[ { "id": "T001", "description": "CE delegator routes for Entra endpoints return EE-only error payload when enterprise edition is disabled.", "implemented": true, "featureIds": [ "F001", "F002" ] }, { "id": "T002", "description": "EE delegator forwards Entra route methods to EE handlers when enterprise edition is enabled.", "implemented": true, "featureIds": [ "F001", "F002" ] }, { "id": "T003", "description": "`entraActions` exports compile and are available from integrations actions barrel.", "implemented": true, "featureIds": [ "F003" ] }, { "id": "T004", "description": "Integrations settings page renders Entra entry card in EE mode.", "implemented": true, "featureIds": [ "F004", "F005" ] }, { "id": "T005", "description": "`EntraIntegrationSettings` dynamic import loads successfully and renders base shell.", "implemented": true, "featureIds": [ "F005" ] }, { "id": "T006", "description": "`entra-integration-ui` disabled hides Entra settings surface.", "implemented": true, "featureIds": [ "F006", "F007" ] }, { "id": "T007", "description": "`entra-integration-ui` enabled shows Entra settings surface.", "implemented": true, "featureIds": [ "F006", "F007" ] }, { "id": "T008", "description": "Client details Entra sync action is hidden when `entra-integration-client-sync-action` is disabled.", "implemented": true, "featureIds": [ "F008", "F009" ] }, { "id": "T009", "description": "CIPP connection option is hidden when `entra-integration-cipp` is disabled.", "implemented": true, "descoped": true, "descopedNote": "Descoped 2026-04-17 — CIPP removed from Phase 1. Phase 1 enforces a stronger invariant: CIPP option is hidden unconditionally. See T009b.", "featureIds": [ "F011" ] }, { "id": "T009b", "description": "CIPP connection option is hidden regardless of the `entra-integration-cipp` flag value (Phase 1 Direct-only invariant).", "implemented": false, "featureIds": [ "F011" ] }, { "id": "T010", "description": "Field-sync and reconciliation queue UI sections are hidden when their flags are disabled.", "implemented": true, "featureIds": [ "F012" ] }, { "id": "T011", "description": "Migration creates `entra_partner_connections` with expected required columns.", "implemented": true, "featureIds": [ "F013" ] }, { "id": "T012", "description": "Unique active-connection constraint rejects second active connection for same tenant.", "implemented": true, "featureIds": [ "F014" ] }, { "id": "T013", "description": "Migration creates `entra_managed_tenants` plus indexes used by discovery/mapping queries.", "implemented": true, "featureIds": [ "F015", "F016" ] }, { "id": "T014", "description": "Migration creates `entra_client_tenant_mappings` and enforces unique active mapping per discovered tenant.", "implemented": true, "featureIds": [ "F017", "F018" ] }, { "id": "T015", "description": "Migration creates `entra_sync_settings` with default cadence and toggle fields.", "implemented": true, "featureIds": [ "F019", "F031" ] }, { "id": "T016", "description": "Migration creates `entra_sync_runs` and expected status/count fields.", "implemented": true, "featureIds": [ "F020" ] }, { "id": "T017", "description": "Migration creates `entra_sync_run_tenants` with valid foreign keys to parent sync runs.", "implemented": true, "featureIds": [ "F021" ] }, { "id": "T018", "description": "Migration creates `entra_contact_links` with unique (`tenant`,`entra_tenant_id`,`entra_object_id`) constraint.", "implemented": true, "featureIds": [ "F022", "F023" ] }, { "id": "T019", "description": "Migration enforces one active Entra link per contact.", "implemented": true, "featureIds": [ "F024" ] }, { "id": "T020", "description": "Migration creates `entra_contact_reconciliation_queue` and lookup indexes.", "implemented": true, "featureIds": [ "F025" ] }, { "id": "T021", "description": "`clients` table contains `entra_tenant_id` and `entra_primary_domain` columns post-migration.", "implemented": true, "featureIds": [ "F026", "F027" ] }, { "id": "T022", "description": "`contacts` table contains Entra identity and sync metadata columns post-migration.", "implemented": true, "featureIds": [ "F028", "F029", "F030" ] }, { "id": "T023", "description": "Existing