TenantAtlas/specs/433-exchange-credential-permission-evidence-support/checklists/requirements.md
Ahmed Darrazi 158071bfb4
Some checks failed
PR Fast Feedback / fast-feedback (pull_request) Failing after 5m4s
feat: add Exchange credential permission evidence readiness
2026-07-08 01:53:53 +02:00

10 KiB

Requirements Checklist: Exchange Credential and Permission Evidence Support

Purpose: Preparation and implementation-readiness checklist for Spec 433. Created: 2026-07-07 Feature: specs/433-exchange-credential-permission-evidence-support/spec.md

This checklist is a preparation gate now and an implementation close-out checklist later. Completed Specs 429-432 are read-only context and must not be rewritten to satisfy this checklist.

Candidate Selection Gate

  • Selected candidate is directly provided by the user.
  • docs/product/spec-candidates.md auto-prep queue was checked and is empty/manual-only.
  • Roadmap relationship to Specs 429-434 is recorded.
  • No existing specs/433-* package was present before preparation.
  • Specs 429-432 completed-spec guardrail result is recorded.
  • Smallest viable slice is backend credential/permission evidence readiness only.
  • Close alternatives are deferred as follow-up specs.
  • Candidate Selection Gate result is PASS.

Spec Package

  • spec.md exists.
  • plan.md exists.
  • tasks.md exists.
  • checklists/requirements.md exists.
  • implementation-report.md is created by the later implementation loop.
  • Proportionality review exists in spec and plan.
  • Product Surface impact for existing provider capability/readiness surfaces is recorded.
  • Focused browser proof is planned for existing provider capability/readiness surfaces.

Prerequisites

  • Spec 432 implementation report records PASS.
  • Spec 432 runner boundary exists.
  • Spec 432 credential resolver exists.
  • Spec 432 permission evaluator exists.
  • Spec 432 no-evidence/no-UI/no-migration/no-tenant-id proof is recorded.
  • Implementation confirms Spec 432 has no open merge-blocking runtime safety finding at start.
  • Implementation confirms dirty state is safe before code changes.

Scope

  • Credential evidence support only.
  • Permission evidence support only.
  • Combined readiness support only.
  • No Exchange provider calls.
  • No PowerShell execution.
  • No tenant configuration evidence.
  • No content-backed evidence.
  • No compare/render.
  • No certification.
  • No restore.
  • No customer claim.
  • No new UI/routes/jobs/schedules/listeners.
  • No tenant_id ownership truth.

Data Model

  • Existing ProviderCredential metadata is proven sufficient, or a provider-agnostic migration is justified.
  • Existing ManagedEnvironmentPermission fields/details are proven sufficient, or a provider-agnostic migration is justified.
  • Current managed_environment_id + permission_key uniqueness and provider-connection scope through details are addressed.
  • If migration is required, spec.md and plan.md are updated before schema code is added. N/A - no migration was needed.
  • Migration, if present, is provider-agnostic. N/A - no migration was added.
  • No Exchange-specific credential table.
  • No Exchange-specific permission table.
  • No secret material columns.
  • No private key columns.
  • No certificate password columns.
  • No client secret columns.
  • No token columns.
  • No raw provider payload columns.
  • No UI state columns.
  • No tenant_id ownership column.

Credential Evidence

  • client_secret credentials block.
  • Missing credential blocks.
  • Expired credential blocks.
  • Inaccessible credential blocks distinctly from missing/expired when repo-observable, or collapses to a tested safe blocker.
  • Unsupported credential blocks.
  • Wrong-scope credential blocks where scope can be evaluated.
  • Unvalidated credential blocks where validation metadata is required.
  • Unknown credential kind blocks.
  • Certificate is supported safely or explicitly blocked.
  • Federated credential is supported safely or explicitly blocked.
  • Managed identity is supported safely or explicitly blocked.
  • Credential material never reaches OperationRun context, logs, returned envelopes, tests, or persisted metadata.

Permission Evidence

  • Exchange.ManageAsApp or repo-canonical equivalent is represented.
  • Admin consent alone is insufficient.
  • Missing evidence blocks.
  • Unvalidated evidence blocks.
  • Stale evidence blocks.
  • Wrong workspace evidence blocks.
  • Wrong managed-environment evidence blocks.
  • Wrong provider-connection evidence blocks.
  • Unsupported provider evidence blocks.
  • Revoked or absent evidence blocks.
  • Currentness threshold is configurable or the fixed threshold is justified and tested.
  • Source metadata is represented or proven safely in existing details.
  • Observed/captured/verified metadata is represented or proven safely in existing details.
  • Current scoped verified evidence passes permission gate.

