TenantAtlas/specs/425-entra-certified-compare-pack/checklists/requirements.md
ahmido 33e496c182 feat: complete spec 425 entra certified compare pack (#492)
Implements spec 425 with Entra certified compare pack support, coverage, guards, evaluator, fixtures, and tests.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #492
2026-07-01 23:27:16 +00:00


# Requirements Checklist: Spec 425 - Entra Certified Compare Pack

**Purpose**: Validate preparation readiness for the user-provided Spec 425 candidate before implementation.

**Created**: 2026-07-01

**Feature**: [spec.md](../spec.md)

## Candidate And Scope
- [x] Candidate is directly user-provided and does not depend on the empty auto-prep queue.
- [x] Completed historical specs are treated as read-only dependency evidence, not artifacts to rewrite.
- [x] Scope is limited to `entra_core_compare_certified`.
- [x] Certified denominator is exactly `conditionalAccessPolicy` plus `securityDefaults`.
- [x] Optional Entra candidates are explicitly excluded.
- [x] Full Entra certification is excluded.
- [x] Microsoft 365 certification is excluded.
- [x] Restore/apply certification is excluded.
- [x] Customer-facing proof or report activation is excluded.
## Repo Truth Alignment
- [x] Spec 421 is recorded as the source of Conditional Access comparable/renderable support.
- [x] Spec 424 is recorded as the source of Security Defaults content-backed comparable/renderable support.
- [x] Current source preflight checked source contracts for both mandatory denominator types.
- [x] Current source preflight checked identity strategy for both mandatory denominator types.
- [x] Current source preflight checked compare/render/redaction helpers for both mandatory denominator types.
- [x] Current source preflight found no existing `425` spec directory before creation.
- [x] Current source preflight found no existing local `425` branch before creation.
- [x] `entra_core_compare_certified` is not assumed to already exist; implementation tasks require adding or confirming it.
## Constitution And Product Surface
- [x] Spec states that `tenant_id` is not the Coverage v2 ownership truth.
- [x] Spec preserves workspace, managed-environment, and provider-connection scope.
- [x] Spec requires DB-only certification evaluation with no Graph/TCM/provider remote calls.
- [x] Proportionality review rejects a new persisted certification table.
- [x] Proportionality review allows only a narrow derived evaluator/result if existing supported-scope evaluation is insufficient.
- [x] Product Surface impact is conditional and bounded to the existing Coverage v2 operator surface if needed.
- [x] Browser proof is required if rendered UI changes.
- [x] Browser proof is explicitly `N/A - no rendered UI surface changed` if no UI files change.
- [x] No new primary navigation, dashboard, route, customer output, report, export, Review Pack, or PDF is allowed.
- [x] Completed historical spec artifacts remain read-only.
## Requirement Coverage
- [x] Supported scope metadata requirements are defined.
- [x] Exact denominator integrity requirements are defined.
- [x] Evidence criteria are defined.
- [x] Evidence currentness and no fallback-to-first/latest behavior are defined.
- [x] Stable identity criteria are defined, and derived identity is blocked for certification.
- [x] Compare criteria are defined.
- [x] Render criteria are defined.
- [x] Redaction criteria are defined.
- [x] Claim Guard criteria are defined.
- [x] Explicit certification pass, not-evaluated, and blocker states are defined as derived outcomes.
- [x] Conditional Access certified compare fixture coverage is defined.
- [x] Security Defaults certified compare fixture coverage is defined.
- [x] Broad/full/restore/M365/customer claims are blocked.
- [x] No-restore and no-customer activation requirements are explicit.
- [x] No Entra mini-platform and no Entra-specific table family requirements are explicit.
- [x] RBAC/isolation expectations are explicit.
- [x] RBAC/isolation proof is tied to concrete service/command/route/UI invocation boundaries.
## Task Readiness
- [x] Preflight tasks block runtime implementation if mandatory evidence, identity, compare, render, redaction, or claim posture fails.
- [x] Tests and fixtures are planned before or alongside implementation.
- [x] Unit tests cover evaluator, denominator, compare, redaction, and Claim Guard behavior.
- [x] Feature tests cover supported scope, denominator, certification, no restore, no customer claim, no `tenant_id`, and no mini-platform.
- [x] Browser test task is conditional on rendered UI changes.
- [x] Validation commands include Pint, focused unit tests, focused feature tests, conditional browser test, and `git diff --check`.
- [x] Implementation report requirements include candidate gate, dirty state, files, matrices, redaction, no-restore, no-customer, no-tenant-id, no-mini-platform, Product Surface, tests, and deferred work.
## Review Outcome
- [x] Candidate Selection Gate: PASS.
- [x] Spec Readiness Gate: PASS for preparation artifacts.
- [x] Open questions: none that block implementation planning.
- [x] Hard implementation preflight remains required at T001-T006 before runtime code changes.
- [x] Preparation scope stops before application implementation.