# Plan: Custom Compliance Scripts (Windows) (026)

**Branch**: `feat/026-custom-compliance-scripts`
**Date**: 2026-01-04
**Input**: [spec.md](./spec.md)

## Approach

1. Confirm Graph contract details:
   - resource: `deviceManagement/deviceComplianceScripts` (beta)
   - patchable fields vs read-only fields
   - assignment pattern: `/deviceComplianceScripts/{id}/assign` and `/assignments`
2. Add `deviceComplianceScript` to `config/tenantpilot.php` (category “Compliance”, risk, restore mode).
3. Add contract entry to `config/graph_contracts.php` (resource + assignment endpoints + scope tags support).
4. Implement snapshot capture:
   - ensure `detectionScriptContent` is preserved and treated like other scripts (safe display, encode/decode where needed)
5. Implement restore:
   - sanitize payload via contract
   - ensure `detectionScriptContent` is encoded as expected by Graph
   - apply assignments via assign action
6. Add normalizer and targeted tests.

## Decisions / Notes

- **Restore mode**: default `enabled` (risk: medium-high) because tenant recovery often depends on these scripts.
- Use the existing script content display rules (`TENANTPILOT_SHOW_SCRIPT_CONTENT`, max chars).
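The following is an added, self-contained sketch of steps 4 and 5 of the approach (snapshot capture and restore) in plain PHP; it is example code written for this plan, not TenantPilot's own implementation. It assumes a contract array shaped like an entry in `config/graph_contracts.php`, treats `detectionScriptContent` as base64 (Graph's JSON form for binary properties), assumes `id`, `createdDateTime` and `lastModifiedDateTime` are the read-only fields (to be confirmed in step 1), and assumes the assign action's parameter name is `deviceComplianceScriptAssignments`. The sample resource at the bottom is constructed.

```php
<?php
declare(strict_types=1);

// Assumed contract shape for deviceComplianceScript (example, not the project's config).
// readOnly and assignParam are assumptions to be confirmed against the Graph beta docs.
const DEVICE_COMPLIANCE_SCRIPT_CONTRACT = [
    'resource'     => 'deviceManagement/deviceComplianceScripts',
    'readOnly'     => ['id', 'createdDateTime', 'lastModifiedDateTime'],
    'binary'       => ['detectionScriptContent'],          // base64 in Graph JSON
    'assignAction' => 'assign',                             // POST .../{id}/assign
    'assignParam'  => 'deviceComplianceScriptAssignments',  // assumed parameter name
];

/**
 * Snapshot capture (step 4): keep the raw base64 exactly as Graph returned it so a
 * later restore is byte-for-byte faithful, and derive a separate display copy that
 * follows the script content display rules (show/hide flag and max chars).
 */
function captureSnapshot(array $graphResource, bool $showScriptContent, int $maxChars): array
{
    $snapshot = ['graph' => $graphResource, 'display' => []];
    foreach (DEVICE_COMPLIANCE_SCRIPT_CONTRACT['binary'] as $field) {
        if (!isset($graphResource[$field])) {
            continue;
        }
        // Strict decoding: anything that is not clean base64 is never rendered as a script.
        $decoded = base64_decode($graphResource[$field], true);
        if ($decoded === false) {
            $snapshot['display'][$field] = '[invalid base64 content]';
        } elseif (!$showScriptContent) {
            $snapshot['display'][$field] = '[hidden]';
        } elseif (mb_strlen($decoded) > $maxChars) {
            $snapshot['display'][$field] = mb_substr($decoded, 0, $maxChars) . '... [truncated]';
        } else {
            $snapshot['display'][$field] = $decoded;
        }
    }
    return $snapshot;
}

/**
 * Restore (step 5): sanitize the body through the contract (drop read-only fields and
 * the assignments collection), verify the script is still valid base64 before sending
 * it to Graph, and build the separate body for the assign action.
 */
function buildRestorePayloads(array $snapshot): array
{
    $contract = DEVICE_COMPLIANCE_SCRIPT_CONTRACT;
    $body = $snapshot['graph'];

    foreach ($contract['readOnly'] as $field) {
        unset($body[$field]);
    }
    $assignments = $body['assignments'] ?? [];
    unset($body['assignments']);

    foreach ($contract['binary'] as $field) {
        if (isset($body[$field]) && base64_decode($body[$field], true) === false) {
            throw new InvalidArgumentException("$field is not valid base64");
        }
    }

    // Assignment ids belong to the old tenant object; everything else (target, schedule) is kept.
    $assignBody = [$contract['assignParam'] => array_map(
        static fn(array $a): array => array_diff_key($a, ['id' => true]),
        $assignments
    )];

    return ['body' => $body, 'assign' => $assignBody];
}

// Constructed sample resource, as a Graph GET of the script plus its /assignments might return.
$script = "Write-Output 'compliant'; exit 0";
$sample = [
    'id'                     => '00000000-0000-0000-0000-000000000000',
    'displayName'            => 'Example custom compliance check',
    'runAsAccount'           => 'system',
    'detectionScriptContent' => base64_encode($script),
    'createdDateTime'        => '2026-01-04T00:00:00Z',
    'assignments'            => [
        ['id' => 'a1', 'target' => ['@odata.type' => '#microsoft.graph.allDevicesAssignmentTarget']],
    ],
];

$snapshot = captureSnapshot($sample, true, 16);
$restore  = buildRestorePayloads($snapshot);

echo $snapshot['display']['detectionScriptContent'], PHP_EOL;   // truncated display copy
echo json_encode($restore['body'], JSON_PRETTY_PRINT), PHP_EOL;  // no id/createdDateTime/assignments
echo json_encode($restore['assign'], JSON_PRETTY_PRINT), PHP_EOL; // body for POST .../{id}/assign
```

The display copy is deliberately separate from the stored value so truncation or hiding for the UI can never feed back into a restore; the restore path re-validates the base64 rather than re-encoding, so a corrupted snapshot fails loudly instead of uploading a mangled script.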