Semanticus
Documentation

Restore points & rollback

A push to a published model can delete things, and a live delete is permanent. So every committed push writes a restore point first. If the push later turns out wrong, you can put the model back. This is the safety net that makes a live write honestly reversible, and it is free at both tiers.

Why a push needs a safety net

When you deploy metadata back to a published Power BI or Fabric model, most changes are recoverable by redeploying: a redeploy can re-create measures, calculated columns, calculated tables and named expressions. But some object kinds are not. A relationship, a role (and its row-level security), a perspective, a hierarchy, a partition, a culture, a data source or a data table, once removed from a published model, is otherwise gone for good. There is no redeploy that brings it back.

That is the gap a restore point closes. Before Semanticus commits a push to an XMLA endpoint, it reads the target's current state and keeps a copy. That copy is the same snapshot the drift guard already takes to check nothing changed under you, so the restore point costs a push nothing extra. Instead of discarding it after the write, Semanticus keeps it.

No restore point, no delete

If a push contains deletes and the restore point cannot be written (the endpoint is unreachable, the disk is full), the push is refused before the endpoint is touched. A live delete is only allowed when the way back has been secured first. This fails closed on purpose.

What a restore point holds

A restore point is the target's full model metadata as it stood immediately before the push: measure and column definitions, M queries, role filters, relationships, connection strings, and so on. It never holds a single row of your data. Restore points live in ~/.semanticus/restore as files you are meant to be able to find and prune, not in a hidden temporary folder.

Rolling a push back

rollback_push restores a published model to one of its restore points. It is a dry run by default, and the dry run is the whole point: rather than trust a stored fingerprint, it diffs the restore point against the model as it stands live right now and tells you two things before you commit:

Only when you pass commit=true does it write. Rollback resolves each object by its lineage identity, so if something was republished under you (a different object now wears the same name), it is refused rather than overwritten. A rollback is itself a push: it is recorded in the audit trail like any other live write. See Edit History for that trail.

Over MCP

The restore-point operations are dual-drive, so your AI assistant can find, preview and run a rollback exactly as the Studio does. All of them are free.

list_restore_points                        # newest first, per target
rollback_push  id=<id>                      # DRY RUN: what would be restored + REMOVED
rollback_push  id=<id>  commit=true         # write the restore (audited)
purge_restore_points  olderThanDays=30      # prune snapshots you no longer need
Read the removal list before you commit

A rollback returns the model to the moment the snapshot was taken. Anything added to the target after that moment, by you or by anyone else, is in the list of objects the rollback would remove. The dry run shows you that list precisely so a recovery never quietly discards someone else's work.

Free at both tiers

Restore points and rollback are free, on Free and on Pro. The undo for an otherwise irreversible write is never something we would put behind a paywall. See Deploy for the push path these protect and Agent permissions for how a live delete by your AI assistant is gated on top of this.