# FlaskPaste Roadmap ## Current State FlaskPaste v1.2.0 is deployed with PKI integration and comprehensive security tooling. **Implemented:** - Full REST API (CRUD operations) - Binary content support with magic-byte MIME detection - Client certificate authentication - Minimal PKI (CA generation, certificate issuance, revocation) - Content-hash deduplication (abuse prevention) - Proof-of-work spam prevention - Entropy enforcement (require encrypted uploads) - E2E encryption in CLI (AES-256-GCM, key in URL fragment) - URL prefix support for reverse proxy deployments - /client endpoint for CLI distribution - Automatic paste expiry - Burn-after-read pastes - Custom expiry per paste - Security headers and request tracing - Container deployment support - Security tooling (ruff, bandit, mypy, pip-audit) - CI/CD pipeline with lint, security, and test jobs - Comprehensive test suite (147 tests) ## Phase 1: Hardening (Complete) Focus: Production readiness and operational excellence. ``` ┌───┬─────────────────────────────────┬────────────────────────────────────┐ │ # │ Milestone │ Status ├───┼─────────────────────────────────┼────────────────────────────────────┤ │ 1 │ Abuse prevention (dedup) │ Done │ 2 │ Security headers complete │ Done │ 3 │ Request tracing (X-Request-ID) │ Done │ 4 │ Proxy trust validation │ Done │ 5 │ Proof-of-work spam prevention │ Done │ 6 │ Entropy enforcement │ Done │ 7 │ Test coverage > 90% │ Done (147 tests) │ 8 │ Documentation complete │ Done └───┴─────────────────────────────────┴────────────────────────────────────┘ ``` ## Phase 2: Operations (Complete) Focus: Deployment, monitoring, and maintenance tooling. ``` ┌───┬─────────────────────────────────┬────────────────────────────────────┐ │ # │ Milestone │ Status ├───┼─────────────────────────────────┼────────────────────────────────────┤ │ 1 │ Prometheus metrics endpoint │ Done (prometheus-flask-exporter) │ 2 │ Structured JSON logging │ Done (production mode) │ 3 │ Security tooling (lint/scan) │ Done (ruff, bandit, mypy) │ 4 │ CI/CD pipeline │ Done (Gitea Actions) │ 5 │ Multi-stage Containerfile │ Done └───┴─────────────────────────────────┴────────────────────────────────────┘ ``` ## Phase 3: Features (Complete) Focus: User-requested enhancements within scope. ``` ┌───┬─────────────────────────────────┬────────────────────────────────────┐ │ # │ Feature │ Status ├───┼─────────────────────────────────┼────────────────────────────────────┤ │ 1 │ E2E encryption (client-side) │ Done (CLI -e flag, zero-knowledge) │ 2 │ URL prefix support │ Done │ 3 │ Custom expiry per paste │ Done (X-Expiry header) │ 4 │ Burn-after-read option │ Done (X-Burn-After-Read header) │ 5 │ Minimal PKI (CA + issuance) │ Done └───┴─────────────────────────────────┴────────────────────────────────────┘ ``` ### PKI Features Integrated certificate authority for mTLS: - `POST /pki/ca` - Generate CA (first-run bootstrap) - `GET /pki/status` - CA status and fingerprint - `GET /pki/ca.crt` - Download CA certificate - `POST /pki/issue` - Issue client certificate - `POST /pki/revoke/` - Revoke certificate - CLI: `fpaste pki status`, `fpaste pki issue`, `fpaste pki revoke` ## Phase 4: Ecosystem (In Progress) Focus: Integration with external systems. ``` ┌───┬─────────────────────────────────┬────────────────────────────────────┐ │ # │ Integration │ Status ├───┼─────────────────────────────────┼────────────────────────────────────┤ │ 1 │ CLI client (fpaste) │ Done (with E2E + PKI) │ 2 │ /client endpoint │ Done (downloadable CLI) │ 3 │ Ansible deployment role │ Planned │ 4 │ Kubernetes manifests │ Planned │ 5 │ Shell aliases/functions │ Planned └───┴─────────────────────────────────┴────────────────────────────────────┘ ``` ### CLI Client (Complete) Standalone Python CLI with encryption and PKI support: - `fpaste create file.txt` - Create paste from file - `fpaste create -e file.txt` - Create encrypted paste (E2E) - `fpaste get ` - Get paste (auto-decrypts with URL fragment key) - `fpaste delete ` - Delete paste - `fpaste info` - Show server info - `fpaste pki status` - Show PKI status - `fpaste pki issue -n "name"` - Request client certificate - `fpaste pki revoke ` - Revoke certificate - Config file for server URL and cert fingerprint - Downloadable via `curl https://server/client > fpaste` ## Non-Goals (Explicit) These features will not be implemented: - **Web UI** - Out of scope; use API directly - **User accounts** - PKI handles identity - **Syntax highlighting** - Client responsibility - **Search/discovery** - Pastes are private by design - **Clustering** - Scale via container orchestration - **S3/PostgreSQL backend** - SQLite is sufficient ## Decision Log | Date | Decision | Rationale |------------|------------------------------------|----------------------------------------- | 2024-11 | SQLite only | Simplicity; no external dependencies | 2024-11 | No web UI | API-first; reduces attack surface | 2024-11 | Client cert auth | Integrates with existing PKI | 2024-12 | Content-hash dedup | Prevent spam without IP tracking | 2024-12 | Proof-of-work | Computational cost deters spam bots | 2024-12 | Client-side E2E encryption | Zero-knowledge; key in URL fragment | 2024-12 | Entropy enforcement | Heuristic to require encrypted uploads | 2024-12 | URL prefix support | Reverse proxy path-based routing | 2024-12 | Burn-after-read | Single-use pastes for sensitive data | 2024-12 | Custom expiry | Per-paste TTL override | 2024-12 | Multi-stage Containerfile | Smaller production images | 2024-12 | Minimal PKI | Self-contained mTLS without external CA | 2024-12 | Security tooling (ruff/bandit) | Code quality and security scanning | 2024-12 | CI/CD with job dependencies | Tests wait for lint to pass ## Review Schedule - **Monthly**: Review TODO.md, refine TASKLIST.md - **Quarterly**: Evaluate roadmap phases, adjust priorities - **Yearly**: Major version planning, scope review