feat(baseline): declarative Intune baseline deployer

- Add Deploy-IntuneBaseline.ps1 for YAML-driven policy + assignment deployment
- Add ConvertTo-IntuneBaseline.ps1 to convert export folders to baseline manifests
- Add example OpenIntuneBaseline YAML in Baselines/
- Supports mutations, group auto-creation, idempotency, and WhatIf mode

CHANGELOG_macOS_IntuneToolkit.md

@@ -47,3 +47,26 @@
   - Assignments use `#microsoft.graph.deviceManagementConfigurationPolicyAssignment` and the bulk `POST …/assign` endpoint
 - **TUI / `fzf`**
   - Spacebar toggle, Esc to go back, reverse numbering (10→1) in unified launcher
+
+
+## 2026-04-13 — Declarative Baseline Deployer
+
+### Added
+- **`Scripts/Deploy-IntuneBaseline.ps1`**
+  - YAML-driven one-click deployment of Intune policies + assignments to new tenants.
+  - Supports global and per-policy name mutations (`search`/`replace` or `prefix`).
+  - Auto-creates cloud-only security groups if missing.
+  - Idempotent imports with configurable conflict resolution (`Skip`, `Update`, `Error`).
+  - Full `-WhatIf` dry-run support.
+  - Handles 20+ policy types including Settings Catalog (`name` property), EndpointSecurity (settings file companion upload), and Applications.
+  - Integrates with existing auth stack (Settings.json / macOS Keychain).
+
+- **`Scripts/ConvertTo-IntuneBaseline.ps1`**
+  - Converts an existing toolkit export folder into a baseline YAML skeleton.
+  - Maps folder names to baseline types, extracts display names, and generates empty assignment blocks.
+
+- **`Baselines/OpenIntuneBaseline.example.yaml`**
+  - Example manifest demonstrating groups, mutations, policies, and assignments.
+
+### Dependencies
+- `powershell-yaml` module (auto-install prompt if missing).