Automated PR provided by Codex via Gitea API. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #486
14 KiB
14 KiB
Tasks: Spec 419 - M365 TCM Workload Registry Expansion
Input: specs/419-m365-tcm-workload-registry-expansion/spec.md, specs/419-m365-tcm-workload-registry-expansion/plan.md, specs/419-m365-tcm-workload-registry-expansion/checklists/requirements.md
Prerequisites: completed Specs 414, 415, 417, and 418 as read-only dependency context
Tests: Required. Runtime registry/default/claim behavior must be covered with focused Pest unit and feature/static guard tests. PostgreSQL lane is required if migrations/check constraints/indexes change. Focused browser proof is required if new active registry rows/scopes render on the existing Spec 418 Coverage v2 operator surface.
Test Governance Checklist
- Lane assignment is named and is the narrowest sufficient proof for registry/default/claim behavior.
- New or changed tests stay in Unit/Feature lanes; PostgreSQL lane is explicit only if schema/check constraints change.
- Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default and opt-in.
- Planned validation commands cover the change without pulling unrelated lane cost.
- Browser proof is required for data-driven existing-surface changes, or explicitly
N/Aonly with proof that no new rows/scopes render. - Human Product Sanity and Product Surface implementation-report close-out cover existing-surface data impact, or are
N/Aonly with proof that no rendered output changed. - Material budget, baseline, trend, or escalation notes are recorded if test cost changes.
Phase 1: Preflight And Dependency Guard
- T001 Capture branch, HEAD,
git status --short, activated skills, and hard-gate status inspecs/419-m365-tcm-workload-registry-expansion/implementation-report.md. - T002 Confirm
specs/414-tcm-first-coverage-core-cutover/implementation-report.md,specs/415-generic-content-backed-capture/implementation-report.md,specs/417-canonical-identity-engine/, andspecs/418-coverage-v2-operator-surface/are dependency context only and must not be modified. - T003 Confirm current Coverage v2 registry surfaces exist:
TenantConfigurationResourceType,TenantConfigurationSupportedScope,ResourceTypeRegistry, Coverage v2 enum classes, andClaimGuard. - T004 Inspect current
ResourceTypeRegistry::defaultDefinitions(), supported-scope definitions, migrations/check constraints, factories, and Claim Guard rules before editing. - T005 Record the draft-to-repo mapping for missing draft terms: no
tenantpilot_internalsource class, nodetected_onlysupport state, nocompare_onlyormanual_review_requiredrestore tier. - T006 Stop if Coverage v2 registry or Claim Guard is missing, or if implementation would require capture, compare, render, restore, certification, customer output, runtime docs fetch, UI activation,
tenant_id, or workload-specific mini-platforms.
Phase 2: Tests First - Workloads, Manifest, And Defaults
- T007 Add focused workload registry tests proving
intune,entra,exchange,teams,security_compliance,defender,purview,tenantpilot, andunknownare accepted by the shared Coverage v2 workload enum/check path. - T008 Add manifest/default tests proving new non-Intune entries default to
default_coverage_level = detected,default_evidence_state = not_captured, anddefault_claim_state = internal_onlyorclaim_blocked. - T009 Add tests proving new non-Intune entries do not default to
content_backed,comparable,renderable,restorable,certified, orclaim_allowed. - T010 Add documentation status tests proving
documented_resource_catalog,documented_overview_only,combined_catalog,graph_only,internal, andunknownare represented in metadata or a justified field. - T011 Add partial-vs-full catalog tests proving seeded/partial manifests use
is_full_catalog = falseor equivalent metadata and cannot be treated as full workload coverage. - T012 Add restore-tier default tests proving high-risk resource types use
not_restorableorpreview_only, neverrestorable.
Phase 3: Tests First - Representative Resource Types
- T013 Add Entra registry tests for
conditionalAccessPolicy,securityDefaults,application,servicePrincipal,roleDefinition, andadministrativeUnit. - T014 Add Exchange registry tests for
transportRule,acceptedDomain,sharedMailbox,remoteDomain,mailboxPlan, andorganizationConfig. - T015 Add Teams registry tests for
appPermissionPolicy,appSetupPolicy,meetingPolicy,messagingPolicy,teamsUpdateManagementPolicy, andvoiceRoute. - T016 Add Security and Compliance registry tests for
labelPolicy,retentionCompliancePolicy,dlpCompliancePolicyor repo-canonical equivalent,autoSensitivityLabelPolicy,protectionAlert, andcomplianceTag. - T017 Add Defender/Purview workload status tests proving they are represented under
tenant_configuration_supported_scopes.metadata.workload_documentation_status.defenderand.purviewon the aggregate M365 planning scope, and are not represented as fake certified resource types.
