Platform Roadmap
The platform roadmap sequences the control-plane capabilities behind the OS
The platform roadmap sequences the control-plane capabilities behind the OS Shell, App Store, official OS app prototypes, and future community apps.
Long-term direction: Prox OS explores OS Space, OS App, Source,
AI Context, and Workflow as platform objects. The current shell registry,
app contract, and /app-os prototypes are early foundations, not final
server-side schemas.
Current Baseline
v0.1.x is now consolidated as the browser OS shell and UI foundation era. It
includes completed work for windows, registry-driven app opening, route groups,
local module apps, OS package apps, iframe apps, official static platform
prototypes, developer tools, docs integration, deployment notes, static
Pricing/Growth packaging signals, initial data surface primitives, initial media
resource primitives, initial map/geospatial primitives, initial action intent
primitives, initial command palette primitives, initial form/input primitives,
initial editor primitives, initial collaboration primitives, and initial
notification primitives, initial search primitives, initial file primitives,
and initial AI UI primitives.
The current baseline is still local-first:
- Runtime registry describes what can open now.
- Store catalog may describe roadmap apps, templates, Spaces, Sources, and AI workflows.
@prox-os/actionsprovides early action intent, button, menu, toolbar, list, card, status, and Storybook primitives for context menu, command, resource, media, map, data, and AI action surfaces.@prox-os/commandprovides early command, provider, ranking, palette, input, list, item, shortcut, preview, recent command, and Storybook primitives while leaving the real global launcher in the Shell.@prox-os/formsprovides early form contract, field primitives, Zod/RHF adapter, schema form renderer, validation summary, form actions, and Storybook primitives without owning real backend submission.@prox-os/editorprovides early editor contract, Tiptap rich text adapter, CodeMirror markdown/code/prompt adapter, toolbar/status/preview primitives, and Storybook examples without owning collaboration, persistence, or AI calls.@prox-os/collaborationprovides early participant, presence, comment, thread, mention, share, review, approval, action intent, and Storybook primitives without owning realtime transport, notifications, search, activity, security policy, or persistence.@prox-os/notificationsprovides early notification, source, actor, target, action ref, badge, bell, toast, notification center, digest, preference, and Storybook primitives without owning browser push, service workers, delivery, persistence, activity timelines, or OS runtime state.@prox-os/searchprovides early searchable document, query, filter, facet, ranking, highlight, preview, recent/saved search, local adapter, and Storybook primitives without owning backend search, crawlers, embeddings, vector search, permission enforcement, or OS runtime state.@prox-os/filesprovides early file, folder, storage provider, location, preview, transfer, picker, browser, metadata, storage usage, and adapter primitives without owning storage backends, uploads, downloads, browser file-system permissions, sync engines, permission enforcement, or OS runtime state.@prox-os/ai-uiprovides early AI session, message, run, tool call, approval, artifact, context source, citation, model selector, usage, risk, and Storybook primitives without owning LLM providers, AI SDKs, streaming backends, agent runtimes, MCP, tool execution, RAG, embeddings, vector search, or OS runtime state.@prox-os/security-uiprovides early principal, resource, permission, risk, trust, sensitivity, policy notice, security event, audit event, session, device, token, access review, and Storybook primitives without owning auth providers, policy engines, KMS, scanners, audit persistence, permission enforcement, or OS runtime state.@prox-os/workspace-uiprovides early workspace, space, member, role, resource, project, milestone, settings, onboarding, integration, stats, dashboard, switcher, and Storybook primitives without owning workspace backends, invite delivery, billing, project management engines, permission enforcement, or OS runtime state.@prox-os/activityprovides early activity actor, target, object, event, feed, group, digest, stats, redaction, timeline, detail, and Storybook primitives without owning analytics, telemetry, realtime streaming, event store, audit persistence, or OS runtime state.@prox-os/data-contract,@prox-os/data-table, and@prox-os/data-vizprovide early structured data display primitives with Storybook examples.@prox-os/mediaprovides early image, avatar, cover, embed, external link, provider, allowlist, transform, and context action primitives.@prox-os/mapsprovides early map, marker, layer, attribution, provider, tile policy, and geospatial action primitives./app-os/*platform apps are static UI prototypes.- API Worker exposes only the skeleton health/OpenAPI/Scalar surfaces.
