TenantAtlas/specs/006-sot-foundations-assignments/tasks.md

# Tasks: SoT Foundations & Assignments (006)

**Branch**: `feat/006-sot-foundations-assignments` | **Date**: 2025-12-25  
**Input**: [spec.md](./spec.md), [plan.md](./plan.md), [data-model.md](./data-model.md), [research.md](./research.md), [contracts](./contracts/)

## Task Format

- **Checkbox**: `- [ ]` for incomplete, `- [x]` for complete
- **Task ID**: Sequential T001, T002, T003...
- **[P] marker**: Task can run in parallel (different files, no blocking dependencies)
- **[Story] label**: User story tag (US1, US2, US3...)
- **File path**: Always include exact file path in description

## Phase 1: Foundation Registry and Permissions

**Purpose**: Define foundation object types and ensure Graph contracts and permissions exist.

- [ ] T001 [P] Add foundation type registry in `config/tenantpilot.php` (assignmentFilter, roleScopeTag, notificationMessageTemplate) with label/category/backup/restore/risk metadata.
- [ ] T002 [P] Extend `config/graph_contracts.php` with foundation contracts (resource, create/update methods, id_field, allowed_select, type_family).
- [ ] T003 [P] Extend `config/intune_permissions.php` to include foundation permissions (DeviceManagementRBAC.ReadWrite.All and any missing read/write scopes for filters/templates).
- [ ] T004 Update type metadata helpers to include foundation types in `app/Filament/Resources/BackupSetResource.php`, `app/Filament/Resources/BackupSetResource/RelationManagers/BackupItemsRelationManager.php`, and `app/Filament/Resources/RestoreRunResource.php`.

**Checkpoint**: Foundation types and permissions defined and discoverable by UI helpers.

---

## Phase 2: Foundations Backup Capture

**Purpose**: Capture assignment filters, scope tags, and notification templates into backup sets.

- [ ] T005 Create `app/Services/Intune/FoundationSnapshotService.php` to list and fetch foundation objects with Graph paging, normalized metadata, and fail-soft behavior.
- [ ] T006 Extend `app/Services/Intune/BackupService.php` to capture foundation snapshots into `backup_items` (policy_id null, policy_type set, policy_identifier = source id, metadata includes displayName).
- [ ] T007 Add a UI action/toggle to include foundations when adding to a backup set in `app/Filament/Resources/BackupSetResource/RelationManagers/BackupItemsRelationManager.php`.
- [ ] T008 Add foundation display helpers on `app/Models/BackupItem.php` (e.g., isFoundation, foundationDisplayName) and use them in `BackupItemsRelationManager`.

**Checkpoint**: Foundations can be captured and displayed alongside policy backup items.

---

## Phase 3: Foundations Restore and Mapping

**Purpose**: Restore foundations first and persist deterministic old to new mappings.

- [ ] T009 Create `app/Services/Intune/FoundationMappingService.php` to match by displayName, handle collisions, and emit report entries matching `contracts/restore-mapping-report.schema.json`.
- [ ] T010 Extend `app/Services/Intune/RestoreService.php` to run foundation restore first, build preview mapping (dry-run), and persist mapping results in `restore_runs.preview` and `restore_runs.results`.
- [ ] T011 Add audit events for foundation mapping decisions and failures in `app/Services/Intune/AuditLogger.php`.
- [ ] T012 Render foundation mapping in restore UI views: `resources/views/filament/infolists/entries/restore-preview.blade.php` and `resources/views/filament/infolists/entries/restore-results.blade.php`.

**Checkpoint**: Restore preview and execute include a foundation mapping section with deterministic decisions.

---

## Phase 4: Assignment-Aware Restore

**Purpose**: Apply assignments only when foundation mappings exist and record clear skip reasons.

- [ ] T013 Extend `app/Services/AssignmentRestoreService.php` to map assignment filter IDs and scope tag IDs via the foundation mapping; skip and record reasons when mappings are missing.
- [ ] T014 Update `app/Services/Intune/RestoreService.php` to pass foundation mappings into assignment restore and include decision summaries in results.
- [ ] T015 Add mapping context to assignment audit logs in `app/Services/Intune/AuditLogger.php`.

**Checkpoint**: Assignments are applied safely with explicit skip reasons and audit coverage.

---

## Phase 5: Conditional Access Preview-Only Enforcement

**Purpose**: Keep CA restore preview-only even in execute mode.

- [ ] T016 Update `app/Services/Intune/RestoreService.php` to prevent CA execution (status skipped, reason preview_only) while keeping preview output.
- [ ] T017 Update restore UI to surface CA preview-only status in `resources/views/filament/infolists/entries/restore-preview.blade.php` and `resources/views/filament/infolists/entries/restore-results.blade.php`.

**Checkpoint**: CA items never execute; preview clearly signals preview-only.

---

## Phase 6: Tests and Verification

**Purpose**: Ensure all new behavior is covered by Pest tests and formatting is clean.

- [ ] T018 [P] Add unit tests for FoundationMappingService in `tests/Unit/FoundationMappingServiceTest.php`.
- [ ] T019 [P] Add unit tests for FoundationSnapshotService in `tests/Unit/FoundationSnapshotServiceTest.php`.
- [ ] T020 Add feature tests for foundations backup/restore preview and execute in `tests/Feature/Filament/FoundationRestoreTest.php`.
- [ ] T021 Add feature tests for assignment mapping and skip reasons in `tests/Feature/Filament/AssignmentRestoreMappingTest.php`.
- [ ] T022 Add feature test for CA preview-only execution behavior in `tests/Feature/Filament/ConditionalAccessPreviewOnlyTest.php`.
- [ ] T023 Run tests: `./vendor/bin/sail artisan test tests/Feature/Filament/FoundationRestoreTest.php tests/Feature/Filament/AssignmentRestoreMappingTest.php tests/Feature/Filament/ConditionalAccessPreviewOnlyTest.php`
- [ ] T024 Run Pint: `./vendor/bin/pint --dirty`

**Checkpoint**: Tests pass and formatting is clean.