TenantAtlas/specs/425-entra-certified-compare-pack/spec.md
ahmido 33e496c182 feat: complete spec 425 enta certified compare pack (#492)
Implements spec 425 with Entra certified compare pack support, coverage, guards, evaluator, fixtures, and tests.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #492
2026-07-01 23:27:16 +00:00

422 lines
38 KiB
Markdown

# Feature Specification: Spec 425 - Entra Certified Compare Pack
**Feature Branch**: `425-entra-certified-compare-pack`
**Created**: 2026-07-01
**Status**: Draft
**Input**: User-provided candidate: "Spec 425 - Entra Certified Compare Pack"
## Selection And Preflight
- **Selected candidate**: Certified Entra Core Compare Pack.
- **Source**: Direct user-provided Spec 425 draft in the 2026-07-01 session.
- **Why selected**: Spec 424 is merged at current HEAD (`2cd51291 feat: complete spec 424 security defaults content-backed comparable support (#491)`) and closes the direct `securityDefaults` blocker that Spec 421 deferred. This makes the exact two-type Entra denominator eligible for a certification-prep slice.
- **Close alternatives deferred**: Exchange/Teams certified compare, Security and Compliance certified compare, customer reporting claim guard, pilot readiness, Entra restore/apply, Application, Service Principal, Role Definition, Administrative Unit, Review Pack output, and management PDF output all require separate denominators or customer/output risk decisions.
- **Completed-spec guardrail result**: Specs 414, 415, 417, 418, 419, 420, 421, and 424 are completed dependency context only. Their close-out history, validation results, browser proof, and task completion markers must not be rewritten by this spec.
- **Current preflight evidence**:
- Spec 421 implementation report records Conditional Access as content-backed, comparable, renderable, redacted, browser-proven, no-restore, no-certification, and no-customer-claim.
- Spec 424 implementation report records Security Defaults as content-backed, comparable, renderable, redacted, browser-proven, no-restore, no-certification, and no-customer-claim.
- Current source shows `conditionalAccessPolicy` and `securityDefaults` in `CoverageSourceContractResolver`, `CoverageIdentityStrategyRegistry`, `EntraComparablePayloadNormalizer`, `EntraCoverageComparator`, `EntraRenderableSummaryBuilder`, and `config/graph_contracts.php`.
- Current source shows no existing `entra_core_compare_certified` supported scope.
- **Hard implementation preflight**: Before runtime code changes, implementation must re-check current source/tests and stop if either denominator item lacks content-backed evidence, stable identity, deterministic compare, operator-safe render, redaction proof, or Claim Guard safety.
## Spec Candidate Check *(mandatory - SPEC-GATE-001)*
- **Problem**: TenantPilot can internally prove Conditional Access and Security Defaults are comparable/renderable, but it cannot safely say the exact Entra core compare denominator is certified without stronger pack-level proof and claim controls.
- **Today's failure**: Operators or release reviewers could over-read comparable/renderable support as full Entra coverage, Microsoft 365 coverage, restore readiness, customer-ready proof, or certification without denominator integrity.
- **User-visible improvement**: Internal operators get one exact certification result for Conditional Access plus Security Defaults, with blocker reasons and Claim Guard protection that prevent broad or restore/customer claims.
- **Smallest enterprise-capable version**: A DB-only, internal/operator-only certification evaluator and supported scope for exactly `conditionalAccessPolicy` and `securityDefaults`, with golden fixtures, tests, and no new customer output.
- **Explicit non-goals**: No restore/apply, no full Entra certification, no Microsoft 365 certification, no customer claim activation, no new Entra dashboard, no new Entra table family, no Application/Service Principal/Role Definition/Administrative Unit certification, no v1 compatibility, no `tenant_id`.
- **Permanent complexity imported**: One narrow derived certification evaluator or equivalent existing-scope evaluation, exact supported-scope metadata, focused fixture/test family, and Claim Guard exact wording rules. No new persisted table is allowed.
- **Why now**: Spec 424 unblocked Security Defaults, leaving certification claim safety as the next P0 trust gate before later customer or pilot readiness work.
- **Why not local**: Certification is a cross-resource pack claim. It cannot be safely represented by one row-level compare/render helper or ad hoc wording without denominator, evidence, identity, redaction, and claim guard checks.
- **Approval class**: Core Enterprise.
- **Red flags triggered**: New claim/status semantics and evaluator logic. Defense: they directly prevent unsafe certification, restore, customer, full-Entra, and M365 overclaims; scope is exactly two resource types and derived by default.
