TenantAtlas/specs/029-wip-policies/spec.md
ahmido 602195324b spec/024-additional-intune-types (#28)
specs for additional intune types

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@adsmac.local>
Reviewed-on: #28
2026-01-04 02:27:44 +00:00


# Feature Specification: Windows Information Protection (WIP) Policies (029)

**Feature Branch**: `feat/029-wip-policies`
**Created**: 2026-01-04
**Status**: Draft
**Priority**: P2

## Context
Some tenants rely on WIP (MAM/WIP). These policies live under `deviceAppManagement` and should be treated as first-class objects for backup/restore.
## User Scenarios & Testing
### User Story 1 — Inventory shows WIP policies separately (Priority: P1)
As an admin, I can see WIP policies as their own types (not mixed into generic MAM policies).
**Acceptance Scenarios**
1. Sync lists WIP policies from Graph and stores them as `windowsInformationProtectionPolicy`.
2. Sync lists MDM WIP policies and stores them as `mdmWindowsInformationProtectionPolicy`.
### User Story 2 — Backup + restore (Priority: P2)
As an admin, I can back up and restore WIP policies with assignments safely.
**Acceptance Scenarios**
1. Snapshot capture stores the full policy payload and assignments.
2. Restore execution uses the correct derived entity set endpoint for create/update.
## Requirements
### Functional Requirements
- **FR-001**: Add policy types:
  - `windowsInformationProtectionPolicy` → `deviceAppManagement/windowsInformationProtectionPolicies`
  - `mdmWindowsInformationProtectionPolicy` → `deviceAppManagement/mdmWindowsInformationProtectionPolicies`
- **FR-002**: Capture full payload + assignments.
- **FR-003**: Restore supports create/update with contract-driven sanitization and assignment apply.
- **FR-004**: Add normalized display for key WIP fields (protected apps/identities, enforcement level, exemptions, etc.).
- **FR-005**: Add Pest tests for sync + snapshot + restore preview/execution.
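
One way FR-001 and FR-003 fit together, as an added Python sketch (not TenantAtlas code): the restore planner picks the entity set from the policy type and refuses a snapshot whose `@odata.type` belongs to the other WIP type. `plan_restore`, `ENTITY_SETS` and the `READ_ONLY` contract are assumptions for illustration, and the sample snapshot is constructed.

```python
# Added illustration; all names here are hypothetical, not the project's API.

# FR-001: policy type -> derived entity set (path relative to the Graph root).
ENTITY_SETS = {
    "windowsInformationProtectionPolicy":
        "deviceAppManagement/windowsInformationProtectionPolicies",
    "mdmWindowsInformationProtectionPolicy":
        "deviceAppManagement/mdmWindowsInformationProtectionPolicies",
}

# Assumed sanitization contract: server-managed properties never sent on restore.
READ_ONLY = {"id", "createdDateTime", "lastModifiedDateTime", "version", "isAssigned"}

# Constructed sample snapshot (not real tenant data).
SAMPLE_SNAPSHOT = {
    "@odata.type": "#microsoft.graph.mdmWindowsInformationProtectionPolicy",
    "id": "00000000-0000-0000-0000-000000000001",
    "version": "3",
    "displayName": "Constructed WIP sample",
    "enforcementLevel": "encryptAndAuditOnly",
    "assignments@odata.context": "constructed",
    "assignments": [{"target": {"groupId": "constructed-group-id"}}],
}


def plan_restore(policy_type, snapshot, existing_id=None):
    """Return (method, path, body) for one snapshot; raise on a type mismatch."""
    if policy_type not in ENTITY_SETS:
        raise ValueError(f"unsupported policy type: {policy_type}")
    entity_set = ENTITY_SETS[policy_type]

    expected = f"#microsoft.graph.{policy_type}"
    declared = snapshot.get("@odata.type")
    if declared is not None and declared != expected:
        # Refuse rather than write an MDM payload into the other entity set.
        raise ValueError(f"snapshot is {declared}, expected {expected}")

    # Drop read-only fields and OData annotations; assignments are applied
    # in a separate step after the policy itself exists (FR-003).
    body = {k: v for k, v in snapshot.items()
            if k not in READ_ONLY and k != "assignments" and "@odata." not in k}
    body["@odata.type"] = expected

    if existing_id is None:
        return "POST", entity_set, body          # create
    return "PATCH", f"{entity_set}/{existing_id}", body  # update
```
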
## Success Criteria
- **SC-001**: WIP policies appear and can be backed up.
- **SC-002**: Restore preview/execution uses correct endpoints and is auditable.