# Product Roadmap > Strategic thematic blocks and release trajectory. > This is the "big picture" — not individual specs. **Last updated**: 2026-04-25 --- ## Release History | Release | Theme | Status | |---------|-------|--------| | **R1 "Golden Master Governance"** | Baseline drift as production feature, operations polish | **Done** | | **R1 cont.** | Ops canonicalization, action surface contract, ops-ux enforcement | **Done** | | **R2 "Tenant Reviews, Evidence & Control Foundation"** | Evidence packs, stored reports, canonical control catalog, permission posture, alerts | **Partial** | | **R2 cont.** | Alert escalation + notification routing | **Done** | --- ## Active / Near-term ### Governance & Architecture Hardening Canonical run-view trust semantics, execution-time authorization continuity, tenant-owned query canon, findings workflow enforcement, Livewire trust-boundary reduction, operation-type canonicalization, provider-boundary hardening, target-scope neutrality, and governed-subject vocabulary enforcement. Goal: Turn the new audit constitution into enforceable backend and workflow guardrails before further governance surface area lands, while preventing the Governance-of-Record platform core from drifting into provider-specific or operation-type dual semantics. **Active specs**: 144 **Specced follow-through (draft)**: 149 (queued execution reauthorization), 150 (tenant-owned query canon), 151 (findings workflow backstop), 152 (Livewire context locking), 214 (governance outcome compression), 216 (provider dispatch gate), 237 (provider boundary hardening). Next foundation candidates: Canonical Operation Type Source of Truth, Provider Identity & Target Scope Neutrality, Platform Vocabulary Boundary Enforcement for Governed Subject Keys. **Operator truth initiative** (sequenced): Operator Outcome Taxonomy (Spec 156) → Reason Code Translation (Spec 157) → Artifact Truth Semantics (Spec 158) → Governance Operator Outcome Compression (Spec 214, draft). Humanized Diagnostic Summaries for Governance Operations is now Spec 220 (draft) as the run-detail adoption slice, while Provider Dispatch Gate Unification is now Spec 216 (draft) as the adjacent hardening lane. **Source**: architecture audit 2026-03-15, audit constitution, semantic clarity audit 2026-03-21, product spec-candidates ### UI & Product Maturity Polish Empty state consistency, list-expand parity, workspace chooser refinement, navigation semantics. Goal: Every surface feels intentional and guided for first-run evaluation. **Active specs**: 122, 121, 112 ### Secret & Security Hardening Secret redaction integrity, provider access hardening, required permissions sidebar. Goal: Enterprise trust — no credential leaks, no permission gaps. **Active specs**: 120, 108, 106 ### Baseline Drift Engine (Cutover) Full content capture, cutover to unified engine, resume capability. Goal: Ship drift detection as the complete production governance feature. **Active specs**: 119 (cutover) ### R1.9 Platform Localization v1 (DE/EN) UI-Sprache umschaltbar (`de`, `en`) mit sauberem Locale-Foundation-Layer. Goal: Konsistente, durchgängige Lokalisierung aller Governance-Oberflächen — ohne Brüche in Export, Audit oder Maschinenformaten. - Locale-Priorität: expliziter Override → User Preference → Workspace Default → System Default - Workspace Default Language für neue Nutzer, User kann persönliche Sprache überschreiben - Core-Surfaces zuerst: Navigation, Dashboard, Tenant Views, Findings, Baseline Compare, Risk Exceptions, Alerts, Operations, Audit-nahe Grundtexte - Canonical Glossary für Governance-Begriffe (Finding, Baseline, Drift, Risk Accepted, Evidence Gap, Run) — konsistente Terminologie über alle Views - Locale-aware Anzeigeformate für Datum, Uhrzeit, Zahlen und relative Zeiten - Maschinen- und Exportformate bleiben invariant/stabil (keine lokalisierte Semantik in CSV/JSON/Audit-Artefakten) - Notifications, E-Mails und operatorseitige Systemtexte nutzen die aufgelöste Locale des Empfängers - Fallback-Regel: fehlende Übersetzungen fallen kontrolliert auf Englisch zurück; keine leeren/rohen Keys im UI - Translation-Key Governance für Labels, Actions, Statuswerte, Empty States, Table Filters, Notifications und Validation-/Systemtexte - HTML/UI i18n-Foundation: korrektes `lang`/Locale-Setup, keine hartcodierten kritischen UI-Strings, layouts sprachrobust - Search/Sort/Filter auf kritischen Listen für locale-sensitives Verhalten prüfen - QA/Foundation: Missing-Key Detection, Locale Regression Tests, Pseudolocalization Smoke Tests für kritische Flows **Active specs**: — (not yet specced) ### Product Scalability & Self-Service Foundation Self-service and supportability foundation that keeps TenantPilot operable as a low-headcount, AI-assisted SaaS instead of drifting into manual onboarding, manual support, and founder-dependent customer operations. **Goal**: Productize the recurring work around onboarding, diagnostics, support context, plan limits, and customer guidance so that new customers can