# TenantPilot Implementation Ledger

> **Status:** Active
> **Last reviewed:** 2026-06-15
> **Use for:** Repo-based implementation status and product-surface maturity assessment
> **Do not use for:** Roadmap priority, spec priority, or proof that tests were executed in the current branch
> **Scoped maintenance:** 2026-06-15 repo-truth sync after Specs 311-379, including completed Spec 311 surface-scope foundation, post-311 candidate reconciliation, Spec 377 UI closeout, and current working-tree Spec 379 management-report PDF runtime-gated status; 2026-05-15 Spec 310 product-truth/docs-drift reconciliation after Specs 307-309; 2026-05-15 Spec 309 RBAC role matrix and access boundary hardening update; 2026-05-15 Spec 308 customer-safe Decision Summary and Review Pack inclusion update; 2026-05-15 Decision Register proof-link implementation update after Spec 307; 2026-05-15 Decision Register reconciliation update after Spec 306; 2026-05-15 Tenant Panel dead-code retirement guardrail update after Spec 304; 2026-05-12 roadmap/ledger alignment after the admin workspace navigation and tenant-owned surface repair candidate intake from the repo-verified navigation/panel audit; 2026-05-06 ledger conflict cleanup plus alignment with `docs/product/roadmap.md` and `docs/product/spec-candidates.md` after the cross-domain indicator candidate intake and the current manual-promotion backlog review.

## Purpose

This document describes the current repo-based implementation status of TenantPilot. It complements `docs/product/roadmap.md` and `docs/product/spec-candidates.md` but does not replace them.

Assessment rules for this ledger:

- Repo-based only: statements count only when code, data model, workflow, UI adoption, or test artifacts in the repo credibly support them.
- No roadmap or spec intent without repo evidence.
- Product posture uses `foundation-only`, `implemented but not productized`, `fast sellable`, `sellable`, or `not implemented` as its base; since Spec 310, evidenced product-truth labels such as `repo-real`, `open gap`, `historical`, or `security-hardening completed` may supplement it in status notes or combined table cells.
- `sellable` is used only where UI, workflow, data model, RBAC/audit, and matching test artifacts plausibly fit together.
- `fast sellable` means: repo-real and close enough to the customer or operator, but the final productized delivery, packaging, or self-serve layer is still missing.
- `implemented but not productized` means: real surfaces or workflows exist, but they have not yet been pulled together into a calm, repeatable product slice.
- `foundation-only` remains reserved for enablement, control, policy, or technical support layers.
- When tests are marked below as present, that means matching test files exist in the repo. They were not executed for this ledger.

## Current Product Position

TenantPilot is currently a strong governance and operations product with repo-real foundations for Execution Truth, Baselines/Drift, Findings, Evidence, Reviews, Review Packs, Supportability, Telemetry, Safety Controls, Commercial Lifecycle, and governed AI policy. Since Spec 311, the Workspace/Environment Surface Scope Contract has been a completed foundation: `/admin` and `/system` are the active panels, `/admin/t` remains retired, workspace-wide versus environment-bound scope is route-owned, and `environment_id` is an explicit filter.

Several repo-real productization slices now sit on top of this: Customer Review Workspace v1 Completion, Decision Register proof/run links, customer-safe Decision Summary and Review Pack inclusion, Governance Inbox operator workflow, Provider Connection scope hardening, canonical link/query cleanup, localization adoption/neutralization, support-access slices, commercial entitlement/lifecycle truth, UI productization closeout, and current working-tree Management Report PDF runtime work.

The most important open gaps are no longer these foundations but runtime/productization follow-through: Management Report PDF staging/Dokploy renderer validation, Governance Artifact Lifecycle & Retention runtime, optional Provider readiness/onboarding polish, cross-domain indicator runtime adoption, manual system-panel browser fixture/procedure, durable self-serve commercial/subscription operations, and the first governed AI runtime consumer.

## Runtime Guardrails

- 2026-05-15 / Spec 304: Active Tenant Panel runtime is absent and guarded. `bootstrap/providers.php` registers no Tenant Panel provider, no active `TenantPanelProvider.php` exists under the platform app runtime paths, no `/admin/t` or legacy `/admin/tenants` route family is registered, and focused tests guard canonical workspace/environment link emission. Workspace remains the active Filament admin runtime context while Managed Environment surfaces stay under canonical workspace/environment routes.
- 2026-06-15 / Spec 311: Workspace / Environment Surface Scope Contract is a completed foundation. Do not reopen shell, sidebar, topbar, breadcrumb, or global workspace/environment scope unless fresh repo evidence shows regression. `environment_id` is an explicit page filter, not hidden global context.
- 2026-06-15 / Spec 377: post-productization browser reaudit is closed with follow-up; no P0/P1 productization findings remain in its accepted evidence.
  Remaining system-panel browser fixture/procedure work is validation follow-up, not a product runtime blocker.
- 2026-06-15 / current working-tree Spec 379: Management Report PDF generation is repo-real but runtime-gated. `TENANTPILOT_PDF_RENDERER_RUNTIME_VALIDATED=false` keeps generation disabled until deployed Gotenberg/Dokploy validation passes; current workspace code evidence must not be treated as production enablement.

