diff --git a/docs/proposals/validator-noqa-suppressions-and-remaining-findings.md b/docs/proposals/validator-noqa-suppressions-and-remaining-findings.md index 089062c6..a42a8127 100644 --- a/docs/proposals/validator-noqa-suppressions-and-remaining-findings.md +++ b/docs/proposals/validator-noqa-suppressions-and-remaining-findings.md @@ -1,7 +1,8 @@ # Validator Noqa Suppressions & Remaining Findings **Date:** 2026-02-14 -**Status:** Implemented (noqa mechanism + initial suppressions) +**Updated:** 2026-02-16 +**Status:** Implemented — noqa mechanism complete, errors and warnings resolved, info findings remain ## What Was Done 
@@ -12,15 +13,27 @@ 3. **Consistent noqa wiring** — all check functions in `validate_security.py` (21 locations) and `validate_performance.py` (18 locations) now respect noqa 4. **`site/` added to `IGNORE_PATTERNS`** — excludes mkdocs build output from scanning -### Validator Results After Suppressions +### Follow-up Fixes (Since Initial Implementation) -| Validator | Errors | Warnings | Info | -|-----------|--------|----------|------| -| Architecture | 0 | 4 | 0 | -| Security | 0 | 0 | 1600 | -| Performance | 0 | 77 | 1530 | -| Audit | 0 | 0 | 0 | -| Ruff | 0 | 0 | — | +5. **4 architecture warnings resolved** (`3ec58c1`) — fixed catalog→inventory cross-module imports +6. **77 performance warnings resolved** (`1cb659e`) — addressed all PERF-006 `db.add()` in loop warnings +7. **SEC-015 proposal written** (`0b701fb`) — see `fix-1600-sec015-xhtml-findings.md` for plan to tune Alpine.js `x-html` false positives + +### Current Validator Results + +| Validator | Files | Errors | Warnings | Info | +|-----------|-------|--------|----------|------| +| Architecture | 607 | 0 | 0 | 0 | +| Security | 1323 | 0 | 0 | 1600 | +| Performance | 1195 | 0 | 0 | 1527 | +| Audit | 0 | 0 | 2 | 0 | + +**Total: 0 errors, 2 warnings, 3127 info** + +The 2 audit warnings are configuration recommendations (not code issues): + +- `COMP-POL-001` — Pull request template recommended (`.github/PULL_REQUEST_TEMPLATE.md`) +- `THIRD-VULN-002` — Dependency scanning recommended (`.github/dependabot.yml`) --- 
@@ -49,33 +62,31 @@ --- -## Remaining Findings & Recommendations +## Remaining Info Findings (3127) -### Performance Warnings (77 PERF-006) +All errors and warnings (except 2 audit config recommendations) are resolved. What remains are **info-level** findings only. -These flag `db.add()` inside loops and suggest `db.add_all()`. +### Security Info (1600 SEC-015) -- **~50 in tests/fixtures/seeds** — Leave alone. Performance is irrelevant in test setup. -- **~25 in production services** — Most have conditional logic inside the loop preventing simple `add_all()`. Useful as a backlog for anyone optimizing a specific service. +| Rule | Count | What | Status | Effort | +|------|-------|------|--------|--------| +| **SEC-015** | 1600 | `x-html` in Alpine.js templates | **Proposal written** — see `fix-1600-sec015-xhtml-findings.md` | Medium | -**Recommendation: Leave as warnings. They serve as a useful improvement backlog.** - -### Info Findings (1600 SEC-015 + 1530 PERF) +### Performance Info (1527) | Rule | Count | What | Recommendation | Effort | |------|-------|------|----------------|--------| -| **SEC-015** | 1600 | `x-html` in Alpine.js templates | **Tune the rule** — add exception for Alpine.js `x-html` with server-rendered content | Medium | -| **PERF-048** | 633 | "Consider chunked processing" | Leave as info | — | -| **PERF-009** | 583 | Loop updates | Leave as info | — | +| **PERF-048** | 630 | "Consider chunked processing" | Leave as info | — | +| **PERF-009** | 580 | Loop updates | Leave as info | — | | **PERF-067** | 145 | `
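Review bot: the new Status line in the front matter ("errors and warnings resolved") contradicts the results table this same patch adds further down, which reports `Total: 0 errors, 2 warnings, 3127 info`. Suggest wording the header to match the numbers, e.g. `**Status:** Implemented (noqa mechanism complete; errors resolved; 2 audit config warnings open; info findings remain)`, so a reader skimming the top of the document is not told the warnings are gone.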
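Review bot: item 6 says the 77 PERF-006 warnings were "addressed" in `1cb659e` but not how. Since this document is specifically about noqa suppressions, and the section removed in the next hunk recommended leaving the ~50 test/fixture instances alone, please state per category whether the loops were refactored to `db.add_all()` or suppressed with noqa, so real fixes are distinguishable from silenced findings. Two smaller points in the same hunk: the Audit row lists `0` files yet reports 2 warnings (use `—` as the old Ruff row did if the audit is repository-level rather than per-file), and the Ruff row disappeared from the table without a note on whether Ruff still runs. For `THIRD-VULN-002`, which is a supply-chain control, linking the follow-up issue or owner would be more useful than leaving it as a bare recommendation.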
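Review bot: the SEC-015 row swaps the earlier recommendation (add an exception for Alpine.js `x-html` bound to server-rendered content) for a pointer to the proposal, but the count is unchanged at 1600, so none of the findings have been triaged yet. Because `x-html` is an HTML-injection sink whenever the bound value is not already escaped server-side, the proposal reference here should say how "server-rendered content" will be distinguished from user-controlled values, rather than reading as a blanket exception for the rule. Also, the two tables in this section now use different headers (`Status` vs. `Recommendation`); pick one, and keep the `(3127)` in the section heading tied to the `1600` and `1527` row totals when those are next updated.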