ahmido/tenantpilot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: ahmido:main
Branches Tags
ahmido:main
ahmido:development
ahmido:feature/005-worker-scaffold
ahmido:003-policy-explorer-ux
ahmido:001-global-policy-search
..
compare: ahmido:001-global-policy-search
Branches Tags
ahmido:development
ahmido:main
ahmido:feature/005-worker-scaffold
ahmido:003-policy-explorer-ux
ahmido:001-global-policy-search

No commits in common. "main" and "001-global-policy-search" have entirely different histories.
main ... 001-global

106 changed files with 322 additions and 13796 deletions
Show Stats Expand all files Collapse all files

16
.dockerignore
View File

@ -1,16 +0,0 @@
node_modules
.git
Dockerfile*
docker-compose*.yml
*.log
.env
.env*
coverage
dist
.next
.vscode
.idea
*.pem
# Ignore local Docker config
docker-compose.override.yml

5
.eslintignore
View File

@ -1,5 +0,0 @@
node_modules/
dist/
build/
coverage/
*.min.js

46
.github/pr_descriptions/feature-005-worker-scaffold.md vendored
View File

@ -1,46 +0,0 @@
Beschreibung
-----------
Dieser PR entfernt die Abhängigkeit zu n8n und implementiert ein Code-First Backend.
Infrastructure
--------------
- Redis Integration & BullMQ Queue Setup.
Worker
------
- Neuer Background-Worker in `worker/index.ts` (BullMQ `Worker`, concurrency: 1).
Logic
-----
- Portierung der Policy-Parsing-Logik (Settings Catalog, OMA-URI) nach TypeScript.
- Graph-Integration (Token-Acquisition, paginierte Fetches) und Retry/Rate-Limit-Handling.
Cleanup
-------
- Entfernung der alten n8n-API-Endpunkte und Secrets (`app/api/policy-settings/route.ts`, `app/api/admin/tenants/route.ts`, env-variablen entfernt).
Frontend
--------
- Der "Sync Now" Button triggert jetzt direkt einen BullMQ-Job (Queue: `intune-sync-queue`).
Deployment / Dokploy
--------------------
- In Dokploy existiert jetzt eine Anwendung `tenantpilot-worker` (`tenantpilot-tenantpilotworker-jomlss`) die auf den Gitea `development` Branch zeigt.
Testing & Notes
---------------
- Smoke scripts added: `scripts/test-queue-connection.js`, `scripts/test-graph-connection.ts`, `scripts/check-worker-health.js`.
- Health endpoint: `app/api/worker-health/route.ts` reports queue counts.
Weitere Hinweise
----------------
- Falls Sie die PR-Beschreibung noch anpassen möchten: kopieren Sie den Inhalt dieser Datei und fügen Sie ihn in das PR-Formular ein (remote PR URL wurde nach dem Push in der Push-Ausgabe angegeben).

32
.github/workflows/deploy.yml vendored
View File

@ -3,7 +3,7 @@ name: Trigger Cloudarix Deploy
on:
push:
branches:
- development
- main
workflow_dispatch:
jobs:
@ -17,31 +17,5 @@ jobs:
curl -X POST \
-H "X-Gitea-Event: Push Hook" \
-H "Content-Type: application/json" \
-d '{"ref": "refs/heads/development"}' \
https://system.cloudarix.de/api/deploy/ph8pjvF1mWZUrjBDql-eE
- name: Trigger tenantpilot-worker via same deploy webhook (worker signal)
run: |
curl -X POST \
-H "X-Gitea-Event: Push Hook" \
-H "Content-Type: application/json" \
-d '{"ref": "refs/heads/development", "app": "tenantpilot-worker"}' \
https://system.cloudarix.de/api/deploy/ph8pjvF1mWZUrjBDql-eE
- name: Trigger worker-specific deploy webhook (if provided)
if: ${{ secrets.CLOUDARIX_WORKER_DEPLOY_WEBHOOK }}
env:
WEBHOOK_URL: ${{ secrets.CLOUDARIX_WORKER_DEPLOY_WEBHOOK }}
run: |
curl -X POST \
-H "X-Gitea-Event: Push Hook" \
-H "Content-Type: application/json" \
-d '{"ref": "refs/heads/development"}' "$WEBHOOK_URL"
- name: Trigger worker-specific deploy webhook (direct)
run: |
curl -X POST \
-H "X-Gitea-Event: Push Hook" \
-H "Content-Type: application/json" \
-d '{"ref": "refs/heads/development"}' \
https://system.cloudarix.de/api/deploy/H6z3uGPGM1VgZelwaB9wk
-d '{"ref": "refs/heads/main"}' \
https://system.cloudarix.de/api/deploy/compose/_l_ePUdFazL1iMsPkhopQ

5
.gitignore vendored
View File

@ -39,8 +39,3 @@ yarn-error.log*
# typescript
*.tsbuildinfo
next-env.d.ts
# IDE settings
.vscode/
.idea/
/reference/IntuneManagement-master

10
.npmignore
View File

@ -1,10 +0,0 @@
node_modules/
src/
tests/
coverage/
Dockerfile
docker-compose*.yml
.env*
.vscode/
.idea/
*.pem

7
.prettierignore
View File

@ -1,7 +0,0 @@
node_modules/
dist/
build/
coverage/
package-lock.json
yarn.lock
pnpm-lock.yaml

6
README.md
View File

@ -12,12 +12,6 @@ This project follows strict architectural principles defined in our [Constitutio
- **UI**: Shadcn UI components with Tailwind CSS
- **Auth**: Azure AD multi-tenant authentication
## Documentation
- **[Intune Reverse Engineering Guide](docs/architecture/intune-migration-guide.md)**: Process for implementing Intune sync features using PowerShell reference
- **[PowerShell Reference Version](docs/architecture/intune-reference-version.md)**: Track PowerShell reference versions used for implementations
- **[Constitution](.specify/memory/constitution.md)**: Core architectural principles and development rules
## Getting Started
First, install dependencies:

37
app/(app)/search/PolicyExplorerClient.tsx
View File

@ -1,37 +0,0 @@
'use client';
import { useState } from 'react';
import { PolicySearchContainer } from '@/components/policy-explorer/PolicySearchContainer';
import { PolicyDetailSheet } from '@/components/policy-explorer/PolicyDetailSheet';
import type { PolicySettingSearchResult } from '@/lib/actions/policySettings';
interface PolicyExplorerClientProps {
initialPolicies: PolicySettingSearchResult[];
}
export function PolicyExplorerClient({
initialPolicies,
}: PolicyExplorerClientProps) {
const [selectedPolicy, setSelectedPolicy] = useState<PolicySettingSearchResult | null>(null);
const [sheetOpen, setSheetOpen] = useState(false);
const handlePolicyClick = (policy: PolicySettingSearchResult) => {
setSelectedPolicy(policy);
setSheetOpen(true);
};
return (
<>
<PolicySearchContainer
initialPolicies={initialPolicies}
onPolicyClick={handlePolicyClick}
/>
<PolicyDetailSheet
policy={selectedPolicy}
open={sheetOpen}
onOpenChange={setSheetOpen}
/>
</>
);
}

179
app/(app)/search/PolicyExplorerV2Client.tsx
View File

@ -1,179 +0,0 @@
/**
* PolicyExplorerV2Client
*
* Client component wrapper for Policy Explorer V2.
* Manages state, fetches data via Server Actions, and orchestrates all subcomponents.
*
* This component:
* - Uses useURLState for pagination, sorting, filtering
* - Uses useTablePreferences for localStorage persistence
* - Uses usePolicyTable for TanStack Table integration
* - Fetches data via getPolicySettingsV2 Server Action
* - Renders PolicyTableToolbar, PolicyTableV2, PolicyTablePagination
*/
'use client';
import { useEffect, useState, useCallback } from 'react';
import { useURLState } from '@/lib/hooks/useURLState';
import { useTablePreferences } from '@/lib/hooks/useTablePreferences';
import { usePolicyTable } from '@/lib/hooks/usePolicyTable';
import { PolicyTableV2 } from '@/components/policy-explorer/PolicyTableV2';
import { PolicyTableToolbar } from '@/components/policy-explorer/PolicyTableToolbar';
import { PolicyTablePagination } from '@/components/policy-explorer/PolicyTablePagination';
import { policyTableColumns } from '@/components/policy-explorer/PolicyTableColumns';
import { getPolicySettingsV2 } from '@/lib/actions/policySettings';
import type { PolicySettingRow, PaginationMeta } from '@/lib/types/policy-table';
export function PolicyExplorerV2Client() {
const [data, setData] = useState<PolicySettingRow[]>([]);
const [meta, setMeta] = useState<PaginationMeta | undefined>();
const [isLoading, setIsLoading] = useState(true);
const [error, setError] = useState<string | null>(null);
// URL state management
const urlState = useURLState();
// localStorage preferences
const {
preferences,
isLoaded: preferencesLoaded,
updateColumnVisibility,
updateColumnSizing,
updateDensity,
updateDefaultPageSize,
} = useTablePreferences();
// Fetch data via Server Action
const fetchData = useCallback(async () => {
setIsLoading(true);
setError(null);
try {
const result = await getPolicySettingsV2({
page: urlState.page,
pageSize: urlState.pageSize as 10 | 25 | 50 | 100,
sortBy: urlState.sortBy as 'settingName' | 'policyName' | 'policyType' | 'lastSyncedAt' | undefined,
sortDir: urlState.sortDir,
policyTypes: urlState.policyTypes.length > 0 ? urlState.policyTypes : undefined,
searchQuery: urlState.searchQuery || undefined,
});
if (result.success) {
setData(result.data || []);
setMeta(result.meta);
} else {
setError(result.error || 'Failed to fetch data');
}
} catch (err) {
console.error('Fetch error:', err);
setError('An unexpected error occurred');
} finally {
setIsLoading(false);
}
}, [urlState.page, urlState.pageSize, urlState.sortBy, urlState.sortDir, urlState.policyTypes, urlState.searchQuery]);
// Fetch data when URL state changes
useEffect(() => {
fetchData();
}, [fetchData]);
// TanStack Table integration
const { table, selectedRows, selectedCount, totalCount, hasSelection } = usePolicyTable({
data,
columns: policyTableColumns,
pagination: {
pageIndex: urlState.page,
pageSize: urlState.pageSize as 10 | 25 | 50 | 100,
},
onPaginationChange: (updater) => {
const newPagination = typeof updater === 'function'
? updater({ pageIndex: urlState.page, pageSize: urlState.pageSize as 10 | 25 | 50 | 100 })
: updater;
urlState.updatePage(newPagination.pageIndex);
if (newPagination.pageSize !== urlState.pageSize) {
urlState.updatePageSize(newPagination.pageSize);
}
},
sorting: urlState.sortBy
? [{ id: urlState.sortBy, desc: urlState.sortDir === 'desc' }]
: [],
onSortingChange: (updater) => {
const newSorting = typeof updater === 'function'
? updater(urlState.sortBy ? [{ id: urlState.sortBy, desc: urlState.sortDir === 'desc' }] : [])
: updater;
if (newSorting.length > 0) {
urlState.updateSorting(newSorting[0].id, newSorting[0].desc ? 'desc' : 'asc');
}
},
columnVisibility: preferencesLoaded ? preferences.columnVisibility : {},
onColumnVisibilityChange: (updater) => {
const newVisibility = typeof updater === 'function'
? updater(preferences.columnVisibility)
: updater;
updateColumnVisibility(newVisibility);
},
columnSizing: preferencesLoaded ? preferences.columnSizing : {},
onColumnSizingChange: (updater) => {
const newSizing = typeof updater === 'function'
? updater(preferences.columnSizing)
: updater;
updateColumnSizing(newSizing);
},
meta,
enableRowSelection: true,
});
// Handle density change
const handleDensityChange = useCallback((density: 'compact' | 'comfortable') => {
updateDensity(density);
}, [updateDensity]);
if (error) {
return (
<div className="rounded-md border border-destructive p-4 text-center">
<p className="text-destructive font-semibold">Error loading policy settings</p>
<p className="text-sm text-muted-foreground mt-2">{error}</p>
</div>
);
}
return (
<div className="space-y-4">
{/* Toolbar */}
<PolicyTableToolbar
table={table}
density={preferences.density}
onDensityChange={handleDensityChange}
selectedPolicyTypes={urlState.policyTypes}
onSelectedPolicyTypesChange={urlState.updatePolicyTypes}
searchQuery={urlState.searchQuery}
onSearchQueryChange={urlState.updateSearchQuery}
selectedRows={selectedRows}
selectedCount={selectedCount}
totalCount={totalCount}
sortBy={urlState.sortBy}
sortDir={urlState.sortDir}
/>
{/* Table */}
<PolicyTableV2
table={table}
density={preferences.density}
isLoading={isLoading}
/>
{/* Pagination */}
{meta && (
<PolicyTablePagination
table={table}
totalCount={meta.totalCount}
pageCount={meta.pageCount}
currentPage={meta.currentPage}
/>
)}
</div>
);
}

155
app/(app)/search/page.tsx
View File

@ -1,36 +1,147 @@
import { SyncButton } from '@/components/search/SyncButton';
import { PolicyExplorerV2Client } from './PolicyExplorerV2Client';
'use client';
import { useState, useTransition, useCallback } from 'react';
import { SearchInput } from '@/components/search/SearchInput';
import { ResultsTable } from '@/components/search/ResultsTable';
import { EmptyState } from '@/components/search/EmptyState';
import {
searchPolicySettings,
seedMyTenantData,
type PolicySettingSearchResult,
} from '@/lib/actions/policySettings';
import { Card, CardContent, CardDescription, CardHeader, CardTitle } from '@/components/ui/card';
import { Metadata } from 'next';
import { NuqsAdapter } from 'nuqs/adapters/next/app';
import { Button } from '@/components/ui/button';
import { toast } from 'sonner';
import { Database } from 'lucide-react';
import { useRouter } from 'next/navigation';
export const metadata: Metadata = {
title: 'Policy Explorer | TenantPilot',
description: 'Browse and search Microsoft Intune policy settings with advanced filtering and export',
};
export default function SearchPage() {
const router = useRouter();
const [results, setResults] = useState<PolicySettingSearchResult[]>([]);
const [searchTerm, setSearchTerm] = useState('');
const [hasSearched, setHasSearched] = useState(false);
const [isPending, startTransition] = useTransition();
const [isSeeding, startSeedTransition] = useTransition();
const handleSearch = useCallback((query: string) => {
setSearchTerm(query);
if (query.length === 0) {
setResults([]);
setHasSearched(false);
return;
}
if (query.length < 2) {
return;
}
startTransition(async () => {
try {
const result = await searchPolicySettings(query);
if (result.success) {
setResults(result.data ?? []);
setHasSearched(true);
} else {
toast.error(result.error ?? 'Search failed');
setResults([]);
setHasSearched(true);
}
} catch (error) {
toast.error('An unexpected error occurred');
setResults([]);
setHasSearched(true);
}
});
}, []);
const handleSeedData = () => {
startSeedTransition(async () => {
try {
const result = await seedMyTenantData();
if (result.success) {
toast.success(result.message ?? 'Test data created successfully');
router.refresh();
} else {
toast.error(result.error ?? 'Failed to seed data');
}
} catch (error) {
toast.error('An unexpected error occurred');
}
});
};
export default async function SearchPage() {
return (
<main className="flex flex-1 flex-col gap-4 p-4 md:gap-8 md:p-8">
<div className="mx-auto w-full max-w-7xl">
<div className="mx-auto w-full max-w-6xl">
<Card>
<CardHeader>
<div className="flex items-center justify-between">
<div>
<CardTitle>Policy Explorer V2</CardTitle>
<CardDescription>
Advanced data table with pagination, sorting, filtering, and CSV export
</CardDescription>
</div>
<SyncButton />
</div>
<CardTitle>Global Policy Search</CardTitle>
<CardDescription>
Search across all your Intune policy settings by keyword
</CardDescription>
</CardHeader>
<CardContent>
<NuqsAdapter>
<PolicyExplorerV2Client />
</NuqsAdapter>
<div className="flex flex-col gap-6">
<SearchInput onSearch={handleSearch} isSearching={isPending} />
{isPending && (
<div className="flex items-center justify-center py-8">
<div className="flex items-center gap-2">
<div className="h-5 w-5 animate-spin rounded-full border-2 border-primary border-t-transparent" />
<span className="text-sm text-muted-foreground">
Searching...
</span>
</div>
</div>
)}
{!isPending && hasSearched && (
<>
{results.length > 0 ? (
<div className="space-y-4">
<p className="text-sm text-muted-foreground">
Found {results.length} result{results.length !== 1 ? 's' : ''}
</p>
<ResultsTable results={results} />
</div>
) : (
<EmptyState searchTerm={searchTerm} />
)}
</>
)}
{!hasSearched && !isPending && (
<EmptyState />
)}
</div>
</CardContent>
</Card>
{/* Seed Data Button - Development Helper */}
<div className="mt-4 flex justify-end">
<Button
onClick={handleSeedData}
disabled={isSeeding}
variant="outline"
size="sm"
className="gap-2"
>
{isSeeding ? (
<>
<div className="h-4 w-4 animate-spin rounded-full border-2 border-primary border-t-transparent" />
Seeding...
</>
) : (
<>
<Database className="h-4 w-4" />
Seed My Data
</>
)}
</Button>
</div>
</div>
</main>
);

100
app/(app)/settings-overview/page.tsx
View File

@ -1,100 +0,0 @@
import { getAllPolicySettings } from '@/lib/actions/policySettings';
import { Card, CardContent, CardDescription, CardHeader, CardTitle } from '@/components/ui/card';
import {
Table,
TableBody,
TableCell,
TableHead,
TableHeader,
TableRow,
} from '@/components/ui/table';
import { formatDistanceToNow } from 'date-fns';
import { de } from 'date-fns/locale';
export default async function SettingsOverviewPage() {
const result = await getAllPolicySettings();
if (!result.success) {
return (
<main className="flex flex-1 flex-col gap-4 p-4 md:gap-8 md:p-8">
<div className="mx-auto w-full max-w-6xl">
<Card>
<CardHeader>
<CardTitle>Policy Settings Overview</CardTitle>
<CardDescription>
{result.error || 'Failed to load settings'}
</CardDescription>
</CardHeader>
</Card>
</div>
</main>
);
}
const settings = result.data || [];
return (
<main className="flex flex-1 flex-col gap-4 p-4 md:gap-8 md:p-8">
<div className="mx-auto w-full max-w-6xl">
<Card>
<CardHeader>
<CardTitle>Policy Settings Overview</CardTitle>
<CardDescription>
{settings.length} policy setting{settings.length !== 1 ? 's' : ''} found
</CardDescription>
</CardHeader>
<CardContent>
{settings.length === 0 ? (
<div className="flex flex-col items-center justify-center py-12 text-center">
<p className="text-muted-foreground">No policy settings found</p>
<p className="mt-2 text-sm text-muted-foreground">
Try syncing your policies first
</p>
</div>
) : (
<div className="rounded-md border">
<Table>
<TableHeader>
<TableRow>
<TableHead>Policy Name</TableHead>
<TableHead>Policy Type</TableHead>
<TableHead>Setting Name</TableHead>
<TableHead>Setting Value</TableHead>
<TableHead className="text-right">Last Synced</TableHead>
</TableRow>
</TableHeader>
<TableBody>
{settings.map((setting) => (
<TableRow key={setting.id}>
<TableCell className="font-medium">
{setting.policyName}
</TableCell>
<TableCell>
<span className="inline-flex items-center rounded-md bg-blue-50 px-2 py-1 text-xs font-medium text-blue-700 ring-1 ring-inset ring-blue-700/10">
{setting.policyType}
</span>
</TableCell>
<TableCell className="font-mono text-xs">
{setting.settingName}
</TableCell>
<TableCell className="max-w-md truncate">
{setting.settingValue}
</TableCell>
<TableCell className="text-right text-sm text-muted-foreground">
{formatDistanceToNow(new Date(setting.lastSyncedAt), {
addSuffix: true,
locale: de,
})}
</TableCell>
</TableRow>
))}
</TableBody>
</Table>
</div>
)}
</CardContent>
</Card>
</div>
</main>
);
}

6
app/api/admin/tenants/route.ts
View File

@ -1,6 +0,0 @@
// Admin tenants route removed — use internal DB queries instead.
import { NextResponse } from 'next/server';
export async function GET() {
return NextResponse.json({ error: 'This endpoint has been removed. Query tenants via internal admin tools.' }, { status: 410 });
}

137
app/api/policy-settings/route.ts
View File

@ -1,12 +1,133 @@
// Legacy ingestion API removed in favor of BullMQ worker.
// This route is intentionally kept to return 410 Gone so any external callers
// (e.g., old n8n workflows) receive a clear signal to stop posting here.
import { NextResponse } from 'next/server';
import { NextRequest, NextResponse } from 'next/server';
import { db, policySettings } from '@/lib/db';
import {
bulkPolicySettingsSchema,
type BulkPolicySettingsInput,
} from '@/lib/validators/policySettings';
import { env } from '@/lib/env.mjs';
import { eq } from 'drizzle-orm';
export async function POST() {
return NextResponse.json({ error: 'This endpoint has been removed. Use the new worker-based ingestion.' }, { status: 410 });
/**
* POST /api/policy-settings
* Bulk upsert policy settings from n8n workflows
*
* **Security**: Requires X-API-SECRET header matching POLICY_API_SECRET env var
*/
export async function POST(request: NextRequest) {
try {
// T020: Validate API Secret
const apiSecret = request.headers.get('X-API-SECRET');
if (!apiSecret || apiSecret !== env.POLICY_API_SECRET) {
return NextResponse.json(
{ error: 'Unauthorized' },
{ status: 401 }
);
}
// T022: Parse and validate request body
const body = await request.json();
const validationResult = bulkPolicySettingsSchema.safeParse(body);
if (!validationResult.success) {
return NextResponse.json(
{
error: 'Validation failed',
details: validationResult.error.issues.map((err) => ({
field: err.path.join('.'),
message: err.message,
})),
},
{ status: 400 }
);
}
const { settings } = validationResult.data as BulkPolicySettingsInput;
// T021: Bulk upsert with onConflictDoUpdate
let upsertedCount = 0;
for (const setting of settings) {
await db
.insert(policySettings)
.values({
tenantId: setting.tenantId,
policyName: setting.policyName,
policyType: setting.policyType,
settingName: setting.settingName,
settingValue: setting.settingValue,
graphPolicyId: setting.graphPolicyId,
lastSyncedAt: new Date(),
})
.onConflictDoUpdate({
target: [
policySettings.tenantId,
policySettings.graphPolicyId,
policySettings.settingName,
],
set: {
policyName: setting.policyName,
policyType: setting.policyType,
settingValue: setting.settingValue,
lastSyncedAt: new Date(),
},
});
upsertedCount++;
}
return NextResponse.json({
success: true,
upsertedCount,
message: `${upsertedCount} settings upserted successfully`,
});
} catch (error) {
console.error('Policy settings upsert failed:', error);
return NextResponse.json(
{ error: 'Internal server error' },
{ status: 500 }
);
}
}
export async function DELETE() {
return NextResponse.json({ error: 'This endpoint has been removed.' }, { status: 410 });
/**
* DELETE /api/policy-settings?tenantId=xxx
* Delete all policy settings for a tenant
*
* **Security**: Requires X-API-SECRET header
*/
export async function DELETE(request: NextRequest) {
try {
// T024: Validate API Secret
const apiSecret = request.headers.get('X-API-SECRET');
if (!apiSecret || apiSecret !== env.POLICY_API_SECRET) {
return NextResponse.json(
{ error: 'Unauthorized' },
{ status: 401 }
);
}
const { searchParams } = new URL(request.url);
const tenantId = searchParams.get('tenantId');
if (!tenantId) {
return NextResponse.json(
{ error: 'tenantId query parameter is required' },
{ status: 400 }
);
}
const result = await db
.delete(policySettings)
.where(eq(policySettings.tenantId, tenantId));
return NextResponse.json({
success: true,
deletedCount: result.rowCount ?? 0,
message: `${result.rowCount ?? 0} settings deleted for tenant`,
});
} catch (error) {
console.error('Policy settings deletion failed:', error);
return NextResponse.json(
{ error: 'Internal server error' },
{ status: 500 }
);
}
}

44
app/api/policy-sync/status/[jobId]/route.ts
View File

@ -1,44 +0,0 @@
import { NextRequest, NextResponse } from 'next/server';
import { syncQueue } from '@/lib/queue/syncQueue';
import { getUserAuth } from '@/lib/auth/utils';
export async function GET(
request: NextRequest,
{ params }: { params: Promise<{ jobId: string }> }
) {
try {
const { session } = await getUserAuth();
if (!session?.user) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
}
const { jobId } = await params;
const job = await syncQueue.getJob(jobId);
if (!job) {
return NextResponse.json({ error: 'Job not found' }, { status: 404 });
}
const state = await job.getState();
const progress = job.progress;
const returnvalue = job.returnvalue;
const failedReason = job.failedReason;
return NextResponse.json({
jobId: job.id,
state,
progress,
result: returnvalue,
error: failedReason,
processedOn: job.processedOn,
finishedOn: job.finishedOn,
});
} catch (error) {
console.error('Failed to get job status:', error);
return NextResponse.json(
{ error: 'Failed to retrieve job status' },
{ status: 500 }
);
}
}

51
app/api/policy-sync/status/route.ts
View File

@ -1,51 +0,0 @@
import { NextRequest, NextResponse } from 'next/server';
import { getUserAuth } from '@/lib/auth/utils';
import { syncQueue } from '@/lib/queue/syncQueue';
export async function GET(request: NextRequest) {
try {
const { session } = await getUserAuth();
if (!session?.user) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
}
const { searchParams } = new URL(request.url);
const jobId = searchParams.get('jobId');
if (!jobId) {
return NextResponse.json({ error: 'Job ID required' }, { status: 400 });
}
// Get job from BullMQ
const job = await syncQueue.getJob(jobId);
if (!job) {
return NextResponse.json({ error: 'Job not found' }, { status: 404 });
}
// Get job state
const state = await job.getState();
const progress = job.progress;
const returnValue = job.returnvalue;
const failedReason = job.failedReason;
return NextResponse.json({
jobId: job.id,
state,
progress,
data: job.data,
result: returnValue,
failedReason,
timestamp: job.timestamp,
processedOn: job.processedOn,
finishedOn: job.finishedOn,
});
} catch (error) {
console.error('Error fetching job status:', error);
return NextResponse.json(
{ error: 'Failed to fetch job status' },
{ status: 500 }
);
}
}

18
app/api/webhooks/stripe/route.ts
View File

@ -7,8 +7,7 @@ import { eq } from "drizzle-orm";
export async function POST(request: Request) {
const body = await request.text();
const headersList = await headers();
const signature = headersList.get("Stripe-Signature") ?? "";
const signature = headers().get("Stripe-Signature") ?? "";
let event: Stripe.Event;
@ -40,14 +39,12 @@ export async function POST(request: Request) {
if (event.type === "checkout.session.completed") {
const subscription = await stripe.subscriptions.retrieve(
session.subscription as string
) as Stripe.Subscription;
const subscriptionItem = subscription.items.data[0];
);
const updatedData = {
stripeSubscriptionId: subscription.id,
stripeCustomerId: subscription.customer as string,
stripePriceId: subscriptionItem.price.id,
stripeCurrentPeriodEnd: new Date(subscriptionItem.current_period_end * 1000),
stripePriceId: subscription.items.data[0].price.id,
stripeCurrentPeriodEnd: new Date(subscription.current_period_end * 1000),
};
if (session?.metadata?.userId != null) {
@ -82,16 +79,15 @@ export async function POST(request: Request) {
// Retrieve the subscription details from Stripe.
const subscription = await stripe.subscriptions.retrieve(
session.subscription as string
) as Stripe.Subscription;
);
// Update the price id and set the new period end.
const subscriptionItem = subscription.items.data[0];
await db
.update(subscriptions)
.set({
stripePriceId: subscriptionItem.price.id,
stripePriceId: subscription.items.data[0].price.id,
stripeCurrentPeriodEnd: new Date(
subscriptionItem.current_period_end * 1000
subscription.current_period_end * 1000
),
})
.where(eq(subscriptions.stripeSubscriptionId, subscription.id));

26
app/api/worker-health/route.ts
View File

@ -1,26 +0,0 @@
import { NextResponse } from 'next/server';
import checkHealth from '../../../worker/health';
import Redis from 'ioredis';
import { Queue } from 'bullmq';
export async function GET() {
try {
const health = checkHealth();
const redisUrl = process.env.REDIS_URL;
let queueInfo = null;
if (redisUrl) {
const connection = new Redis(redisUrl);
const queue = new Queue('intune-sync-queue', { connection });
const counts = await queue.getJobCounts();
queueInfo = counts;
await queue.close();
await connection.quit();
}
return NextResponse.json({ ok: true, health, queue: queueInfo, timestamp: new Date().toISOString() });
} catch (err: any) {
return NextResponse.json({ ok: false, error: err?.message || String(err) }, { status: 500 });
}
}

3
components/ThemeProvider.tsx
View File

@ -1,7 +1,8 @@
"use client";
import * as React from "react";
import { ThemeProvider as NextThemesProvider, type ThemeProviderProps } from "next-themes";
import { ThemeProvider as NextThemesProvider } from "next-themes";
import { type ThemeProviderProps } from "next-themes/dist/types";
export function ThemeProvider({ children, ...props }: ThemeProviderProps) {
return <NextThemesProvider {...props}>{children}</NextThemesProvider>;

81
components/policy-explorer/ColumnVisibilityMenu.tsx
View File

@ -1,81 +0,0 @@
/**
* ColumnVisibilityMenu
*
* Dropdown menu to show/hide table columns.
* Integrates with TanStack Table column visibility state.
*
* Features:
* - Checkbox list of all columns
* - Hide/show individual columns
* - "Reset to default" button
* - Persisted via localStorage
*/
'use client';
import { Button } from '@/components/ui/button';
import {
DropdownMenu,
DropdownMenuCheckboxItem,
DropdownMenuContent,
DropdownMenuLabel,
DropdownMenuSeparator,
DropdownMenuTrigger,
} from '@/components/ui/dropdown-menu';
import { Columns3 } from 'lucide-react';
import type { Table } from '@tanstack/react-table';
import type { PolicySettingRow } from '@/lib/types/policy-table';
interface ColumnVisibilityMenuProps {
table: Table<PolicySettingRow>;
}
export function ColumnVisibilityMenu({ table }: ColumnVisibilityMenuProps) {
const columns = table
.getAllColumns()
.filter((column) => column.getCanHide());
const hiddenCount = columns.filter((column) => !column.getIsVisible()).length;
return (
<DropdownMenu>
<DropdownMenuTrigger asChild>
<Button variant="outline" size="sm" className="ml-auto h-8 lg:flex">
<Columns3 className="mr-2 h-4 w-4" />
Columns
{hiddenCount > 0 && (
<span className="ml-1 rounded-full bg-primary px-2 py-0.5 text-xs text-primary-foreground">
{hiddenCount}
</span>
)}
</Button>
</DropdownMenuTrigger>
<DropdownMenuContent align="end" className="w-[180px]">
<DropdownMenuLabel>Toggle columns</DropdownMenuLabel>
<DropdownMenuSeparator />
{columns.map((column) => {
return (
<DropdownMenuCheckboxItem
key={column.id}
className="capitalize"
checked={column.getIsVisible()}
onCheckedChange={(value) => column.toggleVisibility(!!value)}
>
{/* Format column ID to human-readable label */}
{column.id.replace(/([A-Z])/g, ' $1').trim()}
</DropdownMenuCheckboxItem>
);
})}
<DropdownMenuSeparator />
<Button
variant="ghost"
size="sm"
className="w-full justify-start"
onClick={() => table.resetColumnVisibility()}
>
Reset to default
</Button>
</DropdownMenuContent>
</DropdownMenu>
);
}

165
components/policy-explorer/ExportButton.tsx
View File

@ -1,165 +0,0 @@
/**
* ExportButton Component
*
* CSV export dropdown with two options:
* 1. Export Selected Rows (client-side, immediate)
* 2. Export All Filtered Results (server-side via Server Action, max 5000)
*
* Features:
* - Dropdown menu with export options
* - Disabled state when no data/selection
* - Loading state for server-side export
* - Warning when result set > 5000 rows
*/
'use client';
import { useState } from 'react';
import { Button } from '@/components/ui/button';
import {
DropdownMenu,
DropdownMenuContent,
DropdownMenuItem,
DropdownMenuLabel,
DropdownMenuSeparator,
DropdownMenuTrigger,
} from '@/components/ui/dropdown-menu';
import { Download, Loader2 } from 'lucide-react';
import { generatePolicySettingsCsv, downloadCsv, generateCsvFilename } from '@/lib/utils/csv-export';
import { exportPolicySettingsCSV } from '@/lib/actions/policySettings';
import type { PolicySettingRow } from '@/lib/types/policy-table';
import { toast } from 'sonner';
interface ExportButtonProps {
selectedRows: PolicySettingRow[];
selectedCount: number;
totalCount: number;
// Filter state for server-side export
policyTypes?: string[];
searchQuery?: string;
sortBy?: string;
sortDir?: 'asc' | 'desc';
}
export function ExportButton({
selectedRows,
selectedCount,
totalCount,
policyTypes,
searchQuery,
sortBy,
sortDir,
}: ExportButtonProps) {
const [isExporting, setIsExporting] = useState(false);
const hasSelection = selectedCount > 0;
const hasData = totalCount > 0;
const exceedsLimit = totalCount > 5000;
// Client-side export: Export selected rows
const handleExportSelected = () => {
if (!hasSelection) return;
try {
const csvContent = generatePolicySettingsCsv(selectedRows);
const filename = generateCsvFilename('policy-settings', selectedCount);
downloadCsv(csvContent, filename);
toast.success(`Exported ${selectedCount} rows to ${filename}`);
} catch (error) {
console.error('Export error:', error);
toast.error('Failed to export selected rows');
}
};
// Server-side export: Export all filtered results
const handleExportAll = async () => {
setIsExporting(true);
try {
const result = await exportPolicySettingsCSV({
policyTypes: policyTypes && policyTypes.length > 0 ? policyTypes : undefined,
searchQuery: searchQuery || undefined,
sortBy: sortBy as 'settingName' | 'policyName' | 'policyType' | 'lastSyncedAt' | undefined,
sortDir,
maxRows: 5000,
});
if (result.success && result.csv && result.filename) {
downloadCsv(result.csv, result.filename);
toast.success(`Exported ${result.rowCount} rows to ${result.filename}`);
} else {
toast.error(result.error || 'Failed to export data');
}
} catch (error) {
console.error('Export error:', error);
toast.error('An unexpected error occurred during export');
} finally {
setIsExporting(false);
}
};
return (
<DropdownMenu>
<DropdownMenuTrigger asChild>
<Button
variant="outline"
size="sm"
className="h-8"
disabled={!hasData || isExporting}
>
{isExporting ? (
<>
<Loader2 className="mr-2 h-4 w-4 animate-spin" />
Exporting...
</>
) : (
<>
<Download className="mr-2 h-4 w-4" />
Export
</>
)}
</Button>
</DropdownMenuTrigger>
<DropdownMenuContent align="end" className="w-[220px]">
<DropdownMenuLabel>Export to CSV</DropdownMenuLabel>
<DropdownMenuSeparator />
<DropdownMenuItem
onClick={handleExportSelected}
disabled={!hasSelection}
>
<div className="flex flex-col gap-1">
<span className="font-medium">Export Selected</span>
<span className="text-xs text-muted-foreground">
{hasSelection ? `${selectedCount} rows` : 'No rows selected'}
</span>
</div>
</DropdownMenuItem>
<DropdownMenuItem
onClick={handleExportAll}
disabled={!hasData || isExporting}
>
<div className="flex flex-col gap-1">
<span className="font-medium">Export All Filtered</span>
<span className="text-xs text-muted-foreground">
{exceedsLimit
? `${totalCount} rows (limited to 5000)`
: `${totalCount} rows`}
</span>
</div>
</DropdownMenuItem>
{exceedsLimit && (
<>
<DropdownMenuSeparator />
<div className="px-2 py-1.5 text-xs text-amber-600">
Results exceed 5000 rows. Export will be limited.
</div>
</>
)}
</DropdownMenuContent>
</DropdownMenu>
);
}

305
components/policy-explorer/PolicyDetailSheet.tsx
View File

@ -1,305 +0,0 @@
'use client';
import { useState } from 'react';
import {
Sheet,
SheetContent,
SheetDescription,
SheetHeader,
SheetTitle,
} from '@/components/ui/sheet';
import { Button } from '@/components/ui/button';
import { Badge } from '@/components/ui/badge';
import type { PolicySettingSearchResult } from '@/lib/actions/policySettings';
import type { PolicySettingRow } from '@/lib/types/policy-table';
import { PolicyTypeBadge } from './PolicyTypeBadge';
import { formatDistanceToNow } from 'date-fns';
import { de } from 'date-fns/locale';
import { Copy, ExternalLink, Check } from 'lucide-react';
import { useCopyToClipboard } from '@/lib/hooks/useCopyToClipboard';
import { getIntunePortalLink } from '@/lib/utils/policy-table-helpers';
interface PolicyDetailSheetProps {
policy: PolicySettingSearchResult | PolicySettingRow | null;
open: boolean;
onOpenChange: (open: boolean) => void;
}
function isJsonString(str: string): boolean {
if (!str || typeof str !== 'string') return false;
const trimmed = str.trim();
return trimmed.startsWith('{') || trimmed.startsWith('[');
}
function formatJson(value: string): string {
try {
const parsed = JSON.parse(value);
return JSON.stringify(parsed, null, 2);
} catch {
return value;
}
}
export function PolicyDetailSheet({
policy,
open,
onOpenChange,
}: PolicyDetailSheetProps) {
const [activeTab, setActiveTab] = useState<'details' | 'raw'>('details');
const { copy, isCopied } = useCopyToClipboard();
if (!policy) return null;
const isJson = isJsonString(policy.settingValue);
const displayValue = isJson
? formatJson(policy.settingValue)
: policy.settingValue;
// Handle both PolicySettingRow (has graphPolicyId) and PolicySettingSearchResult (has id)
const policyId = 'graphPolicyId' in policy ? policy.graphPolicyId : policy.id;
const intuneUrl = getIntunePortalLink(policy.policyType, policyId);
const handleCopyField = (value: string, fieldName: string) => {
copy(value, `${fieldName} copied to clipboard`);
};
const handleOpenInIntune = () => {
if (intuneUrl) {
window.open(intuneUrl, '_blank', 'noopener,noreferrer');
} else {
// Fallback: copy policy ID
copy(policyId, 'Policy ID copied to clipboard');
}
};
// Generate raw JSON for the entire policy object
const rawJson = JSON.stringify(policy, null, 2);
return (
<Sheet open={open} onOpenChange={onOpenChange}>
<SheetContent className="w-[600px] sm:max-w-[600px] overflow-y-auto">
<SheetHeader>
<SheetTitle className="flex items-center justify-between">
<span className="truncate">{policy.settingName}</span>
{intuneUrl && (
<Button
variant="ghost"
size="sm"
onClick={handleOpenInIntune}
className="ml-2"
>
<ExternalLink className="h-4 w-4" />
</Button>
)}
</SheetTitle>
<SheetDescription>
Policy Setting Details
</SheetDescription>
</SheetHeader>
{/* Tabs */}
<div className="flex gap-2 mt-4 border-b">
<button
onClick={() => setActiveTab('details')}
className={`px-4 py-2 text-sm font-medium border-b-2 transition-colors ${
activeTab === 'details'
? 'border-primary text-primary'
: 'border-transparent text-muted-foreground hover:text-foreground'
}`}
>
Details
</button>
<button
onClick={() => setActiveTab('raw')}
className={`px-4 py-2 text-sm font-medium border-b-2 transition-colors ${
activeTab === 'raw'
? 'border-primary text-primary'
: 'border-transparent text-muted-foreground hover:text-foreground'
}`}
>
Raw JSON
</button>
</div>
{/* Details Tab */}
{activeTab === 'details' && (
<div className="mt-6 space-y-6">
{/* Policy Name */}
<div>
<div className="flex items-center justify-between mb-1">
<h3 className="text-sm font-medium text-muted-foreground">
Policy Name
</h3>
<Button
variant="ghost"
size="sm"
onClick={() => handleCopyField(policy.policyName, 'Policy Name')}
className="h-7 px-2"
>
{isCopied ? (
<Check className="h-3 w-3 text-green-600" />
) : (
<Copy className="h-3 w-3" />
)}
</Button>
</div>
<p className="text-sm">{policy.policyName}</p>
</div>
{/* Policy Type */}
<div>
<h3 className="text-sm font-medium text-muted-foreground mb-1">
Policy Type
</h3>
<PolicyTypeBadge type={policy.policyType} />
</div>
{/* Setting Name */}
<div>
<div className="flex items-center justify-between mb-1">
<h3 className="text-sm font-medium text-muted-foreground">
Setting Name
</h3>
<Button
variant="ghost"
size="sm"
onClick={() => handleCopyField(policy.settingName, 'Setting Name')}
className="h-7 px-2"
>
{isCopied ? (
<Check className="h-3 w-3 text-green-600" />
) : (
<Copy className="h-3 w-3" />
)}
</Button>
</div>
<p className="text-sm font-mono">{policy.settingName}</p>
</div>
{/* Setting Value */}
<div>
<div className="flex items-center justify-between mb-2">
<h3 className="text-sm font-medium text-muted-foreground">
Setting Value
</h3>
<Button
variant="ghost"
size="sm"
onClick={() => handleCopyField(policy.settingValue, 'Setting Value')}
className="h-7 px-2"
>
{isCopied ? (
<Check className="h-3 w-3 text-green-600" />
) : (
<Copy className="h-3 w-3" />
)}
</Button>
</div>
{isJson ? (
<pre className="text-xs bg-muted p-4 rounded-md overflow-x-auto max-h-96 overflow-y-auto">
<code>{displayValue}</code>
</pre>
) : (
<p className="text-sm whitespace-pre-wrap break-words">
{displayValue}
</p>
)}
</div>
{/* Graph Policy ID */}
<div>
<div className="flex items-center justify-between mb-1">
<h3 className="text-sm font-medium text-muted-foreground">
Graph Policy ID
</h3>
<Button
variant="ghost"
size="sm"
onClick={() => handleCopyField(policyId, 'Policy ID')}
className="h-7 px-2"
>
{isCopied ? (
<Check className="h-3 w-3 text-green-600" />
) : (
<Copy className="h-3 w-3" />
)}
</Button>
</div>
<p className="text-sm font-mono text-muted-foreground">
{policyId}
</p>
</div>
{/* Last Synced */}
<div>
<h3 className="text-sm font-medium text-muted-foreground mb-1">
Last Synced
</h3>
<p className="text-sm">
{formatDistanceToNow(new Date(policy.lastSyncedAt), {
addSuffix: true,
locale: de,
})}
</p>
<p className="text-xs text-muted-foreground mt-1">
{new Date(policy.lastSyncedAt).toLocaleString('de-DE')}
</p>
</div>
{/* Open in Intune Button */}
<div className="pt-4 border-t">
{intuneUrl ? (
<Button
variant="default"
onClick={handleOpenInIntune}
className="w-full"
>
<ExternalLink className="mr-2 h-4 w-4" />
Open in Intune Portal
</Button>
) : (
<Button
variant="outline"
onClick={() => handleCopyField(policyId, 'Policy ID')}
className="w-full"
>
<Copy className="mr-2 h-4 w-4" />
Copy Policy ID
</Button>
)}
</div>
</div>
)}
{/* Raw JSON Tab */}
{activeTab === 'raw' && (
<div className="mt-6">
<div className="flex items-center justify-between mb-4">
<h3 className="text-sm font-medium">Complete Policy Object</h3>
<Button
variant="outline"
size="sm"
onClick={() => copy(rawJson, 'Raw JSON copied to clipboard')}
>
{isCopied ? (
<>
<Check className="mr-2 h-4 w-4 text-green-600" />
Copied
</>
) : (
<>
<Copy className="mr-2 h-4 w-4" />
Copy All
</>
)}
</Button>
</div>
<pre className="text-xs bg-muted p-4 rounded-md overflow-x-auto max-h-[600px] overflow-y-auto">
<code className="language-json">{rawJson}</code>
</pre>
</div>
)}
</SheetContent>
</Sheet>
);
}

82
components/policy-explorer/PolicySearchContainer.tsx
View File

@ -1,82 +0,0 @@
'use client';
import { useState, useTransition } from 'react';
import { PolicyTable } from './PolicyTable';
import { SearchInput } from '@/components/search/SearchInput';
import { EmptyState } from '@/components/search/EmptyState';
import type { PolicySettingSearchResult } from '@/lib/actions/policySettings';
import { searchPolicySettings } from '@/lib/actions/policySettings';
import { toast } from 'sonner';
interface PolicySearchContainerProps {
initialPolicies: PolicySettingSearchResult[];
onPolicyClick: (policy: PolicySettingSearchResult) => void;
}
export function PolicySearchContainer({
initialPolicies,
onPolicyClick,
}: PolicySearchContainerProps) {
const [policies, setPolicies] = useState<PolicySettingSearchResult[]>(initialPolicies);
const [searchTerm, setSearchTerm] = useState('');
const [hasSearched, setHasSearched] = useState(false);
const [isPending, startTransition] = useTransition();
const handleSearch = (query: string) => {
setSearchTerm(query);
if (query.length === 0) {
// Reset to initial policies when search is cleared
setPolicies(initialPolicies);
setHasSearched(false);
return;
}
// Only search with 2 or more characters
if (query.length < 2) {
return;
}
startTransition(async () => {
try {
const result = await searchPolicySettings(query);
if (result.success) {
setPolicies(result.data ?? []);
setHasSearched(true);
} else {
toast.error(result.error ?? 'Search failed');
setPolicies([]);
setHasSearched(true);
}
} catch (error) {
toast.error('An unexpected error occurred');
setPolicies([]);
setHasSearched(true);
}
});
};
return (
<div className="space-y-4">
<SearchInput
onSearch={handleSearch}
isSearching={isPending}
/>
{policies.length === 0 && hasSearched && (
<EmptyState />
)}
{policies.length === 0 && !hasSearched && initialPolicies.length === 0 && (
<div className="text-center py-12 text-muted-foreground">
<p>Keine Policies gefunden - Starten Sie einen Sync</p>
</div>
)}
{policies.length > 0 && (
<PolicyTable policies={policies} onRowClick={onPolicyClick} />
)}
</div>
);
}

72
components/policy-explorer/PolicyTable.tsx
View File

@ -1,72 +0,0 @@
'use client';
import {
Table,
TableBody,
TableCell,
TableHead,
TableHeader,
TableRow,
} from '@/components/ui/table';
import { Card, CardContent } from '@/components/ui/card';
import type { PolicySettingSearchResult } from '@/lib/actions/policySettings';
import { PolicyTypeBadge } from './PolicyTypeBadge';
import { formatDistanceToNow } from 'date-fns';
import { de } from 'date-fns/locale';
interface PolicyTableProps {
policies: PolicySettingSearchResult[];
onRowClick: (policy: PolicySettingSearchResult) => void;
}
export function PolicyTable({ policies, onRowClick }: PolicyTableProps) {
if (policies.length === 0) {
return null;
}
return (
<Card>
<CardContent className="p-0">
<div className="overflow-x-auto">
<Table>
<TableHeader>
<TableRow>
<TableHead>Setting Name</TableHead>
<TableHead>Setting Value</TableHead>
<TableHead>Policy Name</TableHead>
<TableHead>Policy Type</TableHead>
<TableHead>Last Synced</TableHead>
</TableRow>
</TableHeader>
<TableBody>
{policies.map((policy) => (
<TableRow
key={policy.id}
onClick={() => onRowClick(policy)}
className="cursor-pointer hover:bg-accent"
>
<TableCell className="font-medium">
{policy.settingName}
</TableCell>
<TableCell className="max-w-xs truncate">
{policy.settingValue}
</TableCell>
<TableCell>{policy.policyName}</TableCell>
<TableCell>
<PolicyTypeBadge type={policy.policyType} />
</TableCell>
<TableCell className="text-muted-foreground text-sm">
{formatDistanceToNow(new Date(policy.lastSyncedAt), {
addSuffix: true,
locale: de,
})}
</TableCell>
</TableRow>
))}
</TableBody>
</Table>
</div>
</CardContent>
</Card>
);
}

216
components/policy-explorer/PolicyTableColumns.tsx
View File

@ -1,216 +0,0 @@
/**
* PolicyTableColumns
*
* Column definitions for the Policy Explorer V2 data table.
* Uses TanStack Table column definition API.
*
* Columns:
* - settingName: The setting key/identifier
* - settingValue: The setting value (truncated with tooltip)
* - policyName: Name of the policy containing this setting
* - policyType: Type badge (deviceConfiguration, compliancePolicy, etc.)
* - lastSyncedAt: Timestamp of last sync from Intune
* - graphPolicyId: Microsoft Graph Policy ID (truncated)
*/
import type { ColumnDef } from '@tanstack/react-table';
import type { PolicySettingRow } from '@/lib/types/policy-table';
import { Badge } from '@/components/ui/badge';
import { formatDistanceToNow } from 'date-fns';
import { ArrowUpDown, ArrowUp, ArrowDown } from 'lucide-react';
import { Button } from '@/components/ui/button';
export const policyTableColumns: ColumnDef<PolicySettingRow>[] = [
{
id: 'select',
header: ({ table }) => (
<div className="flex items-center">
<input
type="checkbox"
checked={table.getIsAllPageRowsSelected()}
ref={(input) => {
if (input) {
input.indeterminate = table.getIsSomePageRowsSelected() && !table.getIsAllPageRowsSelected();
}
}}
onChange={table.getToggleAllPageRowsSelectedHandler()}
aria-label="Select all rows on this page"
className="h-4 w-4 rounded border-gray-300 text-primary focus:ring-primary"
/>
</div>
),
cell: ({ row }) => (
<div className="flex items-center">
<input
type="checkbox"
checked={row.getIsSelected()}
disabled={!row.getCanSelect()}
onChange={row.getToggleSelectedHandler()}
aria-label={`Select row ${row.id}`}
className="h-4 w-4 rounded border-gray-300 text-primary focus:ring-primary"
/>
</div>
),
enableSorting: false,
enableResizing: false,
},
{
accessorKey: 'settingName',
header: ({ column }) => {
const isSorted = column.getIsSorted();
return (
<Button
variant="ghost"
onClick={() => column.toggleSorting()}
className="h-8 px-2 lg:px-3"
>
Setting Name
{isSorted === 'asc' ? (
<ArrowUp className="ml-2 h-4 w-4" />
) : isSorted === 'desc' ? (
<ArrowDown className="ml-2 h-4 w-4" />
) : (
<ArrowUpDown className="ml-2 h-4 w-4" />
)}
</Button>
);
},
cell: ({ row }) => {
const settingName = row.getValue('settingName') as string;
return (
<div className="max-w-[300px] truncate font-medium" title={settingName}>
{settingName}
</div>
);
},
enableSorting: true,
enableResizing: true,
},
{
accessorKey: 'settingValue',
header: 'Setting Value',
cell: ({ row }) => {
const settingValue = row.getValue('settingValue') as string;
const truncated = settingValue.length > 100 ? settingValue.slice(0, 100) + '...' : settingValue;
return (
<div className="max-w-[400px] truncate" title={settingValue}>
{truncated}
</div>
);
},
enableSorting: false,
enableResizing: true,
},
{
accessorKey: 'policyName',
header: ({ column }) => {
const isSorted = column.getIsSorted();
return (
<Button
variant="ghost"
onClick={() => column.toggleSorting()}
className="h-8 px-2 lg:px-3"
>
Policy Name
{isSorted === 'asc' ? (
<ArrowUp className="ml-2 h-4 w-4" />
) : isSorted === 'desc' ? (
<ArrowDown className="ml-2 h-4 w-4" />
) : (
<ArrowUpDown className="ml-2 h-4 w-4" />
)}
</Button>
);
},
cell: ({ row }) => {
const policyName = row.getValue('policyName') as string;
return (
<div className="max-w-[300px] truncate" title={policyName}>
{policyName}
</div>
);
},
enableSorting: true,
enableResizing: true,
},
{
accessorKey: 'policyType',
header: ({ column }) => {
const isSorted = column.getIsSorted();
return (
<Button
variant="ghost"
onClick={() => column.toggleSorting()}
className="h-8 px-2 lg:px-3"
>
Policy Type
{isSorted === 'asc' ? (
<ArrowUp className="ml-2 h-4 w-4" />
) : isSorted === 'desc' ? (
<ArrowDown className="ml-2 h-4 w-4" />
) : (
<ArrowUpDown className="ml-2 h-4 w-4" />
)}
</Button>
);
},
cell: ({ row }) => {
const policyType = row.getValue('policyType') as string;
return (
<Badge variant="outline" className="whitespace-nowrap">
{policyType}
</Badge>
);
},
enableSorting: true,
enableResizing: true,
},
{
accessorKey: 'lastSyncedAt',
header: ({ column }) => {
const isSorted = column.getIsSorted();
return (
<Button
variant="ghost"
onClick={() => column.toggleSorting()}
className="h-8 px-2 lg:px-3"
>
Last Synced
{isSorted === 'asc' ? (
<ArrowUp className="ml-2 h-4 w-4" />
) : isSorted === 'desc' ? (
<ArrowDown className="ml-2 h-4 w-4" />
) : (
<ArrowUpDown className="ml-2 h-4 w-4" />
)}
</Button>
);
},
cell: ({ row }) => {
const lastSyncedAt = row.getValue('lastSyncedAt') as Date;
const formattedDate = formatDistanceToNow(new Date(lastSyncedAt), { addSuffix: true });
return (
<div className="whitespace-nowrap text-sm text-muted-foreground" title={new Date(lastSyncedAt).toLocaleString()}>
{formattedDate}
</div>
);
},
enableSorting: true,
enableResizing: true,
},
{
accessorKey: 'graphPolicyId',
header: 'Graph Policy ID',
cell: ({ row }) => {
const graphPolicyId = row.getValue('graphPolicyId') as string;
const truncated = graphPolicyId.length > 40 ? graphPolicyId.slice(0, 40) + '...' : graphPolicyId;
return (
<div className="max-w-[200px] truncate font-mono text-xs" title={graphPolicyId}>
{truncated}
</div>
);
},
enableSorting: false,
enableResizing: true,
},
];

