Implements spec 425 with Entra certified compare pack support, coverage, guards, evaluator, fixtures, and tests. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #492
113 lines
11 KiB
Markdown
# Implementation Report: Spec 425 - Entra Certified Compare Pack

## Preflight

- **Branch**: `425-entra-certified-compare-pack`
- **HEAD before implementation**: `2cd51291 feat: complete spec 424 security defaults content-backed comparable support (#491)`
- **Dirty state before implementation**: untracked active spec artifacts under `specs/425-entra-certified-compare-pack/`
- **Dirty state after implementation**: modified `ClaimGuard.php`, `CoverageV2ReadinessReadModel.php`, `EntraComparablePayloadNormalizer.php`, `EntraRenderableSummaryBuilder.php`, `SupportedScopeResolver.php`, `TenantConfigurationSupportedScopeTest.php`; untracked Spec 425 evaluator/result classes, Spec 425 tests/fixtures/support helper, and active spec artifacts under `specs/425-entra-certified-compare-pack/`.
- **Activated skills/gates**: `spec-kit-implementation-loop`, `pest-testing`, `workflows/spec-readiness-gate`, `repo-contracts/workspace-scope-safety`, `repo-contracts/rbac-action-safety`, `repo-contracts/evidence-anchor-contract`, `repo-contracts/provider-freshness-semantics`, `repo-contracts/customer-output-gate`, `repo-contracts/product-surface-gate`, `temporary-migrations/tcm-cutover-guard`
- **Candidate gate result**: PASS. Scope remains the exact internal/operator `entra_core_compare_certified` pack.
- **Completed-spec rewrite assertion**: Specs 414, 415, 417, 418, 419, 420, 421, and 424 were used as read-only dependency evidence only.

## Hard Preflight Result

| Check | Result | Evidence |
|---|---|---|
| Conditional Access source contract | PASS | `CoverageSourceContractResolver`, `config/graph_contracts.php` |
| Conditional Access stable identity | PASS | `CoverageIdentityStrategyRegistry` uses `graph.conditional_access_policy.v1`, no derived identity |
| Conditional Access compare/render/redaction | PASS | `EntraComparablePayloadNormalizer`, `EntraCoverageComparator`, `EntraRenderableSummaryBuilder`, Spec421 tests |
| Security Defaults source contract | PASS | `CoverageSourceContractResolver`, `config/graph_contracts.php` |
| Security Defaults stable identity | PASS | `CoverageIdentityStrategyRegistry` uses `graph.security_defaults.v1`, no derived identity |
| Security Defaults compare/render/redaction | PASS | `EntraComparablePayloadNormalizer`, `EntraCoverageComparator`, `EntraRenderableSummaryBuilder`, Spec424 tests |
| Ownership fields | PASS | Coverage v2 schema uses `workspace_id`, `managed_environment_id`, `provider_connection_id`; no `tenant_id` ownership path |

## Product Surface Decision

- **Runtime UI files changed**: no Filament, Blade, route, navigation, action, dashboard, report, export, or PDF files changed. `CoverageV2ReadinessReadModel` now filters the internal certified scope out of existing Coverage v2 readiness options/defaults.
- **Browser proof**: N/A - no new rendered route/page/action/widget/view surface was introduced; focused service/feature tests cover the existing option source, direct hidden-scope key rejection, and operator-safe render-summary behavior without browser-heavy coverage.
- **Human Product Sanity**: N/A - no new product surface to inspect; visible complexity remains bounded because the internal scope is hidden from existing UI option sources, rejected when passed directly to readiness UI helpers, and Device-condition render output appears only when the underlying Conditional Access payload contains device conditions.
- **Visible complexity outcome**: neutral; derived proof stays internal/service-first, the existing Coverage v2 filter/default cannot select the certified-pack scope, and Conditional Access device data does not add an always-visible row when absent.
- **Product Surface exceptions**: none
- **Livewire v4 compliance**: unchanged; platform remains Filament v5 on Livewire v4.
- **Panel provider registration location**: unchanged; Laravel provider registration remains `apps/platform/bootstrap/providers.php`.
- **Global search posture**: unchanged; no Resource/global search behavior changed.
- **Destructive/high-impact actions**: none introduced.
- **Asset strategy**: no assets registered; `filament:assets` is not newly required.

## Files Changed

- Runtime services: `SupportedScopeResolver`, `ClaimGuard`, `CoverageV2ReadinessReadModel`, `EntraComparablePayloadNormalizer`, `EntraRenderableSummaryBuilder`, `EntraCertifiedComparePackEvaluator`, `EntraCertifiedComparePackResult`.
- Tests and fixtures: focused Spec 425 Unit/Feature tests, `Spec425Fixtures`, and golden fixtures for Conditional Access and Security Defaults, including Conditional Access device-condition coverage.
- Existing regression test update: `TenantConfigurationSupportedScopeTest` now derives the default supported-scope count from `SupportedScopeResolver::defaultDefinitions()`.
- Spec artifacts: `spec.md`, `plan.md`, `tasks.md`, `checklists/requirements.md`, and this implementation report.
- No migrations, routes, Filament resources/pages/widgets, views, browser tests, jobs, commands, assets, config secrets, or provider clients were added.

## Certification Matrix

| Resource Type | Evidence | Identity | Compare | Render | Redaction | Certified? | Blocker |
|---|---|---|---|---|---|---|---|
| `conditionalAccessPolicy` | PASS | PASS | PASS | PASS | PASS | Yes | none |
| `securityDefaults` | PASS | PASS | PASS | PASS | PASS | Yes | none |

## Claim Matrix

| Claim | Allowed? | Reason |
|---|---|---|
| Certified Entra Core Compare Pack: Conditional Access and Security Defaults | Yes, internal/operator only | Exact denominator-visible pack claim after all criteria pass |
| 100% Entra coverage | No | Broad overclaim |
| Entra restore-ready | No | Restore out of scope |
| Certified Microsoft 365 coverage | No | Broad overclaim |
| Customer-ready Entra proof | No | Customer output deferred |

## Safety Proof

- **No restore proof**: PASS via `Spec425EntraCertifiedNoRestoreTest`; no restore/apply path, restore-ready state, or restorable tier introduced.
- **No customer-claim proof**: PASS via `Spec425EntraCertifiedNoCustomerClaimTest`; no Review Pack/report/export/PDF/customer-ready proof activation.
- **No `tenant_id` proof**: PASS via `Spec425EntraCertifiedNoTenantIdTest`; evaluator and supported-scope changes stay on `workspace_id`, `managed_environment_id`, and `provider_connection_id`.
- **No mini-platform proof**: PASS via `Spec425EntraCertifiedNoMiniPlatformTest`; no Entra-specific migration, route, navigation, Filament surface, dashboard, or table family.
- **No remote-call proof**: PASS via fail-hard Graph binding and `assertNoOutboundHttp` in `Spec425EntraCertifiedComparePackTest`; evaluator is DB-only.
- **Provider scope proof**: PASS; evaluator rejects provider connections outside the managed environment scope.
- **Route/command 404/403 proof**: N/A; Spec 425 adds no route, command, job, or UI invocation boundary. The pure service requires explicit managed-environment and provider-connection inputs and still proves same-scope rejection for wrong provider connections.
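
As an added illustration (not the repository's code) of the no-remote-call and provider-scope proofs above: a DB-only evaluator bound to a fail-hard Graph client, rejecting any provider connection that is not owned by the requested managed environment. `GraphClient`, `CertifiedPackEvaluator` and the row shapes are assumptions, not the project's classes.

```php
<?php
declare(strict_types=1);
// Added illustration, not the repository's code. Assumed shapes: provider
// connection rows keyed by id with managed_environment_id / workspace_id
// columns, and a hypothetical GraphClient interface.
interface GraphClient { public function get(string $path): array; }

// Fail-hard binding: any Graph call during evaluation is a hard failure,
// which is how a DB-only evaluator proves it never reaches the network.
final class FailHardGraphClient implements GraphClient {
    public function get(string $path): array {
        throw new RuntimeException("outbound Graph call attempted: {$path}");
    }
}
final class ScopeViolation extends RuntimeException {}

final class CertifiedPackEvaluator {
    public const SCOPE = 'entra_core_compare_certified';
    // Exact denominator: the two certified resource types, nothing broader.
    public const DENOMINATOR = ['conditionalAccessPolicy', 'securityDefaults'];

    /** @param array<string, array<string, string>> $connections constructed DB rows */
    public function __construct(private array $connections, private GraphClient $graph) {}

    public function evaluate(string $managedEnvironmentId, string $providerConnectionId): array {
        $row = $this->connections[$providerConnectionId] ?? null;
        // Same-scope check: a connection owned by another managed environment is rejected.
        if ($row === null || $row['managed_environment_id'] !== $managedEnvironmentId) {
            throw new ScopeViolation("provider connection {$providerConnectionId} is outside managed environment {$managedEnvironmentId}");
        }
        // DB-only: $this->graph is deliberately never called here.
        return [
            'supported_scope' => self::SCOPE,
            'resource_type_denominator' => self::DENOMINATOR,
            'workspace_id' => $row['workspace_id'],
        ];
    }
}

// Constructed rows: pc-2 belongs to a different managed environment.
$rows = [
    'pc-1' => ['workspace_id' => 'ws-1', 'managed_environment_id' => 'me-1'],
    'pc-2' => ['workspace_id' => 'ws-1', 'managed_environment_id' => 'me-2'],
];
$evaluator = new CertifiedPackEvaluator($rows, new FailHardGraphClient());
print_r($evaluator->evaluate('me-1', 'pc-1'));
try {
    $evaluator->evaluate('me-1', 'pc-2');
} catch (ScopeViolation $e) {
    echo $e->getMessage(), PHP_EOL;
}
```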
## Validation

- `php -l` on modified Spec 425 runtime/test files - PASS.
- `find apps/platform/tests/Fixtures/TenantConfiguration/Spec425 -name '*.json' -print0 | xargs -0 -n 1 php -r '...'` - PASS; 19 fixtures decoded.
- `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent` - PASS.
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Support/TenantConfiguration/EntraCertifiedDenominatorTest.php tests/Unit/Support/TenantConfiguration/EntraCertifiedPackClaimGuardTest.php tests/Unit/Support/TenantConfiguration/ConditionalAccessCertifiedCompareTest.php tests/Unit/Support/TenantConfiguration/SecurityDefaultsCertifiedCompareTest.php tests/Unit/Support/TenantConfiguration/EntraCertifiedRenderRedactionTest.php tests/Unit/Support/TenantConfiguration/EntraCertifiedPackEvaluatorTest.php` - PASS, 32 tests / 118 assertions.
- Earlier combined Spec 425 feature command from `tasks.md` - FAILED by environment signal 9 before result output; no test failure details were produced. Fix-up validation keeps the same split strategy to avoid aggregate signal-9 noise.
- Split Spec 425 feature validation:
  - `Spec425EntraCertifiedComparePackTest.php` - PASS, 8 tests / 23 assertions.
  - `Spec425EntraCertifiedClaimGuardFeatureTest.php`, `Spec425EntraCertifiedNoRestoreTest.php`, `Spec425EntraCertifiedNoCustomerClaimTest.php` - PASS, 7 tests / 17 assertions.
  - `Spec425EntraCertifiedNoTenantIdTest.php`, `Spec425EntraCertifiedNoMiniPlatformTest.php`, `Spec425EntraCertifiedDenominatorFeatureTest.php` - PASS, 5 tests / 23 assertions.
  - Total focused Spec 425 feature split - PASS, 20 tests / 63 assertions.
- Related resolver/readiness regressions: `SupportedScopeResolverTest.php`, `TenantConfigurationSupportedScopeTest.php`, `CoverageV2ReadinessPageTest.php` - PASS, 19 tests / 156 assertions.
- Related ClaimGuard/Entra/SecurityDefaults regressions: `ClaimGuardTest.php`, `Spec421EntraClaimGuardTest.php`, `Spec421EntraComparableDiffTest.php`, `Spec424SecurityDefaultsTypedSemanticsTest.php`, `Spec424SecurityDefaultsSourceContractTest.php`, `TenantConfigurationClaimGuardFeatureTest.php`, `Spec421EntraComparableRenderableTest.php`, `Spec421EntraCoverageLevelPromotionTest.php`, `Spec421EntraNoRestoreNoCertificationTest.php`, `Spec424SecurityDefaultsCaptureReadinessTest.php` - PASS, 61 tests / 285 assertions.
- Earlier combined related feature regression command - FAILED by environment signal 9 before complete output; isolated failure was the expected supported-scope default count increase.
- Split related feature regression validation:
  - `TenantConfigurationSupportedScopeTest.php` - PASS, 4 tests / 13 assertions after deriving the default count from the resolver.
  - `TenantConfigurationClaimGuardFeatureTest.php`, `Spec421EntraComparableRenderableTest.php` - PASS, 5 tests / 20 assertions.
  - `Spec421EntraCoverageLevelPromotionTest.php`, `Spec421EntraNoRestoreNoCertificationTest.php`, `Spec424SecurityDefaultsCaptureReadinessTest.php` - PASS, 12 tests / 108 assertions.
- `git diff --check` - PASS.
- Browser validation: N/A - no new rendered route/page/action/widget/view surface; no browser-heavy coverage added.

## Deployment Impact

- **Staging/production validation**: required gate remains Staging before Production.
- **Migrations**: none.
- **Environment variables/secrets**: none.
- **Queues/scheduler/workers**: none.
- **Storage/volumes**: none.
- **Assets**: none; no new `filament:assets` requirement beyond existing deployment process.
- **Operational command**: deploy/release should run the existing idempotent `tenant-configuration:sync-defaults` path so the new `entra_core_compare_certified` supported scope is present outside tests.
- **Rollback/forward**: rollback removes only derived evaluator availability and the supported-scope default from code; no schema rollback needed.

## Final Gate Result

PASS. Spec 425 remains exact-denominator, internal/operator-only, DB-only, non-restorable, non-customer-facing, workspace-scoped, and free of new routes, actions, dashboards, reports, exports, PDFs, jobs, commands, migrations, and customer output. Conditional Access device conditions are now covered by compare/render proof, the exact `resource_type_denominator` metadata key is present, and the internal certified scope is hidden from and rejected by existing Coverage v2 readiness option/default/inspect paths.

## Deferred Work

- Broader Entra, Microsoft 365, restore/apply, customer output, report/PDF/review-pack claims remain separate-spec candidates.