| React/Node formatting | Biome | Review |
| Python formatting/linting | Ruff | Tests |
| React/Node linting | Biome | Type checking or tests |
| Python dependency management | uv with committed uv.lock | Python test execution or vulnerability scanning |
| Terraform linting | TFLint | Terraform validate or security scan |
| Type checking | TypeScript / MyPy | Runtime validation |
| React unit/component tests | Vitest + Testing Library + user-event + jsdom | Deployed browser/E2E tests |
| Node backend unit tests | Vitest | Deployed API/contract tests |
| Python unit tests | Pytest + pytest-cov | Deployed integration tests |
| Maintainability and imported coverage | SonarQube | Test execution, Allure, or SAST |
| SAST | Semgrep | Manual security review |
| Secrets | Gitleaks | Secret manager |
| Dependency scan | Trivy FS | Dependency design review |
| IaC security | Trivy Config | Terraform validate or kubeconform |
| Image scan | Trivy Image | Runtime security |
| SBOM | Syft | Vulnerability remediation |
| Signing | Cosign | Authorization to deploy |
| Browser/E2E target standard | Playwright + Allure, post-deployment | Vitest source-CI gate |
| Current browser-flow compatibility | Custom .mjs flows | Long-term Playwright standard |
| API/contract/integration | Deployed environment suites | Unit tests |
| DAST | OWASP ZAP | Manual VAPT |