TenantAtlas/specs/425-entra-certified-compare-pack/spec.md
ahmido 33e496c182 feat: complete spec 425 enta certified compare pack (#492)
Implements spec 425 with Entra certified compare pack support, coverage, guards, evaluator, fixtures, and tests.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #492
2026-07-01 23:27:16 +00:00

38 KiB

Feature Specification: Spec 425 - Entra Certified Compare Pack

Feature Branch: 425-entra-certified-compare-pack
Created: 2026-07-01
Status: Draft
Input: User-provided candidate: "Spec 425 - Entra Certified Compare Pack"

Selection And Preflight

  • Selected candidate: Certified Entra Core Compare Pack.
  • Source: Direct user-provided Spec 425 draft in the 2026-07-01 session.
  • Why selected: Spec 424 is merged at current HEAD (2cd51291 feat: complete spec 424 security defaults content-backed comparable support (#491)) and closes the direct securityDefaults blocker that Spec 421 deferred. This makes the exact two-type Entra denominator eligible for a certification-prep slice.
  • Close alternatives deferred: Exchange/Teams certified compare, Security and Compliance certified compare, customer reporting claim guard, pilot readiness, Entra restore/apply, Application, Service Principal, Role Definition, Administrative Unit, Review Pack output, and management PDF output all require separate denominators or customer/output risk decisions.
  • Completed-spec guardrail result: Specs 414, 415, 417, 418, 419, 420, 421, and 424 are completed dependency context only. Their close-out history, validation results, browser proof, and task completion markers must not be rewritten by this spec.
  • Current preflight evidence:
    • Spec 421 implementation report records Conditional Access as content-backed, comparable, renderable, redacted, browser-proven, no-restore, no-certification, and no-customer-claim.
    • Spec 424 implementation report records Security Defaults as content-backed, comparable, renderable, redacted, browser-proven, no-restore, no-certification, and no-customer-claim.
    • Current source shows conditionalAccessPolicy and securityDefaults in CoverageSourceContractResolver, CoverageIdentityStrategyRegistry, EntraComparablePayloadNormalizer, EntraCoverageComparator, EntraRenderableSummaryBuilder, and config/graph_contracts.php.
    • Current source shows no existing entra_core_compare_certified supported scope.
  • Hard implementation preflight: Before runtime code changes, implementation must re-check current source/tests and stop if either denominator item lacks content-backed evidence, stable identity, deterministic compare, operator-safe render, redaction proof, or Claim Guard safety.

Spec Candidate Check (mandatory - SPEC-GATE-001)

  • Problem: TenantPilot can internally prove Conditional Access and Security Defaults are comparable/renderable, but it cannot safely say the exact Entra core compare denominator is certified without stronger pack-level proof and claim controls.
  • Today's failure: Operators or release reviewers could over-read comparable/renderable support as full Entra coverage, Microsoft 365 coverage, restore readiness, customer-ready proof, or certification without denominator integrity.
  • User-visible improvement: Internal operators get one exact certification result for Conditional Access plus Security Defaults, with blocker reasons and Claim Guard protection that prevent broad or restore/customer claims.
  • Smallest enterprise-capable version: A DB-only, internal/operator-only certification evaluator and supported scope for exactly conditionalAccessPolicy and securityDefaults, with golden fixtures, tests, and no new customer output.
  • Explicit non-goals: No restore/apply, no full Entra certification, no Microsoft 365 certification, no customer claim activation, no new Entra dashboard, no new Entra table family, no Application/Service Principal/Role Definition/Administrative Unit certification, no v1 compatibility, no tenant_id.
  • Permanent complexity imported: One narrow derived certification evaluator or equivalent existing-scope evaluation, exact supported-scope metadata, focused fixture/test family, and Claim Guard exact wording rules. No new persisted table is allowed.
  • Why now: Spec 424 unblocked Security Defaults, leaving certification claim safety as the next P0 trust gate before later customer or pilot readiness work.
  • Why not local: Certification is a cross-resource pack claim. It cannot be safely represented by one row-level compare/render helper or ad hoc wording without denominator, evidence, identity, redaction, and claim guard checks.
  • Approval class: Core Enterprise.
  • Red flags triggered: New claim/status semantics and evaluator logic. Defense: they directly prevent unsafe certification, restore, customer, full-Entra, and M365 overclaims; scope is exactly two resource types and derived by default.
  • Score: Nutzen: 2 | Dringlichkeit: 2 | Scope: 2 | Komplexitaet: 1 | Produktnaehe: 2 | Wiederverwendung: 2 | Gesamt: 11/12
  • Decision: approve.

