Add four-layer docs guardrails with transitional pre-push mode.

Introduce git hooks, unified QA gate, CI workflow, and Cursor workflow docs so publishing is blocked until validation passes, while allowing push-range checks for the historical wip branch.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: MAX-IT-Tech

.cursor/rules/devdocs-hook-reference-quality.mdc

@@ -16,13 +16,16 @@ Use this when editing generated or manually corrected hook reference pages.
 - Module links use native module repositories, not `PrestaShop/PrestaShop/modules/...`.
 - Do not use `files: {}` when a reviewer or source code identifies a real origin.
 - Delete pages for hooks that no longer dispatch in the target branch.
+- Never accept branch-only replacements (`8.x` -> `9.1.x`) without path existence verification.
+- If origin is `module`, `files[].url` must not be empty.
 
 ## Call Example Rules
 
 - The call block must show the actual hook invocation, not adjacent code.
 - Include the full current parameter array, including `id_shop`, `chain`, by-reference values, and return flags when present.
 - Do not keep truncated fragments like only the hook name or first array keys.
 - Use `twig` fences for `renderhook(...)` and `php` fences for `Hook::exec(...)`.
+- Use `smarty` fences for Smarty `{hook h='...'}` snippets.
 - Remove copied constants, comments, copyright headers, `include(...)`, layout markup, and unrelated code.
 - Smarty `{hook ...}` snippets must not end with `;`.
 
@@ -31,4 +34,4 @@ Use this when editing generated or manually corrected hook reference pages.
 - Search all changed hook pages for the same pattern after fixing one comment.
 - Verify deleted/empty-source candidates with source search, not only `hook.xml`.
 - Treat allow-list constants as references, not proof that a hook is dispatched.
-- Re-run hook validation, source-link checks, and Hugo build before push.
+- Re-run `scripts/qa_docs_gate.py` and Hugo build before push.

.cursor/rules/devdocs-systematic-quality-gates.mdc

@@ -7,6 +7,14 @@ alwaysApply: true
 
 Apply this to every docs area: hooks, Admin API, modules, themes, webservice, basics, contribution guides, and all version branches.
 
+## Four-Layer Protection Model
+
+- Layer 1, Git controls: use `origin` as fetch-only and push only via `publish`.
+- Layer 1, Git hooks: `pre-commit` and `pre-push` must be active through `core.hooksPath=.githooks`.
+- Layer 2, QA gate: run `scripts/qa_docs_gate.py` as the single source of validation truth.
+- Layer 3, Cursor workflow: always run full-scope audits, not point fixes.
+- Layer 4, GitHub protection: require PR checks (`build` and `docs-qa`) before merge.
+
 ## Work Systemically
 
 - Treat review comments and maintainer follow-up commits as examples of a class of issue.
@@ -31,10 +39,22 @@ Apply this to every docs area: hooks, Admin API, modules, themes, webservice, ba
 
 ## Verification Before Push
 
-- Run area-specific validators and a CI-equivalent Hugo build.
+- Run the unified gate: `python3 scripts/qa_docs_gate.py --scope changed --base-ref upstream/9.x --rebuild-index`.
+- Run final gate before push: `make qa-final` (strict) or `make qa-final-transitional` (listed transitional branches).
+- Ensure `pre-commit` performs Hugo build and hook quality checks.
 - Check changed links and examples against source.
 - Do not push until validation passes.
 
+## Known Failure Patterns
+
+- Branch-only URL replacement (`8.x` to `9.1.x`) without verifying path existence.
+- Module origins linked to `PrestaShop/PrestaShop/modules/...` instead of native module repositories.
+- `files: {}` used even though source or reviewer provides a concrete origin file.
+- Hook page kept while hook is obsolete and has no valid origin in target branch.
+- Call snippet includes unrelated context or misses required invocation content.
+- Wrong code fence language for snippet type (`php`, `twig`, `smarty`).
+- Truncated `Hook::exec(...)` examples with incomplete parameter arrays.
+
 ## Continuous Improvement
 
 When a new failure pattern is discovered:

