What's next for prefixd.

Core functionality is stable:

• Event ingestion and policy engine
• GoBGP v4.x FlowSpec (IPv4/IPv6)
• Reconciliation loop with drift detection
• PostgreSQL state storage
• Mode-aware auth (none, credentials, bearer, mtls)
• WebSocket real-time dashboard
• CLI tool (prefixdctl)

See CHANGELOG for version history.

These blockers map directly to the "Production Ready" release gates below. Keep both sections in sync when statuses change.

• FRR FlowSpec lab (containerlab) - fully working
• Juniper cJunosEvolved (PTX10002) - end-to-end verified
  • Event ingestion → policy → GoBGP → cJunos inetflow.0
  • Announce, rate-limit, withdraw, TTL expiry all confirmed
  • Documented vendor quirks (FlowSpec-only AFI-SAFI, FXP0ADDR token, license warning)
• Test with Arista cEOS
• Test with Cisco XRd
• Document vendor-specific quirks and import policies

• Review all docs for accuracy (release-candidate freeze)
• Add example Grafana dashboards
• Record demo video: attack → detection → mitigation → recovery

• Derive WebSocket URL from window.location at runtime (removed NEXT_PUBLIC_PREFIXD_WS build-time env var; nginx reverse proxy is the proper solution for single-origin deployment)
• Light/dark mode toggle
• Config page (Phase 1)
  • Read-only view of running config (allowlist-redacted settings, playbook visualization)
  • Hot-reload button (triggers POST /v1/config/reload)
  • Inventory browser (searchable customer/service/IP table)
  • Route-group auth guard, session expiry handling, deny-by-default permissions
• Withdraw button on mitigations (P0 — all competitors have this)
  • Inline XCircle button on active/escalated rows + confirm dialog in detail panel
  • Calls POST /v1/mitigations/{id}/withdraw, permission-gated (operator+admin)
  • Real-time list update via SWR mutate
• Safelist management on admin page (P0 — FastNetMon/Wanguard have whitelist UI)
  • Full CRUD: add with prefix + reason, remove with confirm dialog
  • Calls GET/POST /v1/safelist, DELETE /v1/safelist/{prefix}
  • Shows prefix, reason, added_by, timestamp per entry
• Mitigation detail view (P1 — drill-down page)
  • Full-page dedicated view (/mitigations/{id})
  • FlowSpec rule JSON preview and timeline (created → escalated → withdrawn/expired)
  • Embedded customer and service context looking up from inventory
  • Inline withdraw capabilities
• Manual mitigation/event creation (P1 — "mitigate now" from UI)
  • Form at /mitigations/create submitting POST /v1/events with action: "ban"
  • Fields: destination IP, vector, bps/pps, ports (max 8), confidence slider
  • Permission-gated (operator + admin), "Mitigate Now" button in mitigations toolbar + command palette
• Toast notifications from WebSocket feed (P1 — Wanguard/Kentik have real-time alerts)
  • Surface WS events as toast notifications (new mitigation, escalation, expiry)
  • Refactored use-websocket into a WebSocketProvider Context to prevent duplicate connections
  • Centralized connection management and SWR cache invalidation
• Embedded time-series charts (P2 — reduces context-switching to Grafana)
  • 24h area chart on overview: mitigations + events per hour
  • PostgreSQL-backed via GET /v1/stats/timeseries with gap-filled generate_series buckets
  • recharts AreaChart with gradient fill, 30s auto-refresh
• Filtering and pagination on list pages (P1 — client-side)
  • Mitigations: status toggle pills, IP search, column sorting, 20/page pagination
  • Events: source filter, vector filter, IP search, column sorting, 20/page pagination
