# Plan: Policy Types (MAM App Config + Endpoint Security Policies + Security Baselines) (017)

**Branch**: `feat/017-policy-types-mam-endpoint-security-baselines`
**Date**: 2026-01-02
**Input**: [spec.md](./spec.md)

## Approach

1. Inventory the currently supported types (config + graph contracts) and identify the gaps.
2. Define the new type keys and their metadata in `config/tenantpilot.php`.
3. Add graph contracts in `config/graph_contracts.php` (resource, assignments, scope tags, create/update methods).
4. Extend the snapshot/capture and restore services as needed (special-case only where the generic path cannot handle a type).
5. Add tests for: sync listing, backup capture, and restore preview entries.

## Decisions

### Type keys + Graph resources

- `mamAppConfiguration` (MAM App Config)
  - Graph collection: `deviceAppManagement/targetedManagedAppConfigurations`
  - Primary `@odata.type`: `#microsoft.graph.targetedManagedAppConfiguration`
- `endpointSecurityPolicy` (Endpoint Security Policies)
  - Graph collection: `deviceManagement/configurationPolicies`
  - Primary `@odata.type`: `#microsoft.graph.deviceManagementConfigurationPolicy`
  - Classification: configuration policies whose snapshot indicates Endpoint Security via `technologies` and/or `templateReference`.
- `securityBaselinePolicy` (Security Baselines)
  - Graph collection: `deviceManagement/configurationPolicies`
  - Primary `@odata.type`: `#microsoft.graph.deviceManagementConfigurationPolicy`
  - Classification: configuration policies whose snapshot indicates a baseline via `templateReference` (template family/type).

The two new `configurationPolicies` types share both the collection and the `@odata.type` with the existing `settingsCatalogPolicy`, so neither value can tell them apart. Classification therefore has to inspect `templateReference` (and, where needed, `technologies`) on the captured snapshot, and any policy that matches neither rule must keep falling through to `settingsCatalogPolicy`.

### Restore modes

- `mamAppConfiguration`: `enabled` (risk: medium-high)
- `endpointSecurityPolicy`: `preview-only` (risk: high)
- `securityBaselinePolicy`: `preview-only` (risk: high)

### Test plan

- Sync: the new types appear with the correct labels and do not leak into `settingsCatalogPolicy` / `appProtectionPolicy`.
- Backup: items are created and snapshots captured for each new type.
- Restore: at minimum, restore preview produces entries; execution remains blocked for preview-only types.

## Notes

- The default restore mode for security-sensitive types should be conservative (preview-only) unless safe restore semantics already exist for that type.
- Prefer the existing generic graph-contract-driven code paths over per-type special cases.
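The classification rule and the restore-mode gate above, written out as an added PHP example. This is not TenantPilot's own code: the project's real services, config structure and graph-contract shapes are not on this page, so the function names, the `RESTORE_MODES` map and the sample snapshots are constructed for the example. The Graph values it keys on are assumptions about the `deviceManagementConfigurationPolicy` resource: `templateReference.templateFamily` equal to `baseline` for security baselines, a `templateFamily` starting with `endpointSecurity` for Endpoint Security templates, and `microsoftSense` in the comma-separated `technologies` string as a marker for EDR policies. It goes slightly beyond the plan text by also defaulting unknown type keys to `preview-only`, matching the conservative-default note.

```php
<?php
declare(strict_types=1);

// Type keys and restore modes from the "Restore modes" decision.
// settingsCatalogPolicy is the existing type; 'enabled' for it is an assumption.
const RESTORE_MODES = [
    'settingsCatalogPolicy'  => 'enabled',
    'mamAppConfiguration'    => 'enabled',
    'endpointSecurityPolicy' => 'preview-only',
    'securityBaselinePolicy' => 'preview-only',
];

/**
 * Classify one deviceManagement/configurationPolicies snapshot (decoded JSON).
 *
 * All three Settings-Catalog-backed types share the same collection and
 * @odata.type, so only templateReference / technologies can separate them.
 * Assumed Graph values: templateFamily "baseline" for security baselines,
 * an "endpointSecurity*" templateFamily for Endpoint Security templates,
 * and "microsoftSense" in technologies for EDR policies.
 */
function classifyConfigurationPolicy(array $policy): string
{
    $family       = (string) ($policy['templateReference']['templateFamily'] ?? 'none');
    $technologies = array_map('trim', explode(',', (string) ($policy['technologies'] ?? '')));

    if ($family === 'baseline') {
        return 'securityBaselinePolicy';
    }
    if (str_starts_with($family, 'endpointSecurity') || in_array('microsoftSense', $technologies, true)) {
        return 'endpointSecurityPolicy';
    }
    // Anything else stays a plain Settings Catalog policy: the new types
    // must never swallow an untemplated policy (the "do not leak" test).
    return 'settingsCatalogPolicy';
}

/** Unknown type keys get the conservative default rather than 'enabled'. */
function restoreModeFor(string $type): string
{
    return RESTORE_MODES[$type] ?? 'preview-only';
}

/** Preview is always allowed; execution only for types whose mode is 'enabled'. */
function assertRestoreAllowed(string $type, bool $execute): void
{
    $mode = restoreModeFor($type);
    if ($execute && $mode !== 'enabled') {
        throw new RuntimeException("Restore execution blocked for {$type} (mode: {$mode})");
    }
}

// Constructed sample snapshots (not real tenant data); only the fields the
// classifier reads are included, plus a name for the listing.
$snapshots = [
    ['name' => 'Edge hardening', 'technologies' => 'mdm',
     'templateReference' => ['templateId' => '', 'templateFamily' => 'none']],
    ['name' => 'Defender AV', 'technologies' => 'mdm,microsoftSense',
     'templateReference' => ['templateId' => 'constructed-av-template_1', 'templateFamily' => 'endpointSecurityAntivirus']],
    ['name' => 'MDM Security Baseline', 'technologies' => 'mdm',
     'templateReference' => ['templateId' => 'constructed-baseline-template_1', 'templateFamily' => 'baseline']],
];

foreach ($snapshots as $snapshot) {
    $type = classifyConfigurationPolicy($snapshot);
    printf("%-22s -> %-23s restore=%s\n", $snapshot['name'], $type, restoreModeFor($type));

    assertRestoreAllowed($type, execute: false); // a preview entry is always produced
    try {
        assertRestoreAllowed($type, execute: true);
    } catch (RuntimeException $e) {
        echo '  ', $e->getMessage(), "\n";
    }
}
```

Run it with `php classify.php` (PHP 8.0 or newer, for `str_starts_with` and named arguments). In the real project the `RESTORE_MODES` map would live in `config/tenantpilot.php` next to the type metadata, and the classifier would run at snapshot capture time so that sync listing, backup and restore preview all see the same type key; the example keeps everything in one file so it runs stand-alone.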