tenants receive one default `entra_sync_settings` row during backfill migration.", "implemented": true, "featureIds": [ "F031" ] }, { "id": "T024", "description": "New Entra interfaces/types compile and align with migration schema.", "implemented": true, "featureIds": [ "F032" ] }, { "id": "T025", "description": "Mapping validation blocks duplicate assignment of one discovered tenant to multiple clients.", "implemented": true, "featureIds": [ "F018", "F066" ] }, { "id": "T026", "description": "Unmap action updates mapping state without deleting historical sync run data.", "implemented": true, "featureIds": [ "F064", "F020", "F021" ] }, { "id": "T027", "description": "Remap action updates active mapping to target client and refreshes client linkage fields.", "implemented": true, "featureIds": [ "F065", "F062", "F063" ] }, { "id": "T028", "description": "Disconnect flow does not remove existing sync run history rows.", "implemented": true, "featureIds": [ "F044", "F020", "F021" ] }, { "id": "T029", "description": "Schema defaults keep Entra sync metadata columns nullable for backward-compatible contact rows.", "implemented": true, "featureIds": [ "F028", "F029", "F030" ] }, { "id": "T030", "description": "Lookup indexes on discovered tenants and mappings are used by mapping preview queries.", "implemented": true, "featureIds": [ "F016", "F018", "F056" ] }, { "id": "T031", "description": "Direct connect initiation rejects users lacking update permission.", "implemented": true, "featureIds": [ "F035", "F119" ] }, { "id": "T032", "description": "Direct connect initiation returns OAuth URL with encoded nonce/state.", "implemented": true, "featureIds": [ "F035" ] }, { "id": "T033", "description": "Entra OAuth callback rejects missing/invalid code-state requests.", "implemented": true, "featureIds": [ "F036" ] }, { "id": "T034", "description": "Entra OAuth callback persists token references and marks connection active.", "implemented": true, "featureIds": [ "F036", "F043" ] }, { "id": "T035", "description": "Direct token refresh updates stored access token and expiry fields.", "implemented": true, "featureIds": [ "F037", "F038" ] }, { "id": "T036", "description": "CIPP connect action validates base URL format and rejects invalid values.", "implemented": true, "descoped": true, "descopedNote": "Descoped 2026-04-17 — CIPP removed from Phase 1. Unit test retained in repo but not required for Phase 1 sign-off.", "featureIds": [ "F039" ] }, { "id": "T037", "description": "CIPP connect action stores API token via tenant secret provider (not plaintext DB field).", "implemented": true, "descoped": true, "descopedNote": "Descoped 2026-04-17 — CIPP removed from Phase 1. Unit test retained in repo but not required for Phase 1 sign-off.", "featureIds": [ "F039", "F040" ] }, { "id": "T038", "description": "Direct validation action succeeds with valid credentials and reachable tenant list.", "implemented": true, "featureIds": [ "F041", "F047" ] }, { "id": "T039", "description": "CIPP validation action succeeds with valid CIPP token and tenant endpoint response.", "implemented": true, "descoped": true, "descopedNote": "Descoped 2026-04-17 — CIPP removed from Phase 1. Validation route retained but not required for Phase 1 sign-off.", "featureIds": [ "F042", "F049" ] }, { "id": "T040", "description": "Disconnect action clears provider-specific secrets and marks status disconnected.", "implemented": true, "featureIds": [ "F044" ] }, { "id": "T041", "description": "Switching direct->CIPP removes stale direct tokens and vice versa.", "implemented": true, "descoped": true, "descopedNote": "Descoped 2026-04-17 — CIPP removed from Phase 1. User-triggered switching is not exposed; defensive cleanup logic retained.", "featureIds": [ "F045" ] }, { "id": "T042", "description": "Credential resolver prefers tenant Microsoft credentials when both tenant id/secret are present.", "implemented": true, "featureIds": [ "F034" ] }, { "id": "T043", "description": "Credential resolver falls back to env credentials when tenant pair is absent.", "implemented": true, "featureIds": [ "F034" ] }, { "id": "T044", "description": "Credential resolver falls back to app secrets when tenant/env are absent.", "implemented": true, "featureIds": [ "F034" ] }, { "id": "T045", "description": "Secret key constants map all required direct/CIPP secret names consistently.", "implemented": true, "featureIds": [ "F033" ] }, { "id": "T046", "description": "Provider factory returns direct adapter when connection type is direct.", "implemented": true, "featureIds": [ "F046", "F047", "F048" ] }, { "id": "T047", "description": "Provider factory returns CIPP adapter when connection type is cipp.", "implemented": true, "descoped": true, "descopedNote": "Descoped 2026-04-17 — CIPP removed from Phase 1. Factory path retained in code for future reinstatement.", "featureIds": [ "F046", "F049", "F050" ] }, { "id": "T048", "description": "Direct adapter tenant responses normalize into canonical managed-tenant DTO fields.", "implemented": true, "featureIds": [ "F047" ] }, { "id": "T049", "description": "Direct adapter user responses normalize into canonical sync-user DTO fields.", "implemented": true, "featureIds": [ "F048" ] }, { "id": "T050", "description": "CIPP adapter tenant responses normalize into canonical managed-tenant DTO fields.", "implemented": true, "descoped": true, "descopedNote": "Descoped 2026-04-17 — CIPP removed from Phase 1. Adapter test retained in repo but not required for Phase 1 sign-off.", "featureIds": [ "F049" ] }, { "id": "T051", "description": "CIPP adapter user responses normalize into canonical sync-user DTO fields.", "implemented": true, "descoped": true, "descopedNote": "Descoped 2026-04-17 — CIPP removed from Phase 1. Adapter test retained in repo but not required for Phase 1 sign-off.", "featureIds": [ "F050" ] }, { "id": "T052", "description": "Discovery action inserts new managed tenants and updates existing rows idempotently.", "implemented": true, "featureIds": [ "F051", "F052" ] }, { "id": "T053", "description": "Discovery action updates changed display name/domain for previously discovered tenant rows.", "implemented": true, "featureIds": [ "F052" ] }, { "id": "T054", "description": "Discovery action persists provider user counts per managed tenant.", "implemented": true, "featureIds": [ "F052" ] }, { "id": "T055", "description": "Exact domain match appears in `autoMatched` preview group.", "implemented": true, "featureIds": [ "F053", "F056" ] }, { "id": "T056", "description": "Secondary-domain match path contributes candidate confidence values.", "implemented": true, "featureIds": [ "F054", "F056" ] }, { "id": "T057", "description": "Fuzzy match candidates are sorted by score and never auto-confirmed.", "implemented": true, "featureIds": [ "F055", "F056" ] }, { "id": "T058", "description": "Preview returns unmatched list when no candidate crosses threshold.", "implemented": true, "featureIds": [ "F056" ] }, { "id": "T059", "description": "Mapping table UI supports selecting candidate client for fuzzy/unmatched entries.", "implemented": true, "featureIds": [ "F057", "F058" ] }, { "id": "T060", "description": "Skip control marks tenant mapping row as skipped without creating active mapping.", "implemented": true, "featureIds": [ "F059" ] }, { "id": "T061", "description": "Bulk accept marks all exact auto matches as selected pending confirm.", "implemented": true, "featureIds": [ "F060" ] }, { "id": "T062", "description": "Confirm mappings persists only selected mappings and does not write during preview stage.", "implemented": true, "featureIds": [ "F061" ] }, { "id": "T063", "description": "Confirm mappings updates mapped client rows with Entra tenant id and primary domain.", "implemented": true, "featureIds": [ "F062" ] }, { "id": "T064", "description": "Remap operation preserves one active mapping row and updates previous mapping state.", "implemented": true, "featureIds": [ "F063", "F065" ] }, { "id": "T065", "description": "Mapping summary counters reflect mapped/skipped/review counts after confirm.", "implemented": true, "featureIds": [ "F067" ] }, { "id": "T066", "description": "`Run Initial Sync` CTA remains disabled when there are zero confirmed mappings.", "implemented": true, "featureIds": [ "F068" ] }, { "id": "T067", "description": "Skipped tenants panel lists skipped entries and allows remap entry.", "implemented": true, "featureIds": [ "F069" ] }, { "id": "T068", "description": "Mapping wizard remains inaccessible while `entra-integration-ui` flag is off.", "implemented": true, "featureIds": [ "F070" ] }, { "id": "T069", "description": "Entra Temporal types compile and are consumed by workflows/activities without `any` leakage.", "implemented": true, "featureIds": [ "F071" ] }, { "id": "T070", "description": "`entraDiscoveryWorkflow` executes discovery activities in expected order.", "implemented": true, "featureIds": [ "F072", "F076" ] }, { "id": "T071", "description": "`entraInitialSyncWorkflow` loads mapped tenants then processes each tenant sync.", "implemented": true, "featureIds": [ "F073", "F077", "F078" ] }, { "id": "T072", "description": "`entraTenantSyncWorkflow` only syncs requested tenant mapping context.", "implemented": true, "featureIds": [ "F074", "F078" ] }, { "id": "T073", "description": "`entraAllTenantsSyncWorkflow` processes all active mapped tenants.", "implemented": true, "featureIds": [ "F075", "F077", "F078" ] }, { "id": "T074", "description": "`upsertSyncRunActivity` creates parent sync run with initiating user and mode.", "implemented": true, "featureIds": [ "F079" ] }, { "id": "T075", "description": "`recordSyncTenantResultActivity` writes per-tenant result rows and counters.", "implemented": true, "featureIds": [ "F081" ] }, { "id": "T076", "description": "`finalizeSyncRunActivity` marks run terminal state and summary totals.", "implemented": true, "featureIds": [ "F080" ] }, { "id": "T077", "description": "Workflow registration index exports all new Entra workflows.", "implemented": true, "featureIds": [ "F082" ] }, { "id": "T078", "description": "Activity registration index exports all new Entra activities.", "implemented": true, "featureIds": [ "F083" ] }, { "id": "T079", "description": "EE workflow client can start initial sync and returns workflow/run IDs.", "implemented": true, "featureIds": [ "F084", "F085" ] }, { "id": "T080", "description": "EE workflow client can start all-tenant sync and returns workflow/run IDs.", "implemented": true, "featureIds": [ "F084", "F086" ] }, { "id": "T081", "description": "EE workflow client can start single-client sync and returns workflow/run IDs.", "implemented": true, "featureIds": [ "F084", "F087" ] }, { "id": "T082", "description": "Progress query endpoint returns run-level and tenant-level status data for polling.", "implemented": true, "featureIds": [ "F088" ] }, { "id": "T083", "description": "Mapping confirm action can optionally start initial sync workflow and persist run id.", "implemented": true, "featureIds": [ "F085" ] }, { "id": "T084", "description": "Manual `Sync All Tenants Now` action starts expected workflow type.", "implemented": true, "featureIds": [ "F086", "F113" ] }, { "id": "T085", "description": "Manual client-level sync action starts expected single-tenant workflow type.", "implemented": true, "featureIds": [ "F087", "F114" ] }, { "id": "T086", "description": "Schedule setup creates Entra recurring sync schedule when not present.", "implemented": true, "featureIds": [ "F089" ] }, { "id": "T087", "description": "Schedule setup updates existing Entra schedule definition when already present.", "implemented": true, "featureIds": [ "F089" ] }, { "id": "T088", "description": "Workflow IDs are deterministic/deduplicated for repeated manual trigger collisions.", "implemented": true, "featureIds": [ "F090" ] }, { "id": "T089", "description": "Workflow run with no mapped tenants completes gracefully with zero-processed summary.", "implemented": true, "featureIds": [ "F073", "F075" ] }, { "id": "T090", "description": "Adapter failure in tenant sync marks tenant result failed and parent run failed/partial as designed.", "implemented": true, "featureIds": [ "F078", "F080", "F081" ] }, { "id": "T091", "description": "Sync filter excludes disabled Entra users (`accountEnabled=false`).", "implemented": true, "featureIds": [ "F092" ] }, { "id": "T092", "description": "Sync