diff --git a/.planning/REQUIREMENTS.md b/.planning/REQUIREMENTS.md
index 9e84afe..dedeb30 100644
--- a/.planning/REQUIREMENTS.md
+++ b/.planning/REQUIREMENTS.md
@@ -115,54 +115,54 @@ Which phases cover which requirements. Updated during roadmap creation.
 
 | Requirement | Phase | Status |
 |-------------|-------|--------|
-| FOUND-01 | — | Pending |
-| FOUND-02 | — | Pending |
-| FOUND-03 | — | Pending |
-| FOUND-04 | — | Pending |
-| FOUND-05 | — | Pending |
-| FOUND-06 | — | Pending |
-| FOUND-07 | — | Pending |
-| FOUND-08 | — | Pending |
-| FOUND-09 | — | Pending |
-| FOUND-10 | — | Pending |
-| FOUND-11 | — | Pending |
-| FOUND-12 | — | Pending |
-| PERM-01 | — | Pending |
-| PERM-02 | — | Pending |
-| PERM-03 | — | Pending |
-| PERM-04 | — | Pending |
-| PERM-05 | — | Pending |
-| PERM-06 | — | Pending |
-| PERM-07 | — | Pending |
-| STOR-01 | — | Pending |
-| STOR-02 | — | Pending |
-| STOR-03 | — | Pending |
-| STOR-04 | — | Pending |
-| STOR-05 | — | Pending |
-| SRCH-01 | — | Pending |
-| SRCH-02 | — | Pending |
-| SRCH-03 | — | Pending |
-| SRCH-04 | — | Pending |
-| DUPL-01 | — | Pending |
-| DUPL-02 | — | Pending |
-| DUPL-03 | — | Pending |
-| TMPL-01 | — | Pending |
-| TMPL-02 | — | Pending |
-| TMPL-03 | — | Pending |
-| TMPL-04 | — | Pending |
-| FOLD-01 | — | Pending |
-| FOLD-02 | — | Pending |
-| BULK-01 | — | Pending |
-| BULK-02 | — | Pending |
-| BULK-03 | — | Pending |
-| BULK-04 | — | Pending |
-| BULK-05 | — | Pending |
+| FOUND-01 | Phase 1 | Pending |
+| FOUND-02 | Phase 1 | Pending |
+| FOUND-03 | Phase 1 | Pending |
+| FOUND-04 | Phase 1 | Pending |
+| FOUND-05 | Phase 1 | Pending |
+| FOUND-06 | Phase 1 | Pending |
+| FOUND-07 | Phase 1 | Pending |
+| FOUND-08 | Phase 1 | Pending |
+| FOUND-09 | Phase 1 | Pending |
+| FOUND-10 | Phase 1 | Pending |
+| FOUND-11 | Phase 5 | Pending |
+| FOUND-12 | Phase 1 | Pending |
+| PERM-01 | Phase 2 | Pending |
+| PERM-02 | Phase 2 | Pending |
+| PERM-03 | Phase 2 | Pending |
+| PERM-04 | Phase 2 | Pending |
+| PERM-05 | Phase 2 | Pending |
+| PERM-06 | Phase 2 | Pending |
+| PERM-07 | Phase 2 | Pending |
+| STOR-01 | Phase 3 | Pending |
+| STOR-02 | Phase 3 | Pending |
+| STOR-03 | Phase 3 | Pending |
+| STOR-04 | Phase 3 | Pending |
+| STOR-05 | Phase 3 | Pending |
+| SRCH-01 | Phase 3 | Pending |
+| SRCH-02 | Phase 3 | Pending |
+| SRCH-03 | Phase 3 | Pending |
+| SRCH-04 | Phase 3 | Pending |
+| DUPL-01 | Phase 3 | Pending |
+| DUPL-02 | Phase 3 | Pending |
+| DUPL-03 | Phase 3 | Pending |
+| TMPL-01 | Phase 4 | Pending |
+| TMPL-02 | Phase 4 | Pending |
+| TMPL-03 | Phase 4 | Pending |
+| TMPL-04 | Phase 4 | Pending |
+| FOLD-01 | Phase 4 | Pending |
+| FOLD-02 | Phase 4 | Pending |
+| BULK-01 | Phase 4 | Pending |
+| BULK-02 | Phase 4 | Pending |
+| BULK-03 | Phase 4 | Pending |
+| BULK-04 | Phase 4 | Pending |
+| BULK-05 | Phase 4 | Pending |
 
 **Coverage:**
 - v1 requirements: 42 total
-- Mapped to phases: 0
-- Unmapped: 42
+- Mapped to phases: 42
+- Unmapped: 0
 
 ---
 *Requirements defined: 2026-04-02*
-*Last updated: 2026-04-02 after initial definition*
+*Last updated: 2026-04-02 after roadmap creation — all 42 v1 requirements mapped*
diff --git a/.planning/ROADMAP.md b/.planning/ROADMAP.md
new file mode 100644
index 0000000..56cb28f
--- /dev/null
+++ b/.planning/ROADMAP.md
@@ -0,0 +1,101 @@
+# Roadmap: SharePoint Toolbox v2
+
+## Overview
+
+A full C#/WPF rewrite of a 6,400-line PowerShell-based SharePoint Online administration tool. The
+project delivers a self-contained Windows desktop application that lets MSP administrators audit
+and manage permissions, storage, and site provisioning across multiple client tenants from a single
+tool. Foundation infrastructure (multi-tenant auth, async patterns, error handling, DI) must be
+solid before any feature work begins — all 10 identified pitfalls in the existing codebase map
+entirely to Phase 1. Subsequent phases deliver complete, verifiable feature areas in dependency
+order: permissions first (validates auth and pagination), then storage and search (reuse those
+patterns), then bulk and provisioning operations (highest write-risk features last), then
+hardening and packaging.
