# Product Roadmap

> Strategic thematic blocks and release trajectory.
> This is the "big picture" — not individual specs.

**Last updated**: 2026-03-21

---

## Release History

| Release | Theme | Status |
|---------|-------|--------|
| **R1 "Golden Master Governance"** | Baseline drift as production feature, operations polish | **Done** |
| **R1 cont.** | Ops canonicalization, action surface contract, ops-ux enforcement | **Done** |
| **R2 "Tenant Reviews & Evidence"** | Evidence packs, stored reports, permission posture, alerts | **Partial** |
| **R2 cont.** | Alert escalation + notification routing | **Done** |

---

## Active / Near-term

### Governance & Architecture Hardening

Canonical run-view trust semantics, execution-time authorization continuity, tenant-owned query canon, findings workflow enforcement, Livewire trust-boundary reduction.

Goal: Turn the new audit constitution into enforceable backend and workflow guardrails before further governance surface area lands.

**Active specs**: 144

**Next wave candidates**: queued execution reauthorization and scope continuity, tenant-owned query canon and wrong-tenant guards, findings workflow enforcement and audit backstop, Livewire context locking and trusted-state reduction

**Operator truth initiative** (sequenced): Operator Outcome Taxonomy → Reason Code Translation → Provider Dispatch Gate Unification (see spec-candidates.md — "Operator Truth Initiative" sequencing note)

**Source**: architecture audit 2026-03-15, audit constitution, semantic clarity audit 2026-03-21, product spec-candidates

### UI & Product Maturity Polish

Empty state consistency, list-expand parity, workspace chooser refinement, navigation semantics.

Goal: Every surface feels intentional and guided for first-run evaluation.

**Active specs**: 122, 121, 112

### Secret & Security Hardening

Secret redaction integrity, provider access hardening, required permissions sidebar.

Goal: Enterprise trust — no credential leaks, no permission gaps.

**Active specs**: 120, 108, 106

### Baseline Drift Engine (Cutover)

Full content capture, cutover to unified engine, resume capability.

Goal: Ship drift detection as the complete production governance feature.

**Active specs**: 119 (cutover)

---

## Planned (Next Quarter)

### R2 Completion — Evidence & Exception Workflows

- Review pack export (Spec 109 — done)
- Exception/risk-acceptance workflow for Findings → **Not yet specced**
- Formal "evidence pack" entity → **Not yet specced**
- Workspace-level PII override for review packs → deferred from 109

### Policy Lifecycle / Ghost Policies

Soft delete detection, automatic restore, "Deleted" badge, restore from backup.

Draft exists (Spec 900). Needs spec refresh and prioritization.

**Risk**: Ghost policies create confusion for backup item references.

### Platform Operations Maturity

- CSV export for filtered run metadata (deferred from Spec 114)
- Raw error/context drilldowns for system console (deferred from Spec 114)
- Multi-workspace operator selection in `/system` (deferred from Spec 113)

---

## Mid-term (2–3 Quarters)

### MSP Portfolio & Operations (Multi-Tenant)

Multi-tenant health dashboard, SLA/compliance reports (PDF), cross-tenant troubleshooting center.

**Source**: 0800-future-features brainstorming, identified as highest priority pillar.

**Prerequisite**: Cross-tenant compare (Spec 043 — draft only).

### Drift & Change Governance ("Revenue Lever #1")

Change approval workflows (DEV→PROD with audit pack), guardrails/policy freeze windows, tamper detection.

**Source**: 0800-future-features brainstorming.

**Prerequisite**: Drift engine fully shipped, findings workflow mature.

### Standardization & Policy Quality ("Intune Linting")

Policy linter (naming, scope tag requirements, no All-Users on high-risk), company standards as templates, policy hygiene (duplicate finder, unassigned, orphaned, stale).

**Source**: 0800-future-features brainstorming.

### Compliance Readiness & Executive Review Packs

On-demand review packs that combine governance findings, accepted risks, evidence, baseline/drift posture, and key security signals into one coherent deliverable. BSI-/NIS2-/CIS-oriented readiness views (without certification claims). Executive / CISO / customer-facing report surfaces alongside operator-facing detail views. Exportable auditor-ready and management-ready outputs.

**Goal**: Make TenantPilot sellable as an MSP-facing governance and review platform for German midmarket and compliance-oriented customers who want structured tenant reviews and management-ready outputs on demand.

**Why it matters**: Turns existing governance data into a clear customer-facing value proposition. Strengthens MSP sales story beyond backup and restore. Creates a repeatable "review on demand" workflow for quarterly reviews, security health checks, and audit preparation.

