TenantAtlas/Agents.md

TenantPilot - Agent Guidelines

Context

TenantPilot is an Intune Management application built with Laravel and Filament. It re-implements and extends key features inspired by the IntuneManagement project, with a focus on admin productivity, safe change management, and auditability.

This repo uses GitHub Spec Kit. Primary spec artifacts live in .specify/.

Sail-first for local development. Dokploy-first for staging/production.

Product Goals

• Provide Intune policy version control (diff, history, rollback).
• Enable reliable backup and restore of Intune configurations.
• Extend Intune with admin-focused features that improve visibility, safety, and velocity.
• Prioritize auditability, least privilege, and predictable operations.

Scope Reference

When designing or implementing features, align with:

• Policy inventory & metadata normalization
• Change tracking and version snapshots
• Safe restore flows (dry-run, validation, partial restore)
• Reporting, dashboards, and operational insights
• Tenant-scoped RBAC and audit logs

Workflow (Spec Kit)

1. Read .specify/constitution.md
2. For new work: create/update .specify/spec.md
3. Produce .specify/plan.md
4. Break into .specify/tasks.md
5. Implement changes in small PRs

If requirements change during implementation, update spec/plan before continuing.

Architecture Assumptions

• Backend: Laravel (latest stable)
• Admin UI: Filament
• Auth: Microsoft identity integration (Entra ID/Azure AD) when applicable
• External API: Microsoft Graph for Intune

Do not assume additional services unless stated in spec.

---

DevOps & Environments

Local Development

• Local dev & testing use Laravel Sail (Docker).
• Prefer Sail commands when referencing setup or running tests.
• PostgreSQL is used locally via Sail.
• Drizzle is used locally for PostgreSQL tooling (e.g., schema inspection, dev workflows) if configured in the repo.

Repository

• Repository is hosted on Gitea.
• Do not assume GitHub-specific features (Actions, GH-specific PR automation) unless explicitly added.
• CI suggestions should be compatible with Gitea pipelines or external CI runners.

Deployment

• Deployed via Dokploy on a VPS.
• Two environments:
  • Staging
  • Production
• Assume container-based deployments.
• Changes that affect runtime must consider:
  • environment variables
  • database migrations
  • queue/cron workers
  • storage persistence/volumes
  • reverse proxy/SSL likely handled by Dokploy

Release & Promotion Rules

• Staging is the mandatory validation gate for Production.
• Prefer:
  • feature flags for risky admin operations
  • staged rollout for backup/restore/versioning changes
• Schema changes must be validated on Staging before Production.

Release Safety

• For schema changes:
  • provide safe, incremental migrations
  • avoid long locks
  • document rollback/forward steps
• For Intune-critical flows:
  • prefer dry-run/preview
  • require explicit confirmation
  • ensure audit logs

---

Data Layer

• Database: PostgreSQL
• Prefer JSONB to store raw Graph policy snapshots and backup payloads.
• Add appropriate indexes (e.g., GIN on JSONB where search/filter is expected).
• Migrations must be reversible where possible.

Versioning Storage Strategy

• Store immutable policy snapshots.
• Track metadata separately (tenant, policy type, platform, created_by, created_at).
• Prefer full snapshots first for correctness and simplicity.
• Consider retention policies to prevent unbounded growth.

---

Engineering Rules

• PHP: follow PSR-12 conventions.
• Prefer Laravel best practices (Service classes, Jobs, Events, Policies).
• Keep Microsoft Graph integration isolated behind a dedicated abstraction layer.
• Use dependency injection and clear interfaces for Graph clients.
• No breaking changes to data structures or API contracts without updating:
  • .specify/spec.md
  • migration notes
  • upgrade steps
• If a TypeScript/JS tooling package exists, use strict typing rules there too.

Intune Data & Safety Rules

• Treat Intune resources as critical configuration.
• Every destructive action must support:
  • explicit confirmation UI
  • audit log entry
  • optional dry-run/preview mode if feasible
• Restore must be defensive:
  • validate inputs
  • detect conflicts
  • allow selective restore
  • show a clear pre-execution summary

Version Control Semantics

• A "version" should be reproducible and queryable:
  • what changed
  • when
  • by whom
  • source tenant/environment
• Provide diff outputs where possible:
  • human-readable summary
  • structured diff (JSON)

Observability & Audit

• Log Graph calls at a high-level (no secrets).
• Maintain an audit trail for:
  • backups created
  • restores executed/attempted
  • policy changes detected/imported
• Ensure logs are tenant-scoped and RBAC-respecting.

