# TODO

## Phase 0 Governance

- [x] Add `CODE_OF_CONDUCT.md`.
- [x] Add governance policy documentation.
- [x] Upgrade `AGENTS.md` as authoritative AI contract.

## Phase 1 Architecture

- [x] Publish roadmap and threat/security model updates.
- [x] Publish phased TODO tracker.

## Phase 2 Expanded Read Tools

- [x] Implement `search_code`.
- [x] Implement `list_commits`.
- [x] Implement `get_commit_diff`.
- [x] Implement `compare_refs`.
- [x] Implement `list_issues`.
- [x] Implement `get_issue`.
- [x] Implement `list_pull_requests`.
- [x] Implement `get_pull_request`.
- [x] Implement `list_labels`.
- [x] Implement `list_tags`.
- [x] Implement `list_releases`.
- [x] Add input validation and response bounds.
- [x] Add unit/failure-mode tests.

## Phase 3 Policy Engine

- [x] Implement YAML policy loader and validator.
- [x] Implement per-tool and per-repo allow/deny.
- [x] Implement optional path restrictions.
- [x] Enforce default write deny.
- [x] Add policy unit tests.

## Phase 4 Write Mode

- [x] Implement write tools (`create_issue`, `update_issue`, comments, labels, assignment).
- [x] Keep write mode disabled by default.
- [x] Enforce repository whitelist.
- [x] Ensure no merge/deletion/force-push capabilities.
- [x] Add write denial tests.

## Phase 5 Hardening

- [x] Add secret detection + mask/block controls.
- [x] Add prompt-injection defensive model (data-only handling).
- [x] Add tamper-evident audit chaining and validation.
- [x] Add per-IP and per-token rate limiting.

## Phase 6 Automation

- [x] Implement webhook ingestion pipeline.
- [x] Implement on-demand scheduled jobs runner endpoint.
- [x] Implement auto issue creation job scaffold from findings.
- [x] Implement dependency hygiene scan orchestration scaffold.
- [x] Implement stale issue detection automation.
- [x] Add automation endpoint tests.

## Phase 7 Deployment

- [x] Harden Docker runtime defaults.
- [x] Separate dev/prod compose profiles.
- [x] Preserve non-root runtime and health checks.

## Phase 8 Observability

- [x] Add Prometheus metrics endpoint.
- [x] Add structured JSON logging.
- [x] Add request ID correlation.
- [x] Add tool timing metrics.

## Phase 9 Testing and Release Readiness

- [x] Extend unit tests.
- [x] Add policy tests.
- [x] Add secret detection tests.
- [x] Add write-mode denial tests.
- [x] Add audit integrity tests.
- [ ] Add integration-tagged tests against live Gitea (optional CI stage).
- [ ] Final security review sign-off.
- [ ] Release checklist execution.

## Release Checklist

- [ ] `make lint`
- [ ] `make test`
- [ ] Documentation review complete
- [ ] Policy file reviewed for production scope
- [ ] Write mode remains disabled unless explicitly approved