# Pounce - Active Context

## Current Status

Pounce Terminal fully functional with complete monitoring & notification system.

## Completed

- [x] Backend structure with FastAPI
- [x] Database models (User, Domain, DomainCheck, Subscription, TLDPrice, DomainHealthCache)
- [x] Domain checker service (WHOIS + RDAP + DNS)
- [x] Domain health checker (DNS, HTTP, SSL layers)
- [x] Authentication system (HttpOnly cookies + OAuth)
- [x] API endpoints for domain management
- [x] Tiered scheduler for domain checks (Scout=daily, Trader=hourly, Tycoon=10min)
- [x] Next.js frontend with dark terminal theme
- [x] Pounce Terminal with all modules (Radar, Market, Intel, Watchlist, Listing)
- [x] Intel page with tier-gated features
- [x] TLD price scraping from 5 registrars (Porkbun, Namecheap, Cloudflare, GoDaddy, Dynadot)
- [x] **Watchlist with automatic monitoring & alerts**
- [x] **Health check overlays with complete DNS/HTTP/SSL details**
- [x] **Instant alert toggle (no refresh needed)**
- [x] **Performance Phase 0–2 applied (scheduler split, DB/index fixes, cached health, dashboard summary, metrics, job queue scaffolding)**

## Recent Changes (Dec 2025)

### Security hardening

- **HttpOnly cookie auth** (no JWT in URLs / no token in `localStorage`)
- **OAuth redirect hardening** (state + redirect validation)
- **Blog HTML sanitization** on backend
- **Secrets removed from repo history** + `.gitignore` hardened

### Performance & architecture phases (0 → 2)

- **Scheduler split**: API runs with `ENABLE_SCHEDULER=false`, scheduler runs as separate process/container
- **Market feed**: bounded DB queries + pagination (no full table loads)
- **Health**: bulk cached endpoint (`/domains/health-cache`) + cache-first per-domain health
- **Radar**: single-call dashboard payload (`/dashboard/summary`) → fewer frontend round-trips
- **DB migrations**: idempotent indexes + optional columns for existing DBs
- **Auction scoring**: persisted `pounce_score` populated by scraper
- **Admin**: removed N+1 patterns in user listing/export
- **Observability**: Prometheus metrics (`/metrics`) + optional DB query timing
- **Job queue**: Redis + ARQ worker scaffolding + admin scraping enqueue

### Ops & Deliverability (4B)

- **DB backups**: server-side backups (SQLite copy + integrity_check / Postgres pg_dump + pg_restore --list) + Admin UI trigger
- **Ops alerting without Docker**: hourly scheduler job checks backup freshness + 24h funnel signals and emails ops alerts (with cooldown)
- **Business KPIs in /metrics**: cached gauges derived from `telemetry_events` (1d + Nd windows)
- **Newsletter deliverability**: List-Unsubscribe (one-click) + one-click unsubscribe endpoint

### Watchlist & Monitoring

1. **Automatic domain checks**: Runs based on subscription tier
2. **Email alerts when domain becomes available**: Sends immediately
3. **Expiry warnings**: Weekly check for domains expiring in <30 days
4. **Health status monitoring**: Daily health checks with caching
5. **Weekly digest emails**: Summary every Sunday

### Email Notifications Implemented

| Alert Type | Trigger |
|------------|---------|
| Domain Available | Domain becomes free |
| Expiry Warning | <30 days until expiry |
| Health Critical | Domain goes offline |
| Price Change | TLD price changes >5% |
| Sniper Match | Auction matches criteria |
| Weekly Digest | Every Sunday |

### UI Improvements

1. **Instant alert toggle**: Uses Zustand store for optimistic updates
2. **Less prominent check frequency**: Subtle footer instead of prominent banner
3. **Health modals**: Show complete DNS, HTTP, SSL details
4. **"Not public" for private registries**: .ch/.de show lock icon with tooltip

## Next Steps

1. **Enable email verification in production**: set `REQUIRE_EMAIL_VERIFICATION=true` (forces verify before login)
2. **Enable ops alerts**: set `OPS_ALERTS_ENABLED=true` + `OPS_ALERT_RECIPIENTS=...` (and keep SMTP configured)
3. **Continue Unicorn focus**: 3A Programmatic SEO (indexation + template pages + sitemap) + 3C Viral Loop (invite codes + attribution + powered-by surfaces + referral KPIs + referral rewards/badges)
4. **Run load test** (`loadtest/k6/api-smoke.js`) after each deployment

## Server Deployment Checklist

- [ ] Set `SMTP_*` environment variables (see `env.example`)
- [ ] Set `STRIPE_*` for payments
- [ ] Set `GOOGLE_*` and `GITHUB_*` for OAuth
- [ ] Set `REQUIRE_EMAIL_VERIFICATION=true`
- [ ] (optional) Set `OPS_ALERTS_ENABLED=true` + `OPS_ALERT_RECIPIENTS=ops@...`
- [ ] Run `python scripts/init_db.py`
- [ ] Run `python scripts/seed_tld_prices.py`
- [ ] Start with PM2: `pm2 start "uvicorn app.main:app --host 0.0.0.0 --port 8000"`

## Design Decisions

- **Dark terminal theme** with emerald accent (#10b981)
- **Tier-gated features**: Scout (free), Trader ($9), Tycoon ($29)
- **Real data priority**: Always prefer DB data over simulations
- **Multiple registrar sources**: For accurate price comparison
- **Optimistic UI updates**: Instant feedback without API round-trip

## Known Considerations

- Email alerts require SMTP configuration
- Ops alert cooldown is in-memory (resets on process restart); consider persisting if needed
- Some TLDs (.ch, .de) don't publish expiration dates publicly
- SSL checks may fail on local dev (certificate chain issues)
- Scheduler should not run in the API process in production (avoid duplicate jobs with multiple API workers)
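
A preflight check for the Server Deployment Checklist and the scheduler note above, as an added example that is not part of the Pounce code base. It assumes flags are the literal strings `true`/`false`, checks the `SMTP_*`, `STRIPE_*`, `GOOGLE_*` and `GITHUB_*` groups only by prefix because the individual names in `env.example` are not shown here, and uses a hypothetical `role` argument to name the process being started.

```python
"""Deployment preflight for the checklist above (added example, not project code)."""
import os
import sys

# Prefix groups named in the checklist. The exact variable names live in
# env.example, which this page does not show, so only "at least one
# non-empty variable with this prefix" is checked.
REQUIRED_PREFIXES = ("SMTP_", "STRIPE_", "GOOGLE_", "GITHUB_")


def _is_true(env, name):
    # Assumption: the application treats the literal string "true" as enabled.
    return env.get(name, "").strip().lower() == "true"


def _has_prefix(env, prefix):
    return any(k.startswith(prefix) and v.strip() for k, v in env.items())


def preflight(env, role="api"):
    """Return a list of findings; an empty list means every check passed.

    `role` is a hypothetical label ("api" or "scheduler") for the process.
    """
    findings = []
    for prefix in REQUIRED_PREFIXES:
        if not _has_prefix(env, prefix):
            findings.append(f"no {prefix}* variables set")
    if not _is_true(env, "REQUIRE_EMAIL_VERIFICATION"):
        findings.append("REQUIRE_EMAIL_VERIFICATION is not true")
    if _is_true(env, "OPS_ALERTS_ENABLED"):
        if not env.get("OPS_ALERT_RECIPIENTS", "").strip():
            findings.append("OPS_ALERTS_ENABLED without OPS_ALERT_RECIPIENTS")
    # The API process must not run the scheduler (duplicate jobs with several
    # workers). An unset value is flagged too, since the default is not stated.
    if role == "api" and env.get("ENABLE_SCHEDULER", "").strip().lower() != "false":
        findings.append("ENABLE_SCHEDULER must be false in the API process")
    return findings


if __name__ == "__main__":
    role = sys.argv[1] if len(sys.argv) > 1 else "api"
    problems = preflight(dict(os.environ), role=role)
    for p in problems:
        print(f"FAIL: {p}")
    sys.exit(1 if problems else 0)
```

Run it with the same environment the process will receive, before the `pm2 start` step; a non-zero exit status means at least one checklist item is unmet.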