Skip to content

Fix tag-frozen generation suite and clean up template config/docs#4

Merged
maybebyte merged 13 commits into
mainfrom
chore/slop-audit-cleanup
Jul 1, 2026
Merged

Fix tag-frozen generation suite and clean up template config/docs#4
maybebyte merged 13 commits into
mainfrom
chore/slop-audit-cleanup

Conversation

@maybebyte

Copy link
Copy Markdown
Owner

Summary

An "AI slop" audit of the template surfaced a test-harness bug that had silently
frozen the generation suite at the v0.1.0 release — hiding every template/
change since — plus a batch of template/config and maintainer-doc corrections.
This fixes them across 12 atomic, individually-green commits.

Changes

  • Test harness (first commit): the render fixture used copier's default ref,
    which is the latest release tag, so the suite validated a frozen v0.1.0
    instead of the working template. Pin it to vcs_ref="HEAD". This cleanup's
    template edits are the first since the tag, so they're what exposed it.
  • Template correctness: fmt lint-fixes before formatting; the mccabe config
    and gitleaks mise pin are gated to the right toggles; just scan scans history
    (gitleaks git) to match CI; scan.yml fetches shallow unless secret scanning
    needs history; the mutation job drops continue-on-error so infra failures
    surface; .editorconfig stops forcing 2-space .toml.
  • Docs & deps: stale AGENTS.md wiring/release notes and a test-fixture comment
    corrected; plumbum declared as a direct dev dependency.
  • Every template change ships with its test_generation.py assertion, per the
    AGENTS.md contract.

Testing

  • uv run pytest (i.e. just test) — 70 passed. Without the first commit,
    5 generation tests fail because they render the frozen tag.

Notes for reviewers

  • 12 atomic commits; the harness fix is first so each later commit is
    self-consistent. Reviewing commit-by-commit is easiest.

maybebyte added 13 commits July 1, 2026 16:05
The generation-test render fixture called copier.run_copy with no vcs_ref, so
copier used its default and copied the latest release tag (v0.1.0) instead of
HEAD. Every template change made since that tag was silently excluded from the
rendered project, so the suite validated a frozen release rather than the
working tree -- and this cleanup's template changes are the first since the tag
to expose it.

Pin the fixture to vcs_ref="HEAD" so the suite renders the current template
(local dirty changes included, per copier's HEAD behavior).
test_update_roundtrip keeps its explicit v0.1.0 pin; it deliberately updates
from the first release.
`ruff format` must run last: ruff's lint autofixes (import sorting and the
SIM/UP/C4 rewrites) can emit unformatted code, so formatting first and
lint-fixing after could leave a tree that `fmt-check` (ruff format --check)
then rejects -- the recipe's own output failing the gate it feeds.

Applies to both the shipped template recipe and this repo's maintainer
harness; the AGENTS.md `just fmt` description is corrected to match.
`[tool.ruff.lint.mccabe] max-complexity` only governs C901 (the C90 prefix),
which the curated ruleset does not select, so it rendered as dead config there
-- inconsistent with the already-gated pydocstyle block. Gate it on
ruff_ruleset == "all". The generation test now asserts the block is absent
under curated and present under all.
`gitleaks dir .` scans only the working tree, so a secret committed and later
deleted would pass the local recipe yet fail the CI gate (scan.yml runs
`gitleaks git`). Switch the recipe to `gitleaks git .` so the local preview
matches CI. The generation test asserts the `git` form renders and `dir` does
not.
gitleaks is a scanner-only tool, but its mise.toml pin rendered
unconditionally -- dead config (and recurring Renovate churn) in projects
generated without the scanner layer. Gate the pin on enable_scanners. The
generation test asserts it is present when scanners are on and absent when off.
scan.yml checked out full history (fetch-depth: 0) unconditionally, but only
gitleaks needs it. A project enabling scan.yml through the dependency-audit or
sha-pin-policy layer alone paid an unbounded fetch for nothing. Gate
fetch-depth on enable_scanners (0 with scanners, 1 without). A new generation
test renders scan.yml via the dependency-audit layer with scanners off and
asserts the semgrep/gitleaks steps and the deep fetch are all absent.
Job-level `continue-on-error: true` masked every failure of the mutation
workflow, including real infrastructure breakage (a bad lockfile, a failed
export), not just surviving mutants. Drop it: surviving mutants stay non-gating
through the `|| true` on the `mutmut run` step, while genuine breakage now
shows red. The generation test asserts the `|| true` step is present and no
continue-on-error remains.
The generated .editorconfig grouped .toml into the 2-space glob, but the
rendered pyproject.toml ships 4-space arrays and no TOML formatter reconciles
the two, so the rule only misled editors. Drop .toml from the glob; it falls
back to the 4-space default. The generation test asserts `toml` no longer
appears in .editorconfig.
The `ci` recipe's comment claimed to mirror everything that blocks a PR, but
the scanners run in CI only (scan.yml), never in the local gate. Reword the
comment to say so and point to scan.yml when the scanner layer is enabled. No
behavior change.
Two AGENTS.md statements had gone stale:
- The guardrail-wiring step implied every layer adds a `ci` dependency, but
  out-of-band checks (scan/mutate) ship a recipe kept off `ci` and CI-only
  layers (renovate/sha-pin) add no recipe at all. Spell out the three cases.
- The release note claimed the repo carries no tags; v0.1.0 exists. Reword to
  simply require tagging each released commit.
The conftest render helper's comment referenced a "Task 7" that no longer
exists and gave a wrong reason for skipping the pre-commit hook-install task.
Describe the real reason (a network-bound copy-time _task, irrelevant to these
assertions) and name the test that does cover the install path.
The maintainer harness imports `plumbum.local` directly to scrub interpreter
pins from copier's _task channel, so it should declare plumbum rather than rely
on copier's transitive pin. Add it to the dev group and refresh uv.lock.
Add the config/CI corrections from this branch under [Unreleased], split into
Changed (conditional-rendering cleanup) and Fixed (behavior corrections) per
Keep a Changelog. Maintainer-only changes -- the test harness, docs, and dev
deps -- are omitted; they do not affect generated projects.
@maybebyte maybebyte merged commit dd4297a into main Jul 1, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant