TenantAtlas/specs/436-exchange-content-backed-evidence-promotion-slice-1/checklists/requirements.md
ahmido 30a6733f78 Spec 436: Exchange content-backed evidence promotion (#503)
Summary: Wire Exchange PowerShell evidence capture through Spec 435 structured envelopes, target normalizers, and hash builder for transportRule, remoteDomain, and inboundConnector; preserve append-only internal content-backed evidence with fail-closed readiness, output, identity, and redaction behavior; add Spec 436 artifacts and focused coverage. Validation: php artisan test --filter=Spec436 --compact PASS, 28 tests / 307 assertions; git diff --cached --check PASS before commit. Product/Ops: Livewire v4 unchanged; provider registration unchanged under apps/platform/bootstrap/providers.php; global search unchanged; no destructive/high-impact actions; no assets/browser/UI/deployment impact.
Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #503
2026-07-09 14:03:10 +00:00

6.6 KiB

Requirements Checklist: Exchange Content-Backed Evidence Promotion Slice 1

Purpose: Validate Spec 436 scope, prerequisites, safety gates, no-promotion posture, and preparation completeness before implementation. Created: 2026-07-08 Feature: spec.md

Prerequisites

  • Spec 435 PASS/merge-ready is required.
  • Spec 435 structured output envelope exists.
  • Spec 435 normalizers exist.
  • Spec 435 hash builder exists.
  • Spec 434 adapter boundary exists.
  • Spec 433 readiness exists.
  • Spec 432 runner boundary exists.
  • Spec 430 command contracts exist.

Scope

  • Only transportRule.
  • Only remoteDomain.
  • Only inboundConnector.
  • No outboundConnector.
  • No acceptedDomain.
  • No organizationConfig.
  • No Teams.
  • No compare/render.
  • No certification.
  • No restore.
  • No customer claim.
  • No UI.
  • No jobs/schedules/listeners.
  • No migration.

OperationRun

  • Uses tenant_configuration.capture.
  • Invocation operation remains runner truth only.
  • No new OperationRun type.
  • Safe context only.
  • Existing summary keys or tested/amended narrow keys.
  • No raw payload.
  • No normalizer/hash preview.
  • No raw stdout/stderr.
  • No credential material.

Evidence

  • Append-only evidence.
  • Raw payload in evidence store only.
  • Raw payload is structured provider item/envelope.
  • Raw stdout/stderr is not evidence.
  • Normalized payload persisted.
  • Payload hash persisted.
  • Persisted capture_outcome uses existing repo-allowed evidence outcome values.
  • OperationRun linked.
  • workspace_id set.
  • managed_environment_id set.
  • provider_connection_id set.
  • No tenant_id.

Normalizer / Hash

  • Uses Spec 435 target normalizers.
  • Uses Spec 435 hash builder.
  • Does not use GenericPayloadNormalizer.
  • Does not use ExchangeTeamsComparablePayloadNormalizer.
  • transportRule normalized deterministically.
  • remoteDomain normalized deterministically.
  • inboundConnector normalized deterministically.
  • Volatile fields excluded/demoted.
  • Sensitive fields handled.
  • Collection order deterministic.
  • Hash deterministic.

Identity

  • CanonicalIdentityResolver used directly or through Spec 434 identity gate.
  • Stable identity required by default.
  • Display-name-only stable identity impossible.
  • remoteDomain domain-only identity blocked.
  • inboundConnector missing connector identity blocked.
  • Duplicate identity blocks.
  • Conflicting identity blocks.
  • Missing identity blocks.
  • Writer not called on unsafe identity.

Blocking

  • Missing credential readiness blocks.
  • Client secret blocks.
  • Missing permission readiness blocks.
  • Wrong-scope permission blocks.
  • Stale permission blocks.
  • Unsupported provider capability blocks.
  • Auth failure blocks.
  • Permission failure blocks.
  • Source unavailable blocks.
  • Malformed output blocks.
  • Source unavailable is not treated as empty collection.
  • Partial output is not treated as empty collection or success.
  • Empty collection creates no fake evidence.

Redaction

  • No raw payload in OperationRun.
  • No raw stdout/stderr in OperationRun.
  • No normalizer/hash preview in OperationRun.
  • No credential material.
  • No provider payload in summaries.
  • No customer output.

No Promotion

  • Coverage max level content_backed.
  • Claim state internal-only/customer-blocked.
  • No comparable state.
  • No renderable state.
  • No certified state.
  • No restore-ready state.
  • No customer-ready state.
  • No report output.
  • No Review Pack output.

Product Surface / Trigger

  • No routes.
  • No Filament pages.
  • No Livewire components.
  • No navigation.
  • No asset changes.
  • No global search changes.
  • No provider registration changes.
  • No destructive UI actions.
  • No job trigger.
  • No schedule trigger.
  • No listener trigger.
  • Browser N/A.

Architecture

  • Uses Coverage v2 evidence architecture.
  • Uses Spec 434 adapter.
  • Uses Spec 435 normalizers/hash builder.
  • Uses Spec 433 readiness evaluator.
  • Uses Spec 432 runner boundary.
  • No Graph gateway fallback.
  • No fake Graph endpoint.
  • No Exchange-specific evidence table.
  • No tenant_id ownership truth.
  • No Exchange mini-platform.
  • No legacy shim.
  • No fallback reader.
  • No migration.

Product Surface Contract

  • CHK034 The spec references docs/product/standards/product-surface-contract.md.
  • CHK035 No-legacy posture is explicit.
  • CHK036 Product Surface Impact records N/A values with rationale.
  • CHK037 Browser proof is N/A - no rendered UI surface changed.
  • CHK038 Human Product Sanity is N/A.
  • CHK039 Implementation report will include Livewire v4, provider registration, global search, destructive/high-impact action, asset, tests/browser, deployment, no completed-spec rewrite, and follow-up fields.
  • CHK040 Completed historical specs were not rewritten.

Validation

  • Focused unit tests pass.
  • Focused feature tests pass.
  • Regressions pass.
  • Pint passes.
  • git diff --check passes.
  • git status --short documented.

Review Outcome

  • Preparation review outcome class: acceptable-special-case.
  • Preparation workflow outcome: keep.
  • Final note location: implementation report.

Final Candidate Gate

Preparation result: PASS.

Implementation PASS requires all runtime validation items above to be checked with evidence. PASS WITH CONDITIONS is allowed only for bounded follow-ups that do not weaken evidence integrity, identity safety, normalization determinism, redaction, readiness gating, no-promotion posture, no-product-surface posture, ownership, or no-mini-platform posture.

FAIL if Spec 435 is not merge-ready, credential/permission gates can be bypassed, fake evidence is created, permission denied is treated as empty data, malformed output is treated as success, unsafe identity creates evidence, raw stdout/stderr is treated as evidence, raw payload leaks outside evidence storage, OperationRun stores raw provider output or normalizer/hash preview, coverage promotes to comparable/renderable/certified, restore/customer claims appear, UI/routes/jobs/schedules/listeners are added, migration is added without amendment, tenant_id ownership truth is introduced, an Exchange-specific evidence table appears, or tests do not prove content-backed evidence safety.