This is the first public release of the PIMActivation Portal. Everything below is forward-looking and subject to change. Have an opinion? [Open a discussion](https://github.com/Noble-Effeciency13/PIMActivation-Portal/discussions) or a [feature request](https://github.com/Noble-Effeciency13/PIMActivation-Portal/issues/new?template=feature_request.yml).

## Near-term (next minor releases)

- **Activation history from the Entra audit log.** Surface a longer-lived activation history backed by `directoryAudits` and ARM activity logs, complementing today's in-session activity drawer.
- **Per-role notes inside profiles.** Optional free-text per role within a saved profile so you can document why you keep a particular combination together.
- **Approval-state polling.** Optional background polling for **Pending** roles so you don't have to refresh manually.

## Mid-term

- **Subresource Integrity for the MSAL.js bundle.** Pin the integrity hash of the `cdn.jsdelivr.net` MSAL bundle to defend against CDN tampering.
- **Keyboard-only navigation polish.** Ensure every action is reachable without a pointing device and that focus rings are obvious in all themes.
- **Localization scaffolding.** Externalize UI strings so translations become possible without a refactor.

## Wishlist (not yet committed)

- **Cross-device profile sync.** Optional sync of profiles via the user's OneDrive (delegated, end-to-end the user's own data).
- **PIM-for-Roles automation hooks.** A small surface for integrating with ticketing systems so the portal can pull a justification from an open ticket automatically.
- **Browser extension companion.** Tray-style indicator for time-remaining on active roles outside the portal tab.
- **PWA install with offline status only.** Install the portal as a PWA so it can show "no roles available — you're offline" without trying to render a stale state.

## Permanently out of scope

The constraints below are part of the security posture and are not on the roadmap to change:

- A backend, proxy, or any server-side component.
- Application permissions or any client secret in the SPA.
- Persisting access tokens outside `sessionStorage`.
- Telemetry, analytics, or any third-party API call beyond the Microsoft endpoints already listed in the CSP.

See also the [PIMActivation PowerShell module roadmap](https://github.com/Noble-Effeciency13/PIMActivation#%EF%B8%8F-roadmap) — features that benefit both projects often land in PowerShell first.