[pull] dev from KelvinTegelaar:dev

.github/agents/CIPP-Standards-Agent.md

@@ -30,41 +30,41 @@ For detailed scaffolding patterns, the three action modes (remediate/alert/repor
 
 Use this agent when a task involves:
 
-- Adding a new standard (e.g. “implement a standard to enable the audit log”)
+- Adding a new standard (e.g. "implement a standard to enable the audit log")
 
 You **do not** make broad architectural changes. Keep changes focused and minimal.
 
 ---
 
 ## Key Directories & Patterns
 
-When working on alerts, you should:
+When working on standards, you should:
 
-1. **Discover existing alerts and patterns**
+1. **Discover existing standards and patterns**
    - Use shell commands to explore:
-     - `Modules/CIPPCore/Public/Standards/`
-   - Inspect several existing alert files, e.g.:
-     - `\Modules\CIPPCore\Public\Standards\Invoke-CIPPStandardAddDKIM.ps1`
-     - `\Modules\CIPPCore\Public\Standards\Invoke-CIPPStandardlaps.ps1`
-     - `\Modules\CIPPCore\Public\Standards\Invoke-CIPPStandardOutBoundSpamAlert.ps1`
+     - `Modules/CIPPStandards/Public/Standards/`
+   - Inspect several existing standard files, e.g.:
+     - `Modules/CIPPStandards/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1`
+     - `Modules/CIPPStandards/Public/Standards/Invoke-CIPPStandardlaps.ps1`
+     - `Modules/CIPPStandards/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1`
      - Other `Invoke-CIPPStandard*.ps1` files
-   - Understand how alerts are **named, parameterized, and how they call Graph / Exo and helper functions**.
+   - Understand how standards are **named, parameterized, and how they call Graph / Exo and helper functions**.
 
-2. **Follow the standard alert pattern**
-   - Alert functions live in:  
-     `Modules/CIPPCore/Public/Standardss/`
-   - Alert functions are named:  
-     `Invoke-CIPPStandardAddDKIM.ps1`
+2. **Follow the standard pattern**
+   - Standard functions live in:
+     `Modules/CIPPStandards/Public/Standards/`
+   - Standard functions are named:
+     `Invoke-CIPPStandard<Name>.ps1`
    - Typical characteristics:
      - Standard parameter set, including `Tenant` and `Settings` which can be a complex object with subsettings, and similar common params.
      - Uses CIPP helper functions like:
-       - `New-GraphGetRequest`  for any graph requests
-       - `New-ExoReques` for creating exo requests
+       - `New-GraphGetRequest` for any Graph requests
+       - `New-ExoRequest` for Exchange Online requests
      - Uses CIPP logging and error-handling patterns (try/catch, consistent message formatting).
-     - Each standard requires a Remediate, alert, and report section.
+     - Each standard requires a Remediate, Alert, and Report section.
 
 3. **Rely on existing module loading**
-   - The CIPP module auto-loads `Public` functions recursively.
+   - The CIPPStandards module auto-loads `Public` functions recursively.
    - **Do not** modify module manifest or loader behavior just to pick up your new standard.
 
 ---
@@ -73,9 +73,9 @@ When working on alerts, you should:
 
 You **must** respect all of these:
 
-### 1. Always follow existing CIPP alert patterns
+### 1. Always follow existing CIPP standard patterns
 
-When adding or modifying alerts:
+When adding or modifying standards:
 
 - Use the **same structure** as existing `Invoke-CIPPStandard*.ps1` files:
   - Similar function signatures

