ci: scope CI to the test suites (pytest + frontend); lint gate is a follow-up

Per owner direction (#452): ship the test gate now, fix the linters next.

The backend job runs `poetry run pytest` rather than `scripts/lint.sh`.
Reason: the local lint gate isn't satisfiable on a clean tree — it runs
two formatters (`ruff format` + `black`) whose output mutually conflicts,
plus a little flake8/pylint debt. The #401/#451 incident that motivated
#452 was a *test* regression, and the test suites pass green, so CI
enforces those today; wiring the (de-conflicted) Python lint gate into CI
is a tracked follow-up.

Drops the pre-commit install (only the lint gate needed it). Reconciles
SECURITY.md §8, the codeql/lint.sh/pre-commit/workflows-README comments,
and the decision logs (PM/security/architect, ACCEPTANCE Q-4) to "tests
in CI; lint gate local + CI follow-up".

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: martin-castro-laminr-ai

.github/workflows/README.md

@@ -4,13 +4,13 @@ GitHub Actions workflows for django-admin-react.
 
 ## What lives here
 
-- **`ci.yml`** — the lint + test gate on every PR and push to `main`:
-  backend (`scripts/lint.sh` → ruff/black/isort/flake8/pylint/mypy/bandit
-  + the pre-commit security hooks + `pytest`) and frontend
-  (`pnpm -r typecheck`, `pnpm lint`, `pnpm test`, `pnpm -r build`). A red
-  suite blocks merge. Added in #452 (reversing the prior local-only
-  posture). Marking the checks **required** is an owner branch-protection
-  action (#452 / #331).
+- **`ci.yml`** — the test gate on every PR and push to `main`: backend
+  `pytest` (with coverage) and the frontend `pnpm` gate (`-r typecheck`,
+  `lint`, `test`, `-r build`). A red suite blocks merge. Added in #452
+  (reversing the prior local-only posture). The Python *lint* gate
+  (`scripts/lint.sh`) is not in CI yet — it runs two formatters that
+  conflict, so it's de-conflicted first (follow-up off #452). Marking the
+  checks **required** is an owner branch-protection action (#452 / #331).
 - **`codeql.yml`** — CodeQL static analysis (Python + JS/TS) on push/PR and a
   weekly schedule. This is the project's security dataflow scanner.
 - **`release.yml`** — automated PyPI publishing. Triggered when a GitHub
@@ -23,11 +23,11 @@ GitHub Actions workflows for django-admin-react.
 
 ## What does not belong here
 
-- The *definition* of the quality gate. `ci.yml` does not duplicate the
-  tool list — the backend job runs `scripts/lint.sh` and the frontend job
-  runs the package.json scripts, so the gate has one source of truth. See
-  `SECURITY.md` §8 for the local + CI posture and #331 for the forward
-  hardening plan (SHA-pinning is already done; required-checks /
+- The Python *lint* gate (`scripts/lint.sh` + `.pre-commit-config.yaml`).
+  CI runs `pytest` and the frontend `pnpm` gate; the Python lint gate
+  isn't wired into CI yet (it must be de-conflicted first — two formatters
+  disagree). See `SECURITY.md` §8 and #331 for the forward hardening plan
+  (SHA-pinning is already done; lint-in-CI / required-checks /
   version-matrix remain).
 - Secrets. Workflows authenticate via OIDC (release) or the default
   `GITHUB_TOKEN` (CodeQL). No long-lived tokens are stored as secrets.

.github/workflows/ci.yml

@@ -1,23 +1,25 @@
-# The lint + test gate, run on every pull request and on push to `main`.
+# CI test gate — run the test suites on every pull request and on push to
+# `main`, so a red suite can't merge.
 #
 # WHY: until now the lint/test pipeline was local-only — `scripts/lint.sh`
 # + the pre-commit hooks, run on a contributor's laptop before the Merger
 # pulled a PR (the deliberate "no CI in pre-alpha" posture). With many
 # agents merging in parallel and only CodeQL gating server-side, test
 # regressions slipped onto `main` green (e.g. #401 broke
 # `tests/test_logentry.py`, undetected until a later full local run —
-# #451). This workflow makes the gate enforced server-side so a red suite
-# can't merge. Resolves #452; the no-CI revisit recorded in
+# #451). This enforces the suites server-side. Resolves the core of #452
+# (run the test suites in CI); the no-CI revisit is recorded in
 # `SECURITY.md` §8 / `docs/agents/decisions.md` / OQ-A-001.
 #
-# SOURCE OF TRUTH: the backend job runs `scripts/lint.sh` itself (with
-# `LINT_PY_ONLY=1`) so CI runs the *exact* gate a developer runs locally —
-# including the pre-commit security hooks (bandit + the house-rule pygrep
-# checks: no-objects-all, no-csrf-exempt, no-user-has-perm,
-# no-dar-api-from-pages, no-partial-tokens). The frontend job mirrors
-# #452's acceptance explicitly (typecheck + lint + test + build), because
-# `scripts/lint.sh`'s frontend block intentionally stops at lint and does
-# not run vitest or the Vite build.
+# SCOPE: the backend job runs `pytest` (the regression that motivated
+# #452 was a broken test). The frontend job runs the full `pnpm` gate —
+# typecheck + lint + test + build — which is already self-consistent and
+# green. Enforcing the *Python lint* gate in CI is a deliberate near-term
+# follow-up: `scripts/lint.sh` currently runs two formatters (`ruff
+# format` + `black`) whose output conflicts, so it is not yet satisfiable
+# on a clean tree. That gets de-conflicted and the small existing lint
+# debt cleared first (follow-up off #452), then the lint step is added
+# here.
 #
 # SECURITY POSTURE:
 #   - Least-privilege: top-level `contents: read`; no job needs write.
@@ -48,7 +50,7 @@ concurrency:
 
