TenantAtlas/docs/product/roadmap.md

Product Roadmap

Strategic thematic blocks and release trajectory. This is the "big picture" — not individual specs.

Last updated: 2026-03-21

---

Release History

Release	Theme	Status
R1 "Golden Master Governance"	Baseline drift as production feature, operations polish	Done
R1 cont.	Ops canonicalization, action surface contract, ops-ux enforcement	Done
R2 "Tenant Reviews & Evidence"	Evidence packs, stored reports, permission posture, alerts	Partial
R2 cont.	Alert escalation + notification routing	Done

---

Active / Near-term

Governance & Architecture Hardening

Canonical run-view trust semantics, execution-time authorization continuity, tenant-owned query canon, findings workflow enforcement, Livewire trust-boundary reduction. Goal: Turn the new audit constitution into enforceable backend and workflow guardrails before further governance surface area lands.

Active specs: 144 Next wave candidates: queued execution reauthorization and scope continuity, tenant-owned query canon and wrong-tenant guards, findings workflow enforcement and audit backstop, Livewire context locking and trusted-state reduction Operator truth initiative (sequenced): Operator Outcome Taxonomy → Reason Code Translation → Provider Dispatch Gate Unification (see spec-candidates.md — "Operator Truth Initiative" sequencing note) Source: architecture audit 2026-03-15, audit constitution, semantic clarity audit 2026-03-21, product spec-candidates

UI & Product Maturity Polish

Empty state consistency, list-expand parity, workspace chooser refinement, navigation semantics. Goal: Every surface feels intentional and guided for first-run evaluation.

Active specs: 122, 121, 112

Secret & Security Hardening

Secret redaction integrity, provider access hardening, required permissions sidebar. Goal: Enterprise trust — no credential leaks, no permission gaps.

Active specs: 120, 108, 106

Baseline Drift Engine (Cutover)

Full content capture, cutover to unified engine, resume capability. Goal: Ship drift detection as the complete production governance feature.

Active specs: 119 (cutover)

---

Planned (Next Quarter)

R2 Completion — Evidence & Exception Workflows

• Review pack export (Spec 109 — done)
• Exception/risk-acceptance workflow for Findings → Not yet specced
• Formal "evidence pack" entity → Not yet specced
• Workspace-level PII override for review packs → deferred from 109

Policy Lifecycle / Ghost Policies

Soft delete detection, automatic restore, "Deleted" badge, restore from backup. Draft exists (Spec 900). Needs spec refresh and prioritization. Risk: Ghost policies create confusion for backup item references.

Platform Operations Maturity

• CSV export for filtered run metadata (deferred from Spec 114)
• Raw error/context drilldowns for system console (deferred from Spec 114)
• Multi-workspace operator selection in /system (deferred from Spec 113)

---

Mid-term (2–3 Quarters)

MSP Portfolio & Operations (Multi-Tenant)

Multi-tenant health dashboard, SLA/compliance reports (PDF), cross-tenant troubleshooting center. Source: 0800-future-features brainstorming, identified as highest priority pillar. Prerequisite: Cross-tenant compare (Spec 043 — draft only).

Drift & Change Governance ("Revenue Lever #1")

Change approval workflows (DEV→PROD with audit pack), guardrails/policy freeze windows, tamper detection. Source: 0800-future-features brainstorming. Prerequisite: Drift engine fully shipped, findings workflow mature.

Standardization & Policy Quality ("Intune Linting")

Policy linter (naming, scope tag requirements, no All-Users on high-risk), company standards as templates, policy hygiene (duplicate finder, unassigned, orphaned, stale). Source: 0800-future-features brainstorming.

Compliance Readiness & Executive Review Packs

On-demand review packs that combine governance findings, accepted risks, evidence, baseline/drift posture, and key security signals into one coherent deliverable. BSI-/NIS2-/CIS-oriented readiness views (without certification claims). Executive / CISO / customer-facing report surfaces alongside operator-facing detail views. Exportable auditor-ready and management-ready outputs. Goal: Make TenantPilot sellable as an MSP-facing governance and review platform for German midmarket and compliance-oriented customers who want structured tenant reviews and management-ready outputs on demand. Why it matters: Turns existing governance data into a clear customer-facing value proposition. Strengthens MSP sales story beyond backup and restore. Creates a repeatable "review on demand" workflow for quarterly reviews, security health checks, and audit preparation. Depends on: StoredReports / EvidenceItems foundation, Tenant Review runs, Findings + Risk Acceptance workflow, evidence / signal ingestion, export pipeline maturity. Scope direction: Start as compliance readiness and review packaging. Avoid formal certification language or promises. Position as governance evidence, management reporting, and audit preparation.