## Status Model

- `foundation-only`: credible technical, policy, or control-layer foundation without sufficient productization
- `implemented but not productized`: real surface or workflow exists, but no calm, repeatable product layer yet
- `fast sellable`: repo-real, close to the customer or operator, and near repeatable delivery, but final productization gaps remain
- `sellable`: credible UI, workflow, RBAC/audit, and test trail with a repeatable product promise
- `not implemented`: no credible repo-real slice yet for the actual goal

Spec 310 truth labels for status notes:

- `repo-real`: code, runtime surface, tests, or accepted spec close-out evidence substantiate the slice in the repo
- `implemented`: runtime exists, but product maturity may vary
- `spec-backed`: a formal spec exists; implementation is not automatically complete
- `historical`: completed, promoted, or now only sequencing context
- `superseded`: replaced by later spec or runtime truth
- `open gap`: still needs product or engineering work
- `security-hardening completed`: security/access hardening was specifically verified and addressed
- `decision needed`: a product or architecture decision is required before implementation

Evidence levels in this document:

- `none`: no credible repo evidence
- `weak`: thin code or doc trail, but no credible end-to-end workflow
- `medium`: multiple repo signals, but not yet end to end
- `strong`: data model, workflow, UI, or test trail interlock consistently

## Roadmap Coverage Summary

| Roadmap Area | Product posture | Evidence Level | UI Ready | Tested | Sellable | Notes |
|---|---|---:|---|---|---|---|
| R1 Golden Master Governance | sellable | strong | yes | repo tests, not run | yes | Baselines, drift, findings, and OperationRun truth are broadly anchored in the product. |
| R2 Tenant Reviews, Evidence & Control Foundation | fast sellable | strong | yes | repo tests, not run | near | Reviews, Evidence, Review Packs, Customer Review Workspace v1 completion, governance-package delivery, customer-safe Decision Summary / Review Pack inclusion, compliance interpretation overlays, and the control/exception layer come together as a real governance surface; Management Report PDF remains runtime-gated until staging/Dokploy renderer validation. |
| Alert escalation + notification routing | sellable | strong | partial | repo tests, not run | yes | Alert rules, dispatch, cooldown, and quiet hours are real. |
| Governance & Architecture Hardening | foundation-only | strong | partial | repo tests, not run | no | Many hardening slices are already in the code; Spec 309 is `security-hardening completed`, Spec 311 is a completed surface-scope foundation, and Support Access Governance remains separate from RBAC hardening. |
| UI & Product Maturity Polish | implemented but not productized | strong | partial | repo tests, not run | no | Empty States, Navigation, Localization, read-only Review-Polish, Customer Review Workspace v1, Governance Inbox final workflow, and Spec 377 closeout evidence are repo-real; remaining system-panel browser fixture/procedure is validation follow-up. |
| Secret & Security Hardening | fast sellable | strong | yes | repo tests, not run | yes | Provider verification, permission diagnostics, and redaction are solid. |
| Baseline Drift Engine (Cutover) | sellable | strong | yes | repo tests, not run | yes | Compare and drift workflow operate as a productive core function. |
| R1.9 Platform Localization v1 | implemented but not productized / repo-real | strong | yes | repo tests, not run | no | Locale resolver, override/preference, workspace default, fallback, localized notifications, and adoption/neutralization work through Specs 275 and 286 are repo-real; remaining copy QA is polish. |
| Product Scalability & Self-Service Foundation | fast sellable | strong | yes | repo tests, not run | near | Onboarding, Support, Help, Entitlements, commercial lifecycle state handling, billing-state maturity, support-access slices, and bounded support-desk handoff are repo-real; broader self-serve customer portal, trial/demo operations, and subscription ops remain productization decisions. |
| R2.0 Canonical Control Catalog Foundation | foundation-only | strong | partial | repo tests, not run | no | Already implemented and referenced in Evidence/Reviews, but no standalone customer-value surface. |
| R2 Completion: customer review, support, help | fast sellable | strong | yes | repo tests, not run | near | Customer Review Workspace v1 completion, released-review detail handoff, governance-package delivery, Support Diagnostics/Requests, support-access slices, and the Help catalog are repo-real; production-grade management PDF output remains runtime-gated. |
| Compliance Evidence Mapping v1 | implemented but not productized | strong | yes | repo tests, not run | no | Canonical control interpretation is rendered in tenant reviews and the customer review workspace, but broader framework coverage and auditor-facing mapping remain open. |
| Governance-as-a-Service Packaging v1 | implemented but not productized | strong | yes | repo tests, not run | no | Governance package status, download messaging, current review-pack reuse, and management-report PDF artifact flow are repo-real; recurring delivery workflows and production PDF renderer validation remain open. |
| Findings Workflow v2 / Execution Layer | fast sellable | strong | yes | repo tests, not run | yes | Triage, Ownership, My Work, Intake, Governance Inbox, Exceptions, and Alerts/Hygiene are real; cross-tenant decisioning remains for later. |
| Provider-missing policy visibility follow-up | not implemented | weak | no | no | no | `specs/261-provider-missing-policy-visibility/spec.md` remains a narrow policy-only follow-up; the broader lifecycle taxonomy is separate. |
| Platform Operations Maturity | implemented but not productized | strong | yes | repo tests, not run | no | System Panel, Control Tower, and Ops Controls are real; CSV/raw drilldowns remain open. |
| Product Usage, Customer Health & Operational Controls | implemented but not productized | strong | yes | repo tests, not run | no | This mid-term lane is already substantially present in the repo but remains primarily operator-side productization. |
| Private AI Execution Governance Foundation | foundation-only | strong | partial | repo tests, not run | no | `specs/248-private-ai-policy-foundation/spec.md` is repo-real in policy, boundary, settings, and Ops Controls; the first runtime consumer is still missing. |
| MSP Portfolio & Operations | implemented but not productized | strong | yes | repo tests, not run | no | Portfolio triage, canonical compare preview, preflight audit and launch continuity are repo-real; actual promotion execution and the broader decision workboard remain open. |
| Human-in-the-Loop Autonomous Governance | not implemented | weak | no | no | no | No repo-verified decision-pack or approval workflow beyond the current exception/review layer. |
| Drift & Change Governance | fast sellable | strong | yes | repo tests, not run | yes | Drift review, accepted-risk governance, exception validity, and Governance Inbox surfaces are repo-real; portfolio-wide escalation remains open. |
| Standardization & Policy Quality | not implemented | none | no | no | no | No strong repo evidence for an Intune linting or policy-quality surface. |
| PSA / Ticketing Handoff | implemented but not productized | strong | yes | repo tests, not run | no | Support Requests include bounded external create/link handoff on the current tenant and operation-run contexts; broader multi-provider ITSM expansion remains separate work. |

