# Tasks: SoT Foundations & Assignments (006)

**Branch**: `feat/006-sot-foundations-assignments` | **Date**: 2025-12-25

**Input**: [spec.md](./spec.md), [plan.md](./plan.md), [data-model.md](./data-model.md), [research.md](./research.md), [contracts](./contracts/)

## Task Format

- **Checkbox**: `- [ ]` for incomplete, `- [x]` for complete
- **Task ID**: Sequential T001, T002, T003...
- **[P] marker**: Task can run in parallel (different files, no blocking dependencies)
- **[Story] label**: User story tag (US1, US2, US3...)
- **File path**: Always include the exact file path in the description

## Phase 1: Foundation Registry and Permissions

**Purpose**: Define foundation object types and ensure Graph contracts and permissions exist.

- [x] T001 [P] Add foundation type registry in `config/tenantpilot.php` (assignmentFilter, roleScopeTag, notificationMessageTemplate) with label/category/backup/restore/risk metadata.
- [x] T002 [P] Extend `config/graph_contracts.php` with foundation contracts (resource, create/update methods, id_field, allowed_select, type_family).
- [x] T003 [P] Extend `config/intune_permissions.php` to include foundation permissions (DeviceManagementRBAC.ReadWrite.All and any missing read/write scopes for filters/templates).
- [x] T004 Update type metadata helpers to include foundation types in `app/Filament/Resources/BackupSetResource.php`, `app/Filament/Resources/BackupSetResource/RelationManagers/BackupItemsRelationManager.php`, and `app/Filament/Resources/RestoreRunResource.php`.

**Checkpoint**: Foundation types and permissions are defined and discoverable by UI helpers.

---

## Phase 2: Foundations Backup Capture

**Purpose**: Capture assignment filters, scope tags, and notification templates into backup sets.

- [x] T005 Create `app/Services/Intune/FoundationSnapshotService.php` to list and fetch foundation objects with Graph paging, normalized metadata, and fail-soft behavior.
- [x] T006 Extend `app/Services/Intune/BackupService.php` to capture foundation snapshots into `backup_items` (policy_id null, policy_type set, policy_identifier = source id, metadata includes displayName).
- [x] T007 Add a UI action/toggle to include foundations when adding to a backup set in `app/Filament/Resources/BackupSetResource/RelationManagers/BackupItemsRelationManager.php`.
- [x] T008 Add foundation display helpers on `app/Models/BackupItem.php` (e.g., isFoundation, foundationDisplayName) and use them in `BackupItemsRelationManager`.

**Checkpoint**: Foundations can be captured and displayed alongside policy backup items.

---

## Phase 3: Foundations Restore and Mapping

**Purpose**: Restore foundations first and persist deterministic old-to-new mappings.

- [x] T009 Create `app/Services/Intune/FoundationMappingService.php` to match by displayName, handle collisions, and emit report entries matching `contracts/restore-mapping-report.schema.json`.
- [x] T010 Extend `app/Services/Intune/RestoreService.php` to run foundation restore first, build the preview mapping (dry-run), and persist mapping results in `restore_runs.preview` and `restore_runs.results`.
- [x] T011 Add audit events for foundation mapping decisions and failures in `app/Services/Intune/RestoreService.php`.
- [x] T012 Render foundation mapping in restore UI views: `resources/views/filament/infolists/entries/restore-preview.blade.php` and `resources/views/filament/infolists/entries/restore-results.blade.php`.

**Checkpoint**: Restore preview and execute include a foundation mapping section with deterministic decisions.

---

## Phase 4: Assignment-Aware Restore

**Purpose**: Apply assignments only when foundation mappings exist and record clear skip reasons.

- [x] T013 Extend `app/Services/AssignmentRestoreService.php` to map assignment filter IDs via the foundation mapping; skip and record reasons when mappings are missing.
- [x] T014 Update `app/Services/Intune/RestoreService.php` to pass foundation mappings into assignment restore and apply scope tag mapping when restoring policies.
- [x] T015 Add mapping context to assignment audit logs in `app/Services/AssignmentRestoreService.php`.

**Checkpoint**: Assignments are applied safely with explicit skip reasons and audit coverage.

---

## Phase 5: Conditional Access Preview-Only Enforcement

**Purpose**: Keep CA restore preview-only even in execute mode.

- [x] T016 Update `app/Services/Intune/RestoreService.php` to prevent CA execution (status skipped, reason preview_only) while keeping preview output.
- [x] T017 Update restore UI to surface CA preview-only status in `resources/views/filament/infolists/entries/restore-preview.blade.php` and `resources/views/filament/infolists/entries/restore-results.blade.php`.

**Checkpoint**: CA items never execute; the preview clearly signals preview-only.

---

## Phase 6: Tests and Verification

**Purpose**: Ensure all new behavior is covered by Pest tests and formatting is clean.

- [x] T018 [P] Add unit tests for FoundationMappingService in `tests/Unit/FoundationMappingServiceTest.php`.
- [x] T019 [P] Add unit tests for FoundationSnapshotService in `tests/Unit/FoundationSnapshotServiceTest.php`.
- [x] T020 Add feature tests for foundations backup/restore preview and execute in `tests/Feature/FoundationBackupTest.php`, `tests/Feature/Filament/RestorePreviewTest.php`, `tests/Feature/Filament/RestoreExecutionTest.php`, `tests/Feature/RestoreScopeTagMappingTest.php`.
- [x] T021 Add feature tests for assignment mapping and skip reasons in `tests/Feature/RestoreAssignmentApplicationTest.php`.
- [x] T022 Add feature test for CA preview-only execution behavior in `tests/Feature/Filament/ConditionalAccessPreviewOnlyTest.php`.
- [x] T023 Run tests: `./vendor/bin/sail artisan test tests/Unit/FoundationSnapshotServiceTest.php tests/Unit/FoundationMappingServiceTest.php tests/Unit/TenantPermissionServiceTest.php tests/Feature/FoundationBackupTest.php tests/Feature/Filament/RestoreExecutionTest.php tests/Feature/Filament/RestorePreviewTest.php tests/Feature/Filament/RestoreItemSelectionTest.php tests/Feature/RestoreAssignmentApplicationTest.php tests/Feature/RestoreScopeTagMappingTest.php tests/Feature/RestoreRunRerunTest.php`
- [x] T024 Run Pint: `./vendor/bin/pint --dirty`

---

## Phase 7: Admin UX and Safety

**Purpose**: Improve admin clarity and safe reruns for restore flows.

- [x] T025 Update tenant permission display to ignore configured stub grants in `app/Services/Intune/TenantPermissionService.php` and `app/Filament/Resources/TenantResource.php`, plus tests in `tests/Unit/TenantPermissionServiceTest.php`.
- [x] T026 Improve restore item selection UX (searchable list, descriptions, hint) in `app/Filament/Resources/RestoreRunResource.php` with coverage in `tests/Feature/Filament/RestoreItemSelectionTest.php`.
- [x] T027 Add restore run rerun action and coverage in `app/Filament/Resources/RestoreRunResource.php` and `tests/Feature/RestoreRunRerunTest.php`.

**Checkpoint**: Tests pass and formatting is clean.
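The mapping and skip logic that Phases 3 and 4 describe, as an added standalone Python illustration rather than the project's PHP services: the report field names, the `filter_not_mapped` skip reason, and the sample tenants are assumptions, not the fields of `contracts/restore-mapping-report.schema.json`.

```python
# Added illustration, not the project's PHP services: deterministic foundation
# mapping by displayName, then assignment restore that skips unmapped filters.
from dataclasses import dataclass

@dataclass(frozen=True)
class Foundation:
    id: str
    type: str           # assignmentFilter | roleScopeTag | notificationMessageTemplate
    display_name: str

def build_foundation_mapping(source, target):
    """Return (mapping old_id -> new_id, report entries), one entry per source.
    Sources are processed in sorted order; an ambiguous displayName is a collision."""
    by_name = {}
    for t in target:
        by_name.setdefault((t.type, t.display_name), []).append(t)
    mapping, report = {}, []
    for s in sorted(source, key=lambda f: (f.type, f.display_name, f.id)):
        cands = sorted(by_name.get((s.type, s.display_name), []), key=lambda f: f.id)
        entry = {"type": s.type, "displayName": s.display_name,
                 "sourceId": s.id, "targetId": None}   # field names are assumptions
        if len(cands) == 1:
            mapping[s.id] = cands[0].id
            entry.update(decision="mapped", targetId=cands[0].id)
        elif not cands:
            entry["decision"] = "missing"
        else:
            entry.update(decision="collision", candidateIds=[c.id for c in cands])
        report.append(entry)
    return mapping, report

def restore_assignments(assignments, mapping):
    """Rewrite filter ids through the mapping; unmapped ones are skipped with a reason."""
    applied, skipped = [], []
    for a in assignments:
        fid = a.get("filterId")
        if fid is None:
            applied.append(dict(a))                      # no filter to remap
        elif fid in mapping:
            applied.append({**a, "filterId": mapping[fid]})
        else:
            skipped.append({**a, "skipReason": "filter_not_mapped"})
    return applied, skipped

# Constructed sample: "Pilot Devices" exists twice in the target -> collision.
SOURCE = [Foundation("f-1", "assignmentFilter", "Corp Windows"),
          Foundation("f-2", "assignmentFilter", "Pilot Devices"),
          Foundation("f-3", "assignmentFilter", "Kiosks")]
TARGET = [Foundation("t-1", "assignmentFilter", "Corp Windows"),
          Foundation("t-3", "assignmentFilter", "Pilot Devices"),
          Foundation("t-2", "assignmentFilter", "Pilot Devices")]
```

Running `build_foundation_mapping(SOURCE, TARGET)` and then `restore_assignments` over assignments that reference `f-1`, `f-2` and no filter shows one mapped, one skipped with a recorded reason, and one applied untouched.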