TenantAtlas/specs/040-inventory-core/plan.md
ahmido dedca3c612 spec: add inventory specs 039-044 (#42)
What’s included
	•	specs/039-inventory-program/ — program/epic overview (vision + phased plan)
	•	specs/041-inventory-ui/ — UI skeleton (Inventory list, Coverage, Sync Runs)
	•	specs/042-inventory-dependencies-graph/ — dependency graph skeleton (assignments/filters/scope tags → later)
	•	specs/043-cross-tenant-compare-and-promotion/ — compare/promotion skeleton (read-only first; writes gated later)
	•	specs/044-drift-mvp/ — drift detection skeleton (read-only by default)

Why

We need a clear, spec-first structure for:
	•	separating Inventory (“last observed”) from Snapshots/Backups (immutable)
	•	scaling to MSP / multi-tenant workflows (portfolio, compare, monitoring)
	•	making future modules (security suite, drift, promotion) consistent with the Constitution (fail-safe, auditability, contract-driven Graph)

Scope / Non-goals (this PR)
	•	No implementation tasks executed
	•	No DB migrations, services, jobs, or UI changes
	•	No changes to Graph contracts or supported policy types

Review focus
	•	Naming/numbering and folder structure (spec.md, plan.md, tasks.md for each spec)
	•	Scope boundaries and non-goals across 041–044
	•	Alignment with Constitution principles (tenant isolation, read-only default for analysis, explicit gating for high-risk writes)

Follow-up (next PRs)
	•	Spec 040: Inventory Core (data model + selection hash + missing semantics + NFRs + tests)
	•	Implementation PRs will be split per spec (040 → 041 → 042/043/044)

⸻

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@adsmac.local>
Reviewed-on: #42
2026-01-07 14:01:07 +00:00

Implementation Plan: Inventory Core (040)

Branch: feat/040-inventory-core | Date: 2026-01-07 | Spec: specs/040-inventory-core/spec.md

Summary

Implement a tenant-scoped inventory catalog (“last observed”) and an observable sync run system with deterministic selection scoping. Ensure no snapshots/backups are created by sync.

Constitution Check

  • Inventory-first, snapshots-second (sync never creates snapshots)
  • Read/write separation (sync is read-only; any future writes require preview/confirmation/audit/tests)
  • Single contract path to Graph (Graph access only through existing abstractions/contracts)
  • Deterministic capabilities (capabilities resolver output testable)
  • Tenant isolation (non-negotiable)
  • Automation observable + idempotent (locks, run records, stable error codes, 429/503 handling)
  • Data minimization + safe logging

Deliverables (Phase-friendly)

  • Data model for inventory items and sync runs
  • Sync engine orchestration and locking strategy
  • Deterministic selection hashing
  • Capabilities resolver output snapshot tests
  • Minimal Filament/CLI surface to trigger and observe sync runs (if required by tasks)
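
One way the "Deterministic selection hashing" deliverable could look, as an added example that is not code from the TenantAtlas repository. The function names, the selection fields, treating lists as unordered sets, binding the tenant ID into the digest, and SHA-256 over canonical JSON are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration. All names and the selection shape are assumptions,
// not taken from the TenantAtlas code base. Requires PHP 8.1+.

/** Normalize a selection so that equal selections serialize byte-for-byte equal. */
function canonicalize(mixed $value): mixed
{
    if (!is_array($value)) {
        return $value;
    }
    if (array_is_list($value)) {
        // Assumption: lists are unordered sets, so dedupe and sort by JSON form.
        $byJson = [];
        foreach ($value as $item) {
            $item = canonicalize($item);
            $byJson[json_encode($item, JSON_THROW_ON_ERROR)] = $item;
        }
        ksort($byJson, SORT_STRING);
        return array_values($byJson);
    }
    ksort($value, SORT_STRING); // key order must not influence the hash
    return array_map('canonicalize', $value);
}

/** SHA-256 over canonical JSON; the tenant ID is bound in (assumption). */
function selectionHash(string $tenantId, array $selection): string
{
    $payload = json_encode(
        ['selection' => canonicalize($selection), 'tenant_id' => strtolower($tenantId)],
        JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE
    );
    return hash('sha256', $payload);
}

// Constructed sample selections: same content, different key and list order.
$a = ['policy_types' => ['deviceCompliancePolicy', 'deviceConfiguration'], 'include_foundations' => true];
$b = ['include_foundations' => true, 'policy_types' => ['deviceConfiguration', 'deviceCompliancePolicy', 'deviceConfiguration']];

printf("tenant-a / a: %s\n", selectionHash('tenant-a', $a));
printf("tenant-a / b: %s\n", selectionHash('tenant-a', $b));
printf("tenant-b / a: %s\n", selectionHash('tenant-b', $a));
```

The first two lines print the same digest and the third differs, so under these assumptions the hash can serve as a per-tenant lock or idempotency key for a sync run without two tenants ever sharing a key.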

Out of Scope

  • Dependency graph hydration (spec 042)
  • Cross-tenant promotion (spec 043)
  • Drift reporting (spec 044)
  • Lifecycle “deleted” semantics (feature 900)