Consolidate PR + default-branch validation into canonical ci.yml

.github/workflows/README.md

@@ -2,11 +2,10 @@
 
 Only these workflows are active:
 
-1. `pr-gate.yml`
-   - Required merge gate for PRs into `main`.
-2. `main-validation.yml`
-   - Deeper validation on `main` after merge.
-3. `security-deep.yml`
+1. `ci.yml`
+   - Required validation gate for pull requests and pushes to the repository default branch.
+   - Also supports manual execution via `workflow_dispatch`.
+2. `security-deep.yml`
    - Scheduled/manual deep security scans.
 
 If a proposed workflow does not define a distinct decision boundary, do not add it.

.github/workflows/ci.yml

@@ -0,0 +1,230 @@
+name: CI Validation
+
+on:
+  pull_request:
+    branches:
+      - '**'
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  push:
+    branches:
+      - '**'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ci-validation-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  python-quality:
+    name: Python quality + tests + build
+    if: ${{ github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref_name == github.event.repository.default_branch) || (github.event_name == 'pull_request' && github.base_ref == github.event.repository.default_branch) }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 45
+    steps:
+      - name: Checkout
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+
+      - name: Setup Python environment
+        uses: ./.github/actions/setup-tradepulse
+        with:
+          python-version: '3.11'
+          cache-prefix: ci-python
+
+      - name: Verify toolchain
+        run: |
+          set -euo pipefail
+          .venv/bin/python --version
+          .venv/bin/python -m pip --version
+
+      - name: Format check
+        run: .venv/bin/black --check .
+
+      - name: Lint
+        run: .venv/bin/ruff check .
+
+      - name: Type check
+        run: .venv/bin/mypy --config-file=mypy.ini .
+
+      - name: Unit tests with coverage
+        run: |
+          .venv/bin/pytest tests/ -m "not slow and not heavy_math and not nightly and not flaky" \
+            --cov=core --cov=backtest --cov=execution \
+            --cov-report=term-missing \
+            --cov-report=xml
+
+      - name: Coverage guardrail
+        run: |
+          .venv/bin/python -m tools.coverage.guardrail \
+            --config configs/quality/critical_surface.toml \
+            --coverage coverage.xml
+
+      - name: Build package artifacts
+        run: .venv/bin/python -m build --sdist --wheel --outdir dist
+
+      - name: Upload coverage XML
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
+        with:
+          name: python-coverage-xml
+          path: coverage.xml
+          if-no-files-found: error
+
+  dependency-security:
+    name: Dependency security gates
+    if: ${{ github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref_name == github.event.repository.default_branch) || (github.event_name == 'pull_request' && github.base_ref == github.event.repository.default_branch) }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - name: Checkout
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+
+      - name: Setup Python environment
+        uses: ./.github/actions/setup-tradepulse
+        with:
+          python-version: '3.11'
+          cache-prefix: ci-security
+
+      - name: Run pip-audit HIGH/CRITICAL gate
+        run: |
+          set -euo pipefail
+          .venv/bin/pip-audit -r requirements.lock -f json -o /tmp/pip-audit-runtime.json || true
+          .venv/bin/pip-audit -r requirements-dev.lock -f json -o /tmp/pip-audit-dev.json || true
+          .venv/bin/python .github/scripts/pip_audit_high_gate.py /tmp/pip-audit-runtime.json /tmp/pip-audit-dev.json
+
+      - name: Audit frontend dependencies
+        working-directory: apps/web
+        run: |
+          set -euo pipefail
+          npm ci
+          npm audit --audit-level=high --omit=dev
+
+  web-frontend:
+    name: Web frontend checks
+    if: ${{ github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref_name == github.event.repository.default_branch) || (github.event_name == 'pull_request' && github.base_ref == github.event.repository.default_branch) }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - name: Checkout
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+
+      - name: Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: '20'
+          cache: npm
+          cache-dependency-path: apps/web/package-lock.json
+
+      - name: Install dependencies
+        working-directory: apps/web
+        run: npm ci
+
+      - name: Format check
+        working-directory: apps/web
+        run: npm run format:check
+
+      - name: Lint
+        working-directory: apps/web
+        run: npm run lint
+
+      - name: Type check
+        working-directory: apps/web
+        run: npm run typecheck
+
+      - name: Unit tests
+        working-directory: apps/web
+        run: npm run test -- --ci
+
+      - name: Build
+        working-directory: apps/web
+        run: npm run build
+
+  dashboard-frontend:
+    name: Dashboard frontend checks
+    if: ${{ github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref_name == github.event.repository.default_branch) || (github.event_name == 'pull_request' && github.base_ref == github.event.repository.default_branch) }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - name: Checkout
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+
+      - name: Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: '20'
+          cache: npm
+          cache-dependency-path: ui/dashboard/package-lock.json
+
+      - name: Install dependencies
+        working-directory: ui/dashboard
+        run: npm ci
+
+      - name: Lint
+        working-directory: ui/dashboard
+        run: npm run lint
+
+      - name: Unit tests
+        working-directory: ui/dashboard
+        run: npm run test
+
+  go-validation:
+    name: Go tests
+    if: ${{ github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref_name == github.event.repository.default_branch) || (github.event_name == 'pull_request' && github.base_ref == github.event.repository.default_branch) }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - name: Checkout
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+
+      - name: Setup Go
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v5
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Run Go tests
+        run: go test ./...
+
+  rust-validation:
+    name: Rust fmt + clippy + tests + build
+    if: ${{ github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref_name == github.event.repository.default_branch) || (github.event_name == 'pull_request' && github.base_ref == github.event.repository.default_branch) }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 25
+    steps:
+      - name: Checkout
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+
+      - name: Setup Rust toolchain
+        run: rustup toolchain install stable --profile minimal --component rustfmt clippy
+
+      - name: Cargo fmt check
+        run: cargo fmt --manifest-path rust/tradepulse-accel/Cargo.toml --all --check
+
+      - name: Cargo clippy
+        run: cargo clippy --manifest-path rust/tradepulse-accel/Cargo.toml --all-targets -- -D warnings
+
+      - name: Cargo tests
+        run: cargo test --manifest-path rust/tradepulse-accel/Cargo.toml
+
+      - name: Cargo build
+        run: cargo build --manifest-path rust/tradepulse-accel/Cargo.toml --locked
+
+  docker-build-validation:
+    name: Docker build validation
+    if: ${{ github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref_name == github.event.repository.default_branch) || (github.event_name == 'pull_request' && github.base_ref == github.event.repository.default_branch) }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - name: Checkout
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+
+      - name: Build root image
+        run: docker build -f Dockerfile .
+
+      - name: Build cortex_service image
+        run: docker build -f cortex_service/Dockerfile cortex_service