- Database work is documented conceptually; no production platform migrations are part of this roadmap slice.
Proxied App Catalog Roadmap
Proxied Apps make third-party websites searchable, manageable, and launchable as app-like assets without claiming every site can be embedded.
| Phase | Scope | Status |
|---|---|---|
v0 | Manual curated seed catalog with compatibility status, launch mode, fallback copy, and Proxied Space templates. | Current UI prototype |
v1 | User-submitted URL intake with automatic title/icon/description metadata parsing and personal-only entries before review. | Planned |
v2 | Backend crawler and enrichment pipeline for catalog metadata, screenshots, policy checks, and safety review queues. | Future |
v3 | Cautious web discovery that is robots-aware, compliance-aware, rate-limited, and reviewable. | Future |
Browser-only Prox OS must not bypass X-Frame-Options, CSP
frame-ancestors, authentication boundaries, or mixed-content policy. Popular
blocked apps can remain visible and may receive dedicated fallback UI later.
Future client routes:
- PWA: installable shell and stronger offline affordances.
- Device Studio: responsive web and Mobile Launchpad PWA first, then declarative Studio View JSON, Gallery / Templates / Verified Views, and an Expo-based native companion only when native capabilities are validated.
- Browser extension helper: user-permissioned link capture and metadata submission.
- Tauri/Electron desktop client: possible system-level link interception, global shortcuts, tray, local indexing, and cookie/profile isolation research.
- OS-level or bootable appliance exploration: ChromeOS-like, Linux shell, kiosk, or Prox OS Flex-style distribution is long-term imagination only.
Cookie/profile isolation is a desktop-client-only investigation, not a browser-shell promise.
The full staged client path is summarized in
docs/platform/architecture/operations/client-and-os-roadmap.md and
docs/product/clients/device-studio/README.md.
Device Studio Roadmap Addendum
Device Studio is a companion layer for Prox OS, not a mobile clone of the desktop shell.
| Horizon | Scope | Status |
|---|---|---|
v0.x / near-term | Responsive mobile pass for key Studio surfaces, Mobile Launchpad UI mock, Device Studio docs, and Studio View JSON draft. | Planned - docs first |
v0.x+ / mid-term | PWA installability, mobile capture mock toward real APIs later, notification design, Gallery / Templates / Verified Views design. | Planned |
| Later | Expo native companion exploration, push notifications, share extension, camera/photo library integration, native permission layer, and verified mini experience governance. | Future |
Native app is not a current implementation target. Device Studio should first be validated through Web/PWA. The mobile dynamic UI layer must be declarative and contract-driven.
Personal Record OS UI Layer
The v0.x UI layer now includes a mock-first personal record direction. This is not backend persistence yet. It adds richer OS app surfaces for game connectors, TypeScript learning, health, dreams, game sessions, places, movies, feeds, Madrid local life, trading journals, and AI-transparent publishing.
This direction is meant to prove an AI-readable life log shape:
- common fields such as time, place, device, people, platform, cost, mood, and notes;
- connector-first boundaries for external platforms;
- sensitive health, finance, and location disclaimers;
- future app translation after the English-first v0.1 phase is stable;
- Boss Mode as a quick study-mode switch into TS Fullstack.
Future work should decide which records deserve a real backend schema, export format, permission policy, and AI summarization boundary.
Backend-first Platform Order
The current doctrine work prepares the next backend sequence without changing runtime routes:
Backend package architecture is now documented under
docs/platform/packages/backend/*. That section is the source of truth for the future
15-package backend map, package radar, AI generation gates, boundary rules, and
testing strategy. It does not authorize creating the packages before the
contract and testing gates are met.
