ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
9405058433
TenantAtlas/specs/420-m365-generic-evidence-coverage-pack/tasks.md
Ahmed Darrazi 9405058433
Some checks failed
PR Fast Feedback / fast-feedback (pull_request) Failing after 5m46s
Details
feat: complete m365 generic evidence coverage pack
2026-06-27 13:00:22 +02:00

13 KiB
Raw Blame History

Tasks: Spec 420 - M365 Generic Evidence Coverage Pack

Input: specs/420-m365-generic-evidence-coverage-pack/spec.md, specs/420-m365-generic-evidence-coverage-pack/plan.md, specs/420-m365-generic-evidence-coverage-pack/checklists/requirements.md Prerequisites: Specs 414, 415, 417, 418, and 419 as read-only dependency context Tests: Required. Runtime capture/evidence behavior must be covered with focused Pest unit and feature tests. Browser proof is required only if new M365 captured/blocked data renders on the existing Spec 418 Coverage v2 operator surface.

Test Governance Checklist

  • Lane assignment is named and remains the narrowest sufficient proof for resolver, capture, evidence, identity, RBAC, OperationRun, and no-overclaim behavior.
  • Unit and Feature tests stay focused; PostgreSQL lane is explicit only if schema/check constraints change.
  • Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default and opt-in.
  • Planned validation commands cover the change without pulling unrelated lane cost.
  • Browser proof is required for rendered existing-surface data impact, or explicitly N/A - no rendered UI surface changed with proof.
  • Human Product Sanity and Product Surface implementation-report close-out cover existing-surface data impact, or are N/A only with proof.
  • Material budget, baseline, trend, or escalation notes are recorded if test cost changes.

Phase 1: Preflight And Dependency Guard

  • T001 Capture branch, HEAD, git status --short, activated skills, and hard-gate status in specs/420-m365-generic-evidence-coverage-pack/implementation-report.md.
  • T002 Confirm Specs 414, 415, 417, 418, and 419 are dependency context only and must not be modified.
  • T003 Inspect apps/platform/app/Services/TenantConfiguration/CoverageSourceContractResolver.php, GenericContentEvidenceCaptureService.php, CoverageResourceUpserter.php, CoverageEvidenceWriter.php, CoverageIdentityStrategyRegistry.php, ClaimGuard.php, StartTenantConfigurationCapture.php, and CaptureTenantConfigurationEvidenceJob.php.
  • T004 Inspect apps/platform/config/graph_contracts.php for the current conditionalAccessPolicy contract and verify no explicit contracts exist for selected missing-contract types. If explicit contracts already exist for acceptedDomain, appPermissionPolicy, or dlpCompliancePolicy, stop and amend the package before implementation continues.
  • T005 Record draft-to-repo deviations: reuse tenant_configuration.capture, use existing CaptureOutcome values, and narrow first pack to conditionalAccessPolicy, acceptedDomain, appPermissionPolicy, and dlpCompliancePolicy.
  • T006 Stop if implementation would require compare, render, restore, certification, customer output, M365 dashboard, UI start action, endpoint guessing, direct HTTP, tenant_id, v1 compatibility, or workload-specific mini-platforms.

Phase 2: Tests First - Source Contracts And Eligibility

  • T007 Add apps/platform/tests/Unit/Support/TenantConfiguration/Spec420M365CaptureSourceContractResolverTest.php proving conditionalAccessPolicy resolves only through an explicit repo-real source contract mapping.
  • T008 Add resolver tests proving acceptedDomain, appPermissionPolicy, and dlpCompliancePolicy return capture_blocked_missing_contract until explicit contracts exist.
  • T009 Add eligibility tests proving missing-contract decisions do not call provider gateway, do not guess endpoints from canonical type/source aliases, and keep stable reason codes.
  • T010 Add tests proving beta/unsupported states remain blocked through existing CaptureOutcome values and do not require a new outcome family.
  • T011 Add tests proving source metadata separates registry/source-class truth from actual source contract key, endpoint, source version, schema hash, and explicit null/unknown values when source version/schema hash is unavailable.

