## Summary

- migrate provider connections to the canonical three-dimension state model: lifecycle via `is_enabled`, consent via `consent_status`, and verification via `verification_status`
- remove legacy provider status and health badge paths, update admin and system directory surfaces, and align onboarding, consent callback, verification, resolver, and mutation flows with the new model
- add the Spec 188 artifact set, schema migrations, guard coverage, and expanded provider-state tests across admin, system, onboarding, verification, and rendering paths

## Verification

- `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Auth/SystemPanelAuthTest.php tests/Feature/Filament/TenantGlobalSearchLifecycleScopeTest.php tests/Feature/ProviderConnections/ProviderConnectionEnableDisableTest.php tests/Feature/ProviderConnections/ProviderConnectionTruthCleanupSpec179Test.php`
- integrated browser smoke: validated admin provider list/detail/edit, tenant provider summary, system directory tenant detail, provider-connection search exclusion, and cleaned up the temporary smoke record afterward

## Filament / implementation notes

- Livewire v4.0+ compliance: preserved; this change targets Filament v5 on Livewire v4 and does not introduce older APIs
- Provider registration location: unchanged; Laravel 11+ panel providers remain registered in `bootstrap/providers.php`
- Globally searchable resources: `ProviderConnectionResource` remains intentionally excluded from global search; tenant global search remains enabled and continues to resolve to view pages
- Destructive actions: no new destructive action surface was introduced without confirmation or authorization; existing capability checks continue to gate provider mutations
- Asset strategy: unchanged; no new Filament assets were added, so deploy behavior for `php artisan filament:assets` remains unchanged
- Testing plan covered: system auth, tenant global search, provider lifecycle enable/disable behavior, and provider truth cleanup cutover behavior