 jobs:
   backend:
-    name: Backend (lint + pytest)
+    name: Backend (pytest)
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -59,23 +61,22 @@ jobs:
         with:
           python-version: "3.12"
 
-      - name: Install Poetry + pre-commit
+      - name: Install Poetry
         # Poetry is pinned to the version that generated poetry.lock (see
         # its header). `poetry install` compares the lock's content-hash
         # against the one it computes from pyproject; a different Poetry
         # can compute it differently and reject an otherwise-valid lock.
         # Bump this in lockstep whenever the lock is regenerated.
-        run: pipx install poetry==2.1.4 && pipx install pre-commit
+        run: pipx install poetry==2.1.4
 
       - name: Install dependencies (locked)
         run: poetry install --no-interaction
 
-      # Runs the same gate as a local `LINT_PY_ONLY=1 bash scripts/lint.sh`:
-      # pre-commit (bandit + the security pygrep hooks) then ruff / ruff
-      # format / black / isort / flake8 / pylint -E / mypy (package,
-      # blocking) / bandit / pytest (with coverage, per pyproject addopts).
-      - name: Python gate (scripts/lint.sh)
-        run: LINT_PY_ONLY=1 bash scripts/lint.sh
+      # pytest with coverage (per pyproject `addopts`), including
+      # tests/test_security.py. `filterwarnings = ["error"]` means a new
+      # warning fails the run.
+      - name: Tests (pytest)
+        run: poetry run pytest
 
   frontend:
     name: Frontend (typecheck + lint + test + build)

.github/workflows/codeql.yml

@@ -2,12 +2,12 @@
 #
 # Dataflow-based security analysis (Python + TypeScript), surfacing
 # findings in the repository's Security tab where external reporters and
-# maintainers both look. Free for public repos. It complements the lint +
-# test gate in `ci.yml` (and the local `scripts/lint.sh`): `bandit` /
+# maintainers both look. Free for public repos. It complements the test
+# gate in `ci.yml` and the local lint gate (`scripts/lint.sh`): `bandit` /
 # `ruff -S` (Python) and `eslint` (frontend) are rule-based; CodeQL adds
 # dataflow detection (injection, path traversal, unsafe deserialization)
 # those linters can miss. Added in #144 (post-public-flip hardening);
-# the lint/test CI gate followed in #452.
+# the test CI gate followed in #452.
 name: CodeQL
 
 on:

.pre-commit-config.yaml

@@ -8,10 +8,10 @@
 # Anything below the [BLOCK] threshold in
 # `docs/agents/security-expert/REVIEW_CHECKLIST.md` §1 aborts the commit.
 #
-# This file is the commit-time half of the quality gate. The same hooks
-# run server-side in CI (`.github/workflows/ci.yml` invokes
-# `scripts/lint.sh`, which runs `pre-commit run --all-files`), so a
-# developer who disables this local hook still hits the gate on their PR.
+# This file is the commit-time half of the quality gate, run together
+# with `scripts/lint.sh` before a PR. CI (`.github/workflows/ci.yml`)
+# currently runs the test suites, not these hooks; wiring the lint/security
+# hooks into CI is a follow-up (#452).
 