evaluate, onboard, operate, and request help with minimal manual intervention. - Self-Service Tenant Onboarding & Connection Readiness: guided tenant setup, consent readiness, provider connection checks, permission diagnostics, setup progress, completion score, and concrete next actions - Support Diagnostic Pack: diagnostic bundles for workspace, tenant, OperationRun, Finding, ProviderConnection, and report contexts with relevant health state, permissions, run context, errors, audit references, and AI-readable summaries - In-App Support Request with Context: support entry points that attach workspace, tenant, run/finding/report references, severity, diagnostic pack reference, and ticket reference back into TenantPilot - Product Knowledge & Contextual Help: help registry for feature explanations, status meanings, error guidance, permission rationale, troubleshooting hints, and docs links; also usable as the source layer for later AI support - Plans, Entitlements & Billing Readiness: plan model, feature gates, tenant/workspace/user/report/export/retention limits, trial state, grace periods, billing status, and audited plan changes - Demo & Trial Readiness: seeded demo workspaces, sample tenants, sample baselines/findings/reports, demo reset support, trial provisioning checklist, and sample-data mode where appropriate - Customer-facing transparency hooks: product surfaces should be designed so customer read-only views, review workspaces, support requests, and review-pack downloads can reuse the same underlying entities instead of becoming parallel one-off features **Active specs**: — (not yet specced) --- ## Planned (Next Quarter) ### R2.0 Canonical Control Catalog Foundation Framework-neutral canonical control core that bridges the shipped governance engine and later readiness or reporting overlays. **Goal**: Give baselines, drift, findings, exceptions, evidence, and reports one shared control object before framework-specific mappings land. - Framework-neutral canonical domains, subdomains, and control themes - Detectability classes, evaluation strategies, evidence archetypes, and artifact suitability - Microsoft subject and workload bindings for tenant-near technical controls - Small seed catalog for v1 families such as strong authentication, conditional access, privileged access, endpoint baseline or hardening, sharing boundaries, mail protection, audit retention, and delegated admin boundaries - Referenceable from Baseline Profiles, Compare and Drift, Findings, Exceptions, StoredReports, and EvidenceItems - Foundation for later framework mappings, readiness views, customer review workspaces, and auditor packs - Explicitly not a late compliance feature: this is the semantic platform layer for tenant reviews, evidence packs, findings, exceptions, stored reports, and future readiness views ### R1.x Foundation Hardening — Governance Platform Anti-Drift Stabilize the Governance-of-Record platform semantics before additional Microsoft domains, compliance overlays, or multi-cloud execution expand the surface area. **Goal**: Keep Golden Master Governance from becoming provider-specific feature growth by hardening the platform seams underneath OperationRuns, ProviderConnections, governed subjects, and shared vocabulary. - Canonical Operation Type Source of Truth for persistence, dispatch, UI labels, audit, alerts, notifications, and reporting - Provider Boundary Hardening so provider-specific behavior stays inside provider adapters and registries - Provider Identity & Target Scope Neutrality so Entra-specific identifiers do not become generic platform truth - Platform Vocabulary Boundary Enforcement for Governed Subject Keys so `policy_type` and similar provider/domain terms do not leak into the platform core - Codebase Quality & Engineering Maturity hardening so the platform remains enterprise-maintainable while the governance surface grows: System Panel least-privilege capabilities, static-analysis baseline, architecture-boundary guard tests, and targeted decomposition of large Filament/service hotspots - No AWS/GCP/SaaS connector implementation in this slice; this is anti-drift foundation work only ### R2 Completion — Evidence & Exception Workflows - Review pack export (Spec 109 — done) - Exception/risk-acceptance workflow for Findings → Spec 154 (draft) - Formal evidence/review-pack entity foundation → Spec 153 (evidence snapshots, draft) + Spec 155 (tenant review layer / review packs, draft) - Workspace-level PII override for review packs → deferred from 109 - Customer Review Workspace / Read-only View v1 → sharpen customer-facing review consumption: baseline status, latest reviews, findings, accepted risks, evidence/review-pack downloads, customer-safe redaction, and no admin/remediation actions - Support Diagnostic Pack → connect tenant/review/finding/report/operation contexts into a reusable support bundle before support demand scales - In-App Support Request with Context → attach the relevant diagnostic pack and ticket reference to support workflows