Prox OS Internal Docs
ProductRoadmapPlatform

Platform Roadmap

The platform roadmap sequences the control-plane capabilities behind the OS

The platform roadmap sequences the control-plane capabilities behind the OS Shell, App Store, official OS app prototypes, and future community apps.

Long-term direction: Prox OS explores OS Space, OS App, Source, AI Context, and Workflow as platform objects. The current shell registry, app contract, and /app-os prototypes are early foundations, not final server-side schemas.

Current Baseline

v0.1.x is now consolidated as the browser OS shell and UI foundation era. It includes completed work for windows, registry-driven app opening, route groups, local module apps, OS package apps, iframe apps, official static platform prototypes, developer tools, docs integration, deployment notes, static Pricing/Growth packaging signals, initial data surface primitives, initial media resource primitives, initial map/geospatial primitives, initial action intent primitives, initial command palette primitives, initial form/input primitives, initial editor primitives, initial collaboration primitives, and initial notification primitives, initial search primitives, initial file primitives, and initial AI UI primitives.

The current baseline is still local-first:

  • Runtime registry describes what can open now.
  • Store catalog may describe roadmap apps, templates, Spaces, Sources, and AI workflows.
  • @prox-os/actions provides early action intent, button, menu, toolbar, list, card, status, and Storybook primitives for context menu, command, resource, media, map, data, and AI action surfaces.
  • @prox-os/command provides early command, provider, ranking, palette, input, list, item, shortcut, preview, recent command, and Storybook primitives while leaving the real global launcher in the Shell.
  • @prox-os/forms provides early form contract, field primitives, Zod/RHF adapter, schema form renderer, validation summary, form actions, and Storybook primitives without owning real backend submission.
  • @prox-os/editor provides early editor contract, Tiptap rich text adapter, CodeMirror markdown/code/prompt adapter, toolbar/status/preview primitives, and Storybook examples without owning collaboration, persistence, or AI calls.
  • @prox-os/collaboration provides early participant, presence, comment, thread, mention, share, review, approval, action intent, and Storybook primitives without owning realtime transport, notifications, search, activity, security policy, or persistence.
  • @prox-os/notifications provides early notification, source, actor, target, action ref, badge, bell, toast, notification center, digest, preference, and Storybook primitives without owning browser push, service workers, delivery, persistence, activity timelines, or OS runtime state.
  • @prox-os/search provides early searchable document, query, filter, facet, ranking, highlight, preview, recent/saved search, local adapter, and Storybook primitives without owning backend search, crawlers, embeddings, vector search, permission enforcement, or OS runtime state.
  • @prox-os/files provides early file, folder, storage provider, location, preview, transfer, picker, browser, metadata, storage usage, and adapter primitives without owning storage backends, uploads, downloads, browser file-system permissions, sync engines, permission enforcement, or OS runtime state.
  • @prox-os/ai-ui provides early AI session, message, run, tool call, approval, artifact, context source, citation, model selector, usage, risk, and Storybook primitives without owning LLM providers, AI SDKs, streaming backends, agent runtimes, MCP, tool execution, RAG, embeddings, vector search, or OS runtime state.
  • @prox-os/security-ui provides early principal, resource, permission, risk, trust, sensitivity, policy notice, security event, audit event, session, device, token, access review, and Storybook primitives without owning auth providers, policy engines, KMS, scanners, audit persistence, permission enforcement, or OS runtime state.
  • @prox-os/workspace-ui provides early workspace, space, member, role, resource, project, milestone, settings, onboarding, integration, stats, dashboard, switcher, and Storybook primitives without owning workspace backends, invite delivery, billing, project management engines, permission enforcement, or OS runtime state.
  • @prox-os/activity provides early activity actor, target, object, event, feed, group, digest, stats, redaction, timeline, detail, and Storybook primitives without owning analytics, telemetry, realtime streaming, event store, audit persistence, or OS runtime state.
  • @prox-os/data-contract, @prox-os/data-table, and @prox-os/data-viz provide early structured data display primitives with Storybook examples.
  • @prox-os/media provides early image, avatar, cover, embed, external link, provider, allowlist, transform, and context action primitives.
  • @prox-os/maps provides early map, marker, layer, attribution, provider, tile policy, and geospatial action primitives.
  • /app-os/* platform apps are static UI prototypes.
  • API Worker exposes only the skeleton health/OpenAPI/Scalar surfaces.
  • Database work is documented conceptually; no production platform migrations are part of this roadmap slice.

Proxied App Catalog Roadmap

Proxied Apps make third-party websites searchable, manageable, and launchable as app-like assets without claiming every site can be embedded.

