry Metadata

  • T028 Expand or confirm apps/platform/app/Support/TenantConfiguration/Workload.php values and related database check constraints for the required workload set.
  • T029 Prefer existing JSONB metadata for documentation_status, catalog_source, catalog_last_reviewed_at, source_aliases, risk_tier, default_restore_posture, is_full_catalog, and catalog_import_batch.
  • T030 If documentation status or catalog metadata needs a dedicated column/constraint, add a narrow reversible migration and record the proportionality reason in the implementation report.
  • T031 Ensure enum/check-constraint additions are mirrored across model casts, migrations, factories, tests, and any registry sync path.

Phase 7: Resource Type Manifest / Registry Expansion

  • T032 Update ResourceTypeRegistry::defaultDefinitions() or repo-equivalent static manifest/config with M365 representative entries.
  • T033 Ensure TCM-documented entries use source_class = tcm.
  • T034 Ensure all new non-Intune entries use conservative defaults: support out_of_scope unless a new state is justified, coverage detected, evidence not_captured, claim internal_only or claim_blocked, restore not_restorable or preview_only.
  • T035 Add Entra representative entries with high-risk defaults for Conditional Access, Security Defaults, and role definitions.
  • T036 Add Exchange representative entries with high-risk defaults for transport rules and organization configuration.
  • T037 Add Teams representative entries with manual-review/preview-only defaults.
  • T038 Add Security and Compliance representative entries with high-risk defaults for labels, retention, DLP, and auto-sensitivity label policies.
  • T039 Represent Defender and Purview through tenant_configuration_supported_scopes.metadata.workload_documentation_status on the aggregate M365 planning scope without inventing fake certified resource types.
  • T040 Ensure aliases such as dataLossPreventionPolicy vs dlpCompliancePolicy are source aliases, not duplicate canonical types, unless implementation documents a reason.
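The conservative defaults in T034, the restore-tier rule in T012, and the partial-catalog marker in T011/T040 are all invariants over the static manifest, so they can be checked by one function a unit test runs over ResourceTypeRegistry::defaultDefinitions(). The following is an added example and not TenantAtlas code: the entry shape mirrors the field names used in this tasks file, while the keys type, workload, support_state and risk_tier, the helper names, and the sample entries are assumptions.

```php
<?php
// Added example (not TenantAtlas code): representative M365 manifest entries in the
// shape tasks.md describes, plus an invariant check a unit test can run over
// ResourceTypeRegistry::defaultDefinitions(). Field names not listed in tasks.md
// (type, workload, support_state, risk_tier) are assumptions.
declare(strict_types=1);

const ALLOWED_NON_INTUNE_CLAIM = ['internal_only', 'claim_blocked'];
const ALLOWED_HIGH_RISK_RESTORE = ['not_restorable', 'preview_only'];

/** Conservative baseline every new non-Intune entry starts from (T034). */
function conservativeDefaults(): array
{
    return [
        'source_class' => 'tcm',
        'support_state' => 'out_of_scope',
        'default_coverage_level' => 'detected',
        'default_evidence_state' => 'not_captured',
        'default_claim_state' => 'internal_only',
        'default_restore_posture' => 'not_restorable',
        'metadata' => [
            'is_full_catalog' => false, // seeded subset, never full workload coverage (T011)
            'documentation_status' => 'documented_resource_catalog',
            'source_aliases' => [],
        ],
    ];
}

/** Constructed sample manifest; the last entry is deliberately wrong so the check fires. */
function sampleDefinitions(): array
{
    $base = conservativeDefaults();
    return [
        ['workload' => 'entra', 'type' => 'conditionalAccessPolicy', 'risk_tier' => 'high'] + $base,
        ['workload' => 'entra', 'type' => 'securityDefaults', 'risk_tier' => 'high'] + $base,
        ['workload' => 'exchange', 'type' => 'transportRule', 'risk_tier' => 'high'] + $base,
        ['workload' => 'teams', 'type' => 'meetingPolicy', 'risk_tier' => 'medium',
            'default_restore_posture' => 'preview_only'] + $base,
        // Alias stays metadata; dataLossPreventionPolicy is not a second canonical type (T040).
        ['workload' => 'security_compliance', 'type' => 'dlpCompliancePolicy', 'risk_tier' => 'high',
            'metadata' => ['source_aliases' => ['dataLossPreventionPolicy']] + $base['metadata']] + $base,
        // Violates T012/T034: a high-risk type declared restorable and claim_allowed.
        ['workload' => 'entra', 'type' => 'roleDefinition', 'risk_tier' => 'high',
            'default_restore_posture' => 'restorable', 'default_claim_state' => 'claim_allowed'] + $base,
    ];
}

/** Returns one message per violated invariant; an empty array means the manifest is conservative. */
function registryDefaultViolations(array $definitions): array
{
    $violations = [];
    foreach ($definitions as $def) {
        if ($def['workload'] === 'intune') {
            continue; // Intune keeps its existing Spec 414/415 posture; only new workloads are constrained.
        }
        $key = "{$def['workload']}.{$def['type']}";
        if ($def['source_class'] !== 'tcm') {
            $violations[] = "$key: TCM-documented entries must use source_class=tcm";
        }
        if ($def['default_coverage_level'] !== 'detected') {
            $violations[] = "$key: default_coverage_level must be detected";
        }
        if ($def['default_evidence_state'] !== 'not_captured') {
            $violations[] = "$key: default_evidence_state must be not_captured";
        }
        if (!in_array($def['default_claim_state'], ALLOWED_NON_INTUNE_CLAIM, true)) {
            $violations[] = "$key: default_claim_state must be internal_only or claim_blocked";
        }
        if ($def['default_restore_posture'] === 'restorable') {
            $violations[] = "$key: no new entry may default to restorable";
        }
        if ($def['risk_tier'] === 'high' && !in_array($def['default_restore_posture'], ALLOWED_HIGH_RISK_RESTORE, true)) {
            $violations[] = "$key: high-risk types must be not_restorable or preview_only";
        }
        if (($def['metadata']['is_full_catalog'] ?? null) !== false) {
            $violations[] = "$key: partial manifests must carry is_full_catalog=false explicitly";
        }
    }
    return $violations;
}

print_r(registryDefaultViolations(sampleDefinitions()));
```

Run with php, the check reports three violations, all against entra.roleDefinition (claim_allowed, restorable, and the high-risk restore rule), and nothing for the other entries. The is_full_catalog check is deliberately strict: a missing key counts as a violation, so a seeded manifest cannot pass by omission and silently read as full workload coverage.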

Phase 8: Supported Scope Planning

  • T041 Add or update supported-scope planning entries required by spec.md, preserving the existing operator-surface default scope unless the changed default is explicitly covered by Product Surface/browser proof.
  • T042 Ensure scope metadata marks registry-only/detected planning status and customer_claims_allowed = false for broad M365 scopes.
  • T043 Ensure m365_tcm_certified_none explicitly states no M365-wide certified scope exists.
  • T044 Ensure m365_tcm_generic_future is marked future-only and cannot imply active generic capture.

Phase 9: Claim Guard Expansion

  • T045 Update ClaimGuard or repo-equivalent claim-safety path to block broad M365, certified, restore-ready, complete-tenant, all-resource, and unscoped percent claims.
  • T046 Allow only explicit internal/operator registry-only denominator-scoped wording when supported by scope metadata.
  • T047 Ensure Claim Guard results for new workloads never imply content-backed, comparable, renderable, restorable, certified, or customer-ready coverage by default.
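Phases 4 and 9 describe the same claim-safety behavior from the test and implementation sides: broad M365 wording is always blocked, customer output on a broad scope is blocked by scope metadata, and a percentage survives only for an internal/operator audience on a registry-only scope when it names its denominator. The following is an added example in the spirit of ClaimGuard and not TenantAtlas code: the class name, the pattern list, the return shape, the audience parameter and the registry_only metadata key are assumptions; customer_claims_allowed is the scope metadata key this tasks file names.

```php
<?php
// Added example (not TenantAtlas code): a self-contained claim-safety check in the
// spirit of ClaimGuard. The class name, pattern list, return shape, audience values
// and the registry_only metadata key are assumptions.
declare(strict_types=1);

final class ClaimGuardExample
{
    /** Broad claims blocked regardless of scope or audience (T020/T045). */
    private const BLOCKED = [
        '/\b100\s*%\s+(?:microsoft\s*365|m365)\s+coverage\b/i',
        '/\bfull\s+(?:microsoft\s*365|m365)\s+coverage\b/i',
        '/\bcertified\s+(?:microsoft\s*365|m365)\s+coverage\b/i',
        '/\brestore[\s-]*ready\s+(?:microsoft\s*365|m365)\s+coverage\b/i',
        '/\bcomplete\s+tenant\s+coverage\b/i',
        '/\ball\s+(?:microsoft\s*365|m365)\s+resources\s+supported\b/i',
        '/\ball\s+tcm\s+resources\s+certified\b/i',
    ];

    private const ANY_PERCENT = '/\d+(?:\.\d+)?\s*%/';

    /** A percent is denominator-scoped only when the claim names its base, e.g. "4 of 6 seeded Entra registry entries". */
    private const SCOPED_PERCENT =
        '/\b\d+\s+of\s+\d+\s+(?:seeded\s+)?(?:intune|entra|exchange|teams|security_compliance)\s+registry\s+entries\b/i';

    /**
     * @param array{registry_only?: bool, customer_claims_allowed?: bool} $scopeMetadata
     * @return array{allowed: bool, reason: string}
     */
    public static function evaluate(string $claim, array $scopeMetadata, string $audience): array
    {
        foreach (self::BLOCKED as $pattern) {
            if (preg_match($pattern, $claim) === 1) {
                return ['allowed' => false, 'reason' => 'broad M365 claim is blocked'];
            }
        }
        // Default deny for customer output unless the scope explicitly opts in (T042).
        if ($audience === 'customer' && ($scopeMetadata['customer_claims_allowed'] ?? false) !== true) {
            return ['allowed' => false, 'reason' => 'scope does not permit customer claims'];
        }
        if (preg_match(self::ANY_PERCENT, $claim) === 1) {
            if (!in_array($audience, ['internal', 'operator'], true)) {
                return ['allowed' => false, 'reason' => 'percent wording is internal/operator only'];
            }
            if (($scopeMetadata['registry_only'] ?? false) !== true) {
                return ['allowed' => false, 'reason' => 'percent wording requires a registry-only scope'];
            }
            if (preg_match(self::SCOPED_PERCENT, $claim) !== 1) {
                return ['allowed' => false, 'reason' => 'percent wording must name its denominator'];
            }
        }
        return ['allowed' => true, 'reason' => 'no broad or unscoped claim detected'];
    }
}

// Constructed claims against constructed metadata for the Entra planning scope.
$entraScope = ['registry_only' => true, 'customer_claims_allowed' => false];
$cases = [
    ['100% Microsoft 365 coverage', 'customer'],
    ['Restore-ready M365 coverage for your tenant', 'customer'],
    ['Entra registry: 66% detected', 'internal'], // unscoped percent, blocked
    ['Entra registry: 4 of 6 seeded Entra registry entries detected (66%)', 'internal'], // allowed
    ['Entra registry: 4 of 6 seeded Entra registry entries detected (66%)', 'customer'], // blocked by scope
];
foreach ($cases as [$claim, $audience]) {
    $result = ClaimGuardExample::evaluate($claim, $entraScope, $audience);
    printf("%-5s %-8s %s\n", $result['allowed'] ? 'ALLOW' : 'BLOCK', $audience, $result['reason']);
}
```

Two properties matter when this is ported into the repo's ClaimGuard. First, the customer path is default-deny on scope metadata, so a phrasing the pattern list never anticipated still cannot reach customer output on a broad M365 scope. Second, the internal path is only a denylist plus a denominator check, which is the weaker guarantee; the T020 test should therefore pin every phrase in the spec's forbidden list individually rather than rely on one representative string.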

Phase 10: Product Surface Data-Impact And Deployment Review

  • T048 Confirm no UI route, Filament page/provider, navigation entry, Blade view, Livewire component, action, report, download, customer output, or rendered label changed; document any existing Spec 418 operator-surface data impact from active registry rows/scopes.
  • T049 Run focused existing-surface feature/browser proof if new rows/scopes render: workload filters/scope options are intentional, registry-only status is clear, no broad M365 coverage label appears, no capture/restore/certify/report/download action appears, and no console/Livewire/500 errors appear.
  • T050 If any runtime UI code, route, navigation, action, report, download, customer output, or rendered label change is required beyond data-driven existing registry rows, stop and amend spec.md, plan.md, and tasks.md before runtime UI edits.
  • T051 Document deployment impact: migrations/check constraints if changed, no env vars, no queues, no scheduler, no storage, no assets, no filament:assets requirement unless scope is amended.
  • T052 Document staging validation expectations for schema/registry changes before production promotion.

Phase 11: Validation And Close-Out

  • T053 Run cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent.
  • T054 Run cd apps/platform && ./vendor/bin/sail artisan test tests/Unit/Support/TenantConfiguration/Spec419M365WorkloadRegistryTest.php tests/Unit/Support/TenantConfiguration/Spec419M365ClaimGuardTest.php.
  • T055 Run cd apps/platform && ./vendor/bin/sail artisan test tests/Feature/TenantConfiguration/Spec419M365RegistryExpansionTest.php.
  • T056 If active registry rows/scopes render on the existing Spec 418 surface, run cd apps/platform && ./vendor/bin/sail artisan test tests/Browser/Spec419M365RegistryOperatorSurfaceSmokeTest.php or the repo-equivalent focused browser smoke path.
  • T057 If migrations/check constraints/indexes changed, run cd apps/platform && ./vendor/bin/sail php vendor/bin/pest -c phpunit.pgsql.xml tests/Feature/TenantConfiguration/Spec419M365RegistryExpansionTest.php.
  • T058 Run git diff --check.
  • T059 Complete specs/419-m365-tcm-workload-registry-expansion/implementation-report.md with candidate gate result, dirty state before/after, files changed, workload matrix, representative type matrix, full-vs-partial catalog decision, Claim Guard proof, restore tier proof, no-runtime-capture proof, no-tenant_id proof, no-mini-platform proof, Product Surface data-impact decision, tests/browser proof run or N/A proof, deployment impact, and deferred work.
  • T060 Confirm no completed historical spec was rewritten or stripped of close-out, validation, task, smoke, browser, or review history.

Stop Conditions

Stop and update spec.md, plan.md, and tasks.md before continuing if any of these appear:

  • Capture, compare, render, restore, apply, certification, customer output, Review Pack/report, broad M365 dashboard, or customer-facing claim activation is needed.
  • Graph/TCM/provider remote calls or runtime Microsoft documentation fetch are needed.
  • UI route/page/navigation/action/rendered label changes are needed beyond the existing data-driven registry display.
  • Existing Coverage v2 operator surface default scope would change without explicit Product Surface/browser proof.
  • A partial catalog cannot be labeled as partial.
  • A new source/support/restore enum value is needed without proportionality proof.
  • tenant_id appears as Coverage v2 ownership truth.
  • A workload-specific table, model, engine, or mini-platform is introduced.
  • A broad M365/certified/restore-ready/all-resource claim must be allowed.