# Quickstart — Intune RBAC Inventory & Backup v1 (127)

## Prerequisites

- Docker running
- Laravel Sail available at `vendor/bin/sail`
- Existing test database available through Sail

## Local setup

- Start containers:
  - `vendor/bin/sail up -d`
- Install dependencies if needed:
  - `vendor/bin/sail composer install`
  - `vendor/bin/sail npm install`

## Implementation checkpoints

1. Extend foundation metadata and Graph contracts for:
   - `intuneRoleDefinition`
   - `intuneRoleAssignment`
2. Add RBAC normalizers and register them in `AppServiceProvider`.
3. Wire permission-warning handling for missing `DeviceManagementRBAC.Read.All`.
4. Verify inventory, backup, and restore preview surfaces treat both types as foundations and `preview-only`.

## Format

- Run formatting before final review:
  - `vendor/bin/sail bin pint --dirty --format agent`

## Focused tests

Run the smallest relevant sets first:

- Inventory sync and coverage:
  - `vendor/bin/sail artisan test --compact tests/Feature/Inventory/InventorySyncServiceTest.php`
  - `vendor/bin/sail artisan test --compact tests/Feature/Filament/InventoryCoverageTableTest.php`
- Foundation backup capture and preview-only behavior:
  - `vendor/bin/sail artisan test --compact tests/Feature/FoundationBackupTest.php`
  - `vendor/bin/sail artisan test --compact tests/Feature/Filament/RestoreExecutionTest.php`
  - `vendor/bin/sail artisan test --compact tests/Feature/RestoreUnknownPolicyTypeSafetyTest.php`
- Graph contract and snapshot helpers:
  - `vendor/bin/sail artisan test --compact tests/Unit/GraphContractRegistryTest.php`
  - `vendor/bin/sail artisan test --compact tests/Unit/FoundationSnapshotServiceTest.php`
- RBAC permission and verification surfaces:
  - `vendor/bin/sail artisan test --compact tests/Feature/Verification`
  - `vendor/bin/sail artisan test --compact tests/Unit/RbacOnboardingServiceTest.php`

If dedicated spec-127 tests are added, run those file paths directly.

## Manual verification checklist

- As a tenant member with inventory capability:
  - run inventory sync with foundations enabled
  - confirm `intuneRoleDefinition` and `intuneRoleAssignment` appear in coverage under RBAC
- As a tenant member with backup visibility:
  - create a backup set with foundations enabled
  - confirm RBAC foundation items appear as backup items with readable display names
- In backup or restore preview detail:
  - confirm both RBAC foundation types show `preview-only`
  - confirm no execute-restore action is available for them
- With missing `DeviceManagementRBAC.Read.All`:
  - run verification or inventory sync
  - confirm the result surfaces a clear RBAC permission warning or reason instead of an opaque failure
- As a non-member:
  - attempt direct access to tenant-scoped RBAC coverage or backup/version views
  - confirm the response is 404