# Implementation Plan: SoT Foundations & Assignments

**Branch**: `006-sot-foundations-assignments` | **Date**: 2025-12-25 | **Spec**: ./spec.md
**Input**: Feature specification from `/specs/006-sot-foundations-assignments/spec.md`

**Note**: This template is filled in by the `/speckit.plan` command. See `.specify/templates/commands/plan.md` for the execution workflow.

## Summary

Implement foundations-first backup/restore for Intune dependencies (Assignment Filters, Scope Tags, Notification Message Templates) and extend restore to be assignment-aware using a deterministic old→new ID mapping report. Conditional Access remains preview-only (never executed) until its dependency mapping is supported.

Phase outputs:

- Phase 0 research: `./research.md`
- Phase 1 design: `./data-model.md`, `./contracts/`, `./quickstart.md`

## Technical Context

**Language/Version**: PHP 8.4 (Laravel 12)
**Primary Dependencies**: Laravel 12, Filament v4, Livewire v3, Microsoft Graph (custom client abstraction)
**Storage**: PostgreSQL (JSONB payload storage for snapshots)
**Testing**: Pest v4 + PHPUnit 12
**Target Platform**: Docker/Sail locally; container deploy via Dokploy
**Project Type**: Web application (Laravel backend + Filament admin UI)
**Performance Goals**: Restore preview for ~100 items in <2 minutes (SC-003); handle Graph paging and throttling safely
**Constraints**: Restore must be defensive: no deletions; skip unsafe assignments; produce audit/report; respect Graph throttling
**Scale/Scope**: Tenants with large policy inventories; focus on foundational object types + assignment application for already-supported policy types

## Constitution Check

*GATE: Must pass before Phase 0 research. Re-check after Phase 1 design.*

The constitution at `.specify/memory/constitution.md` is currently an unfilled template (no ratified gates). For this feature, adopt the repo’s documented operating rules as gates:

- **Sail-first** local dev/test commands.
- **SpecKit Gate Rule**: code changes must be accompanied by `specs/006-sot-foundations-assignments/` updates.
- **Testing is required**: every behavioral change covered by Pest tests.
- **Safety**: restore never deletes; assignments only applied when mapped; CA stays preview-only.
- **Auditability**: restore/backup outcomes recorded and tenant-scoped.

If the team later ratifies a real constitution, re-map these gates accordingly.

**Post-Phase 1 re-check**: Pass (no violations introduced by the Phase 1 design artifacts).

## Project Structure

### Documentation (this feature)

```text
specs/[###-feature]/
├── plan.md              # This file (/speckit.plan command output)
├── research.md          # Phase 0 output (/speckit.plan command)
├── data-model.md        # Phase 1 output (/speckit.plan command)
├── quickstart.md        # Phase 1 output (/speckit.plan command)
├── contracts/           # Phase 1 output (/speckit.plan command)
└── tasks.md             # Phase 2 output (/speckit.tasks command - NOT created by /speckit.plan)
```

### Source Code (repository root)

```text
app/
├── Filament/
│   └── Resources/
├── Jobs/
├── Models/
│   ├── BackupItem.php
│   ├── BackupSet.php
│   └── RestoreRun.php
├── Services/
│   ├── Graph/
│   └── Intune/
└── Support/

config/
├── graph_contracts.php
└── tenantpilot.php

database/
├── migrations/
└── factories/

tests/
├── Feature/
└── Unit/
```

**Structure Decision**: Implement as incremental additions to existing Laravel services/models/jobs, with Filament UI using the existing Backup/Restore flows.

## Complexity Tracking

> **Fill ONLY if Constitution Check has violations that must be justified**

| Violation | Why Needed | Simpler Alternative Rejected Because |
|-----------|------------|-------------------------------------|
| [e.g., 4th project] | [current need] | [why 3 projects insufficient] |
| [e.g., Repository pattern] | [specific problem] | [why direct DB access insufficient] |