TenantAtlas/specs/434-exchange-evidence-capture-adapter-content-only-guard/checklists/requirements.md
ahmido a23131cdbc feat: add Exchange evidence capture adapter guard (#501)
Summary: add Spec 434 Exchange PowerShell evidence capture adapter and prerequisite/identity/content-only guards; cap Exchange evidence at content_backed while preserving Graph capture. Validation: php artisan test --filter=Spec434 --compact; ./vendor/bin/pint --dirty --test; git diff --cached --check. Product Surface: N/A - no rendered UI surface changed; no deployment impact.
Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #501
2026-07-08 10:46:05 +00:00

9.7 KiB

Requirements Checklist: Exchange Evidence Capture Adapter and Content-Only Guard

Feature: specs/434-exchange-evidence-capture-adapter-content-only-guard/ Mode: Backend adapter/guard implementation close-out. Preparation completed earlier; implementation evidence is documented in tasks.md and implementation-report.md.

Implementation Evidence Note

  • Completed items below are marked only where supported by the implementation report, completed task evidence, focused Spec 434 feature coverage, regression results, or code review evidence.
  • Unsafe-identity writer non-invocation is proven by adapter code order plus zero resource/evidence database assertions; Spec 434 did not add a literal writer spy.

Preparation Gate

  • spec.md exists.
  • plan.md exists.
  • tasks.md exists.
  • checklists/requirements.md exists.
  • Candidate Selection Gate result is recorded.
  • Spec Readiness Gate result is recorded.
  • Completed-spec guardrail result for Specs 429-433 is recorded.
  • Spec 433 PASS WITH CONDITIONS dependency is recorded.
  • Product Surface impact is N/A - no rendered product surface changed.
  • Browser proof is N/A - no rendered UI surface changed.
  • Proportionality review is present for the adapter/guard abstraction.
  • No application runtime file was edited during preparation.

Prerequisites for Implementation

  • Re-check current branch, HEAD, and dirty state before runtime changes.
  • Confirm Specs 429-433 remain read-only context.
  • Confirm Spec 433 has no merge-blocking readiness/redaction/no-promotion finding for this adapter slice.
  • Confirm Spec 430 verified command contracts still cover transportRule, remoteDomain, and inboundConnector.
  • Confirm Spec 432 runner boundary remains implemented and validated.
  • Confirm Spec 433 combined credential/permission readiness remains implemented and validated.
  • Confirm exchange_powershell_invoke provider capability evaluation remains implemented and validated.
  • Confirm no new UI/routes/jobs/schedules/listeners/migrations/customer-output scope is required.

Scope Requirements

  • Adapter boundary only.
  • Content-only guard only.
  • Identity hard-stop before evidence append.
  • Empty collection no-fake-evidence policy.
  • No full target evidence promotion.
  • No compare/render.
  • No certification.
  • No restore.
  • No customer claim.
  • No UI.
  • No jobs/schedules/listeners/triggers.
  • No migration unless spec is amended.
  • No tenant_id ownership truth.

OperationRun Requirements

  • Uses tenant_configuration.capture.
  • Does not add a new OperationRun type.
  • Requires same workspace and managed environment scope.
  • Requires matching provider connection scope.
  • Uses existing summary keys only; no OperationSummaryKeys expansion was required.
  • Summary counts are flat numeric values.
  • OperationRun context contains no raw payload.
  • OperationRun context contains no raw stdout/stderr.
  • OperationRun context contains no credential material, token, provider response body, or serialized Exchange object.

Adapter Boundary Requirements

  • Exchange adapter exists or repo-canonical equivalent exists.
  • Adapter is internal/trusted only.
  • Adapter accepts only transportRule, remoteDomain, and inboundConnector.
  • Adapter requires Spec 433 readiness.
  • Adapter requires exchange_powershell_invoke provider capability status Supported.
  • Adapter requires Spec 432 runner boundary.
  • Adapter accepts only successful list-shaped ExchangePowerShellInvocationResult output with sanitized structured_collection or empty_collection context.
  • Adapter requires Spec 430 verified command contracts.
  • Adapter does not use ProviderGateway or the generic Graph list path.
  • Adapter does not fake Graph endpoints or fake captured outcomes.
  • Adapter-local outcome/failure codes are limited to the Spec 434 allowlist.
  • Persisted evidence outcomes reuse existing CaptureOutcome values only.

Identity Requirements

  • Identity is evaluated before evidence append.
  • Identity conflict blocks.
  • Missing stable external ID blocks unless an existing repo-approved safe rule applies.
  • Unsupported identity blocks.
  • Duplicate identity blocks.
  • Display-name-only stable identity is impossible by default.
  • Unsafe identity blocks before the writer path by adapter code order plus zero resource/evidence assertions; no literal writer spy is used.
  • Unsafe identity creates no resource or evidence row.

