feat: adopt treemapper CI/CD best practices

CI improvements:
- Add matrix testing (3 OS × 4 Python versions = 12 jobs)
- Separate jobs: pre-commit, lint-type-check, test
- Add coverage reporting with 40% threshold
- Add mutation testing job (main branch only)
- Add complexity checks with radon
- Add architecture validation with import-linter

pyproject.toml improvements:
- Add Python 3.10-3.13 classifiers
- Add maintainers field
- Expand ruff rules (I, N, S, UP)
- Add pytest asyncio_mode and pythonpath
- Add ruff.lint.isort with known-first-party

CD improvements:
- Fix version injection with proper regex
- Update PyPI URL to arbitrium-core

Pre-commit updates:
- Correct isort→black ordering
- Update versions (isort 7.0.0, ruff 0.14.0)
- Change default Python to 3.12 for stability

Author: nikolay-e

.github/workflows/cd.yml

@@ -1,5 +1,5 @@
 # .github/workflows/cd.yml
-name: Arbitrium Framework CD
+name: CD
 
 permissions:
   contents: write
@@ -43,14 +43,13 @@ jobs:
           echo "Setting version to $VERSION"
           # Robust version updating using Python
           python -c "
+          import re
+          ver = '${{ github.event.inputs.version }}'
           with open('src/arbitrium/__about__.py', 'r') as f:
               content = f.read()
+          content = re.sub(r'__version__\s*=\s*[\"'\''].*?[\"'\'']', f'__version__ = \"{ver}\"', content, count=1)
           with open('src/arbitrium/__about__.py', 'w') as f:
-              lines = content.split('\n')
-              for i, line in enumerate(lines):
-                  if line.startswith('__version__'):
-                      lines[i] = f'__version__ = \"$VERSION\"'
-              f.write('\n'.join(lines))
+              f.write(content)
           "
           echo "__about__.py content after change:"
           cat src/arbitrium/__about__.py
@@ -168,7 +167,7 @@ jobs:
     runs-on: ubuntu-latest
     environment:
       name: pypi
-      url: https://pypi.org/p/arbitrium-framework
+      url: https://pypi.org/p/arbitrium-core
     permissions:
       id-token: write
     steps:

.github/workflows/ci.yml

@@ -1,15 +1,20 @@
-name: Code Quality CI
+name: CI
 
 "on":
   push:
     branches: [main]
   pull_request:
-    branches: [main]
+    branches: ['**']
 
 permissions:
   contents: read
+  security-events: write
 
 jobs:
+  # ============================================================================
+  # LAYER 1: Fast feedback (runs first)
+  # ============================================================================
+
   pre-commit:
     name: Pre-commit hooks
     runs-on: ubuntu-latest
@@ -19,19 +24,213 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
-          python-version: "3.13"
+          python-version: "3.12"
 
       - name: Cache pre-commit
         uses: actions/cache@v5
         with:
           path: ~/.cache/pre-commit
           key: pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}
 
-      - name: Install Python dependencies
+      - name: Install pre-commit
         run: |
           python -m pip install --upgrade pip
           pip install pre-commit
-          pip install -e .[dev]
 
