# Implementation Plan: Device Configuration and Compliance Coverage

**Branch**: `007-device-config-compliance` | **Date**: 2025-12-26 | **Spec**: ./spec.md
**Input**: Feature specification from `/specs/007-device-config-compliance/spec.md`

## Summary

Expand backup and restore coverage for device configuration, compliance, scripts, and update rings. This plan focuses on policy type coverage, assignment capture, and safe restore behavior using existing foundation mappings and assignment logic.

Phase outputs:
- Phase 0 research: n/a (no new research artifact yet)
- Phase 1 design: n/a (no new data model artifact yet)

## Technical Context

**Language/Version**: PHP 8.4 (Laravel 12)  
**Primary Dependencies**: Laravel 12, Filament v4, Livewire v3, Microsoft Graph (custom client abstraction)  
**Storage**: PostgreSQL (JSONB payload storage for snapshots)  
**Testing**: Pest v4 + PHPUnit 12  
**Target Platform**: Docker/Sail locally; container deploy via Dokploy  
**Project Type**: Web application (Laravel backend + Filament admin UI)  
**Performance Goals**: Restore preview for 100 selected items in under 2 minutes  
**Constraints**: Restore must be defensive (no deletions); assignments only applied with valid mapping; audit logs required  
**Scale/Scope**: Tenants with mixed configuration and compliance policies, including scripts and update rings

## Constitution Check

The constitution at `.specify/memory/constitution.md` is currently an unfilled template. For this feature, adopt the repo rules as gates:

- Sail-first local dev/test commands.
- Spec gate: code changes must be accompanied by `specs/007-device-config-compliance/` updates.
- Tests required for behavior changes (Pest).
- Restore safety: never delete; skip unsafe assignments; record reasons.
- Auditability: backup and restore outcomes are logged per tenant.

## Project Structure

### Documentation (this feature)

```text
specs/007-device-config-compliance/
├── spec.md
├── plan.md
└── tasks.md
```

### Source Code (expected touch points)

```text
app/
├── Filament/
│   └── Resources/
├── Models/
│   ├── BackupItem.php
│   ├── Policy.php
│   └── PolicyVersion.php
├── Services/
│   ├── Graph/
│   └── Intune/
└── Jobs/

config/
├── graph_contracts.php
├── intune_permissions.php
└── tenantpilot.php

tests/
├── Feature/
└── Unit/
```

**Structure Decision**: Extend existing services (PolicySnapshotService, PolicyCaptureOrchestrator, RestoreService) and Filament resources, adding only targeted helpers where needed.

## Complexity Tracking

| Violation | Why Needed | Simpler Alternative Rejected Because |
|-----------|------------|-------------------------------------|
| n/a | n/a | n/a |