Marmo Privacy — Product Roadmap

8-Month Post-MVP Timeline | July 2026 – February 2027

---

Overview

This roadmap covers the eight months following the Marmo Privacy MVP launch. The MVP delivers: smart contract deployment on Base mainnet, a functional Telegram mini app, a desktop app for macOS/Windows/Linux, the `@usemarmo/base-sdk` npm package, and core stealth address infrastructure. Everything on this roadmap builds on that foundation.

Items are ordered by dependency and user impact. Each phase is designed to ship as a complete, usable increment — not as partial work.

---

Month 1 — July 2026: Production Hardening

Goal: Turn the MVP into a production-grade system.

- Smart contract audit — Commission and complete a third-party security audit of `MarmoAccount.sol` and `MarmoAccountFactory.sol`. Resolve all findings before proceeding to scale.
- Bundler integration — Connect the desktop and Telegram apps to a production bundler (Pimlico or Alchemy) so UserOps are reliably submitted on-chain. Remove placeholder `VITE_BUNDLER_URL` requirement from user configuration.
- Real transaction submission — End-to-end ETH and USDC sends from both surfaces with basescan confirmation links.
- Gas estimation — Dynamic gas estimation instead of hardcoded limits. Prevent failed UserOps due to insufficient gas.
- Rate limiting and abuse protection — Harden the co-signer API against spam and denial-of-service patterns.
- Error monitoring — Integrate Sentry (or equivalent) on both the co-signer and Telegram app for production visibility.

---

Month 2 — August 2026: Full Stealth Receive

Goal: Complete the stealth address receive flow so users can actually detect and spend incoming stealth payments.

- Stealth scanning — Implement ERC-5564 `Announcement` event scanning. The wallet scans from the last synced block and identifies incoming payments destined for the user's view key.
- Stealth sweep — Automatically build and submit a UserOp that sweeps detected stealth UTXOs into the main smart account.
- Receive UI — Replace the static meta-address display with an active inbox showing pending and confirmed stealth receives.
- Announcer contract — Deploy the ERC-5564 Announcer contract on Base to standardise announcement publishing for Marmo sends.

---

Month 3 — September 2026: Swap and Multi-Token

Goal: Let users swap tokens natively without leaving the wallet.

- Uniswap V3 integration — Route swaps through Uniswap V3 on Base via the co-signer's `/v1/quote` and `/v1/tx/swap` endpoints. Show price impact, slippage, and fee breakdown before confirmation.
- Multi-token support — Display and send WETH, USDT, DAI, cbBTC, and any ERC-20 held in the wallet. Token list sourced from the Uniswap default token list.
- Token price display — Show USD values for all token balances in real time.
- Swap history — Persist a local transaction history on the desktop app and Telegram app.

---

Month 4 — October 2026: Desktop App v1.0

Goal: Ship the desktop app as a polished, signed, auto-updating release.

- Code signing — Sign macOS (.dmg), Windows (.msi), and Linux builds. Remove "untrusted developer" warnings on first launch.
- Auto-update — Ship Tauri's built-in updater so users receive patches without reinstalling.
- Key rotation UI — Allow users to rotate Shard A or Shard C from within the app, sweeping funds to a new account. Essential for users whose device or passkey is compromised.
- Desktop notifications — Notify users of incoming stealth payments detected during background scanning.
- USB drive shard flow — Guide new users through writing Shard A to a USB drive instead of the OS keychain, for air-gap-style security.
- Public v1.0 launch — Update landing page download links to signed v1.0 builds. Remove "beta" language.

---

Month 5 — November 2026: .marmo Handles and Identity

Goal: Make Marmo addresses human-readable and shareable.

- .marmo handle registration — Allow users to claim a `.marmo` username that resolves to their stealth meta-address. Implemented as an on-chain registry on Base.
- Handle resolution — The send screen accepts `.marmo` handles as recipients, resolving them to the appropriate stealth meta-address and generating a one-time address automatically.
- ENS compatibility — Read ENS `stealth-meta-address` text records so users can send to existing ENS names if the recipient has published a meta-address.
- Profile page — Each `.marmo` handle gets a public profile page at `usemarmo.xyz/u/handle` showing only the handle and meta-address (no balance or history).

