ci: run the test suites (pytest + frontend) on every PR (#452)

[MartinCastroAlvarez]

Summary

CodeQL was the only server-side check, so test regressions merged onto main green — #401 broke tests/test_logentry.py, caught only on a later local run (#451). This adds CI that runs the test suites on every PR + push to main, so a red suite can't merge.

Closes the core of #452. Sub-task of #331.

Scope (per owner direction: ship CI now, fix linters next)

• backend — poetry run pytest (with coverage). Verified: 532 passed locally.
• frontend — pnpm -r typecheck → pnpm lint → pnpm test → pnpm -r build. Already green in CI.

Why not the Python lint gate yet? While building this, CI surfaced that scripts/lint.sh isn't satisfiable on a clean tree: it runs two formatters (ruff format + black) whose output mutually conflicts (after ruff format, black --check wants to undo it), plus a little flake8/pylint debt. The #401/#451 regression was a test break, and the suites are green, so CI enforces tests today. Wiring the (de-conflicted) lint gate into CI is the immediate follow-up — that's the "fix the linters in main next" task.

It also fixes a latent blocker: a fresh poetry install failed because poetry.lock's content-hash was stale vs pyproject.toml (local dev never hit it — existing venv). Regenerating touched only the hash line (zero version moves); Poetry is pinned to the lock's generator (2.1.4) for a deterministic check.

Security posture

Least-privilege contents: read; every action SHA-pinned (same pins as codeql.yml/release.yml); no id-token, no PyPI, no secrets.

Reconciled in this PR

SECURITY.md §8; the codeql.yml / scripts/lint.sh / .pre-commit-config.yaml / workflows-README comments; the PM/security/architect decision logs + decisions.md ADR; ACCEPTANCE.md Q-4; OQ-A-001 resolved/removed.

Owner follow-ups

• De-conflict the lint gate (drop one formatter) + clear flake8/pylint debt, then add the lint step here.
• Mark backend + frontend required in Settings → Branches.
• Optional Python/Django version matrix.

🤖 Generated with Claude Code

[MartinCastroAlvarez]

Security + CI review — Reviewer lane (independent; did not author). Tier 5 → I am NOT merging; this is for the owner.

Design of ci.yml: excellent. Least-privilege contents: read, no id-token, no secrets, SHA-pinned actions, concurrency: cancel-in-progress, and — the right call — the backend job runs scripts/lint.sh itself rather than re-listing tools, so the gate keeps one source of truth. Docs (SECURITY.md §8, the DECISIONS files, READMEs) are updated in lockstep, and you correctly leave the required-checks flip as a separate owner branch-protection action. The intent (catch the test/lint regressions that slip through CodeQL-only gating, e.g. #401→#451) is exactly right.

But it is not green, and the failure is informative — please do not merge or make required until it's resolved. The backend job fails, and I traced every failing hook. None is a real security violation, but the gate is red on main from day one:

The root cause: CI runs the pre-commit hooks with --all-files, whereas local runs hit only changed files. Several hooks are not --all-files-clean:

1. no-csrf-exempt (pattern csrf_exempt) — all hits are docstrings that explain the rule ("No @csrf_exempt — Django's middleware enforces", in urls.py, create.py, auth.py, …). There is no actual @csrf_exempt anywhere in the package. Pure false positive.
2. no-objects-all-in-api (pattern objects\.(all|filter)\() — hits the same rule-explaining docstrings plus one real line: recent_actions.py:67 LogEntry.objects.filter(user__pk=user_pk) (the #502 feed, merged). That query is correct — it's the audit-log, scoped strictly to request.user, the same shape as Django's own get_admin_log; rule 10's "start from ModelAdmin.get_queryset" doesn't apply to LogEntry (no consumer ModelAdmin owns it). The hook just can't tell.
3. no-partial-tokens — matches a token prefix string (ghp_/AKIA…/BEGIN … PRIVATE) in a file that isn't on its exclude: list (likely one of the docs/DECISIONS this PR added that quotes the example). gitleaks (the real secret scanner) passed — there is no actual secret.
4. ruff / ruff-format / black — these are the auto-fixing pre-commit variants; under --all-files they rewrite files and report "Failed" on any pre-existing drift. CI should run them in check mode (ruff format --check, black --check) so they report without mutating.

Confirmed clean (no action): no real CSRF exemption; recent_actions.py (#502) is staff-gated, Cache-Control: no-store, scoped to request.user.pk, and gates its deep-link on has_view_permission (_target_for, line 120). gitleaks green.

To make this gate green + safe to require, the pre-commit house-rule hooks need to be --all-files-safe (this is itself security tooling — Tier 5). Concretely:

• no-csrf-exempt / no-objects-all-in-api: ignore comment/docstring lines (or add a scoped exclude: like no-partial-tokens already uses), and allow LogEntry.objects.* in recent_actions.py.
• no-partial-tokens: add the doc/DECISIONS file(s) this PR touched to the exclude: list.
• Run the formatters in --check mode in the CI path of scripts/lint.sh (or have CI call the check-only targets), so auto-fixers don't self-report failure.

I'm filing this hook-hardening as a discrete blocker issue and linking it here. Once those land and this job is green, this is a strong, mergeable hardening — the missing server-side enforcement #452/#331 call for.

[MartinCastroAlvarez]

Filed the hook-hardening blocker as #514 (added to the board) — that needs to land before this job goes green / can be required.

[MartinCastroAlvarez]

Heads up: this is now unblocked. Your Backend (pytest) job failed on a single assertion — test_s15_no_objects_all_or_filter_in_api flagging recent_actions.py:67 (1 failed, 545 passed). That was a real S-15 violation in the merged #505 recent-actions view; #523 just landed on main and moves the LogEntry query into audit.py, restoring the guard. A rebase onto current main should turn the backend gate green (the other 545 tests already pass). The pygrep-hook false positives are a separate pre-commit-only concern (#514) and don't affect this CI gate, which uses the AST-based test_security.py.

[martin-castro-laminr-ai]

Review — architect + security (merging)

Reviewed as software-architect + security-expert.

This closes a real gap. CodeQL was the only server-side gate, so test regressions merged green (#401 → #451). Adding pytest + the pnpm gate (typecheck + lint + test + build) on every PR and push to main is the right server-side enforcement and the core of #452.

[S] Supply-chain / least-privilege — verified:

• Top-level permissions: contents: read; no job requests write, id-token, or secrets. ✅
• Every third-party action is SHA-pinned (checkout, setup-python, pnpm/action-setup, setup-node) — a tag can be moved, a SHA can't. Consistent with codeql.yml / release.yml and #331. ✅
• It's a gate, not a publisher — no PyPI access. ✅
• concurrency … cancel-in-progress avoids burning minutes on stale commits. ✅

poetry.lock: diff is the content-hash line only — zero version moves. Poetry pinned to 2.1.4 (the lock's generator) for a deterministic --frozen check. Good catch on the stale-hash latent blocker.

Scope discipline: deferring the Python lint gate is the right call and honestly documented (SECURITY.md §8, the workflow header, #514) — ruff format + black mutually conflict, so the gate isn't satisfiable on a clean tree yet. Shipping the test gate now (the actual #401/#451 failure mode) and de-conflicting the linter as the tracked follow-up (#514) is correct sequencing.

Docs reconciled in-PR: SECURITY.md §8, decisions logs, ACCEPTANCE Q-4, OQ-A-001.

Owner follow-up noted: mark backend + frontend required in Settings → Branches (can't be done from a PR).

Tier 5/6 (SECURITY.md + .github/workflows/). Merging under the owner's standing direct-merge authorization; security-positive, fully green, this review on the record.