Sync from dev @ 252c1cf

Source: main (252c1cf)
Excluded: live tenant exports, generated artifacts, and dev-only tooling.

docs/security-review-email-draft.md

@@ -0,0 +1,39 @@
+# Security Review Email Draft
+
+## Subject
+
+Security review package for ASTRAL
+
+## Email Body
+
+Hello,
+
+As discussed, I am sending the security review package for ASTRAL.
+
+ASTRAL stands for Admin Security Through Review, Automation & Least-privilege.
+
+Attached are:
+
+- `security-review-package.pdf` - product security overview, architecture, deployment modes, permissions, data flows, and key security considerations
+- `security-review-questionnaire.pdf` - short-form questionnaire answers for easier circulation within your security review process
+
+A few points to highlight up front:
+
+- the platform supports multiple deployment modes, from backup-only through full review and remediation workflows
+- AI-assisted review summaries are optional and can be enabled or disabled independently of the backup and restore functions
+- when AI is enabled, the intended model is a customer-controlled Azure OpenAI deployment rather than an unrelated public AI service
+- the AI summary feature is advisory and is intended to help non-technical reviewers such as PMs or management understand technical Intune and Entra changes in plain language
+
+The source repository is private because it contains operational implementation details and tenant-specific configuration material. If your review requires deeper technical evidence, we can provide a controlled walkthrough of the implementation, configuration, and pipeline behavior.
+
+If useful, I can also provide:
+
+- a live architecture walkthrough
+- a permission-by-permission review of the Microsoft Graph access model
+- a demonstration of deployment modes and AI-assisted review summaries
+
+Please let me know if your team would like any additional material in a different format.
+
+Best regards,
+
+[Your Name]