diff --git a/docs/ROADMAP.md b/docs/ROADMAP.md
new file mode 100644
index 00000000..0d376413
--- /dev/null
+++ b/docs/ROADMAP.md
@@ -0,0 +1,450 @@
+# MCPProxy-Go Development Roadmap
+
+> **Vision**: Create the most secure, user-friendly MCP proxy for personal use with comprehensive tool poisoning defense, seamless registry integration, and intelligent UX features that save time and tokens.
+
+## Executive Summary
+
+This roadmap prioritizes **security-first development** with **personal productivity enhancements** to address critical vulnerabilities in the MCP ecosystem while providing an exceptional user experience. Focus areas include advanced security monitoring, MCP registry integration, and smart features that reduce token usage and improve tool discoverability.
+
+### Core Principles
+1. **Security First**: Comprehensive tool poisoning defense and security monitoring
+2. **Personal Productivity**: Token-efficient workflows and smart tool management  
+3. **Registry Integration**: Seamless discovery via official and community MCP registries
+4. **User Experience**: Intuitive management with intelligent recommendations
+
+---
+
+## 🎯 Implementation Status Overview
+
+### ✅ **Already Implemented**
+- [x] **Tool Quarantine System** - Automatic quarantine for new servers
+- [x] **Security Analysis Tools** - Comprehensive TPA detection via `quarantine_security` tool
+- [x] **Multi-Transport Support** - stdio, HTTP, SSE, streamable-HTTP protocols
+- [x] **Storage Management** - BBolt database with tool statistics and hash tracking
+- [x] **Cache System** - BleveDB indexing with pagination and search
+- [x] **System Tray GUI** - Server management with real-time status updates
+- [x] **Configuration Management** - File watching and auto-reload capabilities  
+- [x] **Tool Discovery** - `retrieve_tools` with semantic search capabilities
+- [x] **Upstream Management** - Add/remove/enable/disable servers via `upstream_servers` tool
+- [x] **Auto-start Functionality** - macOS launch agent support
+- [x] **Security Documentation** - Comprehensive TPA analysis guides for LLMs
+
+### ⚠️ **Partially Implemented**
+- [x] **Basic Protocol Support** - MCP initialization and version negotiation
+- [ ] **Advanced OAuth** - Basic framework exists, needs RFC 8707 compliance
+
+### ❌ **Not Yet Implemented**
+- [ ] **Advanced Security Features** - Signed manifests, LLM-based TPA scanning
+- [ ] **Personal UX Features** - Token savings, pinned tools, usage analytics
+- [ ] **Registry Integration** - Connection to official and community MCP registries
+- [ ] **Enhanced Protocol Support** - Structured output, elicitation, advanced security
+
+---
+
+## 🛡️ Phase 1: Advanced Security & MCP 2025.06 Compliance
+
+> **Priority**: CRITICAL - Essential security foundations and protocol compliance
+
+### 1.1 OAuth 2.1 with Resource Indicators (RFC 8707) 
+**Status**: ❌ **Required by MCP 2025.06**  
+**Impact**: Very High | **Complexity**: High
+
+#### Core Implementation
+- [ ] **Protected Resource Metadata Discovery** ([RFC 9728](https://www.rfc-editor.org/rfc/rfc9728.html))
+  - [ ] Implement `/.well-known/oauth-protected-resource` endpoint
+  - [ ] Support authorization server discovery via `authorization_servers` property
+  - [ ] Enable separation of authorization server and resource server roles
+- [ ] **Resource Indicator Token Validation**
+  - [ ] Implement RFC 8707 resource parameter handling  
+  - [ ] Validate audience-restricted tokens with proper `aud` claims
+  - [ ] Reject tokens without correct resource URI scoping
+- [ ] **Enhanced Token Security**
+  - [ ] Token audience restriction to prevent cross-resource usage
+  - [ ] JWT access token support (RFC 9068) for stateless validation
+  - [ ] Configurable token lifetime management
+
+**Dependencies**: Update to `mark3labs/mcp-go v0.33.0+` (when available)
+
+### 1.2 Signed Tool Manifests & Integrity Verification
+**Status**: ❌ **Addresses Tool Poisoning Attacks**  
+**Impact**: High | **Complexity**: Medium
+
+#### Cryptographic Security
+- [ ] **Digital Signature Verification**
+  - [ ] Ed25519 signature support for tool definitions
+  - [ ] Multiple signing authority support with key rotation
+  - [ ] Integration with existing BBolt cache for signed manifest storage