.github/instructions/auth-model.instructions.md

@@ -30,7 +30,7 @@ New-GraphGetRequest / New-ExoRequest / New-TeamsRequest / etc.
         ▼
     Get-GraphToken($tenantid, $scope, $AsApp)
         │
-        ├─ Check in-memory cache: $script:AccessTokens["{tenantid}-{scope}-{asApp}"]
+        ├─ Check process-wide .NET cache: [CIPP.CIPPTokenCache]::Lookup(key, 120)
         │    └─ Hit + not expired → return cached token
         │
         ├─ Determine grant type:
@@ -43,7 +43,7 @@ New-GraphGetRequest / New-ExoRequest / New-TeamsRequest / etc.
         │
         └─ POST to login.microsoftonline.com/{tenantid}/oauth2/v2.0/token
              │
-             └─ Cache result in $script:AccessTokens with expires_on
+             └─ Cache result via [CIPP.CIPPTokenCache]::Store(key, json, expiresOn)
 ```
 
 The `-tenantid` parameter **drives token acquisition**, not just filtering. It determines which customer tenant the token is issued for.
@@ -116,10 +116,11 @@ Customer provides their own refresh token, stored in Key Vault per-tenant (keyed
 
 ## Token caching
 
-Tokens are cached in `$script:AccessTokens` — a synchronized hashtable keyed by `{tenantid}-{scope}-{asApp}`.
+Tokens are cached in `[CIPP.CIPPTokenCache]` — a process-wide `ConcurrentDictionary` backed by a static .NET class in `Shared/CIPPSharp/CIPPRestClient.cs`.
 
-- **Per-runspace**: Not shared across Azure Functions instances
-- **Expiry-aware**: Checks `expires_on` (Unix timestamp) before returning cached token
+- **Process-wide**: Shared across all runspaces in the worker process (unlike the old `$script:AccessTokens` which was per-runspace)
+- **Cache key**: Built via `[CIPP.CIPPTokenCache]::BuildKey($tenantid, $scope, $asApp, $clientId, $grantType)`
+- **Expiry-aware**: `Lookup()` accepts a buffer (seconds) and returns `$false` for expired or soon-to-expire tokens
 - **Auto-refresh**: Expired tokens trigger automatic re-acquisition — no manual refresh needed
 - **Skip cache**: Pass `-SkipCache $true` to force a fresh token (rare, for debugging)
 

.github/instructions/standards.instructions.md

@@ -1,11 +1,11 @@
 ---
-applyTo: "Modules/CIPPCore/Public/Standards/**"
+applyTo: "Modules/CIPPStandards/Public/Standards/**"
 description: "Use when creating, modifying, or reviewing CIPP standard functions (Invoke-CIPPStandard*). Contains scaffolding patterns, the three action modes (remediate/alert/report), $Settings conventions, API call patterns, and frontend JSON payloads."
 ---
 
 # CIPP Standard Functions
 
-Standard functions live in `Modules/CIPPCore/Public/Standards/` and are auto-loaded by the CIPPCore module. No manifest changes needed.
+Standard functions live in `Modules/CIPPStandards/Public/Standards/` and are auto-loaded by the CIPPStandards module. No manifest changes needed.
 
 ## Naming
 
@@ -51,6 +51,11 @@ function Invoke-CIPPStandard<Name> {
             True
         DISABLEDFEATURES
             {"report":false,"warn":false,"remediate":false}
+        REQUIREDCAPABILITIES
+            "CAPABILITY_1"
+            "CAPABILITY_2"
+        UPDATECOMMENTBLOCK
+            Run the Tools\Update-StandardsComments.ps1 script to update this comment block
     .LINK
         https://docs.cipp.app/user-documentation/tenant/standards/list-standards
     #>
@@ -332,6 +337,8 @@ The comment-based help `.NOTES` block drives the frontend UI. Each field maps to
 | `RECOMMENDEDBY` | `recommendedBy` | `"CIS"`, `"CIPP"`, etc. |
 | `MULTIPLE` | `multiple` | `True` for template-based standards (can have multiple instances) |
 | `DISABLEDFEATURES` | `disabledFeatures` | JSON object disabling specific action modes |
+| `REQUIREDCAPABILITIES` | *(discovery only)* | One capability string per line; parsed for standards metadata/JSON generation. The explicit `Test-CIPPStandardLicense` call in the function body still performs the actual runtime license check. |
+| `UPDATECOMMENTBLOCK` | *(tooling only)* | Always include with the literal value `Run the Tools\Update-StandardsComments.ps1 script to update this comment block`. Signals the comment-update tooling to regenerate this block. |
 
 ### Valid CAT values
 
@@ -388,7 +395,7 @@ Impact colour mapping: `Low Impact` → `info`, `Medium Impact` → `warning`, `
 
 ## Checklist for new standards
 
-1. Create `Modules/CIPPCore/Public/Standards/Invoke-CIPPStandard<Name>.ps1`
+1. Create `Modules/CIPPStandards/Public/Standards/Invoke-CIPPStandard<Name>.ps1`
 2. Include the full `.NOTES` metadata block (CAT, TAG, IMPACT, ADDEDCOMPONENT, etc.)
 3. Implement all three modes: remediate, alert, report
 4. Add license gating if the data source requires a specific SKU

.github/workflows/dev_api.yml

@@ -33,6 +33,10 @@ jobs:
           tenant-id: ${{ secrets.DEV_TENANTID }}
           subscription-id: ${{ secrets.DEV_SUBSCRIPTIONID }}
 
+      - name: Build and stage modules
+        shell: pwsh
+        run: ./Tools/Build-DevApiModules.ps1
+
       - name: "Run Azure Functions Action"
         uses: Azure/functions-action@v1
         id: fa

.gitignore

@@ -13,6 +13,7 @@ SendNotifications/config.json
 Output/
 node_modules/.yarn-integrity
 yarn.lock
+Shared/CIPPSharp/obj/
 
 # Cursor IDE
 .cursor/rules

CIPPDBCacheTypes.json

@@ -204,26 +204,6 @@
     "friendlyName": "Exchange Hosted Outbound Spam Filter Policy",
     "description": "Exchange Online hosted outbound spam filter policy"
   },
-  {
-    "type": "ExoAntiPhishPolicy",
-    "friendlyName": "Exchange Anti-Phish Policy",
-    "description": "Exchange Online anti-phishing policy"
-  },
-  {
-    "type": "ExoSafeLinksPolicy",
-    "friendlyName": "Exchange Safe Links Policy",
-    "description": "Exchange Online Safe Links policy"
-  },
-  {
-    "type": "ExoSafeAttachmentPolicy",
-    "friendlyName": "Exchange Safe Attachment Policy",
-    "description": "Exchange Online Safe Attachment policy"
-  },
-  {
-    "type": "ExoMalwareFilterPolicy",
-    "friendlyName": "Exchange Malware Filter Policy",
-    "description": "Exchange Online malware filter policy"
-  },
   {
     "type": "ExoAtpPolicyForO365",
     "friendlyName": "Exchange ATP Policy for O365",