chore(ci): adopt ratchet-based quality gate

[AlexandreCamillo]

Summary

Adopts the alkg-cloud/quality-gate engine — a strict, ratchet-based quality gate that runs on every PR and fails it on regression. It is additive to test.yml (does not replace lint/typecheck/test/build). Per-PR metrics are compared against a baseline stored on the orphan quality-metrics branch, refreshed on every push to main.

This is the bootstrap PR: it runs in bootstrap mode (no baseline yet) and passes. Merging it creates the orphan branch and the first baseline.

Files

• quality-gate.config.json — strict ratchet (epsilon 0), MAX_FILE_LINES 300, MIN_NEW_FILE_COVERAGE 60, blocks critical / warns high security advisories; adapter name node.

• .quality-gate/adapter.sh — emits the six canonical metric files using this repo's own tooling:

  • coverage — Vitest (v8 provider, json-summary), full unit + integration suite
  • lint — biome check . (errors + warnings per file)
  • duplication — jscpd over src/
  • file_size — tracked source (git ls-files) ≥ MAX_FILE_LINES
  • security — pnpm audit severity counts

  The adapter self-bootstraps its environment (corepack → pnpm install → prisma generate → fixtures) because the gate workflows check out Node only.

• .github/workflows/quality-gate-pr.yml / quality-gate-main.yml — copied from the engine templates; Node pinned to 22 to match engines.node.

• docs/ci.md — new "Quality gate" section.

Baseline this PR's merge will capture

Metric	Value
Coverage (lines)	73.1%
Duplication	3.82% (117 clones)
Lint (biome err+warn)	3
Files ≥ 300 lines	28
Security	0 critical / 0 high / 3 moderate

Local verification

• qg-core collect — all six files schema-valid ✅
• qg-core compare --baseline NONE — gate_passed: true (bootstrap) ✅

Notes for the reviewer (require admin / a decision)

1. Branch protection: add the required status check quality-gate / quality-gate (this cannot be set from the PR).
2. Merge creates the baseline — do not merge until the required check is configured as desired.

Heads-up / tunables

• The gate runs the full test suite + a native pnpm install on every PR and every push to main, roughly doubling CI time vs test.yml. Coverage can be scoped to unit-only later if that's too heavy.
• Lint counts biome warnings too, so a new (even justified) any warning trips the ratchet — tunable to errors-only.
• QG_REF is main (mutable); pin to a tag/SHA in the workflows' install step for reproducible CI.

Test plan

• quality-gate check runs green on this PR (bootstrap mode)
• After merge, the quality-gate-baseline run creates the quality-metrics orphan branch
• A follow-up PR exercises the ratchet (e.g. confirm a coverage drop fails the gate)

[AlexandreCamillo]

Closing as a duplicate: the quality gate is already implemented and merged on main via #47. This branch was built from a stale local main before fetching, so it's redundant and out of date.