- **Score**: Nutzen: 2 | Dringlichkeit: 2 | Scope: 2 | Komplexitaet: 1 | Produktnaehe: 2 | Wiederverwendung: 2 | **Gesamt: 11/12**
- **Decision**: approve.
## Spec Scope Fields *(mandatory)*
- **Scope**: workspace + managed-environment scoped internal/operator evaluation over existing Coverage v2 evidence.
- **Primary Routes**: Existing Coverage v2 readiness/operator surface only if implementation needs rendered certification display. No new route is planned.
- **Data Ownership**: Environment-owned Coverage v2 resource/evidence rows remain scoped by `workspace_id`, `managed_environment_id`, and same-scope `provider_connection_id`.
- **RBAC**: Non-member workspace or managed-environment access is 404. Member without view/evaluate capability is 403. No customer-facing route.
## No Legacy / No Backward Compatibility Constraint *(mandatory)*
TenantPilot is pre-production unless this spec explicitly records a compatibility exception.
- **Compatibility posture**: canonical extension of Coverage v2; no compatibility exception.
- **Legacy aliases, fallback readers, hidden routes, duplicate UI, old labels, or historical fixtures kept?**: no.
- **Why clean replacement is safe now**: This spec adds a new internal certified pack concept and does not migrate legacy data or customer-facing contracts.
## UI Surface Impact *(mandatory - UI-COV-001)*
Does this spec add, remove, rename, or materially change any reachable UI surface?
- [x] No UI surface impact
- [ ] Existing page changed
- [ ] New page/route added
- [ ] Navigation changed
- [ ] Filament panel/provider surface changed
- [ ] New modal/drawer/wizard/action added
- [ ] New table/form/state added
- [ ] Customer-facing surface changed
- [ ] Dangerous action changed
- [ ] Status/evidence/review presentation changed
- [ ] Workspace/environment context presentation changed
Default planned impact is service/config/test-only with `N/A - no rendered UI surface changed`. If implementation discovers that rendered certification output is necessary, amend this spec, plan, and tasks before editing UI files, then limit impact to the existing Coverage v2 internal/operator readiness or inspect surface. No new route, navigation item, dashboard, action, report, download, Review Pack output, or customer-facing surface may be added.
## UI/Productization Coverage *(mandatory when UI Surface Impact is not "No UI surface impact")*
- **Route/page/surface**: N/A unless the active artifacts are amended for rendered UI changes; then existing Coverage v2 readiness/operator surface and inspect details only.
- **Current or new page archetype**: Technical Annex / internal operator evidence inspection.
- **Design depth**: Internal/Hidden, because this is internal/operator certification evidence and not a customer output surface.
- **Repo-truth level**: repo-verified through Specs 418, 421, and 424.
- **Existing pattern reused**: Existing Coverage v2 readiness read model and inspect surface.
- **New pattern required**: none.
- **Screenshot required**: only if runtime UI files change; otherwise no.
- **Page audit required**: no, unless implementation adds a materially new surface contrary to this spec.
- **Customer-safe review required**: yes as a negative proof only: no customer-facing output or customer-ready label may appear.
- **Dangerous-action review required**: no destructive/high-impact action in scope.
- **Coverage files updated or explicitly not needed**:
- [ ] `docs/ui-ux-enterprise-audit/route-inventory.md`
- [ ] `docs/ui-ux-enterprise-audit/design-coverage-matrix.md`
- [ ] `docs/ui-ux-enterprise-audit/page-reports/...`
- [ ] `docs/ui-ux-enterprise-audit/strategic-surfaces.md`
- [ ] `docs/ui-ux-enterprise-audit/grouped-follow-up-candidates.md`
- [ ] `docs/ui-ux-enterprise-audit/unresolved-pages.md`
- [x] `N/A - no new reachable UI surface`
- **No-impact rationale when applicable**: Existing surface reuse is expected; no new page, route, navigation, customer output, or action is allowed.
## Product Surface Impact *(mandatory for UI-affecting specs)*
Reference: `docs/product/standards/product-surface-contract.md`.
- **Product Surface Contract applies?**: conditional. The active decision is `N/A - no rendered UI surface changed`; the contract fields below define the only allowed amendment path if UI changes become necessary.
- **Page archetype**: Technical Annex.
- **Primary user question**: Is the exact Entra Core Compare denominator certified for internal compare/render claims?
- **Primary action**: Inspect blockers or evidence; read-only.
- **Surface budget result**: pass if reused on existing Coverage v2 surface; no new page/action/route.
