TenantAtlas/specs/029-wip-policies/plan.md

# Plan: Windows Information Protection (WIP) Policies (029)

**Branch**: `feat/029-wip-policies`  
**Date**: 2026-01-04  
**Input**: [spec.md](./spec.md)

## Approach
1. Confirm Graph behavior:
   - endpoints for both WIP collections
   - assignment endpoints (list + assign/create shape)
   - patchable/read-only fields and required permissions
2. Add new types to `config/tenantpilot.php` (category “Apps/MAM”, platform windows, restore mode/risk).
3. Add graph contracts in `config/graph_contracts.php`:
   - resource paths
   - type families
   - assignment endpoints
4. Ensure restore uses the derived entity set endpoint (do not PATCH generic `managedAppPolicies/{id}` when Graph requires derived resources).
5. Add a normalizer for readable UI output.
6. Add targeted Pest coverage.

## Decisions / Notes
- **Restore mode**: default `preview-only` until endpoint + assignment behavior is confirmed with tests and real tenants.