Automated PR for spec 427 Exchange Teams verified source contract enablement. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #494
14 KiB
Tasks: Spec 427 - Exchange / Teams Verified Source Contract Enablement
Input: Design documents from /specs/427-exchange-teams-verified-source-contract-enablement/
Prerequisites: spec.md, plan.md, checklists/requirements.md
Test Governance Checklist
- Lane assignment is named and is the narrowest sufficient proof for the changed behavior.
- New or changed tests stay in the smallest honest family, and any heavy-governance or browser addition is explicit.
- Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default; any widening is isolated or documented.
- Planned validation commands cover the change without pulling in unrelated lane cost.
- Browser proof is explicitly
N/A - no rendered UI surface changed. - Human Product Sanity and Product Surface close-out are
N/A - no rendered UI surface changed. - Any material budget, baseline, trend, or escalation note is recorded in the active spec or implementation report.
Phase 1: Preflight And Dependency Guardrails
Purpose: Confirm the implementation can proceed without rewriting completed specs or drifting into runtime promotion.
- T001 Capture branch, HEAD, and
git status --shortinspecs/427-exchange-teams-verified-source-contract-enablement/implementation-report.md. - T002 Confirm Specs 414, 415, 417, 419, 420, and 426 are completed dependency context only and do not modify their artifacts.
- T003 Verify current canonical resource names in
apps/platform/app/Services/TenantConfiguration/ResourceTypeRegistry.phpand document the mapping fromexchange.*/teams.*labels to repo keys. - T004 Verify current fail-safe resolver behavior for
transportRule,acceptedDomain,appPermissionPolicy, andmeetingPolicyinapps/platform/app/Services/TenantConfiguration/CoverageSourceContractResolver.php. - T005 Confirm no UI, route, navigation, Filament provider, browser proof, OperationRun, real provider capture, evidence promotion, compare/render promotion, certification, restore, or customer output is required by this spec.
- T006 Confirm no
tenant_id, legacy adapter, fallback reader, dual write, or Coverage v1 vocabulary path is needed.
Phase 2: Source Contract State Model
Purpose: Make the verified-or-blocked contract result precise without creating a parallel source-of-truth layer.
- T007 [P] Add or update unit coverage for contract state mapping in
apps/platform/tests/Unit/Support/TenantConfiguration/Spec427ExchangeTeamsSourceContractStateTest.php. - T008 Define or map
contract_verified_pending_capture,contract_blocked_missing_source,contract_blocked_permission_unclear,contract_blocked_beta_only,contract_blocked_response_shape_unsafe,contract_blocked_repo_adapter_missing,contract_blocked_identity_unsafe, andcontract_blocked_redaction_unsafeinapps/platform/app/Services/TenantConfiguration/CoverageSourceContractResolver.phpandapps/platform/app/Services/TenantConfiguration/CoverageSourceContractDecision.php. - T009 Ensure any new state/reason values have behavior or follow-up consequences and are documented in
specs/427-exchange-teams-verified-source-contract-enablement/implementation-report.md. - T010 Ensure existing
apps/platform/app/Support/TenantConfiguration/CaptureOutcome.phpvalues remain compatible; do not create ambiguous duplicate truth between capture outcomes and source-contract states.
Phase 3: Per-Type Contract Verification
Purpose: Verify each target contract or block it with an exact safe reason.
- T011 [P] Add
transportRulecontract verification tests inapps/platform/tests/Unit/Support/TenantConfiguration/Spec427ExchangeTransportRuleContractTest.php. - T012 [P] Add
acceptedDomaincontract verification tests inapps/platform/tests/Unit/Support/TenantConfiguration/Spec427ExchangeAcceptedDomainContractTest.php. - T013 [P] Add
appPermissionPolicycontract verification tests inapps/platform/tests/Unit/Support/TenantConfiguration/Spec427TeamsAppPermissionPolicyContractTest.php. - T014 [P] Add
meetingPolicycontract verification tests inapps/platform/tests/Unit/Support/TenantConfiguration/Spec427TeamsMeetingPolicyContractTest.php. - T015 Verify or block the
transportRulesource contract through existing resolver/registry files:apps/platform/app/Services/TenantConfiguration/CoverageSourceContractResolver.phpand, only if repo-safe,apps/platform/config/graph_contracts.php. - T016 Verify or block the
acceptedDomainsource contract through existing resolver/registry files:apps/platform/app/Services/TenantConfiguration/CoverageSourceContractResolver.phpand, only if repo-safe,apps/platform/config/graph_contracts.php. - T017 Verify or block the
appPermissionPolicysource contract through existing resolver/registry files:apps/platform/app/Services/TenantConfiguration/CoverageSourceContractResolver.phpand, only if repo-safe,apps/platform/config/graph_contracts.php. - T018 Verify or block the
meetingPolicysource contract through existing resolver/registry files:apps/platform/app/Services/TenantConfiguration/CoverageSourceContractResolver.phpand, only if repo-safe,apps/platform/config/graph_contracts.php. - T019 Prove the existing provider adapter path for any
repo_existing_provider_adaptersource class, or assertcontract_blocked_repo_adapter_missingin the relevant per-type test; document the final source class, source contract name/version, permission model, response shape, identity handoff, redaction rules, provider adapter proof/blocker, and final blocker/verified state for all four types inspecs/427-exchange-teams-verified-source-contract-enablement/implementation-report.md.