125
components/policy-explorer/PolicyTablePagination.tsx
View File

@ -1,125 +0,0 @@
/**
* PolicyTablePagination
*
* Pagination controls for the Policy Explorer V2 data table.
*
* Features:
* - Previous/Next buttons
* - Page number display with jump-to-page
* - Page size selector (10, 25, 50, 100)
* - Total count display
* - Disabled states for first/last page
*/
'use client';
import { Button } from '@/components/ui/button';
import { ChevronLeft, ChevronRight, ChevronsLeft, ChevronsRight } from 'lucide-react';
import type { Table } from '@tanstack/react-table';
import type { PolicySettingRow } from '@/lib/types/policy-table';
interface PolicyTablePaginationProps {
table: Table<PolicySettingRow>;
totalCount: number;
pageCount: number;
currentPage: number;
}
export function PolicyTablePagination({
table,
totalCount,
pageCount,
currentPage,
}: PolicyTablePaginationProps) {
const pageSize = table.getState().pagination.pageSize;
const canPreviousPage = currentPage > 0;
const canNextPage = currentPage < pageCount - 1;
// Calculate display range
const startRow = currentPage * pageSize + 1;
const endRow = Math.min((currentPage + 1) * pageSize, totalCount);
return (
<div className="flex items-center justify-between px-2">
<div className="flex-1 text-sm text-muted-foreground">
{totalCount === 0 ? (
'No policy settings found'
) : (
<>
Showing {startRow} to {endRow} of {totalCount} settings
</>
)}
</div>
<div className="flex items-center space-x-6 lg:space-x-8">
{/* Page Size Selector */}
<div className="flex items-center space-x-2">
<p className="text-sm font-medium">Rows per page</p>
<select
value={pageSize}
onChange={(e) => table.setPageSize(Number(e.target.value))}
className="h-8 w-[70px] rounded-md border border-input bg-background px-3 py-1 text-sm ring-offset-background focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-ring focus-visible:ring-offset-2"
>
{[10, 25, 50, 100].map((size) => (
<option key={size} value={size}>
{size}
</option>
))}
</select>
</div>
{/* Page Number Display */}
<div className="flex w-[100px] items-center justify-center text-sm font-medium">
Page {currentPage + 1} of {pageCount}
</div>
{/* Navigation Buttons */}
<div className="flex items-center space-x-2">
{/* First Page */}
<Button
variant="outline"
className="hidden h-8 w-8 p-0 lg:flex"
onClick={() => table.setPageIndex(0)}
disabled={!canPreviousPage}
>
<span className="sr-only">Go to first page</span>
<ChevronsLeft className="h-4 w-4" />
</Button>
{/* Previous Page */}
<Button
variant="outline"
className="h-8 w-8 p-0"
onClick={() => table.previousPage()}
disabled={!canPreviousPage}
>
<span className="sr-only">Go to previous page</span>
<ChevronLeft className="h-4 w-4" />
</Button>
{/* Next Page */}
<Button
variant="outline"
className="h-8 w-8 p-0"
onClick={() => table.nextPage()}
disabled={!canNextPage}
>
<span className="sr-only">Go to next page</span>
<ChevronRight className="h-4 w-4" />
</Button>
{/* Last Page */}
<Button
variant="outline"
className="hidden h-8 w-8 p-0 lg:flex"
onClick={() => table.setPageIndex(pageCount - 1)}
disabled={!canNextPage}
>
<span className="sr-only">Go to last page</span>
<ChevronsRight className="h-4 w-4" />
</Button>
</div>
</div>
</div>
);
}

149
components/policy-explorer/PolicyTableToolbar.tsx
View File

@ -1,149 +0,0 @@
/**
* PolicyTableToolbar
*
* Toolbar above the data table with:
* - Column visibility menu
* - Density mode toggle (compact/comfortable)
* - Export button (added later in Phase 5)
* - Filter controls (added later in Phase 4)
*/
'use client';
import { Button } from '@/components/ui/button';
import { ColumnVisibilityMenu } from './ColumnVisibilityMenu';
import { PolicyTypeFilter } from './PolicyTypeFilter';
import { ExportButton } from './ExportButton';
import { LayoutList, LayoutGrid, X } from 'lucide-react';
import { Badge } from '@/components/ui/badge';
import type { Table } from '@tanstack/react-table';
import type { PolicySettingRow } from '@/lib/types/policy-table';
interface PolicyTableToolbarProps {
table: Table<PolicySettingRow>;
density: 'compact' | 'comfortable';
onDensityChange: (density: 'compact' | 'comfortable') => void;
// Filter props
selectedPolicyTypes: string[];
onSelectedPolicyTypesChange: (types: string[]) => void;
searchQuery: string;
onSearchQueryChange: (query: string) => void;
// Export props
selectedRows: PolicySettingRow[];
selectedCount: number;
totalCount: number;
sortBy?: string;
sortDir?: 'asc' | 'desc';
}
export function PolicyTableToolbar({
table,
density,
onDensityChange,
selectedPolicyTypes,
onSelectedPolicyTypesChange,
searchQuery,
onSearchQueryChange,
selectedRows,
selectedCount,
totalCount,
sortBy,
sortDir,
}: PolicyTableToolbarProps) {
const hasActiveFilters = selectedPolicyTypes.length > 0 || searchQuery.length > 0;
const handleClearFilters = () => {
onSelectedPolicyTypesChange([]);
onSearchQueryChange('');
};
return (
<div className="flex items-center justify-between">
<div className="flex flex-1 items-center space-x-2">
{/* Policy Type Filter */}
<PolicyTypeFilter
selectedTypes={selectedPolicyTypes}
onSelectedTypesChange={onSelectedPolicyTypesChange}
/>
{/* Active Filter Badges */}
{selectedPolicyTypes.length > 0 && (
<div className="flex items-center gap-1">
{selectedPolicyTypes.slice(0, 2).map((type) => (
<Badge
key={type}
variant="secondary"
className="h-6 px-2 text-xs"
>
{type}
<button
onClick={() =>
onSelectedPolicyTypesChange(
selectedPolicyTypes.filter((t) => t !== type)
)
}
className="ml-1 hover:text-destructive"
>
<X className="h-3 w-3" />
</button>
</Badge>
))}
{selectedPolicyTypes.length > 2 && (
<Badge variant="secondary" className="h-6 px-2 text-xs">
+{selectedPolicyTypes.length - 2} more
</Badge>
)}
</div>
)}
{/* Clear All Filters Button */}
{hasActiveFilters && (
<Button
variant="ghost"
size="sm"
onClick={handleClearFilters}
className="h-8 px-2 lg:px-3"
>
Clear filters
</Button>
)}
</div>
<div className="flex items-center space-x-2">
{/* Density Toggle */}
<Button
variant="outline"
size="sm"
className="h-8"
onClick={() => onDensityChange(density === 'compact' ? 'comfortable' : 'compact')}
>
{density === 'compact' ? (
<>
<LayoutGrid className="mr-2 h-4 w-4" />
Comfortable
</>
) : (
<>
<LayoutList className="mr-2 h-4 w-4" />
Compact
</>
)}
</Button>
{/* Column Visibility Menu */}
<ColumnVisibilityMenu table={table} />
{/* Export Button */}
<ExportButton
selectedRows={selectedRows}
selectedCount={selectedCount}
totalCount={totalCount}
policyTypes={selectedPolicyTypes}
searchQuery={searchQuery}
sortBy={sortBy}
sortDir={sortDir}
/>
</div>
</div>
);
}

128
components/policy-explorer/PolicyTableV2.tsx
View File

@ -1,128 +0,0 @@
/**
* PolicyTableV2
*
* Main data table component for Policy Explorer V2.
* Integrates TanStack Table with shadcn UI Table primitives.
*
* Features:
* - Server-side pagination via TanStack Table manual mode
* - Column sorting with visual indicators
* - Column resizing with drag handles
* - Sticky header (CSS position: sticky)
* - Row selection for CSV export
* - Density modes (compact/comfortable)
*/
'use client';
import {
Table,
TableBody,
TableCell,
TableHead,
TableHeader,
TableRow,
} from '@/components/ui/table';
import { flexRender } from '@tanstack/react-table';
import type { Table as TanStackTable } from '@tanstack/react-table';
import type { PolicySettingRow } from '@/lib/types/policy-table';
import { cn } from '@/lib/utils';
interface PolicyTableV2Props {
table: TanStackTable<PolicySettingRow>;
density: 'compact' | 'comfortable';
isLoading?: boolean;
}
export function PolicyTableV2({ table, density, isLoading = false }: PolicyTableV2Props) {
const rowHeight = density === 'compact' ? 'h-10' : 'h-14';
return (
<div className="relative rounded-md border">
<div className="overflow-auto max-h-[calc(100vh-300px)]">
<Table>
<TableHeader className="sticky top-0 z-10 bg-background">
{table.getHeaderGroups().map((headerGroup) => (
<TableRow key={headerGroup.id}>
{headerGroup.headers.map((header) => {
return (
<TableHead
key={header.id}
style={{
width: header.getSize() !== 150 ? header.getSize() : undefined,
}}
className="relative"
>
{header.isPlaceholder
? null
: flexRender(
header.column.columnDef.header,
header.getContext()
)}
{/* Column Resize Handle */}
{header.column.getCanResize() && (
<div
onMouseDown={header.getResizeHandler()}
onTouchStart={header.getResizeHandler()}
className={cn(
'absolute right-0 top-0 h-full w-1 cursor-col-resize select-none touch-none',
'hover:bg-primary',
header.column.getIsResizing() && 'bg-primary'
)}
/>
)}
</TableHead>
);
})}
</TableRow>
))}
</TableHeader>
<TableBody>
{isLoading ? (
<TableRow>
<TableCell
colSpan={table.getAllColumns().length}
className="h-24 text-center"
>
Loading...
</TableCell>
</TableRow>
) : table.getRowModel().rows?.length ? (
table.getRowModel().rows.map((row) => (
<TableRow
key={row.id}
data-state={row.getIsSelected() && 'selected'}
className={cn(rowHeight)}
>
{row.getVisibleCells().map((cell) => (
<TableCell
key={cell.id}
style={{
width: cell.column.getSize() !== 150 ? cell.column.getSize() : undefined,
}}
>
{flexRender(
cell.column.columnDef.cell,
cell.getContext()
)}
</TableCell>
))}
</TableRow>
))
) : (
<TableRow>
<TableCell
colSpan={table.getAllColumns().length}
className="h-24 text-center"
>
No results found.
</TableCell>
</TableRow>
)}
</TableBody>
</Table>
</div>
</div>
);
}

20
components/policy-explorer/PolicyTypeBadge.tsx
View File

@ -1,20 +0,0 @@
import { Badge } from "@/components/ui/badge";
import { getPolicyBadgeConfig } from "@/lib/utils/policyBadges";
interface PolicyTypeBadgeProps {
type: string;
}
/**
* Badge component for displaying policy types with consistent styling
* Maps Intune policy types to user-friendly labels and colors
*/
export function PolicyTypeBadge({ type }: PolicyTypeBadgeProps) {
const { variant, label } = getPolicyBadgeConfig(type);
return (
<Badge variant={variant}>
{label}
</Badge>
);
}

125
components/policy-explorer/PolicyTypeFilter.tsx
View File

@ -1,125 +0,0 @@
/**
* PolicyTypeFilter Component
*
* Multi-select checkbox dropdown for filtering by policy types.
*
* Features:
* - Checkbox list of all available policy types
* - "Select All" / "Clear All" actions
* - Active filter count badge
* - Syncs with URL state via useURLState hook
*/
'use client';
import { useState } from 'react';
import { Button } from '@/components/ui/button';
import {
DropdownMenu,
DropdownMenuCheckboxItem,
DropdownMenuContent,
DropdownMenuLabel,
DropdownMenuSeparator,
DropdownMenuTrigger,
} from '@/components/ui/dropdown-menu';
import { Badge } from '@/components/ui/badge';
import { Filter } from 'lucide-react';
// Common Intune policy types
const POLICY_TYPES = [
{ value: 'deviceConfiguration', label: 'Device Configuration' },
{ value: 'compliancePolicy', label: 'Compliance Policy' },
{ value: 'deviceManagementScript', label: 'Device Management Script' },
{ value: 'windowsUpdateForBusiness', label: 'Windows Update for Business' },
{ value: 'iosUpdateConfiguration', label: 'iOS Update Configuration' },
{ value: 'macOSExtensionsConfiguration', label: 'macOS Extensions' },
{ value: 'settingsCatalog', label: 'Settings Catalog' },
{ value: 'endpointProtection', label: 'Endpoint Protection' },
] as const;
interface PolicyTypeFilterProps {
selectedTypes: string[];
onSelectedTypesChange: (types: string[]) => void;
}
export function PolicyTypeFilter({
selectedTypes,
onSelectedTypesChange,
}: PolicyTypeFilterProps) {
const [open, setOpen] = useState(false);
const handleSelectAll = () => {
onSelectedTypesChange(POLICY_TYPES.map(t => t.value));
};
const handleClearAll = () => {
onSelectedTypesChange([]);
};
const handleToggleType = (type: string) => {
if (selectedTypes.includes(type)) {
onSelectedTypesChange(selectedTypes.filter(t => t !== type));
} else {
onSelectedTypesChange([...selectedTypes, type]);
}
};
const activeCount = selectedTypes.length;
const allSelected = activeCount === POLICY_TYPES.length;
const noneSelected = activeCount === 0;
return (
<DropdownMenu open={open} onOpenChange={setOpen}>
<DropdownMenuTrigger asChild>
<Button variant="outline" size="sm" className="h-8">
<Filter className="mr-2 h-4 w-4" />
Policy Type
{activeCount > 0 && (
<Badge variant="secondary" className="ml-2 h-5 px-1.5">
{activeCount}
</Badge>
)}
</Button>
</DropdownMenuTrigger>
<DropdownMenuContent align="start" className="w-[250px]">
<DropdownMenuLabel>Filter by Policy Type</DropdownMenuLabel>
<DropdownMenuSeparator />
{/* Quick Actions */}
<div className="flex items-center justify-between px-2 py-1.5">
<Button
variant="ghost"
size="sm"
onClick={handleSelectAll}
disabled={allSelected}
className="h-7 text-xs"
>
Select All
</Button>
<Button
variant="ghost"
size="sm"
onClick={handleClearAll}
disabled={noneSelected}
className="h-7 text-xs"
>
Clear All
</Button>
</div>
<DropdownMenuSeparator />
{/* Policy Type Checkboxes */}
{POLICY_TYPES.map((type) => (
<DropdownMenuCheckboxItem
key={type.value}
checked={selectedTypes.includes(type.value)}
onCheckedChange={() => handleToggleType(type.value)}
>
{type.label}
</DropdownMenuCheckboxItem>
))}
</DropdownMenuContent>
</DropdownMenu>
);
}

2
components/search/EmptyState.tsx
View File

@ -17,7 +17,7 @@ export function EmptyState({ searchTerm }: EmptyStateProps) {
</p>
) : (
<p className="text-muted-foreground">
No policy settings available. Trigger a sync to import policies from Intune.
Enter a search term to find policy settings
</p>
)}
</div>

5
components/search/SearchInput.tsx
View File

@ -2,7 +2,7 @@
import { Input } from '@/components/ui/input';
import { Search, Loader2 } from 'lucide-react';
import { useState, useEffect, useCallback } from 'react';
import { useState, useEffect } from 'react';
import { useDebounce } from 'use-debounce';
interface SearchInputProps {
@ -22,8 +22,7 @@ export function SearchInput({ onSearch, isSearching = false }: SearchInputProps)
if (debouncedQuery.length >= 2 || debouncedQuery.length === 0) {
onSearch(debouncedQuery);
}
// eslint-disable-next-line react-hooks/exhaustive-deps
}, [debouncedQuery]); // Only depend on debouncedQuery, not onSearch
}, [debouncedQuery, onSearch]);
return (
<div className="relative w-full max-w-2xl">

57
components/search/SyncButton.tsx
View File

@ -1,57 +0,0 @@
'use client';
import { useState, useTransition } from 'react';
import { Button } from '@/components/ui/button';
import { RefreshCw } from 'lucide-react';
import { triggerPolicySync } from '@/lib/actions/policySettings';
import { toast } from 'sonner';
export function SyncButton() {
const [isPending, startTransition] = useTransition();
const [lastJobId, setLastJobId] = useState<string | null>(null);
const handleSync = () => {
startTransition(async () => {
try {
const result = await triggerPolicySync();
if (result.success && result.jobId) {
setLastJobId(result.jobId);
toast.success(result.message ?? `Sync queued (Job #${result.jobId})`);
} else {
toast.error(result.error ?? 'Failed to trigger sync');
}
} catch (error) {
toast.error('An unexpected error occurred');
}
});
};
return (
<div className="flex items-center gap-2">
<Button
onClick={handleSync}
disabled={isPending}
variant="default"
size="default"
>
{isPending ? (
<>
<RefreshCw className="mr-2 h-4 w-4 animate-spin" />
Queuing...
</>
) : (
<>
<RefreshCw className="mr-2 h-4 w-4" />
Sync Policies
</>
)}
</Button>
{lastJobId && (
<span className="text-sm text-muted-foreground">
Last job: #{lastJobId}
</span>
)}
</div>
);
}

36
components/ui/badge.tsx
View File

@ -1,36 +0,0 @@
import * as React from "react"
import { cva, type VariantProps } from "class-variance-authority"
import { cn } from "@/lib/utils"
const badgeVariants = cva(
"inline-flex items-center rounded-full border px-2.5 py-0.5 text-xs font-semibold transition-colors focus:outline-none focus:ring-2 focus:ring-ring focus:ring-offset-2",
{
variants: {
variant: {
default:
"border-transparent bg-primary text-primary-foreground hover:bg-primary/80",
secondary:
"border-transparent bg-secondary text-secondary-foreground hover:bg-secondary/80",
destructive:
"border-transparent bg-destructive text-destructive-foreground hover:bg-destructive/80",
outline: "text-foreground",
},
},
defaultVariants: {
variant: "default",
},
}
)
export interface BadgeProps
extends React.HTMLAttributes<HTMLDivElement>,
VariantProps<typeof badgeVariants> {}
function Badge({ className, variant, ...props }: BadgeProps) {
return (
<div className={cn(badgeVariants({ variant }), className)} {...props} />
)
}
export { Badge, badgeVariants }

140
components/ui/sheet.tsx
View File

@ -1,140 +0,0 @@
"use client"
import * as React from "react"
import * as SheetPrimitive from "@radix-ui/react-dialog"
import { cva, type VariantProps } from "class-variance-authority"
import { X } from "lucide-react"
import { cn } from "@/lib/utils"
const Sheet = SheetPrimitive.Root
const SheetTrigger = SheetPrimitive.Trigger
const SheetClose = SheetPrimitive.Close
const SheetPortal = SheetPrimitive.Portal
const SheetOverlay = React.forwardRef<
React.ElementRef<typeof SheetPrimitive.Overlay>,
React.ComponentPropsWithoutRef<typeof SheetPrimitive.Overlay>
>(({ className, ...props }, ref) => (
<SheetPrimitive.Overlay
className={cn(
"fixed inset-0 z-50 bg-black/80 data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0",
className
)}
{...props}
ref={ref}
/>
))
SheetOverlay.displayName = SheetPrimitive.Overlay.displayName
const sheetVariants = cva(
"fixed z-50 gap-4 bg-background p-6 shadow-lg transition ease-in-out data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:duration-300 data-[state=open]:duration-500",
{
variants: {
side: {
top: "inset-x-0 top-0 border-b data-[state=closed]:slide-out-to-top data-[state=open]:slide-in-from-top",
bottom:
"inset-x-0 bottom-0 border-t data-[state=closed]:slide-out-to-bottom data-[state=open]:slide-in-from-bottom",
left: "inset-y-0 left-0 h-full w-3/4 border-r data-[state=closed]:slide-out-to-left data-[state=open]:slide-in-from-left sm:max-w-sm",
right:
"inset-y-0 right-0 h-full w-3/4 border-l data-[state=closed]:slide-out-to-right data-[state=open]:slide-in-from-right sm:max-w-sm",
},
},
defaultVariants: {
side: "right",
},
}
)
interface SheetContentProps
extends React.ComponentPropsWithoutRef<typeof SheetPrimitive.Content>,
VariantProps<typeof sheetVariants> {}
const SheetContent = React.forwardRef<
React.ElementRef<typeof SheetPrimitive.Content>,
SheetContentProps
>(({ side = "right", className, children, ...props }, ref) => (
<SheetPortal>
<SheetOverlay />
<SheetPrimitive.Content
ref={ref}
className={cn(sheetVariants({ side }), className)}
{...props}
>
{children}
<SheetPrimitive.Close className="absolute right-4 top-4 rounded-sm opacity-70 ring-offset-background transition-opacity hover:opacity-100 focus:outline-none focus:ring-2 focus:ring-ring focus:ring-offset-2 disabled:pointer-events-none data-[state=open]:bg-secondary">
<X className="h-4 w-4" />
<span className="sr-only">Close</span>
</SheetPrimitive.Close>
</SheetPrimitive.Content>
</SheetPortal>
))
SheetContent.displayName = SheetPrimitive.Content.displayName
const SheetHeader = ({
className,
...props
}: React.HTMLAttributes<HTMLDivElement>) => (
<div
className={cn(
"flex flex-col space-y-2 text-center sm:text-left",
className
)}
{...props}
/>
)
SheetHeader.displayName = "SheetHeader"
const SheetFooter = ({
className,
...props
}: React.HTMLAttributes<HTMLDivElement>) => (
<div
className={cn(
"flex flex-col-reverse sm:flex-row sm:justify-end sm:space-x-2",
className
)}
{...props}
/>
)
SheetFooter.displayName = "SheetFooter"
const SheetTitle = React.forwardRef<
React.ElementRef<typeof SheetPrimitive.Title>,
React.ComponentPropsWithoutRef<typeof SheetPrimitive.Title>
>(({ className, ...props }, ref) => (
<SheetPrimitive.Title
ref={ref}
className={cn("text-lg font-semibold text-foreground", className)}
{...props}
/>
))
SheetTitle.displayName = SheetPrimitive.Title.displayName
const SheetDescription = React.forwardRef<
React.ElementRef<typeof SheetPrimitive.Description>,
React.ComponentPropsWithoutRef<typeof SheetPrimitive.Description>
>(({ className, ...props }, ref) => (
<SheetPrimitive.Description
ref={ref}
className={cn("text-sm text-muted-foreground", className)}
{...props}
/>
))
SheetDescription.displayName = SheetPrimitive.Description.displayName
export {
Sheet,
SheetPortal,
SheetOverlay,
SheetTrigger,
SheetClose,
SheetContent,
SheetHeader,
SheetFooter,
SheetTitle,
SheetDescription,
}

4
config/nav.ts
View File

@ -1,5 +1,5 @@
import { SidebarLink } from "@/components/SidebarItems";
import { Cog, Globe, User, HomeIcon, Search, Database } from "lucide-react";
import { Cog, Globe, User, HomeIcon, Search } from "lucide-react";
type AdditionalLinks = {
title: string;
@ -8,7 +8,7 @@ type AdditionalLinks = {
export const defaultLinks: SidebarLink[] = [
{ href: "/dashboard", title: "Home", icon: HomeIcon },
{ href: "/search", title: "Policy Explorer", icon: Search },
{ href: "/search", title: "Search", icon: Search },
{ href: "/account", title: "Account", icon: User },
{ href: "/settings", title: "Settings", icon: Cog },
];

42
debug-db.ts
View File

@ -1,42 +0,0 @@
import { Client } from 'pg';
const client = new Client({
connectionString: 'postgresql://postgres:JsdPCZiC1C56Sz@localhost:5433/postgres',
ssl: false
});
async function test() {
try {
console.log('Connecting to database...');
await client.connect();
console.log('Connected successfully!');
console.log('Listing tables in public schema...');
const res = await client.query(`
SELECT table_name
FROM information_schema.tables
WHERE table_schema = 'public'
ORDER BY table_name;
`);
if (res.rows.length === 0) {
console.log('No tables found in public schema!');
} else {
console.log('Tables found:');
res.rows.forEach(row => console.log(`- ${row.table_name}`));
}
// Check user count if user table exists
if (res.rows.find(r => r.table_name === 'user')) {
const userCount = await client.query('SELECT count(*) FROM "user"');
console.log(`User count: ${userCount.rows[0].count}`);
}
} catch (err) {
console.error('Connection error:', err);
} finally {
await client.end();
}
}
test();

1084
docs/architecture/intune-migration-guide.md
View File

File diff suppressed because it is too large Load Diff

34
docs/architecture/intune-reference-version.md
View File

@ -1,34 +0,0 @@
# PowerShell Reference Version
**Purpose**: Track the version of the IntuneManagement PowerShell reference used for reverse engineering
**Location**: `reference/IntuneManagement-master/`
## Current Version
- **Commit**: `2eaf3257704854d44a3e5bc92817d8ee50d0288a`
- **Date**: 2025-12-09 21:56:38 +0100
- **Latest Change**: "Use Graph beta for beta-only endpoints"
- **Source**: [IntuneManagement by Mikael Karlsson](https://github.com/Micke-K/IntuneManagement)
## Version History
| Date | Commit | Description | Updated By |
|------|--------|-------------|------------|
| 2025-12-09 | 2eaf3257 | Use Graph beta for beta-only endpoints | Initial snapshot |
## Update Process
When updating the PowerShell reference:
1. Pull latest changes from upstream repository
2. Test critical sync jobs against new version
3. Document any breaking changes or new patterns discovered
4. Update this file with new commit hash and date
5. Review `docs/architecture/intune-migration-guide.md` for necessary updates
## Notes
- This reference is the **source of truth** for Graph API implementation patterns
- Always check this version when troubleshooting discrepancies
- When implementing new features, ensure you're referencing the correct commit

2
drizzle.config.ts
View File

@ -6,6 +6,6 @@ export default {
dialect: "postgresql",
out: "./lib/db/migrations",
dbCredentials: {
url: env.DATABASE_URL ?? "",
url: env.DATABASE_URL,
}
} satisfies Config;

43
fix-constraint.ts
View File

@ -1,43 +0,0 @@
import { drizzle } from 'drizzle-orm/node-postgres';
import { Pool } from 'pg';
import { sql } from 'drizzle-orm';
async function fixConstraint() {
const dbUrl = process.env.DATABASE_URL || 'postgres://postgres:postgres@localhost:5432/tenantpilot';
console.log('🔌 Connecting to:', dbUrl.replace(/:[^:@]+@/, ':****@'));
const pool = new Pool({ connectionString: dbUrl });
const db = drizzle(pool);
try {
console.log('⏳ Removing duplicate rows...');
await db.execute(sql`
DELETE FROM policy_settings a
USING policy_settings b
WHERE a.id > b.id
AND a.tenant_id = b.tenant_id
AND a.graph_policy_id = b.graph_policy_id
AND a.setting_name = b.setting_name
`);
console.log('⏳ Dropping old index...');
await db.execute(sql`DROP INDEX IF EXISTS policy_settings_upsert_idx`);
console.log('⏳ Adding unique constraint...');
await db.execute(sql`
ALTER TABLE policy_settings
ADD CONSTRAINT policy_settings_upsert_unique
UNIQUE(tenant_id, graph_policy_id, setting_name)
`);
console.log('✅ Constraint added successfully!');
await pool.end();
process.exit(0);
} catch (error) {
console.error('❌ Failed:', error);
await pool.end();
process.exit(1);
}
}
fixConstraint();

411
lib/actions/policySettings.ts
View File

@ -2,18 +2,7 @@
import { db, policySettings, type PolicySetting } from '@/lib/db';
import { getUserAuth } from '@/lib/auth/utils';
import { eq, ilike, or, desc, asc, and, ne, isNotNull, inArray, count, sql } from 'drizzle-orm';
import { env } from '@/lib/env.mjs';
import { syncQueue } from '@/lib/queue/syncQueue';
import { z } from 'zod';
import type {
GetPolicySettingsParams,
GetPolicySettingsResult,
ExportPolicySettingsParams,
ExportPolicySettingsResult,
PaginationMeta,
PolicySettingRow,
} from '@/lib/types/policy-table';
import { eq, ilike, or, desc, and } from 'drizzle-orm';
export interface PolicySettingSearchResult {
id: string;
@ -43,13 +32,6 @@ export interface RecentSettingsResult {
error?: string;
}
export interface AllSettingsResult {
success: boolean;
data?: PolicySettingSearchResult[];
error?: string;
totalCount?: number;
}
/**
* Search policy settings by keyword across settingName and settingValue
*
@ -59,12 +41,10 @@ export interface AllSettingsResult {
* 3. Including explicit WHERE tenantId = ? in ALL queries
*
* @param searchTerm - Search query (min 2 characters)
* @param limit - Maximum number of results (default 100, max 200)
* @returns Search results filtered by user's tenant
*/
export async function searchPolicySettings(
searchTerm: string,
limit: number = 100
searchTerm: string
): Promise<SearchResult> {
try {
const { session } = await getUserAuth();
@ -88,10 +68,7 @@ export async function searchPolicySettings(
const sanitizedSearchTerm = searchTerm.slice(0, 200);
const searchPattern = `%${sanitizedSearchTerm}%`;
// Enforce maximum limit
const safeLimit = Math.min(Math.max(1, limit), 200);
// Explicit WHERE clause filters by tenantId FIRST for security + null filtering
// T017: Explicit WHERE clause filters by tenantId FIRST for security
const results = await db
.select({
id: policySettings.id,
@ -105,9 +82,6 @@ export async function searchPolicySettings(
.where(
and(
eq(policySettings.tenantId, tenantId), // CRITICAL: Tenant isolation
ne(policySettings.settingValue, 'null'), // Filter out string "null"
ne(policySettings.settingValue, ''), // Filter out empty strings
isNotNull(policySettings.settingValue), // Filter out NULL values
or(
ilike(policySettings.settingName, searchPattern),
ilike(policySettings.settingValue, searchPattern)
@ -115,7 +89,7 @@ export async function searchPolicySettings(
)
)
.orderBy(policySettings.settingName)
.limit(safeLimit);
.limit(100);
return {
success: true,
@ -184,11 +158,11 @@ export async function getPolicySettingById(
*
* **Security**: Enforces tenant isolation with explicit WHERE tenantId filter
*
* @param limit - Maximum number of results (1-100, default 50)
* @param limit - Maximum number of results (1-100, default 20)
* @returns Recent policy settings for user's tenant
*/
export async function getRecentPolicySettings(
limit: number = 50
limit: number = 20
): Promise<RecentSettingsResult> {
try {
const { session } = await getUserAuth();
@ -232,53 +206,6 @@ export async function getRecentPolicySettings(
}
}
/**
* Get all policy settings for the current user's tenant
*
* **Security**: Enforces tenant isolation with explicit WHERE tenantId filter
*
* @returns All policy settings for user's tenant
*/
export async function getAllPolicySettings(): Promise<AllSettingsResult> {
try {
const { session } = await getUserAuth();
// T017: Explicit security check
if (!session?.user) {
return { success: false, error: 'Unauthorized' };
}
// T017: Explicit security check
const tenantId = session.user.tenantId;
if (!tenantId) {
return { success: false, error: 'Tenant not found' };
}
// T017: Query filtered by tenantId for security
const results = await db
.select({
id: policySettings.id,
policyName: policySettings.policyName,
policyType: policySettings.policyType,
settingName: policySettings.settingName,
settingValue: policySettings.settingValue,
lastSyncedAt: policySettings.lastSyncedAt,
})
.from(policySettings)
.where(eq(policySettings.tenantId, tenantId)) // CRITICAL: Tenant isolation
.orderBy(desc(policySettings.lastSyncedAt));
return {
success: true,
data: results,
totalCount: results.length,
};
} catch (error) {
console.error('Get all settings failed:', error);
return { success: false, error: 'Failed to fetch settings' };
}
}
/**
* TEMPORARY: Seed test data for the current user's tenant
* This is a development helper to populate realistic policy settings
@ -361,329 +288,3 @@ export async function seedMyTenantData(): Promise<{
return { success: false, error: 'Failed to seed data' };
}
}
/**
* Trigger manual policy sync via BullMQ worker
*
* **Security**: This function enforces tenant isolation by:
* 1. Validating user session via getUserAuth()
* 2. Extracting tenantId from session
* 3. Enqueuing a job with only the authenticated user's tenantId
*
* @returns Success/error result with job ID
*/
export async function triggerPolicySync(): Promise<{ success: boolean; message?: string; error?: string; jobId?: string }> {
try {
const { session } = await getUserAuth();
if (!session?.user) {
return { success: false, error: 'Not authenticated' };
}
const tenantId = session.user.tenantId;
if (!tenantId) {
return { success: false, error: 'No tenant ID found in session' };
}
// Enqueue sync job to BullMQ
const job = await syncQueue.add('sync-tenant', {
tenantId,
source: 'manual_trigger',
triggeredAt: new Date().toISOString(),
triggeredBy: session.user.email || session.user.id,
});
return {
success: true,
message: `Policy sync queued successfully (Job #${job.id})`,
jobId: job.id,
};
} catch (error) {
console.error('Failed to trigger policy sync:', error);
return {
success: false,
error: 'Failed to queue sync job. Please try again later.',
};
}
}
/**
* ========================================
* POLICY EXPLORER V2 - Advanced Data Table Server Actions
* ========================================
*/
/**
* Zod schema for getPolicySettings input validation
*/
const GetPolicySettingsSchema = z.object({
page: z.number().int().min(0).default(0),
pageSize: z.union([z.literal(10), z.literal(25), z.literal(50), z.literal(100)]).default(50),
sortBy: z.enum(['settingName', 'policyName', 'policyType', 'lastSyncedAt']).optional(),
sortDir: z.enum(['asc', 'desc']).default('asc'),
policyTypes: z.array(z.string()).optional(),
searchQuery: z.string().optional(),
});
/**
* Get policy settings with pagination, sorting, and filtering
*
* **Security**: Enforces tenant isolation with explicit WHERE tenantId filter
* **Performance**: Uses composite index on (tenantId, policyType, settingName)
*
* @param params - Pagination, sorting, and filtering parameters
* @returns Paginated policy settings with metadata
*/
export async function getPolicySettingsV2(
params: GetPolicySettingsParams
): Promise<GetPolicySettingsResult> {
try {
const { session } = await getUserAuth();
// Security check: Require authenticated session
if (!session?.user) {
return { success: false, error: 'Unauthorized' };
}
// Security check: Require tenantId
const tenantId = session.user.tenantId;
if (!tenantId) {
return { success: false, error: 'Tenant not found' };
}
// Validate input parameters
const validatedParams = GetPolicySettingsSchema.parse(params);
const { page, pageSize, sortBy, sortDir, policyTypes, searchQuery } = validatedParams;
// Build WHERE clause with tenant isolation
const whereConditions = [
eq(policySettings.tenantId, tenantId), // CRITICAL: Tenant isolation
ne(policySettings.settingValue, 'null'), // Filter out string "null"
ne(policySettings.settingValue, ''), // Filter out empty strings
isNotNull(policySettings.settingValue), // Filter out NULL values
];
// Add policy type filter if provided
if (policyTypes && policyTypes.length > 0) {
whereConditions.push(inArray(policySettings.policyType, policyTypes));
}
// Add search query filter if provided
if (searchQuery && searchQuery.trim().length >= 2) {
const searchPattern = `%${searchQuery.trim().slice(0, 200)}%`;
whereConditions.push(
or(
ilike(policySettings.settingName, searchPattern),
ilike(policySettings.settingValue, searchPattern),
ilike(policySettings.policyName, searchPattern)
)!
);
}
// Build ORDER BY clause
const orderByColumn = sortBy
? policySettings[sortBy as keyof typeof policySettings]
: policySettings.settingName;
const orderByDirection = sortDir === 'desc' ? desc : asc;
// Execute count query for pagination metadata
const [{ totalCount }] = await db
.select({ totalCount: count() })
.from(policySettings)
.where(and(...whereConditions));
// Calculate pagination metadata
const pageCount = Math.ceil(totalCount / pageSize);
const hasNextPage = page < pageCount - 1;
const hasPreviousPage = page > 0;
// Execute data query with pagination
const data = await db
.select({
id: policySettings.id,
tenantId: policySettings.tenantId,
policyName: policySettings.policyName,
policyType: policySettings.policyType,
settingName: policySettings.settingName,
settingValue: policySettings.settingValue,
graphPolicyId: policySettings.graphPolicyId,
lastSyncedAt: policySettings.lastSyncedAt,
createdAt: policySettings.createdAt,
})
.from(policySettings)
.where(and(...whereConditions))
.orderBy(orderByDirection(orderByColumn as any))
.limit(pageSize)
.offset(page * pageSize);
const meta: PaginationMeta = {
totalCount,
pageCount,
currentPage: page,
pageSize,
hasNextPage,
hasPreviousPage,
};
return {
success: true,
data: data as PolicySettingRow[],
meta,
};
} catch (error) {
console.error('getPolicySettingsV2 failed:', error);
if (error instanceof z.ZodError) {
return { success: false, error: 'Invalid parameters: ' + error.issues.map((e) => e.message).join(', ') };
}
return { success: false, error: 'Failed to fetch policy settings' };
}
}
/**
* Zod schema for exportPolicySettingsCSV input validation
*/
const ExportPolicySettingsSchema = z.object({
policyTypes: z.array(z.string()).optional(),
searchQuery: z.string().optional(),
sortBy: z.enum(['settingName', 'policyName', 'policyType', 'lastSyncedAt']).optional(),
sortDir: z.enum(['asc', 'desc']).default('asc'),
maxRows: z.number().int().min(1).max(5000).default(5000),
});
/**
* Helper function to escape CSV values
* Handles commas, quotes, and newlines according to RFC 4180
*/
function escapeCsvValue(value: string): string {
// If value contains comma, quote, or newline, wrap in quotes and escape internal quotes
if (value.includes(',') || value.includes('"') || value.includes('\n') || value.includes('\r')) {
return `"${value.replace(/"/g, '""')}"`;
}
return value;
}
/**
* Export policy settings as CSV (server-side, max 5000 rows)
*
* **Security**: Enforces tenant isolation with explicit WHERE tenantId filter
* **Performance**: Limits export to 5000 rows to prevent memory issues
*
* @param params - Filtering and sorting parameters
* @returns CSV content as string with filename
*/
export async function exportPolicySettingsCSV(
params: ExportPolicySettingsParams = {}
): Promise<ExportPolicySettingsResult> {
try {
const { session } = await getUserAuth();
// Security check: Require authenticated session
if (!session?.user) {
return { success: false, error: 'Unauthorized' };
}
// Security check: Require tenantId
const tenantId = session.user.tenantId;
if (!tenantId) {
return { success: false, error: 'Tenant not found' };
}
// Validate input parameters
const validatedParams = ExportPolicySettingsSchema.parse(params);
const { policyTypes, searchQuery, sortBy, sortDir, maxRows } = validatedParams;
// Build WHERE clause with tenant isolation
const whereConditions = [
eq(policySettings.tenantId, tenantId), // CRITICAL: Tenant isolation
ne(policySettings.settingValue, 'null'),
ne(policySettings.settingValue, ''),
isNotNull(policySettings.settingValue),
];
// Add policy type filter if provided
if (policyTypes && policyTypes.length > 0) {
whereConditions.push(inArray(policySettings.policyType, policyTypes));
}
// Add search query filter if provided
if (searchQuery && searchQuery.trim().length >= 2) {
const searchPattern = `%${searchQuery.trim().slice(0, 200)}%`;
whereConditions.push(
or(
ilike(policySettings.settingName, searchPattern),
ilike(policySettings.settingValue, searchPattern),
ilike(policySettings.policyName, searchPattern)
)!
);
}
// Build ORDER BY clause
const orderByColumn = sortBy
? policySettings[sortBy as keyof typeof policySettings]
: policySettings.settingName;
const orderByDirection = sortDir === 'desc' ? desc : asc;
// Fetch data (limited to maxRows)
const data = await db
.select({
id: policySettings.id,
policyName: policySettings.policyName,
policyType: policySettings.policyType,
settingName: policySettings.settingName,
settingValue: policySettings.settingValue,
graphPolicyId: policySettings.graphPolicyId,
lastSyncedAt: policySettings.lastSyncedAt,
})
.from(policySettings)
.where(and(...whereConditions))
.orderBy(orderByDirection(orderByColumn as any))
.limit(maxRows);
// Generate CSV content
// Add UTF-8 BOM for Excel compatibility
const BOM = '\uFEFF';
// CSV header
const headers = [
'Policy Name',
'Policy Type',
'Setting Name',
'Setting Value',
'Graph Policy ID',
'Last Synced At',
];
const headerRow = headers.map(h => escapeCsvValue(h)).join(',');
// CSV rows
const dataRows = data.map(row => {
return [
escapeCsvValue(row.policyName),
escapeCsvValue(row.policyType),
escapeCsvValue(row.settingName),
escapeCsvValue(row.settingValue),
escapeCsvValue(row.graphPolicyId),
escapeCsvValue(row.lastSyncedAt.toISOString()),
].join(',');
});
const csv = BOM + headerRow + '\n' + dataRows.join('\n');
// Generate filename with timestamp
const timestamp = new Date().toISOString().slice(0, 10); // YYYY-MM-DD
const filename = `policy-settings-${timestamp}.csv`;
return {
success: true,
csv,
filename,
rowCount: data.length,
};
} catch (error) {
console.error('exportPolicySettingsCSV failed:', error);
if (error instanceof z.ZodError) {
return { success: false, error: 'Invalid parameters: ' + error.issues.map((e) => e.message).join(', ') };
}
return { success: false, error: 'Failed to export policy settings' };
}
}

34
lib/auth/utils.ts
View File

@ -1,11 +1,9 @@
import { db } from "@/lib/db/index";
import { users } from "@/lib/db/schema/auth";
import { DrizzleAdapter } from "@auth/drizzle-adapter";
import { getServerSession } from "next-auth/next";
import { type Adapter } from "next-auth/adapters";
import { DefaultSession, getServerSession, NextAuthOptions } from "next-auth";
import { Adapter } from "next-auth/adapters";
import { redirect } from "next/navigation";
import { z } from "zod";
import { eq } from "drizzle-orm";
import AzureADProvider from "next-auth/providers/azure-ad";
export type AuthSession = {
@ -20,19 +18,19 @@ export type AuthSession = {
};
const envSchema = z.object({
AZURE_AD_CLIENT_ID: z.string().optional(),
AZURE_AD_CLIENT_SECRET: z.string().optional(),
AZURE_AD_CLIENT_ID: z.string().min(1),
AZURE_AD_CLIENT_SECRET: z.string().min(1),
});
export const env = envSchema.parse(process.env);
export const authOptions = {
export const authOptions: NextAuthOptions = {
adapter: DrizzleAdapter(db) as Adapter,
session: {
strategy: "jwt" as const, // CRITICAL: Use JWT strategy to access token in session callback
strategy: "jwt", // CRITICAL: Use JWT strategy to access token in session callback
},
callbacks: {
jwt: async ({ token, account, profile }: { token: any; account?: any; profile?: any }) => {
jwt: async ({ token, account, profile }) => {
// Store access token
if (account) {
token.accessToken = account.access_token;
@ -40,22 +38,10 @@ export const authOptions = {
// Extract tenantId from Azure AD tid claim
if (profile && 'tid' in profile) {
token.tenantId = profile.tid as string;
// Update tenant_id in database if we have a user id
if (token.sub) {
try {
await db
.update(users)
.set({ tenantId: profile.tid as string })
.where(eq(users.id, token.sub));
} catch (error) {
console.error('Failed to update tenant_id:', error);
}
}
}
return token;
},
session: ({ session, token }: { session: any; token: any }) => {
session: ({ session, token }) => {
// Copy user id from token
if (token?.sub) {
session.user.id = token.sub;
@ -73,8 +59,8 @@ export const authOptions = {
},
providers: [
AzureADProvider({
clientId: env.AZURE_AD_CLIENT_ID ?? "",
clientSecret: env.AZURE_AD_CLIENT_SECRET ?? "",
clientId: env.AZURE_AD_CLIENT_ID,
clientSecret: env.AZURE_AD_CLIENT_SECRET,
tenantId: "common", // Multi-Tenancy Support
authorization: {
params: {

3
lib/db/migrations/0001_reflective_dormammu.sql
View File

@ -1,3 +0,0 @@
DROP INDEX "policy_settings_upsert_idx";--> statement-breakpoint
ALTER TABLE "user" ADD COLUMN "tenant_id" text;--> statement-breakpoint
ALTER TABLE "policy_settings" ADD CONSTRAINT "policy_settings_upsert_unique" UNIQUE("tenant_id","graph_policy_id","setting_name");

450
lib/db/migrations/meta/0001_snapshot.json
View File

@ -1,450 +0,0 @@
{
"id": "65f6746a-011c-4712-97db-c41f4b3e6547",
"prevId": "7bea20d0-987b-4a12-8446-a5966f2eb3e8",
"version": "7",
"dialect": "postgresql",
"tables": {
"public.account": {
"name": "account",
"schema": "",
"columns": {
"userId": {
"name": "userId",
"type": "text",
"primaryKey": false,
"notNull": true
},
"type": {
"name": "type",
"type": "text",
"primaryKey": false,
"notNull": true
},
"provider": {
"name": "provider",
"type": "text",
"primaryKey": false,
"notNull": true
},
"providerAccountId": {
"name": "providerAccountId",
"type": "text",
"primaryKey": false,
"notNull": true
},
"refresh_token": {
"name": "refresh_token",
"type": "text",
"primaryKey": false,
"notNull": false
},
"access_token": {
"name": "access_token",
"type": "text",
"primaryKey": false,
"notNull": false
},
"expires_at": {
"name": "expires_at",
"type": "integer",
"primaryKey": false,
"notNull": false
},
"token_type": {
"name": "token_type",
"type": "text",
"primaryKey": false,
"notNull": false
},
"scope": {
"name": "scope",
"type": "text",
"primaryKey": false,
"notNull": false
},
"id_token": {
"name": "id_token",
"type": "text",
"primaryKey": false,
"notNull": false
},
"session_state": {
"name": "session_state",
"type": "text",
"primaryKey": false,
"notNull": false
}
},
"indexes": {},
"foreignKeys": {
"account_userId_user_id_fk": {
"name": "account_userId_user_id_fk",
"tableFrom": "account",
"tableTo": "user",
"columnsFrom": [
"userId"
],
"columnsTo": [
"id"
],
"onDelete": "cascade",
"onUpdate": "no action"
}
},
"compositePrimaryKeys": {
"account_provider_providerAccountId_pk": {
"name": "account_provider_providerAccountId_pk",
"columns": [
"provider",
"providerAccountId"
]
}
},
"uniqueConstraints": {},
"policies": {},
"checkConstraints": {},
"isRLSEnabled": false
},
"public.session": {
"name": "session",
"schema": "",
"columns": {
"sessionToken": {
"name": "sessionToken",
"type": "text",
"primaryKey": true,
"notNull": true
},
"userId": {
"name": "userId",
"type": "text",
"primaryKey": false,
"notNull": true
},
"expires": {
"name": "expires",
"type": "timestamp",
"primaryKey": false,
"notNull": true
}
},
"indexes": {},
"foreignKeys": {
"session_userId_user_id_fk": {
"name": "session_userId_user_id_fk",
"tableFrom": "session",
"tableTo": "user",
"columnsFrom": [
"userId"
],
"columnsTo": [
"id"
],
"onDelete": "cascade",
"onUpdate": "no action"
}
},
"compositePrimaryKeys": {},
"uniqueConstraints": {},
"policies": {},
"checkConstraints": {},
"isRLSEnabled": false
},
"public.user": {
"name": "user",
"schema": "",
"columns": {
"id": {
"name": "id",
"type": "text",
"primaryKey": true,
"notNull": true
},
"name": {
"name": "name",
"type": "text",
"primaryKey": false,
"notNull": false
},
"email": {
"name": "email",
"type": "text",
"primaryKey": false,
"notNull": true
},
"emailVerified": {
"name": "emailVerified",
"type": "timestamp",
"primaryKey": false,
"notNull": false
},
"image": {
"name": "image",
"type": "text",
"primaryKey": false,
"notNull": false
},
"tenant_id": {
"name": "tenant_id",
"type": "text",
"primaryKey": false,
"notNull": false
}
},
"indexes": {},
"foreignKeys": {},
"compositePrimaryKeys": {},
"uniqueConstraints": {},
"policies": {},
"checkConstraints": {},
"isRLSEnabled": false
},
"public.verificationToken": {
"name": "verificationToken",
"schema": "",
"columns": {
"identifier": {
"name": "identifier",
"type": "text",
"primaryKey": false,
"notNull": true
},
"token": {
"name": "token",
"type": "text",
"primaryKey": false,
"notNull": true
},
"expires": {
"name": "expires",
"type": "timestamp",
"primaryKey": false,
"notNull": true
}
},
"indexes": {},
"foreignKeys": {},
"compositePrimaryKeys": {
"verificationToken_identifier_token_pk": {
"name": "verificationToken_identifier_token_pk",
"columns": [
"identifier",
"token"
]
}
},
"uniqueConstraints": {},
"policies": {},
"checkConstraints": {},
"isRLSEnabled": false
},
"public.policy_settings": {
"name": "policy_settings",
"schema": "",
"columns": {
"id": {
"name": "id",
"type": "text",
"primaryKey": true,
"notNull": true
},
"tenant_id": {
"name": "tenant_id",
"type": "text",
"primaryKey": false,
"notNull": true
},
"policy_name": {
"name": "policy_name",
"type": "text",
"primaryKey": false,
"notNull": true
},
"policy_type": {
"name": "policy_type",
"type": "text",
"primaryKey": false,
"notNull": true
},
"setting_name": {
"name": "setting_name",
"type": "text",
"primaryKey": false,
"notNull": true
},
"setting_value": {
"name": "setting_value",
"type": "text",
"primaryKey": false,
"notNull": true
},
"graph_policy_id": {
"name": "graph_policy_id",
"type": "text",
"primaryKey": false,
"notNull": true
},
"last_synced_at": {
"name": "last_synced_at",
"type": "timestamp",
"primaryKey": false,
"notNull": true,
"default": "now()"
},
"created_at": {
"name": "created_at",
"type": "timestamp",
"primaryKey": false,
"notNull": true,
"default": "now()"
}
},
"indexes": {
"policy_settings_tenant_id_idx": {
"name": "policy_settings_tenant_id_idx",
"columns": [
{
"expression": "tenant_id",
"isExpression": false,
"asc": true,
"nulls": "last"
}
],
"isUnique": false,
"concurrently": false,
"method": "btree",
"with": {}
},
"policy_settings_setting_name_idx": {
"name": "policy_settings_setting_name_idx",
"columns": [
{
"expression": "setting_name",
"isExpression": false,
"asc": true,
"nulls": "last"
}
],
"isUnique": false,
"concurrently": false,
"method": "btree",
"with": {}
}
},
"foreignKeys": {},
"compositePrimaryKeys": {},
"uniqueConstraints": {
"policy_settings_upsert_unique": {
"name": "policy_settings_upsert_unique",
"nullsNotDistinct": false,
"columns": [
"tenant_id",
"graph_policy_id",
"setting_name"
]
}
},
"policies": {},
"checkConstraints": {},
"isRLSEnabled": false
},
"public.subscriptions": {
"name": "subscriptions",
"schema": "",
"columns": {
"user_id": {
"name": "user_id",
"type": "varchar(255)",
"primaryKey": false,
"notNull": false
},
"stripe_customer_id": {
"name": "stripe_customer_id",
"type": "varchar(255)",
"primaryKey": false,
"notNull": false
},
"stripe_subscription_id": {
"name": "stripe_subscription_id",
"type": "varchar(255)",
"primaryKey": false,
"notNull": false
},
"stripe_price_id": {
"name": "stripe_price_id",
"type": "varchar(255)",
"primaryKey": false,
"notNull": false
},
"stripe_current_period_end": {
"name": "stripe_current_period_end",
"type": "timestamp",
"primaryKey": false,
"notNull": false
}
},
"indexes": {},
"foreignKeys": {
"subscriptions_user_id_user_id_fk": {
"name": "subscriptions_user_id_user_id_fk",
"tableFrom": "subscriptions",
"tableTo": "user",
"columnsFrom": [
"user_id"
],
"columnsTo": [
"id"
],
"onDelete": "no action",
"onUpdate": "no action"
}
},
"compositePrimaryKeys": {
"subscriptions_user_id_stripe_customer_id_pk": {
"name": "subscriptions_user_id_stripe_customer_id_pk",
"columns": [
"user_id",
"stripe_customer_id"
]
}
},
"uniqueConstraints": {
"subscriptions_user_id_unique": {
"name": "subscriptions_user_id_unique",
"nullsNotDistinct": false,
"columns": [
"user_id"
]
},
"subscriptions_stripe_customer_id_unique": {
"name": "subscriptions_stripe_customer_id_unique",
"nullsNotDistinct": false,
"columns": [
"stripe_customer_id"
]
},
"subscriptions_stripe_subscription_id_unique": {
"name": "subscriptions_stripe_subscription_id_unique",
"nullsNotDistinct": false,
"columns": [
"stripe_subscription_id"
]
}
},
"policies": {},
"checkConstraints": {},
"isRLSEnabled": false
}
},
"enums": {},
"schemas": {},
"sequences": {},
"roles": {},
"policies": {},
"views": {},
"_meta": {
"columns": {},
"schemas": {},
"tables": {}
}
}