---

Month 6 — December 2026: Privacy Pools

Goal: Provide compliant outbound privacy for USDC sends.

- Screened privacy pool integration — Integrate with an EVM-compatible privacy pool that issues ZK proofs of compliance. Users can deposit USDC, receive a compliance proof, and withdraw to a fresh address.
- Proof of innocence UI — Display a "screened" badge on outbound transactions that used the privacy pool. Allow users to export the compliance proof for regulatory purposes.
- Outbound stealth — Combine stealth addresses for receive with privacy pool exits for send, creating a complete private payment cycle.
- Compliance documentation — Publish a legal memo explaining the regulatory posture of screened pools vs. unscreened mixing.

---

Month 7 — January 2027: Mobile App

Goal: Ship a native iOS and Android app for users who do not use Telegram.

- React Native app — Build `marmo-mobile` using React Native with native WebAuthn (passkey) integration via platform APIs.
- Biometric unlock — Face ID / fingerprint unlock to access the wallet on mobile (local, not transmitted).
- Push notifications — Native push for incoming stealth payments.
- App Store and Play Store launch — Submit for review and publish Marmo Privacy on both stores.
- Mobile shard model — Shard A on mobile uses the device's Secure Enclave directly.
Shard C is a separate passkey stored in iCloud/Google Password Manager.

---

Month 8 — February 2027: SDK v2.0 and Developer Ecosystem

Goal: Make Marmo a platform other developers can build on.

- `@usemarmo/base-sdk` v2.0 — Add stealth address generation and scanning, UserOp building, and co-signer integration to the SDK. Developers can build Marmo-compatible wallets in under 50 lines.
- Developer documentation — Full docs site at `docs.usemarmo.xyz` with quickstart guides, API reference, and worked examples.
- Co-signer self-hosting guide — Publish a Docker Compose setup so developers can run their own co-signer server with their own key material.
- SDK playground — Interactive browser-based playground at `docs.usemarmo.xyz/playground` for testing stealth address generation and UserOp construction.
- Bug bounty program — Launch a public bug bounty covering the smart contracts, co-signer API, and SDK.
- Community governance proposal — Publish an initial proposal for community involvement in protocol parameter decisions (co-signer fee structure, supported chains).

---

Beyond 8 Months (Q2 2027 and Later)

Items under active consideration for the period beyond this roadmap:

- Multi-chain expansion — Optimism, Arbitrum, Polygon. The same MarmoAccountFactory can be deployed on any EVM chain. The co-signer API is chain-agnostic.
- Batch transactions — Use `executeBatch` to combine multiple sends into a single UserOp, reducing gas and improving privacy (one transaction for multiple recipients).
- Social recovery — Replace Shard C (passkey) with a social recovery mechanism: designate trusted contacts who can collectively unlock recovery without a passkey.
- Hardware integration — Optional Ledger or YubiKey support for Shard A as a premium security tier.
- USDC paymaster — Allow users to pay gas in USDC instead of ETH, removing the need to hold ETH for gas.
- Institutional tier — An M-of-N variant for teams and small DAOs, with customisable quorum and role-based signing policies.

---

Principles Guiding Prioritisation

1. Security before features — No new surface ships without passing a security review. The audit in Month 1 gates everything downstream.
2. Complete increments — Each month ships something users can actually use end-to-end, not partial infrastructure.
3. Privacy by default — Every feature is evaluated for whether it reduces or increases the user's on-chain footprint. Privacy must not require user action.
4. Open source first — Every component ships as open source. Proprietary lock-in contradicts the self-custody ethos.

---

Marmo Privacy | usemarmo.xyz | contact@usemarmo.xyz

Last updated: June 2026