Phase 3: Tests First - Identity, Normalization, Redaction, And Claims

  • T012 Add apps/platform/tests/Unit/Support/TenantConfiguration/Spec420M365CaptureIdentityStrategyTest.php covering selected resource identity strategies and no display-name-only stable identity.
  • T013 Add identity tests proving missing, unsupported, derived-without-claim, and conflict states block customer-facing claims.
  • T014 Add Spec420M365GenericPayloadNormalizerTest.php proving stable key ordering, volatile field stripping, and deterministic payload hash for a fake conditionalAccessPolicy payload.
  • T015 Add redaction coverage proving secret keys are redacted from normalized evidence payloads, permission context, OperationRun context/failure summary, audit metadata, and logs, with raw payload retained only inside the evidence raw-payload storage boundary.
  • T016 Add Spec420M365CaptureClaimGuardTest.php proving broad M365, certified, restore-ready, customer-ready, complete tenant, all-resource, and unscoped 100% claims are blocked.

Phase 4: Tests First - Persistence, OperationRun, Authorization, And Scope

  • T017 Add apps/platform/tests/Feature/TenantConfiguration/Spec420M365GenericEvidenceCaptureTest.php proving fake conditionalAccessPolicy capture persists a TenantConfigurationResource and append-only TenantConfigurationResourceEvidence row.
  • T018 Assert persisted evidence includes raw payload, normalized payload, deterministic payload_hash, source metadata, redacted permission context, operation_run_id, and coverage_level = content_backed only when a real payload was captured.
  • T019 Assert missing-contract selected types create no fake evidence rows and update only structured outcome/summary data.
  • T020 Add Spec420M365CaptureOperationRunTest.php proving existing tenant_configuration.capture lifecycle, service-owned transitions, numeric summary counts, retry/idempotency behavior, stale active-run or duplicate-run handling, bounded duplicate resource/evidence behavior, sanitized failure-summary behavior, and no raw payload in OperationRun context.
  • T021 Add Spec420M365CaptureAuthorizationTest.php covering non-member 404, missing environment entitlement 404 via existing capture authorization coverage, missing capability 403, operator/readonly denial, and allowed owner/manager behavior according to the current capability matrix.
  • T022 Add Spec420M365ProviderConnectionScopeTest.php proving cross-workspace and cross-environment provider connections are rejected before run creation and again at job execution time.
  • T023 Add Spec420M365NoOverclaimTest.php, Spec420M365NoLegacyTest.php, and Spec420M365NoTenantIdTest.php proving no customer claim activation, no old gap taxonomy/v1 adapter/fallback reader/dual write, and no tenant_id.

Phase 5: Source Contract And Eligibility Implementation

  • T024 Update CoverageSourceContractResolver or its existing mapping path with the narrow selected M365 decisions required by tests.
  • T025 Map conditionalAccessPolicy to the repo-valid Graph contract only after verifying the contract exists and is safe for generic read capture; if it is missing or unsafe, stop and amend the package.
  • T026 Keep acceptedDomain, appPermissionPolicy, and dlpCompliancePolicy blocked with capture_blocked_missing_contract for Spec 420; do not add explicit contracts for those three types in this slice.
  • T027 Ensure no runtime endpoint path is derived from resource type strings or Spec 419 source_aliases metadata.
  • T028 Ensure source metadata is sufficient for implementation-report source-contract matrix, including explicit null/unknown source version/schema hash semantics, without leaking raw provider payloads or secrets.

Phase 6: Identity, Evidence, And Claim Implementation

  • T029 Extend CoverageIdentityStrategyRegistry narrowly for selected M365 resource types.
  • T030 Ensure CanonicalIdentityResolver remains the only identity resolution path used by CoverageResourceUpserter.
  • T031 Ensure CoverageResourceUpserter and CoverageEvidenceWriter preserve selected M365 identity and claim state, same-scope provider connection, source metadata, and append-only evidence behavior.
  • T032 Ensure GenericPayloadNormalizer and CoveragePayloadRedactor cover selected fake M365 payload shapes and secret keys.
  • T033 Update ClaimGuard only if tests show existing M365 claim blocking is insufficient; do not create a parallel M365 claim guard.

