Add validate-strict CI workflow (#89)

* Add validate-strict CI workflow

Locks in the 0-error closed-schema baseline established across PRs
#84-#88 so it can't silently regress on future merges. Mirrors the
qc.yaml workflow shipped to TraitMech in PR #77 and adapted for the
CommunityMech runner conventions.

Runs `just validate-strict` + `just audit-writers` + `pytest tests/`
on PRs touching kb/communities/, schema, source, scripts, justfile,
or this workflow. Uploads the categorized TSV reports as workflow
artifacts so reviewers can inspect failures without re-running
locally.

Deliberately scoped narrower than `just qc` — the existing
network-quality.yml handles the network-integrity audit; this new
workflow specifically gates closed-schema validation + writer audit
+ unit tests, which are fast and run on every PR.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Address Copilot review on PR #89

Three findings, all addressed:

- Path globs: \`**.py\` doesn't actually match nested subdirs in
  GitHub Actions glob semantics — it behaves like \`*.py\`. Switch
  to \`**/*.py\` so changes under src/communitymech/<subpkg>/ (like
  network/, validators/, embedding/) trigger the workflow.
- Push trigger had no \`paths:\` filter, so the workflow ran on
  every commit to main. Mirror the pull_request path list via a
  YAML anchor (&trigger_paths + *trigger_paths) so the two stay in
  sync.
- uv sync: switch to \`--frozen --all-extras\` so the workflow fails
  if uv.lock is stale (instead of silently re-resolving) while
  keeping the dev/test extras the existing network-quality.yml
  uses. Also added uv.lock + tests/**/*.py to the trigger paths so
  dependency and test changes re-run the workflow.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: realmarcin

.github/workflows/validate-strict.yaml

@@ -0,0 +1,66 @@
+name: validate-strict
+
+on:
+  pull_request:
+    paths: &trigger_paths
+      - "kb/communities/**"
+      - "src/communitymech/schema/**"
+      - "src/communitymech/**/*.py"
+      - "scripts/**/*.py"
+      - "tests/**/*.py"
+      - "justfile"
+      - "pyproject.toml"
+      - "uv.lock"
+      - ".github/workflows/validate-strict.yaml"
+  push:
+    branches: [main]
+    paths: *trigger_paths
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  validate-strict:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: extractions/setup-just@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          version: "latest"
+          enable-cache: true
+
+      - name: Install dependencies
+        # --frozen fails the workflow if uv.lock is stale (don't silently
+        # re-resolve in CI). --all-extras keeps parity with the existing
+        # network-quality.yml workflow and ensures pytest + optional deps
+        # are available for the test step below.
+        run: uv sync --frozen --all-extras
+
+      - name: Run validate-strict (closed-schema LinkML validation)
+        run: just validate-strict
+
+      - name: Run audit-writers
+        run: just audit-writers
+
+      - name: Run tests
+        run: uv run pytest tests/ -q --no-cov
+
+      - name: Upload reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: validate-strict-reports-${{ github.run_id }}
+          path: |
+            reports/instance_validation_failures.tsv
+            reports/pipeline_writers_audit.tsv
+          if-no-files-found: warn