TenantAtlas/specs/419-m365-tcm-workload-registry-expansion/tasks.md
ahmido 5252398063 feat: expand m365 tcm workload registry (#486)
Automated PR provided by Codex via Gitea API.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #486
2026-06-26 22:36:24 +00:00


# Tasks: Spec 419 - M365 TCM Workload Registry Expansion
**Input**: `specs/419-m365-tcm-workload-registry-expansion/spec.md`, `specs/419-m365-tcm-workload-registry-expansion/plan.md`, `specs/419-m365-tcm-workload-registry-expansion/checklists/requirements.md`
**Prerequisites**: completed Specs 414, 415, 417, and 418 as read-only dependency context
**Tests**: Required. Runtime registry/default/claim behavior must be covered with focused Pest unit and feature/static guard tests. PostgreSQL lane is required if migrations/check constraints/indexes change. Focused browser proof is required if new active registry rows/scopes render on the existing Spec 418 Coverage v2 operator surface.
## Test Governance Checklist
- [x] Lane assignment is named and is the narrowest sufficient proof for registry/default/claim behavior.
- [x] New or changed tests stay in Unit/Feature lanes; PostgreSQL lane is explicit only if schema/check constraints change.
- [x] Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default and opt-in.
- [x] Planned validation commands cover the change without pulling unrelated lane cost.
- [x] Browser proof is required for data-driven existing-surface changes, or explicitly `N/A` only with proof that no new rows/scopes render.
- [x] Human Product Sanity and Product Surface implementation-report close-out cover existing-surface data impact, or are `N/A` only with proof that no rendered output changed.
- [x] Material budget, baseline, trend, or escalation notes are recorded if test cost changes.
## Phase 1: Preflight And Dependency Guard
- [x] T001 Capture branch, HEAD, `git status --short`, activated skills, and hard-gate status in `specs/419-m365-tcm-workload-registry-expansion/implementation-report.md`.
- [x] T002 Confirm `specs/414-tcm-first-coverage-core-cutover/implementation-report.md`, `specs/415-generic-content-backed-capture/implementation-report.md`, `specs/417-canonical-identity-engine/`, and `specs/418-coverage-v2-operator-surface/` are dependency context only and must not be modified.
- [x] T003 Confirm current Coverage v2 registry surfaces exist: `TenantConfigurationResourceType`, `TenantConfigurationSupportedScope`, `ResourceTypeRegistry`, Coverage v2 enum classes, and `ClaimGuard`.
- [x] T004 Inspect current `ResourceTypeRegistry::defaultDefinitions()`, supported-scope definitions, migrations/check constraints, factories, and Claim Guard rules before editing.
- [x] T005 Record the draft-to-repo mapping for missing draft terms: no `tenantpilot_internal` source class, no `detected_only` support state, no `compare_only` or `manual_review_required` restore tier.
- [x] T006 Stop if Coverage v2 registry or Claim Guard is missing, or if implementation would require capture, compare, render, restore, certification, customer output, runtime docs fetch, UI activation, `tenant_id`, or workload-specific mini-platforms.
## Phase 2: Tests First - Workloads, Manifest, And Defaults
- [x] T007 Add focused workload registry tests proving `intune`, `entra`, `exchange`, `teams`, `security_compliance`, `defender`, `purview`, `tenantpilot`, and `unknown` are accepted by the shared Coverage v2 workload enum/check path.
- [x] T008 Add manifest/default tests proving new non-Intune entries default to `default_coverage_level = detected`, `default_evidence_state = not_captured`, and `default_claim_state = internal_only` or `claim_blocked`.
- [x] T009 Add tests proving new non-Intune entries do not default to `content_backed`, `comparable`, `renderable`, `restorable`, `certified`, or `claim_allowed`.
- [x] T010 Add documentation status tests proving `documented_resource_catalog`, `documented_overview_only`, `combined_catalog`, `graph_only`, `internal`, and `unknown` are represented in metadata or a justified field.
- [x] T011 Add partial-vs-full catalog tests proving seeded/partial manifests use `is_full_catalog = false` or equivalent metadata and cannot be treated as full workload coverage.
- [x] T012 Add restore-tier default tests proving high-risk resource types use `not_restorable` or `preview_only`, never `restorable`.
## Phase 3: Tests First - Representative Resource Types
- [x] T013 Add Entra registry tests for `conditionalAccessPolicy`, `securityDefaults`, `application`, `servicePrincipal`, `roleDefinition`, and `administrativeUnit`.
- [x] T014 Add Exchange registry tests for `transportRule`, `acceptedDomain`, `sharedMailbox`, `remoteDomain`, `mailboxPlan`, and `organizationConfig`.
- [x] T015 Add Teams registry tests for `appPermissionPolicy`, `appSetupPolicy`, `meetingPolicy`, `messagingPolicy`, `teamsUpdateManagementPolicy`, and `voiceRoute`.
- [x] T016 Add Security and Compliance registry tests for `labelPolicy`, `retentionCompliancePolicy`, `dlpCompliancePolicy` or repo-canonical equivalent, `autoSensitivityLabelPolicy`, `protectionAlert`, and `complianceTag`.
- [x] T017 Add Defender/Purview workload status tests proving they are represented under `tenant_configuration_supported_scopes.metadata.workload_documentation_status.defender` and `.purview` on the aggregate M365 planning scope, and are not represented as fake certified resource types.
## Phase 4: Tests First - Supported Scopes And Claim Guard
- [x] T018 Add supported-scope tests for `m365_tcm_registry_detected`, `entra_tcm_registry_detected`, `exchange_tcm_registry_detected`, `teams_tcm_registry_detected`, `security_compliance_tcm_registry_detected`, `m365_tcm_generic_future`, and `m365_tcm_certified_none`, including proof that new planning scopes do not accidentally become the existing Coverage v2 operator surface default scope.
- [x] T019 Add tests proving forbidden scopes do not exist: `m365_full_coverage`, `m365_certified`, `all_microsoft_365_supported`, `full_tenant_coverage`, and `full_m365_restore_ready`.
- [x] T020 Add Claim Guard tests blocking `100% Microsoft 365 coverage`, `Full M365 coverage`, `Certified M365 coverage`, `Restore-ready M365 coverage`, `Complete tenant coverage`, `All Microsoft 365 resources supported`, and `All TCM resources certified`.
- [x] T021 Add Claim Guard tests proving internal registry-only percent wording is allowed only when explicitly denominator-scoped, for example seeded Entra registry entries.
## Phase 5: Tests First - No Runtime Capture, No Tenant ID, No Mini-Platform
- [x] T022 Add static/feature guard proving no Graph/TCM/provider remote call path or runtime Microsoft documentation fetch is introduced by Spec 419.
- [x] T023 Add guard proving no capture job, scheduler sync, queue sync, capture/start action, restore/apply action, publish/export action, or certification action is added.
- [x] T024 Add guard proving registry sync/seed does not create concrete `TenantConfigurationResource` or `TenantConfigurationResourceEvidence` rows.
- [x] T025 Add schema/source guard proving no `tenant_id` is introduced as Coverage v2 ownership truth.
- [x] T026 Add guard proving no workload-specific tables/classes/engines are introduced for Entra, Exchange, Teams, Security and Compliance, Defender, or Purview.
- [x] T027 Add guard proving no v1 gap taxonomy, v1-to-v2 adapter, fallback reader, old snapshot promotion, dual write, or customer-facing dual truth appears.
## Phase 6: Workload Enum And Registry Metadata
- [x] T028 Expand or confirm `apps/platform/app/Support/TenantConfiguration/Workload.php` values and related database check constraints for the required workload set.
- [x] T029 Prefer existing JSONB `metadata` for `documentation_status`, `catalog_source`, `catalog_last_reviewed_at`, `source_aliases`, `risk_tier`, `default_restore_posture`, `is_full_catalog`, and `catalog_import_batch`.
- [x] T030 If documentation status or catalog metadata needs a dedicated column/constraint, add a narrow reversible migration and record the proportionality reason in the implementation report.
- [x] T031 Ensure enum/check-constraint additions are mirrored across model casts, migrations, factories, tests, and any registry sync path.
## Phase 7: Resource Type Manifest / Registry Expansion
- [x] T032 Update `ResourceTypeRegistry::defaultDefinitions()` or repo-equivalent static manifest/config with M365 representative entries.
- [x] T033 Ensure TCM-documented entries use `source_class = tcm`.
- [x] T034 Ensure all new non-Intune entries use conservative defaults: support `out_of_scope` unless a new state is justified, coverage `detected`, evidence `not_captured`, claim `internal_only` or `claim_blocked`, restore `not_restorable` or `preview_only`.
- [x] T035 Add Entra representative entries with high-risk defaults for Conditional Access, Security Defaults, and role definitions.
- [x] T036 Add Exchange representative entries with high-risk defaults for transport rules and organization configuration.
- [x] T037 Add Teams representative entries with manual-review/preview-only defaults.
- [x] T038 Add Security and Compliance representative entries with high-risk defaults for labels, retention, DLP, and auto-sensitivity label policies.
- [x] T039 Represent Defender and Purview through `tenant_configuration_supported_scopes.metadata.workload_documentation_status` on the aggregate M365 planning scope without inventing fake certified resource types.
- [x] T040 Ensure aliases such as `dataLossPreventionPolicy` vs `dlpCompliancePolicy` are source aliases, not duplicate canonical types, unless implementation documents a reason.
## Phase 8: Supported Scope Planning
- [x] T041 Add or update supported-scope planning entries required by `spec.md`, preserving the existing operator-surface default scope unless the changed default is explicitly covered by Product Surface/browser proof.
- [x] T042 Ensure scope metadata marks registry-only/detected planning status and `customer_claims_allowed = false` for broad M365 scopes.
- [x] T043 Ensure `m365_tcm_certified_none` explicitly states no M365-wide certified scope exists.
- [x] T044 Ensure `m365_tcm_generic_future` is marked future-only and cannot imply active generic capture.
## Phase 9: Claim Guard Expansion
- [x] T045 Update `ClaimGuard` or repo-equivalent claim-safety path to block broad M365, certified, restore-ready, complete-tenant, all-resource, and unscoped percent claims.
- [x] T046 Allow only explicit internal/operator registry-only denominator-scoped wording when supported by scope metadata.
- [x] T047 Ensure Claim Guard results for new workloads never imply content-backed, comparable, renderable, restorable, certified, or customer-ready coverage by default.
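The blocking and denominator-scoping rules described in T020, T021 and T045-T047, as an added illustration in PHP. This is hypothetical code, not the repository's `ClaimGuard`; the class name and the scope metadata keys `registry_only` and `denominator` are assumptions (`customer_claims_allowed` is the key named in T042).

```php
<?php
declare(strict_types=1);

// Hypothetical claim guard for illustration; not the repository's ClaimGuard class.
final class ClaimGuardExample
{
    // Broad, unscoped coverage wording that is always blocked (the phrases listed in T020).
    private const BLOCKED_PATTERNS = [
        '/\b100\s*%\s+microsoft\s+365\s+coverage\b/i',
        '/\bfull\s+m365\s+coverage\b/i',
        '/\bcertified\s+m365\s+coverage\b/i',
        '/\brestore-ready\s+m365\s+coverage\b/i',
        '/\bcomplete\s+tenant\s+coverage\b/i',
        '/\ball\s+microsoft\s+365\s+resources\s+supported\b/i',
        '/\ball\s+tcm\s+resources\s+certified\b/i',
    ];

    /**
     * Scope metadata keys are assumed: registry_only, customer_claims_allowed, denominator.
     * @return array{allowed: bool, reason: string}
     */
    public static function evaluate(string $claim, array $scopeMetadata = []): array
    {
        foreach (self::BLOCKED_PATTERNS as $pattern) {
            if (preg_match($pattern, $claim) === 1) {
                return ['allowed' => false, 'reason' => 'broad_m365_claim_blocked'];
            }
        }

        // Percent wording is allowed only when the claim names the scope's denominator
        // and the scope is registry-only with customer claims disabled (T021, T046).
        if (preg_match('/\d+(\.\d+)?\s*%/', $claim) === 1) {
            $denominator = (string) ($scopeMetadata['denominator'] ?? '');
            $scoped = $denominator !== '' && stripos($claim, $denominator) !== false;
            $internal = ($scopeMetadata['registry_only'] ?? false) === true
                && ($scopeMetadata['customer_claims_allowed'] ?? true) === false;
            if (! $scoped || ! $internal) {
                return ['allowed' => false, 'reason' => 'unscoped_percent_claim_blocked'];
            }
        }

        return ['allowed' => true, 'reason' => 'claim_within_declared_scope'];
    }
}

// Constructed sample inputs (not taken from the project).
$scope = ['registry_only' => true, 'customer_claims_allowed' => false, 'denominator' => 'seeded Entra registry entries'];
foreach (['100% Microsoft 365 coverage', '42% of seeded Entra registry entries are detected', '42% detected'] as $claim) {
    $result = ClaimGuardExample::evaluate($claim, $scope);
    printf("%-52s => %s (%s)\n", $claim, $result['allowed'] ? 'allowed' : 'blocked', $result['reason']);
}
```

The same percent claim against a scope whose `customer_claims_allowed` is `true`, or that carries no `denominator`, is blocked, which is the default posture T047 asks for.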
## Phase 10: Product Surface Data-Impact And Deployment Review
- [x] T048 Confirm no UI route, Filament page/provider, navigation entry, Blade view, Livewire component, action, report, download, customer output, or rendered label changed; document any existing Spec 418 operator-surface data impact from active registry rows/scopes.
- [x] T049 Run focused existing-surface feature/browser proof if new rows/scopes render: workload filters/scope options are intentional, registry-only status is clear, no broad M365 coverage label appears, no capture/restore/certify/report/download action appears, and no console/Livewire/500 errors appear.
- [x] T050 If any runtime UI code, route, navigation, action, report, download, customer output, or rendered label change is required beyond data-driven existing registry rows, stop and amend `spec.md`, `plan.md`, and `tasks.md` before runtime UI edits.
- [x] T051 Document deployment impact: migrations/check constraints if changed, no env vars, no queues, no scheduler, no storage, no assets, no `filament:assets` requirement unless scope is amended.
- [x] T052 Document staging validation expectations for schema/registry changes before production promotion.
## Phase 11: Validation And Close-Out
- [x] T053 Run `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`.
- [x] T054 Run `cd apps/platform && ./vendor/bin/sail artisan test tests/Unit/Support/TenantConfiguration/Spec419M365WorkloadRegistryTest.php tests/Unit/Support/TenantConfiguration/Spec419M365ClaimGuardTest.php`.
- [x] T055 Run `cd apps/platform && ./vendor/bin/sail artisan test tests/Feature/TenantConfiguration/Spec419M365RegistryExpansionTest.php`.
- [x] T056 If active registry rows/scopes render on the existing Spec 418 surface, run `cd apps/platform && ./vendor/bin/sail artisan test tests/Browser/Spec419M365RegistryOperatorSurfaceSmokeTest.php` or the repo-equivalent focused browser smoke path.
- [x] T057 If migrations/check constraints/indexes changed, run `cd apps/platform && ./vendor/bin/sail php vendor/bin/pest -c phpunit.pgsql.xml tests/Feature/TenantConfiguration/Spec419M365RegistryExpansionTest.php`.
- [x] T058 Run `git diff --check`.
- [x] T059 Complete `specs/419-m365-tcm-workload-registry-expansion/implementation-report.md` with candidate gate result, dirty state before/after, files changed, workload matrix, representative type matrix, full-vs-partial catalog decision, Claim Guard proof, restore tier proof, no-runtime-capture proof, no-tenant_id proof, no-mini-platform proof, Product Surface data-impact decision, tests/browser proof run or N/A proof, deployment impact, and deferred work.
- [x] T060 Confirm no completed historical spec was rewritten or stripped of close-out, validation, task, smoke, browser, or review history.
## Stop Conditions
Stop and update `spec.md`, `plan.md`, and `tasks.md` before continuing if any of these appear:
- Capture, compare, render, restore, apply, certification, customer output, Review Pack/report, broad M365 dashboard, or customer-facing claim activation is needed.
- Graph/TCM/provider remote calls or runtime Microsoft documentation fetch are needed.
- UI route/page/navigation/action/rendered label changes are needed beyond the existing data-driven registry display.
- Existing Coverage v2 operator surface default scope would change without explicit Product Surface/browser proof.
- A partial catalog cannot be labeled as partial.
- A new source/support/restore enum value is needed without proportionality proof.
- `tenant_id` appears as Coverage v2 ownership truth.
- A workload-specific table, model, engine, or mini-platform is introduced.
- A broad M365/certified/restore-ready/all-resource claim must be allowed.