Spec Scope Fields (mandatory)

  • Scope: workspace + managed-environment scoped internal/operator evaluation over existing Coverage v2 evidence.
  • Primary Routes: Existing Coverage v2 readiness/operator surface only if implementation needs rendered certification display. No new route is planned.
  • Data Ownership: Environment-owned Coverage v2 resource/evidence rows remain scoped by workspace_id, managed_environment_id, and same-scope provider_connection_id.
  • RBAC: Non-member workspace or managed-environment access is 404. Member without view/evaluate capability is 403. No customer-facing route.

No Legacy / No Backward Compatibility Constraint (mandatory)

TenantPilot is pre-production unless this spec explicitly records a compatibility exception.

  • Compatibility posture: canonical extension of Coverage v2; no compatibility exception.
  • Legacy aliases, fallback readers, hidden routes, duplicate UI, old labels, or historical fixtures kept?: no.
  • Why clean replacement is safe now: This spec adds a new internal certified pack concept and does not migrate legacy data or customer-facing contracts.

UI Surface Impact (mandatory - UI-COV-001)

Does this spec add, remove, rename, or materially change any reachable UI surface?

  • No UI surface impact
  • Existing page changed
  • New page/route added
  • Navigation changed
  • Filament panel/provider surface changed
  • New modal/drawer/wizard/action added
  • New table/form/state added
  • Customer-facing surface changed
  • Dangerous action changed
  • Status/evidence/review presentation changed
  • Workspace/environment context presentation changed

Default planned impact is service/config/test-only with N/A - no rendered UI surface changed. If implementation discovers that rendered certification output is necessary, amend this spec, plan, and tasks before editing UI files, then limit impact to the existing Coverage v2 internal/operator readiness or inspect surface. No new route, navigation item, dashboard, action, report, download, Review Pack output, or customer-facing surface may be added.

UI/Productization Coverage (mandatory when UI Surface Impact is not "No UI surface impact")

  • Route/page/surface: N/A unless the active artifacts are amended for rendered UI changes; then existing Coverage v2 readiness/operator surface and inspect details only.
  • Current or new page archetype: Technical Annex / internal operator evidence inspection.
  • Design depth: Internal/Hidden, because this is internal/operator certification evidence and not a customer output surface.
  • Repo-truth level: repo-verified through Specs 418, 421, and 424.
  • Existing pattern reused: Existing Coverage v2 readiness read model and inspect surface.
  • New pattern required: none.
  • Screenshot required: only if runtime UI files change; otherwise no.
  • Page audit required: no, unless implementation adds a materially new surface contrary to this spec.
  • Customer-safe review required: yes as a negative proof only: no customer-facing output or customer-ready label may appear.
  • Dangerous-action review required: no destructive/high-impact action in scope.
  • Coverage files updated or explicitly not needed:
    • docs/ui-ux-enterprise-audit/route-inventory.md
    • docs/ui-ux-enterprise-audit/design-coverage-matrix.md
    • docs/ui-ux-enterprise-audit/page-reports/...
    • docs/ui-ux-enterprise-audit/strategic-surfaces.md
    • docs/ui-ux-enterprise-audit/grouped-follow-up-candidates.md
    • docs/ui-ux-enterprise-audit/unresolved-pages.md
    • N/A - no new reachable UI surface
  • No-impact rationale when applicable: Existing surface reuse is expected; no new page, route, navigation, customer output, or action is allowed.

Product Surface Impact (mandatory for UI-affecting specs)

Reference: docs/product/standards/product-surface-contract.md.

