Implements spec 425 with Entra certified compare pack support, coverage, guards, evaluator, fixtures, and tests. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #492
38 KiB
Feature Specification: Spec 425 - Entra Certified Compare Pack
Feature Branch: 425-entra-certified-compare-pack
Created: 2026-07-01
Status: Draft
Input: User-provided candidate: "Spec 425 - Entra Certified Compare Pack"
Selection And Preflight
- Selected candidate: Certified Entra Core Compare Pack.
- Source: Direct user-provided Spec 425 draft in the 2026-07-01 session.
- Why selected: Spec 424 is merged at current HEAD (
2cd51291 feat: complete spec 424 security defaults content-backed comparable support (#491)) and closes the directsecurityDefaultsblocker that Spec 421 deferred. This makes the exact two-type Entra denominator eligible for a certification-prep slice. - Close alternatives deferred: Exchange/Teams certified compare, Security and Compliance certified compare, customer reporting claim guard, pilot readiness, Entra restore/apply, Application, Service Principal, Role Definition, Administrative Unit, Review Pack output, and management PDF output all require separate denominators or customer/output risk decisions.
- Completed-spec guardrail result: Specs 414, 415, 417, 418, 419, 420, 421, and 424 are completed dependency context only. Their close-out history, validation results, browser proof, and task completion markers must not be rewritten by this spec.
- Current preflight evidence:
- Spec 421 implementation report records Conditional Access as content-backed, comparable, renderable, redacted, browser-proven, no-restore, no-certification, and no-customer-claim.
- Spec 424 implementation report records Security Defaults as content-backed, comparable, renderable, redacted, browser-proven, no-restore, no-certification, and no-customer-claim.
- Current source shows
conditionalAccessPolicyandsecurityDefaultsinCoverageSourceContractResolver,CoverageIdentityStrategyRegistry,EntraComparablePayloadNormalizer,EntraCoverageComparator,EntraRenderableSummaryBuilder, andconfig/graph_contracts.php. - Current source shows no existing
entra_core_compare_certifiedsupported scope.
- Hard implementation preflight: Before runtime code changes, implementation must re-check current source/tests and stop if either denominator item lacks content-backed evidence, stable identity, deterministic compare, operator-safe render, redaction proof, or Claim Guard safety.
Spec Candidate Check (mandatory - SPEC-GATE-001)
- Problem: TenantPilot can internally prove Conditional Access and Security Defaults are comparable/renderable, but it cannot safely say the exact Entra core compare denominator is certified without stronger pack-level proof and claim controls.
- Today's failure: Operators or release reviewers could over-read comparable/renderable support as full Entra coverage, Microsoft 365 coverage, restore readiness, customer-ready proof, or certification without denominator integrity.
- User-visible improvement: Internal operators get one exact certification result for Conditional Access plus Security Defaults, with blocker reasons and Claim Guard protection that prevent broad or restore/customer claims.
- Smallest enterprise-capable version: A DB-only, internal/operator-only certification evaluator and supported scope for exactly
conditionalAccessPolicyandsecurityDefaults, with golden fixtures, tests, and no new customer output. - Explicit non-goals: No restore/apply, no full Entra certification, no Microsoft 365 certification, no customer claim activation, no new Entra dashboard, no new Entra table family, no Application/Service Principal/Role Definition/Administrative Unit certification, no v1 compatibility, no
tenant_id. - Permanent complexity imported: One narrow derived certification evaluator or equivalent existing-scope evaluation, exact supported-scope metadata, focused fixture/test family, and Claim Guard exact wording rules. No new persisted table is allowed.
- Why now: Spec 424 unblocked Security Defaults, leaving certification claim safety as the next P0 trust gate before later customer or pilot readiness work.
- Why not local: Certification is a cross-resource pack claim. It cannot be safely represented by one row-level compare/render helper or ad hoc wording without denominator, evidence, identity, redaction, and claim guard checks.
- Approval class: Core Enterprise.
- Red flags triggered: New claim/status semantics and evaluator logic. Defense: they directly prevent unsafe certification, restore, customer, full-Entra, and M365 overclaims; scope is exactly two resource types and derived by default.
- Score: Nutzen: 2 | Dringlichkeit: 2 | Scope: 2 | Komplexitaet: 1 | Produktnaehe: 2 | Wiederverwendung: 2 | Gesamt: 11/12
- Decision: approve.
