Quality Gates

• CI must pass (lint + unit + integration) before merge.
• Coverage >= 80% on backend services touched by the feature.
• No high severity ESLint issues.
• Vulnerability scan clean for high/critical.