sboulahtit/orion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: update validator noqa proposal with current results

Browse Source 
Reflect resolved architecture warnings, performance warnings, and
current info-only findings (3127) from validate_all output.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Samir Boulahtit
2026-02-16 14:25:45 +01:00
parent 0b701fb847
commit 6458ab13d7
1 changed files with 37 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

63
docs/proposals/validator-noqa-suppressions-and-remaining-findings.md
View File

@@ -1,7 +1,8 @@
# Validator Noqa Suppressions & Remaining Findings # Validator Noqa Suppressions & Remaining Findings
**Date:** 2026-02-14 **Date:** 2026-02-14
**Status:** Implemented (noqa mechanism + initial suppressions) **Updated:** 2026-02-16
**Status:** Implemented — noqa mechanism complete, errors and warnings resolved, info findings remain
## What Was Done ## What Was Done
@@ -12,15 +13,27 @@
3. **Consistent noqa wiring** — all check functions in `validate_security.py` (21 locations) and `validate_performance.py` (18 locations) now respect noqa 3. **Consistent noqa wiring** — all check functions in `validate_security.py` (21 locations) and `validate_performance.py` (18 locations) now respect noqa
4. **`site/` added to `IGNORE_PATTERNS`** — excludes mkdocs build output from scanning 4. **`site/` added to `IGNORE_PATTERNS`** — excludes mkdocs build output from scanning
### Validator Results After Suppressions ### Follow-up Fixes (Since Initial Implementation)
| Validator | Errors | Warnings | Info | 5. **4 architecture warnings resolved** (`3ec58c1`) — fixed catalog→inventory cross-module imports
|-----------|--------|----------|------| 6. **77 performance warnings resolved** (`1cb659e`) — addressed all PERF-006 `db.add()` in loop warnings
| Architecture | 0 | 4 | 0 | 7. **SEC-015 proposal written** (`0b701fb`) — see `fix-1600-sec015-xhtml-findings.md` for plan to tune Alpine.js `x-html` false positives
| Security | 0 | 0 | 1600 |
| Performance | 0 | 77 | 1530 | ### Current Validator Results
| Audit | 0 | 0 | 0 |
| Ruff | 0 | 0 | — | | Validator | Files | Errors | Warnings | Info |
|-----------|-------|--------|----------|------|
| Architecture | 607 | 0 | 0 | 0 |
| Security | 1323 | 0 | 0 | 1600 |
| Performance | 1195 | 0 | 0 | 1527 |
| Audit | 0 | 0 | 2 | 0 |
**Total: 0 errors, 2 warnings, 3127 info**
The 2 audit warnings are configuration recommendations (not code issues):
- `COMP-POL-001` — Pull request template recommended (`.github/PULL_REQUEST_TEMPLATE.md`)
- `THIRD-VULN-002` — Dependency scanning recommended (`.github/dependabot.yml`)
--- ---
@@ -49,33 +62,31 @@
--- ---
## Remaining Findings & Recommendations ## Remaining Info Findings (3127)
### Performance Warnings (77 PERF-006) All errors and warnings (except 2 audit config recommendations) are resolved. What remains are **info-level** findings only.
These flag `db.add()` inside loops and suggest `db.add_all()`. ### Security Info (1600 SEC-015)
- **~50 in tests/fixtures/seeds** — Leave alone. Performance is irrelevant in test setup. | Rule | Count | What | Status | Effort |
- **~25 in production services** — Most have conditional logic inside the loop preventing simple `add_all()`. Useful as a backlog for anyone optimizing a specific service. |------|-------|------|--------|--------|
| **SEC-015** | 1600 | `x-html` in Alpine.js templates | **Proposal written** — see `fix-1600-sec015-xhtml-findings.md` | Medium |
**Recommendation: Leave as warnings. They serve as a useful improvement backlog.** ### Performance Info (1527)
### Info Findings (1600 SEC-015 + 1530 PERF)
| Rule | Count | What | Recommendation | Effort | | Rule | Count | What | Recommendation | Effort |
|------|-------|------|----------------|--------| |------|-------|------|----------------|--------|
| **SEC-015** | 1600 | `x-html` in Alpine.js templates | **Tune the rule** — add exception for Alpine.js `x-html` with server-rendered content | Medium | | **PERF-048** | 630 | "Consider chunked processing" | Leave as info | — |
| **PERF-048** | 633 | "Consider chunked processing" | Leave as info | — | | **PERF-009** | 580 | Loop updates | Leave as info | — |
| **PERF-009** | 583 | Loop updates | Leave as info | — |
| **PERF-067** | 145 | `<script>` without `defer`/`async` | **Add `defer` to script tags** — actual UX improvement | Low | | **PERF-067** | 145 | `<script>` without `defer`/`async` | **Add `defer` to script tags** — actual UX improvement | Low |
| **PERF-046** | 55 | "Use generators" | Leave as info | — | | **PERF-046** | 56 | "Use generators" | Leave as info | — |
| **PERF-051** | 47 | String concatenation | Leave as info | — | | **PERF-051** | 47 | String concatenation | Leave as info | — |
| **PERF-003** | 46 | Query limiting | Leave as info (most have pagination) | — | | **PERF-003** | 47 | Query limiting | Leave as info (most have pagination) | — |
| **PERF-058** | 22 | Images without `loading="lazy"` | **Add `loading="lazy"`** — actual UX improvement | Low | | **PERF-058** | 22 | Images without `loading="lazy"` | **Add `loading="lazy"`** — actual UX improvement | Low |
### Priority Order ### Priority Order
1. **Do nothing more now** — validators are clean where it matters (0 errors, 0 security warnings) 1. **Tune SEC-015** to recognize Alpine.js patterns — eliminates 1600 noise findings at the source (proposal ready)
2. **Quick wins when convenient**: add `defer` to scripts (PERF-067) and `loading="lazy"` to images (PERF-058) 2. **Quick wins**: add `defer` to scripts (PERF-067, 145 findings) and `loading="lazy"` to images (PERF-058, 22 findings)
3. **Tune SEC-015** to recognize Alpine.js patterns — eliminates 1600 noise findings at the source 3. **Fix the 6 fixable noqa** — minor cleanup, do whenever touching those files
4. **Fix the 6 fixable noqa** — minor cleanup, do whenever touching those files 4. **Audit config**: add PR template and dependabot config to eliminate 2 remaining warnings