- **Technical Annex / deep-link demotion**: Raw payload, raw Graph response, permission context, source endpoints, operation details, IDs, source keys, unsupported field internals, and raw compare values remain hidden, collapsed, or internal-only.
- **Canonical status vocabulary**: Certification state may use derived internal blocker values. Product-facing labels, if rendered, must map to `Ready`, `Blocked`, `Needs attention`, or `Unknown` and must not expose `Certified Entra` without the exact denominator.
- **Visible complexity impact**: neutral or decreased. The pack should reduce interpretation work by presenting one exact denominator and blocker set.
- **Product Surface exceptions**: none.
## Browser Verification Plan *(mandatory)*
- **Browser proof required?**: yes if runtime UI files or rendered certification output change; no otherwise.
- **No-browser rationale**: `N/A - no rendered UI surface changed` if implementation is service/config/test only.
- **Focused path when required**: Existing Coverage v2 readiness/operator route with seeded workspace, managed environment, provider connection, Conditional Access evidence, and Security Defaults evidence.
- **Primary interaction to execute**: Load the existing route as an authorized internal operator, inspect the certified pack state, verify exact denominator, blockers/no blockers, no restore-ready claim, no full Entra/M365 claim, internal/operator-only label, raw payload absence, and no console/Livewire/Filament errors.
- **Console, Livewire, Filament, network, and 500-error checks**: planned if browser proof is required.
- **Full-suite failure triage**: Unrelated failures must be documented separately if focused proof is green.
## Human Product Sanity Check *(mandatory)*
- **Required?**: yes if rendered UI changes; otherwise no.
- **No-human-sanity rationale**: `N/A - no rendered UI surface changed` if service/config/test only.
- **Reviewer questions**: Is the exact denominator visible? Is it impossible to confuse this with full Entra, M365, restore-ready, or customer-ready proof? Are raw/technical details demoted? Is there one read-only next action? Is visible complexity not worse?
- **Planned result location**: implementation-report.
## Product Surface Merge Gate Checklist *(mandatory)*
- [x] No-legacy posture or approved exception recorded.
- [x] Product Surface Impact is completed or `N/A` is justified.
- [x] Browser proof is completed or `N/A - no rendered UI surface changed` is justified.
- [x] Human Product Sanity is completed or not applicable with rationale.
- [x] Product Surface exceptions are documented or `none`.
- [x] Implementation report will state Livewire v4 compliance, provider registration location, global search posture, destructive/high-impact action posture, asset strategy, tests/browser result, deployment impact, and visible complexity outcome.
## Cross-Cutting / Shared Pattern Reuse *(mandatory)*
- **Cross-cutting feature?**: yes.
- **Interaction class(es)**: status messaging, evidence inspection, claim wording, redaction.
- **Systems touched**: Coverage v2 resource/evidence/read model, supported scopes, Claim Guard, redactor, typed Entra compare/render helpers.
- **Existing pattern(s) to extend**: `SupportedScopeResolver`, `ClaimGuard`, `CoveragePayloadRedactor`, `CoverageV2ReadinessReadModel`, `EntraComparablePayloadNormalizer`, `EntraCoverageComparator`, `EntraRenderableSummaryBuilder`.
- **Shared contract / presenter / builder / renderer to reuse**: Existing Coverage v2 and Entra helper family. Do not create an Entra mini-platform.
- **Why the existing shared path is sufficient or insufficient**: Existing paths already prove evidence, identity, compare, render, and claim safety for the two resource types. A narrow pack evaluator is needed only to compose the exact denominator and certification criteria.
- **Allowed deviation and why**: A small derived `EntraCertifiedComparePackEvaluator` or equivalent existing-scope evaluator is allowed if existing classes do not already produce pack-level certification state.
- **Consistency impact**: Claim and blocker wording must remain aligned with Coverage v2 states and Claim Guard.
- **Review focus**: Prevent broad claims, restore implications, raw payload exposure, `tenant_id`, and Entra-specific table/platform drift.
## OperationRun UX Impact *(mandatory when touched)*
- **Touches OperationRun start/completion/link UX?**: no.
- **Shared OperationRun UX contract/layer reused**: N/A.
- **Delegated start/completion UX behaviors**: N/A.
- **Local surface-owned behavior that remains**: N/A.
- **Queued DB-notification policy**: N/A.
- **Terminal notification path**: N/A.
- **Exception required?**: none.
Certification evaluation is DB-only and must not create a new `OperationRun`. If implementation discovers that evaluation must become a batch job, stop and amend this spec before continuing.