PhaseScopeStatus
v0Manual curated seed catalog with compatibility status, launch mode, fallback copy, and Proxied Space templates.Current UI prototype
v1User-submitted URL intake with automatic title/icon/description metadata parsing and personal-only entries before review.Planned
v2Backend crawler and enrichment pipeline for catalog metadata, screenshots, policy checks, and safety review queues.Future
v3Cautious web discovery that is robots-aware, compliance-aware, rate-limited, and reviewable.Future

Browser-only Prox OS must not bypass X-Frame-Options, CSP frame-ancestors, authentication boundaries, or mixed-content policy. Popular blocked apps can remain visible and may receive dedicated fallback UI later.

Future client routes:

  • PWA: installable shell and stronger offline affordances.
  • Device Studio: responsive web and Mobile Launchpad PWA first, then declarative Studio View JSON, Gallery / Templates / Verified Views, and an Expo-based native companion only when native capabilities are validated.
  • Browser extension helper: user-permissioned link capture and metadata submission.
  • Tauri/Electron desktop client: possible system-level link interception, global shortcuts, tray, local indexing, and cookie/profile isolation research.
  • OS-level or bootable appliance exploration: ChromeOS-like, Linux shell, kiosk, or Prox OS Flex-style distribution is long-term imagination only.

Cookie/profile isolation is a desktop-client-only investigation, not a browser-shell promise.

The full staged client path is summarized in docs/platform/architecture/operations/client-and-os-roadmap.md and docs/product/clients/device-studio/README.md.

Device Studio Roadmap Addendum

Device Studio is a companion layer for Prox OS, not a mobile clone of the desktop shell.

HorizonScopeStatus
v0.x / near-termResponsive mobile pass for key Studio surfaces, Mobile Launchpad UI mock, Device Studio docs, and Studio View JSON draft.Planned - docs first
v0.x+ / mid-termPWA installability, mobile capture mock toward real APIs later, notification design, Gallery / Templates / Verified Views design.Planned
LaterExpo native companion exploration, push notifications, share extension, camera/photo library integration, native permission layer, and verified mini experience governance.Future

Native app is not a current implementation target. Device Studio should first be validated through Web/PWA. The mobile dynamic UI layer must be declarative and contract-driven.

Personal Record OS UI Layer

The v0.x UI layer now includes a mock-first personal record direction. This is not backend persistence yet. It adds richer OS app surfaces for game connectors, TypeScript learning, health, dreams, game sessions, places, movies, feeds, Madrid local life, trading journals, and AI-transparent publishing.

This direction is meant to prove an AI-readable life log shape:

  • common fields such as time, place, device, people, platform, cost, mood, and notes;
  • connector-first boundaries for external platforms;
  • sensitive health, finance, and location disclaimers;
  • future app translation after the English-first v0.1 phase is stable;
  • Boss Mode as a quick study-mode switch into TS Fullstack.

Future work should decide which records deserve a real backend schema, export format, permission policy, and AI summarization boundary.

Backend-first Platform Order

The current doctrine work prepares the next backend sequence without changing runtime routes:

Backend package architecture is now documented under docs/platform/packages/backend/*. That section is the source of truth for the future 15-package backend map, package radar, AI generation gates, boundary rules, and testing strategy. It does not authorize creating the packages before the contract and testing gates are met.

Now

  • Document Hub, Surface, URL, Space, Desktop, and WindowSession doctrine.
  • Keep the backend package graph documentation-only until implementation gates are satisfied.
  • Introduce Hub concepts into App Store and Pricing UI as static concepts.
  • Keep existing /app-os/* runtime routes unchanged.
  • Prepare backend model docs for User, Organization, Space, Desktop, Surface, InstalledSurface, WindowSession, and first business loops.
  • Identify the first backend platform partner role and AI support agents.

Next

  • Harden the API Worker skeleton through api-contract, api-kit, and observability before business routes expand.
  • Auth, login, and session baseline.
  • User, Organization, and Membership.
  • Space, Desktop, Surface, and InstalledSurface.
  • WindowSession persistence.
  • First real business loop: visitor, waitlist, activation code, and feedback.

Later

  • Moments and personal data backend.
  • Payment and entitlement after legal, tax, and payment readiness.
  • Marketplace listing.
  • Hub subscriptions.
  • Revenue split.
  • AI agent runtime.
  • Community spaces and developer publishing.

v0.2.x - Platform Foundation v0

v0.2.x is the first backend control-plane planning phase:

Identity, Space, App Catalog, App Registration, App Installation,
Permission Declaration, and backend contract planning.