Now
- Document Hub, Surface, URL, Space, Desktop, and WindowSession doctrine.
- Keep the backend package graph documentation-only until implementation gates are satisfied.
- Introduce Hub concepts into App Store and Pricing UI as static concepts.
- Keep existing
/app-os/*runtime routes unchanged. - Prepare backend model docs for User, Organization, Space, Desktop, Surface, InstalledSurface, WindowSession, and first business loops.
- Identify the first backend platform partner role and AI support agents.
Next
- Harden the API Worker skeleton through
api-contract,api-kit, andobservabilitybefore business routes expand. - Auth, login, and session baseline.
- User, Organization, and Membership.
- Space, Desktop, Surface, and InstalledSurface.
- WindowSession persistence.
- First real business loop: visitor, waitlist, activation code, and feedback.
Later
- Moments and personal data backend.
- Payment and entitlement after legal, tax, and payment readiness.
- Marketplace listing.
- Hub subscriptions.
- Revenue split.
- AI agent runtime.
- Community spaces and developer publishing.
v0.2.x - Platform Foundation v0
v0.2.x is the first backend control-plane planning phase:
Identity, Space, App Catalog, App Registration, App Installation,
Permission Declaration, and backend contract planning.This is not the Source/View killer demo phase yet. It prepares the objects that official apps, third-party apps, and future AI agents can operate on.
Confirmed Decisions
| Decision | v0.2.x stance |
|---|---|
| First auth provider | GitHub SSO |
| Google SSO | Deferred beyond first stage |
| Email/password login | Deferred beyond first stage |
| Space creation | Minimal Space creation first |
| App registration | Minimal App registration first |
| App install/uninstall | Persisted once backend implementation starts |
| Permission model | Declaration and grant seeds before enforcement |
| URL strategy | Internal IDs first; owner/slug later |
| Deployment | BYO GitHub plus BYO Cloudflare / Vercel / Netlify / custom deployment metadata |
| Deployment platform | Not built in v0.2 |
| AI Builder | Not implemented in v0.2.0; platform objects should be AI-operable later |
| MCP Gateway | Not implemented in v0.2.0; permissions and audit concepts should leave room |
v0.2.x Slices
| Version | Slice | Status | Scope |
|---|---|---|---|
v0.2.0 | API Contract and Platform Foundation RFC | Planned - docs first | Hono + Zod OpenAPI direction, OpenAPI as API truth, MSW aligned with API shape, TanStack Query for server state, Drizzle/Neon direction, packages/os-actions as reusable action layer direction, no production DB migration without human approval. |
v0.2.1 | Identity and Profile v0 Planning | Planned | GitHub SSO only, proposed profiles, accounts, sessions, GET /api/user/session, anonymous vs authenticated behavior, owner namespace claim, no Google/email login. |
v0.2.2 | Space v0 Planning | Planned | Minimal proposed spaces, optional space_memberships, private / unlisted / public visibility, internal ID first, future owner/slug route. |
v0.2.3 | App Catalog and Registration v0 Planning | Planned | Proposed apps, app metadata, app source repo metadata, manifest metadata, iframe runtime first, future remote modules, official apps, community apps. |
v0.2.4 | App Deployment Metadata v0 Planning | Planned | Proposed app_sources, app_deployments, app_entrypoints, BYO Cloudflare Pages / Vercel / Netlify / custom deployment, URL/provider/environment/status/commit SHA metadata, no deployment platform. |
v0.2.5 | App Installation and Shell Integration Planning | Planned | Proposed app_installations, install/uninstall API shape, Shell reads installed apps, Dock/launcher integration direction, Space-scoped vs profile-scoped installation. |
v0.2.6 | Permission Declaration v0 Planning | Planned | Proposed permission_declarations, permission_grants, no complete enforcement, Permission Center later reads real metadata. |
v0.2.7 | Source and View Bridge Planning | Planned | Proposed sources, source_connections, source_sync_runs, views, and route toward card/table/radar/feed/timeline Views. |
v0.2.8 | AI Builder Readiness Planning | Planned | No code generation yet; define platform actions and future audit/build records so AI can later operate on real objects. |
Early Permission Scopes
Permission v0 should start with declarations and grant seeds. These are proposed scope names, not enforced permissions today:
profile:read
space:read
space:write
app:install
source:read
asset:read
context:export
mcp:invoke:readSource And View Bridge
v0.2.7 is the bridge toward the later killer apps. It should plan reusable
Source and View objects before each app invents its own private shape.