## Implemented Capabilities

| Capability | Product posture | Backend | UI | Tests | RBAC/Audit | Sellable | Evidence |
|---|---|---|---|---|---|---|---|
| OperationRun truth layer | foundation-only | yes | partial | repo tests, not run | yes | no | `app/Models/OperationRun.php`; `tests/Feature/System/*`; `tests/Feature/ReviewPack/*` |
| Baseline profiles, snapshots and compare | sellable | yes | yes | repo tests, not run | yes | yes | `app/Models/BaselineProfile.php`; `app/Models/BaselineSnapshot.php`; `app/Services/Baselines/BaselineCompareService.php` |
| Drift findings and governance pressure | sellable | yes | yes | repo tests, not run | yes | yes | `app/Models/Finding.php`; `app/Filament/Widgets/Dashboard/RecentDriftFindings.php`; `tests/Feature/Findings/*` |
| Findings inboxes and governance inbox | fast sellable | yes | yes | repo tests, not run | yes | yes | `app/Filament/Pages/Findings/MyFindingsInbox.php`; `app/Filament/Pages/Findings/FindingsIntakeQueue.php`; `app/Filament/Pages/Governance/GovernanceInbox.php`; `tests/Feature/Findings/MyWorkInboxTest.php`; `tests/Feature/Governance/*` |
| Finding exceptions and risk acceptance workflow | fast sellable | yes | yes | repo tests, not run | yes | yes | `app/Models/FindingException.php`; `app/Services/Findings/FindingExceptionService.php`; `app/Filament/Resources/FindingExceptionResource.php`; `tests/Feature/Findings/FindingExceptionWorkflowTest.php` |
| Decision Register operator surface | implemented but not productized / repo-real | yes | yes | repo tests, not run | yes | no | `specs/265-decision-register-approval/spec.md`; `specs/306-decision-register-reconciliation/decision-register-reconciliation.md`; `specs/307-decision-register-evidence-operationrun-link-polish/spec.md`; `app/Filament/Pages/Governance/DecisionRegister.php`; `app/Support/GovernanceDecisions/GovernanceDecisionRegisterBuilder.php`; `tests/Feature/Governance/DecisionRegisterPageTest.php`; `tests/Feature/Findings/FindingExceptionDecisionRegisterNavigationTest.php`; `tests/Feature/Findings/FindingExceptionDecisionRegisterBoundariesTest.php` |
| Decision Register proof/run links | fast sellable / repo-real | yes | yes | repo tests, not run | yes | no | `specs/307-decision-register-evidence-operationrun-link-polish/spec.md`; `specs/307-decision-register-evidence-operationrun-link-polish/tasks.md`; `app/Support/GovernanceDecisions/GovernanceDecisionRegisterBuilder.php`; `app/Filament/Pages/Governance/DecisionRegister.php`; `tests/Unit/Support/GovernanceDecisions/GovernanceDecisionRegisterBuilderTest.php`; `tests/Feature/Governance/DecisionRegisterPageTest.php` |
| Governance Inbox final operator workflow | fast sellable / repo-real / implemented | yes | yes | repo tests, not run | yes | near | `specs/327-governance-inbox-decision-first-workbench-productization/spec.md`; `specs/346-governance-inbox-final-operator-workflow/spec.md`; `app/Filament/Pages/Governance/GovernanceInbox.php`; `tests/Feature/Governance/*` |
| Restore workflow with safety gates | sellable | yes | yes | repo tests, not run | yes | yes | `app/Models/OperationRun.php`; restore gates and tests in `tests/Feature/Restore/*` |
| Evidence snapshots | foundation-only | yes | yes | repo tests, not run | yes | no | `app/Models/EvidenceSnapshot.php`; `app/Services/Evidence/EvidenceSnapshotService.php`; `tests/Feature/Evidence/*` |
| Tenant reviews | fast sellable | yes | yes | repo tests, not run | yes | yes | `app/Models/TenantReview.php`; `app/Services/TenantReviews/TenantReviewService.php`; `tests/Feature/TenantReview/*` |
| Review pack generation and export | fast sellable | yes | yes | repo tests, not run | yes | yes | `specs/109-review-pack-export/spec.md`; `specs/308-decision-register-summary-review-pack/plan.md`; `app/Models/ReviewPack.php`; `app/Services/ReviewPackService.php`; `app/Jobs/GenerateReviewPackJob.php`; `tests/Feature/ReviewPack/*` |
| Decision Summary in reviews and Review Packs | fast sellable / repo-real | yes | yes | repo tests, not run | yes | yes | `specs/308-decision-register-summary-review-pack/spec.md`; `specs/308-decision-register-summary-review-pack/plan.md`; `app/Services/EnvironmentReviews/EnvironmentReviewComposer.php`; `app/Jobs/GenerateReviewPackJob.php`; `tests/Feature/EnvironmentReview/EnvironmentReviewExecutivePackTest.php`; `tests/Feature/ReviewPack/EnvironmentReviewDerivedReviewPackTest.php` |
| Customer review workspace | fast sellable / repo-real / implemented | yes | yes | repo tests, not run | yes | near | `specs/258-customer-review-productization/spec.md`; `specs/312-customer-review-workspace-v1-completion/spec.md`; `specs/342-customer-review-workspace-final-consumption-productization/spec.md`; `app/Filament/Pages/Reviews/CustomerReviewWorkspace.php`; `tests/Feature/Reviews/*`; `tests/Browser/Reviews/CustomerReviewWorkspaceSmokeTest.php` |
| Management Report PDF generation | implemented but not productized / repo-real / open gap | yes | yes | repo tests, not run | yes | no | `specs/378-management-report-pdf-v1/spec.md`; `specs/379-management-report-pdf-runtime/spec.md`; `app/Services/ManagementReports/ManagementReportPdfService.php`; `app/Jobs/GenerateManagementReportPdfJob.php`; `app/Http/Controllers/ManagementReportPdfDownloadController.php`; `app/Filament/Resources/ReviewPackResource/Pages/ViewReviewPack.php`; `tests/Feature/ReviewPack/Spec379ManagementReportPdfTest.php`; `tests/Browser/Spec379ManagementReportPdfSmokeTest.php`; runtime gate requires staging/Dokploy validation before production enablement |
| Governance package delivery surface | implemented but not productized | yes | yes | repo tests, not run | yes | no | `specs/260-governance-service-packaging/spec.md`; `app/Filament/Pages/Reviews/CustomerReviewWorkspace.php`; `app/Filament/Resources/TenantReviewResource.php`; `tests/Feature/Reviews/CustomerReviewWorkspacePackAccessTest.php`; `tests/Feature/TenantReview/TenantReviewExplanationSurfaceTest.php` |
| Compliance evidence mapping overlay | implemented but not productized | yes | yes | repo tests, not run | partial | no | `specs/259-compliance-evidence-mapping/spec.md`; `app/Support/Governance/Controls/ComplianceEvidenceMappingV1.php`; `app/Services/TenantReviews/TenantReviewSectionFactory.php`; `tests/Feature/TenantReview/TenantReviewCanonicalControlReferenceTest.php` |
| Alerts and notification routing | sellable | yes | partial | repo tests, not run | yes | yes | `app/Services/Alerts/AlertDispatchService.php`; `tests/Feature/*Alert*` |
| Provider health, onboarding readiness and required permissions | fast sellable | yes | yes | repo tests, not run | yes | yes | `app/Jobs/ProviderConnectionHealthCheckJob.php`; `app/Services/Onboarding/OnboardingLifecycleService.php`; `app/Filament/Pages/TenantRequiredPermissions.php` |
