Summary: add Spec 434 Exchange PowerShell evidence capture adapter and prerequisite/identity/content-only guards; cap Exchange evidence at content_backed while preserving Graph capture. Validation: php artisan test --filter=Spec434 --compact; ./vendor/bin/pint --dirty --test; git diff --cached --check. Product Surface: N/A - no rendered UI surface changed; no deployment impact. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #501
9.7 KiB
9.7 KiB
Requirements Checklist: Exchange Evidence Capture Adapter and Content-Only Guard
Feature: specs/434-exchange-evidence-capture-adapter-content-only-guard/
Mode: Backend adapter/guard implementation close-out. Preparation completed earlier; implementation evidence is documented in tasks.md and implementation-report.md.
Implementation Evidence Note
- Completed items below are marked only where supported by the implementation report, completed task evidence, focused Spec 434 feature coverage, regression results, or code review evidence.
- Unsafe-identity writer non-invocation is proven by adapter code order plus zero resource/evidence database assertions; Spec 434 did not add a literal writer spy.
Preparation Gate
spec.mdexists.plan.mdexists.tasks.mdexists.checklists/requirements.mdexists.- Candidate Selection Gate result is recorded.
- Spec Readiness Gate result is recorded.
- Completed-spec guardrail result for Specs 429-433 is recorded.
- Spec 433 PASS WITH CONDITIONS dependency is recorded.
- Product Surface impact is
N/A - no rendered product surface changed. - Browser proof is
N/A - no rendered UI surface changed. - Proportionality review is present for the adapter/guard abstraction.
- No application runtime file was edited during preparation.
Prerequisites for Implementation
- Re-check current branch, HEAD, and dirty state before runtime changes.
- Confirm Specs 429-433 remain read-only context.
- Confirm Spec 433 has no merge-blocking readiness/redaction/no-promotion finding for this adapter slice.
- Confirm Spec 430 verified command contracts still cover
transportRule,remoteDomain, andinboundConnector. - Confirm Spec 432 runner boundary remains implemented and validated.
- Confirm Spec 433 combined credential/permission readiness remains implemented and validated.
- Confirm
exchange_powershell_invokeprovider capability evaluation remains implemented and validated. - Confirm no new UI/routes/jobs/schedules/listeners/migrations/customer-output scope is required.
Scope Requirements
- Adapter boundary only.
- Content-only guard only.
- Identity hard-stop before evidence append.
- Empty collection no-fake-evidence policy.
- No full target evidence promotion.
- No compare/render.
- No certification.
- No restore.
- No customer claim.
- No UI.
- No jobs/schedules/listeners/triggers.
- No migration unless spec is amended.
- No
tenant_idownership truth.
OperationRun Requirements
- Uses
tenant_configuration.capture. - Does not add a new OperationRun type.
- Requires same workspace and managed environment scope.
- Requires matching provider connection scope.
- Uses existing summary keys only; no
OperationSummaryKeysexpansion was required. - Summary counts are flat numeric values.
- OperationRun context contains no raw payload.
- OperationRun context contains no raw stdout/stderr.
- OperationRun context contains no credential material, token, provider response body, or serialized Exchange object.
Adapter Boundary Requirements
- Exchange adapter exists or repo-canonical equivalent exists.
- Adapter is internal/trusted only.
- Adapter accepts only
transportRule,remoteDomain, andinboundConnector. - Adapter requires Spec 433 readiness.
- Adapter requires
exchange_powershell_invokeprovider capability statusSupported. - Adapter requires Spec 432 runner boundary.
- Adapter accepts only successful list-shaped
ExchangePowerShellInvocationResultoutput with sanitizedstructured_collectionorempty_collectioncontext. - Adapter requires Spec 430 verified command contracts.
- Adapter does not use
ProviderGatewayor the generic Graph list path. - Adapter does not fake Graph endpoints or fake captured outcomes.
- Adapter-local outcome/failure codes are limited to the Spec 434 allowlist.
- Persisted evidence outcomes reuse existing
CaptureOutcomevalues only.
Identity Requirements
- Identity is evaluated before evidence append.
- Identity conflict blocks.
- Missing stable external ID blocks unless an existing repo-approved safe rule applies.
- Unsupported identity blocks.
- Duplicate identity blocks.
- Display-name-only stable identity is impossible by default.
- Unsafe identity blocks before the writer path by adapter code order plus zero resource/evidence assertions; no literal writer spy is used.
- Unsafe identity creates no resource or evidence row.
Content-Only Guard Requirements
- Maximum Exchange adapter coverage level is
content_backed. - Comparable is not set.
