# Plan: Enrollment & Autopilot (014)

**Branch**: `014-enrollment-autopilot`
**Date**: 2026-01-01
**Input**: [spec.md](./spec.md)

## Goal
Provide end-to-end support for enrollment & Autopilot configuration items with readable normalized settings and safe restore behavior.

## Scope

### In scope
- Policy types:
  - `windowsAutopilotDeploymentProfile` (restore enabled)
  - `windowsEnrollmentStatusPage` (restore enabled)
  - `enrollmentRestriction` (restore preview-only)
- Readable “Normalized settings” for the above types.
- Restore behavior:
  - Autopilot/ESP: apply via existing restore mechanisms (create-if-missing allowed)
  - Enrollment restrictions: must be skipped on execution by default (preview-only)
- Tests for normalization + UI rendering + preview-only enforcement.

### Out of scope
- New restore wizard flows/pages.
- Enabling execution for enrollment restrictions (requires product decision).
- New external services.

## Approach
1. Verify `config/graph_contracts.php` and `config/tenantpilot.php` entries for the three policy types.
2. Implement a new policy type normalizer to provide stable, enrollment-relevant blocks for:
   - Autopilot deployment profiles
   - Enrollment Status Page
   - Enrollment restrictions
3. Register the normalizer with the `policy-type-normalizers` tag.
4. Add tests:
   - Unit tests for normalized output stability/shape.
   - Filament feature tests verifying “Normalized settings” renders for each type.
   - Feature test verifying `enrollmentRestriction` restore is preview-only and skipped on execution.
5. Run targeted tests and Pint.

## Risks & Mitigations
- Payload shape variance across tenants: normalizer must handle missing keys safely.
- Enrollment restrictions are high impact: execution must remain disabled by default (preview-only).

## Success Criteria
- Normalized settings are stable and readable for all in-scope types.
- Restore execution skips preview-only types and reports clear result reasons.
- Tests cover normalization and preview-only enforcement.