docs(todo): cross-platform support — phase-breakdown + r/devops question map

Extends the cross-platform smoke-test entry surfaced 2026-05-28 into
a three-phase plan with concrete handles per concern:

Phase 1 — CI smoke matrix per tag (linux/darwin/windows × amd64/arm64).
Confirms the binary actually executes before any real bug-hunting.

Phase 2 — Windows-specific concerns mapped to the r/devops question
pattern u/HarjjotSinghh predicted ('crowd will ask within a week').
Each row: expected question, the gnoma-side gap it exposes, and the
rough fix scope. Covers PowerShell shell quoting, WSL vs native,
corporate-proxy / PAC support, Authenticode signing, MSI installer,
Event Viewer integration, Group Policy hooks, and air-gapped install
flow (ollama-dependency gap).

Phase 3 — macOS concerns: Apple-silicon launch sanity + Gatekeeper /
notarization warning on first run.

Pre-condition added for the eventual r/devops post: Phase 1 must be
in place before posting so the 'did you test it?' question has an
honest answer. Phase 2 items each need at least TODO acknowledgement
in the post body so the thread sees the gaps are tracked.
2026-05-27 19:13:01 +02:00
parent a468c3d2ed
commit 98daebd359
+48 -11
@@ -195,17 +195,54 @@ Active work, newest first.
"network egress gated"; corrected in the README scope note
and the audit-log commit.
- **Cross-platform smoke tests — Windows + macOS.** GoReleaser
builds static binaries for `linux/darwin/windows × amd64/arm64`
every release but only Linux is exercised at all today. Windows
and macOS binaries ship untested. Need at minimum a smoke-run
per platform per tag: launch gnoma, run a trivial prompt, exit
cleanly. Cheapest path: a non-blocking GitHub Actions matrix
job that pulls each release archive and runs
`gnoma --version && echo hi | gnoma --provider ollama` against
a stub provider. Surfaced 2026-05-28 (r/SideProject reply to
`u/HarjjotSinghh`) — answered "yes Windows builds ship" but
honestly couldn't claim they're tested.
- **Cross-platform support — Windows + macOS.** GoReleaser builds
static binaries for `linux/darwin/windows × amd64/arm64` every
release but only Linux is exercised at all today. Windows and
macOS binaries ship untested. Surfaced 2026-05-28 (r/SideProject
reply to `u/HarjjotSinghh`) — answered "yes Windows builds ship"
but honestly couldn't claim they're tested. His framing was
specifically that the `r/devops` audience will surface predictable
questions "within a week" — list below maps each question to the
underlying gnoma-side gap.
### Phase 1 — smoke tests (unblock the honest answer)
Non-blocking GitHub Actions matrix job per tag: pull each release
archive, run `gnoma --version && echo hi | gnoma --provider
ollama` against a stub provider. Confirms the binary executes and
the TUI doesn't crash before any real bug-hunt starts.
### Phase 2 — Windows-specific concerns (r/devops question pattern)
Each row is an expected r/devops question, the gnoma-side gap it
exposes, and the rough fix scope. Order roughly by "how soon would
this come up in a thread":
| Question | Gap | Fix scope |
|---|---|---|
| "Does it work in PowerShell?" | Shell quoting in `internal/tool/bash` assumes POSIX; ANSI escape handling not tested against PowerShell + Windows Terminal | Add a PowerShell quoter (Quote a la `Get-Process "$arg"` rules); test ANSI emission against `Out-Host` and legacy `conhost.exe` |
| "WSL or native?" | Both should work; not documented; corporate-managed Windows VMs often lack WSL | One README line + a smoke test invocation under each |
| "Respects system proxy / corporate proxy?" | Go `http.Client` reads `HTTP_PROXY`/`HTTPS_PROXY` env vars but **does not** read Windows system proxy registry or PAC files. Corporate networks rely on these. | Either document the env-var workaround, or vendor a PAC-aware transport (e.g. `github.com/rapid7/go-get-proxied`); test path covered by Phase 1 smoke matrix |
| "Authenticode signed binary?" | Releases are unsigned; SmartScreen will warn, some corp policies block | GoReleaser supports cosign + signtool integration; needs an EV cert (or Azure Trusted Signing) — non-trivial cost. Document the workaround for now: "right-click → Properties → Unblock" |
| "MSI installer?" | We ship a zip; some shops can't deploy raw zips through SCCM / Intune | Add an `.msi` artifact to GoReleaser via `go-msi` or `wix`. Mid-effort; gated on whether anyone actually asks for it (post the question to the eventual r/devops thread, see who upvotes) |
| "Windows Event Viewer integration?" | Logs go to slog default sink + per-session audit log under project root | Document the audit log location explicitly; add a `--log-format=eventlog` mode later if anyone asks |
| "Group Policy hooks?" | None. Config is per-user TOML. | Out of scope short-term. Document `[provider.endpoints]` + `[router].prefer` as the levers admins would use via login script / config push |
| "Air-gapped install?" | Static binary works; ollama dependency is the problem (model downloads, runtime updates) | Document the offline flow: pre-download models via `ollama pull` on a connected machine, ship to the air-gapped network. Not a code change, just a doc gap |
### Phase 3 — macOS concerns
Smaller surface; mostly Apple-silicon launch sanity (the arm64
binary works) + Gatekeeper / notarization warning on first run.
Same documentation note as Authenticode applies.
### Pre-conditions for posting to r/devops
Per [[next-reddit-post]], the security-observation post should land
on r/devops eventually. **Don't post until Phase 1 is in place** so
the predictable "did you test it?" question has an honest answer.
Phase 2 items don't all need to ship first — but each one needs at
least a TODO-linked acknowledgement in the post body so the
thread sees gnoma takes the gaps seriously.
- **Tool-router specialization (functiongemma)** — gated on telemetry,
not committed. Phase A.2 adds did-switch-rate measurement to the
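Review bot: In the Phase 2 "Authenticode signed binary?" row, the fix scope lists cosign next to signtool as if either one addresses the SmartScreen warning, and the interim workaround tells users to "right-click → Properties → Unblock" an unsigned binary with no integrity check. cosign signatures are not Authenticode signatures and do nothing for SmartScreen or corporate policy blocks, so split the row into the Authenticode path (signtool with an EV cert or Azure Trusted Signing) and a separate release-verification item, and have the documented workaround say to verify the download against a published checksum or signature before unblocking. In the proxy row, "test path covered by Phase 1 smoke matrix" does not hold as written: Phase 1 runs against a stub provider with no proxy in the path, so either add a proxy case to the matrix or drop that claim. Phase 1 also says the run confirms "the TUI doesn't crash", but `echo hi | gnoma --provider ollama` feeds piped stdin; state whether that invocation reaches the TUI or reword to what it actually proves. Phase 3 asserts "(the arm64 binary works)" while the entry's opening says macOS binaries ship untested; mark it as the thing to confirm rather than a result.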