1.9 KiB
1.9 KiB
TenantPilot Constitution
Core Principles
Safety-First Restore
- Any destructive action MUST support preview/dry-run, explicit confirmation, and a clear pre-execution summary.
- High-risk policy types default to
preview-onlyrestore unless explicitly enabled by a feature spec + tests + checklist. - Restore must be defensive: validate inputs, detect conflicts, allow selective restore, and record outcomes per item.
Auditability & Tenant Isolation
- Every operation is tenant-scoped and MUST write an audit log entry (no secrets, no tokens).
- Snapshots are immutable JSONB and MUST remain reproducible (who/when/what/source tenant).
Graph Abstraction & Contracts
- All Microsoft Graph calls MUST go through
GraphClientInterface. - Contract assumptions are config-driven (
config/graph_contracts.php); do not hardcode endpoints in feature code. - Unknown/missing policy types MUST fail safe (preview-only / no Graph calls) rather than calling
deviceManagement/{type}.
Least Privilege
- Prefer least-privilege roles/scopes; surface warnings when higher privileges are selected.
- Never store secrets in code/config; never log credentials or tokens.
Spec-First Workflow
- For any feature that changes runtime behavior, include or update
specs/<NNN>-<slug>/withspec.md,plan.md,tasks.md, andchecklists/requirements.md. - New work branches from
devusingfeat/<NNN>-<slug>(spec + code in the same PR).
Quality Gates
- Changes MUST be programmatically tested (Pest) and run via targeted
php artisan test .... - Run
./vendor/bin/pint --dirtybefore finalizing.
Governance
- This constitution applies across the repo. Feature specs may add stricter constraints but not weaker ones.
- Restore semantics changes require: spec update, checklist update, and tests proving safety.
Version: 1.0.0 | Ratified: 2026-01-03 | Last Amended: 2026-01-03