# derp - Roadmap ## v0.1.0 -- Foundation (done) - [x] IRC protocol: connect, parse, send - [x] TLS support with optional verification - [x] Plugin system with `@command` and `@event` - [x] TOML configuration with defaults merging - [x] Built-in plugins: ping, help, version - [x] Auto PING/PONG, nick recovery, reconnect - [x] CLI entry point with argparse ## v0.2.0 -- Operational Toolkit (done) - [x] Plugin hot-reload (!load, !reload, !unload, !plugins) - [x] Command shorthand (unambiguous prefix matching) - [x] Plugin help (!help ) - [x] Container support (Containerfile, podman-compose) - [x] DNS plugin (raw UDP resolver, all record types) - [x] Encode/decode plugin (b64, hex, url, rot13) - [x] Hash plugin (generation + type identification) - [x] Defang/refang plugin (IOC sanitization) - [x] Reverse shell generator (11 languages) - [x] CIDR calculator plugin - [x] Bot uptime command - [x] SASL PLAIN authentication - [x] Rate limiting (anti-flood, token bucket) - [x] CTCP VERSION/TIME/PING responses ## v0.3.0 -- Wave 2 + Admin (done) - [x] WHOIS plugin (raw socket, port 43) - [x] Port scanner plugin (async TCP connect) - [x] HTTP check plugin (status, redirects, timing) - [x] TLS check plugin (cipher, cert chain, expiry) - [x] DNSBL/blacklist check plugin - [x] Random generator plugin (passwords, UUIDs, hex) - [x] Timer plugin (countdown for time-boxed ops) - [x] Admin/owner permission system (hostmask + IRCOP) - [x] !whoami and !admins commands ## v0.4.0 -- Wave 3 Plugins (Local Databases) (done) - [x] GeoIP plugin (MaxMind GeoLite2-City mmdb) - [x] ASN plugin (GeoLite2-ASN mmdb) - [x] Tor exit node check (local list, daily refresh) - [x] IP reputation plugin (Firehol blocklist feeds) - [x] CVE lookup plugin (local NVD JSON feed) - [x] Data update script (cron-friendly, all local DBs) ## v0.5.0 -- Wave 4 Plugins (Advanced) (done) - [x] Operational logging plugin (SQLite per-channel) - [x] Persistent notes plugin (per-channel key-value) - [x] Subdomain enumeration (crt.sh + wordlist DNS brute) - [x] HTTP header fingerprinting (local signature db) - [x] ExploitDB search (local CSV clone) - [x] Payload template library (SQLi, XSS, SSTI, LFI, CMDi, XXE) ## v1.0.0 -- Stable (done) - [x] IRCv3 capability negotiation (CAP LS 302) - [x] Message tags support (IRCv3 @tags parsing) - [x] Channel management commands (kick, ban, unban, topic, mode) - [x] Plugin state persistence (SQLite key-value store) ## v1.1.0 -- Hardening + Wave 5 Plugins (done) - [x] Message truncation for IRC 512-byte limit - [x] Configurable reconnect backoff (exponential) - [x] Bot orchestrator + config merge tests - [x] `wayback` plugin (Wayback Machine snapshot lookup) - [x] `dork` plugin (Google dork query builder) - [x] Per-channel plugin enable/disable - [x] Structured logging (JSON output option) - [x] Integration tests with mock IRC server - [x] `username` plugin (cross-platform username enumeration) ## v1.2.0 -- Subscriptions + Proxy (done) - [x] `rss` plugin (RSS/Atom feed subscriptions with polling) - [x] `yt` plugin (YouTube channel follow via Atom feeds) - [x] `twitch` plugin (livestream notifications via public GQL) - [x] `alert` plugin (keyword alerts across 27 platforms) - [x] `searx` plugin (SearXNG web search) - [x] `tdns` plugin (TCP DNS via SOCKS5 proxy) - [x] `remind` plugin (one-shot, repeating, calendar-based reminders) - [x] SOCKS5 proxy transport layer (HTTP, TCP, async connections) - [x] Alert backends: YouTube, Twitch, SearXNG, Reddit, Mastodon, DuckDuckGo, Google News, Kick, Dailymotion, PeerTube, Bluesky, Lemmy, Odysee, Archive.org, Hacker News, GitHub, Wikipedia, Stack Exchange, GitLab, npm, PyPI, Docker Hub, arXiv, Lobsters, DEV.to, Medium, Hugging Face - [x] Alert result history (SQLite) with short IDs and `!alert info` - [x] OG tag fetching for keyword matching and date enrichment - [x] Invite auto-join with persistence - [x] Graceful SIGTERM shutdown - [x] InnerTube-based YouTube channel resolution for video URLs ## v1.2.1 -- Performance + Polish (done) - [x] HTTP opener caching at module level (eliminates per-request construction) - [x] `--tracemalloc` CLI flag for memory profiling (dumps to `data/derp.malloc`) - [x] Background seeding on `!alert add` (instant reply, seeds asynchronously) - [x] Per-backend error tracking with exponential backoff - [x] Concurrent fetches for multi-instance backends (PeerTube, Mastodon, Lemmy, SearXNG) - [x] `retries` parameter for `derp.http.urlopen` - [x] Alert output: ACTION line (metadata/URL) + PRIVMSG (full uncropped title) - [x] tracemalloc writes to file instead of logger (survives podman log buffer) ## v2.0.0 -- Multi-Server + Integrations - [x] Multi-server support (per-server config, shared plugins) - [x] Stable plugin API (versioned, breaking change policy) - [x] Paste