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #219
Product Roadmap
Strategic thematic blocks and release trajectory. This is the "big picture" — not individual specs.
Last updated: 2026-04-09
Release History
| Release | Theme | Status |
|---|---|---|
| R1 "Golden Master Governance" | Baseline drift as production feature, operations polish | Done |
| R1 cont. | Ops canonicalization, action surface contract, ops-ux enforcement | Done |
| R2 "Tenant Reviews & Evidence" | Evidence packs, stored reports, permission posture, alerts | Partial |
| R2 cont. | Alert escalation + notification routing | Done |
Active / Near-term
Governance & Architecture Hardening
Canonical run-view trust semantics, execution-time authorization continuity, tenant-owned query canon, findings workflow enforcement, Livewire trust-boundary reduction. Goal: Turn the new audit constitution into enforceable backend and workflow guardrails before further governance surface area lands.
Active specs: 144
Next wave candidates: queued execution reauthorization and scope continuity, tenant-owned query canon and wrong-tenant guards, findings workflow enforcement and audit backstop, Livewire context locking and trusted-state reduction
Operator truth initiative (sequenced): Operator Outcome Taxonomy → Reason Code Translation → Artifact Truth Semantics → Governance Operator Outcome Compression; Provider Dispatch Gate Unification continues as the adjacent hardening lane (see spec-candidates.md — "Operator Truth Initiative" sequencing note)
Source: architecture audit 2026-03-15, audit constitution, semantic clarity audit 2026-03-21, product spec-candidates
UI & Product Maturity Polish
Empty state consistency, list-expand parity, workspace chooser refinement, navigation semantics. Goal: Every surface feels intentional and guided for first-run evaluation.
Active specs: 122, 121, 112
Secret & Security Hardening
Secret redaction integrity, provider access hardening, required permissions sidebar. Goal: Enterprise trust — no credential leaks, no permission gaps.
Active specs: 120, 108, 106
Baseline Drift Engine (Cutover)
Full content capture, cutover to unified engine, resume capability. Goal: Ship drift detection as the complete production governance feature.
Active specs: 119 (cutover)
R1.9 Platform Localization v1 (DE/EN)
UI language switchable (de, en) with a clean locale foundation layer.
Goal: Consistent, end-to-end localization of all governance surfaces, without breaks in export, audit, or machine formats.
- Locale priority: explicit override → user preference → workspace default → system default
- Workspace default language for new users; a user can override it with a personal language
- Core surfaces first: navigation, dashboard, tenant views, findings, baseline compare, risk exceptions, alerts, operations, audit-related base texts
- Canonical glossary for governance terms (Finding, Baseline, Drift, Risk Accepted, Evidence Gap, Run): consistent terminology across all views
- Locale-aware display formats for dates, times, numbers, and relative times
- Machine and export formats remain invariant/stable (no localized semantics in CSV/JSON/audit artifacts)
- Notifications, e-mails, and operator-facing system texts use the recipient's resolved locale
- Fallback rule: missing translations fall back to English in a controlled way; no empty/raw keys in the UI
- Translation-key governance for labels, actions, status values, empty states, table filters, notifications, and validation/system texts
- HTML/UI i18n foundation: correct `lang`/locale setup, no hardcoded critical UI strings, layouts robust across languages
- Check search/sort/filter on critical lists for locale-sensitive behavior
- QA/foundation: missing-key detection, locale regression tests, pseudolocalization smoke tests for critical flows
Active specs: — (not yet specced)
Planned (Next Quarter)
R2 Completion — Evidence & Exception Workflows
- Review pack export (Spec 109 — done)
- Exception/risk-acceptance workflow for Findings → Not yet specced
- Formal "evidence pack" entity → Not yet specced
- Workspace-level PII override for review packs → deferred from 109
Policy Lifecycle / Ghost Policies
Soft delete detection, automatic restore, "Deleted" badge, restore from backup. Draft exists (Spec 900). Needs spec refresh and prioritization. Risk: Ghost policies create confusion for backup item references.
Platform Operations Maturity
- CSV export for filtered run metadata (deferred from Spec 114)
- Raw error/context drilldowns for system console (deferred from Spec 114)
- Multi-workspace operator selection in `/system` (deferred from Spec 113)
Mid-term (2–3 Quarters)
MSP Portfolio & Operations (Multi-Tenant)
Multi-tenant health dashboard, SLA/compliance reports (PDF), cross-tenant troubleshooting center. Source: 0800-future-features brainstorming, identified as highest priority pillar. Prerequisite: Cross-tenant compare (Spec 043 — draft only).
Drift & Change Governance ("Revenue Lever #1")
Change approval workflows (DEV→PROD with audit pack), guardrails/policy freeze windows, tamper detection. Source: 0800-future-features brainstorming. Prerequisite: Drift engine fully shipped, findings workflow mature.
Standardization & Policy Quality ("Intune Linting")
Policy linter (naming, scope tag requirements, no All-Users on high-risk), company standards as templates, policy hygiene (duplicate finder, unassigned, orphaned, stale). Source: 0800-future-features brainstorming.
Compliance Readiness & Executive Review Packs
On-demand review packs that combine governance findings, accepted risks, evidence, baseline/drift posture, and key security signals into one coherent deliverable. BSI-/NIS2-/CIS-oriented readiness views (without certification claims). Executive / CISO / customer-facing report surfaces alongside operator-facing detail views. Exportable auditor-ready and management-ready outputs.
