ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
dfda397eb6
TenantAtlas/specs/414-tcm-first-coverage-core-cutover/tasks.md
ahmido dfda397eb6 feat: migrate tcm first coverage core cutover (#481) 
Automated PR provided by Codex via Gitea API.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #481
2026-06-25 12:54:56 +00:00

14 KiB
Raw Blame History

Tasks: Spec 414 - TCM-First Coverage v2 Kernel

Input: Design documents from /specs/414-tcm-first-coverage-core-cutover/ Prerequisites: spec.md, plan.md, user-provided patch prompt narrowing Spec 414 to an inactive kernel

Tests: Runtime behavior changes require Pest unit and feature tests. Browser tests are not required because this narrowed spec has no rendered UI surface impact unless implementation stops and amends the spec first.

Test Governance Checklist

  • TGC001 Lane assignment is named and is the narrowest sufficient proof for kernel behavior.
  • TGC002 New or changed tests stay in unit/feature/pgsql lanes; no browser/heavy-governance family is introduced unless scope is amended.
  • TGC003 Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default; Coverage v2 setup is opt-in.
  • TGC004 Planned validation commands cover kernel behavior without hiding unrelated lane cost.
  • TGC005 Browser proof is explicitly N/A - no rendered UI surface changed.
  • TGC006 Product Surface implementation-report close-out records no UI impact, no dual truth, and no browser requirement.
  • TGC007 Material budget, baseline, trend, or escalation notes are recorded in the implementation report.

Phase 1: Preparation And Guardrails

Purpose: Protect repo state and keep Spec 414 bounded to the inactive kernel.

  • T001 Capture current branch, HEAD, and git status --short in specs/414-tcm-first-coverage-core-cutover/implementation-report.md.
  • T002 Confirm .specify/memory/constitution.md ownership alignment: Coverage v2 uses workspace_id, managed_environment_id, and same-scope provider_connection_id where provider provenance is stored.
  • T003 Confirm the patched spec.md, plan.md, tasks.md, and checklists/requirements.md remove full-cutover scope and frame Spec 414 as inactive kernel only.
  • T004 Confirm changed files before implementation do not include runtime code outside active spec artifacts; if unrelated dirty files appear, stop before application changes.
  • T005 Confirm no reachable UI surface, Filament resource/page, navigation entry, browser proof, OperationRun-backed capture, remote TCM/Graph ingestion, legacy runtime deletion, or broad v1 test rewrite remains required by Spec 414.

Phase 2: Tests First - Kernel Semantics

Purpose: Lock the kernel contract before implementation.

  • T006 [P] [US1] Add apps/platform/tests/Unit/Support/TenantConfiguration/ResourceTypeRegistryTest.php covering the required initial resource type entries and source classes.
  • T007 [P] [US2] Add apps/platform/tests/Unit/Support/TenantConfiguration/SupportedScopeResolverTest.php covering explicit denominator membership, required minimum coverage level, beta exclusion by default, fallback inclusion only when allowed, and no unscoped 100% claims.
  • T008 [P] [US3] Add apps/platform/tests/Unit/Support/TenantConfiguration/ClaimGuardTest.php covering unscoped 100% blocks, beta certification blocks, non-restorable restore claim blocks, incomplete supported-scope blocks, and exact scope + level allowance.
  • T009 [P] [US1] Add apps/platform/tests/Unit/Support/TenantConfiguration/CoverageKernelValueTest.php covering the exact allowed values for all kernel value families and ordering where ordering affects claim behavior.

Phase 3: Tests First - Persistence And Ownership

Purpose: Prove persistence and ownership rules without activating product surfaces.

  • T010 [P] [US1] Add apps/platform/tests/Feature/TenantConfiguration/TenantConfigurationResourceTypeRegistryTest.php covering persisted or seeded required registry entries.
  • T011 [P] [US2] Add apps/platform/tests/Feature/TenantConfiguration/TenantConfigurationSupportedScopeTest.php covering persisted supported-scope denominator rules and minimum coverage levels.
  • T012 [P] [US3] Add apps/platform/tests/Feature/TenantConfiguration/TenantConfigurationClaimGuardFeatureTest.php proving claim guard blocks unsafe customer-facing claims without wiring into rendered UI.
  • T013 [P] [US4] Add apps/platform/tests/Feature/TenantConfiguration/TenantConfigurationKernelSchemaTest.php proving Coverage v2 ownership fields do not include tenant_id and provider-native tenant IDs remain metadata only.
  • T014 [P] [US4] Add PostgreSQL-focused coverage for JSONB fields, composite foreign keys, partial unique indexes, or same-scope provider_connection_id constraints if the Coverage v2 schema uses any of those PostgreSQL-specific behaviors.

