TenantAtlas/specs/047-inventory-foundations-nodes/checklists/requirements.md
2026-01-10 21:32:34 +01:00

Requirements Checklist — Foundations in Inventory (047)

Constitution Gates

  • Tenant isolation: all foundation sync reads/writes are scoped to Tenant::current()/tenant_id (no leakage).
  • No snapshot/backup side effects: Inventory sync must not write to policy_versions/backup_* tables.
  • Config-driven types: foundation types are sourced from config('tenantpilot.foundation_types') only (no hardcoded lists).
  • No UI Graph calls: Inventory/Dependencies UI must render using DB-only resolution (no runtime Graph/Entra lookups).
  • Idempotency: re-running sync does not create duplicates; last_seen_at/last_seen_run_id update deterministically.
  • Data minimization: foundation meta_jsonb is sanitized (stored == InventoryMetaSanitizer::sanitize(stored)).
  • Observability: InventorySyncRun observed/upserted counts include foundations when enabled and exclude them when disabled.
  • Tests exist and were executed (targeted at minimum).

Feature 047 Functional Coverage

  • FR-001 MVP foundation types are synced when include_foundations=true (roleScopeTag, assignmentFilter, notificationMessageTemplate).
  • FR-002 include_foundations=false produces no foundation node sync side effects.
  • FR-003 Foundation nodes stored as InventoryItems with stable identity (tenant_id + policy_type + external_id).
  • FR-004 Inventory Coverage UI shows Policies + Foundations.
  • FR-COV-DEP: Coverage shows deterministic Dependencies support column (/—) derived from existing capabilities (no Graph calls).
  • FR-005 Inventory Items UI can filter/browse foundations.

Test Gates

  • T020/T021: include_foundations on/off behavior is covered by feature tests.
  • T023: foundation meta_jsonb sanitized invariant (no payload dump).
  • T024: run counts include/exclude foundations (deterministic setup).
  • Pint run (T020) and targeted tests run (T021).