diff --git a/TODO b/TODO
index db542e91..ead7c197 100644
--- a/TODO
+++ b/TODO
@@ -3,10 +3,20 @@
     extended key usage can have OIDs ?!
     problem: pgp can cause token event while pgp store is available
     deinit method for providers, to occur for all before destruction?
-    it's possible we use SecureArray in some unnecessary places
-    give all classes non-default ctors/dtors/copy/op=, and dpointers?
-    add more "getters" to the library?
-    don't forget to QCA_EXPORT everything
+    securemessage bytesWritten?
+    Provider::version -> qcaVersion, make version() provider's own version?
+    ensure non-default ctors/dtors/copy/op=, and dpointers as needed:
+       basic,publickey,cert,keystore,securelayer,securemessage
+    QCA_EXPORT check:
+       basic,publickey,cert,keystore,securelayer,securemessage
+    de-indent / fix docs and formatting:
+       basic,publickey,cert,keystore,securelayer,securemessage
+    check for unnecessary SecureArray usage in the API:
+       qpipe,support,provider,core,textfilter
+       basic,publickey,cert,keystore,securelayer,securemessage
+    check if we should add any extra "getters" to the API:
+       tools,qpipe,support,provider,core,textfilter
+       qca_basic,publickey,cert,keystore,securelayer,securemessage
   code:
     default: config option for setting provider priorities
     cert: rfc 2818 hostname validation