TenantAtlas/specs/417-canonical-identity-engine/checklists/requirements.md
Ahmed Darrazi 5ceecdeb62
feat: implement canonical identity engine
2026-06-26 08:46:18 +02:00


Specification Quality Checklist: Spec 417 - Canonical Identity Engine

Candidate And Scope

  • Candidate is user-provided, not auto-selected from an empty active candidate queue.
  • Spec 414 is completed/validated dependency context only.
  • Spec 415 is completed/validated dependency context only.
  • No existing 417-canonical-identity-engine spec or branch was found before creation.
  • Scope is limited to Coverage v2 canonical identity for captured resources.
  • No Coverage v2 customer/operator activation is included.
  • No compare, render, restore, certification, or full TCM catalog import is included.

Ownership And Isolation

  • Internal scope truth is workspace_id, managed_environment_id, and provider_connection_id.
  • Provider connection same-scope validation is required.
  • External Microsoft/Entra tenant IDs remain metadata only.
  • tenant_id is forbidden as Coverage v2 ownership truth.
  • Cross-workspace identity collisions cannot merge.
  • Cross-managed-environment identity collisions cannot merge.
  • Cross-provider identity collisions cannot merge.

Identity Requirements

  • Initial eight Coverage v2 resource types are listed.
  • Identity strategy fields are defined.
  • Stable provider/Graph/TCM IDs are preferred.
  • Source/composite fallback behavior is defined.
  • Display-name-only stable identity is forbidden.
  • Existing IdentityState values are used.
  • Canonical key-kind values are bounded.
  • Existing canonical_resource_key duplicate-truth risk is addressed.
  • Missing external ID behavior is explicit.
  • Unsupported identity behavior is explicit.
  • Beta/experimental identity cannot certify by default.

Claim And Evidence Safety

  • Claim Guard blocks identity_conflict.
  • Claim Guard blocks or limits missing_external_id.
  • Claim Guard blocks unsupported_identity.
  • Claim Guard limits or blocks derived unless explicitly allowed.
  • OperationRun execution truth remains separate from identity/evidence/customer proof.
  • Evidence payload truth remains append-only evidence, not customer proof by default.
  • No fallback-to-latest evidence behavior is allowed.
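As an added illustration of the Ownership And Isolation, Identity Requirements and Claim And Evidence Safety rules above (constructed model, not TenantAtlas project code): the internal scope triple is baked into every canonical key so cross-workspace, cross-environment and cross-provider collisions can never merge, tenant_id is carried as metadata only, display-name-only identity is rejected, and Claim Guard blocks identity_conflict, missing_external_id and unsupported_identity while allowing derived only when explicitly permitted. The `Captured` type, the outcome strings other than the four guard reasons on the page, and the registry shape are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the Spec 417 rules; not TenantAtlas project code.
SCOPE_FIELDS = ("workspace_id", "managed_environment_id", "provider_connection_id")

@dataclass(frozen=True)
class Captured:
    scope: dict                     # exactly the three internal ownership fields
    resource_type: str
    external_id: Optional[str]      # stable provider/Graph/TCM id, if the provider gave one
    source_fields: dict = field(default_factory=dict)  # composite fallback inputs
    display_name: str = ""
    tenant_id: str = ""             # external Entra tenant id: metadata only, never identity

def canonical_key(c: Captured) -> tuple:
    """Return (reason, key). The scope triple is always part of the key, so resources
    in different workspaces/environments/connections can never share a key."""
    if set(c.scope) != set(SCOPE_FIELDS):
        raise ValueError("scope must be exactly the internal ownership triple")
    scope = tuple(c.scope[f] for f in SCOPE_FIELDS)
    if c.external_id:               # preferred: stable provider/Graph/TCM id
        return "stable", scope + (c.resource_type, "provider_id", c.external_id)
    if c.source_fields:             # composite fallback: identity is derived
        parts = tuple(sorted(c.source_fields.items()))
        return "derived", scope + (c.resource_type, "composite", parts)
    if c.display_name:              # display-name-only identity is forbidden outright
        return "unsupported_identity", ()
    return "missing_external_id", ()

class IdentityRegistry:
    def __init__(self) -> None:
        self._keys: dict = {}       # canonical key -> id of the record that owns it

    def resolve(self, c: Captured, record_id: str) -> str:
        """Assign or re-find the canonical key; a second record claiming the same
        key inside the same scope is an identity_conflict, never a silent merge."""
        reason, key = canonical_key(c)
        if not key:
            return reason
        owner = self._keys.setdefault(key, record_id)
        return "identity_conflict" if owner != record_id else reason

def claim_guard(reason: str, allow_derived: bool = False) -> bool:
    """True only when a claim may be made on this identity outcome."""
    if reason == "stable":
        return True
    if reason == "derived":
        return allow_derived        # blocked unless explicitly allowed
    return False                    # identity_conflict, missing_external_id, unsupported_identity
```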

Diagnostics And Redaction

  • Secondary keys are diagnostic metadata only.
  • Conflict diagnostics are bounded.
  • Raw payloads and full provider responses are forbidden in diagnostics.
  • Tokens, credentials, cookies, authorization headers, private keys, certificates, passwords, and unredacted PII are forbidden in diagnostics, OperationRun context/messages, and audit metadata.

No Legacy / No Product Surface

  • No v1-to-v2 identity adapter is allowed.
  • No old snapshot identity promotion is allowed.
  • No old v1 gap taxonomy is active v2 runtime truth.
  • No dual write or fallback reader is allowed.
  • No reachable UI surface changes are allowed.
  • Browser proof is N/A - no rendered UI surface changed.
  • Product Surface exceptions are none.
  • Completed historical specs must not be rewritten.

Tests And Readiness

  • Unit test targets are identified.
  • Feature test targets are identified.
  • PostgreSQL-lane trigger is identified for migrations/indexes/constraints/JSONB.
  • No browser/heavy-governance lane is planned.
  • Validation commands are listed.
  • Implementation report close-out fields are defined.

Gate Results

  • Candidate Selection Gate: PASS.
  • Spec Readiness Gate: PASS for preparation; implementation must still follow tasks.md.