  • Product Surface Contract applies?: conditional. The active decision is N/A - no rendered UI surface changed; the contract fields below define the only allowed amendment path if UI changes become necessary.
  • Page archetype: Technical Annex.
  • Primary user question: Is the exact Entra Core Compare denominator certified for internal compare/render claims?
  • Primary action: Inspect blockers or evidence; read-only.
  • Surface budget result: pass if reused on existing Coverage v2 surface; no new page/action/route.
  • Technical Annex / deep-link demotion: Raw payload, raw Graph response, permission context, source endpoints, operation details, IDs, source keys, unsupported field internals, and raw compare values remain hidden, collapsed, or internal-only.
  • Canonical status vocabulary: Certification state may use derived internal blocker values. Product-facing labels, if rendered, must map to Ready, Blocked, Needs attention, or Unknown and must not expose Certified Entra without the exact denominator.
  • Visible complexity impact: neutral or decreased. The pack should reduce interpretation work by presenting one exact denominator and blocker set.
  • Product Surface exceptions: none.

Browser Verification Plan (mandatory)

  • Browser proof required?: yes if runtime UI files or rendered certification output change; no otherwise.
  • No-browser rationale: N/A - no rendered UI surface changed if implementation is service/config/test only.
  • Focused path when required: Existing Coverage v2 readiness/operator route with seeded workspace, managed environment, provider connection, Conditional Access evidence, and Security Defaults evidence.
  • Primary interaction to execute: Load the existing route as an authorized internal operator, inspect the certified pack state, verify exact denominator, blockers/no blockers, no restore-ready claim, no full Entra/M365 claim, internal/operator-only label, raw payload absence, and no console/Livewire/Filament errors.
  • Console, Livewire, Filament, network, and 500-error checks: planned if browser proof is required.
  • Full-suite failure triage: Unrelated failures must be documented separately if focused proof is green.

Human Product Sanity Check (mandatory)

  • Required?: yes if rendered UI changes; otherwise no.
  • No-human-sanity rationale: N/A - no rendered UI surface changed if service/config/test only.
  • Reviewer questions: Is the exact denominator visible? Is it impossible to confuse this with full Entra, M365, restore-ready, or customer-ready proof? Are raw/technical details demoted? Is there one read-only next action? Is visible complexity not worse?
  • Planned result location: implementation-report.

Product Surface Merge Gate Checklist (mandatory)

  • No-legacy posture or approved exception recorded.
  • Product Surface Impact is completed or N/A is justified.
  • Browser proof is completed or N/A - no rendered UI surface changed is justified.
  • Human Product Sanity is completed or not applicable with rationale.
  • Product Surface exceptions are documented or none.
  • Implementation report will state Livewire v4 compliance, provider registration location, global search posture, destructive/high-impact action posture, asset strategy, tests/browser result, deployment impact, and visible complexity outcome.

Cross-Cutting / Shared Pattern Reuse (mandatory)

  • Cross-cutting feature?: yes.
  • Interaction class(es): status messaging, evidence inspection, claim wording, redaction.
  • Systems touched: Coverage v2 resource/evidence/read model, supported scopes, Claim Guard, redactor, typed Entra compare/render helpers.
  • Existing pattern(s) to extend: SupportedScopeResolver, ClaimGuard, CoveragePayloadRedactor, CoverageV2ReadinessReadModel, EntraComparablePayloadNormalizer, EntraCoverageComparator, EntraRenderableSummaryBuilder.
  • Shared contract / presenter / builder / renderer to reuse: Existing Coverage v2 and Entra helper family. Do not create an Entra mini-platform.
  • Why the existing shared path is sufficient or insufficient: Existing paths already prove evidence, identity, compare, render, and claim safety for the two resource types. A narrow pack evaluator is needed only to compose the exact denominator and certification criteria.
  • Allowed deviation and why: A small derived EntraCertifiedComparePackEvaluator or equivalent existing-scope evaluator is allowed if existing classes do not already produce pack-level certification state.
  • Consistency impact: Claim and blocker wording must remain aligned with Coverage v2 states and Claim Guard.
  • Review focus: Prevent broad claims, restore implications, raw payload exposure, tenant_id, and Entra-specific table/platform drift.

OperationRun UX Impact (mandatory when touched)

  • Touches OperationRun start/completion/link UX?: no.
  • Shared OperationRun UX contract/layer reused: N/A.
  • Delegated start/completion UX behaviors: N/A.
  • Local surface-owned behavior that remains: N/A.
  • Queued DB-notification policy: N/A.
  • Terminal notification path: N/A.
  • Exception required?: none.