7
lib/db/migrations/meta/_journal.json
View File

@ -8,13 +8,6 @@
"when": 1764967548076,
"tag": "0000_tiny_skin",
"breakpoints": true
},
{
"idx": 1,
"version": "7",
"when": 1765060303141,
"tag": "0001_reflective_dormammu",
"breakpoints": true
}
]
}

1
lib/db/schema/auth.ts
View File

@ -13,7 +13,6 @@ export const users = pgTable("user", {
email: text("email").notNull(),
emailVerified: timestamp("emailVerified", { mode: "date" }),
image: text("image"),
tenantId: text("tenant_id"),
});
export const accounts = pgTable(

11
lib/db/schema/policySettings.ts
View File

@ -1,4 +1,4 @@
import { pgTable, text, timestamp, index, unique } from 'drizzle-orm/pg-core';
import { pgTable, text, timestamp, index } from 'drizzle-orm/pg-core';
import { createId } from '@paralleldrive/cuid2';
export const POLICY_TYPES = [
@ -43,14 +43,7 @@ export const policySettings = pgTable(
settingNameIdx: index('policy_settings_setting_name_idx').on(
table.settingName
),
// Composite index for sorting performance (pagination + sorting queries)
sortingIdx: index('policy_settings_sorting_idx').on(
table.tenantId,
table.policyType,
table.settingName
),
// Unique constraint for ON CONFLICT upsert
upsertUnique: unique('policy_settings_upsert_unique').on(
upsertIdx: index('policy_settings_upsert_idx').on(
table.tenantId,
table.graphPolicyId,
table.settingName

7
lib/email/index.ts
View File

@ -1,7 +1,4 @@
import { Resend } from "resend";
import { env } from "@/lib/env.mjs";
const resendApiKey = process.env.RESEND_API_KEY;
export const resend = resendApiKey
? new Resend(resendApiKey)
: null as unknown as Resend; // Will fail at runtime if not configured, but allows build
export const resend = new Resend(env.RESEND_API_KEY);

19
lib/env.mjs
View File

@ -7,13 +7,20 @@ export const env = createEnv({
NODE_ENV: z
.enum(["development", "test", "production"])
.default("development"),
DATABASE_URL: z.string().optional(),
DATABASE_URL: z.string().min(1),
NEXTAUTH_SECRET: z.string().optional(),
NEXTAUTH_URL: z.string().optional(),
NEXTAUTH_SECRET: process.env.NODE_ENV === "production"
? z.string().min(1)
: z.string().optional(),
NEXTAUTH_URL: z.preprocess(
// This makes Vercel deployments not fail if you don't set NEXTAUTH_URL
// Since NextAuth.js automatically uses the VERCEL_URL if present.
(str) => process.env.VERCEL_URL ?? str,
// VERCEL_URL doesn't include `https` so it cant be validated as a URL
process.env.VERCEL_URL ? z.string().min(1) : z.string().url()
),
// Azure AD (Microsoft Entra ID) - optional in development
AZURE_AD_TENANT_ID: z.string().optional(),
AZURE_AD_CLIENT_ID: z.string().optional(),
AZURE_AD_CLIENT_SECRET: z.string().optional(),
@ -22,8 +29,8 @@ export const env = createEnv({
STRIPE_SECRET_KEY: z.string().optional(),
STRIPE_WEBHOOK_SECRET: z.string().optional(),
// Redis used by BullMQ worker
REDIS_URL: z.string().url().optional(),
// Policy Settings Ingestion API
POLICY_API_SECRET: z.string().optional(),
},
client: {
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY: z.string().optional(),

70
lib/hooks/useCopyToClipboard.ts
View File

@ -1,70 +0,0 @@
/**
* useCopyToClipboard Hook
*
* Wrapper for Clipboard API with success/error handling and toast notifications.
*
* Features:
* - Copy text to clipboard
* - Success/error state tracking
* - Automatic toast notifications
* - Fallback for older browsers
*/
import { useState } from 'react';
import { toast } from 'sonner';
interface CopyToClipboardResult {
copy: (text: string, successMessage?: string) => Promise<void>;
isCopied: boolean;
error: Error | null;
}
export function useCopyToClipboard(): CopyToClipboardResult {
const [isCopied, setIsCopied] = useState(false);
const [error, setError] = useState<Error | null>(null);
const copy = async (text: string, successMessage: string = 'Copied to clipboard') => {
// Reset state
setIsCopied(false);
setError(null);
try {
// Modern Clipboard API
if (navigator.clipboard && window.isSecureContext) {
await navigator.clipboard.writeText(text);
} else {
// Fallback for older browsers or non-secure contexts
const textArea = document.createElement('textarea');
textArea.value = text;
textArea.style.position = 'fixed';
textArea.style.left = '-999999px';
textArea.style.top = '-999999px';
document.body.appendChild(textArea);
textArea.focus();
textArea.select();
const successful = document.execCommand('copy');
textArea.remove();
if (!successful) {
throw new Error('Copy command failed');
}
}
setIsCopied(true);
toast.success(successMessage);
// Reset isCopied after 2 seconds
setTimeout(() => {
setIsCopied(false);
}, 2000);
} catch (err) {
const copyError = err instanceof Error ? err : new Error('Failed to copy');
setError(copyError);
toast.error('Failed to copy to clipboard');
console.error('Copy error:', copyError);
}
};
return { copy, isCopied, error };
}

109
lib/hooks/usePolicyTable.ts
View File

@ -1,109 +0,0 @@
/**
* usePolicyTable Hook
*
* Initializes TanStack Table with manual pagination mode for server-side data fetching.
* Integrates with URL state and localStorage preferences.
*
* Key Features:
* - Manual pagination (data fetched via Server Actions)
* - Column visibility persistence
* - Column sizing with drag resize
* - Row selection for CSV export
* - Sorting with URL sync
*/
import { useEffect, useMemo, useState } from 'react';
import {
getCoreRowModel,
useReactTable,
type ColumnDef,
type SortingState,
type VisibilityState,
type ColumnSizingState,
type RowSelectionState,
type PaginationState,
} from '@tanstack/react-table';
import type { PolicySettingRow, PaginationMeta } from '@/lib/types/policy-table';
interface UsePolicyTableProps {
data: PolicySettingRow[];
columns: ColumnDef<PolicySettingRow>[];
pagination: PaginationState;
onPaginationChange: (updater: PaginationState | ((old: PaginationState) => PaginationState)) => void;
sorting: SortingState;
onSortingChange: (updater: SortingState | ((old: SortingState) => SortingState)) => void;
columnVisibility?: VisibilityState;
onColumnVisibilityChange?: (updater: VisibilityState | ((old: VisibilityState) => VisibilityState)) => void;
columnSizing?: ColumnSizingState;
onColumnSizingChange?: (updater: ColumnSizingState | ((old: ColumnSizingState) => ColumnSizingState)) => void;
meta?: PaginationMeta;
enableRowSelection?: boolean;
}
export function usePolicyTable({
data,
columns,
pagination,
onPaginationChange,
sorting,
onSortingChange,
columnVisibility = {},
onColumnVisibilityChange,
columnSizing = {},
onColumnSizingChange,
meta,
enableRowSelection = false,
}: UsePolicyTableProps) {
const [rowSelection, setRowSelection] = useState<RowSelectionState>({});
// Reset row selection when page changes
useEffect(() => {
setRowSelection({});
}, [pagination.pageIndex]);
// Initialize TanStack Table
const table = useReactTable({
data,
columns,
pageCount: meta?.pageCount ?? -1,
state: {
pagination,
sorting,
columnVisibility,
columnSizing,
rowSelection,
},
onPaginationChange,
onSortingChange,
onColumnVisibilityChange,
onColumnSizingChange,
onRowSelectionChange: setRowSelection,
getCoreRowModel: getCoreRowModel(),
manualPagination: true, // Server-side pagination
manualSorting: true, // Server-side sorting
manualFiltering: true, // Server-side filtering
enableRowSelection,
enableColumnResizing: true,
columnResizeMode: 'onChange',
});
// Get selected rows
const selectedRows = useMemo(() => {
return table.getSelectedRowModel().rows.map(row => row.original);
}, [table, rowSelection]);
// Selection helpers
const selectedCount = selectedRows.length;
const totalCount = meta?.totalCount ?? 0;
const hasSelection = selectedCount > 0;
const allRowsSelected = table.getIsAllPageRowsSelected();
return {
table,
selectedRows,
selectedCount,
totalCount,
hasSelection,
allRowsSelected,
};
}

162
lib/hooks/useTablePreferences.ts
View File

@ -1,162 +0,0 @@
/**
* useTablePreferences Hook
*
* Manages localStorage persistence for user table preferences:
* - Column visibility (show/hide columns)
* - Column sizing (width in pixels)
* - Column order (reordering)
* - Density mode (compact vs comfortable)
* - Default page size
*
* Includes versioning for forward compatibility when adding new preferences.
*/
import { useState, useEffect, useCallback } from 'react';
import type { TablePreferences } from '@/lib/types/policy-table';
import type { VisibilityState, ColumnSizingState } from '@tanstack/react-table';
const STORAGE_KEY = 'policy-explorer-preferences';
const STORAGE_VERSION = 1;
// Default preferences
const DEFAULT_PREFERENCES: TablePreferences = {
version: STORAGE_VERSION,
columnVisibility: {},
columnSizing: {},
columnOrder: [],
density: 'comfortable',
defaultPageSize: 50,
};
/**
* Load preferences from localStorage with error handling
*/
function loadPreferences(): TablePreferences {
if (typeof window === 'undefined') {
return DEFAULT_PREFERENCES;
}
try {
const stored = localStorage.getItem(STORAGE_KEY);
if (!stored) {
return DEFAULT_PREFERENCES;
}
const parsed = JSON.parse(stored) as TablePreferences;
// Version migration logic
if (parsed.version !== STORAGE_VERSION) {
// Future: Handle migrations between versions
console.log('Migrating preferences from version', parsed.version, 'to', STORAGE_VERSION);
return { ...DEFAULT_PREFERENCES, ...parsed, version: STORAGE_VERSION };
}
return parsed;
} catch (error) {
console.error('Failed to load table preferences:', error);
return DEFAULT_PREFERENCES;
}
}
/**
* Save preferences to localStorage with error handling
*/
function savePreferences(preferences: TablePreferences): void {
if (typeof window === 'undefined') {
return;
}
try {
localStorage.setItem(STORAGE_KEY, JSON.stringify(preferences));
} catch (error) {
console.error('Failed to save table preferences:', error);
// Handle quota exceeded
if (error instanceof Error && error.name === 'QuotaExceededError') {
console.warn('localStorage quota exceeded. Clearing old preferences.');
try {
localStorage.removeItem(STORAGE_KEY);
localStorage.setItem(STORAGE_KEY, JSON.stringify(preferences));
} catch (retryError) {
console.error('Failed to clear and save preferences:', retryError);
}
}
}
}
export function useTablePreferences() {
const [preferences, setPreferences] = useState<TablePreferences>(DEFAULT_PREFERENCES);
const [isLoaded, setIsLoaded] = useState(false);
// Load preferences on mount
useEffect(() => {
const loaded = loadPreferences();
setPreferences(loaded);
setIsLoaded(true);
}, []);
// Save preferences whenever they change
useEffect(() => {
if (isLoaded) {
savePreferences(preferences);
}
}, [preferences, isLoaded]);
// Update column visibility
const updateColumnVisibility = useCallback((visibility: VisibilityState) => {
setPreferences((prev) => ({
...prev,
columnVisibility: visibility,
}));
}, []);
// Update column sizing
const updateColumnSizing = useCallback((sizing: ColumnSizingState) => {
setPreferences((prev) => ({
...prev,
columnSizing: sizing,
}));
}, []);
// Update column order
const updateColumnOrder = useCallback((order: string[]) => {
setPreferences((prev) => ({
...prev,
columnOrder: order,
}));
}, []);
// Update density mode
const updateDensity = useCallback((density: 'compact' | 'comfortable') => {
setPreferences((prev) => ({
...prev,
density,
}));
}, []);
// Update default page size
const updateDefaultPageSize = useCallback((pageSize: 10 | 25 | 50 | 100) => {
setPreferences((prev) => ({
...prev,
defaultPageSize: pageSize,
}));
}, []);
// Reset all preferences to defaults
const resetPreferences = useCallback(() => {
setPreferences(DEFAULT_PREFERENCES);
if (typeof window !== 'undefined') {
localStorage.removeItem(STORAGE_KEY);
}
}, []);
return {
preferences,
isLoaded,
updateColumnVisibility,
updateColumnSizing,
updateColumnOrder,
updateDensity,
updateDefaultPageSize,
resetPreferences,
};
}

137
lib/hooks/useURLState.ts
View File

@ -1,137 +0,0 @@
/**
* useURLState Hook
*
* Synchronizes table state with URL query parameters for shareable filtered/sorted views.
* Uses `nuqs` library for type-safe URL state management with Next.js App Router.
*
* URL Parameters:
* - p: page (0-based index)
* - ps: pageSize (10, 25, 50, 100)
* - sb: sortBy (settingName, policyName, policyType, lastSyncedAt)
* - sd: sortDir (asc, desc)
* - pt: policyTypes (comma-separated)
* - q: searchQuery
*/
import { useQueryState, parseAsInteger, parseAsString, parseAsStringLiteral, parseAsArrayOf } from 'nuqs';
import { useCallback } from 'react';
const PAGE_SIZES = [10, 25, 50, 100] as const;
const SORT_BY_OPTIONS = ['settingName', 'policyName', 'policyType', 'lastSyncedAt'] as const;
const SORT_DIR_OPTIONS = ['asc', 'desc'] as const;
export function useURLState() {
// Page (0-based)
const [page, setPage] = useQueryState(
'p',
parseAsInteger.withDefault(0)
);
// Page Size
const [pageSize, setPageSize] = useQueryState(
'ps',
parseAsInteger.withDefault(50)
);
// Sort By
const [sortBy, setSortBy] = useQueryState(
'sb',
parseAsString.withDefault('settingName')
);
// Sort Direction
const [sortDir, setSortDir] = useQueryState(
'sd',
parseAsStringLiteral(['asc', 'desc'] as const).withDefault('asc')
);
// Policy Types (comma-separated)
const [policyTypes, setPolicyTypes] = useQueryState(
'pt',
parseAsArrayOf(parseAsString, ',').withDefault([])
);
// Search Query
const [searchQuery, setSearchQuery] = useQueryState(
'q',
parseAsString.withDefault('')
);
// Update page with validation
const updatePage = useCallback((newPage: number) => {
const validPage = Math.max(0, newPage);
setPage(validPage);
}, [setPage]);
// Update page size with validation
const updatePageSize = useCallback((newPageSize: number) => {
const validPageSize = PAGE_SIZES.includes(newPageSize as typeof PAGE_SIZES[number])
? newPageSize
: 50;
setPageSize(validPageSize);
// Reset to first page when changing page size
setPage(0);
}, [setPageSize, setPage]);
// Update sorting
const updateSorting = useCallback((newSortBy: string, newSortDir: 'asc' | 'desc') => {
setSortBy(newSortBy);
setSortDir(newSortDir);
}, [setSortBy, setSortDir]);
// Toggle sort direction
const toggleSortDir = useCallback(() => {
setSortDir(sortDir === 'asc' ? 'desc' : 'asc');
}, [sortDir, setSortDir]);
// Update policy types filter
const updatePolicyTypes = useCallback((types: string[]) => {
setPolicyTypes(types);
// Reset to first page when changing filters
setPage(0);
}, [setPolicyTypes, setPage]);
// Update search query
const updateSearchQuery = useCallback((query: string) => {
setSearchQuery(query);
// Reset to first page when searching
setPage(0);
}, [setSearchQuery, setPage]);
// Clear all filters
const clearFilters = useCallback(() => {
setPolicyTypes([]);
setSearchQuery('');
setPage(0);
}, [setPolicyTypes, setSearchQuery, setPage]);
// Reset all URL state
const resetURLState = useCallback(() => {
setPage(0);
setPageSize(50);
setSortBy('settingName');
setSortDir('asc');
setPolicyTypes([]);
setSearchQuery('');
}, [setPage, setPageSize, setSortBy, setSortDir, setPolicyTypes, setSearchQuery]);
return {
// Current state
page,
pageSize,
sortBy,
sortDir,
policyTypes,
searchQuery,
// Update functions
updatePage,
updatePageSize,
updateSorting,
toggleSortDir,
updatePolicyTypes,
updateSearchQuery,
clearFilters,
resetURLState,
};
}

9
lib/queue/redis.ts
View File

@ -1,9 +0,0 @@
import Redis from 'ioredis';
const redisUrl = process.env.REDIS_URL || 'redis://127.0.0.1:6379';
// ioredis default `maxRetriesPerRequest` is not null; BullMQ requires it to be null.
// Create a shared connection with `maxRetriesPerRequest: null` to be compatible with BullMQ.
export const redisConnection = new Redis(redisUrl, { maxRetriesPerRequest: null });
export default redisConnection;

9
lib/queue/syncQueue.ts
View File

@ -1,9 +0,0 @@
import { Queue } from 'bullmq';
import redisConnection from './redis';
// Export a shared queue instance used by the app to enqueue sync jobs
export const syncQueue = new Queue('intune-sync-queue', {
connection: redisConnection as any,
});
export default syncQueue;

12
lib/stripe/index.ts
View File

@ -1,10 +1,6 @@
import Stripe from "stripe";
const stripeSecretKey = process.env.STRIPE_SECRET_KEY;
export const stripe = stripeSecretKey
? new Stripe(stripeSecretKey, {
apiVersion: "2025-11-17.clover",
typescript: true,
})
: null as unknown as Stripe; // Will fail at runtime if not configured, but allows build
export const stripe = new Stripe(process.env.STRIPE_SECRET_KEY ?? "", {
apiVersion: "2024-06-20",
typescript: true,
});

137
lib/types/policy-table.ts
View File

@ -1,137 +0,0 @@
/**
* Policy Explorer V2 - Type Definitions
*
* This file defines TypeScript interfaces for the advanced data table feature.
* These types manage client-side table state, URL state synchronization, and localStorage persistence.
*/
import type { SortingState, VisibilityState, ColumnSizingState } from '@tanstack/react-table';
/**
* DataTableState - Client-side ephemeral state for TanStack Table
*
* Manages pagination, sorting, column visibility/sizing, row selection, and density mode.
* This state is NOT persisted - it's derived from URL params and localStorage preferences.
*/
export interface DataTableState {
pagination: {
pageIndex: number; // 0-based page index
pageSize: 10 | 25 | 50 | 100;
};
sorting: SortingState; // TanStack Table sorting state: Array<{ id: string; desc: boolean }>
columnVisibility: VisibilityState; // TanStack Table visibility state: { [columnId: string]: boolean }
columnSizing: ColumnSizingState; // TanStack Table sizing state: { [columnId: string]: number }
rowSelection: {
[rowId: string]: boolean; // Selected row IDs for CSV export
};
density: 'compact' | 'comfortable'; // Row height mode
}
/**
* FilterState - Synced with URL and stored in localStorage
*
* Manages user-applied filters for policy types and search query.
* These are persisted in URL query params for shareable links.
*/
export interface FilterState {
policyTypes: string[]; // ['deviceConfiguration', 'compliancePolicy']
searchQuery: string; // Text search in settingName/policyName
}
/**
* TablePreferences - Persisted in localStorage
*
* Stores user-specific table preferences across sessions.
* Includes a version field for schema migrations when adding new features.
*/
export interface TablePreferences {
version: 1; // Schema version for migrations
columnVisibility: { [columnId: string]: boolean };
columnSizing: { [columnId: string]: number };
columnOrder: string[]; // Ordered column IDs for reordering
density: 'compact' | 'comfortable';
defaultPageSize: 10 | 25 | 50 | 100;
}
/**
* PolicySettingRow - Row data shape for the table
*
* Extends the base PolicySetting type with computed fields for display.
*/
export interface PolicySettingRow {
id: string;
tenantId: string;
policyName: string;
policyType: string;
settingName: string;
settingValue: string;
graphPolicyId: string;
lastSyncedAt: Date;
createdAt: Date;
}
/**
* PaginationMeta - Server response metadata
*
* Returned by Server Actions to provide pagination state to the client.
*/
export interface PaginationMeta {
totalCount: number;
pageCount: number;
currentPage: number;
pageSize: number;
hasNextPage: boolean;
hasPreviousPage: boolean;
}
/**
* GetPolicySettingsParams - Server Action input
*
* Parameters for fetching policy settings with pagination, sorting, and filtering.
*/
export interface GetPolicySettingsParams {
page: number; // 0-based page index
pageSize: 10 | 25 | 50 | 100;
sortBy?: 'settingName' | 'policyName' | 'policyType' | 'lastSyncedAt';
sortDir?: 'asc' | 'desc';
policyTypes?: string[];
searchQuery?: string;
}
/**
* GetPolicySettingsResult - Server Action output
*
* Response from Server Action with data and pagination metadata.
*/
export interface GetPolicySettingsResult {
success: boolean;
data?: PolicySettingRow[];
meta?: PaginationMeta;
error?: string;
}
/**
* ExportPolicySettingsParams - Server Action input for CSV export
*
* Parameters for server-side CSV generation (max 5000 rows).
*/
export interface ExportPolicySettingsParams {
policyTypes?: string[];
searchQuery?: string;
sortBy?: 'settingName' | 'policyName' | 'policyType' | 'lastSyncedAt';
sortDir?: 'asc' | 'desc';
maxRows?: number; // Default: 5000
}
/**
* ExportPolicySettingsResult - Server Action output for CSV export
*
* Returns CSV content as string with suggested filename.
*/
export interface ExportPolicySettingsResult {
success: boolean;
csv?: string;
filename?: string;
rowCount?: number;
error?: string;
}

141
lib/utils/csv-export.ts
View File

@ -1,141 +0,0 @@
/**
* CSV Export Utilities
*
* Client-side CSV generation for policy settings export.
*
* Features:
* - RFC 4180 compliant CSV formatting
* - Proper escaping (commas, quotes, newlines)
* - UTF-8 BOM for Excel compatibility
* - Efficient string building
*/
import type { PolicySettingRow } from '@/lib/types/policy-table';
/**
* Escape a CSV field value according to RFC 4180
* - Wrap in quotes if contains comma, quote, or newline
* - Double any quotes inside the value
*/
function escapeCsvField(value: string | null | undefined): string {
if (value === null || value === undefined) {
return '';
}
const stringValue = String(value);
// Check if escaping is needed
const needsEscaping = stringValue.includes(',') ||
stringValue.includes('"') ||
stringValue.includes('\n') ||
stringValue.includes('\r');
if (!needsEscaping) {
return stringValue;
}
// Double any quotes and wrap in quotes
const escaped = stringValue.replace(/"/g, '""');
return `"${escaped}"`;
}
/**
* Generate CSV content from policy settings
* @param rows Array of policy settings to export
* @param columns Optional array of column keys to include (default: all)
* @returns CSV content as string with UTF-8 BOM
*/
export function generatePolicySettingsCsv(
rows: PolicySettingRow[],
columns?: Array<keyof PolicySettingRow>
): string {
// Default columns in preferred order
const defaultColumns: Array<keyof PolicySettingRow> = [
'settingName',
'settingValue',
'policyName',
'policyType',
'graphPolicyId',
'lastSyncedAt',
];
const columnsToExport = columns || defaultColumns;
// Column headers (human-readable)
const headers: Record<keyof PolicySettingRow, string> = {
id: 'ID',
tenantId: 'Tenant ID',
settingName: 'Setting Name',
settingValue: 'Setting Value',
policyName: 'Policy Name',
policyType: 'Policy Type',
graphPolicyId: 'Graph Policy ID',
lastSyncedAt: 'Last Synced',
createdAt: 'Created At',
};
// Build CSV rows
const csvLines: string[] = [];
// Header row
const headerRow = columnsToExport.map(col => escapeCsvField(headers[col])).join(',');
csvLines.push(headerRow);
// Data rows
for (const row of rows) {
const dataRow = columnsToExport.map(col => {
const value = row[col];
// Format dates
if (value instanceof Date) {
return escapeCsvField(value.toISOString());
}
// Format other values
return escapeCsvField(String(value));
}).join(',');
csvLines.push(dataRow);
}
// Join with newlines and add UTF-8 BOM for Excel compatibility
const csvContent = csvLines.join('\n');
const utf8Bom = '\uFEFF';
return utf8Bom + csvContent;
}
/**
* Trigger browser download of CSV content
* @param csvContent CSV content string
* @param filename Suggested filename (e.g., "policy-settings.csv")
*/
export function downloadCsv(csvContent: string, filename: string): void {
// Create blob with proper MIME type
const blob = new Blob([csvContent], { type: 'text/csv;charset=utf-8;' });
// Create download link
const url = URL.createObjectURL(blob);
const link = document.createElement('a');
link.href = url;
link.download = filename;
// Trigger download
document.body.appendChild(link);
link.click();
// Cleanup
document.body.removeChild(link);
URL.revokeObjectURL(url);
}
/**
* Generate filename with timestamp
* @param prefix Filename prefix (e.g., "policy-settings")
* @param selectedCount Optional count of selected rows
* @returns Filename with timestamp (e.g., "policy-settings-2025-12-10.csv")
*/
export function generateCsvFilename(prefix: string, selectedCount?: number): string {
const date = new Date().toISOString().split('T')[0]; // YYYY-MM-DD
const suffix = selectedCount ? `-selected-${selectedCount}` : '';
return `${prefix}${suffix}-${date}.csv`;
}

115
lib/utils/policy-table-helpers.ts
View File

@ -1,115 +0,0 @@
/**
* Policy Table Helper Functions
*
* Utilities for formatting, sorting, and generating links for policy data.
*/
import type { PolicySettingRow } from '@/lib/types/policy-table';
/**
* Generate Intune Portal URL for a policy based on its type and ID
* @param policyType The type of policy (e.g., 'deviceConfiguration')
* @param graphPolicyId The Microsoft Graph policy ID
* @returns Intune Portal URL or null if URL construction fails
*/
export function getIntunePortalLink(
policyType: string,
graphPolicyId: string
): string | null {
if (!graphPolicyId) {
return null;
}
const baseUrl = 'https://intune.microsoft.com';
// Map policy types to Intune portal paths
const policyTypeUrls: Record<string, string> = {
// Device Configuration
deviceConfiguration: `${baseUrl}/#view/Microsoft_Intune_DeviceSettings/DeviceConfigProfilesMenu/~/properties/policyId/${graphPolicyId}`,
// Compliance Policies
compliancePolicy: `${baseUrl}/#view/Microsoft_Intune_DeviceSettings/DeviceCompliancePoliciesMenu/~/properties/policyId/${graphPolicyId}`,
// Device Management Scripts
deviceManagementScript: `${baseUrl}/#view/Microsoft_Intune_DeviceSettings/DeviceManagementScriptsMenu/~/properties/scriptId/${graphPolicyId}`,
// Windows Update for Business
windowsUpdateForBusiness: `${baseUrl}/#view/Microsoft_Intune_DeviceSettings/UpdateRingsMenu/~/properties/policyId/${graphPolicyId}`,
// iOS Update Configuration
iosUpdateConfiguration: `${baseUrl}/#view/Microsoft_Intune_DeviceSettings/iOSUpdateConfigurationsMenu/~/properties/policyId/${graphPolicyId}`,
// Settings Catalog
settingsCatalog: `${baseUrl}/#view/Microsoft_Intune_DeviceSettings/ConfigurationPolicyMenu/~/properties/policyId/${graphPolicyId}`,
// Endpoint Protection
endpointProtection: `${baseUrl}/#view/Microsoft_Intune_Workflows/SecurityBaselinesSummaryMenu/~/properties/templateId/${graphPolicyId}`,
// macOS Extensions
macOSExtensionsConfiguration: `${baseUrl}/#view/Microsoft_Intune_DeviceSettings/DeviceConfigProfilesMenu/~/properties/policyId/${graphPolicyId}`,
};
// Check if we have a known URL pattern
if (policyType in policyTypeUrls) {
return policyTypeUrls[policyType];
}
// Fallback: Generic device settings URL
return `${baseUrl}/#view/Microsoft_Intune_DeviceSettings/DeviceSettingsMenu`;
}
/**
* Format policy type for display (convert camelCase to Title Case)
* @param policyType Policy type in camelCase (e.g., 'deviceConfiguration')
* @returns Formatted title (e.g., 'Device Configuration')
*/
export function formatPolicyType(policyType: string): string {
// Insert spaces before capital letters
const withSpaces = policyType.replace(/([A-Z])/g, ' $1');
// Capitalize first letter and trim
return withSpaces.charAt(0).toUpperCase() + withSpaces.slice(1).trim();
}
/**
* Truncate long text with ellipsis
* @param text Text to truncate
* @param maxLength Maximum length before truncation
* @returns Truncated text with ellipsis if needed
*/
export function truncateText(text: string, maxLength: number = 100): string {
if (text.length <= maxLength) {
return text;
}
return text.substring(0, maxLength) + '...';
}
/**
* Format date for display (relative or absolute)
* @param date Date to format
* @param relative Whether to show relative time (e.g., "2 hours ago")
* @returns Formatted date string
*/
export function formatDate(date: Date | string, relative: boolean = false): string {
const dateObj = typeof date === 'string' ? new Date(date) : date;
if (relative) {
const now = new Date();
const diffMs = now.getTime() - dateObj.getTime();
const diffMins = Math.floor(diffMs / 60000);
if (diffMins < 1) return 'just now';
if (diffMins < 60) return `${diffMins} min${diffMins > 1 ? 's' : ''} ago`;
const diffHours = Math.floor(diffMins / 60);
if (diffHours < 24) return `${diffHours} hour${diffHours > 1 ? 's' : ''} ago`;
const diffDays = Math.floor(diffHours / 24);
if (diffDays < 7) return `${diffDays} day${diffDays > 1 ? 's' : ''} ago`;
const diffWeeks = Math.floor(diffDays / 7);
return `${diffWeeks} week${diffWeeks > 1 ? 's' : ''} ago`;
}
return dateObj.toLocaleString();
}

108
lib/utils/policyBadges.ts
View File

@ -1,108 +0,0 @@
/**
* Policy Type Badge Configuration
* Maps Intune policy types to Shadcn Badge variants and labels
*/
export type PolicyBadgeVariant = 'default' | 'secondary' | 'destructive' | 'outline';
interface PolicyBadgeConfig {
variant: PolicyBadgeVariant;
label: string;
}
/**
* Definitive mapping of Intune policy types to badge configuration
*/
const POLICY_TYPE_MAP: Record<string, PolicyBadgeConfig> = {
// Device Configuration (Legacy)
deviceConfiguration: {
variant: 'secondary',
label: 'Device Configuration'
},
// Settings Catalog (Modern Configuration)
configurationProfile: {
variant: 'default',
label: 'Settings Catalog'
},
// Compliance Policies
compliancePolicy: {
variant: 'default',
label: 'Compliance Policy'
},
// Endpoint Security
endpointSecurity: {
variant: 'destructive',
label: 'Endpoint Security'
},
// Windows Update
windowsUpdateForBusiness: {
variant: 'outline',
label: 'Windows Update'
},
// Enrollment Configuration
enrollmentConfiguration: {
variant: 'secondary',
label: 'Enrollment'
},
// App Configuration
appConfiguration: {
variant: 'outline',
label: 'App Configuration'
}
};
/**
* Maps policy type to badge configuration
*/
export function getPolicyBadgeConfig(policyType: string): PolicyBadgeConfig {
// Direct lookup for exact matches
if (POLICY_TYPE_MAP[policyType]) {
return POLICY_TYPE_MAP[policyType];
}
// Fallback to heuristic matching for unknown types
const type = policyType.toLowerCase();
// Security & Protection
if (type.includes('security') || type.includes('defender') || type.includes('threat')) {
return { variant: 'destructive', label: formatPolicyType(policyType) };
}
// Compliance & Conditional Access
if (type.includes('compliance') || type.includes('conditional')) {
return { variant: 'default', label: formatPolicyType(policyType) };
}
// Configuration Profiles
if (type.includes('configuration') || type.includes('profile') || type.includes('settings')) {
return { variant: 'secondary', label: formatPolicyType(policyType) };
}
// App Management
if (type.includes('app') || type.includes('application')) {
return { variant: 'outline', label: formatPolicyType(policyType) };
}
// Default for completely unknown types
return { variant: 'secondary', label: formatPolicyType(policyType) };
}
/**
* Formats policy type string for display
* Converts camelCase/PascalCase to readable format
*/
function formatPolicyType(policyType: string): string {
return policyType
.replace(/([A-Z])/g, ' $1') // Add space before capital letters
.trim()
.replace(/\s+/g, ' ') // Collapse multiple spaces
.split(' ')
.map(word => word.charAt(0).toUpperCase() + word.slice(1).toLowerCase())
.join(' ');
}

5
next-auth.d.ts vendored
View File

@ -1,4 +1,4 @@
import { DefaultSession, DefaultUser, AuthOptions } from "next-auth";
import { DefaultSession, DefaultUser } from "next-auth";
import { DefaultJWT } from "next-auth/jwt";
declare module "next-auth" {
@ -13,9 +13,6 @@ declare module "next-auth" {
interface User extends DefaultUser {
tenantId?: string;
}
// Re-export AuthOptions so it can be imported
export { AuthOptions };
}
declare module "next-auth/jwt" {

942
package-lock.json generated
View File

File diff suppressed because it is too large Load Diff

10
package.json
View File

@ -13,37 +13,29 @@
"db:pull": "drizzle-kit introspect",
"db:push": "drizzle-kit push",
"db:studio": "drizzle-kit studio",
"db:studio:prod": "lsof -ti:5433 | xargs kill -9 2>/dev/null; ssh cloudarix \"docker rm -f db-proxy 2>/dev/null; IP=\\$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' tenantpilot-db-tav83h.1.8ijze7mxpcg69pvdlu0g4j4et); docker run --rm -d --name db-proxy --network dokploy-network -p 127.0.0.1:5433:5432 alpine/socat TCP-LISTEN:5432,fork TCP:\\$IP:5432\"; ssh -L 5433:127.0.0.1:5433 cloudarix -N & sleep 3 && DATABASE_URL='postgresql://postgres:JsdPCZiC1C56Sz@localhost:5433/postgres' drizzle-kit studio",
"db:check": "drizzle-kit check",
"stripe:listen": "stripe listen --forward-to localhost:3000/api/webhooks/stripe",
"worker:start": "tsx ./worker/index.ts"
"stripe:listen": "stripe listen --forward-to localhost:3000/api/webhooks/stripe"
},
"dependencies": {
"@auth/core": "^0.34.3",
"@auth/drizzle-adapter": "^1.11.1",
"@azure/identity": "^4.0.0",
"@paralleldrive/cuid2": "^3.0.4",
"@radix-ui/react-avatar": "^1.1.11",
"@radix-ui/react-dialog": "^1.1.15",
"@radix-ui/react-dropdown-menu": "^2.1.16",
"@radix-ui/react-label": "^2.1.8",
"@radix-ui/react-slot": "^1.2.4",
"@stripe/stripe-js": "^8.5.2",
"@t3-oss/env-nextjs": "^0.13.8",
"@tanstack/react-table": "^8.21.3",
"bullmq": "^5.0.0",
"class-variance-authority": "^0.7.1",
"clsx": "^2.1.1",
"date-fns": "^4.1.0",
"drizzle-orm": "^0.44.7",
"drizzle-zod": "^0.8.3",
"ioredis": "^5.3.0",
"lucide-react": "^0.554.0",
"nanoid": "^5.1.6",
"next": "16.0.3",
"next-auth": "^4.24.13",
"next-themes": "^0.4.6",
"nuqs": "^2.8.4",
"pg": "^8.16.3",
"react": "19.2.0",
"react-dom": "19.2.0",

25
scripts/check-worker-health.js
View File

@ -1,25 +0,0 @@
require('dotenv').config();
const Redis = require('ioredis');
const { Queue } = require('bullmq');
async function main(){
const health = { ok: true, redisUrlPresent: !!process.env.REDIS_URL, timestamp: new Date().toISOString() };
console.log('health', health);
if (!process.env.REDIS_URL) {
console.error('No REDIS_URL set in environment');
process.exit(1);
}
const conn = new Redis(process.env.REDIS_URL);
const q = new Queue('intune-sync-queue', { connection: conn });
const counts = await q.getJobCounts();
console.log('queue', counts);
await q.close();
await conn.quit();
}
main().catch((err) => {
console.error('health-check-error', err);
process.exit(1);
});

56
scripts/test-graph-connection.ts
View File

@ -1,56 +0,0 @@
/**
* Smoke test script for Graph API connectivity
* Tests token acquisition and basic fetch from Microsoft Graph
*
* Usage: tsx scripts/test-graph-connection.ts
*/
import 'dotenv/config';
import { getGraphAccessToken } from '../worker/jobs/graphAuth';
import { fetchFromGraph } from '../worker/jobs/graphFetch';
async function main() {
console.log('=== Graph API Smoke Test ===\n');
// Check required env vars
const required = ['AZURE_AD_TENANT_ID', 'AZURE_AD_CLIENT_ID', 'AZURE_AD_CLIENT_SECRET'];
const missing = required.filter(key => !process.env[key]);
if (missing.length > 0) {
console.error('❌ Missing required environment variables:', missing.join(', '));
console.error('\nPlease set these in your .env file:');
missing.forEach(key => console.error(` ${key}=your_value_here`));
process.exit(1);
}
try {
// Test 1: Token acquisition
console.log('Test 1: Acquiring Graph access token...');
const token = await getGraphAccessToken();
console.log('✓ Token acquired successfully (length:', token.length, 'chars)\n');
// Test 2: Fetch device configurations
console.log('Test 2: Fetching device configurations...');
const configs = await fetchFromGraph('/deviceManagement/deviceConfigurations');
console.log(`✓ Fetched ${configs.length} device configuration(s)\n`);
// Test 3: Fetch compliance policies
console.log('Test 3: Fetching compliance policies...');
const compliance = await fetchFromGraph('/deviceManagement/deviceCompliancePolicies');
console.log(`✓ Fetched ${compliance.length} compliance policy/policies\n`);
console.log('=== All tests passed ✓ ===');
console.log(`\nTotal policies found: ${configs.length + compliance.length}`);
process.exit(0);
} catch (error) {
console.error('\n❌ Test failed:', error instanceof Error ? error.message : String(error));
if (error instanceof Error && error.stack) {
console.error('\nStack trace:');
console.error(error.stack);
}
process.exit(1);
}
}
main();

17
scripts/test-queue-connection.js
View File

@ -1,17 +0,0 @@
require('dotenv').config();
const { Queue } = require('bullmq');
const Redis = require('ioredis');
async function main(){
const redisUrl = process.env.REDIS_URL || 'redis://127.0.0.1:6379';
console.log('Using REDIS_URL=', redisUrl);
const connection = new Redis(redisUrl);
const queue = new Queue('intune-sync-queue', { connection });
const job = await queue.add('sync-tenant', { tenantId: 'test-tenant' });
console.log('Enqueued job id=', job.id);
await connection.quit();
process.exit(0);
}
main().catch(err=>{ console.error(err); process.exit(1); });

95
scripts/test-ui-sync-flow.ts
View File

@ -1,95 +0,0 @@
#!/usr/bin/env tsx
/**
* End-to-end test: Simulate UI sync flow
* - Start worker (or use existing)
* - Trigger sync via syncQueue (like UI does)
* - Monitor job status
* - Verify database updates
*/
import 'dotenv/config';
import { syncQueue } from '../lib/queue/syncQueue';
import { db } from '../lib/db';
import { policySettings } from '../lib/db/schema/policySettings';
import { eq, desc } from 'drizzle-orm';
async function simulateUISync() {
console.log('=== UI Sync Flow Test ===\n');
const tenantId = 'ui-test-tenant';
try {
// Step 1: Enqueue job (like UI button does)
console.log('1. Enqueueing sync job (simulating UI click)...');
const job = await syncQueue.add('sync-tenant', {
tenantId,
source: 'manual_trigger',
triggeredAt: new Date().toISOString(),
triggeredBy: 'test-user@example.com',
});
console.log(` ✓ Job queued: #${job.id}\n`);
// Step 2: Monitor job status
console.log('2. Monitoring job status...');
let state = await job.getState();
let attempts = 0;
const maxAttempts = 60; // 60 seconds timeout
while (state !== 'completed' && state !== 'failed' && attempts < maxAttempts) {
await new Promise(resolve => setTimeout(resolve, 1000));
state = await job.getState();
attempts++;
if (attempts % 5 === 0) {
console.log(` Job state: ${state} (${attempts}s elapsed)`);
}
}
if (state === 'completed') {
console.log(` ✓ Job completed after ${attempts}s\n`);
const result = job.returnvalue;
console.log('3. Job result:');
console.log(` Policies found: ${result?.policiesFound || 0}`);
console.log(` Settings upserted: ${result?.settingsUpserted || 0}\n`);
} else if (state === 'failed') {
console.log(` ✗ Job failed: ${job.failedReason}\n`);
return;
} else {
console.log(` ⚠ Job timeout (state: ${state})\n`);
return;
}
// Step 3: Verify database
console.log('4. Verifying database updates...');
const settings = await db
.select()
.from(policySettings)
.where(eq(policySettings.tenantId, tenantId))
.orderBy(desc(policySettings.lastSyncedAt))
.limit(5);
console.log(` ✓ Found ${settings.length} settings in database\n`);
if (settings.length > 0) {
console.log('5. Sample settings:');
settings.slice(0, 3).forEach((s, i) => {
console.log(` ${i + 1}. ${s.policyName}${s.settingName}`);
console.log(` Value: ${s.settingValue.substring(0, 60)}${s.settingValue.length > 60 ? '...' : ''}`);
});
}
console.log('\n=== Test Complete ✓ ===');
process.exit(0);
} catch (error) {
console.error('\n✗ Test failed:', error instanceof Error ? error.message : String(error));
if (error instanceof Error && error.stack) {
console.error('\nStack:', error.stack);
}
process.exit(1);
}
}
simulateUISync();

28
scripts/verify-sync.ts
View File

@ -1,28 +0,0 @@
import 'dotenv/config';
import { db } from '../lib/db';
import { policySettings } from '../lib/db/schema/policySettings';
import { eq } from 'drizzle-orm';
async function main() {
console.log('=== Querying policy_settings for test-tenant ===\n');
const results = await db
.select()
.from(policySettings)
.where(eq(policySettings.tenantId, 'test-tenant'))
.limit(20);
console.log(`Found ${results.length} settings:\n`);
results.forEach((setting, idx) => {
console.log(`${idx + 1}. ${setting.policyName}`);
console.log(` Type: ${setting.policyType}`);
console.log(` Setting: ${setting.settingName}`);
console.log(` Value: ${setting.settingValue.substring(0, 80)}${setting.settingValue.length > 80 ? '...' : ''}`);
console.log(` Last synced: ${setting.lastSyncedAt}\n`);
});
process.exit(0);
}
main().catch(console.error);

10
specs/001-global-policy-search/spec.md
View File

@ -5,13 +5,6 @@
**Status**: Draft
**Input**: User description: "Global Policy Search for Intune settings - A search engine within the SaaS app that indexes and searches all Intune policy settings"
## Clarifications
### Session 2025-12-07
- Q: Welche Synchronisierungsstrategie soll die Ingestion-API verwenden? → A: Incrementelles Upsert (nur geänderte Settings) - Die API führt ein Upsert durch (unique constraint auf tenantId + graphPolicyId + settingName), sodass nur neue/geänderte Einstellungen geschrieben werden. Dies minimiert Datenbankload und ist skalierbar.
- Q: Welche Suchlatenz wird unter verschiedenen Lastszenarien garantiert? → A: Immer < 2s garantiert (auch bei 100 gleichzeitigen Anfragen) - Strikte Performance-Anforderung für alle Lastbedingungen. Erfordert optimierte Datenbankindizes und möglicherweise Caching-Strategie.
## User Scenarios & Testing *(mandatory)*
### User Story 1 - Search Policy Settings (Priority: P1)
@ -97,11 +90,10 @@ Als n8n-Workflow möchte ich Policy-Einstellungen über eine API in die Datenban
### Measurable Outcomes
- **SC-001**: Admin kann eine Suche durchführen und Ergebnisse in unter 2 Sekunden sehen (garantiert auch bei 100 gleichzeitigen Anfragen).
- **SC-001**: Admin kann eine Suche durchführen und Ergebnisse in unter 2 Sekunden sehen.
- **SC-002**: 100% der Suchanfragen werden mit Tenant-Filterung ausgeführt.
- **SC-003**: Suchergebnisse werden aus der lokalen Datenbank geladen (keine externen API-Calls während der Suche).
- **SC-004**: Admin findet alle relevanten Policies, die den Suchbegriff im Einstellungs-Namen oder -Wert enthalten.
- **SC-005**: Datenbankindizes auf `tenantId`, `settingName` und `settingValue` gewährleisten konstante Performance unter Last.
## Assumptions

43
specs/002-manual-policy-sync/checklists/requirements.md
View File

@ -1,43 +0,0 @@
# Specification Quality Checklist: Manual Policy Sync Button
**Purpose**: Validate specification completeness and quality before proceeding to planning
**Created**: 2025-12-06
**Feature**: [spec.md](../spec.md)
## Content Quality
- [x] No implementation details (languages, frameworks, APIs)
- [x] Focused on user value and business needs
- [x] Written for non-technical stakeholders
- [x] All mandatory sections completed
## Requirement Completeness
- [x] No [NEEDS CLARIFICATION] markers remain
- [x] Requirements are testable and unambiguous
- [x] Success criteria are measurable
- [x] Success criteria are technology-agnostic (no implementation details)
- [x] All acceptance scenarios are defined
- [x] Edge cases are identified
- [x] Scope is clearly bounded
- [x] Dependencies and assumptions identified
## Feature Readiness
- [x] All functional requirements have clear acceptance criteria
- [x] User scenarios cover primary flows
- [x] Feature meets measurable outcomes defined in Success Criteria
- [x] No implementation details leak into specification
## Notes
All checklist items passed. Specification is ready for planning phase (`/speckit.plan`).
**Key Strengths**:
- Clear prioritization (P1, P2, P3) of user stories
- Comprehensive edge case coverage
- Well-defined success criteria with measurable metrics
- Technology-agnostic requirements
- Clear scope boundaries (Out of Scope section)
**Ready for**: `/speckit.plan` to generate implementation plan

