ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
061-provider-foundation
TenantAtlas/specs/006-sot-foundations-assignments/tasks.md
ahmido d2dbc52a32 feat(006): foundations + assignment mapping and preview-only restore guard (#7) 
## Summary
- Capture and restore foundation types (assignment filters, scope tags, notification templates) with deterministic mapping.
- Apply foundation mappings during restore (scope tags on policy payloads, assignment filter mapping with skip reasons).
- Improve restore run UX (item selection, rerun action, preview-only badges).
- Enforce preview-only policy types (e.g. Conditional Access) during execution.

## Testing
- ./vendor/bin/sail artisan test tests/Feature/Filament/ConditionalAccessPreviewOnlyTest.php

## Notes
- Specs/plan/tasks updated under specs/006-sot-foundations-assignments.
- No migrations.

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@adsmac.local>
Reviewed-on: #7
2025-12-26 23:44:31 +00:00

6.8 KiB
Raw Permalink Blame History

Tasks: SoT Foundations & Assignments (006)

Branch: feat/006-sot-foundations-assignments | Date: 2025-12-25
Input: spec.md, plan.md, data-model.md, research.md, contracts

Task Format

  • Checkbox: - [ ] for incomplete, - [x] for complete
  • Task ID: Sequential T001, T002, T003...
  • [P] marker: Task can run in parallel (different files, no blocking dependencies)
  • [Story] label: User story tag (US1, US2, US3...)
  • File path: Always include exact file path in description

Phase 1: Foundation Registry and Permissions

Purpose: Define foundation object types and ensure Graph contracts and permissions exist.

  • T001 [P] Add foundation type registry in config/tenantpilot.php (assignmentFilter, roleScopeTag, notificationMessageTemplate) with label/category/backup/restore/risk metadata.
  • T002 [P] Extend config/graph_contracts.php with foundation contracts (resource, create/update methods, id_field, allowed_select, type_family).
  • T003 [P] Extend config/intune_permissions.php to include foundation permissions (DeviceManagementRBAC.ReadWrite.All and any missing read/write scopes for filters/templates).
  • T004 Update type metadata helpers to include foundation types in app/Filament/Resources/BackupSetResource.php, app/Filament/Resources/BackupSetResource/RelationManagers/BackupItemsRelationManager.php, and app/Filament/Resources/RestoreRunResource.php.

Checkpoint: Foundation types and permissions defined and discoverable by UI helpers.

Phase 2: Foundations Backup Capture

Purpose: Capture assignment filters, scope tags, and notification templates into backup sets.

  • T005 Create app/Services/Intune/FoundationSnapshotService.php to list and fetch foundation objects with Graph paging, normalized metadata, and fail-soft behavior.
  • T006 Extend app/Services/Intune/BackupService.php to capture foundation snapshots into backup_items (policy_id null, policy_type set, policy_identifier = source id, metadata includes displayName).
  • T007 Add a UI action/toggle to include foundations when adding to a backup set in app/Filament/Resources/BackupSetResource/RelationManagers/BackupItemsRelationManager.php.
  • T008 Add foundation display helpers on app/Models/BackupItem.php (e.g., isFoundation, foundationDisplayName) and use them in BackupItemsRelationManager.

Checkpoint: Foundations can be captured and displayed alongside policy backup items.

Phase 3: Foundations Restore and Mapping

Purpose: Restore foundations first and persist deterministic old to new mappings.

  • T009 Create app/Services/Intune/FoundationMappingService.php to match by displayName, handle collisions, and emit report entries matching contracts/restore-mapping-report.schema.json.
  • T010 Extend app/Services/Intune/RestoreService.php to run foundation restore first, build preview mapping (dry-run), and persist mapping results in restore_runs.preview and restore_runs.results.
  • T011 Add audit events for foundation mapping decisions and failures in app/Services/Intune/RestoreService.php.
  • T012 Render foundation mapping in restore UI views: resources/views/filament/infolists/entries/restore-preview.blade.php and resources/views/filament/infolists/entries/restore-results.blade.php.

Checkpoint: Restore preview and execute include a foundation mapping section with deterministic decisions.

Phase 4: Assignment-Aware Restore

Purpose: Apply assignments only when foundation mappings exist and record clear skip reasons.

  • T013 Extend app/Services/AssignmentRestoreService.php to map assignment filter IDs via the foundation mapping; skip and record reasons when mappings are missing.
  • T014 Update app/Services/Intune/RestoreService.php to pass foundation mappings into assignment restore and apply scope tag mapping when restoring policies.
  • T015 Add mapping context to assignment audit logs in app/Services/AssignmentRestoreService.php.

Checkpoint: Assignments are applied safely with explicit skip reasons and audit coverage.

Phase 5: Conditional Access Preview-Only Enforcement

Purpose: Keep CA restore preview-only even in execute mode.

  • T016 Update app/Services/Intune/RestoreService.php to prevent CA execution (status skipped, reason preview_only) while keeping preview output.
  • T017 Update restore UI to surface CA preview-only status in resources/views/filament/infolists/entries/restore-preview.blade.php and resources/views/filament/infolists/entries/restore-results.blade.php.

Checkpoint: CA items never execute; preview clearly signals preview-only.

Phase 6: Tests and Verification

Purpose: Ensure all new behavior is covered by Pest tests and formatting is clean.

  • T018 [P] Add unit tests for FoundationMappingService in tests/Unit/FoundationMappingServiceTest.php.
  • T019 [P] Add unit tests for FoundationSnapshotService in tests/Unit/FoundationSnapshotServiceTest.php.
  • T020 Add feature tests for foundations backup/restore preview and execute in tests/Feature/FoundationBackupTest.php, tests/Feature/Filament/RestorePreviewTest.php, tests/Feature/Filament/RestoreExecutionTest.php, tests/Feature/RestoreScopeTagMappingTest.php.
  • T021 Add feature tests for assignment mapping and skip reasons in tests/Feature/RestoreAssignmentApplicationTest.php.
  • T022 Add feature test for CA preview-only execution behavior in tests/Feature/Filament/ConditionalAccessPreviewOnlyTest.php.
  • T023 Run tests: ./vendor/bin/sail artisan test tests/Unit/FoundationSnapshotServiceTest.php tests/Unit/FoundationMappingServiceTest.php tests/Unit/TenantPermissionServiceTest.php tests/Feature/FoundationBackupTest.php tests/Feature/Filament/RestoreExecutionTest.php tests/Feature/Filament/RestorePreviewTest.php tests/Feature/Filament/RestoreItemSelectionTest.php tests/Feature/RestoreAssignmentApplicationTest.php tests/Feature/RestoreScopeTagMappingTest.php tests/Feature/RestoreRunRerunTest.php
  • T024 Run Pint: ./vendor/bin/pint --dirty

Phase 7: Admin UX and Safety

Purpose: Improve admin clarity and safe reruns for restore flows.

  • T025 Update tenant permission display to ignore configured stub grants in app/Services/Intune/TenantPermissionService.php and app/Filament/Resources/TenantResource.php, plus tests in tests/Unit/TenantPermissionServiceTest.php.
  • T026 Improve restore item selection UX (searchable list, descriptions, hint) in app/Filament/Resources/RestoreRunResource.php with coverage in tests/Feature/Filament/RestoreItemSelectionTest.php.
  • T027 Add restore run rerun action and coverage in app/Filament/Resources/RestoreRunResource.php and tests/Feature/RestoreRunRerunTest.php.

Checkpoint: Tests pass and formatting is clean.