Current package foundation:
@prox-os/actionsdefines shared action intent for open, copy, save, inspect, AI, and destructive actions before command palette, context menu, permissions, audit, and backend execution mature.@prox-os/commandconverts apps, docs, routes, URLs, actions, settings, and AI intents into searchable commands before the Shell adopts a unified command provider model.@prox-os/formsdefines shared input and editing primitives for create/edit, settings, filters, metadata, confirmation, and future backend contract-driven forms.@prox-os/editordefines shared editing primitives for rich text, markdown, code snippets, prompts, comments, app descriptions, and future AI-assisted content review.@prox-os/collaborationdefines shared collaboration primitives for presence, threads, mentions, sharing, review approval, and future provider-backed resource collaboration.@prox-os/notificationsdefines shared notification primitives for badges, bells, toasts, notification center, digests, preferences, action refs, and future provider-backed notification delivery.@prox-os/searchdefines shared search primitives for searchable documents, local search, filters, facets, previews, saved searches, and future provider-backed resource discovery.@prox-os/filesdefines shared file primitives for files, folders, storage providers, paths, previews, transfers, file pickers, file browsers, and future provider-backed storage handoff.@prox-os/security-uidefines shared security UI primitives for principals, resources, permission grants, access levels, risk/trust/sensitivity, policy notices, security events, audit rows, sessions, integration token metadata, and access reviews.@prox-os/workspace-uidefines shared workspace UI primitives for personal homes, team workspaces, community spaces, creator spaces, Founder Suite, developer spaces, resources, projects, members, settings, onboarding, integrations, and workspace-aware handoffs.@prox-os/activitydefines shared activity timeline primitives for actors, targets, objects, events, feeds, groups, digests, stats, related resources, redaction, and cross-domain history handoffs.@prox-os/data-contractdefinesOsDataset, fields, views, source refs, permissions, and neutral chart specs.@prox-os/data-tableprovides TanStack Table primitives and a Glide Data Grid high-density preview.@prox-os/data-vizprovides ECharts, Vega-Lite, and Recharts adapters.@prox-os/mediaprovides a reusable media resource contract for source thumbnails, covers, screenshots, external links, and future attachments.@prox-os/mapsprovides a reusable geospatial surface contract for source locations, markers, GeoJSON layers, static previews, and future map-backed views.- Grist is the first recommended white-box structured data reference integration, planned as self-hosted / iframe / external app / connector work, not vendored code.
Proposed source_type examples:
github_repo
github_list
rss_feed
web_url
figma_file
notion_database
r2_bucket
mcp_endpointProposed view_type examples:
card_grid
table
radar_board
feed
timelineMedia Resource Bridge
@prox-os/media starts the shared media layer before each app invents its own
image, avatar, cover, external link, or iframe rules.
Current package foundation:
OsMediaResource,OsImageSource,OsEmbedSource, andOsExternalLinkSourcedescribe media without binding apps to one CDN.OsImage,OsAvatar,OsCoverImage,OsImageGrid,OsMediaCard,OsEmbedFrame,OsYouTubeEmbed, andOsExternalLinkPreviewprovide the first Storybook-visible primitives.OsImageTransformpreserves Cloudflare Images / Image Transformations intent without implementing storage in this phase.- Media components emit context action intent; the OS Shell should own actual right-click menu execution.
