feat(ci): adopt @quality-gate/core for multi-metric merge gate

[AlexandreCamillo]

Summary

• Replaces the bespoke scripts/coverage-ratchet.ts + coverage-data orphan branch with the upstream alkg-cloud/quality-gate engine, pinned at commit 192fcaf3.
• Adds five ratcheted metrics: coverage (vitest), lint (biome), duplication (jscpd), file_size, security (pnpm audit).
• New orphan branch quality-metrics replaces coverage-data (latter to be deleted post-merge).
• See docs/quality-gate.md for the full contract.

What's in this PR

Change	File(s)
Config	quality-gate.config.json
Adapter	.quality-gate/adapter.sh, .quality-gate/README.md
Workflows	.github/workflows/quality-gate-pr.yml, .github/workflows/quality-gate-main.yml
Bespoke ratchet removed	scripts/coverage-ratchet.ts, scripts/lib/coverage-compare.ts, tests/unit/scripts/coverage-compare.test.ts, ratchet step in .github/workflows/test.yml
Docs	docs/quality-gate.md (new), docs/ci.md, docs/testing.md, docs/INDEX.md, README.md (badges)
Tolerance	epsilon: 0.1 (preserves the 0.10pp drift tolerance from the bespoke ratchet)

Why we clone+build the upstream engine

@quality-gate/core is not published to npm (E404) and the upstream repo has no GitHub releases/tags + does not commit dist/. Both workflows clone the upstream at the pinned SHA 192fcaf3 and run pnpm install && pnpm run build before invoking node /tmp/qg-core/dist/cli.js. To bump the pin, edit the SHA in both workflow files.

Bootstrap behaviour (this PR's CI)

The first PR runs without a baseline. The engine returns bootstrap: true, skips ratchet comparisons, and only blocks on critical audit vulnerabilities. Local dry-run confirms:

```json
{ "gate_passed": true, "bootstrap": true, "regressions": 0, "warnings": 0 }
```

Current snapshot: coverage 58.99%, duplication 18.75%, lint 0 errors, 9 files >500 lines, security 0 critical / 0 high / 3 moderate / 0 low.

Merging this PR populates quality-metrics on first push; subsequent PRs are ratcheted normally.

Required follow-up after merge (user-driven, NOT in this PR)

1. Wait for `quality-gate-baseline` to finish on the merge commit, then verify the orphan branch exists: `git fetch origin && git branch -r | grep quality-metrics`.
2. Verify badges resolve: open the two `img.shields.io/endpoint?url=…/quality-metrics/badges/*.json` URLs in a browser.
3. Delete the legacy orphan branch: `git push origin --delete coverage-data`.
4. Update branch protection on `main`: replace any required check that referred to the bespoke coverage ratchet with `quality-gate / quality-gate`. Keep `lint`, `typecheck`, `build`, `test-coverage`, `e2e`.

Test plan

• `quality-gate / quality-gate` check appears on this PR and passes (bootstrap mode, only blocks on `critical`).
• Sticky PR comment is posted showing all 5 metrics.
• After merge, `quality-gate-baseline` workflow runs and creates `quality-metrics` branch with `baseline.json`, `badges/coverage.json`, `badges/quality.json`, `README.md`.
• After merge, README badges resolve.

[github-actions]

🚦 Quality Gate — ⚙️ BOOTSTRAP

Adapter: markup@0.1.0 · Tools: vitest, biome, jscpd, pnpm-audit
Baseline: pending — will be created on first merge to default branch.

Metric	Baseline	PR	Δ	Status
Coverage	—	59.06%	—	✅
Duplication	—	19.35%	—	✅
Lint (total)	—	3181	—	✅
Oversized	—	9	—	✅
Security	—	0 crit	—	✅

⚙️ Bootstrap pending — baseline will be created on first merge to default branch. Critical security issues still block.

[AlexandreCamillo]

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

🤖 Generated with Claude Code

_{- If this code review was useful, please react with 👍. Otherwise, react with 👎.}

[AlexandreCamillo]

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

🤖 Generated with Claude Code