# Tasks: Spec 425 - Entra Certified Compare Pack

Input: Design documents from `specs/425-entra-certified-compare-pack/`
Prerequisites: spec.md, plan.md, checklists/requirements.md
Tests: Required. This spec changes runtime certification behavior and claim safety. Use focused Pest Unit/Feature tests first. Browser proof is required only if rendered UI changes.
## Test Governance Checklist
- Lane assignment is named and is the narrowest sufficient proof for the changed behavior.
- New or changed tests stay in the smallest honest family, and any heavy-governance or browser addition is explicit.
- Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default; any widening is isolated or documented.
- Planned validation commands cover the change without pulling in unrelated lane cost.
- Browser proof is explicitly `N/A - no rendered UI surface changed` unless rendered UI changes.
- Human Product Sanity and Product Surface implementation-report close-out are planned if UI changes.
- Any material budget, baseline, trend, or escalation note is recorded in the implementation report.
## Phase 1: Hard Preflight
Purpose: Re-check the user-provided prerequisite gate before runtime implementation. Stop before code changes if this phase fails.
- T001 Capture current branch, HEAD, and `git status --short` in `specs/425-entra-certified-compare-pack/implementation-report.md`.
- T002 Confirm Specs 414, 415, 417, 418, 419, 420, 421, and 424 remain completed/read-only dependency context; do not edit their artifacts.
- T003 Confirm `conditionalAccessPolicy` is content-backed, comparable, renderable, redacted, non-restorable, internal/operator-only, and stable-identity backed in current source/tests.
- T004 Confirm `securityDefaults` is content-backed, comparable, renderable, redacted, non-restorable, internal/operator-only, and stable-identity backed in current source/tests.
- T005 Confirm current Coverage v2 ownership paths use `workspace_id`, `managed_environment_id`, and same-scope `provider_connection_id`, not `tenant_id`.
- T006 Stop and report the blocker before implementation if either mandatory denominator type lacks evidence, stable identity, compare, render, redaction, or safe claim posture.
Checkpoint: Mandatory denominator preflight passes or implementation stops.
## Phase 2: Fixtures And Failing Tests
Purpose: Add focused proof before runtime changes.
- T007 [P] Add Conditional Access golden fixture payloads under `apps/platform/tests/Fixtures/TenantConfiguration/Spec425/conditional-access/` for no change, state change, grant controls, included actor, excluded actor, app/resource targeting, condition, session control, volatile-only change, unsupported field, and redaction cases.
- T008 [P] Add Security Defaults golden fixture payloads under `apps/platform/tests/Fixtures/TenantConfiguration/Spec425/security-defaults/` for no change, enabled true/false change, volatile-only change, missing evidence, identity blocked, and redaction cases.
- T009 [P] Add `apps/platform/tests/Unit/Support/TenantConfiguration/EntraCertifiedDenominatorTest.php` proving the denominator is exactly `conditionalAccessPolicy` and `securityDefaults`, excludes optional Entra types, and cannot ignore a missing denominator item.
- T010 [P] Add `apps/platform/tests/Unit/Support/TenantConfiguration/EntraCertifiedPackEvaluatorTest.php` proving not-evaluated, pass, missing evidence blockers, stale/superseded evidence blockers, wrong-scope evidence blockers, no fallback-to-first/latest behavior, identity blockers, compare blockers, render blockers, redaction blockers, and Claim Guard blockers.
- T011 [P] Add `apps/platform/tests/Unit/Support/TenantConfiguration/ConditionalAccessCertifiedCompareTest.php` proving Conditional Access no-change, state, grant controls, included/excluded actors, app/resource targeting, conditions, session controls, volatile fields, unsupported fields, and raw payload hiding behavior.
- T012 [P] Add `apps/platform/tests/Unit/Support/TenantConfiguration/SecurityDefaultsCertifiedCompareTest.php` proving enabled changes, no-change, volatile fields, missing evidence, identity blocked, raw payload hiding, and exact claim gating.
- T013 [P] Add `apps/platform/tests/Unit/Support/TenantConfiguration/EntraCertifiedRenderRedactionTest.php` proving tokens, secrets, credential values, private keys, certificate material, authorization headers, cookies, raw payload, raw Graph response, and raw permission context are absent from certification output.
- T014 [P] Add `apps/platform/tests/Unit/Support/TenantConfiguration/EntraCertifiedPackClaimGuardTest.php` proving exact internal/operator wording is allowed only with the explicit denominator and broad/full/restore/M365/customer claims are blocked.
- T015 [P] Add `apps/platform/tests/Feature/TenantConfiguration/Spec425EntraCertifiedComparePackTest.php` proving the certified pack passes only when both mandatory resource types pass every criterion.
- T016 [P] Add `apps/platform/tests/Feature/TenantConfiguration/Spec425EntraCertifiedDenominatorFeatureTest.php` proving supported-scope denominator integrity, exact two-type denominator, graph fallback allowlist for `securityDefaults`, and non-denominator exclusions.
- T017 [P] Add `apps/platform/tests/Feature/TenantConfiguration/Spec425EntraCertifiedClaimGuardFeatureTest.php` proving exact pack claims are internal/operator-only and broad claims remain blocked.
- T018 [P] Add `apps/platform/tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoRestoreTest.php` proving no restore/apply action, restore-ready state, or restorable tier is introduced.
- T019 [P] Add `apps/platform/tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoCustomerClaimTest.php` proving no customer-facing claim, Review Pack/report/export/PDF output, or customer-ready proof activation.
- T020 [P] Add `apps/platform/tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoTenantIdTest.php` proving Spec 425 runtime changes do not introduce `tenant_id`.
- T021 [P] Add `apps/platform/tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoMiniPlatformTest.php` proving no Entra-specific migration, table family, model, route, navigation item, Filament Resource/Page, dashboard, or mini-platform is added.
- T022 [P] Add a fail-hard provider/Graph assertion in the focused evaluator/read-model tests proving certification evaluation makes no Graph, TCM, provider, Microsoft docs, or other remote call.
Checkpoint: New focused tests fail for missing implementation and pass after later phases.
## Phase 3: Certified Scope And Denominator
Purpose: Define the exact internal/operator certified pack scope without broad claims.
- T023 Update `apps/platform/app/Services/TenantConfiguration/SupportedScopeResolver.php` to add `entra_core_compare_certified` with description, workload `entra`, display name `Certified Entra Core Compare Pack`, denominator `conditionalAccessPolicy` and `securityDefaults`, minimum coverage level `certified`, `allow_beta = false`, claim label, `customer_claims_allowed = false`, and metadata documenting internal/operator-only posture.
- T024 In `SupportedScopeResolver.php`, encode the `securityDefaults` Graph v1 fallback allowance explicitly, preferably with a metadata allowlist such as `graph_fallback_allowlist = ["securityDefaults"]`; do not make broad graph fallback claims customer-claimable.
- T025 Ensure `apps/platform/app/Services/TenantConfiguration/ResourceTypeRegistry.php` does not mark optional Entra resource types as certified, customer-claimable, or restore-ready.
- T026 Ensure the denominator definition cannot silently include `application`, `servicePrincipal`, `roleDefinition`, `administrativeUnit`, `authenticationMethodsPolicy`, `identityProtectionPolicy`, `authorizationPolicy`, `crossTenantAccessPolicy`, `accessReview`, or PIM resources.
Checkpoint: Supported scope exists and denominator integrity tests pass.
## Phase 4: Certification Evaluator
Purpose: Derive certification from existing Coverage v2 truth without new persistence.
- T027 Add `apps/platform/app/Services/TenantConfiguration/EntraCertifiedComparePackEvaluator.php` only if existing supported-scope evaluation cannot produce the required certification matrix.
- T028 If a result carrier is needed, add a narrow non-persisted result class under `apps/platform/app/Services/TenantConfiguration/` and keep certification states derived strings rather than a persisted enum/status family, including `certification_not_evaluated`, `certification_passed`, `certification_blocked_missing_evidence`, `certification_blocked_identity`, `certification_blocked_compare`, `certification_blocked_render`, `certification_blocked_redaction`, and `certification_blocked_claim_guard`.
- T029 Implement exact denominator loading in the evaluator with same workspace, managed-environment, and provider-connection scope checks.
- T030 Implement evidence criteria checks: current same-scope content-backed evidence, append-only evidence row, raw payload present, normalized payload present, deterministic payload hash, source class, source contract, captured timestamp, operation run linkage when capture was operation-backed, stale/superseded/missing-currentness blockers, and no fallback to first/latest or wrong-scope evidence.
- T031 Implement identity criteria checks requiring `IdentityState::Stable` and blocking `derived`, `identity_conflict`, `missing_external_id`, and `unsupported_identity`.
- T032 Implement compare criteria checks by reusing `EntraCoverageComparator` and proving material, volatile, unsupported, and redacted paths are classified deterministically.
- T033 Implement render criteria checks by reusing `EntraRenderableSummaryBuilder` and requiring operator-safe summaries for both denominator types.
- T034 Implement redaction criteria checks by reusing `CoveragePayloadRedactor` and asserting no sensitive raw values appear in evaluator/render/claim output.
- T035 Implement Claim Guard criteria checks by requiring exact internal/operator pack wording and explicit denominator visibility.
- T036 Ensure missing mandatory denominator items, failed mandatory criteria, unsupported fields that would make certification ambiguous, and non-deterministic compare output produce explicit blocker states rather than warnings.
- T037 Ensure evaluator execution is DB-only and does not call `ProviderGateway`, `GraphClientInterface`, TCM, Microsoft docs, HTTP, queued jobs, or OperationRun creation.
Checkpoint: Evaluator unit and feature tests pass.
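The certification matrix described in T027-T037, as an added stand-alone sketch (it is not the project's evaluator; the function names, the criteria array keys, and the `stable` identity value are assumptions chosen for illustration):

```php
<?php
declare(strict_types=1);

// Hypothetical stand-alone sketch of the Spec 425 certification matrix, not the
// project's EntraCertifiedComparePackEvaluator. Criteria inputs are assumed to be
// pre-derived from Coverage v2 rows (DB-only: no provider, Graph or queue calls).

const CERTIFIED_DENOMINATOR = ['conditionalAccessPolicy', 'securityDefaults'];

// One denominator type. Criteria run in task order (evidence, identity, compare,
// render, redaction, claim guard); the first failure is an explicit blocker state.
// A null input means the denominator item is absent, which is itself a blocker.
function certifyResourceType(?array $c): string
{
    if ($c === null) {
        return 'certification_blocked_missing_evidence';
    }
    $ev = $c['evidence'] ?? [];
    // Evidence must be content-backed, current (not stale/superseded) and in the same
    // workspace/environment/provider-connection scope; never fall back to first/latest.
    if (!($ev['content_backed'] ?? false) || !($ev['current'] ?? false) || !($ev['same_scope'] ?? false)) {
        return 'certification_blocked_missing_evidence';
    }
    if (($c['identity'] ?? null) !== 'stable') { // derived, conflict, missing id, unsupported
        return 'certification_blocked_identity';
    }
    if (!($c['compare_deterministic'] ?? false)) {
        return 'certification_blocked_compare';
    }
    if (!($c['render_operator_safe'] ?? false)) {
        return 'certification_blocked_render';
    }
    if (!($c['redaction_clean'] ?? false)) {
        return 'certification_blocked_redaction';
    }
    if (!($c['claim_guard_ok'] ?? false)) {
        return 'certification_blocked_claim_guard';
    }
    return 'certification_passed';
}

// Whole pack: optional Entra types in $criteriaByType are ignored, a missing
// denominator entry is a blocker, and the pack passes only when both types pass.
// Returns ['pack' => state, 'types' => [type => state]].
function certifyPack(array $criteriaByType): array
{
    $types = [];
    foreach (CERTIFIED_DENOMINATOR as $type) {
        $types[$type] = certifyResourceType($criteriaByType[$type] ?? null);
    }
    $blocked = array_filter($types, fn (string $s): bool => $s !== 'certification_passed');
    return ['pack' => $blocked === [] ? 'certification_passed' : reset($blocked), 'types' => $types];
}
```

The `certification_not_evaluated` state is the value a caller reports before `certifyPack` has run; it is not produced by the matrix itself.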
## Phase 5: Claim Guard Exact Wording
Purpose: Allow exact internal/operator certification wording while blocking overclaims.
- T038 Update `apps/platform/app/Services/TenantConfiguration/ClaimGuard.php` to allow exact internal/operator visible wording only for `Certified Entra Core Compare Pack: Conditional Access and Security Defaults`; the bare pack label may exist only as internal scope metadata or a diagnostic row heading when the same visible context includes the denominator.
- T039 Require exact denominator visibility for any certified pack wording; block or limit certification wording that omits the denominator.
- T040 Block forbidden wording: `Certified Entra coverage`, `100% Entra coverage`, `Full Entra coverage`, `Entra restore-ready`, `Certified Microsoft 365 coverage`, `Customer-ready Entra proof`, `Full tenant security proof`, legal/regulatory attestation claims, and Review Pack/report proof claims.
- T041 Keep Claim Guard default behavior conservative for all non-425 claims; do not weaken existing Spec 421, 422, 423, or 424 claim-blocking behavior.
Checkpoint: Unit and feature Claim Guard tests pass.
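The exact-wording rule from T038-T041, as an added stand-alone sketch (not the project's `ClaimGuard.php`; the `guardClaim` function, its `$context`/`$internal` parameters, and the reason strings are assumptions, while the wording constants are the ones listed above):

```php
<?php
declare(strict_types=1);

// Hypothetical stand-alone sketch of the Spec 425 Claim Guard rule, not the
// project's ClaimGuard.php. The wording constants are taken from the task list.

const PACK_LABEL = 'Certified Entra Core Compare Pack';
const EXACT_PACK_CLAIM = 'Certified Entra Core Compare Pack: Conditional Access and Security Defaults';
const DENOMINATOR_PHRASE = 'Conditional Access and Security Defaults';
const FORBIDDEN_CLAIMS = [
    'Certified Entra coverage', '100% Entra coverage', 'Full Entra coverage',
    'Entra restore-ready', 'Certified Microsoft 365 coverage',
    'Customer-ready Entra proof', 'Full tenant security proof',
];

// Decide whether one visible string may be shown. $context is the rest of the
// visible block it sits in ('' if none); $internal is false on customer-facing
// surfaces. Returns ['allowed' => bool, 'reason' => string].
function guardClaim(string $text, string $context = '', bool $internal = true): array
{
    $t = trim($text);
    // customer_claims_allowed = false: no certification wording leaves operator surfaces.
    if (!$internal) {
        return ['allowed' => false, 'reason' => 'customer_claims_blocked'];
    }
    // Forbidden overclaims are blocked regardless of context (case-insensitive),
    // as are legal/regulatory attestation and Review Pack/report proof wording.
    foreach (FORBIDDEN_CLAIMS as $bad) {
        if (stripos($t, $bad) !== false) {
            return ['allowed' => false, 'reason' => 'forbidden_wording:' . $bad];
        }
    }
    if (preg_match('/\b(attestation|review pack|report proof)\b/i', $t)) {
        return ['allowed' => false, 'reason' => 'forbidden_wording:attestation_or_report_proof'];
    }
    // The exact denominator-visible wording is the only allowed pack claim.
    if ($t === EXACT_PACK_CLAIM) {
        return ['allowed' => true, 'reason' => 'exact_pack_claim'];
    }
    // The bare label is tolerated only as a heading or scope-metadata row whose
    // surrounding visible context names the denominator.
    if ($t === PACK_LABEL) {
        return str_contains($context, DENOMINATOR_PHRASE)
            ? ['allowed' => true, 'reason' => 'bare_label_with_visible_denominator']
            : ['allowed' => false, 'reason' => 'bare_label_without_denominator'];
    }
    // Any other wording that invokes the pack or "certified ... Entra" is an overclaim.
    if (stripos($t, PACK_LABEL) !== false || preg_match('/\bcertified\b.*\bentra\b/i', $t)) {
        return ['allowed' => false, 'reason' => 'certification_wording_without_exact_denominator'];
    }
    // Not a Spec 425 claim: this rule grants nothing; the existing conservative
    // default guard decides.
    return ['allowed' => false, 'reason' => 'defer_to_default_guard'];
}
```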
## Phase 6: Product Surface Decision
Purpose: Keep UI scope bounded and browser-proof only if rendered UI changes.
- T042 Determine whether the certification pack result can remain service/config/test-only. If yes, record `N/A - no rendered UI surface changed` in `implementation-report.md`.
- T043 If rendered UI changes are necessary, amend `spec.md`, `plan.md`, and this `tasks.md` before editing UI files with exact affected surfaces, Product Surface decisions, browser proof path, and Human Product Sanity criteria. N/A - no rendered UI surface changed.
- T044 If UI changes proceed after amendment, update only the existing Coverage v2 readiness/read-model/inspect path; do not add a new route, navigation item, dashboard, customer output, report/export/PDF, restore action, or primary Entra surface. N/A - no rendered UI surface changed.
- T045 If UI changes proceed after amendment, add `apps/platform/tests/Browser/Spec425EntraCertifiedComparePackOperatorSurfaceSmokeTest.php` proving certified pack state, exact denominator, internal/operator-only label, no restore-ready/full-Entra/M365/customer claim, no raw payload/secrets, and no console/Livewire/Filament errors. N/A - no rendered UI surface changed.
Checkpoint: Product Surface decision is explicit and not contradicted by changed files.
## Phase 7: Architecture And Safety Guards
Purpose: Prove no hidden scope expansion or ownership drift.
- T046 Ensure no migration creates `entra_certifications`, `certified_entra_resources`, or any Entra-specific certification table family.
- T047 Ensure no code introduces `tenant_id` as Coverage v2 ownership truth, compatibility alias, fallback reader, dual-write target, or parallel scope key.
- T048 Ensure no restore/apply, preview restore, assisted restore, or restore-readiness code path is introduced.
- T049 Ensure no customer output, Review Pack, rendered report, management PDF, export/download, legal/regulatory attestation, or customer-ready proof path is introduced.
- T050 Ensure no new Filament Resource/Page/Widget, route, navigation item, dashboard, or primary Entra surface is introduced.
- T051 Add or extend focused feature/service tests proving non-member access remains deny-as-not-found (404), member without capability remains 403, provider connection scope remains same workspace/environment, and pure service-only evaluation uses explicit same-scope inputs where any service, command, route, or UI invocation boundary exists.
Checkpoint: No-overreach feature/static tests pass.
## Phase 8: Implementation Report And Validation
Purpose: Close the prep-defined evidence contract for implementation.
- T052 Create `specs/425-entra-certified-compare-pack/implementation-report.md` with candidate gate result, dirty state before/after, files changed, certified denominator, evaluator matrix, claim matrix, redaction proof, no-restore proof, no-customer-claim proof, no-tenant_id proof, no-mini-platform proof, Product Surface decision, tests run, deferred work, and final gate result.
- T053 Complete the certification matrix in `implementation-report.md` for `conditionalAccessPolicy` and `securityDefaults`.
- T054 Complete the claim matrix in `implementation-report.md` for exact denominator-visible pack claim, 100 percent Entra, restore-ready, Microsoft 365 certified, and customer-ready proof.
- T055 Run `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`.
- T056 Run focused unit tests: `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Support/TenantConfiguration/EntraCertifiedPackEvaluatorTest.php tests/Unit/Support/TenantConfiguration/EntraCertifiedPackClaimGuardTest.php tests/Unit/Support/TenantConfiguration/ConditionalAccessCertifiedCompareTest.php tests/Unit/Support/TenantConfiguration/SecurityDefaultsCertifiedCompareTest.php tests/Unit/Support/TenantConfiguration/EntraCertifiedRenderRedactionTest.php tests/Unit/Support/TenantConfiguration/EntraCertifiedDenominatorTest.php`.
- T057 Run focused feature tests: `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/TenantConfiguration/Spec425EntraCertifiedComparePackTest.php tests/Feature/TenantConfiguration/Spec425EntraCertifiedClaimGuardFeatureTest.php tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoRestoreTest.php tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoCustomerClaimTest.php tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoTenantIdTest.php tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoMiniPlatformTest.php tests/Feature/TenantConfiguration/Spec425EntraCertifiedDenominatorFeatureTest.php`.
- T058 If UI changed, run the focused browser test: `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Browser/Spec425EntraCertifiedComparePackOperatorSurfaceSmokeTest.php`. N/A - no rendered UI surface changed.
- T059 Run `git diff --check`.
- T060 Record any failed validation exactly in `implementation-report.md`; do not weaken certification, denominator, claim, redaction, ownership, no-restore, or no-mini-platform criteria to make tests pass.
Checkpoint: Focused validation passes or exact failures are documented.
## Dependencies & Execution Order
- Phase 1 blocks all runtime implementation.
- Phase 2 tests should be added before or alongside Phases 3-5 implementation.
- Phase 3 scope definition blocks evaluator pass behavior.
- Phase 4 evaluator depends on existing Coverage v2 evidence/identity/compare/render helpers.
- Phase 5 Claim Guard updates depend on exact pack wording from the spec.
- Phase 6 must complete before any runtime UI edits.
- Phase 8 completes after all implementation tasks and validation.
## Parallel Opportunities
- T007-T014 can run in parallel after preflight because they touch different fixture/test files.
- T015-T022 can run in parallel after preflight because they touch different feature test files.
- T023-T026 should be coordinated because they share supported-scope/registry behavior.
- T027-T037 should be sequential within evaluator implementation.
- T046-T051 can run in parallel with final static/feature guard hardening once implementation files stabilize.
## Stop Conditions
- A mandatory denominator type cannot satisfy evidence, stable identity, compare, render, redaction, or claim criteria.
- The denominator changes from exactly `conditionalAccessPolicy` plus `securityDefaults`.
- Any restore/apply, customer output, Review Pack/report/PDF/export, full Entra/M365 certification, or legal/regulatory attestation scope appears.
- A new Entra-specific table family, dashboard, route, navigation item, primary surface, or mini-platform appears.
- `tenant_id` is introduced as platform-core ownership truth or compatibility/fallback path.
- Certification evaluation requires remote calls, queues, or a new OperationRun.
- Raw payloads or sensitive values become default-visible or leak into reports/logs/notifications.