without creating a separate support data model - Product Knowledge & Contextual Help → reuse canonical glossary, outcome/reason semantics, and report/finding terminology as the product-help source layer ### Findings Workflow v2 / Execution Layer Turn findings from a reviewable register into an accountable operating flow with clear ownership, personal queues, intake, hygiene, and minimal escalation. **Scope direction**: - Clarify owner versus assignee semantics and accountability language first - Add operator work surfaces such as "Assigned to me" and an unassigned intake queue with basic claim flow - Harden assignment hygiene, stale-work detection, and resolved-versus-verified outcome semantics - Reuse the existing alerting foundation for assignment, reopen, due-soon, and overdue notification flows - Keep comments, external ticket handoff, and cross-tenant workboards as later slices instead of forcing them into the first workflow iteration ### Policy Lifecycle / Ghost Policies Soft delete detection, automatic restore, "Deleted" badge, restore from backup. Draft exists (Spec 900). Needs spec refresh and prioritization. **Risk**: Ghost policies create confusion for backup item references. ### Platform Operations Maturity - CSV export for filtered run metadata (deferred from Spec 114) - Raw error/context drilldowns for system console (deferred from Spec 114) - Multi-workspace operator selection in `/system` (deferred from Spec 113) ### Solo-Founder SaaS Automation & Operating Readiness Internal operating-system track for running TenantPilot as a lean, AI-assisted SaaS company with repeatable customer acquisition, onboarding, support, billing, security review, and release communication. **Goal**: Keep company operations from becoming founder-only manual work while the product moves from pilots to repeatable customer delivery. - Lead Capture & CRM Pipeline: website lead forms, demo requests, waitlist, lead status, pilot status, customer status, follow-up reminders, and meeting notes capture - Demo Environment Automation: repeatable demo workspace, sample tenant data, reset flow, demo scripts, and separate demo stories for MSP and enterprise IT buyers - Trial Provisioning Workflow: trial request intake, plan/limit assignment, provisioning checklist, onboarding status, trial expiry, conversion path, and grace handling - Billing & Contract Readiness: plan matrix, offer templates, invoicing flow, payment/billing status, trial-to-paid process, cancellation process, and grace-period handling - AVV / DPA / TOM / Legal Pack: reusable customer-facing legal and data-processing artifacts aligned with the actual product data model and hosting setup - Security Trust Pack Light: hosting overview, data categories, least-privilege permission model, RBAC model, retention, backup, audit logging, subprocessors, and “what we do not store” documentation - Support Desk + AI Triage: support mailbox or ticket system, categories, priorities, macros, known issues, AI triage, answer drafts, and linkage to TenantPilot diagnostic packs - Knowledge Base Pipeline: public docs, onboarding docs, troubleshooting docs, internal runbooks, and a maintained source set for AI-assisted support - Monitoring & Incident Runbooks: uptime, queues, failed jobs, error tracking, backups, storage, certificates, Graph failure rates, status page, incident templates, postmortem templates, and customer communication templates - Release & Customer Communication Automation: customer changelog, release notes, support notes, migration notes, breaking-change markers, known limitations, and docs-update checklist **Active specs**: — (not yet specced; company-ops track, not all items need product specs) ### Additional Solo-Founder Scale Guardrails Cross-cutting operating guardrails that prevent TenantPilot from scaling through hidden manual work, unclear customer health, missing operational controls, ad-hoc customer communication, or unmanaged founder dependency. **Goal**: Make repeatability, observability, controllability, and delegability explicit before customer volume makes the gaps expensive. - Product Usage & Adoption Telemetry: privacy-aware usage signals for onboarding completion, feature adoption, report exports, failed flows, support-triggering surfaces, inactive customers, and trial conversion indicators - Customer Health Score: derived customer/workspace health indicators from login/activity, provider health, last sync, baseline compare freshness, open high findings, overdue SLAs, expiring risk acceptances, failed runs, support load, and review-pack readiness - Operational Controls & Feature Flags: global/workspace kill switches and scoped controls for risky features, restore actions, exports, AI functions, provider actions, trials, maintenance scenarios, and temporary read-only states - Customer Lifecycle Communication: structured lifecycle messages for welcome, onboarding, trial reminders, provider health warnings, review-pack readiness, risk-expiry reminders, release updates, incidents, renewal, payment