| Permission posture reporting | sellable | yes | yes | repo tests, not run | yes | yes | `app/Services/PermissionPosture/PermissionPostureFindingGenerator.php`; `tests/Feature/PermissionPosture/*` |
| Entra admin roles reporting | sellable | yes | yes | repo tests, not run | yes | yes | `app/Services/EntraAdminRoles/EntraAdminRolesReportService.php`; `tests/Feature/EntraAdminRoles/*` |
| Stored reports substrate and artifact surface | implemented but not productized / repo-real | yes | partial | repo tests, not run | partial | no | `specs/277-stored-reports-surface/spec.md`; `app/Models/StoredReport.php`; current working-tree Spec 379 management PDF artifact fields; `tests/Feature/PermissionPosture/StoredReportModelTest.php`; `tests/Feature/EntraAdminRoles/StoredReportFingerprintTest.php`; `tests/Feature/ReviewPack/Spec379ManagementReportPdfTest.php` |
| Support diagnostics | fast sellable | yes | yes | repo tests, not run | yes | yes | `app/Support/SupportDiagnostics/SupportDiagnosticBundleBuilder.php`; `app/Filament/Pages/TenantDashboard.php`; `tests/Feature/SupportDiagnostics/*` |
| In-app support requests | fast sellable | yes | yes | repo tests, not run | yes | yes | `app/Models/SupportRequest.php`; `app/Support/SupportRequests/*`; `tests/Feature/SupportRequests/*` |
| External support-desk handoff | implemented but not productized | yes | yes | repo tests, not run | yes | no | `app/Support/SupportRequests/ExternalSupportDeskHandoffService.php`; `app/Support/SupportRequests/SupportRequestSubmissionService.php`; `tests/Unit/Support/SupportRequests/ExternalSupportDeskHandoffServiceTest.php` |
| Product knowledge and contextual help | implemented but not productized | yes | yes | repo tests, not run | partial | no | `app/Support/ProductKnowledge/ContextualHelpCatalog.php`; `tests/Feature/Onboarding/ProductKnowledgeOnboardingHelpTest.php` |
| Localization foundation | foundation-only | yes | yes | repo tests, not run | partial | no | `specs/252-platform-localization-v1/spec.md`; `app/Services/Localization/LocaleResolver.php`; `app/Http/Controllers/LocalizationController.php`; `tests/Feature/Localization/*` |
| Product telemetry | foundation-only | yes | yes | repo tests, not run | yes | no | `app/Models/ProductUsageEvent.php`; `app/Filament/System/Widgets/ProductTelemetryKpis.php`; `tests/Feature/System/ProductTelemetry/*` |
| Customer health scoring | foundation-only | yes | yes | repo tests, not run | partial | no | `app/Filament/System/Widgets/CustomerHealthKpis.php`; `app/Filament/System/Widgets/CustomerHealthTopWorkspaces.php`; `tests/Feature/System/CustomerHealth/*` |
| Operational controls | foundation-only | yes | yes | repo tests, not run | yes | no | `app/Models/OperationalControlActivation.php`; `app/Support/OperationalControls/*`; `tests/Feature/System/OpsControls/*` |
| Governed AI policy foundation | foundation-only | yes | partial | repo tests, not run | yes | no | `specs/248-private-ai-policy-foundation/spec.md`; `app/Support/Ai/AiUseCaseCatalog.php`; `app/Support/Ai/GovernedAiExecutionBoundary.php`; `app/Support/Ai/AiDecisionAuditMetadataFactory.php`; `app/Filament/Pages/Settings/WorkspaceSettings.php`; `tests/Unit/Support/Ai/*`; `tests/Feature/SettingsFoundation/WorkspaceAiPolicySettingsTest.php`; `tests/Feature/System/OpsControls/AiExecutionOperationalControlTest.php` |
| Workspace entitlements | foundation-only | yes | yes | repo tests, not run | yes | no | `app/Services/Entitlements/WorkspaceEntitlementResolver.php`; `tests/Feature/Filament/Settings/WorkspaceEntitlementsSettingsPageTest.php` |
| Commercial lifecycle state handling | implemented but not productized / repo-real | yes | yes | repo tests, not run | yes | no | `specs/251-commercial-entitlements-billing-state/spec.md`; `specs/274-billing-subscription-truth/spec.md`; `app/Services/Entitlements/WorkspaceCommercialLifecycleResolver.php`; `app/Filament/System/Pages/Directory/ViewWorkspace.php`; `tests/Feature/System/ViewWorkspaceEntitlementsTest.php`; `tests/Unit/Entitlements/WorkspaceCommercialLifecycleResolverTest.php` |
| Capability-first RBAC | foundation-only | yes | yes | repo tests, not run | yes | no | `app/Services/Auth/CapabilityResolver.php`; `app/Services/Auth/RoleCapabilityMap.php`; many `tests/Feature/Rbac/*` |
| RBAC role matrix and access boundary hardening | security-hardening completed / repo-real | yes | yes | repo tests, not run | yes | no | `specs/309-rbac-role-matrix-access-boundary-audit/tasks.md`; `app/Services/Auth/WorkspaceRoleCapabilityMap.php`; `app/Models/User.php`; `tests/Feature/Rbac/RoleMatrix/ManagerAccessTest.php`; `tests/Feature/Rbac/PanelAccess/AdminPanelAccessBoundaryTest.php`; `tests/Feature/Rbac/PanelAccess/SystemPanelAccessBoundaryTest.php` |
| Workspace / Environment Surface Scope Contract | foundation-only / repo-real / implemented | yes | yes | repo tests, not run | yes | no | `specs/311-workspace-environment-surface-scope-contract/spec.md`; `bootstrap/providers.php`; `routes/web.php`; active `/admin` and `/system`; no active `/admin/t`; `environment_id` filter semantics |
| Provider Connection scope hardening | security-hardening completed / repo-real | yes | yes | repo tests, not run | yes | no | `specs/339-provider-connection-scope-hardening/spec.md`; `app/Filament/Resources/ProviderConnectionResource.php`; `app/Policies/ProviderConnectionPolicy.php`; `tests/Feature/ProviderConnections/*` |
| Canonical link / query cleanup | implemented / repo-real | yes | yes | repo tests, not run | partial | no | `specs/341-canonical-link-query-cleanup/spec.md`; `app/Support/Workspaces/WorkspaceHubNavigation.php`; `app/Filament/Pages/Reviews/CustomerReviewWorkspace.php`; route/link guard tests |
| Audit log foundation | foundation-only | yes | yes | repo tests, not run | yes | no | `app/Models/AuditLog.php`; `app/Services/Audit/WorkspaceAuditLogger.php`; many audit-focused feature tests |
| Canonical control catalog | foundation-only | yes | partial | repo tests, not run | partial | no | `app/Support/Governance/Controls/CanonicalControlCatalog.php`; `config/canonical_controls.php`; `tests/Unit/Governance/*` |
| Portfolio triage continuity | foundation-only | yes | yes | repo tests, not run | yes | no | `app/Services/PortfolioTriage/TenantTriageReviewService.php`; `app/Support/PortfolioTriage/*`; `tests/Feature/Filament/TenantRegistryTriageReviewStateTest.php` |
| Cross-tenant compare preview and promotion preflight | fast sellable | yes | yes | repo tests, not run | yes | yes | `specs/043-cross-tenant-compare-and-promotion/spec.md`; `app/Filament/Pages/CrossTenantComparePage.php`; `app/Support/PortfolioCompare/CrossTenantComparePreviewBuilder.php`; `app/Support/PortfolioCompare/CrossTenantPromotionPreflight.php`; `tests/Feature/PortfolioCompare/*`; `tests/Unit/Support/PortfolioCompare/*` |

