TenantAtlas/specs/414-tcm-first-coverage-core-cutover/implementation-report.md

Implementation Report: Spec 414 - TCM-First Coverage v2 Kernel

Preflight

• Branch: 414-tcm-first-coverage-core-cutover
• Starting HEAD: fdd9eb2e feat: add focused pilot gate recheck (#480)
• Starting dirty state: .specify/memory/constitution.md modified; specs/414-tcm-first-coverage-core-cutover/ untracked.
• Dirty-state assessment: active Spec 414 preparation artifacts only; no runtime code was dirty before implementation.

Scope Close-Out

• Kernel status: inactive Coverage v2 kernel only.
• Kernel tables: tenant_configuration_resource_types, tenant_configuration_supported_scopes.
• Kernel models: TenantConfigurationResourceType, TenantConfigurationSupportedScope.
• Kernel services: ResourceTypeRegistry, SupportedScopeResolver, ClaimGuard.
• Kernel value families: SourceClass, Workload, ResourceClass, SupportState, CoverageLevel, EvidenceState, IdentityState, ClaimState, RestoreTier.
• Runtime UI impact: none.
• Browser proof: N/A - no rendered UI surface changed.
• Human Product Sanity: N/A - no rendered UI surface changed; workflow sanity result is that the slice remains inactive and does not create customer-facing dual truth.
• OperationRun impact: none.
• Remote provider calls: none.
• Legacy compatibility: no v1-to-v2 adapter, fallback reader, dual write, old snapshot promotion, or old gap-taxonomy runtime dependency introduced.
• Optional concrete resource/evidence tables: deferred; the required definition tables and service tests prove the kernel scope without environment-owned observation rows.
• Provider provenance: required definition tables intentionally omit workspace_id, managed_environment_id, and provider_connection_id; provider-native tenant IDs remain outside Coverage v2 ownership schema.
• tenant_id proof: required Coverage v2 tables omit tenant_id and any provider-native tenant identifier columns.
• Policy posture: no policies were added because the new models are inactive platform-seeded definitions with no route, Filament resource, API, or mutation surface. Later activation must add policy/authorization coverage before exposure.

Manual Review Finding Remediation

• PASS: Supported-scope denominator integrity is fail-closed. SupportedScopeResolver now rejects unknown canonical resource types instead of silently shrinking the denominator before completeness checks.
• PASS: Denominator fail-closed behavior is covered in both unit and feature lanes, including persisted supported-scope rows.
• PASS: Spec 414 migration seed semantics are frozen in the migration and no longer depend on mutable runtime registry/resolver services or enum value lists.
• PASS: A focused schema guard verifies the historical migration does not import App\Services\TenantConfiguration\* or App\Support\TenantConfiguration\* runtime defaults.
• PASS: Coverage v2 factories now emit JSONB object-shaped metadata, matching the PostgreSQL object check constraints.

Product Surface Close-Out

• Livewire v4 compliance: Livewire 4.1.4 confirmed; no Livewire code changed.
• Provider registration location: no panel provider change; Laravel 12 providers remain in apps/platform/bootstrap/providers.php.
• Global search posture: no Filament resource or global search change.
• Destructive/high-impact actions: none introduced.
• Asset strategy: no assets registered; filament:assets is not required for this spec.
• Visible complexity outcome: neutral; no rendered product surface changed.
• Deployment impact: additive migrations for inactive kernel definition tables only; no env vars, queues, scheduler, storage, or asset step.

Validation

• PASS: cd apps/platform && ./vendor/bin/sail bin pint app/Services/TenantConfiguration/SupportedScopeResolver.php database/migrations/2026_06_25_000414_create_tenant_configuration_kernel_tables.php tests/Unit/Support/TenantConfiguration/SupportedScopeResolverTest.php tests/Feature/TenantConfiguration/TenantConfigurationSupportedScopeTest.php tests/Feature/TenantConfiguration/TenantConfigurationKernelSchemaTest.php --format agent
• PASS: cd apps/platform && ./vendor/bin/sail bin pint database/factories/TenantConfigurationResourceTypeFactory.php database/factories/TenantConfigurationSupportedScopeFactory.php tests/Feature/TenantConfiguration/TenantConfigurationSupportedScopeTest.php --format agent
• PASS: cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Support/TenantConfiguration (14 tests, 40 assertions)
• PASS: cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/TenantConfiguration (11 passed, 1 PostgreSQL-only skipped, 43 assertions)
• NOTE: cd apps/platform && ./vendor/bin/sail php vendor/bin/pest -c phpunit.pgsql.xml --filter=TenantConfiguration matched no tests in this repo.
• PASS: cd apps/platform && ./vendor/bin/sail php vendor/bin/pest -c phpunit.pgsql.xml tests/Feature/TenantConfiguration (12 tests, 48 assertions)
• PASS: git diff --check
• PASS: untracked implementation-file whitespace check via git diff --no-index --check /dev/null <file>

Final Dirty State

• .specify/memory/constitution.md
• apps/platform/app/Models/TenantConfigurationResourceType.php
• apps/platform/app/Models/TenantConfigurationSupportedScope.php
• apps/platform/app/Services/TenantConfiguration/*
• apps/platform/app/Support/TenantConfiguration/*
• apps/platform/database/factories/TenantConfigurationResourceTypeFactory.php
• apps/platform/database/factories/TenantConfigurationSupportedScopeFactory.php
• apps/platform/database/migrations/2026_06_25_000414_create_tenant_configuration_kernel_tables.php
• apps/platform/tests/Feature/TenantConfiguration/*
• apps/platform/tests/Unit/Support/TenantConfiguration/*
• specs/414-tcm-first-coverage-core-cutover/*

Follow-Up Candidates

• Spec 415 - Generic Content-Backed Capture.
• Spec 416 - Canonical Identity Engine.
• Spec 417 - Coverage v2 Operator Surface.
• Spec 418 - Legacy Coverage Cutover & Removal.
• Spec 419 - Intune Core Comparable/Renderable Pack.
• Spec 420 - Certified Intune Core Coverage Pack.