TenantAtlas/specs/436-exchange-content-backed-evidence-promotion-slice-1/tasks.md
Ahmed Darrazi 053a33c172
Some checks failed
PR Fast Feedback / fast-feedback (pull_request) Failing after 7m12s
feat: promote Exchange content-backed evidence
2026-07-09 15:55:44 +02:00

15 KiB

Tasks: Exchange Content-Backed Evidence Promotion Slice 1

Input: Design documents from specs/436-exchange-content-backed-evidence-promotion-slice-1/ Prerequisites: spec.md, plan.md, checklists/requirements.md

Tests: Required. Runtime behavior changes must be covered with Pest 4 Unit and Feature tests. Browser proof is N/A - no rendered UI surface changed.

Test Governance Checklist

  • Lane assignment is named and is the narrowest sufficient proof for the changed behavior.
  • New or changed tests stay in the smallest honest family, and any heavy-governance or browser addition is explicit.
  • Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default; any widening is isolated or documented.
  • Planned validation commands cover the change without pulling in unrelated lane cost.
  • Browser proof is explicitly N/A - no rendered UI surface changed.
  • Human Product Sanity and Product Surface implementation-report close-out are planned as N/A.
  • Any material budget, baseline, trend, or escalation note is recorded in the implementation report.

Phase 0 - Preflight

  • T001 Capture branch, HEAD, and git status --short in implementation-report.md.
  • T002 Confirm Spec 435 PASS/merge-ready and record prerequisite proof from specs/435-exchange-structured-output-target-normalizer-readiness/implementation-report.md.
  • T003 Confirm Specs 430-434 are completed read-only context and are not edited.
  • T004 Confirm target types are exactly transportRule, remoteDomain, and inboundConnector.
  • T005 Confirm evidence model uses existing tenant_configuration_resources and tenant_configuration_resource_evidence.
  • T006 Confirm OperationRun owner is tenant_configuration.capture and invocation operation remains runner truth only.
  • T007 Confirm no UI/routes/jobs/schedules/listeners/migration/tenant_id/target-expansion scope.

Phase 1 - Tests First: Adapter Wiring

  • T008 Add or update focused unit tests proving the Exchange adapter creates a Spec 435 ExchangePowerShellStructuredOutputEnvelope before evidence append.
  • T009 Add or update unit tests proving ExchangePowerShellEvidenceNormalizer dispatches target-specific normalizers for all three targets.
  • T010 Add static/behavioral tests proving GenericPayloadNormalizer is not used for Exchange evidence promotion.
  • T011 Add static/behavioral tests proving ExchangeTeamsComparablePayloadNormalizer is not used for Exchange evidence promotion.
  • T012 Add tests proving the generic Graph capture path remains intact and is not routed through Exchange-specific promotion.

Phase 2 - Adapter Normalizer Wiring

  • T013 Update ExchangePowerShellEvidenceCaptureAdapter to use Spec 435 structured envelope for accepted runner output.
  • T014 Update the adapter to use ExchangeTransportRuleEvidenceNormalizer through ExchangePowerShellEvidenceNormalizer for transportRule.
  • T015 Update the adapter to use ExchangeRemoteDomainEvidenceNormalizer through ExchangePowerShellEvidenceNormalizer for remoteDomain.
  • T016 Update the adapter to use ExchangeInboundConnectorEvidenceNormalizer through ExchangePowerShellEvidenceNormalizer for inboundConnector.
  • T017 Update the adapter to use ExchangePowerShellHashInputBuilder for persisted payload hashes.
  • T018 Remove or bypass the adapter's Exchange write-time dependency on GenericPayloadNormalizer.
  • T019 Remove or bypass the adapter's Exchange write-time dependency on ExchangeTeamsComparablePayloadNormalizer.

Phase 3 - OperationRun Ownership And Context

  • T020 Ensure evidence append requires OperationRunType::TenantConfigurationCapture.
  • T021 Add tests proving OperationRunType::TenantConfigurationExchangePowerShellInvocation cannot own evidence.
  • T022 Confirm no new OperationRun type is added.
  • T023 Keep OperationRun context safe and exclude raw payload, normalized payload, stdout, stderr, transcript, normalizer preview, hash preview, credential material, and provider response body.
  • T024 Use existing allowed OperationSummaryKeys only, or stop and amend the spec before adding keys.

Phase 4 - transportRule Evidence Capture

  • T025 Add focused tests where successful fake Get-TransportRule capture creates one resource row and one evidence row.
  • T026 Assert raw_payload is persisted only in tenant_configuration_resource_evidence.
  • T027 Assert target-specific normalized payload is persisted.
  • T028 Assert deterministic payload hash is persisted.
  • T029 Assert operation_run_id, workspace_id, managed_environment_id, and provider_connection_id are linked.
  • T030 Assert coverage remains content_backed only, claim state remains internal-only/customer-blocked, and persisted capture_outcome uses an existing repo-allowed value.