Phase 4: Tests First - Supported Scopes And Claim Guard
- T018 Add supported-scope tests for
m365_tcm_registry_detected,entra_tcm_registry_detected,exchange_tcm_registry_detected,teams_tcm_registry_detected,security_compliance_tcm_registry_detected,m365_tcm_generic_future, andm365_tcm_certified_none, including proof that new planning scopes do not accidentally become the existing Coverage v2 operator surface default scope. - T019 Add tests proving forbidden scopes do not exist:
m365_full_coverage,m365_certified,all_microsoft_365_supported,full_tenant_coverage, andfull_m365_restore_ready. - T020 Add Claim Guard tests blocking
100% Microsoft 365 coverage,Full M365 coverage,Certified M365 coverage,Restore-ready M365 coverage,Complete tenant coverage,All Microsoft 365 resources supported, andAll TCM resources certified. - T021 Add Claim Guard tests proving internal registry-only percent wording is allowed only when explicitly denominator-scoped, for example seeded Entra registry entries.
Phase 5: Tests First - No Runtime Capture, No Tenant ID, No Mini-Platform
- T022 Add static/feature guard proving no Graph/TCM/provider remote call path or runtime Microsoft documentation fetch is introduced by Spec 419.
- T023 Add guard proving no capture job, scheduler sync, queue sync, capture/start action, restore/apply action, publish/export action, or certification action is added.
- T024 Add guard proving registry sync/seed does not create concrete
TenantConfigurationResourceorTenantConfigurationResourceEvidencerows. - T025 Add schema/source guard proving no
tenant_idis introduced as Coverage v2 ownership truth. - T026 Add guard proving no workload-specific tables/classes/engines are introduced for Entra, Exchange, Teams, Security and Compliance, Defender, or Purview.
- T027 Add guard proving no v1 gap taxonomy, v1-to-v2 adapter, fallback reader, old snapshot promotion, dual write, or customer-facing dual truth appears.
Phase 6: Workload Enum And Registry Metadata
- T028 Expand or confirm
apps/platform/app/Support/TenantConfiguration/Workload.phpvalues and related database check constraints for the required workload set. - T029 Prefer existing JSONB
metadatafordocumentation_status,catalog_source,catalog_last_reviewed_at,source_aliases,risk_tier,default_restore_posture,is_full_catalog, andcatalog_import_batch. - T030 If documentation status or catalog metadata needs a dedicated column/constraint, add a narrow reversible migration and record the proportionality reason in the implementation report.
- T031 Ensure enum/check-constraint additions are mirrored across model casts, migrations, factories, tests, and any registry sync path.
Phase 7: Resource Type Manifest / Registry Expansion
- T032 Update
ResourceTypeRegistry::defaultDefinitions()or repo-equivalent static manifest/config with M365 representative entries. - T033 Ensure TCM-documented entries use
source_class = tcm. - T034 Ensure all new non-Intune entries use conservative defaults: support
out_of_scopeunless a new state is justified, coveragedetected, evidencenot_captured, claiminternal_onlyorclaim_blocked, restorenot_restorableorpreview_only. - T035 Add Entra representative entries with high-risk defaults for Conditional Access, Security Defaults, and role definitions.
- T036 Add Exchange representative entries with high-risk defaults for transport rules and organization configuration.
- T037 Add Teams representative entries with manual-review/preview-only defaults.
- T038 Add Security and Compliance representative entries with high-risk defaults for labels, retention, DLP, and auto-sensitivity label policies.
- T039 Represent Defender and Purview through
tenant_configuration_supported_scopes.metadata.workload_documentation_statuson the aggregate M365 planning scope without inventing fake certified resource types. - T040 Ensure aliases such as
dataLossPreventionPolicyvsdlpCompliancePolicyare source aliases, not duplicate canonical types, unless implementation documents a reason.
