fix: allow nested compliance action expand

app/Services/Graph/GraphContractRegistry.php

@@ -25,22 +25,41 @@ public function sanitizeQuery(string $policyType, array $query): array
         $allowedExpand = $contract['allowed_expand'] ?? [];
         $warnings = [];
 
-        if (! empty($query['$select']) && is_array($query['$select'])) {
+        if (! empty($query['$select'])) {
             $original = $query['$select'];
-            $query['$select'] = array_values(array_intersect($original, $allowedSelect));
+            $select = is_array($original)
+                ? $original
+                : array_map('trim', explode(',', (string) $original));
+            $filtered = array_values(array_intersect($select, $allowedSelect));
 
-            if (count($query['$select']) !== count($original)) {
+            if (count($filtered) !== count($select)) {
                 $warnings[] = 'Trimmed unsupported $select fields for capability safety.';
             }
+
+            if ($filtered === []) {
+                unset($query['$select']);
+            } else {
+                $query['$select'] = implode(',', $filtered);
+            }
         }
 
-        if (! empty($query['$expand']) && is_array($query['$expand'])) {
+        if (! empty($query['$expand'])) {
             $original = $query['$expand'];
-            $query['$expand'] = array_values(array_intersect($original, $allowedExpand));
+            $expand = is_array($original)
+                ? $original
+                : [trim((string) $original)];
+            $expand = array_values(array_filter($expand, static fn ($value) => $value !== ''));
+            $filtered = array_values(array_intersect($expand, $allowedExpand));
 
-            if (count($query['$expand']) !== count($original)) {
+            if (count($filtered) !== count($expand)) {
                 $warnings[] = 'Trimmed unsupported $expand fields for capability safety.';
             }
+
+            if ($filtered === []) {
+                unset($query['$expand']);
+            } else {
+                $query['$expand'] = implode(',', $filtered);
+            }
         }
 
         return [

app/Services/Intune/PolicySnapshotService.php

@@ -47,7 +47,7 @@ public function fetch(Tenant $tenant, Policy $policy, ?string $actorEmail = null
             ];
 
             if ($policy->policy_type === 'deviceCompliancePolicy') {
-                $options['expand'] = ['scheduledActionsForRule'];
+                $options['expand'] = 'scheduledActionsForRule($expand=scheduledActionConfigurations)';
             }
 
             $response = $this->graphClient->getPolicy($policy->policy_type, $policy->external_id, $options);

config/graph_contracts.php

@@ -15,7 +15,10 @@
         'deviceConfiguration' => [
             'resource' => 'deviceManagement/deviceConfigurations',
             'allowed_select' => ['id', 'displayName', 'description', '@odata.type', 'version', 'lastModifiedDateTime'],
-            'allowed_expand' => ['scheduledActionsForRule'],
+            'allowed_expand' => [
+                'scheduledActionsForRule',
+                'scheduledActionsForRule($expand=scheduledActionConfigurations)',
+            ],
             'type_family' => [
                 '#microsoft.graph.deviceConfiguration',
                 '#microsoft.graph.windows10CustomConfiguration',

tests/Unit/PolicySnapshotServiceTest.php

@@ -104,5 +104,6 @@ public function request(string $method, string $path, array $options = []): Grap
     expect($client->requests[0][0])->toBe('getPolicy');
     expect($client->requests[0][1])->toBe('deviceCompliancePolicy');
     expect($client->requests[0][2])->toBe('compliance-123');
-    expect($client->requests[0][3]['expand'] ?? [])->toBe(['scheduledActionsForRule']);
+    expect($client->requests[0][3]['expand'] ?? null)
+        ->toBe('scheduledActionsForRule($expand=scheduledActionConfigurations)');
 });