Spec Scope Fields (mandatory)
- Scope: workspace + managed-environment scoped internal/operator evaluation over existing Coverage v2 evidence.
- Primary Routes: Existing Coverage v2 readiness/operator surface only if implementation needs rendered certification display. No new route is planned.
- Data Ownership: Environment-owned Coverage v2 resource/evidence rows remain scoped by
workspace_id,managed_environment_id, and same-scopeprovider_connection_id. - RBAC: Non-member workspace or managed-environment access is 404. Member without view/evaluate capability is 403. No customer-facing route.
No Legacy / No Backward Compatibility Constraint (mandatory)
TenantPilot is pre-production unless this spec explicitly records a compatibility exception.
- Compatibility posture: canonical extension of Coverage v2; no compatibility exception.
- Legacy aliases, fallback readers, hidden routes, duplicate UI, old labels, or historical fixtures kept?: no.
- Why clean replacement is safe now: This spec adds a new internal certified pack concept and does not migrate legacy data or customer-facing contracts.
UI Surface Impact (mandatory - UI-COV-001)
Does this spec add, remove, rename, or materially change any reachable UI surface?
- No UI surface impact
- Existing page changed
- New page/route added
- Navigation changed
- Filament panel/provider surface changed
- New modal/drawer/wizard/action added
- New table/form/state added
- Customer-facing surface changed
- Dangerous action changed
- Status/evidence/review presentation changed
- Workspace/environment context presentation changed
Default planned impact is service/config/test-only with N/A - no rendered UI surface changed. If implementation discovers that rendered certification output is necessary, amend this spec, plan, and tasks before editing UI files, then limit impact to the existing Coverage v2 internal/operator readiness or inspect surface. No new route, navigation item, dashboard, action, report, download, Review Pack output, or customer-facing surface may be added.
UI/Productization Coverage (mandatory when UI Surface Impact is not "No UI surface impact")
- Route/page/surface: N/A unless the active artifacts are amended for rendered UI changes; then existing Coverage v2 readiness/operator surface and inspect details only.
- Current or new page archetype: Technical Annex / internal operator evidence inspection.
- Design depth: Internal/Hidden, because this is internal/operator certification evidence and not a customer output surface.
- Repo-truth level: repo-verified through Specs 418, 421, and 424.
- Existing pattern reused: Existing Coverage v2 readiness read model and inspect surface.
- New pattern required: none.
- Screenshot required: only if runtime UI files change; otherwise no.
- Page audit required: no, unless implementation adds a materially new surface contrary to this spec.
- Customer-safe review required: yes as a negative proof only: no customer-facing output or customer-ready label may appear.
- Dangerous-action review required: no destructive/high-impact action in scope.
- Coverage files updated or explicitly not needed:
docs/ui-ux-enterprise-audit/route-inventory.mddocs/ui-ux-enterprise-audit/design-coverage-matrix.mddocs/ui-ux-enterprise-audit/page-reports/...docs/ui-ux-enterprise-audit/strategic-surfaces.mddocs/ui-ux-enterprise-audit/grouped-follow-up-candidates.mddocs/ui-ux-enterprise-audit/unresolved-pages.mdN/A - no new reachable UI surface
- No-impact rationale when applicable: Existing surface reuse is expected; no new page, route, navigation, customer output, or action is allowed.
Product Surface Impact (mandatory for UI-affecting specs)
Reference: docs/product/standards/product-surface-contract.md.
- Product Surface Contract applies?: conditional. The active decision is
N/A - no rendered UI surface changed; the contract fields below define the only allowed amendment path if UI changes become necessary. - Page archetype: Technical Annex.
- Primary user question: Is the exact Entra Core Compare denominator certified for internal compare/render claims?
- Primary action: Inspect blockers or evidence; read-only.
- Surface budget result: pass if reused on existing Coverage v2 surface; no new page/action/route.
- Technical Annex / deep-link demotion: Raw payload, raw Graph response, permission context, source endpoints, operation details, IDs, source keys, unsupported field internals, and raw compare values remain hidden, collapsed, or internal-only.
