living document · updated by the quality loop

The boost roadmap

Every finding from the autonomous quality loop lands here — what shipped, what's mid-flight, and what's queued — scored by complexity, impact, and a little bit of wow.

Shipped merged & released In flight a PR is open Next triaged, starting soon Planned on the list
4Shipped
3Next up
4Planned
32Loop finds

Shipped

// merged to main & published
ShippedTesting · Bug

Mutation hardening — core/store.py

Cut mutmut survivors 54 → 29 and uncovered a latent timestamp-preservation bug the old tests masked (second-precision now_iso() collisions hid installed_at/tags preservation mutants).

Complexity M Impact High Wow ★★★ 25 mutants killed
ShippedTesting

Mutation hardening — core/gitutil.py

35 → 1 survivor via argv-assertion tests that record the exact git command line — sidestepping the macOS case-insensitive filesystem that let HEAD/head, .git/.GIT and git/GIT mutants survive against a real repo.

Complexity M Impact High Wow ★★★★ 34 mutants killed
ShippedTesting

Mutation hardening — core/frontmatter.py

34 → 11 survivors with exact-equality tests, replacing substring in checks a mutated string literal still satisfied (e.g. dump()'s XX%s:XX still contains tags:).

Complexity M Impact Med Wow ★★★ PR #22 · 23 killed
ShippedInfra · DX

Autonomous ship-workflow & isolated worktree

The loop now runs commit → PR → green CI → squash-merge → release in a dedicated ~/boost-loop git worktree (own venv for mutmut), and modern git 2.55 replaced a 2017 build that fatally choked on the global zdiff3 config.

Complexity L Impact High Wow ★★★★

Next up

// triaged findings, starting soon
NextBug · Infra

GitHub Pages deploy is broken every push

Root cause found: a bogus mutants/None gitlink (a stray mutmut artifact) was committed with no .gitmodules entry, so Pages' submodule checkout aborts with fatal: No url found for submodule path 'mutants/None'. Fix: stop tracking mutants/.

Complexity S Impact High Wow ★★ docs site down
NextHygiene · DX

Untrack generated build noise

Over a hundred mutants/**, __pycache__/*.pyc and .coverage files are tracked despite being in .gitignore — they churn every diff and forced careful path-scoped git adds. Remove from the index.

Complexity S Impact Med Wow unblocks Pages
NextDesign

Reconcile the theme drift

docs/index.html inlines its own amber/orange palette instead of the canonical Aurora cyan→violet→pink system in style/boost.css. Move it onto the shared stylesheet so one token edit recolours the guide, roadmap, and demo together.

Complexity M Impact Med Wow ★★★

Planned

// on the list
PlannedTesting

Finish mutation hardening across core/

Work down the remaining survivor counts, biggest first: catalog (27), util (26), ai (21), registry (20), lockfile (13), policy (12), config (9), output (8), agents (6), paths (4).

Complexity L Impact Med Wow ★★ ~146 survivors
PlannedTesting · Gap

Bring commands/ under mutation testing

The ~5,000-line CLI command layer has zero mutation coverage today — mutmut is scoped to core/ only. Extend the gate (or a second gate) to the command groups.

Complexity XL Impact High Wow ★★★
PlannedDesign · QA

Visual regression pass on the guide

Drive docs/index.html in a real browser across breakpoints to confirm the glass cards, aurora, and terminal windows render cleanly — and to catch anything the theme reconciliation shifts.

Complexity M Impact Med Wow ★★★
PlannedDocs · Marketing

Refresh the marketing surface

Re-record docs/demo.gif from demo.tape against the current CLI, tighten the README hero, and give the landing page a flashier first impression that matches the Aurora theme.

Complexity M Impact Med Wow ★★★★

Code health & security

// planned · free tooling to catch vulns, smells & bugs
PlannedSecurity · Vuln

Security linting — bandit via ruff S rules

Turn on the flake8-bandit (S) rule family already bundled in ruff — one line in pyproject.toml, zero new tools. It catches the Python SAST smells the linter is blind to today: subprocess(shell=True), assert as a runtime check, tempfile.mktemp, unsafe yaml.load, hardcoded secrets and weak hashing. Semgrep Community rules are the heavier alternative when a finding needs real dataflow.

