living document · updated by the quality loop

The boost roadmap

Every finding from the autonomous quality loop lands here — what shipped, what's mid-flight, and what's queued — scored by complexity, impact, and a little bit of wow.

Shipped merged & released In flight a PR is open Next triaged, starting soon Planned on the list
4Shipped
3Next up
4Planned
16Loop finds

Shipped

// merged to main & published
ShippedTesting · Bug

Mutation hardening — core/store.py

Cut mutmut survivors 54 → 29 and uncovered a latent timestamp-preservation bug the old tests masked (second-precision now_iso() collisions hid installed_at/tags preservation mutants).

Complexity M Impact High Wow ★★★ 25 mutants killed
ShippedTesting

Mutation hardening — core/gitutil.py

35 → 1 survivor via argv-assertion tests that record the exact git command line — sidestepping the macOS case-insensitive filesystem that let HEAD/head, .git/.GIT and git/GIT mutants survive against a real repo.

Complexity M Impact High Wow ★★★★ 34 mutants killed
ShippedTesting

Mutation hardening — core/frontmatter.py

34 → 11 survivors with exact-equality tests, replacing substring in checks a mutated string literal still satisfied (e.g. dump()'s XX%s:XX still contains tags:).

Complexity M Impact Med Wow ★★★ PR #22 · 23 killed
ShippedInfra · DX

Autonomous ship-workflow & isolated worktree

The loop now runs commit → PR → green CI → squash-merge → release in a dedicated ~/boost-loop git worktree (own venv for mutmut), and modern git 2.55 replaced a 2017 build that fatally choked on the global zdiff3 config.

Complexity L Impact High Wow ★★★★

Next up

// triaged findings, starting soon
NextBug · Infra

GitHub Pages deploy is broken every push

Root cause found: a bogus mutants/None gitlink (a stray mutmut artifact) was committed with no .gitmodules entry, so Pages' submodule checkout aborts with fatal: No url found for submodule path 'mutants/None'. Fix: stop tracking mutants/.

Complexity S Impact High Wow ★★ docs site down
NextHygiene · DX

Untrack generated build noise

Over a hundred mutants/**, __pycache__/*.pyc and .coverage files are tracked despite being in .gitignore — they churn every diff and forced careful path-scoped git adds. Remove from the index.

Complexity S Impact Med Wow unblocks Pages
NextDesign

Reconcile the theme drift

docs/index.html inlines its own amber/orange palette instead of the canonical Aurora cyan→violet→pink system in style/boost.css. Move it onto the shared stylesheet so one token edit recolours the guide, roadmap, and demo together.

Complexity M Impact Med Wow ★★★

Planned

// on the list
PlannedTesting

Finish mutation hardening across core/

Work down the remaining survivor counts, biggest first: catalog (27), util (26), ai (21), registry (20), lockfile (13), policy (12), config (9), output (8), agents (6), paths (4).

Complexity L Impact Med Wow ★★ ~146 survivors
PlannedTesting · Gap

Bring commands/ under mutation testing

The ~5,000-line CLI command layer has zero mutation coverage today — mutmut is scoped to core/ only. Extend the gate (or a second gate) to the command groups.

Complexity XL Impact High Wow ★★★
PlannedDesign · QA

Visual regression pass on the guide

Drive docs/index.html in a real browser across breakpoints to confirm the glass cards, aurora, and terminal windows render cleanly — and to catch anything the theme reconciliation shifts.

Complexity M Impact Med Wow ★★★
PlannedDocs · Marketing

Refresh the marketing surface

Re-record docs/demo.gif from demo.tape against the current CLI, tighten the README hero, and give the landing page a flashier first impression that matches the Aurora theme.

Complexity M Impact Med Wow ★★★★

Code health & security

// planned · free tooling to catch vulns, smells & bugs
PlannedSecurity · Vuln

Security linting — bandit via ruff S rules

Turn on the flake8-bandit (S) rule family already bundled in ruff — one line in pyproject.toml, zero new tools. It catches the Python SAST smells the linter is blind to today: subprocess(shell=True), assert as a runtime check, tempfile.mktemp, unsafe yaml.load, hardcoded secrets and weak hashing. Semgrep Community rules are the heavier alternative when a finding needs real dataflow.

Complexity S Impact High Wow ★★★ 0 new deps
PlannedSecurity · Supply chain

Dependency CVE gate — pip-audit

PyPA's pip-audit fails CI when a resolved dependency matches a known advisory in the OSV / PyPI Advisory database. Dependabot opens update PRs but never blocks a merge on a live CVE; a scheduled + PR pip-audit job closes that gap and covers the dev/test toolchain that ships nothing but can still run malicious code.

Complexity S Impact Med Wow ★★ OSV-backed
PlannedSecurity · Posture

Supply-chain posture — OpenSSF Scorecard

The Scorecard GitHub Action audits ~18 supply-chain signals weekly — branch protection, token permissions, SHA-pinned actions, dangerous workflows, signed releases — and publishes results to the Security tab plus a README badge. Turns "are we set up safely?" into a tracked, trend-able number for a repo that owns a Trusted-Publisher release path.