## Foundation-Only Capabilities

- OperationRun truth and canonical operation typing: strong execution foundation, but no standalone customer-value surface.
- Audit log foundation: widely used and important for governance, but not sellable on its own.
- Capability-first RBAC: robust and close to the tests, but remains an enablement layer; Spec 309 is the completed `security-hardening completed` correction for owner-only membership management and admin/system panel boundaries, not the Support Access Governance productization.
- Workspace entitlements and commercial lifecycle policy engine: real gate, lifecycle, billing-state, and override logic; full self-service billing/subscription ops remain later productization.
- Canonical control catalog: strong semantic foundation for Evidence, Findings, and Reviews.
- Stored reports substrate: important for reports, evidence, diagnostics, and Management Report PDF artifacts; product maturity still depends on lifecycle/retention semantics and runtime validation.
- Evidence snapshot substrate: load-bearing technical basis for reviews and exports.
- Localization foundation: resolved locale precedence, workspace default, user preference/override, and notification formatting are real, but enablement rather than a product surface of its own.
- Governed AI policy foundation: use-case catalog, boundary, audit metadata, workspace policy surface, and ops-control integration are repo-real, but still without a first runtime consumer.
- Workspace / Environment Surface Scope Contract: completed foundation for route-owned scope; do not treat as an open product slice.
- Operational control registry and evaluator: strong safety-control foundation, primarily operator-side.
- Product telemetry and customer health scoring: real operator-side SaaS operations layers, but not yet a standalone sellable surface.
- Portfolio triage continuity: a sensible multi-tenant substructure, but not yet a complete portfolio product.

