isgq-github01
diff --git a/‎.github/agents/CIPP-Standards-Agent.md‎
Lines changed: 20 additions & 20 deletions b/‎.github/agents/CIPP-Standards-Agent.md‎
Lines changed: 20 additions & 20 deletions
diff --git a/‎.github/instructions/auth-model.instructions.md‎
Lines changed: 6 additions & 5 deletions b/‎.github/instructions/auth-model.instructions.md‎
Lines changed: 6 additions & 5 deletions
diff --git a/‎.github/instructions/cippdb.instructions.md‎
Lines changed: 1 addition & 1 deletion b/‎.github/instructions/cippdb.instructions.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/instructions/standards.instructions.md‎
Lines changed: 10 additions & 3 deletions b/‎.github/instructions/standards.instructions.md‎
Lines changed: 10 additions & 3 deletions
diff --git a/‎.github/workflows/PR_Branch_Check.yml‎
Lines changed: 32 additions & 8 deletions b/‎.github/workflows/PR_Branch_Check.yml‎
Lines changed: 32 additions & 8 deletions
diff --git a/‎.github/workflows/dev_api.yml‎
Lines changed: 4 additions & 0 deletions b/‎.github/workflows/dev_api.yml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎.github/workflows/publish_release.yml‎
Lines changed: 11 additions & 0 deletions b/‎.github/workflows/publish_release.yml‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎.github/workflows/upload_dev.yml‎
Lines changed: 5 additions & 1 deletion b/‎.github/workflows/upload_dev.yml‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎…Core/lib/data/AdditionalPermissions.json‎ ‎Config/AdditionalPermissions.json‎Modules/CIPPCore/lib/data/AdditionalPermissions.json renamed to Config/AdditionalPermissions.json b/‎…Core/lib/data/AdditionalPermissions.json‎ ‎Config/AdditionalPermissions.json‎Modules/CIPPCore/lib/data/AdditionalPermissions.json renamed to Config/AdditionalPermissions.json
@@ -30,41 +30,41 @@ For detailed scaffolding patterns, the three action modes (remediate/alert/repor
 
 Use this agent when a task involves:
 
-- Adding a new standard (e.g. “implement a standard to enable the audit log”)
+- Adding a new standard (e.g. "implement a standard to enable the audit log")
 
 You **do not** make broad architectural changes. Keep changes focused and minimal.
 
 ---
 
 ## Key Directories & Patterns
 
-When working on alerts, you should:
+When working on standards, you should:
 
-1. **Discover existing alerts and patterns**
+1. **Discover existing standards and patterns**
    - Use shell commands to explore:
-     - `Modules/CIPPCore/Public/Standards/`
-   - Inspect several existing alert files, e.g.:
-     - `\Modules\CIPPCore\Public\Standards\Invoke-CIPPStandardAddDKIM.ps1`
-     - `\Modules\CIPPCore\Public\Standards\Invoke-CIPPStandardlaps.ps1`
-     - `\Modules\CIPPCore\Public\Standards\Invoke-CIPPStandardOutBoundSpamAlert.ps1`
+     - `Modules/CIPPStandards/Public/Standards/`
+   - Inspect several existing standard files, e.g.:
+     - `Modules/CIPPStandards/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1`
+     - `Modules/CIPPStandards/Public/Standards/Invoke-CIPPStandardlaps.ps1`
+     - `Modules/CIPPStandards/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1`
      - Other `Invoke-CIPPStandard*.ps1` files
-   - Understand how alerts are **named, parameterized, and how they call Graph / Exo and helper functions**.
+   - Understand how standards are **named, parameterized, and how they call Graph / Exo and helper functions**.
 