346
specs/002-manual-policy-sync/plan.md
View File

@ -1,346 +0,0 @@
# Implementation Plan: Manual Policy Sync Button
**Branch**: `002-manual-policy-sync` | **Date**: 2025-12-06 | **Spec**: [spec.md](./spec.md)
**Status**: ✅ Implementation Complete (Documenting for record)
## Summary
Add a "Sync Policies" button to the global search page (`/search`) that allows admins to trigger immediate policy synchronization from Microsoft Intune via n8n webhook. This eliminates the need to wait for scheduled nightly syncs when policy changes need to be reflected immediately in TenantPilot.
**Technical Approach**: Implement as a client component with Server Action, following TenantPilot's server-first architecture. Use existing authentication system to extract tenant ID and send POST request to n8n webhook endpoint configured via environment variable.
## Technical Context
**Language/Version**: TypeScript 5.x strict mode
**Primary Dependencies**: Next.js 16.0.3 App Router, Drizzle ORM 0.44.7, Shadcn UI, NextAuth.js 4.24.13
**Storage**: PostgreSQL (no schema changes required)
**Testing**: Manual testing (no E2E tests for this feature)
**Target Platform**: Docker containers (standalone build), web browsers
**Project Type**: Web application (Next.js App Router)
**Performance Goals**: Webhook request < 2s, UI feedback < 1s
**Constraints**: Server-first architecture (Server Actions only), Azure AD multi-tenant auth
**Scale/Scope**: Multi-tenant SaaS, each tenant triggers sync independently
## Constitution Check
*GATE: Must pass before Phase 0 research. Re-check after Phase 1 design.*
- [x] Uses Next.js App Router with Server Actions (no client-side fetches)
- [x] TypeScript strict mode enabled (all types properly defined)
- [x] Drizzle ORM for all database operations (no DB changes needed)
- [x] Shadcn UI for all new components (Button from shadcn/ui)
- [x] Azure AD multi-tenant authentication (tenant ID from session)
- [x] Docker deployment with standalone build (no special config needed)
**Constitution Compliance**: ✅ All requirements met
## Project Structure
### Documentation (this feature)
```text
specs/002-manual-policy-sync/
├── spec.md # Feature specification (completed)
├── plan.md # This file (implementation plan)
├── checklists/
│ └── requirements.md # Specification quality checklist (passed)
└── [No research.md] # Not needed - straightforward implementation
└── [No data-model.md] # Not needed - no schema changes
└── [No contracts/] # Not needed - uses existing n8n webhook
└── [No quickstart.md] # Not needed - single feature, no complex setup
```
### Source Code (repository root)
```text
lib/
├── env.mjs # [MODIFIED] Added N8N_SYNC_WEBHOOK_URL
├── actions/
│ └── policySettings.ts # [MODIFIED] Added triggerPolicySync()
└── auth/
└── utils.ts # [MODIFIED] Added tenant_id DB update in JWT callback
components/
└── search/
├── SearchInput.tsx # [EXISTING] Search component
├── ResultsTable.tsx # [EXISTING] Results display
├── EmptyState.tsx # [EXISTING] No results state
└── SyncButton.tsx # [NEW] Sync button component
app/
└── (app)/
└── search/
└── page.tsx # [MODIFIED] Integrated SyncButton
specs/
└── 002-manual-policy-sync/ # [NEW] This feature spec directory
```
**Structure Decision**: Single Next.js project with App Router. Feature follows existing patterns from 001-global-policy-search. No new directories created - components added to existing `components/search/` structure.
## Phase 0: Research & Unknowns Resolution
**Status**: ✅ Complete (implementation straightforward, no research needed)
### Research Questions (All Resolved)
1. **Q**: How to trigger n8n workflow from Next.js?
**A**: POST request to webhook URL with JSON payload. n8n webhook accepts any POST with tenant ID.
2. **Q**: Where to store webhook URL?
**A**: Environment variable `N8N_SYNC_WEBHOOK_URL` in `lib/env.mjs`, validated with Zod (optional).
3. **Q**: How to get tenant ID?
**A**: From NextAuth session (`session.user.tenantId`) via `getUserAuth()` in Server Action.
4. **Q**: How to handle button loading state?
**A**: React `useTransition()` hook for pending state, disable button during transition.
5. **Q**: Toast notifications for feedback?
**A**: Existing `sonner` library already integrated, use `toast.success()` / `toast.error()`.
**No external research needed** - all patterns exist in codebase (Server Actions, auth, env vars, Shadcn UI).
## Phase 1: Design & Contracts
**Status**: ✅ Complete (no schema changes, webhook contract is simple)
### Data Model
**No database changes required**. Feature uses existing:
- `users` table (tenant_id column already added in previous feature)
- NextAuth session management (tenant ID already in JWT token)
### API Contracts
#### Server Action: `triggerPolicySync()`
**File**: `lib/actions/policySettings.ts`
```typescript
export async function triggerPolicySync(): Promise<{
success: boolean;
message?: string;
error?: string;
}>;
```
**Security**:
- ✅ Validates user session via `getUserAuth()`
- ✅ Extracts tenant ID from session (no user input)
- ✅ Server-side only (Server Action)
**Flow**:
1. Check authentication → return error if not authenticated
2. Extract `tenantId` from session → return error if missing
3. Validate `N8N_SYNC_WEBHOOK_URL` exists → return error if not configured
4. Send POST request to webhook
5. Return success/error based on response
#### n8n Webhook Contract (External)
**Endpoint**: `process.env.N8N_SYNC_WEBHOOK_URL` (configured in Dokploy)
**Method**: POST
**Headers**: `Content-Type: application/json`
**Body**:
```json
{
"tenantId": "00000000-0000-0000-0000-000000000000",
"source": "manual_trigger",
"triggeredAt": "2025-12-06T12:00:00.000Z"
}
```
**Response**:
- Success: HTTP 200-299 (body irrelevant)
- Failure: HTTP 400+ (triggers error toast)
### Component Design
#### SyncButton Component
**File**: `components/search/SyncButton.tsx`
**Props**: None (uses Server Action directly)
**State**:
- `isPending` (from `useTransition()`) - tracks request in progress
**UI States**:
1. **Idle**: "Sync Policies" with RefreshCw icon
2. **Loading**: "Syncing..." with spinning RefreshCw icon, button disabled
3. **Success**: Returns to idle, shows green toast
4. **Error**: Returns to idle, shows red toast
**Styling**: Shadcn Button component with default variant
### Page Integration
**File**: `app/(app)/search/page.tsx`
**Change**: Add `<SyncButton />` in CardHeader, positioned right of title/description using flexbox.
```tsx
<CardHeader>
<div className="flex items-center justify-between">
<div>
<CardTitle>Global Policy Search</CardTitle>
<CardDescription>...</CardDescription>
</div>
<SyncButton />
</div>
</CardHeader>
```
## Phase 2: Implementation Tasks
**Status**: ✅ All tasks completed
### Task Breakdown (Already Implemented)
#### T001: Environment Variable Setup
- [x] Add `N8N_SYNC_WEBHOOK_URL: z.string().optional()` to `lib/env.mjs` server schema
- [x] Document in `.env.example` (if exists) or README
#### T002: Server Action Implementation
- [x] Import `env` from `lib/env.mjs` in `lib/actions/policySettings.ts`
- [x] Create `triggerPolicySync()` async function with 'use server'
- [x] Add authentication check with `getUserAuth()`
- [x] Extract tenant ID from session with error handling
- [x] Validate webhook URL exists
- [x] Implement fetch POST request with try/catch
- [x] Return typed success/error response
#### T003: SyncButton Component
- [x] Create `components/search/SyncButton.tsx` as 'use client' component
- [x] Import Button from `@/components/ui/button`
- [x] Import RefreshCw icon from `lucide-react`
- [x] Import `triggerPolicySync` action
- [x] Import `toast` from `sonner`
- [x] Implement `useTransition()` for pending state
- [x] Create `handleSync` function calling Server Action
- [x] Add toast notifications for success/error
- [x] Render button with conditional icon spin animation
- [x] Disable button when `isPending` is true
#### T004: Page Integration
- [x] Import `SyncButton` in `app/(app)/search/page.tsx`
- [x] Modify CardHeader to use flexbox layout
- [x] Position button right of title/description
- [x] Verify responsive layout on mobile
#### T005: Testing & Validation
- [x] Test button click without webhook URL configured → error toast ✅
- [x] Test button click when not authenticated → error toast ✅
- [x] Test button click with valid webhook → success toast ✅
- [x] Test rapid button clicks → only one request sent ✅
- [x] Test network error simulation → error toast ✅
- [x] Verify tenant ID extracted correctly from session ✅
#### T006: Documentation
- [x] Update feature spec with actual implementation
- [x] Document N8N_SYNC_WEBHOOK_URL in environment variables
- [x] Add deployment notes for Dokploy configuration
- [x] Create this implementation plan
## Deployment Checklist
- [x] Code committed to `002-manual-policy-sync` branch
- [x] Feature spec and plan documented
- [ ] **TODO**: Set `N8N_SYNC_WEBHOOK_URL` in Dokploy environment variables
- [ ] **TODO**: Merge to `main` branch
- [ ] **TODO**: Deploy to production
- [ ] **TODO**: Verify button appears on `/search` page
- [ ] **TODO**: Test manual sync trigger in production
## Implementation Notes
### Key Decisions
1. **No rate limiting**: Decided against implementing rate limiting (e.g., 1 sync per 5 min) because:
- n8n can handle duplicate requests
- User feedback (loading state) discourages rapid clicks
- Can add later if abuse occurs
2. **No sync status tracking**: Feature only confirms sync was triggered, doesn't show progress because:
- Intune API sync is async and can take minutes
- Would require polling or WebSocket complexity
- Out of scope for MVP (marked in spec)
3. **Environment variable optional**: Made `N8N_SYNC_WEBHOOK_URL` optional (not required) because:
- Allows Docker build without secret
- Runtime check provides clear error message
- Follows pattern of other optional env vars
4. **Client component for button**: Had to use 'use client' despite server-first principle because:
- Need `useTransition()` for loading state
- Toast notifications run client-side
- Server Action called from client follows Next.js patterns
### Security Considerations
- ✅ Tenant ID extracted from authenticated session (not user input)
- ✅ Server Action validates auth before any operations
- ✅ Webhook URL not exposed to client (server-side env var)
- ✅ No CSRF risk (Server Action has built-in protection)
- ✅ No SQL injection risk (no database writes)
### Performance Considerations
- ✅ Webhook request non-blocking (doesn't wait for Intune sync)
- ✅ UI feedback immediate (< 1s to show loading state)
- ✅ No database queries (reads session from NextAuth)
- ✅ Button disabled prevents duplicate requests
- ✅ Minimal bundle size (lucide-react tree-shaken, sonner already loaded)
## Testing Strategy
### Manual Testing (Completed)
1. **Happy Path**:
- Login → Navigate to /search → Click "Sync Policies" → See "Syncing..." → See success toast
- Verify n8n receives webhook with correct tenant ID
2. **Error Cases**:
- Not authenticated → Error toast
- No tenant ID in session → Error toast
- Webhook URL not configured → Error toast
- Network error → Error toast
- Webhook returns 500 → Error toast
3. **UI/UX**:
- Button shows loading spinner
- Button disabled during sync
- Rapid clicks don't send multiple requests
- Mobile responsive layout
### Future Testing (Out of Scope for MVP)
- E2E test with Playwright
- Unit test for Server Action
- Integration test with mock n8n webhook
- Load test for concurrent sync requests
## Known Limitations
1. **No sync progress**: User only gets confirmation sync started, not when it completes
2. **No last sync timestamp**: UI doesn't show when data was last synced
3. **No rate limiting**: User could theoretically spam the button (mitigated by loading state)
4. **No tenant-specific sync**: Always syncs all policies, can't select specific ones
5. **No webhook retry**: If webhook fails, user must click again (no automatic retry)
## Next Steps (Post-MVP)
1. **Add sync history**: Track when syncs were triggered in database
2. **Show last sync time**: Display on search page "Last synced: 5 minutes ago"
3. **Add rate limiting**: Prevent syncs more frequently than once per 5 minutes
4. **Add sync status polling**: Show progress while Intune data is being fetched
5. **Add sync notifications**: Email/toast when sync completes (async)
## References
- Feature Spec: [spec.md](./spec.md)
- Requirements Checklist: [checklists/requirements.md](./checklists/requirements.md)
- Similar Feature: [specs/001-global-policy-search/](../001-global-policy-search/)
- Constitution: [.specify/memory/constitution.md](../../.specify/memory/constitution.md)

120
specs/002-manual-policy-sync/spec.md
View File

@ -1,120 +0,0 @@
# Feature Specification: Manual Policy Sync Button
**Feature Branch**: `002-manual-policy-sync`
**Created**: 2025-12-06
**Status**: Draft
**Input**: User description: "Manual Policy Sync Button - Allow admins to trigger immediate policy synchronization from Intune without waiting for scheduled sync"
## User Scenarios & Testing *(mandatory)*
### User Story 1 - Trigger Immediate Sync (Priority: P1)
An IT administrator has just made changes to an Intune policy and wants to see those changes reflected in TenantPilot immediately without waiting for the scheduled nightly sync.
**Why this priority**: Core functionality that directly addresses the pain point of waiting for scheduled syncs. Delivers immediate value and is the primary reason for this feature.
**Independent Test**: Admin can click "Sync Policies" button on search page, receives confirmation that sync started, and n8n workflow is triggered for their tenant.
**Acceptance Scenarios**:
1. **Given** an authenticated admin is on the `/search` page, **When** they click the "Sync Policies" button, **Then** the button shows a loading state with "Syncing..." text and a spinner
2. **Given** a sync request is successfully sent to n8n, **When** the request completes, **Then** a success toast message appears saying "Policy sync triggered successfully"
3. **Given** an authenticated admin with a valid tenant ID, **When** they trigger a sync, **Then** the n8n webhook receives a POST request with their tenant ID and source "manual_trigger"
---
### User Story 2 - Handle Sync Errors Gracefully (Priority: P2)
When the sync cannot be triggered (network error, webhook down, etc.), the admin needs clear feedback about what went wrong.
**Why this priority**: Essential for production reliability. Without error handling, users won't know if sync failed and may think it succeeded.
**Independent Test**: Can be tested by simulating webhook failures (wrong URL, network timeout) and verifying error messages appear.
**Acceptance Scenarios**:
1. **Given** the n8n webhook is unreachable, **When** admin clicks "Sync Policies", **Then** an error toast appears with message "Failed to trigger sync. Please try again later."
2. **Given** a sync request fails, **When** the error occurs, **Then** the button returns to its normal state (not stuck in loading)
3. **Given** user is not authenticated, **When** they attempt to trigger sync, **Then** they receive "Not authenticated" error
---
### User Story 3 - Prevent Multiple Simultaneous Syncs (Priority: P3)
Admin should not be able to trigger multiple syncs simultaneously for the same tenant to avoid duplicate processing.
**Why this priority**: Nice-to-have for UX polish. Prevents confusion but not critical for MVP since n8n workflows can handle duplicates.
**Independent Test**: Click sync button multiple times rapidly and verify only one request is sent, button stays disabled during processing.
**Acceptance Scenarios**:
1. **Given** a sync is in progress, **When** admin clicks the button again, **Then** the button remains disabled and no additional request is sent
2. **Given** a sync completes (success or error), **When** the toast dismisses, **Then** the button becomes clickable again
---
### Edge Cases
- What happens when user's session has no tenant ID? (Show error: "No tenant ID found in session")
- What happens when N8N_SYNC_WEBHOOK_URL environment variable is not configured? (Show error: "Sync webhook not configured")
- What happens when n8n webhook returns non-200 status? (Log error, show user-friendly message)
- What happens if user navigates away while sync is in progress? (No issue - webhook call already sent, no cleanup needed)
## Requirements *(mandatory)*
### Functional Requirements
- **FR-001**: System MUST provide a "Sync Policies" button on the `/search` page visible to authenticated users
- **FR-002**: System MUST validate user authentication before allowing sync trigger
- **FR-003**: System MUST extract tenant ID from user session and include it in webhook payload
- **FR-004**: System MUST send POST request to n8n webhook with JSON body containing `{ tenantId, source: "manual_trigger", triggeredAt: ISO timestamp }`
- **FR-005**: System MUST show loading state (spinner + "Syncing..." text) while request is in progress
- **FR-006**: System MUST display success toast notification when sync is triggered successfully
- **FR-007**: System MUST display error toast notification when sync fails with user-friendly error message
- **FR-008**: System MUST disable button during sync operation to prevent duplicate requests
- **FR-009**: System MUST log sync errors to console for debugging
- **FR-010**: System MUST validate that N8N_SYNC_WEBHOOK_URL environment variable is configured before attempting request
### Key Entities *(include if feature involves data)*
- **Sync Request**: Represents a manual sync trigger event
- Attributes: tenantId (from session), source ("manual_trigger"), triggeredAt (ISO timestamp)
- Sent to n8n webhook, not persisted in database
- Used for audit trail in n8n workflow logs
## Success Criteria *(mandatory)*
### Measurable Outcomes
- **SC-001**: Admin can trigger policy sync with single button click from search page
- **SC-002**: Sync request reaches n8n webhook within 2 seconds of button click
- **SC-003**: Admin receives visual feedback (loading state + toast) within 1 second of clicking button
- **SC-004**: Error scenarios (network failure, missing config) show clear error messages to user
- **SC-005**: Button correctly handles rapid multiple clicks without sending duplicate requests
- **SC-006**: 100% of sync triggers include correct tenant ID from authenticated user's session
## Assumptions
- N8N_SYNC_WEBHOOK_URL will be configured in environment variables before feature deployment
- n8n workflow already exists and can handle manual sync requests (separate from scheduled sync)
- Webhook endpoint accepts POST requests with JSON body
- Tenant ID is always available in authenticated user's session (handled by existing auth logic)
- No database changes required - this is a client-side UI + server action feature
- Sync is asynchronous - user doesn't wait for actual Intune data fetch to complete
## Dependencies
- Existing authentication system (NextAuth with tenant ID in session)
- Existing server actions infrastructure (`lib/actions/policySettings.ts`)
- Existing UI components (Shadcn Button, Toast from sonner)
- n8n webhook endpoint must be deployed and accessible
- Environment variable validation system (`lib/env.mjs`)
## Out of Scope
- Showing sync progress or status (user only gets confirmation that sync was triggered)
- Displaying last sync timestamp on the page
- Limiting sync frequency (e.g., rate limiting to once per 5 minutes)
- Syncing specific policies (all policies for tenant are synced)
- Admin controls for other tenants (admin can only sync their own tenant)

318
specs/002-manual-policy-sync/tasks.md
View File

@ -1,318 +0,0 @@
---
description: "Task list for Manual Policy Sync Button feature"
---
# Tasks: Manual Policy Sync Button
**Branch**: `002-manual-policy-sync`
**Input**: [plan.md](./plan.md), [spec.md](./spec.md)
**Status**: ✅ **COMPLETED** (Documenting for record)
**Tests**: No test tasks included - manual testing only for this feature (as specified in plan.md)
**Organization**: Tasks organized by user story to enable independent implementation and testing
## Format: `- [ ] [ID] [P?] [Story] Description`
- **[P]**: Can run in parallel (different files, no dependencies)
- **[Story]**: Which user story this task belongs to (US1, US2, US3)
- Paths are absolute from repository root
---
## Phase 1: Setup (Shared Infrastructure)
**Purpose**: Configure environment and prepare existing codebase
- [x] T001 Add N8N_SYNC_WEBHOOK_URL to lib/env.mjs server schema with z.string().optional()
- [x] T002 [P] Verify existing authentication extracts tenantId in lib/auth/utils.ts
- [x] T003 [P] Confirm Shadcn Button and Toast (sonner) are available
**Status**: ✅ Complete - No new project setup needed, leveraging existing infrastructure
---
## Phase 2: Foundational (Blocking Prerequisites)
**Purpose**: Core infrastructure that MUST be complete before ANY user story can be implemented
**⚠️ CRITICAL**: No user story work can begin until this phase is complete
- [x] T004 Verify NextAuth session includes tenantId field (already implemented in previous feature)
- [x] T005 Verify getUserAuth() server action exists in lib/auth/utils.ts
- [x] T006 Confirm fetch() is available for webhook calls (Node.js built-in)
**Status**: ✅ Complete - All foundational pieces already exist from 001-global-policy-search feature
**Checkpoint**: Foundation ready - user story implementation can now begin in parallel
---
## Phase 3: User Story 1 - Trigger Immediate Sync (Priority: P1) 🎯 MVP
**Goal**: Admin can click button to trigger n8n webhook for immediate policy sync
**Independent Test**: Login → /search page → Click "Sync Policies" → Success toast appears → n8n receives POST with tenantId
### Implementation for User Story 1
- [x] T007 [P] [US1] Create SyncButton component in components/search/SyncButton.tsx
- [x] T008 [P] [US1] Implement triggerPolicySync() Server Action in lib/actions/policySettings.ts
- [x] T009 [US1] Add authentication check with getUserAuth() in triggerPolicySync()
- [x] T010 [US1] Extract tenantId from session with null check
- [x] T011 [US1] Validate N8N_SYNC_WEBHOOK_URL environment variable exists
- [x] T012 [US1] Implement fetch POST request to webhook with JSON body
- [x] T013 [US1] Add useTransition() hook in SyncButton for loading state
- [x] T014 [US1] Implement handleSync function calling Server Action
- [x] T015 [US1] Add success toast notification "Policy sync triggered successfully"
- [x] T016 [US1] Render Button with RefreshCw icon from lucide-react
- [x] T017 [US1] Integrate SyncButton into app/(app)/search/page.tsx CardHeader
- [x] T018 [US1] Position button right of title using flexbox (justify-between)
**Files Modified**:
- ✅ `lib/env.mjs` - Added N8N_SYNC_WEBHOOK_URL
- ✅ `lib/actions/policySettings.ts` - Added triggerPolicySync() function
- ✅ `components/search/SyncButton.tsx` - Created new component
- ✅ `app/(app)/search/page.tsx` - Integrated SyncButton
**Checkpoint**: ✅ User Story 1 is fully functional and testable independently
---
## Phase 4: User Story 2 - Handle Sync Errors Gracefully (Priority: P2)
**Goal**: Admin receives clear error feedback when sync fails
**Independent Test**: Simulate webhook failure (wrong URL, network error) → Error toast appears with user-friendly message
### Implementation for User Story 2
- [x] T019 [US2] Add try-catch block in triggerPolicySync() to handle network errors
- [x] T020 [US2] Return error response when session.user is null ("Not authenticated")
- [x] T021 [US2] Return error response when tenantId is null ("No tenant ID found in session")
- [x] T022 [US2] Return error response when N8N_SYNC_WEBHOOK_URL is not configured ("Sync webhook not configured")
- [x] T023 [US2] Check webhook response status and throw error if not ok
- [x] T024 [US2] Add error toast notification in SyncButton handleSync catch block
- [x] T025 [US2] Add console.error logging in triggerPolicySync() for debugging
- [x] T026 [US2] Ensure button returns to normal state after error (useTransition handles this)
**Files Modified**:
- ✅ `lib/actions/policySettings.ts` - Added comprehensive error handling
- ✅ `components/search/SyncButton.tsx` - Added error toast display
**Checkpoint**: ✅ User Stories 1 AND 2 both work independently with proper error handling
---
## Phase 5: User Story 3 - Prevent Multiple Simultaneous Syncs (Priority: P3)
**Goal**: Button prevents duplicate requests during sync operation
**Independent Test**: Click button rapidly multiple times → Only one request sent, button stays disabled
### Implementation for User Story 3
- [x] T027 [US3] Add disabled prop to Button based on isPending state
- [x] T028 [US3] Conditionally render "Syncing..." text when isPending is true
- [x] T029 [US3] Add animate-spin class to RefreshCw icon when isPending is true
- [x] T030 [US3] Verify useTransition() prevents multiple simultaneous calls
**Files Modified**:
- ✅ `components/search/SyncButton.tsx` - Added disabled state and loading UI
**Checkpoint**: ✅ All user stories (1, 2, 3) are independently functional with proper UX
---
## Phase 6: Polish & Cross-Cutting Concerns
**Purpose**: Final touches and production readiness
- [x] T031 Test button on mobile responsive layout
- [x] T032 Verify button styling matches existing search page design
- [x] T033 Test with missing N8N_SYNC_WEBHOOK_URL → Error toast appears
- [x] T034 Test with unauthenticated user → Error toast appears
- [x] T035 Test with mock webhook success → Success toast appears
- [x] T036 Document N8N_SYNC_WEBHOOK_URL in deployment notes
- [x] T037 Commit changes to 002-manual-policy-sync branch
- [x] T038 Create specification and plan documentation
**Status**: ✅ Complete - All polish tasks finished
---
## Deployment Checklist
- [x] All tasks completed (T001-T038)
- [x] Code committed to feature branch
- [x] Specification (spec.md) created
- [x] Implementation plan (plan.md) created
- [x] Tasks (tasks.md) documented
- [ ] **TODO**: Configure N8N_SYNC_WEBHOOK_URL in Dokploy environment variables
- [ ] **TODO**: Merge 002-manual-policy-sync → main
- [ ] **TODO**: Deploy to production
- [ ] **TODO**: Verify button appears on /search page in production
- [ ] **TODO**: Test manual sync trigger with real n8n webhook
---
## Dependencies Between Tasks
**Legend**: `→` means "depends on"
```text
Setup Phase:
T001, T002, T003 → [Can run in parallel]
Foundational Phase:
T004, T005, T006 → [Already complete from previous work]
User Story 1 (Core Sync):
T007 [SyncButton UI] → T013-T018 [UI refinements]
T008 [Server Action] → T009-T012 [Action logic]
T007, T008 → T017 [Page integration]
User Story 2 (Error Handling):
T008 complete → T019-T025 [Add error cases]
T007 complete → T024, T026 [Error UI feedback]
User Story 3 (Prevent Duplicates):
T007, T013 complete → T027-T030 [Loading state enhancements]
```
**Parallel Opportunities**:
- Phase 1: All tasks (T001-T003) can run in parallel
- User Story 1: T007 (UI) and T008 (Server Action) can be built in parallel
- User Story 2: Error handling can be added to both files simultaneously
---
## Parallel Execution Examples
### Example 1: User Story 1 (Two Developers)
**Developer A** (Frontend):
```bash
# Create SyncButton component
- T007: components/search/SyncButton.tsx (stub Server Action call)
- T013-T016: Add loading state, toast, button rendering
- T017-T018: Integrate into search page
```
**Developer B** (Backend):
```bash
# Create Server Action
- T008: lib/actions/policySettings.ts (stub return success)
- T009-T012: Add auth check, tenant ID extraction, webhook call
```
**Integration**: Once both T007 and T008 are complete, connect them together
### Example 2: User Story 2 (One Developer)
```bash
# Add error handling after US1 is complete
- T019-T023: Server Action error cases (5 min each)
- T024-T026: UI error handling (5 min each)
- Total time: ~30 minutes
```
---
## Implementation Strategy
### MVP-First Approach
**MVP = User Story 1 ONLY (P1)**:
- Admin can click button
- Button shows loading state
- Success toast appears
- n8n receives webhook
This delivers immediate value and can be shipped independently.
### Incremental Delivery
**Release 1**: User Story 1 (P1) - Core sync functionality
**Release 2**: Add User Story 2 (P2) - Error handling
**Release 3**: Add User Story 3 (P3) - UX polish
Each release is independently valuable and deployable.
---
## Testing Notes
**Manual Testing Checklist** (from plan.md):
**Happy Path**:
- [x] Login → /search → Click "Sync Policies" → Loading state → Success toast
- [x] Verify n8n receives POST with correct tenantId
**Error Cases**:
- [x] Not authenticated → Error toast
- [x] No tenantId in session → Error toast
- [x] Webhook URL not configured → Error toast
- [x] Network error → Error toast
- [x] Webhook returns 500 → Error toast
**UI/UX**:
- [x] Button shows spinner during sync
- [x] Button disabled during sync
- [x] Rapid clicks don't send duplicates
- [x] Mobile responsive
**No automated tests for this feature** - manual testing deemed sufficient for MVP (as per plan.md).
---
## Task Summary
**Total Tasks**: 38
**Completed**: 38 ✅
**Remaining**: 0
**Tasks by User Story**:
- Setup: 3 tasks
- Foundational: 3 tasks
- User Story 1 (P1): 12 tasks
- User Story 2 (P2): 8 tasks
- User Story 3 (P3): 4 tasks
- Polish: 8 tasks
**Parallel Opportunities**: 15 tasks marked [P] can run in parallel
**Critical Path**: Setup → Foundational → US1 core (T007-T012) → US2 errors → US3 UX → Polish
**Estimated Implementation Time** (if starting from scratch):
- Setup: 15 minutes
- Foundational: 0 minutes (already done)
- User Story 1: 2 hours
- User Story 2: 30 minutes
- User Story 3: 20 minutes
- Polish: 30 minutes
- **Total**: ~3.5 hours
**Actual Time**: Already completed ✅
---
## Next Feature Recommendations
Based on this implementation, consider these follow-up features:
1. **Sync History Tracking** (new spec)
- Track when syncs were triggered
- Display last sync timestamp on search page
- Show sync status (pending, success, failed)
2. **Rate Limiting** (enhancement to 002)
- Prevent syncs more frequently than once per 5 minutes
- Show countdown timer until next sync allowed
3. **Bulk Tenant Sync** (admin feature)
- Allow platform admins to trigger sync for all tenants
- New admin dashboard page
- Requires admin role system
These can each be separate feature specs following the same workflow.

42
specs/003-policy-explorer-ux/checklists/requirements.md
View File

@ -1,42 +0,0 @@
# Specification Quality Checklist: Policy Explorer UX Upgrade
**Purpose**: Validate specification completeness and quality before proceeding to planning
**Created**: 2025-12-07
**Feature**: [spec.md](../spec.md)
## Content Quality
- [x] No implementation details (languages, frameworks, APIs)
- [x] Focused on user value and business needs
- [x] Written for non-technical stakeholders
- [x] All mandatory sections completed
## Requirement Completeness
- [x] No [NEEDS CLARIFICATION] markers remain
- [x] Requirements are testable and unambiguous
- [x] Success criteria are measurable
- [x] Success criteria are technology-agnostic (no implementation details)
- [x] All acceptance scenarios are defined
- [x] Edge cases are identified
- [x] Scope is clearly bounded
- [x] Dependencies and assumptions identified
## Feature Readiness
- [x] All functional requirements have clear acceptance criteria
- [x] User scenarios cover primary flows
- [x] Feature meets measurable outcomes defined in Success Criteria
- [x] No implementation details leak into specification
## Notes
All checklist items pass. Specification is complete and ready for planning phase (`/speckit.plan`).
**Validation Summary**:
- ✅ 4 prioritized user stories (P1, P2, P3) with clear acceptance scenarios
- ✅ 11 functional requirements (FR-001 to FR-011), all testable
- ✅ 6 success criteria (SC-001 to SC-006), all measurable and technology-agnostic
- ✅ Edge cases documented (JSON size, rapid clicks, missing timestamps, special characters)
- ✅ Assumptions section complete (no DB changes, extend existing server actions, UI components available)
- ✅ No [NEEDS CLARIFICATION] markers - all decisions made with reasonable defaults

450
specs/003-policy-explorer-ux/plan.md
View File

@ -1,450 +0,0 @@
# Implementation Plan: Policy Explorer UX Upgrade
**Branch**: `003-policy-explorer-ux` | **Date**: 2025-12-07 | **Spec**: [spec.md](./spec.md)
**Status**: Planning Phase
## Summary
Transform the existing global policy search (`/search`) into a comprehensive Policy Explorer with improved UX: show 50 newest policies by default (no empty state), filter out null values automatically, add clickable rows with detail sheet for JSON formatting, improve visual hierarchy with policy type badges, and consolidate navigation.
**Technical Approach**: Extend existing `searchPolicySettings` Server Action with optional `limit` parameter and null-value filtering. Create new `PolicyDetailSheet` component using Shadcn Sheet. Refactor search page to be a Server Component that loads initial data, with client components for interactive features (search, detail sheet). Replace `/search` route with `/policy-explorer` and update navigation.
## Technical Context
**Language/Version**: TypeScript 5.x strict mode
**Primary Dependencies**: Next.js 16.0.3 App Router, Drizzle ORM 0.44.7, Shadcn UI, NextAuth.js 4.24.13, date-fns 4.x
**Storage**: PostgreSQL (no schema changes required)
**Testing**: Manual testing + E2E tests with Playwright (if applicable)
**Target Platform**: Docker containers (standalone build), web browsers
**Project Type**: Web application (Next.js App Router)
**Performance Goals**: Initial load < 2s, detail sheet open < 300ms, search response < 2s
**Constraints**: Server-first architecture (Server Actions + Server Components), Azure AD multi-tenant auth, no client-side fetches
**Scale/Scope**: Multi-tenant SaaS, 1000+ policy settings per tenant, 100+ concurrent users
## Constitution Check
*GATE: Must pass before Phase 0 research. Re-check after Phase 1 design.*
- [x] Uses Next.js App Router with Server Actions (no client-side fetches)
- [x] TypeScript strict mode enabled (strict: true in tsconfig.json)
- [x] Drizzle ORM for all database operations (extends existing queries)
- [x] Shadcn UI for all new components (Sheet, Badge components)
- [x] Azure AD multi-tenant authentication (uses existing session)
- [x] Docker deployment with standalone build (no special config needed)
**Constitution Compliance**: ✅ All requirements met - feature extends existing patterns
## Project Structure
### Documentation (this feature)
```text
specs/003-policy-explorer-ux/
├── spec.md # Feature specification (✅ completed)
├── plan.md # This file (implementation plan)
├── research.md # Phase 0 output (research findings)
├── data-model.md # Phase 1 output (no DB changes, documents filtering logic)
├── quickstart.md # Phase 1 output (developer setup guide)
├── contracts/ # Phase 1 output (API contracts)
│ └── server-actions.md # Server Action signatures
├── checklists/
│ └── requirements.md # Specification quality checklist (✅ completed)
└── tasks.md # Phase 2 output (NOT created by this plan)
```
### Source Code (repository root)
```text
# Existing files to modify
lib/
├── actions/
│ └── policySettings.ts # [MODIFY] Add getRecentPolicySettings(), extend searchPolicySettings()
└── db/
└── schema/
└── policySettings.ts # [NO CHANGE] Uses existing schema
components/
├── search/
│ ├── SearchInput.tsx # [MODIFY] Add null-value filtering, refactor for new layout
│ ├── ResultsTable.tsx # [MODIFY] Add row click handler, hover styles, badge rendering
│ ├── EmptyState.tsx # [MODIFY] Update message for Policy Explorer context
│ └── SyncButton.tsx # [NO CHANGE] Keep existing sync functionality
└── ui/
├── sheet.tsx # [CHECK] Verify Shadcn Sheet installed, add if missing
└── badge.tsx # [CHECK] Verify Shadcn Badge installed, add if missing
app/
└── (app)/
├── search/
│ └── page.tsx # [REFACTOR] Convert to Server Component with initial data load
└── policy-explorer/
└── page.tsx # [NEW] New route (may redirect from /search or replace it)
config/
└── nav.ts # [MODIFY] Replace "Search" with "Policy Explorer", remove "All Settings"
# New files to create
components/
└── policy-explorer/
├── PolicyDetailSheet.tsx # [NEW] Slide-over detail view for policy settings
├── PolicyTable.tsx # [NEW] Refactored table with click handlers and badges
└── PolicySearchContainer.tsx # [NEW] Client wrapper for search functionality
```
**Structure Decision**: Single Next.js project following existing App Router patterns. New components under `components/policy-explorer/` to distinguish from legacy `/search` components. Route can either replace `/search` or create new `/policy-explorer` route (decision in Phase 1).
## Phase 0: Research & Unknowns Resolution
**Status**: 🔄 In Progress
### Research Questions
#### R001: How to implement Server Component with initial data load + client search?
**Decision**: NEEDS CLARIFICATION
- **Option A**: Server Component page fetches initial 50 entries, passes to Client Component wrapper
- **Option B**: Separate Server Component for table + Client Component for search (parallel composition)
- **Research needed**: Next.js 16 patterns for mixing Server/Client with initial data + user interactions
#### R002: How to filter null values - backend or frontend?
**Decision**: NEEDS CLARIFICATION
- **Option A**: Backend filter in Drizzle query (`ne(policySettings.settingValue, "null")`)
- **Option B**: Frontend filter after Server Action returns data
- **Option C**: Hybrid - backend for initial load, frontend for search results
- **Research needed**: Performance implications of filtering 1000+ records, indexing considerations
#### R003: How to format JSON in detail sheet?
**Decision**: NEEDS CLARIFICATION
- **Option A**: Use `JSON.parse()` + `JSON.stringify(parsed, null, 2)` with `<pre>` tag
- **Option B**: Install syntax highlighter like `react-syntax-highlighter` or `prism-react-renderer`
- **Option C**: Use browser-native `<code>` with Tailwind prose styles
- **Research needed**: Bundle size impact, accessibility of code blocks, whether syntax highlighting is needed for MVP
#### R004: Badge color mapping for policy types?
**Decision**: NEEDS CLARIFICATION
- **Option A**: Hardcode mapping (Compliance=blue, Configuration=gray, Security=red)
- **Option B**: Dynamic hashing (hash policyType string to generate consistent color)
- **Option C**: Store colors in database (requires schema change - violates spec)
- **Research needed**: Actual policy type values in production data, Shadcn Badge variant options
#### R005: Should `/search` route redirect to `/policy-explorer` or be replaced?
**Decision**: NEEDS CLARIFICATION
- **Option A**: Keep both routes, redirect `/search``/policy-explorer` (backwards compatibility)
- **Option B**: Replace `/search` entirely, update all internal links
- **Option C**: Keep `/search` as-is for now, create `/policy-explorer` as new route (migration path)
- **Research needed**: Check for external links to `/search` route, impact on bookmarks
#### R006: How to handle Sheet component state with Server Actions?
**Decision**: NEEDS CLARIFICATION
- **Option A**: Client Component manages open/close state, fetches detail via Server Action on open
- **Option B**: Pass full policy data to Sheet component on click (no additional fetch)
- **Option C**: Use URL params for selected policy ID (deep linking support)
- **Research needed**: Shadcn Sheet best practices, data freshness requirements
### Research Deliverables
- `research.md` documenting all decisions with rationale
- Code examples for Server/Client composition pattern
- Performance benchmarks for null-value filtering approaches
- Badge color mapping specification
## Phase 1: Design & Contracts
**Status**: ⏳ Pending Phase 0 completion
### Data Model
**No database schema changes required**. Feature uses existing `policySettings` table:
```typescript
// Existing schema (no modifications)
export const policySettings = pgTable('policy_settings', {
id: uuid('id').primaryKey().defaultRandom(),
tenantId: uuid('tenant_id').notNull(), // Multi-tenant isolation
policyName: text('policy_name').notNull(),
policyType: text('policy_type').notNull(),
settingName: text('setting_name').notNull(),
settingValue: text('setting_value').notNull(),
graphPolicyId: text('graph_policy_id'),
lastSyncedAt: timestamp('last_synced_at').notNull(),
createdAt: timestamp('created_at').notNull().defaultNow(),
});
```
**Filtering Logic** (to be documented in `data-model.md`):
- Null value detection: `settingValue === "null" || settingValue === null`
- Applied at: [TBD in Phase 0 - backend vs frontend]
- Performance impact: [TBD in Phase 0 - requires benchmarking]
### API Contracts
#### Server Action: `getRecentPolicySettings(limit?: number)`
**File**: `lib/actions/policySettings.ts` (new function)
```typescript
export async function getRecentPolicySettings(
limit: number = 50
): Promise<AllSettingsResult> {
// Returns: Recent policy settings, sorted by lastSyncedAt DESC
// Filters: tenantId (from session), exclude null values
// Security: Session validation, tenant isolation
}
```
**Contract**:
- **Input**: `limit` (optional, default 50, max 100)
- **Output**: `{ success: boolean, data?: PolicySettingSearchResult[], error?: string, totalCount?: number }`
- **Security**: Validates session, extracts tenantId, enforces tenant isolation
- **Performance**: Database query with LIMIT clause, DESC index on lastSyncedAt
#### Server Action: `searchPolicySettings(searchTerm: string, limit?: number)` [MODIFIED]
**File**: `lib/actions/policySettings.ts` (extend existing function)
**Changes**:
- Add optional `limit` parameter (default 100, max 200)
- Add null-value filtering (if backend approach chosen in Phase 0)
- Keep existing security and tenant isolation logic
#### Server Action: `getPolicySettingById(id: string)` [EXISTING]
**File**: `lib/actions/policySettings.ts` (already exists, line ~164)
**Usage**: Fetch full policy details for detail sheet (if on-click fetch approach chosen in Phase 0)
### Component Contracts
#### Component: `PolicyDetailSheet`
**File**: `components/policy-explorer/PolicyDetailSheet.tsx` (new)
**Props**:
```typescript
interface PolicyDetailSheetProps {
policy: PolicySettingSearchResult | null;
open: boolean;
onOpenChange: (open: boolean) => void;
}
```
**Features**:
- Shadcn Sheet component (slide-over from right)
- JSON detection: `settingValue.trim().startsWith('{') || settingValue.trim().startsWith('[')`
- JSON formatting: `JSON.stringify(JSON.parse(value), null, 2)` with error handling
- Fallback: Display as plain text if JSON.parse fails
#### Component: `PolicyTable`
**File**: `components/policy-explorer/PolicyTable.tsx` (new, refactored from ResultsTable.tsx)
**Props**:
```typescript
interface PolicyTableProps {
policies: PolicySettingSearchResult[];
onRowClick: (policy: PolicySettingSearchResult) => void;
}
```
**Features**:
- Badge rendering for `policyType` column
- Row hover effect: `hover:bg-accent cursor-pointer`
- Click handler on TableRow
- Date formatting with `date-fns` (existing dependency)
#### Component: `PolicySearchContainer`
**File**: `components/policy-explorer/PolicySearchContainer.tsx` (new)
**Props**:
```typescript
interface PolicySearchContainerProps {
initialPolicies: PolicySettingSearchResult[];
}
```
**Features**:
- Client Component wrapper ('use client')
- Manages search state and detail sheet state
- Calls `searchPolicySettings` Server Action on user input
- Filters null values (if frontend approach chosen in Phase 0)
- Renders SearchInput + PolicyTable + PolicyDetailSheet
### Page Design
#### Page: `/policy-explorer` (or refactored `/search`)
**File**: `app/(app)/policy-explorer/page.tsx` (new) or `app/(app)/search/page.tsx` (refactor)
**Composition**:
```tsx
export default async function PolicyExplorerPage() {
// Server Component - fetches initial data
const initialData = await getRecentPolicySettings(50);
return (
<main>
<Card>
<CardHeader>
<CardTitle>Policy Explorer</CardTitle>
<CardDescription>Browse and search Intune policy settings</CardDescription>
<SyncButton /> {/* Keep existing sync button */}
</CardHeader>
<CardContent>
<PolicySearchContainer initialPolicies={initialData.data ?? []} />
</CardContent>
</Card>
</main>
);
}
```
**Flow**:
1. Server Component fetches initial 50 policies (no search term)
2. Passes to Client Component as props
3. Client Component renders table with initial data
4. User searches → Client Component calls Server Action → Updates table
5. User clicks row → Client Component opens detail sheet
### Navigation Update
**File**: `config/nav.ts`
**Changes**:
- Replace `{ title: "Search", href: "/search" }` with `{ title: "Policy Explorer", href: "/policy-explorer" }`
- Remove `{ title: "All Settings", href: "/settings-overview" }` (if exists)
- Keep icon (or change to relevant icon like FileSearch or Database)
## Phase 2: Implementation Tasks
**Status**: ⏳ Pending Phase 1 completion
### Task Breakdown (High-Level)
#### Epic 1: Backend - Server Actions (P1)
- [ ] T001: Add `getRecentPolicySettings()` Server Action with null filtering
- [ ] T002: Extend `searchPolicySettings()` with optional limit parameter
- [ ] T003: Add null-value filtering to search results (if backend approach chosen)
- [ ] T004: Add unit tests for Server Actions
- [ ] T005: Verify tenant isolation in new query
#### Epic 2: Components - Detail Sheet (P1)
- [ ] T006: Install Shadcn Sheet component (if not present)
- [ ] T007: Install Shadcn Badge component (if not present)
- [ ] T008: Create `PolicyDetailSheet.tsx` with JSON detection logic
- [ ] T009: Create JSON formatting utility with error handling
- [ ] T010: Style Sheet component (width, padding, close button)
- [ ] T011: Test Sheet with various JSON structures (nested objects, arrays)
#### Epic 3: Components - Table & Search (P1)
- [ ] T012: Create `PolicyTable.tsx` with row click handlers
- [ ] T013: Add Badge rendering for policyType column
- [ ] T014: Add hover styles and cursor pointer to rows
- [ ] T015: Create `PolicySearchContainer.tsx` Client Component wrapper
- [ ] T016: Implement search state management (useTransition)
- [ ] T017: Implement detail sheet state management (open/close)
- [ ] T018: Add null-value filtering (if frontend approach chosen)
#### Epic 4: Page Refactor (P1)
- [ ] T019: Create or refactor page to Server Component pattern
- [ ] T020: Fetch initial 50 policies in Server Component
- [ ] T021: Pass initial data to Client Component
- [ ] T022: Update CardHeader title to "Policy Explorer"
- [ ] T023: Test page with no policies (empty state)
- [ ] T024: Test page with 50+ policies (initial load performance)
#### Epic 5: Navigation & Routing (P2)
- [ ] T025: Update `config/nav.ts` with new route
- [ ] T026: Remove "All Settings" menu item (if exists)
- [ ] T027: Decide on /search redirect vs replacement
- [ ] T028: Implement redirect or route replacement
- [ ] T029: Update internal links to use new route
#### Epic 6: Visual Improvements (P3)
- [ ] T030: Define policy type to badge color mapping
- [ ] T031: Implement badge color logic in PolicyTable
- [ ] T032: Test badge colors with production data
- [ ] T033: Add loading skeletons for table (optional)
- [ ] T034: Add empty state component for no results
#### Epic 7: Testing & Validation (All Priorities)
- [ ] T035: Manual test - Initial load shows 50 policies
- [ ] T036: Manual test - Null values filtered correctly
- [ ] T037: Manual test - Row click opens detail sheet
- [ ] T038: Manual test - JSON formatted in detail sheet
- [ ] T039: Manual test - Search filters null values
- [ ] T040: Manual test - Badge colors correct
- [ ] T041: E2E test - Page load and search flow
- [ ] T042: E2E test - Detail sheet open/close
- [ ] T043: Performance test - Initial load < 2s
- [ ] T044: Performance test - Detail sheet < 300ms
### Implementation Order
1. **Phase 2.1** (P1 Backend): T001-T005 (Server Actions)
2. **Phase 2.2** (P1 Components): T006-T011 (Detail Sheet) + T012-T018 (Table)
3. **Phase 2.3** (P1 Page): T019-T024 (Page refactor)
4. **Phase 2.4** (P2 Navigation): T025-T029 (Routing)
5. **Phase 2.5** (P3 Polish): T030-T034 (Visual improvements)
6. **Phase 2.6** (Testing): T035-T044 (Validation)
## Known Constraints
1. **No database migrations**: Feature must work with existing schema (✅ confirmed in spec)
2. **Server-first architecture**: All data fetching via Server Actions (✅ plan follows this)
3. **Backwards compatibility**: May need redirect from `/search` to `/policy-explorer` (TBD in Phase 1)
4. **Bundle size**: Must evaluate syntax highlighter libraries if chosen (TBD in Phase 0)
5. **Tenant isolation**: All queries must include tenantId filter (✅ existing pattern)
## Risk Assessment
| Risk | Impact | Mitigation |
|------|--------|------------|
| Null filtering on 1000+ records slow | High | Phase 0 benchmarking, backend index if needed |
| JSON.parse() fails on malformed data | Medium | Try/catch with fallback to plain text |
| Sheet component state management complex | Medium | Research Phase 0, follow Shadcn examples |
| Breaking change to `/search` route | Low | Implement redirect, communicate to users |
| Badge colors insufficient contrast | Low | Use Shadcn variants, test accessibility |
## Success Criteria Mapping
| Success Criterion (from spec) | Implementation |
|-------------------------------|----------------|
| SC-001: Initial load < 2s | Server Component with `getRecentPolicySettings(50)` + database indexes |
| SC-002: 100% valid values (no nulls) | Backend or frontend filtering (Phase 0 decision) |
| SC-003: Detail sheet < 300ms | Client-side state management, no additional data fetch |
| SC-004: JSON formatted correctly | `JSON.parse()` + `JSON.stringify()` with `<pre>` tag |
| SC-005: Badge colors distinguishable | Shadcn Badge variants, color mapping (Phase 1) |
| SC-006: Single "Policy Explorer" menu | Update `config/nav.ts`, remove "All Settings" |
## Deployment Checklist
- [ ] All Phase 0 research documented in `research.md`
- [ ] All Phase 1 contracts documented in `contracts/`
- [ ] Code committed to `003-policy-explorer-ux` branch
- [ ] Feature flag enabled (if applicable)
- [ ] Navigation updated in `config/nav.ts`
- [ ] Manual testing checklist completed
- [ ] E2E tests passing (if implemented)
- [ ] Performance benchmarks validated
- [ ] Merge to `development` branch
- [ ] Deploy to staging environment
- [ ] User acceptance testing
- [ ] Deploy to production
- [ ] Monitor performance metrics
- [ ] Gather user feedback
## Next Steps
1. **Immediate**: Complete Phase 0 research (resolve all NEEDS CLARIFICATION items)
2. **After Phase 0**: Generate `research.md` with documented decisions
3. **Phase 1**: Create `data-model.md`, `contracts/`, `quickstart.md`
4. **Phase 2**: Run `/speckit.tasks` to generate detailed task breakdown
5. **Implementation**: Execute tasks in priority order (P1 → P2 → P3)
## References
- Feature Spec: [spec.md](./spec.md)
- Requirements Checklist: [checklists/requirements.md](./checklists/requirements.md)
- Related Feature: [specs/001-global-policy-search/](../001-global-policy-search/) (base implementation)
- Related Feature: [specs/002-manual-policy-sync/](../002-manual-policy-sync/) (SyncButton component)
- Constitution: [.specify/memory/constitution.md](../../.specify/memory/constitution.md)
- Shadcn UI Sheet Docs: https://ui.shadcn.com/docs/components/sheet
- Shadcn UI Badge Docs: https://ui.shadcn.com/docs/components/badge

121
specs/003-policy-explorer-ux/spec.md
View File

@ -1,121 +0,0 @@
# Feature Specification: Policy Explorer UX Upgrade
**Feature Branch**: `003-policy-explorer-ux`
**Created**: 2025-12-07
**Status**: Draft
**Input**: User description: "Policy Explorer UX Upgrade - Improve global search UI with detail view, data filtering, and better UX"
## User Scenarios & Testing *(mandatory)*
### User Story 1 - Browse Recent Policies on Page Load (Priority: P1)
Als Intune-Admin möchte ich beim Öffnen des Policy Explorers sofort die neuesten 50 Policy-Einstellungen sehen, ohne erst einen Suchbegriff eingeben zu müssen.
**Why this priority**: Dies ist die Kernverbesserung des Features. Ein leerer Bildschirm ("Empty State") ist schlechte UX. Der User sollte sofort produktiv sein können und einen Überblick über die neuesten Änderungen erhalten.
**Independent Test**: Kann vollständig getestet werden durch Öffnen der `/policy-explorer` Seite ohne Suchbegriff. Liefert sofort Mehrwert, da Admins die neuesten Policies sehen können.
**Acceptance Scenarios**:
1. **Given** der Admin ist eingeloggt, **When** er die Policy Explorer Seite öffnet (ohne Suchbegriff), **Then** sieht er sofort eine Tabelle mit den 50 neuesten Policy-Einstellungen (sortiert nach `lastSyncedAt` DESC).
2. **Given** der Admin ist auf der Policy Explorer Seite, **When** die Seite lädt, **Then** werden Einträge mit `settingValue = "null"` oder `null` automatisch ausgeblendet.
3. **Given** es existieren keine Policy-Einstellungen für den Tenant, **When** die Seite lädt, **Then** sieht der Admin eine Nachricht "Keine Policies gefunden - Starten Sie einen Sync".
---
### User Story 2 - View Policy Details in Slide-Over Sheet (Priority: P1)
Als Intune-Admin möchte ich auf eine Policy-Zeile klicken können, um eine detaillierte Ansicht mit formatierten JSON-Werten zu sehen, damit ich komplexe OMA-URI Settings verstehen kann.
**Why this priority**: Dies löst das Hauptproblem des aktuellen Features - komplexe JSON-Werte sind in der Tabelle nicht lesbar. Die Detailansicht ist essenziell für produktive Nutzung.
**Independent Test**: Kann getestet werden durch Klick auf eine beliebige Tabellenzeile. Funktioniert unabhängig von der Suchfunktion.
**Acceptance Scenarios**:
1. **Given** der Admin sieht die Policy-Tabelle, **When** er auf eine Zeile klickt, **Then** öffnet sich ein Slide-Over Sheet von rechts mit den Policy-Details.
2. **Given** das Detail-Sheet ist geöffnet, **When** der `settingValue` ein JSON-String ist (startet mit `{` oder `[`), **Then** wird der Wert formatiert in einem Code-Block angezeigt.
3. **Given** das Detail-Sheet ist geöffnet, **When** der `settingValue` ein einfacher String ist, **Then** wird der Wert als normaler Text angezeigt.
4. **Given** das Detail-Sheet ist geöffnet, **When** der Admin auf "Schließen" (X) oder außerhalb des Sheets klickt, **Then** schließt sich das Sheet.
---
### User Story 3 - Search with Data Cleaning (Priority: P2)
Als Intune-Admin möchte ich nach Policies suchen können und dabei nur relevante Einträge sehen (ohne "null"-Werte), damit die Ergebnisse übersichtlich bleiben.
**Why this priority**: Die Suchfunktion existiert bereits (Feature 001-global-policy-search), muss aber nun ebenfalls die Datenfilterung respektieren. Dies ist P2, weil die Basisfunktionalität bereits vorhanden ist.
**Independent Test**: Kann getestet werden durch Eingabe eines Suchbegriffs und Verifizierung, dass keine "null"-Werte in den Ergebnissen erscheinen.
**Acceptance Scenarios**:
1. **Given** der Admin ist auf der Policy Explorer Seite, **When** er "USB" in das Suchfeld eingibt, **Then** sieht er nur Ergebnisse, die "USB" enthalten UND deren `settingValue` nicht "null" ist.
2. **Given** der Admin hat nach "Camera" gesucht, **When** er das Suchfeld leert, **Then** kehrt die Ansicht zu den 50 neuesten Einträgen zurück.
---
### User Story 4 - Improved Visual Hierarchy (Priority: P3)
Als Intune-Admin möchte ich Policy-Typen auf einen Blick durch farbige Badges unterscheiden können, damit ich schneller relevante Policies finde.
**Why this priority**: Dies ist eine visuelle Verbesserung, die die Usability erhöht, aber nicht funktional kritisch ist. Kann nach P1 und P2 implementiert werden.
**Independent Test**: Kann visuell getestet werden durch Ansehen der Tabelle und Verifizierung der Badge-Farben.
**Acceptance Scenarios**:
1. **Given** der Admin sieht die Policy-Tabelle, **When** er die `policyType` Spalte ansieht, **Then** sieht er farbige Badges (z.B. Compliance = Blau, Configuration = Grau, Security = Rot).
2. **Given** der Admin bewegt die Maus über eine Tabellenzeile, **When** die Zeile gehovered wird, **Then** ändert sich der Cursor zu `pointer` und die Zeile hebt sich visuell hervor.
---
### Edge Cases
- Was passiert, wenn ein `settingValue` ein sehr langer JSON-String ist (>10KB)? → Im Detail-Sheet scrollen mit `max-height` und `overflow-auto`.
- Wie verhält sich die Seite, wenn der User sehr schnell zwischen Zeilen klickt? → Debouncing oder Loading-State im Sheet.
- Was passiert, wenn `lastSyncedAt` fehlt? → Fallback auf `createdAt` oder "Unbekannt" anzeigen.
- Wie werden Sonderzeichen in JSON-Werten gehandelt? → Automatisches Escaping durch `JSON.parse()` und `<pre>` Tag.
## Requirements *(mandatory)*
### Functional Requirements
- **FR-001**: System MUSS eine neue Route `/policy-explorer` bereitstellen (ersetzt `/search`).
- **FR-002**: System MUSS beim Laden der Seite (ohne Suchbegriff) automatisch die 50 neuesten Policy-Einstellungen anzeigen (sortiert nach `lastSyncedAt` DESC).
- **FR-003**: System MUSS Einträge mit `settingValue = "null"` (String) oder `settingValue = null` (Wert) aus allen Ergebnissen filtern (Backend-Filter bevorzugt).
- **FR-004**: System MUSS die `policyType` Spalte als farbige Badge darstellen (Shadcn UI Badge Component).
- **FR-005**: System MUSS Tabellenzeilen klickbar machen (Cursor: pointer, Hover-Effekt).
- **FR-006**: System MUSS eine neue `PolicyDetailSheet` Komponente bereitstellen (Shadcn Sheet Component, Slide-Over von rechts).
- **FR-007**: System MUSS im Detail-Sheet prüfen, ob `settingValue` ein JSON-String ist (startet mit `{` oder `[`).
- **FR-008**: System MUSS JSON-Strings formatiert in einem Code-Block anzeigen (`<pre>` oder Syntax Highlighter).
- **FR-009**: System MUSS normale String-Werte als Text im Detail-Sheet anzeigen.
- **FR-010**: System MUSS den "All Settings" Menüpunkt entfernen (falls vorhanden) und durch "Policy Explorer" ersetzen.
- **FR-011**: System MUSS weiterhin die bestehende Suchfunktion unterstützen (mit Datenfilterung).
### Key Entities
- **PolicySetting**: Erweitert das bestehende Entity aus Feature 001-global-policy-search
- Alle bisherigen Attribute bleiben bestehen
- Keine Datenbankänderungen erforderlich
- Neue Frontend-Filterlogik: `settingValue !== "null" && settingValue !== null`
## Success Criteria *(mandatory)*
### Measurable Outcomes
- **SC-001**: Beim Öffnen der Policy Explorer Seite werden innerhalb von 2 Sekunden die 50 neuesten Einträge angezeigt.
- **SC-002**: 100% der angezeigten Einträge haben einen gültigen `settingValue` (nicht "null" oder `null`).
- **SC-003**: Klick auf eine Tabellenzeile öffnet das Detail-Sheet in unter 300ms.
- **SC-004**: JSON-Strings im Detail-Sheet sind korrekt formatiert und lesbar (mit Syntax Highlighting oder mindestens Zeilenumbrüchen).
- **SC-005**: Die `policyType` Badges sind visuell unterscheidbar (mindestens 3 verschiedene Farben für Compliance, Configuration, Security).
- **SC-006**: Die Navigation enthält nur noch einen Menüpunkt "Policy Explorer" (kein separater "All Settings" Eintrag mehr).
## Assumptions
- Die bestehende Datenbankstruktur aus Feature 001-global-policy-search wird nicht geändert.
- Die Server Action `searchPolicySettings` wird erweitert um einen optionalen `limit` Parameter (Default: 50).
- Shadcn UI Komponenten (Sheet, Badge) sind bereits im Projekt integriert.
- Die Route `/search` wird umbenannt zu `/policy-explorer` (oder beide bleiben bestehen mit Redirect).
- Die Filterung von "null"-Werten kann initial im Frontend erfolgen, sollte aber später ins Backend verschoben werden für Performance.
- Syntax Highlighting ist "Nice-to-have" - eine einfache `<pre>`-Darstellung reicht für MVP.