Security

• Enforce least privilege.
• Never store secrets in config or code.
• Use Laravel encrypted storage or secure secret management where applicable.
• Validate all tenant identifiers and Graph scopes.

---

Commands

Sail (preferred locally)

• ./vendor/bin/sail up -d
• ./vendor/bin/sail down
• ./vendor/bin/sail composer install
• ./vendor/bin/sail artisan migrate
• ./vendor/bin/sail artisan test
• ./vendor/bin/sail artisan (general)

Drizzle (local DB tooling, if configured)

• Use only for local/dev workflows.
• Prefer running via package scripts, e.g.:
  • pnpm drizzle:generate
  • pnpm drizzle:migrate
  • pnpm drizzle:studio

(Agents should confirm the exact script names in package.json before suggesting them.)

Non-Docker fallback (only if needed)

• composer install
• php artisan serve
• php artisan migrate
• php artisan test

Frontend/assets/tooling (if present)

• pnpm install
• pnpm dev
• pnpm test
• pnpm lint

---

Where to look first

• .specify/
• AGENTS.md
• README.md
• app/
• database/
• routes/
• resources/
• config/

---

Definition of Done

• Spec + Plan + Tasks aligned with implementation.
• Tests added/updated.
• UI includes clear admin-safe affordances for backup/restore/versioning.
• Audit logging implemented for sensitive flows.
• Documentation updated (README or in-app help).
• Deployment impact assessed for:
  • Staging
  • Production
  • migrations, env vars, queues

---

AI Usage Note

All AI agents must read:

• AGENTS.md
• .specify/*

before proposing or implementing changes.

Reference Materials

• PowerShell scripts from IntuneManagement are stored under /references/IntuneManagement-master for implementation guidance only.
• They must not be treated as production runtime dependencies.

===

=== foundation rules ===

Laravel Boost Guidelines

The Laravel Boost guidelines are specifically curated by Laravel maintainers for this application. These guidelines should be followed closely to enhance the user's satisfaction building Laravel applications.

Foundational Context

This application is a Laravel application and its main Laravel ecosystems package & versions are below. You are an expert with them all. Ensure you abide by these specific packages & versions.

• php - 8.4.15
• filament/filament (FILAMENT) - v4
• laravel/framework (LARAVEL) - v12
• laravel/prompts (PROMPTS) - v0
• livewire/livewire (LIVEWIRE) - v3
• laravel/mcp (MCP) - v0
• laravel/pint (PINT) - v1
• laravel/sail (SAIL) - v1
• pestphp/pest (PEST) - v4
• phpunit/phpunit (PHPUNIT) - v12
• tailwindcss (TAILWINDCSS) - v4

Conventions

• You must follow all existing code conventions used in this application. When creating or editing a file, check sibling files for the correct structure, approach, naming.
• Use descriptive names for variables and methods. For example, isRegisteredForDiscounts, not discount().
• Check for existing components to reuse before writing a new one.

Verification Scripts

• Do not create verification scripts or tinker when tests cover that functionality and prove it works. Unit and feature tests are more important.

Application Structure & Architecture

• Stick to existing directory structure - don't create new base folders without approval.
• Do not change the application's dependencies without approval.

Frontend Bundling

• If the user doesn't see a frontend change reflected in the UI, it could mean they need to run npm run build, npm run dev, or composer run dev. Ask them.

Replies

• Be concise in your explanations - focus on what's important rather than explaining obvious details.

Documentation Files

• You must only create documentation files if explicitly requested by the user.

=== boost rules ===

Laravel Boost

• Laravel Boost is an MCP server that comes with powerful tools designed specifically for this application. Use them.

Artisan

• Use the list-artisan-commands tool when you need to call an Artisan command to double check the available parameters.

URLs

• Whenever you share a project URL with the user you should use the get-absolute-url tool to ensure you're using the correct scheme, domain / IP, and port.

Tinker / Debugging

• You should use the tinker tool when you need to execute PHP to debug code or query Eloquent models directly.
• Use the database-query tool when you only need to read from the database.

Reading Browser Logs With the browser-logs Tool

• You can read browser logs, errors, and exceptions using the browser-logs tool from Boost.
• Only recent browser logs will be useful - ignore old logs.