Future phases:
- Phase 2: R2 originals, Cloudflare Images / Transformations, signed URLs, and Worker-enforced private media.
- Phase 3: OS Media Library for uploads, app assets, avatars, covers, attachments, provenance, permissions, search, and metadata inspection.
Map And Geospatial Bridge
@prox-os/maps starts the shared geospatial layer before each app invents its
own marker, popup, provider, attribution, or tile policy rules.
Current package foundation:
OsCoordinate,OsGeoPoint,OsMapSource, andOsMapLayerConfigdescribe map data without binding apps to one proprietary map vendor.OsMap,MapLibreMapPreview,OsMapCard,OsMapMarker,OsMapPopup,OsMapLayer,OsMapProviderBadge,OsMapAttribution, andOsStaticMapPlaceholderprovide the first Storybook-visible primitives.- Map components emit geospatial context action intent; the OS Shell should own actual right-click menu execution.
- Demo styles or public demo tiles are allowed for local previews only. Public OSM tile servers are not a production CDN for Prox OS.
Future phases:
- Phase 2: PMTiles, Protomaps/OpenMapTiles, R2-hosted map archives, Cloudflare caching, Worker-signed/private tile access, and workspace-aware tile policy.
- Phase 3: Places and geocoding with self-hosted Nominatim policy, Photon or Pelias adapters, search, and reverse geocoding.
- Phase 4: Routing and tracks with OSRM, Valhalla, GraphHopper, GPX, GeoJSON, and Moments location history.
- Phase 5: Spatial Data OS with geo dataset views, GeoJSON editing, deck.gl layers, heatmaps, user-owned spatial data, and community map spaces.
AI Builder Readiness
v0.2.x does not need to generate code. It should prepare objects so a future
AI Builder can safely propose or execute these actions after the required
contracts, approvals, and audits exist:
- Create a Space.
- Register an App.
- Attach a GitHub repo.
- Attach a deploy URL.
- Declare permissions.
- Install an App into a Space.
- Propose a DB schema.
- Propose an API route.
- Create a Source or View.
Future planning-only tables:
ai_build_jobs
ai_build_artifacts
ai_code_sessions
ai_action_audit_logsBYO Cloud Control Plane
Early platform strategy:
BYO GitHub + BYO Deploy + Prox Metadata Control PlaneProx OS should not start by hosting all user code, files, databases, AI inference, and static resources. Early users can keep code in GitHub, deploy static apps to Cloudflare Pages, Vercel, Netlify, or a custom host, and use GitHub README, JSON, RSS, and third-party APIs as Sources. Prox OS stores metadata, manifests, Space index, profiles, stars, watches, install relations, permission declarations, and deployment metadata.
Candidate future creation flow:
1. Create App or Create Space.
2. Select template.
3. AI drafts manifest, README, layout, and data config.
4. Create or connect GitHub repo.
5. Connect Cloudflare Pages, Vercel, Netlify, or custom deployment.
6. Return deployed URL.
7. Register URL and metadata in Prox OS.
8. Publish to Profile, Space Gallery, or App Store draft.Future Capability Sequence
| Phase | Primary capability work | Product surface |
|---|---|---|
v0.1.x | App Runtime and View foundations through registry, windows, iframe hosting, reusable app package boundaries, and static OS app prototypes. | OS Shell, App Store, /app-os prototypes, developer apps |
v0.2.x | Platform Foundation v0 through identity, Spaces, app catalog/registration, installation, permission declarations, deployment metadata, and API/DB planning. | Profile, Space, Developer Console, Permission Center, Pricing |
v0.3.x | Source/View and publishing foundations for public Spaces, templates, clone/remix, owner/slug URLs, and featured catalogs. | Awesome GitHub Radar, RSS Knowledge Inbox, Space Gallery |
v0.4.x | App Runtime developer surface: manifest standardization, SDK exploration, Window API, Theme API, Permission API, AI Context API, and mobile declarative View contract hardening. | Developer App Platform, app templates, app validation, Device Studio renderer |
v0.5.x | Source, Permission, Knowledge, and MCP expansion after cloud-first workflows are proven. | Local Bridge research, governed MCP Gateway, advanced connectors |
Future OS App Portfolio
These app surfaces are a platform map, not an immediate implementation list.