## Fast-Sellable Or Not-Yet-Productized Capabilities

- Customer-facing review consumption: Tenant Reviews, Evidence Snapshots, Review Packs, the Customer Review Workspace, the customer-safe released-review detail mode, governance-package delivery cues, Spec 308 Decision Summary / Review Pack inclusion, compliance interpretation overlays, commercial-lifecycle-aware access states, and post-311 Customer Review Workspace v1 completion are repo-real; future external portal/consumption would be a separate product decision.
- Findings Workflow v2: Triage, Assignment, My Work, Intake, Governance Inbox, Exceptions, notifications, and the three queue-facing cleanup/hardening follow-through packages are now repo-backed; later cross-tenant action layers remain separate work.
- Decision Register and Governance Inbox: Spec 265 operator register runtime, Spec 306 reconciliation, Spec 307 direct evidence/report plus source/evidence OperationRun proof-link polish, Spec 308 customer-safe Decision Summary / Review Pack inclusion, and Specs 327/346 Governance Inbox productization are repo-backed; do not treat Decision-Based Governance Inbox v1 as Greenfield.
- Product scalability and self-service: Onboarding, Support, Help, Entitlements, commercial lifecycle state handling, support-access slices, billing-state maturity, and external support-desk handoff are repo-real; broader trial/demo, self-serve subscription operations, and customer portal packaging remain.
- Management reporting: current working-tree management-report PDF runtime and artifact flow are repo-real, but production enablement remains gated on staging/Dokploy renderer validation.
- MSP portfolio operations: Portfolio triage plus cross-tenant compare preview and promotion preflight are repo-real; actual promotion execution and broader portfolio action orchestration remain open.
- Platform operations maturity: Control Tower and Ops Controls are strong, but some planned operator-side drilldowns/exports are still missing.
- Product knowledge rollout: help catalog and resolver are real, but not yet adopted broadly enough to count as "done".

## Not Implemented

- Governance Artifact Lifecycle & Retention v1
- Management Report PDF staging/Dokploy runtime validation and production enablement
- Durable self-serve Billing / Subscription Operations beyond existing entitlement and lifecycle truth
- Workspace & Tenant Closure Lifecycle runtime follow-through beyond existing taxonomy/current slices
- First Governed AI Runtime Consumer v1
- Human-in-the-Loop Autonomous Governance
- Standardization & Policy Quality / Intune Linting
- Provider-Missing Policy Visibility & Restore Continuity v1 (`specs/261-provider-missing-policy-visibility/spec.md`, spec-backed prep only)
- Broader compliance frameworks and auditor-facing mapping beyond the current evidence overlay

## Release Readiness

| Release / Theme | Readiness | Notes |
|---|---|---|
| R1 Golden Master Governance | sellable | The central governance and execution layer is repo-verified and broadly adopted. |
| R2 Tenant Reviews & Evidence Packs | fast sellable | Reviews, Evidence Snapshots, Review Packs, Customer Review Workspace v1 completion, released-review detail handoff, governance-package delivery, compliance interpretation overlays, exception/accepted-risk workflow, and Management Report PDF runtime work are repo-real; PDF production enablement remains gated by staging/Dokploy renderer validation. |
| | R3 MSP Portfolio OS | implemented but not productized | Portfolio-Triage sowie canonical compare preview/preflight sind da, aber actual promotion execution und portfolio-weite Action-Layer fehlen weiter. | | Compliance Evidence Mapping v1 | implemented but not productized | Compliance interpretation overlays sind repo-real in Tenant Reviews und Customer Review Workspace, aber breitere Framework-Abdeckung und auditor-facing mapping fehlen weiter. | | Governance-as-a-Service Packaging v1 | implemented but not productized | Governance package status, delivery messaging, current review-pack reuse, and management-report PDF artifact flow are repo-real; recurring delivery workflow and production renderer validation remain incomplete. | ## Commercial Readiness ### Demo-ready - Baseline compare and drift walkthroughs - Review pack generation and export - Customer review workspace walkthroughs with operator guidance - Cross-tenant compare preview and promotion preflight walkthroughs - Provider health, onboarding readiness and required permissions - Support diagnostics - Permission posture and Entra admin roles reporting ### Fast sellable - Review-driven governance workflow rund um Tenant Reviews, Customer Review Workspace, governance-package delivery, Spec 308 Decision Summary / Review Pack inclusion, compliance interpretation overlays, accepted risks und Review Packs, aber noch nicht als vollstaendig productisierte customer-safe consumption experience - Baseline drift and restore governance - Findings workflow mit persönlicher Inbox, Intake, Governance Inbox und Exception-Handling - Alerting and run visibility for governance operations - Support requests with contextual diagnostics and bounded external create/link handoff - Provider readiness and permission posture reporting ### Implemented but not productized - Review pack generation and export als wiederholbare auditor-/executive-ready delivery layer - Broader compliance evidence mapping surface - Standalone 
governance-as-a-service packaging workflow - Cross-tenant compare preview and promotion preflight without execution - Product knowledge and contextual help rollout ### Foundation-only - OperationRun truth layer - Audit foundation - Capability-first RBAC - Workspace entitlements - Canonical control catalog - Stored reports substrate - Evidence snapshot substrate - Localization foundation - Governed AI policy foundation - Product telemetry - Customer health scoring - Operational controls - Portfolio triage continuity ### Not implemented - Auditor-ready executive export / auditor pack delivery - Portfolio-wide promotion execution and governance decision-pack workflow - Billing and subscription truth layer - Stored reports product surface - Customer-facing localization adoption - Workspace and tenant closure lifecycle runtime follow-through - First governed AI runtime consumer ## Open Gaps & Blockers Queue audit note: no safe automatic next-best-prep target remains active. The remaining open lanes are now tracked as explicit manual promotions in `docs/product/spec-candidates.md` instead of being re-opened through automatic queue logic. 

