go-devops/TODO.md

# TODO.md — go-devops

Dispatched from core/go orchestration. Pick up tasks in order.

---

## Phase 0: Test Coverage & Hardening

- [x] **Expand ansible/ tests** — Added `parser_test.go` (17 tests: ParsePlaybook, ParseInventory, ParseTasks, GetHosts, GetHostVars, isModule, NormalizeModule), `types_test.go` (RoleRef/Task UnmarshalYAML, Inventory, Facts, TaskResult, KnownModules), `executor_test.go` (getHosts, matchesTags, evaluateWhen, templateString, applyFilter, resolveLoop, templateArgs, handleNotify, normalizeConditions, helper functions). All pass. Commit `6e346cb`.
- [x] **Expand infra/ tests** — Added `hetzner_test.go` (HCloudClient/HRobotClient construction, do() round-trip via httptest, API error handling, JSON serialisation for HCloudServer, HCloudLoadBalancer, HRobotServer) and `cloudns_test.go` (doRaw() round-trip, zone/record JSON, CRUD responses, ACME challenge, auth params, errors). Commit `6e346cb`.
- [ ] **Expand build/ tests** — Add: builder detection tests (each builder's `Detect()` with matching/non-matching directory structures), archive round-trip (create tar.gz → extract → compare), signing mock tests (verify `Sign()` called with correct paths).
- [ ] **Expand release/ tests** — Add: version detection from git tags / package.json / go.mod, changelog generation from conventional commits (mock git log output), publisher dry-run tests. Note: pre-existing nil pointer crash in `TestLinuxKitPublisher_Publish_NilRelCfg_Good` at `linuxkit.go:50`.
- [x] **Race condition tests** — `go test -race ./...` clean across ansible, infra, container, devops, build packages. Commit `6e346cb`.
- [x] **`go vet ./...` clean** — Fixed stale API calls in container/linuxkit_test.go, state_test.go, templates_test.go, devops/devops_test.go. go.mod replace directive fixed. Commit `6e346cb`.

## Phase 1: Ansible Engine Hardening

- [ ] **Module test coverage** — `modules.go` is 1,434 LOC with zero tests. Each module (service, file, template, command, copy, apt, yum) needs unit tests with mocked SSH sessions.
- [ ] **Error propagation** — Verify all SSH errors are wrapped with `core.E()` including host context. Currently some errors may lose the host identifier.
- [ ] **Fact gathering** — Test fact collection from different Linux distros (Ubuntu, CentOS, Alpine). Mock `/etc/os-release` parsing.
- [ ] **Become/sudo** — Test privilege escalation paths. Verify password prompt handling.
- [ ] **Idempotency checks** — Modules should report `changed: false` when no action needed. Verify for file, service, template modules.

## Phase 2: Infrastructure API Robustness

- [ ] **Retry logic** — Add configurable retry with exponential backoff for Hetzner Cloud/Robot and CloudNS API calls. Cloud APIs are flaky.
- [ ] **Rate limiting** — Hetzner Cloud has rate limits. Detect 429 responses, queue and retry.
- [ ] **DigitalOcean support** — Currently referenced in config but no implementation. Either implement or remove.
- [ ] **API client abstraction** — Extract common HTTP client pattern from hetzner.go and cloudns.go into shared infra client.

## Phase 3: Release Pipeline Testing

- [ ] **Publisher integration tests** — Mock GitHub API for release creation, Docker registry for image push, Homebrew tap for formula update. Verify dry-run mode produces correct output without side effects.
- [ ] **SDK generation tests** — Generate TypeScript/Go/Python clients from a test OpenAPI spec. Verify output compiles/type-checks.
- [ ] **Breaking change detection** — Test oasdiff integration: modify a spec with breaking change, verify detection and failure mode.

## Phase 4: DevKit Expansion

- [ ] **Vulnerability scanning** — Integrate `govulncheck` output parsing into devkit findings.
- [ ] **Complexity thresholds** — Configurable cyclomatic complexity threshold. Flag functions exceeding it.
- [ ] **Coverage trending** — Store coverage snapshots, detect regressions between runs.

---

## Workflow

1. Virgil in core/go writes tasks here after research
2. This repo's dedicated session picks up tasks in phase order
3. Mark `[x]` when done, note commit hash
docs: add domain expert guide, task queue, and research notes CLAUDE.md: architecture guide for ansible/build/infra/release (29K LOC) TODO.md: 5-phase task queue (test coverage, ansible, infra, release, devkit) FINDINGS.md: package inventory, test gaps, config ecosystem Co-Authored-By: Virgil <virgil@lethean.io> 2026-02-20 00:59:01 +00:00			`# TODO.md — go-devops`