Searching Documentation (Critically Important)

• Boost comes with a powerful search-docs tool you should use before any other approaches. This tool automatically passes a list of installed packages and their versions to the remote Boost API, so it returns only version-specific documentation specific for the user's circumstance. You should pass an array of packages to filter on if you know you need docs for particular packages.
• The 'search-docs' tool is perfect for all Laravel related packages, including Laravel, Inertia, Livewire, Filament, Tailwind, Pest, Nova, Nightwatch, etc.
• You must use this tool to search for Laravel-ecosystem documentation before falling back to other approaches.
• Search the documentation before making code changes to ensure we are taking the correct approach.
• Use multiple, broad, simple, topic based queries to start. For example: ['rate limiting', 'routing rate limiting', 'routing'].
• Do not add package names to queries - package information is already shared. For example, use test resource table, not filament 4 test resource table.

Available Search Syntax

• You can and should pass multiple queries at once. The most relevant results will be returned first.

1. Simple Word Searches with auto-stemming - query=authentication - finds 'authenticate' and 'auth'
2. Multiple Words (AND Logic) - query=rate limit - finds knowledge containing both "rate" AND "limit"
3. Quoted Phrases (Exact Position) - query="infinite scroll" - Words must be adjacent and in that order
4. Mixed Queries - query=middleware "rate limit" - "middleware" AND exact phrase "rate limit"
5. Multiple Queries - queries=["authentication", "middleware"] - ANY of these terms

=== php rules ===

PHP

• Always use curly braces for control structures, even if it has one line.

Constructors

• Use PHP 8 constructor property promotion in __construct().
  • public function __construct(public GitHub $github) { }
• Do not allow empty __construct() methods with zero parameters.

Type Declarations

• Always use explicit return type declarations for methods and functions.
• Use appropriate PHP type hints for method parameters.

protected function isAccessible(User $user, ?string $path = null): bool { ... }

Comments

• Prefer PHPDoc blocks over comments. Never use comments within the code itself unless there is something very complex going on.

PHPDoc Blocks

• Add useful array shape type definitions for arrays when appropriate.

Enums

• Typically, keys in an Enum should be TitleCase. For example: FavoritePerson, BestLake, Monthly.

=== tests rules ===

Test Enforcement

• Every change must be programmatically tested. Write a new test or update an existing test, then run the affected tests to make sure they pass.
• Run the minimum number of tests needed to ensure code quality and speed. Use php artisan test with a specific filename or filter.

=== laravel/core rules ===

Do Things the Laravel Way

• Use php artisan make: commands to create new files (i.e. migrations, controllers, models, etc.). You can list available Artisan commands using the list-artisan-commands tool.
• If you're creating a generic PHP class, use php artisan make:class.
• Pass --no-interaction to all Artisan commands to ensure they work without user input. You should also pass the correct --options to ensure correct behavior.

Database

• Always use proper Eloquent relationship methods with return type hints. Prefer relationship methods over raw queries or manual joins.
• Use Eloquent models and relationships before suggesting raw database queries
• Avoid DB::; prefer Model::query(). Generate code that leverages Laravel's ORM capabilities rather than bypassing them.
• Generate code that prevents N+1 query problems by using eager loading.
• Use Laravel's query builder for very complex database operations.

Model Creation

• When creating new models, create useful factories and seeders for them too. Ask the user if they need any other things, using list-artisan-commands to check the available options to php artisan make:model.

APIs & Eloquent Resources

• For APIs, default to using Eloquent API Resources and API versioning unless existing API routes do not, then you should follow existing application convention.

Controllers & Validation

• Always create Form Request classes for validation rather than inline validation in controllers. Include both validation rules and custom error messages.
• Check sibling Form Requests to see if the application uses array or string based validation rules.

Queues

• Use queued jobs for time-consuming operations with the ShouldQueue interface.

Authentication & Authorization

• Use Laravel's built-in authentication and authorization features (gates, policies, Sanctum, etc.).

URL Generation

• When generating links to other pages, prefer named routes and the route() function.

Configuration

• Use environment variables only in configuration files - never use the env() function directly outside of config files. Always use config('app.name'), not env('APP_NAME').

Testing

• When creating models for tests, use the factories for the models. Check if the factory has custom states that can be used before manually setting up the model.
• Faker: Use methods such as $this->faker->word() or fake()->randomDigit(). Follow existing conventions whether to use $this->faker or fake().
• When creating tests, make use of php artisan make:test [options] {name} to create a feature test, and pass --unit to create a unit test. Most tests should be feature tests.

Vite Error

• If you receive an "Illuminate\Foundation\ViteException: Unable to locate file in Vite manifest" error, you can run npm run build or ask the user to run npm run dev or composer run dev.