       - name: Run pre-commit
         run: pre-commit run --all-files
+
+  lint-type-check:
+    name: Lint & Type Check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.12"
+
+      - name: Cache pip
+        uses: actions/cache@v5
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-lint-pip-${{ hashFiles('**/pyproject.toml') }}
+          restore-keys: |
+            ${{ runner.os }}-lint-pip-
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e .[dev]
+
+      - name: Run ruff
+        run: ruff check src tests
+
+      - name: Run black
+        run: black --check src tests
+
+      - name: Run mypy
+        run: mypy src
+
+  # ============================================================================
+  # LAYER 2: Tests (depends on Layer 1)
+  # ============================================================================
+
+  test:
+    name: Test (Python ${{ matrix.python-version }} / ${{ matrix.os }})
+    needs: [pre-commit, lint-type-check]
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        python-version: ['3.10', '3.11', '3.12', '3.13']
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Cache pip
+        uses: actions/cache@v5
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ matrix.python-version }}-${{ hashFiles('**/pyproject.toml') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-${{ matrix.python-version }}-
+            ${{ runner.os }}-pip-
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e .[dev]
+
+      - name: Run tests with coverage
+        run: |
+          pytest tests/ -v \
+            --cov=src/arbitrium \
+            --cov-report=xml \
+            --cov-report=term-missing \
+            --cov-branch \
+            --junitxml=test-results.xml
+        env:
+          SKIP_DB_INIT: "true"
+
+      - name: Enforce coverage threshold
+        if: runner.os == 'Linux' && matrix.python-version == '3.12'
+        run: coverage report --fail-under=40
+
+      - name: Upload coverage report
+        if: runner.os == 'Linux' && matrix.python-version == '3.12'
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-report
+          path: |
+            coverage.xml
+            test-results.xml
+          retention-days: 1
+
+  # ============================================================================
+  # LAYER 3: Quality analysis (parallel, non-blocking on main)
+  # ============================================================================
+
+  mutation-testing:
+    name: Mutation Testing
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.12"
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e .[dev]
+
+      - name: Run mutation testing
+        run: |
+          mutmut run . || true
+          mutmut results || true
+        env:
+          SKIP_DB_INIT: "true"
+
+  complexity-checks:
+    name: Complexity Analysis
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.12"
+
+      - name: Install radon
+        run: pip install radon
+
+      - name: Check cyclomatic complexity
+        run: |
+          echo "=== Cyclomatic Complexity ==="
+          radon cc src/arbitrium/ --min B --total-average
+          radon cc src/arbitrium/ --min C --total-average || \
+            (echo "::warning::High complexity detected (grade C or worse)" && exit 0)
+
+      - name: Check maintainability index
+        run: |
+          echo "=== Maintainability Index ==="
+          radon mi src/arbitrium/ --min B
+
+  architecture-checks:
+    name: Architecture Validation
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.12"
+
+      - name: Install import-linter
+        run: pip install import-linter
+
+      - name: Create import contracts
+        run: |
+          cat > .importlinter <<EOF
+          [importlinter]
+          root_package = arbitrium
+
+          [importlinter:contract:1]
+          name = CLI should not import core internals directly
+          type = forbidden
+          source_modules = arbitrium.cli
+          forbidden_modules = arbitrium.core.tournament
+
+          [importlinter:contract:2]
+          name = Models should not import CLI
+          type = forbidden
+          source_modules = arbitrium.models
+          forbidden_modules = arbitrium.cli
+
+          [importlinter:contract:3]
+          name = Utils should be independent
+          type = independence
+          modules =
+            arbitrium.utils
+          EOF
+
+      - name: Install package
+        run: pip install -e .
+
+      - name: Validate architecture
+        run: lint-imports || echo "::warning::Architecture violations detected"

.pre-commit-config.yaml

@@ -1,7 +1,7 @@
 minimum_pre_commit_version: '3.5.0'
 default_stages: [pre-commit]
 default_language_version:
-  python: python3.13
+  python: python3.12
   node: system
 
 fail_fast: false
@@ -44,25 +44,25 @@ repos:
         args: ['--verbose']
 
   # ============================================================================
-  # CODE FORMATTING (minimal - consistency only, not quality)
+  # CODE FORMATTING (Order matters: isort → black to avoid conflicts)
   # ============================================================================
+  - repo: https://github.com/pycqa/isort
+    rev: 7.0.0
+    hooks:
+      - id: isort
+
   - repo: https://github.com/psf/black
     rev: 25.9.0
     hooks:
       - id: black
         language_version: python3
 
-  - repo: https://github.com/pycqa/isort
-    rev: 6.1.0
-    hooks:
-      - id: isort
-
   - repo: https://github.com/asottile/pyupgrade
     rev: v3.21.1
     hooks:
       - id: pyupgrade
         name: pyupgrade (auto-upgrade Python syntax)
-        args: ['--py313-plus']
+        args: ['--py310-plus']
         files: ^src/.*\.py$
 
   # ============================================================================
@@ -167,7 +167,7 @@ repos:
   # Using Ruff for speed; flake8 removed to avoid redundancy
   # ============================================================================
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.13.3
+    rev: v0.14.0
     hooks:
       - id: ruff
         name: ruff (correctness-focused checks)