# Tasks: Custom Compliance Scripts (Windows) (026)

**Branch**: `feat/026-custom-compliance-scripts`  
**Date**: 2026-01-04  
**Input**: [spec.md](./spec.md), [plan.md](./plan.md)

## Phase 1: Setup
- [x] T001 Create spec/plan/tasks and checklist.

## Phase 2: Research & Design
- [ ] T002 Confirm Graph resource + `@odata.type` and required permissions.
- [ ] T003 Confirm patchable fields and define `update_strip_keys` / `update_whitelist`.
- [ ] T004 Confirm assignments endpoints (`/assignments`, `/assign`) and body shape.
- [ ] T005 Decide restore mode + risk classification.

## Phase 3: Tests (TDD)
- [ ] T006 Add sync test for `deviceComplianceScript`.
- [ ] T007 Add snapshot/version capture test (incl. `detectionScriptContent`).
- [ ] T008 Add restore preview test (restore_mode + action).
- [ ] T009 Add restore execution test (sanitization + assignment apply).
- [ ] T010 Add normalized display test for key fields.

## Phase 4: Implementation
- [ ] T011 Add `deviceComplianceScript` to `config/tenantpilot.php`.
- [ ] T012 Add Graph contract entry in `config/graph_contracts.php`.
- [ ] T013 Implement snapshot capture handling (script content preservation rules).
- [ ] T014 Implement restore apply support (contract-driven sanitization + assignments).
- [ ] T015 Add `DeviceComplianceScriptNormalizer` and register it.

## Phase 5: Verification
- [ ] T016 Run targeted tests.
- [ ] T017 Run Pint (`./vendor/bin/pint --dirty`).