# Planned Fixes and Enhancements

_This document captures the next set of improvements and fixes for Dereth Tracker._

## 1. Chat Window Styling and Format

- **Terminal-style chat interface**
  - Redesign the chat window to mimic Asheron’s Call in-game chat: monospaced font, dark semi-transparent background, and text entry at the bottom.
  - Implement timestamped message prefixes (e.g., `[12:34] character: message`).
  - Support command- and system-level styling (e.g., whispers, party chat) with distinct color cues.

## 2. Incoming Message Parsing

- **Strip protocol overhead**
  - Remove JSON envelope artifacts (e.g., quotes, braces) so only the raw message text appears.
  - Validate and sanitize incoming payloads (e.g., escape HTML, truncate length).
  - Optionally support rich text / emotes by parsing simple markup (e.g., `*bold*`, `/me action`).

## 3. Message Color Scheme

- **Per-character consistent colors**
  - Map each character name to a unique but legible pastel or muted color.
  - Ensure sufficient contrast with the chat background (WCAG AA compliance).
  - Provide user override settings for theme (light/dark) and custom palettes.

## 4. Command Prompt Integration

- **Client-side command entry**
  - Allow slash-commands in the chat input (e.g., `/kick PlayerName`, `/whisper PlayerName Hello`).
  - Validate commands before sending them to `/ws/live` and route them to the correct plugin WebSocket.
  - Show feedback on command success/failure in the chat window.

## 5. Security Hardening

- **Authentication & Authorization**
  - Enforce TLS (HTTPS/WSS) for all HTTP and WebSocket connections.
  - Protect `/ws/position` with rotating shared secrets or token-based auth (e.g., JWT).
  - Rate-limit incoming telemetry and chat messages to prevent flooding.
  - Sanitize all inputs to guard against injection (SQL, XSS) and implement strict CSP headers.

## 6. Performance and Scalability

- **Throttling and Load Handling**
  - Batch updates during high-frequency telemetry bursts to reduce WebSocket churn.
  - Cache recent `/live` and `/trails` responses in memory to relieve SQLite under load.
  - Plan for horizontal scaling: stateless FastAPI behind a load balancer with a shared database or in-memory pub/sub.

## 7. Testing and Quality Assurance

- **Automated Tests**
  - Unit tests for `db.save_snapshot`, HTTP endpoints, and WebSocket handlers.
  - E2E tests for the frontend UI (using Puppeteer or Playwright) to verify chat and map functionality.
  - Security regression tests for input sanitization and auth enforcement.

_Refer to this list when planning next development sprints. Each item should be broken down into individual tickets or pull requests._
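As an added illustration of items 2 and 3 above (example code, not Dereth Tracker's own), the following client-side sketch parses one chat payload from the `/ws/live` socket, rejects malformed envelopes, truncates and HTML-escapes the text, formats the `[HH:MM] character: message` prefix, and derives a stable pastel color per character name. The envelope shape `{type, ts, character, message}`, the length limits, UTC timestamps and all function names are assumptions.

```javascript
// Added example, not Dereth Tracker's own code. Envelope shape
// {type, ts, character, message} and the limits below are assumptions.
const MAX_NAME_LEN = 32;      // constructed limits
const MAX_MESSAGE_LEN = 512;

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// "[HH:MM]" prefix; rendered in UTC here so the output is deterministic.
function formatTimestamp(ts) {
  const d = new Date(ts);
  if (Number.isNaN(d.getTime())) return null;
  const hh = String(d.getUTCHours()).padStart(2, '0');
  const mm = String(d.getUTCMinutes()).padStart(2, '0');
  return `[${hh}:${mm}]`;
}

// Returns {stamp, character, message} or null when the payload is not a
// well-formed chat envelope. Every field is type-checked before use.
function parseChatPayload(raw) {
  let env;
  try { env = JSON.parse(raw); } catch { return null; }
  if (!env || typeof env !== 'object' || env.type !== 'chat') return null;
  if (typeof env.character !== 'string' || typeof env.message !== 'string') return null;
  const stamp = formatTimestamp(env.ts);
  if (stamp === null) return null;
  const character = env.character.trim().slice(0, MAX_NAME_LEN);
  if (character.length === 0) return null;
  // Drop control characters (including newlines), then cap the length.
  let message = env.message.replace(/[\u0000-\u001f\u007f]/g, ' ');
  if (message.length > MAX_MESSAGE_LEN) message = message.slice(0, MAX_MESSAGE_LEN);
  return { stamp, character, message };
}

// Per-character color: an FNV-1a hash of the name picks the hue; fixed
// saturation and lightness keep every color a legible pastel on a dark background.
function colorForCharacter(name) {
  let h = 0x811c9dc5;
  for (const ch of name) { h ^= ch.codePointAt(0); h = Math.imul(h, 0x01000193) >>> 0; }
  return `hsl(${h % 360}, 45%, 75%)`;
}

// HTML-safe chat line; the caller can assign it to the chat pane's innerHTML.
function renderChatLine(p) {
  return `<span class="ts">${p.stamp}</span> ` +
    `<span style="color:${colorForCharacter(p.character)}">${escapeHtml(p.character)}</span>: ` +
    `<span class="msg">${escapeHtml(p.message)}</span>`;
}
```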