# Pounce - Active Context

## Current Status

Pounce Terminal fully functional with complete monitoring & notification system.

## Completed

- [x] Backend structure with FastAPI
- [x] Database models (User, Domain, DomainCheck, Subscription, TLDPrice, DomainHealthCache)
- [x] Domain checker service (WHOIS + RDAP + DNS)
- [x] Domain health checker (DNS, HTTP, SSL layers)
- [x] Authentication system (HttpOnly cookies + OAuth)
- [x] API endpoints for domain management
- [x] Tiered scheduler for domain checks (Scout=daily, Trader=hourly, Tycoon=10min)
- [x] Next.js frontend with dark terminal theme
- [x] Pounce Terminal with all modules (Radar, Market, Intel, Watchlist, Listing)
- [x] Intel page with tier-gated features
- [x] TLD price scraping from 5 registrars (Porkbun, Namecheap, Cloudflare, GoDaddy, Dynadot)
- [x] **Watchlist with automatic monitoring & alerts**
- [x] **Health check overlays with complete DNS/HTTP/SSL details**
- [x] **Instant alert toggle (no refresh needed)**
- [x] **Performance Phase 0–2 applied (scheduler split, DB/index fixes, cached health, dashboard summary, metrics, job queue scaffolding)**

## Recent Changes (Dec 2025)

### Security hardening

- **HttpOnly cookie auth** (no JWT in URLs / no token in `localStorage`)
- **OAuth redirect hardening** (state + redirect validation)
- **Blog HTML sanitization** on backend
- **Secrets removed from repo history** + `.gitignore` hardened

### Performance & architecture phases (0 → 2)

- **Scheduler split**: API runs with `ENABLE_SCHEDULER=false`, scheduler runs as separate process/container
- **Market feed**: bounded DB queries + pagination (no full table loads)
- **Health**: bulk cached endpoint (`/domains/health-cache`) + cache-first per-domain health
- **Radar**: single-call dashboard payload (`/dashboard/summary`) → fewer frontend round-trips
- **DB migrations**: idempotent indexes + optional columns for existing DBs
- **Auction scoring**: persisted `pounce_score` populated by scraper
- **Admin**: removed N+1 patterns in user listing/export
- **Observability**: Prometheus metrics (`/metrics`) + optional DB query timing
- **Job queue**: Redis + ARQ worker scaffolding + admin scraping enqueue

### Watchlist & Monitoring

1. **Automatic domain checks**: Runs based on subscription tier
2. **Email alerts when domain becomes available**: Sends immediately
3. **Expiry warnings**: Weekly check for domains expiring in <30 days
4. **Health status monitoring**: Daily health checks with caching
5. **Weekly digest emails**: Summary every Sunday

### Email Notifications Implemented

| Alert Type | Trigger |
|------------|---------|
| Domain Available | Domain becomes free |
| Expiry Warning | <30 days until expiry |
| Health Critical | Domain goes offline |
| Price Change | TLD price changes >5% |
| Sniper Match | Auction matches criteria |
| Weekly Digest | Every Sunday |

### UI Improvements

1. **Instant alert toggle**: Uses Zustand store for optimistic updates
2. **Less prominent check frequency**: Subtle footer instead of prominent banner
3. **Health modals**: Show complete DNS, HTTP, SSL details
4. **"Not public" for private registries**: .ch/.de show lock icon with tooltip

## Next Steps

1. **Configure SMTP on server** - Required for email alerts to work
2. **Run production stack with scheduler + worker** (Docker Compose includes `scheduler`, `worker`, `redis`)
3. **Monitor `/metrics`** and set alerts (p95 latency, DB query time, job failures)
4. **Run load test** (`loadtest/k6/api-smoke.js`) after each deployment

## Server Deployment Checklist

- [ ] Set `SMTP_*` environment variables (see `env.example`)
- [ ] Set `STRIPE_*` for payments
- [ ] Set `GOOGLE_*` and `GITHUB_*` for OAuth
- [ ] Run `python scripts/init_db.py`
- [ ] Run `python scripts/seed_tld_prices.py`
- [ ] Start with PM2: `pm2 start "uvicorn app.main:app --host 0.0.0.0 --port 8000"`

## Design Decisions

- **Dark terminal theme** with emerald accent (#10b981)
- **Tier-gated features**: Scout (free), Trader ($9), Tycoon ($29)
- **Real data priority**: Always prefer DB data over simulations
- **Multiple registrar sources**: For accurate price comparison
- **Optimistic UI updates**: Instant feedback without API round-trip

## Known Considerations

- Email alerts require SMTP configuration
- Some TLDs (.ch, .de) don't publish expiration dates publicly
- SSL checks may fail on local dev (certificate chain issues)
- Scheduler should not run in the API process in production (avoid duplicate jobs with multiple API workers)
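
The "OAuth redirect hardening (state + redirect validation)" item under Security hardening names two checks; the sketch below is an added example of both, not code from the Pounce repository. The key handling, TTL, host allow-list, default path and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit

# Assumed values for illustration; not taken from the Pounce code base.
STATE_KEY = secrets.token_bytes(32)            # share via secret config across workers
STATE_TTL = 600                                # seconds a login attempt may take
ALLOWED_REDIRECT_HOSTS = {"app.example.test"}  # constructed host name
DEFAULT_REDIRECT = "/terminal"                 # hypothetical landing path


def _mac(session_id, nonce, ts):
    msg = f"{session_id}|{nonce}|{ts}".encode()
    return hmac.new(STATE_KEY, msg, hashlib.sha256).hexdigest()


def issue_state(session_id, now=None):
    """Create the OAuth `state` value (nonce.timestamp.mac), bound to this session."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_urlsafe(16)
    return f"{nonce}.{ts}.{_mac(session_id, nonce, ts)}"


def verify_state(state, session_id, now=None):
    """Accept the callback only if state is unexpired and was issued to this session."""
    try:
        nonce, ts, mac = state.split(".")
        age = (time.time() if now is None else now) - int(ts)
        ok = hmac.compare_digest(mac.encode(), _mac(session_id, nonce, ts).encode())
    except ValueError:  # wrong shape, non-numeric timestamp, or unencodable text
        return False
    return ok and 0 <= age <= STATE_TTL


def safe_redirect(target):
    """Return target only if it is a local path or https on an allow-listed host."""
    if any(c in target for c in "\\\r\n\t"):
        return DEFAULT_REDIRECT  # browsers treat "\" like "/"; control chars get stripped
    try:
        parts = urlsplit(target)
    except ValueError:
        return DEFAULT_REDIRECT
    if not parts.scheme and not parts.netloc:
        local = target.startswith("/") and not target.startswith("//")
        return target if local else DEFAULT_REDIRECT
    if parts.scheme == "https" and parts.hostname in ALLOWED_REDIRECT_HOSTS:
        return target
    return DEFAULT_REDIRECT
```

Binding the state to the session identifier means a callback replayed into another user's browser fails verification even though the MAC itself is valid.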