 repos:
   # -------------------------------------------------------------------

ACCEPTANCE.md

@@ -436,7 +436,7 @@ Merger runs the pipeline locally before squash-merge.
 | Q-1 | `./scripts/lint.sh` is the merge gate. A merge that bypassed it is a policy violation and a revert candidate. | Forum status / PR body. |
 | Q-2 | `./scripts/build.sh` is the release gate. Both the SPA build and `poetry build` must succeed. | Run output before tagging. |
 | Q-3 | A PR that touches `pyproject.toml` runtime deps, frontend root `package.json` deps, or `LICENSE` includes a locally-recorded `pip-audit` (Python) and `pnpm audit` (npm) clean run in the PR body. | PR-body inspection. |
-| Q-4 | The "no CI" decision was revisited and reversed before leaving pre-alpha: the lint + test gate now runs in CI (`.github/workflows/ci.yml`), recorded in [`docs/agents/decisions.md`](docs/agents/decisions.md). Marking the checks required in branch protection is the remaining owner action (#452). | Decision-log entry + `ci.yml`. |
+| Q-4 | The "no CI" decision was revisited and reversed before leaving pre-alpha: the test suites now run in CI (`.github/workflows/ci.yml` — backend `pytest` + frontend gate), recorded in [`docs/agents/decisions.md`](docs/agents/decisions.md). Wiring the Python lint gate into CI and marking checks required in branch protection are the remaining follow-ups (#452). | Decision-log entry + `ci.yml`. |
 
 ### 3.8 Packaging
 

SECURITY.md

@@ -176,13 +176,19 @@ Every endpoint added must include all of these tests before merging:
 
 ## 8. Static analysis (local + CI)
 
-The gate runs in two places, both required: locally for fast feedback
-(`./scripts/lint.sh` + the pre-commit hooks) **and** server-side in CI
-(`.github/workflows/ci.yml`) so a red suite cannot merge. The earlier
-"local-only, no CI in v0.x" posture was revisited and reversed (issue
-#452 — regressions were slipping onto `main` under CodeQL-only gating;
-see `docs/agents/decisions.md`). The CI backend job runs `scripts/lint.sh`
-directly, so the two stay in lockstep by construction.
+The earlier "local-only, no CI in v0.x" posture was revisited and
+reversed (issue #452 — regressions were slipping onto `main` under
+CodeQL-only gating; see `docs/agents/decisions.md`). **The test suites
+now run server-side in CI** (`.github/workflows/ci.yml`): backend
+`pytest` and the frontend `pnpm` gate (typecheck + lint + test + build),
+so a red suite cannot merge.
+
+Enforcing the **Python lint gate** in CI is a near-term follow-up:
+`scripts/lint.sh` currently runs two formatters (`ruff format` + `black`)
+whose output conflicts, so it isn't satisfiable on a clean tree yet. The
+local script below is still the authoritative lint gate; it gets
+de-conflicted and the small existing debt cleared first, then the lint
+step is added to CI.
 
 Run via `./scripts/lint.sh`:
 
@@ -198,9 +204,8 @@ Run via `./scripts/lint.sh`:
 - Frontend: `pnpm -r typecheck`, `pnpm lint` (eslint `--max-warnings 0`
   + stylelint + dark-mode coverage), `pnpm test` (vitest), `pnpm -r build`.
 
-CI additionally runs the pre-commit security hooks (bandit + the
-house-rule pygrep checks) on every PR. Making the CI checks **required**
-in branch protection is a separate owner action (#452 / #331).
+Making the CI checks **required** in branch protection is a separate
+owner action (#452 / #331).
 
 Dependency audit runs separately via `./scripts/audit-deps.sh`
 (see §6).

docs/agents/decisions.md

@@ -7,24 +7,25 @@ Newest decisions on top.
 
 ---
 
-## 2026-05-28 — Reverse "no CI": the lint + test gate now runs server-side
+## 2026-05-28 — Reverse "no CI": the test suites now run server-side
 
 The prior "no CI in pre-alpha (per repo-owner direction)" posture was
 revisited (the trigger named in OQ-A-001 / ACCEPTANCE Q-4) and reversed.
 Under CodeQL-only gating, test regressions were merging onto `main` green
 with many agents working in parallel (e.g. #401 broke
 `tests/test_logentry.py`, caught only on a later local run — #451).
 
