From 49cdcb523ce232ad12100df31d4ffd8fa32e8e96 Mon Sep 17 00:00:00 2001
From: Kurdistan Tech Ministry
Date: Wed, 19 Nov 2025 18:35:11 +0300
Subject: [PATCH] chore(ci): Establish quality gate and strengthen pre-commit hook
---
 .github/workflows/quality-gate.yml | 89 ++++++++++++++++++++++++++++++
 web/.husky/pre-commit | 9 +++
 2 files changed, 98 insertions(+)
 create mode 100644 .github/workflows/quality-gate.yml
 create mode 100644 web/.husky/pre-commit
diff --git a/.github/workflows/quality-gate.yml b/.github/workflows/quality-gate.yml
new file mode 100644
index 00000000..fb128476
--- /dev/null
+++ b/.github/workflows/quality-gate.yml
@@ -0,0 +1,89 @@
+name: Quality Gate
+
+on:
+ push:
+ branches: [ main, develop ]
+ pull_request:
+ branches: [ main, develop ]
+ workflow_dispatch:
+
+jobs:
+ # ========================================
+ # BUILD, LINT & TEST (CRITICAL)
+ # ========================================
+ quality-gate:
+ name: Build, Lint & Test
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Setup Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: '20'
+
+ - name: Cache npm dependencies
+ uses: actions/cache@v4
+ with:
+ path: ~/.npm
+ key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+ restore-keys: |
+ ${{ runner.os }}-node-
+
+ - name: Install dependencies
+ # Use workspace root package-lock.json
+ run: npm ci
+
+ - name: Run Linter
+ # Use web workspace for linting
+ run: npm run lint -w web
+
+ - name: Run Tests
+ # Use web workspace for testing
+ run: npm run test -w web -- --run
+
+ - name: Build Project
+ # Use web workspace for building
+ run: npm run build -w web
+
+ # ========================================
+ # SECURITY CHECKS (INFORMATIVE)
+ # ========================================
+ security-audit:
+ name: Security Audit
+ runs-on: ubuntu-latest
+ needs: quality-gate
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Setup Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: '20'
+
+ - name: Cache npm dependencies
+ uses: actions/cache@v4
+ with:
+ path: ~/.npm
+ key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+ restore-keys: |
+ ${{ runner.os }}-node-
+
+ - name: Install dependencies
+ run: npm ci
+
+ - name: Run npm audit
+ continue-on-error: true
+ run: npm audit --audit-level=high
+
+ - name: TruffleHog Secret Scan
+ continue-on-error: true
+ uses: trufflesecurity/trufflehog@main
+ with:
+ path: ./
+ base: ${{ github.event.repository.default_branch }}
+ head: HEAD
\ No newline at end of file
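Review bot: The secret-scan step pins `trufflesecurity/trufflehog@main`, so every run executes whatever that branch currently contains; pin it to a release tag or, better, a full commit SHA (`uses: trufflesecurity/trufflehog@<pinned-tag-or-commit-sha>`) so an upstream change cannot alter what runs with this repository's token. The workflow also declares no `permissions:` block, so both jobs inherit the repository's default GITHUB_TOKEN scope although nothing visible here needs more than `contents: read`. The scan is asked to diff `base` against `head`, but `actions/checkout@v4` fetches a single commit by default; TruffleHog's documented setup uses `fetch-depth: 0` for this mode, and on a push to the default branch base and head may resolve to the same commit, which as far as I recall makes the action exit without scanning anything. Both security steps are `continue-on-error: true`, so a live credential in a pull request never blocks the merge — that matches the "INFORMATIVE" heading, but if it is deliberate a comment on the step saying so would stop the next maintainer from reading it as an oversight.
```yaml
# … unchanged: name and on: triggers …
permissions:
  contents: read

jobs:
  # … unchanged: quality-gate job …
  security-audit:
    # … unchanged: name, runs-on, needs …
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history so the base..head secret scan has commits to diff
      # … unchanged: Node setup, cache, npm ci, npm audit …
      - name: TruffleHog Secret Scan
        continue-on-error: true  # findings are reported, not blocking (see "INFORMATIVE" above)
        uses: trufflesecurity/trufflehog@<pinned-tag-or-commit-sha>
        # … unchanged: with: path / base / head …
```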
diff --git a/web/.husky/pre-commit b/web/.husky/pre-commit
new file mode 100644
index 00000000..dcf9d6e4
--- /dev/null
+++ b/web/.husky/pre-commit
@@ -0,0 +1,9 @@
+#!/bin/sh
+. "$(dirname "$0")/_/husky.sh"
+
+echo "Running pre-commit hook..."
+echo "Linting code..."
+npm run lint -w web
+
+echo "Running tests..."
+npm run test -w web -- --run
\ No newline at end of file
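Review bot: The hook has no `set -e`, so if `npm run lint -w web` fails the script still runs the tests and exits with the test run's status, masking the lint failure; add `set -e` directly after the shebang rather than relying on the sourced `_/husky.sh` shim to re-run the hook with `-e` (it does so in husky 8 as far as I recall, but that shim line is deprecated in newer husky releases, so the safeguard may disappear on upgrade — worth confirming against the installed version). `-w web` also assumes the hook's working directory is the repository root with a workspaces-enabled root package.json; git runs hooks from the top of the working tree, so this should hold, but a one-line comment stating the assumption would help whoever relocates the hook. A local hook is skipped by `--no-verify` and by any contributor who has not installed husky, so the CI workflow, not this script, is the enforcement point; a comment at the top such as `# Convenience check only — the CI quality-gate workflow is authoritative` makes that explicit.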