- Canonical status vocabulary: Certification state may use derived internal blocker values. Product-facing labels, if rendered, must map to
Ready,Blocked,Needs attention, orUnknownand must not exposeCertified Entrawithout the exact denominator. - Visible complexity impact: neutral or decreased. The pack should reduce interpretation work by presenting one exact denominator and blocker set.
- Product Surface exceptions: none.
Browser Verification Plan (mandatory)
- Browser proof required?: yes if runtime UI files or rendered certification output change; no otherwise.
- No-browser rationale:
N/A - no rendered UI surface changedif implementation is service/config/test only. - Focused path when required: Existing Coverage v2 readiness/operator route with seeded workspace, managed environment, provider connection, Conditional Access evidence, and Security Defaults evidence.
- Primary interaction to execute: Load the existing route as an authorized internal operator, inspect the certified pack state, verify exact denominator, blockers/no blockers, no restore-ready claim, no full Entra/M365 claim, internal/operator-only label, raw payload absence, and no console/Livewire/Filament errors.
- Console, Livewire, Filament, network, and 500-error checks: planned if browser proof is required.
- Full-suite failure triage: Unrelated failures must be documented separately if focused proof is green.
Human Product Sanity Check (mandatory)
- Required?: yes if rendered UI changes; otherwise no.
- No-human-sanity rationale:
N/A - no rendered UI surface changedif service/config/test only. - Reviewer questions: Is the exact denominator visible? Is it impossible to confuse this with full Entra, M365, restore-ready, or customer-ready proof? Are raw/technical details demoted? Is there one read-only next action? Is visible complexity not worse?
- Planned result location: implementation-report.
Product Surface Merge Gate Checklist (mandatory)
- No-legacy posture or approved exception recorded.
- Product Surface Impact is completed or
N/Ais justified. - Browser proof is completed or
N/A - no rendered UI surface changedis justified. - Human Product Sanity is completed or not applicable with rationale.
- Product Surface exceptions are documented or
none. - Implementation report will state Livewire v4 compliance, provider registration location, global search posture, destructive/high-impact action posture, asset strategy, tests/browser result, deployment impact, and visible complexity outcome.
Cross-Cutting / Shared Pattern Reuse (mandatory)
- Cross-cutting feature?: yes.
- Interaction class(es): status messaging, evidence inspection, claim wording, redaction.
- Systems touched: Coverage v2 resource/evidence/read model, supported scopes, Claim Guard, redactor, typed Entra compare/render helpers.
- Existing pattern(s) to extend:
SupportedScopeResolver,ClaimGuard,CoveragePayloadRedactor,CoverageV2ReadinessReadModel,EntraComparablePayloadNormalizer,EntraCoverageComparator,EntraRenderableSummaryBuilder. - Shared contract / presenter / builder / renderer to reuse: Existing Coverage v2 and Entra helper family. Do not create an Entra mini-platform.
- Why the existing shared path is sufficient or insufficient: Existing paths already prove evidence, identity, compare, render, and claim safety for the two resource types. A narrow pack evaluator is needed only to compose the exact denominator and certification criteria.
- Allowed deviation and why: A small derived
EntraCertifiedComparePackEvaluatoror equivalent existing-scope evaluator is allowed if existing classes do not already produce pack-level certification state. - Consistency impact: Claim and blocker wording must remain aligned with Coverage v2 states and Claim Guard.
- Review focus: Prevent broad claims, restore implications, raw payload exposure,
tenant_id, and Entra-specific table/platform drift.
OperationRun UX Impact (mandatory when touched)
- Touches OperationRun start/completion/link UX?: no.
- Shared OperationRun UX contract/layer reused: N/A.
- Delegated start/completion UX behaviors: N/A.
- Local surface-owned behavior that remains: N/A.
- Queued DB-notification policy: N/A.
- Terminal notification path: N/A.
- Exception required?: none.
Certification evaluation is DB-only and must not create a new OperationRun. If implementation discovers that evaluation must become a batch job, stop and amend this spec before continuing.
Provider Boundary / Platform Core Check (mandatory when touched)
- Shared provider/platform boundary touched?: yes.
- Boundary classification: mixed. Resource identifiers and Graph/TCM source contracts are provider-owned; certification denominator, coverage level, claim guard, redaction, and workspace/environment/provider scope are platform-core Coverage v2 concerns.