Certification evaluation is DB-only and must not create a new OperationRun. If implementation discovers that evaluation must become a batch job, stop and amend this spec before continuing.

Provider Boundary / Platform Core Check (mandatory when touched)

  • Shared provider/platform boundary touched?: yes.
  • Boundary classification: mixed. Resource identifiers and Graph/TCM source contracts are provider-owned; certification denominator, coverage level, claim guard, redaction, and workspace/environment/provider scope are platform-core Coverage v2 concerns.
  • Seams affected: supported scopes, resource-type registry metadata, evidence rows, identity strategy, typed Entra compare/render helpers, Claim Guard.
  • Neutral platform terms preserved or introduced: coverage, evidence, identity, claim, supported scope, resource type, managed environment, provider connection.
  • Provider-specific semantics retained and why: conditionalAccessPolicy and securityDefaults are the exact Microsoft Entra resource types in the denominator.
  • Why this does not deepen provider coupling accidentally: No provider-native tenant ID ownership, no new Entra table family, no Entra dashboard, no provider framework, no customer output, and no restore/apply support.
  • Follow-up path: Additional Entra resource types, Entra restore, customer reporting, and M365-wide certification require separate specs.

UI / Surface Guardrail Impact (mandatory when operator-facing surfaces are changed)

Surface / Change Operator-facing surface change? Native vs Custom Shared-Family Relevance State Layers Touched Exception Needed? Low-Impact / N/A Note
Existing Coverage v2 readiness / inspect surface conditional Existing Filament/Coverage v2 surface status/evidence/claim display read model, inspect details no Browser proof only if rendered UI files change

Decision-First Surface Role (mandatory when operator-facing surfaces are changed)

Surface Decision Role Human-in-the-loop Moment Immediately Visible for First Decision On-Demand Detail / Evidence Why This Is Primary or Why Not Workflow Alignment Attention-load Reduction
Existing Coverage v2 readiness / inspect surface Tertiary Evidence / Diagnostics Surface Release reviewer verifies a certification claim is safe Pack state, exact denominator, blocker summary, no-restore/customer scope source contract, evidence hash, unsupported/redacted fields Not primary; supports internal proof review Extends Coverage v2 technical annex One pack result replaces manual row-by-row inference

Audience-Aware Disclosure (mandatory when operator-facing surfaces are changed)

Surface Audience Modes In Scope Decision-First Default-Visible Content Operator Diagnostics Support / Raw Evidence One Dominant Next Action Hidden / Gated By Default Duplicate-Truth Prevention
Existing Coverage v2 readiness / inspect surface operator-MSP, support-platform Certified pack state, exact denominator, blocker/no blocker, no-restore warning evidence/identity/claim state, source contract, redaction result raw payload, raw Graph response, permission context, source endpoints Inspect blockers raw payload and provider diagnostics Certification claim appears once with denominator

UI/UX Surface Classification (mandatory when operator-facing surfaces are changed)

Surface Action Surface Class Surface Type Likely Next Operator Action Primary Inspect/Open Model Row Click Secondary Actions Placement Destructive Actions Placement Canonical Collection Route Canonical Detail Route Scope Signals Canonical Noun Critical Truth Visible by Default Exception Type / Justification
Existing Coverage v2 readiness / inspect surface List / Table / Detail Technical Annex Inspect blockers Existing inspect affordance existing behavior Existing details/technical disclosure none existing Coverage v2 route existing inspect/modal workspace + managed environment Certified Entra Core Compare Pack exact denominator and blocker state none

Operator Surface Contract (mandatory when operator-facing surfaces are changed)

Surface Primary Persona Decision / Operator Action Supported Surface Type Primary Operator Question Default-visible Information Diagnostics-only Information Status Dimensions Used Mutation Scope Primary Actions Dangerous Actions
Existing Coverage v2 readiness / inspect surface internal operator / release reviewer Decide whether internal certified pack wording is safe Technical Annex Is the exact pack certified for compare/render? pack state, denominator, blockers, internal-only/no-restore labels raw payload, source metadata, OperationRun links, permission context certification, evidence, identity, compare, render, redaction, claim read-only Inspect blockers none

Proportionality Review (mandatory when structural complexity is introduced)

