living document · updated by the quality loop

The boost roadmap

Every finding from the autonomous quality loop lands here — what shipped, what's mid-flight, and what's queued — scored by complexity, impact, and a little bit of wow.

Shipped merged & released In flight a PR is open Next triaged, starting soon Planned on the list
4Shipped
3Next up
4Planned
8Code-health finds

Shipped

// merged to main & published
ShippedTesting · Bug

Mutation hardening — core/store.py

Cut mutmut survivors 54 → 29 and uncovered a latent timestamp-preservation bug the old tests masked (second-precision now_iso() collisions hid installed_at/tags preservation mutants).

Complexity M Impact High Wow ★★★ 25 mutants killed
ShippedTesting

Mutation hardening — core/gitutil.py

35 → 1 survivor via argv-assertion tests that record the exact git command line — sidestepping the macOS case-insensitive filesystem that let HEAD/head, .git/.GIT and git/GIT mutants survive against a real repo.

Complexity M Impact High Wow ★★★★ 34 mutants killed
ShippedTesting

Mutation hardening — core/frontmatter.py

34 → 11 survivors with exact-equality tests, replacing substring in checks a mutated string literal still satisfied (e.g. dump()'s XX%s:XX still contains tags:).

Complexity M Impact Med Wow ★★★ PR #22 · 23 killed
ShippedInfra · DX

Autonomous ship-workflow & isolated worktree

The loop now runs commit → PR → green CI → squash-merge → release in a dedicated ~/boost-loop git worktree (own venv for mutmut), and modern git 2.55 replaced a 2017 build that fatally choked on the global zdiff3 config.

Complexity L Impact High Wow ★★★★

Next up

// triaged findings, starting soon
NextBug · Infra

GitHub Pages deploy is broken every push

Root cause found: a bogus mutants/None gitlink (a stray mutmut artifact) was committed with no .gitmodules entry, so Pages' submodule checkout aborts with fatal: No url found for submodule path 'mutants/None'. Fix: stop tracking mutants/.

Complexity S Impact High Wow ★★ docs site down
NextHygiene · DX

Untrack generated build noise

Over a hundred mutants/**, __pycache__/*.pyc and .coverage files are tracked despite being in .gitignore — they churn every diff and forced careful path-scoped git adds. Remove from the index.

Complexity S Impact Med Wow unblocks Pages
NextDesign

Reconcile the theme drift

docs/index.html inlines its own amber/orange palette instead of the canonical Aurora cyan→violet→pink system in style/boost.css. Move it onto the shared stylesheet so one token edit recolours the guide, roadmap, and demo together.

Complexity M Impact Med Wow ★★★

Planned

// on the list
PlannedTesting

Finish mutation hardening across core/

Work down the remaining survivor counts, biggest first: catalog (27), util (26), ai (21), registry (20), lockfile (13), policy (12), config (9), output (8), agents (6), paths (4).

Complexity L Impact Med Wow ★★ ~146 survivors
PlannedTesting · Gap

Bring commands/ under mutation testing

The ~5,000-line CLI command layer has zero mutation coverage today — mutmut is scoped to core/ only. Extend the gate (or a second gate) to the command groups.

Complexity XL Impact High Wow ★★★
PlannedDesign · QA

Visual regression pass on the guide

Drive docs/index.html in a real browser across breakpoints to confirm the glass cards, aurora, and terminal windows render cleanly — and to catch anything the theme reconciliation shifts.

Complexity M Impact Med Wow ★★★
PlannedDocs · Marketing

Refresh the marketing surface

Re-record docs/demo.gif from demo.tape against the current CLI, tighten the README hero, and give the landing page a flashier first impression that matches the Aurora theme.

Complexity M Impact Med Wow ★★★★

Code health & security

// planned · free tooling to catch vulns, smells & bugs
PlannedSecurity · Vuln

Security linting — bandit via ruff S rules

Turn on the flake8-bandit (S) rule family already bundled in ruff — one line in pyproject.toml, zero new tools. It catches the Python SAST smells the linter is blind to today: subprocess(shell=True), assert as a runtime check, tempfile.mktemp, unsafe yaml.load, hardcoded secrets and weak hashing. Semgrep Community rules are the heavier alternative when a finding needs real dataflow.

Complexity S Impact High Wow ★★★ 0 new deps
PlannedSecurity · Supply chain

Dependency CVE gate — pip-audit

PyPA's pip-audit fails CI when a resolved dependency matches a known advisory in the OSV / PyPI Advisory database. Dependabot opens update PRs but never blocks a merge on a live CVE; a scheduled + PR pip-audit job closes that gap and covers the dev/test toolchain that ships nothing but can still run malicious code.

Complexity S Impact Med Wow ★★ OSV-backed
PlannedSecurity · Posture

Supply-chain posture — OpenSSF Scorecard

The Scorecard GitHub Action audits ~18 supply-chain signals weekly — branch protection, token permissions, SHA-pinned actions, dangerous workflows, signed releases — and publishes results to the Security tab plus a README badge. Turns "are we set up safely?" into a tracked, trend-able number for a repo that owns a Trusted-Publisher release path.

Complexity S Impact Med Wow ★★★★ badge-worthy
PlannedSecurity · Secrets

Secret scanning — gitleaks + push protection

Scan the full history and every PR diff for leaked tokens, keys and PyPI credentials with the free gitleaks action, paired with GitHub push-protection (free on public repos) so a secret is blocked before it lands. Cheap insurance for a project whose release automation trades on trusted identity.

Complexity S Impact Med Wow ★★★ pre-commit-able
PlannedQuality · Smell

Complexity & dead-code radar — xenon · vulture

Gate CI on a maintainability grade with xenon (built on radon) and flag unreachable branches, unused arguments and orphan helpers with vulture. First target: the ~5,000-line commands/ layer that has no complexity signal today. Surfaces the structural smells mutation testing can't see.

Complexity M Impact Med Wow ★★ commands/ first
PlannedQuality · Platform

Quality dashboard — SonarCloud (free for OSS)

SonarCloud is free for public repos and layers bugs, code smells, security hotspots, duplication and a coverage overlay into one dashboard, decorating each PR with a pass/fail quality gate. The single highest-signal freemium add — one external surface that unifies everything else in this section.

Complexity M Impact High Wow ★★★★★ PR quality gate
PlannedTesting · Bug

Property-based tests — hypothesis on the parsers

Generate adversarial inputs against core/frontmatter and core/catalog.scan_dir to surface crashes and round-trip failures the example-based unit tests never think to try — a dumpparse must round-trip; a scan must never raise on arbitrary bytes. Complements the gate: mutmut proves the tests are strict, Hypothesis proves the inputs are wide.

Complexity M Impact High Wow ★★★★ finds edge cases
PlannedTesting · Bug

Coverage-guided fuzzing — atheris / OSS-Fuzz

Google's atheris fuzzes the frontmatter and registry parsers under coverage guidance to mine deep crash inputs; OSS-Fuzz runs it continuously for free once boost qualifies as an open-source project. The stretch goal — the highest ceiling for finding the bug nobody thought to write a test for.

Complexity L Impact Med Wow ★★★★ stretch