Feature/animals permissions

.gitattributes

@@ -1,14 +1,18 @@
-# Auto detect text files and perform LF normalization
-* text=auto
+* text eol=lf
 
-# Vendor static files — preserve LF line endings as published
-static/**/* text eol=lf
-static_collected/**/* text eol=lf
+*.py        text eol=lf
+*.sh        text eol=lf
+*.toml      text eol=lf
+*.yaml      text eol=lf
+*.yml       text eol=lf
+*.json      text eol=lf
+*.md        text eol=lf
+*.lock      text eol=lf
+Dockerfile* text eol=lf
 
-# Binary assets — must come after the text rules above (last match wins)
-*.png binary
-*.jpg binary
+*.png  binary
+*.jpg  binary
 *.jpeg binary
-*.gif binary
-*.ico binary
+*.gif  binary
+*.ico  binary
 *.webp binary

.github/workflows/django.yml

@@ -7,6 +7,34 @@ on:
     branches: [ "main" ]
 
 jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup uv
+        uses: astral-sh/setup-uv@v3
+        with:
+          enable-cache: true
+          cache-dependency-glob: "uv.lock"
+          python-version: "3.14"
+
+      - name: Install dependencies
+        run: uv sync
+
+      - name: Ruff check
+        run: uv run ruff check .
+
+      - name: Ruff format check
+        run: uv run ruff format --check .
+
+      - name: ty check
+        run: uv run ty check
+
+      - name: Codespell
+        run: uv run codespell
+
   test:
     runs-on: ubuntu-latest
     env:
@@ -58,7 +86,7 @@ jobs:
   build-and-push:
     name: Build and Push to ECR
     runs-on: ubuntu-latest
-    needs: test
+    needs: [test, lint]
     if: false  # disabled — re-enable when AWS ECR is ready
     steps:
       - name: Checkout Repository

.gitignore

@@ -10,6 +10,7 @@ __pycache__/
 .coverage
 .coverage.*
 htmlcov/
+tests/result/
 .pytest_cache/
 .hypothesis/
 
@@ -45,9 +46,11 @@ celerybeat.pid
 # Claude Code — not tracked in this repository
 .claude/
 CLAUDE.md
+/.mcp.json
 
 # IDE
 .idea/
+.vscode/
 
 # Project-specific
 /static_collected/
@@ -62,3 +65,8 @@ secret.yaml
 
 # Volumes
 /db/
+
+# Local dev workspace
+/temp/
+/log/*
+!/log/*.template

.pre-commit-config.yaml

@@ -1,3 +1,4 @@
+default_install_hook_types: [pre-commit, post-merge]
 exclude: 'static/|static_collected/'
 
 repos:
@@ -8,7 +9,7 @@ repos:
     entry: uv lock --check
     language: system
     pass_filenames: false
-    files: ^pyproject\.toml$
+    files: ^(pyproject\.toml|uv\.lock)$
 
 - repo: https://github.com/pre-commit/pre-commit-hooks
   rev: v5.0.0
@@ -17,21 +18,35 @@ repos:
     exclude: '\.sh$'
   - id: trailing-whitespace
 
-- repo: https://github.com/astral-sh/ruff-pre-commit
-  rev: v0.15.14
+- repo: local
   hooks:
   - id: ruff-check
+    name: ruff check
+    entry: uv run ruff check
+    language: system
+    types_or: [python, pyi]
+    pass_filenames: false
+    always_run: true
   - id: ruff-format
-    args: [--check]
-
-- repo: https://github.com/codespell-project/codespell
-  rev: v2.4.2
-  hooks:
+    name: ruff format
+    entry: uv run ruff format --check
+    language: system
+    types_or: [python, pyi]
+    pass_filenames: false
+    always_run: true
   - id: codespell
+    name: codespell
+    entry: uv run codespell
+    language: system
     types_or: [python, markdown, yaml]
-
-- repo: local
-  hooks:
+    pass_filenames: false
+    always_run: true
+  - id: ty-check
+    name: ty check
+    entry: uv run ty check
+    language: system
+    pass_filenames: false
+    always_run: true
   - id: bandit
     name: bandit
     entry: bandit -r src -c pyproject.toml -q