ci(gitflow): enforce branch and PR governance checks

.gitea/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,17 @@
+## Summary
+
+- TODO item reference (exact text): `...`
+- Scope (single primary TODO item): `...`
+
+## Checklist
+
+- [ ] Linked TODO item is in `TODO.md`
+- [ ] Branch name follows `todo/*`, `refactor/*`, or `code/*`
+- [ ] `bun run check`
+- [ ] `bun run typecheck`
+- [ ] `bun run test`
+- [ ] E2E validation plan included (`bun run test:e2e` or reason if deferred)
+
+## Notes
+
+- Risks / migrations / rollout notes:

.gitea/scripts/check-branch-name.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env sh
+set -eu
+
+branch="${1:-}"
+
+if [ -z "$branch" ]; then
+  echo "Missing branch name."
+  exit 1
+fi
+
+case "$branch" in
+  dev|staging|main)
+    echo "Long-lived branch detected: $branch"
+    exit 0
+    ;;
+esac
+
+if printf "%s" "$branch" | grep -Eq '^(todo|refactor|code)\/[a-z0-9]+([._-][a-z0-9]+)*$'; then
+  echo "Branch naming valid: $branch"
+  exit 0
+fi
+
+echo "Invalid branch name: $branch"
+echo "Expected: todo/<slug> | refactor/<slug> | code/<slug>"
+exit 1

.gitea/scripts/check-pr-todo-reference.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env sh
+set -eu
+
+body="${1:-}"
+
+if [ -z "$body" ]; then
+  echo "PR body is empty."
+  exit 1
+fi
+
+if printf "%s" "$body" | grep -Eq 'TODO|todo|\[P[1-3]\]'; then
+  echo "PR body includes TODO reference."
+  exit 0
+fi
+
+echo "PR body must reference the related TODO item."
+exit 1

.gitea/scripts/configure-branch-protection.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env sh
+set -eu
+
+if [ "${#}" -ne 4 ]; then
+  echo "Usage: $0 <base-url> <owner> <repo> <token>"
+  exit 1
+fi
+
+base_url="$1"
+owner="$2"
+repo="$3"
+token="$4"
+
+protect_branch() {
+  branch="$1"
+
+  curl -sS -X POST \
+    "${base_url}/api/v1/repos/${owner}/${repo}/branch_protections" \
+    -H "Authorization: token ${token}" \
+    -H "Content-Type: application/json" \
+    -d "{
+      \"branch_name\": \"${branch}\",
+      \"enable_push\": false,
+      \"enable_push_whitelist\": false,
+      \"enable_merge_whitelist\": false,
+      \"enable_status_check\": true,
+      \"status_check_contexts\": [\"Governance Checks\", \"Lint Typecheck Unit E2E\"]
+    }" >/dev/null
+}
+
+protect_branch "main"
+protect_branch "staging"
+
+echo "Branch protection applied for main and staging."

.gitea/workflows/ci.yml

@@ -25,8 +25,38 @@ env:
   CMS_SUPPORT_LOGIN_KEY: "support-access"
 
 jobs:
+  governance:
+    name: Governance Checks
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Validate branch naming
+        run: |
+          branch="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}"
+          sh .gitea/scripts/check-branch-name.sh "$branch"
+
+      - name: Validate PR TODO reference
+        if: github.event_name == 'pull_request'
+        run: |
+          body='${{ github.event.pull_request.body }}'
+          sh .gitea/scripts/check-pr-todo-reference.sh "$body"
+
+      - name: Commit schema check (latest commit)
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: ${{ env.BUN_VERSION }}
+
+      - name: Install dependencies for commitlint
+        run: bun install --frozen-lockfile
+
+      - name: Commitlint
+        run: bun run commitlint
+
   quality:
     name: Lint Typecheck Unit E2E
+    needs: governance
     runs-on: ubuntu-latest
     services:
       postgres: