diff --git a/ROADMAP.md b/ROADMAP.md
index bd2b445..9c288f2 100644
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -97,9 +97,23 @@
 - [x] Graceful SIGTERM shutdown
 - [x] InnerTube-based YouTube channel resolution for video URLs
 
-## v2.0.0 -- Multi-Server + Stable API
+## v2.0.0 -- Multi-Server + Integrations
 
 - [ ] Multi-server support (per-server config, shared plugins)
 - [ ] Stable plugin API (versioned, breaking change policy)
+- [ ] Paste overflow (auto-paste long output to FlaskPaste, return link)
+- [ ] URL shortener integration (shorten URLs in alerts and long output)
+- [ ] Webhook listener (HTTP endpoint for push events to channels)
+- [ ] Granular ACLs (per-command permission tiers: trusted, operator, admin)
+- [ ] `paste` plugin (manual paste to FlaskPaste)
+- [ ] `shorten` plugin (manual URL shortening)
 - [ ] `emailcheck` plugin (SMTP VRFY/RCPT TO)
 - [ ] `canary` plugin (canary token generator/tracker)
+- [ ] `virustotal` plugin (hash/URL/IP/domain lookup, free API)
+- [ ] `abuseipdb` plugin (IP abuse confidence scoring, free tier)
+- [ ] `jwt` plugin (decode tokens, show claims/expiry, flag weaknesses)
+- [ ] `mac` plugin (OUI vendor lookup, local IEEE database)
+- [ ] `pastemoni` plugin (monitor paste sites for keywords)
+- [ ] `cron` plugin (scheduled bot commands on a timer)
+- [ ] Plugin command unit tests (encode, hash, dns, cidr, defang)
+- [ ] CI pipeline
diff --git a/TODO.md b/TODO.md
index bdfcbc0..92247d8 100644
--- a/TODO.md
+++ b/TODO.md
@@ -1,15 +1,31 @@
 # derp - Backlog
 
-## Plugins
-
-- [ ] `emailcheck` -- SMTP VRFY/RCPT TO verification
-- [ ] `canary` -- canary token generator/tracker
-
-## Bot Features
+## Core
 
 - [ ] Multi-server support (per-server config, shared plugins)
 - [ ] Stable plugin API (versioned, breaking change policy)
+- [ ] Paste overflow (auto-paste long output to FlaskPaste)
+- [ ] URL shortener integration (shorten URLs in alerts/output)
+- [ ] Webhook listener (HTTP endpoint for push events to channels)
+- [ ] Granular ACLs (per-command: trusted, operator, admin)
+
+## Plugins -- Security/OSINT
+
+- [ ] `emailcheck` -- SMTP VRFY/RCPT TO verification
+- [ ] `canary` -- canary token generator/tracker
+- [ ] `virustotal` -- hash/URL/IP/domain lookup (free API)
+- [ ] `abuseipdb` -- IP abuse confidence scoring (free tier)
+- [ ] `jwt` -- decode tokens, show claims/expiry, flag weaknesses
+- [ ] `mac` -- OUI vendor lookup (local IEEE database)
+- [ ] `pastemoni` -- monitor paste sites for keywords
+
+## Plugins -- Utility
+
+- [ ] `paste` -- manual paste to FlaskPaste
+- [ ] `shorten` -- manual URL shortening
+- [ ] `cron` -- scheduled bot commands on a timer
 
 ## Testing
 
-- [ ] Plugin command tests (encode, hash, dns, etc.)
+- [ ] Plugin command unit tests (encode, hash, dns, cidr, defang)
+- [ ] CI pipeline