			`Dispatched from core/go orchestration. Pick up tasks in order.`

			`---`

			`## Phase 0: Test Coverage & Hardening`

docs(devops): update TODO.md Phase 0 completion status Mark ansible/ and infra/ tests as done, race detection clean, go vet fixed. Note pre-existing LinuxKit nil pointer crash. Co-Authored-By: Virgil <virgil@lethean.io> 2026-02-20 01:38:18 +00:00			- [x] Expand ansible/ tests — Added `parser_test.go` (17 tests: ParsePlaybook, ParseInventory, ParseTasks, GetHosts, GetHostVars, isModule, NormalizeModule), `types_test.go` (RoleRef/Task UnmarshalYAML, Inventory, Facts, TaskResult, KnownModules), `executor_test.go` (getHosts, matchesTags, evaluateWhen, templateString, applyFilter, resolveLoop, templateArgs, handleNotify, normalizeConditions, helper functions). All pass. Commit `6e346cb`.
			- [x] Expand infra/ tests — Added `hetzner_test.go` (HCloudClient/HRobotClient construction, do() round-trip via httptest, API error handling, JSON serialisation for HCloudServer, HCloudLoadBalancer, HRobotServer) and `cloudns_test.go` (doRaw() round-trip, zone/record JSON, CRUD responses, ACME challenge, auth params, errors). Commit `6e346cb`.
docs: add domain expert guide, task queue, and research notes CLAUDE.md: architecture guide for ansible/build/infra/release (29K LOC) TODO.md: 5-phase task queue (test coverage, ansible, infra, release, devkit) FINDINGS.md: package inventory, test gaps, config ecosystem Co-Authored-By: Virgil <virgil@lethean.io> 2026-02-20 00:59:01 +00:00			- [ ] Expand build/ tests — Add: builder detection tests (each builder's `Detect()` with matching/non-matching directory structures), archive round-trip (create tar.gz → extract → compare), signing mock tests (verify `Sign()` called with correct paths).
docs(devops): update TODO.md Phase 0 completion status Mark ansible/ and infra/ tests as done, race detection clean, go vet fixed. Note pre-existing LinuxKit nil pointer crash. Co-Authored-By: Virgil <virgil@lethean.io> 2026-02-20 01:38:18 +00:00			- [ ] Expand release/ tests — Add: version detection from git tags / package.json / go.mod, changelog generation from conventional commits (mock git log output), publisher dry-run tests. Note: pre-existing nil pointer crash in `TestLinuxKitPublisher_Publish_NilRelCfg_Good` at `linuxkit.go:50`.
			- [x] Race condition tests — `go test -race ./...` clean across ansible, infra, container, devops, build packages. Commit `6e346cb`.
			- [x] `go vet ./...` clean — Fixed stale API calls in container/linuxkit_test.go, state_test.go, templates_test.go, devops/devops_test.go. go.mod replace directive fixed. Commit `6e346cb`.
docs: add domain expert guide, task queue, and research notes CLAUDE.md: architecture guide for ansible/build/infra/release (29K LOC) TODO.md: 5-phase task queue (test coverage, ansible, infra, release, devkit) FINDINGS.md: package inventory, test gaps, config ecosystem Co-Authored-By: Virgil <virgil@lethean.io> 2026-02-20 00:59:01 +00:00
			`## Phase 1: Ansible Engine Hardening`

			- [ ] Module test coverage — `modules.go` is 1,434 LOC with zero tests. Each module (service, file, template, command, copy, apt, yum) needs unit tests with mocked SSH sessions.
			- [ ] Error propagation — Verify all SSH errors are wrapped with `core.E()` including host context. Currently some errors may lose the host identifier.
			- [ ] Fact gathering — Test fact collection from different Linux distros (Ubuntu, CentOS, Alpine). Mock `/etc/os-release` parsing.
			`- [ ] Become/sudo — Test privilege escalation paths. Verify password prompt handling.`
			- [ ] Idempotency checks — Modules should report `changed: false` when no action needed. Verify for file, service, template modules.

			`## Phase 2: Infrastructure API Robustness`

			`- [ ] Retry logic — Add configurable retry with exponential backoff for Hetzner Cloud/Robot and CloudNS API calls. Cloud APIs are flaky.`
			`- [ ] Rate limiting — Hetzner Cloud has rate limits. Detect 429 responses, queue and retry.`
			`- [ ] DigitalOcean support — Currently referenced in config but no implementation. Either implement or remove.`
			`- [ ] API client abstraction — Extract common HTTP client pattern from hetzner.go and cloudns.go into shared infra client.`

			`## Phase 3: Release Pipeline Testing`

			`- [ ] Publisher integration tests — Mock GitHub API for release creation, Docker registry for image push, Homebrew tap for formula update. Verify dry-run mode produces correct output without side effects.`
			`- [ ] SDK generation tests — Generate TypeScript/Go/Python clients from a test OpenAPI spec. Verify output compiles/type-checks.`
			`- [ ] Breaking change detection — Test oasdiff integration: modify a spec with breaking change, verify detection and failure mode.`

			`## Phase 4: DevKit Expansion`

			- [ ] Vulnerability scanning — Integrate `govulncheck` output parsing into devkit findings.
			`- [ ] Complexity thresholds — Configurable cyclomatic complexity threshold. Flag functions exceeding it.`
			`- [ ] Coverage trending — Store coverage snapshots, detect regressions between runs.`

			`---`

			`## Workflow`

			`1. Virgil in core/go writes tasks here after research`
			`2. This repo's dedicated session picks up tasks in phase order`
			3. Mark `[x]` when done, note commit hash