6.1 KiB
Requirements Checklist: Exchange Structured Output and Target Normalizer Readiness
Purpose: Preparation and implementation-readiness checklist for Spec 435.
Created: 2026-07-08
Feature: specs/435-exchange-structured-output-target-normalizer-readiness/spec.md
Prerequisites
- Spec 434 merge-ready proof is required before implementation.
- Spec 434 adapter boundary, identity hard-stop, content-only writer guard, empty collection no-fake-evidence policy, generic Graph preservation, no UI, no migration, and no
tenant_idare recorded as prerequisite proof. - Spec 433 credential/permission readiness, client-secret blocking, scoped/current
Exchange.ManageAsApp, combined readiness, provider capability support, and runner-gate consumption are recorded as prerequisite proof. - Spec 432 runner boundary, process executor abstraction, output guard, timeout/concurrency guards, sanitized OperationRun context, no raw stdout/stderr outside approved paths, no UI, no migration, and no
tenant_idare recorded as prerequisite proof. - Spec 430 command contracts exist for
Get-TransportRule,Get-RemoteDomain, andGet-InboundConnector.
Scope
- Structured output only.
- Normalizer readiness only.
- Targets limited to
transportRule,remoteDomain, andinboundConnector. - No evidence rows.
- No content-backed promotion.
- No compare/render.
- No certification.
- No restore.
- No customer claim.
- No UI.
- No jobs/schedules/listeners.
- No migration.
- No
tenant_id.
Structured Output
- Structured envelope requirement exists.
- Raw stdout/stderr exclusion requirement exists.
- Shape states are defined or mapped to repo-canonical equivalents.
- Malformed output must block.
- Scalar output must block.
- Warning-prefixed output must block or classify safely.
- Binary/non-UTF8 output must block.
- Oversized output must block.
- Non-zero exit must block.
- Timeout must block.
- Empty collection is distinguishable from failure states.
Target Normalizers
transportRulereadiness is required.remoteDomainreadiness must complete or explicitly block.inboundConnectorreadiness must complete or explicitly block.- Volatile fields must be handled.
- Sensitive fields must be handled.
- Ordering must be deterministic.
- Hash input rules must be defined.
- Normalized payload previews are test-only/in-memory and not persisted.
Identity
- Stable identity rules are required.
- Display-name-only identity must block.
- Derived/domain-only identity must block unless proven safe.
- Duplicate identity must block.
- Missing identity must block.
- Unsupported identity must block.
- Identity-unproven state must block.
- Explicit blocker states are required.
Redaction
transportRulesensitive fields must be classified.remoteDomainsensitive fields must be classified.inboundConnectorIPs, hosts, certificate names, comments, and routing metadata must be protected or potentially sensitive.- Protected config must not enter OperationRun context/logs/summaries.
- Credential material must be absent.
- Customer output must remain absent.
Hash
- Hash input determinism is required.
- Material changes must be detected.
- Volatile changes must be ignored.
- Provider ordering must be handled deterministically where order is not meaningful.
- Target type and normalizer version handling are required.
- Hash input must exclude raw output, OperationRun context, runtime timestamps, PowerShell session metadata, credential metadata, and permission metadata.
Empty Collection
- Empty collection must be distinguished from failures.
- Empty collection must create no resource row.
- Empty collection must create no evidence row.
- Durable collection proof is deferred.
No Promotion
- No
tenant_configuration_resource_evidencerows. - No raw Exchange payload persisted as evidence.
- No normalized Exchange payload persisted as evidence.
- No content-backed state.
- No comparable state.
- No renderable state.
- No certified state.
- No restore-ready state.
- No customer-ready state.
Product Surface / Trigger
- No routes.
- No Filament pages/resources/widgets.
- No Livewire components.
- No Blade views.
- No navigation.
- No asset changes.
- No global search changes.
- No job trigger.
- No schedule trigger.
- No listener trigger.
- Browser N/A.
Architecture
- Uses existing Exchange adapter/readiness architecture.
- No migration.
- No
tenant_idownership truth. - No Exchange-specific evidence table.
- No Exchange mini-platform.
- No legacy shim.
- No fallback reader.
- No dual write.
Validation
- Focused Spec 435 unit tests pass.
- Focused Spec 435 feature tests pass.
- Spec 434 regression passes.
- Spec 433 regression passes.
- Spec 432/431/430 regression passes.
- Spec 415/417/419/420/426/427 regression passes.
- Provider capability registry/evaluation regression passes.
- Pint passes.
git diff --checkpasses.git status --shortis documented.
Final Candidate Gate
- PASS for preparation.
- PASS for implementation.
- PASS WITH CONDITIONS for implementation.
- FAIL.
Preparation PASS rationale: spec.md, plan.md, and tasks.md define a bounded, testable, no-application-implementation package. Implementation PASS requires all applicable unchecked runtime validation items above to be checked with evidence.
FAIL if evidence rows are created, content-backed promotion occurs, raw stdout/stderr is treated as evidence, remoteDomain identity is faked, inboundConnector protected config leaks, unsafe output passes readiness, unsafe identity passes readiness, UI/routes/jobs/schedules/listeners are added, migration is added without amendment, tenant_id ownership truth is introduced, an Exchange-specific evidence table appears, or tests do not prove normalizer readiness safety.