v1.9 Product Roadmap (10x CTO)
Technical and product priorities for v1.9 and beyond. Order: reliability and observability first, then security and clarity, then product features that compound.
Priorities
| Area | Priority | Key actions |
|---|---|---|
| Reliability | P0 | URL validation on analyze route; clear stream error/timeout handling; document timeouts |
| Observability | P0 | Primary metric (conversion/analyses per visitor); stage timings in logs |
| Security | P1 | validateUrl everywhere; doc rate limit and env |
| Performance | P1 | Document targets; optional parallel component analyzers; defer caching |
| Product | P2 | First-run without sign-up; evidence snippets; shareable link; public API later |
| Quality | P1 | Test validateUrl and analyze endpoint; doc ops/tech |
Implemented (v1.9)
- URL guard: `validateUrl` on main analyze route and analyze-cdo; roles/crawl, roles/cmo, roles/cdo, crawl/status, api/v1/crawl already used it.
- Stream and timeout UX: Stream always sends final error or complete; timeout-like errors show "Analysis took too long. Please try again."; client shows "Connection lost" or "Connection lost or request cancelled" when stream ends without result.
- Primary metric events: `analysis_started` and `crawl_started`; documented in distribution-plan.md. `report_completed` unchanged.
- Stage timing: Pipeline logs each stage with duration in executionLog; final "Analysis complete" log includes stageTiming.
- Operations doc: operations.md — timeouts, env matrix, where to look when a run fails, rate limiting.
- Tests: Unit test for `validateUrl` (core/security/url-guard.test.ts); integration tests for POST /api/analyze (400 for missing/invalid URL, 401 when no auth).
- Evidence snippets in UI: Short evidence snippets next to key claims in CMO first report (claim support in `app/components/roles/CmoFirstReportView.tsx`).
Implemented (v1.9, continued)
- First-run without sign-up (Option A): One analysis without account; cookie cap (`pmf_guest_ran`); CTA after first report. See decisions.md.
- Shareable report link: Read-only link `/report/readonly/[runId]?token=...`; `analysis_runs.share_token`; POST `/api/report/share` to create link; Share button on result page.
- Public API: POST `/api/v1/analyze` with API key (Bearer or X-Api-Key); POST `/api/api-keys` to create key; rate limit 10/min per user; see public-api.md.
Next (when ready)
- Dashboard UI for API keys (list, revoke).
- Optional: first crawl without sign-up (same cookie cap as analyze).
Reference
Full 10x CTO plan (phases, options, out of scope): see the plan file in .cursor/plans/ or the copy used to implement this. operations.md is the ops runbook.