- Seams affected: supported scopes, resource-type registry metadata, evidence rows, identity strategy, typed Entra compare/render helpers, Claim Guard.
- Neutral platform terms preserved or introduced: coverage, evidence, identity, claim, supported scope, resource type, managed environment, provider connection.
- Provider-specific semantics retained and why:
conditionalAccessPolicyandsecurityDefaultsare the exact Microsoft Entra resource types in the denominator. - Why this does not deepen provider coupling accidentally: No provider-native tenant ID ownership, no new Entra table family, no Entra dashboard, no provider framework, no customer output, and no restore/apply support.
- Follow-up path: Additional Entra resource types, Entra restore, customer reporting, and M365-wide certification require separate specs.
UI / Surface Guardrail Impact (mandatory when operator-facing surfaces are changed)
| Surface / Change | Operator-facing surface change? | Native vs Custom | Shared-Family Relevance | State Layers Touched | Exception Needed? | Low-Impact / N/A Note |
|---|---|---|---|---|---|---|
| Existing Coverage v2 readiness / inspect surface | conditional | Existing Filament/Coverage v2 surface | status/evidence/claim display | read model, inspect details | no | Browser proof only if rendered UI files change |
Decision-First Surface Role (mandatory when operator-facing surfaces are changed)
| Surface | Decision Role | Human-in-the-loop Moment | Immediately Visible for First Decision | On-Demand Detail / Evidence | Why This Is Primary or Why Not | Workflow Alignment | Attention-load Reduction |
|---|---|---|---|---|---|---|---|
| Existing Coverage v2 readiness / inspect surface | Tertiary Evidence / Diagnostics Surface | Release reviewer verifies a certification claim is safe | Pack state, exact denominator, blocker summary, no-restore/customer scope | source contract, evidence hash, unsupported/redacted fields | Not primary; supports internal proof review | Extends Coverage v2 technical annex | One pack result replaces manual row-by-row inference |
Audience-Aware Disclosure (mandatory when operator-facing surfaces are changed)
| Surface | Audience Modes In Scope | Decision-First Default-Visible Content | Operator Diagnostics | Support / Raw Evidence | One Dominant Next Action | Hidden / Gated By Default | Duplicate-Truth Prevention |
|---|---|---|---|---|---|---|---|
| Existing Coverage v2 readiness / inspect surface | operator-MSP, support-platform | Certified pack state, exact denominator, blocker/no blocker, no-restore warning | evidence/identity/claim state, source contract, redaction result | raw payload, raw Graph response, permission context, source endpoints | Inspect blockers | raw payload and provider diagnostics | Certification claim appears once with denominator |
UI/UX Surface Classification (mandatory when operator-facing surfaces are changed)
| Surface | Action Surface Class | Surface Type | Likely Next Operator Action | Primary Inspect/Open Model | Row Click | Secondary Actions Placement | Destructive Actions Placement | Canonical Collection Route | Canonical Detail Route | Scope Signals | Canonical Noun | Critical Truth Visible by Default | Exception Type / Justification |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Existing Coverage v2 readiness / inspect surface | List / Table / Detail | Technical Annex | Inspect blockers | Existing inspect affordance | existing behavior | Existing details/technical disclosure | none | existing Coverage v2 route | existing inspect/modal | workspace + managed environment | Certified Entra Core Compare Pack | exact denominator and blocker state | none |
Operator Surface Contract (mandatory when operator-facing surfaces are changed)
| Surface | Primary Persona | Decision / Operator Action Supported | Surface Type | Primary Operator Question | Default-visible Information | Diagnostics-only Information | Status Dimensions Used | Mutation Scope | Primary Actions | Dangerous Actions |
|---|---|---|---|---|---|---|---|---|---|---|
| Existing Coverage v2 readiness / inspect surface | internal operator / release reviewer | Decide whether internal certified pack wording is safe | Technical Annex | Is the exact pack certified for compare/render? | pack state, denominator, blockers, internal-only/no-restore labels | raw payload, source metadata, OperationRun links, permission context | certification, evidence, identity, compare, render, redaction, claim | read-only | Inspect blockers | none |
Proportionality Review (mandatory when structural complexity is introduced)
- New source of truth?: no. Certification is derived from existing Coverage v2 evidence, identity, compare, render, redaction, supported scope, and Claim Guard truth.