Phase 7: OperationRun, RBAC, Audit, And Guardrails

  • T034 Reuse StartTenantConfigurationCapture, CaptureTenantConfigurationEvidenceJob, and OperationRunService; do not add tenant_configuration.m365_capture unless proportionality review is amended.
  • T035 Ensure start path writes existing audit events with safe metadata and no raw payload or secrets.
  • T036 Ensure job/service path revalidates workspace, managed environment, provider connection, OperationRun type, and OperationRun target scope before provider work.
  • T037 Add or update static/focused guards proving no direct OperationRun status/outcome writes, no direct Graph/HTTP calls, no runtime docs fetch, and no workload-specific tables/classes/services.
  • T038 Confirm no Filament page/resource/widget/action, route, navigation entry, Blade view, Livewire component, customer output, report, download, restore/certify/export/publish action, scheduler, or new dashboard was added.

Phase 8: Product Surface Data-Impact Verification

  • T039 If existing Spec 418 Coverage v2 surface renders captured/blocked M365 data, add and run apps/platform/tests/Browser/Spec420M365GenericEvidenceOperatorSurfaceSmokeTest.php.
  • T040 Browser proof must verify no broad M365 claim, no certified/restore-ready/customer-ready wording, no raw/normalized payload default display, no new capture/restore/certify/export/download action, no console/Livewire/500 errors, and no provider calls during render.
  • T041 Make the rendered-surface close-out decision explicit: if existing output changes, run browser proof and Human Product Sanity; if implementation proves no rendered output changes, document N/A - no rendered UI surface changed with exact proof in the implementation report.
  • T042 Record Human Product Sanity result if rendered output changes.
  • T043 Stop and amend spec.md, plan.md, and tasks.md before any runtime UI file, route, navigation, action, label, report, download, or customer surface edit.

Phase 9: Validation And Close-Out

  • T044 Run cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent.
  • T045 Run focused unit tests for Spec 420 source contracts, eligibility, normalizer, identity strategy, Claim Guard, and redaction.
  • T046 Run focused feature tests for Spec 420 evidence capture, OperationRun, authorization, provider scope, no-overclaim, no-legacy, and no-tenant-id.
  • T047 N/A - no migrations/check constraints/indexes changed, so no additional PostgreSQL lane was required.
  • T048 Run focused browser proof if existing rendered output changes.
  • T049 Run git diff --check.
  • T050 Complete specs/420-m365-generic-evidence-coverage-pack/implementation-report.md with candidate gate result, dirty state before/after, files changed, capture eligibility matrix, source-contract matrix, evidence matrix, OperationRun proof, authorization proof, provider scope proof, redaction/log proof, Claim Guard proof, no-tenant-id proof, no-legacy/no-mini-platform proof, Product Surface proof, tests run, deployment impact, and deferred work.
  • T051 Confirm no historical spec was rewritten or stripped of task, smoke, browser, or review history.

Stop Conditions

Stop and update spec.md, plan.md, and tasks.md before continuing if any of these appear:

  • Compare, render, restore, apply, certification, customer output, Review Pack/report, broad M365 dashboard, customer-facing claim activation, or new UI start action is needed.
  • Graph/TCM/provider remote paths are guessed, hardcoded, scraped, or called outside GraphClientInterface/provider gateway contracts.
  • Existing tenant_configuration.capture cannot support the lifecycle and a new OperationRun type is proposed without proportionality review.
  • A new capture outcome, enum/status family, table, abstraction, or taxonomy is needed without proportionality review.
  • Existing Coverage v2 operator surface would change beyond data-driven rows/outcomes without Product Surface/browser proof.
  • Raw payload, normalized payload, permission context, provider response bodies, tokens, secrets, or internal diagnostics would render by default or enter logs/audit/OperationRun context/failure summary.
  • tenant_id appears as Coverage v2 ownership truth.
  • A workload-specific table, model, engine, namespace, dashboard, or mini-platform is introduced.
  • A broad M365/certified/restore-ready/customer-ready/all-resource claim must be allowed.