Phase 8: Supported Scope Planning
- T041 Add or update supported-scope planning entries required by
spec.md, preserving the existing operator-surface default scope unless the changed default is explicitly covered by Product Surface/browser proof. - T042 Ensure scope metadata marks registry-only/detected planning status and
customer_claims_allowed = falsefor broad M365 scopes. - T043 Ensure
m365_tcm_certified_noneexplicitly states no M365-wide certified scope exists. - T044 Ensure
m365_tcm_generic_futureis marked future-only and cannot imply active generic capture.
Phase 9: Claim Guard Expansion
- T045 Update
ClaimGuardor repo-equivalent claim-safety path to block broad M365, certified, restore-ready, complete-tenant, all-resource, and unscoped percent claims. - T046 Allow only explicit internal/operator registry-only denominator-scoped wording when supported by scope metadata.
- T047 Ensure Claim Guard results for new workloads never imply content-backed, comparable, renderable, restorable, certified, or customer-ready coverage by default.
Phase 10: Product Surface Data-Impact And Deployment Review
- T048 Confirm no UI route, Filament page/provider, navigation entry, Blade view, Livewire component, action, report, download, customer output, or rendered label changed; document any existing Spec 418 operator-surface data impact from active registry rows/scopes.
- T049 Run focused existing-surface feature/browser proof if new rows/scopes render: workload filters/scope options are intentional, registry-only status is clear, no broad M365 coverage label appears, no capture/restore/certify/report/download action appears, and no console/Livewire/500 errors appear.
- T050 If any runtime UI code, route, navigation, action, report, download, customer output, or rendered label change is required beyond data-driven existing registry rows, stop and amend
spec.md,plan.md, andtasks.mdbefore runtime UI edits. - T051 Document deployment impact: migrations/check constraints if changed, no env vars, no queues, no scheduler, no storage, no assets, no
filament:assetsrequirement unless scope is amended. - T052 Document staging validation expectations for schema/registry changes before production promotion.
Phase 11: Validation And Close-Out
- T053 Run
cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent. - T054 Run
cd apps/platform && ./vendor/bin/sail artisan test tests/Unit/Support/TenantConfiguration/Spec419M365WorkloadRegistryTest.php tests/Unit/Support/TenantConfiguration/Spec419M365ClaimGuardTest.php. - T055 Run
cd apps/platform && ./vendor/bin/sail artisan test tests/Feature/TenantConfiguration/Spec419M365RegistryExpansionTest.php. - T056 If active registry rows/scopes render on the existing Spec 418 surface, run
cd apps/platform && ./vendor/bin/sail artisan test tests/Browser/Spec419M365RegistryOperatorSurfaceSmokeTest.phpor the repo-equivalent focused browser smoke path. - T057 If migrations/check constraints/indexes changed, run
cd apps/platform && ./vendor/bin/sail php vendor/bin/pest -c phpunit.pgsql.xml tests/Feature/TenantConfiguration/Spec419M365RegistryExpansionTest.php. - T058 Run
git diff --check. - T059 Complete
specs/419-m365-tcm-workload-registry-expansion/implementation-report.mdwith candidate gate result, dirty state before/after, files changed, workload matrix, representative type matrix, full-vs-partial catalog decision, Claim Guard proof, restore tier proof, no-runtime-capture proof, no-tenant_id proof, no-mini-platform proof, Product Surface data-impact decision, tests/browser proof run or N/A proof, deployment impact, and deferred work. - T060 Confirm no completed historical spec was rewritten or stripped of close-out, validation, task, smoke, browser, or review history.
Stop Conditions
Stop and update spec.md, plan.md, and tasks.md before continuing if any of these appear:
- Capture, compare, render, restore, apply, certification, customer output, Review Pack/report, broad M365 dashboard, or customer-facing claim activation is needed.
- Graph/TCM/provider remote calls or runtime Microsoft documentation fetch are needed.
- UI route/page/navigation/action/rendered label changes are needed beyond the existing data-driven registry display.
- Existing Coverage v2 operator surface default scope would change without explicit Product Surface/browser proof.
- A partial catalog cannot be labeled as partial.
- A new source/support/restore enum value is needed without proportionality proof.
tenant_idappears as Coverage v2 ownership truth.- A workload-specific table, model, engine, or mini-platform is introduced.
- A broad M365/certified/restore-ready/all-resource claim must be allowed.