- New persisted entity/table/artifact?: no.
- New abstraction?: yes, if implementation adds a narrow pack evaluator service or value object.
- New enum/state/reason family?: derived blocker states may be introduced as service-local values. Do not add a persisted enum/status family unless the spec is amended.
- New cross-domain UI framework/taxonomy?: no.
- Current operator problem: Release reviewers need a safe internal certification claim for the exact Entra denominator without overclaiming restore, customer proof, or full workload coverage.
- Existing structure is insufficient because: Row-level compare/render helpers do not prove denominator integrity, exact pack success/failure, or claim wording safety across both mandatory resource types.
- Narrowest correct implementation: One exact pack definition plus derived evaluator and tests; reuse existing Coverage v2/Claim Guard/redaction helpers; no persistence and no new UI framework.
- Ownership cost: Focused evaluator, fixtures, and tests must be maintained when either denominator type changes.
- Alternative intentionally rejected: Marking each resource type
certifiedindependently without a pack evaluator; that would allow one denominator item to fail silently or claims to overreach. - Release truth: Current-release internal/operator certification proof only.
Compatibility posture
This feature assumes a pre-production environment. Backward compatibility, legacy aliases, migration shims, historical fixtures, and compatibility-specific tests are out of scope.
Testing / Lane / Runtime Impact (mandatory for runtime behavior changes)
- Test purpose / classification: Unit for evaluator, denominator, compare fixtures, render/redaction, and Claim Guard. Feature for supported scope, exact denominator, RBAC/scope, no restore/customer/tenant_id/mini-platform, and non-denominator exclusions. Browser only if rendered UI changes.
- Validation lane(s): fast-feedback for unit/feature; browser only if UI changes.
- Why this classification and these lanes are sufficient: Certification behavior is derived, deterministic, and DB-only. Browser proof is required only for rendered product-surface changes.
- New or expanded test families: Spec425 TenantConfiguration tests and optional browser smoke if UI changes.
- Fixture / helper cost impact: Add focused golden fixtures for Conditional Access and Security Defaults only; avoid broad workspace/provider default helpers.
- Heavy-family visibility / justification: none unless browser proof is triggered.
- Special surface test profile: technical-annex Coverage v2 surface if UI changes; otherwise N/A.
- Standard-native relief or required special coverage: ordinary service/feature coverage unless UI changes.
- Reviewer handoff: verify exact denominator, no broad claims, no restore/customer output, no raw payloads, stable identity, no
tenant_id, no Entra mini-platform, and narrow validation commands. - Budget / baseline / trend impact: none expected.
- Escalation needed: document-in-feature if a bounded UI no-impact decision is used; reject-or-split if restore/customer/full-Entra scope appears.
- Active feature PR close-out entry: Guardrail / Exception / Smoke Coverage.
- Planned validation commands:
cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agentcd apps/platform && ./vendor/bin/sail artisan test --compact <focused Spec425 unit tests>cd apps/platform && ./vendor/bin/sail artisan test --compact <focused Spec425 feature tests>cd apps/platform && ./vendor/bin/sail artisan test --compact <focused Spec425 browser test>if UI changesgit diff --check
User Scenarios & Testing (mandatory)
User Story 1 - Certify the Exact Entra Core Compare Denominator (Priority: P1)
As an internal release reviewer, I need one derived certification result for the exact Entra Core Compare Pack so I can safely approve only exact pack wording when both mandatory types meet evidence, identity, compare, render, redaction, and claim criteria.
Why this priority: This is the core certification gate and prevents false certification when either mandatory type fails.
Independent Test: A focused evaluator test can seed valid Conditional Access and Security Defaults evidence and prove the pack passes only when both mandatory types pass.
Acceptance Scenarios:
- Given both denominator types have content-backed evidence, stable identity, deterministic compare, safe render, redaction proof, and allowed exact internal wording, When the pack is evaluated, Then the pack returns
certification_passed. - Given either
conditionalAccessPolicyorsecurityDefaultsis missing, blocked, identity-unstable, non-renderable, or redaction-unsafe, When the pack is evaluated, Then the pack returns the matching blocker state and does not certify. - Given optional Entra types exist in the registry, When the pack denominator is evaluated, Then only
conditionalAccessPolicyandsecurityDefaultsare included.
