Full-Site Capability Matrix
This page aligns PayIncus capabilities with the current architecture, admin entry points, user/API entry points, documentation, and guard tests. It is not a release promise; it is the acceptance map for deciding whether a capability is product-complete.
Status legend:
- Complete: core code, visible entry point, documentation, and guard coverage exist.
- Usable foundation: the core capability exists, but operations, compensation, production acceptance, or documentation still needs work.
- Planned enhancement: a direction or partial foundation exists and still needs dedicated implementation.
| Capability | Status | Admin entry | User/API entry | Main source | Verification and gap |
|---|---|---|---|---|---|
| Split user/admin apps | Complete | /admin/* | User router | client/src/router/admin.ts, client/src/router/user.ts | Route and bundle guards exist; keep customer self-service code out of the admin bundle. |
| OTA updates | Complete | /admin/system-update | None | server/src/routes/system-update.ts, server/src/scripts/run-system-update-task.ts | Release artifact, SHA256, rollback, and runtime directory preservation are covered; production proof still comes from task logs. |
| Instance purchase and delivery | Usable foundation | /admin/delivery, /admin/instances/create | /instances/create, /instances/:id | server/src/routes/instances.ts, server/src/db/hosts.ts | Purchase checks host, inventory, and storage pools; a broader production acceptance matrix is still needed. |
| Storage pool binding | Complete | Host storage page, package binding | Automatic instance placement | server/src/routes/hosts.ts, server/src/db/storage-pools.ts | Hosts without system disk pools cannot be sold; more health checks and alerts can be added. |
| Instance plan upgrades | Usable foundation | /admin/billing upgrade modal, /admin/delivery repair queue | Instance change-plan modal | server/src/routes/instance-billing.ts, server/src/routes/admin-billing.ts, server/src/services/plan-upgrade-sync-repair.ts | Capacity, balance, sold-out state, bandwidth sync and Incus sync are checked; failed Incus resource sync now creates a Delivery Assurance repair case with retry and manual closure. A fuller rollback playbook is still needed. |
| Bandwidth and traffic | Usable foundation | Package/plan settings, traffic sync | Instance list/detail, traffic reset | server/src/db/traffic.ts, server/src/services/traffic-scheduler.ts | Plan-level reset price and speed limits exist; abnormal sync and over-limit states should enter a unified operations view. |
| Resource risk control | Complete | /admin/resource-risk | Restricted users can request review by ticket | server/src/services/resource-risk.ts, server/src/routes/resource-risk.ts | Instance scores, QoS, CPU/bandwidth/PPS/small-packet detection, manual suspend, formal action dialogs, reason templates, source-linked order restriction, evidence details, 24-hour/7-day trends, and JSON export exist; longer-range charts and batch evidence export can be added later. |
| Payments and accounting | Usable foundation | /admin/billing, /admin/orders | Wallet, orders, recharge | server/src/routes/admin-billing.ts, server/src/routes/orders.ts | Online recharge, manual recharge, balance logs, adjustment approval, reconciliation, redacted exports, plugin gateway refund state machine, and the original-route refund workbench exist. Manual recharge creates a pending order, shows payment instructions to the user, and waits for admin confirmation in the order center. Original-route refunds validate provider capability before request creation, and reconciliation covers stale refunds plus missing failed-refund restore logs. Built-in provider refund adapters and fuller provider status sync are still needed. |
| Gift cards | Complete | /admin/gift-cards | /gift-cards | server/src/routes/gift-cards.ts | Generation, redemption, allowlist, and Turnstile are covered; production still requires the correct admin allowlist and Turnstile keys. |
| Communication | Usable foundation | /admin/tickets, /admin/help, /admin/inbox, /admin/integrations | /tickets, help center, inbox | server/src/routes/tickets.ts, server/src/lib/notifier.ts | Admin-only support context and internal notes exist; Integration Center summarizes notification channels and external service settings, supports one-click tests and live external health probes for SMTP, Lsky, Telegram, payment providers, global notification channels, default remote storage, Agent/Incus, OTA, and marketplace sources, and stores recent failures plus 7-day success rates. |
