feat(repo): Add warning budget and maintainer audit

Freeze the accepted validation warning count at 135 so repo-state and release-state checks fail if the warning baseline grows silently while legacy warnings remain intentionally preserved. Add a read-only maintainer audit command plus regression tests so maintainers can inspect repo health quickly without mutating files.
2026-03-21 11:08:57 +01:00
parent 2463affbac
commit fc5b383f34
12 changed files with 408 additions and 9 deletions
--- a/tools/scripts/tests/automation_workflows.test.js
+++ b/tools/scripts/tests/automation_workflows.test.js
@@ -18,6 +18,14 @@ assert.ok(
  packageJson.scripts["sync:release-state"],
  "package.json should expose a deterministic release-state sync command",
 );
+assert.ok(
+  packageJson.scripts["check:warning-budget"],
+  "package.json should expose a warning-budget guardrail command",
+);
+assert.ok(
+  packageJson.scripts["audit:maintainer"],
+  "package.json should expose a maintainer audit command",
+);
 assert.ok(
  packageJson.scripts["sync:web-assets"],
  "package.json should expose a web-asset sync command for tracked web artifacts",
@@ -27,11 +35,21 @@ assert.match(
  /sync:web-assets/,
  "sync:release-state should refresh tracked web assets before auditing release drift",
 );
+assert.match(
+  packageJson.scripts["sync:release-state"],
+  /check:warning-budget/,
+  "sync:release-state should enforce the frozen validation warning budget",
+);
 assert.match(
  packageJson.scripts["sync:repo-state"],
  /sync:web-assets/,
  "sync:repo-state should refresh tracked web assets before maintainer audits",
 );
+assert.match(
+  packageJson.scripts["sync:repo-state"],
+  /check:warning-budget/,
+  "sync:repo-state should enforce the frozen validation warning budget",
+);

 for (const filePath of [
  "apps/web-app/public/sitemap.xml",
--- a/tools/scripts/tests/run-test-suite.js
+++ b/tools/scripts/tests/run-test-suite.js
@@ -31,6 +31,8 @@ const LOCAL_TEST_COMMANDS = [
  [path.join(TOOL_SCRIPTS, "run-python.js"), path.join(TOOL_TESTS, "test_sync_microsoft_skills_security.py")],
  [path.join(TOOL_SCRIPTS, "run-python.js"), path.join(TOOL_TESTS, "test_sync_repo_metadata.py")],
  [path.join(TOOL_SCRIPTS, "run-python.js"), path.join(TOOL_TESTS, "test_sync_contributors.py")],
+  [path.join(TOOL_SCRIPTS, "run-python.js"), path.join(TOOL_TESTS, "test_validation_warning_budget.py")],
+  [path.join(TOOL_SCRIPTS, "run-python.js"), path.join(TOOL_TESTS, "test_maintainer_audit.py")],
  [path.join(TOOL_SCRIPTS, "run-python.js"), path.join(TOOL_TESTS, "test_validate_skills_headings.py")],
 ];
 const NETWORK_TEST_COMMANDS = [
--- a/tools/scripts/tests/test_maintainer_audit.py
+++ b/tools/scripts/tests/test_maintainer_audit.py
@@ -0,0 +1,101 @@
+import importlib.util
+import json
+import sys
+import tempfile
+import unittest
+from pathlib import Path
+
+
+REPO_ROOT = Path(__file__).resolve().parents[3]
+TOOLS_SCRIPTS_DIR = REPO_ROOT / "tools" / "scripts"
+if str(TOOLS_SCRIPTS_DIR) not in sys.path:
+    sys.path.insert(0, str(TOOLS_SCRIPTS_DIR))
+
+
+def load_module(relative_path: str, module_name: str):
+    module_path = REPO_ROOT / relative_path
+    spec = importlib.util.spec_from_file_location(module_name, module_path)
+    module = importlib.util.module_from_spec(spec)
+    assert spec.loader is not None
+    sys.modules[module_name] = module
+    spec.loader.exec_module(module)
+    return module
+
+
+maintainer_audit = load_module(
+    "tools/scripts/maintainer_audit.py",
+    "maintainer_audit_test",
+)
+
+
+class MaintainerAuditTests(unittest.TestCase):
+    def test_build_audit_summary_reports_clean_state(self):
+        with tempfile.TemporaryDirectory() as temp_dir:
+            root = Path(temp_dir)
+            (root / "README.md").write_text(
+                """<!-- registry-sync: version=8.4.0; skills=1; stars=26132; updated_at=2026-03-21T00:00:00+00:00 -->
+# Test Repo
+""",
+                encoding="utf-8",
+            )
+            (root / "package.json").write_text(
+                json.dumps(
+                    {
+                        "name": "antigravity-awesome-skills",
+                        "version": "8.4.0",
+                        "description": "1+ agentic skills for Claude Code, Gemini CLI, Cursor, Antigravity & more. Installer CLI.",
+                    }
+                ),
+                encoding="utf-8",
+            )
+            (root / "skills_index.json").write_text(json.dumps([{}]), encoding="utf-8")
+
+            summary = maintainer_audit.build_audit_summary(
+                root,
+                warning_budget_checker=lambda _base_dir: {"actual": 135, "max": 135, "within_budget": True},
+                consistency_finder=lambda _base_dir: [],
+                git_status_resolver=lambda _base_dir: [],
+            )
+
