Roadmap
What's shipped, what's next, what's deferred. Update as work lands.
Shipped
- Short
ag-XXXXagent IDs, renamable, propagated via SSEagent_renamed. - Agent Settings modal (cwd, env, autoRestart toggle, signal picker for kill).
- AutoRestart supervisor with 5-per-60s ceiling.
- SQLite agent history with 30-day retention (
history.go) — env values redacted at insert time; corruption auto-rotates + recovers. - Secretless local dashboard on
127.0.0.1:33120/. - Tray: pair, spawn, kill, open local dashboard, idle-sensitive polling (2s busy / 5s idle).
- PTY hub fanout — one PTY, many dashboard tabs; 64KB per-agent scrollback that survives client disconnects (late-joiners replay on attach).
- RevenueCat Pro entitlement with machine-count gate (3 free) and history gate. Pricing (2026-04-22 relaunch): Free $0 (3 nodes, 7d history) · Pro $9/mo (unlimited nodes, 30d, priority tunnel, schedules, secrets) · Team $49/mo (5 seats, multi-owner, RBAC) · Enterprise contact (SSO/SLA/persistent orchestration). Legacy
celistra_professional/celistra_enterpriseproduct ids kept as deprecated aliases so grandfathered paid users keep Pro. - Kill signal picker (HUP/INT/TERM/QUIT/KILL) — SIGHUP closes PTY, others signal the child directly so long-running servers can trap SIGTERM.
- SSE exponential-backoff reconnect (1s→30s cap) with per-machine status banner in the UI so the sidebar never silently drifts.
- Cross-platform tray: platform-specific clipboard (
pbcopy/xclip+xsel+wl-copy/clip.exe), attach-in-terminal (Terminal.app / gnome-terminal→konsole→xterm fallback chain /cmd /c start), and quick-spawn prompt (osascript / zenity / PowerShell InputBox) split behind build tags. Resize notification likewise — SIGWINCH on unix, no-op on Windows.
Shipped (cont.)
- Sidebar search / filter —
filteredMachinesinsrc/components/Sidebar.tsx; matches on machine name, agent name, agent ID, or command. - Configurable scrollback —
celistrad --scrollback-kb Nflag sets the per-agent ring size. Defaults 256KB; Pro users typically bump to 1024+. - CI for cross-platform daemon builds —
.github/workflows/daemon.ymlbuilds macOS arm64/amd64, Linux amd64 (with GTK headers), and Windows amd64 on every push tomain. - Env-mounted secrets —
~/.celistra_secrets.json(0600). Agentenventries of the formKEY=@secret:NAMEare resolved at spawn time; the literal@secret:NAMEis what gets stored on disk and in history. CRUD at/v1/secrets. - Scheduled agents — interval-based scheduler (
~/.celistra_schedules.json). Each fire spawns through/v1/agents/spawnwithSource=scheduled:<id>, so they show up in history and the UI like any other agent. CRUD at/v1/schedules. - Multi-owner machines —
Config.AllowedUIDsholds additional UIDs the owner has vouched for. Those UIDs can re-pair without a tray-approved challenge. Owner-only mutation at/v1/machine/share.
In Progress
- Stable Pro tunnel subdomain — paid users currently get a random
localhost.runsubdomain that flaps. Needs either a managed tunnel (Cloudflare Tunnel named,frp) or a proxy layer that maps<machineId>.celistra.dev→ current tunnel URL.
Next (meaty)
- Agent dependencies — agent B waits until agent A is healthy (simple port probe / HTTP check).
- Secrets/Schedules UI — backend is shipped; frontend currently only exposes them through
DaemonClientmethods. A small modal wired to the sidebar would close the loop. - Cron expressions for schedules — today
intervalSecondsis a fixed interval.0 9 * * *style viagithub.com/robfig/cron/v3is the natural next step.
Reliability
- Tunnel auto-heal telemetry — surface tunnel flaps in the UI so users know why they dropped off remote.
- SSE reconnect — current dashboard relies on browser EventSource retry. Add explicit exponential backoff and a "SSE disconnected" banner.
- History DB corruption recovery — if SQLite is unreadable, rename with a timestamp suffix and start fresh rather than disabling history silently.
Docs debt
- CLI reference for
celistrad --help. Document--no-tunnel,--headless,--portflags once they exist (none do yet). - Walkthrough: "from
npm installto a working paired machine" as a single linear doc — currently split between README and the Pairing section in SECURITY.md.
Won't do (deliberate)
- Browser-side command execution without pairing. Keeps the zero-trust model intact.
- Arbitrary
sudo/ root commands. The command policy is load-bearing. - Storing machine secrets in Firestore. The whole point is the secret never leaves the box.