Combined Readiness

  • Credential evidence is required.
  • Permission evidence is required.
  • Currentness is required.
  • Correct workspace, managed-environment, and provider-connection scope is required.
  • Provider support is required.
  • Safe blocker states are returned.
  • ready_for_live_invocation or repo-canonical pass state does not create evidence.
  • Readiness pass does not imply customer-ready/product-ready state.
  • Provider capability and runner gate consume the same readiness truth or repo-canonical equivalent.

Provider Capability

  • exchange_powershell_invoke is Supported only when combined readiness passes.
  • Admin consent alone is not Supported.
  • client_secret alone is not Supported.
  • Missing credential evidence is not Supported.
  • Missing permission evidence is not Supported.
  • Stale permission evidence is not Supported.
  • Wrong-scope permission evidence is not Supported.
  • Capability status values remain repo-canonical or any new value has proportionality review.

Runner Gate Integration

  • Spec 432 production runner gate consumes combined readiness before process execution.
  • Disabled default and production-runner config gates remain intact.
  • OperationRun context stores only safe readiness/blocker state.
  • No credential material in OperationRun context.
  • No raw permission payload in OperationRun context.
  • No raw provider payload in OperationRun context.
  • No new OperationRun type unless justified in spec/plan before implementation continues.

Redaction

  • No private key.
  • No certificate password.
  • No client secret.
  • No token.
  • No auth header.
  • No raw vault secret.
  • No raw provider permission response.
  • Sensitive metadata is redacted according to repo policy.
  • Secret-like exception messages are sanitized.

No Promotion

  • No TenantConfigurationResourceEvidence rows.
  • No raw Exchange payload.
  • No normalized Exchange payload.
  • No content-backed state.
  • No comparable state.
  • No renderable state.
  • No certified state.
  • No restore-ready state.
  • No customer-ready state.
  • No report output.
  • No Review Pack/PDF output.

Product Surface / Trigger

  • Product Surface impact is limited to existing provider capability/readiness surfaces.
  • Focused browser proof plan covers existing provider capability/readiness surfaces.
  • Existing provider capability/readiness surfaces stay canonical, redacted, and free of raw credential/permission/provider/OperationRun payloads by default.
  • No routes added or changed.
  • No new Filament pages/resources/widgets/actions added or changed.
  • No Livewire components added or changed.
  • No navigation added or changed.
  • No asset changes.
  • No global search changes.
  • No credential management UI.
  • No permission management UI.
  • No job trigger.
  • No schedule trigger.
  • No listener trigger.
  • No console trigger for Exchange PowerShell.

Architecture

  • Uses provider credential/reference architecture.
  • Uses ManagedEnvironmentPermission or repo-canonical permission evidence architecture.
  • Uses provider capability evaluator.
  • Uses Spec 432 runner gate.
  • No tenant_id ownership truth.
  • No Exchange mini-platform.
  • No legacy shim.
  • No fallback reader.
  • No dual write.
  • No generic provider framework introduced from a single Exchange use case.

Validation

  • Focused Spec 433 unit tests pass.
  • Focused Spec 433 feature tests pass.
  • Migration/PostgreSQL tests pass if migration exists. N/A - no migration was added; Sail migration check reported nothing to migrate.
  • Spec 432 regression tests pass.
  • Spec 431 regression tests pass.
  • Spec 430 regression tests pass.
  • Selected Spec 426/427/417/419/420 regressions pass where available.
  • Provider capability registry/evaluator regressions pass.
  • Focused browser proof for existing provider capability/readiness surfaces passes.
  • Human Product Sanity for existing provider capability/readiness surfaces is documented.
  • Pint passes.
  • git diff --check passes.
  • Final git status --short is documented.

Implementation Report Required Matrices

  • Credential kind matrix.
  • Permission evidence matrix.
  • Migration/no-migration matrix.
  • No-promotion matrix.
  • Product Surface proof, browser proof, and Human Product Sanity close-out.
  • Livewire v4 / provider registration / global search / destructive action / asset / deployment impact close-out.
  • No completed-spec rewrite assertion.

Final Candidate Gate

Preparation result: PASS.

Implementation PASS requires all applicable unchecked runtime items above to be checked with evidence. PASS WITH CONDITIONS is allowed only when remaining conditions do not weaken credential safety, permission evidence safety, provider capability accuracy, runner gate safety, redaction, ownership, no-evidence posture, no-claim posture, or no-mini-platform posture.

FAIL if client-secret enables Exchange PowerShell, admin consent alone enables exchange_powershell_invoke, unsupported/stale/wrong-scope evidence passes, credential material is stored or logged, provider capability overclaims Supported, Exchange provider calls occur, PowerShell execution occurs, tenant configuration evidence is created, new UI/routes/jobs/schedules/listeners are added, existing provider readiness surfaces default-render raw payloads, tenant_id ownership truth is introduced, or tests do not prove credential/permission evidence safety.