flaskpaste/ROADMAP.md

# FlaskPaste Roadmap

## Current State

FlaskPaste v1.1.0 is deployed and feature-complete for its core mission: a secure, minimal pastebin API with zero-knowledge encryption support.

**Implemented:**
- Full REST API (CRUD operations)
- Binary content support with magic-byte MIME detection
- Client certificate authentication
- Content-hash deduplication (abuse prevention)
- Proof-of-work spam prevention
- Entropy enforcement (require encrypted uploads)
- E2E encryption in CLI (AES-256-GCM, key in URL fragment)
- URL prefix support for reverse proxy deployments
- /client endpoint for CLI distribution
- Automatic paste expiry
- Security headers and request tracing
- Container deployment support
- Comprehensive test suite (98 tests)

## Phase 1: Hardening (Complete)

Focus: Production readiness and operational excellence.

```
┌───┬─────────────────────────────────────┬────────────────────────────────────┐
│ # │ Milestone                           │ Status
├───┼─────────────────────────────────────┼────────────────────────────────────┤
│ 1 │ Abuse prevention (dedup)            │ Done
│ 2 │ Security headers complete           │ Done
│ 3 │ Request tracing (X-Request-ID)      │ Done
│ 4 │ Proxy trust validation              │ Done
│ 5 │ Proof-of-work spam prevention       │ Done
│ 6 │ Entropy enforcement                 │ Done
│ 7 │ Test coverage > 90%                 │ Done (98 tests)
│ 8 │ Documentation complete              │ Done
└───┴─────────────────────────────────────┴────────────────────────────────────┘
```

## Phase 2: Operations

Focus: Deployment, monitoring, and maintenance tooling.

```
┌───┬─────────────────────────────────────┬────────────────────────────────────┐
│ # │ Milestone                           │ Dependencies
├───┼─────────────────────────────────────┼────────────────────────────────────┤
│ 1 │ Prometheus metrics endpoint         │ None
│ 2 │ Structured JSON logging             │ None
│ 3 │ Admin API (stats, cleanup)          │ Auth improvements
│ 4 │ Ansible deployment role             │ None
│ 5 │ CI/CD pipeline                      │ Container registry access
└───┴─────────────────────────────────────┴────────────────────────────────────┘
```

### Prometheus Metrics

Expose `/metrics` endpoint with:
- `flaskpaste_pastes_total` (counter)
- `flaskpaste_pastes_created` (counter)
- `flaskpaste_pastes_deleted` (counter)
- `flaskpaste_pastes_expired` (counter)
- `flaskpaste_storage_bytes` (gauge)
- `flaskpaste_request_duration_seconds` (histogram)

### Structured Logging

Replace text logs with JSON format:
- Timestamp, level, message, request_id
- Consistent field names across all log entries
- Compatible with log aggregation (Loki, ELK)

## Phase 3: Features (Complete)

Focus: User-requested enhancements within scope.

```
┌───┬─────────────────────────────────────┬────────────────────────────────────┐
│ # │ Feature                             │ Status
├───┼─────────────────────────────────────┼────────────────────────────────────┤
│ 1 │ E2E encryption (client-side)        │ Done (CLI -e flag, zero-knowledge)
│ 2 │ URL prefix support                  │ Done
│ 3 │ Custom expiry per paste             │ Done (X-Expiry header)
│ 4 │ Burn-after-read option              │ Done (X-Burn-After-Read header)
│ 5 │ Paste password protection           │ Planned
└───┴─────────────────────────────────────┴────────────────────────────────────┘
```

### Burn-After-Read

Single-access pastes that delete after first retrieval:
- `POST /` with `X-Burn-After-Read: true` header
- Paste deleted after first `GET /<id>/raw`
- Metadata `GET /<id>` does not trigger burn

### Custom Expiry

Allow per-paste expiry override:
- `POST /` with `X-Expiry: 3600` header (seconds)
- Capped at server maximum (e.g., 30 days)
- Default unchanged for pastes without header

## Phase 4: Ecosystem

Focus: Integration with external systems.

```
┌───┬─────────────────────────────────────┬────────────────────────────────────┐
│ # │ Integration                         │ Status
├───┼─────────────────────────────────────┼────────────────────────────────────┤
│ 1 │ CLI client (fpaste)                 │ Done (with E2E encryption)
│ 2 │ /client endpoint                    │ Done (downloadable CLI)
│ 3 │ Neovim/Vim plugin                   │ Planned
│ 4 │ Shell aliases/functions             │ Planned
│ 5 │ Webhook notifications               │ Planned
└───┴─────────────────────────────────────┴────────────────────────────────────┘
```

### CLI Client (Complete)

Standalone Python CLI with encryption support:
- `fpaste create file.txt` - Create paste from file
- `fpaste create -e file.txt` - Create encrypted paste (E2E)
- `fpaste get <id>` - Get paste (auto-decrypts with URL fragment key)
- `fpaste delete <id>` - Delete paste
- `fpaste info` - Show server info
- Config file for server URL and cert fingerprint
- Downloadable via `curl https://server/client > fpaste`

## Non-Goals (Explicit)

These features will not be implemented:

- **Web UI** - Out of scope; use API directly
- **User accounts** - PKI handles identity
- **Syntax highlighting** - Client responsibility
- **Search/discovery** - Pastes are private by design
- **Clustering** - Scale via container orchestration
- **S3/PostgreSQL backend** - SQLite is sufficient

## Decision Log

| Date       | Decision                           | Rationale
|------------|------------------------------------|-----------------------------------------
| 2024-11    | SQLite only                        | Simplicity; no external dependencies
| 2024-11    | No web UI                          | API-first; reduces attack surface
| 2024-11    | Client cert auth                   | Integrates with existing PKI
| 2024-12    | Content-hash dedup                 | Prevent spam without IP tracking
| 2024-12    | Proof-of-work                      | Computational cost deters spam bots
| 2024-12    | Client-side E2E encryption         | Zero-knowledge; key in URL fragment
| 2024-12    | Entropy enforcement                | Heuristic to require encrypted uploads
| 2024-12    | URL prefix support                 | Reverse proxy path-based routing
| 2024-12    | Burn-after-read                    | Single-use pastes for sensitive data
| 2024-12    | Custom expiry                      | Per-paste TTL override
| 2024-12    | Multi-stage Containerfile          | Smaller production images

## Review Schedule

- **Monthly**: Review TODO.md, refine TASKLIST.md
- **Quarterly**: Evaluate roadmap phases, adjust priorities
- **Yearly**: Major version planning, scope review