334
specs/003-policy-explorer-ux/tasks.md
View File

@ -1,334 +0,0 @@
# Tasks: Policy Explorer UX Upgrade
**Input**: Design documents from `/specs/003-policy-explorer-ux/`
**Prerequisites**: spec.md ✅, plan.md ✅
**Branch**: `003-policy-explorer-ux`
**Generated**: 2025-12-07
**Tests**: Tests are NOT included in this task list as they were not explicitly requested in the feature specification.
**Organization**: Tasks are grouped by user story to enable independent implementation and testing of each story.
## Format: `- [ ] [ID] [P?] [Story?] Description with file path`
- **[P]**: Can run in parallel (different files, no dependencies)
- **[Story]**: Which user story this task belongs to (US1, US2, US3, US4)
- File paths are absolute from repository root
---
## Phase 1: Setup (Shared Infrastructure)
**Purpose**: Verify prerequisites and install missing Shadcn UI components
- [X] T001 [P] Verify Shadcn Sheet component exists at `components/ui/sheet.tsx`, install if missing via `npx shadcn@latest add sheet`
- [X] T002 [P] Verify Shadcn Badge component exists at `components/ui/badge.tsx`, install if missing via `npx shadcn@latest add badge`
- [X] T003 Create new directory `components/policy-explorer/` for new feature components
---
## Phase 2: Foundational (Blocking Prerequisites)
**Purpose**: Core backend infrastructure that MUST be complete before ANY user story can be implemented
**⚠️ CRITICAL**: No user story work can begin until this phase is complete
### Backend Server Actions
- [X] T004 Add `getRecentPolicySettings(limit?: number)` Server Action in `lib/actions/policySettings.ts` - returns 50 newest policies sorted by lastSyncedAt DESC, filtered by tenantId and excluding null values
- [X] T005 Extend `searchPolicySettings()` Server Action in `lib/actions/policySettings.ts` - add optional `limit` parameter (default 100, max 200)
- [X] T006 Add null-value filtering logic to Server Actions - filter out entries where `settingValue === "null"` or `settingValue === null` (backend approach for performance)
- [X] T007 Add type exports for `PolicySettingSearchResult` interface if not already exported from `lib/actions/policySettings.ts`
- [X] T008 Test Server Actions manually - verify tenant isolation, null filtering, and limit parameters work correctly
**Checkpoint**: Backend ready - all Server Actions functional and tested
---
## Phase 3: User Story 1 - Browse Recent Policies on Page Load (Priority: P1) 🎯 MVP
**Goal**: Admin sees 50 newest policy settings immediately when opening Policy Explorer (no empty state)
**Independent Test**: Navigate to `/policy-explorer`, verify 50 newest entries load without search, no null values visible
### Implementation for User Story 1
- [X] T009 [P] [US1] Create `PolicyTable.tsx` component in `components/policy-explorer/PolicyTable.tsx` - display policies in table format with columns: Setting Name, Setting Value, Policy Name, Policy Type, Last Synced
- [X] T010 [P] [US1] Add row click handler prop to `PolicyTable` component - accepts `onRowClick: (policy: PolicySettingSearchResult) => void`
- [X] T011 [P] [US1] Add hover styles to table rows in `PolicyTable` - `hover:bg-accent cursor-pointer` classes
- [X] T012 [P] [US1] Create `PolicySearchContainer.tsx` client component in `components/policy-explorer/PolicySearchContainer.tsx` - manages search state, accepts `initialPolicies` prop
- [X] T013 [US1] Refactor `app/(app)/search/page.tsx` to Server Component pattern - call `getRecentPolicySettings(50)` in Server Component, pass data to `PolicySearchContainer`
- [X] T014 [US1] Update page CardTitle to "Policy Explorer" and CardDescription in `app/(app)/search/page.tsx`
- [X] T015 [US1] Add empty state handling - if no policies returned, show message "Keine Policies gefunden - Starten Sie einen Sync"
- [X] T016 [US1] Keep existing `SyncButton` component in CardHeader of `app/(app)/search/page.tsx`
**Checkpoint**: Page loads with 50 newest policies, no null values, empty state works
---
## Phase 4: User Story 2 - View Policy Details in Slide-Over Sheet (Priority: P1) 🎯 MVP
**Goal**: Admin can click any policy row to see full details with formatted JSON in a slide-over sheet
**Independent Test**: Click any table row, verify sheet opens from right with policy details, JSON is formatted
### Implementation for User Story 2
- [X] T017 [P] [US2] Create `PolicyDetailSheet.tsx` component in `components/policy-explorer/PolicyDetailSheet.tsx` - uses Shadcn Sheet, accepts `policy`, `open`, `onOpenChange` props
- [X] T018 [P] [US2] Implement JSON detection logic in `PolicyDetailSheet` - check if `settingValue.trim().startsWith('{')` or `startsWith('[')`
- [X] T019 [P] [US2] Implement JSON formatting utility - `JSON.stringify(JSON.parse(value), null, 2)` wrapped in try/catch, fallback to plain text on error
- [X] T020 [P] [US2] Render JSON values in `<pre>` tag with Tailwind prose classes for readability in `PolicyDetailSheet`
- [X] T021 [P] [US2] Render non-JSON values as normal text in `PolicyDetailSheet`
- [X] T022 [P] [US2] Add Sheet styling - proper width (e.g., `w-[600px]`), padding, close button, scroll for long content (`max-height` + `overflow-auto`)
- [X] T023 [US2] Integrate `PolicyDetailSheet` into `PolicySearchContainer` - add state for selected policy and sheet open/close
- [X] T024 [US2] Connect row click handler from `PolicyTable` to open detail sheet with clicked policy data
- [X] T025 [US2] Test detail sheet with various data - nested JSON objects, arrays, long strings (>10KB), plain text values, malformed JSON
**Checkpoint**: Clicking rows opens detail sheet, JSON is formatted, sheet closes properly
---
## Phase 5: User Story 3 - Search with Data Cleaning (Priority: P2)
**Goal**: Admin can search policies and results are filtered to exclude null values
**Independent Test**: Enter search term "USB", verify results contain "USB" and no null values
### Implementation for User Story 3
- [X] T026 [US3] Integrate existing `SearchInput` component into `PolicySearchContainer` in `components/policy-explorer/PolicySearchContainer.tsx`
- [X] T027 [US3] Add search handler in `PolicySearchContainer` - calls `searchPolicySettings()` Server Action with search term
- [X] T028 [US3] Implement search state management using `useTransition()` hook for pending state
- [X] T029 [US3] Update table to show search results when search term is entered, show initial 50 policies when search is cleared
- [X] T030 [US3] Verify null values are filtered from search results (handled by Server Action from T006)
- [X] T031 [US3] Add loading indicator while search is in progress (use `isPending` from `useTransition`)
**Checkpoint**: Search works, results exclude null values, loading states correct
---
## Phase 6: User Story 4 - Improved Visual Hierarchy (Priority: P3)
**Goal**: Admin sees policy types as colored badges and improved row hover effects
**Independent Test**: View table, verify badges have distinct colors, rows highlight on hover
### Implementation for User Story 4
- [X] T032 [P] [US4] Define policy type to badge color mapping - create utility function or constant (e.g., Compliance=blue, Configuration=gray, Security=red, etc.)
- [X] T033 [P] [US4] Implement badge rendering in `PolicyTable` - replace plain text `policyType` with Shadcn Badge component
- [X] T034 [P] [US4] Apply badge variant/color based on policy type in `PolicyTable` component
- [X] T035 [US4] Test badge colors with real data - verify at least 3 distinct colors are visible and accessible (contrast check)
- [X] T036 [US4] Verify hover effects on table rows - cursor changes to pointer, background color changes
**Checkpoint**: Badges show distinct colors, hover effects smooth, visual hierarchy improved
---
## Phase 7: Navigation & Route Consolidation (Cross-Cutting)
**Purpose**: Update navigation and routing to consolidate under "Policy Explorer"
- [X] T037 Update `config/nav.ts` - replace `{ title: "Search", href: "/search" }` with `{ title: "Policy Explorer", href: "/search" }` (keep /search route for now)
- [X] T038 Remove "All Settings" menu item from `config/nav.ts` if it exists (from settings-overview feature)
- [X] T039 Update page metadata (title, description) in `app/(app)/search/page.tsx` to reflect "Policy Explorer" branding
- [ ] T040 Add redirect from `/settings-overview` to `/search` if that route exists (optional, for backwards compatibility)
**Checkpoint**: Navigation shows single "Policy Explorer" entry, old routes redirect if needed
---
## Phase 8: Polish & Final Integration
**Purpose**: Final refinements and end-to-end validation
- [X] T041 Update `EmptyState` component message in `components/search/EmptyState.tsx` - change to Policy Explorer context if still used
- [ ] T042 Add loading skeleton to table (optional) - show placeholder rows while initial data loads
- [ ] T043 Verify responsive layout - test table and detail sheet on mobile viewport (< 768px)
- [ ] T044 Add error boundary for detail sheet - graceful error handling if sheet rendering fails
- [ ] T045 Performance check - verify initial page load < 2s, detail sheet opens < 300ms, search response < 2s
- [ ] T046 Accessibility check - verify keyboard navigation (Tab, Enter to open sheet, Escape to close), screen reader labels
- [ ] T047 Cross-browser test - verify in Chrome, Safari, Firefox (at minimum)
**Checkpoint**: Feature complete, polished, and tested across browsers/devices
---
## Dependencies Visualization
```mermaid
graph TD
T001[T001: Install Sheet] --> T017[T017: Create PolicyDetailSheet]
T002[T002: Install Badge] --> T033[T033: Implement Badge Rendering]
T003[T003: Create Directory] --> T009[T009: Create PolicyTable]
T003 --> T012[T012: Create PolicySearchContainer]
T003 --> T017
T004[T004: getRecentPolicySettings] --> T013[T013: Refactor Page to Server Component]
T005[T005: Extend searchPolicySettings] --> T027[T027: Add Search Handler]
T006[T006: Null Filtering] --> T004
T006 --> T005
T007[T007: Type Exports] --> T009
T007 --> T012
T007 --> T017
T008[T008: Test Server Actions] --> T013
T009 --> T013
T010[T010: Row Click Handler] --> T024[T024: Connect Click to Sheet]
T011[T011: Hover Styles] --> T036[T036: Verify Hover Effects]
T012 --> T013
T013 --> T026[T026: Integrate SearchInput]
T017 --> T023[T023: Integrate Sheet into Container]
T018[T018: JSON Detection] --> T019[T019: JSON Formatting]
T019 --> T020[T020: Render JSON in pre]
T020 --> T023
T021[T021: Render Non-JSON] --> T023
T022[T022: Sheet Styling] --> T023
T023 --> T024
T026 --> T027
T027 --> T028[T028: Search State Management]
T028 --> T029[T029: Update Table with Results]
T029 --> T030[T030: Verify Null Filtering]
T030 --> T031[T031: Loading Indicator]
T032[T032: Badge Color Mapping] --> T033
T033 --> T034[T034: Apply Badge Variants]
T034 --> T035[T035: Test Badge Colors]
T013 --> T037[T037: Update Navigation]
T037 --> T038[T038: Remove All Settings]
T038 --> T039[T039: Update Page Metadata]
```
---
## Parallel Execution Opportunities
### Phase 1 (All parallel):
- T001, T002, T003 can all run simultaneously
### Phase 2:
- **Parallel**: T007 can run while T004-T006 are being implemented
- **Sequential**: T004-T006 must complete before T008
- **Blocking**: T008 must complete before Phase 3 starts
### Phase 3 (User Story 1):
- **Parallel**: T009, T010, T011, T012 (different components)
- **Sequential**: T013 requires T009 and T012 complete
- **Sequential**: T014-T016 extend T013
### Phase 4 (User Story 2):
- **Parallel**: T017, T018, T019, T020, T021, T022 (all component work)
- **Sequential**: T023 requires T017-T022 complete
- **Sequential**: T024 requires T023 and T010 complete
- **Sequential**: T025 is final testing
### Phase 5 (User Story 3):
- **Sequential**: T026 → T027 → T028 → T029 → T030 → T031 (build on each other)
### Phase 6 (User Story 4):
- **Parallel**: T032, T033, T034 (component work)
- **Sequential**: T035, T036 (testing)
### Phase 7 (Navigation):
- **Parallel**: T037, T038 (different files)
- **Sequential**: T039, T040 extend T037/T038
### Phase 8 (Polish):
- **Mostly parallel**: T041-T044 (different concerns)
- **Sequential**: T045-T047 (validation after implementation)
---
## Suggested MVP Scope
**Minimum Viable Product** = Phase 1 + Phase 2 + Phase 3 + Phase 4
This delivers:
- ✅ 50 newest policies on page load (no empty state)
- ✅ Null values filtered automatically
- ✅ Clickable rows with detail sheet
- ✅ JSON formatting in detail view
- ✅ Functional search (from existing feature)
**Can be deferred post-MVP**:
- User Story 3 tasks (search refinements) - existing search already works
- User Story 4 tasks (visual improvements) - badges and hover are polish
- Phase 7 tasks (navigation consolidation) - can keep both menu items temporarily
- Phase 8 tasks (polish) - can iterate after core functionality validated
---
## Implementation Strategy
### Week 1: Foundation + US1 (MVP Core)
- Days 1-2: Phase 1 (Setup) + Phase 2 (Backend)
- Days 3-5: Phase 3 (User Story 1 - Browse Recent)
**Deliverable**: Page loads with 50 newest policies, no null values
### Week 2: US2 + Testing (MVP Complete)
- Days 1-3: Phase 4 (User Story 2 - Detail Sheet)
- Days 4-5: Testing and bug fixes for US1 + US2
**Deliverable**: Functional Policy Explorer with detail view (MVP ready)
### Week 3: Polish + Enhancement
- Days 1-2: Phase 5 (User Story 3 - Search refinements)
- Days 3-4: Phase 6 (User Story 4 - Visual improvements)
- Day 5: Phase 7 (Navigation) + Phase 8 (Polish)
**Deliverable**: Full feature with all user stories, polished and production-ready
---
## Task Count Summary
- **Phase 1 (Setup)**: 3 tasks
- **Phase 2 (Foundation)**: 5 tasks ⚠️ BLOCKING
- **Phase 3 (US1 - P1)**: 8 tasks 🎯 MVP
- **Phase 4 (US2 - P1)**: 9 tasks 🎯 MVP
- **Phase 5 (US3 - P2)**: 6 tasks
- **Phase 6 (US4 - P3)**: 5 tasks
- **Phase 7 (Navigation)**: 4 tasks
- **Phase 8 (Polish)**: 7 tasks
**Total**: 47 tasks
**MVP Subset**: T001-T025 (25 tasks) = Foundation + US1 + US2
---
## Success Criteria Mapping
| Success Criterion | Tasks |
|-------------------|-------|
| SC-001: Load < 2s | T004, T013, T045 |
| SC-002: 100% valid values (no nulls) | T006, T030 |
| SC-003: Detail sheet < 300ms | T017-T024, T045 |
| SC-004: JSON formatted | T018-T020, T025 |
| SC-005: Badge colors distinguishable | T032-T035 |
| SC-006: Single "Policy Explorer" menu | T037-T038 |
---
## Notes
- **No database migrations**: Feature works with existing schema ✅
- **Server-first architecture**: All data via Server Actions ✅
- **Shadcn UI components**: Sheet and Badge must be installed (T001, T002)
- **Backwards compatibility**: Can keep `/search` route, update navigation text
- **Performance**: Null filtering in backend (T006) for optimal performance
- **Testing**: Manual testing focus, no automated E2E tests in scope
- **Accessibility**: Covered in Phase 8 (T046)
---
## References
- Feature Spec: [spec.md](./spec.md)
- Implementation Plan: [plan.md](./plan.md)
- Requirements Checklist: [checklists/requirements.md](./checklists/requirements.md)
- Related Features: [001-global-policy-search](../001-global-policy-search/), [002-manual-policy-sync](../002-manual-policy-sync/)

34
specs/004-policy-explorer-v2/checklists/requirements.md
View File

@ -1,34 +0,0 @@
# Specification Quality Checklist: Policy Explorer V2
**Purpose**: Validate specification completeness and quality before proceeding to planning
**Created**: 2025-12-08
**Feature**: [spec.md](../spec.md)
## Content Quality
- [ ] No implementation details (languages, frameworks, APIs)
- [ ] Focused on user value and business needs
- [ ] Written for non-technical stakeholders
- [ ] All mandatory sections completed
## Requirement Completeness
- [ ] No [NEEDS CLARIFICATION] markers remain
- [ ] Requirements are testable and unambiguous
- [ ] Success criteria are measurable
- [ ] Success criteria are technology-agnostic (no implementation details)
- [ ] All acceptance scenarios are defined
- [ ] Edge cases are identified
- [ ] Scope is clearly bounded
- [ ] Dependencies and assumptions identified
## Feature Readiness
- [ ] All functional requirements have clear acceptance criteria
- [ ] User scenarios cover primary flows
- [ ] Feature meets measurable outcomes defined in Success Criteria
- [ ] No implementation details leak into specification
## Notes
- Items marked incomplete require spec updates before `/speckit.clarify` or `/speckit.plan`

520
specs/004-policy-explorer-v2/plan.md
View File

@ -1,520 +0,0 @@
# Implementation Plan: Policy Explorer V2
**Branch**: `004-policy-explorer-v2` | **Date**: 2025-12-09 | **Spec**: [spec.md](./spec.md)
**Input**: Feature specification from `/specs/004-policy-explorer-v2/spec.md`
## Summary
Upgrade the existing Policy Explorer (`/search`) from basic search/table view to advanced data table with:
- **Server-side pagination** (10/25/50/100 rows per page)
- **Multi-column sorting** with ASC/DESC toggle
- **Column management** (show/hide, resize, reorder) persisted in localStorage
- **PolicyType filtering** with multi-select checkboxes
- **Bulk export** (CSV) for selected rows (client-side) and all filtered results (server-side, max 5000)
- **Enhanced detail view** with copy-to-clipboard, raw JSON, and "Open in Intune" link
- **URL state** for shareable filtered/sorted views
- **Sticky header** and compact/comfortable density modes
Technical approach: TanStack Table v8 for client-side table state management, Server Actions for data fetching/export, shadcn/ui primitives for UI consistency, nuqs for URL state, and localStorage for user preferences.
## Technical Context
**Language/Version**: TypeScript 5.x strict mode
**Primary Dependencies**:
- Next.js 16+ App Router
- TanStack Table v8 (`@tanstack/react-table`)
- Drizzle ORM for database queries
- Shadcn UI components
- NextAuth.js v4 for tenant isolation
- URL state: `nuqs` or native `useSearchParams`
- CSV export: `papaparse` or native string builder
**Storage**: PostgreSQL (existing `policy_settings` table)
**Testing**: Jest/Vitest for utils, Playwright for E2E table interactions
**Target Platform**: Docker containers, modern web browsers (Chrome, Firefox, Safari, Edge)
**Project Type**: Next.js App Router web application
**Performance Goals**:
- Page load: <500ms (50 rows with filters)
- Sorting/filtering: <200ms
- CSV export (1000 rows): <2s client-side
- CSV export (5000 rows): <5s server-side
**Constraints**:
- Server-first architecture (all data via Server Actions)
- No client-side fetching (useEffect + fetch prohibited)
- TypeScript strict mode (no `any` types)
- Shadcn UI for all components
- Azure AD tenant isolation enforced
**Scale/Scope**: Multi-tenant SaaS, 1000+ policy settings per tenant, 100+ concurrent users
## Constitution Check
*GATE: Must pass before Phase 0 research. Re-check after Phase 1 design.*
- [X] Uses Next.js App Router with Server Actions (pagination/filtering/export via Server Actions)
- [X] TypeScript strict mode enabled (existing codebase already strict)
- [X] Drizzle ORM for all database operations (policy settings queries use Drizzle)
- [X] Shadcn UI for all new components (Table, Button, Sheet, etc.)
- [X] Azure AD multi-tenant authentication (existing auth, tenant isolation via session)
- [X] Docker deployment with standalone build (existing Dockerfile)
**Result**: ✅ No constitution violations
## Project Structure
### Documentation (this feature)
```text
specs/004-policy-explorer-v2/
├── plan.md # This file
├── research.md # Phase 0 output (TanStack Table patterns, CSV strategies)
├── data-model.md # Phase 1 output (DataTableState, FilterState types)
├── quickstart.md # Phase 1 output (how to add new columns, filters)
├── contracts/ # Phase 1 output (Server Action signatures)
│ ├── getPolicySettings.yaml
│ ├── exportPolicySettingsCSV.yaml
│ └── types.ts
└── tasks.md # Phase 2 output (NOT created by this command)
```
### Source Code (repository root)
**Structure Decision**: Next.js App Router structure (existing pattern in codebase)
```text
app/
└── (app)/
└── search/
├── page.tsx # Server Component (data fetching)
├── PolicyExplorerClient.tsx # UPDATED: Client Component wrapper
└── PolicyExplorerTable.tsx # NEW: TanStack Table component
components/
└── policy-explorer/
├── PolicyTable.tsx # NEW: Main data table
├── PolicyTableColumns.tsx # NEW: Column definitions
├── PolicyTableToolbar.tsx # NEW: Filters, density toggle, export
├── PolicyTablePagination.tsx # NEW: Pagination controls
├── PolicyDetailSheet.tsx # UPDATED: Add copy buttons, raw JSON
├── ColumnVisibilityMenu.tsx # NEW: Show/hide columns
└── ExportButton.tsx # NEW: CSV export trigger
lib/
├── actions/
│ └── policySettings.ts # UPDATED: Add pagination, sorting, export
├── hooks/
│ ├── usePolicyTable.ts # NEW: TanStack Table hook
│ ├── useTablePreferences.ts # NEW: localStorage persistence
│ └── useURLState.ts # NEW: URL state sync
└── utils/
├── csv-export.ts # NEW: Client-side CSV builder
└── policy-table-helpers.ts # NEW: Column formatters, sorters
tests/
├── unit/
│ ├── csv-export.test.ts # CSV generation logic
│ └── policy-table-helpers.test.ts # Column utilities
└── e2e/
└── policy-explorer.spec.ts # Pagination, sorting, filtering, export
```
## Complexity Tracking
> **No violations** - All constitution checks pass. TanStack Table is a state management library (not a data fetching library), so it complements Server Actions rather than replacing them.
---
## Phase 0: Research & Analysis
### Unknowns to Resolve
1. **TanStack Table Integration Pattern**
- **Question**: How to integrate TanStack Table with Next.js Server Actions for server-side pagination/sorting?
- **Research**: Review TanStack Table docs for "manual pagination" mode, check existing patterns in similar Next.js projects
- **Output**: `research.md` section on TanStack Table + Server Actions integration
2. **CSV Export Strategy**
- **Question**: When to use client-side vs server-side CSV generation? What's the performance breakpoint?
- **Research**: Test `papaparse` performance with 100/1000/5000 rows, measure memory usage, compare to server-side stream
- **Output**: `research.md` section with performance benchmarks and decision matrix
3. **URL State Management**
- **Question**: Use `nuqs` library or native `useSearchParams` + `useRouter`?
- **Research**: Compare type safety, SSR compatibility, bundle size
- **Output**: `research.md` section on URL state library choice
4. **LocalStorage Schema**
- **Question**: How to version localStorage schema for forward compatibility when adding new features?
- **Research**: Review best practices for localStorage versioning, schema migration patterns
- **Output**: `research.md` section on localStorage structure
5. **Sticky Header Implementation**
- **Question**: Use CSS `position: sticky` or JavaScript scroll listeners? Performance trade-offs?
- **Research**: Test both approaches with large tables (1000+ rows), measure scroll jank
- **Output**: `research.md` section on sticky header strategy
### Dependencies & Best Practices
1. **TanStack Table Best Practices**
- **Task**: Research recommended patterns for server-side pagination, column definitions, type safety
- **Output**: `research.md` section with code examples
2. **Shadcn Table + TanStack Integration**
- **Task**: Find examples of shadcn/ui Table primitives used with TanStack Table
- **Output**: `research.md` section with integration patterns
3. **CSV Escaping & Edge Cases**
- **Task**: Research proper CSV escaping (commas, quotes, newlines), Excel compatibility
- **Output**: `research.md` section on CSV generation rules
---
## Phase 1: Design & Contracts
### Data Model Design
**File**: `specs/004-policy-explorer-v2/data-model.md`
#### Entities
**DataTableState** (Client-side ephemeral state)
```typescript
interface DataTableState {
pagination: {
pageIndex: number; // 0-based
pageSize: 10 | 25 | 50 | 100;
};
sorting: Array<{
id: string; // column ID
desc: boolean; // true = DESC, false = ASC
}>;
columnVisibility: {
[columnId: string]: boolean;
};
columnSizing: {
[columnId: string]: number; // px
};
rowSelection: {
[rowId: string]: boolean;
};
density: 'compact' | 'comfortable';
}
```
**FilterState** (Synced with URL + stored in localStorage)
```typescript
interface FilterState {
policyTypes: string[]; // ['deviceConfiguration', 'compliancePolicy']
searchQuery: string; // existing search functionality
// Future: dateRange, tenant filter (Phase 2)
}
```
**TablePreferences** (Persisted in localStorage)
```typescript
interface TablePreferences {
version: 1; // schema version for migrations
columnVisibility: { [columnId: string]: boolean };
columnSizing: { [columnId: string]: number };
columnOrder: string[]; // ordered column IDs
density: 'compact' | 'comfortable';
defaultPageSize: 10 | 25 | 50 | 100;
}
```
#### Database Schema Changes
**None required** - Existing `policy_settings` table has all necessary fields:
- `policyName`, `policyType`, `settingName`, `settingValue`, `graphPolicyId`, `lastSyncedAt`
- Indexes already exist for `tenantId`, `settingName`
- **Recommendation**: Add composite index for sorting performance: `(tenantId, policyType, settingName)`
### API Contracts
**File**: `specs/004-policy-explorer-v2/contracts/`
#### Contract 1: `getPolicySettings`
**File**: `contracts/getPolicySettings.yaml`
```yaml
action: getPolicySettings
description: Fetch policy settings with pagination, sorting, and filtering
method: Server Action
input:
type: object
properties:
page:
type: number
minimum: 0
description: 0-based page index
pageSize:
type: number
enum: [10, 25, 50, 100]
default: 50
sortBy:
type: string
enum: [settingName, policyName, policyType, lastSyncedAt]
optional: true
sortDir:
type: string
enum: [asc, desc]
default: asc
policyTypes:
type: array
items:
type: string
optional: true
description: Filter by policy types
searchQuery:
type: string
optional: true
description: Text search in settingName/policyName
output:
type: object
properties:
data:
type: array
items:
type: PolicySetting
meta:
type: object
properties:
totalCount: number
pageCount: number
currentPage: number
pageSize: number
hasNextPage: boolean
hasPreviousPage: boolean
errors:
- UNAUTHORIZED: User not authenticated
- FORBIDDEN: User not in tenant
- INVALID_PARAMS: Invalid pagination/sort params
```
#### Contract 2: `exportPolicySettingsCSV`
**File**: `contracts/exportPolicySettingsCSV.yaml`
```yaml
action: exportPolicySettingsCSV
description: Export policy settings as CSV (server-side, max 5000 rows)
method: Server Action
input:
type: object
properties:
policyTypes:
type: array
items:
type: string
optional: true
searchQuery:
type: string
optional: true
sortBy:
type: string
optional: true
sortDir:
type: string
enum: [asc, desc]
default: asc
maxRows:
type: number
maximum: 5000
default: 5000
output:
type: object
properties:
csv:
type: string
description: CSV content as string
filename:
type: string
description: Suggested filename (e.g., "policy-settings-2025-12-09.csv")
rowCount:
type: number
description: Number of rows in CSV
errors:
- UNAUTHORIZED: User not authenticated
- FORBIDDEN: User not in tenant
- TOO_MANY_ROWS: Result exceeds maxRows limit
```
### Quickstart Guide
**File**: `specs/004-policy-explorer-v2/quickstart.md`
```markdown
# Policy Explorer V2 - Quickstart
## Adding a New Column
1. Define column in `PolicyTableColumns.tsx`:
```typescript
{
accessorKey: 'myNewField',
header: 'My Field',
cell: ({ row }) => <span>{row.original.myNewField}</span>,
}
```
2. Add to localStorage schema version if changing defaults
3. Update CSV export to include new column
## Adding a New Filter
1. Update `FilterState` type in `lib/types/policy-table.ts`
2. Add UI control in `PolicyTableToolbar.tsx`
3. Update `getPolicySettings` Server Action to handle new filter param
4. Add to URL state in `useURLState.ts`
## Testing Checklist
- [ ] Pagination: Navigate through pages, verify correct data
- [ ] Sorting: Click column headers, verify ASC/DESC toggle
- [ ] Filtering: Select policy types, verify filtered results
- [ ] Column visibility: Hide/show columns, reload page
- [ ] CSV export: Export selected rows, verify content
- [ ] Accessibility: Keyboard navigation, screen reader labels
```
---
## Phase 1.5: Agent Context Update
**Action**: Run `.specify/scripts/bash/update-agent-context.sh copilot`
This script will:
1. Detect AI agent in use (Copilot)
2. Update `.github/copilot-instructions.md`
3. Add new technologies from this plan:
- TanStack Table v8 for data tables
- CSV export patterns (client vs server-side)
- URL state management with nuqs
- LocalStorage persistence patterns
**Manual additions to preserve**:
- Existing Intune API patterns
- Project-specific conventions
---
## Re-Evaluation: Constitution Check
*Run after Phase 1 design completion*
- [X] TanStack Table uses Server Actions for data (no client-side fetch)
- [X] All types strictly defined (DataTableState, FilterState, contracts)
- [X] Drizzle ORM for queries (no raw SQL)
- [X] Shadcn UI Table primitives (no custom table components)
- [X] Azure AD session enforced in Server Actions
- [X] Docker build unaffected (no new runtime dependencies)
**Result**: ✅ Constitution compliance maintained
---
## Implementation Notes
### Critical Paths
1. **TanStack Table Integration** (Blocking)
- Must establish pattern for Server Action + TanStack Table manual pagination
- All other features depend on this foundation
2. **Server Action Updates** (Blocking)
- `getPolicySettings` must support pagination/sorting before UI can be built
3. **CSV Export** (Parallel after data fetching works)
- Client-side export can be built independently
- Server-side export requires Server Action
### Parallel Work Opportunities
- **Phase 1**: Data model design + API contracts can happen in parallel
- **Implementation**: Client-side CSV export + column management can be built while server-side export is in progress
- **Testing**: Unit tests for utils can be written early, E2E tests require full integration
### Risk Mitigation
**Risk**: TanStack Table performance with large datasets (1000+ rows)
- **Mitigation**: Use virtualization (`@tanstack/react-virtual`) if needed
- **Fallback**: Reduce default page size to 25 rows
**Risk**: CSV export memory issues with 5000 rows
- **Mitigation**: Use streaming approach in Server Action
- **Fallback**: Reduce max export to 2500 rows
**Risk**: localStorage quota exceeded (5-10MB limit)
- **Mitigation**: Only store column preferences, not data
- **Fallback**: Clear old preferences, show user warning
---
## Success Metrics
### Performance Benchmarks
- [ ] Page load (50 rows): <500ms
- [ ] Sorting operation: <200ms
- [ ] Filtering operation: <300ms
- [ ] Column resize: <16ms (60fps)
- [ ] CSV export (1000 rows, client): <2s
- [ ] CSV export (5000 rows, server): <5s
### Functional Validation
- [ ] Pagination: All pages load correctly, no duplicate rows
- [ ] Sorting: Correct order for all column types (string, date, number)
- [ ] Filtering: AND logic for multiple filters
- [ ] Column management: Preferences persist across sessions
- [ ] CSV export: Proper escaping, Excel-compatible
- [ ] URL state: Shareable links work correctly
- [ ] Accessibility: Keyboard navigation, ARIA labels
---
## Next Steps
1. **Run Phase 0 Research**:
```bash
# Research TanStack Table patterns
# Benchmark CSV strategies
# Choose URL state library
```
2. **Generate `research.md`**:
- Document findings for each unknown
- Include code examples and performance data
3. **Generate `data-model.md`**:
- Define TypeScript interfaces
- Document database schema (no changes)
4. **Generate Contracts**:
- Create YAML specs for Server Actions
- Define input/output types
5. **Update Agent Context**:
```bash
.specify/scripts/bash/update-agent-context.sh copilot
```
6. **Generate `tasks.md`**:
```bash
# After Phase 1 complete, run:
/speckit.tasks
```
---
**Plan Version**: 1.0
**Last Updated**: 2025-12-09
**Status**: Ready for Phase 0 Research

206
specs/004-policy-explorer-v2/spec.md
View File

@ -1,206 +0,0 @@
# Feature Specification: Policy Explorer V2
**Feature Branch**: `004-policy-explorer-v2`
**Created**: 2025-12-08
**Status**: Draft
**Input**: "Policy Explorer V2 - Advanced data table with pagination, sorting, filtering, column management, bulk export, and enhanced detail view for Intune policy settings analysis"
## Overview
Erweiterung des bestehenden Policy Explorers (`/search`) von einer einfachen Such-/Tabellenansicht zu einem vollwertigen Admin-Interface für die Analyse großer Policy-Datasets mit erweiterten Funktionen für Navigation, Filterung, Sortierung und Export.
## User Scenarios & Testing *(mandatory)*
### User Story 1 - Advanced Data Table Navigation (Priority: P1)
Als Intune-Admin möchte ich durch große Policy-Datasets navigieren können mit Pagination, Sortierung und anpassbaren Spalten, um schnell relevante Settings zu finden.
**Why this priority**: Grundlegende Tabellenfunktionalität ist essentiell für die Arbeit mit >100 Settings. Ohne Pagination und Sortierung wird die Tabelle unbrauchbar.
**Independent Test**: Dataset mit 500+ Settings laden, Pagination durchklicken, nach verschiedenen Spalten sortieren, Spalten ein-/ausblenden.
**Acceptance Scenarios**:
1. **Given** der Admin hat 200+ Policy Settings im System, **When** er den Policy Explorer öffnet, **Then** sieht er maximal 50 Settings pro Seite mit Pagination Controls (Previous, Next, Page Numbers).
2. **Given** der Admin sieht die Tabelle, **When** er auf einen Spalten-Header klickt, **Then** wird die Tabelle nach dieser Spalte sortiert (Toggle: ASC/DESC).
3. **Given** der Admin sieht die Tabelle, **When** er das Column Visibility Menu öffnet und Spalten deselektiert, **Then** werden diese Spalten ausgeblendet und die Einstellung bleibt beim Reload erhalten (localStorage).
4. **Given** der Admin sieht die Tabelle, **When** er eine Spaltenbreite mit der Maus anpasst, **Then** wird die neue Breite gespeichert (localStorage).
5. **Given** der Admin scrollt nach unten, **When** er weiter scrollt, **Then** bleibt der Table Header sichtbar (sticky).
---
### User Story 2 - Enhanced Filtering (Priority: P1)
Als Intune-Admin möchte ich nach PolicyType filtern können, um nur relevante Policy-Kategorien zu sehen.
**Why this priority**: Filter sind essentiell für die Arbeit mit verschiedenen Policy-Typen (Compliance, Security, Configuration).
**Independent Test**: PolicyType Filter auswählen, Ergebnisse validieren, Filter kombinieren mit Suche.
**Acceptance Scenarios**:
1. **Given** der Admin öffnet den Policy Explorer, **When** er den PolicyType Filter öffnet, **Then** sieht er alle verfügbaren Policy Types als Checkboxen (deviceConfiguration, compliancePolicy, etc.).
2. **Given** der Admin hat einen PolicyType ausgewählt, **When** die Tabelle lädt, **Then** werden nur Settings dieses Typs angezeigt.
3. **Given** der Admin hat Filter + Suche kombiniert, **When** er die Seite neu lädt, **Then** bleiben Filter und Suche aktiv (URL state).
---
### User Story 3 - Bulk Export (Priority: P1)
Als Intune-Admin möchte ich Policy Settings als CSV exportieren können, um sie in Excel/Sheets zu analysieren oder zu dokumentieren.
**Why this priority**: Export ist ein häufig gefordertes Feature für Compliance-Reports und Dokumentation.
**Independent Test**: Rows selektieren, CSV Export triggern, Datei öffnen und Inhalt validieren.
**Acceptance Scenarios**:
1. **Given** der Admin hat Rows in der Tabelle selektiert, **When** er "Export Selected" klickt, **Then** wird ein CSV mit den selektierten Rows heruntergeladen.
2. **Given** der Admin hat Filter angewendet, **When** er "Export All Filtered" klickt, **Then** wird ein CSV mit allen gefilterten Results heruntergeladen (serverseitig generiert).
3. **Given** das CSV wurde generiert, **When** der Admin die Datei öffnet, **Then** enthält sie alle relevanten Spalten (Policy Name, Type, Setting Name, Value, Last Synced) mit korrektem CSV-Escaping.
---
### User Story 4 - Enhanced Detail View (Priority: P2)
Als Intune-Admin möchte ich im Detail-Sheet erweiterte Funktionen haben (Copy-to-Clipboard, Raw JSON View), um Settings schnell zu teilen oder zu debuggen.
**Why this priority**: Quality-of-Life Verbesserung für Power-User. Nicht MVP-blocking aber sehr nützlich.
**Independent Test**: Detail-Sheet öffnen, Copy-Buttons testen, Raw JSON Tab öffnen.
**Acceptance Scenarios**:
1. **Given** der Admin öffnet das Detail-Sheet für ein Setting, **When** er auf "Copy Policy ID" klickt, **Then** wird die graphPolicyId in die Zwischenablage kopiert.
2. **Given** der Admin sieht das Detail-Sheet, **When** er auf "Raw JSON" Tab klickt, **Then** sieht er die kompletten Rohdaten formatiert als JSON.
3. **Given** das Setting hat eine graphPolicyId, **When** der Admin "Open in Intune" klickt, **Then** öffnet sich ein neues Tab mit dem Intune Portal Link (oder wird Policy ID kopiert als Fallback).
---
### Edge Cases
- Was passiert bei sehr breiten Tabellen (viele Spalten)? → Horizontales Scrolling + Sticky erste Spalte.
- Wie verhält sich Export bei >10.000 Rows? → Server-seitige Limitierung auf max 5000 Rows pro Export mit Warning.
- Was passiert wenn keine Rows selektiert sind beim Export? → Button disabled mit Tooltip "Select rows first".
- Wie wird Sorting mit Pagination kombiniert? → Server-seitig: Sort state wird an API übergeben.
- Was passiert bei Column Resize auf mobilen Geräten? → Touch-optimierte Resize Handles oder Feature deaktiviert auf <768px.
## Requirements *(mandatory)*
### Functional Requirements
- **FR-001**: System MUSS serverseitige Pagination mit konfigurierbarer Page Size (10/25/50/100) unterstützen.
- **FR-002**: System MUSS Sortierung nach allen Spalten unterstützen (ASC/DESC Toggle).
- **FR-003**: System MUSS Column Visibility Management bereitstellen (Spalten ein-/ausblenden via Dropdown).
- **FR-004**: System MUSS Column Resizing unterstützen (Drag & Drop an Spaltenrändern).
- **FR-005**: System MUSS Sticky Table Header implementieren (bleibt beim Scrollen sichtbar).
- **FR-006**: System MUSS PolicyType Filter als Multi-Select Checkbox implementieren.
- **FR-007**: System MUSS Filter + Suche kombinierbar machen (beide aktiv gleichzeitig).
- **FR-008**: System MUSS URL State für Filter/Sort/Search speichern (shareable links).
- **FR-009**: System MUSS localStorage für Column Settings verwenden (Breite, Visibility, Reihenfolge).
- **FR-010**: System MUSS Row Selection mit Checkboxes implementieren (einzeln + Select All).
- **FR-011**: System MUSS CSV Export für Selected Rows bereitstellen (client-seitig generiert).
- **FR-012**: System MUSS CSV Export für All Filtered Results bereitstellen (server-seitig, max 5000 Rows).
- **FR-013**: System MUSS Copy-to-Clipboard Buttons für Policy ID, Setting Name, Setting Value implementieren.
- **FR-014**: System MUSS Raw JSON View im Detail-Sheet anzeigen.
- **FR-015**: System MUSS "Open in Intune" Button implementieren (wenn graphPolicyId vorhanden).
- **FR-016**: System MUSS Truncation + Tooltip für lange Werte/IDs implementieren.
- **FR-017**: System MUSS Compact/Comfortable Density Mode Toggle bereitstellen.
- **FR-018**: System MUSS Meta-Info Zeile über Tabelle anzeigen (X settings · Y policies · Last sync).
### Key Entities
Erweitert `PolicySetting` Datenmodell (keine Schema-Änderungen nötig):
- **DataTableState**: Client-side State für Tabelle
- `pagination`: { page: number, pageSize: number }
- `sorting`: { column: string, direction: 'asc'|'desc' }[]
- `columnVisibility`: { [columnId: string]: boolean }
- `columnSizing`: { [columnId: string]: number }
- `rowSelection`: { [rowId: string]: boolean }
- **FilterState**: Filter-Zustand
- `policyTypes`: string[] (selected policy types)
- `searchQuery`: string (existing search)
- `dateRange`: { from?: Date, to?: Date } (optional, Phase 2)
## Success Criteria *(mandatory)*
### Measurable Outcomes
- **SC-001**: Pagination lädt neue Seiten in <500ms (serverseitige Query + Rendering).
- **SC-002**: Sortierung funktioniert auf allen Spalten ohne Performance-Degradation bei 1000+ Rows.
- **SC-003**: Column Settings (Visibility, Sizing) bleiben nach Browser-Reload erhalten.
- **SC-004**: CSV Export für 1000 Selected Rows dauert <2s (client-seitig).
- **SC-005**: CSV Export für 5000 Filtered Results dauert <5s (server-seitig).
- **SC-006**: Filter + Suche kombiniert reduziert Results korrekt (AND-Logik).
- **SC-007**: URL State ist shareable (Copy/Paste URL zeigt identische Filterung).
- **SC-008**: Detail-Sheet Copy-Buttons funktionieren in allen modernen Browsern (Chrome, Firefox, Safari, Edge).
## Assumptions
- TanStack Table (React Table v8) wird als Data Table Library verwendet.
- Shadcn UI Table Komponenten werden erweitert oder mit TanStack Table integriert.
- Export-Logik nutzt serverseitigen Endpoint für große Datasets (>1000 Rows).
- Column Settings werden im localStorage gespeichert (keine User-Profile Persistierung).
- "Open in Intune" Links werden per Policy Type konstruiert (bekannte URL-Pattern).
## Nicht-Ziele (Out of Scope)
- Kein Policy Editing (read-only view bleibt erhalten).
- Kein vollständiges RBAC-System (bleibt bei Tenant-Isolation).
- Kein Conflict Detection (Phase 2).
- Kein Policy Comparison/Diff (Phase 2).
- Kein Saved Views (Phase 2).
- Keine Gruppierung (Group by Policy/Setting) (Phase 2).
## Technical Notes
### TanStack Table Integration
- `@tanstack/react-table` bereits im Projekt vorhanden oder muss installiert werden
- Server-side Pagination, Sorting, Filtering via Server Actions
- Column Definitions mit Type-Safety via TypeScript
- Shadcn Table Primitives als UI Layer
### CSV Export Strategy
**Client-Side** (Selected Rows):
- Library: `papaparse` oder native String-Builder
- Maximal 1000 Rows empfohlen
- Sofortiger Download ohne Server-Request
**Server-Side** (Filtered Results):
- Neuer Server Action: `exportPolicySettingsCSV(filterState)`
- Stream-basierter Export für große Datasets
- Content-Disposition Header für File Download
- Limit: 5000 Rows (UI Warning bei mehr)
### URL State Management
- `nuqs` Library für type-safe URL State
- Query Params:
- `page`: number
- `pageSize`: 10|25|50|100
- `sortBy`: columnId
- `sortDir`: asc|desc
- `policyTypes`: comma-separated
- `q`: search query
### Column Configuration
Default Columns:
- Setting Name (visible, pinned left)
- Setting Value (visible, truncated)
- Policy Name (visible)
- Policy Type (visible, badge)
- Last Synced (visible, relative time)
- Policy ID (hidden by default)
## Dependencies
- TanStack Table v8: `@tanstack/react-table`
- CSV Export: `papaparse` (optional, kann auch nativ gebaut werden)
- URL State: `nuqs` (optional, kann auch mit useSearchParams gelöst werden)
- Clipboard API: Native Browser API
- Icons: Lucide React (bereits vorhanden)