+- [ ] **Tool Definition Integrity**
+  - [ ] SHA-256 hash verification at tool load time
+  - [ ] Detect unauthorized modifications to tool descriptions  
+  - [ ] Block execution of tampered tool definitions
+- [ ] **Manifest Pinning System**
+  - [ ] Version-locked tool definitions to prevent "rug pull" attacks
+  - [ ] User-configurable update policies (manual/automatic/scheduled)
+  - [ ] Rollback capabilities for problematic tool updates
+
+### 1.3 Enhanced Structured Tool Output Support
+**Status**: ❌ **New in MCP 2025.06**  
+**Impact**: High | **Complexity**: Medium
+
+#### Implementation Tasks
+- [ ] **Enhanced Schema Cache System**
+  - [ ] JSON Schema validation for tool outputs using existing cache infrastructure
+  - [ ] Type-safe result parsing and validation
+  - [ ] Integration with BleveDB for searchable structured data
+- [ ] **Security-Aware Result Processing**
+  - [ ] Sanitization of structured outputs before UI rendering
+  - [ ] Field-level security annotations (safe/unsafe content marking)
+  - [ ] Configurable output filtering policies in tray interface
+- [ ] **Rich UI Rendering**
+  - [ ] Structured data display in system tray notifications
+  - [ ] Export capabilities for structured data (JSON/CSV)
+  - [ ] Security indicators for potentially unsafe fields
+
+### 1.4 Elicitation Support Implementation  
+**Status**: ❌ **New in MCP 2025.06**  
+**Impact**: Medium | **Complexity**: Medium
+
+#### Core Features
+- [ ] **User Information Elicitation Handler**
+  - [ ] Server-initiated user data request processing
+  - [ ] Integration with existing quarantine system for elicitation review
+  - [ ] Privacy-first policies for data sharing with user consent prompts
+- [ ] **Elicitation Security Gateway**
+  - [ ] Human-in-the-loop approval via tray notification system
+  - [ ] Data classification and handling policies
+  - [ ] Comprehensive audit logging for all elicitation activities
+
+### 1.5 MCP Protocol Version Headers
+**Status**: ⚠️ **Basic support exists, needs enhancement**  
+**Impact**: Medium | **Complexity**: Low
+
+#### Enhancement Tasks
+- [ ] **Protocol Version Negotiation**
+  - [ ] Enhanced `MCP-Protocol-Version` header support per [PR #548](https://github.com/modelcontextprotocol/modelcontextprotocol/pull/548)
+  - [ ] Version compatibility matrix and feature detection
+  - [ ] Graceful fallback for older protocol versions in upstream connections
+
+---
+
+## 🎯 Phase 2: Personal Productivity & UX Enhancement
+
+> **Priority**: HIGH - Features that improve daily workflow and reduce token costs
+
+### 2.1 Token Usage Analytics & Optimization
+**Status**: ❌ **High personal value**  
+**Impact**: Very High | **Complexity**: Medium
+
+#### Smart Analytics Dashboard
+- [ ] **Token Consumption Tracking**
+  - [ ] Per-tool token usage monitoring with cost estimation
+  - [ ] Daily/weekly/monthly usage summaries via tray tooltips
+  - [ ] Token savings indicators showing cache hits vs fresh calls
+  - [ ] Integration with existing tool statistics in storage layer
+- [ ] **Cost Optimization Features**
+  - [ ] Intelligent caching recommendations based on usage patterns
+  - [ ] Token-efficient tool suggestions (recommend similar but cheaper tools)
+  - [ ] Batch operation detection to reduce API call overhead
+  - [ ] "Token Budget" alerts when approaching usage limits
+
+#### Smart Caching Enhancements  
+- [ ] **Usage-Based Cache Policies**
+  - [ ] Extend existing cache TTL based on tool frequency
+  - [ ] Intelligent pre-caching for frequently used tools
+  - [ ] Cache warming for predictable usage patterns
+  - [ ] Cache compression for token-heavy responses
+
+### 2.2 Pinned Tools & Quick Access
+**Status**: ❌ **Personal productivity feature**  
+**Impact**: High | **Complexity**: Low
+
+#### Quick Access System
+- [ ] **Tool Pinning Interface**
+  - [ ] Pin frequently used tools via tray context menus
+  - [ ] Drag-and-drop reordering in system tray
+  - [ ] Keyboard shortcuts for top 5 pinned tools
+  - [ ] Integration with existing tray server management
+- [ ] **Smart Recommendations**
+  - [ ] Auto-suggest pins based on usage frequency from existing tool stats
+  - [ ] Context-aware tool suggestions (time of day, recent activity)