  • Audit log: action filter, actor filter, text search, column sorting, 20/page pagination
  • Server-side cursor pagination tracked as future item
• Mitigation history per IP (P2 — "what happened to this IP")
  • Dedicated /ip-history?ip=X page with search bar and vertical timeline
  • Events + mitigations interleaved chronologically, customer/service context
  • All victim_ip cells across UI link to IP history page
  • GET /v1/ip/{ip}/history backend endpoint with inventory lookup
• Alerting/webhook config UI (P1 — full editor + test alert)
  • "Alerting" tab on Config page: add/edit/remove destinations, event filters, redacted secrets, admin-only test alert
• Audit log detail expansion (P1 — click-to-expand)
  • Click truncated details to expand full JSON inline; extracted AuditRow sub-component
• Customer/POP filter on mitigations (P1 — dropdown filters)
  • Customer and POP dropdown filters using existing backend ?customer_id= and ?pop= params
• Timeseries range selector (P1 — 4 range options)
  • 1h/6h/24h/7d toggle buttons above activity chart with appropriate bucket sizes (5m/30m/1h/6h)
• Active count badge on sidebar (P1 — live count)
  • Active mitigation count badge on Mitigations nav item via useStats() hook
• Severity badges on mitigations (P1 — color-coded)
  • Severity column derived from status + action_type (critical/high/medium/low)
• Dark mode refinement (P1 — audited, no issues)
  • All hardcoded colors are semantic accents (status green/red/yellow) with good contrast in both themes
  • Admin reload button already has explicit dark: hover variants
• Page layout cleanup (P1 — admin tabs shipped)
  • Admin page uses Tabs component: Status, Safelist, Users (conditionally rendered)
  • Config page already tabbed: Settings, Playbooks, Alerting
• Config page editing (Phase 2 shipped)
  • Playbook editor shipped: form tab + raw YAML tab backed by PUT /v1/config/playbooks
  • Alerting editor shipped: destination CRUD + event filters backed by PUT /v1/config/alerting
  • Atomic YAML writes, .bak backups, and hot-reload on save
• Vitest setup (vitest.config.ts, jsdom, @testing-library/react, bun run test)
• Component tests (ErrorBoundary test with 3 cases)
• Hook tests (usePermissions 5 tests, useAuth 5 tests)
• Error boundaries (ErrorBoundary component wrapping dashboard layout)
• Event → mitigation linking (P1 — connects the operator workflow)
  • Mitigation detail page links back to triggering event via ?id= param
  • Audit log target_id links to mitigation detail when target_type is mitigation
  • Command palette search links directly to /mitigations/{id}
  • Overview stat cards link to mitigations/events pages
  • Events "View Mitigations for IP" pre-fills search via ?ip= param
• CSV export for list pages (P1 — operators need data for reports/tooling)
  • Download button on mitigations, events, and audit log tables
  • Exports current filtered view as CSV (client-side generation, no backend)
  • Includes all visible columns plus IDs, date-stamped filename
• Keyboard shortcuts (P1 — DX, command palette already exists)
  • g o/m/e/i/h/a/c navigation, n for Mitigate Now, ? toggles help modal
  • Cmd+K command palette, Cmd+B sidebar toggle
  • Hints shown in command palette and keyboard shortcuts modal
• Upgrade lucide-react (0.454 → 0.575, all ~40 icon imports verified)
• Upgrade react-resizable-panels (2.1 → 4.6, major version)
• Upgrade tower-sessions (0.14 -> 0.15, blocked on axum-login 0.18 compatibility)

