# Improvement Recommendations Roadmap

## Scope
This document tracks prioritized findings and implementation recommendations for improving quality, security, and maintainability.

## How To Use This File
1. Use this file for planning and prioritizing remediation work.
2. Treat `Must` items as immediate backlog priorities.
3. Move completed actions into release notes or closed tickets.

## Must (Immediate Fixes)
1. Broken Font Awesome stylesheet markup in head.
   - Evidence: `templ.php:159`, `templ.php:160`
   - Impact: malformed head markup and potential icon loading failures.
2. CSRF token generation is not backed by full session/validation flow.
   - Evidence: `templ.php:140`, `templ.php:141`
   - Impact: token value alone does not provide effective protection.

## Should (Near-Term Improvements)
1. Reduce route allow-list maintenance bottleneck.
   - Evidence: `templ.php:64` to `templ.php:77`
2. Fix navigation label inconsistency (`DashboardA`).
   - Evidence: `sidebar.php:78`
3. Keep docs aligned with implementation claims.
   - Evidence: `readme:15`
4. Keep fullscreen icon state synchronized on non-click exit paths.
   - Evidence: `header.php` fullscreen click-only toggle logic.

## Could (Optional Enhancements)
1. Move fragment inline scripts into page modules for cleaner testability.
2. Replace repeated inline styles with reusable CSS classes.
3. Standardize external dependency loading and integrity conventions.

## Recommended Implementation Plan

### Phase 1 (Quick Wins: 1-2 hours)
1. Fix Font Awesome link block in `templ.php`.
2. Correct `DashboardA` label typo in `sidebar.php`.
3. Update `readme` to match current functionality.
4. Add `fullscreenchange` listener in `header.php` to sync icon state.

### Phase 2 (Reliability: 0.5-1 day)
1. Move route map to dedicated config file, for example `routes.php`.
2. Add lightweight server-side request logging for exceptions.
3. Add session start and real CSRF validation for state-changing endpoints.
4. Consolidate fragment inline scripts into `assets/app.js` page modules.
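
An added example (not the project's own code) of the session-backed token flow that the `Must` CSRF finding and Phase 2 item 3 call for: the token is created once per session, rendered into forms by `templ.php`, and compared with `hash_equals` before a state-changing request is processed. The file name `csrf.php` and all function names are assumptions.

```php
<?php
// csrf.php (assumed name): session-backed CSRF token issue and verification.
// Example code for this roadmap, not the project's existing templ.php logic.

function csrf_start_session(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start([
            'cookie_httponly' => true,   // token cookie not readable by JS
            'cookie_samesite' => 'Lax',  // defence in depth against cross-site POST
            'use_strict_mode' => true,   // reject uninitialised session ids
        ]);
    }
}

// Return the per-session token, generating it on first use. A single token per
// session keeps several open tabs valid; rotate it after login or logout.
function csrf_token(): string {
    csrf_start_session();
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_rotate_token(): void {
    csrf_start_session();
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Hidden input to embed in every form rendered by templ.php.
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// True for safe methods; for state-changing methods only when the submitted
// token (form field or X-CSRF-Token header for AJAX) matches the session token.
function csrf_validate(array $post, array $server): bool {
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if (in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }
    csrf_start_session();
    $expected  = $_SESSION['csrf_token'] ?? '';
    $submitted = $post['csrf_token'] ?? ($server['HTTP_X_CSRF_TOKEN'] ?? '');
    if ($expected === '' || !is_string($submitted) || $submitted === '') {
        return false;
    }
    return hash_equals($expected, $submitted); // constant-time comparison
}

// Call at the top of each state-changing endpoint or AJAX fragment handler.
function csrf_require(): void {
    if (!csrf_validate($_POST, $_SERVER)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}
```

Fragment loaders in `assets/app.js` would send the value of `csrf_token()` in the `X-CSRF-Token` header so AJAX POSTs pass the same check as HTML forms.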

### Phase 3 (Quality And Scale: 1-2 days)
1. Add static analysis and lint checks for PHP and JS.
2. Add smoke tests for route navigation and AJAX fragment loading.
3. Formalize contribution standards and accessibility checklist.
4. Add optional API/data layer abstraction for replacing demo arrays.

## Suggested Architecture Refinements
1. Introduce `routes.php` for the route allow-list map and labels.
2. Introduce `pages/` directory for content fragments.
3. Introduce `assets/pages/` for per-page JS modules.
4. Expose page init hooks, for example `App.pageInit[pageKey]()`.

## Sign-Off Record
- [ ] Must items triaged and assigned.
- [ ] Should items scheduled or justified.
- [ ] Could items captured in backlog.