Phase 4: Permission, Response Shape, Identity, And Redaction Safety
Purpose: Ensure verified contracts are safe enough for a later capture spec and unsafe contracts stay blocked.
- T020 [P] Add permission metadata tests in
apps/platform/tests/Unit/Support/TenantConfiguration/Spec427SourceContractPermissionMetadataTest.php. - T021 [P] Add response-shape tests in
apps/platform/tests/Unit/Support/TenantConfiguration/Spec427SourceContractResponseShapeTest.php. - T022 [P] Add identity handoff tests in
apps/platform/tests/Unit/Support/TenantConfiguration/Spec427SourceContractIdentityHandoffTest.php. - T023 [P] Add redaction metadata tests in
apps/platform/tests/Unit/Support/TenantConfiguration/Spec427SourceContractRedactionTest.php. - T024 Ensure unclear required permissions block verification, do not widen provider scopes in
apps/platform/app/Services/TenantConfiguration/CoverageSourceContractResolver.phporapps/platform/config/graph_contracts.php, and capture static/diff proof that no provider OAuth scope, provider capability, or permission productization config changed outside this bounded contract metadata path. - T025 Ensure unsafe response semantics block verification in
apps/platform/app/Services/TenantConfiguration/CoverageSourceContractResolver.phpwhen empty, denied, unsupported, unavailable, and malformed responses cannot be distinguished. - T026 Ensure display-name-only, order/hash-only, or otherwise unstable identity blocks verification using existing
apps/platform/app/Services/TenantConfiguration/CoverageIdentityStrategyRegistry.phpandapps/platform/app/Services/TenantConfiguration/CanonicalIdentityResolver.php. - T027 Ensure sensitive fields and permission context have redaction rules in
apps/platform/app/Services/TenantConfiguration/CoveragePayloadRedactor.phpor source-contract metadata before any contract is marked verified pending capture.
Phase 5: No-Promotion And Architecture Guards
Purpose: Preserve Spec 426 fail-safe behavior and prevent premature readiness claims.
- T028 [P] Add no-evidence-promotion tests in
apps/platform/tests/Feature/TenantConfiguration/Spec427ExchangeTeamsNoEvidencePromotionTest.php. - T029 [P] Add no compare/render/certification tests in
apps/platform/tests/Feature/TenantConfiguration/Spec427ExchangeTeamsNoCompareRenderCertificationTest.php. - T030 [P] Add no customer/restore claim tests in
apps/platform/tests/Feature/TenantConfiguration/Spec427ExchangeTeamsNoCustomerRestoreClaimTest.php. - T031 [P] Add no
tenant_idownership regression inapps/platform/tests/Feature/TenantConfiguration/Spec427ExchangeTeamsNoTenantIdTest.php. - T032 [P] Add no Exchange/Teams mini-platform regression in
apps/platform/tests/Feature/TenantConfiguration/Spec427ExchangeTeamsNoMiniPlatformTest.php. - T033 Ensure verified contracts remain
pending_captureonly and do not createTenantConfigurationResourceorTenantConfigurationResourceEvidencerows throughapps/platform/app/Services/TenantConfiguration/GenericContentEvidenceCaptureService.php,apps/platform/app/Models/TenantConfigurationResource.php, orapps/platform/app/Models/TenantConfigurationResourceEvidence.phpin this spec. - T034 Ensure no new Exchange/Teams-specific migration, model, route, Filament Resource/Page/Widget, dashboard, report, export, Review Pack output, PDF output, restore action, or customer surface is introduced under
apps/platform/database/,apps/platform/app/Models/,apps/platform/app/Filament/,apps/platform/routes/, orapps/platform/resources/.
Phase 6: Regression And Validation
Purpose: Prove Spec 427 did not weaken completed Coverage v2 prerequisites.
