Research backlog & roadmap
Status
Stable· Last verified 2026-07-12
This is the living to-do list. It’s deliberately honest about where v0.1 is thin. Priority: 🔴 high · 🟡 medium · ⚪ later.
Recently completed
Section titled “Recently completed”- ✅ Interactions deep-dives (2026-07-11): lifecycle, signature verification, slash commands, components/modals, responses & follow-ups, security pitfalls — all grounded in the official docs with verified enum values.
- ✅ Changelog-watch reconciliation (2026-07-11): every entry checked against the primary change log; titles quoted; the DAVE date corrected (announced 2025-09-02, enforced 2026-03-01).
- ✅ OAuth2 authorization-code flow (2026-07-11): deep page + runnable
[
oauth2-login] example withstate/CSRF handling and unit tests. - ✅ OAuth2 live re-verification (2026-07-11): scopes catalogue, client-credentials & implicit grants documented; PKCE confirmed NOT documented (verified absence); token/revoke endpoints and the revocation cascade verified. New pages: scopes, other-grants.
- ✅ OAuth2 token lifecycle (2026-07-11):
tokens.mjs(refresh + revoke) with mocked-fetch tests in [oauth2-login]. - ✅ Linked Roles (2026-07-11): doc page + runnable
[
oauth2-linked-roles] example (metadata records + user connection), verified against the role-connection-metadata and user resources. - ✅ Quality bar + CI (2026-07-12):
pnpm test/pnpm check, GitHub Actions (secrets → tests → site build → internal links), optionalpnpm hooks:install. - ✅ Secret-scanner packaging (2026-07-12): un-ignore
scripts/check-secrets.mjs(was matched by*secret*); expand assignment patterns; document pre-commit. - ✅ Interaction endpoint hardening (2026-07-12): 5-min timestamp skew, strict hex, 256 KiB body cap, async try/catch; unit + HTTP tests for stale signatures.
- ✅ Webhook payload limits (2026-07-12): enforce title/description/field caps
that were previously only declared; shared
isWebhookUrlaccepts canary/ptb/vN. - ✅ Repo URL placeholders (2026-07-12):
your-org→snowyukittyacross site config and docs (canonical until a different remote is set).
Content depth (tracks to expand)
Section titled “Content depth (tracks to expand)”- 🟡 OAuth2 — remaining:
/oauth2/@meauthorization-info usage; a client-credentials worked snippet; a full end-to-end Linked Roles server walkthrough. - 🟡 Gateway internals: sharding math, max-concurrency, resume vs re-identify, event catalogue.
- 🟡 Monetization: entitlements, SKUs, subscriptions, testing purchases.
- 🟡 Activities / Embedded App SDK: a real minimal Activity example.
- 🟡 Moderation: AutoMod rules + events, audit-log patterns.
- ⚪ Voice/DAVE: developer-facing implications of mandatory E2EE.
- ⚪ Social SDK: overview for game developers (consoles, lobbies).
Examples (runnable)
Section titled “Examples (runnable)”- ✅
interaction-endpointoffline tests (HTTP + pureverifyunit tests) — done 2026-07-11/12. - ✅
oauth2-loginexample (auth-code flow + token refresh/revoke, mocked-fetch tests) — done 2026-07-11. - ✅
oauth2-linked-rolesexample (role connection metadata) — done 2026-07-11. - ✅
bot-gateway-minimal: graceful shutdown (SIGINT/SIGTERM) already present. - 🟡
bot-gateway-minimal: add a components/button demo (still open). - ⚪
embedded-activityexample (Embedded App SDK hello-world). - ⚪ A
packages/shared helper (typed REST client wrapper) if examples start to duplicate code.
Verification & tooling
Section titled “Verification & tooling”- ✅ Reconcile changelog watch against the primary change log — done 2026-07-11 (titles quoted; DAVE corrected).
- ✅ Link checker —
pnpm check:links+ CI on push/PR (2026-07-12). - ✅ Numeric limits verified (2026-07-11):
content2000, embeds 10, embed sub-limits + 6000 total confirmed against the message/webhook resources and marked Verified in send-messages. Webhook rate (~30/min) and attachment size stay intentionally non-fixed (not guaranteed / tier-dependent). - ✅ Modal facts verified (2026-07-11): the Label-over-Action-Row change is confirmed against the component reference; numeric modal caps are marked as ecosystem (discord.js) guidance since the API reference doesn’t pin them.
- ✅ Pre-commit hook installer —
pnpm hooks:install(2026-07-12). - ✅ Change-detection automation (2026-07-13):
scripts/changelog-watch.mjsdiffs the official change log againstresearch/changelog-snapshot.json; the weeklyChange-log watchGitHub Action opens a triage issue on new entries. Clear withpnpm changelog:updateafter triaging into changelog watch. - 🟡 Starlight meta badges: wire
.atlas-meta/.atlas-badgeCSS to a real component that reads frontmatter (status / lastVerified / sources) instead of hand-written banner lines. - ⚪ A generated capability matrix page rendered from
research/capability-matrix.yaml.
Translations
Section titled “Translations”- 🔴 Extend ja/zh-tw to the full getting-started track and webhooks/send-messages.
- 🟡 Translate the security overview and glossary.
- Track coverage in translation-status.
Site & DX
Section titled “Site & DX”- ✅ Cloudflare Pages hosting (2026-07-12/13): live at
https://discord-platform-atlas.pages.dev— first publish viawrangler pages deploy(direct-upload).DEPLOY.mdrunbook,wrangler.jsonc,site/public/_headers,pnpm site:deploy. Connect-to-Git for push-to-deploy is still a one-time dashboard step (seeDEPLOY.md). Canonicalsiteset; updateastro.config.mjsif a custom domain is attached. - 🟡 Custom 404 branding, favicon/logo, social-card image.
- 🟡 Attach a custom domain and lock the production
siteURL. - ⚪ Versioned docs if/when Discord ships an API v11.
Open questions (honestly unresolved)
Section titled “Open questions (honestly unresolved)”- Exact, current numeric rate limits per webhook/route — documented as “don’t hard-code,” but we should record observed values with dates.
- Precise unique-user counting for the 2026 privileged-intent threshold (how Discord computes “users who can see your app”).
- Components V2 feature completeness vs the classic set — which patterns still require classic components.
- Whether any atlas topic depends on Limited/allowlisted access we can’t verify first-hand.