release: v4.1.0 — restructure entry points, add CIS baselines, reporting tools and fzf hints

- Restructure launchers: Start-IntuneToolkit.ps1 moves to repo root;
  Start-HeadlessIntune.ps1 moves to Scripts/; TUI helper moves to Scripts/Private/
- Add AGENTS.md with project architecture, entry points, and security notes
- Add CIS M365 baseline assets (CISM365-v7, M365-CIS-Rapid) and reporting scripts
- Add Python reporting utilities (Export-SettingsReport, Export-AssignmentReport,
  Export-ObjectInventoryReport) and CA wizard helpers
- Update Deploy-IntuneBaseline.ps1 with Merge conflict resolution, ReportPath,
  and optimized group loading
- Update Initialize-IntuneAuth.ps1 with -RotateSecret and configurable secret expiry
- Update Extensions for Settings Catalog definition auto-export
- Update README with v4.1.0, new entry points and script catalog
- Bump VERSION to 4.1.0
- Harden .gitignore against .DS_Store, __pycache__, .venv-pdf/, local exports,
  Settings.json and IntuneManagement.log

README.md

@@ -15,22 +15,23 @@ This repository is now CLI-first. The old WPF application surface has been remov
 The easiest way to get started is the unified launcher. It provides a single terminal UI for every tool and remembers your tenants.
 
 ```powershell
-pwsh ./Scripts/Start-IntuneToolkit.ps1
+pwsh ./Start-IntuneToolkit.ps1
 ```
 
 If `fzf` is installed you get an interactive picker; otherwise you get a numbered menu. You can also pass a tenant directly:
 
 ```powershell
-pwsh ./Scripts/Start-IntuneToolkit.ps1 -TenantId "<tenant-id>"
+pwsh ./Start-IntuneToolkit.ps1 -TenantId "<tenant-id>"
 ```
 
 ## Entry points
 
-* [Scripts/Start-IntuneToolkit.ps1](/Users/avedelphina/Local/IntuneManagement/Scripts/Start-IntuneToolkit.ps1) — unified launcher (recommended)
-* [Start-HeadlessIntune.ps1](/Users/avedelphina/Local/IntuneManagement/Start-HeadlessIntune.ps1) — single action wrapper with optional TUI
+* [Start-IntuneToolkit.ps1](/Users/avedelphina/Local/IntuneManagement/Start-IntuneToolkit.ps1) — unified launcher (recommended)
+* [Scripts/Start-HeadlessIntune.ps1](/Users/avedelphina/Local/IntuneManagement/Scripts/Start-HeadlessIntune.ps1) — single action wrapper with optional TUI
 * [Scripts/Export-Policies.ps1](/Users/avedelphina/Local/IntuneManagement/Scripts/Export-Policies.ps1)
 * [Scripts/Import-Policies.ps1](/Users/avedelphina/Local/IntuneManagement/Scripts/Import-Policies.ps1)
 * [Scripts/Initialize-IntuneAuth.ps1](/Users/avedelphina/Local/IntuneManagement/Scripts/Initialize-IntuneAuth.ps1) — one-time Entra app + secret + Keychain setup
+* [Scripts/Export-SettingsReport.py](/Users/avedelphina/Local/IntuneManagement/Scripts/Export-SettingsReport.py) — generate a flat CSV of policy settings/values
 * [Headless/IntuneManagement.Headless.psd1](/Users/avedelphina/Local/IntuneManagement/Headless/IntuneManagement.Headless.psd1)
 
