# Tasks: Device Configuration and Compliance Coverage (007) **Branch**: `feat/007-device-config-compliance` | **Date**: 2025-12-26 **Input**: [spec.md](./spec.md), [plan.md](./plan.md) ## Task Format - **Checkbox**: `- [ ]` for incomplete, `- [x]` for complete - **Task ID**: Sequential T001, T002, T003... - **[P] marker**: Task can run in parallel (different files, no blocking dependencies) - **[Story] label**: User story tag (US1, US2, US3...) - **File path**: Always include exact file path in description ## Phase 1: Policy Types, Contracts, Permissions **Purpose**: Add missing device configuration, compliance, scripts, and update ring types with Graph contract coverage. - [x] T001 [P] Expand policy type registry for device configuration, compliance, scripts, and update rings in `config/tenantpilot.php` (labels, categories, restore mode, risk). - [x] T002 [P] Add/update Graph contracts and assignment endpoints for new policy types in `config/graph_contracts.php`. - [x] T003 [P] Verify and extend permissions for the new workloads in `config/intune_permissions.php`. - [x] T004 Update type metadata helpers and filters in `app/Filament/Resources/PolicyResource.php` and `app/Filament/Resources/BackupSetResource/RelationManagers/BackupItemsRelationManager.php`. **Checkpoint**: New policy types are recognized across UI metadata and Graph contract registry. --- ## Phase 2: Snapshot Capture and Metadata **Purpose**: Ensure snapshots, assignments, and scope tags are captured for the new workloads. - [x] T005 Update `app/Services/Intune/PolicySnapshotService.php` to fetch and hydrate the new policy types correctly (filters, select fields). - [x] T006 Extend `app/Services/Intune/PolicyCaptureOrchestrator.php` to capture assignments and scope tags for the new types with existing resolvers. - [x] T007 Update `app/Services/Intune/BackupService.php` to capture snapshots for the new types and propagate warnings. - [x] T008 Add or extend normalization support in `app/Services/Intune/PolicyNormalizer.php` for the new policy types. **Checkpoint**: Backups include snapshots and metadata for configuration/compliance policies. --- ## Phase 3: Restore Logic and Mapping **Purpose**: Restore new policy types safely using assignment and foundation mappings. - [ ] T009 Update `app/Services/Intune/RestoreService.php` to restore the new policy types using Graph contracts. - [ ] T010 Extend `app/Services/AssignmentRestoreService.php` for assignment endpoints of the new types. - [ ] T011 Ensure compliance notification templates are restored and referenced via mapping in `app/Services/Intune/RestoreService.php`. - [ ] T012 Add audit coverage for compliance action mapping outcomes in `app/Services/Intune/AuditLogger.php`. **Checkpoint**: Restore applies policies and assignments or skips with clear reasons. --- ## Phase 4: Admin UX **Purpose**: Surface restore and compliance details clearly in the UI. - [ ] T013 Update `resources/views/filament/infolists/entries/restore-preview.blade.php` to surface compliance action/template warnings. - [ ] T014 Update `resources/views/filament/infolists/entries/restore-results.blade.php` to show compliance action mapping outcomes and skip reasons. **Checkpoint**: Admins can see compliance related mapping results in preview and results. --- ## Phase 5: Tests and Verification **Purpose**: Cover new workloads with Pest tests and verify formatting. - [ ] T015 Add unit tests for snapshot and normalization coverage in `tests/Unit/PolicySnapshotServiceTest.php` and `tests/Unit/PolicyNormalizerTest.php`. - [ ] T016 Add feature tests for backup and restore flows in `tests/Feature/Filament/RestorePreviewTest.php` and `tests/Feature/Filament/RestoreExecutionTest.php`. - [ ] T017 Run tests: `./vendor/bin/sail artisan test tests/Unit/PolicySnapshotServiceTest.php tests/Unit/PolicyNormalizerTest.php tests/Feature/Filament/RestorePreviewTest.php tests/Feature/Filament/RestoreExecutionTest.php` - [ ] T018 Run Pint: `./vendor/bin/pint --dirty` **Checkpoint**: Tests pass and formatting is clean. --- ## Deferred / Backlog - [ ] T019 [Deferred] Add inventory/properties catalog policies (`deviceManagement/inventoryPolicies`) once required permissions are confirmed; include contracts, sync, snapshot hydration via `/settings`, and normalized UI display.