diff --git a/.dockerignore b/.dockerignore index d9d79be..e41ff9c 100644 --- a/.dockerignore +++ b/.dockerignore @@ -8,3 +8,4 @@ coverage .env .env.* README.md +.codex \ No newline at end of file diff --git a/.gitea/workflows/commit-conventional.yml b/.gitea/workflows/commit-conventional.yml new file mode 100644 index 0000000..8f2545f --- /dev/null +++ b/.gitea/workflows/commit-conventional.yml @@ -0,0 +1,50 @@ +name: Commit Message Check + +on: + push: + branches: [ main, develop ] + pull_request: + +jobs: + conventional-commits: + runs-on: [self-hosted, linux] + + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 22 + cache: npm + + - name: Install dependencies + run: npm ci --ignore-scripts + + - name: Validate commit messages with commitlint + env: + EVENT_NAME: ${{ github.event_name }} + BEFORE_SHA: ${{ github.event.before }} + PR_BASE_SHA: ${{ github.event.pull_request.base.sha }} + HEAD_SHA: ${{ github.sha }} + run: | + set -euo pipefail + + BASE_SHA="" + + if [ "${EVENT_NAME}" = "pull_request" ] && [ -n "${PR_BASE_SHA:-}" ]; then + BASE_SHA="${PR_BASE_SHA}" + elif [ -n "${BEFORE_SHA:-}" ] && [ "${BEFORE_SHA}" != "0000000000000000000000000000000000000000" ]; then + BASE_SHA="${BEFORE_SHA}" + elif git rev-parse "${HEAD_SHA}^" >/dev/null 2>&1; then + BASE_SHA="$(git rev-parse "${HEAD_SHA}^")" + fi + + if [ -n "${BASE_SHA}" ] && [ "${BASE_SHA}" != "${HEAD_SHA}" ]; then + npx --no -- commitlint --from "${BASE_SHA}" --to "${HEAD_SHA}" --verbose + else + git log -1 --format=%s "${HEAD_SHA}" | npx --no -- commitlint --verbose + fi diff --git a/.gitea/workflows/deploy-dev.yml b/.gitea/workflows/deploy-dev.yml index d9fd024..257a246 100644 --- a/.gitea/workflows/deploy-dev.yml +++ b/.gitea/workflows/deploy-dev.yml @@ -3,6 +3,7 @@ name: Deploy monie-backend to dev (kaniko) on: push: branches: [ develop ] + pull_request: jobs: build-and-deploy: 
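Review bot: The `conventional-commits` job runs on `[self-hosted, linux]` for every `pull_request`, and the `npx --no -- commitlint` step executes code from the checked-out tree (the installed packages and, if the repository uses a JavaScript commitlint config, that file too), so a pull request author controls what runs on that runner. `npm ci --ignore-scripts` only stops install-time scripts. If the runner is persistent or shares a host with the deploy jobs (not visible here), consider a separate isolated or ephemeral runner for pull-request checks. Separately, `actions/checkout@v4` and `actions/setup-node@v4` are mutable tags; pinning each to a full commit SHA, e.g. `uses: actions/checkout@<full-commit-sha> # v4`, keeps the step contents fixed.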
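Review bot: The `pull_request:` trigger added to `deploy-dev.yml` has no branch filter, so this workflow also starts for pull requests that target `main` or any other branch, while the skip step added further down speaks of `develop` only. Scoping it the same way as `push` keeps the check tied to its branch: `pull_request:` followed by `branches: [ develop ]`. The same applies to the `pull_request:` line added in `deploy-prod.yml`, with `branches: [ main ]`.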
@@ -26,7 +27,12 @@ jobs: REPO_PATH: monie/monie-backend.git steps: + - name: Skip deploy for pull requests + if: github.event_name == 'pull_request' + run: echo "Pull request check passed. Deploy runs only on push to develop." + - name: Debug + if: github.event_name == 'push' run: | set -eu echo "sha=${{ github.sha }}" @@ -35,6 +41,7 @@ jobs: microk8s kubectl version --client=true - name: Build & push with Kaniko (K8s Job) + if: github.event_name == 'push' env: SHA: ${{ github.sha }} REF: ${{ github.ref_name }} @@ -131,6 +138,7 @@ jobs: fi - name: Deploy to dev + if: github.event_name == 'push' env: SHA: ${{ github.sha }} run: | diff --git a/.gitea/workflows/deploy-prod.yml b/.gitea/workflows/deploy-prod.yml index 246993f..7ea30f2 100644 --- a/.gitea/workflows/deploy-prod.yml +++ b/.gitea/workflows/deploy-prod.yml @@ -1,9 +1,9 @@ -# .gitea/workflows/deploy-prod.yml name: Deploy monie-backend (kaniko) on: push: branches: [ main ] + pull_request: jobs: build-and-deploy: @@ -27,7 +27,12 @@ jobs: REPO_PATH: monie/monie-backend.git steps: + - name: Skip deploy for pull requests + if: github.event_name == 'pull_request' + run: echo "Pull request check passed. Deploy runs only on push to main." + - name: Build & push image with Kaniko (K8s Job) + if: github.event_name == 'push' env: SHA: ${{ github.sha }} REF: ${{ github.ref_name }} @@ -120,6 +125,7 @@ jobs: fi - name: Deploy to prod + if: github.event_name == 'push' env: SHA: ${{ github.sha }} run: | diff --git a/.gitignore b/.gitignore index 4b56acf..d81f821 100644 --- a/.gitignore +++ b/.gitignore @@ -34,6 +34,7 @@ lerna-debug.log* !.vscode/tasks.json !.vscode/launch.json !.vscode/extensions.json +.codex # dotenv environment variable files .env diff --git a/.husky/pre-push b/.husky/pre-push new file mode 100755 index 0000000..20fc5f3 --- /dev/null +++ b/.husky/pre-push 
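Review bot: Gating the deploy with a per-step `if: github.event_name == 'push'` fails open: any step added later without the condition also runs on pull requests, on the same runner and with the same job-level `env` (both defined outside this hunk). A job-level condition is harder to get wrong, e.g. `if: github.event_name == 'push'` on `build-and-deploy`, with the pull-request message moved to a small separate job. Whether a skipped job satisfies a required status check on this Gitea instance should be confirmed before switching. The same per-step pattern is repeated on the `Build & push with Kaniko` and `Deploy to dev` steps and in the step hunks of `deploy-prod.yml`.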
@@ -0,0 +1,19 @@ +#!/usr/bin/env sh + +branch="$(git rev-parse --abbrev-ref HEAD)" + +case "$branch" in + main|develop) + echo "Direct pushes to $branch are not allowed." + echo "Please create a feature/... or bugfix/... branch and open a PR/MR." + exit 1 + ;; + feature/*|bugfix/*|hotfix/*|chore/*) + exit 0 + ;; + *) + echo "Invalid branch name: $branch" + echo "Allowed branch prefixes: feature/*, bugfix/*, hotfix/*, chore/*" + exit 1 + ;; +esac diff --git a/Dockerfile b/Dockerfile index 3750500..1d50451 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,15 +1,15 @@ -FROM node:22-bookworm-slim AS deps +FROM node:24-bookworm-slim AS deps WORKDIR /app COPY package*.json ./ RUN npm ci -FROM node:22-bookworm-slim AS build +FROM node:24-bookworm-slim AS build WORKDIR /app COPY --from=deps /app/node_modules ./node_modules COPY . . RUN npm run build && npm prune --omit=dev -FROM node:22-bookworm-slim AS runner +FROM node:24-bookworm-slim AS runner WORKDIR /app ENV NODE_ENV=production COPY package*.json ./
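Review bot: The hook decides from the checked-out branch (`git rev-parse --abbrev-ref HEAD`), not from the ref being pushed, so `git push origin feature/x:main` from a feature branch passes, while pushing a tag from `main` or from a detached HEAD is rejected. Git passes the pushed refs to `pre-push` on stdin as `<local ref> <local sha> <remote ref> <remote sha>`, and matching on the remote ref checks what the push actually updates. The sketch below assumes husky forwards stdin to the hook. A client-side hook is also skipped by `git push --no-verify`, so the rule only holds if `main` and `develop` are protected on the server as well.

```sh
# pre-push receives one line per pushed ref on stdin
while read -r local_ref local_sha remote_ref remote_sha; do
  case "$remote_ref" in
    refs/heads/main|refs/heads/develop)
      echo "Direct pushes to ${remote_ref#refs/heads/} are not allowed."
      # … unchanged: hint message and exit 1 …
      ;;
    refs/heads/feature/*|refs/heads/bugfix/*|refs/heads/hotfix/*|refs/heads/chore/*)
      # allowed; fall through so the remaining refs are checked too
      ;;
    *)
      echo "Invalid branch name: ${remote_ref#refs/heads/}"
      # … unchanged: allowed-prefix message and exit 1 …
      ;;
  esac
done
```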