TenantAtlas/specs/425-entra-certified-compare-pack/checklists/requirements.md
Ahmed Darrazi 39d0353e03
feat: complete spec 425 entra certified compare pack
2026-07-02 00:55:04 +02:00

Requirements Checklist: Spec 425 - Entra Certified Compare Pack

Purpose: Validate preparation readiness for the user-provided Spec 425 candidate before implementation.
Created: 2026-07-01
Feature: spec.md

Candidate And Scope

  • Candidate is directly user-provided and does not depend on the empty auto-prep queue.
  • Completed historical specs are treated as read-only dependency evidence, not artifacts to rewrite.
  • Scope is limited to entra_core_compare_certified.
  • Certified denominator is exactly conditionalAccessPolicy plus securityDefaults.
  • Optional Entra candidates are explicitly excluded.
  • Full Entra certification is excluded.
  • Microsoft 365 certification is excluded.
  • Restore/apply certification is excluded.
  • Customer-facing proof or report activation is excluded.

Repo Truth Alignment

  • Spec 421 is recorded as the source of Conditional Access comparable/renderable support.
  • Spec 424 is recorded as the source of Security Defaults content-backed comparable/renderable support.
  • Current source preflight checked source contracts for both mandatory denominator types.
  • Current source preflight checked identity strategy for both mandatory denominator types.
  • Current source preflight checked compare/render/redaction helpers for both mandatory denominator types.
  • Current source preflight found no existing 425 spec directory before creation.
  • Current source preflight found no existing local 425 branch before creation.
  • entra_core_compare_certified is not assumed to already exist; implementation tasks require adding or confirming it.

Constitution And Product Surface

  • Spec states that tenant_id is not the Coverage v2 ownership truth.
  • Spec preserves workspace, managed-environment, and provider-connection scope.
  • Spec requires DB-only certification evaluation with no Graph/TCM/provider remote calls.
  • Proportionality review rejects a new persisted certification table.
  • Proportionality review allows only a narrow derived evaluator/result if existing supported-scope evaluation is insufficient.
  • Product Surface impact is conditional and bounded to the existing Coverage v2 operator surface if needed.
  • Browser proof is required if rendered UI changes.
  • Browser proof is explicitly recorded as "N/A - no rendered UI surface changed" if no UI files change.
  • No new primary navigation, dashboard, route, customer output, report, export, Review Pack, or PDF is allowed.
  • Completed historical spec artifacts remain read-only.

Requirement Coverage

  • Supported scope metadata requirements are defined.
  • Exact denominator integrity requirements are defined.
  • Evidence criteria are defined.
  • Evidence currentness and no fallback-to-first/latest behavior are defined.
  • Stable identity criteria are defined, and derived identity is blocked for certification.
  • Compare criteria are defined.
  • Render criteria are defined.
  • Redaction criteria are defined.
  • Claim Guard criteria are defined.
  • Explicit certification pass, not-evaluated, and blocker states are defined as derived outcomes.
  • Conditional Access certified compare fixture coverage is defined.
  • Security Defaults certified compare fixture coverage is defined.
  • Broad/full/restore/M365/customer claims are blocked.
  • No-restore and no-customer activation requirements are explicit.
  • No Entra mini-platform and no Entra-specific table family requirements are explicit.
  • RBAC/isolation expectations are explicit.
  • RBAC/isolation proof is tied to concrete service/command/route/UI invocation boundaries.

Task Readiness

  • Preflight tasks block runtime implementation if mandatory evidence, identity, compare, render, redaction, or claim posture fails.
  • Tests and fixtures are planned before or alongside implementation.
  • Unit tests cover evaluator, denominator, compare, redaction, and Claim Guard behavior.
  • Feature tests cover supported scope, denominator, certification, no restore, no customer claim, no tenant_id, and no mini-platform.
  • Browser test task is conditional on rendered UI changes.
  • Validation commands include Pint, focused unit tests, focused feature tests, conditional browser test, and git diff --check.
  • Implementation report requirements include candidate gate, dirty state, files, matrices, redaction, no-restore, no-customer, no-tenant-id, no-mini-platform, Product Surface, tests, and deferred work.

Review Outcome

  • Candidate Selection Gate: PASS.
  • Spec Readiness Gate: PASS for preparation artifacts.
  • Open questions: none that block implementation planning.
  • Hard implementation preflight remains required at T001-T006 before runtime code changes.
  • Preparation scope stops before application implementation.