  • New source of truth?: no. Certification is derived from existing Coverage v2 evidence, identity, compare, render, redaction, supported scope, and Claim Guard truth.
  • New persisted entity/table/artifact?: no.
  • New abstraction?: yes, if implementation adds a narrow pack evaluator service or value object.
  • New enum/state/reason family?: derived blocker states may be introduced as service-local values. Do not add a persisted enum/status family unless the spec is amended.
  • New cross-domain UI framework/taxonomy?: no.
  • Current operator problem: Release reviewers need a safe internal certification claim for the exact Entra denominator without overclaiming restore, customer proof, or full workload coverage.
  • Existing structure is insufficient because: Row-level compare/render helpers do not prove denominator integrity, exact pack success/failure, or claim wording safety across both mandatory resource types.
  • Narrowest correct implementation: One exact pack definition plus derived evaluator and tests; reuse existing Coverage v2/Claim Guard/redaction helpers; no persistence and no new UI framework.
  • Ownership cost: Focused evaluator, fixtures, and tests must be maintained when either denominator type changes.
  • Alternative intentionally rejected: Marking each resource type certified independently without a pack evaluator; that would allow one denominator item to fail silently or claims to overreach.
  • Release truth: Current-release internal/operator certification proof only.

Compatibility posture

This feature assumes a pre-production environment. Backward compatibility, legacy aliases, migration shims, historical fixtures, and compatibility-specific tests are out of scope.

Testing / Lane / Runtime Impact (mandatory for runtime behavior changes)

  • Test purpose / classification: Unit for evaluator, denominator, compare fixtures, render/redaction, and Claim Guard. Feature for supported scope, exact denominator, RBAC/scope, no restore/customer/tenant_id/mini-platform, and non-denominator exclusions. Browser only if rendered UI changes.
  • Validation lane(s): fast-feedback for unit/feature; browser only if UI changes.
  • Why this classification and these lanes are sufficient: Certification behavior is derived, deterministic, and DB-only. Browser proof is required only for rendered product-surface changes.
  • New or expanded test families: Spec425 TenantConfiguration tests and optional browser smoke if UI changes.
  • Fixture / helper cost impact: Add focused golden fixtures for Conditional Access and Security Defaults only; avoid broad workspace/provider default helpers.
  • Heavy-family visibility / justification: none unless browser proof is triggered.
  • Special surface test profile: technical-annex Coverage v2 surface if UI changes; otherwise N/A.
  • Standard-native relief or required special coverage: ordinary service/feature coverage unless UI changes.
  • Reviewer handoff: verify exact denominator, no broad claims, no restore/customer output, no raw payloads, stable identity, no tenant_id, no Entra mini-platform, and narrow validation commands.
  • Budget / baseline / trend impact: none expected.
  • Escalation needed: document-in-feature if a bounded UI no-impact decision is used; reject-or-split if restore/customer/full-Entra scope appears.
  • Active feature PR close-out entry: Guardrail / Exception / Smoke Coverage.
  • Planned validation commands:
    • cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent
    • cd apps/platform && ./vendor/bin/sail artisan test --compact <focused Spec425 unit tests>
    • cd apps/platform && ./vendor/bin/sail artisan test --compact <focused Spec425 feature tests>
    • cd apps/platform && ./vendor/bin/sail artisan test --compact <focused Spec425 browser test> if UI changes
    • git diff --check

User Scenarios & Testing (mandatory)

User Story 1 - Certify the Exact Entra Core Compare Denominator (Priority: P1)

As an internal release reviewer, I need one derived certification result for the exact Entra Core Compare Pack so I can safely approve only exact pack wording when both mandatory types meet evidence, identity, compare, render, redaction, and claim criteria.

Why this priority: This is the core certification gate and prevents false certification when either mandatory type fails.

Independent Test: A focused evaluator test can seed valid Conditional Access and Security Defaults evidence and prove the pack passes only when both mandatory types pass.

Acceptance Scenarios:

  1. Given both denominator types have content-backed evidence, stable identity, deterministic compare, safe render, redaction proof, and allowed exact internal wording, When the pack is evaluated, Then the pack returns certification_passed.
  2. Given either conditionalAccessPolicy or securityDefaults is missing, blocked, identity-unstable, non-renderable, or redaction-unsafe, When the pack is evaluated, Then the pack returns the matching blocker state and does not certify.
  3. Given optional Entra types exist in the registry, When the pack denominator is evaluated, Then only conditionalAccessPolicy and securityDefaults are included.