+  - [ ] "Discovery mode" for exploring new tools similar to pinned ones
+  - [ ] Integration with tool search and indexing system
+
+### 2.3 Personal Workflow Automation
+**Status**: ❌ **Advanced personal features**  
+**Impact**: Medium | **Complexity**: Medium
+
+#### Workflow Features
+- [ ] **Tool Chains & Sequences**
+  - [ ] Create saved sequences of tool calls for common workflows
+  - [ ] Conditional execution based on previous tool results
+  - [ ] Variable passing between chained tools
+  - [ ] Integration with existing tool call infrastructure
+- [ ] **Smart Notifications**
+  - [ ] Long-running tool completion notifications via existing tray system
+  - [ ] Daily summary of tool usage and token consumption
+  - [ ] Security alerts for suspicious tool behavior patterns
+  - [ ] New tool discovery notifications from registry integration
+
+---
+
+## 📡 Phase 3: MCP Registry Integration & Discovery
+
+> **Priority**: HIGH - Connect to the growing MCP ecosystem
+
+### 3.1 Official MCP Registry Integration
+**Status**: ❌ **Ecosystem connectivity**  
+**Impact**: Very High | **Complexity**: High
+
+#### Registry Connection Framework
+- [ ] **Anthropic Official Registry**
+  - [ ] RESTful API integration for server discovery
+  - [ ] OAuth 2.0 authentication for registry access
+  - [ ] Real-time server metadata synchronization
+  - [ ] Integration with existing upstream server management
+- [ ] **Registry Browser Interface**
+  - [ ] In-tray registry browsing with search and filtering
+  - [ ] Server ratings and community reviews display
+  - [ ] One-click server installation with automatic quarantine
+  - [ ] Integration with existing security quarantine system
+
+#### Community Registry Support
+- [ ] **Docker MCP Catalog Integration**
+  - [ ] Direct connection to Docker Hub MCP catalog
+  - [ ] Container-based server deployment support
+  - [ ] Automatic image pulling and lifecycle management
+  - [ ] Integration with existing server enable/disable functionality
+- [ ] **MCP Compass Integration**  
+  - [ ] Natural language server discovery
+  - [ ] Semantic search integration with existing BleveDB indexing
+  - [ ] Real-time registry updates and notifications
+  - [ ] Smart recommendations based on current tool usage
+
+### 3.2 Registry-Based Security Enhancement
+**Status**: ❌ **Security via community intelligence**  
+**Impact**: High | **Complexity**: Medium
+
+#### Community Security Features
+- [ ] **Crowdsourced Security Ratings**
+  - [ ] Display community security ratings in server lists
+  - [ ] Integration with existing quarantine system based on ratings
+  - [ ] User contribution to security assessments
+  - [ ] Integration with TPA detection and analysis tools
+- [ ] **Verified Publisher Programs**
+  - [ ] Support for verified publisher badges from registries
+  - [ ] Enhanced trust indicators in tray server management
+  - [ ] Automatic security policy application for verified vs unverified servers
+  - [ ] Integration with signed manifest verification
+
+### 3.3 Registry Metadata & Discovery
+**Status**: ❌ **Enhanced discovery capabilities**  
+**Impact**: Medium | **Complexity**: Medium
+
+#### Metadata Integration
+- [ ] **Rich Server Metadata**
+  - [ ] Category and tag-based organization in registry browser
+  - [ ] Tool capability matrix display
+  - [ ] Usage statistics and popularity metrics
+  - [ ] Integration with existing tool statistics and search
+- [ ] **Smart Discovery Features**
+  - [ ] "Servers like this" recommendations
+  - [ ] Tool gap analysis (suggest servers for missing capabilities)
+  - [ ] Trend alerts for new popular servers
+  - [ ] Integration with personal usage analytics for better recommendations
+
+---
+
+## 🔒 Phase 4: Advanced Security & TPA Prevention
+
+> **Priority**: HIGH - Sophisticated threat detection and prevention
+
+### 4.1 LLM-Based Tool Poisoning Attack Scanner
+**Status**: ❌ **Advanced security analysis**  
+**Impact**: Very High | **Complexity**: High
+
+#### AI-Powered Security Analysis
+- [ ] **Advanced TPA Detection Engine**
+  - [ ] LLM-based tool description analysis for hidden instructions
+  - [ ] Pattern matching for common attack vectors ("send data to", "execute", etc.)
