TenantAtlas/specs/425-entra-certified-compare-pack/tasks.md
ahmido 33e496c182 feat: complete spec 425 entra certified compare pack (#492)
Implements spec 425 with Entra certified compare pack support, coverage, guards, evaluator, fixtures, and tests.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #492
2026-07-01 23:27:16 +00:00

Tasks: Spec 425 - Entra Certified Compare Pack

Input: Design documents from specs/425-entra-certified-compare-pack/
Prerequisites: spec.md, plan.md, checklists/requirements.md

Tests: Required. This spec changes runtime certification behavior and claim safety. Use focused Pest Unit/Feature tests first. Browser proof is required only if rendered UI changes.

Test Governance Checklist

  • Lane assignment is named and is the narrowest sufficient proof for the changed behavior.
  • New or changed tests stay in the smallest honest family, and any heavy-governance or browser addition is explicit.
  • Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default; any widening is isolated or documented.
  • Planned validation commands cover the change without pulling in unrelated lane cost.
  • Browser proof is explicitly recorded as N/A - no rendered UI surface changed, and is required only if rendered UI changes.
  • Human Product Sanity and Product Surface implementation-report close-out are planned if UI changes.
  • Any material budget, baseline, trend, or escalation note is recorded in the implementation report.

Phase 1: Hard Preflight

Purpose: Re-check the user-provided prerequisite gate before runtime implementation. Stop before code changes if this phase fails.

  • T001 Capture current branch, HEAD, and git status --short in specs/425-entra-certified-compare-pack/implementation-report.md.
  • T002 Confirm Specs 414, 415, 417, 418, 419, 420, 421, and 424 remain completed/read-only dependency context; do not edit their artifacts.
  • T003 Confirm conditionalAccessPolicy is content-backed, comparable, renderable, redacted, non-restorable, internal/operator-only, and stable-identity backed in current source/tests.
  • T004 Confirm securityDefaults is content-backed, comparable, renderable, redacted, non-restorable, internal/operator-only, and stable-identity backed in current source/tests.
  • T005 Confirm current Coverage v2 ownership paths use workspace_id, managed_environment_id, and same-scope provider_connection_id, not tenant_id.
  • T006 Stop and report the blocker before implementation if either mandatory denominator type lacks evidence, stable identity, compare, render, redaction, or safe claim posture.

Checkpoint: Mandatory denominator preflight passes or implementation stops.

Phase 2: Fixtures And Failing Tests

Purpose: Add focused proof before runtime changes.

  • T007 [P] Add Conditional Access golden fixture payloads under apps/platform/tests/Fixtures/TenantConfiguration/Spec425/conditional-access/ for no change, state change, grant controls, included actor, excluded actor, app/resource targeting, condition, session control, volatile-only change, unsupported field, and redaction cases.
  • T008 [P] Add Security Defaults golden fixture payloads under apps/platform/tests/Fixtures/TenantConfiguration/Spec425/security-defaults/ for no change, enabled true/false change, volatile-only change, missing evidence, identity blocked, and redaction cases.
  • T009 [P] Add apps/platform/tests/Unit/Support/TenantConfiguration/EntraCertifiedDenominatorTest.php proving the denominator is exactly conditionalAccessPolicy and securityDefaults, excludes optional Entra types, and cannot ignore a missing denominator item.
  • T010 [P] Add apps/platform/tests/Unit/Support/TenantConfiguration/EntraCertifiedPackEvaluatorTest.php proving not-evaluated, pass, missing evidence blockers, stale/superseded evidence blockers, wrong-scope evidence blockers, no fallback-to-first/latest behavior, identity blockers, compare blockers, render blockers, redaction blockers, and Claim Guard blockers.
  • T011 [P] Add apps/platform/tests/Unit/Support/TenantConfiguration/ConditionalAccessCertifiedCompareTest.php proving Conditional Access no-change, state, grant controls, included/excluded actors, app/resource targeting, conditions, session controls, volatile fields, unsupported fields, and raw payload hiding behavior.
  • T012 [P] Add apps/platform/tests/Unit/Support/TenantConfiguration/SecurityDefaultsCertifiedCompareTest.php proving enabled changes, no-change, volatile fields, missing evidence, identity blocked, raw payload hiding, and exact claim gating.
  • T013 [P] Add apps/platform/tests/Unit/Support/TenantConfiguration/EntraCertifiedRenderRedactionTest.php proving tokens, secrets, credential values, private keys, certificate material, authorization headers, cookies, raw payload, raw Graph response, and raw permission context are absent from certification output.
  • T014 [P] Add apps/platform/tests/Unit/Support/TenantConfiguration/EntraCertifiedPackClaimGuardTest.php proving exact internal/operator wording is allowed only with the explicit denominator and broad/full/restore/M365/customer claims are blocked.
  • T015 [P] Add apps/platform/tests/Feature/TenantConfiguration/Spec425EntraCertifiedComparePackTest.php proving the certified pack passes only when both mandatory resource types pass every criterion.
  • T016 [P] Add apps/platform/tests/Feature/TenantConfiguration/Spec425EntraCertifiedDenominatorFeatureTest.php proving supported-scope denominator integrity, exact two-type denominator, graph fallback allowlist for securityDefaults, and non-denominator exclusions.
  • T017 [P] Add apps/platform/tests/Feature/TenantConfiguration/Spec425EntraCertifiedClaimGuardFeatureTest.php proving exact pack claims are internal/operator-only and broad claims remain blocked.
  • T018 [P] Add apps/platform/tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoRestoreTest.php proving no restore/apply action, restore-ready state, or restorable tier is introduced.
  • T019 [P] Add apps/platform/tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoCustomerClaimTest.php proving no customer-facing claim, Review Pack/report/export/PDF output, or customer-ready proof activation.
  • T020 [P] Add apps/platform/tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoTenantIdTest.php proving Spec 425 runtime changes do not introduce tenant_id.
  • T021 [P] Add apps/platform/tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoMiniPlatformTest.php proving no Entra-specific migration, table family, model, route, navigation item, Filament Resource/Page, dashboard, or mini-platform is added.
  • T022 [P] Add a fail-hard provider/Graph assertion in the focused evaluator/read-model tests proving certification evaluation makes no Graph, TCM, provider, Microsoft docs, or other remote call.

Checkpoint: New focused tests fail for missing implementation and pass after later phases.

Phase 3: Certified Scope And Denominator

Purpose: Define the exact internal/operator certified pack scope without broad claims.

  • T023 Update apps/platform/app/Services/TenantConfiguration/SupportedScopeResolver.php to add entra_core_compare_certified with description, workload entra, display name Certified Entra Core Compare Pack, denominator conditionalAccessPolicy and securityDefaults, minimum coverage level certified, allow_beta = false, claim label, customer_claims_allowed = false, and metadata documenting internal/operator-only posture.
  • T024 In SupportedScopeResolver.php, encode the securityDefaults Graph v1 fallback allowance explicitly, preferably with metadata allowlist such as graph_fallback_allowlist = ["securityDefaults"]; do not make broad graph fallback claims customer-claimable.
  • T025 Ensure apps/platform/app/Services/TenantConfiguration/ResourceTypeRegistry.php does not mark optional Entra resource types as certified, customer-claimable, or restore-ready.
  • T026 Ensure the denominator definition cannot silently include application, servicePrincipal, roleDefinition, administrativeUnit, authenticationMethodsPolicy, identityProtectionPolicy, authorizationPolicy, crossTenantAccessPolicy, accessReview, or PIM resources.

Checkpoint: Supported scope exists and denominator integrity tests pass.

Phase 4: Certification Evaluator

Purpose: Derive certification from existing Coverage v2 truth without new persistence.

  • T027 Add apps/platform/app/Services/TenantConfiguration/EntraCertifiedComparePackEvaluator.php only if existing supported-scope evaluation cannot produce the required certification matrix.
  • T028 If a result carrier is needed, add a narrow non-persisted result class under apps/platform/app/Services/TenantConfiguration/ and keep certification states derived strings rather than a persisted enum/status family, including certification_not_evaluated, certification_passed, certification_blocked_missing_evidence, certification_blocked_identity, certification_blocked_compare, certification_blocked_render, certification_blocked_redaction, and certification_blocked_claim_guard.
  • T029 Implement exact denominator loading in the evaluator with same workspace, managed-environment, and provider-connection scope checks.
  • T030 Implement evidence criteria checks: current same-scope content-backed evidence, append-only evidence row, raw payload present, normalized payload present, deterministic payload hash, source class, source contract, captured timestamp, operation run linkage when capture was operation-backed, stale/superseded/missing-currentness blockers, and no fallback to first/latest or wrong-scope evidence.
  • T031 Implement identity criteria checks requiring IdentityState::Stable and blocking derived, identity_conflict, missing_external_id, and unsupported_identity.
  • T032 Implement compare criteria checks by reusing EntraCoverageComparator and proving material, volatile, unsupported, and redacted paths are classified deterministically.
  • T033 Implement render criteria checks by reusing EntraRenderableSummaryBuilder and requiring operator-safe summaries for both denominator types.
  • T034 Implement redaction criteria checks by reusing CoveragePayloadRedactor and asserting no sensitive raw values appear in evaluator/render/claim output.
  • T035 Implement Claim Guard criteria checks by requiring exact internal/operator pack wording and explicit denominator visibility.
  • T036 Ensure missing mandatory denominator items, failed mandatory criteria, unsupported fields that would make certification ambiguous, and non-deterministic compare output produce explicit blocker states rather than warnings.
  • T037 Ensure evaluator execution is DB-only and does not call ProviderGateway, GraphClientInterface, TCM, Microsoft docs, HTTP, queued jobs, or OperationRun creation.
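The evaluator rules in T028, T030-T036 and T015 reduce to a small state machine; the PHP 8 block below is an added example, not the project's EntraCertifiedComparePackEvaluator.php, and it assumes that each criterion has already been reduced to a boolean per resource type and that the denominator and criterion order are as listed in this phase.

```php
<?php
// Added example, not TenantAtlas code: derives the T028 certification states
// from per-type criterion results in the T030-T035 order, applying T015/T036.
declare(strict_types=1);

const DENOMINATOR = ['conditionalAccessPolicy', 'securityDefaults'];

// Criteria in evaluation order, each paired with its blocker state.
const CRITERIA = [
    'evidence'   => 'certification_blocked_missing_evidence',
    'identity'   => 'certification_blocked_identity',
    'compare'    => 'certification_blocked_compare',
    'render'     => 'certification_blocked_render',
    'redaction'  => 'certification_blocked_redaction',
    'claimGuard' => 'certification_blocked_claim_guard',
];

// $results maps resource type => [criterion => bool]; null means not evaluated.
// Types outside the denominator are ignored (T026); a missing denominator type
// is an explicit blocker (T036); pass needs every criterion for both types (T015).
function evaluateCertifiedPack(?array $results): array
{
    if ($results === null) {
        return ['state' => 'certification_not_evaluated', 'blockers' => []];
    }
    $blockers = [];
    foreach (DENOMINATOR as $type) {
        if (!isset($results[$type])) {
            $blockers[] = [$type, 'evidence', 'certification_blocked_missing_evidence'];
            continue; // no fallback to another row, scope or type
        }
        foreach (CRITERIA as $criterion => $blockedState) {
            if (($results[$type][$criterion] ?? false) !== true) {
                $blockers[] = [$type, $criterion, $blockedState];
                break; // later criteria are meaningless once one fails
            }
        }
    }
    // The first blocker in denominator/criterion order names the pack state.
    return ['state' => $blockers[0][2] ?? 'certification_passed', 'blockers' => $blockers];
}

// Constructed sample: securityDefaults passes everything, conditionalAccessPolicy
// has a non-stable identity, and an optional type is present but ignored.
$allPass = array_fill_keys(array_keys(CRITERIA), true);
$sample = [
    'conditionalAccessPolicy' => ['identity' => false] + $allPass,
    'securityDefaults'        => $allPass,
    'authorizationPolicy'     => [],
];
print_r(evaluateCertifiedPack($sample));
```

The sample yields certification_blocked_identity with a single blocker for conditionalAccessPolicy; every blocker is recorded so the implementation-report matrix (T053) can list all failing criteria, while the pack state itself is always the first blocker rather than a warning.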

Checkpoint: Evaluator unit and feature tests pass.

Phase 5: Claim Guard Exact Wording

Purpose: Allow exact internal/operator certification wording while blocking overclaims.

  • T038 Update apps/platform/app/Services/TenantConfiguration/ClaimGuard.php to allow exact internal/operator visible wording only for Certified Entra Core Compare Pack: Conditional Access and Security Defaults; the bare pack label may exist only as internal scope metadata or a diagnostic row heading when the same visible context includes the denominator.
  • T039 Require exact denominator visibility for any certified pack wording; block or limit certification wording that omits the denominator.
  • T040 Block forbidden wording: Certified Entra coverage, 100% Entra coverage, Full Entra coverage, Entra restore-ready, Certified Microsoft 365 coverage, Customer-ready Entra proof, Full tenant security proof, legal/regulatory attestation claims, and Review Pack/report proof claims.
  • T041 Keep Claim Guard default behavior conservative for all non-425 claims; do not weaken existing Spec 421, 422, 423, or 424 claim-blocking behavior.
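As an added illustration of the Phase 5 wording rules (not the project's ClaimGuard.php), the PHP 8 block below allows the exact denominator-visible pack claim for operator surfaces, allows the bare pack label only when the same visible context names both denominator types, and blocks the T040 overclaims; the function name, the 'operator'/'customer' audience strings and the return shape are assumptions.

```php
<?php
// Added example, not TenantAtlas code. Encodes T038-T041: exact wording for
// internal/operator surfaces only, bare label only with a visible denominator,
// T040 overclaims blocked, and a conservative default for anything else.
declare(strict_types=1);

const PACK_LABEL = 'Certified Entra Core Compare Pack';
const EXACT_PACK_CLAIM = PACK_LABEL . ': Conditional Access and Security Defaults';

// Forbidden phrases from T040, matched case-insensitively as substrings. T040's
// legal/regulatory and Review Pack proof categories are rules, not phrases.
const FORBIDDEN_CLAIMS = [
    'Certified Entra coverage',
    '100% Entra coverage',
    'Full Entra coverage',
    'Entra restore-ready',
    'Certified Microsoft 365 coverage',
    'Customer-ready Entra proof',
    'Full tenant security proof',
];

// $claim is the text that would be shown, $context the other text visible on the
// same surface, $audience 'operator' (internal) or 'customer' (assumed names).
// Returns ['allowed' => bool, 'reason' => string].
function guardPackClaim(string $claim, string $context, string $audience): array
{
    foreach (FORBIDDEN_CLAIMS as $forbidden) {
        if (stripos($claim, $forbidden) !== false) {
            return ['allowed' => false, 'reason' => "forbidden wording: $forbidden"];
        }
    }
    if ($audience !== 'operator') {
        // customer_claims_allowed = false for this scope (T023)
        return ['allowed' => false, 'reason' => 'pack claims are internal/operator-only'];
    }
    if ($claim === EXACT_PACK_CLAIM) {
        return ['allowed' => true, 'reason' => 'exact denominator-visible pack claim'];
    }
    $denominatorVisible = str_contains($context, 'Conditional Access')
        && str_contains($context, 'Security Defaults');
    if ($claim === PACK_LABEL && $denominatorVisible) {
        return ['allowed' => true, 'reason' => 'bare label with denominator in visible context'];
    }
    // Conservative default (T039, T041): certification wording without the denominator.
    return ['allowed' => false, 'reason' => 'certification wording without explicit denominator'];
}

// Constructed checks: the first is allowed, the other three are blocked.
var_dump(guardPackClaim(EXACT_PACK_CLAIM, '', 'operator')['allowed']);
var_dump(guardPackClaim(PACK_LABEL, 'Scope: entra_core_compare_certified', 'operator')['allowed']);
var_dump(guardPackClaim(EXACT_PACK_CLAIM, '', 'customer')['allowed']);
var_dump(guardPackClaim('Certified Entra coverage: 100% Entra coverage', '', 'operator')['allowed']);
```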

Checkpoint: Unit and feature Claim Guard tests pass.

Phase 6: Product Surface Decision

Purpose: Keep UI scope bounded and browser-proof only if rendered UI changes.

  • T042 Determine whether the certification pack result can remain service/config/test-only. If yes, record N/A - no rendered UI surface changed in implementation-report.md.
  • T043 If rendered UI changes are necessary, amend spec.md, plan.md, and this tasks.md before editing UI files with exact affected surfaces, Product Surface decisions, browser proof path, and Human Product Sanity criteria. N/A - no rendered UI surface changed.
  • T044 If UI changes proceed after amendment, update only the existing Coverage v2 readiness/read-model/inspect path; do not add a new route, navigation item, dashboard, customer output, report/export/PDF, restore action, or primary Entra surface. N/A - no rendered UI surface changed.
  • T045 If UI changes proceed after amendment, add apps/platform/tests/Browser/Spec425EntraCertifiedComparePackOperatorSurfaceSmokeTest.php proving certified pack state, exact denominator, internal/operator-only label, no restore-ready/full-Entra/M365/customer claim, no raw payload/secrets, and no console/Livewire/Filament errors. N/A - no rendered UI surface changed.

Checkpoint: Product Surface decision is explicit and not contradicted by changed files.

Phase 7: Architecture And Safety Guards

Purpose: Prove no hidden scope expansion or ownership drift.

  • T046 Ensure no migration creates entra_certifications, certified_entra_resources, or any Entra-specific certification table family.
  • T047 Ensure no code introduces tenant_id as Coverage v2 ownership truth, compatibility alias, fallback reader, dual-write target, or parallel scope key.
  • T048 Ensure no restore/apply, preview restore, assisted restore, or restore-readiness code path is introduced.
  • T049 Ensure no customer output, Review Pack, rendered report, management PDF, export/download, legal/regulatory attestation, or customer-ready proof path is introduced.
  • T050 Ensure no new Filament Resource/Page/Widget, route, navigation item, dashboard, or primary Entra surface is introduced.
  • T051 Add or extend focused feature/service tests proving non-member access remains deny-as-not-found (404), member without capability remains 403, provider connection scope remains same workspace/environment, and pure service-only evaluation uses explicit same-scope inputs where any service, command, route, or UI invocation boundary exists.

Checkpoint: No-overreach feature/static tests pass.

Phase 8: Implementation Report And Validation

Purpose: Close the prep-defined evidence contract for implementation.

  • T052 Create specs/425-entra-certified-compare-pack/implementation-report.md with candidate gate result, dirty state before/after, files changed, certified denominator, evaluator matrix, claim matrix, redaction proof, no-restore proof, no-customer-claim proof, no-tenant_id proof, no-mini-platform proof, Product Surface decision, tests run, deferred work, and final gate result.
  • T053 Complete the certification matrix in implementation-report.md for conditionalAccessPolicy and securityDefaults.
  • T054 Complete the claim matrix in implementation-report.md for exact denominator-visible pack claim, 100 percent Entra, restore-ready, Microsoft 365 certified, and customer-ready proof.
  • T055 Run cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent.
  • T056 Run focused unit tests: cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Support/TenantConfiguration/EntraCertifiedPackEvaluatorTest.php tests/Unit/Support/TenantConfiguration/EntraCertifiedPackClaimGuardTest.php tests/Unit/Support/TenantConfiguration/ConditionalAccessCertifiedCompareTest.php tests/Unit/Support/TenantConfiguration/SecurityDefaultsCertifiedCompareTest.php tests/Unit/Support/TenantConfiguration/EntraCertifiedRenderRedactionTest.php tests/Unit/Support/TenantConfiguration/EntraCertifiedDenominatorTest.php.
  • T057 Run focused feature tests: cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/TenantConfiguration/Spec425EntraCertifiedComparePackTest.php tests/Feature/TenantConfiguration/Spec425EntraCertifiedClaimGuardFeatureTest.php tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoRestoreTest.php tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoCustomerClaimTest.php tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoTenantIdTest.php tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoMiniPlatformTest.php tests/Feature/TenantConfiguration/Spec425EntraCertifiedDenominatorFeatureTest.php.
  • T058 If UI changed, run focused browser test: cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Browser/Spec425EntraCertifiedComparePackOperatorSurfaceSmokeTest.php. N/A - no rendered UI surface changed.
  • T059 Run git diff --check.
  • T060 Record any failed validation exactly in implementation-report.md; do not weaken certification, denominator, claim, redaction, ownership, no-restore, or no-mini-platform criteria to make tests pass.

Checkpoint: Focused validation passes or exact failures are documented.

Dependencies & Execution Order

  • Phase 1 blocks all runtime implementation.
  • Phase 2 tests should be added before or alongside Phases 3-5 implementation.
  • Phase 3 scope definition blocks evaluator pass behavior.
  • Phase 4 evaluator depends on existing Coverage v2 evidence/identity/compare/render helpers.
  • Phase 5 Claim Guard updates depend on exact pack wording from the spec.
  • Phase 6 must complete before any runtime UI edits.
  • Phase 8 completes after all implementation tasks and validation.

Parallel Opportunities

  • T007-T014 can run in parallel after preflight because they touch different fixture/test files.
  • T015-T022 can run in parallel after preflight because they touch different feature test files.
  • T023-T026 should be coordinated because they share supported-scope/registry behavior.
  • T027-T037 should be sequential within evaluator implementation.
  • T046-T051 can run in parallel with final static/feature guard hardening once implementation files stabilize.

Stop Conditions

  • A mandatory denominator type cannot satisfy evidence, stable identity, compare, render, redaction, or claim criteria.
  • The denominator changes from exactly conditionalAccessPolicy plus securityDefaults.
  • Any restore/apply, customer output, Review Pack/report/PDF/export, full Entra/M365 certification, or legal/regulatory attestation scope appears.
  • A new Entra-specific table family, dashboard, route, navigation item, primary surface, or mini-platform appears.
  • tenant_id is introduced as platform-core ownership truth or compatibility/fallback path.
  • Certification evaluation requires remote calls, queues, or a new OperationRun.
  • Raw payloads or sensitive values become default-visible or leak into reports/logs/notifications.