- Renderable is not set.
- Certified is not set.
- Restore-ready is not set.
- Customer-claimable is not set.
- Existing Graph capture writer behavior remains unchanged.
Empty Collection Requirements
- Empty collection produces a safe zero-item outcome.
- Empty collection uses
exchange_capture_empty_collectionor repo-canonical equivalent only as an internal sanitized outcome. - Empty collection may update safe summary counts only.
- Empty collection creates no fake resource row.
- Empty collection creates no fake evidence row.
- Durable collection-level empty proof is deferred.
Redaction Requirements
- Raw provider payload stays out of OperationRun context, messages, logs, notifications, and summaries.
- Raw stdout/stderr stays out of OperationRun context, messages, logs, notifications, and summaries.
- Serialized Exchange objects stay out of OperationRun context, messages, logs, notifications, and summaries.
- Credential material, tokens, authorization headers, cookies, and certificate material never appear in context/logs/tests.
- Sensitive Exchange configuration examples are not rendered or summarized as product/customer output.
Product Surface / Trigger Requirements
- No routes.
- No Filament pages/resources/widgets.
- No Livewire components.
- No Blade/view changes.
- No navigation.
- No asset changes.
- No global search changes.
- No job trigger.
- No schedule trigger.
- No listener trigger.
- No customer output.
- No report, Review Pack, PDF, restore, compare/render, or certification surface.
- Browser result is
N/A - no rendered UI surface changed.
Architecture Requirements
- Uses existing Coverage v2 evidence architecture.
- Generic Graph capture remains intact.
- No Exchange-specific evidence table.
- No
tenant_idownership truth. - No new
CaptureOutcomeenum value. - No Exchange mini-platform.
- No legacy shim.
- No fallback reader.
- No dual write.
- No Coverage v1 bridge.
Validation Requirements
- Focused Spec 434 unit-test intent is covered by the DB-backed Spec 434 feature test file per the tasks implementation note.
- Focused Spec 434 feature tests pass; implementation report records 25 tests / 154 assertions.
- Spec 433 regression passes.
- Spec 432/431/430 regression passes.
- Coverage v2/generic capture/identity/provider regressions pass.
- Provider capability regressions prove
exchange_powershell_invokemust beSupportedbefore adapter capture proceeds. - Laravel 12, PHP 8.4, PostgreSQL, and Pest 4 compatibility notes are recorded.
- Pint passes.
git diff --checkpasses for tracked changes; untracked file content is not claimed as covered until staged/tracked and is listed throughgit status --short.git status --shortis documented.- Implementation report records all required matrices and deferred work.
Final Implementation Gate
Choose one during implementation close-out:
PASS
PASS WITH CONDITIONS
FAIL
PASS requires:
Exchange capture adapter boundary exists.
tenant_configuration.capture is reused.
No new OperationRun type is added.
exchange_powershell_invoke provider capability is required and Supported.
Accepted runner output is an ExchangePowerShellInvocationResult with list-shaped structured or empty collection context.
Identity hard-stop prevents unsafe evidence append.
Content-only guard prevents promotion beyond content_backed.
Empty collection policy prevents fake evidence.
Generic Graph capture remains intact.
OperationRun context is sanitized.
Persisted outcomes use existing CaptureOutcome values and internal outcome/failure codes are allowlisted.
No compare/render/certification/restore/customer state appears.
No UI/routes/jobs/schedules/listeners are added.
No tenant_id ownership truth is introduced.
No Exchange-specific evidence table appears.
Focused tests and regressions pass.
PASS WITH CONDITIONS is allowed only for bounded follow-ups that do not weaken adapter safety, identity hard-stop, content-only guard, empty-collection safety, redaction, no-promotion posture, no-product-surface posture, ownership, or no-mini-platform posture.
FAIL if:
Exchange adapter bypasses readiness gates.
Exchange adapter proceeds while exchange_powershell_invoke is not Supported.
Exchange adapter accepts malformed or unverified runner output.
Unsafe identity can append evidence.
CoverageEvidenceWriter can over-promote through the Exchange path.
Empty collection creates fake evidence.
New CaptureOutcome values are added without spec amendment.
Exchange routes through Graph gateway incorrectly.
OperationRun stores raw payload or credential/provider secrets.
Coverage promotes to comparable/renderable/certified.
Restore/customer claims appear.
UI/routes/jobs/schedules/listeners are added.
tenant_id ownership truth is introduced.
Exchange-specific evidence table appears.
Tests do not prove adapter and guard safety.