Phase 4: Kernel Value Families

Purpose: Add the minimal domain vocabulary needed by registry, scope, and claim guard.

  • T015 [US1] Create apps/platform/app/Support/TenantConfiguration/SourceClass.php with exactly tcm, graph_v1_fallback, and graph_beta_experimental.
  • T016 [US1] Create apps/platform/app/Support/TenantConfiguration/Workload.php with exactly intune.
  • T017 [US1] Create apps/platform/app/Support/TenantConfiguration/ResourceClass.php with exactly configuration.
  • T018 [US1] Create apps/platform/app/Support/TenantConfiguration/SupportState.php with exactly supported, fallback_supported, experimental, unsupported, and out_of_scope.
  • T019 [US1] Create apps/platform/app/Support/TenantConfiguration/CoverageLevel.php with exactly detected, content_backed, comparable, renderable, restorable, and certified.
  • T020 [US1] Create apps/platform/app/Support/TenantConfiguration/EvidenceState.php with exactly not_captured, captured, content_backed, permission_blocked, source_unavailable, schema_unknown, and capture_failed.
  • T021 [US1] Create apps/platform/app/Support/TenantConfiguration/IdentityState.php with exactly stable, derived, identity_conflict, missing_external_id, and unsupported_identity.
  • T022 [US3] Create apps/platform/app/Support/TenantConfiguration/ClaimState.php with exactly claim_allowed, claim_limited, claim_blocked, and internal_only.
  • T023 [US3] Create apps/platform/app/Support/TenantConfiguration/RestoreTier.php with exactly not_restorable, preview_only, and restorable only if restore-claim blocking cannot stay local to ClaimGuard.

Phase 5: Minimal Kernel Persistence

Purpose: Persist only the required kernel truth.

  • T024 [US1] Create migration(s) under apps/platform/database/migrations/ for tenant_configuration_resource_types and tenant_configuration_supported_scopes.
  • T025 [US4] Ensure required Coverage v2 kernel tables do not include tenant_id.
  • T026 [US4] Ensure required Coverage v2 kernel definition tables do not include workspace_id, managed_environment_id, or provider_connection_id; they are platform-seeded definitions.
  • T027 [US4] Ensure environment-owned optional tables, if added, include non-null workspace_id and managed_environment_id, require provider_connection_id for provider-observed tcm, graph_v1_fallback, or graph_beta_experimental rows, and validate that any stored provider connection belongs to the same workspace and managed environment. Not applicable in this slice because optional environment-owned tables were deferred.
  • T028 [US1] Create apps/platform/app/Models/TenantConfigurationResourceType.php and apps/platform/app/Models/TenantConfigurationSupportedScope.php with casts and relationships following sibling model conventions.
  • T029 [US1] Create factories under apps/platform/database/factories/ for required kernel models with explicit workspace/managed-environment setup only where required.
  • T030 [US1] Add optional tenant_configuration_resources and tenant_configuration_resource_evidence tables/models only if tests or clean service boundaries require them; otherwise record the deferral in implementation-report.md. Deferred in implementation report.

Phase 6: Initial Registry And Supported Scope

Purpose: Seed the required initial source-class definitions and exact supported-scope contract.

  • T031 [US1] Create apps/platform/app/Services/TenantConfiguration/ResourceTypeRegistry.php to load active resource type definitions without Graph/TCM/provider calls.
  • T032 [US1] Seed or migrate TCM-aligned Intune types: deviceAndAppManagementAssignmentFilter, deviceEnrollmentLimitRestriction, deviceEnrollmentPlatformRestriction, deviceEnrollmentStatusPageWindows10, appProtectionPolicyAndroid, and appProtectionPolicyiOS with source_class = tcm.
  • T033 [US1] Seed or migrate notificationMessageTemplate with source_class = graph_v1_fallback.
  • T034 [US1] Seed or migrate roleScopeTag with source_class = graph_beta_experimental and default beta/certification-blocking posture.
  • T035 [US2] Create apps/platform/app/Services/TenantConfiguration/SupportedScopeResolver.php to resolve explicit denominators, minimum coverage levels, beta exclusion, and fallback inclusion rules.
  • T036 [US2] Add initial supported-scope definitions in tenant_configuration_supported_scopes using deterministic scope_key values, JSONB included_resource_types, minimum coverage level, beta/fallback flags, and no broad Microsoft 365 or 249-resource catalog labels.

Phase 7: Claim Guard

Purpose: Block unsafe claims before any UI activation exists.