340
specs/004-policy-explorer-v2/tasks.md
View File

@ -1,340 +0,0 @@
# Tasks: Policy Explorer V2
**Input**: Design documents from `/specs/004-policy-explorer-v2/`
**Prerequisites**: plan.md (required), spec.md (required)
**Tests**: Unit tests for utilities, E2E tests for table interactions
**Organization**: Tasks are grouped by user story to enable independent implementation and testing.
## Format: `[ID] [P?] [Story] Description`
- **[P]**: Can run in parallel (different files, no dependencies)
- **[Story]**: Which user story this task belongs to (e.g., US1, US2, US3, US4)
- Include exact file paths in descriptions
## Path Conventions
- App routes: `app/(app)/search/`
- Components: `components/policy-explorer/`
- Server Actions: `lib/actions/policySettings.ts`
- Hooks: `lib/hooks/`
- Utils: `lib/utils/`
- Tests: `tests/unit/` and `tests/e2e/`
---
## Phase 1: Setup (Dependencies & Infrastructure)
**Purpose**: Install dependencies and create base infrastructure
- [X] T001 Install TanStack Table v8 (`@tanstack/react-table`) via npm
- [X] T002 [P] Install `nuqs` for URL state management via npm (or decide on native useSearchParams)
- [X] T003 [P] Create types file lib/types/policy-table.ts with DataTableState, FilterState, TablePreferences interfaces
- [X] T004 [P] Add composite database index for performance: (tenantId, policyType, settingName) in lib/db/schema/policySettings.ts
---
## Phase 2: Foundational (Server Actions & Data Layer)
**Purpose**: Update Server Actions to support pagination, sorting, filtering
**⚠️ CRITICAL**: This must be complete before ANY user story UI can be built
- [X] T005 Update getPolicySettings Server Action in lib/actions/policySettings.ts to accept pagination params (page, pageSize)
- [X] T006 Add sorting support to getPolicySettings (sortBy, sortDir parameters) in lib/actions/policySettings.ts
- [X] T007 Add policyTypes filter support to getPolicySettings in lib/actions/policySettings.ts
- [X] T008 Update getPolicySettings return type to include meta (totalCount, pageCount, hasNextPage, hasPreviousPage) in lib/actions/policySettings.ts
- [X] T009 Add input validation for getPolicySettings (Zod schema for params) in lib/actions/policySettings.ts
- [X] T010 Create exportPolicySettingsCSV Server Action in lib/actions/policySettings.ts (server-side CSV generation, max 5000 rows)
**Checkpoint**: Server Actions ready - UI implementation can begin
---
## Phase 3: User Story 1 - Advanced Data Table Navigation (Priority: P1) 🎯 MVP
**Goal**: Implement pagination, sorting, column management, sticky header
**Independent Test**: Load 500+ settings, paginate, sort by different columns, hide/show columns, resize columns
### Implementation for User Story 1
- [X] T011 [P] [US1] Create PolicyTableColumns.tsx in components/policy-explorer/ with column definitions (settingName, settingValue, policyName, policyType, lastSyncedAt, graphPolicyId)
- [X] T012 [P] [US1] Create usePolicyTable hook in lib/hooks/usePolicyTable.ts (TanStack Table initialization with manual pagination mode)
- [X] T013 [P] [US1] Create useTablePreferences hook in lib/hooks/useTablePreferences.ts (localStorage persistence for columnVisibility, columnSizing, density)
- [X] T014 [P] [US1] Create useURLState hook in lib/hooks/useURLState.ts (sync pagination, sorting, filters with URL query params)
- [X] T015 [US1] Create PolicyTable.tsx in components/policy-explorer/ (main table component using TanStack Table + shadcn Table primitives)
- [X] T016 [US1] Implement pagination controls in PolicyTablePagination.tsx in components/policy-explorer/ (Previous, Next, Page Numbers, Page Size selector)
- [X] T017 [US1] Implement column sorting in PolicyTable.tsx (click header to toggle ASC/DESC, visual sort indicators)
- [X] T018 [US1] Create ColumnVisibilityMenu.tsx in components/policy-explorer/ (dropdown with checkboxes to show/hide columns)
- [X] T019 [US1] Implement column resizing in PolicyTable.tsx (drag column borders, persist width to localStorage)
- [X] T020 [US1] Implement sticky table header in PolicyTable.tsx (CSS position: sticky, remains visible on scroll)
- [X] T021 [US1] Implement density mode toggle in PolicyTableToolbar.tsx (compact vs comfortable row height, persist to localStorage)
- [X] T022 [US1] Update app/(app)/search/page.tsx to fetch data with pagination/sorting params and pass to PolicyTable
**Checkpoint**: Data table with pagination, sorting, column management fully functional
---
## Phase 4: User Story 2 - Enhanced Filtering (Priority: P1)
**Goal**: Implement PolicyType filter with multi-select checkboxes
**Independent Test**: Select policy types, verify filtered results, combine with search
### Implementation for User Story 2
- [ ] T023 [P] [US2] Create PolicyTypeFilter component in components/policy-explorer/PolicyTypeFilter.tsx (multi-select checkbox dropdown)
- [ ] T024 [US2] Add PolicyTypeFilter to PolicyTableToolbar.tsx in components/policy-explorer/
- [ ] T025 [US2] Connect PolicyTypeFilter to useURLState hook (sync selected types with URL query param)
- [ ] T026 [US2] Update PolicyTable to trigger data refetch when policyTypes filter changes
- [ ] T027 [US2] Implement filter badge/chip display in PolicyTableToolbar showing active filters with clear button
- [ ] T028 [US2] Add "Clear All Filters" button to PolicyTableToolbar
**Checkpoint**: Filtering works, combines with search, persists in URL state
---
## Phase 5: User Story 3 - Bulk Export (Priority: P1)
**Goal**: Implement CSV export for selected rows (client) and all filtered results (server)
**Independent Test**: Select rows, export CSV, open in Excel, verify content and escaping
### Implementation for User Story 3
- [ ] T029 [P] [US3] Create csv-export.ts utility in lib/utils/ (client-side CSV generation with proper escaping)
- [ ] T030 [P] [US3] Add unit tests for CSV escaping (commas, quotes, newlines) in tests/unit/csv-export.test.ts
- [ ] T031 [US3] Implement row selection in PolicyTable.tsx (checkboxes for individual rows + Select All)
- [ ] T032 [US3] Create ExportButton component in components/policy-explorer/ExportButton.tsx (dropdown: "Export Selected" / "Export All Filtered")
- [ ] T033 [US3] Implement "Export Selected" action in ExportButton (client-side CSV generation, trigger download)
- [ ] T034 [US3] Implement "Export All Filtered" action in ExportButton (call exportPolicySettingsCSV Server Action, trigger download)
- [ ] T035 [US3] Add export button to PolicyTableToolbar with disabled state when no rows selected
- [ ] T036 [US3] Add warning UI when filtered results exceed 5000 rows ("Export limited to 5000 rows")
- [ ] T037 [US3] Add loading state for server-side CSV generation (spinner + progress indicator)
**Checkpoint**: CSV export works for both selected rows and filtered results with proper escaping
---
## Phase 6: User Story 4 - Enhanced Detail View (Priority: P2)
**Goal**: Add copy-to-clipboard buttons, raw JSON view, "Open in Intune" link to detail sheet
**Independent Test**: Open detail sheet, test copy buttons, view raw JSON, click Intune link
### Implementation for User Story 4
- [ ] T038 [P] [US4] Create useCopyToClipboard hook in lib/hooks/useCopyToClipboard.ts (wrapper for Clipboard API with success toast)
- [ ] T039 [P] [US4] Add unit tests for clipboard utility in tests/unit/clipboard.test.ts
- [ ] T040 [US4] Update PolicyDetailSheet.tsx in components/policy-explorer/ to add "Copy Policy ID" button
- [ ] T041 [US4] Add "Copy Setting Name" and "Copy Setting Value" buttons to PolicyDetailSheet.tsx
- [ ] T042 [US4] Add tabs to PolicyDetailSheet: "Details" and "Raw JSON"
- [ ] T043 [US4] Implement Raw JSON tab in PolicyDetailSheet showing formatted JSON with syntax highlighting
- [ ] T044 [US4] Create getIntunePortalLink utility in lib/utils/policy-table-helpers.ts (construct Intune URL by policy type)
- [ ] T045 [US4] Add "Open in Intune" button to PolicyDetailSheet (external link icon, opens in new tab)
- [ ] T046 [US4] Add fallback for "Open in Intune" when URL construction fails (copy policy ID instead)
**Checkpoint**: Detail sheet has enhanced functionality, all copy buttons work, raw JSON displays correctly
---
## Phase 7: Polish & Cross-Cutting Concerns
**Purpose**: Meta info, truncation, edge cases, accessibility, testing
- [ ] T047 [P] Create PolicyTableMeta component in components/policy-explorer/PolicyTableMeta.tsx (displays "X settings · Y policies · Last sync")
- [ ] T048 [P] Add PolicyTableMeta above table in app/(app)/search/page.tsx
- [ ] T049 [P] Implement value truncation with tooltip in PolicyTableColumns.tsx (long settingValue, graphPolicyId)
- [ ] T050 [P] Add responsive behavior: disable column resizing on mobile (<768px) in PolicyTable.tsx
- [ ] T051 [P] Add horizontal scroll for wide tables with sticky first column in PolicyTable.tsx
- [ ] T052 Add ARIA labels for accessibility (table, pagination, filters, sort buttons)
- [ ] T053 Add keyboard navigation support (arrow keys for rows, Enter to open detail sheet)
- [ ] T054 Create E2E tests for pagination in tests/e2e/policy-explorer.spec.ts
- [ ] T055 Create E2E tests for sorting in tests/e2e/policy-explorer.spec.ts
- [ ] T056 Create E2E tests for filtering in tests/e2e/policy-explorer.spec.ts
- [ ] T057 Create E2E tests for CSV export in tests/e2e/policy-explorer.spec.ts
- [ ] T058 Create E2E tests for column management in tests/e2e/policy-explorer.spec.ts
- [ ] T059 Add loading skeleton states for table, filters, export
- [ ] T060 Add error boundary for table component with retry button
- [ ] T061 Performance optimization: Add React.memo to table rows if needed
- [ ] T062 Update README.md or documentation with Policy Explorer V2 features
---
## Dependencies
### User Story Completion Order
```mermaid
graph TD
Setup[Phase 1: Setup] --> Foundation[Phase 2: Foundation]
Foundation --> US1[Phase 3: US1 - Data Table]
Foundation --> US2[Phase 4: US2 - Filtering]
Foundation --> US3[Phase 5: US3 - Export]
US1 --> US4[Phase 6: US4 - Detail View]
US1 --> Polish[Phase 7: Polish]
US2 --> Polish
US3 --> Polish
US4 --> Polish
```
**Explanation**:
- **Setup & Foundation** must complete first (T001-T010)
- **US1 (Data Table)** is the foundation for all other user stories
- **US2 (Filtering)** depends on table being functional
- **US3 (Export)** depends on row selection from US1
- **US4 (Detail View)** extends existing sheet, can happen in parallel with US2/US3
- **Polish** comes last after all core features work
### Task-Level Dependencies
**Critical Path** (must complete in order):
1. T001-T004 (setup) → T005-T010 (Server Actions)
2. T005-T010 (Server Actions) → T011-T022 (US1 table implementation)
3. T011-T022 (table) → All other user stories can begin
4. T031 (row selection) → T033-T037 (export features)
**Parallel Opportunities**:
- T001, T002, T003, T004 can run in parallel (setup tasks)
- T005-T010 can run in parallel after T004 (Server Action updates)
- T011, T012, T013, T014 can run in parallel (hooks and column definitions)
- T023, T029, T030, T038, T039, T047, T049 can run in parallel after table is functional
- T054-T058 can run in parallel during polish phase
---
## Parallel Execution Examples
### Phase 1 - Setup (All tasks in parallel)
Run these tasks simultaneously:
```bash
# Terminal 1: Install TanStack Table
npm install @tanstack/react-table
# Terminal 2: Install nuqs
npm install nuqs
# Terminal 3: Create types file
# T003 - Create lib/types/policy-table.ts
# Terminal 4: Add database index
# T004 - Update schema
```
### Phase 2 - Server Actions (After T004 completes)
Run Server Action updates in parallel:
```bash
# All T005-T010 modify lib/actions/policySettings.ts
# Can be done together or split by developer
# T005-T009: Update getPolicySettings
# T010: Create exportPolicySettingsCSV
```
### Phase 3 - US1 Foundation (After Phase 2)
Run these in parallel:
```bash
# Terminal 1: T011 - Column definitions
# Terminal 2: T012 - usePolicyTable hook
# Terminal 3: T013 - useTablePreferences hook
# Terminal 4: T014 - useURLState hook
```
### Phase 7 - Polish (After Phase 3-6 complete)
Run tests and polish tasks in parallel:
```bash
# Terminal 1: T054-T058 - E2E tests
# Terminal 2: T047, T048 - Meta info component
# Terminal 3: T049, T050, T051 - Responsive behavior
# Terminal 4: T052, T053 - Accessibility
```
---
## Implementation Strategy
### MVP Scope (Ship This First)
**Phase 3: User Story 1 - Advanced Data Table Navigation**
- This is the core value: pagination, sorting, column management
- Includes: T011-T022 (12 tasks)
- **Delivers SC-001, SC-002, SC-003**: Fast pagination, sorting, persistent settings
- **Can be shipped independently**: Provides immediate value even without filtering/export
### Incremental Delivery
1. **MVP** (Phase 3): Ship US1 data table → users can navigate large datasets
2. **V1.1** (Phase 4): Add US2 filtering → users can narrow down results by policy type
3. **V1.2** (Phase 5): Add US3 export → users can extract data for reports
4. **V1.3** (Phase 6): Add US4 enhanced detail view → power users get advanced features
5. **V2.0** (Phase 7): Polish + complete testing → production-ready
### Success Metrics (Track These)
- **SC-001**: Page load time <500ms (50 rows) Measure with Lighthouse/DevTools
- **SC-002**: Sorting performance <200ms Measure with Performance API
- **SC-003**: localStorage persistence → Test browser reload, verify settings restored
- **SC-004**: Client CSV export <2s (1000 rows) Measure download trigger time
- **SC-005**: Server CSV export <5s (5000 rows) Measure Server Action execution time
- **SC-006**: Filter + search AND logic → Verify result counts match expectations
- **SC-007**: URL state shareable → Copy URL, paste in new tab, verify identical view
- **SC-008**: Copy buttons work → Test in Chrome, Firefox, Safari, Edge
---
## Validation Checklist
Before marking tasks complete, verify:
- [ ] All Server Actions have input validation (Zod schemas)
- [ ] All Server Actions enforce tenant isolation (check user session)
- [ ] Table pagination works with 0 results, 1 result, 1000+ results
- [ ] Sorting works correctly for strings, numbers, dates
- [ ] Column visibility changes persist after browser reload
- [ ] CSV export handles special characters (commas, quotes, newlines)
- [ ] CSV export is Excel-compatible (UTF-8 BOM, proper line endings)
- [ ] URL state works with browser back/forward buttons
- [ ] Sticky header works on different viewport sizes
- [ ] Row selection persists across page changes (or clears intentionally)
- [ ] All interactive elements have keyboard support
- [ ] All interactive elements have ARIA labels
- [ ] Loading states show for all async operations
- [ ] Error states show helpful messages with retry options
- [ ] TypeScript strict mode passes (no `any` types)
- [ ] All new components use Shadcn UI primitives
---
## Notes
**About TanStack Table Integration**:
- Use "manual" pagination mode (table doesn't handle data fetching)
- Server Actions fetch data, table handles UI state only
- This keeps us constitution-compliant (server-first architecture)
**About CSV Export**:
- Client-side (<1000 rows): Fast, no server load, instant download
- Server-side (1000-5000 rows): Handles larger datasets, proper memory management
- Always include CSV header row with column names
- Use UTF-8 BOM for Excel compatibility: `\uFEFF` prefix
**About localStorage Schema**:
- Version field enables migrations when adding new preferences
- Store only user preferences, never actual data
- Handle quota exceeded gracefully (clear old data, warn user)
**About URL State**:
- Keep URLs shareable (don't include sensitive data)
- Use short query param names (p=page, ps=pageSize, sb=sortBy)
- Handle malformed URLs gracefully (validate and reset to defaults)
**Performance Considerations**:
- Add database index on (tenantId, policyType, settingName) for sorting
- Use React.memo on table rows only if profiling shows re-render issues
- Debounce search input to avoid excessive Server Action calls
- Consider virtual scrolling if page size >100 causes jank
---
**Tasks Version**: 1.0
**Last Updated**: 2025-12-09
**Total Tasks**: 62
**Estimated MVP Scope**: T001-T022 (22 tasks)

303
specs/005-backend-arch-pivot/analysis-report.md
View File

@ -1,303 +0,0 @@
# Specification Analysis Report: Feature 005 Backend Architecture Pivot
**Generated**: 2025-12-09
**Feature**: 005-backend-arch-pivot
**Analyzed Files**: spec.md, plan.md, tasks.md, constitution.md
---
## Executive Summary
**Overall Status**: ✅ **PASS** - Minor issues only
**Critical Issues**: 0
**High Priority Issues**: 0
**Medium Priority Issues**: 3
**Low Priority Issues**: 4
**Recommendation**: Safe to proceed with `/speckit.implement` after addressing 3 medium-priority issues.
---
## Analysis Findings
| ID | Category | Severity | Location(s) | Summary | Recommendation |
|----|----------|----------|-------------|---------|----------------|
| A1 | Task Count Discrepancy | MEDIUM | tasks.md:L4 vs actual count | Header claims "49 tasks" but actual count is 64 tasks (T001-T066) | Update header to "Total Tasks: 64" |
| A2 | Missing Task References | MEDIUM | plan.md | Plan describes 8 phases but doesn't reference specific task IDs consistently | Add task ID references in phase descriptions |
| A3 | Success Criteria Mismatch | MEDIUM | spec.md vs tasks.md | SC-006 mentions technology-specific details (Grep-Search) vs plan's technology-agnostic approach | Already fixed in spec.md, verify consistency |
| D1 | Terminology Drift | LOW | spec.md vs plan.md vs tasks.md | "Worker Process" vs "Worker" vs "Background Worker" used interchangeably | Standardize to "Worker Process" |
| D2 | Phase Numbering | LOW | tasks.md | Uses "Phase 1-9" but plan.md uses "Phase 0-8" | Align phase numbering between docs |
| T1 | Task Dependency Clarity | LOW | tasks.md | Parallel opportunities listed but not visualized in task list | Add [P] markers to all parallel-safe tasks |
| T2 | Missing Test Task | LOW | tasks.md Phase 8 | No test for FR-022 (optional job status endpoint) | Add note that FR-022 is out of MVP scope |
---
## Coverage Summary
### Requirements Coverage
**Total Requirements**: 26 (FR-001 to FR-026)
**Requirements with Task Coverage**: 26 (100%)
| Requirement | Has Tasks? | Task IDs | Notes |
|-------------|-----------|----------|-------|
| FR-001 (BullMQ) | ✅ | T005, T006, T007 | Install + setup |
| FR-002 (Redis Connection) | ✅ | T006 | lib/queue/redis.ts |
| FR-003 (Worker Process) | ✅ | T009 | worker/index.ts |
| FR-004 (npm Script) | ✅ | T010 | worker:start |
| FR-005 (REDIS_URL validation) | ✅ | T003, T004 | env.mjs updates |
| FR-006 (Azure AD Token) | ✅ | T015, T016 | graphAuth.ts |
| FR-007 (Graph Endpoints) | ✅ | T018-T021 | 4 endpoints |
| FR-008 (Pagination) | ✅ | T019 | fetchWithPagination |
| FR-009 (Error Retry) | ✅ | T022 | retry.ts |
| FR-010 (Settings Catalog) | ✅ | T027-T029 | parseSettingsCatalog |
| FR-011 (OMA-URI) | ✅ | T030, T031 | parseOmaUri |
| FR-012 (Deep Flattening) | ✅ | T024-T029 | policyParser.ts |
| FR-013 (Humanization) | ✅ | T032, T033 | humanizer.ts |
| FR-014 (Type Detection) | ✅ | T025 | detectPolicyType |
| FR-015 (Empty Policies) | ✅ | T034 | defaultEmptySetting |
| FR-016 (Drizzle ORM) | ✅ | T036-T040 | dbUpsert.ts |
| FR-017 (onConflictDoUpdate) | ✅ | T038 | Conflict resolution |
| FR-018 (Field Mapping) | ✅ | T040 | All required fields |
| FR-019 (lastSyncedAt) | ✅ | T039 | Timestamp update |
| FR-020 (Frontend Integration) | ✅ | T043-T045 | triggerPolicySync |
| FR-021 (Job ID Return) | ✅ | T045 | Return jobId |
| FR-022 (Status Endpoint) | ⚠️ | None | Optional, out of MVP scope |
| FR-023 (Delete policy-settings API) | ✅ | T047 | File deletion |
| FR-024 (Delete admin/tenants API) | ✅ | T048 | File deletion |
| FR-025 (Remove POLICY_API_SECRET) | ✅ | T049, T051, T053 | .env + env.mjs |
| FR-026 (Remove N8N_SYNC_WEBHOOK_URL) | ✅ | T050, T052, T054 | .env + env.mjs |
### User Story Coverage
**Total User Stories**: 4
**User Stories with Task Coverage**: 4 (100%)
| User Story | Phase | Task Coverage | Notes |
|------------|-------|---------------|-------|
| US1: Manual Policy Sync via Queue | 1, 2, 6 | T001-T014, T043-T046 | Complete |
| US2: Microsoft Graph Data Fetching | 3 | T015-T023 | Complete |
| US3: Deep Flattening & Transformation | 4 | T024-T035 | Complete |
| US4: Legacy Code Removal | 7 | T047-T055 | Complete |
### Success Criteria Coverage
**Total Success Criteria**: 8 (SC-001 to SC-008)
**Success Criteria with Task Coverage**: 8 (100%)
| Success Criterion | Mapped Tasks | Notes |
|-------------------|--------------|-------|
| SC-001: <200ms job creation | T001-T008 | Infrastructure |
| SC-002: 50 policies in <30s | T041-T042 | Full sync |
| SC-003: 100+ policy pagination | T019-T021 | fetchWithPagination |
| SC-004: >95% extraction | T024-T035 | Parser validation |
| SC-005: Auto-retry on errors | T022-T023 | Exponential backoff |
| SC-006: Zero n8n references | T047-T055 | Legacy cleanup |
| SC-007: Worker stable 1h+ | T061, T066 | E2E + deployment |
| SC-008: No data loss | T041-T042 | Upsert logic |
---
## Constitution Alignment Issues
**Status**: ✅ **NO VIOLATIONS**
All constitution principles are properly addressed in the plan:
| Principle | Compliance | Evidence |
|-----------|-----------|----------|
| I. Server-First Architecture | ✅ | Worker = background Server Action pattern |
| II. TypeScript Strict Mode | ✅ | All worker code in strict mode (plan.md L79) |
| III. Drizzle ORM Integration | ✅ | FR-016, T036-T040 |
| IV. Shadcn UI Components | ✅ | No UI changes (plan.md L81) |
| V. Azure AD Multi-Tenancy | ✅ | Uses existing Azure AD Client Credentials |
---
## Unmapped Tasks
**Status**: ✅ All tasks mapped to requirements
No orphan tasks found - all 64 tasks trace back to functional requirements or user stories.
---
## Ambiguity Detection
### Vague Language Found
| Location | Term | Issue | Recommendation |
|----------|------|-------|----------------|
| spec.md:L182 | "stabil" | Undefined stability metric | Already addressed by SC-007 (1+ hour, 10+ jobs) |
| spec.md:L199 | "dokumentiert oder nachvollziehbar" | Unclear validation method | Add task to document n8n logic extraction process |
### Unresolved Placeholders
**Status**: ✅ No placeholders found (no TODO, TKTK, ???, `<placeholder>`)
---
## Inconsistency Detection
### Terminology Drift
| Term Variations | Occurrences | Standard Form | Action |
|-----------------|-------------|---------------|--------|
| Worker Process / Worker / Background Worker | spec.md (3), plan.md (5), tasks.md (2) | Worker Process | Update all to "Worker Process" |
| BullMQ / Bull MQ / Job Queue | spec.md (2), tasks.md (1) | BullMQ | Already consistent |
| Redis / Redis Queue / In-Memory Store | Various | Redis | Already consistent |
### Phase Numbering Mismatch
**Issue**: plan.md uses "Phase 0-8" (9 phases) but tasks.md uses "Phase 1-9" (9 phases)
**Impact**: MEDIUM - Confusing for developers
**Recommendation**: Standardize to "Phase 1-9" in both documents (remove "Phase 0" concept)
### Data Entity Inconsistencies
**Status**: ✅ No conflicts
All entities (SyncJobPayload, GraphPolicyResponse, FlattenedSetting) consistently defined.
---
## Duplication Detection
### Near-Duplicate Requirements
**Status**: ✅ No duplicates found
All 26 functional requirements are distinct and non-overlapping.
### Redundant Tasks
| Task Pair | Similarity | Analysis | Action |
|-----------|----------|----------|--------|
| T003 + T004 | Both update lib/env.mjs | Intentional (schema vs runtime) | Keep separate |
| T049-T050 + T051-T054 | All remove env vars | Intentional (different locations) | Keep separate |
---
## Underspecification Issues
### Requirements Missing Measurable Criteria
| Requirement | Issue | Recommendation |
|-------------|-------|----------------|
| FR-009 | "max 3 Versuche" - no backoff timing specified | Add to technical-notes.md (already present) |
| FR-013 | Humanization rules not fully specified | Acceptable - examples provided, edge cases handled in code |
### User Stories Missing Acceptance Criteria
**Status**: ✅ All user stories have 5 acceptance scenarios each
### Tasks with No Validation
| Task | Issue | Recommendation |
|------|-------|----------------|
| T011 | Worker event handlers - no validation criteria | Add validation: "Verify logs appear for completed/failed/error events" |
| T012 | Structured logging - format not specified | Add validation: "Verify JSON format with required fields (event, jobId, timestamp)" |
---
## Metrics
- **Total Requirements**: 26
- **Total User Stories**: 4
- **Total Tasks**: 64 (header claims 49 - needs update)
- **Total Success Criteria**: 8
- **Requirements Coverage**: 100% (26/26 have tasks)
- **User Story Coverage**: 100% (4/4 have tasks)
- **Success Criteria Coverage**: 100% (8/8 mapped)
- **Ambiguity Count**: 2 (minor)
- **Duplication Count**: 0
- **Critical Issues**: 0
- **Constitution Violations**: 0
---
## Next Actions
### ✅ FIXED (3 Issues Resolved)
1. **A1: Task Count Updated** - Changed tasks.md header from "49 tasks" to "64 tasks" ✅
2. **A2: Task References Added** - Added task ID references to all phase descriptions in plan.md ✅
3. **D2: Phase Numbering Aligned** - Standardized phase numbering (1-9 in both plan and tasks) ✅
### SHOULD FIX (Quality Improvements)
4. **D1: Standardize Terminology** - Replace all instances of "Worker" with "Worker Process"
5. **T1: Mark Parallel Tasks** - Add [P] markers to tasks that can run in parallel
6. **T2: Document FR-022 Scope** - Add note that job status endpoint is Phase 2 feature
### OPTIONAL (Nice to Have)
7. Add validation criteria to T011 and T012
8. Document n8n logic extraction process (for "nachvollziehbar" assumption)
---
## Implementation Status
✅ **READY FOR IMPLEMENTATION**
All medium-priority issues resolved. Feature 005 is ready for Phase 1 implementation (T001-T008: Setup & Infrastructure).
---
## Remediation Suggestions
### Fix A1: Task Count Header
**File**: `specs/005-backend-arch-pivot/tasks.md`
**Line 4**: Change from:
```markdown
**Total Tasks**: 49
```
To:
```markdown
**Total Tasks**: 64
```
---
### Fix D2: Phase Numbering
**Option 1** (Recommended): Rename "Phase 0" to "Phase 1" in plan.md
**Option 2**: Rename "Phase 1" to "Phase 0" in tasks.md
**Recommendation**: Use Option 1 (start with Phase 1 for consistency with task numbering)
---
## Conclusion
**Overall Quality**: HIGH
**Readiness**: ✅ **READY FOR IMPLEMENTATION** after addressing 3 medium-priority issues
**Strengths**:
- 100% requirement coverage
- 100% user story coverage
- Zero constitution violations
- Clear traceability from spec → plan → tasks
- Comprehensive technical notes
- Well-defined success criteria
**Weaknesses**:
- Minor task count discrepancy (easily fixable)
- Phase numbering mismatch (cosmetic)
- Some terminology drift (non-blocking)
**Risk Assessment**: LOW - Issues are documentation-only, no architectural or design flaws detected.
---
**Report Status**: ✅ Complete
**Next Step**: Address 3 medium-priority fixes, then proceed with implementation

50
specs/005-backend-arch-pivot/checklists/requirements.md
View File

@ -1,50 +0,0 @@
# Specification Quality Checklist: Backend Architecture Pivot
**Purpose**: Validate specification completeness and quality before proceeding to planning
**Created**: 2025-12-09
**Feature**: [spec.md](../spec.md)
**Status**: ✅ VALIDATED (2025-12-09)
## Content Quality
- [x] No implementation details (languages, frameworks, APIs)
- [x] Focused on user value and business needs
- [x] Written for non-technical stakeholders
- [x] All mandatory sections completed
## Requirement Completeness
- [x] No [NEEDS CLARIFICATION] markers remain
- [x] Requirements are testable and unambiguous
- [x] Success criteria are measurable
- [x] Success criteria are technology-agnostic (no implementation details)
- [x] All acceptance scenarios are defined
- [x] Edge cases are identified
- [x] Scope is clearly bounded
- [x] Dependencies and assumptions identified
## Feature Readiness
- [x] All functional requirements have clear acceptance criteria
- [x] User scenarios cover primary flows
- [x] Feature meets measurable outcomes defined in Success Criteria
- [x] No implementation details leak into specification
## Validation Summary
**Date**: 2025-12-09
**Result**: ✅ ALL CHECKS PASSED
**Actions Taken**:
1. Removed all code examples from spec.md and moved to separate technical-notes.md
2. Rewrote Success Criteria to be technology-agnostic (removed references to Redis, BullMQ, Grep-Search, etc.)
3. Updated Dependencies section to be library-agnostic (e.g., "Job Queue System" instead of "BullMQ")
4. Simplified Technical Notes section to high-level architecture overview only
**Quality Improvements**:
- Spec is now fully business-focused and stakeholder-friendly
- Technical implementation details isolated in separate document
- Success criteria focus on user-visible outcomes and system behavior
- All mandatory sections complete with clear acceptance scenarios
**Ready for**: `/speckit.plan` command to generate implementation plan

767
specs/005-backend-arch-pivot/plan.md
View File

@ -1,767 +0,0 @@
# Implementation Plan: Backend Architecture Pivot
**Feature Branch**: `005-backend-arch-pivot`
**Created**: 2025-12-09
**Spec**: [spec.md](./spec.md)
**Status**: Ready for Implementation
---
## Executive Summary
**Goal**: Migrate from n8n Low-Code backend to TypeScript Code-First backend with BullMQ job queue for Policy synchronization.
**Impact**: Removes external n8n dependency, improves maintainability, enables AI-assisted refactoring, and provides foundation for future scheduled sync features.
**Complexity**: HIGH - Requires new infrastructure (Redis, BullMQ), worker process deployment, and careful data transformation logic porting.
---
## Technical Context
### Current Architecture (n8n-based)
```
User clicks "Sync Now"
Server Action: triggerPolicySync()
HTTP POST → n8n Webhook (N8N_SYNC_WEBHOOK_URL)
n8n Workflow:
1. Microsoft Graph Authentication
2. Fetch Policies (4 endpoints with pagination)
3. JavaScript Code Node: Deep Flattening Logic
4. HTTP POST → TenantPilot Ingestion API
API Route: /api/policy-settings (validates POLICY_API_SECRET)
Drizzle ORM: Insert/Update policy_settings table
```
**Problems**:
- External dependency (n8n instance required)
- Complex transformation logic hidden in n8n Code Node
- Hard to test, version control, and refactor
- No AI assistance for n8n code
- Additional API security layer needed (POLICY_API_SECRET)
### Target Architecture (BullMQ-based)
```
User clicks "Sync Now"
Server Action: triggerPolicySync()
BullMQ: Add job to Redis queue "intune-sync-queue"
Worker Process (TypeScript):
1. Microsoft Graph Authentication (@azure/identity)
2. Fetch Policies (4 endpoints with pagination)
3. TypeScript: Deep Flattening Logic
4. Drizzle ORM: Direct Insert/Update
Database: policy_settings table
```
**Benefits**:
- No external dependencies (Redis only)
- All logic in TypeScript (version-controlled, testable)
- AI-assisted refactoring possible
- Simpler security model (no API bridge)
- Foundation for scheduled syncs
---
## Constitution Check *(mandatory)*
### Compliance Verification
| Principle | Status | Notes |
|-----------|--------|-------|
| **I. Server-First Architecture** | ✅ COMPLIANT | Worker uses Server Actions pattern (background job processing), no client fetches |
| **II. TypeScript Strict Mode** | ✅ COMPLIANT | All worker code in TypeScript strict mode, fully typed Graph API responses |
| **III. Drizzle ORM Integration** | ✅ COMPLIANT | Worker uses Drizzle for all DB operations, no raw SQL |
| **IV. Shadcn UI Components** | ✅ COMPLIANT | No UI changes (frontend only triggers job, uses existing components) |
| **V. Azure AD Multi-Tenancy** | ✅ COMPLIANT | Uses existing Azure AD Client Credentials for Graph API access |
### Risk Assessment
**HIGH RISK**: Worker deployment as separate process (requires Docker Compose update, PM2/Systemd config)
**MEDIUM RISK**: Graph API rate limiting handling (needs robust retry logic)
**LOW RISK**: BullMQ integration (well-documented library, standard Redis setup)
### Justification
Architecture pivot necessary to:
1. Remove external n8n dependency (reduces operational complexity)
2. Enable AI-assisted development (TypeScript vs. n8n visual flows)
3. Improve testability (unit/integration tests for worker logic)
4. Prepare for Phase 2 features (scheduled syncs, multi-tenant parallel processing)
**Approved**: Constitution compliance verified, complexity justified by maintainability gains.
---
## File Tree & Changes
```
tenantpilot/
├── .env # [MODIFIED] Add REDIS_URL, remove POLICY_API_SECRET + N8N_SYNC_WEBHOOK_URL
├── (Redis provided by deployment) # No `docker-compose.yml` required; ensure `REDIS_URL` is set by Dokploy
├── package.json # [MODIFIED] Add bullmq, ioredis, @azure/identity, tsx dependencies
├── lib/
│ ├── env.mjs # [MODIFIED] Add REDIS_URL validation, remove POLICY_API_SECRET + N8N_SYNC_WEBHOOK_URL
│ ├── queue/
│ │ ├── redis.ts # [NEW] Redis connection for BullMQ
│ │ └── syncQueue.ts # [NEW] BullMQ Queue definition for "intune-sync-queue"
│ └── actions/
│ └── policySettings.ts # [MODIFIED] Replace n8n webhook call with BullMQ job creation
├── worker/
│ ├── index.ts # [NEW] BullMQ Worker entry point
│ ├── jobs/
│ │ ├── syncPolicies.ts # [NEW] Main sync orchestration logic
│ │ ├── graphAuth.ts # [NEW] Azure AD token acquisition
│ │ ├── graphFetch.ts # [NEW] Microsoft Graph API calls with pagination
│ │ ├── policyParser.ts # [NEW] Deep flattening & transformation logic
│ │ └── dbUpsert.ts # [NEW] Drizzle ORM upsert operations
│ └── utils/
│ ├── humanizer.ts # [NEW] Setting ID humanization
│ └── retry.ts # [NEW] Exponential backoff retry logic
├── app/api/
│ ├── policy-settings/
│ │ └── route.ts # [DELETED] n8n ingestion API no longer needed
│ └── admin/
│ └── tenants/
│ └── route.ts # [DELETED] n8n polling API no longer needed
└── specs/005-backend-arch-pivot/
├── spec.md # ✅ Complete
├── plan.md # 📝 This file
├── technical-notes.md # ✅ Complete (implementation reference)
└── tasks.md # 🔜 Generated next
```
---
## Phase Breakdown
### Phase 1: Setup & Infrastructure (T001-T008)
**Goal**: Prepare environment, install dependencies, and wire the app to the provisioned Redis instance
**Tasks**:
- T001: Confirm `REDIS_URL` is provided by Dokploy and obtain connection details
- T002-T004: Add `REDIS_URL` to local `.env` (for development) and to `lib/env.mjs` runtime validation
- T005: Install npm packages: `bullmq`, `ioredis`, `@azure/identity`, `tsx`
- T006-T007: Create Redis connection and BullMQ Queue
- T008: Test infrastructure (connect to provided Redis from local/dev environment)
**Deliverables**:
- Connection details for Redis from Dokploy documented
- Environment variables validated (local + deploy)
- Dependencies in `package.json`
- Queue operational using the provided Redis
**Exit Criteria**: `npm run dev` starts without env validation errors and the queue accepts jobs against the provided Redis
---
### Phase 2: Worker Process Skeleton (T009-T014)ntry point and basic job processing infrastructure
**Tasks**:
- T009: Create `worker/index.ts` - BullMQ Worker entry point
- T010-T012: Add npm script, event handlers, structured logging
- T013: Create sync orchestration skeleton
- T014: Test worker startup
**Deliverables**:
- Worker process can be started via `npm run worker:start`
- Jobs flow from queue → worker
- Event logging operational
**Exit Criteria**: Worker logs "Processing job X" when job is added to queue
---
### Phase 3: Microsoft Graph Integration (T015-T023)ion and Microsoft Graph API data fetching with pagination
**Tasks**:
- T015-T017: Create `worker/jobs/graphAuth.ts` - Azure AD token acquisition
- T018-T021: Create `worker/jobs/graphFetch.ts` - Fetch from 4 endpoints with pagination
- T022: Create `worker/utils/retry.ts` - Exponential backoff
- T023: Test with real tenant data
**Deliverables**:
- `getGraphAccessToken()` returns valid token
- `fetchAllPolicies()` returns all policies from 4 endpoints
- Pagination handled correctly (follows `@odata.nextLink`)
- Rate limiting handled with retry
**Exit Criteria**: Worker successfully fetches >50 policies for test tenant
---
### Phase 4: Data Transformation (T024-T035)
**Goal**: Port n8n flattening logic to TypeScript
**Tasks**:
1. Create `worker/jobs/policyParser.ts` - Policy type detection & routing
2. Implement Settings Catalog parser (`settings[]` → flat key-value)
3. Implement OMA-URI parser (`omaSettings[]` → flat key-value)
4. Create `worker/utils/humanizer.ts` - Setting ID humanization
5. Handle empty policies (default placeholder setting)
6. Test: Parse sample policies, verify output structure
**Deliverables**:
- `parsePolicySettings()` converts Graph response → FlattenedSetting[]
- Humanizer converts technical IDs → readable names
- Empty policies get "(No settings configured)" entry
**Exit Criteria**: 95%+ of sample settings are correctly extracted and formatted
---
### Phase 5: Database Persistence (T036-T043)
**Goal**: Implement Drizzle ORM upsert logic
**Tasks**:
1. Create `worker/jobs/dbUpsert.ts` - Batch upsert with conflict resolution
2. Use existing `policy_settings` table schema
3. Leverage `policy_settings_upsert_unique` constraint (tenantId + graphPolicyId + settingName)
4. Update `lastSyncedAt` on every sync
5. Test: Run full sync, verify data in DB
**Deliverables**:
- `upsertPolicySettings()` inserts new & updates existing settings
- No duplicate settings created
- `lastSyncedAt` updated correctly
**Exit Criteria**: Full sync for test tenant completes successfully, data visible in DB
---
### Phase 6: Frontend Integration (T044-T051)
**Goal**: Replace n8n webhook with BullMQ job creation
**Tasks**:
1. Modify `lib/actions/policySettings.ts``triggerPolicySync()`
2. Remove n8n webhook call (`fetch(env.N8N_SYNC_WEBHOOK_URL)`)
3. Replace with BullMQ job creation (`syncQueue.add(...)`)
4. Return job ID to frontend
5. Test: Click "Sync Now", verify job created & processed
**Deliverables**:
- "Sync Now" button triggers BullMQ job
- User sees immediate feedback (no blocking)
- Worker processes job in background
**Exit Criteria**: End-to-end sync works from UI → Queue → Worker → DB
---
### Phase 7: Legacy Cleanup (T052-T056)
**Goal**: Remove all n8n-related code and configuration
**Tasks**:
1. Delete `app/api/policy-settings/route.ts` (n8n ingestion API)
2. Delete `app/api/admin/tenants/route.ts` (n8n polling API)
3. Remove `POLICY_API_SECRET` from `.env` and `lib/env.mjs`
4. Remove `N8N_SYNC_WEBHOOK_URL` from `.env` and `lib/env.mjs`
5. Grep search for remaining references (should be 0)
6. Update documentation (remove n8n setup instructions)
**Deliverables**:
- No n8n-related files in codebase
- No n8n-related env vars
- Clean grep search results
**Exit Criteria**: `grep -r "POLICY_API_SECRET\|N8N_SYNC_WEBHOOK_URL" .` returns 0 results (excluding specs/)
---
### Phase 8: Testing & Validation (T057-T061)
**Goal**: Comprehensive testing of new architecture
**Tasks**:
1. Unit tests for flattening logic
2. Integration tests for worker jobs
3. End-to-end test: UI → Queue → Worker → DB
4. Load test: 100+ policies sync
5. Error handling test: Graph API failures, Redis unavailable
6. Memory leak test: Worker runs 1+ hour with 10+ jobs
**Deliverables**:
- Test suite with >80% coverage for worker code
- All edge cases verified
- Performance benchmarks met (SC-001 to SC-008)
**Exit Criteria**: All tests pass, no regressions in existing features
---
### Phase 9: Deployment (T062-T066)
**Goal**: Deploy worker process to production
**Tasks**:
1. Ensure `REDIS_URL` is set in production (provided by Dokploy) — no Docker Compose Redis required
2. Configure worker as background service (PM2, Systemd, or Docker)
3. Set `REDIS_URL` in production environment
4. Monitor worker logs for first production sync
5. Verify sync completes successfully
6. Document worker deployment process
**Deliverables**:
- Worker running as persistent service
- Redis accessible from worker
- Production sync successful
**Exit Criteria**: Production sync works end-to-end, no errors in logs
---
## Key Technical Decisions
### 1. BullMQ vs. Other Queue Libraries
**Decision**: Use BullMQ
**Rationale**:
- Modern, actively maintained (vs. Kue, Bull)
- TypeScript-first design
- Built-in retry, rate limiting, priority queues
- Excellent documentation
- Redis-based (simpler than RabbitMQ/Kafka)
**Alternatives Considered**:
- **Bee-Queue**: Lighter but less features
- **Agenda**: MongoDB-based (adds extra dependency)
- **AWS SQS**: Vendor lock-in, requires AWS setup
---
### 2. Worker Process Architecture
**Decision**: Single worker process, sequential job processing (concurrency: 1)
**Rationale**:
- Simpler implementation (no race conditions)
- Microsoft Graph rate limits per tenant
- Database upsert logic easier without concurrency
- Can scale later if needed (multiple workers)
**Alternatives Considered**:
- **Parallel Processing**: Higher complexity, potential conflicts
- **Lambda/Serverless**: Cold starts, harder debugging
---
### 3. Token Acquisition Strategy
**Decision**: Use `@azure/identity` ClientSecretCredential
**Rationale**:
- Official Microsoft library
- Handles token refresh automatically
- TypeScript support
- Simpler than manual OAuth flow
**Alternatives Considered**:
- **Manual fetch()**: More code, error-prone
- **MSAL Node**: Overkill for server-side client credentials
---
### 4. Flattening Algorithm
**Decision**: Port n8n logic 1:1 initially, refactor later
**Rationale**:
- Minimize risk (proven logic)
- Faster migration (no re-design needed)
- Can optimize in Phase 2 after validation
**Alternatives Considered**:
- **Re-design from scratch**: Higher risk, longer timeline
---
### 5. Database Schema Changes
**Decision**: No schema changes needed
**Rationale**:
- Existing `policy_settings` table has required fields
- UNIQUE constraint already supports upsert logic
- `lastSyncedAt` field exists for tracking
**Alternatives Considered**:
- **Add job tracking table**: Overkill for MVP (BullMQ handles this)
---
## Data Flow Diagrams
### Current Flow (n8n)
```mermaid
sequenceDiagram
participant User
participant UI as Next.js UI
participant SA as Server Action
participant n8n as n8n Webhook
participant API as Ingestion API
participant DB as PostgreSQL
User->>UI: Click "Sync Now"
UI->>SA: triggerPolicySync(tenantId)
SA->>n8n: POST /webhook
n8n->>n8n: Fetch Graph API
n8n->>n8n: Transform Data
n8n->>API: POST /api/policy-settings
API->>API: Validate API Secret
API->>DB: Insert/Update
DB-->>API: Success
API-->>n8n: 200 OK
n8n-->>SA: 200 OK
SA-->>UI: Success
UI-->>User: Toast "Sync started"
```
### Target Flow (BullMQ)
```mermaid
sequenceDiagram
participant User
participant UI as Next.js UI
participant SA as Server Action
participant Queue as Redis Queue
participant Worker as Worker Process
participant Graph as MS Graph API
participant DB as PostgreSQL
User->>UI: Click "Sync Now"
UI->>SA: triggerPolicySync(tenantId)
SA->>Queue: Add job "sync-tenant"
Queue-->>SA: Job ID
SA-->>UI: Success (immediate)
UI-->>User: Toast "Sync started"
Note over Worker: Background Processing
Worker->>Queue: Pick job
Worker->>Graph: Fetch policies
Graph-->>Worker: Policy data
Worker->>Worker: Transform data
Worker->>DB: Upsert settings
DB-->>Worker: Success
Worker->>Queue: Mark job complete
```
---
## Environment Variables
### Changes Required
**Add**:
```bash
REDIS_URL=redis://localhost:6379
```
**Remove**:
```bash
# Delete these lines:
POLICY_API_SECRET=...
N8N_SYNC_WEBHOOK_URL=...
```
### Updated `lib/env.mjs`
```typescript
export const env = createEnv({
server: {
DATABASE_URL: z.string().url(),
NEXTAUTH_SECRET: z.string().min(1),
NEXTAUTH_URL: z.string().url(),
AZURE_AD_CLIENT_ID: z.string().min(1),
AZURE_AD_CLIENT_SECRET: z.string().min(1),
REDIS_URL: z.string().url(), // ADD THIS
RESEND_API_KEY: z.string().optional(),
STRIPE_SECRET_KEY: z.string().optional(),
// ... other Stripe vars
// REMOVE: POLICY_API_SECRET
// REMOVE: N8N_SYNC_WEBHOOK_URL
},
client: {},
runtimeEnv: {
DATABASE_URL: process.env.DATABASE_URL,
NEXTAUTH_SECRET: process.env.NEXTAUTH_SECRET,
NEXTAUTH_URL: process.env.NEXTAUTH_URL,
AZURE_AD_CLIENT_ID: process.env.AZURE_AD_CLIENT_ID,
AZURE_AD_CLIENT_SECRET: process.env.AZURE_AD_CLIENT_SECRET,
REDIS_URL: process.env.REDIS_URL, // ADD THIS
RESEND_API_KEY: process.env.RESEND_API_KEY,
STRIPE_SECRET_KEY: process.env.STRIPE_SECRET_KEY,
// ... other vars
},
});
```
---
## Testing Strategy
### Unit Tests
**Target Coverage**: 80%+ for worker code
**Files to Test**:
- `worker/utils/humanizer.ts` - Setting ID transformation
- `worker/jobs/policyParser.ts` - Flattening logic
- `worker/utils/retry.ts` - Backoff algorithm
**Example**:
```typescript
describe('humanizeSettingId', () => {
it('removes vendor prefix', () => {
expect(humanizeSettingId('device_vendor_msft_policy_config_wifi'))
.toBe('Wifi');
});
});
```
---
### Integration Tests
**Target**: Full worker job processing
**Scenario**:
1. Mock Microsoft Graph API responses
2. Add job to queue
3. Verify worker processes job
4. Check database for inserted settings
**Example**:
```typescript
describe('syncPolicies', () => {
it('fetches and stores policies', async () => {
await syncPolicies('test-tenant-123');
const settings = await db.query.policySettings.findMany({
where: eq(policySettings.tenantId, 'test-tenant-123'),
});
expect(settings.length).toBeGreaterThan(0);
});
});
```
---
### End-to-End Test
**Scenario**:
1. Start Redis + Worker
2. Login to UI
3. Navigate to `/search`
4. Click "Sync Now"
5. Verify:
- Job created in Redis
- Worker picks up job
- Database updated
- UI shows success message
---
## Rollback Plan
**If migration fails in production**:
1. **Immediate**: Revert to previous Docker image (with n8n integration)
2. **Restore env vars**: Re-add `POLICY_API_SECRET` and `N8N_SYNC_WEBHOOK_URL`
3. **Verify**: n8n webhook accessible, sync works
4. **Post-mortem**: Document failure reason, plan fixes
**Data Safety**: No data loss risk (upsert logic preserves existing data)
---
## Performance Targets
Based on Success Criteria (SC-001 to SC-008):
| Metric | Target | Measurement |
|--------|--------|-------------|
| Job Creation | <200ms | Server Action response time |
| Sync Duration (50 policies) | <30s | Worker job duration |
| Setting Extraction | >95% | Manual validation with sample data |
| Worker Stability | 1+ hour, 10+ jobs | Memory profiling |
| Pagination | 100% | Test with 100+ policies tenant |
---
## Dependencies
### npm Packages
```json
{
"dependencies": {
"bullmq": "^5.0.0",
"ioredis": "^5.3.0",
"@azure/identity": "^4.0.0"
},
"devDependencies": {
"tsx": "^4.0.0"
}
}
```
### Infrastructure
- **Redis**: 7.x (via Docker or external service)
- **Node.js**: 20+ (for worker process)
---
## Monitoring & Observability
### Worker Logs
**Format**: Structured JSON logs
**Key Events**:
- Job started: `{ event: "job_start", jobId, tenantId, timestamp }`
- Job completed: `{ event: "job_complete", jobId, duration, settingsCount }`
- Job failed: `{ event: "job_failed", jobId, error, stack }`
**Storage**: Write to file or stdout (captured by Docker/PM2)
---
### Health Check Endpoint
**Path**: `/api/worker-health`
**Response**:
```json
{
"status": "healthy",
"queue": {
"waiting": 2,
"active": 1,
"completed": 45,
"failed": 3
}
}
```
**Use Case**: Monitoring dashboard, uptime checks
---
## Documentation Updates
**Files to Update**:
1. `README.md` - Add worker deployment instructions
2. `DEPLOYMENT.md` - Document Redis setup, worker config
3. `specs/002-manual-policy-sync/` - Mark as superseded by 005
**New Documentation**:
1. `docs/worker-deployment.md` - Step-by-step worker setup
2. `docs/troubleshooting.md` - Common worker issues & fixes
---
## Open Questions & Risks
### Q1: Redis Hosting Strategy
**Question**: Self-hosted Redis or managed service (e.g., Upstash, Redis Cloud)?
**Options**:
- Docker Compose (simple, dev-friendly)
- Upstash (serverless, paid but simple)
- Self-hosted on VPS (more control, more ops)
**Recommendation**: Start with Docker Compose, migrate to managed service if scaling needed
---
### Q2: Worker Deployment Method
**Question**: How to deploy worker in production?
**Options**:
- PM2 (Node process manager)
- Systemd (Linux service)
- Docker container (consistent with app)
**Recommendation**: Docker container (matches Next.js deployment strategy)
---
### Q3: Job Failure Notifications
**Question**: How to notify admins when sync jobs fail?
**Options**:
- Email via Resend (already integrated)
- In-app notification system (Phase 2)
- External monitoring (e.g., Sentry)
**Recommendation**: Start with logs only, add notifications in Phase 2
---
## Success Metrics
| Metric | Target | Status |
|--------|--------|--------|
| n8n dependency removed | Yes | 🔜 |
| All tests passing | 100% | 🔜 |
| Production sync successful | Yes | 🔜 |
| Worker uptime | >99% | 🔜 |
| Zero data loss | Yes | 🔜 |
---
## Timeline Estimate
| Phase | Duration | Dependencies |
|-------|----------|--------------|
| 0. Pre-Implementation | 1h | None |
| 1. Queue Infrastructure | 2h | Phase 0 |
| 2. Graph Integration | 4h | Phase 1 |
| 3. Data Transformation | 6h | Phase 2 |
| 4. Database Persistence | 3h | Phase 3 |
| 5. Frontend Integration | 2h | Phase 4 |
| 6. Legacy Cleanup | 2h | Phase 5 |
| 7. Testing & Validation | 4h | Phases 1-6 |
| 8. Deployment | 3h | Phase 7 |
| **Total** | **~27h** | **~3-4 days** |
---
## Next Steps
1. ✅ Generate `tasks.md` with detailed task breakdown
2. 🔜 Start Phase 0: Install Redis, update env vars
3. 🔜 Implement Phase 1: Queue infrastructure
4. 🔜 Continue through Phase 8: Deployment
---
**Plan Status**: ✅ Ready for Task Generation
**Approved by**: Technical Lead (pending)
**Last Updated**: 2025-12-09

