Add TODO.md with codebase audit findings

Document issues found during code audit including: - Critical: broken error comparison, unchecked hash writes, URL path traversal - Important: goroutine leak, timestamp precision, missing context cancellation - Code quality: duplicate functions, inefficient calculations, missing validation
2025-12-18 01:30:01 -08:00 · 2025-12-18 01:30:01 -08:00 · fc0b38ea19
commit fc0b38ea19
parent 61c17ca585
1 changed files with 19 additions and 0 deletions
--- a/TODO.md
+++ b/TODO.md
@ -0,0 +1,19 @@
+# TODO
+
+## Critical
+
+- [ ] Fix broken error comparison in `internal/checker/checker.go:195` - `errors.Is(err, errors.New("file does not exist"))` always returns false because `errors.New()` creates a new instance each call
+- [ ] Fix unchecked `hash.Write()` errors in `mfer/builder.go:52`, `mfer/serialize.go:56`, `internal/cli/freshen.go:340`
+- [ ] Fix URL path traversal risk in `internal/cli/fetch.go:116` - path isn't URL-escaped, should use `url.JoinPath()` or proper encoding
+
+## Important
+
+- [ ] Fix goroutine leak in signal handler `internal/cli/gen.go:98-106` - goroutine runs until channel closed, leaks if program exits normally
+- [ ] Fix timestamp precision in `mfer/serialize.go:16-22` - use `t.Nanosecond()` instead of manual calculation
+- [ ] Add context cancellation check to filesystem walk in `internal/cli/freshen.go` - Ctrl-C doesn't work during scan phase
+
+## Code Quality
+
+- [ ] Consolidate duplicate `pathIsHidden` implementations in `internal/scanner/scanner.go:385-402` and `internal/cli/freshen.go:378-397`
+- [ ] Make `TotalBytes()` in `internal/scanner/scanner.go:250-259` track total incrementally instead of recalculating on every call
+- [ ] Add input validation to `AddFileWithHash()` in `mfer/builder.go:107-120` - validate path, size, and hash inputs