• Credentials auth mode (username/password)
  • Users table in PostgreSQL
  • Argon2id password hashing
  • Session cookies (HttpOnly, Secure when TLS is enabled, SameSite=Lax)
  • Roles: admin, operator, viewer
• User management UI in Admin page
• Real login form (replace placeholder)

Target: Validated with real routers, stable API, production-proven. Operators trust prefixd before we build new features.

• Arista + Cisco XR interop scenarios pass end-to-end in lab
• Vendor capability matrix + reference import policy docs published
• CVE gate + SBOM generation enabled in CI and green on main
• Documentation accuracy review + demo video complete

• Juniper PTX (cJunosEvolved 25.4R1.13-EVO) - verified
• Arista cEOS / 7xxx (EOS 4.20+) — validate FlowSpec announce/withdraw/reconcile
• Cisco XRd / IOS-XR (ASR 9000, NCS) — known FlowSpec quirks to document
• Juniper quirks documented (FlowSpec-only AFI-SAFI, import policy, no-validate)
• Vendor capability matrix (what works, what doesn't, per vendor) — docs/vendors.md
• Reference import policies per vendor (copy-paste ready) — in docs/vendors.md and docs/deployment.md
• Graceful degradation for unsupported features

• Monthly GoBGP baseline bump policy (track upstream releases, especially parser hardening like v3.35.0)
• CVE gate in CI (cargo audit + bun audit gate Docker publishing; fail build on known vulnerabilities)
• SBOM generation (CycloneDX JSON, published as release artifact on version tags)
• FlowSpec NLRI parser fuzz/regression tests (proptest in CI + cargo-fuzz for offline coverage)

• API versioning and deprecation policy (docs/api-versioning.md)
• Database migration tooling (schema_migrations table, prefixdctl migrations)
• Upgrade path documentation (docs/upgrading.md)

• Config API allowlist redaction (prevent accidental secret exposure)
• Public health endpoint slimmed (no DB/GoBGP calls, no operational data)
• Frontend deny-by-default permissions with auth-mode awareness
• Session expiry handling (401 interceptor, debounced redirect)
• Route-group auth guard (structural, not opt-in per page)
• Route definition deduplication (shared helpers for production + test routers)
• OpenAPI spec covers all endpoints (health split, config read-only)
• Integration tests for config/health endpoints (25 integration tests)
• Event ingestion endpoint auth enforcement (require_auth on POST /v1/events)
• Chaos testing — 17 tests across 4 categories (Postgres, GoBGP, prefixd, network), all passing
• Load testing — 7 HTTP load tests with hey (~4,700 events/sec, ~8,000 health req/s)
• Security audit — 20 backend + 9 frontend findings, actionable items fixed
• Reconciliation loop pagination (pages through all active mitigations, no cap)
• SSRF protection on webhook URLs (HTTPS required, private IPs rejected)

• Database metrics (connection pool: active, idle, total via prefixd_db_pool_connections)
• Request tracing with correlation IDs (x-request-id header, tracing span, nginx forwarding)
• Grafana dashboard templates

• Review all docs for accuracy (release-candidate freeze)
• Record demo video: attack → detection → mitigation → recovery
• Vendor quirks documented

Target: Quality-of-life for operators during active incidents. These are the features that reduce time-to-action during attack waves.

• Bulk withdraw — Multi-select mitigations and withdraw all at once (critical during false-positive waves)
• Bulk acknowledge — Mark mitigations as reviewed without withdrawing (POST /v1/mitigations/acknowledge, ?acknowledged= filter)

• Date range filtering — ?start=&end= query params on events, mitigations, and audit log endpoints
• Post-attack incident reports — GET /v1/reports/incident generates markdown summary (timeline, peak traffic, actions taken). PDF export tracked as follow-up. prefixdctl report command tracked as follow-up.
• FlowSpec rule preview — Human-readable display of announced NLRI on mitigation detail page

• Notification preferences — Mute/filter WebSocket toasts, quiet hours (reduce alert fatigue) — ADR 017, migration 006
• Per-destination event routing — Route different event types to different alerting destinations — ADR 017

• Server-side cursor pagination — All list endpoints use cursor-based pagination (ADR 016), offset removed
• Event batching — POST /v1/events/batch accepts up to 100 events with partial success semantics

Replace the GoBGP container dependency with rustbgpd crates embedded directly into the prefixd binary. Eliminates the separate process, gRPC client overhead, proto compilation, and container orchestration. prefixd becomes a single binary that speaks BGP natively.

• Add rustbgpd-wire, rustbgpd-fsm, rustbgpd-transport, rustbgpd-rib as workspace dependencies
• Implement RustBgpdAnnouncer behind the existing FlowSpecAnnouncer trait (announce, withdraw, list_active, session_status)
• Peer lifecycle managed by prefixd config (ASN, neighbor address, AFI-SAFI, timers)
• Feature-flag the announcer backend (--features gobgp vs --features native-bgp, default native)

• Reconciliation loop reads the embedded RIB directly instead of querying GoBGP via gRPC
• Expose BGP session state in health detail endpoint from the embedded FSM
• Map existing gobgp.conf semantics to rustbgpd peer config (migration path for existing deployments)

• Remove proto/ directory and build.rs proto compilation
• Remove tonic/prost GoBGP client dependencies
• Remove gobgp service from docker-compose.yml
• Update all lab topologies (containerlab configs peer directly with prefixd)
• Update deployment docs, vendor configs, and troubleshooting guides

• Re-run Juniper cJunosEvolved interop (announce, rate-limit, withdraw, TTL expiry)
• Re-run FRR containerlab interop
• Arista EOS validation (if hardware available)
• Chaos and load test suites pass against embedded speaker
• Migration guide for existing GoBGP deployments

The killer feature. Combine weak signals from multiple detectors into high-confidence decisions. Start with one high-value adapter.

