Merge pull request #80 from KelvinTegelaar/master

[pull] master from KelvinTegelaar:master

Author: pull[bot]

.github/agents/CIPP-Standards-Agent.md

@@ -30,41 +30,41 @@ For detailed scaffolding patterns, the three action modes (remediate/alert/repor
 
 Use this agent when a task involves:
 
-- Adding a new standard (e.g. “implement a standard to enable the audit log”)
+- Adding a new standard (e.g. "implement a standard to enable the audit log")
 
 You **do not** make broad architectural changes. Keep changes focused and minimal.
 
 ---
 
 ## Key Directories & Patterns
 
-When working on alerts, you should:
+When working on standards, you should:
 
-1. **Discover existing alerts and patterns**
+1. **Discover existing standards and patterns**
    - Use shell commands to explore:
-     - `Modules/CIPPCore/Public/Standards/`
-   - Inspect several existing alert files, e.g.:
-     - `\Modules\CIPPCore\Public\Standards\Invoke-CIPPStandardAddDKIM.ps1`
-     - `\Modules\CIPPCore\Public\Standards\Invoke-CIPPStandardlaps.ps1`
-     - `\Modules\CIPPCore\Public\Standards\Invoke-CIPPStandardOutBoundSpamAlert.ps1`
+     - `Modules/CIPPStandards/Public/Standards/`
+   - Inspect several existing standard files, e.g.:
+     - `Modules/CIPPStandards/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1`
+     - `Modules/CIPPStandards/Public/Standards/Invoke-CIPPStandardlaps.ps1`
+     - `Modules/CIPPStandards/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1`
      - Other `Invoke-CIPPStandard*.ps1` files
-   - Understand how alerts are **named, parameterized, and how they call Graph / Exo and helper functions**.
+   - Understand how standards are **named, parameterized, and how they call Graph / Exo and helper functions**.
 
-2. **Follow the standard alert pattern**
-   - Alert functions live in:  
-     `Modules/CIPPCore/Public/Standardss/`
-   - Alert functions are named:  
-     `Invoke-CIPPStandardAddDKIM.ps1`
+2. **Follow the standard pattern**
+   - Standard functions live in:
+     `Modules/CIPPStandards/Public/Standards/`
+   - Standard functions are named:
+     `Invoke-CIPPStandard<Name>.ps1`
    - Typical characteristics:
      - Standard parameter set, including `Tenant` and `Settings` which can be a complex object with subsettings, and similar common params.
      - Uses CIPP helper functions like:
-       - `New-GraphGetRequest`  for any graph requests
-       - `New-ExoReques` for creating exo requests
+       - `New-GraphGetRequest` for any Graph requests
+       - `New-ExoRequest` for Exchange Online requests
      - Uses CIPP logging and error-handling patterns (try/catch, consistent message formatting).
-     - Each standard requires a Remediate, alert, and report section.
+     - Each standard requires a Remediate, Alert, and Report section.
 
 3. **Rely on existing module loading**
-   - The CIPP module auto-loads `Public` functions recursively.
+   - The CIPPStandards module auto-loads `Public` functions recursively.
    - **Do not** modify module manifest or loader behavior just to pick up your new standard.
 
 ---
@@ -73,9 +73,9 @@ When working on alerts, you should:
 
 You **must** respect all of these:
 
-### 1. Always follow existing CIPP alert patterns
+### 1. Always follow existing CIPP standard patterns
 
-When adding or modifying alerts:
+When adding or modifying standards:
 
 - Use the **same structure** as existing `Invoke-CIPPStandard*.ps1` files:
   - Similar function signatures