=== laravel/v12 rules ===

Laravel 12

• Use the search-docs tool to get version specific documentation.
• Since Laravel 11, Laravel has a new streamlined file structure which this project uses.

Laravel 12 Structure

• No middleware files in app/Http/Middleware/.
• bootstrap/app.php is the file to register middleware, exceptions, and routing files.
• bootstrap/providers.php contains application specific service providers.
• No app\Console\Kernel.php - use bootstrap/app.php or routes/console.php for console configuration.
• Commands auto-register - files in app/Console/Commands/ are automatically available and do not require manual registration.

Database

• When modifying a column, the migration must include all of the attributes that were previously defined on the column. Otherwise, they will be dropped and lost.
• Laravel 11 allows limiting eagerly loaded records natively, without external packages: $query->latest()->limit(10);.

Models

• Casts can and likely should be set in a casts() method on a model rather than the $casts property. Follow existing conventions from other models.

=== livewire/core rules ===

Livewire Core

• Use the search-docs tool to find exact version specific documentation for how to write Livewire & Livewire tests.
• Use the php artisan make:livewire [Posts\CreatePost] artisan command to create new components
• State should live on the server, with the UI reflecting it.
• All Livewire requests hit the Laravel backend, they're like regular HTTP requests. Always validate form data, and run authorization checks in Livewire actions.

Livewire Best Practices

• Livewire components require a single root element.

• Use wire:loading and wire:dirty for delightful loading states.

• Add wire:key in loops:

  @foreach ($items as $item)
      <div wire:key="item-{{ $item->id }}">
          {{ $item->name }}
      </div>
  @endforeach
  

• Prefer lifecycle hooks like mount(), updatedFoo() for initialization and reactive side effects:

public function mount(User $user) { $this->user = $user; } public function updatedSearch() { $this->resetPage(); }

Testing Livewire

Livewire::test(Counter::class) ->assertSet('count', 0) ->call('increment') ->assertSet('count', 1) ->assertSee(1) ->assertStatus(200);

<code-snippet name="Testing a Livewire component exists within a page" lang="php">
    $this->get('/posts/create')
    ->assertSeeLivewire(CreatePost::class);
</code-snippet>

=== livewire/v3 rules ===

Livewire 3

Key Changes From Livewire 2

• These things changed in Livewire 2, but may not have been updated in this application. Verify this application's setup to ensure you conform with application conventions.
  • Use wire:model.live for real-time updates, wire:model is now deferred by default.
  • Components now use the App\Livewire namespace (not App\Http\Livewire).
  • Use $this->dispatch() to dispatch events (not emit or dispatchBrowserEvent).
  • Use the components.layouts.app view as the typical layout path (not layouts.app).

New Directives

• wire:show, wire:transition, wire:cloak, wire:offline, wire:target are available for use. Use the documentation to find usage examples.

Alpine

• Alpine is now included with Livewire, don't manually include Alpine.js.
• Plugins included with Alpine: persist, intersect, collapse, and focus.

Lifecycle Hooks

• You can listen for livewire:init to hook into Livewire initialization, and fail.status === 419 for the page expiring:

document.addEventListener('livewire:init', function () { Livewire.hook('request', ({ fail }) => { if (fail && fail.status === 419) { alert('Your session expired'); } });

Livewire.hook('message.failed', (message, component) => {
    console.error(message);
});

});

=== pint/core rules ===

Laravel Pint Code Formatter

• You must run vendor/bin/pint --dirty before finalizing changes to ensure your code matches the project's expected style.
• Do not run vendor/bin/pint --test, simply run vendor/bin/pint to fix any formatting issues.

=== pest/core rules ===

Pest

Testing

• If you need to verify a feature is working, write or update a Unit / Feature test.

Pest Tests

• All tests must be written using Pest. Use php artisan make:test --pest {name}.
• You must not remove any tests or test files from the tests directory without approval. These are not temporary or helper files - these are core to the application.
• Tests should test all of the happy paths, failure paths, and weird paths.
• Tests live in the tests/Feature and tests/Unit directories.
• Pest tests look and behave like this: it('is true', function () { expect(true)->toBeTrue(); });

Running Tests

• Run the minimal number of tests using an appropriate filter before finalizing code edits.
• To run all tests: php artisan test.
• To run all tests in a file: php artisan test tests/Feature/ExampleTest.php.
• To filter on a particular test name: php artisan test --filter=testName (recommended after making a change to a related file).
• When the tests relating to your changes are passing, ask the user if they would like to run the entire test suite to ensure everything is still passing.

