pounce/memory-bank/activeContext.md
Yves Gugger bb7ce97330
Deploy: referral rewards antifraud + legal contact updates
2025-12-15 13:56:43 +01:00

# Pounce - Active Context
## Current Status
Pounce Terminal is fully functional, with the complete monitoring & notification system in place.
## Completed
- [x] Backend structure with FastAPI
- [x] Database models (User, Domain, DomainCheck, Subscription, TLDPrice, DomainHealthCache)
- [x] Domain checker service (WHOIS + RDAP + DNS)
- [x] Domain health checker (DNS, HTTP, SSL layers)
- [x] Authentication system (HttpOnly cookies + OAuth)
- [x] API endpoints for domain management
- [x] Tiered scheduler for domain checks (Scout=daily, Trader=hourly, Tycoon=10min)
- [x] Next.js frontend with dark terminal theme
- [x] Pounce Terminal with all modules (Radar, Market, Intel, Watchlist, Listing)
- [x] Intel page with tier-gated features
- [x] TLD price scraping from 5 registrars (Porkbun, Namecheap, Cloudflare, GoDaddy, Dynadot)
- [x] **Watchlist with automatic monitoring & alerts**
- [x] **Health check overlays with complete DNS/HTTP/SSL details**
- [x] **Instant alert toggle (no refresh needed)**
- [x] **Performance Phase 02 applied (scheduler split, DB/index fixes, cached health, dashboard summary, metrics, job queue scaffolding)**
## Recent Changes (Dec 2025)
### Security hardening
- **HttpOnly cookie auth** (no JWT in URLs / no token in `localStorage`)
- **OAuth redirect hardening** (state + redirect validation)
- **Blog HTML sanitization** on backend
- **Secrets removed from repo history** + `.gitignore` hardened
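The two callback-side checks behind "OAuth redirect hardening (state + redirect validation)" are the ones most often got wrong: comparing `state` with `==` on a possibly missing value, and accepting a `next` URL that is only superficially relative. The following is an added example written for this page, not Pounce's own code; the cookie-stored `state`, the `ALLOWED_HOSTS` set, the `/terminal` default and the `next` parameter name are assumptions.

```python
"""OAuth `state` and post-login redirect checks (added example, not Pounce's code).

Assumptions not taken from the page: the login route stores a random `state`
in a short-lived HttpOnly cookie and the callback compares it with the query
parameter; a `next` parameter is validated against the app's own origin
before the final redirect.
"""
from __future__ import annotations

import hmac
import secrets
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"pounce.example"}  # assumption: the app's own public host(s)
DEFAULT_NEXT = "/terminal"          # assumption: safe landing page after login


def new_state() -> str:
    """Unguessable token that binds the OAuth callback to this browser session."""
    return secrets.token_urlsafe(32)


def state_matches(cookie_state: str | None, query_state: str | None) -> bool:
    """Constant-time compare; a missing value on either side always fails."""
    if not cookie_state or not query_state:
        return False
    return hmac.compare_digest(cookie_state, query_state)


def safe_redirect(next_url: str | None) -> str:
    """Return a same-origin path for `next_url`, or DEFAULT_NEXT if it is unsafe.

    Rejected: CR/LF and other control characters (header injection),
    scheme-relative URLs (//evil), backslash variants (/\\evil, which browsers
    read as //evil), absolute URLs to other hosts, and non-https schemes.
    The result is always rebuilt from the parsed path and query, so odd
    spellings such as ///evil collapse to a local path instead of leaking.
    """
    if not next_url:
        return DEFAULT_NEXT
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in next_url):
        return DEFAULT_NEXT
    parts = urlsplit(next_url.replace("\\", "/"))  # normalise like browsers do
    if parts.scheme or parts.netloc:
        # Absolute URL: only https to one of our own hosts is accepted,
        # and it is downgraded to a relative path.
        if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
            return DEFAULT_NEXT
        return urlunsplit(("", "", parts.path or "/", parts.query, ""))
    # Relative: must be a single-slash absolute path (////evil parses to //evil).
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return DEFAULT_NEXT
    return urlunsplit(("", "", parts.path, parts.query, ""))
```

The `state` cookie should carry the same `HttpOnly`/`SameSite` flags as the session cookie and be cleared once consumed; `safe_redirect` deliberately returns a path rather than echoing the caller's string, so a URL that passed the check is never forwarded verbatim.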
### Performance & architecture phases (0 → 2)
- **Scheduler split**: API runs with `ENABLE_SCHEDULER=false`, scheduler runs as separate process/container
- **Market feed**: bounded DB queries + pagination (no full table loads)
- **Health**: bulk cached endpoint (`/domains/health-cache`) + cache-first per-domain health
- **Radar**: single-call dashboard payload (`/dashboard/summary`) → fewer frontend round-trips
- **DB migrations**: idempotent indexes + optional columns for existing DBs
- **Auction scoring**: persisted `pounce_score` populated by scraper
- **Admin**: removed N+1 patterns in user listing/export
- **Observability**: Prometheus metrics (`/metrics`) + optional DB query timing
- **Job queue**: Redis + ARQ worker scaffolding + admin scraping enqueue
### Ops & Deliverability (4B)
- **DB backups**: server-side backups (SQLite copy + integrity_check / Postgres pg_dump + pg_restore --list) + Admin UI trigger
- **Ops alerting without Docker**: hourly scheduler job checks backup freshness + 24h funnel signals and emails ops alerts (with cooldown)
- **Business KPIs in /metrics**: cached gauges derived from `telemetry_events` (1d + Nd windows)
- **Newsletter deliverability**: List-Unsubscribe (one-click) + one-click unsubscribe endpoint
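For the SQLite half of the backup job above, the two details worth getting right are using the online backup API (a plain file copy of a database under write can capture torn pages) and refusing to keep a copy that fails `integrity_check`. This is an added example, not Pounce's backup script; the backup directory layout, file naming and the `domains` table are constructed for the demo, and the Postgres `pg_dump`/`pg_restore --list` path is not covered.

```python
"""SQLite backup + verification (added example, not Pounce's own scripts).

Uses the sqlite3 online backup API, so the copy is consistent even if the
API or scheduler is writing, then runs PRAGMA integrity_check on the copy
before it gets its final name. Directory layout and the `domains` table
are constructed for the demo, not taken from the project.
"""
from __future__ import annotations

import os
import sqlite3
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path


def verify_sqlite(path: str) -> bool:
    """Open read-only and run integrity_check; only a lone 'ok' row passes."""
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    try:
        con = sqlite3.connect(uri, uri=True)
        try:
            rows = con.execute("PRAGMA integrity_check").fetchall()
        finally:
            con.close()
    except sqlite3.DatabaseError:
        return False  # unreadable header / malformed image also counts as failed
    return rows == [("ok",)]


def backup_sqlite(src_path: str, dest_dir: str) -> str:
    """Write a verified copy into dest_dir and return its path (raises if corrupt)."""
    os.makedirs(dest_dir, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    final = os.path.join(dest_dir, f"pounce-{stamp}.sqlite")
    tmp = final + ".part"  # never leave an unverified file under the final name
    src = sqlite3.connect(src_path)
    dst = sqlite3.connect(tmp)
    try:
        src.backup(dst)  # page-level online copy, safe against concurrent writers
    finally:
        dst.close()
        src.close()
    if not verify_sqlite(tmp):
        os.remove(tmp)
        raise RuntimeError(f"{tmp} failed integrity_check and was discarded")
    os.replace(tmp, final)
    return final


def newest_backup_age_seconds(dest_dir: str) -> float | None:
    """Age of the newest backup, for the freshness check; None if there is none."""
    mtimes = [p.stat().st_mtime for p in Path(dest_dir).glob("pounce-*.sqlite")]
    return None if not mtimes else time.time() - max(mtimes)


def demo_backup() -> tuple[int, bool, bool]:
    """Constructed run: tiny DB -> backup -> (row count, verified, fresh)."""
    work = tempfile.mkdtemp(prefix="pounce-backup-demo-")
    src = os.path.join(work, "pounce.db")
    con = sqlite3.connect(src)
    con.execute("CREATE TABLE domains (name TEXT PRIMARY KEY)")
    con.executemany("INSERT INTO domains VALUES (?)", [("example.com",), ("example.ch",)])
    con.commit()
    con.close()
    dest = os.path.join(work, "backups")
    out = backup_sqlite(src, dest)
    chk = sqlite3.connect(out)
    try:
        (rows,) = chk.execute("SELECT COUNT(*) FROM domains").fetchone()
    finally:
        chk.close()
    age = newest_backup_age_seconds(dest)
    return rows, verify_sqlite(out), age is not None and age < 3600


def demo_corruption_detected() -> bool:
    """Constructed run: damage a backup's first page and confirm verify_sqlite rejects it."""
    work = tempfile.mkdtemp(prefix="pounce-backup-corrupt-")
    path = os.path.join(work, "pounce-corrupt.sqlite")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE t (x INTEGER)")
    con.execute("INSERT INTO t VALUES (1)")
    con.commit()
    con.close()
    with open(path, "r+b") as fh:
        fh.seek(100)           # just past the 100-byte file header
        fh.write(b"\0" * 100)  # zero the page-1 b-tree header
    return not verify_sqlite(path)
```

`newest_backup_age_seconds` is the input the hourly "backup freshness" check needs; because only verified files ever receive the `pounce-*.sqlite` name, a stale newest file means the job has been failing, not merely that a copy exists.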
### Watchlist & Monitoring
1. **Automatic domain checks**: Runs based on subscription tier
2. **Email alerts when domain becomes available**: Sends immediately
3. **Expiry warnings**: Weekly check for domains expiring in <30 days
4. **Health status monitoring**: Daily health checks with caching
5. **Weekly digest emails**: Summary every Sunday
### Email Notifications Implemented
| Alert Type | Trigger |
|------------|---------|
| Domain Available | Domain becomes free |
| Expiry Warning | <30 days until expiry |
| Health Critical | Domain goes offline |
| Price Change | TLD price changes >5% |
| Sniper Match | Auction matches criteria |
| Weekly Digest | Every Sunday |
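The one-click unsubscribe endpoint listed under Ops & Deliverability is a public, unauthenticated route, so the `List-Unsubscribe` link must carry a signed token rather than a bare user id, and the handler must only act on the exact RFC 8058 POST body. The following is an added example, not Pounce's endpoint: the host, path, signing key (loaded from the environment in practice) and the decision to apply it to the weekly digest as well as the newsletter are assumptions.

```python
"""Signed one-click unsubscribe (RFC 8058) for Pounce mail (added example, not project code).

The token ties user id + list + expiry to an HMAC so the public endpoint cannot
be used to unsubscribe arbitrary users, and the POST body mailbox providers
send is checked before anything changes. Host, path and key are assumptions.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

SECRET = b"constructed-demo-key-load-from-env-in-practice"  # assumption
BASE_URL = "https://pounce.example"                         # assumption


def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsubscribe_token(user_id: int, list_name: str, ttl_s: int,
                           now: float | None = None) -> str:
    """payload.signature, both base64url; payload is canonical JSON with an expiry."""
    issued = int(time.time() if now is None else now)
    claims = {"uid": user_id, "list": list_name, "exp": issued + ttl_s}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{b64u(payload)}.{b64u(sig)}"


def parse_unsubscribe_token(token: str, now: float | None = None) -> dict | None:
    """Return the claims if the signature and expiry check out, else None."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = unb64u(payload_b64), unb64u(sig_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    current = int(time.time() if now is None else now)
    if claims.get("exp", 0) < current:
        return None
    return claims


def unsubscribe_headers(user_id: int, list_name: str,
                        now: float | None = None) -> dict[str, str]:
    """Headers for every newsletter/digest message (token valid 30 days)."""
    token = make_unsubscribe_token(user_id, list_name, 30 * 86400, now)
    url = f"{BASE_URL}/newsletter/unsubscribe?{urlencode({'token': token})}"
    return {
        "List-Unsubscribe": f"<{url}>",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }


def handle_one_click(method: str, body: str, token: str,
                     now: float | None = None) -> int:
    """HTTP status for the endpoint: 200 only for a valid RFC 8058 POST, no extra confirmation."""
    if method != "POST":
        return 405  # the human-clickable GET link is served by a separate page
    if body != "List-Unsubscribe=One-Click":
        return 400
    claims = parse_unsubscribe_token(token, now)
    if claims is None:
        return 403
    # A real handler would now mark claims["uid"] unsubscribed from claims["list"].
    return 200
```

Keep the token per user and per list so a leaked digest link cannot silence alert mail, and let the POST handler succeed even for an already-unsubscribed user: providers retry on errors, and a 4xx here is read as a broken unsubscribe, which hurts deliverability.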
### UI Improvements
1. **Instant alert toggle**: Uses Zustand store for optimistic updates
2. **Less prominent check frequency**: Subtle footer instead of prominent banner
3. **Health modals**: Show complete DNS, HTTP, SSL details
4. **"Not public" for private registries**: .ch/.de show lock icon with tooltip
## Next Steps
1. **Enable email verification in production**: set `REQUIRE_EMAIL_VERIFICATION=true` (forces email verification before login)
2. **Enable ops alerts**: set `OPS_ALERTS_ENABLED=true` + `OPS_ALERT_RECIPIENTS=...` (and keep SMTP configured)
3. **Continue Unicorn focus**: 3A Programmatic SEO (indexation + template pages + sitemap) + 3C Viral Loop (invite codes + attribution + powered-by surfaces + referral KPIs + referral rewards/badges)
4. **Run load test** (`loadtest/k6/api-smoke.js`) after each deployment
## Server Deployment Checklist
- [ ] Set `SMTP_*` environment variables (see `env.example`)
- [ ] Set `STRIPE_*` for payments
- [ ] Set `GOOGLE_*` and `GITHUB_*` for OAuth
- [ ] Set `REQUIRE_EMAIL_VERIFICATION=true`
- [ ] (optional) Set `OPS_ALERTS_ENABLED=true` + `OPS_ALERT_RECIPIENTS=ops@...`
- [ ] Run `python scripts/init_db.py`
- [ ] Run `python scripts/seed_tld_prices.py`
- [ ] Set `ENABLE_SCHEDULER=false` for the API process and run the scheduler as its own process/container (see Performance & architecture phases)
- [ ] Start with PM2: `pm2 start "uvicorn app.main:app --host 0.0.0.0 --port 8000"`
## Design Decisions
- **Dark terminal theme** with emerald accent (#10b981)
- **Tier-gated features**: Scout (free), Trader ($9), Tycoon ($29)
- **Real data priority**: Always prefer DB data over simulations
- **Multiple registrar sources**: For accurate price comparison
- **Optimistic UI updates**: Instant feedback without API round-trip
## Known Considerations
- Email alerts require SMTP configuration
- Ops alert cooldown is in-memory (resets on process restart); consider persisting if needed
- Some TLDs (.ch, .de) don't publish expiration dates publicly
- SSL checks may fail on local dev (certificate chain issues)
- Scheduler should not run in the API process in production (avoid duplicate jobs with multiple API workers)
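The in-memory cooldown noted above means every scheduler restart can re-send the same ops alert, and a deploy that restarts the process hourly would defeat the cooldown entirely. As an added example (not Pounce's own code) of the "consider persisting" option, this keeps the cooldown in a small SQLite table and claims the window with a single upsert, so it survives restarts; the table name, file path and alert keys are assumptions.

```python
"""Persisted ops-alert cooldown (added example, not Pounce's own code).

The page notes the cooldown is in-memory and resets on restart; this keeps it in
a small SQLite table instead. Table and file names are assumptions for the demo.
"""
from __future__ import annotations

import os
import sqlite3
import tempfile
import time


class AlertCooldown:
    """One row per alert key; `should_send` claims the window atomically."""

    def __init__(self, path: str, cooldown_s: int) -> None:
        self.cooldown_s = cooldown_s
        self.con = sqlite3.connect(path, isolation_level=None)  # autocommit
        self.con.execute(
            "CREATE TABLE IF NOT EXISTS ops_alert_cooldown ("
            "  key TEXT PRIMARY KEY, last_sent REAL NOT NULL)"
        )

    def should_send(self, key: str, now: float | None = None) -> bool:
        """True exactly once per cooldown window for `key`, even across restarts.

        Single upsert: insert if unseen, otherwise update only when the last
        send is at least `cooldown_s` old; rowcount reports whether a row changed.
        """
        ts = time.time() if now is None else now
        cur = self.con.execute(
            "INSERT INTO ops_alert_cooldown (key, last_sent) VALUES (?, ?) "
            "ON CONFLICT(key) DO UPDATE SET last_sent = excluded.last_sent "
            "WHERE ops_alert_cooldown.last_sent <= excluded.last_sent - ?",
            (key, ts, self.cooldown_s),
        )
        return cur.rowcount == 1

    def close(self) -> None:
        self.con.close()


def demo_cooldown() -> list[bool]:
    """Constructed run: 1h cooldown, five checks, with a process 'restart' in between."""
    path = os.path.join(tempfile.mkdtemp(prefix="pounce-cooldown-"), "ops.sqlite")
    first = AlertCooldown(path, cooldown_s=3600)
    results = [
        first.should_send("backup_stale", now=1_000),  # never sent: send
        first.should_send("backup_stale", now=1_010),  # 10s later: suppressed
        first.should_send("backup_stale", now=4_600),  # window elapsed: send
    ]
    first.close()
    second = AlertCooldown(path, cooldown_s=3600)  # simulated restart
    results.append(second.should_send("backup_stale", now=4_700))  # still suppressed
    results.append(second.should_send("funnel_drop", now=4_700))   # different key: send
    second.close()
    return results
```

The upsert form needs SQLite 3.24 or newer. Because the scheduler is the only sender, SQLite's file lock is enough; if alerts were ever sent from several processes, the same statement runs unchanged on Postgres, where the row lock gives the same once-per-window guarantee.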