diff --git a/TODO.md b/TODO.md index 12d1931..6ec3020 100644 --- a/TODO.md +++ b/TODO.md 
@@ -341,3 +341,51 @@ Do not treat the product as complete until all of the following are true: - Build and run instructions exist for desktop, and packaging guidance exists for Android. - `go test ./...` passes. - `go tool golangci-lint run ./...` passes. + +## Remaining Gaps Against AGENTS.md + +This section tracks requirements from `AGENTS.md` that are not fully satisfied by the current landed code, even if the segment work and tests are green. + +### 1. KDBX Security Settings Are Only Preserved, Not Fully Product-Configurable + +Evidence: +- `docs/kdbx-compatibility.md` states that KeePassGO preserves the original opened vault's cipher and KDF selection during save. +- The same document also states: + - KeePassGO does not yet provide a UI for editing cipher or KDF parameters directly. + - New vault creation still uses library default KDBX header settings. + +Why this is still a gap: +- `AGENTS.md` requires support for the major KeePass-style encryption and KDF configuration choices represented in KDBX databases. +- Preserving existing settings is good, but it is weaker than allowing the product user to choose those settings for new vaults or change them explicitly for existing vaults. + +Remaining work: +- Expose major KDBX cipher/KDF choices in the product UI for vault creation. +- Expose supported security-setting changes for an existing unlocked vault. +- Add behavior tests covering explicit user selection of supported cipher/KDF options. +- Update `docs/kdbx-compatibility.md` once those product-facing controls exist. + +Exit criteria for this gap: +- A user can create a vault with a selected supported cipher/KDF combination through the product. +- A user can change supported cipher/KDF settings for an existing vault through the product, where the underlying library supports it. +- Tests cover those choices end to end. + +### 2. 
Accessibility Requirement Needs Explicit Screen-Reader Review + +Evidence: +- Keyboard-first behavior and focus handling exist in the landed code. +- Accessibility labels exist in `ui_accessibility.go`. +- The repository does not currently contain a documented review of what screen-reader-conscious behavior Gio can and cannot provide on the supported desktop targets. + +Why this is still a gap: +- `AGENTS.md` explicitly calls for screen-reader-conscious design, not only keyboard shortcuts and focus states. +- The current code suggests intent, but the repo does not yet document a concrete accessibility support boundary or validation result. + +Remaining work: +- Audit the current Gio accessibility surface on Linux and Windows for the controls used by KeePassGO. +- Document what is currently exposed, what is intentionally labeled, and what remains limited by the toolkit. +- Add targeted tests for any label/focus mapping that can be verified in-repo. + +Exit criteria for this gap: +- The repo includes a documented accessibility review for current desktop targets. +- Screen-reader-conscious behavior is explicitly described rather than implied. +- Any in-repo verifiable accessibility mappings have tests.
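Review bot: In section 1, the Evidence bullets name "editing cipher or KDF parameters" as the missing capability, but Remaining work and Exit criteria only speak of "cipher/KDF choices" and a "cipher/KDF combination". As written, the gap could be closed with a cipher and KDF picker while the KDF parameters stay fixed at whatever the library chooses. Suggest adding an exit criterion that covers parameter editing, and listing the ciphers and KDFs that count as "major" and "supported" so the tests have a concrete matrix to cover. The section also says new vaults use "library default KDBX header settings" without recording what those defaults are. Since every new vault is created with them until this work lands, state them here or link to where `docs/kdbx-compatibility.md` does. For the item on changing settings of an existing vault, the end-to-end test criterion should say that the saved file is reopened and its header is checked against the selection, not only that the save succeeds. In section 2, the exit criterion "documented accessibility review" names no file or location, unlike section 1, which points at `docs/kdbx-compatibility.md`. Naming the target document would make the criterion checkable.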