+  - [ ] Integration with existing quarantine tool analysis features
+  - [ ] Real-time scanning of tool updates and modifications
+- [ ] **Behavioral Analysis System**
+  - [ ] Tool execution pattern monitoring for anomalous behavior
+  - [ ] Cross-tool correlation analysis for attack chains
+  - [ ] Automatic quarantine triggers for suspicious tool combinations
+  - [ ] Integration with existing tool call interception system
+
+#### Enhanced Security Features
+- [ ] **Tool Description Sanitization**
+  - [ ] Automatic removal of potentially malicious instructions
+  - [ ] Whitelist-based instruction filtering with user configuration
+  - [ ] User notification system for sanitized content via tray
+  - [ ] Rollback capabilities for over-aggressive filtering
+
+### 4.2 Cross-Server Isolation & Tool Shadowing Prevention
+**Status**: ❌ **Server-to-server attack prevention**  
+**Impact**: High | **Complexity**: Medium
+
+#### Isolation Framework
+- [ ] **Server Namespace Isolation**
+  - [ ] Prevent cross-server tool name collisions using existing tool management
+  - [ ] Server-scoped tool namespacing in cache and index systems
+  - [ ] Configurable conflict detection and resolution policies
+  - [ ] Integration with existing tool discovery and search
+- [ ] **Tool Shadowing Detection**
+  - [ ] Monitor for duplicate tool names across servers
+  - [ ] Alert system for potential tool impersonation attempts via tray
+  - [ ] User-configurable precedence rules for tool conflicts
+  - [ ] Integration with security analysis and quarantine systems
+
+### 4.3 Comprehensive Security Dashboard
+**Status**: ❌ **Security visibility and control**  
+**Impact**: High | **Complexity**: Medium
+
+#### Security Monitoring Interface
+- [ ] **Real-time Threat Monitoring**
+  - [ ] Security event timeline with tray notifications
+  - [ ] Server trust status indicators in existing server management
+  - [ ] Tool execution audit trails with searchable logs
+  - [ ] Integration with existing quarantine and analysis tools
+- [ ] **Risk Assessment Interface**
+  - [ ] Server security scoring with visual indicators
+  - [ ] Tool risk categorization (safe/caution/dangerous)
+  - [ ] Security compliance dashboard showing RFC 8707 status
+  - [ ] Integration with registry security ratings and community data
+
+---
+
+## 🚀 Phase 5: Performance & Platform Enhancement
+
+> **Priority**: MEDIUM - Optimization and platform expansion
+
+### 5.1 Performance Optimization
+**Status**: ❌ **Operational excellence**  
+**Impact**: Medium | **Complexity**: Medium
+
+#### Core Performance Improvements
+- [ ] **Enhanced Caching System**
+  - [ ] Distributed cache with Redis/Valkey for multi-instance deployments
+  - [ ] Cache warming strategies based on usage patterns
+  - [ ] Compression and deduplication for large tool responses
+  - [ ] Integration with existing BBolt cache and statistics
+- [ ] **Connection Pool Management**
+  - [ ] Persistent connection pools for frequently used servers
+  - [ ] Automatic connection health monitoring and recovery
+  - [ ] Load balancing across multiple server instances
+  - [ ] Integration with existing upstream client management
+
+### 5.2 Advanced Personal Features
+**Status**: ❌ **Power user capabilities**  
+**Impact**: Medium | **Complexity**: Medium
+
+#### Advanced User Features
+- [ ] **Custom Tool Templates**
+  - [ ] User-defined tool argument templates for frequent use cases
+  - [ ] Template sharing via registry integration
+  - [ ] Version control for personal template library
+  - [ ] Integration with pinned tools and quick access features
+- [ ] **Personal Data Integration**
+  - [ ] Secure personal context storage (contacts, preferences, etc.)
