TenantAtlas/specs/431-exchange-powershell-invocation-operation-registration-gate/checklists/requirements.md
ahmido 9374260ae1 feat: add Exchange PowerShell invocation gate (#498)
## Summary
- Adds the Spec 431 Exchange PowerShell invocation gate and operation registration slice.
- Introduces trusted provider operation start handling and read-only Exchange PowerShell runner abstractions.
- Updates provider capability/readiness evaluation and coverage for Exchange PowerShell invocation safety.

## Verification
- `cd apps/platform && ./vendor/bin/sail artisan test tests/Feature/Providers/ProviderCapabilityEvaluationTest.php tests/Feature/Providers/ProviderOperationCapabilityGateTest.php tests/Feature/TenantConfiguration/Spec431ExchangePowerShellInvocationGateTest.php tests/Unit/Providers/ProviderCapabilityRegistryTest.php tests/Unit/Providers/ProviderOperationStartGateTest.php tests/Unit/Support/TenantConfiguration/Spec430ExchangePowerShellCommandAllowlistTest.php tests/Unit/Support/TenantConfiguration/Spec431ExchangePowerShellOperationRegistrationTest.php tests/Unit/Verification/ManagedEnvironmentPermissionCapabilityMappingTest.php`
- Result: 80 passed, 685 assertions.

## Product Surface / Ops
- Rendered UI surface changed: N/A.
- Filament/Livewire surface changed: N/A.
- Deployment impact: config/runtime service changes only; no migrations, queues, or assets added.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #498
2026-07-07 15:23:29 +00:00

5.7 KiB

Requirements Checklist: Exchange PowerShell Invocation Operation Registration and Execution Gate

Purpose: Validate Spec 431 preparation and later implementation against operation registration, invocation safety, no-promotion, and no-surface requirements.
Created: 2026-07-05
Feature: specs/431-exchange-powershell-invocation-operation-registration-gate/spec.md

Applicability And Low-Impact Gate

  • CHK001 The change explicitly says no rendered UI surface is affected.
  • CHK002 The spec, plan, and tasks carry the same no-UI/no-product-surface decision.
  • CHK029 The spec includes exactly one coherent UI Surface Impact decision: No UI surface impact.
  • CHK037 Browser proof is N/A - no rendered UI surface changed.
  • CHK038 Human Product Sanity is N/A because no product surface changes.
  • CHK040 Completed historical specs were not rewritten or stripped of implementation history.

Spec Package

  • spec.md exists.
  • plan.md exists.
  • tasks.md exists.
  • checklists/requirements.md exists.
  • implementation-report.md exists and records implementation validation.

Scope

  • Only transportRule.
  • Only remoteDomain.
  • Only inboundConnector.
  • Only Get-TransportRule.
  • Only Get-RemoteDomain.
  • Only Get-InboundConnector.
  • No Teams.
  • No Exchange Admin API.
  • No live provider execution.
  • No evidence.
  • No compare/render.
  • No certification.
  • No restore.
  • No customer claim.
  • No UI.
  • No migration.

Proportionality

  • New operation type justified.
  • New catalog entry justified.
  • New provider operation justified.
  • New capability justified.
  • New runner interface justified.
  • No mini-platform planned.
  • No new persisted status framework planned.

Operation Registration

  • OperationRunType registered.
  • OperationCatalog registered.
  • ProviderOperationRegistry registered.
  • ProviderCapabilityRegistry registered.
  • OperationRunCapabilityResolver mapping exists.
  • Tests prove all mappings.

Summary Counts

  • Existing allowed keys reused or new keys explicitly added.
  • SummaryCountsNormalizer preserves emitted keys.
  • Unknown keys remain dropped.
  • No raw output in summary counts.
  • No secrets in summary counts.

Failure Sanitization

  • Invocation blocker reasons sanitized.
  • Invocation failure reasons sanitized.
  • Unknown failures sanitized.
  • Secret-like values redacted.
  • Raw stderr/stdout not persisted.

Invocation Gate

  • Verified contract required.
  • Allowlisted command required.
  • OperationRun required before fake runner execution.
  • Provider scope required.
  • Capability required.
  • Actor capability is Capabilities::PROVIDER_RUN or a spec amendment documents a narrower dedicated capability.
  • Feature gate tenantpilot.features.exchange_powershell_invocation required and default disabled.
  • Provider identity/credential reference required or fake-runner-only mode documented.
  • Bypass calls rejected.

Runner Safety

  • Structured runner interface.
  • Fake runner.
  • Production runner disabled/inert.
  • Raw command strings rejected.
  • Mutation commands rejected.
  • Unknown parameters rejected.
  • No shell execution in unit tests.
  • No Microsoft service calls in tests.

OperationRun Safety

  • OperationRun created before fake invocation.
  • Status transitions owned by OperationRunService.
  • Numeric/safe summary counts only.
  • Safe failure category only.
  • provider_connection_id only in safe context.
  • No provider_connection_id migration.
  • No raw stdout/stderr.
  • No raw provider payload.
  • No secrets.

Credential / Provider Scope

  • Provider connection scoped to workspace/environment.
  • Credential reference source is existing ProviderIdentityResolver / ProviderConnection::credential / ProviderCredential truth, not a new persistence path.
  • Missing credential reference blocks.
  • Unsupported credential kind blocks.
  • Missing permission evidence blocks or stays unvalidated.
  • Username/password blocked.
  • No plaintext secret fields.
  • Capability checks enforced.

Shape Validation

  • Structured collection accepted.
  • Empty collection distinguished from permission failure.
  • Malformed result blocks.
  • Missing identity fields block or fail safe.
  • Text/scalar output fails safe.

No Promotion

  • No evidence rows.
  • No raw evidence payload.
  • No normalized evidence payload.
  • No content-backed state.
  • No comparable state.
  • No renderable state.
  • No certified state.
  • No restore-ready state.
  • No customer-ready state.

Product Surface

  • No routes planned.
  • No Filament pages planned.
  • No Livewire components planned.
  • No navigation planned.
  • No global search changes planned.
  • No asset changes planned.
  • Browser N/A.

Architecture

  • Uses OperationRun architecture.
  • Uses provider operation/capability architecture.
  • Uses Coverage v2 source contract architecture.
  • No tenant_id.
  • No Exchange mini-platform.
  • No legacy shim.
  • No fallback reader.

Validation

  • Focused unit tests pass.
  • Focused feature tests pass.
  • Regressions pass.
  • Pint passes.
  • git diff --check passes.
  • git status --short documented.

Review Outcome

  • Review outcome class: implementation gate passed for backend-only slice.
  • Workflow outcome: keep.
  • Final note location: implementation-report.md.

Final Candidate Gate

PASS for implementation. Runtime checklist items are checked against the implementation report and validation runs.