Plan: Scripts Management (013)

Branch: 013-scripts-management
Date: 2026-01-01
Input: spec.md

Goal

Provide end-to-end support for script policies (PowerShell scripts, macOS shell scripts, and proactive remediations) with readable normalized settings and safe restore behavior including assignments.

Scope

In scope

Script policy types:
- deviceManagementScript
- deviceShellScript
- deviceHealthScript
Readable “Normalized settings” output for the above types.
Restore apply safety is preserved (type mismatch fails; preview vs execute follows existing system behavior).
Assignment restore is supported (using existing assignment restore mechanisms and contract metadata).

Out of scope

Adding new UI flows or pages.
Introducing new external services or background infrastructure.
Changing how authentication/authorization works.

Approach

Confirm contract entries exist and are correct for the three script policy types (resource, type families, assignment paths/payload keys).
Add a policy normalizer that supports the three script policy types and outputs a stable, readable structure.
Register the normalizer in the application normalizer tag.
Add tests:
- Normalized output shape/stability for each type.
- Filament “Normalized settings” tab renders without errors for a version of each type.
Run targeted tests and Pint.

Risks & Mitigations

Scripts may contain large content blobs: normalized view must be readable and avoid overwhelming output (truncate or summarize where needed).
Platform-specific fields vary: normalizer must handle missing keys safely and remain stable.

Success Criteria

Normalized settings views are readable and stable for all three script policy types.
Restore execution remains safe and assignment behavior is unchanged/regression-free.
Tests cover the new normalizer behavior and basic UI render.

1.9 KiB Raw Blame History