Roadmap

• Document what all queue's that can be triggered using payload-hooks
• Change queue triggering logic to payload hooks

• no signup
• no login
• app.dflow.sh, when not logged in redirect to dflow.sh/dashboard (internal login to dflow.sh/sign-in)

If /api/auto-login?token="123456" also, checks if user exists and if dons not exists automatically creates an account for them.

If a project name and service name are not unique, don't throw error and stop the process of creation of project or service, replace the project/service name with a unique name and continue the process.

eg-1: project name => hasura already exists => new project created with hasura => automatically suffix the new project name with hasura-1 eg-2: project name => hasura, and hasura-1 already exists => new project created with hasura or hasura-1 => automatically suffix the new project name with hasura-2

• ensure we opt for DRY
• ensure sendEvent itself does the log

• to ensure compatibility with monorepo setup

• auth groups
• jsx and ts
• if any other

Identify the build errors and try to resolve any warnings or errors and ensure build looks clean.

• chokidar dependencies
• any other
• redis internal connection errors

Ensure even the same on dflow marketing website.

Please add integration of Zero Trust service or similar VPN-like for secure remote access e.g. Pangolin and Octelium have access control and safe remote connections.

https://github.com/fosrl/pangolin

https://github.com/octelium/octelium

others: NetBird, Tailscale.

We need a dedicated place, which is the first layer and in layout to showcase alert banners, notifications, promotions, hot news, etc.

But this banner should not disturb the existing CSS of the application, need to be properly abstracted.

1. If a user enables dFlow integration(by default, it is enabled, i.e., if not removed), and no card attached to it, we show clear banner.
2. If there is no card, and user purchased a server using wallet amount, once again show a banner, but this time users should not be able to close it

Reduce as much as possible

Description

When creating a JSX element with a tag, it is often desired to have the link open in a new tab using the target=_blank; attribute. Using this attribute unaccompanied by rel=noreferrer, however, is a severe security vulnerability.

@pavanbhaskardev, ensure the same to be in dflow marketing website too.

🧠 Purpose

We're at a point where the product has matured enough, and instead of shipping more features right now, we're taking a short pause to:

• Review and clean our entire codebase
• Ensure everyone on the team fully understands all parts of the system
• Standardize structure, naming, and conventions
• Remove tech debt, dead code, and inconsistencies
• Document decisions and logic
• Make the repo ready for scaling, contributors, and onboarding

This is happening live on Teams over one or two sessions.

✅ Core Goals

• Clean, consistent codebase with clear naming and structure
• Shared understanding of code and system design
• All developers can confidently review PRs across the app
• No more "mystery logic" or unused code lurking around
• Code and file layout aligns with features and UI flows
• Dead code, commented code, and legacy patterns removed
• Unused DB fields identified and removed
• UI-to-code walkthroughs for top user flows
• Final shared checklist and internal documentation created

📋 Live Session Agenda

Each dev walks through the parts of the app they wrote or maintained. As we go, we’ll collectively track cleanup items and improvement areas.

Topics to Cover

• 📁 Directory Structure Review & Cleanup
• 🧾 File Naming & Naming Conventions
• 🧠 Function-by-function walkthrough (explain all logic)
• 💥 Remove unused files, folders, and commented code
• 📦 Audit & clean DB schema — remove unused fields
• 🔄 Refactor or rename vague functions/components
• 🔍 Trace 2–3 key UI flows → underlying logic
• 🧪 Edge case testing + known issue validation
• 🧹 TODO / FIXME / LEGACY cleanup
• 🧰 Shared util / component deduplication
• 📚 Dev onboarding doc and naming/style guide
• 📦 Branch cleanup & dead code PRs
• 🔐 Permissions / role logic audit
• 📋 Checklist of agreed-upon standards

📍 Deliverables

• cleanup-2025 branch with applied changes
• Internal doc: docs/codebase-overview.md
• Updated .env.example, README.md, and onboarding steps
• Team can confidently explain all business logic
• Codebase reflects product as it is today — ready for scale

💬 Questions or Suggestions?

Use comments on this issue for suggestions, questions, or to document anything unexpected that came up during the cleanup.

Let’s make this repo clean, teachable, and future-ready 💪

These are the list of initial templates we are planning to release.

• appwrite
• hasura
• strapi
• plausible
• n8n
• calcom
• ghost
• wordpress
• minio
• coder
• discord tickets
• chatwoot
• commento
• draw.io
• penpot
• langflow
• flowise
• supabase
• convex

1. Currently refresh event is not tenant specific
2. Show when there is a refresh event triggered for a tenant action all other tenants will see the refresh event
3. End-goal to make the refresh event tenant specific so events won't overlap

• After successfully creating a Dflow account, the dialog remains open instead of closing automatically, even though the account is added successfully.

• Previously, revalidation paths were defined without tenant context, e.g., revalidatePath('/servers').
• With the introduction of organizations (tenants), revalidation paths must now include the tenant slug, e.g., revalidatePath(/${tenant.slug}/servers).
• Updated all relevant revalidation paths to reflect this change.
• Ensured consistency across the codebase by checking all revalidation usages.

• If a user creates an account with the username "admin", the organization's routing will start with /admin.

• This creates a conflict because /admin is already reserved for the PayloadCMS admin panel.

• Due to Next.js routing, any route starting with /admin/ will be routed to the PayloadCMS admin panel instead of the intended organization route.

• To resolve this issue, we need to:

  • Prevent users from creating an account with the username "admin" and throw an error when attempting to do so.
  • Check for any other potential conflicts with reserved routes or usernames and ensure they are properly handled to avoid similar routing issues.

1. Create a documentation on what all steps involved when deploying a app

• Remove access to admin panel panel for user.
• Username should be admin while creating account

• When a user removes a server that has existing projects, the system performs a soft delete on those projects.
• If the user later reconnects the same server, the system checks whether the previously deleted projects still exist.
• If they do, the system automatically restores the projects along with their associated services.

• Username in signup.
• Tenant collection to store tenants.
• Integrate multi-tenant-plugin.
• Create new tenant when user signup
• set organisation slug in cookies
• proper access controls.

1. Add template deployment option
2. Deploy the services in deployment order with proper services linking

Add a section in documentation which specifies the complete security measures user need to take in order to protect your data. Do not expose the following:

• Payload secret.

• #142
• #131
• Skeleton while template is fetching in edit template.
• #132
• #133
• #143
• #122
• #123

Add skeleton loaders using React Suspense, Promise.all, and React.use() to the entire onboarding flow. This will improve the speed and user experience by displaying loading placeholders while data is being fetched, resulting in a smoother, faster process for users

• Check the user added the records in the register or not