User Story 2 - Block Unsafe Certification Claims (Priority: P1)
As a product/release reviewer, I need Claim Guard to allow only exact internal/operator pack wording and block broad Entra, M365, restore, customer-ready, legal/regulatory, and full-tenant proof wording.
Why this priority: Certification wording is the biggest risk in this spec.
Independent Test: Claim Guard tests can evaluate allowed and forbidden statements without UI or provider calls.
Acceptance Scenarios:
- Given the exact wording "Certified Entra Core Compare Pack: Conditional Access and Security Defaults", When Claim Guard evaluates it for internal/operator use and the evaluator has passed, Then the wording is allowed as internal/operator-only.
- Given "Certified Entra coverage", "100% Entra coverage", "Entra restore-ready", "Certified Microsoft 365 coverage", or "Customer-ready Entra proof", When Claim Guard evaluates the claim, Then the claim is blocked.
- Given exact pack wording without explicit denominator, When Claim Guard evaluates the claim, Then the claim is blocked or limited until the denominator is included.
User Story 3 - Preserve Safety Boundaries (Priority: P2)
As a platform reviewer, I need proof that certification does not introduce restore/apply behavior, customer output, raw payload display, tenant_id, remote calls, or an Entra-specific mini-platform.
Why this priority: The pack is high risk if certification creates hidden product or architecture expansion.
Independent Test: Feature/static tests can assert no restore/customer/tenant_id/mini-platform artifacts and no provider calls during evaluation.
Acceptance Scenarios:
- Given certification evaluation runs, When the evaluator executes, Then no Graph, TCM, provider, or remote call is made.
- Given runtime files are scanned, When Spec 425 changes are inspected, Then no
tenant_id, Entra-specific table family, restore/apply action, new route/navigation/dashboard, or customer output path is introduced. - Given render output is evaluated, When summaries are inspected, Then raw payload, raw Graph response, credentials, secrets, authorization headers, cookies, certificate material, private keys, and raw permission context are absent.
Edge Cases
- One denominator type has no current same-scope evidence for the evaluated workspace, managed environment, provider connection, and resource type.
- One denominator type has current same-scope evidence but
identity_stateis notstable. - One denominator type has evidence from the wrong workspace, managed environment, or provider connection.
- Evidence is stale, superseded, missing an expected anchor/currentness marker, or would require fallback to first/latest outside the explicit evaluation scope.
- Conditional Access compare detects only volatile changes.
- Conditional Access compare detects unsupported fields.
- Security Defaults
enabledchanges fromnullto a boolean. - Claim Guard exact pack wording is attempted before evaluator pass.
- A non-denominator Entra type is renderable but must remain non-certified.
- UI implementation becomes necessary after the initial no-new-surface plan.
Requirements (mandatory)
Functional Requirements
- FR-425-001: The system MUST define the canonical internal pack name
entra_core_compare_certified. - FR-425-002: The system MUST define the human label
Certified Entra Core Compare Pack. - FR-425-003: The certified denominator MUST be exactly
conditionalAccessPolicyandsecurityDefaults. - FR-425-004: The denominator MUST fail certification if either mandatory type is missing, blocked, incomplete, or downgraded to warning.
- FR-425-005: The pack MUST exclude
application,servicePrincipal,roleDefinition,administrativeUnit,authenticationMethodsPolicy,identityProtectionPolicy,authorizationPolicy,crossTenantAccessPolicy,accessReview, PIM resources, and all optional candidates. - FR-425-006: The evaluator MUST require append-only current same-scope content-backed evidence with
raw_payload,normalized_payload, deterministicpayload_hash, source class, source contract,captured_at, and operation run linkage where capture was operation-backed. - FR-425-007: The evaluator MUST require
identity_state = stable. - FR-425-008: The evaluator MUST block certification for
identity_conflict,missing_external_id,unsupported_identity, andderived. - FR-425-009: The evaluator MUST require deterministic typed compare support for both denominator types.
- FR-425-010: Conditional Access compare proof MUST cover policy state, included/excluded users/groups/roles, included/excluded apps/resources, conditions, grant controls, session controls, named locations when present, client app/device/platform conditions when present, volatile fields, and unsupported fields.