+  - [ ] Privacy-preserving data usage with local encryption
+  - [ ] Personal data audit logs with automatic cleanup
+  - [ ] Integration with elicitation system for data consent
+
+### 5.3 Cross-Platform Enhancement
+**Status**: ⚠️ **Linux and headless support exists but limited**  
+**Impact**: Medium | **Complexity**: Low
+
+#### Platform-Specific Improvements
+- [ ] **Linux Desktop Integration**
+  - [ ] Native system tray for Linux desktop environments
+  - [ ] Systemd service management with auto-start support
+  - [ ] Linux-specific security features (AppArmor/SELinux integration)
+  - [ ] Desktop notifications for security events
+- [ ] **Enhanced Windows Support**
+  - [ ] Windows Service deployment option
+  - [ ] Windows-specific auto-start and system integration
+  - [ ] Windows Toast notifications for security events
+  - [ ] Windows Defender SmartScreen integration for downloaded servers
+
+---
+
+## 📊 Success Metrics & Validation
+
+### Security Metrics
+- **Zero Critical TPA Incidents**: No successful tool poisoning attacks in production
+- **95%+ Security Coverage**: Comprehensive analysis of all quarantined servers
+- **<1 second** mean detection time for known TPA patterns
+- **99.9%** uptime for security monitoring systems
+
+### Personal Productivity Metrics  
+- **50%+ Token Savings**: Through intelligent caching and optimization
+- **<3 clicks** to access most frequently used tools via pinning
+- **90%+ User Satisfaction**: With discovery and management experience
+- **<5 seconds** response time for registry searches and tool discovery
+
+### Ecosystem Integration Metrics
+- **100+ Registry Servers**: Available through integrated discovery
+- **Real-time Sync**: Registry updates reflected within 60 seconds
+- **Community Engagement**: Active contribution to security assessments
+- **Cross-Platform Parity**: Feature consistency across macOS, Linux, Windows
+
+---
+
+## 🔗 Integration Points & Dependencies
+
+### MCP Ecosystem Dependencies
+- **mcp-go Framework**: Requires updates for full MCP 2025.06 compliance
+- **Registry APIs**: Anthropic official registry, Docker MCP Catalog, MCP Compass
+- **Security Intelligence**: Community TPA databases and threat intelligence feeds
+- **Protocol Standards**: MCP specification updates and RFC compliance requirements
+
+### Development Infrastructure
+- **Build System**: Cross-platform compilation and packaging automation
+- **Testing Framework**: Security validation, protocol compliance, and integration testing  
+- **Documentation**: User guides, security best practices, and API documentation
+- **Community Integration**: Issue tracking, feature requests, and security reporting
+
+---
+
+## 🎯 Conclusion
+
+This roadmap transforms mcpproxy-go into the premier **personal MCP proxy** by balancing robust security with exceptional user experience. The phased approach ensures security foundations are solid before building productivity features, while registry integration connects users to the growing MCP ecosystem safely and efficiently.
+
+Key differentiators:
+- **Security-first design** with comprehensive TPA prevention
+- **Personal productivity focus** with token optimization and smart workflows  
+- **Seamless registry integration** for ecosystem connectivity
+- **Intelligent user experience** that learns from usage patterns
+
+The roadmap prioritizes features that provide immediate value to individual users while building toward a comprehensive, secure, and user-friendly MCP management platform.
+
+---
+
+## 📚 References & Justification Sources
+
+### Security Research & Standards
+1. [MCP 2025.06 Specification](https://spec.modelcontextprotocol.io/specification/2025-06-18/)
+2. [RFC 8707 - Resource Indicators for OAuth 2.0](https://www.rfc-editor.org/rfc/rfc8707.html)
+3. [RFC 9728 - Protected Resource Metadata](https://www.rfc-editor.org/rfc/rfc9728.html)
+4. [Tool Poisoning Research - Trail of Bits](https://blog.trailofbits.com/2025/04/21/jumping-the-line-how-mcp-servers-can-attack-you-before-you-ever-use-them/)
+5. [MCP Security Analysis - Invariant Labs](https://invariantlabs.ai/blog/mcp-security-notification-tool-poisoning-attacks)
+
+### Registry & Ecosystem Resources
+6. [Anthropic MCP Registry Roadmap](https://modelcontextprotocol.io/development/roadmap)
+7. [Docker MCP Catalog Documentation](https://docs.docker.com/ai/mcp-catalog-and-toolkit/catalog/)
+8. [MCP Compass - Natural Language Discovery](https://github.com/liuyoshio/mcp-compass)
+9. [Community MCP Registry](https://github.com/modelcontextprotocol/registry)
+10. [MCP Market - Server Leaderboards](https://mcpmarket.com/leaderboards)
+
+### Protocol & Technical References
+11. [MCP Authorization Specification](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization)
+12. [MCP Development Roadmap](https://modelcontextprotocol.io/development/roadmap)
+13. [OWASP GenAI Security Guidelines](https://genai.owasp.org/2025/04/22/securing-ais-new-frontier-the-power-of-open-collaboration-on-mcp-security/)
+14. [McpSafetyScanner Research](https://arxiv.org/html/2504.03767v2)
+15. [MCP Proxy Transport Bridge](https://pypi.org/project/mcp-proxy/0.3.2/)
+
+---
+
+*Last Updated: Based on current codebase analysis*  
+*Next Review: After major MCP 2025.06 compliance milestone* 
\ No newline at end of file