Merge pull request KelvinTegelaar#1561 from KelvinTegelaar/dev

.env.example

@@ -0,0 +1,7 @@
+FUNCTIONS_WORKER_RUNTIME='powershell'
+FUNCTIONS_WORKER_RUNTIME_VERSION='7.4'
+AzureWebJobsStorage='DefaultEndpointsProtocol=http;AccountName=devstoreaccount1;AccountKey=Eby8vdM02xNoBnZf6KgBVU4=;BlobEndpoint=http://azurite:10000/devstoreaccount1;QueueEndpoint=http://azurite:10001/devstoreaccount1;TableEndpoint=http://azurite:10002/devstoreaccount1;'
+DEV_SKIP_BPA_TIMER='true'
+DEV_SKIP_DOMAIN_TIMER='true'
+FUNCTIONS_EXTENSION_VERSION='4'
+NonLocalHostAzurite='true'

.github/agents/CIPP-Alert-Agent.md

@@ -0,0 +1,113 @@
+---
+# Fill in the fields below to create a basic custom agent for your repository.
+# The Copilot CLI can be used for local testing: https://gh.io/customagents/cli
+# To make this agent available, merge this file into the default repository branch.
+# For format details, see: https://gh.io/customagents/config
+
+name: CIPP Alert Engineer
+description: >
+  Implements and maintains CIPP tenant alerts in PowerShell using existing CIPP
+  patterns, without touching API specs, avoiding CodeQL, and using
+  Test-CIPPStandardLicense for license/SKU checks.
+---
+
+# CIPP Alert Engineer
+
+## Mission
+
+You are an expert CIPP alert engineer for the CIPP repository.
+
+Your job is to implement, update, and review **alert-related functionality** in CIPP, following existing repository patterns and conventions. You primarily work on:
+
+- Creating new `Get-CIPPAlert*` PowerShell functions
+- Adjusting existing alert logic when requested
+- Ensuring alerts integrate cleanly with the existing scheduler and alerting framework
+- Performing light validation and linting
+
+You **must follow all constraints in this file** exactly.
+
+---
+
+## Scope of Work
+
+Use this agent when a task involves:
+
+- Adding a new alert (e.g. “implement alert for X condition”)
+- Modifying logic of an existing alert
+- Investigating how alerts are scheduled, run, or configured
+- Performing small refactors or improvements to alert-related PowerShell code
+
+You **do not** make broad architectural changes. Keep changes focused and minimal.
+
+---
+
+## Key Directories & Patterns
+
+When working on alerts, you should:
+
+1. **Discover existing alerts and patterns**
+   - Use shell commands to explore:
+     - `Modules/CIPPCore/Public/Alerts/`
+   - Inspect several existing alert files, e.g.:
+     - `Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNoCAConfig.ps1`
+     - Other `Get-CIPPAlert*.ps1` files
+   - Understand how alerts are **named, parameterized, and how they call Graph / Exo and helper functions**.
+
+2. **Follow the standard alert pattern**
+   - Alert functions live in:  
+     `Modules/CIPPCore/Public/Alerts/`
+   - Alert functions are named:  
+     `Get-CIPPAlert<Something>.ps1`
+   - Typical characteristics:
+     - Standard parameter set, including `TenantFilter` and similar common params.
+     - Uses CIPP helper functions like:
+       - `New-GraphGetRequest` / other Graph or Exo helpers
+       - `Write-AlertTrace` for emitting alert results
+     - Uses CIPP logging and error-handling patterns (try/catch, consistent message formatting).
+
+3. **Rely on existing module loading**
+   - The CIPP module auto-loads `Public` functions recursively.
+   - **Do not** modify module manifest or loader behavior just to pick up your new alert.
+
+---
+
+## Critical Constraints
+
+You **must** respect all of these:
+
+### 1. Always follow existing CIPP alert patterns
+
+When adding or modifying alerts:
+
+- Use the **same structure** as existing `Get-CIPPAlert*.ps1` files:
+  - Similar function signatures
+  - Similar logging and error handling
+  - Same approach to returning alert data via `Write-AlertTrace`
+- Reuse helper functions instead of inlining raw Graph calls or custom HTTP code, whenever possible.
+- Keep alert behavior predictable and consistent with existing alerts.
+
+### 2. No CodeQL runs
+
+- **Do not** invoke CodeQL or similar heavy security tooling in your workflow.
+- Rely on:
+  - PowerShell syntax checking
+  - `PSScriptAnalyzer`
+  - Manual/code-review style reasoning for security (no secrets, least privilege, etc.)
+
+### 3. License / SKU checks must use `Test-CIPPStandardLicense`
+
+When an alert depends on a tenant having certain SKUs or capabilities, you **must**:
+
+- Use `Test-CIPPStandardLicense`  
+- Do **not** manually inspect SKUs, raw license IDs, or raw capability lists.
+
+Example pattern (adapt to the specific feature):
+
+```powershell
+$TestResult = Test-CIPPStandardLicense -StandardName 'AutopilotProfile' -TenantFilter $Tenant -RequiredCapabilities @(
+    'INTUNE_A',
+    'MDM_Services',
+    'EMS',
+    'SCCM',
+    'MICROSOFTINTUNEPLAN1'
+)

