ci: add deterministic formatting and clean-worktree gates

.github/workflows/qa-matrix.yml

@@ -39,6 +39,9 @@ jobs:
       - name: Lint
         run: npm run lint
 
+      - name: Verify clean working tree after lint
+        run: git diff --name-status --exit-code
+
       - name: Unit and integration tests
         run: npm test -- --runInBand
 

docs/plan/cicd_security.md

@@ -13,6 +13,7 @@ This document defines the CI/CD security and quality baseline for `ai-code-fusio
 ## Security and Quality Layers
 
 1. Source and policy gates
+- Prettier formatter drift gate (`npm run format:check`, non-mutating).
 - ESLint gate for `src/` and `tests/`.
 - Markdown integrity lint (`scripts/lint-markdown-links.js`) for broken docs links/assets.
 - Markdown style lint (`markdownlint-cli`) with `.markdownlint.json`.
@@ -44,12 +45,14 @@ This document defines the CI/CD security and quality baseline for `ai-code-fusio
 ### Lint and Changelog Gates
 
 - `npm run lint` now runs:
+  - Prettier check (`format:check`)
   - ESLint (`src/`, `tests/`)
   - Markdown lint (`lint:md`)
   - Changelog lint (`changelog:validate`)
 - `lint:md` runs both:
   - Markdown link/asset checks
   - Markdown style policy checks
+- QA matrix enforces a clean repository state after lint with `git diff --name-status --exit-code`.
 
 ### SBOM Push to GitHub Security
 

package.json

@@ -17,13 +17,14 @@
     "predev": "npm run build:ts && node scripts/clean-dev-assets.js",
     "dev": "node scripts/index.js dev",
     "clear-assets": "rimraf src/renderer/bundle.js src/renderer/bundle.js.map src/renderer/bundle.js.LICENSE.txt src/renderer/output.css",
-    "lint": "cross-env ESLINT_USE_FLAT_CONFIG=false eslint src tests --ext .js,.jsx,.ts,.tsx --cache && npm run lint:md && npm run changelog:validate",
+    "lint": "npm run format:check && cross-env ESLINT_USE_FLAT_CONFIG=false eslint src tests --ext .js,.jsx,.ts,.tsx --cache && npm run lint:md && npm run changelog:validate",
     "lint:md": "npm run lint:md:links && npm run lint:md:style",
     "lint:md:links": "node scripts/lint-markdown-links.js",
     "lint:md:style": "markdownlint \"**/*.{md,mdx}\" --config .markdownlint.json --ignore node_modules --ignore dist",
     "changelog:validate": "node scripts/validate-changelog.js",
     "lint:tests": "cross-env ESLINT_USE_FLAT_CONFIG=false eslint tests --ext .js,.jsx,.ts,.tsx --cache",
     "format": "prettier --write \"**/*.{js,jsx,ts,tsx,json,md,html,css}\"",
+    "format:check": "prettier --check --end-of-line auto \"**/*.{json,md,html,css}\"",
     "test": "jest --config jest.config.js --passWithNoTests",
     "test:watch": "jest --watch --config jest.config.js --passWithNoTests",
     "test:stress": "jest --config jest.config.js --runInBand --testMatch=\"**/tests/stress/**/*.{js,jsx,ts,tsx}\" --verbose",

tests/catalog.md

@@ -9,6 +9,7 @@ Purpose: quick map of what is covered, why it exists, and which command to run.
 - Stress publish verification in Prometheus: `npm run prometheus:verify`
 - End-to-end perf metrics job (`TOOLS_DOMAIN` aware): `npm run perf:test` or `make perf-test`
 - Lint: `npm run lint`
+- Formatter drift check (non-mutating): `npm run format:check`
 - Markdown docs lint (links/images/icons): `npm run lint:md`
 - Changelog format validation: `npm run changelog:validate`
 - Electron E2E (Playwright): `npm run e2e:playwright`
@@ -105,5 +106,8 @@ Stress benchmark outputs:
   - `tests/unit/utils/token-counter.test.ts`
 - Actions/workflow freshness automation changes:
   - `tests/unit/scripts/actions-freshness.test.js`
+- CI quality gate/workflow changes:
+  - `npm run lint`
+  - `npm test -- --runInBand`
 - XML export end-to-end:
   - `tests/integration/main-process/xml-export-e2e.test.ts`