Chore: Enforce Automated Code Quality, Security Scanning, and Test Coverage Thresholds

Bug Report

Describe the Bug

The project currently has no automated enforcement of code quality, security, or test coverage. This means bugs, security vulnerabilities, and untested code can silently enter the codebase without any warnings or failures during commit, push, or CI pipeline stages.

Specific problems observed:

  • Several modules (vlm_client.py, models.py) have 0% test coverage, meaning regressions in these areas would go completely undetected.
  • Overall project coverage sits at approximately 80%, leaving a significant portion of the codebase untested.
  • There is no enforcement of commit message standards, leading to an inconsistent and hard-to-read git history.
  • Security issues (e.g., use of insecure /tmp paths) are not being caught automatically at any stage of the development lifecycle.
  • Dead code and type safety violations are not flagged before they reach the repository.

Expected Behavior

  • Any commit or push that introduces poorly typed, insecure, or untested code should be automatically blocked.
  • The CI/CD pipeline should enforce a minimum coverage threshold and fail visibly if it is not met.
  • Developers should receive immediate, actionable feedback locally before code ever reaches the remote.

Current Behavior

  • No pre-commit hooks are configured.
  • No coverage thresholds are enforced locally or in CI.
  • No security scanning is run at any stage.
  • Commit messages follow no enforced standard.

Environment

| Field | Value |
|---|---|
| Language | Python |
| Package Manager | uv |
| CI Platform | GitLab CI |

Additional Context

I'm not sure exactly how to set all of this up, but the tools I've seen used in similar projects include things like pre-commit, ruff, mypy, bandit, and pytest-cov. There may also be a way to configure GitLab CI to visualize coverage directly on the MR page.

Ideally the solution should require minimal manual setup for new developers joining the project — something that installs and configures itself as part of the standard uv sync workflow.

Any help or pointers on the right approach here would be appreciated.
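As an added example (not part of this issue and not the project's own configuration), a `.gitlab-ci.yml` that wires the tools named above into the pipeline: the lint job fails on ruff, mypy or bandit findings, and the test job fails visibly below a coverage floor while publishing a Cobertura report so coverage shows on the MR page. The image tag, the `src` package path and the 85% floor are assumptions to adjust for the project.

```yaml
# .gitlab-ci.yml -- added example; image tag, package path (src) and the 85% floor are assumptions
stages: [lint, test]

default:
  image: ghcr.io/astral-sh/uv:python3.12-bookworm-slim   # assumption: official uv image
  before_script:
    - uv sync --frozen      # installs ruff, mypy, bandit, pytest-cov from the lockfile (dev deps)

lint:
  stage: lint
  script:
    - uv run ruff check .            # lint + dead-code rules (F401 unused import, F841 unused variable)
    - uv run ruff format --check .
    - uv run mypy src                # type-safety violations fail the job
    # Security scan: -ll reports MEDIUM severity and above, which includes
    # B108 (hardcoded /tmp directory), the insecure-path issue noted in the report.
    - uv run bandit -r src -ll

test:
  stage: test
  script:
    # --cov=src reports every file under src, so modules no test ever imports
    # (the 0% cases in the report) count against the total instead of being skipped.
    # --cov-fail-under makes pytest exit non-zero below the floor, failing the pipeline visibly.
    - uv run pytest --cov=src --cov-report=term-missing --cov-report=xml:coverage.xml --cov-fail-under=85
  # Regex GitLab documents for pytest-cov output; fills the pipeline/MR coverage badge.
  coverage: '/TOTAL.*? (100(?:\.0+)?\%|[1-9]?\d(?:\.\d+)?\%)$/'
  artifacts:
    when: always                     # keep the report even when the threshold fails
    reports:
      coverage_report:
        coverage_format: cobertura   # enables per-line coverage visualization in the MR diff
        path: coverage.xml
```

The same `ruff`, `mypy` and `bandit` invocations can be registered as pre-commit hooks so developers get the local feedback the issue asks for before anything reaches the remote.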