# Quickstart — Provider Access Hardening v1 (Intune Write Gate)

## Goal

Validate that Intune write operations (restore execution + restore assignments) are blocked unless tenant RBAC hardening is configured, healthy, and fresh.

## Local setup

- Start containers: `vendor/bin/sail up -d`

## Manual verification (once implemented)

1) Navigate to a tenant view page (`TenantResource` → View).
2) Set tenant RBAC status to a blocked state (e.g., `rbac_status = null` or `degraded`, or make `rbac_last_checked_at` stale).
3) Attempt to start a restore execution (Restore Runs → Execute).
   - Expected: the start surface blocks before enqueue; the operator sees the reason + CTA; no `OperationRun` is started for execution.
4) Attempt to trigger an assignments restore (where available).
   - Expected: blocked with the same reason codes.
5) For job-level defense-in-depth, directly enqueue the job (or trigger a code path that dispatches it) while the tenant is blocked.
   - Expected: the `OperationRun` is marked failed with a `reason_code` and no Graph mutation occurs.

## Test execution (once implemented)

Run the minimal related tests:

- `vendor/bin/sail artisan test --compact --filter=IntuneRbacWriteGate`
- or run the file-scoped tests created for this feature under `tests/Feature`.

## Notes

- Gate evaluation is DB-only; no synchronous Graph calls are allowed during UI evaluation.
- When the gate is disabled via config, writes proceed, but a warning is logged per evaluation that the gate is bypassed.
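The following is an added illustration of the gate logic the notes describe (DB-only evaluation, one reason code per blocked state, config bypass that still logs a warning). It is not the project's own code: the class names `TenantRbacSnapshot`, `GateDecision` and `IntuneWriteGate`, the reason-code strings, the `healthy` status value and the freshness window are all assumptions made for this example. The snapshot stands in for the `rbac_status` / `rbac_last_checked_at` columns already loaded from the tenant row, so evaluating it never touches Graph.

```php
<?php
declare(strict_types=1);

// Added example, not the project's code. Class names, reason codes and the
// 'healthy' status value are assumptions; the page only states the behaviour.

final class TenantRbacSnapshot
{
    public function __construct(
        public readonly ?string $rbacStatus,               // rbac_status: null = never configured
        public readonly ?DateTimeImmutable $lastCheckedAt, // rbac_last_checked_at: null = never checked
    ) {}
}

final class GateDecision
{
    public function __construct(
        public readonly bool $allowed,
        public readonly ?string $reasonCode, // null when allowed outright; set when blocked or bypassed
        public readonly bool $bypassed = false,
    ) {}
}

final class IntuneWriteGate
{
    // Assumed reason codes; the same value would be written to OperationRun.reason_code
    // by the job-level check and shown next to the CTA in the UI.
    public const REASON_NOT_CONFIGURED = 'rbac_not_configured';
    public const REASON_DEGRADED       = 'rbac_degraded';
    public const REASON_STALE          = 'rbac_stale';

    /**
     * @param bool     $enabled       config flag; false = writes proceed, warning logged per evaluation
     * @param int      $maxAgeSeconds freshness window for rbac_last_checked_at (assumed value)
     * @param callable $warn          fn(string $message, array $context): void, e.g. Log::warning in Laravel
     */
    public function __construct(
        private readonly bool $enabled,
        private readonly int $maxAgeSeconds,
        private $warn,
    ) {}

    // DB-only: decides purely from the snapshot and the clock, no Graph call.
    public function evaluate(TenantRbacSnapshot $t, DateTimeImmutable $now): GateDecision
    {
        $reason = $this->reasonFor($t, $now);

        if ($reason === null) {
            return new GateDecision(true, null);
        }

        if (!$this->enabled) {
            // Bypass is allowed but never silent: every evaluation that would have blocked logs once.
            ($this->warn)('Intune write gate bypassed by config', ['reason_code' => $reason]);
            return new GateDecision(true, $reason, bypassed: true);
        }

        return new GateDecision(false, $reason);
    }

    // Checks run in order: configured -> healthy -> fresh, so the first failing condition wins.
    private function reasonFor(TenantRbacSnapshot $t, DateTimeImmutable $now): ?string
    {
        if ($t->rbacStatus === null) {
            return self::REASON_NOT_CONFIGURED;
        }
        if ($t->rbacStatus !== 'healthy') {          // e.g. 'degraded'
            return self::REASON_DEGRADED;
        }
        $age = $t->lastCheckedAt === null
            ? PHP_INT_MAX
            : $now->getTimestamp() - $t->lastCheckedAt->getTimestamp();
        if ($age > $this->maxAgeSeconds) {
            return self::REASON_STALE;
        }
        return null;
    }
}

// Constructed sample input: a tenant whose RBAC status is healthy but was last checked
// two hours ago, evaluated against a one-hour freshness window with the gate enabled.
$now  = new DateTimeImmutable('2024-01-01T12:00:00Z');
$gate = new IntuneWriteGate(
    enabled: true,
    maxAgeSeconds: 3600,
    warn: fn (string $m, array $c) => fwrite(STDERR, $m . ' ' . json_encode($c) . PHP_EOL),
);
$decision = $gate->evaluate(
    new TenantRbacSnapshot('healthy', $now->sub(new DateInterval('PT2H'))),
    $now,
);
echo json_encode(['allowed' => $decision->allowed, 'reason_code' => $decision->reasonCode]), PHP_EOL;
```

Run it with `php gate_example.php` (PHP 8.1 or newer for `readonly`). Wiring it into the UI start surface and the job both means calling `evaluate()` once per attempt: the UI refuses before enqueue and renders `reasonCode` with the CTA, while the job marks its `OperationRun` failed with the same code before any Graph write is attempted.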