The current shell includes static /app-os UI prototypes for the core surfaces;
see Platform Core App Prototypes
for route names and prototype boundaries.
| Surface | Platform role | Status |
|---|---|---|
| Prox Studio | AI OS App and Space Builder for templates, manifests, README, layouts, data config, permissions, and publish drafts. | Completed - static prototype |
| App Store | Curated discovery layer for featured Apps, Spaces, templates, installed apps, and incubating concepts. | Completed - catalog prototype |
| Space Gallery | Public browsing surface for featured Spaces, radars, dashboards, personal OS Homes, clone/remix, and badges. | Completed - static prototype |
| Profile App | Identity layer for pinned Spaces, published apps, public dashboards, repos, AI contexts, followers, stars, watchlist, and activity. | Completed - static prototype |
| Developer Console | App registration, manifest validation, entry URLs, OAuth callback config, API keys, webhooks, MCP registration, versioning, analytics. | Completed - static prototype |
| Connectors Hub | Notion, Airtable, Coda, Google Sheets, GitHub, Stripe, ClickUp, monday.com, Smartsheet, Baserow, NocoDB, Softr, Glide, AppSheet, Power Apps, Retool, Appsmith, Budibase, RSS, Cloudflare, Vercel, Neon, Supabase, Hugging Face, Figma, Linear, Slack, static JSON, Obsidian Vault, Local Bridge later. | Completed - static /app-hub prototype |
| Launcher Hub | Notion Sites, Obsidian Publish, Cloudflare Pages, Vercel, Netlify, GitHub Pages, v0, Lovable, Bolt, Claude Artifacts, personal landing pages, docs sites, demo sites. | Completed - static /app-hub prototype |
| Design System Hub | Prox Native, Bit.dev, Storybook, shadcn, Material Design, Fluent UI, Ant Design, Liquid Glass, style packs, AI-readable recipes. | Completed - static /app-hub prototype |
| Permission Center | App-to-Source access, Source-to-AI-Context access, public/private visibility, MCP tools, token storage/revoke/audit, read/write scopes. | Completed - static prototype |
| MCP Gateway | Unified MCP resources, tools, prompts, scopes, auth, rate limits, audit logs, and user approval. | Completed - long-term static prototype |
| Business/Growth Apps | Landing, Template Gallery, Space Analytics, Upgrade Center, Onboarding, Creator Dashboard, Feedback Inbox, Referral, CRM, Proposals, Pilot Pipeline. | Completed - concept prototype |
MCP rule:
OS App declares MCP capabilities.
Prox MCP Gateway enforces auth, scopes, rate limits, audit logs, and user approval.Do not let every app open its own unmanaged MCP server by default.
Rules
- Runtime registry describes what can open now.
- Store catalog may describe roadmap apps, templates, Spaces, Sources, and AI workflows, but runtime launches must still flow through registered manifests.
- Permission Platform must gate source access, AI context access, public publishing, and write-capable workflows before enforcement becomes real.
- View Platform should avoid one-off app-only data shapes when the same data could be rendered as table, board, timeline, graph, calendar, dashboard, or window.
- Publishing Platform should treat public Space, RSS feed, API, embed, and badge output as governed exports from private workspace data.
- Production DB migrations, auth providers, payment providers, and MCP Gateway implementation require explicit human approval.