User Story 2 - Block Unsafe Certification Claims (Priority: P1)

As a product/release reviewer, I need Claim Guard to allow only exact internal/operator pack wording and block broad Entra, M365, restore, customer-ready, legal/regulatory, and full-tenant proof wording.

Why this priority: Certification wording is the biggest risk in this spec.

Independent Test: Claim Guard tests can evaluate allowed and forbidden statements without UI or provider calls.

Acceptance Scenarios:

  1. Given the exact wording "Certified Entra Core Compare Pack: Conditional Access and Security Defaults", When Claim Guard evaluates it for internal/operator use and the evaluator has passed, Then the wording is allowed as internal/operator-only.
  2. Given "Certified Entra coverage", "100% Entra coverage", "Entra restore-ready", "Certified Microsoft 365 coverage", or "Customer-ready Entra proof", When Claim Guard evaluates the claim, Then the claim is blocked.
  3. Given exact pack wording without explicit denominator, When Claim Guard evaluates the claim, Then the claim is blocked or limited until the denominator is included.

User Story 3 - Preserve Safety Boundaries (Priority: P2)

As a platform reviewer, I need proof that certification does not introduce restore/apply behavior, customer output, raw payload display, tenant_id, remote calls, or an Entra-specific mini-platform.

Why this priority: The pack is high risk if certification creates hidden product or architecture expansion.

Independent Test: Feature/static tests can assert no restore/customer/tenant_id/mini-platform artifacts and no provider calls during evaluation.

Acceptance Scenarios:

  1. Given certification evaluation runs, When the evaluator executes, Then no Graph, TCM, provider, or remote call is made.
  2. Given runtime files are scanned, When Spec 425 changes are inspected, Then no tenant_id, Entra-specific table family, restore/apply action, new route/navigation/dashboard, or customer output path is introduced.
  3. Given render output is evaluated, When summaries are inspected, Then raw payload, raw Graph response, credentials, secrets, authorization headers, cookies, certificate material, private keys, and raw permission context are absent.

Edge Cases

  • One denominator type has no current same-scope evidence for the evaluated workspace, managed environment, provider connection, and resource type.
  • One denominator type has current same-scope evidence but identity_state is not stable.
  • One denominator type has evidence from the wrong workspace, managed environment, or provider connection.
  • Evidence is stale, superseded, missing an expected anchor/currentness marker, or would require fallback to first/latest outside the explicit evaluation scope.
  • Conditional Access compare detects only volatile changes.
  • Conditional Access compare detects unsupported fields.
  • Security Defaults enabled changes from null to a boolean.
  • Claim Guard exact pack wording is attempted before evaluator pass.
  • A non-denominator Entra type is renderable but must remain non-certified.
  • UI implementation becomes necessary after the initial no-new-surface plan.

Requirements (mandatory)