+            self.assertEqual(summary["version"], "8.4.0")
+            self.assertEqual(summary["total_skills"], 1)
+            self.assertTrue(summary["warning_budget"]["within_budget"])
+            self.assertEqual(summary["consistency_issues"], [])
+            self.assertTrue(summary["git"]["clean"])
+
+    def test_build_audit_summary_reports_drift(self):
+        with tempfile.TemporaryDirectory() as temp_dir:
+            root = Path(temp_dir)
+            (root / "README.md").write_text(
+                """<!-- registry-sync: version=8.4.0; skills=1; stars=26132; updated_at=2026-03-21T00:00:00+00:00 -->
+# Test Repo
+""",
+                encoding="utf-8",
+            )
+            (root / "package.json").write_text(
+                json.dumps(
+                    {
+                        "name": "antigravity-awesome-skills",
+                        "version": "8.4.0",
+                        "description": "1+ agentic skills for Claude Code, Gemini CLI, Cursor, Antigravity & more. Installer CLI.",
+                    }
+                ),
+                encoding="utf-8",
+            )
+            (root / "skills_index.json").write_text(json.dumps([{}]), encoding="utf-8")
+
+            summary = maintainer_audit.build_audit_summary(
+                root,
+                warning_budget_checker=lambda _base_dir: {"actual": 140, "max": 135, "within_budget": False},
+                consistency_finder=lambda _base_dir: ["README drift"],
+                git_status_resolver=lambda _base_dir: [" M README.md"],
+            )
+
+            self.assertFalse(summary["warning_budget"]["within_budget"])
+            self.assertEqual(summary["consistency_issues"], ["README drift"])
+            self.assertFalse(summary["git"]["clean"])
+            self.assertEqual(summary["git"]["changed_files"], [" M README.md"])
+
+
+if __name__ == "__main__":
+    unittest.main()
--- a/tools/scripts/tests/test_validation_warning_budget.py
+++ b/tools/scripts/tests/test_validation_warning_budget.py
@@ -0,0 +1,90 @@
+import importlib.util
+import json
+import sys
+import tempfile
+import unittest
+from pathlib import Path
+
+
+REPO_ROOT = Path(__file__).resolve().parents[3]
+TOOLS_SCRIPTS_DIR = REPO_ROOT / "tools" / "scripts"
+if str(TOOLS_SCRIPTS_DIR) not in sys.path:
+    sys.path.insert(0, str(TOOLS_SCRIPTS_DIR))
+
+
+def load_module(relative_path: str, module_name: str):
+    module_path = REPO_ROOT / relative_path
+    spec = importlib.util.spec_from_file_location(module_name, module_path)
+    module = importlib.util.module_from_spec(spec)
+    assert spec.loader is not None
+    sys.modules[module_name] = module
+    spec.loader.exec_module(module)
+    return module
+
+
+warning_budget = load_module(
+    "tools/scripts/check_validation_warning_budget.py",
+    "check_validation_warning_budget_test",
+)
+
+
+class ValidationWarningBudgetTests(unittest.TestCase):
+    def test_warning_budget_passes_when_actual_matches_budget(self):
+        with tempfile.TemporaryDirectory() as temp_dir:
+            root = Path(temp_dir)
+            (root / "tools" / "config").mkdir(parents=True)
+            (root / "skills" / "example-skill").mkdir(parents=True)
+            (root / "tools" / "config" / "validation-budget.json").write_text(
+                json.dumps({"maxWarnings": 1}),
+                encoding="utf-8",
+            )
+            (root / "skills" / "example-skill" / "SKILL.md").write_text(
+                """---
+name: example-skill
+description: Example skill
+risk: safe
+source: community
+---
+
+# Example Skill
+""",
+                encoding="utf-8",
+            )
+
+            summary = warning_budget.check_warning_budget(root)
+
+            self.assertEqual(summary["actual"], 1)
+            self.assertEqual(summary["max"], 1)
+            self.assertTrue(summary["within_budget"])
+
+    def test_warning_budget_fails_when_actual_exceeds_budget(self):
+        with tempfile.TemporaryDirectory() as temp_dir:
+            root = Path(temp_dir)
+            (root / "tools" / "config").mkdir(parents=True)
+            (root / "skills" / "example-skill").mkdir(parents=True)
+            (root / "tools" / "config" / "validation-budget.json").write_text(
+                json.dumps({"maxWarnings": 0}),
+                encoding="utf-8",
+            )
+            (root / "skills" / "example-skill" / "SKILL.md").write_text(
+                """---
+name: example-skill
+description: Example skill
+risk: safe
+source: community
+---
+
+# Example Skill
+""",
+                encoding="utf-8",
+            )
+
+            summary = warning_budget.check_warning_budget(root)
+
+            self.assertEqual(summary["actual"], 1)
+            self.assertEqual(summary["max"], 0)
+            self.assertFalse(summary["within_budget"])
+
+
+if __name__ == "__main__":
+    unittest.main()