# Tasks: Windows Information Protection (WIP) Policies (029)

**Branch**: `feat/029-wip-policies`  
**Date**: 2026-01-04  
**Input**: [spec.md](./spec.md), [plan.md](./plan.md)

## Phase 1: Setup
- [x] T001 Create spec/plan/tasks and checklist.

## Phase 2: Research & Design
- [ ] T002 Confirm Graph endpoints for WIP and MDM WIP policy collections.
- [ ] T003 Confirm assignment endpoints and body shape.
- [ ] T004 Confirm patchable fields and define sanitization rules.
- [ ] T005 Decide restore mode and risk classification.

## Phase 3: Tests (TDD)
- [ ] T006 Add sync test importing both WIP types.
- [ ] T007 Add snapshot capture test (payload + assignments).
- [ ] T008 Add restore preview test (preview-only gating).
- [ ] T009 Add restore execution test using derived endpoints (if enabled).

## Phase 4: Implementation
- [ ] T010 Add types to `config/tenantpilot.php`.
- [ ] T011 Add contracts in `config/graph_contracts.php`.
- [ ] T012 Update sync classification so WIP types are not treated as generic appProtectionPolicy.
- [ ] T013 Update restore/apply paths if Graph requires derived resources.
- [ ] T014 Add normalizer for readable settings.

## Phase 5: Verification
- [ ] T015 Run targeted tests.
- [ ] T016 Run Pint (`./vendor/bin/pint --dirty`).