Functional Requirements

  • FR-425-001: The system MUST define the canonical internal pack name entra_core_compare_certified.
  • FR-425-002: The system MUST define the human label Certified Entra Core Compare Pack.
  • FR-425-003: The certified denominator MUST be exactly conditionalAccessPolicy and securityDefaults.
  • FR-425-004: The denominator MUST fail certification if either mandatory type is missing, blocked, incomplete, or downgraded to warning.
  • FR-425-005: The pack MUST exclude application, servicePrincipal, roleDefinition, administrativeUnit, authenticationMethodsPolicy, identityProtectionPolicy, authorizationPolicy, crossTenantAccessPolicy, accessReview, PIM resources, and all optional candidates.
  • FR-425-006: The evaluator MUST require append-only current same-scope content-backed evidence with raw_payload, normalized_payload, deterministic payload_hash, source class, source contract, captured_at, and operation run linkage where capture was operation-backed.
  • FR-425-007: The evaluator MUST require identity_state = stable.
  • FR-425-008: The evaluator MUST block certification for identity_conflict, missing_external_id, unsupported_identity, and derived.
  • FR-425-009: The evaluator MUST require deterministic typed compare support for both denominator types.
  • FR-425-010: Conditional Access compare proof MUST cover policy state, included/excluded users/groups/roles, included/excluded apps/resources, conditions, grant controls, session controls, named locations when present, client app/device/platform conditions when present, volatile fields, and unsupported fields.
  • FR-425-011: Security Defaults compare proof MUST cover enabled state, source identity, captured timestamp/evidence state, claim state, volatile fields, missing evidence, and identity blockers.
  • FR-425-012: The evaluator MUST require operator-safe render summaries for both denominator types.
  • FR-425-013: Render output MUST be understandable without default raw provider JSON.
  • FR-425-014: Render/redaction output MUST hide tokens, secrets, password credential values, private keys, certificate material, authorization headers, cookies, raw payload, raw Graph response, raw permission context, and unredacted credentials.
  • FR-425-015: Unsupported fields MUST remain diagnostics-only and MUST NOT silently produce certification.
  • FR-425-016: Claim Guard MUST allow exact internal/operator certification wording only after the exact pack passes.
  • FR-425-017: Claim Guard MUST block full Entra, 100 percent Entra, M365 certified, restore-ready, customer-ready proof, full tenant security proof, legal/regulatory attestation, and Review Pack/report output claims.
  • FR-425-018: Any visible certified pack claim MUST include the exact denominator.
  • FR-425-019: The supported scope entra_core_compare_certified MUST be internal/operator-only by default and customer-claim disabled.
  • FR-425-020: The supported scope MUST use required_minimum_coverage_level = certified.
  • FR-425-021: Because securityDefaults is currently Graph v1 fallback, any graph fallback allowance MUST be explicit, type-bounded to securityDefaults, and non-customer-claimable.
  • FR-425-022: Certification state SHOULD be derived from existing Coverage v2 truth. New persisted certification tables are forbidden.
  • FR-425-023: No Graph, TCM, provider, Microsoft docs, or remote call may occur during certification evaluation.
  • FR-425-024: Evaluation through any route, command, service, or UI path MUST enforce workspace, managed-environment, provider-connection, and capability scope.
  • FR-425-025: No restore/apply action, restore readiness, customer output, Review Pack/report/export/PDF output, new dashboard, new primary navigation, or new Entra mini-platform may be introduced.
  • FR-425-026: No Coverage v2 ownership field, new persistence path, compatibility alias, dual-write target, fallback reader, or parallel scope key may use tenant_id.
  • FR-425-027: Implementation close-out MUST include candidate gate result, dirty state before/after, files changed, certified denominator, certification matrix, claim matrix, redaction proof, no-restore proof, no-customer-claim proof, no-tenant_id proof, no-mini-platform proof, Product Surface decision, tests run, and deferred work.
  • FR-425-028: The supported scope metadata MUST include description, workload = entra, exact resource_type_denominator, allow_beta = false, explicit graph fallback policy, claim label, and customer_claims_allowed = false.
  • FR-425-029: Derived certification state output MUST include or map to certification_not_evaluated, certification_passed, certification_blocked_missing_evidence, certification_blocked_identity, certification_blocked_compare, certification_blocked_render, certification_blocked_redaction, and certification_blocked_claim_guard.
  • FR-425-030: Certification evidence selection MUST NOT fallback to first/latest evidence outside the explicit workspace, managed-environment, provider-connection, resource-type, and currentness scope. Missing, stale, superseded, wrong-scope, or ambiguous evidence MUST block certification.

UI Action Matrix (mandatory when Filament is changed)

N/A. No new Filament Resource, RelationManager, Page, action, bulk action, destructive action, or global search behavior is planned. If implementation changes Filament/UI runtime files, this spec and plan must be amended before those edits.

Key Entities / Concepts (include if feature involves data)

  • Certified pack: Derived internal/operator pack result for entra_core_compare_certified.
  • Denominator: Exact two-resource set: conditionalAccessPolicy, securityDefaults.
  • Certification evaluator: Derived DB-only evaluator that composes evidence, identity, compare, render, redaction, and claim criteria.
  • Certification blocker: Derived reason such as missing evidence, identity blocked, compare blocked, render blocked, redaction blocked, or Claim Guard blocked.
  • Supported scope: Existing Coverage v2 supported-scope mechanism carrying the pack key and denominator metadata.