  • T037 [US3] Create apps/platform/app/Services/TenantConfiguration/ClaimGuard.php.
  • T038 [US3] Implement unscoped 100% claim blocking in ClaimGuard.
  • T039 [US3] Implement certified-claim blocking for beta experimental resource types in ClaimGuard.
  • T040 [US3] Implement restore-claim blocking when the resource type is not restorable in ClaimGuard.
  • T041 [US3] Implement customer-facing claim blocking when the supported scope is incomplete in ClaimGuard.
  • T042 [US3] Implement exact scope + level allowance in ClaimGuard.
  • T043 [US4] Confirm ClaimGuard does not adapt, translate, fallback-read, or dual-write legacy v1 truth.

Phase 8: Boundary Guards And No-UI Proof

Purpose: Preserve the inactive kernel boundary.

  • T044 [US4] Confirm no Filament page/resource, Blade view, Livewire component, route, navigation entry, customer report, review pack, restore readiness, evidence overview, or baseline/compare surface is changed.
  • T045 [US4] Confirm no browser test is required because no rendered UI surface changed; if a UI file changed, stop and amend spec.md, plan.md, and tasks.md.
  • T046 [US4] Confirm no OperationRun-producing command/job/action is added; if one is required, stop and amend spec/plan/tasks with OperationRun UX impact.
  • T047 [US4] Confirm no remote TCM/Graph/provider call path is introduced.
  • T048 [US4] Confirm no v1-to-v2 compatibility adapter, dual-write target, fallback reader, or old snapshot promotion path was added.
  • T049 [US4] Confirm old v1 gap taxonomy is not used as Coverage v2 logic.

Phase 9: Close-Out And Validation

Purpose: Run focused proof and document implementation readiness.

  • T050 Complete specs/414-tcm-first-coverage-core-cutover/implementation-report.md with branch, HEAD, dirty state, files changed, kernel tables/models/services, optional table deferrals, no-tenant_id proof, provider metadata/provenance proof, no-legacy/no-dual-truth confirmation, no-UI/browser N/A, tests, Livewire v4 compliance, provider registration location, global search posture, destructive/high-impact action posture, asset strategy, deployment impact, and follow-up candidates.
  • T051 Run cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent.
  • T052 Run cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Support/TenantConfiguration.
  • T053 Run cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/TenantConfiguration.
  • T054 Run cd apps/platform && ./vendor/bin/sail php vendor/bin/pest -c phpunit.pgsql.xml tests/Feature/TenantConfiguration because Coverage v2 migrations add JSONB fields and PostgreSQL check constraints. The original --filter=TenantConfiguration command matched no tests in this repo.
  • T055 Run git diff --check.
  • T056 Confirm final git status --short contains only intended Spec 414 and implementation files.

Dependencies & Execution Order

  • Phase 1 blocks all implementation.
  • Phases 2 and 3 test tasks should be written before or alongside implementation.
  • Phase 4 value families must precede registry/scope/claim services.
  • Phase 5 required persistence must precede feature tests that query persisted kernel definitions.
  • Phase 6 registry/scope must precede claim guard feature behavior.
  • Phase 7 claim guard must precede boundary and close-out proof.
  • Phase 8 must pass before validation close-out.

Parallel Opportunities

  • T006-T009 can run in parallel.
  • T010-T014 can run in parallel after migration/model shape is agreed.
  • T015-T023 can be split by value-family file.
  • T031-T034 can run in parallel after persistence exists.
  • T038-T042 can run in parallel after ClaimGuard shape is defined.

Implementation Strategy

MVP First

  1. Complete preflight.
  2. Add value-family tests and value families.
  3. Add required kernel persistence.
  4. Add registry and supported-scope resolver.
  5. Add claim guard.
  6. Prove no UI/dual-truth/legacy compatibility path exists.

Incremental Delivery

  1. Land kernel persistence and registry.
  2. Land supported-scope contract.
  3. Land claim guard.
  4. Land ownership/no-UI/no-legacy proof.
  5. Land implementation report and validation.

Stop Conditions

  • A UI, route, navigation, report, review, restore, evidence, baseline, or browser change becomes necessary.
  • OperationRun-backed capture/evaluation becomes necessary.
  • Remote TCM/Graph/provider calls become necessary.
  • Concrete resource/evidence tables expand beyond minimal kernel needs.
  • tenant_id appears in Coverage v2 ownership fields.
  • A v1 compatibility adapter, dual write, fallback reader, or old snapshot promotion path is needed.
  • Old gap taxonomy is required as Coverage v2 logic.