Implementation Report: Spec 425 - Entra Certified Compare Pack
Preflight
- Branch: `425-entra-certified-compare-pack`
- HEAD before implementation: `2cd51291 feat: complete spec 424 security defaults content-backed comparable support (#491)`
- Dirty state before implementation: untracked active spec artifacts under `specs/425-entra-certified-compare-pack/`
- Dirty state after implementation: modified `ClaimGuard.php`, `CoverageV2ReadinessReadModel.php`, `EntraComparablePayloadNormalizer.php`, `EntraRenderableSummaryBuilder.php`, `SupportedScopeResolver.php`, `TenantConfigurationSupportedScopeTest.php`; untracked Spec 425 evaluator/result classes, Spec 425 tests/fixtures/support helper, and active spec artifacts under `specs/425-entra-certified-compare-pack/`.
- Activated skills/gates: `spec-kit-implementation-loop`, `pest-testing`, `workflows/spec-readiness-gate`, `repo-contracts/workspace-scope-safety`, `repo-contracts/rbac-action-safety`, `repo-contracts/evidence-anchor-contract`, `repo-contracts/provider-freshness-semantics`, `repo-contracts/customer-output-gate`, `repo-contracts/product-surface-gate`, `temporary-migrations/tcm-cutover-guard`
- Candidate gate result: PASS. Scope remains the exact internal/operator `entra_core_compare_certified` pack.
- Completed-spec rewrite assertion: Specs 414, 415, 417, 418, 419, 420, 421, and 424 were used as read-only dependency evidence only.
Hard Preflight Result
| Check | Result | Evidence |
|---|---|---|
| Conditional Access source contract | PASS | `CoverageSourceContractResolver`, `config/graph_contracts.php` |
| Conditional Access stable identity | PASS | `CoverageIdentityStrategyRegistry` uses `graph.conditional_access_policy.v1`, no derived identity |
| Conditional Access compare/render/redaction | PASS | `EntraComparablePayloadNormalizer`, `EntraCoverageComparator`, `EntraRenderableSummaryBuilder`, Spec421 tests |
| Security Defaults source contract | PASS | `CoverageSourceContractResolver`, `config/graph_contracts.php` |
| Security Defaults stable identity | PASS | `CoverageIdentityStrategyRegistry` uses `graph.security_defaults.v1`, no derived identity |
| Security Defaults compare/render/redaction | PASS | `EntraComparablePayloadNormalizer`, `EntraCoverageComparator`, `EntraRenderableSummaryBuilder`, Spec424 tests |
| Ownership fields | PASS | Coverage v2 schema uses `workspace_id`, `managed_environment_id`, `provider_connection_id`; no `tenant_id` ownership path |
Product Surface Decision
- Runtime UI files changed: no Filament, Blade, route, navigation, action, dashboard, report, export, or PDF files changed. `CoverageV2ReadinessReadModel` now filters the internal certified scope out of existing Coverage v2 readiness options/defaults.
- Browser proof: N/A - no new rendered route/page/action/widget/view surface was introduced; focused service/feature tests cover the existing option source, direct hidden-scope key rejection, and operator-safe render-summary behavior without browser-heavy coverage.
- Human Product Sanity: N/A - no new product surface to inspect; visible complexity remains bounded because the internal scope is hidden from existing UI option sources and rejected when passed directly to readiness UI helpers, and the Device-condition render row appears only when the underlying Conditional Access payload contains device conditions.
- Visible complexity outcome: neutral; derived proof stays internal/service-first, the existing Coverage v2 filter/default cannot select the certified-pack scope, and Conditional Access device data does not add an always-visible row when absent.
- Product Surface exceptions: none
- Livewire v4 compliance: unchanged; platform remains Filament v5 on Livewire v4.
- Panel provider registration location: unchanged; Laravel provider registration remains `apps/platform/bootstrap/providers.php`.
- Global search posture: unchanged; no Resource/global search behavior changed.
- Destructive/high-impact actions: none introduced.
- Asset strategy: no assets registered; `filament:assets` is not newly required.
Files Changed
- Runtime services: `SupportedScopeResolver`, `ClaimGuard`, `CoverageV2ReadinessReadModel`, `EntraComparablePayloadNormalizer`, `EntraRenderableSummaryBuilder`, `EntraCertifiedComparePackEvaluator`, `EntraCertifiedComparePackResult`.
- Tests and fixtures: focused Spec 425 Unit/Feature tests, `Spec425Fixtures`, and golden fixtures for Conditional Access and Security Defaults, including Conditional Access device-condition coverage.
- Existing regression test update: `TenantConfigurationSupportedScopeTest` now derives the default supported-scope count from `SupportedScopeResolver::defaultDefinitions()`.
- Spec artifacts: `spec.md`, `plan.md`, `tasks.md`, `checklists/requirements.md`, and this implementation report.
- No migrations, routes, Filament resources/pages/widgets, views, browser tests, jobs, commands, assets, config secrets, or provider clients were added.
Certification Matrix
| Resource Type | Evidence | Identity | Compare | Render | Redaction | Certified? | Blocker |
|---|---|---|---|---|---|---|---|
| `conditionalAccessPolicy` | PASS | PASS | PASS | PASS | PASS | Yes | none |
| `securityDefaults` | PASS | PASS | PASS | PASS | PASS | Yes | none |
Claim Matrix
| Claim | Allowed? | Reason |
|---|---|---|
| Certified Entra Core Compare Pack: Conditional Access and Security Defaults | Yes, internal/operator only | Exact denominator-visible pack claim after all criteria pass |
| 100% Entra coverage | No | Broad overclaim |
| Entra restore-ready | No | Restore out of scope |
| Certified Microsoft 365 coverage | No | Broad overclaim |
| Customer-ready Entra proof | No | Customer output deferred |
Safety Proof
- No restore proof: PASS via `Spec425EntraCertifiedNoRestoreTest`; no restore/apply path, restore-ready state, or restorable tier introduced.
- No customer-claim proof: PASS via `Spec425EntraCertifiedNoCustomerClaimTest`; no Review Pack/report/export/PDF/customer-ready proof activation.
- No `tenant_id` proof: PASS via `Spec425EntraCertifiedNoTenantIdTest`; evaluator and supported-scope changes stay on `workspace_id`, `managed_environment_id`, and `provider_connection_id`.
- No mini-platform proof: PASS via `Spec425EntraCertifiedNoMiniPlatformTest`; no Entra-specific migration, route, navigation, Filament surface, dashboard, or table family.
- No remote-call proof: PASS via fail-hard Graph binding and `assertNoOutboundHttp` in `Spec425EntraCertifiedComparePackTest`; the evaluator is DB-only.
- Provider scope proof: PASS; evaluator rejects provider connections outside the managed environment scope.
- Route/command 404/403 proof: N/A; Spec 425 adds no route, command, job, or UI invocation boundary. The pure service requires explicit managed-environment and provider-connection inputs and still proves same-scope rejection for wrong provider connections.
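To make the three guards above concrete (same-scope rejection of the provider connection before any evidence is read, the exact-denominator rule behind the Certification Matrix, and the single allowed claim from the Claim Matrix), here is an added standalone PHP illustration. It is not the project's `EntraCertifiedComparePackEvaluator`: the `CertifiedPackEvaluator`, `CertifiedPackResult` and `ScopeMismatch` names, the array shapes, and the sample identifiers are assumptions chosen for the example.

```php
<?php
declare(strict_types=1);

// Added illustration, not the project's code: a minimal evaluator that mirrors the
// three guards proved in this report. Class names, array shapes and sample ids are
// assumptions made for the example.

final class ScopeMismatch extends RuntimeException {}

final class CertifiedPackResult
{
    /** @param list<string> $blockers */
    public function __construct(
        public readonly bool $certified,
        public readonly array $blockers,
        public readonly ?string $allowedClaim,
    ) {}
}

final class CertifiedPackEvaluator
{
    private const CRITERIA = ['evidence', 'identity', 'compare', 'render', 'redaction'];

    /** @param list<string> $denominator the exact resource types the pack claims */
    public function __construct(
        private readonly array $denominator,
        private readonly string $claimLabel,
    ) {}

    /**
     * @param array{id: string, workspace_id: string} $managedEnvironment
     * @param array{id: string, workspace_id: string, managed_environment_id: string} $providerConnection
     * @param array<string, array<string, bool>> $matrix resource type => criterion => pass
     */
    public function evaluate(array $managedEnvironment, array $providerConnection, array $matrix): CertifiedPackResult
    {
        // Scope proof: the connection must sit in the same workspace and managed
        // environment; it is rejected before any evidence row is consulted.
        if ($providerConnection['workspace_id'] !== $managedEnvironment['workspace_id']
            || $providerConnection['managed_environment_id'] !== $managedEnvironment['id']) {
            throw new ScopeMismatch('provider connection is outside the managed environment scope');
        }

        $blockers = [];

        // Exact denominator: a missing row and an extra row both block the claim.
        foreach (array_diff($this->denominator, array_keys($matrix)) as $missing) {
            $blockers[] = "$missing: no certification row";
        }
        foreach (array_diff(array_keys($matrix), $this->denominator) as $extra) {
            $blockers[] = "$extra: outside the pack denominator";
        }

        // Every criterion must pass for every resource type; anything else is a blocker.
        foreach ($this->denominator as $type) {
            foreach (self::CRITERIA as $criterion) {
                if (($matrix[$type][$criterion] ?? false) !== true) {
                    $blockers[] = "$type: $criterion";
                }
            }
        }

        $certified = $blockers === [];

        // The only claim ever emitted is the exact pack label, and only when certified.
        return new CertifiedPackResult($certified, $blockers, $certified ? $this->claimLabel : null);
    }
}

// Constructed sample input: one workspace, one managed environment, two passing rows.
$evaluator = new CertifiedPackEvaluator(
    ['conditionalAccessPolicy', 'securityDefaults'],
    'Certified Entra Core Compare Pack: Conditional Access and Security Defaults',
);
$env  = ['id' => 'me-1', 'workspace_id' => 'ws-1'];
$conn = ['id' => 'pc-1', 'workspace_id' => 'ws-1', 'managed_environment_id' => 'me-1'];
$pass = array_fill_keys(['evidence', 'identity', 'compare', 'render', 'redaction'], true);

$ok = $evaluator->evaluate($env, $conn, ['conditionalAccessPolicy' => $pass, 'securityDefaults' => $pass]);
echo 'certified: ', var_export($ok->certified, true), ' claim: ', $ok->allowedClaim, PHP_EOL;

// One failed redaction check on one row withdraws the whole pack claim.
$blocked = $evaluator->evaluate($env, $conn, [
    'conditionalAccessPolicy' => $pass,
    'securityDefaults' => ['redaction' => false] + $pass,
]);
echo 'certified: ', var_export($blocked->certified, true), ' blockers: ', implode('; ', $blocked->blockers), PHP_EOL;

// A connection from another managed environment never reaches the matrix.
try {
    $evaluator->evaluate($env, ['id' => 'pc-2', 'workspace_id' => 'ws-1', 'managed_environment_id' => 'me-2'], []);
} catch (ScopeMismatch $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php`. Two design points carry over to the feature tests: the scope check runs before the matrix is touched, so a wrong provider connection is rejected without any evidence read, and a single failed criterion on one resource type withdraws the pack claim outright rather than downgrading it to a partial claim. For the no-remote-call proof, Laravel's `Http::preventStrayRequests()` makes any unfaked outbound request throw inside a test; the report's own `assertNoOutboundHttp` helper is not shown here.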
Validation
- `php -l` on modified Spec 425 runtime/test files - PASS.
- `find apps/platform/tests/Fixtures/TenantConfiguration/Spec425 -name '*.json' -print0 | xargs -0 -n 1 php -r '...'` - PASS; 19 fixtures decoded.
- `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent` - PASS.
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Support/TenantConfiguration/EntraCertifiedDenominatorTest.php tests/Unit/Support/TenantConfiguration/EntraCertifiedPackClaimGuardTest.php tests/Unit/Support/TenantConfiguration/ConditionalAccessCertifiedCompareTest.php tests/Unit/Support/TenantConfiguration/SecurityDefaultsCertifiedCompareTest.php tests/Unit/Support/TenantConfiguration/EntraCertifiedRenderRedactionTest.php tests/Unit/Support/TenantConfiguration/EntraCertifiedPackEvaluatorTest.php` - PASS, 32 tests / 118 assertions.
- Earlier combined Spec 425 feature command from `tasks.md` - FAILED by environment signal 9 (SIGKILL) before result output; no test failure details were produced. Fix-up validation keeps the same split strategy to avoid aggregate signal-9 noise.
- Split Spec 425 feature validation:
  - `Spec425EntraCertifiedComparePackTest.php` - PASS, 8 tests / 23 assertions.
  - `Spec425EntraCertifiedClaimGuardFeatureTest.php`, `Spec425EntraCertifiedNoRestoreTest.php`, `Spec425EntraCertifiedNoCustomerClaimTest.php` - PASS, 7 tests / 17 assertions.
  - `Spec425EntraCertifiedNoTenantIdTest.php`, `Spec425EntraCertifiedNoMiniPlatformTest.php`, `Spec425EntraCertifiedDenominatorFeatureTest.php` - PASS, 5 tests / 23 assertions.
- Total focused Spec 425 feature split - PASS, 20 tests / 63 assertions.
- Related resolver/readiness regressions: `SupportedScopeResolverTest.php`, `TenantConfigurationSupportedScopeTest.php`, `CoverageV2ReadinessPageTest.php` - PASS, 19 tests / 156 assertions.
- Related ClaimGuard/Entra/SecurityDefaults regressions: `ClaimGuardTest.php`, `Spec421EntraClaimGuardTest.php`, `Spec421EntraComparableDiffTest.php`, `Spec424SecurityDefaultsTypedSemanticsTest.php`, `Spec424SecurityDefaultsSourceContractTest.php`, `TenantConfigurationClaimGuardFeatureTest.php`, `Spec421EntraComparableRenderableTest.php`, `Spec421EntraCoverageLevelPromotionTest.php`, `Spec421EntraNoRestoreNoCertificationTest.php`, `Spec424SecurityDefaultsCaptureReadinessTest.php` - PASS, 61 tests / 285 assertions.
- Earlier combined related feature regression command - FAILED by environment signal 9 (SIGKILL) before complete output; the only isolated failure was the expected supported-scope default count increase.
- Split related feature regression validation:
  - `TenantConfigurationSupportedScopeTest.php` - PASS, 4 tests / 13 assertions after deriving the default count from the resolver.
  - `TenantConfigurationClaimGuardFeatureTest.php`, `Spec421EntraComparableRenderableTest.php` - PASS, 5 tests / 20 assertions.
  - `Spec421EntraCoverageLevelPromotionTest.php`, `Spec421EntraNoRestoreNoCertificationTest.php`, `Spec424SecurityDefaultsCaptureReadinessTest.php` - PASS, 12 tests / 108 assertions.
- `git diff --check` - PASS.
- Browser validation: N/A - no new rendered route/page/action/widget/view surface; no browser-heavy coverage added.
Deployment Impact
- Staging/production validation: required gate remains Staging before Production.
- Migrations: none.
- Environment variables/secrets: none.
- Queues/scheduler/workers: none.
- Storage/volumes: none.
- Assets: none; no new `filament:assets` requirement beyond the existing deployment process.
- Operational command: deploy/release should run the existing idempotent `tenant-configuration:sync-defaults` path so the new `entra_core_compare_certified` supported scope is present outside tests.
- Rollback/forward: rollback removes only derived evaluator availability and the supported-scope default from code; no schema rollback needed.
Final Gate Result
PASS. Spec 425 remains exact-denominator, internal/operator-only, DB-only, non-restorable, non-customer-facing, workspace-scoped, and free of new routes, actions, dashboards, reports, exports, PDFs, jobs, commands, migrations, and customer output. Conditional Access device conditions are now covered by compare/render proof, the exact resource_type_denominator metadata key is present, and the internal certified scope is hidden from and rejected by existing Coverage v2 readiness option/default/inspect paths.
Deferred Work
- Broader Entra, Microsoft 365, restore/apply, customer output, report/PDF/review-pack claims remain separate-spec candidates.