php-devops/TODO.md
darbs-claude 5fbe70d424 docs: add phase 0 environment assessment and TODO
- FINDINGS.md: full assessment of core-devops architecture, PHP tooling
  gaps (no composer.json — meta repo), shell script syntax checks,
  security controls review, and dev vs main divergence summary
- TODO.md: phased task list covering merge from dev, shellcheck/BATS
  integration, CI pipeline, and documentation improvements

Closes #1

Co-Authored-By: Clotho <clotho@lthn.ai>
2026-02-21 00:02:43 +00:00


TODO — core-devops

Updated: 2026-02-21 (Phase 0 assessment)
See: FINDINGS.md for full assessment details.


Phase 1 — Immediate (main branch health)

  • Merge dev into main after review (dev is 20+ commits ahead)
  • Update VERSION in scripts/install-core.sh to auto-detect latest release (fix is on dev)
  • Verify COMPOSER_EXPECTED_SIG in scripts/install-deps.sh is current
  • Update GO_VERSION in scripts/install-deps.sh to 1.24.x

Phase 2 — Shell script quality

  • Install shellcheck in CI and run against all .sh files
  • Add BATS (Bash Automated Testing System) tests for install-deps.sh and install-core.sh
  • Fix ${var,,} bash 4+ syntax in install-core.sh for macOS bash 3 compatibility (fix on dev)
  • Add GitHub Actions workflow to lint shell scripts on push

Phase 3 — CI/CD for this repo

  • Add .github/workflows/ci.yml to run shellcheck and BATS tests
  • Add scripts/install-core.sh smoke test in CI (build-from-source path)
  • Enable CodeQL scanning (workflow exists on dev)
  • Add Trivy/Gitleaks security scanning (workflows on dev)

Phase 4 — Documentation

  • Merge VitePress docs site from dev (.vitepress/, doc/)
  • Add architecture diagram to README
  • Document .core/ folder spec for package maintainers
  • Add SECURITY.md (exists on dev)
  • Add CONTRIBUTING.md (exists on dev)

Phase 5 — Workspace tooling

  • Confirm core CLI v0.1.0 is released and binaries are available on GitHub
  • Add core doctor --fix smoke test to CI
  • Validate repos.yaml schema in CI (YAML lint + custom validation)
  • Add make test target that runs shell script tests

Deferred

  • TLS certificate pinning for script downloads (currently relies on system CA store)
  • Separate trust root for binary checksums (currently same origin as binaries)
  • GPG signing of core CLI release tags
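
A checksum fetched from the same origin as the binary detects a corrupted download but not a compromised origin, which is the gap the "separate trust root" item describes. The sketch below is an added example, not code from this repository: it checks a file against a digest pinned in the script itself and avoids ${var,,} so it also runs on macOS bash 3. The function names and the demo input are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names, not from install-deps.sh or install-core.sh).

# Compute SHA-256 with whichever tool exists (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    echo "no SHA-256 tool found" >&2
    return 2
  fi
}

# Lowercase without ${var,,} so the script still works on bash 3.
to_lower() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# verify_pinned_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch or malformed pin, 2 if the file or hash tool is missing.
verify_pinned_sha256() {
  vps_file=$1
  vps_expected=$(to_lower "$2")
  # Reject anything that is not exactly 64 hex characters, so an empty
  # or truncated pin can never be treated as a match.
  case "$vps_expected" in
    *[!0-9a-f]*|'') return 1 ;;
  esac
  [ "${#vps_expected}" -eq 64 ] || return 1
  [ -f "$vps_file" ] || return 2
  vps_actual=$(sha256_of "$vps_file") || return 2
  [ "$vps_actual" = "$vps_expected" ]
}

# Constructed demo input: a file containing "abc" and the SHA-256 of "abc".
demo_file=$(mktemp)
printf 'abc' > "$demo_file"
DEMO_PIN=BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD
if verify_pinned_sha256 "$demo_file" "$DEMO_PIN"; then
  echo "pinned digest matches"
else
  echo "pinned digest mismatch, refusing to install" >&2
fi
rm -f "$demo_file"
```

The pin is only a separate trust root if it reaches the script by a different path than the binary, for example through a reviewed commit.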