## Provider Boundary / Platform Core Check *(mandatory when touched)*
- **Shared provider/platform boundary touched?**: yes.
- **Boundary classification**: mixed. Resource identifiers and Graph/TCM source contracts are provider-owned; certification denominator, coverage level, claim guard, redaction, and workspace/environment/provider scope are platform-core Coverage v2 concerns.
- **Seams affected**: supported scopes, resource-type registry metadata, evidence rows, identity strategy, typed Entra compare/render helpers, Claim Guard.
- **Neutral platform terms preserved or introduced**: coverage, evidence, identity, claim, supported scope, resource type, managed environment, provider connection.
- **Provider-specific semantics retained and why**: `conditionalAccessPolicy` and `securityDefaults` are the exact Microsoft Entra resource types in the denominator.
- **Why this does not deepen provider coupling accidentally**: No provider-native tenant ID ownership, no new Entra table family, no Entra dashboard, no provider framework, no customer output, and no restore/apply support.
- **Follow-up path**: Additional Entra resource types, Entra restore, customer reporting, and M365-wide certification require separate specs.
## UI / Surface Guardrail Impact *(mandatory when operator-facing surfaces are changed)*
| Surface / Change | Operator-facing surface change? | Native vs Custom | Shared-Family Relevance | State Layers Touched | Exception Needed? | Low-Impact / `N/A` Note |
|---|---|---|---|---|---|---|
| Existing Coverage v2 readiness / inspect surface | conditional | Existing Filament/Coverage v2 surface | status/evidence/claim display | read model, inspect details | no | Browser proof only if rendered UI files change |
## Decision-First Surface Role *(mandatory when operator-facing surfaces are changed)*
| Surface | Decision Role | Human-in-the-loop Moment | Immediately Visible for First Decision | On-Demand Detail / Evidence | Why This Is Primary or Why Not | Workflow Alignment | Attention-load Reduction |
|---|---|---|---|---|---|---|---|
| Existing Coverage v2 readiness / inspect surface | Tertiary Evidence / Diagnostics Surface | Release reviewer verifies a certification claim is safe | Pack state, exact denominator, blocker summary, no-restore/customer scope | source contract, evidence hash, unsupported/redacted fields | Not primary; supports internal proof review | Extends Coverage v2 technical annex | One pack result replaces manual row-by-row inference |
## Audience-Aware Disclosure *(mandatory when operator-facing surfaces are changed)*
| Surface | Audience Modes In Scope | Decision-First Default-Visible Content | Operator Diagnostics | Support / Raw Evidence | One Dominant Next Action | Hidden / Gated By Default | Duplicate-Truth Prevention |
|---|---|---|---|---|---|---|---|
| Existing Coverage v2 readiness / inspect surface | operator-MSP, support-platform | Certified pack state, exact denominator, blocker/no blocker, no-restore warning | evidence/identity/claim state, source contract, redaction result | raw payload, raw Graph response, permission context, source endpoints | Inspect blockers | raw payload and provider diagnostics | Certification claim appears once with denominator |
## UI/UX Surface Classification *(mandatory when operator-facing surfaces are changed)*
| Surface | Action Surface Class | Surface Type | Likely Next Operator Action | Primary Inspect/Open Model | Row Click | Secondary Actions Placement | Destructive Actions Placement | Canonical Collection Route | Canonical Detail Route | Scope Signals | Canonical Noun | Critical Truth Visible by Default | Exception Type / Justification |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Existing Coverage v2 readiness / inspect surface | List / Table / Detail | Technical Annex | Inspect blockers | Existing inspect affordance | existing behavior | Existing details/technical disclosure | none | existing Coverage v2 route | existing inspect/modal | workspace + managed environment | Certified Entra Core Compare Pack | exact denominator and blocker state | none |
## Operator Surface Contract *(mandatory when operator-facing surfaces are changed)*
| Surface | Primary Persona | Decision / Operator Action Supported | Surface Type | Primary Operator Question | Default-visible Information | Diagnostics-only Information | Status Dimensions Used | Mutation Scope | Primary Actions | Dangerous Actions |
|---|---|---|---|---|---|---|---|---|---|---|
| Existing Coverage v2 readiness / inspect surface | internal operator / release reviewer | Decide whether internal certified pack wording is safe | Technical Annex | Is the exact pack certified for compare/render? | pack state, denominator, blockers, internal-only/no-restore labels | raw payload, source metadata, OperationRun links, permission context | certification, evidence, identity, compare, render, redaction, claim | read-only | Inspect blockers | none |
## Proportionality Review *(mandatory when structural complexity is introduced)*
- **New source of truth?**: no. Certification is derived from existing Coverage v2 evidence, identity, compare, render, redaction, supported scope, and Claim Guard truth.
