Roadmap — Planned & Not Yet Implemented
These surfaces are designed (see the docs/design/ notes) and, in several cases,
partially plumbed through the schema — but they are not yet callable. This page lists
each one, what it will do, its current state, and where the design lives, so the reference
above stays honest about the line between shipped and planned.
The data engine is built in stages; A–F are shipped (private tables, resources,
membership, mounts, link/unlink, federated queries, the access engine, the onMemberRemove
lifecycle, object storage, and user profiles + identity resolution). The osgarden
CLI (deploy, typegen) ships too. What remains within Stage F is visitors; Phase 3+
(realtime, functions, jobs) and the design-needed items below are still open.
Files & storage — shipped (Stage E)#
Object storage on both private and resource scopes: upload, download, url, list,
metadata, updateMetadata, delete, move, copy, backed by a storage adapter (local
dir in dev; S3 later). .url() is same-origin and cookie-authed. Uploads escrow a
one-time storage_write charge against the at-rest payer; downloads meter storage_egress
to the fetcher. See docs/api/files.md. Still pending: visitor-sponsored
(signed-out) .url() reads, and the recurring GB-month at-rest sweep (see
docs/metering.md).
Users & profiles — shipped (Stage F)#
user_profiles ({ userId, displayName, avatarUrl, handle }), osgarden.users(id).profile()
/ .profiles(), auth.getUser() = { id, profile } (email is never exposed), the reserved
author(...) projection on mounted tables, and account deletion (onOwnerDelete:
remove / tombstone / retain, with the reserved deleted-user profile). See
docs/api/users.md. Still pending within Stage F: visitors (below).
Visitors & the app allowance#
Stage F — not implemented.
Sessionless (cookieless) reads for anonymous visitors on public resources that opt in
with visitors({ read: true }), served at the resource's default role and metered to
the app's allowance rather than a user wallet — with sponsor_exhausted when the
allowance is spent. Backed by the app_allowance ledger (a bootstrap grant plus a rate ×
cumulative user spend), which also funds statics and cron, and enables true
payer: "split" settlement.
- Schema today:
visitors({ read })is parsed and validated (a visitor-read resource must be public) but not enforced. - Design:
docs/design/db.md,docs/design/auth.md.
Realtime — channels & presence#
Phase 3 — not implemented.
Publish/subscribe channels and presence scoped to the resource boundary
(channel(name, { subscribe, publish }), presence({ read })).
- Schema today:
channel(...)andpresence(...)are parsed and stored so schemas are forward-compatible; nothing is enforced or served. - Design:
docs/design/realtime.md.
Billing: spend-threshold notifications#
Not implemented.
Notify a user as their spend on an app approaches its monthly cap (e.g. 50/80/100% thresholds), delivered by email. There is deliberately no global cross-app cap — the per-app cap plus this notification is the intended control surface. See billing.md.
Explicit custom migrations#
Design needed.
migration(async (db) => { … }) is sketched (see schema-and-deploy.md)
and the 409 migration_blocked gate works, but the surrounding process is
underspecified: where migration files live and how they're named/ordered, how the CLI
bundles them into a /deploy payload, dry-run/preview before applying, and rollback on
a failed migration. Needs a design pass before the first blocked deploy in anger.
Unified metering / rate card#
Partially landed. The shared rate card now lives in
docs/metering.md, enumerating every surface as (payer, rate,
mechanism). Still open: the recurring GB-month at-rest sweep — file storage
currently charges a one-time per-byte storage_write at upload (padded to amortize
retention) rather than a monthly accrual. Realtime/functions/jobs will add their own
dimensions to the card as they land.
Functions#
Not implemented.
App-defined server functions running against the resource boundary, with the same access and metering model as the rest of the platform.
- Design:
docs/design/functions.md.
Jobs#
Not implemented.
Scheduled and background work (cron, queues) sharing the resource/permission model.
- Design:
docs/design/jobs.md.
Shipped-area caveats (recap)#
Even within the implemented surface, a few paths are deliberately simplified for now:
| Behavior | Current | Target |
|---|---|---|
payer: "split" | bills the actor | true split via the resource allowance (visitors) |
| File at-rest cost | one-time charge at upload | recurring GB-month sweep (see docs/metering.md) |
| Member removal on files | remove (deletes their files) | per-bucket hide/retain (column is in place) |
| Account deletion of owned resources | deletes them outright | optional ownership transfer |
.url() for signed-out visitors | requires a session | visitor-sponsored reads (visitors, above) |
See README.md.