Spec 432: Exchange PowerShell production runner boundary and runtime gate. Validation: php artisan test --filter=Spec432 --compact; ./vendor/bin/pint --dirty --test --format agent; git diff --check. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #499
7.4 KiB
Requirements Checklist: Exchange PowerShell Production Runner Boundary and Runtime Gate
Purpose: Preparation and implementation-readiness checklist for Spec 432.
Created: 2026-07-07
Feature: specs/432-exchange-powershell-production-runner-boundary-runtime-gate/spec.md
Prerequisites
- Spec 431 is PASS or PASS WITH CONDITIONS with no merge-blocking findings.
- Spec 431 provider-operation start bypass is closed.
- Spec 431 capability/admin-consent issue is closed.
- Spec 431 invalid parameter persistence is sanitized.
- Spec 431 disabled runner remains default.
- Spec 431 no evidence, no UI, no migration, no
tenant_id, and no mini-platform proof exists. - OperationRun/provider operation/capability path is registered.
Scope
- Only
transportRuleis included from Exchange transport rules. - Only
remoteDomainis included from Exchange remote domains. - Only
inboundConnectoris included from Exchange connectors. - No
outboundConnector. - No
acceptedDomain. - No
organizationConfig. - No
mailboxPlan. - No
sharingPolicy. - No Teams.
- No Exchange Admin API.
- No mutation commands.
- No evidence.
- No compare/render.
- No certification.
- No restore.
- No customer claim.
- No UI.
- No migration.
- No jobs/schedules/listeners that can invoke production runner.
Runner Binding
- Disabled runner remains default.
- Production runner is not selected by default.
- Explicit production-runner config flag exists and defaults false.
- Existing invocation gate is required.
- Production-runner gate is required.
- Missing credential evidence blocks.
- Missing permission evidence blocks.
- Config-cache-style behavior is tested.
Runtime Readiness
- Runtime readiness checker exists.
- PowerShell availability check is non-invasive.
- Exchange module check is non-invasive.
- No Microsoft connection.
- No tenant session import.
- No module installation or download.
- No env dump.
- No interactive prompt.
- Runtime environment allowlist is checked.
- Timeout policy is checked.
- Process executor availability is checked.
- Temp policy is checked if temp files are used.
Credential Handling
- Credential resolver exists.
- Credential handling is reference-only.
client_secretblocks by default.- Certificate state is tested.
- Federated state is tested.
- Managed-identity state is tested.
- Missing credential blocks.
- Expired credential blocks.
- Inaccessible credential blocks.
- Unsupported credential blocks.
- Unknown credential kind blocks.
- Credential material is not stored/logged.
Permission Evidence
- Admin consent alone is not sufficient.
- Missing Exchange permission evidence blocks.
- Unvalidated evidence blocks.
- Stale evidence blocks.
- Wrong workspace evidence blocks.
- Wrong managed environment evidence blocks.
- Wrong provider connection evidence blocks.
- Unsupported evidence blocks.
- Verified evidence only allows the next gate.
- No evidence/readiness/customer claim promotion occurs from permission proof.
Process / Command Safety
- Process executor abstraction exists.
- Fake process executor is used in tests.
- Argument vector / structured process call is used.
- Raw shell strings are rejected.
- Pipes, script fragments, semicolons, and redirection are rejected.
- Aliases and profile loading are rejected.
- Operator-supplied command text is rejected.
- Mutation commands are rejected.
- Unknown parameters are rejected.
- Invalid parameter names are not persisted raw.
Output Guards
- Oversized stdout blocks safely.
- Oversized stderr blocks safely.
- Non-JSON/scalar output blocks safely.
- Warning-prefixed output is handled safely.
- Non-UTF8/binary output blocks safely.
- Non-zero exit with stdout blocks safely.
- Timeout cleanup is tested.
- Concurrency lock cleanup is tested.
- Temp files are absent or cleaned safely.
- Raw stdout/stderr is not persisted.
OperationRun
- Public invocation returns OperationRun or safe blocker.
provider_connection_idremains context-only.- No
provider_connection_idmigration. managed_environment_iduses existing repo pattern.- Safe summary counts only.
- Safe failure category only.
- No raw stdout/stderr.
- No provider payload.
- No secrets.
- Transient envelopes are not persisted.
- Status/outcome transitions remain service-owned.
No Promotion
- No evidence rows.
- No raw evidence payload.
- No normalized evidence payload.
- No content-backed state.
- No comparable state.
- No renderable state.
- No certified state.
- No restore-ready state.
- No customer-ready state.
- No report output.
- No Review Pack output.
Product Surface / Triggers
- No routes.
- No Filament pages.
- No Livewire components.
- No navigation.
- No UI action.
- No dashboard/readiness badge.
- No asset changes.
- No global search changes.
- No job trigger.
- No schedule trigger.
- No listener trigger.
- Browser proof is
N/A - no rendered UI surface changed. - Human Product Sanity is N/A.
Architecture
- Uses Spec 431 OperationRun path.
- Uses provider operation/capability path.
- Uses Spec 430 Coverage v2 source contracts.
- No migration.
- No
tenant_idin Spec 432 changed runtime artifacts. - No Exchange mini-platform.
- No legacy shim.
- No fallback reader.
- No dual write.
- No customer-facing readiness vocabulary.
Validation
- Focused Spec 432 unit tests pass.
- Focused Spec 432 feature tests pass.
- Spec 431 regressions pass.
- Spec 430 regressions pass.
- Selected Spec 426/427 no-promotion/source-contract regressions pass.
- Selected Spec 417/419/420 identity/registry/generic evidence regressions pass.
- Pint passes.
git diff --checkpasses.git status --shortis documented.
Final Candidate Gate
Choose one during implementation close-out:
- PASS
- PASS WITH CONDITIONS
- FAIL
PASS requires disabled default, explicit production-runner gate, non-invasive runtime checks, safe credential handling, verified permission-evidence requirement or safe block, process executor abstraction, no-shell command construction, output guards, timeout/concurrency cleanup, sanitized OperationRun context, no evidence, no product promotion, no UI/trigger surface, no migration, no tenant_id, no mini-platform, and focused tests/regressions passing.
PASS WITH CONDITIONS is allowed only for bounded follow-ups that do not weaken runner binding, runtime safety, credential safety, permission evidence, OperationRun ownership, redaction, provider scope, no-evidence posture, no-claim posture, no-trigger posture, or no-mini-platform posture.
FAIL if production runner activates by default, client-secret or admin-consent-only enables live invocation, raw shell strings or mutation commands can execute, live invocation bypasses OperationRun/provider scope, credential material or raw output persists, evidence/product promotion appears, routes/UI/jobs/schedules/listeners are added, migration or tenant_id appears without amendment, or tests do not prove runner boundary and safe-block behavior.