| Gap | Type | Impact | Roadmap Area | Recommended Spec |
|---|---|---|---|---|
| No safe automatic next-best-prep target is currently active | Planning boundary | `docs/product/spec-candidates.md` now keeps the active queue empty, so the next slice must be promoted deliberately instead of selected automatically | Product planning / queue hygiene | none - require explicit manual promotion |
| Management Report PDF production enablement remains gated | Runtime validation blocker | Current-branch Spec 379 implements the generation/download/audit flow, but staging/Dokploy Gotenberg validation must pass before enabling production runtime | Management reporting / review delivery | current Spec 379 follow-through, no new feature spec |
| Governance-artifact lifecycle runtime is still missing | Trust / auditability blocker | Lifecycle taxonomy and point retention rules exist, but governance artifacts still lack immutable-reference, hold, export, delete, and suspended/read-only runtime semantics | Lifecycle governance / enterprise trust | `Governance Artifact Lifecycle & Retention v1` |
| Provider readiness / onboarding polish may remain | Optional productization gap | Provider scope is hardened, but setup and resolution guidance should be promoted only if fresh operator evidence shows friction | Provider readiness | manual promotion only |
| Cross-domain progress and indicator runtime adoption may remain | UX / trust guardrail | Spec 278 provides the standardization path, but runtime adoption should follow only where actual indicator drift is visible | UI semantics / product trust | `Cross-Domain Progress / Indicator Semantics candidate group` |
| System-panel browser fixture/procedure remains manual | Validation follow-up | Spec 377 closed post-productization browser re-audit with no P0/P1 findings, but system-panel in-app browser fixture coverage remains procedure-dependent | Release validation | manual fixture/procedure follow-up |
| Durable self-serve subscription operations are not productized | Commercial productization gap | Entitlement and billing-state truth exist, but customer self-serve subscription operations, payment/invoice workflows, or commercial portal behavior remain outside the current product | Commercial readiness | manual promotion only |
| Future customer portal/external consumption is not productized | Productization decision | Customer Review Workspace v1 is repo-real in the admin context; a broader external customer portal is separate work | Customer consumption | manual promotion only |
| First governed AI runtime consumer is missing | Architecture blocker | The policy foundation exists, but there is no bounded runtime consumer proving the model end-to-end | Governed AI follow-through | `First Governed AI Runtime Consumer v1` |

## Recommended Manual Promotions

- `Management Report PDF staging/runtime validation and release hardening` -> anchored by `specs/378-management-report-pdf-v1/spec.md`, `specs/379-management-report-pdf-runtime/spec.md`, `apps/platform/app/Services/ManagementReports/ManagementReportPdfService.php`, `apps/platform/app/Jobs/GenerateManagementReportPdfJob.php`, `apps/platform/app/Http/Controllers/ManagementReportPdfDownloadController.php`, `apps/platform/app/Models/StoredReport.php`, and the Spec 379 runtime-validation artifacts.
- `Governance Artifact Lifecycle & Retention runtime` -> anchored by `specs/158-artifact-truth-semantics/spec.md`, `specs/262-lifecycle-governance-taxonomy/spec.md`, `specs/267-artifact-lifecycle-retention/spec.md`, and `docs/product/standards/lifecycle-governance.md`.
- `Provider readiness / onboarding productization` -> anchored by `specs/281-provider-connection-provider-scope-microsoft-profile-extraction/spec.md`, `specs/339-provider-connection-scope-hardening/spec.md`, `specs/353-provider-connections-resolution-guidance-v1/spec.md`, `apps/platform/app/Filament/Resources/ProviderConnectionResource.php`, and `apps/platform/app/Policies/ProviderConnectionPolicy.php`; promote only for fresh UX friction, not scope authority.
- `Cross-Domain Progress / Indicator runtime follow-through` -> anchored by `specs/278-cross-domain-progress-indicator-semantics/spec.md`, `docs/ui/tenantpilot-enterprise-ui-standards.md`, and current progress-like UI seams called out in `docs/product/spec-candidates.md`.
- `Manual system-panel browser fixture or audit procedure` -> anchored by `specs/376-*`, `specs/377-post-productization-browser-reaudit-closeout-gate/artifacts/closeout-decision.md`, and the system-panel authentication/fixture limits recorded there.
- `First Governed AI Runtime Consumer v1` -> anchored by `specs/248-private-ai-policy-foundation/spec.md`.

## Roadmap Drift Notes

- `docs/product/roadmap.md` and `docs/product/spec-candidates.md` are aligned through 2026-06-15, including Spec 311 completed surface-scope foundation, Specs 312/342/343/344/349/351/372 Customer Review Workspace v1 completion lineage, Specs 327/346 Governance Inbox lineage, Specs 339/341 provider/link cleanup, Spec 377 closeout evidence, and current working-tree Spec 379 runtime-gated Management Report PDF status.
- The remaining documentation risk is overstating current working-tree or local runtime evidence as production-ready. Management Report PDF remains disabled by runtime gate until staging/Dokploy renderer validation passes.
- This ledger therefore treats review-driven governance as `fast sellable`, Management Report PDF as `implemented but not productized`, and broad shell/scope/Decision Register/customer-review foundations as historical/completed rather than active candidates.
- Tests referenced here remain repo-present only. They were not executed for this ledger update.

