# Feature Specification: Custom Compliance Scripts (Windows) (026)

**Feature Branch**: `feat/026-custom-compliance-scripts`
**Created**: 2026-01-04
**Status**: Draft
**Priority**: P1

## Context

Windows Custom Compliance is widely used. Without `deviceComplianceScripts`, backup/restore for compliance posture is incomplete. Restore must include assignments.

## User Scenarios & Testing

### User Story 1 — Inventory + view compliance scripts (Priority: P1)

As an admin, I can see Custom Compliance Scripts in inventory and view their script/config in a readable way.

**Acceptance Scenarios**

1. Given device compliance scripts exist, sync shows them as type `deviceComplianceScript`.
2. Detail view shows key settings (`runAsAccount`, `enforceSignatureCheck`, `runAs32Bit`) and script content (safe display rules).

### User Story 2 — Backup + versioning (Priority: P1)

As an admin, I can capture versions/backups of compliance scripts so I can diff changes.

**Acceptance Scenarios**

1. Snapshot capture stores the full payload including `detectionScriptContent`.
2. Diff highlights script changes and operational flags.

### User Story 3 — Restore preview + execution (Priority: P1)

As an admin, I can restore a compliance script and its assignments defensively.

**Acceptance Scenarios**

1. Preview shows create/update + restore mode and warnings.
2. Execution strips read-only fields and re-encodes script content correctly.
3. Assignments are applied via the Graph `assign` action.

## Requirements

### Functional Requirements

- **FR-001**: Add policy type `deviceComplianceScript` backed by Graph `deviceManagement/deviceComplianceScripts` (beta).
- **FR-002**: Snapshot stores the full payload (including `detectionScriptContent`) and assignments.
- **FR-003**: Restore supports create/update with contract-driven sanitization.
- **FR-004**: Restore applies assignments (`/assign`) and records audit logs.
- **FR-005**: Add normalized display support for key fields and script content (with safety limits).
- **FR-006**: Add Pest tests for sync + snapshot + preview + execution.

### Non-Functional Requirements

- **NFR-001**: Script content must never be logged; UI display must be bounded (config-driven).
- **NFR-002**: Preview-only fallback when Graph returns unexpected shapes or missing contracts.

## Success Criteria

- **SC-001**: Custom compliance scripts appear in inventory and backups.
- **SC-002**: Restore execution works and assignments are applied.
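The following is an added example sketching the three security-relevant pieces of this spec in one place: the contract-driven sanitization that FR-003 and User Story 3 describe (strip read-only fields, re-encode `detectionScriptContent`), the bounded display that FR-005 and NFR-001 require, and an audit record that carries the operational flags and a script fingerprint but never the script itself. It is not code from the project; it assumes that the snapshot stores the decoded script text under `detectionScriptContent` (so diffs are readable) and that the "contract" is a plain array naming the read-only fields. The field names follow the Graph beta `deviceComplianceScript` resource; the sample snapshot is constructed.

```php
<?php
declare(strict_types=1);

// Added example, not project code. Assumption: the snapshot holds the
// decoded script text; restore must base64-encode it for Graph.
// Assumption: the contract is an array listing read-only/binary/required fields.
const DEVICE_COMPLIANCE_SCRIPT_CONTRACT = [
    'readOnly' => ['id', 'createdDateTime', 'lastModifiedDateTime', 'version', '@odata.context'],
    'binary'   => ['detectionScriptContent'],
    'required' => ['displayName', 'detectionScriptContent'],
];

/**
 * Build the create/update body for deviceManagement/deviceComplianceScripts
 * from a stored snapshot: drop read-only fields, then base64-encode binaries.
 * Throws when a required field is missing so the caller can fall back to
 * preview-only (NFR-002) instead of sending a half-formed payload.
 */
function buildRestoreBody(array $snapshot, array $contract = DEVICE_COMPLIANCE_SCRIPT_CONTRACT): array
{
    $body = $snapshot;
    foreach ($contract['readOnly'] as $field) {
        unset($body[$field]);
    }
    foreach ($contract['required'] as $field) {
        if (!isset($body[$field]) || $body[$field] === '') {
            throw new InvalidArgumentException("Snapshot missing required field '$field'");
        }
    }
    foreach ($contract['binary'] as $field) {
        if (isset($body[$field])) {
            $body[$field] = base64_encode($body[$field]);
        }
    }
    return $body;
}

/**
 * Bounded, display-safe rendering of the script (FR-005 / NFR-001):
 * truncate to the configured limit and escape for HTML.
 * This output is for the UI only; never pass script text to a logger.
 */
function displayScript(string $script, int $maxChars = 4000): string
{
    $total = mb_strlen($script);
    $shown = $total > $maxChars ? mb_substr($script, 0, $maxChars) : $script;
    $out = htmlspecialchars($shown, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return $total > $maxChars
        ? $out . "\n[truncated: {$maxChars} of {$total} characters shown]"
        : $out;
}

/** Log-safe audit record: operational flags plus a SHA-256 fingerprint, never the script. */
function auditSummary(array $snapshot): array
{
    return [
        'displayName'           => $snapshot['displayName'] ?? null,
        'runAsAccount'          => $snapshot['runAsAccount'] ?? null,
        'enforceSignatureCheck' => $snapshot['enforceSignatureCheck'] ?? null,
        'runAs32Bit'            => $snapshot['runAs32Bit'] ?? null,
        'scriptSha256'          => hash('sha256', $snapshot['detectionScriptContent'] ?? ''),
    ];
}

// Constructed sample snapshot (placeholder id, not tenant data).
$snapshot = [
    '@odata.context'        => 'https://graph.microsoft.com/beta/$metadata#deviceManagement/deviceComplianceScripts/$entity',
    'id'                    => '00000000-0000-0000-0000-000000000000',
    'displayName'           => 'Check BitLocker status',
    'publisher'             => 'Contoso IT',
    'version'               => '1.0',
    'createdDateTime'       => '2026-01-04T10:00:00Z',
    'lastModifiedDateTime'  => '2026-01-04T10:00:00Z',
    'runAsAccount'          => 'system',
    'enforceSignatureCheck' => false,
    'runAs32Bit'            => false,
    'detectionScriptContent' => "\$v = Get-BitLockerVolume -MountPoint 'C:'\n"
        . "@{ Encrypted = (\$v.ProtectionStatus -eq 'On') } | ConvertTo-Json -Compress\n",
];

$body = buildRestoreBody($snapshot);
assert(!isset($body['id']) && !isset($body['createdDateTime']) && !isset($body['@odata.context']));
assert(base64_decode($body['detectionScriptContent'], true) === $snapshot['detectionScriptContent']);

echo json_encode(auditSummary($snapshot), JSON_PRETTY_PRINT), PHP_EOL;
echo displayScript($snapshot['detectionScriptContent'], 40), PHP_EOL;
```

The read-only list is the part worth keeping in a contract rather than in code: when Graph adds a field, the contract changes and the sanitizer does not. Keeping `auditSummary` as the only thing that reaches the audit log is what makes NFR-001 checkable in a Pest test, since a test can assert that the logged array has no `detectionScriptContent` key while still proving which version was restored via `scriptSha256`.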