Requirements Checklist: Spec 423 - Security and Compliance Readiness Pack
Purpose: Validate that the Spec 423 artifacts are ready for implementation without widening scope beyond bounded Coverage v2 compare/render/readiness support.
Created: 2026-06-30
Feature: spec.md
Scope and Candidate Fit
- CHK001 The selected candidate is explicitly Spec 423 - Security and Compliance Readiness Pack.
- CHK002 The spec explains why the active auto-prep queue being empty does not block this user-promoted candidate.
- CHK003 The spec states the smallest viable slice as DB-only compare/render/readiness over existing content-backed Coverage v2 evidence.
- CHK004 The mandatory first resource types are limited to retentionCompliancePolicy, labelPolicy, and dlpCompliancePolicy.
- CHK005 Optional resource types autoSensitivityLabelPolicy, protectionAlert, and complianceTag are evidence-gated and test-gated.
- CHK006 Explicit non-goals exclude restore/apply, certification, legal/regulatory attestation, customer reports, Review Pack output, new capture/source contracts, new routes/navigation/dashboards, new tables, live provider calls, and a Security/Purview mini-platform.
Existing Evidence and Ownership
- CHK007 The spec and plan identify existing Coverage v2 registry/read-model truth as the implementation base.
- CHK008 The implementation tasks require an evidence-promotion matrix for all six candidate resource types before runtime work.
- CHK009 Ownership is workspace/environment/provider-connection scoped and does not introduce tenant_id.
- CHK010 Related completed Specs 414, 415, and 417-422 are treated as read-only context.
Compare, Render, and Readiness Semantics
- CHK011 Compare labels are bounded to added, removed, changed, unchanged, ignored_volatile, redacted, unsupported_field, and manual_review_required.
- CHK012 Importance labels are derived and bounded to critical, important, informational, and manual_review_required.
- CHK013 Readiness labels are derived, non-persisted, and bounded to the seven states listed in the spec.
- CHK014 Readiness wording cannot imply restore readiness, certification readiness, legal readiness, customer readiness, or Microsoft tenant mutation readiness.
- CHK015 Unsupported or high-risk fields require redaction, unsupported-field handling, or manual-review handling rather than raw default output.
Safety, Claims, and Redaction
- CHK016 Claim Guard allows only scoped internal/operator comparable/renderable/readiness claims for selected Security and Compliance evidence.
- CHK017 Claim Guard blocks restore-ready, apply-ready, certified, legal/regulatory, customer-facing, Review Pack, broad Security and Compliance, broad Purview, and 100 percent coverage claims.
- CHK018 Default-visible summaries hide raw JSON, provider responses, secrets, fingerprints, incident/content payloads, and internal debug fields.
- CHK019 Render/compare/readiness paths are DB-only and cannot call Graph, TCM, HTTP, live providers, or Microsoft documentation.
- CHK020 Selected resource types remain non-restorable and no destructive/high-impact action becomes reachable.
Product Surface Contract
- CHK021 The UI Surface Impact section identifies only existing internal/operator Coverage v2 status/evidence/review presentation changes.
- CHK022 The Product Surface plan classifies the page archetype as Technical Annex / read-only evidence inspection.
- CHK023 No new route, navigation entry, modal, wizard, table, dashboard, panel provider, customer surface, or action is planned.
- CHK024 Browser proof is required if rendered output changes; otherwise the implementation report must record exact "N/A - no rendered UI surface changed".
- CHK025 Human Product Sanity must verify that an internal operator can decide manual-review need without raw payloads or overclaim.
- CHK026 Product Surface exceptions are none unless implementation amends the spec/plan before runtime UI work.
Filament, Livewire, and Deployment
- CHK027 Livewire v4 and Filament v5 posture is explicit.
- CHK028 Panel provider registration location is apps/platform/bootstrap/providers.php, with no panel change planned.
- CHK029 Global search posture is no resource/global search change.
- CHK030 Asset strategy is no new assets unless later amended.
- CHK031 Deployment impact is expected to be no migrations, env vars, queues, scheduler, storage, or assets.
Testing and Review Readiness
- CHK032 Tasks include tests for mandatory type normalization, compare labels, render summaries, readiness states, redaction, Claim Guard, RBAC, no remote calls, and no overclaim.
- CHK033 Tasks include optional type defer/promotion rules with evidence and test gates.
- CHK034 Tasks include implementation-report close-out fields for promoted/deferred type matrix, Product Surface proof, Filament/Livewire posture, deployment impact, no tenant_id, no completed-spec rewrites, no remote calls, and no mini-platform.
- CHK035 Stop conditions require spec/plan amendment before widening scope.
- CHK036 Preparation analysis finds no unresolved placeholders, contradiction between spec/plan/tasks, or missing hard-gate artifact.
Review Outcome
- CHK037 Ready for implementation without scope change.
- CHK038 Ready only after checklist items are corrected.
- CHK039 Blocked pending user/product/legal/security decision.