ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
d9db054bfd
TenantAtlas/.specify/memory/constitution.md
ahmido 69d98e925c feat/018-driver-updates-wufb (#27) 
Tenants: Tenant anlegen/öffnen → tenant_id, app_client_id, app_client_secret setzen → Make current (wichtig).
Inventory → Policies: oben Sync from Intune.
In der Tabelle nach Type = “Driver Updates (Windows)” (windowsDriverUpdateProfile) filtern und Policy öffnen.
Auf der Policy: Settings-Tab prüfen (Block „Driver Update Profile“), dann Capture snapshot klicken und unter Versions die Version ansehen.
Restore-Test (nur im Test-Tenant!): Version öffnen → Restore to Intune erst als Dry-run, dann Execute; danach unter Backups & Restore → Restore Runs Ergebnis prüfen (soll graph_path mit deviceManagement/windowsDriverUpdateProfiles/... zeigen).

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@adsmac.local>
Reviewed-on: #27
2026-01-04 00:38:54 +00:00

1.9 KiB
Raw Blame History

TenantPilot Constitution

Core Principles

Safety-First Restore

  • Any destructive action MUST support preview/dry-run, explicit confirmation, and a clear pre-execution summary.
  • High-risk policy types default to preview-only restore unless explicitly enabled by a feature spec + tests + checklist.
  • Restore must be defensive: validate inputs, detect conflicts, allow selective restore, and record outcomes per item.

Auditability & Tenant Isolation

  • Every operation is tenant-scoped and MUST write an audit log entry (no secrets, no tokens).
  • Snapshots are immutable JSONB and MUST remain reproducible (who/when/what/source tenant).

Graph Abstraction & Contracts

  • All Microsoft Graph calls MUST go through GraphClientInterface.
  • Contract assumptions are config-driven (config/graph_contracts.php); do not hardcode endpoints in feature code.
  • Unknown/missing policy types MUST fail safe (preview-only / no Graph calls) rather than calling deviceManagement/{type}.

Least Privilege

  • Prefer least-privilege roles/scopes; surface warnings when higher privileges are selected.
  • Never store secrets in code/config; never log credentials or tokens.

Spec-First Workflow

  • For any feature that changes runtime behavior, include or update specs/<NNN>-<slug>/ with spec.md, plan.md, tasks.md, and checklists/requirements.md.
  • New work branches from dev using feat/<NNN>-<slug> (spec + code in the same PR).

Quality Gates

  • Changes MUST be programmatically tested (Pest) and run via targeted php artisan test ....
  • Run ./vendor/bin/pint --dirty before finalizing.

Governance

  • This constitution applies across the repo. Feature specs may add stricter constraints but not weaker ones.
  • Restore semantics changes require: spec update, checklist update, and tests proving safety.

Version: 1.0.0 | Ratified: 2026-01-03 | Last Amended: 2026-01-03