ci(validation): add local-first validation framework #140

Open
justinrayshort wants to merge 4 commits into main from infra/139-local-first-validation-framework
Conversation

@justinrayshort
Member

Summary

Introduce a repo-owned local-first validation framework in xtask, align GitHub workflows to the same suite-selection and execution logic, block failing or stale branches before push, and stop tracking generated UI styling artifacts that cause recurring merge conflicts.

Linked Issue

Closes #139

Execution Artifacts

  • Task contract: plans/139-local-first-validation-framework/task-contract.json
  • Exec plan: plans/139-local-first-validation-framework/EXEC_PLAN.md

ADR References

  • AGENTS.md
  • ARCHITECTURE.md
  • docs/architecture/layer-boundaries.md
  • DEVELOPMENT_MODEL.md

Impacted Domains

  • repo-owned validation and delivery governance
  • UI generated-asset flow

Layers Touched

  • enterprise
  • schemas
  • shared
  • platform
  • services
  • workflows
  • ui
  • infrastructure
  • agents
  • testing
  • docs
  • .github / delivery tooling

Contracts Changed

  • Validation command surface now includes cargo xtask validate doctor|bootstrap|changed|suite|ci|install-hooks.
  • GitHub-required checks now flow through repo-owned validation entrypoints and documented required-check names.

Tests Added or Updated

  • Added xtask coverage for suite selection, base resolution, hotspot freshness enforcement, and security exception metadata validation.
  • Updated governance/process-audit expectations to keep workflow and policy drift under test.

Refreshed from Main

  • Branch refreshed from the latest target branch before review: yes
  • Validation rerun after refresh: yes

Risk Class

  • high

Affected Consistency Class

  • Class B

Affected Risk Tier

  • medium

Architecture Delta

  • Multi-plane sequence was required because the validation framework, GitHub workflow policy, pre-push enforcement, and generated UI asset handling must land together to keep local and remote validation coherent.

Workflow Checklist

  • This branch is based on the current target branch (origin/main for normal PRs, the parent branch for stacked PRs).
  • If this PR is stacked, the PR base points to the parent branch until that parent work merges.
  • If this PR touches ui/crates/desktop_runtime, ui/crates/system_ui, shared/, platform/, schemas/, .github/, or infrastructure/wasmcloud/manifests, I refreshed from the latest target branch and reran validation immediately before requesting merge.
  • If this PR changes shell, token, or Tailwind inputs, I regenerated the local derived UI outputs after the last rebase and did not commit repo-generated CSS/token files.
  • The repository pre-push hook is installed locally, or I am disclosing below why it was bypassed.

Local Validation

  • cargo xtask validate changed: pass
  • cargo xtask github validate-pr-local: pass
  • git push --no-verify used: no
  • If git push --no-verify was used, document the incident, rationale, and follow-up issue here.

Technical Changes

  • add the shared validation matrix in xtask/validation.toml and implement the cargo xtask validate command family
  • route cargo verify-repo and cargo verify-ui through repo-owned validation entrypoints
  • move security and governance checks into local-first xtask paths with repo-owned reporting and exception metadata
  • install a blocking pre-push hook and branch-freshness enforcement for conflict-prone paths
  • stop tracking generated UI CSS and Tailwind outputs and regenerate them deterministically from repo-owned flows
  • update contributor docs, templates, and workflows to reflect merge queue and local-first validation expectations

Testing Strategy

  • exercise the repo-owned changed-suite gate before push
  • run targeted repo-owned validation commands locally for governance, security, UI verification, and UI hardening
  • keep workflow/process drift under xtask test coverage and process audit validation

Rollback Path

  • Revert the validation framework, workflow parity updates, and generated-asset tracking changes together so local and remote validation stay aligned.

Validation Artifacts

  • cargo test -p xtask
  • cargo xtask github audit-process
  • cargo xtask validate doctor
  • cargo xtask validate suite security
  • cargo xtask validate changed --fetch-base
  • cargo verify-ui
  • cargo xtask ui-hardening
  • target/validation/*
  • target/process-audit/*
  • build/wasm-hardening/remediation-report.md

Deployment Impact

  • Changes GitHub governance and validation behavior for pull requests and merge-to-main, but does not introduce a runtime service rollout.
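
The branch-freshness rule from the workflow checklist, combined with the "blocking pre-push hook" item, sketched as an added example (not code from this PR or its repository). The function names, the `BASE_REF` variable, and the exact decision rule are assumptions; the hotspot prefixes are the ones the checklist lists.

```shell
#!/bin/sh
# Added illustration of a pre-push freshness gate; not the repository's hook.
# Conflict-prone prefixes copied from the PR's workflow checklist.
HOTSPOTS='ui/crates/desktop_runtime ui/crates/system_ui shared platform schemas .github infrastructure/wasmcloud/manifests'

# Reads changed paths on stdin (one per line). Succeeds if any path equals a
# hotspot or lies beneath it. Matching is on whole path components, so
# "shared_utils/x" does not match "shared".
touches_hotspot() {
    while IFS= read -r path; do
        for prefix in $HOTSPOTS; do
            case "$path" in
                "$prefix"|"$prefix"/*) return 0 ;;
            esac
        done
    done
    return 1
}

# decide BEHIND_COUNT  (changed paths on stdin)
# Prints "block" when the branch is behind its base and touches a hotspot,
# otherwise "allow". A missing or non-numeric count fails closed.
decide() {
    behind=$1
    case "$behind" in
        ''|*[!0-9]*) echo block; return ;;
    esac
    if [ "$behind" -gt 0 ] && touches_hotspot; then
        echo block
    else
        echo allow
    fi
}

# Hook entry point. BASE_REF is an assumed override; default is origin/main.
hook_main() {
    base=${BASE_REF:-origin/main}
    git fetch --quiet origin || { echo "pre-push: cannot fetch base" >&2; return 1; }
    behind=$(git rev-list --count "HEAD..$base") || return 1
    verdict=$(git diff --name-only "$base...HEAD" | decide "$behind")
    [ "$verdict" = allow ] && return 0
    echo "pre-push: stale branch touches a conflict-prone path; refresh from $base and revalidate" >&2
    return 1
}

# Run only when installed as .git/hooks/pre-push, so the file can be sourced.
case "$0" in */pre-push) hook_main "$@" ;; esac
```

Because `git push --no-verify` skips any client-side hook, a gate like this only holds if the same check also runs in the required server-side workflow.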

Development

Successfully merging this pull request may close these issues.

Establish local-first validation framework and conflict-resistant pre-push enforcement

1 participant