spec: add plans and tasks for 007 and 008

Ahmed Darrazi 2025-12-27 01:16:12 +01:00
parent bb68b8d603
commit f196023d98
4 changed files with 306 additions and 0 deletions


@ -0,0 +1,79 @@
# Implementation Plan: Device Configuration and Compliance Coverage
**Branch**: `007-device-config-compliance` | **Date**: 2025-12-26 | **Spec**: ./spec.md
**Input**: Feature specification from `/specs/007-device-config-compliance/spec.md`
## Summary
Expand backup and restore coverage for device configuration, compliance, scripts, and update rings. This plan focuses on policy type coverage, assignment capture, and safe restore behavior using existing foundation mappings and assignment logic.
Phase outputs:
- Phase 0 research: n/a (no new research artifact yet)
- Phase 1 design: n/a (no new data model artifact yet)
## Technical Context
**Language/Version**: PHP 8.4 (Laravel 12)
**Primary Dependencies**: Laravel 12, Filament v4, Livewire v3, Microsoft Graph (custom client abstraction)
**Storage**: PostgreSQL (JSONB payload storage for snapshots)
**Testing**: Pest v4 + PHPUnit 12
**Target Platform**: Docker/Sail locally; container deploy via Dokploy
**Project Type**: Web application (Laravel backend + Filament admin UI)
**Performance Goals**: Restore preview for 100 selected items in under 2 minutes
**Constraints**: Restore must be defensive (no deletions); assignments only applied with valid mapping; audit logs required
**Scale/Scope**: Tenants with mixed configuration and compliance policies, including scripts and update rings
## Constitution Check
The constitution at `.specify/memory/constitution.md` is currently an unfilled template. For this feature, adopt the repo rules as gates:
- Sail-first local dev/test commands.
- Spec gate: code changes must be accompanied by `specs/007-device-config-compliance/` updates.
- Tests required for behavior changes (Pest).
- Restore safety: never delete; skip unsafe assignments; record reasons.
- Auditability: backup and restore outcomes are logged per tenant.
## Project Structure
### Documentation (this feature)
```text
specs/007-device-config-compliance/
├── spec.md
├── plan.md
└── tasks.md
```
### Source Code (expected touch points)
```text
app/
├── Filament/
│ └── Resources/
├── Models/
│ ├── BackupItem.php
│ ├── Policy.php
│ └── PolicyVersion.php
├── Services/
│ ├── Graph/
│ └── Intune/
└── Jobs/
config/
├── graph_contracts.php
├── intune_permissions.php
└── tenantpilot.php
tests/
├── Feature/
└── Unit/
```
**Structure Decision**: Extend existing services (PolicySnapshotService, PolicyCaptureOrchestrator, RestoreService) and Filament resources, adding only targeted helpers where needed.
## Complexity Tracking
| Violation | Why Needed | Simpler Alternative Rejected Because |
|-----------|------------|-------------------------------------|
| n/a | n/a | n/a |
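Review bot: The restore-safety gate under Constitution Check ("Restore safety: never delete; skip unsafe assignments; record reasons.") and the Constraints line ("assignments only applied with valid mapping") never say what makes an assignment unsafe or a mapping valid, so the implementation and its tests have nothing concrete to check against. Suggest stating the rule in the plan, for example that an assignment is applied only when its target resolves through the mapping and is otherwise skipped, and listing what the recorded reason and the per-tenant audit entry must contain. The "Source Code (expected touch points)" tree also lists only app/, config/ and tests/, while tasks.md for this feature edits files under resources/views/filament/infolists/entries/; add that path so plan and tasks agree.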


@ -0,0 +1,74 @@
# Tasks: Device Configuration and Compliance Coverage (007)
**Branch**: `feat/007-device-config-compliance` | **Date**: 2025-12-26
**Input**: [spec.md](./spec.md), [plan.md](./plan.md)
## Task Format
- **Checkbox**: `- [ ]` for incomplete, `- [x]` for complete
- **Task ID**: Sequential T001, T002, T003...
- **[P] marker**: Task can run in parallel (different files, no blocking dependencies)
- **[Story] label**: User story tag (US1, US2, US3...)
- **File path**: Always include exact file path in description
## Phase 1: Policy Types, Contracts, Permissions
**Purpose**: Add missing device configuration, compliance, scripts, and update ring types with Graph contract coverage.
- [ ] T001 [P] Expand policy type registry for device configuration, compliance, scripts, and update rings in `config/tenantpilot.php` (labels, categories, restore mode, risk).
- [ ] T002 [P] Add/update Graph contracts and assignment endpoints for new policy types in `config/graph_contracts.php`.
- [ ] T003 [P] Verify and extend permissions for the new workloads in `config/intune_permissions.php`.
- [ ] T004 Update type metadata helpers and filters in `app/Filament/Resources/PolicyResource.php` and `app/Filament/Resources/BackupSetResource/RelationManagers/BackupItemsRelationManager.php`.
**Checkpoint**: New policy types are recognized across UI metadata and Graph contract registry.
---
## Phase 2: Snapshot Capture and Metadata
**Purpose**: Ensure snapshots, assignments, and scope tags are captured for the new workloads.
- [ ] T005 Update `app/Services/Intune/PolicySnapshotService.php` to fetch and hydrate the new policy types correctly (filters, select fields).
- [ ] T006 Extend `app/Services/Intune/PolicyCaptureOrchestrator.php` to capture assignments and scope tags for the new types with existing resolvers.
- [ ] T007 Update `app/Services/Intune/BackupService.php` to capture snapshots for the new types and propagate warnings.
- [ ] T008 Add or extend normalization support in `app/Services/Intune/PolicyNormalizer.php` for the new policy types.
**Checkpoint**: Backups include snapshots and metadata for configuration/compliance policies.
---
## Phase 3: Restore Logic and Mapping
**Purpose**: Restore new policy types safely using assignment and foundation mappings.
- [ ] T009 Update `app/Services/Intune/RestoreService.php` to restore the new policy types using Graph contracts.
- [ ] T010 Extend `app/Services/AssignmentRestoreService.php` for assignment endpoints of the new types.
- [ ] T011 Ensure compliance notification templates are restored and referenced via mapping in `app/Services/Intune/RestoreService.php`.
- [ ] T012 Add audit coverage for compliance action mapping outcomes in `app/Services/Intune/AuditLogger.php`.
**Checkpoint**: Restore applies policies and assignments or skips with clear reasons.
---
## Phase 4: Admin UX
**Purpose**: Surface restore and compliance details clearly in the UI.
- [ ] T013 Update `resources/views/filament/infolists/entries/restore-preview.blade.php` to surface compliance action/template warnings.
- [ ] T014 Update `resources/views/filament/infolists/entries/restore-results.blade.php` to show compliance action mapping outcomes and skip reasons.
**Checkpoint**: Admins can see compliance related mapping results in preview and results.
---
## Phase 5: Tests and Verification
**Purpose**: Cover new workloads with Pest tests and verify formatting.
- [ ] T015 Add unit tests for snapshot and normalization coverage in `tests/Unit/PolicySnapshotServiceTest.php` and `tests/Unit/PolicyNormalizerTest.php`.
- [ ] T016 Add feature tests for backup and restore flows in `tests/Feature/Filament/RestorePreviewTest.php` and `tests/Feature/Filament/RestoreExecutionTest.php`.
- [ ] T017 Run tests: `./vendor/bin/sail artisan test tests/Unit/PolicySnapshotServiceTest.php tests/Unit/PolicyNormalizerTest.php tests/Feature/Filament/RestorePreviewTest.php tests/Feature/Filament/RestoreExecutionTest.php`
- [ ] T018 Run Pint: `./vendor/bin/pint --dirty`
**Checkpoint**: Tests pass and formatting is clean.
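Review bot: Phase 5 has no task that tests the safety behaviour the Phase 3 checkpoint promises ("Restore applies policies and assignments or skips with clear reasons"): T015 covers snapshot and normalization, T016 covers backup and restore flows in general, and nothing names T010's assignment endpoints or T012's audit coverage. Suggest adding a test task that asserts an assignment without a valid mapping is skipped with a recorded reason and that the audit entry from `app/Services/Intune/AuditLogger.php` is written. T003 ("Verify and extend permissions") should also list the permissions being added to `config/intune_permissions.php`, so the change in granted scope is reviewable. Two smaller points: the Task Format section defines a [Story] label but no task carries one, and the branch here is `feat/007-device-config-compliance` while plan.md gives `007-device-config-compliance`.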


@ -0,0 +1,79 @@
# Implementation Plan: Apps and App Management Coverage
**Branch**: `008-apps-app-management` | **Date**: 2025-12-26 | **Spec**: ./spec.md
**Input**: Feature specification from `/specs/008-apps-app-management/spec.md`
## Summary
Introduce backup and restore coverage for app workloads: client apps (metadata-only), app protection policies, and app configuration policies. The plan emphasizes safe restore with clear dependency handling and assignment mapping, without binary uploads.
Phase outputs:
- Phase 0 research: n/a (no new research artifact yet)
- Phase 1 design: n/a (no new data model artifact yet)
## Technical Context
**Language/Version**: PHP 8.4 (Laravel 12)
**Primary Dependencies**: Laravel 12, Filament v4, Livewire v3, Microsoft Graph (custom client abstraction)
**Storage**: PostgreSQL (JSONB payload storage for snapshots)
**Testing**: Pest v4 + PHPUnit 12
**Target Platform**: Docker/Sail locally; container deploy via Dokploy
**Project Type**: Web application (Laravel backend + Filament admin UI)
**Performance Goals**: Preview and restore for 50 app items in under 2 minutes
**Constraints**: No binary upload; restore must be preview-only when dependencies are missing; audit logs required
**Scale/Scope**: Mixed app portfolios with assignments and app dependency chains
## Constitution Check
The constitution at `.specify/memory/constitution.md` is currently an unfilled template. For this feature, adopt the repo rules as gates:
- Sail-first local dev/test commands.
- Spec gate: code changes must be accompanied by `specs/008-apps-app-management/` updates.
- Tests required for behavior changes (Pest).
- Restore safety: metadata-only for apps, no deletions, skip unsafe assignments.
- Auditability: backup and restore outcomes are logged per tenant.
## Project Structure
### Documentation (this feature)
```text
specs/008-apps-app-management/
├── spec.md
├── plan.md
└── tasks.md
```
### Source Code (expected touch points)
```text
app/
├── Filament/
│ └── Resources/
├── Models/
│ ├── BackupItem.php
│ ├── Policy.php
│ └── PolicyVersion.php
├── Services/
│ ├── Graph/
│ └── Intune/
└── Jobs/
config/
├── graph_contracts.php
├── intune_permissions.php
└── tenantpilot.php
tests/
├── Feature/
└── Unit/
```
**Structure Decision**: Extend existing policy snapshot and restore services with app-specific helpers where needed, keeping metadata-only operations.
## Complexity Tracking
| Violation | Why Needed | Simpler Alternative Rejected Because |
|-----------|------------|-------------------------------------|
| n/a | n/a | n/a |
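Review bot: "metadata-only" is the main safety constraint in Summary, Constraints and Constitution Check, but the plan never defines it: it does not say which payload fields count as binary content, nor what a restore does for a client app when no binary is uploaded. Suggest adding a short definition with the fields excluded from snapshots and the expected restore outcome per workload (client apps, app protection policies, app configuration policies). Performance Goals also reads "Preview and restore for 50 app items" while Constraints makes restore preview-only when dependencies are missing; say whether the 2 minute target applies to preview-only runs as well. The touch-points tree omits resources/views/, which tasks.md for this feature edits.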


@ -0,0 +1,74 @@
# Tasks: Apps and App Management Coverage (008)
**Branch**: `feat/008-apps-app-management` | **Date**: 2025-12-26
**Input**: [spec.md](./spec.md), [plan.md](./plan.md)
## Task Format
- **Checkbox**: `- [ ]` for incomplete, `- [x]` for complete
- **Task ID**: Sequential T001, T002, T003...
- **[P] marker**: Task can run in parallel (different files, no blocking dependencies)
- **[Story] label**: User story tag (US1, US2, US3...)
- **File path**: Always include exact file path in description
## Phase 1: Policy Types, Contracts, Permissions
**Purpose**: Add app workload types and Graph contract coverage for app endpoints and assignments.
- [ ] T001 [P] Expand app policy type registry in `config/tenantpilot.php` (client apps, app protection policies, app configuration policies).
- [ ] T002 [P] Add/update Graph contracts and assignment endpoints for app workloads in `config/graph_contracts.php`.
- [ ] T003 [P] Verify and extend permissions for app workloads in `config/intune_permissions.php`.
- [ ] T004 Update type metadata helpers and filters in `app/Filament/Resources/PolicyResource.php` and `app/Filament/Resources/BackupSetResource/RelationManagers/BackupItemsRelationManager.php`.
**Checkpoint**: App workload types are discoverable and contract-backed.
---
## Phase 2: Snapshot Capture (Metadata-Only)
**Purpose**: Capture app metadata without binary payloads and include assignments.
- [ ] T005 Update `app/Services/Intune/PolicySnapshotService.php` to fetch app workloads and sanitize payloads.
- [ ] T006 Add metadata-only sanitization in `app/Services/Graph/GraphContractRegistry.php` for app payloads (strip binary/content fields).
- [ ] T007 Extend `app/Services/Intune/PolicyCaptureOrchestrator.php` to capture app assignments where supported.
- [ ] T008 Update `app/Services/Intune/BackupService.php` to store app metadata-only snapshots and warnings.
**Checkpoint**: App backups capture metadata and assignments safely.
---
## Phase 3: Restore Logic and Dependencies
**Purpose**: Restore apps in metadata-only mode with dependency ordering and safe assignment application.
- [ ] T009 Update `app/Services/Intune/RestoreService.php` to restore app workloads using metadata-only payloads.
- [ ] T010 Extend `app/Services/AssignmentRestoreService.php` to apply app assignments with group and filter mapping.
- [ ] T011 Add dependency ordering for app supersedence in `app/Services/Intune/AppDependencyPlanner.php`.
- [ ] T012 Add preview-only warnings for unresolved app dependencies in `resources/views/filament/infolists/entries/restore-preview.blade.php`.
**Checkpoint**: App restore handles dependencies and assignment mapping safely.
---
## Phase 4: Admin UX
**Purpose**: Surface app restore constraints and metadata-only status in the UI.
- [ ] T013 Update `resources/views/filament/infolists/entries/restore-results.blade.php` to show metadata-only and dependency warnings.
- [ ] T014 Update restore item selection descriptions in `app/Filament/Resources/RestoreRunResource.php` for app workloads.
**Checkpoint**: Admins see clear metadata-only and dependency warnings.
---
## Phase 5: Tests and Verification
**Purpose**: Cover app workloads with Pest tests and verify formatting.
- [ ] T015 Add unit tests for app payload sanitization in `tests/Unit/GraphContractRegistryTest.php`.
- [ ] T016 Add feature tests for app backup and restore in `tests/Feature/Filament/RestorePreviewTest.php` and `tests/Feature/Filament/RestoreExecutionTest.php`.
- [ ] T017 Run tests: `./vendor/bin/sail artisan test tests/Unit/GraphContractRegistryTest.php tests/Feature/Filament/RestorePreviewTest.php tests/Feature/Filament/RestoreExecutionTest.php`
- [ ] T018 Run Pint: `./vendor/bin/pint --dirty`
**Checkpoint**: Tests pass and formatting is clean.
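Review bot: Sanitization is assigned to two places, T005 ("fetch app workloads and sanitize payloads" in `PolicySnapshotService.php`) and T006 ("strip binary/content fields" in `GraphContractRegistry.php`), without saying which one is authoritative; pick one owner so a payload cannot reach storage through a path that skips the strip. Consider wording T006 as keeping a listed set of metadata fields rather than stripping known binary fields, so a new content field is dropped by default. Phase 5 then tests only sanitization (T015): T011's dependency ordering in `app/Services/Intune/AppDependencyPlanner.php` has no unit test, and no task names the preview-only path for unresolved dependencies from T012. T012 is also a Blade view change placed in Phase 3 while Phase 4 is Admin UX. The branch here is `feat/008-apps-app-management` while plan.md gives `008-apps-app-management`.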