Skip to content

Research backlog & roadmap

Status Stable · Last verified 2026-07-12

This is the living to-do list. It’s deliberately honest about where v0.1 is thin. Priority: 🔴 high · 🟡 medium · ⚪ later.

  • Interactions deep-dives (2026-07-11): lifecycle, signature verification, slash commands, components/modals, responses & follow-ups, security pitfalls — all grounded in the official docs with verified enum values.
  • Changelog-watch reconciliation (2026-07-11): every entry checked against the primary change log; titles quoted; the DAVE date corrected (announced 2025-09-02, enforced 2026-03-01).
  • OAuth2 authorization-code flow (2026-07-11): deep page + runnable [oauth2-login] example with state/CSRF handling and unit tests.
  • OAuth2 live re-verification (2026-07-11): scopes catalogue, client-credentials & implicit grants documented; PKCE confirmed NOT documented (verified absence); token/revoke endpoints and the revocation cascade verified. New pages: scopes, other-grants.
  • OAuth2 token lifecycle (2026-07-11): tokens.mjs (refresh + revoke) with mocked-fetch tests in [oauth2-login].
  • Linked Roles (2026-07-11): doc page + runnable [oauth2-linked-roles] example (metadata records + user connection), verified against the role-connection-metadata and user resources.
  • Quality bar + CI (2026-07-12): pnpm test / pnpm check, GitHub Actions (secrets → tests → site build → internal links), optional pnpm hooks:install.
  • Secret-scanner packaging (2026-07-12): un-ignore scripts/check-secrets.mjs (was matched by *secret*); expand assignment patterns; document pre-commit.
  • Interaction endpoint hardening (2026-07-12): 5-min timestamp skew, strict hex, 256 KiB body cap, async try/catch; unit + HTTP tests for stale signatures.
  • Webhook payload limits (2026-07-12): enforce title/description/field caps that were previously only declared; shared isWebhookUrl accepts canary/ptb/vN.
  • Repo URL placeholders (2026-07-12): your-orgsnowyukitty across site config and docs (canonical until a different remote is set).
  • 🟡 OAuth2 — remaining: /oauth2/@me authorization-info usage; a client-credentials worked snippet; a full end-to-end Linked Roles server walkthrough.
  • 🟡 Gateway internals: sharding math, max-concurrency, resume vs re-identify, event catalogue.
  • 🟡 Monetization: entitlements, SKUs, subscriptions, testing purchases.
  • 🟡 Activities / Embedded App SDK: a real minimal Activity example.
  • 🟡 Moderation: AutoMod rules + events, audit-log patterns.
  • Voice/DAVE: developer-facing implications of mandatory E2EE.
  • Social SDK: overview for game developers (consoles, lobbies).
  • interaction-endpoint offline tests (HTTP + pure verify unit tests) — done 2026-07-11/12.
  • oauth2-login example (auth-code flow + token refresh/revoke, mocked-fetch tests) — done 2026-07-11.
  • oauth2-linked-roles example (role connection metadata) — done 2026-07-11.
  • bot-gateway-minimal: graceful shutdown (SIGINT/SIGTERM) already present.
  • 🟡 bot-gateway-minimal: add a components/button demo (still open).
  • embedded-activity example (Embedded App SDK hello-world).
  • ⚪ A packages/ shared helper (typed REST client wrapper) if examples start to duplicate code.
  • Reconcile changelog watch against the primary change log — done 2026-07-11 (titles quoted; DAVE corrected).
  • Link checkerpnpm check:links + CI on push/PR (2026-07-12).
  • Numeric limits verified (2026-07-11): content 2000, embeds 10, embed sub-limits + 6000 total confirmed against the message/webhook resources and marked Verified in send-messages. Webhook rate (~30/min) and attachment size stay intentionally non-fixed (not guaranteed / tier-dependent).
  • Modal facts verified (2026-07-11): the Label-over-Action-Row change is confirmed against the component reference; numeric modal caps are marked as ecosystem (discord.js) guidance since the API reference doesn’t pin them.
  • Pre-commit hook installerpnpm hooks:install (2026-07-12).
  • Change-detection automation (2026-07-13): scripts/changelog-watch.mjs diffs the official change log against research/changelog-snapshot.json; the weekly Change-log watch GitHub Action opens a triage issue on new entries. Clear with pnpm changelog:update after triaging into changelog watch.
  • 🟡 Starlight meta badges: wire .atlas-meta / .atlas-badge CSS to a real component that reads frontmatter (status / lastVerified / sources) instead of hand-written banner lines.
  • ⚪ A generated capability matrix page rendered from research/capability-matrix.yaml.
  • 🔴 Extend ja/zh-tw to the full getting-started track and webhooks/send-messages.
  • 🟡 Translate the security overview and glossary.
  • Track coverage in translation-status.
  • Cloudflare Pages hosting (2026-07-12/13): live at https://discord-platform-atlas.pages.dev — first publish via wrangler pages deploy (direct-upload). DEPLOY.md runbook, wrangler.jsonc, site/public/_headers, pnpm site:deploy. Connect-to-Git for push-to-deploy is still a one-time dashboard step (see DEPLOY.md). Canonical site set; update astro.config.mjs if a custom domain is attached.
  • 🟡 Custom 404 branding, favicon/logo, social-card image.
  • 🟡 Attach a custom domain and lock the production site URL.
  • ⚪ Versioned docs if/when Discord ships an API v11.
  • Exact, current numeric rate limits per webhook/route — documented as “don’t hard-code,” but we should record observed values with dates.
  • Precise unique-user counting for the 2026 privileged-intent threshold (how Discord computes “users who can see your app”).
  • Components V2 feature completeness vs the classic set — which patterns still require classic components.
  • Whether any atlas topic depends on Limited/allowlisted access we can’t verify first-hand.