
Roadmap

What's built, what's in progress, and what's coming next.

Forge — Roadmap

Phase 1: Frontend Shell

  • Next.js 15 project with App Router + TypeScript + Tailwind CSS
  • Clerk authentication (sign up, sign in, protected routes)
  • Landing page (hero, features, how it works, pricing, waitlist)
  • Dashboard with file upload zone (react-dropzone)
  • Vault/graph view page with node cards
  • Ideation chat UI (message bubbles, markdown rendering, copy-to-clipboard)
  • Settings/account page (profile, subscription, usage, danger zone)
  • Sidebar navigation with user avatar

Phase 2: Backend + Wiring

  • PostgreSQL schema + pgvector + indexes (Supabase)
  • File upload API + Supabase Storage
  • Python ingestion worker (MarkItDown + ffmpeg, deployed to Railway)
  • Job queue via PostgreSQL polling (FOR UPDATE SKIP LOCKED)
  • Auto-linking engine (entity extraction, embeddings, semantic similarity, tag overlap)
  • 3-pass profiling engine (per-node extraction, graph analysis, profile synthesis)
  • Ideation chat backend (4-stage conversation, SSE streaming, Claude Sonnet 4)
  • Wire all frontend pages to backend APIs (no mock data in auth pages)
  • Deployment (Vercel + Railway + Supabase + Porkbun DNS)

Post-MVP: Built

  • D3 force-directed knowledge graph visualization with settings panel
  • URL import (Google Drive URLs + any public HTTP URL)
  • Mobile responsive design (all pages)
  • Video/audio transcription (ffmpeg + MarkItDown speech recognition)
  • Chat-to-graph feedback loop (profile enrichment, graph writer)
  • Admin dashboard (cost tracking, user management, plan assignment)
  • Voice-to-text input in ideation chat (Web Speech API)
  • Quick capture (text → auto-classified node via Claude)
  • Vault analytics (health scorecard, summary, hubs, orphans, sweep, rebuild)
  • Node operations (CRUD, merge, traverse, batch search, tag management, deep scan)
  • API usage tracking (per-call cost logging to api_usage table)
  • Rate limiting (tiered: auth 10/min, data 60/min, service 120/min)
  • Monthly usage tracking (monthly_usage table, plan-based limits)
  • Plan-based limits (Free: 10 uploads lifetime, 15 msg/mo, 1 session, 3 full ingestions/mo. Pro: unlimited uploads, 300 msg/mo, 10 sessions, 5 roadmaps, 30 full ingestions/mo, $7 cost ceiling)
  • Dual-tier ingestion (full vs lite, silent switch, deep scan upgrade)
  • Toast notification system (rate limit 429, usage limit 403, upgrade prompts)
  • Favicons, OG image, PWA manifest
  • Privacy policy and terms of service pages
  • Waitlist endpoint (real backend, waitlist table)
  • Clerk webhook handler (user.created, user.deleted)
  • Onboarding flow (Clerk privateMetadata — server-only)
  • Chat error recovery (rate limit retry, connection drop handling)
  • Response buffering with thinking indicator and contextual hint chips
  • Circuit breaker for external APIs (Anthropic, OpenAI) — 5 failures/60s trips, 30s cooldown
  • Webhook idempotency for Stripe via stripe_webhook_events table
  • UUID validation on all .or() PostgREST filter interpolations (SQL injection prevention)
  • IPv6 SSRF protection on URL imports (link-local, unique-local, IPv4-mapped ranges)
  • Structured logging via Pino (replaced all silent .catch(() => {}) blocks)
  • Environment variable validation at startup (Zod schema)
  • RAG context injection in ideation chat (embed query → search_by_embedding RPC → retrieved context added to the prompt)
  • N+1 query fix in /api/files (batched node/edge queries)
  • Edges user_id column for defense-in-depth user scoping
  • SEO optimization (OpenGraph, JSON-LD structured data, sitemap, robots.txt)
  • Health check endpoint (/api/health — public, for uptime monitors)
  • Tiered rate limiting (auth 10/min, data 60/min, service 120/min)
  • Payment status enforcement (past_due blocking with 402 responses)
  • Retroactive orphan fix endpoint (/api/vault/fix-orphans — service key internal)
  • Security audit sweep (145 fixes across 5 severity levels — see AUDIT-FIXES-LOG.md)
  • Data export endpoint (streaming vault export)
  • Error reporting endpoint (client-side error capture)
  • Admin Stripe sync endpoint (webhook failure recovery)
  • 3D knowledge graph on landing page (React Three Fiber)
  • Data retention policy documentation

Post-MVP: Scaffolded (Partially Built)

  • Google Drive OAuth — stub routes return 501, settings UI exists, env vars empty. Needs Google Cloud project, OAuth consent screen, credentials, token storage, file picker UI.
  • Stripe billing (end-to-end) — all routes built, real keys set (pk_live_, sk_live_, price_, whsec_). Webhook idempotency, past_due blocking, and invoice.payment_failed handling are implemented. End-to-end checkout → webhook → plan upgrade flow needs production testing.

Post-MVP: Not Built

  • Roadmap versioning — conversations stored but no comparison/versioning system for roadmap outputs
  • Team vaults — everything is single-user, no shared vault or role-based access
  • Onboarding interview flow — no guided Q&A fallback for users with few files (profiling auto-triggers at 3+ nodes but no interview mode)
  • Email notifications — src/lib/email.ts uses Resend SDK with circuit breaker. Needs RESEND_API_KEY env var and verified sender domain to go live.
  • Changelog/roadmap/about/blog pages — footer links point to #
  • Full test coverage — 118 unit tests across 17 files in src/__tests__/ and __tests__/ (all mocked). Integration and end-to-end tests not yet written.

Known Issues

  1. Stripe billing not fully end-to-end tested — webhook idempotency and past_due blocking are implemented, but the full checkout → webhook → plan upgrade flow needs production testing
  2. Footer links are placeholders — changelog, roadmap, about, blog, etc. all point to #
  3. upload_jobs CHECK constraint may be missing abandoned, cancelled, and permanently_failed statuses (added manually in Supabase, not in migration files)
  4. Migration file numbering is inconsistent — duplicate prefixes for 005, 006, 007. No formal migration runner.
  5. PERPLEXITY_API_KEY in .env is unused (not referenced in code)