# Tasks: Endpoint Security Policy Restore (023) **Branch**: `feat/023-endpoint-security-restore` **Date**: 2026-01-03 **Input**: [spec.md](./spec.md), [plan.md](./plan.md) ## Phase 1: Setup - [x] T001 Create spec/plan/tasks and checklist. ## Phase 2: Inventory & Design - [x] T002 Confirm current restore mode + code paths for `endpointSecurityPolicy` (`config/tenantpilot.php`, restore services). - [x] T003 Decide template resolution strategy (ID vs family/display name) and required Graph calls. - [x] T004 Define settings instance validation rules (warning vs block) for restore preview/execution. ## Phase 3: Tests (TDD) - [x] T005 Add feature tests for restore execution create/update for `endpointSecurityPolicy`. - [x] T006 Add feature tests for preview warnings when template is missing. - [x] T007 Add feature tests asserting restore execution fails gracefully when template is missing. - [x] T008 Add tests for settings validation failure paths (invalid/unknown settings instances). - [x] T009 Add feature tests asserting assignments are applied for endpoint security policies. ## Phase 4: Implementation - [x] T010 Enable restore for `endpointSecurityPolicy` in `config/tenantpilot.php`. - [x] T011 Implement template existence validation in restore preview and execution gating. - [x] T012 Implement settings instance validation against resolved template definitions. - [x] T013 Implement template mapping (if required) and ensure restore payload uses mapped template reference. - [x] T014 Ensure restore applies assignments for endpoint security policies using existing mapping logic. ## Phase 5: Verification - [x] T015 Run targeted tests. - [x] T016 Run Pint (`./vendor/bin/pint --dirty`). ## Phase 6: Hardening (Incident-driven) - [x] T017 Default unknown policy types to `preview-only` to avoid invalid Graph endpoints. - [x] T018 Harden endpoint resolution fallback for configuration policy types (avoid `deviceManagement/{policyType}`). - [x] T019 Surface Graph method/path in RestoreRun Results for faster debugging. - [x] T020 Strip non-patchable fields for `endpointSecurityIntent` PATCH (`isAssigned`, `templateId`, `isMigratingToConfigurationPolicy`).