2.0 KiB
2.0 KiB
Feature Specification: Cross-tenant Compare and Promotion
Feature Branch: feat/043-cross-tenant-compare-and-promotion
Created: 2026-01-07
Status: Draft
Purpose
Enable safe cross-tenant comparison of inventory and, optionally, controlled promotion workflows.
Comparison is read-only by default. Any write/promotion behavior must be explicitly gated, audited, and separately authorized.
User Scenarios & Testing
Scenario 1: Compare two tenants (read-only)
- Given the operator has access to Tenant A and Tenant B
- When they select two tenants and a set of policy types
- Then they can see differences in presence and key metadata
Scenario 2: Compare with a stable reference
- Given a reference selection scope
- When the operator runs comparison
- Then results are stable and reproducible for that scope
Scenario 3: Promotion is explicitly gated (optional)
- Given promotion is enabled by policy
- When the operator initiates promotion
- Then the system requires explicit confirmation and records an audit event
Functional Requirements
- FR1: Support selecting two tenants within authorized scope.
- FR2: Provide read-only diff views based on inventory metadata and stable identifiers.
- FR3: Provide exportable comparison results.
- FR4: If promotion is included:
- require explicit enablement
- require explicit confirmation per operation
- record audit logs
- support dry-run/preview
Non-Functional Requirements
- NFR1: Enforce tenant isolation and least privilege across tenant selection and data access.
- NFR2: Comparison must not expose secrets or unsafe payload fields.
Success Criteria
- SC1: Operators can identify which tenant differs for a given policy type in under 2 minutes.
- SC2: Read-only comparisons are reproducible when run again with the same scope.
Out of Scope
- Bulk remediation without preview/confirmation.
Related Specs
- Program:
specs/039-inventory-program/spec.md - Core:
specs/040-inventory-core/spec.md - Drift:
specs/044-drift-mvp/spec.md