Phase 5 - remoteDomain Evidence Capture

  • T031 Add focused tests where successful fake Get-RemoteDomain capture creates content-backed evidence with stable source identity.
  • T032 Assert domain-only identity blocks with no writer call and no evidence row.
  • T033 Assert display-only identity blocks with no writer call and no evidence row.
  • T034 Assert duplicate identity blocks with no evidence row.
  • T035 Assert conflicting identity blocks with no evidence row.
  • T036 Assert raw payload, normalized payload, deterministic hash, OperationRun link, repo-allowed persisted capture_outcome, and content-backed-only state for successful stable identity.

Phase 6 - inboundConnector Evidence Capture

  • T037 Add focused tests where successful fake Get-InboundConnector capture creates content-backed evidence with stable connector identity.
  • T038 Assert missing connector identity blocks with no evidence row.
  • T039 Assert duplicate identity blocks with no evidence row.
  • T040 Assert protected config sentinels do not enter OperationRun context/logs/summaries.
  • T041 Assert raw payload, normalized payload, deterministic hash, OperationRun link, repo-allowed persisted capture_outcome, and content-backed-only state for successful stable identity.

Phase 7 - Append-Only Evidence

  • T042 Add feature tests proving existing evidence is not overwritten.
  • T043 Add feature tests proving a second successful capture inserts a new evidence row.
  • T044 Assert latest_evidence_id, latest_payload_hash, and latest_captured_at update according to repo pattern.
  • T045 Assert prior payload hash and payload columns are not mutated.

Phase 8 - Hash Determinism

  • T046 Add unit tests proving the same material normalized payload produces the same hash.
  • T047 Add unit tests proving material changes change the hash.
  • T048 Add unit tests proving volatile changes do not change the hash.
  • T049 Add unit tests proving provider ordering does not change hash when order is not meaningful.
  • T050 Assert target type, source surface, command contract, payload shape version, and normalizer version participate in hash input according to Spec 435.

Phase 9 - Readiness Failure Blocking

  • T051 Add tests proving missing credential readiness blocks with no evidence.
  • T052 Add tests proving client-secret readiness blocks with no evidence.
  • T053 Add tests proving missing permission readiness blocks with no evidence.
  • T054 Add tests proving stale permission evidence blocks with no evidence.
  • T055 Add tests proving wrong-scope permission evidence blocks with no evidence.
  • T056 Add tests proving runtime readiness failure blocks with no evidence.
  • T057 Add tests proving provider scope failure and unsupported provider capability both block with no evidence.

Phase 10 - Output Failure Blocking

  • T058 Add tests proving authentication failure blocks with no evidence.
  • T059 Add tests proving authorization/permission failure blocks with no evidence.
  • T060 Add tests proving source unavailable blocks with no evidence.
  • T061 Add tests proving malformed output blocks with no evidence.
  • T062 Add tests proving scalar output blocks with no evidence.
  • T063 Add tests proving warning-prefixed output blocks with no evidence.
  • T064 Add tests proving binary/non-UTF8 output blocks with no evidence.
  • T065 Add tests proving oversized output blocks with no evidence.
  • T066 Add tests proving non-zero exit blocks with no evidence.
  • T067 Add tests proving timeout blocks with no evidence and failure outcomes do not persist adapter-only outcome labels outside existing repo-allowed evidence values.

Phase 11 - Identity Blocking

  • T068 Add tests proving missing identity blocks.
  • T069 Add tests proving duplicate identity blocks.
  • T070 Add tests proving conflicting identity blocks.
  • T071 Add tests proving display-name-only blocks.
  • T072 Add tests proving derived-only unproven identity blocks.
  • T073 Assert the writer is not called on unsafe identity.

Phase 12 - Empty Collection Policy

  • T074 Add tests proving empty collection produces zero-item summary.
  • T075 Assert empty collection creates no resource row.
  • T076 Assert empty collection creates no evidence row.
  • T077 Assert permission denied and source unavailable are not treated as empty.
  • T078 Assert malformed output and partial output are not treated as empty or success.

Phase 13 - Redaction

  • T079 Add tests proving raw payload exists only in evidence storage.
  • T080 Add tests proving OperationRun context is sanitized.
  • T081 Add tests proving no raw stdout/stderr in context.
  • T082 Add tests proving no normalizer/hash preview in context.
  • T083 Add tests proving no credential material in context/logs/results.
  • T084 Add tests proving no provider payload in summaries.
  • T085 Add guard/static tests proving no customer output path is touched.

Phase 14 - Content-Only Guard And No Promotion

  • T086 Assert coverage max level is content_backed.
  • T087 Assert no comparable state.
  • T088 Assert no renderable state.
  • T089 Assert no certified state.
  • T090 Assert no restore-ready state.
  • T091 Assert no customer-ready/customer-claimable state.