Pest Assertions

• When asserting status codes on a response, use the specific method like assertForbidden and assertNotFound instead of using assertStatus(403) or similar, e.g.: it('returns all', function () { $response = $this->postJson('/api/docs', []);

  $response->assertSuccessful(); });

Mocking

• Mocking can be very helpful when appropriate.
• When mocking, you can use the Pest\Laravel\mock Pest function, but always import it via use function Pest\Laravel\mock; before using it. Alternatively, you can use $this->mock() if existing tests do.
• You can also create partial mocks using the same import or self method.

Datasets

• Use datasets in Pest to simplify tests which have a lot of duplicated data. This is often the case when testing validation rules, so consider going with this solution when writing tests for validation rules.

it('has emails', function (string $email) { expect($email)->not->toBeEmpty(); })->with([ 'james' => 'james@laravel.com', 'taylor' => 'taylor@laravel.com', ]);

=== pest/v4 rules ===

Pest 4

• Pest v4 is a huge upgrade to Pest and offers: browser testing, smoke testing, visual regression testing, test sharding, and faster type coverage.
• Browser testing is incredibly powerful and useful for this project.
• Browser tests should live in tests/Browser/.
• Use the search-docs tool for detailed guidance on utilizing these features.

Browser Testing

• You can use Laravel features like Event::fake(), assertAuthenticated(), and model factories within Pest v4 browser tests, as well as RefreshDatabase (when needed) to ensure a clean state for each test.
• Interact with the page (click, type, scroll, select, submit, drag-and-drop, touch gestures, etc.) when appropriate to complete the test.
• If requested, test on multiple browsers (Chrome, Firefox, Safari).
• If requested, test on different devices and viewports (like iPhone 14 Pro, tablets, or custom breakpoints).
• Switch color schemes (light/dark mode) when appropriate.
• Take screenshots or pause tests for debugging when appropriate.

Example Tests

it('may reset the password', function () { Notification::fake();

$this->actingAs(User::factory()->create());

$page = visit('/sign-in'); // Visit on a real browser...

$page->assertSee('Sign In')
    ->assertNoJavascriptErrors() // or ->assertNoConsoleLogs()
    ->click('Forgot Password?')
    ->fill('email', 'nuno@laravel.com')
    ->click('Send Reset Link')
    ->assertSee('We have emailed your password reset link!')

Notification::assertSent(ResetPassword::class);

});

$pages = visit(['/', '/about', '/contact']);

$pages->assertNoJavascriptErrors()->assertNoConsoleLogs();

=== tailwindcss/core rules ===

Tailwind Core

• Use Tailwind CSS classes to style HTML, check and use existing tailwind conventions within the project before writing your own.
• Offer to extract repeated patterns into components that match the project's conventions (i.e. Blade, JSX, Vue, etc..)
• Think through class placement, order, priority, and defaults - remove redundant classes, add classes to parent or child carefully to limit repetition, group elements logically
• You can use the search-docs tool to get exact examples from the official documentation when needed.

Spacing

• When listing items, use gap utilities for spacing, don't use margins.

  Superior

  Michigan

  Erie

Dark Mode

• If existing pages and components support dark mode, new pages and components must support dark mode in a similar way, typically using dark:.

=== tailwindcss/v4 rules ===

Tailwind 4

• Always use Tailwind CSS v4 - do not use the deprecated utilities.

• corePlugins is not supported in Tailwind v4.

• In Tailwind v4, configuration is CSS-first using the @theme directive — no separate tailwind.config.js file is needed. @theme { --color-brand: oklch(0.72 0.11 178); }

• In Tailwind v4, you import Tailwind using a regular CSS @import statement, not using the @tailwind directives used in v3:

- @tailwind base; - @tailwind components; - @tailwind utilities; + @import "tailwindcss";

Replaced Utilities

• Tailwind v4 removed deprecated utilities. Do not use the deprecated option - use the replacement.
• Opacity values are still numeric.

| Deprecated | Replacement | |------------+--------------| | bg-opacity-* | bg-black/* | | text-opacity-* | text-black/* | | border-opacity-* | border-black/* | | divide-opacity-* | divide-black/* | | ring-opacity-* | ring-black/* | | placeholder-opacity-* | placeholder-black/* | | flex-shrink-* | shrink-* | | flex-grow-* | grow-* | | overflow-ellipsis | text-ellipsis | | decoration-slice | box-decoration-slice | | decoration-clone | box-decoration-clone |