From a99a1e65cea437659ba731cd855ead293b4ea6b3 Mon Sep 17 00:00:00 2001 From: Stephen Klein Date: Wed, 10 Jun 2026 21:09:37 -0400 Subject: [PATCH] Elevate cleanup tasks to high priority in TODO Mark A2, A5, Q1, Q3 as DO FIRST before bug fixes -- consolidating duplicate functions and the service catalog ensures each bug only needs to be fixed in one place. Update order of attack accordingly. Co-Authored-By: Claude Sonnet 4.6 --- TODO.md | 52 +++++++++++++++++++++++++++++++--------------------- 1 file changed, 31 insertions(+), 21 deletions(-) diff --git a/TODO.md b/TODO.md index 22b6908..a42bcfd 100644 --- a/TODO.md +++ b/TODO.md @@ -155,12 +155,13 @@ Generated by codebase audit (2026-06-10). Ranked by severity. - Path A chosen. Delete: `setup`, `privileged-setup`, `user-operations`, `services-improved`. -### A2 -- Three sources of truth for the service catalog [HIGH] +### A2 -- Three sources of truth for the service catalog [HIGH] -- DO FIRST - `services`: `get_service_ports()` + inline image strings (CANONICAL) - `services-improved`: scheduled for deletion (Path B) - `lib/docker.sh`: `HOPS_SERVICES` array -- reconcile or remove duplicates - Fix: `lib/docker.sh` service maps must match `services`; remove anything only used by Path B. +- Must be done before port collision fix (B7) so there is one authoritative map. ### A3 -- `lib/privileges.sh` is dead code [MED] -- RESOLVED: delete - Path B artifact. Delete it. @@ -171,11 +172,12 @@ Generated by codebase audit (2026-06-10). Ranked by severity. - Fix passphrase-on-command-line exposure (S1, S2). - Wire encrypt/decrypt calls into `install` flow. -### A5 -- `hops` duplicates functions from `lib/common.sh` [MED] +### A5 -- `hops` duplicates functions from `lib/common.sh` [HIGH] -- DO FIRST - `log`, `error_exit`, `warning`, `success`, `info`, `validate_timezone`, `validate_password`, `generate_secure_password`, `create_docker_networks`, `get_service_port/image` are all defined twice (or three times). - Fix: source `lib/common.sh` from `hops` and remove local duplicates. +- Must be done before bug fixes to avoid patching the same logic in multiple places. ### A6 -- Caddy is unreachable via the menu [LOW] - `services` defines `generate_caddy` but the `select_services` menu in @@ -223,19 +225,20 @@ Generated by codebase audit (2026-06-10). Ranked by severity. ## CODE QUALITY -### Q1 -- Three separate error-handling implementations [MED] +### Q1 -- Three separate error-handling implementations [HIGH] -- DO FIRST - `hops`, `uninstall`, and `lib/common.sh` each define their own `error_exit` and `log` with different formats. Consolidate in `lib/common.sh`. +- Covered by A5; tracked here for completeness. ### Q2 -- `set -e` + intentional non-zero returns is a minefield [MED] - `validate_password` returns 1/2/3, `check_port` returns 1 -- these work only because they happen to be in conditionals. Combined with B5 this is fragile. Consider `set -euo pipefail` with explicit `|| true` where non-zero is intended. -### Q3 -- Debug `echo` statements left in production code [LOW] -- Files: `lib/system.sh:605,823,1043,1046,1084,1089,1149-1156`, - `privileged-setup:72` +### Q3 -- Debug `echo` statements left in production code [MED] -- DO FIRST +- Files: `lib/system.sh:605,823,1043,1046,1084,1089,1149-1156` - `DEBUG:` prefixed echo lines should be removed or gated behind a `$DEBUG` flag. +- Clean these before bug fixes so signal isn't buried in debug noise. ### Q4 -- `services-improved` leaks `set -e` when sourced [LOW] - File: `services-improved` top of file @@ -246,18 +249,25 @@ Generated by codebase audit (2026-06-10). Ranked by severity. ## SUGGESTED ORDER OF ATTACK -1. Delete Path B files: `setup`, `privileged-setup`, `user-operations`, - `services-improved`, `lib/privileges.sh` (A1/A3 -- resolved) -2. Fix B1 (infinite recursion in `services`) -- unblocks all Linux installs -3. Fix B5 (`((x++))` under `set -e`) -- prevents silent aborts -4. Fix B3 (glob directory detection) -- fixes multi-user and uninstall -5. Fix B4 (wrong filename in firewall setup) -6. Reconcile `lib/docker.sh` service maps with `services` (A2) -7. Security pass: S3 (default Authelia cred), S2/S6 (passphrase on cmdline, - mktemp), S5 (eval on env var), S7 (string-built commands) -8. Fix and wire in `lib/secrets.sh`: replace broken crypto, hook into install - flow to encrypt `.env` at rest (A4/S1/S2) -9. Fix B12 empty-password regex, B8 watchtower port, B9 backup self-copy -10. Consolidate duplicate functions into `lib/common.sh` (A5, Q1) -11. Remove debug echo statements (Q3) -12. macOS / WSL2 support (B6, P4) -- future roadmap +### Cleanup first (do before any bug fixes) +1. [DONE] Delete Path B files (A1/A3) +2. Consolidate duplicate functions into `lib/common.sh` (A5, Q1) -- one copy to fix +3. Reconcile `lib/docker.sh` service maps with `services` (A2) -- one catalog to fix +4. Remove debug echo statements from `lib/system.sh` (Q3) -- reduce noise + +### Bug fixes +5. Fix B1 (infinite recursion in `services`) -- unblocks all Linux installs +6. Fix B5 (`((x++))` under `set -e`) -- prevents silent aborts +7. Fix B3 (glob directory detection) -- fixes multi-user and uninstall +8. Fix B4 (wrong filename in firewall setup) +9. Fix B7 (intra-selection port collision detection) + +### Security pass +10. S3 (default Authelia cred), S5 (eval on env var), S6 (mktemp), + S7 (string-built commands), S2 (passphrase on cmdline) +11. Fix and wire in `lib/secrets.sh`: replace broken crypto, hook into install + flow to encrypt `.env` at rest (A4/S1/S2) + +### Remaining +12. Fix B12 empty-password regex, B8 watchtower port, B9 backup self-copy +13. macOS / WSL2 support (B6, P4) -- future roadmap