ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
6a2fe91547
TenantAtlas/specs/006-sot-foundations-assignments/tasks.md
ahmido d2dbc52a32 feat(006): foundations + assignment mapping and preview-only restore guard (#7) 
## Summary
- Capture and restore foundation types (assignment filters, scope tags, notification templates) with deterministic mapping.
- Apply foundation mappings during restore (scope tags on policy payloads, assignment filter mapping with skip reasons).
- Improve restore run UX (item selection, rerun action, preview-only badges).
- Enforce preview-only policy types (e.g. Conditional Access) during execution.

## Testing
- ./vendor/bin/sail artisan test tests/Feature/Filament/ConditionalAccessPreviewOnlyTest.php

## Notes
- Specs/plan/tasks updated under specs/006-sot-foundations-assignments.
- No migrations.

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@adsmac.local>
Reviewed-on: #7
2025-12-26 23:44:31 +00:00

99 lines
6.8 KiB
Markdown
Raw Blame History

# Tasks: SoT Foundations & Assignments (006)
**Branch**: `feat/006-sot-foundations-assignments` | **Date**: 2025-12-25
**Input**: [spec.md](./spec.md), [plan.md](./plan.md), [data-model.md](./data-model.md), [research.md](./research.md), [contracts](./contracts/)
## Task Format
- **Checkbox**: `- [ ]` for incomplete, `- [x]` for complete
- **Task ID**: Sequential T001, T002, T003...
- **[P] marker**: Task can run in parallel (different files, no blocking dependencies)
- **[Story] label**: User story tag (US1, US2, US3...)
- **File path**: Always include exact file path in description
## Phase 1: Foundation Registry and Permissions
**Purpose**: Define foundation object types and ensure Graph contracts and permissions exist.
- [x] T001 [P] Add foundation type registry in `config/tenantpilot.php` (assignmentFilter, roleScopeTag, notificationMessageTemplate) with label/category/backup/restore/risk metadata.
- [x] T002 [P] Extend `config/graph_contracts.php` with foundation contracts (resource, create/update methods, id_field, allowed_select, type_family).
- [x] T003 [P] Extend `config/intune_permissions.php` to include foundation permissions (DeviceManagementRBAC.ReadWrite.All and any missing read/write scopes for filters/templates).
- [x] T004 Update type metadata helpers to include foundation types in `app/Filament/Resources/BackupSetResource.php`, `app/Filament/Resources/BackupSetResource/RelationManagers/BackupItemsRelationManager.php`, and `app/Filament/Resources/RestoreRunResource.php`.
**Checkpoint**: Foundation types and permissions defined and discoverable by UI helpers.
---
## Phase 2: Foundations Backup Capture
**Purpose**: Capture assignment filters, scope tags, and notification templates into backup sets.
- [x] T005 Create `app/Services/Intune/FoundationSnapshotService.php` to list and fetch foundation objects with Graph paging, normalized metadata, and fail-soft behavior.
- [x] T006 Extend `app/Services/Intune/BackupService.php` to capture foundation snapshots into `backup_items` (policy_id null, policy_type set, policy_identifier = source id, metadata includes displayName).
- [x] T007 Add a UI action/toggle to include foundations when adding to a backup set in `app/Filament/Resources/BackupSetResource/RelationManagers/BackupItemsRelationManager.php`.
- [x] T008 Add foundation display helpers on `app/Models/BackupItem.php` (e.g., isFoundation, foundationDisplayName) and use them in `BackupItemsRelationManager`.
**Checkpoint**: Foundations can be captured and displayed alongside policy backup items.
---
## Phase 3: Foundations Restore and Mapping
**Purpose**: Restore foundations first and persist deterministic old to new mappings.
- [x] T009 Create `app/Services/Intune/FoundationMappingService.php` to match by displayName, handle collisions, and emit report entries matching `contracts/restore-mapping-report.schema.json`.
- [x] T010 Extend `app/Services/Intune/RestoreService.php` to run foundation restore first, build preview mapping (dry-run), and persist mapping results in `restore_runs.preview` and `restore_runs.results`.