## Evidence Sources

Most important strategy and scope sources:

- `docs/product/roadmap.md`
- `docs/product/spec-candidates.md`

Important platform and UI anchors:

- `apps/platform/bootstrap/providers.php`
- `apps/platform/app/Providers/Filament/AdminPanelProvider.php`
- `apps/platform/app/Providers/Filament/SystemPanelProvider.php`
- `apps/platform/app/Filament/Pages/TenantDashboard.php`
- `apps/platform/app/Filament/Pages/CrossTenantComparePage.php`
- `apps/platform/app/Filament/System/Pages/Dashboard.php`
- `apps/platform/app/Filament/Pages/TenantRequiredPermissions.php`
- `apps/platform/app/Filament/Pages/Reviews/CustomerReviewWorkspace.php`
- `apps/platform/app/Filament/Pages/Findings/MyFindingsInbox.php`
- `apps/platform/app/Filament/Pages/Findings/FindingsIntakeQueue.php`
- `apps/platform/app/Filament/Pages/Governance/GovernanceInbox.php`
- `apps/platform/app/Filament/Pages/Monitoring/FindingExceptionsQueue.php`

Important models:

- `apps/platform/app/Models/OperationRun.php`
- `apps/platform/app/Models/Finding.php`
- `apps/platform/app/Models/FindingException.php`
- `apps/platform/app/Models/FindingExceptionDecision.php`
- `apps/platform/app/Models/FindingExceptionEvidenceReference.php`
- `apps/platform/app/Models/BaselineProfile.php`
- `apps/platform/app/Models/BaselineSnapshot.php`
- `apps/platform/app/Models/EvidenceSnapshot.php`
- `apps/platform/app/Models/TenantReview.php`
- `apps/platform/app/Models/ReviewPack.php`
- `apps/platform/app/Models/StoredReport.php`
- `apps/platform/app/Models/SupportRequest.php`
- `apps/platform/app/Models/ProductUsageEvent.php`
- `apps/platform/app/Models/OperationalControlActivation.php`
- `apps/platform/app/Models/AuditLog.php`

Important services and jobs:

- `apps/platform/app/Services/ReviewPackService.php`
- `apps/platform/app/Services/TenantReviews/TenantReviewService.php`
- `apps/platform/app/Services/Evidence/EvidenceSnapshotService.php`
- `apps/platform/app/Services/Baselines/BaselineCompareService.php`
- `apps/platform/app/Services/Entitlements/WorkspaceCommercialLifecycleResolver.php`
- `apps/platform/app/Services/Alerts/AlertDispatchService.php`
- `apps/platform/app/Services/Findings/FindingExceptionService.php`
- `apps/platform/app/Jobs/ProviderConnectionHealthCheckJob.php`
- `apps/platform/app/Services/Onboarding/OnboardingLifecycleService.php`
- `apps/platform/app/Services/Entitlements/WorkspaceEntitlementResolver.php`
- `apps/platform/app/Services/PortfolioTriage/TenantTriageReviewService.php`
- `apps/platform/app/Support/Ai/AiUseCaseCatalog.php`
- `apps/platform/app/Support/Ai/GovernedAiExecutionBoundary.php`
- `apps/platform/app/Support/Ai/AiDecisionAuditMetadataFactory.php`
- `apps/platform/app/Support/Governance/Controls/ComplianceEvidenceMappingV1.php`
- `apps/platform/app/Support/PortfolioCompare/CrossTenantComparePreviewBuilder.php`
- `apps/platform/app/Support/PortfolioCompare/CrossTenantPromotionPreflight.php`
- `apps/platform/app/Support/SupportRequests/ExternalSupportDeskHandoffService.php`
- `apps/platform/app/Support/Governance/Controls/CanonicalControlCatalog.php`
- `apps/platform/app/Services/Audit/WorkspaceAuditLogger.php`
- `apps/platform/app/Services/Auth/CapabilityResolver.php`
- `apps/platform/app/Filament/Pages/Settings/WorkspaceSettings.php`
- `apps/platform/app/Services/Localization/LocaleResolver.php`

Important test anchors in the repo:

- `apps/platform/tests/Feature/PortfolioCompare/*`
- `apps/platform/tests/Feature/ReviewPack/*`
- `apps/platform/tests/Feature/Evidence/*`
- `apps/platform/tests/Feature/PermissionPosture/*`
- `apps/platform/tests/Feature/EntraAdminRoles/*`
- `apps/platform/tests/Feature/SupportDiagnostics/*`
- `apps/platform/tests/Feature/SupportRequests/*`
- `apps/platform/tests/Feature/System/ViewWorkspaceEntitlementsTest.php`
- `apps/platform/tests/Feature/TenantReview/TenantReviewCanonicalControlReferenceTest.php`
- `apps/platform/tests/Feature/System/CustomerHealth/*`
- `apps/platform/tests/Feature/System/ProductTelemetry/*`
- `apps/platform/tests/Feature/System/OpsControls/*`
- `apps/platform/tests/Feature/System/OpsControls/AiExecutionOperationalControlTest.php`
- `apps/platform/tests/Feature/SettingsFoundation/WorkspaceAiPolicySettingsTest.php`
- `apps/platform/tests/Feature/Filament/TenantRegistryTriageReviewStateTest.php`
- `apps/platform/tests/Unit/Governance/*`
- `apps/platform/tests/Unit/Support/Ai/*`
- `apps/platform/tests/Unit/Support/PortfolioCompare/*`
- `apps/platform/tests/Unit/Support/SupportRequests/ExternalSupportDeskHandoffServiceTest.php`
- `apps/platform/tests/Unit/Entitlements/*`

## Last Updated

2026-05-02 on branch `platform-dev` (ledger drift correction and alignment with `docs/product/roadmap.md` plus `docs/product/spec-candidates.md` after the manual-promotion split)