Example: FastNetMon says UDP flood at 0.6 confidence + router CPU spiking + host conntrack exhaustion = high-confidence mitigation.

• Prometheus/Alertmanager adapter (POST /v1/signals/alertmanager webhook receiver) — maps labels/annotations to attack events, handles batched alerts
• FastNetMon webhook adapter (POST /v1/signals/fastnetmon) — classifies vectors from traffic breakdown, configurable confidence mapping
• Generic webhook adapter (POST /v1/signals/webhook/{name}) — operator-configured JSONPath mapping, HMAC/bearer/none auth, array batching via root_path (ADR 020)
• Router telemetry adapter (JTI, gNMI)
• Generic adapter transform functions (unit conversion, regex extract, computed fields)

• Time-windowed event grouping
• Source weighting and reliability scoring
• Corroboration requirements ("require 2+ sources")
• Correlation explainability (why details in API/UI for each mitigation decision)
• Corroborating-only signals v1 — coarse telemetry (router CPU, PoP interface, per-customer NetFlow) can strengthen groups without ever triggering mitigations on its own (ADR 021, PR #109)
• Corroborating signals v2 (PR B) — follow-ups from the ADR 021 review:
  • Playbook-override-aware corroborator finalization: let a late corroborator promote corroboration_met → true on its own path, using the resolved override from the group's most recent primary event. Eliminates the current dependency on "another primary event fires within the window" for late corroborators to take effect.
  • Per-source attribution on prefixd_corroborator_expired_total: select expiring rows grouped by source before delete so the metric can be labelled without a full rewrite of the sweep path.
  • API cleanup: drop the redundant cached: true field from CorroboratorResponse; status ∈ {attached, cached} already fully describes the outcome. Coordinate with a minor API version bump since the endpoint is new in this release.
  • Dashboard "cached corroborators" panel: small widget on the Correlation dashboard showing live count of unattached-but-unexpired corroborators per source, sourced from a new /v1/signals/corroborator/cache listing endpoint (admin-only).
  • Gauge metric prefixd_corroborator_cache_size{source} updated by the reconcile loop for Prometheus alerting on runaway caches.
• Router telemetry adapter (JTI, gNMI) as the first production consumer of corroborator mode (already listed under Signal Adapters)
• Replay mode for tuning (simulate historical incidents without announcing FlowSpec rules)

• Derived confidence from traffic patterns
• Confidence decay over time
• Per-playbook thresholds

Broader ecosystem integration and advanced capabilities for large-scale deployments.

• NetBox inventory sync (replace YAML inventory with NetBox as source-of-truth)
• FastNetMon native adapter (common pairing for self-hosted deployments) — shipped v0.14.0
• Scrubber vendor integrations (complement cloud/hardware mitigation with policy automation)
• Reference integration recipes for commercial DDoS appliances (Radware, NETSCOUT, A10) via the generic webhook adapter
• LDAP/AD auth backend (group-to-role mapping)
• RADIUS/ISE auth backend (attribute mapping to roles)
• Customer self-service portal (per-customer dashboards for MSSPs)
• Native BGP speaker — moved to its own milestone (rustbgpd integration)

• Redirect actions (redirect-to-IP, redirect-to-VRF)
• Extended match criteria (packet length, TCP flags, DSCP)
• Scrubber integration with diversion orchestration

• Distributed coordination for multi-region
• POP-level drill-down dashboard with geographic view

• Real-time bps/pps sparklines per mitigation (query Prometheus or internal metrics)
• OpenAPI/Swagger viewer embedded in dashboard
• GeoIP / ASN / IX enrichment at ingest

Explicitly out of scope:

• Inline packet scrubbing - Control-plane only
• L7/WAF analysis - Focus is L3/L4 volumetric
• Detection algorithms - Use existing detectors
• Tbps-scale scrubbing - Requires upstream integration
• FlowSpec "match everything" rules - Blocked by guardrails

Want to help? Check:

1. Issues labeled good first issue
2. Items in this roadmap
3. CONTRIBUTING.md for guidelines