- T035 Run focused Spec 427 unit tests with
cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Support/TenantConfiguration/Spec427ExchangeTeamsSourceContractStateTest.php tests/Unit/Support/TenantConfiguration/Spec427ExchangeTransportRuleContractTest.php tests/Unit/Support/TenantConfiguration/Spec427ExchangeAcceptedDomainContractTest.php tests/Unit/Support/TenantConfiguration/Spec427TeamsAppPermissionPolicyContractTest.php tests/Unit/Support/TenantConfiguration/Spec427TeamsMeetingPolicyContractTest.php tests/Unit/Support/TenantConfiguration/Spec427SourceContractPermissionMetadataTest.php tests/Unit/Support/TenantConfiguration/Spec427SourceContractResponseShapeTest.php tests/Unit/Support/TenantConfiguration/Spec427SourceContractIdentityHandoffTest.php tests/Unit/Support/TenantConfiguration/Spec427SourceContractRedactionTest.php. - T036 Run focused Spec 427 feature tests with
cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/TenantConfiguration/Spec427ExchangeTeamsNoEvidencePromotionTest.php tests/Feature/TenantConfiguration/Spec427ExchangeTeamsNoCompareRenderCertificationTest.php tests/Feature/TenantConfiguration/Spec427ExchangeTeamsNoCustomerRestoreClaimTest.php tests/Feature/TenantConfiguration/Spec427ExchangeTeamsNoTenantIdTest.php tests/Feature/TenantConfiguration/Spec427ExchangeTeamsNoMiniPlatformTest.php. - T037 Run Spec 426 source/fail-safe regressions with
cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Support/TenantConfiguration/Spec426ExchangeTeamsSourceContractResolverTest.php tests/Feature/TenantConfiguration/Spec426ExchangeTeamsCoreEvidenceReadinessTest.php. - T038 Run Spec 417 identity and Spec 420 generic evidence regressions with
cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Support/TenantConfiguration/Spec417CoverageIdentityStrategyRegistryTest.php tests/Unit/Support/TenantConfiguration/Spec420M365CaptureSourceContractResolverTest.php tests/Feature/TenantConfiguration/Spec420M365GenericEvidenceCaptureTest.php. - T039 Run
cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent. - T040 Run
git diff --check. - T041 If any combined
--filter=Spec427or regression filter is killed by Signal 9, document the combined command, Signal 9 result, direct-file runs, pass counts, assertion counts, and regression pass counts inspecs/427-exchange-teams-verified-source-contract-enablement/implementation-report.md.
Phase 7: Product Surface, Filament, Deployment, And Close-Out
Purpose: Finish the active spec without implying application implementation readiness beyond the bounded contract slice.
- T042 Record Product Surface result as
N/A - no rendered UI surface changedinspecs/427-exchange-teams-verified-source-contract-enablement/implementation-report.md. - T043 Record Livewire v4 compliance, provider registration location, global search posture, destructive/high-impact action posture, asset strategy, tests/browser result, deployment impact, visible complexity outcome, and no completed-spec rewrite assertion in
specs/427-exchange-teams-verified-source-contract-enablement/implementation-report.md. - T044 Complete the required source contract matrix and no-promotion matrix in
specs/427-exchange-teams-verified-source-contract-enablement/implementation-report.md. - T045 Document deferred work: content-backed evidence promotion, compare/render promotion, certified compare pack, customer reporting claims, restore/apply, provider permission productization, and optional resource expansion.
Dependencies & Execution Order
- Phase 1 blocks all implementation.
- Phase 2 must complete before per-type contract verification.
- Phase 3 and Phase 4 tests can be developed in parallel by file.
- Phase 5 no-promotion guards must pass before claiming any target type is verified pending capture.
- Phase 6 validation and Phase 7 close-out are final gates.
Parallel Opportunities
- T011-T014 can run in parallel after T007-T010.
- T020-T023 can run in parallel after the contract metadata shape is decided.
- T028-T032 can run in parallel because they cover separate guard files.
Implementation Strategy
- Preserve current fail-safe behavior first.
- Add exact blocker/verified metadata without promoting evidence.
- Verify each target independently.
- Run no-promotion guards before any regression close-out.
- Stop if implementation requires UI, live provider calls, new permissions, migrations, or customer claims.
Stop Conditions
- A target contract can only be "verified" through endpoint guessing or runtime docs fetch.
- A verified state would require provider permission widening not already productized.
- Implementation needs real provider capture or OperationRun creation.
- Evidence, compare/render, certification, restore, customer output, UI, route, navigation, or report output becomes necessary.
tenant_id, legacy adapters, fallback readers, dual writes, or a new Exchange/Teams mini-platform appear.