feat(toolkit): complete macOS Intune Toolkit v1

Core enhancements:
- Expanded default export/import scope to ~45 object types including DeviceManagementIntents
- Added -AllPages pagination support across Graph queries for large tenants
- Invoke-GraphRequest now throws on 4xx/5xx instead of silently returning null
- Added macOS Keychain fallback for secret retrieval in headless auth flow
- Added NameSearchPattern/NameReplacePattern mutation support through export/import forms

New toolkit scripts:
- Bulk-AppAssignment.ps1: bulk-assign apps to groups/All Users/All Devices
- Bulk-AssignmentManager.ps1: add/remove assignments for any policy type with correct @odata.type
- Backup-Restore-Assignments.ps1: JSON backup with cross-tenant group resolution
- Export-AssignmentsToCsv.ps1: CSV/Markdown documentation output
- Bulk-RenamePolicies.ps1: regex search/replace and prefix mutations
- Bulk-DeviceOperations.ps1: delete/retire/wipe/lock/sync with -WhatIf safeguards
- Start-IntuneManagementTui.ps1: interactive terminal UI for headless operations
- Create-IntuneManagementApp.ps1: helper for app registration setup

Updated existing scripts:
- Export-Policies.ps1 / Import-Policies.ps1: wired mutation params through
- Start-HeadlessIntune.ps1: integrated TUI and new parameter forwarding
2026-04-14 15:11:09 +02:00
parent 0ddd21ab14
commit e13d14edcb
18 changed files with 3649 additions and 69 deletions


@@ -5,7 +5,7 @@ GUID = 'c7aa4c71-d00d-44bc-9c09-b4741e7435ab'
Author = 'Mikael Karlsson'
Copyright = '(c) 2026 Mikael Karlsson. Software released under MIT License.'
Description = 'Headless Intune policy export and import runtime'
FunctionsToExport = @('Initialize-IntuneManagementRuntime', 'Test-IsWindowsPlatform')
FunctionsToExport = @('Initialize-IntuneManagementRuntime', 'Test-IsWindowsPlatform', 'Expand-FileName')
AliasesToExport = @()
ModuleList = @('IntuneManagement.Runtime.psm1')
PrivateData = @{


@@ -3,6 +3,18 @@ function Test-IsWindowsPlatform
[Environment]::OSVersion.Platform -eq [System.PlatformID]::Win32NT
}
function Expand-FileName
{
param([string]$Path)
if(-not $Path) { return $Path }
$expanded = [Environment]::ExpandEnvironmentVariables($Path)
if($expanded -like "~/*" -or $expanded -eq "~")
{
$expanded = $expanded -replace "^~", $HOME
}
return $expanded
}
function Initialize-IntuneManagementRuntime
{
[CmdletBinding()]
@@ -17,7 +29,7 @@ function Initialize-IntuneManagementRuntime
[string]$AppId,
[string]$Secret,
[string]$Certificate,
[ValidateSet("AppOnly","Browser")]
[ValidateSet("AppOnly","Browser","DeviceCode")]
[string]$AuthMode = "AppOnly",
[string]$RedirectUri,
[string]$GraphEnvironment,
@@ -77,6 +89,10 @@ function Initialize-IntuneManagementRuntime
{
Write-Host "Using browser authentication"
}
elseif($global:HeadlessAuthMode -eq "DeviceCode")
{
Write-Host "Using device code authentication"
}
else
{
Write-Warning "Azure App Secret or Certificate is missing. Use -Secret <Secret> or -Certificate <Certificate>."
@@ -91,4 +107,4 @@ function Initialize-IntuneManagementRuntime
Start-CoreApp $View
}
Export-ModuleMember -Function Initialize-IntuneManagementRuntime, Test-IsWindowsPlatform
Export-ModuleMember -Function Initialize-IntuneManagementRuntime, Test-IsWindowsPlatform, Expand-FileName
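Review bot: In Expand-FileName, `$expanded -replace "^~", $HOME` passes the home path as a regex replacement pattern, so a `$` in the home directory (sequences such as `$1` or `$&`) is read as a substitution token and the resulting path is silently wrong. The function is exported and presumably resolves user-supplied file paths, so plain concatenation is safer: `$expanded = $HOME + $expanded.Substring(1)`. The `-like "~/*"` test also leaves `~\...` unexpanded, which may matter if the helper is ever called on Windows. A short comment-based help block stating that `%VAR%` references and a leading `~` are expanded would document the contract for callers.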