Goal: Make TenantPilot sellable as an MSP-facing governance and review platform for German midmarket and compliance-oriented customers who want structured tenant reviews and management-ready outputs on demand.
Why it matters: Turns existing governance data into a clear customer-facing value proposition. Strengthens MSP sales story beyond backup and restore. Creates a repeatable "review on demand" workflow for quarterly reviews, security health checks, and audit preparation.
Depends on: StoredReports / EvidenceItems foundation, Tenant Review runs, Findings + Risk Acceptance workflow, evidence / signal ingestion, export pipeline maturity.
Scope direction: Start as compliance readiness and review packaging. Avoid formal certification language or promises. Position as governance evidence, management reporting, and audit preparation.
Modeling principle: Compliance and governance requirements are modeled as versioned control catalogs, TenantPilot technical interpretations, evidence mappings, evaluation rules, manual attestations, and customer/MSP profiles, not as hardcoded framework-specific rules. Readiness views, evidence packs, and auditor outputs are generated from that shared domain model.
- Separate framework source versions, TenantPilot interpretation versions, and customer/MSP profile versions
- Map controls to evidence sources, evaluation rules, and manual attestations when automation is partial
- Keep BSI / NIS2 / CIS views as reporting layers on top of the shared control model
- Avoid framework-specific one-off reports that bypass the common evidence, findings, exception, and export pipeline
Entra Role Governance
Expand TenantPilot's governance coverage into Microsoft Entra role definitions and assignments as a first-class identity administration surface.
What it means: Inventory and visibility for built-in and custom role definitions. Visibility into role assignments and governance-relevant changes. Review-ready representation of identity administration posture.
Why it matters: Identity role governance is central to audit readiness and privilege control. Strengthens TenantPilot beyond device configuration into identity governance.
Scope direction: Start with visibility, inventory, and governance-oriented reviewability. Avoid prematurely turning this into a full attestation workflow block.
SharePoint Tenant-Level Sharing Governance
Extend TenantPilot into high-value Microsoft 365 data-governance controls by covering tenant-level SharePoint and OneDrive sharing settings.
What it means: Visibility into tenant-wide sharing and external access posture. Governance-oriented review surface for high-risk sharing controls. Alignment with customer demand for audit-ready data-sharing posture.
Why it matters: Tenant-level sharing controls are critical for data exposure and external collaboration governance. Expands TenantPilot into a high-value non-Intune policy domain without becoming a generic M365 admin mirror.
Scope direction: Start at tenant-level settings, not full site-level governance. Position as governance and reviewability, not full SharePoint administration.
Enterprise App / Service Principal Governance
Add governance coverage for enterprise applications and service principals, especially around privileged permissions, expiring credentials, and review workflows.
What it means: Visibility into enterprise apps and service principals. Detection of expiring secrets and certificates. Governance surfaces for privileged app access and renewal workflows.
Why it matters: App identities are a major cloud governance and security pain point for MSPs and enterprise customers. Creates strong customer-facing value beyond tenant configuration backup and restore.
Scope direction: Start with visibility, expiry monitoring, and governance workflows. Avoid collapsing this into app-consent policy coverage alone.
Security Posture Signals
Expand TenantPilot's evidence layer with high-value security posture signals that support customer reviews, audit preparation, and recurring governance reporting.
What it means: Defender Vulnerability Management exposure and remediation-oriented signals. Backup success/failure and protection-state signals. Additional evidence inputs for review packs and executive reporting.
Why it matters: Strengthens TenantPilot's audit and review story without turning it into a remediation engine. Helps prove operational effectiveness in recurring customer reviews.
Scope direction: Treat these as evidence/signal domains, not policy domains. Prioritize reporting, history, and correlation over operational ownership.
Long-term
Tenant-to-Tenant / Staging→Prod Promotion
Compare/diff between tenants, mapping UI (groups, scope tags, filters, named locations, app refs), promotion plan (preview → dry-run → cutover → verify). Source: 0800-future-features, Spec 043 draft.
Recovery Confidence ("Killer Feature")
Automated restore tests in test tenants, recovery readiness report, preflight score. Source: 0800-future-features brainstorming.
Security Suite Layer
Security posture score, blast radius display, opt-in high-risk enablement. Source: 0800-future-features brainstorming.
Script & Secrets Governance
Script diff + approval + rollback, secret scanning, allowlist/signing workflow. Source: 0800-future-features brainstorming.
Infrastructure & Platform Debt
| Item | Risk | Status |
|---|---|---|
| No `.env.example` in repo | Onboarding friction | Open |
| No CI pipeline config | No automated quality gate | Open |
| No PHPStan/Larastan | No static analysis | Open |
| SQLite for tests vs PostgreSQL in prod | Schema drift risk | Open |
| No formal release process | Manual deploys | Open |
| Dokploy config external to repo | Env drift | Open |
Priority Ranking (from Product Brainstorming)
- MSP Portfolio + Alerting
- Drift + Approval Workflows
- Standardization / Linting
- Promotion DEV→PROD
- Recovery Confidence
How to use this file
- Big themes live here.
- Concrete spec candidates → see spec-candidates.md
- Small discoveries from implementation → see discoveries.md
- Product principles → see principles.md