-- **CI now runs the full gate on every PR + push to `main`**
-  (`.github/workflows/ci.yml`): backend job runs `scripts/lint.sh` itself
-  (so local ≡ CI, incl. the pre-commit security hooks + `pytest`),
-  frontend job runs `pnpm -r typecheck` / `pnpm lint` / `pnpm test` /
-  `pnpm -r build`. Actions SHA-pinned; least-privilege `contents: read`.
-  — issue #452, ci.yml. **Tier 5 (workflows + SECURITY.md §8) —
-  human-reviewed.**
-- Still outstanding (owner action, tracked in #452 / #331): mark the CI
-  checks **required** in branch protection; an optional Python/Django
-  version matrix.
+- **CI now runs the test suites on every PR + push to `main`**
+  (`.github/workflows/ci.yml`): backend `pytest` (with coverage) and the
+  frontend gate (`pnpm -r typecheck` / `pnpm lint` / `pnpm test` /
+  `pnpm -r build`). Actions SHA-pinned; least-privilege `contents: read`.
+  — issue #452, ci.yml. Owner-directed merge despite Tier 5 (workflows +
+  SECURITY.md §8).
+- **Follow-ups** (off #452 / #331): wire the Python *lint* gate into CI —
+  blocked first on de-conflicting `scripts/lint.sh`, which runs two
+  formatters (`ruff format` + `black`) whose output conflicts, plus a
+  little pylint/flake8 debt to clear; mark the CI checks **required** in
+  branch protection; optional Python/Django version matrix.
 
 ---
 

docs/agents/product-manager/DECISIONS.md

@@ -60,9 +60,10 @@ Authoring session: `claude-pm-ux-opus47`.
 11. **Lighthouse-equivalent budget:** FCP < 1.5 s cached, LCP < 2.5 s
     cold on the reference profile (M-class laptop, 10 Mbps).
     — [`PRODUCT_VISION.md`](../../PRODUCT_VISION.md) §7
-12. **No `--force` push to `main`.** The lint + test gate runs both
-    locally (`scripts/lint.sh`) and in CI (`.github/workflows/ci.yml`,
-    added in #452 — the prior "no CI" stance was revisited and reversed).
+12. **No `--force` push to `main`.** The test suites run in CI
+    (`.github/workflows/ci.yml`, added in #452 — the prior "no CI" stance
+    was reversed); the lint gate (`scripts/lint.sh`) runs locally, with
+    lint-in-CI a follow-up.
     — [`docs/agents/decisions.md`](../../docs/agents/decisions.md) (engineering)
 13. **`docs/agents/` handoff convention adopted** — durable role state
     survives session loss. — [`docs/agents/decisions.md`](../DECISIONS.md)

docs/agents/security-expert/DECISIONS.md

@@ -31,12 +31,13 @@ agents see it without reading this folder.
 - **CSRF is mandatory.** No view in the package is `@csrf_exempt`.
   Tests must assert that a missing or invalid `X-CSRFToken` header
   on `POST` / `PATCH` / `DELETE` returns `403`. — invariant
-- **The gate runs locally and in CI.** `scripts/lint.sh` is the local
-  gate; `.github/workflows/ci.yml` runs that same script (plus the
-  frontend gate) server-side on every PR so a red suite can't merge
-  (#452 — the earlier "no CI" stance was reversed). Security scans
-  (`ruff S`, `bandit`, the pre-commit secret/pygrep hooks) run in both;
-  `pip-audit` stays a local pre-merge step (§6). — #452
+- **Tests run in CI; the lint gate stays local (for now).**
+  `.github/workflows/ci.yml` runs `pytest` + the frontend gate
+  server-side on every PR so a red suite can't merge (#452 — the earlier
+  "no CI" stance was reversed). The Python lint/security gate
+  (`scripts/lint.sh`: `ruff S`, `bandit`, the pre-commit secret/pygrep
+  hooks) plus `pip-audit` stay local pre-merge steps until the gate is
+  de-conflicted and wired into CI (follow-up off #452). — #452
 - **Frontend never holds permission state alone.** `@dar/data` may
   cache `permissions: {view, add, change, delete}` from the API for
   UI courtesy (hide buttons), but **every** write call re-verifies

docs/agents/software-architect/DECISIONS.md

@@ -9,12 +9,13 @@
 
 ## 2026-05-28
 
-- **OQ-A-001 resolved — "no CI" reversed.** The lint + test gate now
-  runs server-side on every PR (`.github/workflows/ci.yml`); the backend
-  job runs `scripts/lint.sh` so local ≡ CI. Trigger: regressions slipping
-  onto `main` under CodeQL-only gating (#401 / #451). Cross-role record:
+- **OQ-A-001 resolved — "no CI" reversed.** The test suites now run
+  server-side on every PR (`.github/workflows/ci.yml`): backend `pytest`
+  + the frontend gate. Trigger: regressions slipping onto `main` under
+  CodeQL-only gating (#401 / #451). Cross-role record:
   [`docs/agents/decisions.md`](../../docs/agents/decisions.md)
-  (2026-05-28). — #452. Remaining owner action: required-checks branch
+  (2026-05-28). — #452. Follow-ups: wire the Python lint gate into CI
+  (de-conflict `ruff format`/`black` first), required-checks branch
   protection.
 
 ---