issues, and churn feedback - Vendor Questionnaire Answer Bank: reusable security/procurement answers aligned with the Security Trust Pack, product data model, Microsoft permissions, hosting, AI usage, subprocessors, retention, backup, deletion, and incident handling - Product Intake & No-Customization Governance: feature-request intake, roadmap-fit classification, no-custom-work policy, customer exception handling, productization rules, and a clear path from request → candidate → spec → release or rejection - Support Severity Matrix & Runbooks: P1–P4 definitions, incident vs support vs bug vs feature request distinction, response expectations by plan, escalation rules, known-issue handling, and internal support runbooks - Data Retention, Export & Deletion Self-Service: customer-facing and operator-facing flows for export, archive, deletion request handling, trial data expiry, workspace deactivation, and evidence/report retention visibility - Business Continuity / Founder Backup Plan: access documentation, secret management, emergency contacts, deployment and restore runbooks, incident templates, DNS/domain/hosting ownership, billing access, and vacation/sickness fallback **Active specs**: — (not yet specced; guardrail track, only product-impacting items should become specs) --- ## Mid-term (2–3 Quarters) ### Product Usage, Customer Health & Operational Controls Product-side implementation lane for the highest-impact solo-founder guardrails: adoption telemetry, customer/workspace health scoring, and operator controls/feature flags. **Goal**: Give the founder/operator a measurable, controllable view of customer adoption, risk, and operational safety without relying on manual checks across logs, support tools, billing tools, and product screens. **Why it matters**: Low-headcount SaaS only works if the product shows where customers are stuck, which workspaces are unhealthy, and which features can be safely paused or limited during incidents. **Depends on**: Self-Service Tenant Onboarding & Connection Readiness, Support Diagnostic Pack, Plans / Entitlements & Billing Readiness, ProviderConnection health, OperationRun truth, Findings workflow, StoredReports / EvidenceItems, and audit log foundation. **Scope direction**: Start with privacy-aware product telemetry, derived customer/workspace health indicators, and a minimal operational controls registry. Avoid building a full analytics platform, CRM, or customer-success suite in the first slice. ### AI-Assisted Customer Operations AI-assisted customer operations layer for support, reviews, summaries, release communication, and customer-facing explanations, explicitly bounded by human approval and product auditability. **Goal**: Use AI to prepare, summarize, classify, and draft customer operations work while keeping tenant-changing actions, customer commitments, legal statements, and external communications under human approval. **Why it matters**: TenantPilot can stay lean only if support, customer reviews, release communication, and diagnostics are structured enough for AI assistance without becoming ungoverned automation. **Depends on**: Product Knowledge & Contextual Help, Support Diagnostic Pack, In-App Support Request, StoredReports / EvidenceItems, Findings workflow maturity, release-note discipline, and company support-desk structure. **Scope direction**: Start with AI-generated support summaries, finding explanations, tenant review summaries, diagnostic summaries, release-note drafts, and support-response drafts. Avoid autonomous tenant remediation, automatic risk acceptance, automatic legal commitments, or customer-facing messages without review. ### Decision-Based Operating Foundations Constitution hardening for decision-first governance, workflow-first navigation, surface taxonomy, and primary-vs-evidence surface refactoring. **Goal**: Prepare TenantPilot for a quieter, decision-centered operating model where primary surfaces ask for action and deeper technical detail stays available on demand. **Why it matters**: Governance inboxes, actionable alerts, and later autonomous-governance features will fail if they land on top of detail-heavy, entity-first navigation. This is the UX/product prerequisite layer for the later MSP Portfolio OS direction. **Depends on**: Current constitution and action-surface hardening, operator-truth work, existing navigation/context specs. **Scope direction**: First the constitution/rule delta, then a surface / IA classification of current product surfaces, then bounded retrofits that demote detail-first flows behind progressive disclosure instead of creating more top-level pages. ### MSP Portfolio & Operations (Multi-Tenant) Multi-tenant health dashboard, SLA/compliance reports (PDF), cross-tenant troubleshooting center. **Source**: 0800-future-features brainstorming, identified as highest priority pillar. **Prerequisites**: Decision-Based Operating Foundations, Cross-tenant compare (Spec 043 — draft only). **Later expansion**: portfolio operations should