Success Criteria (mandatory)

Measurable Outcomes

  • SC-425-001: Focused tests prove the denominator contains exactly two resource types and fails when either is absent.
  • SC-425-002: Focused tests prove certification passes only when both denominator types meet all evidence, identity, compare, render, redaction, and claim criteria.
  • SC-425-003: Focused tests prove all forbidden broad, restore, M365, customer, and legal/regulatory claims are blocked.
  • SC-425-004: Focused tests prove raw payloads and sensitive values are absent from render/claim output.
  • SC-425-005: Focused feature/static tests prove no restore/apply, customer output, tenant_id, Entra-specific table family, new route/navigation/dashboard, or mini-platform is introduced.
  • SC-425-006: Focused validation commands and git diff --check pass, or exact failures are documented.

Acceptance Criteria

  • AC-425-001: entra_core_compare_certified exists as an internal/operator supported scope or equivalent existing scope metadata.
  • AC-425-002: The certified denominator is exactly conditionalAccessPolicy and securityDefaults.
  • AC-425-003: Certification passes only when both mandatory denominator types pass all required criteria.
  • AC-425-004: Certification produces explicit blocker states and does not downgrade mandatory failures to warnings.
  • AC-425-005: Claim Guard allows exact internal/operator pack wording only and blocks full Entra, M365, restore, customer-ready, and broad proof claims.
  • AC-425-006: Raw payload, secrets, credential values, authorization headers, cookies, certificate/private-key material, and raw permission context are hidden.
  • AC-425-007: Certification evaluation is DB-only and makes no provider/Graph/TCM calls.
  • AC-425-008: No restore/apply, customer output, full Entra/M365 certification, new dashboard, new navigation, new route, tenant_id, or Entra mini-platform is introduced.
  • AC-425-009: If UI changes are made, focused browser proof and Human Product Sanity pass.

Assumptions

  • Current HEAD includes Spec 424 completion and its Security Defaults support.
  • Conditional Access and Security Defaults evidence remains represented by existing Coverage v2 resource/evidence rows.
  • coverage_level = certified may be derived for pack evaluation; resource evidence rows do not need to be mutated to certified unless the implementation proves existing supported-scope evaluation already persists such summaries.
  • allow_graph_fallback = true for this pack is acceptable only because securityDefaults is explicitly listed, Graph v1-backed, non-beta, and internal/operator-only.
  • Existing fixtures or inline payloads from Specs 421 and 424 can be reused as the basis for golden fixtures.

Open Questions

None blocking. If implementation discovers that certification must be persisted, queued, customer-rendered, or restore-aware, stop and amend the spec before continuing.

Risks

Risk Severity Mitigation
Certified compare misunderstood as restore-ready High Claim Guard, no-restore proof, visible no-restore wording if rendered
Certified pack misunderstood as full Entra coverage High Exact denominator required everywhere
Security Defaults regression reopens blocker High Mandatory denominator and missing-evidence tests
Raw/secrets leak through render High Redaction unit/feature tests
Certification becomes separate mini-platform High No Entra table family, no dashboard, no new route/navigation
Customer-facing claims sneak in High Claim Guard and no-customer-output tests
tenant_id returns High Static/schema tests and implementation report proof
Remote calls during evaluation High Fail-hard provider client tests

Follow-Up Spec Candidates

  • Spec 426 - Exchange/Teams Certified Compare Pack.
  • Spec 427 - Security and Compliance Compare Pack.
  • Spec 428 - M365 Customer Reporting Claim Guard Pack.
  • Spec 429 - M365 Pilot Readiness Gate.
  • Entra restore/apply.
  • Full Entra certified coverage.
  • Application/ServicePrincipal/RoleDefinition/AdministrativeUnit certification.
  • Customer-facing Entra reports.
  • Review Pack output.
  • Management PDF output.
  • M365-wide certification.

Required Implementation Report Matrices

Certification Matrix

Resource Type Evidence Identity Compare Render Redaction Certified? Blocker
conditionalAccessPolicy
securityDefaults

Claim Matrix

Claim Allowed? Reason
Certified Entra Core Compare Pack: Conditional Access and Security Defaults Yes, internal/operator only Exact denominator
100% Entra coverage No Broad overclaim
Entra restore-ready No Restore out of scope
Certified Microsoft 365 coverage No Broad overclaim
Customer-ready Entra proof No Customer output deferred