- **New persisted entity/table/artifact?**: no.
- **New abstraction?**: yes, if implementation adds a narrow pack evaluator service or value object.
- **New enum/state/reason family?**: derived blocker states may be introduced as service-local values. Do not add a persisted enum/status family unless the spec is amended.
- **New cross-domain UI framework/taxonomy?**: no.
- **Current operator problem**: Release reviewers need a safe internal certification claim for the exact Entra denominator without overclaiming restore, customer proof, or full workload coverage.
- **Existing structure is insufficient because**: Row-level compare/render helpers do not prove denominator integrity, exact pack success/failure, or claim wording safety across both mandatory resource types.
- **Narrowest correct implementation**: One exact pack definition plus derived evaluator and tests; reuse existing Coverage v2/Claim Guard/redaction helpers; no persistence and no new UI framework.
- **Ownership cost**: Focused evaluator, fixtures, and tests must be maintained when either denominator type changes.
- **Alternative intentionally rejected**: Marking each resource type `certified` independently without a pack evaluator; that would allow one denominator item to fail silently or claims to overreach.
- **Release truth**: Current-release internal/operator certification proof only.
### Compatibility posture
This feature assumes a pre-production environment. Backward compatibility, legacy aliases, migration shims, historical fixtures, and compatibility-specific tests are out of scope.
## Testing / Lane / Runtime Impact *(mandatory for runtime behavior changes)*
- **Test purpose / classification**: Unit for evaluator, denominator, compare fixtures, render/redaction, and Claim Guard. Feature for supported scope, exact denominator, RBAC/scope, no restore/customer/tenant_id/mini-platform, and non-denominator exclusions. Browser only if rendered UI changes.
- **Validation lane(s)**: fast-feedback for unit/feature; browser only if UI changes.
- **Why this classification and these lanes are sufficient**: Certification behavior is derived, deterministic, and DB-only. Browser proof is required only for rendered product-surface changes.
- **New or expanded test families**: Spec425 TenantConfiguration tests and optional browser smoke if UI changes.
- **Fixture / helper cost impact**: Add focused golden fixtures for Conditional Access and Security Defaults only; avoid broad workspace/provider default helpers.
- **Heavy-family visibility / justification**: none unless browser proof is triggered.
- **Special surface test profile**: technical-annex Coverage v2 surface if UI changes; otherwise N/A.
- **Standard-native relief or required special coverage**: ordinary service/feature coverage unless UI changes.
- **Reviewer handoff**: verify exact denominator, no broad claims, no restore/customer output, no raw payloads, stable identity, no `tenant_id`, no Entra mini-platform, and narrow validation commands.
- **Budget / baseline / trend impact**: none expected.
- **Escalation needed**: document-in-feature if a bounded UI no-impact decision is used; reject-or-split if restore/customer/full-Entra scope appears.
- **Active feature PR close-out entry**: Guardrail / Exception / Smoke Coverage.
- **Planned validation commands**:
- `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact <focused Spec425 unit tests>`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact <focused Spec425 feature tests>`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact <focused Spec425 browser test>` if UI changes
- `git diff --check`
## User Scenarios & Testing *(mandatory)*
### User Story 1 - Certify the Exact Entra Core Compare Denominator (Priority: P1)
As an internal release reviewer, I need one derived certification result for the exact Entra Core Compare Pack so I can safely approve only exact pack wording when both mandatory types meet evidence, identity, compare, render, redaction, and claim criteria.
**Why this priority**: This is the core certification gate and prevents false certification when either mandatory type fails.
**Independent Test**: A focused evaluator test can seed valid Conditional Access and Security Defaults evidence and prove the pack passes only when both mandatory types pass.
**Acceptance Scenarios**:
1. **Given** both denominator types have content-backed evidence, stable identity, deterministic compare, safe render, redaction proof, and allowed exact internal wording, **When** the pack is evaluated, **Then** the pack returns `certification_passed`.
2. **Given** either `conditionalAccessPolicy` or `securityDefaults` is missing, blocked, identity-unstable, non-renderable, or redaction-unsafe, **When** the pack is evaluated, **Then** the pack returns the matching blocker state and does not certify.
3. **Given** optional Entra types exist in the registry, **When** the pack denominator is evaluated, **Then** only `conditionalAccessPolicy` and `securityDefaults` are included.