Complexity S Impact High Wow ★★★ 0 new deps
PlannedSecurity · Supply chain

Dependency CVE gate — pip-audit

PyPA's pip-audit fails CI when a resolved dependency matches a known advisory in the OSV / PyPI Advisory database. Dependabot opens update PRs but never blocks a merge on a live CVE; a scheduled + PR pip-audit job closes that gap and covers the dev/test toolchain that ships nothing but can still run malicious code.

Complexity S Impact Med Wow ★★ OSV-backed
PlannedSecurity · Posture

Supply-chain posture — OpenSSF Scorecard

The Scorecard GitHub Action audits ~18 supply-chain signals weekly — branch protection, token permissions, SHA-pinned actions, dangerous workflows, signed releases — and publishes results to the Security tab plus a README badge. Turns "are we set up safely?" into a tracked, trend-able number for a repo that owns a Trusted-Publisher release path.

Complexity S Impact Med Wow ★★★★ badge-worthy
PlannedSecurity · Secrets

Secret scanning — gitleaks + push protection

Scan the full history and every PR diff for leaked tokens, keys and PyPI credentials with the free gitleaks action, paired with GitHub push-protection (free on public repos) so a secret is blocked before it lands. Cheap insurance for a project whose release automation trades on trusted identity.

Complexity S Impact Med Wow ★★★ pre-commit-able
PlannedQuality · Smell

Complexity & dead-code radar — xenon · vulture

Gate CI on a maintainability grade with xenon (built on radon) and flag unreachable branches, unused arguments and orphan helpers with vulture. First target: the ~5,000-line commands/ layer that has no complexity signal today. Surfaces the structural smells mutation testing can't see.

Complexity M Impact Med Wow ★★ commands/ first
PlannedQuality · Platform

Quality dashboard — SonarCloud (free for OSS)

SonarCloud is free for public repos and layers bugs, code smells, security hotspots, duplication and a coverage overlay into one dashboard, decorating each PR with a pass/fail quality gate. The single highest-signal freemium add — one external surface that unifies everything else in this section.

Complexity M Impact High Wow ★★★★★ PR quality gate
PlannedTesting · Bug

Property-based tests — hypothesis on the parsers

Generate adversarial inputs against core/frontmatter and core/catalog.scan_dir to surface crashes and round-trip failures the example-based unit tests never think to try — a dumpparse must round-trip; a scan must never raise on arbitrary bytes. Complements the gate: mutmut proves the tests are strict, Hypothesis proves the inputs are wide.

Complexity M Impact High Wow ★★★★ finds edge cases
PlannedTesting · Bug

Coverage-guided fuzzing — atheris / OSS-Fuzz

Google's atheris fuzzes the frontmatter and registry parsers under coverage guidance to mine deep crash inputs; OSS-Fuzz runs it continuously for free once boost qualifies as an open-source project. The stretch goal — the highest ceiling for finding the bug nobody thought to write a test for.

Complexity L Impact Med Wow ★★★★ stretch

Pipeline & supply-chain integrity

// planned · free tooling to secure the CI/CD path itself
PlannedSecurity · CI/CD

Workflow SAST — zizmor

boost's four workflows embed github-script JavaScript and shell and drive a Trusted-Publisher release — a rich attack surface. zizmor statically flags template injection, unpinned actions, over-broad GITHUB_TOKEN permissions and dangerous triggers. The one tool that audits the automation that ships every other fix.

Complexity S Impact High Wow ★★★★★ pipx-run
PlannedQuality · CI/CD

Workflow linting — actionlint

Catches GitHub Actions YAML bugs before they fail a live release: malformed ${{ }} expressions, deprecated syntax, and shellcheck run over every run: block. Cheap insurance for a repo whose release is fully automated — a broken workflow is a broken publish.