Complexity S Impact Med Wow ★★★★ badge-worthy
PlannedSecurity · Secrets

Secret scanning — gitleaks + push protection

Scan the full history and every PR diff for leaked tokens, keys and PyPI credentials with the free gitleaks action, paired with GitHub push-protection (free on public repos) so a secret is blocked before it lands. Cheap insurance for a project whose release automation trades on trusted identity.

Complexity S Impact Med Wow ★★★ pre-commit-able
PlannedQuality · Smell

Complexity & dead-code radar — xenon · vulture

Gate CI on a maintainability grade with xenon (built on radon) and flag unreachable branches, unused arguments and orphan helpers with vulture. First target: the ~5,000-line commands/ layer that has no complexity signal today. Surfaces the structural smells mutation testing can't see.

Complexity M Impact Med Wow ★★ commands/ first
PlannedQuality · Platform

Quality dashboard — SonarCloud (free for OSS)

SonarCloud is free for public repos and layers bugs, code smells, security hotspots, duplication and a coverage overlay into one dashboard, decorating each PR with a pass/fail quality gate. The single highest-signal freemium add — one external surface that unifies everything else in this section.

Complexity M Impact High Wow ★★★★★ PR quality gate
PlannedTesting · Bug

Property-based tests — hypothesis on the parsers

Generate adversarial inputs against core/frontmatter and core/catalog.scan_dir to surface crashes and round-trip failures the example-based unit tests never think to try — a dumpparse must round-trip; a scan must never raise on arbitrary bytes. Complements the gate: mutmut proves the tests are strict, Hypothesis proves the inputs are wide.

Complexity M Impact High Wow ★★★★ finds edge cases
PlannedTesting · Bug

Coverage-guided fuzzing — atheris / OSS-Fuzz

Google's atheris fuzzes the frontmatter and registry parsers under coverage guidance to mine deep crash inputs; OSS-Fuzz runs it continuously for free once boost qualifies as an open-source project. The stretch goal — the highest ceiling for finding the bug nobody thought to write a test for.

Complexity L Impact Med Wow ★★★★ stretch

Pipeline & supply-chain integrity

// planned · free tooling to secure the CI/CD path itself
PlannedSecurity · CI/CD

Workflow SAST — zizmor

boost's four workflows embed github-script JavaScript and shell and drive a Trusted-Publisher release — a rich attack surface. zizmor statically flags template injection, unpinned actions, over-broad GITHUB_TOKEN permissions and dangerous triggers. The one tool that audits the automation that ships every other fix.

Complexity S Impact High Wow ★★★★★ pipx-run
PlannedQuality · CI/CD

Workflow linting — actionlint

Catches GitHub Actions YAML bugs before they fail a live release: malformed ${{ }} expressions, deprecated syntax, and shellcheck run over every run: block. Cheap insurance for a repo whose release is fully automated — a broken workflow is a broken publish.

Complexity S Impact Med Wow ★★★ shellcheck built in
PlannedSecurity · Supply chain

Build provenance — SLSA attestations

actions/attest-build-provenance emits a cryptographically signed, verifiable record of which workflow built which wheel from which commit, layered on top of the existing PyPI Trusted Publishing. Consumers can gh attestation verify the artifact they install — provenance without a paid signing service.

Complexity S Impact Med Wow ★★★★ SLSA build L2
PlannedSecurity · Supply chain

SBOM on every release — CycloneDX / Syft

Generate a CycloneDX SBOM with the free anchore/sbom-action and attach it to each GitHub Release, so downstreams can inventory and scan exactly what boost is built from. Modest today (boost is close to stdlib-only) but it grows in value as the optional [rag] extras pull in real dependencies.

Complexity S Impact Med Wow ★★★ feeds osv-scanner
PlannedSecurity · Vuln

SBOM-aware scanning — osv-scanner

Google's osv-scanner cross-checks a lockfile or the SBOM above against the OSV database, with broader ecosystem coverage than a single-language audit. The SBOM-driven complement to pip-audit: one scans the resolved env, the other scans the published manifest.

Complexity S Impact Med Wow ★★ OSV-backed
PlannedTesting · Type

Second type checker — pyright

Run Microsoft's pyright alongside mypy. Its independent inference catches None-flow and narrowing bugs the current mypy config lets slide, and it's the same engine most editors use — so CI enforces what contributors already see. Two type checkers rarely agree on nothing.

Complexity M Impact Med Wow ★★★ editor-parity
PlannedQuality · Smell

Widen the ruff rule surface — B·SIM·C4·PERF·RUF

Beyond the S security family (round 1), enable flake8-bugbear (B), simplify (SIM), comprehensions (C4), perflint (PERF) and Ruff-native (RUF) rules — bug, readability and performance smells caught at zero new-tool cost since ruff already runs in the lint gate.

Complexity S Impact Med Wow ★★★ 0 new deps
PlannedTesting · Gap

Patch-coverage gate — diff-cover

Enforce coverage on the changed lines of each PR — no external service needed, it reads the same coverage.xml the suite already emits. Pairs with the 80% project gate so new code can't quietly ride in under-tested behind an already-high overall number.

Complexity S Impact Med Wow ★★ self-hosted