+
+## Phases
+
+**Phase Numbering:**
+- Integer phases (1, 2, 3): Planned milestone work
+- Decimal phases (2.1, 2.2): Urgent insertions (marked with INSERTED)
+
+Decimal phases appear between their surrounding integers in numeric order.
+
+- [ ] **Phase 1: Foundation** - WPF shell, multi-tenant auth, DI, async patterns, error handling, logging, localization, JSON persistence
+- [ ] **Phase 2: Permissions** - Permissions scan (single and multi-site), CSV and HTML report export
+- [ ] **Phase 3: Storage and File Operations** - Storage metrics, file search, and duplicate detection
+- [ ] **Phase 4: Bulk Operations and Provisioning** - Bulk member/site/transfer operations, site templates, folder structure provisioning
+- [ ] **Phase 5: Distribution and Hardening** - Self-contained EXE packaging, end-to-end validation, FR locale completeness
+
+## Phase Details
+
+### Phase 1: Foundation
+**Goal**: The application shell runs, users can authenticate to multiple tenants and switch between them without re-logging in, all long-running operations are cancellable and report progress, all errors surface visibly, and the infrastructure patterns that prevent the existing app's 10 known pitfalls are in place before any feature work begins.
+**Depends on**: Nothing (first phase)
+**Requirements**: FOUND-01, FOUND-02, FOUND-03, FOUND-04, FOUND-05, FOUND-06, FOUND-07, FOUND-08, FOUND-09, FOUND-10, FOUND-12
+**Success Criteria** (what must be TRUE):
+  1. User can create, rename, delete, and switch between tenant profiles via the UI — each profile stores tenant URL, client ID, and display name in a JSON file
+  2. User can authenticate to a tenant via interactive browser login and the session persists across tenant switches without re-entering credentials (MSAL token cache per tenant)
+  3. User can see real-time progress on any long-running operation and cancel it mid-execution with a button — the operation stops cleanly with no silent continuation
+  4. When any operation fails, the user sees an actionable error message in the UI — no operation fails silently or swallows an exception
+  5. UI language switches between English and French dynamically without restarting the application
+**Plans**: TBD
+
+### Phase 2: Permissions
+**Goal**: Users can scan SharePoint permissions on one or many sites and export the results as both a raw CSV and a sortable, filterable HTML report — with no silent failures on large libraries and full control over scan scope.
+**Depends on**: Phase 1
+**Requirements**: PERM-01, PERM-02, PERM-03, PERM-04, PERM-05, PERM-06, PERM-07
+**Success Criteria** (what must be TRUE):
+  1. User can select one site or multiple sites and run a permissions scan that returns owners, members, guests, external users, and broken inheritance items
+  2. User can choose configurable scan depth and whether to include or exclude inherited permissions before running
+  3. User can export the permissions results to a CSV file with all raw permission data
+  4. User can export the permissions results to an interactive HTML report where rows are sortable, filterable, and groupable by user
+  5. Scanning a library with more than 5,000 items completes successfully — the tool paginates automatically and does not silently truncate or fail
+**Plans**: TBD
+
+### Phase 3: Storage and File Operations
+**Goal**: Users can view and export storage metrics per site and library, search for files across sites using multiple criteria, and detect duplicate files and folders — all with consistent export options and no silent failures on large datasets.
+**Depends on**: Phase 2
+**Requirements**: STOR-01, STOR-02, STOR-03, STOR-04, STOR-05, SRCH-01, SRCH-02, SRCH-03, SRCH-04, DUPL-01, DUPL-02, DUPL-03
+**Success Criteria** (what must be TRUE):
+  1. User can view storage consumption per library and per site (with configurable folder depth), including total size, version size, item count, and last modified date
+  2. User can export storage metrics to CSV and to an interactive HTML with a collapsible tree view
+  3. User can search for files across sites using at least extension, name/regex, date range, creator, and editor as criteria — with a configurable result cap up to 50,000 items
+  4. User can export file search results to CSV and to an interactive sortable/filterable HTML
+  5. User can scan for duplicate files (by name, size, creation date, modification date) and duplicate folders (by name, subfolder count, file count) and export the results to an HTML with grouped display
+**Plans**: TBD
+
+### Phase 4: Bulk Operations and Provisioning
+**Goal**: Users can execute bulk write operations (member additions, site creation, file transfer) with per-item error reporting and cancellation, capture site structures as reusable templates, apply templates to create new sites, and provision folder structures from CSV — all without silent partial failures.