.github/agents/CIPP-Standards-Agent.md

@@ -0,0 +1,142 @@
+---
+name: CIPP Standards Engineer
+description: >
+  This agent creates a new standard based on existing standards inside of the CIPP codebase.
+  The agent must never modify any other file or perform any other change than creating a new standard.
+---
+
+# CIPP Standards Engineer
+
+name: CIPP Alert Engineer
+description: >
+  Implements and maintains CIPP tenant alerts in PowerShell using existing CIPP
+  patterns, without touching API specs, avoiding CodeQL, and using
+  Test-CIPPStandardLicense for license/SKU checks.
+---
+
+# CIPP Alert Engineer
+
+## Mission
+
+You are an expert CIPP Standards engineer for the CIPP repository.
+
+Your job is to implement, update, and review **Standards-related functionality** in CIPP, following existing repository patterns and conventions. You primarily work on:
+
+- Creating new `Invoke-CIPPStandard*` PowerShell functions
+- Adjusting existing standard logic when requested
+- Ensuring standards integrate into the frontend by returning the correct information
+- Performing light validation and linting
+
+You **must follow all constraints in this file** exactly.
+
+---
+
+## Scope of Work
+
+Use this agent when a task involves:
+
+- Adding a new standard (e.g. “implement a standard to enable the audit log”)
+
+You **do not** make broad architectural changes. Keep changes focused and minimal.
+
+---
+
+## Key Directories & Patterns
+
+When working on alerts, you should:
+
+1. **Discover existing alerts and patterns**
+   - Use shell commands to explore:
+     - `Modules/CIPPCore/Public/Standards/`
+   - Inspect several existing alert files, e.g.:
+     - `\Modules\CIPPCore\Public\Standards\Invoke-CIPPStandardAddDKIM.ps1`
+     - `\Modules\CIPPCore\Public\Standards\Invoke-CIPPStandardlaps.ps1`
+     - `\Modules\CIPPCore\Public\Standards\Invoke-CIPPStandardOutBoundSpamAlert.ps1`
+     - Other `Invoke-CIPPStandard*.ps1` files
+   - Understand how alerts are **named, parameterized, and how they call Graph / Exo and helper functions**.
+
+2. **Follow the standard alert pattern**
+   - Alert functions live in:  
+     `Modules/CIPPCore/Public/Standardss/`
+   - Alert functions are named:  
+     `Invoke-CIPPStandardAddDKIM.ps1`
+   - Typical characteristics:
+     - Standard parameter set, including `Tenant` and `Settings` which can be a complex object with subsettings, and similar common params.
+     - Uses CIPP helper functions like:
+       - `New-GraphGetRequest`  for any graph requests
+       - `New-ExoReques` for creating exo requests
+     - Uses CIPP logging and error-handling patterns (try/catch, consistent message formatting).
+     - Each standard requires a Remediate, alert, and report section.
+
+3. **Rely on existing module loading**
+   - The CIPP module auto-loads `Public` functions recursively.
+   - **Do not** modify module manifest or loader behavior just to pick up your new standard.
+
+---
+
+## Critical Constraints
+
+You **must** respect all of these:
+
+### 1. Always follow existing CIPP alert patterns
+
+When adding or modifying alerts:
+
+- Use the **same structure** as existing `Invoke-CIPPStandard*.ps1` files:
+  - Similar function signatures
+  - Similar logging and error handling
+- Reuse helper functions instead of inlining raw Graph calls or custom HTTP code.
+- Keep behaviour predictable.
+
+### 2. Return the code for the frontend.
+
+The frontend requires a section to be changed in standards.json. This is an example JSON payload:
+
+```json
+  {
+    "name": "standards.MailContacts",
+    "cat": "Global Standards",
+    "tag": [],
+    "helpText": "Defines the email address to receive general updates and information related to M365 subscriptions. Leave a contact field blank if you do not want to update the contact information.",
+    "docsDescription": "",
+    "executiveText": "Establishes designated contact email addresses for receiving important Microsoft 365 subscription updates and notifications. This ensures proper communication channels are maintained for general, security, marketing, and technical matters, improving organizational responsiveness to critical system updates.",
+    "addedComponent": [
+      {
+        "type": "textField",
+        "name": "standards.MailContacts.GeneralContact",
+        "label": "General Contact",
+        "required": false
+      },
+      {
+        "type": "textField",
+        "name": "standards.MailContacts.SecurityContact",
+        "label": "Security Contact",
+        "required": false
+      },
+      {
+        "type": "textField",
+        "name": "standards.MailContacts.MarketingContact",
+        "label": "Marketing Contact",
+        "required": false
+      },
+      {
+        "type": "textField",
+        "name": "standards.MailContacts.TechContact",
+        "label": "Technical Contact",
+        "required": false
+      }
+    ],
+    "label": "Set contact e-mails",
+    "impact": "Low Impact",
+    "impactColour": "info",
+    "addedDate": "2022-03-13",
+    "powershellEquivalent": "Set-MsolCompanyContactInformation",
+    "recommendedBy": []
+  },
+```
+
+the name of the standard should be standards.<standardname>. e.g. Invoke-CIPPStandardMailcontacts becomes standards.Mailcontacts.
+
+Added components might be required to populate the $settings variable. for example addedcomponent "standards.MailContacts.GeneralContact" becomes $Settings.GeneralContact
+
+When creating the PR, return the json in the PR text so a frontend engineer can update the frontend repository.