| Telegram integration | Usable foundation | /admin/integrations, /admin/settings/telegram | Profile binding | server/src/routes/telegram.ts, client/src/views/admin/TelegramConfigView.vue | Bot, webhook, user bindings, and group eligibility exist; Integration Center now surfaces the overall state. |
| Mail and Lsky attachments | Usable foundation | /admin/integrations, /admin/settings/mail, /admin/settings/tickets | Email verification, ticket attachments | server/src/routes/system-config.ts, server/src/lib/lsky.ts | SMTP/Lsky configuration, preflight, and Integration Center one-click health probes exist; health history stores recent failures and 7-day success rates. |
| Extension Center | Usable foundation | /admin/plugins | /extensions, extension pages | server/src/lib/plugin-manifest.ts, server/src/routes/admin-plugins.ts | Config, pages, events, actions, storage, marketplace submissions, tasks, and capability review exist; high-risk actions, service extensions, gateway extensions, and storage capabilities create review records, and unapproved high-risk capabilities cannot be enabled. Runtime-level fine-grained enforcement and rollback playbooks still need more work. |
| Theme Center | Complete | /admin/themes | /api/themes/active | server/src/lib/theme-package.ts, server/src/routes/admin-themes.ts | Upload, online marketplace, submission review, scan/publish, preview, enablement, configuration, and rollback exist; themes can only change visual surfaces, not auth, payments, permissions, risk control, or delivery logic. |
| Public API / OAuth | Usable foundation | /admin/oauth | /api/v1/*, OAuth Provider | server/src/routes/public-api.ts, server/src/lib/public-api-openapi.ts | Token auth, scopes, pagination, sorting, errors, and SDK exist; service creation, refunds, direct balance writes, and migrations remain closed. |
| Hosting and resource pools | Usable foundation | /admin/hosting, resource pages | My hosts, my packages, hosting wallet | server/src/routes/hosting.ts, server/src/routes/packages.ts | Hosting zones, income, packages, and host binding exist; business acceptance and anomaly notification need more work. |
| Entertainment and benefits | Usable foundation | /admin/entertainment | /entertainment, check-in/benefits | server/src/routes/admin-entertainment.ts, server/src/routes/checkin.ts | Foundation exists; product positioning, visibility, and configuration boundaries should be clarified. |
Next Closures
- Integration Center: SMTP, Lsky, Telegram, payment providers, notification channels, remote storage, Agent/Incus, OTA, marketplace sources, and webhook configuration state is now unified; SMTP, Lsky, Telegram, payment provider, global notification channel, default remote storage, Agent/Incus, OTA, extension market, and theme market one-click tests persist recent failures and 7-day success-rate summaries.
- Upgrade compensation: cases where billing/database updates succeeded but Incus sync failed now enter Delivery Assurance with retry and manual closure; next add a fuller rollback playbook and finer repair audit views.
- Risk workbench: prompt-based manual actions now use dedicated action dialogs with reason templates, and evidence details now include 24-hour/7-day trends, recent samples, risk event timelines, handling audit, linked restrictions, and JSON export; next optional enhancement is longer-range charts and batch evidence export.
- High-risk extension capabilities: capability review, admin handling, enablement blocking, and audit logs now exist; next add runtime-level fine-grained enforcement, batch audit export, and rollback playbooks.
- Refund lifecycle: plugin gateway refund has a controlled state machine, pre-create capability checks, refund lifecycle reconciliation, and the admin original-route refund workbench; next add built-in provider refund adapters and fuller provider status synchronization.
Maintenance Rule
Update this page whenever admin entries, user entries, Public API endpoints, OAuth scopes, extension capabilities, theme slots, delivery, payments, risk control, or OTA behavior changes. Run the matching guard tests with the docs update.