eventually include a cross-tenant findings workboard once tenant-level inbox and intake flows are stable. ### Human-in-the-Loop Autonomous Governance (Microsoft-first, Provider-extensible Decision-Based Operating) Continuous detection, triage, decision drafting, approval-driven execution, and closed-loop evidence for governance actions across the Microsoft-first workspace portfolio, while keeping the decision model provider-extensible for later non-Microsoft domains. **Goal**: Move TenantPilot from Microsoft tenant search-and-troubleshoot workflows to decision-based governance operations. Customers and operators should not have to click through tenants, runs, findings, reports, logs, and evidence to discover what needs attention. TenantPilot should detect relevant work, gather context, summarize impact, propose safe next actions, and present decision-ready items. The first product scope stays Microsoft tenant governance; the underlying decision model should avoid hard-coding Microsoft-only assumptions where a provider-neutral abstraction is already available. **Why it matters**: This is the longer-term MSP Portfolio OS layer. TenantPilot becomes the decision control plane for accountable Microsoft tenant governance first, not just a browser for runs, evidence, and tenant state. Detail pages remain available as evidence and diagnostics, but the default operating model becomes guided decisions, not manual investigation. **Depends on**: Decision-Based Operating Foundations, Product Knowledge & Contextual Help, Support Diagnostic Pack, Customer Health Score, MSP Portfolio & Operations surfaces, drift/findings/exception maturity, actionable alerts with structured payloads, canonical operation/evidence truth, operational controls, and human approval gates. **Scope direction**: Start with a Governance Inbox / Action Center, decision items, decision packs, actionable alerts, and approval-gated workflows for Microsoft tenant governance. Later add automation policies, guardrails, maintenance windows, dual approval, before/after evidence automation, and limited remediation execution. Keep human approval and auditability central; avoid blind autopilot remediation. **Core workflow**: - Detect relevant governance work automatically - Group, deduplicate, and prioritize related signals - Generate a decision pack with summary, impact, evidence, affected tenants/policies, recommended actions, and confidence - Present clear actions such as approve, reject, snooze, assign, accept risk, create ticket, run compare, generate review pack, or request evidence - Require human approval for tenant-changing, customer-facing, or risk-accepting actions - Execute approved follow-up through OperationRuns or controlled workflows - Verify outcome and attach before/after evidence - Keep audit trail across detection, recommendation, approval, execution, and verification **Anti-pattern**: Do not make customers manually troubleshoot by navigating through raw runs, logs, tables, and details as the primary workflow. Raw surfaces are evidence and diagnostics, not the main operating model. ### Drift & Change Governance ("Revenue Lever #1") Change approval workflows (DEV→PROD with audit pack), guardrails/policy freeze windows, tamper detection. **Source**: 0800-future-features brainstorming. **Prerequisite**: Drift engine fully shipped, findings workflow mature. ### Standardization & Policy Quality ("Intune Linting") Policy linter (naming, scope tag requirements, no All-Users on high-risk), company standards as templates, policy hygiene (duplicate finder, unassigned, orphaned, stale). **Source**: 0800-future-features brainstorming. ### PSA / Ticketing Handoff Outbound handoff from findings into external service-desk or PSA systems with visible `ticket_ref` linkage and auditable "ticket created/linked" events. **Scope direction**: start with one-way handoff and internal visibility, not full bidirectional sync or full ITSM modeling. ### Compliance Readiness & Executive Review Packs On-demand review packs that combine governance findings, accepted risks, evidence, baseline/drift posture, canonical control coverage, and key security signals into one coherent deliverable. CIS-aligned baseline libraries plus NIS2-/BSI-oriented readiness views depend on the Canonical Control Catalog and Evidence-to-Control mapping and remain explicitly without certification claims. Executive / CISO / customer-facing report surfaces alongside operator-facing detail views. Exportable auditor-ready and management-ready outputs. **Goal**: Make TenantPilot sellable as an MSP-facing governance and review platform for German midmarket and compliance-oriented customers who want structured tenant reviews and management-ready outputs on demand. **Why it matters**: Turns existing governance data into a clear customer-facing value proposition. Strengthens MSP sales story beyond backup and restore. Creates a repeatable "review on demand" workflow for quarterly reviews, security health checks, and audit preparation. **Depends