- FINDINGS.md: full assessment of core-devops architecture, PHP tooling gaps (no composer.json — meta repo), shell script syntax checks, security controls review, and dev vs main divergence summary
- TODO.md: phased task list covering merge from dev, shellcheck/BATS integration, CI pipeline, and documentation improvements

Closes #1

Co-Authored-By: Clotho <clotho@lthn.ai>
TODO — core-devops
Updated: 2026-02-21 (Phase 0 assessment)
See: FINDINGS.md for full assessment details.
Phase 1 — Immediate (main branch health)
- Merge `dev` → `main` after review (dev is 20+ commits ahead)
- Update `VERSION` in `scripts/install-core.sh` to auto-detect latest release (fix is on `dev`)
- Verify `COMPOSER_EXPECTED_SIG` in `scripts/install-deps.sh` is current
- Update `GO_VERSION` in `scripts/install-deps.sh` to 1.24.x
Phase 2 — Shell script quality
- Install `shellcheck` in CI and run against all `.sh` files
- Add BATS (Bash Automated Testing System) tests for `install-deps.sh` and `install-core.sh`
- Fix `${var,,}` bash 4+ syntax in `install-core.sh` for macOS bash 3 compatibility (fix on `dev`)
- Add GitHub Actions workflow to lint shell scripts on push
Phase 3 — CI/CD for this repo
- Add `.github/workflows/ci.yml` to run `shellcheck` and BATS tests
- Add `scripts/install-core.sh` smoke test in CI (build-from-source path)
- Enable CodeQL scanning (workflow exists on `dev`)
- Add Trivy/Gitleaks security scanning (workflows on `dev`)
Phase 4 — Documentation
- Merge VitePress docs site from `dev` (`.vitepress/`, `doc/`)
- Add architecture diagram to README
- Document `.core/` folder spec for package maintainers
- Add SECURITY.md (exists on `dev`)
- Add CONTRIBUTING.md (exists on `dev`)
Phase 5 — Workspace tooling
- Confirm `core` CLI v0.1.0 is released and binaries are available on GitHub
- Add `core doctor --fix` smoke test to CI
- Validate `repos.yaml` schema in CI (YAML lint + custom validation)
- Add `make test` target that runs shell script tests
Deferred
- TLS certificate pinning for script downloads (currently relies on system CA store)
- Separate trust root for binary checksums (currently same origin as binaries)
- GPG signing of `core` CLI release tags