feat(ci): add qlty gate and weekly health scan

.github/workflows/qlty.yml

@@ -5,15 +5,21 @@ on:
     branches: [main]
   pull_request:
     branches: [main]
+  schedule:
+    # Weekly full-codebase health scan: Monday 07:00 UTC
+    - cron: '0 7 * * 1'
+  workflow_dispatch:
 
 permissions: read-all
 
 concurrency:
-  group: qlty-coverage-${{ github.ref }}
+  group: qlty-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
+  # Coverage upload after merges to main only.
   qlty:
+    if: github.event_name == 'push'
     uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@40ff5b5615e786ee0867e1b9e8f21a4735036e63  # main
     permissions:
       contents: read
@@ -24,3 +30,27 @@ jobs:
       coverage-format: cobertura
     secrets:
       QLTY_COVERAGE_TOKEN: ${{ secrets.QLTY_COVERAGE_TOKEN }}
+
+  # PR gate: diff mode, block merges that introduce medium+ severity issues.
+  # Check name: "qlty-gate / Qlty Gate" -- required by org baseline ruleset.
+  qlty-gate:
+    if: github.event_name == 'pull_request'
+    uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-gate.yml@040026ab682aa4b9ef491750d62cdd1592cdb659
+    permissions:
+      contents: read
+    with:
+      fail-level: medium
+      upstream: origin/${{ github.base_ref }}
+
+  # Weekly health scan: full codebase, informational only.
+  # Reports accumulated debt without blocking workflows.
+  # Remove no-fail once the existing 100-issue backlog is resolved.
+  qlty-health:
+    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+    uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-gate.yml@040026ab682aa4b9ef491750d62cdd1592cdb659
+    permissions:
+      contents: read
+    with:
+      fail-level: high
+      check-all: true
+      no-fail: true