on**: Canonical Control Catalog Foundation, Evidence-to-Control mapping, StoredReports / EvidenceItems foundation, Tenant Review runs, Customer Review Workspace / Read-only View, Findings + Risk Acceptance workflow, evidence / signal ingestion, export pipeline maturity. **Scope direction**: Start as compliance readiness and review packaging. Avoid formal certification language or promises. Position as governance evidence, management reporting, and audit preparation. **Modeling principle**: Compliance and governance requirements are modeled through a framework-neutral canonical control catalog plus technical interpretations and versioned framework overlays, not as separate technical object worlds per framework. Readiness views, evidence packs, baseline libraries, and auditor outputs are generated from that shared domain model. **Layering**: - **S1**: framework-neutral Canonical Control Catalog plus TenantPilot technical interpretations as the normative control core - **S2**: CIS Baseline Library as a template and library layer built on top of the canonical catalog, not a separate control object model - **S3**: NIS2 and BSI readiness views as mapping and readiness layers built on the same canonical catalog and evidence model - ISO and COBIT belong primarily in governance, assurance, ISMS, and readiness overlays on top of the shared catalog, not as separate technical subject or control worlds - Separate canonical control catalog versions, technical interpretation versions, framework overlay versions, and customer/MSP profile versions - Map canonical controls to evidence sources, evaluation rules, and manual attestations when automation is partial - Keep CIS baseline templates and NIS2 / BSI readiness views as downstream layers on top of the shared canonical control model - Keep ISO / COBIT semantics in governance-assurance and ISMS-oriented overlays rather than introducing a second technical control universe - Avoid framework-specific one-off reports that bypass the common evidence, findings, exception, and export pipeline ### Entra Role Governance Expand TenantPilot's governance coverage into Microsoft Entra role definitions and assignments as a first-class identity administration surface. **What it means**: Inventory and visibility for built-in and custom role definitions. Visibility into role assignments and governance-relevant changes. Review-ready representation of identity administration posture. **Why it matters**: Identity role governance is central to audit readiness and privilege control. Strengthens TenantPilot beyond device configuration into identity governance. **Scope direction**: Start with visibility, inventory, and governance-oriented reviewability. Avoid prematurely turning this into a full attestation workflow block. ### SharePoint Tenant-Level Sharing Governance Extend TenantPilot into high-value Microsoft 365 data-governance controls by covering tenant-level SharePoint and OneDrive sharing settings. **What it means**: Visibility into tenant-wide sharing and external access posture. Governance-oriented review surface for high-risk sharing controls. Alignment with customer demand for audit-ready data-sharing posture. **Why it matters**: Tenant-level sharing controls are critical for data exposure and external collaboration governance. Expands TenantPilot into a high-value non-Intune policy domain without becoming a generic M365 admin mirror. **Scope direction**: Start at tenant-level settings, not full site-level governance. Position as governance and reviewability, not full SharePoint administration. ### Enterprise App / Service Principal Governance Add governance coverage for enterprise applications and service principals, especially around privileged permissions, expiring credentials, and review workflows. **What it means**: Visibility into enterprise apps and service principals. Detection of expiring secrets and certificates. Governance surfaces for privileged app access and renewal workflows. **Why it matters**: App identities are a major cloud governance and security pain point for MSPs and enterprise customers. Creates strong customer-facing value beyond tenant configuration backup and restore. **Scope direction**: Start with visibility, expiry monitoring, and governance workflows. Avoid collapsing this into app-consent policy coverage alone. ### Security Posture Signals Expand TenantPilot's evidence layer with high-value security posture signals that support customer reviews, audit preparation, and recurring governance reporting. **What it means**: Defender Vulnerability Management exposure and remediation-oriented signals. Backup success/failure and protection-state signals. Additional evidence inputs for review packs and executive reporting. **Why it matters**: Strengthens TenantPilot's audit and review story without turning it into a remediation engine. Helps prove operational effectiveness in recurring customer reviews. **Scope direction**: Treat these as evidence/signal domains, not policy domains. Prioritize