**Depends on**: StoredReports / EvidenceItems foundation, Tenant Review runs, Findings + Risk Acceptance workflow, evidence / signal ingestion, export pipeline maturity.

**Scope direction**: Start as compliance readiness and review packaging. Avoid formal certification language or promises. Position as governance evidence, management reporting, and audit preparation.

### Entra Role Governance

Expand TenantPilot's governance coverage into Microsoft Entra role definitions and assignments as a first-class identity administration surface.

**What it means**: Inventory and visibility for built-in and custom role definitions. Visibility into role assignments and governance-relevant changes. Review-ready representation of identity administration posture.

**Why it matters**: Identity role governance is central to audit readiness and privilege control. Strengthens TenantPilot beyond device configuration into identity governance.

**Scope direction**: Start with visibility, inventory, and governance-oriented reviewability. Avoid prematurely turning this into a full attestation workflow block.

### SharePoint Tenant-Level Sharing Governance

Extend TenantPilot into high-value Microsoft 365 data-governance controls by covering tenant-level SharePoint and OneDrive sharing settings.

**What it means**: Visibility into tenant-wide sharing and external access posture. Governance-oriented review surface for high-risk sharing controls. Alignment with customer demand for audit-ready data-sharing posture.

**Why it matters**: Tenant-level sharing controls are critical for data exposure and external collaboration governance. Expands TenantPilot into a high-value non-Intune policy domain without becoming a generic M365 admin mirror.

**Scope direction**: Start at tenant-level settings, not full site-level governance. Position as governance and reviewability, not full SharePoint administration.

### Enterprise App / Service Principal Governance

Add governance coverage for enterprise applications and service principals, especially around privileged permissions, expiring credentials, and review workflows.

**What it means**: Visibility into enterprise apps and service principals. Detection of expiring secrets and certificates. Governance surfaces for privileged app access and renewal workflows.

**Why it matters**: App identities are a major cloud governance and security pain point for MSPs and enterprise customers. Creates strong customer-facing value beyond tenant configuration backup and restore.

**Scope direction**: Start with visibility, expiry monitoring, and governance workflows. Avoid collapsing this into app-consent policy coverage alone.

### Security Posture Signals

Expand TenantPilot's evidence layer with high-value security posture signals that support customer reviews, audit preparation, and recurring governance reporting.

**What it means**: Defender Vulnerability Management exposure and remediation-oriented signals. Backup success/failure and protection-state signals. Additional evidence inputs for review packs and executive reporting.

**Why it matters**: Strengthens TenantPilot's audit and review story without turning it into a remediation engine. Helps prove operational effectiveness in recurring customer reviews.

**Scope direction**: Treat these as evidence/signal domains, not policy domains. Prioritize reporting, history, and correlation over operational ownership.

---

## Long-term

### Tenant-to-Tenant / Staging→Prod Promotion

Compare/diff between tenants, mapping UI (groups, scope tags, filters, named locations, app refs), promotion plan (preview → dry-run → cutover → verify).

**Source**: 0800-future-features, Spec 043 draft.

### Recovery Confidence ("Killer Feature")

Automated restore tests in test tenants, recovery readiness report, preflight score.

**Source**: 0800-future-features brainstorming.

### Security Suite Layer

Security posture score, blast radius display, opt-in high-risk enablement.

**Source**: 0800-future-features brainstorming.

### Script & Secrets Governance

Script diff + approval + rollback, secret scanning, allowlist/signing workflow.

**Source**: 0800-future-features brainstorming.

---

## Infrastructure & Platform Debt

| Item | Risk | Status |
|------|------|--------|
| No `.env.example` in repo | Onboarding friction | Open |
| No CI pipeline config | No automated quality gate | Open |
| No PHPStan/Larastan | No static analysis | Open |
| SQLite for tests vs PostgreSQL in prod | Schema drift risk | Open |
| No formal release process | Manual deploys | Open |
| Dokploy config external to repo | Env drift | Open |

---

## Priority Ranking (from Product Brainstorming)

1. MSP Portfolio + Alerting
2. Drift + Approval Workflows
3. Standardization / Linting
4. Promotion DEV→PROD
5. Recovery Confidence

---

## How to use this file

- **Big themes** live here.
- **Concrete spec candidates** → see [spec-candidates.md](spec-candidates.md)
- **Small discoveries from implementation** → see [discoveries.md](discoveries.md)
- **Product principles** → see [principles.md](principles.md)