+**Depends on**: Phase 3
+**Requirements**: BULK-01, BULK-02, BULK-03, BULK-04, BULK-05, TMPL-01, TMPL-02, TMPL-03, TMPL-04, FOLD-01, FOLD-02
+**Success Criteria** (what must be TRUE):
+  1. User can transfer files and folders between sites with real-time progress tracking and can cancel mid-operation — transferred items are confirmed and failures are reported per-item
+  2. User can add members to groups in bulk from a CSV file — each row that fails is reported individually, not silently skipped
+  3. User can create multiple sites in bulk from a CSV file with per-site error reporting and mid-operation cancellation
+  4. User can capture an existing site's structure (libraries, folders, permission groups, logo, settings) as a named template stored in JSON, then apply that template to create a new Communication or Teams site
+  5. User can manage saved templates (create, rename, delete) and create folder structures on a target site from a CSV template
+**Plans**: TBD
+
+### Phase 5: Distribution and Hardening
+**Goal**: The application ships as a single self-contained EXE that runs on a machine with no .NET runtime installed, all previously identified reliability constraints are verified end-to-end (5,000-item pagination, JSON corruption recovery, throttling retry, cancellation), and the French locale is complete and tested.
+**Depends on**: Phase 4
+**Requirements**: FOUND-11
+**Success Criteria** (what must be TRUE):
+  1. Running the published EXE on a clean machine with no .NET runtime installed launches the application and all features function correctly
+  2. The application recovers gracefully when a SharePoint API call is throttled (429/503) — the user sees a retry progress message and the operation eventually completes or surfaces a clear failure
+  3. The French locale is complete for all UI strings — no English fallback text appears when the language is set to French
+  4. A scan against a library with more than 5,000 items returns complete, correct results with no silent truncation verified against a known dataset
+**Plans**: TBD
+
+## Progress
+
+**Execution Order:**
+Phases execute in numeric order: 1 → 2 → 3 → 4 → 5
+
+| Phase | Plans Complete | Status | Completed |
+|-------|----------------|--------|-----------|
+| 1. Foundation | 0/? | Not started | - |
+| 2. Permissions | 0/? | Not started | - |
+| 3. Storage and File Operations | 0/? | Not started | - |
+| 4. Bulk Operations and Provisioning | 0/? | Not started | - |
+| 5. Distribution and Hardening | 0/? | Not started | - |
diff --git a/.planning/STATE.md b/.planning/STATE.md
new file mode 100644
index 0000000..83dd60f
--- /dev/null
+++ b/.planning/STATE.md
@@ -0,0 +1,64 @@
+# Project State
+
+## Project Reference
+
+See: .planning/PROJECT.md (updated 2026-04-02)
+
+**Core value:** Administrators can audit and manage SharePoint/Teams permissions and storage across multiple client tenants from a single, reliable desktop application.
+**Current focus:** Phase 1 — Foundation
+
+## Current Position
+
+Phase: 1 of 5 (Foundation)
+Plan: 0 of ? in current phase
+Status: Ready to plan
+Last activity: 2026-04-02 — Roadmap created, requirements mapped, all 42 v1 requirements assigned to phases
+
+Progress: [░░░░░░░░░░] 0%
+
+## Performance Metrics
+
+**Velocity:**
+- Total plans completed: 0
+- Average duration: —
+- Total execution time: 0 hours
+
+**By Phase:**
+
+| Phase | Plans | Total | Avg/Plan |
+|-------|-------|-------|----------|
+| - | - | - | - |
+
+**Recent Trend:**
+- Last 5 plans: —
+- Trend: —
+
+*Updated after each plan completion*
+
+## Accumulated Context
+
+### Decisions
+
+Decisions are logged in PROJECT.md Key Decisions table.
+Recent decisions affecting current work:
+
+- Foundation: Use PnP.Framework 1.18.0 (not PnP.Core SDK) — PnP Provisioning Engine lives only in PnP.Framework
+- Foundation: Use MsalCacheHelper for per-tenant token cache serialization — scope IPublicClientApplication per ClientId
+- Foundation: Never set PublishTrimmed=true — PnP.Framework and MSAL use reflection; accept ~150-200 MB EXE
+- Foundation: Establish AsyncRelayCommand + IProgress<T> + CancellationToken patterns before any feature work — retrofitting is the most expensive WPF refactor
+
+### Pending Todos
+
+None yet.
+
+### Blockers/Concerns
+
+- Phase 3 planning: Duplicate detection at scale (100k+ files) — Graph API hash enumeration limits and client-side SHA256 approach need targeted research before planning
+- Phase 4 planning: PnP Provisioning Engine behavior for Teams-connected modern sites — edge cases need validation spike before planning
+- Phase 5: User access export (v2 requirement UACC-01/02) depends on Phase 2 PermissionsService — confirm scope before Phase 5 planning
+
+## Session Continuity
+
+Last session: 2026-04-02
+Stopped at: Roadmap created, STATE.md initialized — ready to run /gsd:plan-phase 1
+Resume file: None