-2. **Follow the standard alert pattern**
-   - Alert functions live in:  
-     `Modules/CIPPCore/Public/Standardss/`
-   - Alert functions are named:  
-     `Invoke-CIPPStandardAddDKIM.ps1`
+2. **Follow the standard pattern**
+   - Standard functions live in:
+     `Modules/CIPPStandards/Public/Standards/`
+   - Standard functions are named:
+     `Invoke-CIPPStandard<Name>.ps1`
    - Typical characteristics:
      - Standard parameter set, including `Tenant` and `Settings` which can be a complex object with subsettings, and similar common params.
      - Uses CIPP helper functions like:
-       - `New-GraphGetRequest`  for any graph requests
-       - `New-ExoReques` for creating exo requests
+       - `New-GraphGetRequest` for any Graph requests
+       - `New-ExoRequest` for Exchange Online requests
      - Uses CIPP logging and error-handling patterns (try/catch, consistent message formatting).
-     - Each standard requires a Remediate, alert, and report section.
+     - Each standard requires a Remediate, Alert, and Report section.
 
 3. **Rely on existing module loading**
-   - The CIPP module auto-loads `Public` functions recursively.
+   - The CIPPStandards module auto-loads `Public` functions recursively.
    - **Do not** modify module manifest or loader behavior just to pick up your new standard.
 
 ---
@@ -73,9 +73,9 @@ When working on alerts, you should:
 
 You **must** respect all of these:
 
-### 1. Always follow existing CIPP alert patterns
+### 1. Always follow existing CIPP standard patterns
 
-When adding or modifying alerts:
+When adding or modifying standards:
 
 - Use the **same structure** as existing `Invoke-CIPPStandard*.ps1` files:
   - Similar function signatures
 
@@ -30,7 +30,7 @@ New-GraphGetRequest / New-ExoRequest / New-TeamsRequest / etc.
         ▼
     Get-GraphToken($tenantid, $scope, $AsApp)
         │
-        ├─ Check in-memory cache: $script:AccessTokens["{tenantid}-{scope}-{asApp}"]
+        ├─ Check process-wide .NET cache: [CIPP.CIPPTokenCache]::Lookup(key, 120)
         │    └─ Hit + not expired → return cached token
         │
         ├─ Determine grant type:
@@ -43,7 +43,7 @@ New-GraphGetRequest / New-ExoRequest / New-TeamsRequest / etc.
         │
         └─ POST to login.microsoftonline.com/{tenantid}/oauth2/v2.0/token
              │
-             └─ Cache result in $script:AccessTokens with expires_on
+             └─ Cache result via [CIPP.CIPPTokenCache]::Store(key, json, expiresOn)
 ```
 
 The `-tenantid` parameter **drives token acquisition**, not just filtering. It determines which customer tenant the token is issued for.
@@ -116,10 +116,11 @@ Customer provides their own refresh token, stored in Key Vault per-tenant (keyed
 
 ## Token caching
 
-Tokens are cached in `$script:AccessTokens` — a synchronized hashtable keyed by `{tenantid}-{scope}-{asApp}`.
+Tokens are cached in `[CIPP.CIPPTokenCache]` — a process-wide `ConcurrentDictionary` backed by a static .NET class in `Shared/CIPPSharp/CIPPRestClient.cs`.
 
-- **Per-runspace**: Not shared across Azure Functions instances
-- **Expiry-aware**: Checks `expires_on` (Unix timestamp) before returning cached token
+- **Process-wide**: Shared across all runspaces in the worker process (unlike the old `$script:AccessTokens` which was per-runspace)
+- **Cache key**: Built via `[CIPP.CIPPTokenCache]::BuildKey($tenantid, $scope, $asApp, $clientId, $grantType)`
+- **Expiry-aware**: `Lookup()` accepts a buffer (seconds) and returns `$false` for expired or soon-to-expire tokens
 - **Auto-refresh**: Expired tokens trigger automatic re-acquisition — no manual refresh needed
 - **Skip cache**: Pass `-SkipCache $true` to force a fresh token (rare, for debugging)
 
 
@@ -119,7 +119,7 @@ Search-CIPPDbData -TenantFilter $Tenant -SearchTerms @('john', 'admin') -Types @
 
 ## Cache types
 
-Available types are defined in `CIPPDBCacheTypes.json`. Each type maps to a `Set-CIPPDBCache*` writer function. Check that file for the current type list — it covers identity, Exchange, security, Intune, compliance, and usage data.
+Available types are defined in `Config\CIPPDBCacheTypes.json`. Each type maps to a `Set-CIPPDBCache*` writer function. Check that file for the current type list — it covers identity, Exchange, security, Intune, compliance, and usage data.
 
 ## Writing a new Set-CIPPDBCache* function
 
 
@@ -1,11 +1,11 @@
 ---
-applyTo: "Modules/CIPPCore/Public/Standards/**"
+applyTo: "Modules/CIPPStandards/Public/Standards/**"
 description: "Use when creating, modifying, or reviewing CIPP standard functions (Invoke-CIPPStandard*). Contains scaffolding patterns, the three action modes (remediate/alert/report), $Settings conventions, API call patterns, and frontend JSON payloads."
 ---
 
 # CIPP Standard Functions
 
-Standard functions live in `Modules/CIPPCore/Public/Standards/` and are auto-loaded by the CIPPCore module. No manifest changes needed.
+Standard functions live in `Modules/CIPPStandards/Public/Standards/` and are auto-loaded by the CIPPStandards module. No manifest changes needed.
 
 ## Naming
 
@@ -51,6 +51,11 @@ function Invoke-CIPPStandard<Name> {
             True
         DISABLEDFEATURES
             {"report":false,"warn":false,"remediate":false}
+        REQUIREDCAPABILITIES
+            "CAPABILITY_1"
+            "CAPABILITY_2"
+        UPDATECOMMENTBLOCK
+            Run the Tools\Update-StandardsComments.ps1 script to update this comment block
     .LINK
         https://docs.cipp.app/user-documentation/tenant/standards/list-standards
     #>
@@ -332,6 +337,8 @@ The comment-based help `.NOTES` block drives the frontend UI. Each field maps to
 | `RECOMMENDEDBY` | `recommendedBy` | `"CIS"`, `"CIPP"`, etc. |
 | `MULTIPLE` | `multiple` | `True` for template-based standards (can have multiple instances) |
 | `DISABLEDFEATURES` | `disabledFeatures` | JSON object disabling specific action modes |
+| `REQUIREDCAPABILITIES` | *(discovery only)* | One capability string per line; parsed for standards metadata/JSON generation. The explicit `Test-CIPPStandardLicense` call in the function body still performs the actual runtime license check. |
+| `UPDATECOMMENTBLOCK` | *(tooling only)* | Always include with the literal value `Run the Tools\Update-StandardsComments.ps1 script to update this comment block`. Signals the comment-update tooling to regenerate this block. |
 
 ### Valid CAT values
 
@@ -388,7 +395,7 @@ Impact colour mapping: `Low Impact` → `info`, `Medium Impact` → `warning`, `
 
 ## Checklist for new standards
 
-1. Create `Modules/CIPPCore/Public/Standards/Invoke-CIPPStandard<Name>.ps1`
+1. Create `Modules/CIPPStandards/Public/Standards/Invoke-CIPPStandard<Name>.ps1`
 2. Include the full `.NOTES` metadata block (CAT, TAG, IMPACT, ADDEDCOMPONENT, etc.)
 3. Implement all three modes: remediate, alert, report
 4. Add license gating if the data source requires a specific SKU
 
@@ -16,22 +16,46 @@ permissions:
 
 jobs:
   check-branch:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     steps:
       - name: Check and Comment on PR
         # Only process fork PRs with specific branch conditions
         # Must be a fork AND (source is main/master OR target is main/master)
         if: |
-          github.event.pull_request.head.repo.fork == true && 
+          github.event.pull_request.head.repo.fork == true &&
           ((github.event.pull_request.head.ref == 'main' || github.event.pull_request.head.ref == 'master') ||
           (github.event.pull_request.base.ref == 'main' || github.event.pull_request.base.ref == 'master'))
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
             let message = '';
 
-            message += '🔄 If you are attempting to update your CIPP repo please follow the instructions at: https://docs.cipp.app/setup/self-hosting-guide/updating ';
+            // Check if the fork has open PRs (indicates pull bot or similar is active)
+            const forkOwner = context.payload.pull_request.head.repo.owner.login;
+            const forkRepo = context.payload.pull_request.head.repo.name;
+            const forkPullsUrl = context.payload.pull_request.head.repo.html_url + '/pulls';
+
+            let openPRs = [];
+            try {
+              const { data: prs } = await github.rest.pulls.list({
+                owner: forkOwner,
+                repo: forkRepo,
+                state: 'open',
+                per_page: 5
+              });
+              openPRs = prs;
+            } catch (e) {
+              // Can't read fork PRs — skip
+            }
+
+            message += '🔄 If you are attempting to update your CIPP-API repo please follow the instructions at: https://docs.cipp.app/setup/self-hosting-guide/updating. Are you a sponsor? Contact the helpdesk for direct assistance with updating to the latest version.';
+
+            if (openPRs.length > 0) {
+              message += ` It looks like you may already have a pending update PR on your fork — check your [open pull requests](${forkPullsUrl}) to accept it.`;
+            } else {
+              message += ` You can enable [Pull Bot](https://github.com/apps/pull) or [Repo Sync](https://github.com/apps/repo-sync) to automatically keep your fork up to date.`;
+            }
             message += '\n\n';
 
             // Check if PR is targeting main/master
@@ -40,20 +64,20 @@ jobs:
             }
 
             // Check if PR is from a fork's main/master branch
-            if (context.payload.pull_request.head.repo.fork && 
+            if (context.payload.pull_request.head.repo.fork &&
                 (context.payload.pull_request.head.ref === 'main' || context.payload.pull_request.head.ref === 'master')) {
               message += '⚠️ This PR cannot be merged because it originates from your fork\'s main/master branch. If you are attempting to contribute code please PR from your dev branch or another non-main/master branch.\n\n';
             }
 
-            message += '🔒 This PR will now be automatically closed due to the above violation(s).';
-            
+            message += '🔒 This PR will now be automatically closed due to the above rules.';
+
             // Post the comment
             await github.rest.issues.createComment({
               ...context.repo,
               issue_number: context.issue.number,
               body: message
             });
-            
+
             // Close the PR
             await github.rest.pulls.update({
               ...context.repo,
 
@@ -33,6 +33,10 @@ jobs:
           tenant-id: ${{ secrets.DEV_TENANTID }}
           subscription-id: ${{ secrets.DEV_SUBSCRIPTIONID }}
 
+      - name: Build and stage modules
+        shell: pwsh
+        run: ./Tools/Build-DevApiModules.ps1
+
       - name: "Run Azure Functions Action"
         uses: Azure/functions-action@v1
         id: fa
 
@@ -95,6 +95,17 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+      # Create version.json with version and commit hash
+      - name: Create version.json
+        run: |
+          VERSION=$(cat version_latest.txt | tr -d '[:space:]')
+          SHORT_SHA="${GITHUB_SHA::7}"
+          echo "{\"version\": \"${VERSION}\", \"commit\": \"${SHORT_SHA}\"}" > version.json
+
+      - name: Build and stage modules
+        shell: pwsh
+        run: ./Tools/Build-DevApiModules.ps1
+
       # Create ZIP File in a New Source Directory
       - name: Prepare and Zip Release Files
         if: env.tag_exists == 'false'
 
@@ -21,10 +21,14 @@ jobs:
       # Create version.json with version and commit hash
       - name: Create version.json
         run: |
-          VERSION=$(cat version_latest.txt | tr -d '[:space:]')
+          VERSION=$(cat ./version_latest.txt | tr -d '[:space:]')
           SHORT_SHA="${GITHUB_SHA::7}"
           echo "{\"version\": \"${VERSION}\", \"commit\": \"${SHORT_SHA}\"}" > version.json
 
+      - name: Build and stage modules
+        shell: pwsh
+        run: ./Tools/Build-DevApiModules.ps1
+
       # Create ZIP File in a New Source Directory
       - name: Prepare and Zip Release Files
         run: |
 
@@ -13,6 +13,7 @@ SendNotifications/config.json
 Output/
 node_modules/.yarn-integrity
 yarn.lock
+Shared/CIPPSharp/obj/
 
 # Cursor IDE
 .cursor/rules