feat: Install quality-rails for mechanical code quality enforcement

Quality Rails provides mechanical enforcement of code quality through
pre-commit hooks and CI/CD pipelines, preventing ~70% of common issues.

What's added:
- Pre-commit hooks via husky (formatting enforcement enabled)
- Enhanced ESLint rules (no-explicit-any, security plugin, etc.)
- lint-staged configuration (currently formatting-only mode)
- Woodpecker CI pipeline template (.woodpecker.yml)
- eslint-plugin-security for vulnerability detection
- Documentation (docs/quality-rails-status.md)

Current status:
- Strict enforcement DISABLED until existing violations are fixed
- Found 1,226 violations (1,121 errors, 105 warnings)
- Priority: Fix explicit 'any' types first
- Pre-commit currently only enforces Prettier formatting

Next steps:
1. Fix existing lint violations
2. Enable strict pre-commit enforcement
3. Configure CI/CD pipeline

Based on quality-rails from ~/src/quality-rails (monorepo template)
See docs/quality-rails-status.md for detailed roadmap.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

packages/config/eslint/base.js

@@ -2,6 +2,8 @@ import eslint from "@eslint/js";
 import tseslint from "typescript-eslint";
 import prettierConfig from "eslint-config-prettier";
 import prettierPlugin from "eslint-plugin-prettier";
+// @ts-expect-error - security plugin doesn't have types
+import securityPlugin from "eslint-plugin-security";
 
 export default tseslint.config(
   eslint.configs.recommended,
@@ -11,19 +13,42 @@ export default tseslint.config(
   {
     plugins: {
       prettier: prettierPlugin,
+      security: securityPlugin,
     },
     rules: {
+      // Prettier
       "prettier/prettier": "error",
+
+      // Type Safety - STRICT (Quality Rails)
+      "@typescript-eslint/no-explicit-any": "error",
+      "@typescript-eslint/explicit-function-return-type": "warn",
+      "@typescript-eslint/explicit-module-boundary-types": "error",
       "@typescript-eslint/no-unused-vars": [
         "error",
         { argsIgnorePattern: "^_", varsIgnorePattern: "^_" },
       ],
-      "@typescript-eslint/consistent-type-imports": [
-        "error",
-        { prefer: "type-imports" },
-      ],
+      "@typescript-eslint/consistent-type-imports": ["error", { prefer: "type-imports" }],
+
+      // Promise/Async Safety (Quality Rails)
       "@typescript-eslint/no-floating-promises": "error",
       "@typescript-eslint/no-misused-promises": "error",
+      "@typescript-eslint/await-thenable": "error",
+
+      // Code Quality (Quality Rails)
+      "@typescript-eslint/no-var-requires": "error",
+      "@typescript-eslint/prefer-nullish-coalescing": "warn",
+      "@typescript-eslint/prefer-optional-chain": "warn",
+
+      // Security (Quality Rails)
+      "security/detect-object-injection": "off", // Too many false positives
+      "security/detect-non-literal-fs-filename": "warn",
+      "security/detect-non-literal-regexp": "warn",
+      "security/detect-unsafe-regex": "error",
+      "security/detect-buffer-noassert": "error",
+      "security/detect-eval-with-expression": "error",
+      "security/detect-no-csrf-before-method-override": "error",
+      "security/detect-possible-timing-attacks": "warn",
+      "security/detect-pseudoRandomBytes": "error",
     },
   },
   {

packages/config/package.json

@@ -20,6 +20,7 @@
     "eslint": "^9.21.0",
     "eslint-config-prettier": "^10.1.0",
     "eslint-plugin-prettier": "^5.2.3",
+    "eslint-plugin-security": "^3.0.1",
     "prettier": "^3.5.3",
     "typescript-eslint": "^8.26.0"
   },