---
### User Story 2 - Block Unsafe Certification Claims (Priority: P1)
As a product/release reviewer, I need Claim Guard to allow only exact internal/operator pack wording and block broad Entra, M365, restore, customer-ready, legal/regulatory, and full-tenant proof wording.
**Why this priority**: Certification wording is the biggest risk in this spec.
**Independent Test**: Claim Guard tests can evaluate allowed and forbidden statements without UI or provider calls.
**Acceptance Scenarios**:
1. **Given** the exact wording "Certified Entra Core Compare Pack: Conditional Access and Security Defaults", **When** Claim Guard evaluates it for internal/operator use and the evaluator has passed, **Then** the wording is allowed as internal/operator-only.
2. **Given** "Certified Entra coverage", "100% Entra coverage", "Entra restore-ready", "Certified Microsoft 365 coverage", or "Customer-ready Entra proof", **When** Claim Guard evaluates the claim, **Then** the claim is blocked.
3. **Given** exact pack wording without explicit denominator, **When** Claim Guard evaluates the claim, **Then** the claim is blocked or limited until the denominator is included.
---
### User Story 3 - Preserve Safety Boundaries (Priority: P2)
As a platform reviewer, I need proof that certification does not introduce restore/apply behavior, customer output, raw payload display, `tenant_id`, remote calls, or an Entra-specific mini-platform.
**Why this priority**: The pack is high risk if certification creates hidden product or architecture expansion.
**Independent Test**: Feature/static tests can assert no restore/customer/tenant_id/mini-platform artifacts and no provider calls during evaluation.
**Acceptance Scenarios**:
1. **Given** certification evaluation runs, **When** the evaluator executes, **Then** no Graph, TCM, provider, or remote call is made.
2. **Given** runtime files are scanned, **When** Spec 425 changes are inspected, **Then** no `tenant_id`, Entra-specific table family, restore/apply action, new route/navigation/dashboard, or customer output path is introduced.
3. **Given** render output is evaluated, **When** summaries are inspected, **Then** raw payload, raw Graph response, credentials, secrets, authorization headers, cookies, certificate material, private keys, and raw permission context are absent.
### Edge Cases
- One denominator type has no current same-scope evidence for the evaluated workspace, managed environment, provider connection, and resource type.
- One denominator type has current same-scope evidence but `identity_state` is not `stable`.
- One denominator type has evidence from the wrong workspace, managed environment, or provider connection.
- Evidence is stale, superseded, missing an expected anchor/currentness marker, or would require fallback to first/latest outside the explicit evaluation scope.
- Conditional Access compare detects only volatile changes.
- Conditional Access compare detects unsupported fields.
- Security Defaults `enabled` changes from `null` to a boolean.
- Claim Guard exact pack wording is attempted before evaluator pass.
- A non-denominator Entra type is renderable but must remain non-certified.
- UI implementation becomes necessary after the initial no-new-surface plan.
## Requirements *(mandatory)*
### Functional Requirements
- **FR-425-001**: The system MUST define the canonical internal pack name `entra_core_compare_certified`.
- **FR-425-002**: The system MUST define the human label `Certified Entra Core Compare Pack`.
- **FR-425-003**: The certified denominator MUST be exactly `conditionalAccessPolicy` and `securityDefaults`.
- **FR-425-004**: The denominator MUST fail certification if either mandatory type is missing, blocked, incomplete, or downgraded to warning.
- **FR-425-005**: The pack MUST exclude `application`, `servicePrincipal`, `roleDefinition`, `administrativeUnit`, `authenticationMethodsPolicy`, `identityProtectionPolicy`, `authorizationPolicy`, `crossTenantAccessPolicy`, `accessReview`, PIM resources, and all optional candidates.
- **FR-425-006**: The evaluator MUST require append-only current same-scope content-backed evidence with `raw_payload`, `normalized_payload`, deterministic `payload_hash`, source class, source contract, `captured_at`, and operation run linkage where capture was operation-backed.
- **FR-425-007**: The evaluator MUST require `identity_state = stable`.
- **FR-425-008**: The evaluator MUST block certification for `identity_conflict`, `missing_external_id`, `unsupported_identity`, and `derived`.
- **FR-425-009**: The evaluator MUST require deterministic typed compare support for both denominator types.
- **FR-425-010**: Conditional Access compare proof MUST cover policy state, included/excluded users/groups/roles, included/excluded apps/resources, conditions, grant controls, session controls, named locations when present, client app/device/platform conditions when present, volatile fields, and unsupported fields.
