Project
Roadmap
What WATS plans to ship next, and what is explicitly out of scope for now.
active · applies to post-foundations roadmap · reviewed 2026-05-01
What is planned, what is shipped, and what is explicitly out of scope. Issue-level tracking lives in the project tracker.
Shipped
The 0.3.x-alpha-tooling line ships the substrate:
- Graph client, transport seam, endpoint registry, pagination, scoped clients
- Graph error registry seeded with the known Meta error codes
- webhook challenge/signature verification, runtime-neutral WebhookAdapter, Bun/Node/Fetch wrappers
- typed webhook normalizer, typed filters, router, listeners,
WhatsAppfacade - media runtime: upload, metadata resolution, binary download, delete, encrypted decrypt, resumable upload sessions
- outbound composers: media, location, contacts, reaction, interactive variants, template send, mark-as-read, typing indicators
- template management: list/create/get/update/delete, component builders, parameter validation, template webhook filters
- Flows: metadata/JSON CRUD, publish/deprecate,
buildFlowJson/validateFlowJson, data-exchange response builders, encrypted request decrypt / response encrypt, metrics, migration, and Flow media decrypt helpers - calling: initiate/pre-accept/accept/reject/terminate, call permissions, calling settings/SIP request shapes, BSUID recipients, call-button/deep-link helpers, calling webhook variants, typed call filters, and operator codec/signaling docs
- business/admin: read-only WABA and phone-number inventory, profile/commerce reads and updates, Block API, OBA status, display-name review, phone registration lifecycle, QR CRUD, public-key helpers, token exchange, and WABA callback override
- template helpers: list/create/get/update/delete, compare, unpause, migrate, archive/unarchive, authentication-template upsert, library-template create fields, component builders, parameter validation, template webhook filters
@wats/config,@wats/cli(init,setup,onboarding,config validate,doctor,serve,openapi,upgrade,messages list/show),@wats/servicewith OpenAPI 3.1- SQLite persistence: migrations, idempotency records, outbox APIs
- Postgres persistence adapter at
@wats/persistence/postgres(shape-only, mock-client tested; no default CI live Postgres) - local message projection (
wats_messages/wats_message_status_events) and read-onlywats messages list/showCLI inspection - pywa migration guide and per-endpoint status page
Everything above is credential-free and MockTransport-validated unless endpoint status marks it live-validated. The Postgres adapter is mock-client tested; it is not live-validated against a running Postgres service.
Planned
- Live credentialed validation of media, message, template, Flow, and calling paths: read-only discovery first, side-effecting tests second, destructive cleanup last. Halted until credentials and explicit operator authorization exist.
- Mutating admin endpoints still remaining: WABA CRUD, catalog/product inventory CRUD, and
subscribeApp; shipped request-shape helpers remain shape-only until live validation. - Live Postgres validation and service send enqueueing.
- Production deployment hardening: Compose, container image publication, registry workflow, and a production hosting contract. The repo ships a Railway-targeted Dockerfile.
- Analytics/quality/rate-limit surfaces beyond the current typed alert payloads.
Out of scope for now
- Automatic user-block decisions and policy/appeal automation.
- WebRTC/media session orchestration beyond calling request shapes.
- Catalog/product inventory CRUD beyond read-only commerce settings.
- Full Meta Graph API OpenAPI generation.
Credential rule
Any step that hits live Meta endpoints, sends messages, mutates WABA assets, or verifies live webhook secrets requires explicit operator authorization and a documented secrets plan first. No exceptions.