# Implementation Plan: TenantPilot v1 - RBAC Onboarding

**Branch**: `feat/001-rbac-onboarding` | **Date**: 2025-12-19 | **Spec**: `specs/001-rbac-onboarding/spec.md`

**Input**: Feature specification from `specs/001-rbac-onboarding/spec.md`

## Summary

TenantPilot v1 core flows are already implemented per `specs/001-rbac-onboarding/tasks.md`. This plan focuses on finishing the remaining open items for this branch: US4 restore rerun (T156), the optional RBAC check/report CLI (T167), and Settings Catalog improvements (T179, T185, T186).

The RBAC onboarding wizard (US7) is tenant scoped, uses delegated login, and applies idempotent RBAC setup with audit logging. All Graph calls stay behind the Graph abstraction and contract registry.

## Technical Context

**Language/Version**: PHP 8.4.15 (Laravel 12)
**Primary Dependencies**: Filament v4, Livewire v3, Pest v4, Tailwind CSS v4
**Storage**: PostgreSQL (JSONB for snapshots/backups/versions)
**Testing**: Pest (`php artisan test` or `./vendor/bin/sail artisan test`)
**Target Platform**: Docker/Sail locally; Dokploy containers in staging/production
**Project Type**: Single Laravel web application (Filament admin UI)
**Performance Goals**: Needs clarification (focus on safety and admin UX)
**Constraints**: Tenant isolation, least privilege, explicit confirmations, audit logging, no token persistence, staging gate before production
**Scale/Scope**: Multi-tenant Intune admin workflows (inventory, backup, versioning, restore, RBAC onboarding)

## Constitution Check

`/.specify/memory/constitution.md` is a placeholder template, so there are no explicit gates defined there.

This plan follows the repo rules in `AGENTS.md` and the spec:

- Spec-first workflow and branch naming conventions
- Tests required for changes (Pest)
- Audit logging for sensitive actions
- Restore safety gates and explicit confirmations
- No secrets in logs; delegated tokens are not persisted

## Project Structure

### Documentation (this feature)

```text
specs/001-rbac-onboarding/
├── spec.md
├── plan.md
└── tasks.md
```

### Source Code (repository root)

```text
app/
├── Filament/
├── Livewire/
├── Models/
├── Services/
├── Jobs/
├── Console/
bootstrap/
config/
database/
resources/
routes/
tests/
```

**Structure Decision**: Single Laravel application; no separate frontend/backend split.

## Execution Plan (aligned to tasks.md)

### Phase A - RBAC wizard completion and safety

- Confirm US7 wizard flow, audit coverage, and health panel status (FR-023 to FR-030).
- Optional: implement T167 (check/report CLI only; no grant).

### Phase B - Restore rerun UX

- Implement T156: the rerun action clones the restore run (backup_set_id, items, dry_run) and enforces the same safety gates.

### Phase C - Settings Catalog restore correctness and readability

- Implement T179: central hydration of settingsCatalogPolicy snapshots (versions, backups, previews).
- Implement T185: improve labels/value previews in the settings table.
- Implement T186: ensure the settings_apply payload preserves @odata.type and the correct body shape.

### Testing and Quality Gates

- Add or extend Pest tests per task requirements (feature + unit); run targeted tests.
- Run `vendor/bin/pint --dirty` on touched files.

## Complexity Tracking

None.