ROADMAP

What we are building, what is committed for this quarter, and what we are exploring.

For agency directors and event teams both. No "coming soon." Three honest buckets — in flight, this quarter, exploring. If a commitment isn't backed by a published spec or a continuation-plan line, it sits in "exploring" with no promise. We will move things up as they ship. Agency-relevant work is in flight now: Stripe checkout for the Activation tier, the public API portal, and the image CDN behind festival-scale walls.

NOW · IN FLIGHT

What is actively being built right now.

These four items are in active development this week. Each has a published spec or a tracked continuation-plan line. Expect movement on /changelog within the next month.

  1. Stripe self-serve checkout

    All paid plans

    Accepting payments for per-event purchases (Essential, Signature, Premier) and the Activation tier as a one-time payment. Webhook-driven subscription lifecycle, Customer Portal for self-serve plan changes. Phased rollout per the integration plan; Enterprise stays manual-quoted.

    Source: STRIPE_INTEGRATION_PLAN.md

  2. Public API endpoints portal

    All plans (read access); writes require an API key

    Developer-facing documentation portal for the existing Cloud Function callables plus the public webhook system that already ships. First pass covers events, photos, guests, webhooks, and admin endpoints — same content the embed and integration partners use today, just discoverable in one place.

    Source: /api-docs (parallel)

  3. Accessibility audit + WCAG 2.1 AA tightening

    Whole platform

    Targeted fixes from a fresh Lighthouse + axe-core pass across the five most-indexed marketing pages plus the admin dashboard. Lifts the CI assertion on the accessibility score from warn to error and adds the kickoff of an independent third-party audit to the trust center.

    Source: CONTINUATION_PLAN.md §T0.4

  4. External HTTP probes on status.fotowall.io

    Public

    Wire UptimeRobot or Better Uptime (free tier) probes against app.fotowall.io, fotowall.io, and /r.html (5-min HTTP 200), plus runHealthCheck (15-min). Replaces the inferred-status components removed in PR #69 with an externally verified signal.

    Source: CONTINUATION_PLAN.md §T1.5

NEXT · THIS QUARTER

Committed for the next 90 days.

Tier label tells you the plan you need to be on. Some items are platform-wide (App Check, image CDN); others are tier-gated (custom apex domain, custom sending email). All are scoped against a spec — no aspirational pitches here.

  1. Custom apex domain — Enterprise (Phase 2 subdomain)

    Enterprise — available on request

    photos.your-company.com points at your Fotowall events instead of the wildcard subdomain. Per-tenant CNAME + cert provisioning. Enterprise-only — the $25K floor justifies the per-tenant provisioning + cert renewal ops.

    Source: SUBDOMAIN_BUILD_SPEC.md §1

  2. Custom sending email domain — Enterprise (Phase 3 subdomain)

    Enterprise — available on request

    Lifecycle emails (welcome, first-event, pre-event, post-event, photo-approved) send from [email protected] instead of from the Fotowall domain. SPF/DKIM/DMARC handoff documented. Enterprise-only.

    Source: SUBDOMAIN_BUILD_SPEC.md §1

  3. App Check on every callable

    Whole platform — security improvement, no user-facing change

    Currently, every Cloud Function callable has App Check set to non-enforcing, so any actor with a valid Firebase ID token can call any callable. App Check binds clients to known origins. The rollout is phased per callable behind a feature flag, with 7 days of telemetry per surface before enforcement is made required.

    Source: CONTINUATION_PLAN.md §T1.2

  4. Image transforms + CDN in front of photo bucket

    Whole platform — performance + cost work

    Cloud Function trigger on photo approval generates 3 sizes (480 thumb / 1080 wall / 1920 fullscreen) into the photo bucket. Signed Cloud CDN in front of the public bucket; admin / wall / gallery surfaces request the right size for their viewport. Cuts storage egress + cold-load latency for photo-wall TVs.

    Source: CONTINUATION_PLAN.md §T2.5

  5. Denormalized event counters + admin list virtualization

    Whole platform — performance + cost work

    onPhotoWrite trigger maintains events/{id}.counts.{photos, approved, pending, guests} as a denormalized aggregate. Admin event-list switches to read the event doc only (vs N events × P photos per visit today). Pairs with .limit(50) + IntersectionObserver pagination on the event-list and tenants-list.

    Source: CONTINUATION_PLAN.md §T2.1

  6. Playwright e2e expansion (4 critical flows)

    Whole platform — testing depth

    Today there is only 1 Playwright smoke test. Unskip the happy-path spec, then add: superadmin tenant impersonation, gallery-password gate, guest delete via DSAR, bulk photo moderation. Today's 28-PR refactor + Phase 8 platform consolidation added enormous surface area with no e2e coverage.

    Source: CONTINUATION_PLAN.md §T0.3

LATER · EXPLORING

Things we have thought about. No commitment.

These get built when a customer (or a fundraising conversation) makes them worth the engineering. Phrasing is intentionally vague — we will not promise a quarter we cannot back. If one of these is critical for you, tell us — that is the trigger.

  1. Native iOS + Android apps

    No commitment

    A Capacitor 6 scaffold exists in mobile/, but the deeper question — whether a guest needs a native app to upload a photo when the QR-flow already works without one — is unresolved. Exploring. Trigger: enough Enterprise customers asking that the App Store presence matters more than the in-browser UX.

  2. EU region (eur3) deployment for data residency

    Enterprise — when an EU customer asks

    Separate Firebase project at eur3 multi-region. Tenant-region selector at signup. Cloud Functions become region-aware via a thin router. Data never crosses regions for EU-flagged tenants. Triggered by the first serious EU customer in pipeline — not pre-built. We have a written plan that sales can use as the answer today.

  3. SOC 2 Type I observation period kickoff

    When fundraising calendar demands it

    Auditor selection (Vanta / Drata / Secureframe are the usual three), 3-month observation period, then attestation. Calendar-bound, not engineering-bound. Target window: aligned with fundraising calendar so the Type I report is in hand for a Series B conversation.

  4. Customer-managed encryption keys (CMEK)

    Enterprise — when a contract requires it

    Enterprise customers bring their own KMS key. Firestore + Storage + secrets encrypted with the customer key. Revocation = customer self-service offboarding. ~2 weeks of work; trigger is an Enterprise contract that explicitly requires it.

  5. Native integrations (HubSpot, Salesforce, Mailchimp, Klaviyo)

    When a customer asks

    Every "coming-soon" badge on integration pages was removed in PR #79; HubSpot would land first (largest TAM intersection), then Salesforce, then Mailchimp + Klaviyo. Each is 1-2 weeks of engineering. Built when a customer asks during contract negotiation, not speculatively.

  6. WordPress.org plugin submission

    Distribution — when demand justifies

    Plugin exists at wordpress-plugin/ and works (private beta — referenced from /integrations/wordpress). Submission to wordpress.org is a 2-8 week review window plus PNG screenshots + banner from the existing SVG sources. We will submit once we have a customer asking specifically for the wordpress.org listing.

  7. Multi-region active-active photo bucket

    Series B+ scale

    US + EU + APAC public buckets, GeoDNS routing, replication-lag tolerance baked into the SLO. Series B+ scale. Today's single-region GCS handles the load fine.

NEED ONE OF THESE FOR A CONTRACT?

Tell us what is blocking you and we will tell you what we can commit to in writing.

We move items out of "exploring" when a paying customer makes the case. Especially on Enterprise — the $25K floor exists to fund per-tenant engineering work like custom domains, CMEK, EU residency. Talk to us.