- FR-425-011: Security Defaults compare proof MUST cover enabled state, source identity, captured timestamp/evidence state, claim state, volatile fields, missing evidence, and identity blockers.
- FR-425-012: The evaluator MUST require operator-safe render summaries for both denominator types.
- FR-425-013: Render output MUST be understandable without default raw provider JSON.
- FR-425-014: Render/redaction output MUST hide tokens, secrets, password credential values, private keys, certificate material, authorization headers, cookies, raw payload, raw Graph response, raw permission context, and unredacted credentials.
- FR-425-015: Unsupported fields MUST remain diagnostics-only and MUST NOT silently produce certification.
- FR-425-016: Claim Guard MUST allow exact internal/operator certification wording only after the exact pack passes.
- FR-425-017: Claim Guard MUST block full Entra, 100 percent Entra, M365 certified, restore-ready, customer-ready proof, full tenant security proof, legal/regulatory attestation, and Review Pack/report output claims.
- FR-425-018: Any visible certified pack claim MUST include the exact denominator.
- FR-425-019: The supported scope
entra_core_compare_certifiedMUST be internal/operator-only by default and customer-claim disabled. - FR-425-020: The supported scope MUST use
required_minimum_coverage_level = certified. - FR-425-021: Because
securityDefaultsis currently Graph v1 fallback, any graph fallback allowance MUST be explicit, type-bounded tosecurityDefaults, and non-customer-claimable. - FR-425-022: Certification state SHOULD be derived from existing Coverage v2 truth. New persisted certification tables are forbidden.
- FR-425-023: No Graph, TCM, provider, Microsoft docs, or remote call may occur during certification evaluation.
- FR-425-024: Evaluation through any route, command, service, or UI path MUST enforce workspace, managed-environment, provider-connection, and capability scope.
- FR-425-025: No restore/apply action, restore readiness, customer output, Review Pack/report/export/PDF output, new dashboard, new primary navigation, or new Entra mini-platform may be introduced.
- FR-425-026: No Coverage v2 ownership field, new persistence path, compatibility alias, dual-write target, fallback reader, or parallel scope key may use
tenant_id. - FR-425-027: Implementation close-out MUST include candidate gate result, dirty state before/after, files changed, certified denominator, certification matrix, claim matrix, redaction proof, no-restore proof, no-customer-claim proof, no-tenant_id proof, no-mini-platform proof, Product Surface decision, tests run, and deferred work.
- FR-425-028: The supported scope metadata MUST include description,
workload = entra, exactresource_type_denominator,allow_beta = false, explicit graph fallback policy, claim label, andcustomer_claims_allowed = false. - FR-425-029: Derived certification state output MUST include or map to
certification_not_evaluated,certification_passed,certification_blocked_missing_evidence,certification_blocked_identity,certification_blocked_compare,certification_blocked_render,certification_blocked_redaction, andcertification_blocked_claim_guard. - FR-425-030: Certification evidence selection MUST NOT fallback to first/latest evidence outside the explicit workspace, managed-environment, provider-connection, resource-type, and currentness scope. Missing, stale, superseded, wrong-scope, or ambiguous evidence MUST block certification.
UI Action Matrix (mandatory when Filament is changed)
N/A. No new Filament Resource, RelationManager, Page, action, bulk action, destructive action, or global search behavior is planned. If implementation changes Filament/UI runtime files, this spec and plan must be amended before those edits.
Key Entities / Concepts (include if feature involves data)
- Certified pack: Derived internal/operator pack result for
entra_core_compare_certified. - Denominator: Exact two-resource set:
conditionalAccessPolicy,securityDefaults. - Certification evaluator: Derived DB-only evaluator that composes evidence, identity, compare, render, redaction, and claim criteria.
- Certification blocker: Derived reason such as missing evidence, identity blocked, compare blocked, render blocked, redaction blocked, or Claim Guard blocked.
- Supported scope: Existing Coverage v2 supported-scope mechanism carrying the pack key and denominator metadata.
Success Criteria (mandatory)
Measurable Outcomes
- SC-425-001: Focused tests prove the denominator contains exactly two resource types and fails when either is absent.
- SC-425-002: Focused tests prove certification passes only when both denominator types meet all evidence, identity, compare, render, redaction, and claim criteria.