Content-Only Guard Requirements

  • Maximum Exchange adapter coverage level is content_backed.
  • Comparable is not set.
  • Renderable is not set.
  • Certified is not set.
  • Restore-ready is not set.
  • Customer-claimable is not set.
  • Existing Graph capture writer behavior remains unchanged.

Empty Collection Requirements

  • Empty collection produces a safe zero-item outcome.
  • Empty collection uses exchange_capture_empty_collection or repo-canonical equivalent only as an internal sanitized outcome.
  • Empty collection may update safe summary counts only.
  • Empty collection creates no fake resource row.
  • Empty collection creates no fake evidence row.
  • Durable collection-level empty proof is deferred.

Redaction Requirements

  • Raw provider payload stays out of OperationRun context, messages, logs, notifications, and summaries.
  • Raw stdout/stderr stays out of OperationRun context, messages, logs, notifications, and summaries.
  • Serialized Exchange objects stay out of OperationRun context, messages, logs, notifications, and summaries.
  • Credential material, tokens, authorization headers, cookies, and certificate material never appear in context/logs/tests.
  • Sensitive Exchange configuration examples are not rendered or summarized as product/customer output.

Product Surface / Trigger Requirements

  • No routes.
  • No Filament pages/resources/widgets.
  • No Livewire components.
  • No Blade/view changes.
  • No navigation.
  • No asset changes.
  • No global search changes.
  • No job trigger.
  • No schedule trigger.
  • No listener trigger.
  • No customer output.
  • No report, Review Pack, PDF, restore, compare/render, or certification surface.
  • Browser result is N/A - no rendered UI surface changed.

Architecture Requirements

  • Uses existing Coverage v2 evidence architecture.
  • Generic Graph capture remains intact.
  • No Exchange-specific evidence table.
  • No tenant_id ownership truth.
  • No new CaptureOutcome enum value.
  • No Exchange mini-platform.
  • No legacy shim.
  • No fallback reader.
  • No dual write.
  • No Coverage v1 bridge.

Validation Requirements

  • Focused Spec 434 unit-test intent is covered by the DB-backed Spec 434 feature test file per the tasks implementation note.
  • Focused Spec 434 feature tests pass; implementation report records 25 tests / 154 assertions.
  • Spec 433 regression passes.
  • Spec 432/431/430 regression passes.
  • Coverage v2/generic capture/identity/provider regressions pass.
  • Provider capability regressions prove exchange_powershell_invoke must be Supported before adapter capture proceeds.
  • Laravel 12, PHP 8.4, PostgreSQL, and Pest 4 compatibility notes are recorded.
  • Pint passes.
  • git diff --check passes for tracked changes; untracked file content is not claimed as covered until staged/tracked and is listed through git status --short.
  • git status --short is documented.
  • Implementation report records all required matrices and deferred work.

Final Implementation Gate

Choose one during implementation close-out:

PASS
PASS WITH CONDITIONS
FAIL

PASS requires:

Exchange capture adapter boundary exists.
tenant_configuration.capture is reused.
No new OperationRun type is added.
exchange_powershell_invoke provider capability is required and Supported.
Accepted runner output is an ExchangePowerShellInvocationResult with list-shaped structured or empty collection context.
Identity hard-stop prevents unsafe evidence append.
Content-only guard prevents promotion beyond content_backed.
Empty collection policy prevents fake evidence.
Generic Graph capture remains intact.
OperationRun context is sanitized.
Persisted outcomes use existing CaptureOutcome values and internal outcome/failure codes are allowlisted.
No compare/render/certification/restore/customer state appears.
No UI/routes/jobs/schedules/listeners are added.
No tenant_id ownership truth is introduced.
No Exchange-specific evidence table appears.
Focused tests and regressions pass.

PASS WITH CONDITIONS is allowed only for bounded follow-ups that do not weaken adapter safety, identity hard-stop, content-only guard, empty-collection safety, redaction, no-promotion posture, no-product-surface posture, ownership, or no-mini-platform posture.

FAIL if:

Exchange adapter bypasses readiness gates.
Exchange adapter proceeds while exchange_powershell_invoke is not Supported.
Exchange adapter accepts malformed or unverified runner output.
Unsafe identity can append evidence.
CoverageEvidenceWriter can over-promote through the Exchange path.
Empty collection creates fake evidence.
New CaptureOutcome values are added without spec amendment.
Exchange routes through Graph gateway incorrectly.
OperationRun stores raw payload or credential/provider secrets.
Coverage promotes to comparable/renderable/certified.
Restore/customer claims appear.
UI/routes/jobs/schedules/listeners are added.
tenant_id ownership truth is introduced.
Exchange-specific evidence table appears.
Tests do not prove adapter and guard safety.