This is not the Source/View killer demo phase yet. It prepares the objects that official apps, third-party apps, and future AI agents can operate on.

Confirmed Decisions

Decisionv0.2.x stance
First auth providerGitHub SSO
Google SSODeferred beyond first stage
Email/password loginDeferred beyond first stage
Space creationMinimal Space creation first
App registrationMinimal App registration first
App install/uninstallPersisted once backend implementation starts
Permission modelDeclaration and grant seeds before enforcement
URL strategyInternal IDs first; owner/slug later
DeploymentBYO GitHub plus BYO Cloudflare / Vercel / Netlify / custom deployment metadata
Deployment platformNot built in v0.2
AI BuilderNot implemented in v0.2.0; platform objects should be AI-operable later
MCP GatewayNot implemented in v0.2.0; permissions and audit concepts should leave room

v0.2.x Slices

VersionSliceStatusScope
v0.2.0API Contract and Platform Foundation RFCPlanned - docs firstHono + Zod OpenAPI direction, OpenAPI as API truth, MSW aligned with API shape, TanStack Query for server state, Drizzle/Neon direction, packages/os-actions as reusable action layer direction, no production DB migration without human approval.
v0.2.1Identity and Profile v0 PlanningPlannedGitHub SSO only, proposed profiles, accounts, sessions, GET /api/user/session, anonymous vs authenticated behavior, owner namespace claim, no Google/email login.
v0.2.2Space v0 PlanningPlannedMinimal proposed spaces, optional space_memberships, private / unlisted / public visibility, internal ID first, future owner/slug route.
v0.2.3App Catalog and Registration v0 PlanningPlannedProposed apps, app metadata, app source repo metadata, manifest metadata, iframe runtime first, future remote modules, official apps, community apps.
v0.2.4App Deployment Metadata v0 PlanningPlannedProposed app_sources, app_deployments, app_entrypoints, BYO Cloudflare Pages / Vercel / Netlify / custom deployment, URL/provider/environment/status/commit SHA metadata, no deployment platform.
v0.2.5App Installation and Shell Integration PlanningPlannedProposed app_installations, install/uninstall API shape, Shell reads installed apps, Dock/launcher integration direction, Space-scoped vs profile-scoped installation.
v0.2.6Permission Declaration v0 PlanningPlannedProposed permission_declarations, permission_grants, no complete enforcement, Permission Center later reads real metadata.
v0.2.7Source and View Bridge PlanningPlannedProposed sources, source_connections, source_sync_runs, views, and route toward card/table/radar/feed/timeline Views.
v0.2.8AI Builder Readiness PlanningPlannedNo code generation yet; define platform actions and future audit/build records so AI can later operate on real objects.

Early Permission Scopes

Permission v0 should start with declarations and grant seeds. These are proposed scope names, not enforced permissions today:

profile:read
space:read
space:write
app:install
source:read
asset:read
context:export
mcp:invoke:read

Source And View Bridge

v0.2.7 is the bridge toward the later killer apps. It should plan reusable Source and View objects before each app invents its own private shape.

Current package foundation:

  • @prox-os/actions defines shared action intent for open, copy, save, inspect, AI, and destructive actions before command palette, context menu, permissions, audit, and backend execution mature.
  • @prox-os/command converts apps, docs, routes, URLs, actions, settings, and AI intents into searchable commands before the Shell adopts a unified command provider model.
  • @prox-os/forms defines shared input and editing primitives for create/edit, settings, filters, metadata, confirmation, and future backend contract-driven forms.
  • @prox-os/editor defines shared editing primitives for rich text, markdown, code snippets, prompts, comments, app descriptions, and future AI-assisted content review.
  • @prox-os/collaboration defines shared collaboration primitives for presence, threads, mentions, sharing, review approval, and future provider-backed resource collaboration.
  • @prox-os/notifications defines shared notification primitives for badges, bells, toasts, notification center, digests, preferences, action refs, and future provider-backed notification delivery.
  • @prox-os/search defines shared search primitives for searchable documents, local search, filters, facets, previews, saved searches, and future provider-backed resource discovery.
  • @prox-os/files defines shared file primitives for files, folders, storage providers, paths, previews, transfers, file pickers, file browsers, and future provider-backed storage handoff.
  • @prox-os/security-ui defines shared security UI primitives for principals, resources, permission grants, access levels, risk/trust/sensitivity, policy notices, security events, audit rows, sessions, integration token metadata, and access reviews.
  • @prox-os/workspace-ui defines shared workspace UI primitives for personal homes, team workspaces, community spaces, creator spaces, Founder Suite, developer spaces, resources, projects, members, settings, onboarding, integrations, and workspace-aware handoffs.
  • @prox-os/activity defines shared activity timeline primitives for actors, targets, objects, events, feeds, groups, digests, stats, related resources, redaction, and cross-domain history handoffs.
  • @prox-os/data-contract defines OsDataset, fields, views, source refs, permissions, and neutral chart specs.
  • @prox-os/data-table provides TanStack Table primitives and a Glide Data Grid high-density preview.
  • @prox-os/data-viz provides ECharts, Vega-Lite, and Recharts adapters.
  • @prox-os/media provides a reusable media resource contract for source thumbnails, covers, screenshots, external links, and future attachments.
  • @prox-os/maps provides a reusable geospatial surface contract for source locations, markers, GeoJSON layers, static previews, and future map-backed views.
  • Grist is the first recommended white-box structured data reference integration, planned as self-hosted / iframe / external app / connector work, not vendored code.