 ## Runtime
@@ -38,7 +39,7 @@ pwsh ./Scripts/Start-IntuneToolkit.ps1 -TenantId "<tenant-id>"
 * `pwsh` 7+
 * Microsoft Graph app registration
 * App-only auth with client secret or certificate, or browser auth with a public client redirect URI
-* `fzf` (optional) — for the best interactive menu experience in `Start-IntuneToolkit.ps1` and `Start-IntuneManagementTui.ps1`. Falls back to numbered menus if not installed.
+* `fzf` (optional) — for the best interactive menu experience in `Start-IntuneToolkit.ps1`. Falls back to numbered menus if not installed.
   * macOS: `brew install fzf`
   * Linux: `sudo apt install fzf` (or `dnf` / `pacman`)
   * Windows: `winget install junegunn.fzf` (or `choco install fzf`)
@@ -110,7 +111,7 @@ pwsh ./Scripts/Import-Policies.ps1 `
 ## Single action entry point
 
 ```powershell
-pwsh ./Start-HeadlessIntune.ps1 `
+pwsh ./Scripts/Start-HeadlessIntune.ps1 `
   -Action Export `
   -TenantId "<source-tenant-id>" `
   -AppId "<app-id>" `
@@ -119,7 +120,7 @@ pwsh ./Start-HeadlessIntune.ps1 `
 ```
 
 ```powershell
-pwsh ./Start-HeadlessIntune.ps1 `
+pwsh ./Scripts/Start-HeadlessIntune.ps1 `
   -Action Import `
   -TenantId "<target-tenant-id>" `
   -AppId "<app-id>" `
@@ -129,7 +130,7 @@ pwsh ./Start-HeadlessIntune.ps1 `
 ```
 
 ```powershell
-pwsh ./Start-HeadlessIntune.ps1 `
+pwsh ./Scripts/Start-HeadlessIntune.ps1 `
   -Action Export `
   -TenantId "<source-tenant-id>" `
   -AuthMode Browser `
@@ -140,11 +141,15 @@ pwsh ./Start-HeadlessIntune.ps1 `
 ## Additional toolkit scripts
 
 * **Baseline deployment** — [`Deploy-IntuneBaseline.ps1`](Scripts/Deploy-IntuneBaseline.ps1) deploys a YAML manifest of policies + assignments to a tenant, with dry-run support. [`ConvertTo-IntuneBaseline.ps1`](Scripts/ConvertTo-IntuneBaseline.ps1) turns an existing export folder into a baseline skeleton.
+* **CIS M365 baseline** — [`Deploy-CISM365Baseline.ps1`](Scripts/Deploy-CISM365Baseline.ps1) applies the CIS Microsoft 365 v7 benchmark to a tenant. See [`Baselines/M365-CIS-Rapid/`](Baselines/M365-CIS-Rapid/) for a config-driven rapid baseline.
 * **Bulk assignments** — [`Bulk-AssignmentManager.ps1`](Scripts/Bulk-AssignmentManager.ps1) adds or removes assignments for any policy type using the bulk `/assign` endpoint. [`Bulk-AppAssignment.ps1`](Scripts/Bulk-AppAssignment.ps1) does the same for applications.
 * **Backup / restore assignments** — [`Backup-Restore-Assignments.ps1`](Scripts/Backup-Restore-Assignments.ps1) saves assignments to JSON and can restore them with cross-tenant group name resolution.
 * **Bulk rename** — [`Bulk-RenamePolicies.ps1`](Scripts/Bulk-RenamePolicies.ps1) performs search/replace or prefix mutations across policy names and descriptions.
 * **Device operations** — [`Bulk-DeviceOperations.ps1`](Scripts/Bulk-DeviceOperations.ps1) supports delete, retire, wipe, lock, and sync with `-WhatIf` safeguards.
 * **Assignment documentation** — [`Export-AssignmentsToCsv.ps1`](Scripts/Export-AssignmentsToCsv.ps1) exports assignments to CSV and Markdown.
+* **Reporting utilities** — [`Export-SettingsReport.py`](Scripts/Export-SettingsReport.py), [`Export-AssignmentReport.py`](Scripts/Export-AssignmentReport.py), and [`Export-ObjectInventoryReport.py`](Scripts/Export-ObjectInventoryReport.py) generate CSV/Markdown reports from local exports.
+* **Baseline batch runner** — [`Invoke-BaselineBatch.ps1`](Scripts/Invoke-BaselineBatch.ps1) run multiple baseline manifests in one pass.
+* **Conditional Access wizard** — [`Start-CAWizard.ps1`](Scripts/Start-CAWizard.ps1) / [`ca-wizard.py`](Scripts/ca-wizard.py) generate Conditional Access baseline skeletons.
 
 ## Notes