.github/instructions/auth-model.instructions.md

@@ -30,7 +30,7 @@ New-GraphGetRequest / New-ExoRequest / New-TeamsRequest / etc.
         ▼
     Get-GraphToken($tenantid, $scope, $AsApp)
         │
-        ├─ Check in-memory cache: $script:AccessTokens["{tenantid}-{scope}-{asApp}"]
+        ├─ Check process-wide .NET cache: [CIPP.CIPPTokenCache]::Lookup(key, 120)
         │    └─ Hit + not expired → return cached token
         │
         ├─ Determine grant type:
@@ -43,7 +43,7 @@ New-GraphGetRequest / New-ExoRequest / New-TeamsRequest / etc.
         │
         └─ POST to login.microsoftonline.com/{tenantid}/oauth2/v2.0/token
              │
-             └─ Cache result in $script:AccessTokens with expires_on
+             └─ Cache result via [CIPP.CIPPTokenCache]::Store(key, json, expiresOn)
 ```
 
 The `-tenantid` parameter **drives token acquisition**, not just filtering. It determines which customer tenant the token is issued for.
@@ -116,10 +116,11 @@ Customer provides their own refresh token, stored in Key Vault per-tenant (keyed
 
 ## Token caching
 
-Tokens are cached in `$script:AccessTokens` — a synchronized hashtable keyed by `{tenantid}-{scope}-{asApp}`.
+Tokens are cached in `[CIPP.CIPPTokenCache]` — a process-wide `ConcurrentDictionary` backed by a static .NET class in `Shared/CIPPSharp/CIPPRestClient.cs`.
 
-- **Per-runspace**: Not shared across Azure Functions instances
-- **Expiry-aware**: Checks `expires_on` (Unix timestamp) before returning cached token
+- **Process-wide**: Shared across all runspaces in the worker process (unlike the old `$script:AccessTokens` which was per-runspace)
+- **Cache key**: Built via `[CIPP.CIPPTokenCache]::BuildKey($tenantid, $scope, $asApp, $clientId, $grantType)`
+- **Expiry-aware**: `Lookup()` accepts a buffer (seconds) and returns `$false` for expired or soon-to-expire tokens
 - **Auto-refresh**: Expired tokens trigger automatic re-acquisition — no manual refresh needed
 - **Skip cache**: Pass `-SkipCache $true` to force a fresh token (rare, for debugging)
 

.github/instructions/standards.instructions.md

@@ -1,11 +1,11 @@
 ---
-applyTo: "Modules/CIPPCore/Public/Standards/**"
+applyTo: "Modules/CIPPStandards/Public/Standards/**"
 description: "Use when creating, modifying, or reviewing CIPP standard functions (Invoke-CIPPStandard*). Contains scaffolding patterns, the three action modes (remediate/alert/report), $Settings conventions, API call patterns, and frontend JSON payloads."
 ---
 
 # CIPP Standard Functions
 
-Standard functions live in `Modules/CIPPCore/Public/Standards/` and are auto-loaded by the CIPPCore module. No manifest changes needed.
+Standard functions live in `Modules/CIPPStandards/Public/Standards/` and are auto-loaded by the CIPPStandards module. No manifest changes needed.
 
 ## Naming
 
@@ -51,6 +51,11 @@ function Invoke-CIPPStandard<Name> {
             True
         DISABLEDFEATURES
             {"report":false,"warn":false,"remediate":false}
+        REQUIREDCAPABILITIES
+            "CAPABILITY_1"
+            "CAPABILITY_2"
+        UPDATECOMMENTBLOCK
+            Run the Tools\Update-StandardsComments.ps1 script to update this comment block
     .LINK
         https://docs.cipp.app/user-documentation/tenant/standards/list-standards
     #>
@@ -332,6 +337,8 @@ The comment-based help `.NOTES` block drives the frontend UI. Each field maps to
 | `RECOMMENDEDBY` | `recommendedBy` | `"CIS"`, `"CIPP"`, etc. |
 | `MULTIPLE` | `multiple` | `True` for template-based standards (can have multiple instances) |
 | `DISABLEDFEATURES` | `disabledFeatures` | JSON object disabling specific action modes |
+| `REQUIREDCAPABILITIES` | *(discovery only)* | One capability string per line; parsed for standards metadata/JSON generation. The explicit `Test-CIPPStandardLicense` call in the function body still performs the actual runtime license check. |
+| `UPDATECOMMENTBLOCK` | *(tooling only)* | Always include with the literal value `Run the Tools\Update-StandardsComments.ps1 script to update this comment block`. Signals the comment-update tooling to regenerate this block. |
 
 ### Valid CAT values
 
@@ -388,7 +395,7 @@ Impact colour mapping: `Low Impact` → `info`, `Medium Impact` → `warning`, `
 
 ## Checklist for new standards
 
-1. Create `Modules/CIPPCore/Public/Standards/Invoke-CIPPStandard<Name>.ps1`
+1. Create `Modules/CIPPStandards/Public/Standards/Invoke-CIPPStandard<Name>.ps1`