- **FR-425-011**: Security Defaults compare proof MUST cover enabled state, source identity, captured timestamp/evidence state, claim state, volatile fields, missing evidence, and identity blockers.
- **FR-425-012**: The evaluator MUST require operator-safe render summaries for both denominator types.
- **FR-425-013**: Render output MUST be understandable without default raw provider JSON.
- **FR-425-014**: Render/redaction output MUST hide tokens, secrets, password credential values, private keys, certificate material, authorization headers, cookies, raw payload, raw Graph response, raw permission context, and unredacted credentials.
- **FR-425-015**: Unsupported fields MUST remain diagnostics-only and MUST NOT silently produce certification.
- **FR-425-016**: Claim Guard MUST allow exact internal/operator certification wording only after the exact pack passes.
- **FR-425-017**: Claim Guard MUST block full Entra, 100 percent Entra, M365 certified, restore-ready, customer-ready proof, full tenant security proof, legal/regulatory attestation, and Review Pack/report output claims.
- **FR-425-018**: Any visible certified pack claim MUST include the exact denominator.
- **FR-425-019**: The supported scope `entra_core_compare_certified` MUST be internal/operator-only by default and customer-claim disabled.
- **FR-425-020**: The supported scope MUST use `required_minimum_coverage_level = certified`.
- **FR-425-021**: Because `securityDefaults` is currently Graph v1 fallback, any graph fallback allowance MUST be explicit, type-bounded to `securityDefaults`, and non-customer-claimable.
- **FR-425-022**: Certification state SHOULD be derived from existing Coverage v2 truth. New persisted certification tables are forbidden.
- **FR-425-023**: No Graph, TCM, provider, Microsoft docs, or remote call may occur during certification evaluation.
- **FR-425-024**: Evaluation through any route, command, service, or UI path MUST enforce workspace, managed-environment, provider-connection, and capability scope.
- **FR-425-025**: No restore/apply action, restore readiness, customer output, Review Pack/report/export/PDF output, new dashboard, new primary navigation, or new Entra mini-platform may be introduced.
- **FR-425-026**: No Coverage v2 ownership field, new persistence path, compatibility alias, dual-write target, fallback reader, or parallel scope key may use `tenant_id`.
- **FR-425-027**: Implementation close-out MUST include candidate gate result, dirty state before/after, files changed, certified denominator, certification matrix, claim matrix, redaction proof, no-restore proof, no-customer-claim proof, no-tenant_id proof, no-mini-platform proof, Product Surface decision, tests run, and deferred work.
- **FR-425-028**: The supported scope metadata MUST include description, `workload = entra`, exact `resource_type_denominator`, `allow_beta = false`, explicit graph fallback policy, claim label, and `customer_claims_allowed = false`.
- **FR-425-029**: Derived certification state output MUST include or map to `certification_not_evaluated`, `certification_passed`, `certification_blocked_missing_evidence`, `certification_blocked_identity`, `certification_blocked_compare`, `certification_blocked_render`, `certification_blocked_redaction`, and `certification_blocked_claim_guard`.
- **FR-425-030**: Certification evidence selection MUST NOT fallback to first/latest evidence outside the explicit workspace, managed-environment, provider-connection, resource-type, and currentness scope. Missing, stale, superseded, wrong-scope, or ambiguous evidence MUST block certification.
## UI Action Matrix *(mandatory when Filament is changed)*
N/A. No new Filament Resource, RelationManager, Page, action, bulk action, destructive action, or global search behavior is planned. If implementation changes Filament/UI runtime files, this spec and plan must be amended before those edits.
### Key Entities / Concepts *(include if feature involves data)*
- **Certified pack**: Derived internal/operator pack result for `entra_core_compare_certified`.
- **Denominator**: Exact two-resource set: `conditionalAccessPolicy`, `securityDefaults`.
- **Certification evaluator**: Derived DB-only evaluator that composes evidence, identity, compare, render, redaction, and claim criteria.
- **Certification blocker**: Derived reason such as missing evidence, identity blocked, compare blocked, render blocked, redaction blocked, or Claim Guard blocked.
- **Supported scope**: Existing Coverage v2 supported-scope mechanism carrying the pack key and denominator metadata.
## Success Criteria *(mandatory)*
### Measurable Outcomes
- **SC-425-001**: Focused tests prove the denominator contains exactly two resource types and fails when either is absent.
- **SC-425-002**: Focused tests prove certification passes only when both denominator types meet all evidence, identity, compare, render, redaction, and claim criteria.
