Plan: Custom Compliance Scripts (Windows) (026)

Branch: feat/026-custom-compliance-scripts
Date: 2026-01-04
Input: spec.md

Approach

Confirm Graph contract details:
- resource: deviceManagement/deviceComplianceScripts (beta)
- patchable fields vs read-only fields
- assignment pattern: /deviceComplianceScripts/{id}/assign and /assignments
Add deviceComplianceScript to config/tenantpilot.php (category “Compliance”, risk, restore mode).
Add contract entry to config/graph_contracts.php (resource + assignment endpoints + scope tags support).
Implement snapshot capture:
- ensure detectionScriptContent is preserved and treated like other scripts (safe display, encode/decode where needed)
Implement restore:
- sanitize payload via contract
- ensure detectionScriptContent is encoded as expected by Graph
- apply assignments via assign action
Add normalizer and targeted tests.

Restore mode: default enabled (risk: medium-high) because tenant recovery often depends on these scripts.
Use the existing script content display rules (TENANTPILOT_SHOW_SCRIPT_CONTENT, max chars).