Skip to main content

Roadmap

What's shipped, what's next, what's deferred. Update as work lands.

Shipped

  • Short ag-XXXX agent IDs, renamable, propagated via SSE agent_renamed.
  • Agent Settings modal (cwd, env, autoRestart toggle, signal picker for kill).
  • AutoRestart supervisor with 5-per-60s ceiling.
  • SQLite agent history with 30-day retention (history.go) — env values redacted at insert time; corruption auto-rotates + recovers.
  • Secretless local dashboard on 127.0.0.1:33120/.
  • Tray: pair, spawn, kill, open local dashboard, idle-sensitive polling (2s busy / 5s idle).
  • PTY hub fanout — one PTY, many dashboard tabs; 64KB per-agent scrollback that survives client disconnects (late-joiners replay on attach).
  • RevenueCat Pro entitlement with machine-count gate (3 free) and history gate. Pricing (2026-04-22 relaunch): Free $0 (3 nodes, 7d history) · Pro $9/mo (unlimited nodes, 30d, priority tunnel, schedules, secrets) · Team $49/mo (5 seats, multi-owner, RBAC) · Enterprise contact (SSO/SLA/persistent orchestration). Legacy celistra_professional / celistra_enterprise product ids kept as deprecated aliases so grandfathered paid users keep Pro.
  • Kill signal picker (HUP/INT/TERM/QUIT/KILL) — SIGHUP closes PTY, others signal the child directly so long-running servers can trap SIGTERM.
  • SSE exponential-backoff reconnect (1s→30s cap) with per-machine status banner in the UI so the sidebar never silently drifts.
  • Cross-platform tray: platform-specific clipboard (pbcopy / xclip+xsel+wl-copy / clip.exe), attach-in-terminal (Terminal.app / gnome-terminal→konsole→xterm fallback chain / cmd /c start), and quick-spawn prompt (osascript / zenity / PowerShell InputBox) split behind build tags. Resize notification likewise — SIGWINCH on unix, no-op on Windows.

Shipped (cont.)

  • Sidebar search / filterfilteredMachines in src/components/Sidebar.tsx; matches on machine name, agent name, agent ID, or command.
  • Configurable scrollbackcelistrad --scrollback-kb N flag sets the per-agent ring size. Defaults 256KB; Pro users typically bump to 1024+.
  • CI for cross-platform daemon builds.github/workflows/daemon.yml builds macOS arm64/amd64, Linux amd64 (with GTK headers), and Windows amd64 on every push to main.
  • Env-mounted secrets~/.celistra_secrets.json (0600). Agent env entries of the form KEY=@secret:NAME are resolved at spawn time; the literal @secret:NAME is what gets stored on disk and in history. CRUD at /v1/secrets.
  • Scheduled agents — interval-based scheduler (~/.celistra_schedules.json). Each fire spawns through /v1/agents/spawn with Source=scheduled:<id>, so they show up in history and the UI like any other agent. CRUD at /v1/schedules.
  • Multi-owner machinesConfig.AllowedUIDs holds additional UIDs the owner has vouched for. Those UIDs can re-pair without a tray-approved challenge. Owner-only mutation at /v1/machine/share.

In Progress

  • Stable Pro tunnel subdomain — paid users currently get a random localhost.run subdomain that flaps. Needs either a managed tunnel (Cloudflare Tunnel named, frp) or a proxy layer that maps <machineId>.celistra.dev → current tunnel URL.

Next (meaty)

  • Agent dependencies — agent B waits until agent A is healthy (simple port probe / HTTP check).
  • Secrets/Schedules UI — backend is shipped; frontend currently only exposes them through DaemonClient methods. A small modal wired to the sidebar would close the loop.
  • Cron expressions for schedules — today intervalSeconds is a fixed interval. 0 9 * * * style via github.com/robfig/cron/v3 is the natural next step.

Reliability

  • Tunnel auto-heal telemetry — surface tunnel flaps in the UI so users know why they dropped off remote.
  • SSE reconnect — current dashboard relies on browser EventSource retry. Add explicit exponential backoff and a "SSE disconnected" banner.
  • History DB corruption recovery — if SQLite is unreadable, rename with a timestamp suffix and start fresh rather than disabling history silently.

Docs debt

  • CLI reference for celistrad --help. Document --no-tunnel, --headless, --port flags once they exist (none do yet).
  • Walkthrough: "from npm install to a working paired machine" as a single linear doc — currently split between README and the Pairing section in SECURITY.md.

Won't do (deliberate)

  • Browser-side command execution without pairing. Keeps the zero-trust model intact.
  • Arbitrary sudo / root commands. The command policy is load-bearing.
  • Storing machine secrets in Firestore. The whole point is the secret never leaves the box.