.github/workflows/dev_api.yml

@@ -1,31 +1,42 @@
-# Docs for the Azure Web Apps Deploy action: https://github.com/azure/functions-action
-# More GitHub Actions for Azure: https://github.com/Azure/actions
-
-name: dev_api
-
-on:
-  push:
-    branches:
-      - dev
-  workflow_dispatch:
-
-env:
-  AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
-
-jobs:
-  deploy:
-    if: github.event.repository.fork == false && github.event_name == 'push'
-    runs-on: windows-latest
-
-    steps:
-      - name: 'Checkout GitHub Action'
-        uses: actions/checkout@v4
-
-      - name: 'Run Azure Functions Action'
-        uses: Azure/functions-action@v1
-        id: fa
-        with:
-          app-name: 'cippjta72'
-          slot-name: 'Production'
-          package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}
-          publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_5B44448119C645C099EE192346D7433A }}
+# Docs for the Azure Web Apps Deploy action: https://github.com/azure/functions-action
+# More GitHub Actions for Azure: https://github.com/Azure/actions
+
+name: dev_api
+
+on:
+  push:
+    branches:
+      - dev
+  workflow_dispatch:
+
+env:
+  AZURE_FUNCTIONAPP_PACKAGE_PATH: "." # set this to the path to your web app project, defaults to the repository root
+
+jobs:
+  deploy:
+    permissions:
+      id-token: write #This is required for requesting the JWT
+      contents: read #This is required for actions/checkout
+    if: github.event.repository.fork == false && github.event_name == 'push'
+    runs-on: windows-latest
+
+    steps:
+      - name: "Checkout GitHub Action"
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Login to Azure
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.DEV_CLIENTID }}
+          tenant-id: ${{ secrets.DEV_TENANTID }}
+          subscription-id: ${{ secrets.DEV_SUBSCRIPTIONID }}
+
+      - name: "Run Azure Functions Action"
+        uses: Azure/functions-action@v1
+        id: fa
+        with:
+          app-name: "cippjta72"
+          slot-name: "Production"
+          package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}

AddChocoApp/Choco.App.xml

@@ -1,15 +1,15 @@
 <ApplicationInfo xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ToolVersion="1.8.3.0">
-  <Name>Install.ps1</Name>
-  <UnencryptedContentSize>28319</UnencryptedContentSize>
+  <Name>install.ps1</Name>
+  <UnencryptedContentSize>1154</UnencryptedContentSize>
   <FileName>IntunePackage.intunewin</FileName>
-  <SetupFile>Install.ps1</SetupFile>
+  <SetupFile>install.ps1</SetupFile>
   <EncryptionInfo>
-    <EncryptionKey>bmoyHXFtIws7JrnXNDV4rjzap+Be+4ZJEDJkTfbVIL8=</EncryptionKey>
-    <MacKey>xNh8ZUZ6TLsAtihUEAU/NHiRfutDzz+eSgEdpaXUo9Q=</MacKey>
-    <InitializationVector>3aQFPhO8ywEC4Ojby1lR0w==</InitializationVector>
-    <Mac>PXX+hj3DXEpzMEMYBDXmAIlSyDIGuAwmAHIQpZIt8hU=</Mac>
+    <EncryptionKey>v8i9okyqxp8xlw3/r2QXMNnXcuGwrBkD54QQ7F/UJbc=</EncryptionKey>
+    <MacKey>XjT9kWc7gQRKRdEQ/PA/lbQDDH8kFjnuPFILxAldRTI=</MacKey>
+    <InitializationVector>iyAbM3kIYqA4AlWP89S5oA==</InitializationVector>
+    <Mac>w+2KMctRWmJzYjKcMTAKCLz15K559SgZ3pnQuQD3P/I=</Mac>
     <ProfileIdentifier>ProfileVersion1</ProfileIdentifier>
-    <FileDigest>fx41h3rGZYZO3Jux7JnPgatlmpMc2ZFIZS8ipF5VDDw=</FileDigest>
+    <FileDigest>tyjBbJZ+Zj9AqD7UjEfQfe/HojN/q1+zFPidXWbiVuE=</FileDigest>
     <FileDigestAlgorithm>SHA256</FileDigestAlgorithm>
   </EncryptionInfo>
 </ApplicationInfo>