Automated PR provided by Codex via Gitea API. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #481
165 lines
14 KiB
Markdown
# Tasks: Spec 414 - TCM-First Coverage v2 Kernel

**Input**: Design documents from `/specs/414-tcm-first-coverage-core-cutover/`

**Prerequisites**: `spec.md`, `plan.md`, user-provided patch prompt narrowing Spec 414 to an inactive kernel

**Tests**: Runtime behavior changes require Pest unit and feature tests. Browser tests are not required, because this narrowed spec has no rendered UI surface impact; if a UI surface does become necessary, implementation stops and amends the spec first.

## Test Governance Checklist

- [x] TGC001 Lane assignment is named and is the narrowest sufficient proof for kernel behavior.
- [x] TGC002 New or changed tests stay in unit/feature/pgsql lanes; no browser/heavy-governance family is introduced unless scope is amended.
- [x] TGC003 Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default; Coverage v2 setup is opt-in.
- [x] TGC004 Planned validation commands cover kernel behavior without hiding unrelated lane cost.
- [x] TGC005 Browser proof is explicitly `N/A - no rendered UI surface changed`.
- [x] TGC006 Product Surface implementation-report close-out records no UI impact, no dual truth, and no browser requirement.
- [x] TGC007 Material budget, baseline, trend, or escalation notes are recorded in the implementation report.

## Phase 1: Preparation And Guardrails

**Purpose**: Protect repo state and keep Spec 414 bounded to the inactive kernel.

- [x] T001 Capture current branch, HEAD, and `git status --short` in `specs/414-tcm-first-coverage-core-cutover/implementation-report.md`.
- [x] T002 Confirm `.specify/memory/constitution.md` ownership alignment: Coverage v2 uses `workspace_id`, `managed_environment_id`, and same-scope `provider_connection_id` where provider provenance is stored.
- [x] T003 Confirm the patched `spec.md`, `plan.md`, `tasks.md`, and `checklists/requirements.md` remove full-cutover scope and frame Spec 414 as inactive kernel only.
- [x] T004 Confirm changed files before implementation do not include runtime code outside active spec artifacts; if unrelated dirty files appear, stop before application changes.
- [x] T005 Confirm no reachable UI surface, Filament resource/page, navigation entry, browser proof, OperationRun-backed capture, remote TCM/Graph ingestion, legacy runtime deletion, or broad v1 test rewrite remains required by Spec 414.

## Phase 2: Tests First - Kernel Semantics

**Purpose**: Lock the kernel contract before implementation.

- [x] T006 [P] [US1] Add `apps/platform/tests/Unit/Support/TenantConfiguration/ResourceTypeRegistryTest.php` covering the required initial resource type entries and source classes.
- [x] T007 [P] [US2] Add `apps/platform/tests/Unit/Support/TenantConfiguration/SupportedScopeResolverTest.php` covering explicit denominator membership, required minimum coverage level, beta exclusion by default, fallback inclusion only when allowed, and no unscoped 100% claims.
- [x] T008 [P] [US3] Add `apps/platform/tests/Unit/Support/TenantConfiguration/ClaimGuardTest.php` covering unscoped 100% blocks, beta certification blocks, non-restorable restore claim blocks, incomplete supported-scope blocks, and exact scope + level allowance.
- [x] T009 [P] [US1] Add `apps/platform/tests/Unit/Support/TenantConfiguration/CoverageKernelValueTest.php` covering the exact allowed values for all kernel value families and ordering where ordering affects claim behavior.

## Phase 3: Tests First - Persistence And Ownership

**Purpose**: Prove persistence and ownership rules without activating product surfaces.

- [x] T010 [P] [US1] Add `apps/platform/tests/Feature/TenantConfiguration/TenantConfigurationResourceTypeRegistryTest.php` covering persisted or seeded required registry entries.
- [x] T011 [P] [US2] Add `apps/platform/tests/Feature/TenantConfiguration/TenantConfigurationSupportedScopeTest.php` covering persisted supported-scope denominator rules and minimum coverage levels.
- [x] T012 [P] [US3] Add `apps/platform/tests/Feature/TenantConfiguration/TenantConfigurationClaimGuardFeatureTest.php` proving claim guard blocks unsafe customer-facing claims without wiring into rendered UI.
- [x] T013 [P] [US4] Add `apps/platform/tests/Feature/TenantConfiguration/TenantConfigurationKernelSchemaTest.php` proving Coverage v2 ownership fields do not include `tenant_id` and provider-native tenant IDs remain metadata only.
- [x] T014 [P] [US4] Add PostgreSQL-focused coverage for JSONB fields, composite foreign keys, partial unique indexes, or same-scope `provider_connection_id` constraints if the Coverage v2 schema uses any of those PostgreSQL-specific behaviors.

## Phase 4: Kernel Value Families

**Purpose**: Add the minimal domain vocabulary needed by registry, scope, and claim guard.

- [x] T015 [US1] Create `apps/platform/app/Support/TenantConfiguration/SourceClass.php` with exactly `tcm`, `graph_v1_fallback`, and `graph_beta_experimental`.
- [x] T016 [US1] Create `apps/platform/app/Support/TenantConfiguration/Workload.php` with exactly `intune`.
- [x] T017 [US1] Create `apps/platform/app/Support/TenantConfiguration/ResourceClass.php` with exactly `configuration`.
- [x] T018 [US1] Create `apps/platform/app/Support/TenantConfiguration/SupportState.php` with exactly `supported`, `fallback_supported`, `experimental`, `unsupported`, and `out_of_scope`.
- [x] T019 [US1] Create `apps/platform/app/Support/TenantConfiguration/CoverageLevel.php` with exactly `detected`, `content_backed`, `comparable`, `renderable`, `restorable`, and `certified`.
- [x] T020 [US1] Create `apps/platform/app/Support/TenantConfiguration/EvidenceState.php` with exactly `not_captured`, `captured`, `content_backed`, `permission_blocked`, `source_unavailable`, `schema_unknown`, and `capture_failed`.
- [x] T021 [US1] Create `apps/platform/app/Support/TenantConfiguration/IdentityState.php` with exactly `stable`, `derived`, `identity_conflict`, `missing_external_id`, and `unsupported_identity`.
- [x] T022 [US3] Create `apps/platform/app/Support/TenantConfiguration/ClaimState.php` with exactly `claim_allowed`, `claim_limited`, `claim_blocked`, and `internal_only`.
- [x] T023 [US3] Create `apps/platform/app/Support/TenantConfiguration/RestoreTier.php` with exactly `not_restorable`, `preview_only`, and `restorable` only if restore-claim blocking cannot stay local to `ClaimGuard`.

## Phase 5: Minimal Kernel Persistence

**Purpose**: Persist only the required kernel truth.

- [x] T024 [US1] Create migration(s) under `apps/platform/database/migrations/` for `tenant_configuration_resource_types` and `tenant_configuration_supported_scopes`.
- [x] T025 [US4] Ensure required Coverage v2 kernel tables do not include `tenant_id`.
- [x] T026 [US4] Ensure required Coverage v2 kernel definition tables do not include `workspace_id`, `managed_environment_id`, or `provider_connection_id`; they are platform-seeded definitions.
- [x] T027 [US4] Ensure environment-owned optional tables, if added, include non-null `workspace_id` and `managed_environment_id`, require `provider_connection_id` for provider-observed `tcm`, `graph_v1_fallback`, or `graph_beta_experimental` rows, and validate that any stored provider connection belongs to the same workspace and managed environment. Not applicable in this slice because optional environment-owned tables were deferred.
- [x] T028 [US1] Create `apps/platform/app/Models/TenantConfigurationResourceType.php` and `apps/platform/app/Models/TenantConfigurationSupportedScope.php` with casts and relationships following sibling model conventions.
- [x] T029 [US1] Create factories under `apps/platform/database/factories/` for required kernel models with explicit workspace/managed-environment setup only where required.
- [x] T030 [US1] Add optional `tenant_configuration_resources` and `tenant_configuration_resource_evidence` tables/models only if tests or clean service boundaries require them; otherwise record the deferral in `implementation-report.md`. Deferred in implementation report.

## Phase 6: Initial Registry And Supported Scope

**Purpose**: Seed the required initial source-class definitions and exact supported-scope contract.

- [x] T031 [US1] Create `apps/platform/app/Services/TenantConfiguration/ResourceTypeRegistry.php` to load active resource type definitions without Graph/TCM/provider calls.
- [x] T032 [US1] Seed or migrate TCM-aligned Intune types: `deviceAndAppManagementAssignmentFilter`, `deviceEnrollmentLimitRestriction`, `deviceEnrollmentPlatformRestriction`, `deviceEnrollmentStatusPageWindows10`, `appProtectionPolicyAndroid`, and `appProtectionPolicyiOS` with `source_class = tcm`.
- [x] T033 [US1] Seed or migrate `notificationMessageTemplate` with `source_class = graph_v1_fallback`.
- [x] T034 [US1] Seed or migrate `roleScopeTag` with `source_class = graph_beta_experimental` and default beta/certification-blocking posture.
- [x] T035 [US2] Create `apps/platform/app/Services/TenantConfiguration/SupportedScopeResolver.php` to resolve explicit denominators, minimum coverage levels, beta exclusion, and fallback inclusion rules.
- [x] T036 [US2] Add initial supported-scope definitions in `tenant_configuration_supported_scopes` using deterministic `scope_key` values, JSONB `included_resource_types`, minimum coverage level, beta/fallback flags, and no broad Microsoft 365 or 249-resource catalog labels.
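T024 asks for a migration for `tenant_configuration_supported_scopes`, and T036 pins its shape: a deterministic `scope_key`, JSONB `included_resource_types`, a minimum coverage level, and beta/fallback flags. The following is an added example, not the project's own migration, of writing that table so that the ownership rules of T025 and T026 are visible in the schema itself and the pgsql lane of T014/T054 has something to prove. Only `scope_key` and `included_resource_types` are names from the spec; every other column name, the flag defaults and the constraint names are assumptions.

```php
<?php
// Added example, not the project's migration: one possible shape for the supported-scope definition table.
// Only scope_key and included_resource_types come from the spec; other column and constraint names are assumptions.
use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Schema;

return new class extends Migration
{
    public function up(): void
    {
        Schema::create('tenant_configuration_supported_scopes', function (Blueprint $table): void {
            $table->id();
            // Deterministic key: a claim must name its denominator; there is no "all of Microsoft 365" row.
            $table->string('scope_key')->unique();
            // Explicit denominator membership, stored as JSONB on PostgreSQL (T036).
            $table->jsonb('included_resource_types');
            $table->string('minimum_coverage_level');
            // Beta is excluded and fallback is not counted unless the scope opts in (assumed flag names).
            $table->boolean('allow_beta')->default(false);
            $table->boolean('allow_fallback')->default(false);
            $table->timestamps();
            // Deliberately absent: tenant_id (T025) and workspace_id / managed_environment_id /
            // provider_connection_id (T026); this is a platform-seeded definition, not environment-owned data.
        });

        // PostgreSQL-only guards; the pgsql lane (T014, T054) is what proves them.
        if (DB::getDriverName() === 'pgsql') {
            DB::statement("ALTER TABLE tenant_configuration_supported_scopes
                ADD CONSTRAINT tcss_minimum_coverage_level_check
                CHECK (minimum_coverage_level IN ('detected', 'content_backed', 'comparable', 'renderable', 'restorable', 'certified'))");
            DB::statement("ALTER TABLE tenant_configuration_supported_scopes
                ADD CONSTRAINT tcss_included_resource_types_array_check
                CHECK (jsonb_typeof(included_resource_types) = 'array')");
        }
    }

    public function down(): void
    {
        Schema::dropIfExists('tenant_configuration_supported_scopes');
    }
};
```

A schema test in the pgsql lane can then assert both that `Schema::hasColumn('tenant_configuration_supported_scopes', 'tenant_id')` is false and that inserting a level outside the `CoverageLevel` vocabulary is rejected by the check constraint, which is the persisted half of T013 and T014.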
## Phase 7: Claim Guard

**Purpose**: Block unsafe claims before any UI activation exists.

- [x] T037 [US3] Create `apps/platform/app/Services/TenantConfiguration/ClaimGuard.php`.
- [x] T038 [US3] Implement unscoped 100% claim blocking in `ClaimGuard`.
- [x] T039 [US3] Implement certified-claim blocking for beta experimental resource types in `ClaimGuard`.
- [x] T040 [US3] Implement restore-claim blocking when the resource type is not restorable in `ClaimGuard`.
- [x] T041 [US3] Implement customer-facing claim blocking when the supported scope is incomplete in `ClaimGuard`.
- [x] T042 [US3] Implement exact scope + level allowance in `ClaimGuard`.
- [x] T043 [US4] Confirm `ClaimGuard` does not adapt, translate, fallback-read, or dual-write legacy v1 truth.
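The scope-resolver rules of Phase 6 (T035-T036) and the claim-guard rules of Phase 7 (T038-T042) read as one small decision procedure: build an explicit denominator, check every member against the claimed level, and only then let a customer-facing claim through. The block below is an added example of that procedure in PHP; it is not the project's `SupportedScopeResolver` or `ClaimGuard`. The enum values are the exact ones from Phase 4, but the class shapes, the `allowFallback`/`allowBeta` flags, the achieved-level and restorable columns, the `rank()`/`atLeast()` helpers and every sample row are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not the project's code: Spec 414 scope resolution (T035-T036) and claim guarding (T038-T042)
// as one decision procedure. Enum values are the exact Phase 4 ones; everything else here is an assumption.

enum SourceClass: string {
    case Tcm = 'tcm'; case GraphV1Fallback = 'graph_v1_fallback'; case GraphBetaExperimental = 'graph_beta_experimental';
}
enum CoverageLevel: string {
    case Detected = 'detected'; case ContentBacked = 'content_backed'; case Comparable = 'comparable';
    case Renderable = 'renderable'; case Restorable = 'restorable'; case Certified = 'certified';

    // Declaration order is the coverage order; rank() drives every "at least level X" comparison.
    public function rank(): int { return (int) array_search($this, self::cases(), true); }
    public function atLeast(self $minimum): bool { return $this->rank() >= $minimum->rank(); }
}
enum ClaimState: string {
    case Allowed = 'claim_allowed'; case Limited = 'claim_limited';
    case Blocked = 'claim_blocked'; case InternalOnly = 'internal_only';
}

// Hypothetical in-memory shapes of the two kernel tables: no tenant_id and no environment ownership (T025, T026).
final class ResourceType {
    public function __construct(public readonly string $key, public readonly SourceClass $sourceClass,
        public readonly CoverageLevel $achievedLevel, public readonly bool $restorable) {}
}
final class SupportedScope {
    /** @param list<string> $includedResourceTypes explicit denominator; there is no "everything" scope */
    public function __construct(public readonly string $scopeKey, public readonly array $includedResourceTypes,
        public readonly CoverageLevel $minimumLevel, public readonly bool $allowFallback = false,
        public readonly bool $allowBeta = false) {}
}

final class SupportedScopeResolver {
    /** @param array<string, ResourceType> $registry @return list<ResourceType> */
    public function denominator(SupportedScope $scope, array $registry): array {
        $members = [];
        foreach ($scope->includedResourceTypes as $key) {
            $type = $registry[$key] ?? null;
            $excluded = $type === null                                                               // unknown: never counts
                || ($type->sourceClass === SourceClass::GraphBetaExperimental && !$scope->allowBeta) // beta out by default
                || ($type->sourceClass === SourceClass::GraphV1Fallback && !$scope->allowFallback);  // fallback only if allowed
            if (!$excluded) { $members[] = $type; }
        }
        return $members;
    }
    // Complete only if the denominator is non-empty and every member reaches the scope's minimum level.
    public function isComplete(SupportedScope $scope, array $registry): bool {
        $members = $this->denominator($scope, $registry);
        foreach ($members as $type) { if (!$type->achievedLevel->atLeast($scope->minimumLevel)) { return false; } }
        return $members !== [];
    }
}

final class ClaimGuard {
    public function __construct(private readonly SupportedScopeResolver $resolver) {}
    /** @param ?string $scopeKey null is an unscoped "100% of everything" claim */
    public function evaluate(?string $scopeKey, CoverageLevel $level, bool $customerFacing, array $scopes, array $registry): ClaimState {
        if ($scopeKey === null) { return ClaimState::Blocked; }   // T038: an unscoped 100% claim never passes
        $scope = $scopes[$scopeKey] ?? null;
        if ($scope === null) { return ClaimState::Blocked; }      // a claim must name a known denominator
        foreach ($this->resolver->denominator($scope, $registry) as $type) {
            if ($level === CoverageLevel::Certified && $type->sourceClass === SourceClass::GraphBetaExperimental) {
                return ClaimState::Blocked;                        // T039: beta experimental is never certified
            }
            if ($level->atLeast(CoverageLevel::Restorable) && !$type->restorable) {
                return ClaimState::Blocked;                        // T040: no restore claim without restorability
            }
        }
        if (!$this->resolver->isComplete($scope, $registry)) {    // T041: incomplete scope is not customer material
            return $customerFacing ? ClaimState::Blocked : ClaimState::InternalOnly;
        }
        if (!$scope->minimumLevel->atLeast($level)) { return ClaimState::Limited; } // assumption: above the guarantee => narrowed
        return ClaimState::Allowed;                                // T042: exact scope + level
    }
}

// Constructed sample rows using the resource type names from T032-T034.
function demo(): array {
    $registry = [];
    foreach ([
        new ResourceType('deviceAndAppManagementAssignmentFilter', SourceClass::Tcm, CoverageLevel::Restorable, true),
        new ResourceType('appProtectionPolicyiOS', SourceClass::Tcm, CoverageLevel::Comparable, true),
        new ResourceType('notificationMessageTemplate', SourceClass::GraphV1Fallback, CoverageLevel::Comparable, false),
        new ResourceType('roleScopeTag', SourceClass::GraphBetaExperimental, CoverageLevel::Detected, false),
    ] as $type) { $registry[$type->key] = $type; }
    $scopes = [
        'intune_tcm_core' => new SupportedScope('intune_tcm_core', ['deviceAndAppManagementAssignmentFilter', 'appProtectionPolicyiOS'], CoverageLevel::Comparable),
        'intune_with_fallback' => new SupportedScope('intune_with_fallback', ['deviceAndAppManagementAssignmentFilter', 'notificationMessageTemplate'], CoverageLevel::Comparable, allowFallback: true),
        'intune_beta' => new SupportedScope('intune_beta', ['roleScopeTag'], CoverageLevel::Detected, allowBeta: true),
    ];
    $guard = new ClaimGuard(new SupportedScopeResolver());
    $claim = fn (?string $scopeKey, CoverageLevel $level) => $guard->evaluate($scopeKey, $level, true, $scopes, $registry)->value;
    return [
        'unscoped 100%' => $claim(null, CoverageLevel::Comparable),
        'core @ comparable' => $claim('intune_tcm_core', CoverageLevel::Comparable),
        'core @ restorable' => $claim('intune_tcm_core', CoverageLevel::Restorable),
        'fallback @ restorable' => $claim('intune_with_fallback', CoverageLevel::Restorable),
        'beta @ certified' => $claim('intune_beta', CoverageLevel::Certified),
    ];
}
print_r(demo());
```

Running the file shows the five postures side by side: the unscoped claim, the restorable claim over the scope that includes the non-restorable `notificationMessageTemplate`, and the certified claim over the beta-only scope all come back `claim_blocked`; the comparable claim over the TCM-only scope comes back `claim_allowed`; and the restorable claim over that same scope comes back `claim_limited`, because the scope only guarantees `comparable`. The design point is that every block happens on the denominator and the registry row, never on a UI flag, which is why the guard can be fully unit-tested (T008) before any surface exists.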
## Phase 8: Boundary Guards And No-UI Proof

**Purpose**: Preserve the inactive kernel boundary.

- [x] T044 [US4] Confirm no Filament page/resource, Blade view, Livewire component, route, navigation entry, customer report, review pack, restore readiness, evidence overview, or baseline/compare surface is changed.
- [x] T045 [US4] Confirm no browser test is required because no rendered UI surface changed; if a UI file changed, stop and amend `spec.md`, `plan.md`, and `tasks.md`.
- [x] T046 [US4] Confirm no OperationRun-producing command/job/action is added; if one is required, stop and amend spec/plan/tasks with OperationRun UX impact.
- [x] T047 [US4] Confirm no remote TCM/Graph/provider call path is introduced.
- [x] T048 [US4] Confirm no v1-to-v2 compatibility adapter, dual-write target, fallback reader, or old snapshot promotion path was added.
- [x] T049 [US4] Confirm old v1 gap taxonomy is not used as Coverage v2 logic.

## Phase 9: Close-Out And Validation

**Purpose**: Run focused proof and document implementation readiness.

- [x] T050 Complete `specs/414-tcm-first-coverage-core-cutover/implementation-report.md` with branch, HEAD, dirty state, files changed, kernel tables/models/services, optional table deferrals, no-`tenant_id` proof, provider metadata/provenance proof, no-legacy/no-dual-truth confirmation, no-UI/browser N/A, tests, Livewire v4 compliance, provider registration location, global search posture, destructive/high-impact action posture, asset strategy, deployment impact, and follow-up candidates.
- [x] T051 Run `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`.
- [x] T052 Run `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Support/TenantConfiguration`.
- [x] T053 Run `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/TenantConfiguration`.
- [x] T054 Run `cd apps/platform && ./vendor/bin/sail php vendor/bin/pest -c phpunit.pgsql.xml tests/Feature/TenantConfiguration` because Coverage v2 migrations add JSONB fields and PostgreSQL check constraints. The original `--filter=TenantConfiguration` command matched no tests in this repo.
- [x] T055 Run `git diff --check`.
- [x] T056 Confirm final `git status --short` contains only intended Spec 414 and implementation files.

## Dependencies & Execution Order

- Phase 1 blocks all implementation.
- Phases 2 and 3 test tasks should be written before or alongside implementation.
- Phase 4 value families must precede registry/scope/claim services.
- Phase 5 required persistence must precede feature tests that query persisted kernel definitions.
- Phase 6 registry/scope must precede claim guard feature behavior.
- Phase 7 claim guard must precede boundary and close-out proof.
- Phase 8 must pass before validation close-out.

## Parallel Opportunities

- T006-T009 can run in parallel.
- T010-T014 can run in parallel after migration/model shape is agreed.
- T015-T023 can be split by value-family file.
- T031-T034 can run in parallel after persistence exists.
- T038-T042 can run in parallel after `ClaimGuard` shape is defined.

## Implementation Strategy

### MVP First

1. Complete preflight.
2. Add value-family tests and value families.
3. Add required kernel persistence.
4. Add registry and supported-scope resolver.
5. Add claim guard.
6. Prove no UI/dual-truth/legacy compatibility path exists.

### Incremental Delivery

1. Land kernel persistence and registry.
2. Land supported-scope contract.
3. Land claim guard.
4. Land ownership/no-UI/no-legacy proof.
5. Land implementation report and validation.

### Stop Conditions

- A UI, route, navigation, report, review, restore, evidence, baseline, or browser change becomes necessary.
- OperationRun-backed capture/evaluation becomes necessary.
- Remote TCM/Graph/provider calls become necessary.
- Concrete resource/evidence tables expand beyond minimal kernel needs.
- `tenant_id` appears in Coverage v2 ownership fields.
- A v1 compatibility adapter, dual write, fallback reader, or old snapshot promotion path is needed.
- Old gap taxonomy is required as Coverage v2 logic.