TenantAtlas/specs/432-exchange-powershell-production-runner-boundary-runtime-gate/checklists/requirements.md
ahmido f4e342121a feat: add Exchange PowerShell production runner gate (#499)
Spec 432: Exchange PowerShell production runner boundary and runtime gate. Validation: php artisan test --filter=Spec432 --compact; ./vendor/bin/pint --dirty --test --format agent; git diff --check.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #499
2026-07-07 18:34:18 +00:00

7.4 KiB

Requirements Checklist: Exchange PowerShell Production Runner Boundary and Runtime Gate

Purpose: Preparation and implementation-readiness checklist for Spec 432. Created: 2026-07-07 Feature: specs/432-exchange-powershell-production-runner-boundary-runtime-gate/spec.md

Prerequisites

  • Spec 431 is PASS or PASS WITH CONDITIONS with no merge-blocking findings.
  • Spec 431 provider-operation start bypass is closed.
  • Spec 431 capability/admin-consent issue is closed.
  • Spec 431 invalid parameter persistence is sanitized.
  • Spec 431 disabled runner remains default.
  • Spec 431 no evidence, no UI, no migration, no tenant_id, and no mini-platform proof exists.
  • OperationRun/provider operation/capability path is registered.

Scope

  • Only transportRule is included from Exchange transport rules.
  • Only remoteDomain is included from Exchange remote domains.
  • Only inboundConnector is included from Exchange connectors.
  • No outboundConnector.
  • No acceptedDomain.
  • No organizationConfig.
  • No mailboxPlan.
  • No sharingPolicy.
  • No Teams.
  • No Exchange Admin API.
  • No mutation commands.
  • No evidence.
  • No compare/render.
  • No certification.
  • No restore.
  • No customer claim.
  • No UI.
  • No migration.
  • No jobs/schedules/listeners that can invoke production runner.

Runner Binding

  • Disabled runner remains default.
  • Production runner is not selected by default.
  • Explicit production-runner config flag exists and defaults false.
  • Existing invocation gate is required.
  • Production-runner gate is required.
  • Missing credential evidence blocks.
  • Missing permission evidence blocks.
  • Config-cache-style behavior is tested.

Runtime Readiness

  • Runtime readiness checker exists.
  • PowerShell availability check is non-invasive.
  • Exchange module check is non-invasive.
  • No Microsoft connection.
  • No tenant session import.
  • No module installation or download.
  • No env dump.
  • No interactive prompt.
  • Runtime environment allowlist is checked.
  • Timeout policy is checked.
  • Process executor availability is checked.
  • Temp policy is checked if temp files are used.

Credential Handling

  • Credential resolver exists.
  • Credential handling is reference-only.
  • client_secret blocks by default.
  • Certificate state is tested.
  • Federated state is tested.
  • Managed-identity state is tested.
  • Missing credential blocks.
  • Expired credential blocks.
  • Inaccessible credential blocks.
  • Unsupported credential blocks.
  • Unknown credential kind blocks.
  • Credential material is not stored/logged.

Permission Evidence

  • Admin consent alone is not sufficient.
  • Missing Exchange permission evidence blocks.
  • Unvalidated evidence blocks.
  • Stale evidence blocks.
  • Wrong workspace evidence blocks.
  • Wrong managed environment evidence blocks.
  • Wrong provider connection evidence blocks.
  • Unsupported evidence blocks.
  • Verified evidence only allows the next gate.
  • No evidence/readiness/customer claim promotion occurs from permission proof.

Process / Command Safety

  • Process executor abstraction exists.
  • Fake process executor is used in tests.
  • Argument vector / structured process call is used.
  • Raw shell strings are rejected.
  • Pipes, script fragments, semicolons, and redirection are rejected.
  • Aliases and profile loading are rejected.
  • Operator-supplied command text is rejected.
  • Mutation commands are rejected.
  • Unknown parameters are rejected.
  • Invalid parameter names are not persisted raw.

Output Guards

  • Oversized stdout blocks safely.
  • Oversized stderr blocks safely.
  • Non-JSON/scalar output blocks safely.
  • Warning-prefixed output is handled safely.
  • Non-UTF8/binary output blocks safely.
  • Non-zero exit with stdout blocks safely.
  • Timeout cleanup is tested.
  • Concurrency lock cleanup is tested.
  • Temp files are absent or cleaned safely.
  • Raw stdout/stderr is not persisted.

OperationRun

  • Public invocation returns OperationRun or safe blocker.
  • provider_connection_id remains context-only.
  • No provider_connection_id migration.
  • managed_environment_id uses existing repo pattern.
  • Safe summary counts only.
  • Safe failure category only.
  • No raw stdout/stderr.
  • No provider payload.
  • No secrets.
  • Transient envelopes are not persisted.
  • Status/outcome transitions remain service-owned.

No Promotion

  • No evidence rows.
  • No raw evidence payload.
  • No normalized evidence payload.
  • No content-backed state.
  • No comparable state.
  • No renderable state.
  • No certified state.
  • No restore-ready state.
  • No customer-ready state.
  • No report output.
  • No Review Pack output.

Product Surface / Triggers

  • No routes.
  • No Filament pages.
  • No Livewire components.
  • No navigation.
  • No UI action.
  • No dashboard/readiness badge.
  • No asset changes.
  • No global search changes.
  • No job trigger.
  • No schedule trigger.
  • No listener trigger.
  • Browser proof is N/A - no rendered UI surface changed.
  • Human Product Sanity is N/A.

Architecture

  • Uses Spec 431 OperationRun path.
  • Uses provider operation/capability path.
  • Uses Spec 430 Coverage v2 source contracts.
  • No migration.
  • No tenant_id in Spec 432 changed runtime artifacts.
  • No Exchange mini-platform.
  • No legacy shim.
  • No fallback reader.
  • No dual write.
  • No customer-facing readiness vocabulary.

Validation

  • Focused Spec 432 unit tests pass.
  • Focused Spec 432 feature tests pass.
  • Spec 431 regressions pass.
  • Spec 430 regressions pass.
  • Selected Spec 426/427 no-promotion/source-contract regressions pass.
  • Selected Spec 417/419/420 identity/registry/generic evidence regressions pass.
  • Pint passes.
  • git diff --check passes.
  • git status --short is documented.

Final Candidate Gate

Choose one during implementation close-out:

  • PASS
  • PASS WITH CONDITIONS
  • FAIL

PASS requires disabled default, explicit production-runner gate, non-invasive runtime checks, safe credential handling, verified permission-evidence requirement or safe block, process executor abstraction, no-shell command construction, output guards, timeout/concurrency cleanup, sanitized OperationRun context, no evidence, no product promotion, no UI/trigger surface, no migration, no tenant_id, no mini-platform, and focused tests/regressions passing.

PASS WITH CONDITIONS is allowed only for bounded follow-ups that do not weaken runner binding, runtime safety, credential safety, permission evidence, OperationRun ownership, redaction, provider scope, no-evidence posture, no-claim posture, no-trigger posture, or no-mini-platform posture.

FAIL if production runner activates by default, client-secret or admin-consent-only enables live invocation, raw shell strings or mutation commands can execute, live invocation bypasses OperationRun/provider scope, credential material or raw output persists, evidence/product promotion appears, routes/UI/jobs/schedules/listeners are added, migration or tenant_id appears without amendment, or tests do not prove runner boundary and safe-block behavior.