# TODO — core-devops
**Updated:** 2026-02-21 (Phase 0 assessment)

**See:** [FINDINGS.md](FINDINGS.md) for full assessment details.

---
## Phase 1 — Immediate (main branch health)
- [ ] Merge `dev` → `main` after review (dev is 20+ commits ahead)
- [ ] Update `VERSION` in `scripts/install-core.sh` to auto-detect latest release (fix is on `dev`)
- [ ] Verify `COMPOSER_EXPECTED_SIG` in `scripts/install-deps.sh` is current
- [ ] Update `GO_VERSION` in `scripts/install-deps.sh` to 1.24.x
## Phase 2 — Shell script quality
- [ ] Install `shellcheck` in CI and run against all `.sh` files
- [ ] Add BATS (Bash Automated Testing System) tests for `install-deps.sh` and `install-core.sh`
- [ ] Fix `${var,,}` bash 4+ syntax in `install-core.sh` for macOS bash 3 compatibility (fix on `dev`)
- [ ] Add GitHub Actions workflow to lint shell scripts on push
## Phase 3 — CI/CD for this repo
- [ ] Add `.github/workflows/ci.yml` to run `shellcheck` and BATS tests
- [ ] Add `scripts/install-core.sh` smoke test in CI (build-from-source path)
- [ ] Enable CodeQL scanning (workflow exists on `dev`)
- [ ] Add Trivy/Gitleaks security scanning (workflows on `dev`)
## Phase 4 — Documentation
- [ ] Merge VitePress docs site from `dev` (`.vitepress/`, `doc/`)
- [ ] Add architecture diagram to README
- [ ] Document `.core/` folder spec for package maintainers
- [ ] Add SECURITY.md (exists on `dev`)
- [ ] Add CONTRIBUTING.md (exists on `dev`)
## Phase 5 — Workspace tooling
- [ ] Confirm `core` CLI v0.1.0 is released and binaries are available on GitHub
- [ ] Add `core doctor --fix` smoke test to CI
- [ ] Validate `repos.yaml` schema in CI (YAML lint + custom validation)
- [ ] Add `make test` target that runs shell script tests
## Deferred
- [ ] TLS certificate pinning for script downloads (currently relies on system CA store)
- [ ] Separate trust root for binary checksums (currently same origin as binaries)
- [ ] GPG signing of `core` CLI release tags