- [x] T011 Add audit events for foundation mapping decisions and failures in `app/Services/Intune/RestoreService.php`.
- [x] T012 Render foundation mapping in restore UI views: `resources/views/filament/infolists/entries/restore-preview.blade.php` and `resources/views/filament/infolists/entries/restore-results.blade.php`.
**Checkpoint**: Restore preview and execute include a foundation mapping section with deterministic decisions.
---
## Phase 4: Assignment-Aware Restore
**Purpose**: Apply assignments only when foundation mappings exist and record clear skip reasons.
- [x] T013 Extend `app/Services/AssignmentRestoreService.php` to map assignment filter IDs via the foundation mapping; skip and record reasons when mappings are missing.
- [x] T014 Update `app/Services/Intune/RestoreService.php` to pass foundation mappings into assignment restore and apply scope tag mapping when restoring policies.
- [x] T015 Add mapping context to assignment audit logs in `app/Services/AssignmentRestoreService.php`.
**Checkpoint**: Assignments are applied safely with explicit skip reasons and audit coverage.
---
## Phase 5: Conditional Access Preview-Only Enforcement
**Purpose**: Keep CA restore preview-only even in execute mode.
- [x] T016 Update `app/Services/Intune/RestoreService.php` to prevent CA execution (status skipped, reason preview_only) while keeping preview output.
- [x] T017 Update restore UI to surface CA preview-only status in `resources/views/filament/infolists/entries/restore-preview.blade.php` and `resources/views/filament/infolists/entries/restore-results.blade.php`.
**Checkpoint**: CA items never execute; preview clearly signals preview-only.
---
## Phase 6: Tests and Verification
**Purpose**: Ensure all new behavior is covered by Pest tests and formatting is clean.
- [x] T018 [P] Add unit tests for FoundationMappingService in `tests/Unit/FoundationMappingServiceTest.php`.
- [x] T019 [P] Add unit tests for FoundationSnapshotService in `tests/Unit/FoundationSnapshotServiceTest.php`.
- [x] T020 Add feature tests for foundations backup/restore preview and execute in `tests/Feature/FoundationBackupTest.php`, `tests/Feature/Filament/RestorePreviewTest.php`, `tests/Feature/Filament/RestoreExecutionTest.php`, `tests/Feature/RestoreScopeTagMappingTest.php`.
- [x] T021 Add feature tests for assignment mapping and skip reasons in `tests/Feature/RestoreAssignmentApplicationTest.php`.
- [x] T022 Add feature test for CA preview-only execution behavior in `tests/Feature/Filament/ConditionalAccessPreviewOnlyTest.php`.
- [x] T023 Run tests: `./vendor/bin/sail artisan test tests/Unit/FoundationSnapshotServiceTest.php tests/Unit/FoundationMappingServiceTest.php tests/Unit/TenantPermissionServiceTest.php tests/Feature/FoundationBackupTest.php tests/Feature/Filament/RestoreExecutionTest.php tests/Feature/Filament/RestorePreviewTest.php tests/Feature/Filament/RestoreItemSelectionTest.php tests/Feature/RestoreAssignmentApplicationTest.php tests/Feature/RestoreScopeTagMappingTest.php tests/Feature/RestoreRunRerunTest.php`
- [x] T024 Run Pint: `./vendor/bin/pint --dirty`
---
## Phase 7: Admin UX and Safety
**Purpose**: Improve admin clarity and safe reruns for restore flows.
- [x] T025 Update tenant permission display to ignore configured stub grants in `app/Services/Intune/TenantPermissionService.php` and `app/Filament/Resources/TenantResource.php`, plus tests in `tests/Unit/TenantPermissionServiceTest.php`.
- [x] T026 Improve restore item selection UX (searchable list, descriptions, hint) in `app/Filament/Resources/RestoreRunResource.php` with coverage in `tests/Feature/Filament/RestoreItemSelectionTest.php`.
- [x] T027 Add restore run rerun action and coverage in `app/Filament/Resources/RestoreRunResource.php` and `tests/Feature/RestoreRunRerunTest.php`.
**Checkpoint**: Tests pass and formatting is clean.
Reference in New Issue View Git Blame Copy Permalink