filter excludes users missing valid UPN/email identity.", "implemented": true, "featureIds": [ "F092" ] }, { "id": "T093", "description": "Default service-account patterns are excluded from sync candidate set.", "implemented": true, "featureIds": [ "F093" ] }, { "id": "T094", "description": "Tenant custom exclusion patterns are applied on top of default filters.", "implemented": true, "featureIds": [ "F094" ] }, { "id": "T095", "description": "Exact email match links to existing contact and does not create duplicate contact.", "implemented": true, "featureIds": [ "F095", "F096" ] }, { "id": "T096", "description": "No email match creates a new contact under the mapped client.", "implemented": true, "featureIds": [ "F097" ] }, { "id": "T097", "description": "Multiple plausible matches generate reconciliation queue item instead of auto-link.", "implemented": true, "featureIds": [ "F098" ] }, { "id": "T098", "description": "Name-only similarity without email never auto-links a contact.", "implemented": true, "featureIds": [ "F099" ] }, { "id": "T099", "description": "Linking/new-contact paths persist Entra object id/source metadata fields.", "implemented": true, "featureIds": [ "F100" ] }, { "id": "T100", "description": "Field sync toggle OFF prevents display-name overwrite on existing contacts.", "implemented": true, "featureIds": [ "F101" ] }, { "id": "T101", "description": "Field sync toggle ON allows display-name overwrite for linked contacts.", "implemented": true, "featureIds": [ "F101" ] }, { "id": "T102", "description": "Field sync toggle ON allows UPN overwrite for linked contacts.", "implemented": true, "featureIds": [ "F101" ] }, { "id": "T103", "description": "Disabled upstream user marks linked contact inactive with sync reason.", "implemented": true, "featureIds": [ "F102" ] }, { "id": "T104", "description": "Deleted upstream user marks linked contact inactive with sync reason.", "implemented": true, "featureIds": [ "F103" ] }, { "id": "T105", "description": "Disabled/deleted handling never deletes contact rows.", "implemented": true, "featureIds": [ "F104" ] }, { "id": "T106", "description": "Every processed contact gets `last_entra_sync_at` refreshed.", "implemented": true, "featureIds": [ "F105" ] }, { "id": "T107", "description": "Contact link records refresh `last_seen_at` and status per sync.", "implemented": true, "featureIds": [ "F106" ] }, { "id": "T108", "description": "Per-tenant counters include created count accurately.", "implemented": true, "featureIds": [ "F107" ] }, { "id": "T109", "description": "Per-tenant counters include linked count accurately.", "implemented": true, "featureIds": [ "F107" ] }, { "id": "T110", "description": "Per-tenant counters include ambiguous count accurately.", "implemented": true, "featureIds": [ "F107" ] }, { "id": "T111", "description": "Dry-run sync mode performs no DB writes while returning preview counters.", "implemented": true, "featureIds": [ "F108" ] }, { "id": "T112", "description": "Sync result serializer output remains stable across success/failure run states.", "implemented": true, "featureIds": [ "F109" ] }, { "id": "T113", "description": "Retry of same tenant sync does not duplicate `entra_contact_links` rows.", "implemented": true, "featureIds": [ "F110" ] }, { "id": "T114", "description": "Retry of same tenant sync does not duplicate contact creation for same Entra identity.", "implemented": true, "featureIds": [ "F110" ] }, { "id": "T115", "description": "Reconciliation queue item stores tenant/client context and candidate detail payload.", "implemented": true, "featureIds": [ "F025", "F098", "F115" ] }, { "id": "T116", "description": "Resolve queue -> existing contact links identity and marks queue item resolved.", "implemented": true, "featureIds": [ "F116" ] }, { "id": "T117", "description": "Resolve queue -> new contact creates contact/link and marks queue item resolved.", "implemented": true, "featureIds": [ "F117" ] }, { "id": "T118", "description": "Queue resolve rejects cross-client or cross-tenant contact targets.", "implemented": true, "featureIds": [ "F116", "F117" ] }, { "id": "T119", "description": "Single-client