Spec 423 security compliance readiness pack implementation. Head commit: c49acba7.
Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #490
14 KiB
Tasks: Spec 423 - Security and Compliance Readiness Pack
Input: spec.md, plan.md, user-provided Spec 423 draft
Prerequisites: Completed read-only Specs 414, 415, 417, 418, 419, 420, 421, and 422; existing Coverage v2 registry/read model; existing Security and Compliance registry rows; existing Sail/Pest platform test workflow.
Scope Reminder: Implement compare/render/readiness over existing content-backed Coverage v2 evidence only. Do not add restore/apply, certification, legal attestation, customer-facing output, Review Pack output, new capture/source contracts, routes, navigation, dashboards, migrations, tables, live provider calls, or a Security/Purview mini-platform.
Phase 1: Preflight and Evidence Gate
- T001 Record branch, HEAD, dirty state, activated skills, hard-gate status, and implementation start timestamp in `specs/423-security-compliance-readiness-pack/implementation-report.md`.
- T002 Verify `specs/414-tcm-first-coverage-core-cutover/`, `specs/415-generic-content-backed-capture/`, and `specs/417-canonical-identity-engine/` through `specs/422-exchange-teams-comparable-renderable-pack/` are treated as read-only dependency context; record no completed-spec rewrites in `implementation-report.md`.
- T003 Inspect existing Security and Compliance registry rows in `apps/platform/app/Services/TenantConfiguration/ResourceTypeRegistry.php` and `apps/platform/app/Services/TenantConfiguration/SupportedScopeResolver.php`; record canonical keys, aliases, restore tier, and risk posture in `implementation-report.md`.
- T004 Build the evidence-promotion matrix for `retentionCompliancePolicy`, `labelPolicy`, `dlpCompliancePolicy`, `autoSensitivityLabelPolicy`, `protectionAlert`, and `complianceTag` from existing Coverage v2 evidence/test fixtures; mark each type `promote`, `defer_missing_evidence`, `defer_missing_tests`, or `defer_out_of_scope`.
- T005 Stop and amend `spec.md`/`plan.md` before runtime implementation if any promoted type needs a new source contract, capture contract, migration, live provider call, route/navigation, customer output, restore/apply behavior, or completed-spec rewrite.
Phase 2: Tests First - Mandatory Type Normalization
- T006 Add failing unit coverage for deterministic `retentionCompliancePolicy` normalization in `apps/platform/tests/Unit/Support/TenantConfiguration/Spec423SecurityComplianceComparablePayloadNormalizerTest.php`.
- T007 Add failing unit coverage for deterministic `labelPolicy` normalization in `apps/platform/tests/Unit/Support/TenantConfiguration/Spec423SecurityComplianceComparablePayloadNormalizerTest.php`.
- T008 Add failing unit coverage for deterministic `dlpCompliancePolicy` normalization in `apps/platform/tests/Unit/Support/TenantConfiguration/Spec423SecurityComplianceComparablePayloadNormalizerTest.php`.
- T009 Add failing unit coverage proving volatile fields are ignored and sensitive fields are redacted for mandatory types in `apps/platform/tests/Unit/Support/TenantConfiguration/Spec423SecurityComplianceComparablePayloadNormalizerTest.php`.
- T010 Add failing unit coverage proving unsupported or high-risk fields produce `unsupported_field` or `manual_review_required` instead of raw output in `apps/platform/tests/Unit/Support/TenantConfiguration/Spec423SecurityComplianceComparablePayloadNormalizerTest.php`.
Phase 3: Tests First - Compare, Render, and Readiness
- T011 Add failing unit coverage for compare labels `added`, `removed`, `changed`, `unchanged`, `ignored_volatile`, `redacted`, `unsupported_field`, and `manual_review_required` in `apps/platform/tests/Unit/Support/TenantConfiguration/Spec423SecurityComplianceCoverageComparatorTest.php`.
- T012 Add failing unit coverage for derived importance labels `critical`, `important`, `informational`, and `manual_review_required` in `apps/platform/tests/Unit/Support/TenantConfiguration/Spec423SecurityComplianceCoverageComparatorTest.php`.
- T013 Add failing field-level materiality coverage for FR-423-010 in `apps/platform/tests/Unit/Support/TenantConfiguration/Spec423SecurityComplianceCoverageComparatorTest.php`, proving retention duration/disposition/scope/state, DLP mode/actions/rules/scope, label publication/default/mandatory behavior, and evidence-backed optional auto-label/alert/compliance-tag material fields are never downgraded to informational.
- T014 Add failing unit coverage for operator-safe render summaries in `apps/platform/tests/Unit/Support/TenantConfiguration/Spec423SecurityComplianceRenderableSummaryBuilderTest.php`.
- T015 Add failing unit coverage proving render summaries hide raw JSON, provider responses, secrets, fingerprints, mail/chat/file/case content, DLP incident content, and security incident content in `apps/platform/tests/Unit/Support/TenantConfiguration/Spec423SecurityComplianceRenderableSummaryBuilderTest.php`.
- T016 Add failing unit coverage for readiness states `readiness_not_assessed`, `readiness_ready_for_operator_review`, `readiness_requires_manual_review`, `readiness_blocked_identity`, `readiness_blocked_evidence`, `readiness_blocked_permission`, and `readiness_blocked_unsupported` in `apps/platform/tests/Unit/Support/TenantConfiguration/Spec423SecurityComplianceReadinessEvaluatorTest.php`.
- T017 Add failing unit coverage proving readiness never implies restore-ready, certification-ready, legal-ready, customer-ready, or support for Microsoft tenant writes in `apps/platform/tests/Unit/Support/TenantConfiguration/Spec423SecurityComplianceReadinessEvaluatorTest.php`.
Phase 4: Tests First - Claim Guard, Authorization, and No Remote Work
- T018 Add failing Claim Guard tests allowing only scoped internal/operator comparable/renderable/readiness wording for selected Security and Compliance evidence in `apps/platform/tests/Unit/Support/TenantConfiguration/Spec423SecurityComplianceClaimGuardTest.php`.
- T019 Add failing Claim Guard tests blocking restore-ready, apply-ready, certified, legal/regulatory, customer-facing, Review Pack, broad Security and Compliance, broad Purview, and 100 percent coverage claims in `apps/platform/tests/Unit/Support/TenantConfiguration/Spec423SecurityComplianceClaimGuardTest.php`.
- T020 Add failing feature tests proving wrong-workspace/non-member access is deny-as-not-found and missing read capability is 403 in `apps/platform/tests/Feature/TenantConfiguration/Spec423SecurityComplianceCoverageAuthorizationTest.php`.
- T021 Add failing feature tests proving provider connection, managed environment, and workspace scope are enforced without `tenant_id` ownership in `apps/platform/tests/Feature/TenantConfiguration/Spec423SecurityComplianceCoverageAuthorizationTest.php`.
- T022 Add failing feature/unit tests proving compare/render/readiness performs no Graph, TCM, HTTP, provider, Microsoft docs, or remote network calls in `apps/platform/tests/Feature/TenantConfiguration/Spec423SecurityComplianceCoverageReadinessTest.php`.
Phase 5: Implement Typed Security and Compliance Helpers
- T023 Create the smallest repo-conventional typed normalizer for selected Security and Compliance payloads in `apps/platform/app/Services/TenantConfiguration/SecurityComplianceComparablePayloadNormalizer.php`.
- T024 Implement mandatory type field allowlists, volatile-field dropping, stable value shaping, and redaction handoff in `apps/platform/app/Services/TenantConfiguration/SecurityComplianceComparablePayloadNormalizer.php`.
- T025 Implement deterministic compare behavior in `apps/platform/app/Services/TenantConfiguration/SecurityComplianceCoverageComparator.php`.
- T026 Implement operator-safe render summaries in `apps/platform/app/Services/TenantConfiguration/SecurityComplianceRenderableSummaryBuilder.php`.
- T027 Implement bounded readiness/manual-review derivation in `apps/platform/app/Services/TenantConfiguration/SecurityComplianceReadinessEvaluator.php` or the repo-equivalent local helper if sibling naming dictates a different structure.
- T028 Reuse existing `CoveragePayloadRedactor.php` behavior; extend it only if focused tests prove Security/Compliance-sensitive values are not already covered.
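The following is an added illustration of the helper shape Phases 2, 3 and 5 describe: a per-type field allowlist with volatile-field dropping, stable value shaping and a redaction handoff, feeding a deterministic comparator that emits the compare labels (`added`, `removed`, `changed`, `unchanged`, `ignored_volatile`, `redacted`, `unsupported_field`) and an importance label per field. It is example code, not the project's normalizer or comparator; the class names, allowlisted and material field names, the fixture payloads, and the mapping from materiality to `critical`/`important`/`informational`/`manual_review_required` are all assumptions made for this example (PHP 8.1+).

```php
<?php
declare(strict_types=1);

// Added example (not the project's code): allowlist-based normalization plus a
// deterministic field-level comparator. Field names and fixtures are assumptions.

final class ExampleSecurityComplianceNormalizer
{
    /** Per-type field allowlists (assumed); only these fields carry a comparable value. */
    private const ALLOWLIST = [
        'retentionCompliancePolicy' => ['name', 'retentionDuration', 'retentionAction', 'scope', 'enabled'],
        'dlpCompliancePolicy'       => ['name', 'mode', 'actions', 'rules', 'scope'],
        'labelPolicy'               => ['name', 'published', 'defaultLabel', 'mandatory'],
    ];
    /** Fields that churn between captures and must never produce a diff (assumed). */
    private const VOLATILE = ['lastModified', 'whenChanged', 'etag', 'objectVersion'];
    /** Fields whose values are handed to redaction and never surface (assumed). */
    private const SENSITIVE = ['fingerprint', 'exchangeObjectId', 'notificationRecipients'];

    /** Normalize one captured payload of $type into a key-sorted, label-annotated map. */
    public function normalize(string $type, array $payload): array
    {
        $allow = self::ALLOWLIST[$type] ?? throw new InvalidArgumentException("unsupported type: {$type}");
        $out = [];
        foreach ($payload as $field => $value) {
            if (in_array($field, self::VOLATILE, true)) {
                $out[$field] = ['label' => 'ignored_volatile'];
            } elseif (in_array($field, self::SENSITIVE, true)) {
                $out[$field] = ['label' => 'redacted'];          // value intentionally dropped
            } elseif (!in_array($field, $allow, true)) {
                $out[$field] = ['label' => 'unsupported_field']; // never echo unknown raw fields
            } else {
                $out[$field] = ['label' => null, 'value' => $this->shape($value)];
            }
        }
        ksort($out);
        return $out;
    }

    /** Stable value shaping: lists compare order-insensitively, maps are key-sorted. */
    private function shape(mixed $value): mixed
    {
        if (!is_array($value)) {
            return $value;
        }
        $value = array_map(fn ($v) => $this->shape($v), $value);
        if (array_is_list($value)) {
            usort($value, static fn ($a, $b) => strcmp((string) json_encode($a), (string) json_encode($b)));
            return $value;
        }
        ksort($value);
        return $value;
    }
}

final class ExampleSecurityComplianceComparator
{
    /** Material fields (assumed, in the spirit of FR-423-010): a change here is never informational. */
    private const MATERIAL = [
        'retentionCompliancePolicy' => ['retentionDuration', 'retentionAction', 'scope', 'enabled'],
        'dlpCompliancePolicy'       => ['mode', 'actions', 'rules', 'scope'],
        'labelPolicy'               => ['published', 'defaultLabel', 'mandatory'],
    ];

    /** Compare two normalized payloads; output order is fixed so the result is deterministic. */
    public function compare(string $type, array $before, array $after): array
    {
        $fields = array_unique(array_merge(array_keys($before), array_keys($after)));
        sort($fields);
        $result = [];
        foreach ($fields as $field) {
            $b = $before[$field] ?? null;
            $a = $after[$field] ?? null;
            $special = $a['label'] ?? $b['label'] ?? null;
            if ($special !== null) {
                // Volatile noise is informational; anything we could not compare safely needs a human.
                $importance = $special === 'ignored_volatile' ? 'informational' : 'manual_review_required';
                $result[$field] = ['label' => $special, 'importance' => $importance];
                continue;
            }
            $label = match (true) {
                $b === null                => 'added',
                $a === null                => 'removed',
                $b['value'] === $a['value'] => 'unchanged',
                default                    => 'changed',
            };
            $material = in_array($field, self::MATERIAL[$type] ?? [], true);
            $importance = $label === 'unchanged' ? 'informational' : ($material ? 'critical' : 'important');
            $result[$field] = ['label' => $label, 'importance' => $importance];
        }
        return $result;
    }
}

// Constructed fixtures (not from the project's test suite): the same DLP policy before and after
// a mode switch, with reordered actions, rotated volatile/sensitive fields and one unknown field.
$normalizer = new ExampleSecurityComplianceNormalizer();
$before = $normalizer->normalize('dlpCompliancePolicy', [
    'name' => 'Block PAN to external', 'mode' => 'TestWithNotifications',
    'actions' => ['NotifyUser', 'BlockAccess'], 'scope' => 'All',
    'lastModified' => '2024-01-01T00:00:00Z', 'fingerprint' => 'fp-before',
]);
$after = $normalizer->normalize('dlpCompliancePolicy', [
    'name' => 'Block PAN to external', 'mode' => 'Enforce',
    'actions' => ['BlockAccess', 'NotifyUser'], 'scope' => 'All',
    'lastModified' => '2024-02-01T00:00:00Z', 'fingerprint' => 'fp-after', 'priority' => 3,
]);
foreach ((new ExampleSecurityComplianceComparator())->compare('dlpCompliancePolicy', $before, $after) as $field => $entry) {
    printf("%-14s %-18s %s\n", $field, $entry['label'], $entry['importance']);
}
```

With these fixtures `mode` comes out as `changed`/`critical`, `actions` as `unchanged` because list order is normalized away, `lastModified` as `ignored_volatile`, `fingerprint` as `redacted`, and the unknown `priority` as `unsupported_field`/`manual_review_required`; no raw value of a redacted or unsupported field is ever present in the result, which is the property T009 and T010 ask the real tests to prove.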
Phase 6: Integrate with Coverage v2 Read Model and Claims
- T029 Wire selected Security/Compliance helper dispatch into `apps/platform/app/Services/TenantConfiguration/CoverageV2ReadinessReadModel.php` using the existing Entra/Exchange/Teams pattern and without a new generic registry/framework unless implementation evidence proves it is necessary.
- T030 Update `apps/platform/app/Services/TenantConfiguration/ClaimGuard.php` so scoped internal/operator Security/Compliance comparable/renderable/readiness claims are allowed and prohibited claims are blocked.
- T031 Ensure selected type promotion respects the evidence-promotion matrix: unsupported optional types remain deferred and explain why in `implementation-report.md`.
- T032 Confirm existing registry and supported-scope metadata remain conservative: selected Security/Compliance types stay non-restorable and no restore/apply action becomes reachable.
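To show how the bounded readiness derivation (T016, T017, T027) and the Claim Guard wording rules (T018, T019, T030) fit together, here is an added example, not the project's evaluator or `ClaimGuard.php`. It assumes the gate facts are already computed by the authorization and identity layers and passed in as booleans, and it assumes the precedence order among blocked states and the prohibited-phrase list; both are choices made for this example, shaped by the claims T019 says must be blocked.

```php
<?php
declare(strict_types=1);

// Added example (not the project's code): blocked states win in a fixed order, so the
// result is bounded and reproducible; the guard then checks wording about that result.

final class ExampleReadinessEvaluator
{
    /**
     * $gates keys (assumed): read_permitted, type_supported, identity_resolved, evidence_present.
     * $diff is the comparator output keyed by field, or null when no comparison was run.
     */
    public function evaluate(array $gates, ?array $diff): string
    {
        if (!($gates['read_permitted'] ?? false)) {
            return 'readiness_blocked_permission';
        }
        if (!($gates['type_supported'] ?? false)) {
            return 'readiness_blocked_unsupported';
        }
        if (!($gates['identity_resolved'] ?? false)) {
            return 'readiness_blocked_identity';
        }
        if (!($gates['evidence_present'] ?? false)) {
            return 'readiness_blocked_evidence';
        }
        if ($diff === null) {
            return 'readiness_not_assessed';
        }
        foreach ($diff as $entry) {
            if (($entry['importance'] ?? null) === 'manual_review_required') {
                return 'readiness_requires_manual_review';
            }
        }
        // "Ready" here means ready for an operator to look at, nothing more.
        return 'readiness_ready_for_operator_review';
    }
}

final class ExampleClaimGuard
{
    /** Overclaim phrases (assumed list); matched case-insensitively as substrings. */
    private const PROHIBITED = [
        'restore-ready', 'restore ready', 'apply-ready', 'apply ready', 'certified', 'certification',
        'legal', 'regulatory', 'customer-facing', 'review pack', '100 percent', '100%',
        'full security and compliance coverage', 'full purview coverage',
    ];

    /** Prohibited phrases found in $wording; an empty list means the wording is allowed. */
    public function violations(string $wording): array
    {
        $haystack = mb_strtolower($wording);
        $found = [];
        foreach (self::PROHIBITED as $phrase) {
            if (str_contains($haystack, $phrase)) {
                $found[] = $phrase;
            }
        }
        return $found;
    }

    /** The scoped, internal wording the guard allows for a readiness state. */
    public function describe(string $type, string $state): string
    {
        return sprintf(
            'Internal operator readiness for %s: %s, derived from comparable and renderable Coverage v2 evidence only.',
            $type,
            $state
        );
    }
}

// Constructed inputs: all gates pass, but one compared field needed manual review.
$diff = [
    'mode'     => ['label' => 'changed', 'importance' => 'critical'],
    'priority' => ['label' => 'unsupported_field', 'importance' => 'manual_review_required'],
];
$gates = ['read_permitted' => true, 'type_supported' => true, 'identity_resolved' => true, 'evidence_present' => true];
$state = (new ExampleReadinessEvaluator())->evaluate($gates, $diff);

$guard = new ExampleClaimGuard();
$allowed = $guard->describe('dlpCompliancePolicy', $state);
printf("%s\nviolations in allowed wording: %s\n", $allowed, json_encode($guard->violations($allowed)));
printf("violations in overclaim: %s\n", json_encode($guard->violations('dlpCompliancePolicy is restore-ready and certified')));
```

Two properties of the evaluator matter for T017: the permission gate is checked first, so a caller who may not read the evidence never learns whether identity or evidence would have blocked it, and the only positive state is `readiness_ready_for_operator_review`, so there is no value from which a restore, certification or customer claim could be derived. The guard's `describe()` output passes its own `violations()` check, while the constructed overclaim sentence reports `restore-ready` and `certified`.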
Phase 7: Optional Type Promotion Gate
- T033 Promote `autoSensitivityLabelPolicy` only if existing content-backed evidence and focused tests prove normalization, compare, render, readiness, redaction, Claim Guard, RBAC, and no-remote behavior.
- T034 Promote `protectionAlert` only if existing content-backed evidence and focused tests prove default-visible summaries never expose security incident details or sensitive alert payloads.
- T035 Promote `complianceTag` only if existing content-backed evidence and focused tests prove label/tag summaries remain operator-safe and non-certifying.
- T036 Defer any optional type that lacks evidence, test coverage, or bounded semantics; document the reason in `implementation-report.md` instead of widening scope.
Phase 8: Product Surface and Browser Proof
- T037 If rendered output changes, run a focused browser smoke against the existing Coverage v2 readiness/inspect surface and verify decision-first summary, diagnostics-second detail, raw/support gating, no customer/legal/certification/restore wording, and no overlapping/incoherent UI.
- T038 N/A - rendered Coverage v2 output changed, so focused browser proof was recorded under T037 instead of `N/A - no rendered UI surface changed`.
- T039 Record Human Product Sanity result in `implementation-report.md`: an internal operator can decide manual-review need without raw payloads and without overclaim.
- T040 Update `docs/ui-ux-enterprise-audit/coverage` artifacts only if implementation changes runtime UI files, routes, navigation, page structure, actions, or panel/provider surface.
Phase 9: Validation and Close-Out
- T041 Run `cd apps/platform && ./vendor/bin/sail artisan test --filter=Spec423` and record the result in `implementation-report.md`.
- T042 Run focused Claim Guard validation, e.g. `cd apps/platform && ./vendor/bin/sail artisan test --filter=ClaimGuard`, and record the result in `implementation-report.md`.
- T043 Run the existing narrow Coverage v2 affected tests identified during implementation and record commands/results in `implementation-report.md`.
- T044 Run formatting/static validation used by the repo for touched PHP files and record commands/results in `implementation-report.md`.
- T045 Confirm no migration, env var, queue, scheduler, storage, or asset deployment step was introduced; if any was introduced, amend `plan.md` before close-out.
- T046 Confirm Livewire v4 compliance, panel provider registration location (`apps/platform/bootstrap/providers.php`), global search posture, destructive/high-impact action posture, asset strategy, deployment impact, and Product Surface Contract close-out fields in `implementation-report.md`.
- T047 Confirm no `tenant_id` ownership, no raw role-string checks, no completed-spec rewrites, no remote calls, no customer output, no certification/legal/restore/apply claims, and no Security/Purview mini-platform.
Dependencies and Ordering
- T001-T005 must complete before runtime implementation.
- T006-T022 should be written before implementation where practical; if repo helpers require small fixture discovery first, document the deviation in `implementation-report.md`.
- T023-T028 depend on the relevant failing unit tests.
- T029-T032 depend on core helper behavior.
- T033-T036 are optional and may be skipped with documented defer reasons.
- T037-T040 depend on whether rendered output changes.
- T041-T047 are close-out tasks and must not be completed before implementation validation.
Parallel Work Opportunities
- T006-T010 can be split by mandatory resource type.
- T011-T017 can be split by compare/render/readiness helper.
- T018-T019 can run in parallel with T020-T022.
- T023-T028 can proceed in parallel after test contracts are clear, but one reviewer should keep Claim Guard wording aligned with readiness semantics.
- T037-T040 can run after the read model wiring is stable.
Implementation Guardrails
- Keep fake payload fixtures minimal and local to Spec 423 tests.
- Use existing service/test naming conventions from sibling TenantConfiguration code.
- Prefer direct concrete helpers over a new registry, factory, interface, or orchestration pipeline.
- Do not introduce persisted states, enums, tables, migrations, routes, navigation entries, dashboards, actions, or assets without stopping to amend the spec/plan.
- Do not rewrite completed specs to retrofit close-out wording.
- Do not use live Microsoft Graph, TCM, Purview, Security and Compliance, Microsoft docs, or HTTP calls in tests or runtime render/compare/readiness paths.
Completion Definition
- Spec, plan, tasks, checklist, implementation report, and implementation agree on promoted/deferred types.
- Mandatory selected evidence types have deterministic normalization, compare, render, readiness, redaction, Claim Guard, RBAC, and no-remote proof.
- Optional types are either fully proven or explicitly deferred.
- Product Surface proof or exact N/A proof is recorded.
- Deployment impact is assessed as none or amended before merge.