Phase 15 - No Product Surface / Trigger

  • T092 Add or update guard tests proving no route changed or added.
  • T093 Add or update guard tests proving no Filament page/resource/widget changed or added.
  • T094 Add or update guard tests proving no Livewire component changed or added.
  • T095 Add or update guard tests proving no navigation, asset, global search, or provider registration change.
  • T096 Add or update guard tests proving no destructive UI action exists.
  • T097 Add or update guard tests proving no job, schedule, listener, console trigger, report, Review Pack, or PDF output was added.
  • T098 Record browser proof as N/A - no rendered UI surface changed.

Phase 16 - No Tenant / Mini-Platform

  • T099 Assert no tenant_id ownership column/path is introduced.
  • T100 Assert no Exchange-specific evidence table exists.
  • T101 Assert no Exchange dashboard, legacy shim, fallback reader, or separate Exchange mini-platform exists.
  • T102 Assert no migration file was added.

Phase 17 - Regression Tests

  • T103 Run Spec 435 regression tests.
  • T104 Run Spec 434 regression tests.
  • T105 Run Spec 433 regression tests.
  • T106 Run Spec 432 regression tests.
  • T107 Run Spec 431 regression tests.
  • T108 Run Spec 430 regression tests.
  • T109 Run Spec 415 regression tests.
  • T110 Run Spec 417 regression tests.
  • T111 Run Spec 419 regression tests if available.
  • T112 Run Spec 420 regression tests.
  • T113 Run Spec 426 regression tests.
  • T114 Run Spec 427 regression tests.
  • T115 Run ProviderCapabilityRegistryTest or repo equivalent.

Phase 18 - Validation

  • T116 Run cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent or document fallback if Sail fails.
  • T117 Run cd apps/platform && ./vendor/bin/sail artisan test --filter=Spec436 --compact or document fallback if Sail fails.
  • T118 Run cd apps/platform && ./vendor/bin/sail artisan test --filter=Spec435 --compact or document fallback if Sail fails.
  • T119 Run cd apps/platform && ./vendor/bin/sail artisan test --filter=Spec434 --compact or document fallback if Sail fails.
  • T120 Run cd apps/platform && ./vendor/bin/sail artisan test --filter=Spec433 --compact or document fallback if Sail fails.
  • T121 Run cd apps/platform && ./vendor/bin/sail artisan test --filter='Spec432|Spec431|Spec430' --compact or document fallback if Sail fails.
  • T122 Run cd apps/platform && ./vendor/bin/sail artisan test --filter='Spec415|Spec417|Spec419|Spec420|Spec426|Spec427' --compact or document fallback if Sail fails.
  • T123 Run cd apps/platform && ./vendor/bin/sail artisan test --filter='ProviderCapabilityRegistryTest|ProviderCapabilityEvaluationTest' --compact or document fallback if Sail fails.
  • T124 Run git diff --check.
  • T125 Run git status --short.

Phase 19 - Implementation Report

  • T126 Record candidate gate result.
  • T127 Record branch, HEAD, and dirty state before/after.
  • T128 Record files changed.
  • T129 Record Spec 435 prerequisite proof.
  • T130 Complete target type outcomes matrix.
  • T131 Record OperationRun proof.
  • T132 Record evidence persistence proof, including persisted capture_outcome value proof.
  • T133 Record append-only and latest pointer proof.
  • T134 Record raw payload location proof.
  • T135 Record structured envelope proof.
  • T136 Record normalizer integration proof.
  • T137 Record hash proof.
  • T138 Record identity proof.
  • T139 Record credential/permission/runtime readiness proof.
  • T140 Record failure blocking proof.
  • T141 Record redaction proof.
  • T142 Record no GenericPayloadNormalizer proof.
  • T143 Record no ExchangeTeamsComparablePayloadNormalizer proof.
  • T144 Record no Graph gateway/fake endpoint proof.
  • T145 Record no promotion/restore/customer proof.
  • T146 Record no UI/trigger proof.
  • T147 Record no tenant_id and no mini-platform proof.
  • T148 Record tests run and deferred work.

Dependencies And Ordering

  • T001-T007 must complete before runtime edits.
  • T008-T012 should be written before T013-T019.
  • T020-T024 must pass before evidence persistence tasks are considered complete.
  • Target-specific phases can be worked independently after adapter wiring, but append-only/no-promotion validations must run after all successful-target paths exist.
  • Phase 17-19 are final validation and report tasks.

Parallelization Notes

  • Unit tests for hash determinism, identity blockers, and target normalizers can run in parallel if they touch separate files.
  • Feature tests for each target can run in parallel after shared fixtures are in place.
  • No UI/browser work is parallelizable because it is out of scope.