# Tasks: Apps and App Management Coverage (008) **Branch**: `feat/008-apps-app-management` | **Date**: 2025-12-26 **Input**: [spec.md](./spec.md), [plan.md](./plan.md) ## Task Format - **Checkbox**: `- [ ]` for incomplete, `- [x]` for complete - **Task ID**: Sequential T001, T002, T003... - **[P] marker**: Task can run in parallel (different files, no blocking dependencies) - **[Story] label**: User story tag (US1, US2, US3...) - **File path**: Always include exact file path in description ## Phase 1: Policy Types, Contracts, Permissions **Purpose**: Add app workload types and Graph contract coverage for app endpoints and assignments. - [ ] T001 [P] Expand app policy type registry in `config/tenantpilot.php` (client apps, app protection policies, app configuration policies). - [ ] T002 [P] Add/update Graph contracts and assignment endpoints for app workloads in `config/graph_contracts.php`. - [ ] T003 [P] Verify and extend permissions for app workloads in `config/intune_permissions.php`. - [ ] T004 Update type metadata helpers and filters in `app/Filament/Resources/PolicyResource.php` and `app/Filament/Resources/BackupSetResource/RelationManagers/BackupItemsRelationManager.php`. **Checkpoint**: App workload types are discoverable and contract-backed. --- ## Phase 2: Snapshot Capture (Metadata-Only) **Purpose**: Capture app metadata without binary payloads and include assignments. - [ ] T005 Update `app/Services/Intune/PolicySnapshotService.php` to fetch app workloads and sanitize payloads. - [ ] T006 Add metadata-only sanitization in `app/Services/Graph/GraphContractRegistry.php` for app payloads (strip binary/content fields). - [ ] T007 Extend `app/Services/Intune/PolicyCaptureOrchestrator.php` to capture app assignments where supported. - [ ] T008 Update `app/Services/Intune/BackupService.php` to store app metadata-only snapshots and warnings. **Checkpoint**: App backups capture metadata and assignments safely. --- ## Phase 3: Restore Logic and Dependencies **Purpose**: Restore apps in metadata-only mode with dependency ordering and safe assignment application. - [ ] T009 Update `app/Services/Intune/RestoreService.php` to restore app workloads using metadata-only payloads. - [ ] T010 Extend `app/Services/AssignmentRestoreService.php` to apply app assignments with group and filter mapping. - [ ] T011 Add dependency ordering for app supersedence in `app/Services/Intune/AppDependencyPlanner.php`. - [ ] T012 Add preview-only warnings for unresolved app dependencies in `resources/views/filament/infolists/entries/restore-preview.blade.php`. **Checkpoint**: App restore handles dependencies and assignment mapping safely. --- ## Phase 4: Admin UX **Purpose**: Surface app restore constraints and metadata-only status in the UI. - [ ] T013 Update `resources/views/filament/infolists/entries/restore-results.blade.php` to show metadata-only and dependency warnings. - [ ] T014 Update restore item selection descriptions in `app/Filament/Resources/RestoreRunResource.php` for app workloads. **Checkpoint**: Admins see clear metadata-only and dependency warnings. --- ## Phase 5: Tests and Verification **Purpose**: Cover app workloads with Pest tests and verify formatting. - [ ] T015 Add unit tests for app payload sanitization in `tests/Unit/GraphContractRegistryTest.php`. - [ ] T016 Add feature tests for app backup and restore in `tests/Feature/Filament/RestorePreviewTest.php` and `tests/Feature/Filament/RestoreExecutionTest.php`. - [ ] T017 Run tests: `./vendor/bin/sail artisan test tests/Unit/GraphContractRegistryTest.php tests/Feature/Filament/RestorePreviewTest.php tests/Feature/Filament/RestoreExecutionTest.php` - [ ] T018 Run Pint: `./vendor/bin/pint --dirty` **Checkpoint**: Tests pass and formatting is clean.