TenantAtlas/specs/423-security-compliance-readiness-pack/checklists/requirements.md
ahmido c49784b305 feat: complete spec 423 security compliance readiness pack (#490)
Spec 423 security compliance readiness pack implementation. Head commit: c49acba7.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #490
2026-06-30 16:03:01 +00:00

5.5 KiB

Requirements Checklist: Spec 423 - Security and Compliance Readiness Pack

Purpose: Validate that the Spec 423 artifacts are ready for implementation without widening scope beyond bounded Coverage v2 compare/render/readiness support. Created: 2026-06-30 Feature: spec.md

Scope and Candidate Fit

  • CHK001 The selected candidate is explicitly Spec 423 - Security and Compliance Readiness Pack.
  • CHK002 The spec explains why the active auto-prep queue being empty does not block this user-promoted candidate.
  • CHK003 The spec states the smallest viable slice as DB-only compare/render/readiness over existing content-backed Coverage v2 evidence.
  • CHK004 The mandatory first resource types are limited to retentionCompliancePolicy, labelPolicy, and dlpCompliancePolicy.
  • CHK005 Optional resource types autoSensitivityLabelPolicy, protectionAlert, and complianceTag are evidence-gated and test-gated.
  • CHK006 Explicit non-goals exclude restore/apply, certification, legal/regulatory attestation, customer reports, Review Pack output, new capture/source contracts, new routes/navigation/dashboards, new tables, live provider calls, and a Security/Purview mini-platform.

Existing Evidence and Ownership

  • CHK007 The spec and plan identify existing Coverage v2 registry/read-model truth as the implementation base.
  • CHK008 The implementation tasks require an evidence-promotion matrix for all six candidate resource types before runtime work.
  • CHK009 Ownership is workspace/environment/provider-connection scoped and does not introduce tenant_id.
  • CHK010 Related completed Specs 414, 415, and 417-422 are treated as read-only context.

Compare, Render, and Readiness Semantics

  • CHK011 Compare labels are bounded to added, removed, changed, unchanged, ignored_volatile, redacted, unsupported_field, and manual_review_required.
  • CHK012 Importance labels are derived and bounded to critical, important, informational, and manual_review_required.
  • CHK013 Readiness labels are derived, non-persisted, and bounded to the seven states listed in the spec.
  • CHK014 Readiness wording cannot imply restore readiness, certification readiness, legal readiness, customer readiness, or Microsoft tenant mutation readiness.
  • CHK015 Unsupported or high-risk fields require redaction, unsupported-field handling, or manual-review handling rather than raw default output.

Safety, Claims, and Redaction

  • CHK016 Claim Guard allows only scoped internal/operator comparable/renderable/readiness claims for selected Security and Compliance evidence.
  • CHK017 Claim Guard blocks restore-ready, apply-ready, certified, legal/regulatory, customer-facing, Review Pack, broad Security and Compliance, broad Purview, and 100 percent coverage claims.
  • CHK018 Default-visible summaries hide raw JSON, provider responses, secrets, fingerprints, incident/content payloads, and internal debug fields.
  • CHK019 Render/compare/readiness paths are DB-only and cannot call Graph, TCM, HTTP, live providers, or Microsoft documentation.
  • CHK020 Selected resource types remain non-restorable and no destructive/high-impact action becomes reachable.

Product Surface Contract

  • CHK021 The UI Surface Impact section identifies only existing internal/operator Coverage v2 status/evidence/review presentation changes.
  • CHK022 The Product Surface plan classifies the page archetype as Technical Annex / read-only evidence inspection.
  • CHK023 No new route, navigation entry, modal, wizard, table, dashboard, panel provider, customer surface, or action is planned.
  • CHK024 Browser proof is required if rendered output changes; otherwise the implementation report must record exact N/A - no rendered UI surface changed.
  • CHK025 Human Product Sanity must verify that an internal operator can decide manual-review need without raw payloads or overclaim.
  • CHK026 Product Surface exceptions are none unless implementation amends the spec/plan before runtime UI work.

Filament, Livewire, and Deployment

  • CHK027 Livewire v4 and Filament v5 posture is explicit.
  • CHK028 Panel provider registration location is apps/platform/bootstrap/providers.php, with no panel change planned.
  • CHK029 Global search posture is no resource/global search change.
  • CHK030 Asset strategy is no new assets unless later amended.
  • CHK031 Deployment impact is expected to be no migrations, env vars, queues, scheduler, storage, or assets.

Testing and Review Readiness

  • CHK032 Tasks include tests for mandatory type normalization, compare labels, render summaries, readiness states, redaction, Claim Guard, RBAC, no remote calls, and no overclaim.
  • CHK033 Tasks include optional type defer/promotion rules with evidence and test gates.
  • CHK034 Tasks include implementation-report close-out fields for promoted/deferred type matrix, Product Surface proof, Filament/Livewire posture, deployment impact, no tenant_id, no completed-spec rewrites, no remote calls, and no mini-platform.
  • CHK035 Stop conditions require spec/plan amendment before widening scope.
  • CHK036 Preparation analysis finds no unresolved placeholders, contradiction between spec/plan/tasks, or missing hard-gate artifact.

Review Outcome

  • CHK037 Ready for implementation without scope change.
  • CHK038 Ready only after checklist items are corrected.
  • CHK039 Blocked pending user/product/legal/security decision.