TenantAtlas/specs/425-entra-certified-compare-pack/implementation-report.md
ahmido 33e496c182 feat: complete spec 425 entra certified compare pack (#492)
Implements spec 425 with Entra certified compare pack support, coverage, guards, evaluator, fixtures, and tests.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #492
2026-07-01 23:27:16 +00:00


Implementation Report: Spec 425 - Entra Certified Compare Pack

Preflight

  • Branch: 425-entra-certified-compare-pack
  • HEAD before implementation: 2cd51291 feat: complete spec 424 security defaults content-backed comparable support (#491)
  • Dirty state before implementation: untracked active spec artifacts under specs/425-entra-certified-compare-pack/
  • Dirty state after implementation: modified ClaimGuard.php, CoverageV2ReadinessReadModel.php, EntraComparablePayloadNormalizer.php, EntraRenderableSummaryBuilder.php, SupportedScopeResolver.php, TenantConfigurationSupportedScopeTest.php; untracked Spec 425 evaluator/result classes, Spec 425 tests/fixtures/support helper, and active spec artifacts under specs/425-entra-certified-compare-pack/.
  • Activated skills/gates: spec-kit-implementation-loop, pest-testing, workflows/spec-readiness-gate, repo-contracts/workspace-scope-safety, repo-contracts/rbac-action-safety, repo-contracts/evidence-anchor-contract, repo-contracts/provider-freshness-semantics, repo-contracts/customer-output-gate, repo-contracts/product-surface-gate, temporary-migrations/tcm-cutover-guard
  • Candidate gate result: PASS. Scope remains the exact internal/operator entra_core_compare_certified pack.
  • Completed-spec rewrite assertion: Specs 414, 415, 417, 418, 419, 420, 421, and 424 were used as read-only dependency evidence only.

Hard Preflight Result

| Check | Result | Evidence |
| --- | --- | --- |
| Conditional Access source contract | PASS | CoverageSourceContractResolver, config/graph_contracts.php |
| Conditional Access stable identity | PASS | CoverageIdentityStrategyRegistry uses graph.conditional_access_policy.v1, no derived identity |
| Conditional Access compare/render/redaction | PASS | EntraComparablePayloadNormalizer, EntraCoverageComparator, EntraRenderableSummaryBuilder, Spec421 tests |
| Security Defaults source contract | PASS | CoverageSourceContractResolver, config/graph_contracts.php |
| Security Defaults stable identity | PASS | CoverageIdentityStrategyRegistry uses graph.security_defaults.v1, no derived identity |
| Security Defaults compare/render/redaction | PASS | EntraComparablePayloadNormalizer, EntraCoverageComparator, EntraRenderableSummaryBuilder, Spec424 tests |
| Ownership fields | PASS | Coverage v2 schema uses workspace_id, managed_environment_id, provider_connection_id; no tenant_id ownership path |

Product Surface Decision

  • Runtime UI files changed: no Filament, Blade, route, navigation, action, dashboard, report, export, or PDF files changed. CoverageV2ReadinessReadModel now filters the internal certified scope out of existing Coverage v2 readiness options/defaults.
  • Browser proof: N/A - no new rendered route/page/action/widget/view surface was introduced; focused service/feature tests cover the existing option source, direct hidden-scope key rejection, and operator-safe render-summary behavior without browser-heavy coverage.
  • Human Product Sanity: N/A - no new product surface to inspect; visible complexity remains bounded because the internal scope is hidden from existing UI option sources, rejected when passed directly to readiness UI helpers, and Device-condition render output appears only when the underlying Conditional Access payload contains device conditions.
  • Visible complexity outcome: neutral; derived proof stays internal/service-first, the existing Coverage v2 filter/default cannot select the certified-pack scope, and Conditional Access device data does not add an always-visible row when absent.
  • Product Surface exceptions: none
  • Livewire v4 compliance: unchanged; platform remains Filament v5 on Livewire v4.
  • Panel provider registration location: unchanged; Laravel provider registration remains apps/platform/bootstrap/providers.php.
  • Global search posture: unchanged; no Resource/global search behavior changed.
  • Destructive/high-impact actions: none introduced.
  • Asset strategy: no assets registered; filament:assets is not newly required.

Files Changed

  • Runtime services: SupportedScopeResolver, ClaimGuard, CoverageV2ReadinessReadModel, EntraComparablePayloadNormalizer, EntraRenderableSummaryBuilder, EntraCertifiedComparePackEvaluator, EntraCertifiedComparePackResult.
  • Tests and fixtures: focused Spec 425 Unit/Feature tests, Spec425Fixtures, and golden fixtures for Conditional Access and Security Defaults, including Conditional Access device-condition coverage.
  • Existing regression test update: TenantConfigurationSupportedScopeTest now derives the default supported-scope count from SupportedScopeResolver::defaultDefinitions().
  • Spec artifacts: spec.md, plan.md, tasks.md, checklists/requirements.md, and this implementation report.
  • No migrations, routes, Filament resources/pages/widgets, views, browser tests, jobs, commands, assets, config secrets, or provider clients were added.

Certification Matrix

| Resource Type | Evidence | Identity | Compare | Render | Redaction | Certified? | Blocker |
| --- | --- | --- | --- | --- | --- | --- | --- |
| conditionalAccessPolicy | PASS | PASS | PASS | PASS | PASS | Yes | none |
| securityDefaults | PASS | PASS | PASS | PASS | PASS | Yes | none |

Claim Matrix

| Claim | Allowed? | Reason |
| --- | --- | --- |
| Certified Entra Core Compare Pack: Conditional Access and Security Defaults | Yes, internal/operator only | Exact denominator-visible pack claim after all criteria pass |
| 100% Entra coverage | No | Broad overclaim |
| Entra restore-ready | No | Restore out of scope |
| Certified Microsoft 365 coverage | No | Broad overclaim |
| Customer-ready Entra proof | No | Customer output deferred |

Safety Proof

  • No restore proof: PASS via Spec425EntraCertifiedNoRestoreTest; no restore/apply path, restore-ready state, or restorable tier introduced.
  • No customer-claim proof: PASS via Spec425EntraCertifiedNoCustomerClaimTest; no Review Pack/report/export/PDF/customer-ready proof activation.
  • No tenant_id proof: PASS via Spec425EntraCertifiedNoTenantIdTest; evaluator and supported-scope changes stay on workspace_id, managed_environment_id, and provider_connection_id.
  • No mini-platform proof: PASS via Spec425EntraCertifiedNoMiniPlatformTest; no Entra-specific migration, route, navigation, Filament surface, dashboard, or table family.
  • No remote-call proof: PASS via fail-hard Graph binding and assertNoOutboundHttp in Spec425EntraCertifiedComparePackTest; evaluator is DB-only.
  • Provider scope proof: PASS; evaluator rejects provider connections outside the managed environment scope.
  • Route/command 404/403 proof: N/A; Spec 425 adds no route, command, job, or UI invocation boundary. The pure service requires explicit managed-environment and provider-connection inputs and still proves same-scope rejection for wrong provider connections.
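
The no-remote-call and provider-scope proofs above can be illustrated with a Pest test in the shape the report describes: a fail-hard HTTP guard plus an explicit same-scope check before any evaluation. The following is an added example written for this report, not TenantAtlas code; the evaluator class, the two stand-in row objects, the criterion names and the field shapes are assumptions, and it assumes the Pest file is bound to the Laravel TestCase so the Http facade is available.

```php
<?php

// Added illustrative example, not TenantAtlas code. The evaluator class, the
// two stand-in value objects and the field names are assumptions made here.

use Illuminate\Support\Facades\Http;

// Stand-in for a managed environment row (hypothetical shape).
final class StubManagedEnvironment
{
    public function __construct(public int $id, public int $workspace_id) {}
}

// Stand-in for a provider connection row (hypothetical shape).
final class StubProviderConnection
{
    public function __construct(public int $id, public int $workspace_id, public int $managed_environment_id) {}
}

// Hypothetical DB-only evaluator: consumes already-captured criteria results
// and performs no I/O. Same-scope rejection happens before anything else.
final class HypotheticalCertifiedPackEvaluator
{
    /** @var list<string> exact pack denominator; nothing outside it is claimed */
    private const DENOMINATOR = ['conditionalAccessPolicy', 'securityDefaults'];

    /** @var list<string> every criterion must pass for every denominator entry */
    private const CRITERIA = ['evidence', 'identity', 'compare', 'render', 'redaction'];

    /**
     * @param array<string, array<string, bool>> $criteriaByResourceType
     * @return array<string, mixed>
     */
    public function evaluate(
        StubManagedEnvironment $environment,
        StubProviderConnection $connection,
        array $criteriaByResourceType,
    ): array {
        // Ownership is workspace_id + managed_environment_id; a connection from
        // another environment (or workspace) is rejected, never silently evaluated.
        if ($connection->workspace_id !== $environment->workspace_id
            || $connection->managed_environment_id !== $environment->id) {
            throw new InvalidArgumentException(
                'Provider connection is outside the managed environment scope.'
            );
        }

        $blockers = [];
        foreach (self::DENOMINATOR as $resourceType) {
            foreach (self::CRITERIA as $criterion) {
                if (($criteriaByResourceType[$resourceType][$criterion] ?? false) !== true) {
                    $blockers[] = "{$resourceType}.{$criterion}";
                }
            }
        }

        return [
            'workspace_id' => $environment->workspace_id,
            'managed_environment_id' => $environment->id,
            'provider_connection_id' => $connection->id,
            'resource_type_denominator' => self::DENOMINATOR,
            'certified' => $blockers === [],
            'blockers' => $blockers,
        ];
    }
}

beforeEach(function (): void {
    // Fail-hard guard: with no fakes registered, any outbound HTTP request
    // raises a RuntimeException, so a network call inside the evaluator fails the test.
    Http::preventStrayRequests();
});

it('rejects a provider connection from another managed environment', function (): void {
    $environment = new StubManagedEnvironment(id: 10, workspace_id: 1);
    $foreign = new StubProviderConnection(id: 77, workspace_id: 1, managed_environment_id: 11);

    expect(fn () => (new HypotheticalCertifiedPackEvaluator())->evaluate($environment, $foreign, []))
        ->toThrow(InvalidArgumentException::class);
});

it('certifies only when every criterion passes for the exact denominator', function (): void {
    $environment = new StubManagedEnvironment(id: 10, workspace_id: 1);
    $connection = new StubProviderConnection(id: 42, workspace_id: 1, managed_environment_id: 10);
    $allPass = array_fill_keys(['evidence', 'identity', 'compare', 'render', 'redaction'], true);

    $result = (new HypotheticalCertifiedPackEvaluator())->evaluate($environment, $connection, [
        'conditionalAccessPolicy' => $allPass,
        'securityDefaults' => $allPass,
    ]);

    expect($result['certified'])->toBeTrue()
        ->and($result['resource_type_denominator'])->toBe(['conditionalAccessPolicy', 'securityDefaults'])
        ->and($result)->not->toHaveKey('tenant_id');

    // One failed criterion anywhere in the denominator blocks the whole pack claim.
    $missingRedaction = $allPass;
    $missingRedaction['redaction'] = false;
    $blocked = (new HypotheticalCertifiedPackEvaluator())->evaluate($environment, $connection, [
        'conditionalAccessPolicy' => $allPass,
        'securityDefaults' => $missingRedaction,
    ]);

    expect($blocked['certified'])->toBeFalse()
        ->and($blocked['blockers'])->toBe(['securityDefaults.redaction']);
});
```

The scope check runs before any criteria are read, so a wrong provider connection can never produce a partial result, and the result carries only workspace_id, managed_environment_id and provider_connection_id as ownership keys. `Http::preventStrayRequests()` is the Laravel facility that makes an un-faked outbound request throw; placing it in `beforeEach` turns any accidental Graph call in the code under test into a hard failure rather than a silently recorded request.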

Validation

  • php -l on modified Spec 425 runtime/test files - PASS.
  • find apps/platform/tests/Fixtures/TenantConfiguration/Spec425 -name '*.json' -print0 | xargs -0 -n 1 php -r '...' - PASS; 19 fixtures decoded.
  • cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent - PASS.
  • cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Support/TenantConfiguration/EntraCertifiedDenominatorTest.php tests/Unit/Support/TenantConfiguration/EntraCertifiedPackClaimGuardTest.php tests/Unit/Support/TenantConfiguration/ConditionalAccessCertifiedCompareTest.php tests/Unit/Support/TenantConfiguration/SecurityDefaultsCertifiedCompareTest.php tests/Unit/Support/TenantConfiguration/EntraCertifiedRenderRedactionTest.php tests/Unit/Support/TenantConfiguration/EntraCertifiedPackEvaluatorTest.php - PASS, 32 tests / 118 assertions.
  • Earlier combined Spec 425 feature command from tasks.md - FAILED by environment signal 9 before result output; no test failure details were produced. Fix-up validation keeps the same split strategy to avoid aggregate signal-9 noise.
  • Split Spec 425 feature validation:
    • Spec425EntraCertifiedComparePackTest.php - PASS, 8 tests / 23 assertions.
    • Spec425EntraCertifiedClaimGuardFeatureTest.php, Spec425EntraCertifiedNoRestoreTest.php, Spec425EntraCertifiedNoCustomerClaimTest.php - PASS, 7 tests / 17 assertions.
    • Spec425EntraCertifiedNoTenantIdTest.php, Spec425EntraCertifiedNoMiniPlatformTest.php, Spec425EntraCertifiedDenominatorFeatureTest.php - PASS, 5 tests / 23 assertions.
    • Total focused Spec 425 feature split - PASS, 20 tests / 63 assertions.
  • Related resolver/readiness regressions: SupportedScopeResolverTest.php, TenantConfigurationSupportedScopeTest.php, CoverageV2ReadinessPageTest.php - PASS, 19 tests / 156 assertions.
  • Related ClaimGuard/Entra/SecurityDefaults regressions: ClaimGuardTest.php, Spec421EntraClaimGuardTest.php, Spec421EntraComparableDiffTest.php, Spec424SecurityDefaultsTypedSemanticsTest.php, Spec424SecurityDefaultsSourceContractTest.php, TenantConfigurationClaimGuardFeatureTest.php, Spec421EntraComparableRenderableTest.php, Spec421EntraCoverageLevelPromotionTest.php, Spec421EntraNoRestoreNoCertificationTest.php, Spec424SecurityDefaultsCaptureReadinessTest.php - PASS, 61 tests / 285 assertions.
  • Earlier combined related feature regression command - FAILED by environment signal 9 before complete output; isolated failure was the expected supported-scope default count increase.
  • Split related feature regression validation:
    • TenantConfigurationSupportedScopeTest.php - PASS, 4 tests / 13 assertions after deriving the default count from the resolver.
    • TenantConfigurationClaimGuardFeatureTest.php, Spec421EntraComparableRenderableTest.php - PASS, 5 tests / 20 assertions.
    • Spec421EntraCoverageLevelPromotionTest.php, Spec421EntraNoRestoreNoCertificationTest.php, Spec424SecurityDefaultsCaptureReadinessTest.php - PASS, 12 tests / 108 assertions.
  • git diff --check - PASS.
  • Browser validation: N/A - no new rendered route/page/action/widget/view surface; no browser-heavy coverage added.

Deployment Impact

  • Staging/production validation: required gate remains Staging before Production.
  • Migrations: none.
  • Environment variables/secrets: none.
  • Queues/scheduler/workers: none.
  • Storage/volumes: none.
  • Assets: none; no new filament:assets requirement beyond existing deployment process.
  • Operational command: deploy/release should run the existing idempotent tenant-configuration:sync-defaults path so the new entra_core_compare_certified supported scope is present outside tests.
  • Rollback/forward: rollback removes only derived evaluator availability and the supported-scope default from code; no schema rollback needed.

Final Gate Result

PASS. Spec 425 remains exact-denominator, internal/operator-only, DB-only, non-restorable, non-customer-facing, workspace-scoped, and free of new routes, actions, dashboards, reports, exports, PDFs, jobs, commands, migrations, and customer output. Conditional Access device conditions are now covered by compare/render proof, the exact resource_type_denominator metadata key is present, and the internal certified scope is hidden from and rejected by existing Coverage v2 readiness option/default/inspect paths.

Deferred Work

  • Broader Entra, Microsoft 365, restore/apply, customer output, report/PDF/review-pack claims remain separate-spec candidates.