# Plan: Endpoint Security Policy Restore (023)

**Branch**: `feat/023-endpoint-security-restore`
**Date**: 2026-01-03
**Input**: [spec.md](./spec.md)
**Status**: Implemented (ready to merge)

## Goal

Enable full restore execution for Endpoint Security Policies (`endpointSecurityPolicy`) instead of preview-only, with defensive validation around templates and settings payloads.

## Approach

1. Enable restore execution in `config/tenantpilot.php` by switching `endpointSecurityPolicy.restore` from `preview-only` to `enabled`.
2. Add template existence validation during restore preview:
   - Resolve the snapshot’s `templateReference` (family/id/display name where available).
   - Confirm the referenced template is resolvable in the target tenant before execution.
   - Surface warnings in preview and fail execution with a clear error when missing.
3. Add settings instance validation prior to execution:
   - Resolve template definitions for the target tenant.
   - Validate that settings instances are structurally compatible with the resolved template.
   - Treat validation failures as preview warnings, and block execution when the payload cannot be made safe.
4. Ensure restore uses the existing generic configuration policy create/update flow:
   - Create when no match exists; update when matched (per existing restore matching rules).
   - Apply assignments using existing mapping logic.
5. Add targeted tests covering:
   - Create + update restore execution for `endpointSecurityPolicy`.
   - Preview warnings and execution failure when template is missing.
   - Settings validation failure paths.
   - Assignment application expectations.

## Decisions / Notes

- Assume template identifiers may differ across tenants; prefer mapping by `templateFamily` with display-name fallback when required.
- Safety-first: if template resolution is ambiguous, treat as missing and block execution.
- Incident hardening: make restore failures actionable by surfacing Graph path/method and avoid unsafe fallback endpoints.
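
The template resolution rule from the notes above (id match, then `templateFamily`, then display-name fallback, with ambiguity treated as missing) can be sketched as follows. This is an added example, not code from the TenantPilot repository; the function name `resolveTemplate`, the array field names and the sample ids are assumptions made for illustration.

```php
<?php
// Added example, not TenantPilot code. Assumed shapes: $ref has
// templateId/templateFamily/templateDisplayName; templates have id/templateFamily/displayName.
function resolveTemplate(array $ref, array $targetTemplates): array
{
    $result = fn (?string $id, string $reason): array =>
        ['executable' => $id !== null, 'templateId' => $id, 'reason' => $reason];

    // 1. Exact id match in the target tenant.
    $refId = $ref['templateId'] ?? '';
    foreach ($targetTemplates as $t) {
        if ($refId !== '' && $t['id'] === $refId) {
            return $result($t['id'], 'id match');
        }
    }

    // 2. Ids may differ across tenants: map by templateFamily.
    $family = $ref['templateFamily'] ?? '';
    if ($family === '') {
        return $result(null, 'no templateFamily to map by');
    }
    $candidates = array_values(array_filter(
        $targetTemplates,
        fn (array $t): bool => ($t['templateFamily'] ?? '') === $family
    ));

    // 3. Display-name fallback only when the family alone is not unique.
    $name = $ref['templateDisplayName'] ?? '';
    if (count($candidates) > 1 && $name !== '') {
        $candidates = array_values(array_filter(
            $candidates,
            fn (array $t): bool => ($t['displayName'] ?? '') === $name
        ));
    }

    // 4. Safety-first: zero or several candidates are both treated as missing.
    if (count($candidates) !== 1) {
        return $result(null, count($candidates) . " candidates for family '{$family}'");
    }
    return $result($candidates[0]['id'], 'family match');
}
// Constructed sample: the snapshot id is unknown here and two target templates
// share both family and display name, which is the ambiguous case.
$target = [
    ['id' => 'tpl-a_1', 'templateFamily' => 'endpointSecurityFirewall', 'displayName' => 'Firewall'],
    ['id' => 'tpl-a_2', 'templateFamily' => 'endpointSecurityFirewall', 'displayName' => 'Firewall'],
    ['id' => 'tpl-b_1', 'templateFamily' => 'endpointSecurityAntivirus', 'displayName' => 'Antivirus'],
];
$ref = ['templateId' => 'src-x_1', 'templateFamily' => 'endpointSecurityFirewall', 'templateDisplayName' => 'Firewall'];
var_dump(resolveTemplate($ref, $target));
```

The `reason` string is what a preview warning or execution error would surface, so an operator can see why the restore was blocked rather than only that it was.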