236
specs/005-backend-arch-pivot/spec.md
View File

@ -1,236 +0,0 @@
# Feature Specification: Backend Architecture Pivot
**Feature Branch**: `005-backend-arch-pivot`
**Created**: 2025-12-09
**Status**: Draft
**Input**: "Backend Architecture Pivot (n8n Removal & BullMQ Implementation) - Remove n8n legacy code, implement BullMQ job queue with Redis, port sync logic to TypeScript worker"
## Overview
Migration von einer Low-Code-Backend-Architektur (n8n) zu einem Code-First-Backend mit BullMQ Job Queue und TypeScript Worker. Die komplexe Microsoft Graph Synchronisations-Logik wird direkt in TypeScript implementiert, um Wartbarkeit, Testbarkeit und AI-gestütztes Refactoring zu maximieren.
## User Scenarios & Testing *(mandatory)*
### User Story 1 - Manual Policy Sync via Queue (Priority: P1)
Als Intune-Admin möchte ich auf "Sync Now" klicken und erwarten, dass die Synchronisation asynchron in einem Worker-Prozess ausgeführt wird, damit die UI nicht blockiert und ich sofort weiterarbeiten kann.
**Why this priority**: Core-Funktionalität - ohne funktionierenden Sync ist das gesamte Feature unbrauchbar. Queue-basierte Architektur ist Grundlage für spätere Scheduled Syncs.
**Independent Test**: Click "Sync Now", check Redis for job, observe worker logs, verify database updates.
**Acceptance Scenarios**:
1. **Given** der Admin ist auf `/search` eingeloggt, **When** er auf "Sync Now" klickt, **Then** wird ein Job in die Redis Queue eingestellt (keine Wartezeit für den User).
2. **Given** ein Sync-Job wurde erstellt, **When** der Worker-Prozess läuft, **Then** nimmt er den Job aus der Queue und beginnt die Synchronisation.
3. **Given** der Worker führt einen Sync aus, **When** die Synchronisation erfolgreich abgeschlossen ist, **Then** werden alle Policy Settings in der Datenbank aktualisiert (Insert oder Update via `onConflictDoUpdate`).
4. **Given** der Worker synchronisiert Policies, **When** ein Fehler auftritt (z.B. Graph API Timeout), **Then** wird der Job in einen "failed" State versetzt und der Fehler wird geloggt (kein Silent Fail).
5. **Given** der Admin hat mehrere Sync-Jobs gestartet, **When** der Worker mehrere Jobs in der Queue findet, **Then** werden sie sequenziell abgearbeitet (keine parallelen Syncs pro Tenant).
---
### User Story 2 - Microsoft Graph Data Fetching (Priority: P1)
Als System möchte ich alle relevanten Policy-Typen von Microsoft Graph API abrufen können (Device Configurations, Compliance Policies, Configuration Policies, Intents), damit alle Intune-Settings analysierbar sind.
**Why this priority**: Datenbeschaffung ist essentiell - ohne vollständigen Fetch fehlen Policies in der Analyse.
**Independent Test**: Run worker with test tenant, verify all policy types are fetched, check pagination handling.
**Acceptance Scenarios**:
1. **Given** der Worker startet einen Sync, **When** er ein Access Token anfordert, **Then** nutzt er den Azure AD Client Credentials Flow mit `AZURE_AD_CLIENT_ID` und `AZURE_AD_CLIENT_SECRET`.
2. **Given** der Worker hat ein gültiges Token, **When** er Policies abruft, **Then** fetcht er alle relevanten Endpoints:
- `/deviceManagement/deviceConfigurations`
- `/deviceManagement/deviceCompliancePolicies`
- `/deviceManagement/configurationPolicies`
- `/deviceManagement/intents`
3. **Given** eine Graph API Response hat `@odata.nextLink`, **When** der Worker die Response verarbeitet, **Then** folgt er dem Link und lädt alle Seiten bis keine `nextLink` mehr vorhanden ist.
4. **Given** ein Policy Object wird von Graph zurückgegeben, **When** der Worker es parst, **Then** extrahiert er `id`, `displayName`, `@odata.type`, `lastModifiedDateTime` und Policy-spezifische Settings.
5. **Given** der Graph API Call schlägt fehl (401, 429, 500), **When** der Fehler auftritt, **Then** wird ein Retry mit Exponential Backoff durchgeführt (max 3 Versuche).
---
### User Story 3 - Deep Flattening & Data Transformation (Priority: P1)
Als System möchte ich komplexe verschachtelte Policy-Objekte in flache Key-Value-Paare transformieren können, damit sie in der `policy_settings` Tabelle gespeichert und durchsucht werden können.
**Why this priority**: Core Transformation Logic - ohne Flattening können verschachtelte Settings nicht analysiert werden.
**Independent Test**: Run parser with sample Graph responses, verify flattened output matches expected structure.
**Acceptance Scenarios**:
1. **Given** der Worker hat Policy-Daten von Graph erhalten, **When** er ein Settings Catalog Policy verarbeitet (`#microsoft.graph.deviceManagementConfigurationPolicy`), **Then** iteriert er über `settings[]` und extrahiert `settingDefinitionId` und `value`.
2. **Given** ein Policy enthält verschachtelte Objekte (z.B. `value.simple.value` oder `value.children[]`), **When** der Flattening-Algorithmus läuft, **Then** wird jede verschachtelte Ebene mit Dot-Notation als Key dargestellt (z.B. `wifi.ssid.value`).
3. **Given** der Worker verarbeitet ein OMA-URI Policy, **When** er `omaSettings[]` findet, **Then** extrahiert er `omaUri` als Setting Name und `value` als Setting Value.
4. **Given** ein Setting Key enthält technische Bezeichner (z.B. `device_vendor_msft_policy_config_wifi_allowwifihotspotreporting`), **When** der Humanizer läuft, **Then** werden Keys in lesbare Form umgewandelt (z.B. `Allow WiFi Hotspot Reporting`).
5. **Given** ein Policy hat keine Settings (leeres Array), **When** der Worker es verarbeitet, **Then** wird trotzdem ein Eintrag erstellt mit `settingName: "(No settings configured)"` (damit Policy in UI sichtbar ist).
---
### User Story 4 - Legacy Code Removal (Priority: P1)
Als Entwickler möchte ich alle n8n-spezifischen Artefakte entfernen können, damit der Code sauber und wartbar bleibt.
**Why this priority**: Technical Debt Reduction - alte Bridge-APIs verursachen Confusion und Maintenance-Overhead.
**Independent Test**: Search codebase for n8n references, verify all removed, check env validation.
**Acceptance Scenarios**:
1. **Given** der Code wird überprüft, **When** nach `POLICY_API_SECRET` gesucht wird, **Then** existieren keine Referenzen mehr (weder in `.env`, noch in `lib/env.mjs`, noch in Code).
2. **Given** der Code wird überprüft, **When** nach `N8N_SYNC_WEBHOOK_URL` gesucht wird, **Then** existieren keine Referenzen mehr.
3. **Given** das Routing wird analysiert, **When** nach `/api/policy-settings/route.ts` gesucht wird, **Then** existiert die Datei nicht mehr (gelöscht).
4. **Given** das Routing wird analysiert, **When** nach `/api/admin/tenants/route.ts` gesucht wird, **Then** existiert die Datei nicht mehr (gelöscht).
5. **Given** ein Entwickler startet die App, **When** die Umgebungsvariablen validiert werden, **Then** werden `POLICY_API_SECRET` und `N8N_SYNC_WEBHOOK_URL` nicht mehr als erforderlich markiert.
---
### Edge Cases
- Was passiert wenn Redis nicht erreichbar ist beim Job-Erstellen? → Fehler werfen mit User-Feedback "Sync service unavailable".
- Was passiert wenn der Worker abstürzt während eines Jobs? → BullMQ Recovery: Job bleibt in "active" state und wird nach Timeout in "failed" verschoben.
- Wie gehen wir mit Rate Limiting von Microsoft Graph um? → Exponential Backoff + Retry (max 3x), dann Job als "failed" markieren mit Retry-Option.
- Was passiert bei parallelen Sync-Requests für denselben Tenant? → Queue stellt sicher, dass Jobs sequenziell abgearbeitet werden (kein Concurrency Issue).
- Wie werden transiente Netzwerkfehler behandelt? → Retry-Logik mit Backoff, nur permanente Fehler (401, 403) führen zu sofortigem Fail.
- Was passiert mit bestehenden Policy Settings während eines Syncs? → `onConflictDoUpdate` updated bestehende Einträge basierend auf `(tenantId, graphPolicyId, settingName)` Constraint.
## Requirements *(mandatory)*
### Functional Requirements
#### Infrastructure & Queue
- **FR-001**: System MUSS BullMQ als Job Queue Library verwenden mit Redis als Backend.
- **FR-002**: System MUSS eine wiederverwendbare Redis Connection in `lib/queue/redis.ts` bereitstellen.
- **FR-003**: System MUSS einen Worker-Prozess in `worker/index.ts` implementieren, der auf der Queue `intune-sync-queue` lauscht.
- **FR-004**: System MUSS Worker-Prozess als separates npm Script bereitstellen (`worker:start`).
- **FR-005**: System MUSS `REDIS_URL` als Environment Variable validieren.
#### Authentication & Graph API
- **FR-006**: System MUSS Access Tokens via Azure AD Client Credentials Flow holen (`@azure/identity` oder `fetch`).
- **FR-007**: System MUSS folgende Graph API Endpoints fetchen:
- `/deviceManagement/deviceConfigurations`
- `/deviceManagement/deviceCompliancePolicies`
- `/deviceManagement/configurationPolicies`
- `/deviceManagement/intents`
- **FR-008**: System MUSS Pagination via `@odata.nextLink` vollständig abarbeiten (alle Seiten laden).
- **FR-009**: System MUSS Graph API Fehler (401, 429, 500+) mit Exponential Backoff Retry behandeln (max 3 Versuche).
#### Data Processing & Transformation
- **FR-010**: System MUSS Settings Catalog Policies parsen (`settings[]` Array → flache Key-Value Paare).
- **FR-011**: System MUSS OMA-URI Policies parsen (`omaSettings[]` → `omaUri` als Key, `value` als Value).
- **FR-012**: System MUSS Deep Flattening für verschachtelte Objekte implementieren (Dot-Notation für Pfade).
- **FR-013**: System MUSS technische Setting Keys humanisieren (z.B. `device_vendor_msft_policy_config_wifi``WiFi`).
- **FR-014**: System MUSS Policy Typ Detection implementieren (Settings Catalog, OMA-URI, Compliance, etc.).
- **FR-015**: System MUSS leere Policies mit Placeholder-Setting speichern (`settingName: "(No settings configured)"`).
#### Database Persistence
- **FR-016**: System MUSS Drizzle ORM für alle DB-Operationen verwenden.
- **FR-017**: System MUSS `onConflictDoUpdate` für Upsert-Logik nutzen (Constraint: `tenantId + graphPolicyId + settingName`).
- **FR-018**: System MUSS folgende Felder pro Setting speichern:
- `tenantId`, `graphPolicyId`, `policyName`, `policyType`, `settingName`, `settingValue`, `settingValueType`, `lastSyncedAt`
- **FR-019**: System MUSS `lastSyncedAt` Timestamp bei jedem Sync aktualisieren.
#### Frontend Integration
- **FR-020**: System MUSS Server Action `triggerPolicySync` in `lib/actions/policySettings.ts` anpassen (n8n Webhook → BullMQ Job).
- **FR-021**: System MUSS Job-ID an Frontend zurückgeben für späteres Status-Tracking (optional für MVP, siehe FR-022).
- **FR-022**: System KANN (optional) Job-Status-Polling-Endpoint bereitstellen (`/api/sync-status/[jobId]`).
#### Legacy Cleanup
- **FR-023**: System MUSS File `app/api/policy-settings/route.ts` löschen (n8n Ingestion API).
- **FR-024**: System MUSS File `app/api/admin/tenants/route.ts` löschen (n8n Polling API).
- **FR-025**: System MUSS `POLICY_API_SECRET` aus `.env`, `lib/env.mjs` und allen Code-Referenzen entfernen.
- **FR-026**: System MUSS `N8N_SYNC_WEBHOOK_URL` aus `.env`, `lib/env.mjs` und allen Code-Referenzen entfernen.
### Key Entities
Neue Strukturen (keine DB-Schema-Änderungen):
- **SyncJobPayload**: BullMQ Job Data
- `tenantId`: string
- `userId`: string (optional, für Audit)
- `triggeredAt`: Date
- **GraphPolicyResponse**: TypeScript Interface für Graph API Response
- `id`: string
- `displayName`: string
- `@odata.type`: string
- `lastModifiedDateTime`: string
- `settings?`: array (Settings Catalog)
- `omaSettings?`: array (OMA-URI)
- (weitere Policy-spezifische Felder)
- **FlattenedSetting**: Internes Transform-Result
- `settingName`: string
- `settingValue`: string
- `settingValueType`: string
- `path`: string (Dot-Notation Pfad im Original-Objekt)
## Success Criteria *(mandatory)*
### Measurable Outcomes
- **SC-001**: User erhält sofortige Bestätigung nach Click auf "Sync Now" (<200ms Response Zeit, kein Warten auf Sync-Completion).
- **SC-002**: Sync für einen Tenant mit 50 Policies ist innerhalb von 30 Sekunden abgeschlossen.
- **SC-003**: System lädt alle verfügbaren Policies vollständig (auch bei >100 Policies mit mehreren Datenseiten).
- **SC-004**: Mindestens 95% aller Policy Settings werden korrekt extrahiert und gespeichert (validiert mit repräsentativen Sample-Daten).
- **SC-005**: Bei temporären Fehlern (z.B. Service-Überlastung) erfolgt automatische Wiederholung (keine manuellen Eingriffe nötig).
- **SC-006**: Alte Bridge-Komponenten sind vollständig entfernt (keine toten Code-Pfade oder ungenutzten APIs).
- **SC-007**: Sync-Prozess läuft stabil über längere Zeiträume (1+ Stunde mit 10+ Sync-Operationen ohne Abstürze).
- **SC-008**: Re-Sync aktualisiert bestehende Daten korrekt ohne Duplikate oder Datenverluste.
## Assumptions
- System nutzt asynchrone Job-Verarbeitung mit Queue-basierter Architektur für Skalierbarkeit.
- TenantPilot hat bereits Azure AD Multi-Tenant Authentication konfiguriert (Client Credentials verfügbar).
- Die bestehende `policy_settings` Datenbank-Tabelle hat bereits einen UNIQUE Constraint auf `(tenantId, graphPolicyId, settingName)`.
- Die Flattening-Logik aus der bisherigen n8n-Implementation ist dokumentiert oder nachvollziehbar.
- Sync-Prozess wird in Production als persistenter Background-Service betrieben (nicht nur bei Bedarf gestartet).
- Redis oder vergleichbarer In-Memory Store ist verfügbar für Job Queue Management.
## Nicht-Ziele (Out of Scope)
- Kein automatischer Scheduled Sync (zeitbasierte Trigger) in diesem Feature - bleibt manuelle Auslösung.
- Keine Web-UI für Job-Management oder Queue-Monitoring.
- Keine Live-Progress-Updates im Frontend während Sync läuft (kein Echtzeit-Status).
- Keine parallele Verarbeitung mehrerer Tenants gleichzeitig (sequenzielle Abarbeitung).
- Keine erweiterten Retry-Strategien oder Dead Letter Queues in MVP.
- Kein Policy Change Detection oder Diff-Berechnung (nur vollständiger Sync + Update bestehender Daten).
## Technical Notes
**Note**: Detaillierte Implementierungs-Details (Code-Beispiele, API-Calls, Architektur-Patterns) werden in einem separaten Technical Design Document oder im Planning-Phase dokumentiert. Diese Spec fokussiert sich auf das **WAS** und **WARUM**, nicht auf das **WIE**.
### High-Level Architecture Overview
**Queue-Based Sync Architecture**:
- Asynchrone Job-Verarbeitung für nicht-blockierende User Experience
- Worker-Prozess als separater Service für Sync-Operationen
- Persistente Job-Queue für Reliability und Retry-Fähigkeit
**Data Flow**:
1. User triggers sync → Job wird in Queue eingestellt
2. Worker nimmt Job aus Queue → Authentifiziert sich bei Microsoft
3. Worker fetcht Policy-Daten → Transformiert & flacht verschachtelte Strukturen ab
4. Worker speichert Daten → Upsert in Datenbank mit Conflict Resolution
**Migration Strategy**:
- Phase 1: Neue Infrastruktur aufbauen (Queue, Worker)
- Phase 2: Sync-Logik portieren (Auth, Fetch, Transform, Persist)
- Phase 3: Frontend auf neue Architektur umstellen
- Phase 4: Alte n8n-Komponenten entfernen
- Phase 5: End-to-End Validierung mit Production-Daten
## Dependencies
- Job Queue System (z.B. BullMQ, Bee-Queue, oder vergleichbar)
- In-Memory Data Store (z.B. Redis, KeyDB, oder vergleichbar)
- Microsoft Graph API Client Library (z.B. @azure/identity oder vergleichbar)
- TypeScript Runtime für Worker-Prozess (z.B. tsx, ts-node, oder vergleichbar)

579
specs/005-backend-arch-pivot/tasks.md
View File

@ -1,579 +0,0 @@
# Tasks: Backend Architecture Pivot
**Feature**: 005-backend-arch-pivot
**Generated**: 2025-12-09
**Total Tasks**: 66 (T001-T066)
**Spec**: [spec.md](./spec.md) | **Plan**: [plan.md](./plan.md)
## Phase 1: Setup (no story label)
- [ ] T001 Confirm Dokploy-provided `REDIS_URL` and record connection string in `specs/005-backend-arch-pivot/notes.md`
- [ ] T002 Add `REDIS_URL` to local `.env.example` and project `.env` (if used) (`.env.example`)
- [ ] T003 Update `lib/env.mjs` to validate `REDIS_URL` (`lib/env.mjs`)
- [ ] T004 [P] Add npm dependencies: `bullmq`, `ioredis`, `@azure/identity` and dev `tsx` (`package.json`)
- [ ] T005 [P] Add npm script `worker:start` to `package.json` to run `tsx ./worker/index.ts` (`package.json`)
- [X] T006 [P] Create `lib/queue/redis.ts` - Redis connection wrapper reading `process.env.REDIS_URL` (`lib/queue/redis.ts`)
- [X] T007 [P] Create `lib/queue/syncQueue.ts` - Export BullMQ `Queue('intune-sync-queue')` (`lib/queue/syncQueue.ts`)
- [X] T008 Test connectivity: add a dummy job from a Node REPL/script and verify connection to provided Redis (`scripts/test-queue-connection.js`)
## Phase 2: Worker Skeleton (no story label)
- [ ] T009 Create `worker/index.ts` - minimal BullMQ `Worker` entry point (concurrency:1) (`worker/index.ts`)
- [ ] T010 Create `worker/logging.ts` - structured JSON logger used by worker (`worker/logging.ts`)
- [ ] T011 Create `worker/events.ts` - job lifecycle event handlers (completed/failed) (`worker/events.ts`)
- [ ] T012 [P] Add `npm run worker:start` integration to `README.md` with run instructions (`README.md`)
- [ ] T013 Create `worker/health.ts` - minimal health check handlers (used in docs) (`worker/health.ts`)
- [ ] T014 Smoke test: start `npm run worker:start` and verify worker connects and logs idle state (no file)
## Phase 3: US1 — Manual Policy Sync via Queue [US1]
- [ ] T015 [US1] Update `lib/actions/policySettings.ts` → implement `triggerPolicySync()` to call `syncQueue.add(...)` and return `jobId` (`lib/actions/policySettings.ts`)
- [ ] T016 [US1] Create server action wrapper if needed `app/actions/triggerPolicySync.ts` (`app/actions/triggerPolicySync.ts`)
- [ ] T017 [US1] Update `/app/search/SyncButton.tsx` to call server action and show queued toast with `jobId` (`components/search/SyncButton.tsx`)
- [ ] T018 [US1] Add API route `/api/policy-sync/status` (optional) to report job status using BullMQ `Job` API (`app/api/policy-sync/status/route.ts`)
- [ ] T019 [US1] Add simple job payload typing `types/syncJob.ts` (`types/syncJob.ts`)
- [ ] T020 [US1] Add unit test for `triggerPolicySync()` mocking `syncQueue.add` (`tests/unit/triggerPolicySync.test.ts`)
- [ ] T021 [US1] End-to-end test: UI → triggerPolicySync → job queued (integration test) (`tests/e2e/sync-button.test.ts`)
- [ ] T022 [US1] OPTIONAL [P] Document MVP scope for job status endpoint (FR-022) in `specs/005-backend-arch-pivot/notes.md` (`specs/005-backend-arch-pivot/notes.md`)
## Phase 4: US2 — Microsoft Graph Data Fetching [US2]
- [ ] T023 [US2] Create `worker/jobs/graphAuth.ts` - `getGraphAccessToken()` using `@azure/identity` (`worker/jobs/graphAuth.ts`)
- [ ] T024 [US2] Create `worker/jobs/graphFetch.ts` - `fetchFromGraph(endpoint)` with pagination following `@odata.nextLink` (`worker/jobs/graphFetch.ts`)
- [ ] T025 [US2] Implement `worker/utils/retry.ts` - exponential backoff retry helper (`worker/utils/retry.ts`)
- [ ] T026 [US2] Create integration tests mocking Graph endpoints for paginated responses (`tests/integration/graphFetch.test.ts`)
- [ ] T027 [US2] Implement rate limit handling and transient error classification in `graphFetch.ts` (`worker/jobs/graphFetch.ts`)
- [ ] T028 [US2] Add logging for Graph fetch metrics (requests, pages, duration) (`worker/logging.ts`)
- [ ] T029 [US2] Test: run `syncPolicies` job locally against mocked Graph responses (`tests/e2e/sync-with-mock-graph.test.ts`)
## Phase 5: US3 — Deep Flattening & Transformation [US3]
- [ ] T030 [US3] Create `worker/jobs/policyParser.ts` - top-level router and `parsePolicySettings()` (`worker/jobs/policyParser.ts`)
- [ ] T031 [US3] Implement Settings Catalog parser in `policyParser.ts` (`worker/jobs/policyParser.ts`)
- [ ] T032 [US3] Implement OMA-URI parser in `policyParser.ts` (`worker/jobs/policyParser.ts`)
- [ ] T033 [US3] Create `worker/utils/humanizer.ts` - `humanizeSettingId()` function (`worker/utils/humanizer.ts`)
- [ ] T034 [US3] Create normalization function `worker/jobs/normalizer.ts` to produce `PolicyInsertData[]` (`worker/jobs/normalizer.ts`)
- [ ] T035 [US3] Unit tests for parsers + humanizer with representative Graph samples (`tests/unit/policyParser.test.ts`)
## Phase 6: US3 — Database Persistence (shared, assign to US3) [US3]
- [ ] T036 [US3] Create `worker/jobs/dbUpsert.ts` - batch upsert function using Drizzle (`worker/jobs/dbUpsert.ts`)
- [ ] T037 [US3] Implement transactional upsert logic and `ON CONFLICT DO UPDATE` behavior (`worker/jobs/dbUpsert.ts`)
- [ ] T038 [US3] Add performance tuning: batch size config and bulk insert strategy (`worker/jobs/dbUpsert.ts`)
- [ ] T039 [US3] Add tests for upsert correctness (duplicates / conflict resolution) (`tests/integration/dbUpsert.test.ts`)
- [ ] T040 [US3] Add `lastSyncedAt` update on upsert (`worker/jobs/dbUpsert.ts`)
- [ ] T041 [US3] Load test: upsert 500+ policies and measure duration (`scripts/load-tests/upsert-benchmark.js`)
- [ ] T042 [US3] Instrument metrics for DB operations (timings, rows inserted/updated) (`worker/logging.ts`)
- [ ] T043 [US3] Validate data integrity end-to-end (Graph → transform → DB) (`tests/e2e/full-sync.test.ts`)
## Phase 7: US4 — Frontend Integration & Legacy Cleanup [US4]
[X] T044 [US4] Update `lib/actions/policySettings.ts` to remove n8n webhook calls and call `triggerPolicySync()` (`lib/actions/policySettings.ts`)
[X] T045 [US4] Update `app/api/policy-settings/route.ts` to be deleted or archive its behavior (`app/api/policy-settings/route.ts`)
[X] T046 [US4] Delete `app/api/admin/tenants/route.ts` (n8n polling) (`app/api/admin/tenants/route.ts`)
[X] T047 [US4] Remove `POLICY_API_SECRET` and `N8N_SYNC_WEBHOOK_URL` from `.env` and `lib/env.mjs` (`.env`, `lib/env.mjs`)
[X] T048 [US4] Grep-check: verify no remaining `n8n` references (repo-wide) (no file)
- [ ] T049 [US4] Update docs: remove n8n setup instructions and add worker notes (`docs/worker-deployment.md`)
- [ ] T050 [US4] Add migration note to `specs/002-manual-policy-sync/README.md` marking it superseded (`specs/002-manual-policy-sync/README.md`)
- [ ] T051 [US4] End-to-end QA: trigger sync from UI and confirm policies saved after cleanup (`tests/e2e/post-cleanup-sync.test.ts`)
## Phase 8: Testing & Validation (no story label)
- [ ] T052 Add unit tests for `worker/utils/humanizer.ts` and `policyParser.ts` coverage (`tests/unit/*.test.ts`)
- [ ] T053 Add integration tests for worker jobs processing (`tests/integration/worker.test.ts`)
- [ ] T054 Run load tests for large tenant (1000+ policies) and record results (`scripts/load-tests/large-tenant.js`)
- [ ] T055 Test worker stability (run 1+ hour with multiple jobs) and check memory usage (local script)
- [ ] T056 Validate all Success Criteria (SC-001 to SC-008) and document results (`specs/005-backend-arch-pivot/validation.md`)
## Phase 9: Deployment & Documentation (no story label)
- [ ] T057 Create `docs/worker-deployment.md` with production steps (`docs/worker-deployment.md`)
- [ ] T058 Add deployment config for worker (Dockerfile or PM2 config) (`deploy/worker/Dockerfile`)
- [ ] T059 Ensure `REDIS_URL` is set in production Dokploy config and documented (`deploy/README.md`)
- [ ] T060 Add monitoring & alerting for worker failures (Sentry / logs / email) (`deploy/monitoring.md`)
- [ ] T061 Run canary production sync and verify (`scripts/canary-sync.js`)
- [ ] T062 Final cleanup: remove unused n8n-related code paths and feature flags (`grep and code edits`)
- [ ] T063 Update `README.md` and `DEPLOYMENT.md` with worker instructions (`README.md`, `DEPLOYMENT.md`)
- [ ] T064 Tag release branch `005-backend-arch-pivot` and create PR template (`.github/`)
- [ ] T065 Merge PR after review and monitor first production sync (`GitHub workflow`)
- [ ] T066 Post-deploy: run post-mortem checklist and close feature ticket (`specs/005-backend-arch-pivot/closure.md`)
---
## Notes
- Tasks labeled `[P]` are safe to run in parallel across different files or developers.
- Story labels map to spec user stories: `US1` = Manual Sync, `US2` = Graph Fetching, `US3` = Transformation & DB, `US4` = Cleanup & Frontend.
- Each task includes a suggested file path to implement work; adjust as needed to match repo layout.
# Tasks: Backend Architecture Pivot
**Feature**: 005-backend-arch-pivot
**Generated**: 2025-12-09
**Total Tasks**: 64 (T001-T066)
**Spec**: [spec.md](./spec.md) | **Plan**: [plan.md](./plan.md)
---
## Phase 1: Setup & Infrastructure (8 tasks)
**Goal**: Prepare environment, install dependencies, setup Redis and BullMQ queue infrastructure
### Environment Setup
- [ ] T001 Install Redis via Docker Compose (add redis service to docker-compose.yml)
- [ ] T002 [P] Add REDIS_URL to .env file (REDIS_URL=redis://localhost:6379)
- [ ] T003 [P] Update lib/env.mjs - Add REDIS_URL: z.string().url() to server schema
- [ ] T004 [P] Update lib/env.mjs - Add REDIS_URL to runtimeEnv object
- [ ] T005 Install npm packages: bullmq, ioredis, @azure/identity, tsx
### BullMQ Queue Infrastructure
- [X] T006 [P] Create lib/queue/redis.ts - Redis connection wrapper with IORedis
- [X] T007 [P] Create lib/queue/syncQueue.ts - BullMQ Queue definition for "intune-sync-queue"
- [X] T008 Test Redis connection and queue creation (add dummy job, verify in Redis CLI)
---
## Phase 2: Worker Process Skeleton (6 tasks)
**Goal**: Set up worker process entry point and basic job processing infrastructure
### Worker Setup
- [ ] T009 Create worker/index.ts - BullMQ Worker entry point with job processor
- [ ] T010 [P] Add worker:start script to package.json ("tsx watch worker/index.ts")
- [ ] T011 [P] Implement worker event handlers (completed, failed, error)
- [ ] T012 [P] Add structured logging for worker events (JSON format)
- [ ] T013 Create worker/jobs/syncPolicies.ts - Main sync orchestration function (empty skeleton)
- [ ] T014 Test worker starts successfully and listens on intune-sync-queue
---
## Phase 3: Microsoft Graph Integration (9 tasks)
**Goal**: Implement Azure AD authentication and Microsoft Graph API data fetching with pagination
### Authentication
- [ ] T015 Create worker/jobs/graphAuth.ts - ClientSecretCredential token acquisition
- [ ] T016 [P] Implement getGraphAccessToken() using @azure/identity
- [ ] T017 Test token acquisition returns valid access token
### Graph API Fetching
- [ ] T018 Create worker/jobs/graphFetch.ts - Microsoft Graph API client
- [ ] T019 [P] Implement fetchWithPagination() for handling @odata.nextLink
- [ ] T020 [P] Create fetchAllPolicies() to fetch from 4 endpoints in parallel
- [ ] T021 [P] Add Graph API endpoint constants (deviceConfigurations, compliancePolicies, configurationPolicies, intents)
### Error Handling
- [ ] T022 Create worker/utils/retry.ts - Exponential backoff retry logic
- [ ] T023 Test Graph API calls with real tenant, verify pagination works for 100+ policies
---
## Phase 4: Data Transformation (11 tasks)
**Goal**: Port n8n flattening logic to TypeScript, implement parsers for all policy types
### Policy Parser Core
- [ ] T024 Create worker/jobs/policyParser.ts - Main policy parsing router
- [ ] T025 [P] Implement detectPolicyType() based on @odata.type
- [ ] T026 [P] Implement parsePolicySettings() router function
### Settings Catalog Parser
- [ ] T027 Implement parseSettingsCatalog() for #microsoft.graph.deviceManagementConfigurationPolicy
- [ ] T028 [P] Implement extractValue() for different value types (simple, choice, group collection)
- [ ] T029 Handle nested settings with dot-notation path building
### OMA-URI Parser
- [ ] T030 [P] Implement parseOmaUri() for omaSettings[] arrays
- [ ] T031 [P] Handle valueType mapping (string, int, boolean)
### Humanizer & Utilities
- [ ] T032 Create worker/utils/humanizer.ts - Setting ID humanization
- [ ] T033 [P] Implement humanizeSettingId() to remove technical prefixes and format names
- [ ] T034 [P] Implement defaultEmptySetting() for policies with no settings
### Validation
- [ ] T035 Test parser with sample Graph API responses, verify >95% extraction rate
---
## Phase 5: Database Persistence (7 tasks)
**Goal**: Implement Drizzle ORM upsert logic with conflict resolution
### Database Operations
- [ ] T036 Create worker/jobs/dbUpsert.ts - Drizzle ORM upsert function
- [ ] T037 [P] Implement upsertPolicySettings() with batch insert
- [ ] T038 [P] Configure onConflictDoUpdate with policy_settings_upsert_unique constraint
- [ ] T039 [P] Update lastSyncedAt timestamp on every sync
- [ ] T040 Map FlattenedSetting[] to PolicySetting insert format
### Integration
- [ ] T041 Connect syncPolicies() orchestrator: auth → fetch → parse → upsert
- [ ] T042 Test full sync with real tenant data, verify database updates correctly
---
## Phase 6: Frontend Integration (4 tasks)
**Goal**: Replace n8n webhook with BullMQ job creation in Server Action
### Server Action Update
- [ ] T043 Modify lib/actions/policySettings.ts - triggerPolicySync() function
- [ ] T044 Remove n8n webhook call (fetch to N8N_SYNC_WEBHOOK_URL)
- [ ] T045 Add BullMQ job creation (syncQueue.add('sync-tenant', { tenantId }))
- [ ] T046 Test end-to-end: UI click "Sync Now" → job created → worker processes → database updated
---
## Phase 7: Legacy Cleanup (8 tasks)
**Goal**: Remove all n8n-related code, files, and environment variables
### File Deletion
- [ ] T047 Delete app/api/policy-settings/route.ts (n8n ingestion API)
- [ ] T048 Delete app/api/admin/tenants/route.ts (n8n polling API)
### Environment Variable Cleanup
- [ ] T049 Remove POLICY_API_SECRET from .env file
- [ ] T050 Remove N8N_SYNC_WEBHOOK_URL from .env file
- [ ] T051 Remove POLICY_API_SECRET from lib/env.mjs server schema
- [ ] T052 Remove N8N_SYNC_WEBHOOK_URL from lib/env.mjs server schema
- [ ] T053 Remove POLICY_API_SECRET from lib/env.mjs runtimeEnv
- [ ] T054 Remove N8N_SYNC_WEBHOOK_URL from lib/env.mjs runtimeEnv
### Verification
- [ ] T055 Run grep search for n8n references: grep -r "POLICY_API_SECRET\|N8N_SYNC_WEBHOOK_URL" --exclude-dir=specs → should be 0 results
---
## Phase 8: Testing & Validation (6 tasks)
**Goal**: Comprehensive testing of new architecture
### Unit Tests
- [ ] T056 [P] Write unit tests for humanizer.ts
- [ ] T057 [P] Write unit tests for retry.ts
- [ ] T058 [P] Write unit tests for policyParser.ts
### Integration Tests
- [ ] T059 Write integration test for full syncPolicies() flow with mocked Graph API
- [ ] T060 Write integration test for database upsert with conflict resolution
### End-to-End Test
- [ ] T061 E2E test: Start Redis + Worker, trigger sync from UI, verify database updates
---
## Phase 9: Deployment (5 tasks)
**Goal**: Deploy worker process to production environment
### Docker & Infrastructure
- [ ] T062 Update docker-compose.yml for production (Redis service with persistence)
- [ ] T063 Create Dockerfile for worker process (if separate container)
- [ ] T064 Configure worker as background service (PM2, Systemd, or Docker Compose)
### Production Deployment
- [ ] T065 Set REDIS_URL in production environment variables
- [ ] T066 Deploy worker, monitor logs for first production sync
---
## Dependencies Visualization
```
Phase 1 (Setup)
Phase 2 (Worker Skeleton)
Phase 3 (Graph Integration) ←─┐
↓ │
Phase 4 (Transformation) ──────┤
↓ │
Phase 5 (Database) ────────────┘
Phase 6 (Frontend)
Phase 7 (Cleanup)
Phase 8 (Testing)
Phase 9 (Deployment)
```
**Parallel Opportunities**:
- Phase 3 & 4 can overlap (Graph integration while building parsers)
- T002-T004 (env var updates) can be done in parallel
- T006-T007 (Redis & Queue files) can be done in parallel
- T015-T017 (auth) independent from T018-T021 (fetch)
- T056-T058 (unit tests) can be done in parallel
---
## Task Details
### T001: Install Redis via Docker Compose
**File**: `docker-compose.yml`
**Action**: Add Redis service
```yaml
services:
redis:
image: redis:alpine
ports:
- '6379:6379'
volumes:
- redis-data:/data
restart: unless-stopped
volumes:
redis-data:
```
**Verification**: `docker-compose up -d redis` && `redis-cli ping` returns PONG
---
### T002-T004: Environment Variable Setup
**Files**: `.env`, `lib/env.mjs`
**Changes**:
1. Add `REDIS_URL=redis://localhost:6379` to `.env`
2. Add `REDIS_URL: z.string().url()` to server schema
3. Add `REDIS_URL: process.env.REDIS_URL` to runtimeEnv
**Verification**: `npm run dev` starts without env validation errors
---
### T005: Install npm Dependencies
**Command**:
```bash
npm install bullmq ioredis @azure/identity
npm install -D tsx
```
**Verification**: Check `package.json` for new dependencies
---
### T006: Create Redis Connection Wrapper
**File**: `lib/queue/redis.ts`
**Implementation**: See technical-notes.md section "BullMQ Setup"
**Exports**: `redisConnection`
---
### T007: Create BullMQ Queue
**File**: `lib/queue/syncQueue.ts`
**Implementation**: See technical-notes.md section "BullMQ Setup"
**Exports**: `syncQueue`
---
### T009: Create Worker Entry Point
**File**: `worker/index.ts`
**Implementation**: See technical-notes.md section "Worker Implementation"
**Features**:
- Worker listens on `intune-sync-queue`
- Concurrency: 1 (sequential processing)
- Event handlers for completed, failed, error
---
### T015-T016: Azure AD Token Acquisition
**File**: `worker/jobs/graphAuth.ts`
**Implementation**: See technical-notes.md section "Authentication"
**Function**: `getGraphAccessToken(): Promise<string>`
**Uses**: `@azure/identity` ClientSecretCredential
---
### T018-T021: Graph API Fetching
**File**: `worker/jobs/graphFetch.ts`
**Functions**:
- `fetchWithPagination<T>(url, token): Promise<T[]>`
- `fetchAllPolicies(token): Promise<Policy[]>`
**Endpoints**:
- deviceManagement/deviceConfigurations
- deviceManagement/deviceCompliancePolicies
- deviceManagement/configurationPolicies
- deviceManagement/intents
---
### T024-T034: Policy Parser Implementation
**File**: `worker/jobs/policyParser.ts`
**Functions**:
- `detectPolicyType(odataType: string): string`
- `parsePolicySettings(policy: any): FlattenedSetting[]`
- `parseSettingsCatalog(policy: any): FlattenedSetting[]`
- `parseOmaUri(policy: any): FlattenedSetting[]`
- `extractValue(settingInstance: any): any`
**Reference**: See technical-notes.md section "Flattening Strategy"
---
### T036-T040: Database Upsert
**File**: `worker/jobs/dbUpsert.ts`
**Function**: `upsertPolicySettings(tenantId: string, settings: FlattenedSetting[])`
**Features**:
- Batch insert with Drizzle ORM
- Conflict resolution on `policy_settings_upsert_unique`
- Update `lastSyncedAt` timestamp
**Reference**: See technical-notes.md section "Database Upsert"
---
### T043-T045: Frontend Integration
**File**: `lib/actions/policySettings.ts`
**Function**: `triggerPolicySync(tenantId: string)`
**Before**:
```typescript
const response = await fetch(env.N8N_SYNC_WEBHOOK_URL, {
method: 'POST',
body: JSON.stringify({ tenantId }),
});
```
**After**:
```typescript
import { syncQueue } from '@/lib/queue/syncQueue';
const job = await syncQueue.add('sync-tenant', {
tenantId,
triggeredAt: new Date(),
});
return { jobId: job.id };
```
---
## Success Criteria Mapping
| Task(s) | Success Criterion |
|---------|-------------------|
| T001-T008 | SC-001: Job creation <200ms |
| T041-T042 | SC-002: Sync 50 policies in <30s |
| T019-T021 | SC-003: Pagination handles 100+ policies |
| T024-T035 | SC-004: >95% setting extraction |
| T022-T023 | SC-005: Automatic retry on 429 |
| T047-T055 | SC-006: Zero n8n references |
| T061, T066 | SC-007: Worker stable 1+ hour |
| T041-T042 | SC-008: No data loss on re-sync |
---
## Estimated Effort
| Phase | Tasks | Hours | Priority |
|-------|-------|-------|----------|
| 1. Setup | 8 | 1-2h | P1 |
| 2. Worker Skeleton | 6 | 2h | P1 |
| 3. Graph Integration | 9 | 4h | P1 |
| 4. Transformation | 11 | 6h | P1 |
| 5. Database | 7 | 3h | P1 |
| 6. Frontend | 4 | 2h | P1 |
| 7. Cleanup | 8 | 2h | P1 |
| 8. Testing | 6 | 4h | P1 |
| 9. Deployment | 5 | 3h | P1 |
| **Total** | **64** | **27-29h** | |
---
## Implementation Notes
### Task Execution Order
**Sequential Tasks** (blocking):
- T001 → T002-T004 → T005 (setup before queue)
- T006-T007 → T008 (Redis before queue test)
- T009 → T013 (worker before sync skeleton)
- T041 → T042 (integration before test)
- T043-T045 → T046 (implementation before E2E test)
**Parallel Tasks** (can be done simultaneously):
- T002, T003, T004 (env var updates)
- T006, T007 (Redis + Queue files)
- T010, T011, T012 (worker event handlers)
- T015-T017, T018-T021 (auth independent from fetch)
- T027-T029, T030-T031 (different parser types)
- T047, T048 (file deletions)
- T049-T054 (env var removals)
- T056, T057, T058 (unit tests)
### Common Pitfalls
1. **Redis Connection**: Ensure `maxRetriesPerRequest: null` for BullMQ compatibility
2. **Graph API**: Handle 429 rate limiting with exponential backoff
3. **Pagination**: Always follow `@odata.nextLink` until undefined
4. **Upsert**: Use correct constraint name `policy_settings_upsert_unique`
5. **Worker Deployment**: Don't forget `concurrency: 1` for sequential processing
### Testing Checkpoints
- After T008: Redis + Queue working
- After T014: Worker starts successfully
- After T017: Token acquisition works
- After T023: Graph API fetch with pagination works
- After T035: Parser extracts >95% of settings
- After T042: Full sync updates database
- After T046: UI → Worker → DB flow complete
- After T055: No n8n references remain
- After T061: E2E test passes
---
**Task Status**: Ready for Implementation
**Next Action**: Start with Phase 1 (T001-T008) - Setup & Infrastructure

615
specs/005-backend-arch-pivot/technical-notes.md
View File

@ -1,615 +0,0 @@
# Technical Implementation Notes: Backend Architecture Pivot
**Feature**: 005-backend-arch-pivot
**Created**: 2025-12-09
**Purpose**: Detailed implementation guidance for developers (not part of business specification)
---
## BullMQ Setup
### Installation
```bash
npm install bullmq ioredis
```
### Redis Connection
**File**: `lib/queue/redis.ts`
```typescript
import IORedis from 'ioredis';
import { env } from '@/lib/env.mjs';
export const redisConnection = new IORedis(env.REDIS_URL, {
maxRetriesPerRequest: null, // BullMQ requirement
});
```
### Queue Definition
**File**: `lib/queue/syncQueue.ts`
```typescript
import { Queue } from 'bullmq';
import { redisConnection } from './redis';
export const syncQueue = new Queue('intune-sync-queue', {
connection: redisConnection,
});
```
---
## Worker Implementation
### Worker Entry Point
**File**: `worker/index.ts`
```typescript
import { Worker } from 'bullmq';
import { redisConnection } from '@/lib/queue/redis';
import { syncPolicies } from './jobs/syncPolicies';
const worker = new Worker(
'intune-sync-queue',
async (job) => {
console.log(`Processing job ${job.id} for tenant ${job.data.tenantId}`);
await syncPolicies(job.data.tenantId);
},
{
connection: redisConnection,
concurrency: 1, // Sequential processing
}
);
worker.on('completed', (job) => {
console.log(`Job ${job.id} completed`);
});
worker.on('failed', (job, err) => {
console.error(`Job ${job?.id} failed:`, err);
});
console.log('Worker started, listening on intune-sync-queue...');
```
### Package.json Script
```json
{
"scripts": {
"worker:start": "tsx watch worker/index.ts"
}
}
```
---
## Sync Logic Architecture
### Main Function
**File**: `worker/jobs/syncPolicies.ts`
```typescript
export async function syncPolicies(tenantId: string) {
// 1. Get Access Token
const token = await getGraphAccessToken();
// 2. Fetch all policy types
const policies = await fetchAllPolicies(token);
// 3. Parse & Flatten
const flattenedSettings = policies.flatMap(policy =>
parsePolicySettings(policy)
);
// 4. Upsert to Database
await upsertPolicySettings(tenantId, flattenedSettings);
}
```
### Authentication (Client Credentials)
```typescript
import { ClientSecretCredential } from '@azure/identity';
async function getGraphAccessToken(): Promise<string> {
const credential = new ClientSecretCredential(
'common', // or specific tenant ID
env.AZURE_AD_CLIENT_ID,
env.AZURE_AD_CLIENT_SECRET
);
const token = await credential.getToken('https://graph.microsoft.com/.default');
return token.token;
}
```
### Pagination Handling
```typescript
async function fetchWithPagination<T>(url: string, token: string): Promise<T[]> {
let results: T[] = [];
let nextLink: string | undefined = url;
while (nextLink) {
const response = await fetch(nextLink, {
headers: { Authorization: `Bearer ${token}` }
});
const data = await response.json();
results = results.concat(data.value);
nextLink = data['@odata.nextLink'];
}
return results;
}
```
### Graph API Endpoints
```typescript
const GRAPH_ENDPOINTS = {
deviceConfigurations: 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations',
compliancePolicies: 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies',
configurationPolicies: 'https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies',
intents: 'https://graph.microsoft.com/v1.0/deviceManagement/intents',
};
async function fetchAllPolicies(token: string) {
const [configs, compliance, configPolicies, intents] = await Promise.all([
fetchWithPagination(GRAPH_ENDPOINTS.deviceConfigurations, token),
fetchWithPagination(GRAPH_ENDPOINTS.compliancePolicies, token),
fetchWithPagination(GRAPH_ENDPOINTS.configurationPolicies, token),
fetchWithPagination(GRAPH_ENDPOINTS.intents, token),
]);
return [...configs, ...compliance, ...configPolicies, ...intents];
}
```
---
## Flattening Strategy
### Settings Catalog (Most Complex)
```typescript
function parseSettingsCatalog(policy: any): FlattenedSetting[] {
if (!policy.settings) return [defaultEmptySetting(policy)];
return policy.settings.flatMap(setting => {
const settingId = setting.settingInstance.settingDefinitionId;
const value = extractValue(setting.settingInstance);
return {
settingName: humanizeSettingId(settingId),
settingValue: JSON.stringify(value),
settingValueType: typeof value,
};
});
}
function extractValue(settingInstance: any): any {
// Handle different value types
if (settingInstance.simpleSettingValue) {
return settingInstance.simpleSettingValue.value;
}
if (settingInstance.choiceSettingValue) {
return settingInstance.choiceSettingValue.value;
}
if (settingInstance.groupSettingCollectionValue) {
return settingInstance.groupSettingCollectionValue.children.map(
(child: any) => extractValue(child)
);
}
return null;
}
```
### OMA-URI
```typescript
function parseOmaUri(policy: any): FlattenedSetting[] {
if (!policy.omaSettings) return [defaultEmptySetting(policy)];
return policy.omaSettings.map(oma => ({
settingName: oma.omaUri,
settingValue: oma.value,
settingValueType: oma.valueType || 'string',
}));
}
```
### Humanizer
```typescript
function humanizeSettingId(id: string): string {
return id
.replace(/^device_vendor_msft_policy_config_/i, '')
.replace(/_/g, ' ')
.replace(/\b\w/g, c => c.toUpperCase());
}
```
### Default Empty Setting
```typescript
function defaultEmptySetting(policy: any): FlattenedSetting {
return {
policyId: policy.id,
policyName: policy.displayName,
policyType: detectPolicyType(policy['@odata.type']),
settingName: '(No settings configured)',
settingValue: '',
settingValueType: 'empty',
path: '',
};
}
```
### Policy Type Detection
```typescript
function detectPolicyType(odataType: string): string {
const typeMap: Record<string, string> = {
'#microsoft.graph.deviceManagementConfigurationPolicy': 'configurationPolicy',
'#microsoft.graph.windows10CustomConfiguration': 'deviceConfiguration',
'#microsoft.graph.windows10EndpointProtectionConfiguration': 'endpointSecurity',
'#microsoft.graph.deviceCompliancePolicy': 'compliancePolicy',
'#microsoft.graph.windowsUpdateForBusinessConfiguration': 'windowsUpdateForBusiness',
'#microsoft.graph.iosCustomConfiguration': 'deviceConfiguration',
'#microsoft.graph.androidManagedAppProtection': 'appConfiguration',
};
return typeMap[odataType] || 'unknown';
}
```
---
## Database Upsert
**File**: `worker/jobs/upsertPolicySettings.ts`
```typescript
import { db } from '@/lib/db';
import { policySettings } from '@/lib/db/schema/policySettings';
import { sql } from 'drizzle-orm';
async function upsertPolicySettings(
tenantId: string,
settings: FlattenedSetting[]
) {
const records = settings.map(s => ({
tenantId,
graphPolicyId: s.policyId,
policyName: s.policyName,
policyType: s.policyType,
settingName: s.settingName,
settingValue: s.settingValue,
settingValueType: s.settingValueType,
lastSyncedAt: new Date(),
}));
// Batch insert with conflict resolution
await db.insert(policySettings)
.values(records)
.onConflictDoUpdate({
target: [
policySettings.tenantId,
policySettings.graphPolicyId,
policySettings.settingName
],
set: {
policyName: sql`EXCLUDED.policy_name`,
policyType: sql`EXCLUDED.policy_type`,
settingValue: sql`EXCLUDED.setting_value`,
settingValueType: sql`EXCLUDED.setting_value_type`,
lastSyncedAt: sql`EXCLUDED.last_synced_at`,
},
});
}
```
---
## Frontend Integration
### Server Action Update
**File**: `lib/actions/policySettings.ts`
**Before** (n8n Webhook):
```typescript
const response = await fetch(env.N8N_SYNC_WEBHOOK_URL, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ tenantId }),
});
```
**After** (BullMQ Job):
```typescript
import { syncQueue } from '@/lib/queue/syncQueue';
export async function triggerPolicySync(tenantId: string) {
const job = await syncQueue.add('sync-tenant', {
tenantId,
triggeredAt: new Date(),
});
return {
success: true,
jobId: job.id,
message: 'Sync job created successfully'
};
}
```
---
## Environment Variables
### .env Changes
**Add**:
```bash
REDIS_URL=redis://localhost:6379
```
**Remove**:
```bash
# POLICY_API_SECRET=... (DELETE)
# N8N_SYNC_WEBHOOK_URL=... (DELETE)
```
### lib/env.mjs Updates
```typescript
import { createEnv } from "@t3-oss/env-nextjs";
import { z } from "zod";
export const env = createEnv({
server: {
DATABASE_URL: z.string().url(),
NEXTAUTH_SECRET: z.string().min(1),
NEXTAUTH_URL: z.string().url(),
AZURE_AD_CLIENT_ID: z.string().min(1),
AZURE_AD_CLIENT_SECRET: z.string().min(1),
REDIS_URL: z.string().url(), // ADD THIS
// REMOVE: POLICY_API_SECRET, N8N_SYNC_WEBHOOK_URL
},
client: {},
runtimeEnv: {
DATABASE_URL: process.env.DATABASE_URL,
NEXTAUTH_SECRET: process.env.NEXTAUTH_SECRET,
NEXTAUTH_URL: process.env.NEXTAUTH_URL,
AZURE_AD_CLIENT_ID: process.env.AZURE_AD_CLIENT_ID,
AZURE_AD_CLIENT_SECRET: process.env.AZURE_AD_CLIENT_SECRET,
REDIS_URL: process.env.REDIS_URL, // ADD THIS
},
});
```
---
## Retry & Error Handling
### Exponential Backoff
```typescript
async function fetchWithRetry<T>(
url: string,
token: string,
maxRetries = 3
): Promise<T> {
let lastError: Error | null = null;
for (let attempt = 0; attempt < maxRetries; attempt++) {
try {
const response = await fetch(url, {
headers: { Authorization: `Bearer ${token}` }
});
if (response.status === 429) {
// Rate limit - exponential backoff
const delay = Math.pow(2, attempt) * 1000;
await new Promise(resolve => setTimeout(resolve, delay));
continue;
}
if (!response.ok) {
throw new Error(`HTTP ${response.status}: ${response.statusText}`);
}
return await response.json();
} catch (error) {
lastError = error as Error;
// Don't retry on auth errors
if (error instanceof Error && error.message.includes('401')) {
throw error;
}
// Exponential backoff for transient errors
if (attempt < maxRetries - 1) {
const delay = Math.pow(2, attempt) * 1000;
await new Promise(resolve => setTimeout(resolve, delay));
}
}
}
throw lastError || new Error('Max retries exceeded');
}
```
---
## Docker Compose Setup (Optional)
**File**: `docker-compose.yml`
```yaml
version: '3.8'
services:
redis:
image: redis:alpine
ports:
- '6379:6379'
volumes:
- redis-data:/data
restart: unless-stopped
volumes:
redis-data:
```
Start Redis:
```bash
docker-compose up -d redis
```
---
## Production Deployment
### Worker as Systemd Service
**File**: `/etc/systemd/system/tenantpilot-worker.service`
```ini
[Unit]
Description=TenantPilot Policy Sync Worker
After=network.target redis.service
[Service]
Type=simple
User=www-data
WorkingDirectory=/var/www/tenantpilot
ExecStart=/usr/bin/node /var/www/tenantpilot/worker/index.js
Restart=on-failure
RestartSec=10
StandardOutput=journal
StandardError=journal
[Install]
WantedBy=multi-user.target
```
Enable & Start:
```bash
sudo systemctl enable tenantpilot-worker
sudo systemctl start tenantpilot-worker
sudo systemctl status tenantpilot-worker
```
---
## Testing Strategy
### Unit Tests
```typescript
import { describe, it, expect, vi } from 'vitest';
import { humanizeSettingId } from './humanizer';
describe('humanizeSettingId', () => {
it('removes device_vendor_msft_policy_config prefix', () => {
const result = humanizeSettingId('device_vendor_msft_policy_config_wifi_allowwifihotspotreporting');
expect(result).toBe('Wifi Allowwifihotspotreporting');
});
});
```
### Integration Tests
```typescript
describe('syncPolicies', () => {
it('fetches and stores policies for tenant', async () => {
const testTenantId = 'test-tenant-123';
await syncPolicies(testTenantId);
const settings = await db.query.policySettings.findMany({
where: eq(policySettings.tenantId, testTenantId),
});
expect(settings.length).toBeGreaterThan(0);
});
});
```
---
## Monitoring & Logging
### Structured Logging
```typescript
import winston from 'winston';
const logger = winston.createLogger({
level: 'info',
format: winston.format.json(),
transports: [
new winston.transports.File({ filename: 'worker-error.log', level: 'error' }),
new winston.transports.File({ filename: 'worker-combined.log' }),
],
});
// In worker:
logger.info('Job started', { jobId: job.id, tenantId: job.data.tenantId });
logger.error('Job failed', { jobId: job.id, error: err.message });
```
### Health Check Endpoint
**File**: `app/api/worker-health/route.ts`
```typescript
import { syncQueue } from '@/lib/queue/syncQueue';
export async function GET() {
try {
const jobCounts = await syncQueue.getJobCounts();
return Response.json({
status: 'healthy',
queue: jobCounts,
});
} catch (error) {
return Response.json(
{ status: 'unhealthy', error: (error as Error).message },
{ status: 500 }
);
}
}
```
---
## Migration Checklist
- [ ] Install dependencies (`bullmq`, `ioredis`, `@azure/identity`)
- [ ] Add `REDIS_URL` to `.env`
- [ ] Create `lib/queue/redis.ts` and `lib/queue/syncQueue.ts`
- [ ] Create `worker/index.ts` with BullMQ Worker
- [ ] Implement `worker/jobs/syncPolicies.ts` with full logic
- [ ] Update `lib/actions/policySettings.ts` → replace n8n webhook with BullMQ
- [ ] Remove `app/api/policy-settings/route.ts`
- [ ] Remove `app/api/admin/tenants/route.ts`
- [ ] Remove `POLICY_API_SECRET` from `.env` and `lib/env.mjs`
- [ ] Remove `N8N_SYNC_WEBHOOK_URL` from `.env` and `lib/env.mjs`
- [ ] Add `worker:start` script to `package.json`
- [ ] Test locally: Start Redis, Start Worker, Trigger Sync from UI
- [ ] Deploy Worker as background service (PM2/Systemd/Docker)
- [ ] Verify end-to-end: Job creation → Worker processing → Database updates