Proposed source_type examples:

github_repo
github_list
rss_feed
web_url
figma_file
notion_database
r2_bucket
mcp_endpoint

Proposed view_type examples:

card_grid
table
radar_board
feed
timeline

Media Resource Bridge

@prox-os/media starts the shared media layer before each app invents its own image, avatar, cover, external link, or iframe rules.

Current package foundation:

  • OsMediaResource, OsImageSource, OsEmbedSource, and OsExternalLinkSource describe media without binding apps to one CDN.
  • OsImage, OsAvatar, OsCoverImage, OsImageGrid, OsMediaCard, OsEmbedFrame, OsYouTubeEmbed, and OsExternalLinkPreview provide the first Storybook-visible primitives.
  • OsImageTransform preserves Cloudflare Images / Image Transformations intent without implementing storage in this phase.
  • Media components emit context action intent; the OS Shell should own actual right-click menu execution.

Future phases:

  • Phase 2: R2 originals, Cloudflare Images / Transformations, signed URLs, and Worker-enforced private media.
  • Phase 3: OS Media Library for uploads, app assets, avatars, covers, attachments, provenance, permissions, search, and metadata inspection.

Map And Geospatial Bridge

@prox-os/maps starts the shared geospatial layer before each app invents its own marker, popup, provider, attribution, or tile policy rules.

Current package foundation:

  • OsCoordinate, OsGeoPoint, OsMapSource, and OsMapLayerConfig describe map data without binding apps to one proprietary map vendor.
  • OsMap, MapLibreMapPreview, OsMapCard, OsMapMarker, OsMapPopup, OsMapLayer, OsMapProviderBadge, OsMapAttribution, and OsStaticMapPlaceholder provide the first Storybook-visible primitives.
  • Map components emit geospatial context action intent; the OS Shell should own actual right-click menu execution.
  • Demo styles or public demo tiles are allowed for local previews only. Public OSM tile servers are not a production CDN for Prox OS.

Future phases:

  • Phase 2: PMTiles, Protomaps/OpenMapTiles, R2-hosted map archives, Cloudflare caching, Worker-signed/private tile access, and workspace-aware tile policy.
  • Phase 3: Places and geocoding with self-hosted Nominatim policy, Photon or Pelias adapters, search, and reverse geocoding.
  • Phase 4: Routing and tracks with OSRM, Valhalla, GraphHopper, GPX, GeoJSON, and Moments location history.
  • Phase 5: Spatial Data OS with geo dataset views, GeoJSON editing, deck.gl layers, heatmaps, user-owned spatial data, and community map spaces.

AI Builder Readiness

v0.2.x does not need to generate code. It should prepare objects so a future AI Builder can safely propose or execute these actions after the required contracts, approvals, and audits exist:

  • Create a Space.
  • Register an App.
  • Attach a GitHub repo.
  • Attach a deploy URL.
  • Declare permissions.
  • Install an App into a Space.
  • Propose a DB schema.
  • Propose an API route.
  • Create a Source or View.

Future planning-only tables:

ai_build_jobs
ai_build_artifacts
ai_code_sessions
ai_action_audit_logs

BYO Cloud Control Plane

Early platform strategy:

BYO GitHub + BYO Deploy + Prox Metadata Control Plane

Prox OS should not start by hosting all user code, files, databases, AI inference, and static resources. Early users can keep code in GitHub, deploy static apps to Cloudflare Pages, Vercel, Netlify, or a custom host, and use GitHub README, JSON, RSS, and third-party APIs as Sources. Prox OS stores metadata, manifests, Space index, profiles, stars, watches, install relations, permission declarations, and deployment metadata.