reporting, history, and correlation over operational ownership. --- ## Long-term ### Tenant-to-Tenant / Staging→Prod Promotion Compare/diff between tenants, mapping UI (groups, scope tags, filters, named locations, app refs), promotion plan (preview → dry-run → cutover → verify). **Source**: 0800-future-features, Spec 043 draft. ### Recovery Confidence ("Killer Feature") Automated restore tests in test tenants, recovery readiness report, preflight score. **Source**: 0800-future-features brainstorming. ### Security Suite Layer Security posture score, blast radius display, opt-in high-risk enablement. **Source**: 0800-future-features brainstorming. ### Script & Secrets Governance Script diff + approval + rollback, secret scanning, allowlist/signing workflow. **Source**: 0800-future-features brainstorming. --- ## Infrastructure & Platform Debt | Item | Risk | Status | |------|------|--------| | No explicit company automation roadmap linkage | Risk that sales, support, billing, legal, and customer communication become founder-only manual work | Covered by Solo-Founder SaaS Automation & Operating Readiness | | No product-level entitlement foundation yet | Later pricing, trial, retention, export, user, and tenant limits may require invasive retrofits | Covered by Product Scalability & Self-Service Foundation | | No structured support diagnostic bundle yet | Support cases require manual context gathering across tenants, runs, findings, providers, and reports | Covered by Product Scalability & Self-Service Foundation | | No formal security trust pack yet | Enterprise sales and customer security reviews require repeated manual explanations | Covered by Solo-Founder SaaS Automation & Operating Readiness | | No product usage/adoption telemetry yet | Founder cannot see onboarding drop-off, feature adoption, trial health, or support-triggering surfaces without manual investigation | Covered by Additional Solo-Founder Scale Guardrails | | No customer health score yet | Churn, inactive customers, stale reviews, unhealthy provider connections, and unresolved high-risk findings may be noticed too late | Covered by Additional Solo-Founder Scale Guardrails | | No explicit operational controls / feature flags lane | Incidents or risky features may require code changes or manual database intervention instead of safe operator controls | Covered by Additional Solo-Founder Scale Guardrails | | No no-customization governance yet | Customer-specific requests can silently turn the product into consulting work and create hidden maintenance obligations | Covered by Additional Solo-Founder Scale Guardrails | | No business-continuity / founder-backup plan yet | Solo-founder operations create continuity risk for incidents, illness, vacation, access recovery, and customer trust | Covered by Additional Solo-Founder Scale Guardrails | | No `.env.example` in repo | Onboarding friction | Open | | CI pipeline config status drift | Roadmap debt list may be stale because workflow files exist and should be re-audited; align with static-analysis and architecture-boundary gates | Review needed | | No PHPStan/Larastan | No static analysis; covered by `Static Analysis Baseline for Platform Code` spec candidate | Open | | Thin architecture-boundary enforcement | Product tests are strong, but architecture-level guardrails need expansion; covered by `Architecture Boundary Guard Tests` spec candidate | Open | | SQLite for tests vs PostgreSQL in prod | Schema drift risk | Open | | No formal release process | Manual deploys | Open | | Dokploy config external to repo | Env drift | Open | --- ## Priority Ranking (from Product Brainstorming) 1. Product Scalability & Self-Service Foundation 2. Product Usage, Customer Health & Operational Controls 3. Decision-Based Operating / Governance Inbox 4. MSP Portfolio + Alerting 5. Drift + Approval Workflows 6. Evidence / Review Packs + Customer Review Workspace 7. Standardization / Linting 8. Promotion DEV→PROD 9. Recovery Confidence 10. Solo-Founder SaaS Automation & Operating Readiness 11. Additional Solo-Founder Scale Guardrails --- ## How to use this file - **Big product and operating themes** live here. - **Concrete spec candidates** → see [spec-candidates.md](spec-candidates.md) - **Company automation / solo-founder operating items** live here as strategic tracks first; only product-impacting or repeatable engineering work should become spec candidates. - **Solo-founder guardrails** should remain visible even when they are not immediate product specs, because they define what must become measurable, controllable, delegable, or documented before customer volume grows. - **Governance positioning is Microsoft-first, provider-extensible**: roadmap language should keep the initial product scope focused on Microsoft tenant governance while avoiding unnecessary Microsoft-only coupling in platform-level abstractions. - **Small discoveries from implementation** → see [discoveries.md](discoveries.md) - **Product principles** → see [principles.md](principles.md)