---
issue: 117
title: "Frontend/scanner/backend: production/manual CI pipelines lack lint/type/test/audit gates"
severity: medium
domain: CI/CD
labels: [ci-cd, quality, supply-chain]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# Frontend/scanner/backend: production/manual CI pipelines lack lint/type/test/audit gates

**Severity:** medium

**Domain:** CI/CD

**Labels:** ci-cd, quality, supply-chain

## Description

Production and manual CI pipelines across all three repos push images without the same lint/type/test gates that development pipelines apply. A broken build can be pushed to production via a manual trigger. NB-37 added a typecheck to the backend manual pipeline; the broader question of enforcing gates on all production/manual pipelines remains.

## Options

1. Add tsc/lint/test (and `go vet`/`go test` for scanner) to production and manual pipelines.
2. Reuse the development pipeline's gate as a shared step.
3. Block manual pipeline pushes unless a gate flag is passed.

## Recommendation

Require the same lint/type/test gate on production and manual pipelines across all repos. This is a known project memory item ("verify before push").

## Affected Files

- `frontend/.woodpecker/production.yml`
- `backend/.woodpecker/manual.yml`
- `scanner/.woodpecker/manual.yml`
- `scanner/.woodpecker/production.yml`

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-77
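
An added sketch of option 1 for a scanner manual pipeline, written for this note and not taken from the project's files: the vet, test and audit steps run first, and the image push lists them in `depends_on` so a failed gate stops the publish. The image tags, registry address, secret names and the choice of `govulncheck` as the audit step are assumptions.

```yaml
# Constructed example of a gated manual pipeline (Woodpecker 2.x syntax).
# Not the contents of scanner/.woodpecker/manual.yml.
when:
  - event: manual

steps:
  - name: vet
    image: golang:1.22            # assumed toolchain image
    commands:
      - go vet ./...

  - name: test
    image: golang:1.22
    commands:
      - go test ./...

  - name: audit
    image: golang:1.22
    commands:
      # Assumption: govulncheck is used as the dependency audit gate.
      - go install golang.org/x/vuln/cmd/govulncheck@latest
      - govulncheck ./...

  - name: publish
    image: woodpeckerci/plugin-docker-buildx
    # The push runs only after every gate step has succeeded.
    depends_on:
      - vet
      - test
      - audit
    settings:
      repo: registry.example.com/scanner   # placeholder registry/repo
      tags: latest
      username:
        from_secret: registry_user         # placeholder secret names
      password:
        from_secret: registry_password
```

The three gate steps have no `depends_on` of their own, so they start in parallel; any non-zero exit fails the workflow before `publish` is scheduled.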