Complexity S Impact Med Wow ★★★ shellcheck built in
PlannedSecurity · Supply chain

Build provenance — SLSA attestations

actions/attest-build-provenance emits a cryptographically signed, verifiable record of which workflow built which wheel from which commit, layered on top of the existing PyPI Trusted Publishing. Consumers can gh attestation verify the artifact they install — provenance without a paid signing service.

Complexity S Impact Med Wow ★★★★ SLSA build L2
PlannedSecurity · Supply chain

SBOM on every release — CycloneDX / Syft

Generate a CycloneDX SBOM with the free anchore/sbom-action and attach it to each GitHub Release, so downstreams can inventory and scan exactly what boost is built from. Modest today (boost is close to stdlib-only) but it grows in value as the optional [rag] extras pull in real dependencies.

Complexity S Impact Med Wow ★★★ feeds osv-scanner
PlannedSecurity · Vuln

SBOM-aware scanning — osv-scanner

Google's osv-scanner cross-checks a lockfile or the SBOM above against the OSV database, with broader ecosystem coverage than a single-language audit. The SBOM-driven complement to pip-audit: one scans the resolved env, the other scans the published manifest.

Complexity S Impact Med Wow ★★ OSV-backed
PlannedTesting · Type

Second type checker — pyright

Run Microsoft's pyright alongside mypy. Its independent inference catches None-flow and narrowing bugs the current mypy config lets slide, and it's the same engine most editors use — so CI enforces what contributors already see. Two type checkers rarely agree on nothing.

Complexity M Impact Med Wow ★★★ editor-parity
PlannedQuality · Smell

Widen the ruff rule surface — B·SIM·C4·PERF·RUF

Beyond the S security family (round 1), enable flake8-bugbear (B), simplify (SIM), comprehensions (C4), perflint (PERF) and Ruff-native (RUF) rules — bug, readability and performance smells caught at zero new-tool cost since ruff already runs in the lint gate.

Complexity S Impact Med Wow ★★★ 0 new deps
PlannedTesting · Gap

Patch-coverage gate — diff-cover

Enforce coverage on the changed lines of each PR — no external service needed, it reads the same coverage.xml the suite already emits. Pairs with the 80% project gate so new code can't quietly ride in under-tested behind an already-high overall number.

Complexity S Impact Med Wow ★★ self-hosted

Developer experience & maintainability

// planned · free tooling to catch issues earlier & keep the code legible
PlannedDX · Infra

Shift-left gate — pre-commit + pre-commit.ci

A .pre-commit-config.yaml runs ruff, mypy, codespell and the whitespace fixers before code ever reaches CI, and the free-for-OSS pre-commit.ci auto-fixes and auto-updates hooks right on the PR. The foundation the rest of this section plugs into — one config, many checks, faster feedback.

Complexity S Impact High Wow ★★★★ auto-fix PRs
PlannedQuality · Architecture

Layering guard — import-linter

Enforce the architecture boost already assumes: core/ must never import commands/, and the CLI depends inward only. import-linter turns that contract into a CI check, catching the cross-layer imports that slowly erode a clean engine — a structural smell no line-level linter can see.

Complexity M Impact Med Wow ★★★★ core/ ↛ commands/
PlannedQuality · Docs

Typo detection — codespell

Cheap, high-signal for a project this documentation-heavy: scan the README, docs/*.html, docstrings and every user-facing CLI string for misspellings. A typo in boost --help is a bug users see on their first run.

Complexity S Impact Med Wow ★★ user-facing text
PlannedQuality · Docs

Docstring coverage — interrogate

Gate CI below a docstring-coverage threshold so the engine stays self-documenting as it grows. core/ is already well commented; interrogate keeps it that way and flags the new public function that shipped without a word of explanation.

Complexity S Impact Low Wow ★★ keeps core/ documented
PlannedTesting · Perf

Performance-regression gate — pytest-benchmark

Benchmark the hot paths — a catalog scan over a large skills tree, a registry load — and fail the build when a change regresses them past a threshold. Catches the performance bugs a correctness suite waves through: the O(n²) that only bites at scale.

