Roadmap

Aero2 is evolving from a single-tenant OIDC provider into a multi-tenant identity platform. This page summarizes the development phases.

Current State (v0.3)

Aero2 currently provides:

OIDC Provider — Authorization code flow with PKCE, ID/access/refresh tokens, JWKS, discovery
Relying Party — GitHub and Google OAuth, static and dynamic IdP configuration
Security — RS256 token signing, CSRF protection, CSP, HSTS, CORS fail-closed, open redirect prevention, proactive session revocation
RBAC — Roles and permissions, bootstrap admin, permission-based endpoint protection
Frontend — React 19 SPA with admin dashboard, dark mode, audit log viewer
Testing — 128+ tests (Vitest with Cloudflare Workers pool)

Phase Overview

Phase	Focus	Priority	Status
Phase 0	Multi-Tenancy Foundation	P0	Not Started
Phase 1	Core Auth (email/password, lockout, profile)	P0	Partially Done
Phase 2	Multi-Factor Authentication	P0-P1	Not Started
Phase 3	Developer Experience (SDKs, OpenAPI, M2M)	P1	Not Started
Phase 4	Organizations & B2B	P1-P2	Not Started
Phase 5	Session & Token Enhancements	P1-P2	Not Started
Phase 6	Enterprise SSO (SAML, SCIM)	P2	Not Started
Phase 7	Security Hardening	P2	Not Started
Phase 8	Admin & Operational	P2	Not Started
Phase 9	Frontend Polish	P2	Not Started
Phase 10	Advanced OAuth2 (Device flow, PAR, DPoP)	P3	Not Started
Phase 11	Compliance (GDPR, DR)	P3	Not Started
Phase 12	Webhooks & Events	P3	Not Started
Phase 13	Performance & Observability	P3	Not Started

Phase 0: Multi-Tenancy Foundation

Must be completed first — every subsequent feature depends on this.

Transforms Aero2 from single-tenant to multi-tenant by adding:

applications table with app_id scoping on all tenant tables
Dashboard application bootstrap (dogfooding)
Subdomain routing middleware (hostname → application resolution)
Application CRUD API and API key management
Custom domain support via Cloudflare for SaaS
Dashboard frontend for developers

See Multi-Tenancy Design for full details.

Phase 1: Core Auth Foundation

Adds native authentication methods beyond external OAuth:

Durable Object-backed rate limiting (replacing in-memory)
Account lockout and brute-force protection
Email/password authentication with signup, verification, and password reset
User self-service profile management
Sign-up configuration (open, invite-only, domain-restricted)

Completed items: open redirect prevention (#2), CSRF hardening (#3), session revocation on disable (#5).

See Email/Password Design for details.

Phase 2: MFA

TOTP (authenticator apps)
WebAuthn / Passkeys
SMS OTP
Magic link authentication
Step-up authentication for sensitive operations
Per-app MFA policy (off/optional/required)

See MFA Design for details.

Phase 3: Developer Experience

Client credentials flow (M2M authentication)
Token introspection endpoint (RFC 7662)
OpenAPI documentation with Scalar UI
JavaScript/TypeScript SDK (@aero2/sdk-js)
React component library (@aero2/react)
Backend middleware libraries (@aero2/node, @aero2/hono)
Custom JWT templates

Phase 4: Organizations

Organization CRUD and membership
Org-level RBAC
Verified domains (auto-enroll by email domain)
Invitation flow
Org switcher and management UI

See Organizations Design for details.

Phases 5-13

Later phases cover session enhancements, enterprise SSO (SAML/SCIM), security hardening, branding, webhooks, advanced OAuth2 protocols (Device flow, PAR, DPoP), compliance tools, and performance optimization.

Suggested Build Order

Phase 0 (multi-tenancy)
Email/password auth (#6) + password reset (#7)
Rate limiting (#1) + account lockout (#4)
User profile (#8) + signup config (#9)
TOTP MFA (#10)
Client credentials (#15)
Organizations (#22-25)
OpenAPI docs (#17)
SDKs (#18-20)
Everything else based on demand

Contributing

Pick up any unstarted item from the roadmap. See Local Setup for getting started and Conventions for coding standards.