TenantAtlas/specs/435-exchange-structured-output-target-normalizer-readiness/checklists/requirements.md
ahmido a09cc6ca8d Spec 435: Exchange structured output readiness (#502)
## Summary

- Add Spec 435 backend-only Exchange structured output envelope and target normalizer readiness helpers for transportRule, remoteDomain, and inboundConnector.
- Add deterministic hash input/readiness handling and no-promotion guard coverage.
- Add Spec 435 spec, plan, tasks, checklist, and implementation report artifacts.

## Validation

- git diff --cached --check
- cd apps/platform && php artisan test --filter=Spec435 --compact

## Product Surface / Deployment

- Livewire v4 compliance unchanged.
- Filament provider registration unchanged under apps/platform/bootstrap/providers.php.
- Global search unchanged; no resources added or modified.
- Destructive/high-impact actions: none.
- Asset strategy: none; no filament:assets requirement for this slice.
- Browser proof: N/A - no rendered UI surface changed.
- Deployment impact: no env vars, migrations, queues, scheduler, storage, assets, or Dokploy runtime behavior changes.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #502
2026-07-08 14:33:23 +00:00

6.1 KiB

Requirements Checklist: Exchange Structured Output and Target Normalizer Readiness

Purpose: Preparation and implementation-readiness checklist for Spec 435. Created: 2026-07-08 Feature: specs/435-exchange-structured-output-target-normalizer-readiness/spec.md

Prerequisites

  • Spec 434 merge-ready proof is required before implementation.
  • Spec 434 adapter boundary, identity hard-stop, content-only writer guard, empty collection no-fake-evidence policy, generic Graph preservation, no UI, no migration, and no tenant_id are recorded as prerequisite proof.
  • Spec 433 credential/permission readiness, client-secret blocking, scoped/current Exchange.ManageAsApp, combined readiness, provider capability support, and runner-gate consumption are recorded as prerequisite proof.
  • Spec 432 runner boundary, process executor abstraction, output guard, timeout/concurrency guards, sanitized OperationRun context, no raw stdout/stderr outside approved paths, no UI, no migration, and no tenant_id are recorded as prerequisite proof.
  • Spec 430 command contracts exist for Get-TransportRule, Get-RemoteDomain, and Get-InboundConnector.

Scope

  • Structured output only.
  • Normalizer readiness only.
  • Targets limited to transportRule, remoteDomain, and inboundConnector.
  • No evidence rows.
  • No content-backed promotion.
  • No compare/render.
  • No certification.
  • No restore.
  • No customer claim.
  • No UI.
  • No jobs/schedules/listeners.
  • No migration.
  • No tenant_id.

Structured Output

  • Structured envelope requirement exists.
  • Raw stdout/stderr exclusion requirement exists.
  • Shape states are defined or mapped to repo-canonical equivalents.
  • Malformed output must block.
  • Scalar output must block.
  • Warning-prefixed output must block or classify safely.
  • Binary/non-UTF8 output must block.
  • Oversized output must block.
  • Non-zero exit must block.
  • Timeout must block.
  • Empty collection is distinguishable from failure states.

Target Normalizers

  • transportRule readiness is required.
  • remoteDomain readiness must complete or explicitly block.
  • inboundConnector readiness must complete or explicitly block.
  • Volatile fields must be handled.
  • Sensitive fields must be handled.
  • Ordering must be deterministic.
  • Hash input rules must be defined.
  • Normalized payload previews are test-only/in-memory and not persisted.

Identity

  • Stable identity rules are required.
  • Display-name-only identity must block.
  • Derived/domain-only identity must block unless proven safe.
  • Duplicate identity must block.
  • Missing identity must block.
  • Unsupported identity must block.
  • Identity-unproven state must block.
  • Explicit blocker states are required.

Redaction

  • transportRule sensitive fields must be classified.
  • remoteDomain sensitive fields must be classified.
  • inboundConnector IPs, hosts, certificate names, comments, and routing metadata must be protected or potentially sensitive.
  • Protected config must not enter OperationRun context/logs/summaries.
  • Credential material must be absent.
  • Customer output must remain absent.

Hash

  • Hash input determinism is required.
  • Material changes must be detected.
  • Volatile changes must be ignored.
  • Provider ordering must be handled deterministically where order is not meaningful.
  • Target type and normalizer version handling are required.
  • Hash input must exclude raw output, OperationRun context, runtime timestamps, PowerShell session metadata, credential metadata, and permission metadata.

Empty Collection

  • Empty collection must be distinguished from failures.
  • Empty collection must create no resource row.
  • Empty collection must create no evidence row.
  • Durable collection proof is deferred.

No Promotion

  • No tenant_configuration_resource_evidence rows.
  • No raw Exchange payload persisted as evidence.
  • No normalized Exchange payload persisted as evidence.
  • No content-backed state.
  • No comparable state.
  • No renderable state.
  • No certified state.
  • No restore-ready state.
  • No customer-ready state.

Product Surface / Trigger

  • No routes.
  • No Filament pages/resources/widgets.
  • No Livewire components.
  • No Blade views.
  • No navigation.
  • No asset changes.
  • No global search changes.
  • No job trigger.
  • No schedule trigger.
  • No listener trigger.
  • Browser N/A.

Architecture

  • Uses existing Exchange adapter/readiness architecture.
  • No migration.
  • No tenant_id ownership truth.
  • No Exchange-specific evidence table.
  • No Exchange mini-platform.
  • No legacy shim.
  • No fallback reader.
  • No dual write.

Validation

  • Focused Spec 435 unit tests pass.
  • Focused Spec 435 feature tests pass.
  • Spec 434 regression passes.
  • Spec 433 regression passes.
  • Spec 432/431/430 regression passes.
  • Spec 415/417/419/420/426/427 regression passes.
  • Provider capability registry/evaluation regression passes.
  • Pint passes.
  • git diff --check passes.
  • git status --short is documented.

Final Candidate Gate

  • PASS for preparation.
  • PASS for implementation.
  • PASS WITH CONDITIONS for implementation.
  • FAIL.

Preparation PASS rationale: spec.md, plan.md, and tasks.md define a bounded, testable, no-application-implementation package. Implementation PASS requires all applicable unchecked runtime validation items above to be checked with evidence.

FAIL if evidence rows are created, content-backed promotion occurs, raw stdout/stderr is treated as evidence, remoteDomain identity is faked, inboundConnector protected config leaks, unsafe output passes readiness, unsafe identity passes readiness, UI/routes/jobs/schedules/listeners are added, migration is added without amendment, tenant_id ownership truth is introduced, an Exchange-specific evidence table appears, or tests do not prove normalizer readiness safety.