# irc.now Platform Roadmap

High-level vision and phase overview. Detailed implementation plans are written per-phase as work begins.

## Vision

irc.now is a hosted IRC services platform. Sign up, get a bouncer. Upgrade to pro, get a dedicated bouncer with a custom hostname. Host your own IRC network. Run bots with Lua scripts. Share images and pastes. Everything connected through one account with SSO.

## Completed Phases

### Phase 1: Foundation -- done

Core platform: Rust workspace, CNPG, Keycloak at auth.irc.now, soju-operator, account portal at my.irc.now, landing page at irc.now.

### Phase 1.5: Fill the Gaps -- done

Auth guard, users table, bouncer CRUD, Stripe checkout, content pages, profile, favicons/OG images.

Remaining ops tasks: replace placeholder stripe-keys, Upptime deployment, remove znc.josie.lol DNS.

### Phase 2: Observability -- done

Prometheus (OCP user workload monitoring), Grafana at stats.irc.now (Keycloak SSO), ServiceMonitors for all services, Alertmanager (email delivery).

### Phase 3: Supporting Services -- done

chat.irc.now (gamja), txt.irc.now (pastebin), irc.pics (image host), content expiry synced to Keycloak claims.

Remaining: log search add-on ($2/mo).

### Phase 5: Analytics -- done

Events table, business metrics (MRR, signups, conversion, churn), per-user stats dashboard, Grafana admin dashboards. Onboarding funnel (signups -> bouncer create -> return), time-to-first-bouncer, feature adoption gauges, connected users 5m, per-network deliveries, bot execution metrics (script runs/duration/errors), HTTP error rate panels, storage growth prediction. Dashboard duplicate series bug fixed (max() aggregation).

Remaining: retention cohorts by acquisition channel.

---

## Active / In Progress

### Phase 4: Network Hosting

Let users run their own IRC networks. Starter: $12/mo (50 users, 1 server, 3 bots). Growth: $24/mo (200 users, 3 servers, 10 bots).


| Item | Description | Status |
|------|-------------|--------|
| ergo-operator | kube.rs operator managing ErgoNetwork CRDs, OAuth2, IP cloaking | done |
| ErgoNetwork CRD | Reconciles into Deployment, ConfigMap, Service, Route, Certificate | done |
| net.irc.now | First ErgoNetwork instance, upstream auto-configured via bouncer watcher | done |
| IRCCloud migration | `/migrate` flow: import servers + channels from IRCCloud into soju | done |
| Portal integration | Network management tab (list, create, detail, delete, status polling) | done |
| DNS | Wildcard `*.irc.now` or per-tenant subdomain creation | planned |

**Architecture note:** ergo is MIT licensed, so if you need to patch it for multi-tenant features (custom MOTD, connection limits, telemetry hooks) there are no license constraints.

---

### Phase 6: Bots

Managed IRC bot runtime. The differentiating feature. Standalone: $2/mo per bot. Network hosting plans include bot quotas.

| Item | Description | Status |
|------|-------------|--------|
| Bot runner | Rust service, manages bot instances in-process, one mlua (Lua 5.4) VM per bot | done |
| IRC connectivity | Bots connect through user's soju bouncer to any network | done |
| Built-in modules | Moderation (anti-spam, flood, pattern ban), utility (URL titles, !seen, stats), feeds (RSS, webhook relay, reminders) | planned |
| Lua sandbox | Event-driven API: on_message/on_join/etc, IRC commands, KV store, timers, rate-limited http_get | done |
| Portal UI | Bot CRUD, module toggles, Lua script editor, live log viewer, KV browser | planned |

**Runtime model:** All bots run in a single Deployment, multiplexed on async IRC connections via tokio. No per-bot CRD -- configs live in the database.

**Sandbox boundaries:** No `os`, `io`, `require`, `loadfile`. Scripts can only call the IRC API and KV store. `http_get` is allowlisted and rate-limited.

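
One way a Rust bot runner could enforce the `http_get` boundary on the host side, as an added example that is not irc.now's own code. `HttpGate`, `Denied`, the allowlisted host, the fixed-window algorithm and the 2-calls-per-minute limit are all assumptions for illustration.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};
/// Why a script's `http_get` call was refused.
#[derive(Debug, PartialEq)]
pub enum Denied { BadUrl, HostNotAllowed, RateLimited }

/// Host-side gate for `http_get`. Hypothetical type; limits are assumed values.
pub struct HttpGate {
    allowed_hosts: Vec<String>,
    limit: u32,
    window: Duration,
    used: HashMap<u64, (Instant, u32)>, // bot id -> (window start, calls counted)
}

impl HttpGate {
    pub fn new(allowed_hosts: &[&str], limit: u32, window: Duration) -> Self {
        let allowed_hosts = allowed_hosts.iter().map(|h| h.to_ascii_lowercase()).collect();
        HttpGate { allowed_hosts, limit, window, used: HashMap::new() }
    }

    /// Host of an `https://` URL, lowercased; None for other schemes or userinfo.
    fn host(url: &str) -> Option<String> {
        let rest = url.strip_prefix("https://")?;
        let authority = rest.split(|c: char| c == '/' || c == '?' || c == '#').next()?;
        if authority.is_empty() || authority.contains('@') { return None; }
        let host = authority.split(':').next()?;
        Some(host.trim_end_matches('.').to_ascii_lowercase())
    }

    /// Decide one call at time `now`. Refused calls do not use up quota.
    pub fn check(&mut self, bot: u64, url: &str, now: Instant) -> Result<(), Denied> {
        let host = Self::host(url).ok_or(Denied::BadUrl)?;
        // Exact match only: suffix or substring tests admit look-alike hosts.
        if !self.allowed_hosts.contains(&host) { return Err(Denied::HostNotAllowed); }
        let slot = self.used.entry(bot).or_insert((now, 0));
        if now.duration_since(slot.0) >= self.window { *slot = (now, 0); } // new window
        if slot.1 >= self.limit { return Err(Denied::RateLimited); }
        slot.1 += 1;
        Ok(())
    }
}

fn main() {
    // Constructed sample: one allowed host, 2 calls per minute per bot.
    let mut gate = HttpGate::new(&["api.example.com"], 2, Duration::from_secs(60));
    for url in ["https://api.example.com/feed.xml", "https://internal.example/"] {
        println!("{} -> {:?}", url, gate.check(1, url, Instant::now()));
    }
}
```

A gate like this only vets the URL string the script passes in; any redirect the HTTP client follows would need the same check.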

---

### Phase 7: Shared Bouncer

Free-tier shared bouncer, pro-tier dedicated bouncers with gamja sidecar, plan gating, validation webhook, bidirectional migration.

| Item | Description | Status |
|------|-------------|--------|
| soju-shared | SojuBouncer CR for free-tier shared bouncer, multi-user mode | deployed |
| chat.irc.now routing | nginx proxies to soju-shared instead of individual bouncer | deployed |
| Keycloak chat token | access.token.lifespan set to 8h on chat client (was 5min default) | done |
| Plan gating (web-api) | Free users blocked from creating bouncers + networks, dashboard shows shared bouncer UI | code done |
| Gamja sidecar | soju-operator adds gamja container + edge Route to dedicated bouncers | code done |
| bouncer-webhook | ValidatingWebhookConfiguration enforces plan + max bouncer count | code done |
| Migration module | Forward + reverse user data copy between soju tenant DBs | code done |
| Network limit | Free tier limited to 1 upstream network (portal-level) | code done |
| Deploy + E2E test | Rebuild soju-operator, web-api, bouncer-webhook; test free/pro flows | pending |
| Migration wiring | Connect bouncer create handler to soju tenant DBs for live migration | pending |
| Soju network limit | Enforce 1-network limit at soju level (IRC command bypass) | pending |
| Downgrade UI | Network picker for reverse migration on pro->free | pending |

**Design doc:** `docs/plans/2026-03-07-shared-bouncer-design.md`

**Implementation plan:** `docs/plans/2026-03-07-shared-bouncer-plan.md`

---

### Trust & Safety -- done

Content moderation, abuse reporting, account suspension, CSAM scanning, legal pages, upload rate limiting.


| Item | Description | Status |
|------|-------------|--------|
| Account suspension | `is_admin`, `suspended_at` columns, Keycloak disable, auth guard check | done |
| Admin panel | Report queue, user search, suspend/unsuspend, audit log, stats | done |
| Abuse reports | Public report form at /report, stored in accounts-db | done |
| Hidden content | `hidden` column on images/pastes, internal hide/unhide/delete APIs | done |
| CSAM scanning | PhotoDNA integration on pics upload, fail-closed, incident logging | done |
| Rate limiting | In-memory per-user upload limits (pics: 10/30 per hr, txt: 20/60 per hr) | done |
| Legal pages | Terms, privacy policy, acceptable use policy at irc.now | done |
| Report links | "report" links on pics view and txt view pages | done |

**Remaining:** Apply DB migrations, create `photodna-credentials` secret, deploy, register with IWF/NCMEC for API reporting access, get legal review on draft pages.

---

## Cross-Cutting Concerns

### Auth

All services authenticate via Keycloak OIDC. The `common` crate provides Axum middleware that validates tokens and extracts `UserClaims` (sub, email, plan, stripe_customer_id).

### Design System

Newsreader/Outfit/JetBrains Mono fonts, green-on-dark palette, IRC-native component patterns. Shared via static CSS files.

### Deployment

Everything runs on OCP. Container images built via `oc builds` (multi-stage Rust builds to UBI9-minimal). OCP Routes handle TLS termination per subdomain. cert-manager issues certificates via Let's Encrypt. CNPG manages PostgreSQL. platform-operator manages WebService/ChatService/MinioInstance CRDs.

### Database Strategy

Single CNPG cluster. Separate databases per service (keycloak, accounts, paste, pics). Per-tenant databases for operators (soju_*, ergo_*). Operators hold master credentials and create scoped roles per tenant.