Requirements Checklist: Spec 425 - Entra Certified Compare Pack
Purpose: Validate preparation readiness for the user-provided Spec 425 candidate before implementation.
Created: 2026-07-01
Feature: spec.md
Candidate And Scope
- Candidate is directly user-provided and does not depend on the empty auto-prep queue.
- Completed historical specs are treated as read-only dependency evidence, not artifacts to rewrite.
- Scope is limited to `entra_core_compare_certified`.
- Certified denominator is exactly `conditionalAccessPolicy` plus `securityDefaults`.
- Optional Entra candidates are explicitly excluded.
- Full Entra certification is excluded.
- Microsoft 365 certification is excluded.
- Restore/apply certification is excluded.
- Customer-facing proof or report activation is excluded.
Repo Truth Alignment
- Spec 421 is recorded as the source of Conditional Access comparable/renderable support.
- Spec 424 is recorded as the source of Security Defaults content-backed comparable/renderable support.
- Current source preflight checked source contracts for both mandatory denominator types.
- Current source preflight checked identity strategy for both mandatory denominator types.
- Current source preflight checked compare/render/redaction helpers for both mandatory denominator types.
- Current source preflight found no existing `425` spec directory before creation.
- Current source preflight found no existing local `425` branch before creation.
- `entra_core_compare_certified` is not assumed to already exist; implementation tasks require adding or confirming it.
Constitution And Product Surface
- Spec states no `tenant_id` as Coverage v2 ownership truth.
- Spec preserves workspace, managed-environment, and provider-connection scope.
- Spec requires DB-only certification evaluation with no Graph/TCM/provider remote calls.
- Proportionality review rejects a new persisted certification table.
- Proportionality review allows only a narrow derived evaluator/result if existing supported-scope evaluation is insufficient.
- Product Surface impact is conditional and bounded to the existing Coverage v2 operator surface if needed.
- Browser proof is required if rendered UI changes.
- Browser proof is explicitly `N/A - no rendered UI surface changed` if no UI files change.
- No new primary navigation, dashboard, route, customer output, report, export, Review Pack, or PDF is allowed.
- Completed historical spec artifacts remain read-only.
Requirement Coverage
- Supported scope metadata requirements are defined.
- Exact denominator integrity requirements are defined.
- Evidence criteria are defined.
- Evidence currentness and no fallback-to-first/latest behavior are defined.
- Stable identity criteria are defined, and derived identity is blocked for certification.
- Compare criteria are defined.
- Render criteria are defined.
- Redaction criteria are defined.
- Claim Guard criteria are defined.
- Explicit certification pass, not-evaluated, and blocker states are defined as derived outcomes.
- Conditional Access certified compare fixture coverage is defined.
- Security Defaults certified compare fixture coverage is defined.
- Broad/full/restore/M365/customer claims are blocked.
- No-restore and no-customer activation requirements are explicit.
- No Entra mini-platform and no Entra-specific table family requirements are explicit.
- RBAC/isolation expectations are explicit.
- RBAC/isolation proof is tied to concrete service/command/route/UI invocation boundaries.
Task Readiness
- Preflight tasks block runtime implementation if mandatory evidence, identity, compare, render, redaction, or claim posture fails.
- Tests and fixtures are planned before or alongside implementation.
- Unit tests cover evaluator, denominator, compare, redaction, and Claim Guard behavior.
- Feature tests cover supported scope, denominator, certification, no restore, no customer claim, no `tenant_id`, and no mini-platform.
- Browser test task is conditional on rendered UI changes.
- Validation commands include Pint, focused unit tests, focused feature tests, conditional browser test, and `git diff --check`.
- Implementation report requirements include candidate gate, dirty state, files, matrices, redaction, no-restore, no-customer, no-tenant-id, no-mini-platform, Product Surface, tests, and deferred work.
Review Outcome
- Candidate Selection Gate: PASS.
- Spec Readiness Gate: PASS for preparation artifacts.
- Open questions: none that block implementation planning.
- Hard implementation preflight remains required at T001-T006 before runtime code changes.
- Preparation scope stops before application implementation.