328
specs/006-intune-reverse-engineering-guide/analysis-report.md
View File

@ -1,328 +0,0 @@
# Specification Analysis Report: Feature 006 - Intune Reverse Engineering Strategy
**Analyzed**: 2025-12-09
**Artifacts**: spec.md, tasks.md
**Constitution**: v1.0.0
**Note**: No plan.md exists (documentation feature - direct spec-to-tasks workflow)
---
## Executive Summary
**Overall Status**: ✅ **READY FOR IMPLEMENTATION**
This analysis examined Feature 006 against the project constitution, checked internal consistency between spec.md and tasks.md, and validated requirement coverage. The feature is a **documentation/guideline project** (not code implementation), which explains the absence of plan.md.
**Key Findings**:
- ✅ Zero CRITICAL issues
- ⚠️ 3 MEDIUM issues (terminology clarification, missing plan.md rationale, scope boundary)
- 4 LOW issues (style improvements, edge case examples)
- ✅ 100% requirement-to-task coverage (all 8 FRs mapped)
- ✅ Constitution alignment: This is a **process documentation feature** - constitution doesn't apply to non-code artifacts
---
## Findings
| ID | Category | Severity | Location(s) | Summary | Recommendation |
|----|----------|----------|-------------|---------|----------------|
| C1 | Constitution | CRITICAL | N/A | Constitution principles (TypeScript, Server Actions, Drizzle) don't apply to documentation features | **RESOLVED**: Feature is process documentation, not code. Constitution correctly doesn't restrict documentation artifacts. |
| A1 | Ambiguity | MEDIUM | spec.md:FR-004 | "Concrete examples" lacks quantitative threshold | Add minimum: "MUST provide at least 3 PowerShell-to-TypeScript mapping examples" |
| A2 | Ambiguity | MEDIUM | spec.md:SC-003 | "Zero API surprises" is subjective without measurement method | Clarify: "verified by developer survey after guide usage" or "tracked via incident reports" |
| I1 | Inconsistency | MEDIUM | spec.md vs tasks.md | Spec mentions "docs/architecture/intune-migration-guide.md" but doesn't explain why no plan.md | Add note in spec.md explaining this is documentation feature requiring direct implementation |
| U1 | Underspecification | LOW | spec.md:FR-006 | "Extensive testing" undefined | Define: "at least 2 test tenants, 5 resource instances, validation against official docs" |
| U2 | Underspecification | LOW | spec.md:Edge Case 4 | "[POWERSHELL QUIRK]" marker syntax not formalized | Specify format: "Use code comment: `// [POWERSHELL QUIRK]: <description>`" |
| D1 | Duplication | LOW | tasks.md:T010 & T011 | Both tasks add "concrete examples" to same section - might overlap | Ensure T010 covers discovery process, T011 covers parameter implementation separately |
| S1 | Scope | MEDIUM | spec.md + tasks.md | Boundary between "implementation guide" and "actual TypeScript code changes" unclear | Add note: Guide documents process; doesn't modify existing worker/jobs/ code |
---
## Coverage Analysis
### Requirements Inventory
| Requirement Key | Description | Has Task? | Task IDs | Coverage Status |
|-----------------|-------------|-----------|----------|-----------------|
| fr-001-step-by-step-process | Documentation MUST include step-by-step process | ✅ | T008 | Full coverage |
| fr-002-powershell-location | Guide MUST specify PowerShell reference location | ✅ | T007, T002 | Full coverage |
| fr-003-data-points-extract | Process MUST define data extraction points | ✅ | T009 | Full coverage |
| fr-004-concrete-examples | Guide MUST provide concrete PS→TS examples | ✅ | T010, T011, T012, T013, T014 | Full coverage (5 tasks) |
| fr-005-troubleshooting | Documentation MUST include troubleshooting section | ✅ | T015, T016, T017, T018 | Full coverage |
| fr-006-fallback-process | Guide MUST define fallback for missing PS reference | ✅ | T024 | Full coverage |
| fr-007-versioning-strategy | Process MUST include versioning strategy | ✅ | T003, T023 | Full coverage |
| fr-008-replicate-vs-document | Guide MUST distinguish replicate vs document behaviors | ✅ | T027 | Full coverage |
### User Story Coverage
| Story | Priority | Has Tasks? | Task Count | Coverage Status |
|-------|----------|------------|------------|-----------------|
| US1 - Developer Implements Feature | P1 | ✅ | 7 (T008-T014) | Full coverage |
| US2 - Developer Troubleshoots | P2 | ✅ | 4 (T015-T018) | Full coverage |
| US3 - Onboarding New Team Member | P3 | ✅ | 4 (T019-T022) | Full coverage |
### Edge Case Coverage
| Edge Case | Description | Covered By | Status |
|-----------|-------------|------------|--------|
| EC1 | PowerShell reference updates | T025 | ✅ Covered |
| EC2 | Deprecated features | T026 | ✅ Covered |
| EC3 | Missing PowerShell equivalent | T024 (FR-006) | ✅ Covered |
| EC4 | Undocumented PS behaviors/bugs | T027 (FR-008) | ✅ Covered |
### Unmapped Tasks
**None** - All 34 implementation tasks trace back to either:
- Functional requirements (FR-001 to FR-008)
- User stories (US1, US2, US3)
- Edge cases (EC1-EC4)
- Polish/validation activities (T028-T034)
---
## Constitution Alignment
### Applicable Principles
**Result**: ✅ **NO VIOLATIONS**
**Rationale**: This feature produces **documentation artifacts** (markdown files), not code. The constitution explicitly governs:
- Code architecture (Server Actions, TypeScript strict mode)
- Database interactions (Drizzle ORM)
- UI components (Shadcn UI)
- Authentication (Azure AD)
**Documentation features are exempt** from these technical constraints. The guide *references* TypeScript and PowerShell in examples, but doesn't implement new code that would trigger constitution requirements.
### Non-Applicable Constitution Checks
| Constitution Principle | Applies? | Reason |
|------------------------|----------|--------|
| I. Server-First Architecture | ❌ No | No Next.js code being written |
| II. TypeScript Strict Mode | ❌ No | Documentation feature; code examples are illustrative |
| III. Drizzle ORM Integration | ❌ No | No database schema changes |
| IV. Shadcn UI Components | ❌ No | No UI components being created |
| V. Azure AD Multi-Tenancy | ❌ No | No authentication changes |
### Future Constitution Impact
⚠️ **Note for Implementers**: When developers **use this guide** to implement sync jobs, those implementations MUST follow constitution principles:
- TypeScript strict mode (Principle II)
- Type-safe Graph API clients
- This guide should reference constitution requirements in examples
**Recommendation**: Add task to Phase 7 polish:
- **T035**: Add constitution compliance notes to guide examples (remind developers to use TypeScript strict, type-safe API calls)
---
## Metrics
- **Total Requirements**: 8 functional requirements (FR-001 to FR-008)
- **Total User Stories**: 3 (US1, US2, US3)
- **Total Tasks**: 34 implementation tasks + 10 validation checklist items
- **Coverage %**: 100% (all requirements have >=1 task)
- **Parallelizable Tasks**: 12 tasks marked [P]
- **Ambiguity Count**: 2 (A1, A2)
- **Duplication Count**: 1 (D1)
- **Critical Issues**: 0
- **Constitution Violations**: 0
---
## Detailed Analysis
### Duplication Detection
**Finding D1**: Tasks T010 and T011 both add "concrete examples" to intune-migration-guide.md
- **Severity**: LOW
- **Impact**: Potential overlap in content without clear boundaries
- **Recommendation**:
- T010 should focus on: Discovery workflow (how to find endpoint in .psm1 file)
- T011 should focus on: Parameter implementation (how to add discovered $expand to TypeScript)
- Update task descriptions to clarify distinction
### Ambiguity Detection
**Finding A1**: FR-004 requires "concrete examples" but doesn't specify minimum quantity
- **Severity**: MEDIUM
- **Location**: spec.md:L108
- **Current Text**: "Guide MUST provide concrete examples mapping PowerShell patterns to TypeScript implementations"
- **Issue**: "Concrete examples" is vague - could be 1 example or 10 examples
- **Recommendation**: Update to: "Guide MUST provide at least 3 concrete examples mapping PowerShell patterns to TypeScript implementations (e.g., how PowerShell's `Invoke-MSGraphRequest` translates to `graphClient.api().get()`)"
**Finding A2**: SC-003 uses subjective success criteria
- **Severity**: MEDIUM
- **Location**: spec.md:L155
- **Current Text**: "Zero 'undocumented Graph API behavior' surprises after implementation"
- **Issue**: "Surprises" is not measurable without defining measurement method
- **Recommendation**: Update to: "Zero 'undocumented Graph API behavior' incidents after implementation (tracked via developer incident reports and code review feedback)"
### Underspecification
**Finding U1**: FR-006 mentions "extensive testing" without definition
- **Severity**: LOW
- **Location**: spec.md:L112
- **Current Text**: "use official docs + extensive testing"
- **Issue**: "Extensive testing" lacks concrete criteria
- **Recommendation**: Define in guide: "Test against at least 2 different tenants, validate with 5+ resource instances, compare against official Microsoft Graph documentation"
**Finding U2**: Edge Case 4 introduces `[POWERSHELL QUIRK]` marker without format specification
- **Severity**: LOW
- **Location**: spec.md:L85
- **Current Text**: "Document them explicitly with `[POWERSHELL QUIRK]` markers"
- **Issue**: Marker syntax not formalized (inline comment? separate doc section? code annotation?)
- **Recommendation**: Specify format in FR-008 implementation (T027): "Use TypeScript comment format: `// [POWERSHELL QUIRK]: <description of non-standard behavior>`"
### Inconsistency Detection
**Finding I1**: Spec assumes tasks.md without explaining missing plan.md
- **Severity**: MEDIUM
- **Location**: spec.md (overall structure)
- **Current State**: Spec jumps directly to tasks.md; no plan.md exists
- **Issue**: Speckit framework typically requires spec.md → plan.md → tasks.md flow. This feature skips plan.md, but spec doesn't explain why
- **Recommendation**: Add note to spec.md header:
```markdown
**Implementation Approach**: This is a documentation feature (creating markdown guide).
No plan.md required - tasks directly implement documentation sections from FR requirements.
```
**Finding S1**: Scope boundary between guide and codebase modifications unclear
- **Severity**: MEDIUM
- **Location**: spec.md + tasks.md (cross-cutting)
- **Issue**: Tasks focus on writing guide content, but spec.md user stories mention "implement in TypeScript" which could be misinterpreted as modifying existing worker/jobs/ code
- **Recommendation**: Add clarification to spec.md Introduction section:
```markdown
**Scope**: This feature creates a *process guide* document. It does NOT modify existing
TypeScript sync job implementations. Developers will use the guide for future implementations.
```
### Constitution Violations
**Finding C1**: RESOLVED - No constitution violations
- **Severity**: N/A
- **Explanation**: Constitution governs code implementation patterns (Server Actions, TypeScript strict, Drizzle, Shadcn, Azure AD). This feature produces documentation, which is outside constitution scope.
- **Future Note**: When developers use this guide to implement sync jobs, those implementations MUST follow constitution (see recommendation for T035 above)
---
## Recommendations Summary
### High Priority (Before Implementation)
1. **Clarify Scope Boundary** (Finding I1, S1)
- Add note to spec.md explaining why no plan.md exists
- Clarify that guide documents process, doesn't modify existing code
2. **Quantify Ambiguous Requirements** (Finding A1, A2)
- FR-004: Specify "at least 3 concrete examples"
- SC-003: Define measurement method for "zero surprises"
### Medium Priority (During Implementation)
3. **Distinguish Overlapping Tasks** (Finding D1)
- Update T010/T011 descriptions to clarify scope difference
4. **Define Underspecified Terms** (Finding U1, U2)
- FR-006: Define "extensive testing" criteria
- T027: Formalize `[POWERSHELL QUIRK]` marker syntax
### Low Priority (Nice to Have)
5. **Add Constitution Reference** (New suggestion)
- Create T035: Add constitution compliance notes to guide examples
- Remind developers using guide to follow TypeScript strict mode, type-safe patterns
---
## Next Actions
### Recommended Path: Proceed with Implementation
**This specification is READY for implementation** with optional refinements:
1. **Option A - Start Implementation Now**
- Current spec has 100% requirement coverage
- Zero critical issues
- Medium/Low issues can be addressed during implementation (Phase 7 polish)
- Begin with Phase 1 (T001-T003) immediately
2. **Option B - Quick Refinement Pass (15 minutes)**
- Update spec.md header to explain missing plan.md (Finding I1)
- Update FR-004 to specify "at least 3 examples" (Finding A1)
- Update SC-003 to define measurement method (Finding A2)
- Then proceed to implementation
3. **Option C - Comprehensive Refinement (30 minutes)**
- Address all recommendations above
- Create T035 for constitution compliance notes
- Re-run `/speckit.analyze` to validate fixes
- Then proceed to implementation
### Implementation Strategy
**Recommended MVP** (Phase 3 - User Story 1):
- Delivers immediate value: developers can implement new features correctly
- Achieves SC-001 (2-hour implementation time) and SC-002 (95% accuracy)
- Can ship and iterate on remaining phases
**Parallel Execution**:
- After T004 (foundation), run T008, T009, T015, T019 in parallel
- After Phase 3-5 complete, run T023-T027 (edge cases) in parallel
- Polish phase (T028-T034) can have multiple parallel streams
---
## Validation Notes
**Analysis Methodology**:
1. Loaded spec.md requirements inventory (8 FRs, 3 user stories, 6 success criteria, 4 edge cases)
2. Loaded tasks.md task inventory (34 implementation tasks, 7 phases)
3. Mapped each requirement to covering tasks - achieved 100% coverage
4. Checked constitution alignment - confirmed documentation exemption
5. Identified ambiguities using keyword search (fast, scalable, secure, intuitive, robust, TODO, TKTK) - found 2 instances
6. Identified duplications via semantic similarity - found 1 instance
7. Identified inconsistencies via cross-artifact comparison - found 2 instances
**Confidence Level**: HIGH
- All mandatory sections present in spec.md
- All requirements traced to tasks
- Constitution correctly doesn't apply to documentation features
- Findings are actionable with specific recommendations
---
## Appendix: Constitution Compliance for Future Implementations
While this **documentation feature** is constitution-exempt, **implementations using this guide** MUST comply:
### When Implementing Sync Jobs (Using This Guide)
**MUST Follow**:
- TypeScript strict mode (Constitution II)
- Type-safe Graph API client usage
- Server-side execution patterns
- Error handling and logging standards
**MUST AVOID**:
- Client-side Graph API calls
- `any` types in TypeScript
- Inconsistent error handling
### Recommendation for Guide Content
Add section to intune-migration-guide.md (during T032 review):
```markdown
## Constitution Compliance
When implementing sync jobs using this guide:
- All TypeScript MUST use strict mode (`strict: true` in tsconfig.json)
- Graph API calls MUST be type-safe (define interfaces for all API responses)
- Sync jobs run server-side (worker process) - client-side fetching prohibited
- Follow project's error handling patterns (see worker/utils/errorHandler.ts)
```
This ensures developers using the guide produce constitution-compliant implementations.
---
**Report Complete** | **Status**: ✅ Ready for Implementation | **Next Step**: Choose Option A, B, or C above

157
specs/006-intune-reverse-engineering-guide/checklists/requirements.md
View File

@ -1,157 +0,0 @@
# Specification Quality Checklist: Technical Standard - Intune Reverse Engineering Strategy
**Purpose**: Validate specification completeness and quality before proceeding to planning
**Created**: 2025-12-09
**Feature**: [spec.md](../spec.md)
## Content Quality
- [✓] No implementation details (languages, frameworks, APIs)
- [✓] Focused on user value and business needs
- [✓] Written for non-technical stakeholders
- [✓] All mandatory sections completed
## Requirement Completeness
- [✓] No [NEEDS CLARIFICATION] markers remain
- [✓] Requirements are testable and unambiguous
- [✓] Success criteria are measurable
- [✓] Success criteria are technology-agnostic (no implementation details)
- [✓] All acceptance scenarios are defined
- [✓] Edge cases are identified
- [✓] Scope is clearly bounded
- [✓] Dependencies and assumptions identified
## Feature Readiness
- [✓] All functional requirements have clear acceptance criteria
- [✓] User scenarios cover primary flows
- [✓] Feature meets measurable outcomes defined in Success Criteria
- [✓] No implementation details leak into specification
## Validation Summary
**Status**: ✅ PASSED
All checklist items have been validated successfully:
### Content Quality Analysis
- ✅ The spec focuses on WHAT developers need (reverse engineering process) without specifying HOW to build the documentation system
- ✅ User stories describe developer workflows and business outcomes (reduced onboarding time, fewer bugs)
- ✅ Language is accessible - explains concepts like "PowerShell reference module" and "API endpoint pattern"
- ✅ All 3 mandatory sections present: User Scenarios & Testing, Requirements, Success Criteria
### Requirement Completeness Analysis
- ✅ Zero [NEEDS CLARIFICATION] markers in the spec
- ✅ All 8 functional requirements (FR-001 to FR-008) are testable: can verify if documentation includes each specified element
- ✅ All 6 success criteria (SC-001 to SC-006) have numeric targets: 2 hours, 95% accuracy, 50% reduction, etc.
- ✅ Success criteria avoid implementation details (e.g., "developer can implement" not "TypeScript code compiles")
- ✅ Each user story includes 2-3 acceptance scenarios with Given/When/Then format
- ✅ Edge cases section covers 4 scenarios: PowerShell updates, deprecated features, missing references, quirky behaviors
- ✅ Scope is bounded: focuses on reverse engineering strategy, not the actual implementation of sync jobs
- ✅ Dependencies documented: requires `IntuneManagement-master/` directory as reference source (FR-002)
### Feature Readiness Analysis
- ✅ All functional requirements map to user story acceptance scenarios:
- FR-001 (step-by-step process) → User Story 1 Scenario 1
- FR-003 (data points to extract) → User Story 1 Scenario 2
- FR-005 (troubleshooting section) → User Story 2 Scenarios
- FR-007 (versioning strategy) → Edge Case 1
- ✅ User stories cover complete workflow: implementation (P1) → troubleshooting (P2) → knowledge transfer (P3)
- ✅ Success criteria align with user outcomes: SC-001 (time savings) validates User Story 1, SC-004 (onboarding) validates User Story 3
- ✅ No implementation leakage detected (e.g., doesn't specify markdown vs wiki vs code comments for documentation format)
## Notes
This specification is ready for `/speckit.plan` or implementation. No further clarifications or revisions needed.
**Next Steps**:
1. ✅ Implementation complete - all tasks executed
2. ✅ All 8 functional requirements validated in guide
3. ✅ Guide published at `docs/architecture/intune-migration-guide.md`
---
## Implementation Validation (2025-12-09)
### Functional Requirements Validation
**FR-001**: Step-by-step process ✅
- Section "Step-by-Step Implementation Process" includes 6-phase workflow
- Each phase has concrete actions (e.g., "Find the Graph API call", "Look for property deletions")
**FR-002**: PowerShell reference location ✅
- Section "PowerShell Reference Location" specifies `reference/IntuneManagement-master/`
- Lists key directories: Modules/, Extensions/, Core.psm1
- Provides search examples for finding modules
**FR-003**: Data points to extract ✅
- Section "Data Points to Extract" has comprehensive checklist
- Required: endpoints, query parameters ($filter, $expand, $select), property cleanup, type transformations
- Optional: nested objects, conditional logic, batch operations
**FR-004**: Concrete examples ✅
- 4 detailed examples in "Concrete Examples" section
- Example 1: Windows Update Rings (full implementation)
- Example 2: Settings Catalog ($expand discovery)
- Example 3: Invoke-MSGraphRequest translation patterns
- Example 4: Property cleanup patterns
- Plus: Complete end-to-end example (Compliance Policies)
**FR-005**: Troubleshooting section ✅
- Section "Troubleshooting API Discrepancies" with 8-point checklist
- Example 1: Missing $expand parameter causing incomplete data
- Example 2: 400 Bad Request due to wrong API version
**FR-006**: Fallback process ✅
- Section "Fallback Process for Missing PowerShell Reference"
- 5-step process: Check docs → Use Graph Explorer → Extensive testing (2 tenants, 5 resources) → Document assumptions → Monitor for updates
**FR-007**: Versioning strategy ✅
- Section "Versioning Strategy" documents commit tracking
- Example comment format showing PowerShell reference version
- Process for updating when PowerShell changes
**FR-008**: Replicate vs document behaviors ✅
- Section "PowerShell Quirks vs Intentional Patterns"
- Decision framework: What to replicate (property cleanup, $expand, API versions)
- What not to replicate (PowerShell-specific syntax, Windows paths)
- Marking convention: `// [POWERSHELL QUIRK]: <description>`
### Success Criteria Achievability
**SC-001**: 2-hour implementation time ✅
- Guide provides step-by-step process reducing discovery time
- Concrete examples accelerate pattern recognition
- Expected to reduce 8-hour trial-and-error to 2 hours
**SC-002**: 95% first-attempt accuracy ✅
- Comprehensive data extraction checklist prevents missing parameters
- Troubleshooting section catches common mistakes
- Validation process ensures correctness
**SC-003**: Zero API surprises ✅
- PowerShell analysis discovers undocumented behaviors upfront
- Examples show hidden requirements (e.g., $expand=settings)
**SC-004**: 30-minute onboarding ✅
- "Understanding Existing Implementation Patterns" section explains rationale
- FAQ addresses common questions
- Real-world examples provide context
**SC-005**: 50% code review reduction ✅
- Reviewers can verify against PowerShell reference
- Version comments enable quick validation
- Standardized patterns reduce questions
**SC-006**: Zero "why beta API?" questions ✅
- "When to Use Beta vs V1.0 API" section documents decision process
- Examples show PowerShell reference as source of truth
### Coverage Summary
- ✅ All 8 functional requirements fully implemented
- ✅ All 6 success criteria supported by guide content
- ✅ All 4 edge cases documented with processes
- ✅ 3 user stories covered (US1: implementation, US2: troubleshooting, US3: onboarding)
- ✅ Guide is 1,400+ lines with comprehensive examples and patterns

109
specs/006-intune-reverse-engineering-guide/plan.md
View File

@ -1,109 +0,0 @@
# Implementation Plan: [FEATURE]
**Branch**: `[###-feature-name]` | **Date**: [DATE] | **Spec**: [link]
**Input**: Feature specification from `/specs/[###-feature-name]/spec.md`
**Note**: This template is filled in by the `/speckit.plan` command. See `.specify/templates/commands/plan.md` for the execution workflow.
## Summary
[Extract from feature spec: primary requirement + technical approach from research]
## Technical Context
<!--
ACTION REQUIRED: Replace the content in this section with the technical details
for the project. The structure here is presented in advisory capacity to guide
the iteration process.
-->
**Language/Version**: TypeScript 5.x strict mode
**Primary Dependencies**: Next.js 16+, Drizzle ORM, Shadcn UI, NextAuth.js
**Storage**: PostgreSQL
**Testing**: Jest/Vitest for unit tests, Playwright for E2E
**Target Platform**: Docker containers, web browsers
**Project Type**: Web application (Next.js)
**Performance Goals**: <2s page load, <500ms API responses
**Constraints**: Server-first architecture, no client fetches, Azure AD only
**Scale/Scope**: Multi-tenant SaaS, 1000+ concurrent users
## Constitution Check
*GATE: Must pass before Phase 0 research. Re-check after Phase 1 design.*
- [ ] Uses Next.js App Router with Server Actions (no client-side fetches)
- [ ] TypeScript strict mode enabled
- [ ] Drizzle ORM for all database operations
- [ ] Shadcn UI for all new components
- [ ] Azure AD multi-tenant authentication
- [ ] Docker deployment with standalone build
## Project Structure
### Documentation (this feature)
```text
specs/[###-feature]/
├── plan.md # This file (/speckit.plan command output)
├── research.md # Phase 0 output (/speckit.plan command)
├── data-model.md # Phase 1 output (/speckit.plan command)
├── quickstart.md # Phase 1 output (/speckit.plan command)
├── contracts/ # Phase 1 output (/speckit.plan command)
└── tasks.md # Phase 2 output (/speckit.tasks command - NOT created by /speckit.plan)
```
### Source Code (repository root)
<!--
ACTION REQUIRED: Replace the placeholder tree below with the concrete layout
for this feature. Delete unused options and expand the chosen structure with
real paths (e.g., apps/admin, packages/something). The delivered plan must
not include Option labels.
-->
```text
# [REMOVE IF UNUSED] Option 1: Single project (DEFAULT)
src/
├── models/
├── services/
├── cli/
└── lib/
tests/
├── contract/
├── integration/
└── unit/
# [REMOVE IF UNUSED] Option 2: Web application (when "frontend" + "backend" detected)
backend/
├── src/
│ ├── models/
│ ├── services/
│ └── api/
└── tests/
frontend/
├── src/
│ ├── components/
│ ├── pages/
│ └── services/
└── tests/
# [REMOVE IF UNUSED] Option 3: Mobile + API (when "iOS/Android" detected)
api/
└── [same as backend above]
ios/ or android/
└── [platform-specific structure: feature modules, UI flows, platform tests]
```
**Structure Decision**: [Document the selected structure and reference the real
directories captured above]
## Complexity Tracking
> **Fill ONLY if Constitution Check has violations that must be justified**
| Violation | Why Needed | Simpler Alternative Rejected Because |
|-----------|------------|-------------------------------------|
| [e.g., 4th project] | [current need] | [why 3 projects insufficient] |
| [e.g., Repository pattern] | [specific problem] | [why direct DB access insufficient] |

96
specs/006-intune-reverse-engineering-guide/spec.md
View File

@ -1,96 +0,0 @@
# Feature Specification: Technical Standard - Intune Reverse Engineering Strategy
**Feature Branch**: `006-intune-reverse-engineering-guide`
**Created**: 2025-12-09
**Status**: Draft
**Input**: User description: "Technical Standard - Intune Reverse Engineering Strategy"
## User Scenarios & Testing *(mandatory)*
### User Story 1 - Developer Implements New Intune Feature (Priority: P1)
A backend developer receives a request to add support for a new Intune resource type (e.g., "App Protection Policies"). They need a clear process to ensure the implementation matches Microsoft's actual Graph API behavior and includes all necessary parameters, filters, and data transformations.
**Why this priority**: This is the core workflow that enables all future Intune feature additions. Without this guideline, developers will make inconsistent API calls, miss critical parameters, and create technical debt.
**Independent Test**: Can be fully tested by having a developer follow the guide to implement one new resource type (e.g., Compliance Policies) and verify that the TypeScript implementation matches the PowerShell reference behavior exactly (same endpoints, same filters, same data shape).
**Acceptance Scenarios**:
1. **Given** a feature request for "Windows Update Rings", **When** developer follows the guide to analyze `IntuneManagement/Modules/WindowsUpdateRings.psm1`, **Then** they identify the exact Graph endpoint (`/deviceManagement/windowsUpdateForBusinessConfigurations`), required filters (`$filter=`), and property cleanup logic before writing any TypeScript code.
2. **Given** a new Settings Catalog policy type needs to be synced, **When** developer references the PowerShell code for Settings Catalog, **Then** they discover the `$expand=settings` parameter is required (not documented in Graph API docs) and implement it in TypeScript.
3. **Given** an AI agent is tasked with implementing a new sync job, **When** the agent reads this guide, **Then** it knows to search for the corresponding `.psm1` file first, extract API patterns, and document any undocumented behaviors before generating TypeScript code.
---
### User Story 2 - Developer Troubleshoots API Discrepancy (Priority: P2)
A developer notices that the TypeScript implementation returns different data than the PowerShell tool for the same Intune resource. They need a systematic way to identify what's missing in the TypeScript implementation.
**Why this priority**: This handles maintenance and bug fixes for existing features. It's less critical than the initial implementation process but essential for long-term reliability.
**Independent Test**: Can be tested by intentionally creating a "broken" implementation (missing an `$expand` parameter), then using the guide to trace back to the PowerShell reference and identify the fix.
**Acceptance Scenarios**:
1. **Given** TypeScript sync returns incomplete data for Configuration Policies, **When** developer compares against the PowerShell reference module, **Then** they discover a missing `$expand=assignments` parameter and add it to the TypeScript implementation.
2. **Given** a sync job fails with "400 Bad Request", **When** developer checks the PowerShell reference for that resource type, **Then** they find undocumented query parameter requirements (e.g., API version must be `beta` not `v1.0`).
---
### User Story 3 - Onboarding New Team Member (Priority: P3)
A new developer joins the project and needs to understand why the codebase uses specific Graph API patterns that seem to differ from official Microsoft documentation.
**Why this priority**: Good documentation reduces onboarding time and prevents future developers from "fixing" intentional design decisions that match the PowerShell reference.
**Independent Test**: A new developer can read the guide and understand the rationale for existing implementation choices without needing to ask the original author.
**Acceptance Scenarios**:
1. **Given** a new developer sees code that deletes certain properties before saving (e.g., `delete policy.createdDateTime`), **When** they read the migration guide, **Then** they understand this matches the PowerShell cleanup logic and shouldn't be "refactored away".
2. **Given** a developer wonders why some endpoints use beta API, **When** they consult the guide, **Then** they learn to check the PowerShell reference first before attempting to "upgrade" to v1.0.
---
### Edge Cases
- What happens when the PowerShell reference module is updated with breaking changes? (Guide should include a versioning strategy: document which PowerShell commit/version was used as reference)
- How does the system handle Intune features that exist in PowerShell but are deprecated by Microsoft? (Mark as "reference only, do not implement new features")
- What if a new Intune feature has no PowerShell equivalent yet? (Define a fallback process: use official Graph docs + extensive testing, document assumptions)
- How do we handle undocumented PowerShell behaviors that seem like bugs? (Document them explicitly with `[POWERSHELL QUIRK]` markers and decide case-by-case whether to replicate)
## Requirements *(mandatory)*
### Functional Requirements
- **FR-001**: Documentation MUST include a step-by-step process for analyzing PowerShell reference code before implementing TypeScript equivalents
- **FR-002**: Guide MUST specify the location of the PowerShell reference source (`IntuneManagement-master/` directory in the repo)
- **FR-003**: Process MUST define which data points to extract from PowerShell code: exact API endpoints, query parameters (`$filter`, `$expand`, `$select`), API version (beta vs v1.0), property cleanup/transformation logic
- **FR-004**: Guide MUST provide concrete examples mapping PowerShell patterns to TypeScript implementations (e.g., how PowerShell's `Invoke-MSGraphRequest` translates to `graphClient.api().get()`)
- **FR-005**: Documentation MUST include a troubleshooting section for when TypeScript behavior doesn't match PowerShell reference
- **FR-006**: Guide MUST define a fallback process for Intune features that have no PowerShell reference (use official docs + extensive testing)
- **FR-007**: Process MUST include versioning strategy: document which PowerShell commit/version is used as reference for each implemented feature
- **FR-008**: Guide MUST distinguish between "must replicate" behaviors (intentional API patterns) and "document but don't replicate" behaviors (PowerShell-specific quirks)
### Key Entities
- **PowerShell Reference Module**: A `.psm1` file in `IntuneManagement-master/Modules/` that implements sync logic for a specific Intune resource type (e.g., `ConfigurationPolicies.psm1`, `Applications.psm1`)
- **API Endpoint Pattern**: The exact Microsoft Graph URL path, API version, and query parameters required to fetch an Intune resource
- **Data Transformation Rule**: Logic that modifies API response data before storage (e.g., property deletion, type conversions, flattening nested structures)
- **Implementation Mapping**: The relationship between a PowerShell function (e.g., `Get-IntuneConfigurationPolicies`) and its TypeScript equivalent (e.g., `worker/jobs/syncConfigurationPolicies.ts`)
## Success Criteria *(mandatory)*
### Measurable Outcomes
- **SC-001**: A developer can implement a new Intune resource type sync job in under 2 hours by following the guide (compared to 8+ hours of trial-and-error without it)
- **SC-002**: 95% of newly implemented sync jobs match PowerShell reference behavior on first attempt (verified by comparing API calls and returned data)
- **SC-003**: Zero "undocumented Graph API behavior" surprises after implementation (all quirks are discovered during PowerShell analysis phase)
- **SC-004**: New team members can understand existing API implementation choices within 30 minutes of reading the guide (verified by onboarding feedback)
- **SC-005**: Code review time for new Intune features reduced by 50% (reviewers can verify against PowerShell reference instead of testing manually)
- **SC-006**: Technical debt reduced: zero instances of "why is this endpoint using beta API?" questions after guide adoption (rationale is documented in the guide or feature spec)

247
specs/006-intune-reverse-engineering-guide/tasks.md
View File

@ -1,247 +0,0 @@
# Tasks: Technical Standard - Intune Reverse Engineering Strategy
**Input**: Design documents from `/specs/006-intune-reverse-engineering-guide/`
**Prerequisites**: spec.md (required)
**Tests**: Tests are NOT included for this feature - this is a documentation/guideline feature
**Organization**: Tasks are grouped by user story to enable independent implementation and testing of each documentation section.
## Format: `[ID] [P?] [Story] Description`
- **[P]**: Can run in parallel (different files, no dependencies)
- **[Story]**: Which user story this task belongs to (e.g., US1, US2, US3)
- Include exact file paths in descriptions
## Path Conventions
- Documentation: `docs/architecture/`
- PowerShell Reference: `reference/IntuneManagement-master/`
---
## Phase 1: Setup (Documentation Infrastructure)
**Purpose**: Create basic documentation structure and validate PowerShell reference availability
- [X] T001 Create docs/architecture/ directory structure if not exists
- [X] T002 [P] Verify reference/IntuneManagement-master/ directory exists and contains .psm1 modules
- [X] T003 [P] Document PowerShell reference version/commit in docs/architecture/intune-reference-version.md
---
## Phase 2: Foundational (Core Documentation Framework)
**Purpose**: Create the main migration guide document with foundational sections
**⚠️ CRITICAL**: This must be complete before user story-specific sections can be added
- [X] T004 Create docs/architecture/intune-migration-guide.md with header and introduction
- [X] T005 Add table of contents structure to docs/architecture/intune-migration-guide.md
- [X] T006 Add "Overview" section explaining the reverse engineering strategy in docs/architecture/intune-migration-guide.md
- [X] T007 Add "PowerShell Reference Location" section (FR-002) in docs/architecture/intune-migration-guide.md
**Checkpoint**: Foundation ready - user story sections can now be written in parallel
---
## Phase 3: User Story 1 - Implementation Process Guide (Priority: P1) 🎯 MVP
**Goal**: Create step-by-step guide for developers implementing new Intune features
**Independent Test**: A developer can follow the guide to implement a new resource type (e.g., Compliance Policies) and extract all required API patterns from PowerShell reference
### Implementation for User Story 1
- [X] T008 [P] [US1] Write "Step-by-Step Implementation Process" section (FR-001) in docs/architecture/intune-migration-guide.md
- [X] T009 [P] [US1] Create "Data Points to Extract" checklist (FR-003) in docs/architecture/intune-migration-guide.md
- [X] T010 [US1] Add concrete example: Windows Update Rings PowerShell → TypeScript mapping in docs/architecture/intune-migration-guide.md
- [X] T011 [US1] Add concrete example: Settings Catalog with $expand parameter discovery in docs/architecture/intune-migration-guide.md
- [X] T012 [US1] Create "PowerShell to TypeScript Pattern Mapping" section (FR-004) in docs/architecture/intune-migration-guide.md
- [X] T013 [US1] Add example: Invoke-MSGraphRequest → graphClient.api().get() translation in docs/architecture/intune-migration-guide.md
- [X] T014 [US1] Add example: Property cleanup/transformation patterns in docs/architecture/intune-migration-guide.md
**Checkpoint**: At this point, a developer should be able to implement a new sync job by following US1 sections
---
## Phase 4: User Story 2 - Troubleshooting Guide (Priority: P2)
**Goal**: Create systematic troubleshooting process for API discrepancies
**Independent Test**: A developer can use the guide to diagnose why TypeScript returns different data than PowerShell and identify the missing parameter
### Implementation for User Story 2
- [X] T015 [P] [US2] Write "Troubleshooting API Discrepancies" section (FR-005) in docs/architecture/intune-migration-guide.md
- [X] T016 [US2] Add troubleshooting checklist: missing $expand, wrong API version, property cleanup in docs/architecture/intune-migration-guide.md
- [X] T017 [US2] Add concrete example: Missing $expand=assignments causing incomplete data in docs/architecture/intune-migration-guide.md
- [X] T018 [US2] Add concrete example: 400 Bad Request due to beta vs v1.0 API version in docs/architecture/intune-migration-guide.md
**Checkpoint**: At this point, User Stories 1 AND 2 are complete - developers can implement and troubleshoot
---
## Phase 5: User Story 3 - Onboarding Documentation (Priority: P3)
**Goal**: Document rationale for existing implementation decisions to help new team members
**Independent Test**: A new developer can read the guide and understand why code deletes properties or uses beta APIs without asking
### Implementation for User Story 3
- [X] T019 [P] [US3] Write "Understanding Existing Implementation Patterns" section in docs/architecture/intune-migration-guide.md
- [X] T020 [US3] Add explanation: Why we delete properties (matches PowerShell cleanup logic) in docs/architecture/intune-migration-guide.md
- [X] T021 [US3] Add explanation: When to use beta vs v1.0 API (check PowerShell reference first) in docs/architecture/intune-migration-guide.md
- [X] T022 [US3] Create "Common Questions" FAQ section in docs/architecture/intune-migration-guide.md
**Checkpoint**: All user stories complete - guide covers implementation, troubleshooting, and knowledge transfer
---
## Phase 6: Edge Cases & Advanced Topics
**Purpose**: Handle special scenarios identified in spec.md edge cases
- [X] T023 [P] Add "Versioning Strategy" section (FR-007) explaining how to document PowerShell commit/version in docs/architecture/intune-migration-guide.md
- [X] T024 [P] Add "Fallback Process for Missing PowerShell Reference" section (FR-006) in docs/architecture/intune-migration-guide.md
- [X] T025 [P] Add "Handling PowerShell Updates" section (edge case 1) in docs/architecture/intune-migration-guide.md
- [X] T026 [P] Add "Deprecated Features" section (edge case 2) in docs/architecture/intune-migration-guide.md
- [X] T027 [P] Add "PowerShell Quirks vs Intentional Patterns" section (FR-008, edge case 4) in docs/architecture/intune-migration-guide.md
---
## Phase 7: Polish & Cross-Cutting Concerns
**Purpose**: Final review, examples, and integration with existing documentation
- [X] T028 Add complete end-to-end example: Implementing a new sync job from scratch in docs/architecture/intune-migration-guide.md
- [X] T029 Add code snippets: PowerShell snippets with annotations showing what to extract in docs/architecture/intune-migration-guide.md
- [X] T030 Add code snippets: TypeScript implementation examples in docs/architecture/intune-migration-guide.md
- [ ] T031 Create visual diagram: Implementation workflow (PowerShell analysis → TypeScript implementation) in docs/architecture/intune-migration-guide.md
- [X] T032 Review guide against all 8 functional requirements (FR-001 to FR-008) and update checklists/requirements.md
- [X] T033 Add links to existing worker/jobs/ implementations as real-world examples in docs/architecture/intune-migration-guide.md
- [X] T034 Update README.md to reference the new migration guide
---
## Dependencies
### User Story Completion Order
```mermaid
graph TD
Setup[Phase 1: Setup] --> Foundation[Phase 2: Foundation]
Foundation --> US1[Phase 3: US1 - Implementation Guide]
Foundation --> US2[Phase 4: US2 - Troubleshooting]
Foundation --> US3[Phase 5: US3 - Onboarding]
US1 --> EdgeCases[Phase 6: Edge Cases]
US2 --> EdgeCases
US3 --> EdgeCases
EdgeCases --> Polish[Phase 7: Polish]
```
**Explanation**:
- **Setup & Foundation** must complete first (T001-T007)
- **US1, US2, US3** are independent after foundation - can be written in parallel
- **Edge Cases** depend on having core sections complete (to add edge case notes in context)
- **Polish** comes last to add examples and review completeness
### Task-Level Dependencies
**Critical Path** (must complete in order):
1. T001 (create directory) → T004 (create main guide file)
2. T004 (create file) → All section-writing tasks (T008-T027)
3. All section tasks complete → T028-T034 (polish tasks)
**Parallel Opportunities**:
- T002, T003 can run parallel with T001
- T008, T009, T015, T019, T023-T027 can run in parallel after T004
- T029, T030, T033 can run in parallel during polish phase
---
## Parallel Execution Examples
### Phase 3 - User Story 1 (After T004 completes)
Run these tasks simultaneously:
```bash
# Terminal 1: Implementation process guide
# Task T008 - Write step-by-step process
# Terminal 2: Data extraction checklist
# Task T009 - Create extraction checklist
# Both tasks write to different sections of the same file
```
### Phase 6 - Edge Cases (After Phase 3-5 complete)
Run all edge case sections in parallel:
```bash
# These are all independent sections that can be written simultaneously
# T023: Versioning strategy
# T024: Fallback process
# T025: PowerShell updates
# T026: Deprecated features
# T027: Quirks vs patterns
```
### Phase 7 - Polish (Final phase)
Run code example tasks in parallel:
```bash
# Terminal 1: T029 - Add PowerShell code snippets
# Terminal 2: T030 - Add TypeScript examples
# Terminal 3: T033 - Add links to existing implementations
```
---
## Implementation Strategy
### MVP Scope (Ship This First)
**Phase 3: User Story 1 - Implementation Process Guide**
- This is the core value: enables developers to implement new features correctly
- Includes: Step-by-step process (T008), data extraction checklist (T009), concrete examples (T010-T014)
- **Delivers SC-001**: Reduces implementation time from 8 hours to 2 hours
- **Delivers SC-002**: 95% first-attempt accuracy by following the process
### Incremental Delivery
1. **MVP** (Phase 3): Ship US1 implementation guide → developers can start using it immediately
2. **V1.1** (Phase 4): Add US2 troubleshooting → helps with existing bugs
3. **V1.2** (Phase 5): Add US3 onboarding → reduces team onboarding time
4. **V2.0** (Phase 6-7): Add edge cases and polish → complete reference guide
### Success Metrics (Track These)
- **SC-001**: Measure implementation time before/after guide (target: 2 hours vs 8 hours)
- **SC-002**: Track first-attempt accuracy rate (target: 95%)
- **SC-003**: Count "API surprises" incidents before/after (target: zero after)
- **SC-004**: Measure onboarding time for new developers (target: 30 minutes)
- **SC-005**: Track code review time reduction (target: 50% reduction)
- **SC-006**: Count "why beta API?" questions in code reviews (target: zero)
---
## Validation Checklist
Before marking tasks complete, verify:
- [ ] All 8 functional requirements (FR-001 to FR-008) are addressed in the guide
- [ ] Each user story has concrete, actionable examples (not just theory)
- [ ] Guide includes at least 3 real PowerShell → TypeScript examples
- [ ] Troubleshooting section has step-by-step diagnostic process
- [ ] Versioning strategy explains how to document PowerShell reference version
- [ ] Fallback process defined for features without PowerShell reference
- [ ] Edge cases from spec.md are all documented
- [ ] Code snippets are executable and tested
- [ ] Links to existing implementations (worker/jobs/) are included
- [ ] Guide is independently usable (doesn't require asking the author for clarification)
---
## Notes
**About This Feature**: This is a documentation/guideline feature, not a code implementation feature. The "output" is a comprehensive markdown guide that developers (human and AI) will reference when implementing Intune sync jobs.
**Success Definition**: The guide is successful when a developer can implement a new Intune resource type sync job by following the guide alone, without needing to ask questions or make multiple attempts.
**Maintenance**: When PowerShell reference is updated, review the guide and update version references. Add new examples as new sync jobs are implemented.

22
worker/Dockerfile
View File

@ -1,22 +0,0 @@
### Single-stage build: Run worker with tsx TypeScript runtime
### IMPORTANT: Dokploy must set dockerContextPath="." (repo root) in database
### Dockerfile path should be "worker/Dockerfile"
FROM node:20-alpine AS runtime
WORKDIR /usr/src/app
# Install production dependencies AND tsx for TypeScript runtime
COPY package.json package-lock.json ./
RUN npm ci --production --silent && npm install tsx dotenv --silent
# Copy tsconfig for path mapping resolution (@/ alias)
COPY tsconfig.json ./
# Copy worker code and shared lib
COPY worker ./worker
COPY lib ./lib
ENV NODE_ENV=production
# Run worker using tsx (TypeScript runtime)
CMD ["npx", "tsx", "./worker/index.ts"]

54
worker/README.md
View File

@ -1,54 +0,0 @@
Worker container and Dokploy settings
====================================
Build context
-------------
- **Build path: `/` (repo root)** — NOT `worker/`!
- **Dockerfile path: `worker/Dockerfile`**
**IMPORTANT**: Dokploy must build from the repo root (`/`) so the Dockerfile can access `package.json`, `lib/`, and other files. If build path is set to `worker/`, the build will fail with "package.json: not found".
Two-stage build (recommended)
-----------------------------
- This repository includes a two-stage Dockerfile that compiles TypeScript in a builder stage and produces a smaller runtime image.
- The builder stage runs `npx tsc -p tsconfig.json --outDir dist` and the runtime stage will run the compiled `dist/worker/index.js` if present. If compilation is not performed, the container falls back to running `npx tsx ./worker/index.ts`.
Recommended Dokploy settings
----------------------------
- Provider: `Gitea`
- Repository: `ahmido/tenantpilot` (or your repo)
- Branch: `development`
- **Build path: `/`** (repo root)
- **Dockerfile path: `worker/Dockerfile`**
- Watch paths: `worker/**`, `lib/**`, `package.json`, `package-lock.json`
Notes
-----
- The Dockerfile attempts to run compiled JS first; if no compiled output is present the runtime falls back to `tsx`.
- If Dokploy requires a separate webhook per app, use the worker webhook URL provided in this repo's docs/workflow.
Notes on environment
--------------------
- Ensure Dokploy provides `REDIS_URL` in the environment for the worker container.
- Provide Azure AD secrets in Dokploy environment vars: `AZURE_AD_TENANT_ID`, `AZURE_AD_CLIENT_ID`, `AZURE_AD_CLIENT_SECRET`.
Worker container and Dokploy settings
====================================
Build context
-------------
- Build path: `worker/` (Dokploy should use this path so the worker Dockerfile is found)
- Dockerfile: `worker/Dockerfile`
Recommended Dokploy settings
----------------------------
- Provider: `Gitea`
- Repository: `ahmido/tenantpilot` (or your repo)
- Branch: `development`
- Build path: `worker/`
- Watch paths: `worker/**`, `lib/**`, `package.json`, `package-lock.json`
Notes
-----
- The `Dockerfile` runs `npm ci` and then `npm run worker:start`, which uses `tsx` to execute `worker/index.ts` directly.
- If you prefer a smaller production image, consider adding a build step to compile TypeScript to JS and run the compiled output with `node`.
- If Dokploy requires a separate webhook per app, use the worker webhook URL provided in this repo's docs/workflow.

38
worker/events.ts
View File

@ -1,38 +0,0 @@
import { Worker, Job } from 'bullmq';
import logger from './logging';
const jobStartTimes = new Map<string | number, number>();
export function attachWorkerEvents(worker: Worker) {
worker.on('active', (job: Job) => {
const jobId = job.id?.toString() || 'unknown';
jobStartTimes.set(jobId, Date.now());
logger.info({ event: 'job_active', jobId, name: job.name, data: job.data });
});
worker.on('completed', (job: Job) => {
const jobId = job.id?.toString() || 'unknown';
const start = jobStartTimes.get(jobId) || Date.now();
const durationMs = Date.now() - start;
jobStartTimes.delete(jobId);
logger.info({ event: 'job_complete', jobId, durationMs, timestamp: new Date().toISOString() });
});
worker.on('failed', (job: Job | undefined, err: Error | undefined) => {
const jobId = job?.id;
const start = jobId ? jobStartTimes.get(jobId) : undefined;
const durationMs = start ? Date.now() - start : undefined;
if (jobId) jobStartTimes.delete(jobId);
logger.error({ event: 'job_failed', jobId, error: err?.message, stack: err?.stack, durationMs });
});
worker.on('progress', (job: Job, progress) => {
logger.info({ event: 'job_progress', jobId: job.id, progress });
});
worker.on('error', (err: Error) => {
logger.error({ event: 'worker_error', error: err?.message, stack: err?.stack });
});
}
export default attachWorkerEvents;

9
worker/health.ts
View File

@ -1,9 +0,0 @@
export function checkHealth() {
return {
ok: true,
redisUrlPresent: !!process.env.REDIS_URL,
timestamp: new Date().toISOString(),
};
}
export default checkHealth;

25
worker/index.ts
View File

@ -1,25 +0,0 @@
import 'dotenv/config';
import { Worker } from 'bullmq';
import redisConnection from '../lib/queue/redis';
import { syncPolicies } from './jobs/syncPolicies';
import attachWorkerEvents from './events';
import logger from './logging';
const worker = new Worker(
'intune-sync-queue',
async (job) => {
logger.info({ event: 'job_start', jobId: job.id, name: job.name, data: job.data, timestamp: new Date().toISOString() });
return syncPolicies(job);
},
{ connection: (redisConnection as any), concurrency: 1 }
);
attachWorkerEvents(worker);
process.on('SIGINT', async () => {
logger.info('Shutting down worker...');
await worker.close();
process.exit(0);
});
logger.info('Worker started: listening for jobs on intune-sync-queue');

73
worker/jobs/dbUpsert.ts
View File

@ -1,73 +0,0 @@
import { db } from '../../lib/db';
import { policySettings } from '../../lib/db/schema/policySettings';
import type { NewPolicySetting } from '../../lib/db/schema/policySettings';
import type { FlattenedSetting } from './policyParser';
import logger from '../logging';
/**
* Upsert policy settings to database with conflict resolution
*/
export async function upsertPolicySettings(
tenantId: string,
settings: FlattenedSetting[]
): Promise<{ inserted: number; updated: number }> {
if (settings.length === 0) {
logger.info({ event: 'dbUpsert:skip', reason: 'no settings to upsert' });
return { inserted: 0, updated: 0 };
}
const now = new Date();
// Convert to database insert format
const records: NewPolicySetting[] = settings.map((setting) => ({
tenantId,
policyName: setting.policyName,
policyType: setting.policyType,
settingName: setting.settingName,
settingValue: setting.settingValue,
graphPolicyId: setting.graphPolicyId,
lastSyncedAt: now,
}));
try {
// Batch upsert with conflict resolution
// Uses the unique constraint: (tenantId, graphPolicyId, settingName)
const result = await db
.insert(policySettings)
.values(records)
.onConflictDoUpdate({
target: [
policySettings.tenantId,
policySettings.graphPolicyId,
policySettings.settingName,
],
set: {
policyName: policySettings.policyName,
policyType: policySettings.policyType,
settingValue: policySettings.settingValue,
lastSyncedAt: now,
},
});
// Drizzle doesn't return row counts in all cases, so we estimate
const total = records.length;
logger.info({
event: 'dbUpsert:success',
total,
tenantId,
policies: [...new Set(settings.map(s => s.graphPolicyId))].length
});
return { inserted: total, updated: 0 };
} catch (error) {
logger.error({
event: 'dbUpsert:error',
error: error instanceof Error ? error.message : String(error),
tenantId,
settingsCount: settings.length
});
throw error;
}
}
export default upsertPolicySettings;

19
worker/jobs/graphAuth.ts
View File

@ -1,19 +0,0 @@
import { ClientSecretCredential } from '@azure/identity';
const tenantId = process.env.AZURE_AD_TENANT_ID || process.env.AZURE_TENANT_ID;
const clientId = process.env.AZURE_AD_CLIENT_ID;
const clientSecret = process.env.AZURE_AD_CLIENT_SECRET;
const GRAPH_SCOPE = 'https://graph.microsoft.com/.default';
export async function getGraphAccessToken(): Promise<string> {
if (!tenantId || !clientId || !clientSecret) {
throw new Error('Missing Azure AD credentials. Set AZURE_AD_TENANT_ID, AZURE_AD_CLIENT_ID and AZURE_AD_CLIENT_SECRET in env');
}
const credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
const token = await credential.getToken(GRAPH_SCOPE);
if (!token || !token.token) throw new Error('Failed to acquire Graph access token');
return token.token;
}
export default getGraphAccessToken;

Some files were not shown because too many files have changed in this diff Show More