- Substantial implementation exists, but trustworthiness still lags feature breadth.
- Parser, emitter, CLI, WordPress-aware analysis, and transform modules are present.
- The project is best treated as a research or beta security tool until the verification story catches up.
- TEST-NEEDS.md and PROOF-NEEDS.md are currently more truthful than the old milestone boilerplate.

❏ Reconcile contradictory status language across ROADMAP.adoc, PROGRESS-SUMMARY.md, TOPOLOGY.md, and the test/proof docs.
❏ Add dedicated taint-analysis tests with meaningful source, sink, and sanitizer coverage.
❏ Add dedicated dead-code-analysis tests instead of relying on fixture presence alone.
❏ Add end-to-end tests that run the binary on real PHP inputs and validate emitted PHP.
❏ Remove or replace tests/fuzz/placeholder.txt so the repo does not imply fuzz coverage it does not have.
❏ Define release criteria for a security-analysis tool:
  - false-negative tracking
  - representative corpus testing
  - benchmark baselines
  - proof obligations for taint and transform soundness
❏ Expand security tests well beyond the current small set.
❏ Add performance and large-codebase regression runs.
❏ Add a single authoritative current-status document and mark older summaries as historical when needed.
❏ Finish CI/CD templates and release packaging.
❏ Decide the smallest credible public promise for v1.0.0.
❏ Position the tool as beta until the security-analysis core is demonstrably trustworthy.

❏ Roadmap and status docs reconciled
❏ Taint and dead-code tests expanded
❏ Real end-to-end execution coverage
❏ Placeholder fuzz artifact removed
❏ Security corpus and benchmark runs in place
❏ Release criteria documented
❏ Stronger proof story for critical analyses