Candidate future creation flow:

1. Create App or Create Space.
2. Select template.
3. AI drafts manifest, README, layout, and data config.
4. Create or connect GitHub repo.
5. Connect Cloudflare Pages, Vercel, Netlify, or custom deployment.
6. Return deployed URL.
7. Register URL and metadata in Prox OS.
8. Publish to Profile, Space Gallery, or App Store draft.

Future Capability Sequence

PhasePrimary capability workProduct surface
v0.1.xApp Runtime and View foundations through registry, windows, iframe hosting, reusable app package boundaries, and static OS app prototypes.OS Shell, App Store, /app-os prototypes, developer apps
v0.2.xPlatform Foundation v0 through identity, Spaces, app catalog/registration, installation, permission declarations, deployment metadata, and API/DB planning.Profile, Space, Developer Console, Permission Center, Pricing
v0.3.xSource/View and publishing foundations for public Spaces, templates, clone/remix, owner/slug URLs, and featured catalogs.Awesome GitHub Radar, RSS Knowledge Inbox, Space Gallery
v0.4.xApp Runtime developer surface: manifest standardization, SDK exploration, Window API, Theme API, Permission API, AI Context API, and mobile declarative View contract hardening.Developer App Platform, app templates, app validation, Device Studio renderer
v0.5.xSource, Permission, Knowledge, and MCP expansion after cloud-first workflows are proven.Local Bridge research, governed MCP Gateway, advanced connectors

Future OS App Portfolio

These app surfaces are a platform map, not an immediate implementation list. The current shell includes static /app-os UI prototypes for the core surfaces; see Platform Core App Prototypes for route names and prototype boundaries.

SurfacePlatform roleStatus
Prox StudioAI OS App and Space Builder for templates, manifests, README, layouts, data config, permissions, and publish drafts.Completed - static prototype
App StoreCurated discovery layer for featured Apps, Spaces, templates, installed apps, and incubating concepts.Completed - catalog prototype
Space GalleryPublic browsing surface for featured Spaces, radars, dashboards, personal OS Homes, clone/remix, and badges.Completed - static prototype
Profile AppIdentity layer for pinned Spaces, published apps, public dashboards, repos, AI contexts, followers, stars, watchlist, and activity.Completed - static prototype
Developer ConsoleApp registration, manifest validation, entry URLs, OAuth callback config, API keys, webhooks, MCP registration, versioning, analytics.Completed - static prototype
Connectors HubNotion, Airtable, Coda, Google Sheets, GitHub, Stripe, ClickUp, monday.com, Smartsheet, Baserow, NocoDB, Softr, Glide, AppSheet, Power Apps, Retool, Appsmith, Budibase, RSS, Cloudflare, Vercel, Neon, Supabase, Hugging Face, Figma, Linear, Slack, static JSON, Obsidian Vault, Local Bridge later.Completed - static /app-hub prototype
Launcher HubNotion Sites, Obsidian Publish, Cloudflare Pages, Vercel, Netlify, GitHub Pages, v0, Lovable, Bolt, Claude Artifacts, personal landing pages, docs sites, demo sites.Completed - static /app-hub prototype
Design System HubProx Native, Bit.dev, Storybook, shadcn, Material Design, Fluent UI, Ant Design, Liquid Glass, style packs, AI-readable recipes.Completed - static /app-hub prototype
Permission CenterApp-to-Source access, Source-to-AI-Context access, public/private visibility, MCP tools, token storage/revoke/audit, read/write scopes.Completed - static prototype
MCP GatewayUnified MCP resources, tools, prompts, scopes, auth, rate limits, audit logs, and user approval.Completed - long-term static prototype
Business/Growth AppsLanding, Template Gallery, Space Analytics, Upgrade Center, Onboarding, Creator Dashboard, Feedback Inbox, Referral, CRM, Proposals, Pilot Pipeline.Completed - concept prototype

MCP rule:

OS App declares MCP capabilities.
Prox MCP Gateway enforces auth, scopes, rate limits, audit logs, and user approval.

Do not let every app open its own unmanaged MCP server by default.

Rules

  • Runtime registry describes what can open now.
  • Store catalog may describe roadmap apps, templates, Spaces, Sources, and AI workflows, but runtime launches must still flow through registered manifests.
  • Permission Platform must gate source access, AI context access, public publishing, and write-capable workflows before enforcement becomes real.
  • View Platform should avoid one-off app-only data shapes when the same data could be rendered as table, board, timeline, graph, calendar, dashboard, or window.
  • Publishing Platform should treat public Space, RSS feed, API, embed, and badge output as governed exports from private workspace data.
  • Production DB migrations, auth providers, payment providers, and MCP Gateway implementation require explicit human approval.

On this page