# ROADMAP — AuthLimbo Tracked work items for the plugin. Format: priority, ID, title, status, acceptance criteria. Source-of-truth for what needs to ship next. Status legend: - `OPEN` — not started - `WIP` — in progress on a branch - `BLOCKED` — waiting on upstream / external - `DONE` — landed on `main`, in a tagged release --- ## P0 — must-fix (data-loss bugs) ### F1 · OPEN · Void-damage guard during post-login restore Source: [AUDIT-2026-05-07.md](AUDIT-2026-05-07.md) §4 F1. Triggered by YOU500 incident on 2026-05-07 — full inventory loss to void on login. Acceptance: - New `Set pendingTransit` in `LoginListener`. - UUID added on `LoginEvent`, removed on TP success or final retry give-up. - `EntityDamageEvent` listener at `EventPriority.HIGHEST`: if `entity instanceof Player`, UUID in `pendingTransit`, cause is `VOID` → `setCancelled(true)` and `player.teleport(limboManager.spawn())` *synchronously* (we need to land before the next tick voids them again). - Covered by test plan §5.1 and §5.4 in AUDIT-2026-05-07.md. ### F2 · OPEN · Recovery when teleportAsync returns false Source: [AUDIT-2026-05-07.md](AUDIT-2026-05-07.md) §4 F2. Today: `LoginListener.java:172–175` only logs. After fix: - On `success == false`: synchronously TP to limbo spawn, schedule one retry of `doTeleport` after 20 ticks. - Track retry count per UUID (max 3). After 3 failures: drop into F6 path. - Also wire the `exceptionally` branches (lines 180–185, 186–191) into the same recovery. Acceptance: test plan §5.2 passes — invalid coords trigger recovery, no void death, admin sees logged retries. ### F4 · OPEN · Pre-empt AuthMe's own broken teleport Source: [AUDIT-2026-05-07.md](AUDIT-2026-05-07.md) §4 F4. Implements option (a): add a second `LoginEvent` handler at `EventPriority.LOWEST` that immediately teleports the player back to limbo spawn. AuthMe's internal teleport then runs against an irrelevant location, our MONITOR handler wins last. Depends on: F1 (so void damage during the LOWEST→MONITOR window is guarded). Acceptance: in test plan §5.6, log shows AuthMe's TP line followed by no `left the confines` event before our authoritative TP fires. --- ## P1 — defensive (failure modes we know about) ### F3 · OPEN · Pre-flight 3x3 chunk preload before teleportAsync Source: [AUDIT-2026-05-07.md](AUDIT-2026-05-07.md) §4 F3. In `doTeleport` (LoginListener.java:133), before calling `getChunkAtAsyncUrgently` on the centre chunk, also `addPluginChunkTicket` on the eight neighbours. Release all nine tickets via the existing `scheduleTicketRelease` path (extend it to take a list). Acceptance: test plan §5.1 passes even when the centre chunk is on a section boundary that previously triggered "loaded but not ready". ### F5 · OPEN · Inventory snapshot + auto-restore on transit death Source: [AUDIT-2026-05-07.md](AUDIT-2026-05-07.md) §4 F5. Defence in depth — even if F1–F4 all fail, no inventory is lost. - On `AuthMeAsyncPreLoginEvent` (in addition to chunk pin), snapshot player inventory + xp + location into `Map`. - Optionally persist to `plugins/AuthLimbo/snapshots/.nbt` for crash-survivability. - On `PlayerDeathEvent` while UUID in `pendingTransit`: `event.getDrops().clear()`, `event.setKeepInventory(true)`, `event.setKeepLevel(true)`. On `PlayerRespawnEvent`, restore from snapshot if needed and TP to limbo spawn for re-restore. - Snapshot discarded 30 s after successful TP. Acceptance: test plan §5.5 — induced death during transit yields full inventory on respawn. --- ## P2 — nice-to-have ### F6 · OPEN · Spectator-mode admin-alert fallback Source: [AUDIT-2026-05-07.md](AUDIT-2026-05-07.md) §4 F6. After 3 failed retries (F2): set spectator, TP to overworld default spawn, console log + optional Discord webhook config key. Player gets a message to ping staff for manual `/authlimbo tp`. ### F7 · OPEN · Telemetry counters + `/authlimbo stats` Source: [AUDIT-2026-05-07.md](AUDIT-2026-05-07.md) §4 F7. Track per-session counters: restore_success, restore_retry, restore_fail, void_damage_blocked, snapshot_restored. Expose via a new `/authlimbo stats` subcommand. Reset on plugin reload. --- ## Done (Nothing landed since v1.0.0 release on 2026-04-30. First post-1.0 release will be triggered by F1+F2+F4 landing as v1.1.0.) --- ## Release plan - **v1.1.0** — F1, F2, F4 (data-loss fix). Target: ASAP. - **v1.2.0** — F3, F5 (defence in depth). Target: within 2 weeks. - **v1.3.0** — F6, F7 (ops UX). Target: opportunistic. Privacy invariant (limbo-on-join, no overworld exposure pre-auth) must hold across every release. See `AUDIT-2026-05-07.md` §6.