- **SC-425-003**: Focused tests prove all forbidden broad, restore, M365, customer, and legal/regulatory claims are blocked.
- **SC-425-004**: Focused tests prove raw payloads and sensitive values are absent from render/claim output.
- **SC-425-005**: Focused feature/static tests prove no restore/apply, customer output, `tenant_id`, Entra-specific table family, new route/navigation/dashboard, or mini-platform is introduced.
- **SC-425-006**: Focused validation commands and `git diff --check` pass, or exact failures are documented.
## Acceptance Criteria
- **AC-425-001**: `entra_core_compare_certified` exists as an internal/operator supported scope or equivalent existing scope metadata.
- **AC-425-002**: The certified denominator is exactly `conditionalAccessPolicy` and `securityDefaults`.
- **AC-425-003**: Certification passes only when both mandatory denominator types pass all required criteria.
- **AC-425-004**: Certification produces explicit blocker states and does not downgrade mandatory failures to warnings.
- **AC-425-005**: Claim Guard allows exact internal/operator pack wording only and blocks full Entra, M365, restore, customer-ready, and broad proof claims.
- **AC-425-006**: Raw payload, secrets, credential values, authorization headers, cookies, certificate/private-key material, and raw permission context are hidden.
- **AC-425-007**: Certification evaluation is DB-only and makes no provider/Graph/TCM calls.
- **AC-425-008**: No restore/apply, customer output, full Entra/M365 certification, new dashboard, new navigation, new route, `tenant_id`, or Entra mini-platform is introduced.
- **AC-425-009**: If UI changes are made, focused browser proof and Human Product Sanity pass.
## Assumptions
- Current HEAD includes Spec 424 completion and its Security Defaults support.
- Conditional Access and Security Defaults evidence remains represented by existing Coverage v2 resource/evidence rows.
- `coverage_level = certified` may be derived for pack evaluation; resource evidence rows do not need to be mutated to `certified` unless the implementation proves existing supported-scope evaluation already persists such summaries.
- `allow_graph_fallback = true` for this pack is acceptable only because `securityDefaults` is explicitly listed, Graph v1-backed, non-beta, and internal/operator-only.
- Existing fixtures or inline payloads from Specs 421 and 424 can be reused as the basis for golden fixtures.
## Open Questions
None blocking. If implementation discovers that certification must be persisted, queued, customer-rendered, or restore-aware, stop and amend the spec before continuing.
## Risks
| Risk | Severity | Mitigation |
|---|---:|---|
| Certified compare misunderstood as restore-ready | High | Claim Guard, no-restore proof, visible no-restore wording if rendered |
| Certified pack misunderstood as full Entra coverage | High | Exact denominator required everywhere |
| Security Defaults regression reopens blocker | High | Mandatory denominator and missing-evidence tests |
| Raw/secrets leak through render | High | Redaction unit/feature tests |
| Certification becomes separate mini-platform | High | No Entra table family, no dashboard, no new route/navigation |
| Customer-facing claims sneak in | High | Claim Guard and no-customer-output tests |
| `tenant_id` returns | High | Static/schema tests and implementation report proof |
| Remote calls during evaluation | High | Fail-hard provider client tests |
## Follow-Up Spec Candidates
- Spec 426 - Exchange/Teams Certified Compare Pack.
- Spec 427 - Security and Compliance Compare Pack.
- Spec 428 - M365 Customer Reporting Claim Guard Pack.
- Spec 429 - M365 Pilot Readiness Gate.
- Entra restore/apply.
- Full Entra certified coverage.
- Application/ServicePrincipal/RoleDefinition/AdministrativeUnit certification.
- Customer-facing Entra reports.
- Review Pack output.
- Management PDF output.
- M365-wide certification.
## Required Implementation Report Matrices
### Certification Matrix
| Resource Type | Evidence | Identity | Compare | Render | Redaction | Certified? | Blocker |
|---|---|---|---|---|---|---|---|
| `conditionalAccessPolicy` | | | | | | | |
| `securityDefaults` | | | | | | | |
### Claim Matrix
| Claim | Allowed? | Reason |
|---|---|---|
| Certified Entra Core Compare Pack: Conditional Access and Security Defaults | Yes, internal/operator only | Exact denominator |
| 100% Entra coverage | No | Broad overclaim |
| Entra restore-ready | No | Restore out of scope |
| Certified Microsoft 365 coverage | No | Broad overclaim |
| Customer-ready Entra proof | No | Customer output deferred |