sync only processes identities belonging to that mapped client tenant.", "implemented": true, "featureIds": [ "F087", "F118" ] }, { "id": "T120", "description": "All-tenant sync skips entries currently marked as skipped mappings.", "implemented": true, "featureIds": [ "F059", "F075" ] }, { "id": "T121", "description": "Settings status panel shows connection type/status, last discovery, mapping counts, and interval.", "implemented": true, "featureIds": [ "F111" ] }, { "id": "T122", "description": "Sync history panel renders latest run list sorted by started time.", "implemented": true, "featureIds": [ "F112" ] }, { "id": "T123", "description": "Sync history drilldown displays per-tenant outcome rows and counts.", "implemented": true, "featureIds": [ "F112", "F021" ] }, { "id": "T124", "description": "`Sync All Tenants Now` button disabled when no active mapping exists.", "implemented": true, "featureIds": [ "F113", "F068" ] }, { "id": "T125", "description": "`Sync All Tenants Now` button enabled once at least one active mapping exists.", "implemented": true, "featureIds": [ "F113", "F068" ] }, { "id": "T126", "description": "Client-level sync action is shown for mapped clients and hidden for unmapped clients.", "implemented": true, "featureIds": [ "F114" ] }, { "id": "T127", "description": "Client-level sync action returns run id and begins status polling successfully.", "implemented": true, "featureIds": [ "F114", "F088" ] }, { "id": "T128", "description": "Ambiguous queue panel hidden when `entra-integration-ambiguous-queue` is disabled.", "implemented": true, "featureIds": [ "F012", "F115" ] }, { "id": "T129", "description": "Ambiguous queue panel visible when `entra-integration-ambiguous-queue` is enabled.", "implemented": true, "featureIds": [ "F012", "F115" ] }, { "id": "T130", "description": "Client portal user cannot access Entra settings actions/routes (403/forbidden response).", "implemented": true, "featureIds": [ "F118" ] }, { "id": "T131", "description": "Client portal user cannot trigger manual sync endpoints/actions.", "implemented": true, "featureIds": [ "F118" ] }, { "id": "T132", "description": "Internal user without `system_settings.read` cannot read Entra status/mapping views.", "implemented": true, "featureIds": [ "F119" ] }, { "id": "T133", "description": "Internal user without `system_settings.update` cannot connect, map, or start sync.", "implemented": true, "featureIds": [ "F119" ] }, { "id": "T134", "description": "Internal user with required permissions can complete connect -> discover -> map -> sync flow.", "implemented": true, "featureIds": [ "F035", "F051", "F061", "F113", "F119" ] }, { "id": "T135", "description": "EE docs include both direct and CIPP setup paths and decision guidance.", "implemented": true, "descoped": true, "descopedNote": "Descoped 2026-04-17 — CIPP removed from Phase 1. Docs should now cover Direct setup only; CIPP decision guidance is no longer required. Docs update is tracked as T135b.", "featureIds": [ "F120" ] }, { "id": "T135b", "description": "EE docs cover Direct Microsoft partner auth setup as the sole Phase 1 connection path, and note that CIPP has been descoped from Phase 1.", "implemented": false, "featureIds": [ "F120" ] }, { "id": "T136", "description": "EE docs include Entra secret names and note secret-provider/vault compatibility.", "implemented": true, "featureIds": [ "F033", "F120" ] }, { "id": "T137", "description": "EE docs describe additive sync and non-overwrite behavior with field-sync toggles.", "implemented": true, "featureIds": [ "F101", "F104", "F120" ] }, { "id": "T138", "description": "EE docs describe feature-flag rollout order for pilot tenants.", "implemented": true, "featureIds": [ "F010", "F120" ] }, { "id": "T139", "description": "Disabling `entra-integration-ui` hides settings UI without deleting connection/mapping data.", "implemented": true, "featureIds": [ "F006", "F007" ] }, { "id": "T140", "description": "Disabling `entra-integration-client-sync-action` hides client action while preserving server-side run history.", "implemented": true, "featureIds": [ "F009", "F020", "F021" ] } ]