overflow (auto-paste long output to FlaskPaste, return link) - [x] URL shortener integration (shorten URLs in subscription announcements) - [x] Webhook listener (HTTP endpoint for push events to channels) - [x] Granular ACLs (per-command permission tiers: trusted, operator, admin) - [x] `paste` command (manual paste to FlaskPaste) - [x] `shorten` command (manual URL shortening) - [x] `emailcheck` plugin (SMTP VRFY/RCPT TO) - [x] `canary` plugin (canary token generator/tracker) - [x] `virustotal` plugin (hash/URL/IP/domain lookup, free API) - [x] `abuseipdb` plugin (IP abuse confidence scoring, free tier) - [x] `jwt` plugin (decode tokens, show claims/expiry, flag weaknesses) - [x] `mac` plugin (OUI vendor lookup, local IEEE database) - [x] `pastemoni` plugin (monitor paste sites for keywords) - [x] `cron` plugin (scheduled bot commands on a timer) - [x] Plugin command unit tests (encode, hash, dns, cidr, defang) - [x] CI pipeline (Gitea Actions, Python 3.11-3.13, ruff + pytest) ## v2.1.0 -- Teams + Telegram Integration - [x] Microsoft Teams adapter via outgoing webhooks (no SDK) - [x] `TeamsBot` class with same plugin API as IRC `Bot` - [x] `TeamsMessage` dataclass duck-typed with IRC `Message` - [x] HMAC-SHA256 webhook signature validation - [x] Permission tiers via AAD object IDs - [x] IRC-only methods as no-ops (join, part, kick, mode, set_topic) - [x] Incoming webhook support for `send()` (proactive messages) - [x] Paste overflow via FlaskPaste (same as IRC) - [x] Teams `send()` routed through SOCKS5 proxy (bug fix) - [x] Telegram adapter via long-polling (`getUpdates`, no SDK) - [x] `TelegramBot` class with same plugin API as IRC `Bot` - [x] `TelegramMessage` dataclass duck-typed with IRC `Message` - [x] All Telegram HTTP through SOCKS5 proxy - [x] Message splitting at 4096-char limit - [x] `@botusername` suffix stripping in groups - [ ] Adaptive Cards for richer formatting (Teams) - [ ] Graph API integration for DMs and richer channel access (Teams) - [ ] Teams event handlers (member join/leave) ## v2.2.0 -- Protocol Expansion - [x] Mumble adapter via TCP/TLS protobuf control channel (text chat only) - [ ] Discord adapter via WebSocket gateway + REST API - [ ] Matrix adapter via long-poll `/sync` endpoint - [ ] XMPP adapter via persistent TCP + XML stanzas (MUC support) - [ ] Slack adapter via Socket Mode WebSocket - [ ] Mattermost adapter via WebSocket API - [ ] Bluesky adapter via AT Protocol firehose + REST API ## v2.3.0 -- Mumble Voice + Multi-Bot (done) - [x] pymumble transport rewrite (voice + text) - [x] Music playback: play/stop/skip/prev/queue/np/volume/seek/resume - [x] Voice ducking (auto-lower music on voice activity) - [x] Kept track library with metadata (!keep, !kept, !play #N) - [x] Smooth fade-out on skip/stop/prev, fade-in on resume - [x] In-stream seek with pipeline swap (no task cancellation) - [x] Multi-bot Mumble: extra bots via `[[mumble.extra]]` - [x] Per-bot plugin filtering (only_plugins / except_plugins) - [x] Voice STT (Whisper) + TTS (Piper) plugin - [x] Configurable voice profiles (voice, FX, piper params) - [x] Rubberband pitch-shifting via CLI (Alpine ffmpeg lacks librubberband) - [x] Bot audio ignored in sound callback (no self-ducking, no STT of bots) - [x] Self-mute support (mute on connect, unmute for audio, re-mute after) - [x] Autoplay shuffled kept tracks on reconnect (silence detection) - [x] Alias plugin (!alias add/del/list) - [x] Container management tools (tools/build, start, stop, restart, nuke, logs, status) ## v2.4.0 -- Music Discovery + Performance - [ ] Last.fm integration (artist.getSimilar, artist.getTopTags, track.getSimilar) - [ ] `!similar` command (find similar artists, optionally queue via YouTube) - [ ] `!tags` command (genre/style tags for current track) - [x] Pause/unpause (`!pause` toggle, position tracking, stale re-download) - [x] Autoplay continuous radio (random kept, silence-aware, cooldown between tracks) - [x] Periodic resume persistence (10s interval, survives hard kills) - [x] Track duration in `!np` (elapsed/total via ffprobe) - [x] `!announce` toggle (optional track announcements) - [x] Direct bot addressing (`merlin: say `, TTS via voice peer) - [x] Self-deafen on connect - [x] Fade-out click fix (conditional buffer clear, post-fade drain) - [x] cProfile analysis tool (`tools/profile`) - [x] Mute detection: skip duck silence when all users muted - [x] Autoplay shuffle deck (no repeats until full cycle) - [x] Seek clamp to track duration (prevent seek-past-end stall) - [x] Iterative `_extract_videos` (replace 51K-deep recursion with stack) - [x] Bypass SOCKS5 for local SearXNG (`proxy=False`) - [x] Connection pool: `preload_content=True` for SOCKS connection reuse - [x] Pool tuning: 30 pools / 8 connections (up from 20/4)