- SC-425-003: Focused tests prove all forbidden broad, restore, M365, customer, and legal/regulatory claims are blocked.
- SC-425-004: Focused tests prove raw payloads and sensitive values are absent from render/claim output.
- SC-425-005: Focused feature/static tests prove no restore/apply, customer output,
tenant_id, Entra-specific table family, new route/navigation/dashboard, or mini-platform is introduced. - SC-425-006: Focused validation commands and
git diff --checkpass, or exact failures are documented.
Acceptance Criteria
- AC-425-001:
entra_core_compare_certifiedexists as an internal/operator supported scope or equivalent existing scope metadata. - AC-425-002: The certified denominator is exactly
conditionalAccessPolicyandsecurityDefaults. - AC-425-003: Certification passes only when both mandatory denominator types pass all required criteria.
- AC-425-004: Certification produces explicit blocker states and does not downgrade mandatory failures to warnings.
- AC-425-005: Claim Guard allows exact internal/operator pack wording only and blocks full Entra, M365, restore, customer-ready, and broad proof claims.
- AC-425-006: Raw payload, secrets, credential values, authorization headers, cookies, certificate/private-key material, and raw permission context are hidden.
- AC-425-007: Certification evaluation is DB-only and makes no provider/Graph/TCM calls.
- AC-425-008: No restore/apply, customer output, full Entra/M365 certification, new dashboard, new navigation, new route,
tenant_id, or Entra mini-platform is introduced. - AC-425-009: If UI changes are made, focused browser proof and Human Product Sanity pass.
Assumptions
- Current HEAD includes Spec 424 completion and its Security Defaults support.
- Conditional Access and Security Defaults evidence remains represented by existing Coverage v2 resource/evidence rows.
coverage_level = certifiedmay be derived for pack evaluation; resource evidence rows do not need to be mutated tocertifiedunless the implementation proves existing supported-scope evaluation already persists such summaries.allow_graph_fallback = truefor this pack is acceptable only becausesecurityDefaultsis explicitly listed, Graph v1-backed, non-beta, and internal/operator-only.- Existing fixtures or inline payloads from Specs 421 and 424 can be reused as the basis for golden fixtures.
Open Questions
None blocking. If implementation discovers that certification must be persisted, queued, customer-rendered, or restore-aware, stop and amend the spec before continuing.
Risks
| Risk | Severity | Mitigation |
|---|---|---|
| Certified compare misunderstood as restore-ready | High | Claim Guard, no-restore proof, visible no-restore wording if rendered |
| Certified pack misunderstood as full Entra coverage | High | Exact denominator required everywhere |
| Security Defaults regression reopens blocker | High | Mandatory denominator and missing-evidence tests |
| Raw/secrets leak through render | High | Redaction unit/feature tests |
| Certification becomes separate mini-platform | High | No Entra table family, no dashboard, no new route/navigation |
| Customer-facing claims sneak in | High | Claim Guard and no-customer-output tests |
tenant_id returns |
High | Static/schema tests and implementation report proof |
| Remote calls during evaluation | High | Fail-hard provider client tests |
Follow-Up Spec Candidates
- Spec 426 - Exchange/Teams Certified Compare Pack.
- Spec 427 - Security and Compliance Compare Pack.
- Spec 428 - M365 Customer Reporting Claim Guard Pack.
- Spec 429 - M365 Pilot Readiness Gate.
- Entra restore/apply.
- Full Entra certified coverage.
- Application/ServicePrincipal/RoleDefinition/AdministrativeUnit certification.
- Customer-facing Entra reports.
- Review Pack output.
- Management PDF output.
- M365-wide certification.
Required Implementation Report Matrices
Certification Matrix
| Resource Type | Evidence | Identity | Compare | Render | Redaction | Certified? | Blocker |
|---|---|---|---|---|---|---|---|
conditionalAccessPolicy |
|||||||
securityDefaults |
Claim Matrix
| Claim | Allowed? | Reason |
|---|---|---|
| Certified Entra Core Compare Pack: Conditional Access and Security Defaults | Yes, internal/operator only | Exact denominator |
| 100% Entra coverage | No | Broad overclaim |
| Entra restore-ready | No | Restore out of scope |
| Certified Microsoft 365 coverage | No | Broad overclaim |
| Customer-ready Entra proof | No | Customer output deferred |