 2. Include the full `.NOTES` metadata block (CAT, TAG, IMPACT, ADDEDCOMPONENT, etc.)
 3. Implement all three modes: remediate, alert, report
 4. Add license gating if the data source requires a specific SKU

.github/workflows/dev_api.yml

@@ -33,6 +33,10 @@ jobs:
           tenant-id: ${{ secrets.DEV_TENANTID }}
           subscription-id: ${{ secrets.DEV_SUBSCRIPTIONID }}
 
+      - name: Build and stage modules
+        shell: pwsh
+        run: ./Tools/Build-DevApiModules.ps1
+
       - name: "Run Azure Functions Action"
         uses: Azure/functions-action@v1
         id: fa

.github/workflows/publish_release.yml

@@ -95,6 +95,17 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+      # Create version.json with version and commit hash
+      - name: Create version.json
+        run: |
+          VERSION=$(cat version_latest.txt | tr -d '[:space:]')
+          SHORT_SHA="${GITHUB_SHA::7}"
+          echo "{\"version\": \"${VERSION}\", \"commit\": \"${SHORT_SHA}\"}" > version.json
+
+      - name: Build and stage modules
+        shell: pwsh
+        run: ./Tools/Build-DevApiModules.ps1
+
       # Create ZIP File in a New Source Directory
       - name: Prepare and Zip Release Files
         if: env.tag_exists == 'false'

.github/workflows/upload_dev.yml

@@ -25,6 +25,10 @@ jobs:
           SHORT_SHA="${GITHUB_SHA::7}"
           echo "{\"version\": \"${VERSION}\", \"commit\": \"${SHORT_SHA}\"}" > version.json
 
+      - name: Build and stage modules
+        shell: pwsh
+        run: ./Tools/Build-DevApiModules.ps1
+
       # Create ZIP File in a New Source Directory
       - name: Prepare and Zip Release Files
         run: |

.gitignore

@@ -13,6 +13,7 @@ SendNotifications/config.json
 Output/
 node_modules/.yarn-integrity
 yarn.lock
+Shared/CIPPSharp/obj/
 
 # Cursor IDE
 .cursor/rules

CIPPDBCacheTypes.json

@@ -204,26 +204,6 @@
     "friendlyName": "Exchange Hosted Outbound Spam Filter Policy",
     "description": "Exchange Online hosted outbound spam filter policy"
   },
-  {
-    "type": "ExoAntiPhishPolicy",
-    "friendlyName": "Exchange Anti-Phish Policy",
-    "description": "Exchange Online anti-phishing policy"
-  },
-  {
-    "type": "ExoSafeLinksPolicy",
-    "friendlyName": "Exchange Safe Links Policy",
-    "description": "Exchange Online Safe Links policy"
-  },
-  {
-    "type": "ExoSafeAttachmentPolicy",
-    "friendlyName": "Exchange Safe Attachment Policy",
-    "description": "Exchange Online Safe Attachment policy"
-  },
-  {
-    "type": "ExoMalwareFilterPolicy",
-    "friendlyName": "Exchange Malware Filter Policy",
-    "description": "Exchange Online malware filter policy"
-  },
   {
     "type": "ExoAtpPolicyForO365",
     "friendlyName": "Exchange ATP Policy for O365",

CIPPTimers.json

@@ -135,7 +135,7 @@
     "Id": "c2ebde3f-fa35-45aa-8a6b-91c835050b79",
     "Command": "Start-DomainOrchestrator",
     "Description": "Orchestrator to process domains",
-    "Cron": "0 30 3 * * *",
+    "Cron": "0 30 5 * * *",
     "Priority": 22,
     "RunOnProcessor": true
   },

CommunityRepos.json

@@ -1,6 +1,7 @@
 [
   {
     "Id": "1041442982",
+    "BuiltIn": true,
     "Name": "CISTemplates",
     "Description": "CIPP CIS Templates",
     "URL": "https://github.com/CyberDrain/CyberDrain-CIS-Templates",
@@ -19,6 +20,7 @@
   },
   {
     "Id": "930523724",
+    "BuiltIn": true,
     "Name": "CIPP-Templates",
     "Description": "CIPP Community Templates",
     "URL": "https://github.com/CyberDrain/CIPP-Templates",
@@ -37,6 +39,7 @@
   },
   {
     "Id": "784230225",
+    "BuiltIn": true,
     "Name": "ConditionalAccessBaseline",
     "Description": "",
     "URL": "https://github.com/j0eyv/ConditionalAccessBaseline",
@@ -55,6 +58,7 @@
   },
   {
     "Id": "493403016",
+    "BuiltIn": true,
     "Name": "OpenIntuneBaseline",
     "Description": "Community-driven baseline to accelerate Intune adoption and learning.",
     "URL": "https://github.com/SkipToTheEndpoint/OpenIntuneBaseline",
@@ -73,6 +77,7 @@
   },
   {
     "Id": "863076113",
+    "BuiltIn": true,
     "Name": "IntuneBaseLines",
     "Description": "In this repo, you will find Intune profiles in JSON format, which can be used in setting up your Modern Workplace. All policies were created in Microsoft Intune and exported to share with the community.",
     "URL": "https://github.com/IntuneAdmin/IntuneBaselines",