TenantAtlas/specs/427-exchange-teams-verified-source-contract-enablement/tasks.md
ahmido bfb52b84d6 feat: implement spec 427 source contract enablement (#494)
Automated PR for spec 427 Exchange Teams verified source contract enablement.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #494
2026-07-03 23:12:45 +00:00

Tasks: Spec 427 - Exchange / Teams Verified Source Contract Enablement

Input: Design documents from /specs/427-exchange-teams-verified-source-contract-enablement/
Prerequisites: spec.md, plan.md, checklists/requirements.md

Test Governance Checklist

  • Lane assignment is named and is the narrowest sufficient proof for the changed behavior.
  • New or changed tests stay in the smallest honest family, and any heavy-governance or browser addition is explicit.
  • Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default; any widening is isolated or documented.
  • Planned validation commands cover the change without pulling in unrelated lane cost.
  • Browser proof is explicitly N/A - no rendered UI surface changed.
  • Human Product Sanity and Product Surface close-out are N/A - no rendered UI surface changed.
  • Any material budget, baseline, trend, or escalation note is recorded in the active spec or implementation report.

Phase 1: Preflight And Dependency Guardrails

Purpose: Confirm the implementation can proceed without rewriting completed specs or drifting into runtime promotion.

  • T001 Capture branch, HEAD, and git status --short in specs/427-exchange-teams-verified-source-contract-enablement/implementation-report.md.
  • T002 Confirm Specs 414, 415, 417, 419, 420, and 426 are completed dependency context only and do not modify their artifacts.
  • T003 Verify current canonical resource names in apps/platform/app/Services/TenantConfiguration/ResourceTypeRegistry.php and document the mapping from exchange.* / teams.* labels to repo keys.
  • T004 Verify current fail-safe resolver behavior for transportRule, acceptedDomain, appPermissionPolicy, and meetingPolicy in apps/platform/app/Services/TenantConfiguration/CoverageSourceContractResolver.php.
  • T005 Confirm no UI, route, navigation, Filament provider, browser proof, OperationRun, real provider capture, evidence promotion, compare/render promotion, certification, restore, or customer output is required by this spec.
  • T006 Confirm no tenant_id, legacy adapter, fallback reader, dual write, or Coverage v1 vocabulary path is needed.

Phase 2: Source Contract State Model

Purpose: Make the verified-or-blocked contract result precise without creating a parallel source-of-truth layer.

  • T007 [P] Add or update unit coverage for contract state mapping in apps/platform/tests/Unit/Support/TenantConfiguration/Spec427ExchangeTeamsSourceContractStateTest.php.
  • T008 Define or map contract_verified_pending_capture, contract_blocked_missing_source, contract_blocked_permission_unclear, contract_blocked_beta_only, contract_blocked_response_shape_unsafe, contract_blocked_repo_adapter_missing, contract_blocked_identity_unsafe, and contract_blocked_redaction_unsafe in apps/platform/app/Services/TenantConfiguration/CoverageSourceContractResolver.php and apps/platform/app/Services/TenantConfiguration/CoverageSourceContractDecision.php.
  • T009 Ensure any new state/reason values have behavior or follow-up consequences and are documented in specs/427-exchange-teams-verified-source-contract-enablement/implementation-report.md.
  • T010 Ensure existing apps/platform/app/Support/TenantConfiguration/CaptureOutcome.php values remain compatible; do not create ambiguous duplicate truth between capture outcomes and source-contract states.

Phase 3: Per-Type Contract Verification

Purpose: Verify each target contract or block it with an exact safe reason.

  • T011 [P] Add transportRule contract verification tests in apps/platform/tests/Unit/Support/TenantConfiguration/Spec427ExchangeTransportRuleContractTest.php.
  • T012 [P] Add acceptedDomain contract verification tests in apps/platform/tests/Unit/Support/TenantConfiguration/Spec427ExchangeAcceptedDomainContractTest.php.
  • T013 [P] Add appPermissionPolicy contract verification tests in apps/platform/tests/Unit/Support/TenantConfiguration/Spec427TeamsAppPermissionPolicyContractTest.php.
  • T014 [P] Add meetingPolicy contract verification tests in apps/platform/tests/Unit/Support/TenantConfiguration/Spec427TeamsMeetingPolicyContractTest.php.
  • T015 Verify or block the transportRule source contract through existing resolver/registry files: apps/platform/app/Services/TenantConfiguration/CoverageSourceContractResolver.php and, only if repo-safe, apps/platform/config/graph_contracts.php.
  • T016 Verify or block the acceptedDomain source contract through existing resolver/registry files: apps/platform/app/Services/TenantConfiguration/CoverageSourceContractResolver.php and, only if repo-safe, apps/platform/config/graph_contracts.php.
  • T017 Verify or block the appPermissionPolicy source contract through existing resolver/registry files: apps/platform/app/Services/TenantConfiguration/CoverageSourceContractResolver.php and, only if repo-safe, apps/platform/config/graph_contracts.php.
  • T018 Verify or block the meetingPolicy source contract through existing resolver/registry files: apps/platform/app/Services/TenantConfiguration/CoverageSourceContractResolver.php and, only if repo-safe, apps/platform/config/graph_contracts.php.
  • T019 Prove the existing provider adapter path for any repo_existing_provider_adapter source class, or assert contract_blocked_repo_adapter_missing in the relevant per-type test; document the final source class, source contract name/version, permission model, response shape, identity handoff, redaction rules, provider adapter proof/blocker, and final blocker/verified state for all four types in specs/427-exchange-teams-verified-source-contract-enablement/implementation-report.md.

Phase 4: Permission, Response Shape, Identity, And Redaction Safety

Purpose: Ensure verified contracts are safe enough for a later capture spec and unsafe contracts stay blocked.

  • T020 [P] Add permission metadata tests in apps/platform/tests/Unit/Support/TenantConfiguration/Spec427SourceContractPermissionMetadataTest.php.
  • T021 [P] Add response-shape tests in apps/platform/tests/Unit/Support/TenantConfiguration/Spec427SourceContractResponseShapeTest.php.
  • T022 [P] Add identity handoff tests in apps/platform/tests/Unit/Support/TenantConfiguration/Spec427SourceContractIdentityHandoffTest.php.
  • T023 [P] Add redaction metadata tests in apps/platform/tests/Unit/Support/TenantConfiguration/Spec427SourceContractRedactionTest.php.
  • T024 Ensure unclear required permissions block verification, do not widen provider scopes in apps/platform/app/Services/TenantConfiguration/CoverageSourceContractResolver.php or apps/platform/config/graph_contracts.php, and capture static/diff proof that no provider OAuth scope, provider capability, or permission productization config changed outside this bounded contract metadata path.
  • T025 Ensure unsafe response semantics block verification in apps/platform/app/Services/TenantConfiguration/CoverageSourceContractResolver.php when empty, denied, unsupported, unavailable, and malformed responses cannot be distinguished.
  • T026 Ensure display-name-only, order/hash-only, or otherwise unstable identity blocks verification using existing apps/platform/app/Services/TenantConfiguration/CoverageIdentityStrategyRegistry.php and apps/platform/app/Services/TenantConfiguration/CanonicalIdentityResolver.php.
  • T027 Ensure sensitive fields and permission context have redaction rules in apps/platform/app/Services/TenantConfiguration/CoveragePayloadRedactor.php or source-contract metadata before any contract is marked verified pending capture.
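The fail-closed gating that T024-T027 describe, sketched as an added example (not the project's resolver code). The state values are the names listed in T008 and `repo_existing_provider_adapter` is the source class named in T019; the enum, the function, the metadata keys, the permission placeholder and the order of the checks are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// State values are the names listed in T008; all other names are hypothetical.
enum ContractState: string
{
    case Verified = 'contract_verified_pending_capture';
    case MissingSource = 'contract_blocked_missing_source';
    case PermissionUnclear = 'contract_blocked_permission_unclear';
    case BetaOnly = 'contract_blocked_beta_only';
    case ResponseShapeUnsafe = 'contract_blocked_response_shape_unsafe';
    case AdapterMissing = 'contract_blocked_repo_adapter_missing';
    case IdentityUnsafe = 'contract_blocked_identity_unsafe';
    case RedactionUnsafe = 'contract_blocked_redaction_unsafe';
}

// Fail closed: an absent or unknown value blocks; only a full pass verifies.
function decideContract(array $m): ContractState
{
    $class = $m['source_class'] ?? null;
    if ($class === null) { return ContractState::MissingSource; }
    // Anything not explicitly marked stable is treated as beta.
    if (($m['api_channel'] ?? 'beta') !== 'stable') { return ContractState::BetaOnly; }
    if ($class === 'repo_existing_provider_adapter' && ($m['adapter_proven'] ?? false) !== true) {
        return ContractState::AdapterMissing;
    }
    if (empty($m['required_permissions'])) { return ContractState::PermissionUnclear; }
    // T025: each of the five outcomes needs its own distinguishable signal.
    $outcomes = ['empty', 'denied', 'unsupported', 'unavailable', 'malformed'];
    if (array_diff($outcomes, $m['distinguishable_outcomes'] ?? []) !== []) {
        return ContractState::ResponseShapeUnsafe;
    }
    // T026: allowlist of stable identity bases; display name, order and hash are not on it.
    if (!in_array($m['identity_basis'] ?? null, ['immutable_provider_id'], true)) {
        return ContractState::IdentityUnsafe;
    }
    // T027: sensitive fields must be declared, and every one needs a redaction rule.
    if (!isset($m['sensitive_fields'])
        || array_diff($m['sensitive_fields'], array_keys($m['redaction_rules'] ?? [])) !== []) {
        return ContractState::RedactionUnsafe;
    }
    return ContractState::Verified;
}

// Constructed sample metadata, not the project's real contract data.
$complete = ['source_class' => 'repo_existing_provider_adapter', 'api_channel' => 'stable',
    'adapter_proven' => true, 'required_permissions' => ['Example.Read.All'], // placeholder
    'distinguishable_outcomes' => ['empty', 'denied', 'unsupported', 'unavailable', 'malformed'],
    'identity_basis' => 'immutable_provider_id',
    'sensitive_fields' => ['owner'], 'redaction_rules' => ['owner' => 'mask']];
// Same contract, but denied and empty responses cannot be told apart.
$ambiguous = ['distinguishable_outcomes' => ['unsupported', 'unavailable', 'malformed']] + $complete;
echo decideContract($complete)->value, PHP_EOL, decideContract($ambiguous)->value, PHP_EOL;
```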

Phase 5: No-Promotion And Architecture Guards

Purpose: Preserve Spec 426 fail-safe behavior and prevent premature readiness claims.

  • T028 [P] Add no-evidence-promotion tests in apps/platform/tests/Feature/TenantConfiguration/Spec427ExchangeTeamsNoEvidencePromotionTest.php.
  • T029 [P] Add no compare/render/certification tests in apps/platform/tests/Feature/TenantConfiguration/Spec427ExchangeTeamsNoCompareRenderCertificationTest.php.
  • T030 [P] Add no customer/restore claim tests in apps/platform/tests/Feature/TenantConfiguration/Spec427ExchangeTeamsNoCustomerRestoreClaimTest.php.
  • T031 [P] Add no tenant_id ownership regression in apps/platform/tests/Feature/TenantConfiguration/Spec427ExchangeTeamsNoTenantIdTest.php.
  • T032 [P] Add no Exchange/Teams mini-platform regression in apps/platform/tests/Feature/TenantConfiguration/Spec427ExchangeTeamsNoMiniPlatformTest.php.
  • T033 Ensure verified contracts remain pending_capture only and do not create TenantConfigurationResource or TenantConfigurationResourceEvidence rows through apps/platform/app/Services/TenantConfiguration/GenericContentEvidenceCaptureService.php, apps/platform/app/Models/TenantConfigurationResource.php, or apps/platform/app/Models/TenantConfigurationResourceEvidence.php in this spec.
  • T034 Ensure no new Exchange/Teams-specific migration, model, route, Filament Resource/Page/Widget, dashboard, report, export, Review Pack output, PDF output, restore action, or customer surface is introduced under apps/platform/database/, apps/platform/app/Models/, apps/platform/app/Filament/, apps/platform/routes/, or apps/platform/resources/.

Phase 6: Regression And Validation

Purpose: Prove Spec 427 did not weaken completed Coverage v2 prerequisites.

  • T035 Run focused Spec 427 unit tests with cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Support/TenantConfiguration/Spec427ExchangeTeamsSourceContractStateTest.php tests/Unit/Support/TenantConfiguration/Spec427ExchangeTransportRuleContractTest.php tests/Unit/Support/TenantConfiguration/Spec427ExchangeAcceptedDomainContractTest.php tests/Unit/Support/TenantConfiguration/Spec427TeamsAppPermissionPolicyContractTest.php tests/Unit/Support/TenantConfiguration/Spec427TeamsMeetingPolicyContractTest.php tests/Unit/Support/TenantConfiguration/Spec427SourceContractPermissionMetadataTest.php tests/Unit/Support/TenantConfiguration/Spec427SourceContractResponseShapeTest.php tests/Unit/Support/TenantConfiguration/Spec427SourceContractIdentityHandoffTest.php tests/Unit/Support/TenantConfiguration/Spec427SourceContractRedactionTest.php.
  • T036 Run focused Spec 427 feature tests with cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/TenantConfiguration/Spec427ExchangeTeamsNoEvidencePromotionTest.php tests/Feature/TenantConfiguration/Spec427ExchangeTeamsNoCompareRenderCertificationTest.php tests/Feature/TenantConfiguration/Spec427ExchangeTeamsNoCustomerRestoreClaimTest.php tests/Feature/TenantConfiguration/Spec427ExchangeTeamsNoTenantIdTest.php tests/Feature/TenantConfiguration/Spec427ExchangeTeamsNoMiniPlatformTest.php.
  • T037 Run Spec 426 source/fail-safe regressions with cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Support/TenantConfiguration/Spec426ExchangeTeamsSourceContractResolverTest.php tests/Feature/TenantConfiguration/Spec426ExchangeTeamsCoreEvidenceReadinessTest.php.
  • T038 Run Spec 417 identity and Spec 420 generic evidence regressions with cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Support/TenantConfiguration/Spec417CoverageIdentityStrategyRegistryTest.php tests/Unit/Support/TenantConfiguration/Spec420M365CaptureSourceContractResolverTest.php tests/Feature/TenantConfiguration/Spec420M365GenericEvidenceCaptureTest.php.
  • T039 Run cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent.
  • T040 Run git diff --check.
  • T041 If any combined --filter=Spec427 or regression filter is killed by Signal 9, document the combined command, Signal 9 result, direct-file runs, pass counts, assertion counts, and regression pass counts in specs/427-exchange-teams-verified-source-contract-enablement/implementation-report.md.

Phase 7: Product Surface, Filament, Deployment, And Close-Out

Purpose: Finish the active spec without implying application implementation readiness beyond the bounded contract slice.

  • T042 Record Product Surface result as N/A - no rendered UI surface changed in specs/427-exchange-teams-verified-source-contract-enablement/implementation-report.md.
  • T043 Record Livewire v4 compliance, provider registration location, global search posture, destructive/high-impact action posture, asset strategy, tests/browser result, deployment impact, visible complexity outcome, and no completed-spec rewrite assertion in specs/427-exchange-teams-verified-source-contract-enablement/implementation-report.md.
  • T044 Complete the required source contract matrix and no-promotion matrix in specs/427-exchange-teams-verified-source-contract-enablement/implementation-report.md.
  • T045 Document deferred work: content-backed evidence promotion, compare/render promotion, certified compare pack, customer reporting claims, restore/apply, provider permission productization, and optional resource expansion.

Dependencies & Execution Order

  • Phase 1 blocks all implementation.
  • Phase 2 must complete before per-type contract verification.
  • Phase 3 and Phase 4 tests can be developed in parallel by file.
  • Phase 5 no-promotion guards must pass before claiming any target type is verified pending capture.
  • Phase 6 validation and Phase 7 close-out are final gates.

Parallel Opportunities

  • T011-T014 can run in parallel after T007-T010.
  • T020-T023 can run in parallel after the contract metadata shape is decided.
  • T028-T032 can run in parallel because they cover separate guard files.

Implementation Strategy

  1. Preserve current fail-safe behavior first.
  2. Add exact blocker/verified metadata without promoting evidence.
  3. Verify each target independently.
  4. Run no-promotion guards before any regression close-out.
  5. Stop if implementation requires UI, live provider calls, new permissions, migrations, or customer claims.

Stop Conditions

  • A target contract can only be "verified" through endpoint guessing or runtime docs fetch.
  • A verified state would require provider permission widening not already productized.
  • Implementation needs real provider capture or OperationRun creation.
  • Evidence, compare/render, certification, restore, customer output, UI, route, navigation, or report output becomes necessary.
  • tenant_id, legacy adapters, fallback readers, dual writes, or a new Exchange/Teams mini-platform appear.