Entra Role Governance

Expand TenantPilot's governance coverage into Microsoft Entra role definitions and assignments as a first-class identity administration surface. What it means: Inventory and visibility for built-in and custom role definitions. Visibility into role assignments and governance-relevant changes. Review-ready representation of identity administration posture. Why it matters: Identity role governance is central to audit readiness and privilege control. Strengthens TenantPilot beyond device configuration into identity governance. Scope direction: Start with visibility, inventory, and governance-oriented reviewability. Avoid prematurely turning this into a full attestation workflow block.

SharePoint Tenant-Level Sharing Governance

Extend TenantPilot into high-value Microsoft 365 data-governance controls by covering tenant-level SharePoint and OneDrive sharing settings. What it means: Visibility into tenant-wide sharing and external access posture. Governance-oriented review surface for high-risk sharing controls. Alignment with customer demand for audit-ready data-sharing posture. Why it matters: Tenant-level sharing controls are critical for data exposure and external collaboration governance. Expands TenantPilot into a high-value non-Intune policy domain without becoming a generic M365 admin mirror. Scope direction: Start at tenant-level settings, not full site-level governance. Position as governance and reviewability, not full SharePoint administration.

Enterprise App / Service Principal Governance

Add governance coverage for enterprise applications and service principals, especially around privileged permissions, expiring credentials, and review workflows. What it means: Visibility into enterprise apps and service principals. Detection of expiring secrets and certificates. Governance surfaces for privileged app access and renewal workflows. Why it matters: App identities are a major cloud governance and security pain point for MSPs and enterprise customers. Creates strong customer-facing value beyond tenant configuration backup and restore. Scope direction: Start with visibility, expiry monitoring, and governance workflows. Avoid collapsing this into app-consent policy coverage alone.

Security Posture Signals

Expand TenantPilot's evidence layer with high-value security posture signals that support customer reviews, audit preparation, and recurring governance reporting. What it means: Defender Vulnerability Management exposure and remediation-oriented signals. Backup success/failure and protection-state signals. Additional evidence inputs for review packs and executive reporting. Why it matters: Strengthens TenantPilot's audit and review story without turning it into a remediation engine. Helps prove operational effectiveness in recurring customer reviews. Scope direction: Treat these as evidence/signal domains, not policy domains. Prioritize reporting, history, and correlation over operational ownership.

---

Long-term

Tenant-to-Tenant / Staging→Prod Promotion

Compare/diff between tenants, mapping UI (groups, scope tags, filters, named locations, app refs), promotion plan (preview → dry-run → cutover → verify). Source: 0800-future-features, Spec 043 draft.

Recovery Confidence ("Killer Feature")

Automated restore tests in test tenants, recovery readiness report, preflight score. Source: 0800-future-features brainstorming.

Security Suite Layer

Security posture score, blast radius display, opt-in high-risk enablement. Source: 0800-future-features brainstorming.

Script & Secrets Governance

Script diff + approval + rollback, secret scanning, allowlist/signing workflow. Source: 0800-future-features brainstorming.

---

Infrastructure & Platform Debt

Item	Risk	Status
No .env.example in repo	Onboarding friction	Open
No CI pipeline config	No automated quality gate	Open
No PHPStan/Larastan	No static analysis	Open
SQLite for tests vs PostgreSQL in prod	Schema drift risk	Open
No formal release process	Manual deploys	Open
Dokploy config external to repo	Env drift	Open

---

Priority Ranking (from Product Brainstorming)

1. MSP Portfolio + Alerting
2. Drift + Approval Workflows
3. Standardization / Linting
4. Promotion DEV→PROD
5. Recovery Confidence

---

How to use this file

• Big themes live here.
• Concrete spec candidates → see spec-candidates.md
• Small discoveries from implementation → see discoveries.md
• Product principles → see principles.md