# Tasks: Spec 425 - Entra Certified Compare Pack

**Input**: Design documents from `specs/425-entra-certified-compare-pack/`

**Prerequisites**: [spec.md](./spec.md), [plan.md](./plan.md), [checklists/requirements.md](./checklists/requirements.md)

**Tests**: Required. This spec changes runtime certification behavior and claim safety. Use focused Pest Unit/Feature tests first. Browser proof is required only if rendered UI changes.

## Test Governance Checklist

- [x] Lane assignment is named and is the narrowest sufficient proof for the changed behavior.
- [x] New or changed tests stay in the smallest honest family, and any heavy-governance or browser addition is explicit.
- [x] Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default; any widening is isolated or documented.
- [x] Planned validation commands cover the change without pulling in unrelated lane cost.
- [x] Browser proof is explicitly `N/A - no rendered UI surface changed` unless rendered UI changes.
- [x] Human Product Sanity and Product Surface implementation-report close-out are planned if UI changes.
- [x] Any material budget, baseline, trend, or escalation note is recorded in the implementation report.

## Phase 1: Hard Preflight

**Purpose**: Re-check the user-provided prerequisite gate before runtime implementation. Stop before code changes if this phase fails.

- [x] T001 Capture current branch, HEAD, and `git status --short` in `specs/425-entra-certified-compare-pack/implementation-report.md`.
- [x] T002 Confirm Specs 414, 415, 417, 418, 419, 420, 421, and 424 remain completed/read-only dependency context; do not edit their artifacts.
- [x] T003 Confirm `conditionalAccessPolicy` is content-backed, comparable, renderable, redacted, non-restorable, internal/operator-only, and stable-identity backed in current source/tests.
- [x] T004 Confirm `securityDefaults` is content-backed, comparable, renderable, redacted, non-restorable, internal/operator-only, and stable-identity backed in current source/tests.
- [x] T005 Confirm current Coverage v2 ownership paths use `workspace_id`, `managed_environment_id`, and same-scope `provider_connection_id`, not `tenant_id`.
- [x] T006 Stop and report the blocker before implementation if either mandatory denominator type lacks evidence, stable identity, compare, render, redaction, or safe claim posture.

**Checkpoint**: Mandatory denominator preflight passes or implementation stops.

## Phase 2: Fixtures And Failing Tests

**Purpose**: Add focused proof before runtime changes.

- [x] T007 [P] Add Conditional Access golden fixture payloads under `apps/platform/tests/Fixtures/TenantConfiguration/Spec425/conditional-access/` for no change, state change, grant controls, included actor, excluded actor, app/resource targeting, condition, session control, volatile-only change, unsupported field, and redaction cases.
- [x] T008 [P] Add Security Defaults golden fixture payloads under `apps/platform/tests/Fixtures/TenantConfiguration/Spec425/security-defaults/` for no change, enabled true/false change, volatile-only change, missing evidence, identity blocked, and redaction cases.
- [x] T009 [P] Add `apps/platform/tests/Unit/Support/TenantConfiguration/EntraCertifiedDenominatorTest.php` proving the denominator is exactly `conditionalAccessPolicy` and `securityDefaults`, excludes optional Entra types, and cannot ignore a missing denominator item.
- [x] T010 [P] Add `apps/platform/tests/Unit/Support/TenantConfiguration/EntraCertifiedPackEvaluatorTest.php` proving not-evaluated, pass, missing evidence blockers, stale/superseded evidence blockers, wrong-scope evidence blockers, no fallback-to-first/latest behavior, identity blockers, compare blockers, render blockers, redaction blockers, and Claim Guard blockers.
- [x] T011 [P] Add `apps/platform/tests/Unit/Support/TenantConfiguration/ConditionalAccessCertifiedCompareTest.php` proving Conditional Access no-change, state, grant controls, included/excluded actors, app/resource targeting, conditions, session controls, volatile fields, unsupported fields, and raw payload hiding behavior.
- [x] T012 [P] Add `apps/platform/tests/Unit/Support/TenantConfiguration/SecurityDefaultsCertifiedCompareTest.php` proving enabled changes, no-change, volatile fields, missing evidence, identity blocked, raw payload hiding, and exact claim gating.
- [x] T013 [P] Add `apps/platform/tests/Unit/Support/TenantConfiguration/EntraCertifiedRenderRedactionTest.php` proving tokens, secrets, credential values, private keys, certificate material, authorization headers, cookies, raw payload, raw Graph response, and raw permission context are absent from certification output.
- [x] T014 [P] Add `apps/platform/tests/Unit/Support/TenantConfiguration/EntraCertifiedPackClaimGuardTest.php` proving exact internal/operator wording is allowed only with the explicit denominator and broad/full/restore/M365/customer claims are blocked.
- [x] T015 [P] Add `apps/platform/tests/Feature/TenantConfiguration/Spec425EntraCertifiedComparePackTest.php` proving the certified pack passes only when both mandatory resource types pass every criterion.
- [x] T016 [P] Add `apps/platform/tests/Feature/TenantConfiguration/Spec425EntraCertifiedDenominatorFeatureTest.php` proving supported-scope denominator integrity, exact two-type denominator, graph fallback allowlist for `securityDefaults`, and non-denominator exclusions.
- [x] T017 [P] Add `apps/platform/tests/Feature/TenantConfiguration/Spec425EntraCertifiedClaimGuardFeatureTest.php` proving exact pack claims are internal/operator-only and broad claims remain blocked.
- [x] T018 [P] Add `apps/platform/tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoRestoreTest.php` proving no restore/apply action, restore-ready state, or restorable tier is introduced.
- [x] T019 [P] Add `apps/platform/tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoCustomerClaimTest.php` proving no customer-facing claim, Review Pack/report/export/PDF output, or customer-ready proof activation.
- [x] T020 [P] Add `apps/platform/tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoTenantIdTest.php` proving Spec 425 runtime changes do not introduce `tenant_id`.
- [x] T021 [P] Add `apps/platform/tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoMiniPlatformTest.php` proving no Entra-specific migration, table family, model, route, navigation item, Filament Resource/Page, dashboard, or mini-platform is added.
- [x] T022 [P] Add a fail-hard provider/Graph assertion in the focused evaluator/read-model tests proving certification evaluation makes no Graph, TCM, provider, Microsoft docs, or other remote call.

**Checkpoint**: New focused tests fail for missing implementation and pass after later phases.

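How the compare fixture cases of T007, T008, T011 and T012 map onto outcomes, as an added example in illustrative PHP 8.1. This is not the project's `EntraCoverageComparator`; the class name, the material/volatile path tables, the redacted-key list and the payloads are assumptions chosen to mirror the fixture cases.

```php
<?php
declare(strict_types=1);

// Added example: a hypothetical classifier, not the project's EntraCoverageComparator.
// The path tables are illustrative and would be fed from the Spec425 fixture set.

final class CertifiedCompare
{
    /** Paths whose change is a real configuration change (prefix match), per resource type. */
    private const MATERIAL = [
        'conditionalAccessPolicy' => [
            'state', 'grantControls', 'sessionControls',
            'conditions.users', 'conditions.applications', 'conditions.locations',
            'conditions.platforms', 'conditions.clientAppTypes',
            'conditions.signInRiskLevels', 'conditions.userRiskLevels',
        ],
        'securityDefaults' => ['isEnabled'],
    ];

    /** Paths rewritten on every read or save; a difference here alone is "no change". */
    private const VOLATILE = [
        'conditionalAccessPolicy' => ['modifiedDateTime', 'createdDateTime'],
    ];

    /** Any path containing one of these never has its values shown, at any depth. */
    private const REDACTED_KEYS = ['token', 'secret', 'password', 'privatekey', 'certificate', 'authorization', 'cookie'];

    /** @return array{outcome: string, changes: list<array{path: string, class: string}>} */
    public static function compare(string $type, array $before, array $after): array
    {
        $changes = [];
        foreach (array_unique(array_merge(self::leafPaths($before), self::leafPaths($after))) as $path) {
            if (self::valueAt($before, $path) !== self::valueAt($after, $path)) {
                // Only path and class are emitted: raw values never reach compare output.
                $changes[] = ['path' => $path, 'class' => self::classify($type, $path)];
            }
        }
        usort($changes, fn (array $a, array $b) => strcmp($a['path'], $b['path'])); // input key order must not matter
        $classes = array_column($changes, 'class');
        $outcome = match (true) {
            in_array('unsupported', $classes, true) => 'blocked_unsupported_field', // cannot honestly call this "no change"
            in_array('material', $classes, true), in_array('redacted', $classes, true) => 'changed',
            default => 'no_change', // nothing differs, or only volatile paths differ
        };
        return ['outcome' => $outcome, 'changes' => $changes];
    }

    private static function classify(string $type, string $path): string
    {
        foreach (self::REDACTED_KEYS as $key) {
            if (stripos($path, $key) !== false) {
                return 'redacted';
            }
        }
        foreach (['material' => self::MATERIAL, 'volatile' => self::VOLATILE] as $class => $table) {
            foreach ($table[$type] ?? [] as $known) {
                if ($path === $known || str_starts_with($path, $known . '.')) {
                    return $class;
                }
            }
        }
        return 'unsupported';
    }

    /** @return list<string> dotted paths of every leaf; lists (e.g. includeUsers) compare as whole values */
    private static function leafPaths(array $value, string $prefix = ''): array
    {
        $paths = [];
        foreach ($value as $key => $child) {
            $path = $prefix === '' ? (string) $key : "$prefix.$key";
            $paths = is_array($child) && $child !== [] && !array_is_list($child)
                ? array_merge($paths, self::leafPaths($child, $path))
                : [...$paths, $path];
        }
        return $paths;
    }

    private static function valueAt(array $value, string $path): mixed
    {
        foreach (explode('.', $path) as $segment) {
            if (!is_array($value) || !array_key_exists($segment, $value)) {
                return null;
            }
            $value = $value[$segment];
        }
        return $value;
    }
}

// Constructed fixture-style payloads, not captured tenant data.
$before = [
    'displayName' => 'Require MFA',
    'state' => 'enabledForReportingButNotEnforced',
    'conditions' => ['users' => ['includeUsers' => ['All'], 'excludeUsers' => []]],
    'grantControls' => ['operator' => 'OR', 'builtInControls' => ['mfa']],
    'modifiedDateTime' => '2024-01-01T00:00:00Z',
];
$after = $before;
$after['modifiedDateTime'] = '2024-02-01T00:00:00Z';   // volatile-only change
$volatileOnly = CertifiedCompare::compare('conditionalAccessPolicy', $before, $after);
$after['state'] = 'enabled';                            // state change on top of it
$stateChange = CertifiedCompare::compare('conditionalAccessPolicy', $before, $after);
$after['templateId'] = 'tmpl-1';                        // field the pack does not understand
$unknownField = CertifiedCompare::compare('conditionalAccessPolicy', $before, $after);
```

The three calls walk the fixture ladder: a `modifiedDateTime`-only difference is `no_change` with one `volatile` entry; adding the `state` flip turns it into `changed` with `state` classified `material`; adding an unknown `templateId` yields `blocked_unsupported_field`, which is the explicit blocker T036 asks for instead of a silent "no change". Because output carries only paths and classes, the raw-payload-hiding checks of T011 and T012 hold by construction, and the `usort` makes the change list identical whatever key order the two payloads arrived in.
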
## Phase 3: Certified Scope And Denominator

**Purpose**: Define the exact internal/operator certified pack scope without broad claims.

- [x] T023 Update `apps/platform/app/Services/TenantConfiguration/SupportedScopeResolver.php` to add `entra_core_compare_certified` with description, workload `entra`, display name `Certified Entra Core Compare Pack`, denominator `conditionalAccessPolicy` and `securityDefaults`, minimum coverage level `certified`, `allow_beta = false`, claim label, `customer_claims_allowed = false`, and metadata documenting internal/operator-only posture.
- [x] T024 In `SupportedScopeResolver.php`, encode the `securityDefaults` Graph v1 fallback allowance explicitly, preferably as a metadata allowlist such as `graph_fallback_allowlist = ["securityDefaults"]`; do not make broad Graph fallback claims customer-claimable.
- [x] T025 Ensure `apps/platform/app/Services/TenantConfiguration/ResourceTypeRegistry.php` does not mark optional Entra resource types as certified, customer-claimable, or restore-ready.
- [x] T026 Ensure the denominator definition cannot silently include `application`, `servicePrincipal`, `roleDefinition`, `administrativeUnit`, `authenticationMethodsPolicy`, `identityProtectionPolicy`, `authorizationPolicy`, `crossTenantAccessPolicy`, `accessReview`, or PIM resources.

**Checkpoint**: Supported scope exists and denominator integrity tests pass.

## Phase 4: Certification Evaluator

**Purpose**: Derive certification from existing Coverage v2 truth without new persistence.

- [x] T027 Add `apps/platform/app/Services/TenantConfiguration/EntraCertifiedComparePackEvaluator.php` only if existing supported-scope evaluation cannot produce the required certification matrix.
- [x] T028 If a result carrier is needed, add a narrow non-persisted result class under `apps/platform/app/Services/TenantConfiguration/`. Keep certification states as derived strings rather than a persisted enum/status family: `certification_not_evaluated`, `certification_passed`, `certification_blocked_missing_evidence`, `certification_blocked_identity`, `certification_blocked_compare`, `certification_blocked_render`, `certification_blocked_redaction`, and `certification_blocked_claim_guard`.
- [x] T029 Implement exact denominator loading in the evaluator with same workspace, managed-environment, and provider-connection scope checks.
- [x] T030 Implement evidence criteria checks: current same-scope content-backed evidence, append-only evidence row, raw payload present, normalized payload present, deterministic payload hash, source class, source contract, captured timestamp, operation run linkage when capture was operation-backed, stale/superseded/missing-currentness blockers, and no fallback to first/latest or wrong-scope evidence.
- [x] T031 Implement identity criteria checks requiring `IdentityState::Stable` and blocking `derived`, `identity_conflict`, `missing_external_id`, and `unsupported_identity`.
- [x] T032 Implement compare criteria checks by reusing `EntraCoverageComparator` and proving material, volatile, unsupported, and redacted paths are classified deterministically.
- [x] T033 Implement render criteria checks by reusing `EntraRenderableSummaryBuilder` and requiring operator-safe summaries for both denominator types.
- [x] T034 Implement redaction criteria checks by reusing `CoveragePayloadRedactor` and asserting no sensitive raw values appear in evaluator/render/claim output.
- [x] T035 Implement Claim Guard criteria checks by requiring exact internal/operator pack wording and explicit denominator visibility.
- [x] T036 Ensure missing mandatory denominator items, failed mandatory criteria, unsupported fields that would make certification ambiguous, and non-deterministic compare output produce explicit blocker states rather than warnings.
- [x] T037 Ensure evaluator execution is DB-only: no calls to `ProviderGateway`, `GraphClientInterface`, TCM, Microsoft docs, HTTP, queued jobs, or OperationRun creation.

**Checkpoint**: Evaluator unit and feature tests pass.

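The evidence, identity and compare criteria of T029-T032 and T036, together with the fixed two-type denominator of Phase 3 (T009, T026), as an added example in illustrative PHP 8.1. The `Scope`, `EvidenceRow` and `EntraCertifiedPackEvaluator` classes are hypothetical stand-ins, not the project's evaluator, read model or Coverage v2 helpers, and the compare criterion is reduced to hash determinism rather than a full comparator run.

```php
<?php
declare(strict_types=1);

// Added example with illustrative class names; not the project's evaluator or read model.
final class Scope
{
    public function __construct(
        public readonly string $workspaceId,
        public readonly string $managedEnvironmentId,
        public readonly string $providerConnectionId,
    ) {}

    public function equals(Scope $o): bool
    {
        return [$this->workspaceId, $this->managedEnvironmentId, $this->providerConnectionId]
            === [$o->workspaceId, $o->managedEnvironmentId, $o->providerConnectionId];
    }
}

final class EvidenceRow
{
    public function __construct(
        public readonly string $resourceType,
        public readonly Scope $scope,
        public readonly string $identityState,     // stable | derived | identity_conflict | missing_external_id | unsupported_identity
        public readonly ?array $normalizedPayload, // null when the row is a capture stub without content
        public readonly string $payloadHash,       // hash recorded at capture time
        public readonly ?string $supersededAt,     // set once a newer same-scope capture replaced this row
    ) {}
}

final class EntraCertifiedPackEvaluator
{
    /** Fixed denominator: optional Entra types never enter the loop in evaluate(). */
    public const DENOMINATOR = ['conditionalAccessPolicy', 'securityDefaults'];

    /** @param EvidenceRow[] $rows every row the read model can see, any type, any scope */
    public function evaluate(Scope $scope, array $rows): array
    {
        $matrix = [];
        foreach (self::DENOMINATOR as $type) {
            $matrix[$type] = $this->evaluateType($type, $scope, $rows);
        }
        // The pack passes only when every mandatory type passes; otherwise the first blocker is reported.
        $blockers = array_filter($matrix, fn (string $state) => $state !== 'certification_passed');
        return ['pack_state' => $blockers === [] ? 'certification_passed' : reset($blockers), 'matrix' => $matrix];
    }

    private function evaluateType(string $type, Scope $scope, array $rows): string
    {
        // A candidate must match the type and all three scope keys and must not be superseded. Zero candidates
        // is missing evidence, more than one makes currentness ambiguous; neither falls back to first/latest/other scope.
        $current = array_values(array_filter($rows, fn (EvidenceRow $r) =>
            $r->resourceType === $type && $r->scope->equals($scope) && $r->supersededAt === null));
        if (count($current) !== 1 || $current[0]->normalizedPayload === null) {
            return 'certification_blocked_missing_evidence';
        }
        $row = $current[0];
        if ($row->identityState !== 'stable') {
            return 'certification_blocked_identity';
        }
        // Compare criterion, simplified: the recorded hash must be reproducible under canonical key order.
        if (self::canonicalHash($row->normalizedPayload) !== $row->payloadHash) {
            return 'certification_blocked_compare';
        }
        return 'certification_passed';
    }

    public static function canonicalHash(array $normalized): string
    {
        self::sortKeysDeep($normalized);
        return hash('sha256', json_encode($normalized, JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES));
    }

    private static function sortKeysDeep(array &$value): void
    {
        ksort($value);
        foreach ($value as &$child) {
            if (is_array($child)) {
                self::sortKeysDeep($child);
            }
        }
        unset($child);
    }
}

// Constructed sample rows, not captured tenant data.
$scope = new Scope('ws_1', 'env_1', 'conn_1');
$ca = ['displayName' => 'Require MFA', 'state' => 'enabled', 'grantControls' => ['builtInControls' => ['mfa']]];
$sd = ['isEnabled' => false];
$rows = [
    new EvidenceRow('conditionalAccessPolicy', $scope, 'stable', $ca, EntraCertifiedPackEvaluator::canonicalHash($ca), null),
    // Same workspace and environment but another provider connection: not same-scope evidence.
    new EvidenceRow('securityDefaults', new Scope('ws_1', 'env_1', 'conn_2'), 'stable', $sd, EntraCertifiedPackEvaluator::canonicalHash($sd), null),
    // Optional type with non-stable identity: ignored, because it is outside the denominator.
    new EvidenceRow('application', $scope, 'derived', ['appId' => 'a1'], 'n/a', null),
];
print_r((new EntraCertifiedPackEvaluator())->evaluate($scope, $rows));
```

With these rows `conditionalAccessPolicy` passes, `securityDefaults` is `certification_blocked_missing_evidence` because its only row belongs to `conn_2`, and the pack state follows that blocker; the `application` row changes nothing. Scope matching is on all three keys with no `tenant_id` anywhere, the `count !== 1` check refuses to pick "the latest" when two rows both claim to be current, and the evaluator only reads the rows it is given, so the fail-hard no-remote-call assertion of T022/T037 is satisfiable by construction.
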
## Phase 5: Claim Guard Exact Wording

**Purpose**: Allow exact internal/operator certification wording while blocking overclaims.

- [x] T038 Update `apps/platform/app/Services/TenantConfiguration/ClaimGuard.php` to allow exact internal/operator visible wording only for `Certified Entra Core Compare Pack: Conditional Access and Security Defaults`; the bare pack label may exist only as internal scope metadata or a diagnostic row heading when the same visible context includes the denominator.
- [x] T039 Require exact denominator visibility for any certified pack wording; block or limit certification wording that omits the denominator.
- [x] T040 Block forbidden wording: `Certified Entra coverage`, `100% Entra coverage`, `Full Entra coverage`, `Entra restore-ready`, `Certified Microsoft 365 coverage`, `Customer-ready Entra proof`, `Full tenant security proof`, legal/regulatory attestation claims, and Review Pack/report proof claims.
- [x] T041 Keep Claim Guard default behavior conservative for all non-425 claims; do not weaken existing Spec 421, 422, 423, or 424 claim-blocking behavior.

**Checkpoint**: Unit and feature Claim Guard tests pass.

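The T038-T041 allow/block rules as an added example in illustrative PHP 8. This is not the project's `ClaimGuard`: the exact allowed wording and the forbidden phrases are taken from this task list, while the class, the `check()` signature, the audience argument and the regex families for attestation and report-proof wording are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the project's ClaimGuard. Allowed wording and forbidden phrases come
// from tasks.md; the class shape and the regex families are illustrative.
final class ClaimGuard
{
    public const PACK_LABEL = 'Certified Entra Core Compare Pack';
    public const DENOMINATOR_CLAIM = 'Certified Entra Core Compare Pack: Conditional Access and Security Defaults';

    /** Overclaims matched case-insensitively anywhere in the visible text. */
    private const FORBIDDEN_PHRASES = [
        'certified entra coverage',
        '100% entra coverage',
        'full entra coverage',
        'entra restore-ready',
        'certified microsoft 365 coverage',
        'customer-ready entra proof',
        'full tenant security proof',
    ];

    /** Conservative patterns for attestation and report-proof language (assumed wording families). */
    private const FORBIDDEN_PATTERNS = [
        '/\battest\w*\b/i',                                                    // attestation, attested, ...
        '/\b(review pack|report|export|pdf)\b.{0,60}\b(proof|certif\w*)\b/i', // "report proves", "PDF certified"
        '/\b(proof|certif\w*)\b.{0,60}\b(review pack|report|export|pdf)\b/i', // "certified ... in the report"
    ];

    /**
     * @param string $visibleText everything shown in the same context (label, heading, caption, row)
     * @param string $audience    'operator' for internal surfaces; anything else counts as customer-facing
     * @return array{allowed: bool, reasons: list<string>}
     */
    public static function check(string $visibleText, string $audience = 'operator'): array
    {
        $reasons = [];
        $lower = strtolower($visibleText);
        foreach (self::FORBIDDEN_PHRASES as $phrase) {
            if (str_contains($lower, $phrase)) {
                $reasons[] = "forbidden wording: $phrase";
            }
        }
        foreach (self::FORBIDDEN_PATTERNS as $pattern) {
            if (preg_match($pattern, $visibleText) === 1) {
                $reasons[] = "forbidden pattern: $pattern";
            }
        }
        if (str_contains($lower, strtolower(self::PACK_LABEL))) {
            // Pack wording is internal/operator-only and must carry the exact denominator in the same context.
            if ($audience !== 'operator') {
                $reasons[] = 'pack claim outside internal/operator context';
            }
            if (!str_contains($visibleText, self::DENOMINATOR_CLAIM)) {
                $reasons[] = 'pack claim omits the exact denominator';
            }
        }
        return ['allowed' => $reasons === [], 'reasons' => $reasons];
    }
}

// Constructed visible contexts.
$cases = [
    'exact claim'        => ClaimGuard::check(ClaimGuard::DENOMINATOR_CLAIM),
    'bare label'         => ClaimGuard::check(ClaimGuard::PACK_LABEL . ' - passed'),
    'label with context' => ClaimGuard::check(ClaimGuard::PACK_LABEL . "\n" . ClaimGuard::DENOMINATOR_CLAIM),
    'overclaim'          => ClaimGuard::check('Full Entra coverage certified'),
    'customer surface'   => ClaimGuard::check(ClaimGuard::DENOMINATOR_CLAIM, 'customer'),
];
foreach ($cases as $name => $result) {
    printf("%-20s %s %s\n", $name, $result['allowed'] ? 'allowed' : 'blocked', implode('; ', $result['reasons']));
}
```

Only `exact claim` and `label with context` come out allowed: the bare label is blocked for omitting the denominator, the overclaim trips the phrase list, and the exact claim is still blocked on a customer audience. The guard is deny-by-default in the sense T041 wants: nothing about the Spec 425 wording relaxes the phrase or pattern checks, which run on every text regardless of whether the pack label appears.
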
## Phase 6: Product Surface Decision

**Purpose**: Keep UI scope bounded and browser-proof only if rendered UI changes.

- [x] T042 Determine whether the certification pack result can remain service/config/test-only. If yes, record `N/A - no rendered UI surface changed` in `implementation-report.md`.
- [x] T043 If rendered UI changes are necessary, amend `spec.md`, `plan.md`, and this `tasks.md` before editing UI files with exact affected surfaces, Product Surface decisions, browser proof path, and Human Product Sanity criteria. N/A - no rendered UI surface changed.
- [x] T044 If UI changes proceed after amendment, update only the existing Coverage v2 readiness/read-model/inspect path; do not add a new route, navigation item, dashboard, customer output, report/export/PDF, restore action, or primary Entra surface. N/A - no rendered UI surface changed.
- [x] T045 If UI changes proceed after amendment, add `apps/platform/tests/Browser/Spec425EntraCertifiedComparePackOperatorSurfaceSmokeTest.php` proving certified pack state, exact denominator, internal/operator-only label, no restore-ready/full-Entra/M365/customer claim, no raw payload/secrets, and no console/Livewire/Filament errors. N/A - no rendered UI surface changed.

**Checkpoint**: Product Surface decision is explicit and not contradicted by changed files.

## Phase 7: Architecture And Safety Guards

**Purpose**: Prove no hidden scope expansion or ownership drift.

- [x] T046 Ensure no migration creates `entra_certifications`, `certified_entra_resources`, or any Entra-specific certification table family.
- [x] T047 Ensure no code introduces `tenant_id` as Coverage v2 ownership truth, compatibility alias, fallback reader, dual-write target, or parallel scope key.
- [x] T048 Ensure no restore/apply, preview restore, assisted restore, or restore-readiness code path is introduced.
- [x] T049 Ensure no customer output, Review Pack, rendered report, management PDF, export/download, legal/regulatory attestation, or customer-ready proof path is introduced.
- [x] T050 Ensure no new Filament Resource/Page/Widget, route, navigation item, dashboard, or primary Entra surface is introduced.
- [x] T051 Add or extend focused feature/service tests proving that non-member access remains deny-as-not-found (404), that a member without the capability remains 403, that provider connection scope stays within the same workspace/environment, and that service-only evaluation takes explicit same-scope inputs wherever a service, command, route, or UI invocation boundary exists.

**Checkpoint**: No-overreach feature/static tests pass.

## Phase 8: Implementation Report And Validation

**Purpose**: Close the prep-defined evidence contract for implementation.

- [x] T052 Create `specs/425-entra-certified-compare-pack/implementation-report.md` with candidate gate result, dirty state before/after, files changed, certified denominator, evaluator matrix, claim matrix, redaction proof, no-restore proof, no-customer-claim proof, no-tenant_id proof, no-mini-platform proof, Product Surface decision, tests run, deferred work, and final gate result.
- [x] T053 Complete the certification matrix in `implementation-report.md` for `conditionalAccessPolicy` and `securityDefaults`.
- [x] T054 Complete the claim matrix in `implementation-report.md` for exact denominator-visible pack claim, 100 percent Entra, restore-ready, Microsoft 365 certified, and customer-ready proof.
- [x] T055 Run `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`.
- [x] T056 Run focused unit tests: `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Support/TenantConfiguration/EntraCertifiedPackEvaluatorTest.php tests/Unit/Support/TenantConfiguration/EntraCertifiedPackClaimGuardTest.php tests/Unit/Support/TenantConfiguration/ConditionalAccessCertifiedCompareTest.php tests/Unit/Support/TenantConfiguration/SecurityDefaultsCertifiedCompareTest.php tests/Unit/Support/TenantConfiguration/EntraCertifiedRenderRedactionTest.php tests/Unit/Support/TenantConfiguration/EntraCertifiedDenominatorTest.php`.
- [x] T057 Run focused feature tests: `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/TenantConfiguration/Spec425EntraCertifiedComparePackTest.php tests/Feature/TenantConfiguration/Spec425EntraCertifiedClaimGuardFeatureTest.php tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoRestoreTest.php tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoCustomerClaimTest.php tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoTenantIdTest.php tests/Feature/TenantConfiguration/Spec425EntraCertifiedNoMiniPlatformTest.php tests/Feature/TenantConfiguration/Spec425EntraCertifiedDenominatorFeatureTest.php`.
- [x] T058 If UI changed, run focused browser test: `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Browser/Spec425EntraCertifiedComparePackOperatorSurfaceSmokeTest.php`. N/A - no rendered UI surface changed.
- [x] T059 Run `git diff --check`.
- [x] T060 Record any failed validation exactly in `implementation-report.md`; do not weaken certification, denominator, claim, redaction, ownership, no-restore, or no-mini-platform criteria to make tests pass.

**Checkpoint**: Focused validation passes or exact failures are documented.

## Dependencies & Execution Order

- Phase 1 blocks all runtime implementation.
- Phase 2 tests should be added before or alongside Phases 3-5 implementation.
- Phase 3 scope definition blocks evaluator pass behavior.
- Phase 4 evaluator depends on existing Coverage v2 evidence/identity/compare/render helpers.
- Phase 5 Claim Guard updates depend on exact pack wording from the spec.
- Phase 6 must complete before any runtime UI edits.
- Phase 8 completes after all implementation tasks and validation.

## Parallel Opportunities

- T007-T014 can run in parallel after preflight because they touch different fixture/test files.
- T015-T022 can run in parallel after preflight because they touch different feature test files.
- T023-T026 should be coordinated because they share supported-scope/registry behavior.
- T027-T037 should be sequential within evaluator implementation.
- T046-T051 can run in parallel with final static/feature guard hardening once implementation files stabilize.

## Stop Conditions

- A mandatory denominator type cannot satisfy evidence, stable identity, compare, render, redaction, or claim criteria.
- The denominator changes from exactly `conditionalAccessPolicy` plus `securityDefaults`.
- Any restore/apply, customer output, Review Pack/report/PDF/export, full Entra/M365 certification, or legal/regulatory attestation scope appears.
- A new Entra-specific table family, dashboard, route, navigation item, primary surface, or mini-platform appears.
- `tenant_id` is introduced as platform-core ownership truth or compatibility/fallback path.
- Certification evaluation requires remote calls, queues, or a new OperationRun.
- Raw payloads or sensitive values become default-visible or leak into reports/logs/notifications.