Complexity M Impact Med Wow ★★★ scan & registry
PlannedQuality · Smell

Modernization smells — refurb + pyupgrade

refurb's unique FURB checks flag dated idioms the ruff families miss, and pyupgrade rewrites to the cleanest form the >=3.9 floor allows. Keeps the codebase reading like modern Python instead of accreting legacy patterns.

Complexity S Impact Low Wow ★★ respects 3.9 floor
PlannedTesting · Platform

Coverage dashboard — Codecov (free for OSS)

Upgrade the homegrown coverage badge to Codecov's PR diff-coverage comments, file sunburst and trend graph — free for public repos. The hosted counterpart to the self-contained diff-cover gate: one enforces patch coverage in CI, the other visualizes the trend over time.

Complexity S Impact Med Wow ★★★ PR decoration
PlannedSecurity · CI/CD

Runner egress monitoring — StepSecurity Harden-Runner

Free for public repos, Harden-Runner watches (and can block) unexpected network egress from CI runners — the runtime signal that catches a compromised action exfiltrating a token. The dynamic complement to zizmor's static workflow analysis, guarding the release path from both sides.

Complexity S Impact Med Wow ★★★★ runtime + static

Docs-site & content quality

// planned · free tooling for the Pages site, README & prose
PlannedDocs · Perf

Lighthouse CI on the Pages site

treosh/lighthouse-ci-action scores index.html and roadmap.html on performance, accessibility, best-practices and SEO on every deploy, and fails the build against budgets. Turns the marketing surface's quality into a number that can't silently regress as the Aurora theme evolves.

Complexity M Impact High Wow ★★★★★ 4 score budgets
PlannedQuality · A11y

Accessibility audit — pa11y-ci / axe-core

Run WCAG checks over the rendered pages: colour contrast, focus order, alt text and ARIA. The Aurora palette leans on muted --text-2/--text-3 tokens against dark glass — exactly where contrast ratios slip below AA. Catches the a11y regressions a purely visual review misses.

Complexity M Impact Med Wow ★★★★ WCAG AA
PlannedQuality · Docs

HTML validation — html-validate

The guide and roadmap are hand-authored HTML whose tags are balanced by eye today. A CI html-validate pass catches unclosed elements, duplicate ids and invalid nesting before they ship a subtly broken layout — the automated version of the manual tag-count sanity check.

Complexity S Impact Med Wow ★★★ hand-authored HTML
PlannedQuality · Docs

Broken-link & anchor checking — lychee

Fast, free link checker over the README and docs/*.html: verifies external URLs (GitHub, PyPI), asset paths (../style/boost.css) and in-page anchors (#next, #health) still resolve. A dead link in the landing page is the first broken promise a visitor sees.

Complexity S Impact Med Wow ★★★ URLs + anchors
PlannedQuality · Content

Prose & terminology linting — vale

vale enforces a consistent voice across the README and docs with a small boost vocabulary — canonical spelling of skill, tap, registry; no Boost/boost drift; flagged weasel words. Keeps a docs-heavy project reading like one author wrote it.

Complexity S Impact Low Wow ★★ house style
PlannedQuality · Docs

Markdown consistency — markdownlint-cli2

Lint every Markdown surface — README, CLAUDE.md, DEBUGGING.md, rag-architecture.md — for heading order, list style and fenced-code hygiene. Cheap, deterministic, and it keeps the contributor-facing docs as tidy as the code the gates already enforce.

Complexity S Impact Low Wow ★★ every .md
PlannedQuality · Style

Theme-asset linting — stylelint + eslint

The shared style/boost.css and boost.js theme the guide, roadmap and demo together, so a bug there recolours or breaks everything at once. stylelint guards the CSS tokens and eslint the reveal/interaction JS — the one place a small mistake has system-wide blast radius.

Complexity S Impact Med Wow ★★ shared blast radius
PlannedTesting · Docs

Post-deploy smoke — headless load check

After each Pages deploy, headless-load the guide and roadmap and assert the essentials: HTTP 200, every asset resolves, and the console is free of errors. Distinct from the planned visual-regression pass — this is a cheap always-on health gate that would have caught the current broken Pages deploy automatically.

Complexity M Impact Med Wow ★★★ catches red deploys