.cursor/skills/docs-safe-workflow/SKILL.md

@@ -0,0 +1,35 @@
+# Docs Safe Workflow
+
+Use this skill for any PrestaShop documentation update, especially hook metadata, migration work, and review-comment follow-up.
+
+## Goals
+
+- Enforce systemic quality, not point fixes.
+- Ensure links, snippets, and metadata stay valid for the target branch.
+- Run deterministic QA before commit and before push.
+
+## Push policy modes
+
+- **Strict (default):** all `feat/*` and `fix/*` branches. Full branch diff from `upstream/9.x`, `feat/*`/`fix/*` naming required, `make qa-final`.
+- **Transitional:** branches listed in `.githooks/push-policy.json`. Checks only the push range (new commits), allows `local/*` when explicitly listed, uses `make qa-final-transitional`.
+
+## Mandatory Sequence
+
+1. Identify target branch and source-of-truth repositories.
+2. Perform a full-scope audit for the changed area.
+3. Apply changes only after mapping all similar occurrences.
+4. Run:
+   - `python3 scripts/qa_docs_gate.py --scope changed --base-ref upstream/9.x --rebuild-index`
+   - local Hugo build via pre-commit hook
+5. Before push, run final gate:
+   - strict branch: `make qa-final`
+   - transitional branch (listed in `.githooks/push-policy.json`): `make qa-final-transitional`
+
+## Policies
+
+- No partial fixes: if one pattern is broken, check full scope for the same pattern.
+- Review comments are examples, not full scope.
+- Do not replace branch names in URLs without path existence checks.
+- Do not link module origins to `PrestaShop/PrestaShop/modules/...`.
+- Do not keep obsolete hook pages with no valid source.
+- Do not keep truncated call snippets or wrong code fence languages.

.githooks/pre-commit

@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [[ "${SKIP_DOCS_PRECOMMIT:-0}" == "1" ]]; then
+  echo "[pre-commit] SKIP_DOCS_PRECOMMIT=1, skipping checks."
+  exit 0
+fi
+
+REPO_ROOT="$(git rev-parse --show-toplevel)"
+STAGED_FILES="$(git diff --cached --name-only --diff-filter=ACMR || true)"
+
+if [[ -z "$STAGED_FILES" ]]; then
+  echo "[pre-commit] No staged files, skipping."
+  exit 0
+fi
+
+if ! echo "$STAGED_FILES" | rg -q '\.md$|^\.github/workflows/build\.yml$'; then
+  echo "[pre-commit] No docs-related staged files, skipping."
+  exit 0
+fi
+
+echo "[pre-commit] Running docs QA gate (staged scope)..."
+python3 "$REPO_ROOT/scripts/qa_docs_gate.py" --scope staged --rebuild-index
+
+if [[ "${SKIP_HUGO_PRECOMMIT:-0}" == "1" ]]; then
+  echo "[pre-commit] SKIP_HUGO_PRECOMMIT=1, skipping Hugo build."
+  exit 0
+fi
+
+DEV_SITE="$REPO_ROOT/.reference/devdocs-site"
+HUGO_IMAGE="${HUGO_DOCKER_IMAGE:-hugomods/hugo:exts-0.121.1}"
+VERSION="${DEVDOCS_VERSION:-9}"
+
+echo "[pre-commit] Running local CI-like Hugo build for /$VERSION..."
+
+if [[ ! -d "$DEV_SITE/.git" ]]; then
+  git clone --depth 1 https://github.com/PrestaShop/devdocs-site.git "$DEV_SITE"
+fi
+
+git -C "$DEV_SITE" submodule update --init --depth 1 src/themes/ps-docs-theme
+
+if [[ ! -d "$DEV_SITE/src/content/1.7/.git" ]]; then
+  rm -rf "$DEV_SITE/src/content/1.7"
+  git clone --depth 1 --branch 1.7.x https://github.com/PrestaShop/docs.git "$DEV_SITE/src/content/1.7"
+fi
+
+if [[ ! -d "$DEV_SITE/src/content/8/.git" ]]; then
+  rm -rf "$DEV_SITE/src/content/8"
+  git clone --depth 1 --branch 8.x https://github.com/PrestaShop/docs.git "$DEV_SITE/src/content/8"
+fi
+
+TARGET="$DEV_SITE/src/content/$VERSION"
+rm -rf "$TARGET"
+mkdir -p "$(dirname "$TARGET")"
+
+rsync -a --delete \
+  --exclude ".git" \
+  --exclude ".reference" \
+  --exclude ".cursor" \
+  --exclude ".specstory" \
+  --exclude ".vscode" \
+  --exclude "node_modules" \
+  "$REPO_ROOT/" "$TARGET/"
+
+docker run --rm -v "$DEV_SITE:/site" -w /site/src "$HUGO_IMAGE" hugo >/dev/null
+
+echo "[pre-commit] Hugo build passed."

.githooks/pre-push

@@ -0,0 +1,133 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [[ "${SKIP_DOCS_PREPUSH:-0}" == "1" ]]; then
+  echo "[pre-push] SKIP_DOCS_PREPUSH=1, skipping checks."
+  exit 0
+fi
+
+REPO_ROOT="$(git rev-parse --show-toplevel)"
+BRANCH="$(git rev-parse --abbrev-ref HEAD)"
+HEAD_SHA="$(git rev-parse HEAD)"
+BASE_REF="${DOCS_BASE_REF:-upstream/9.x}"
+POLICY_MODE="$(python3 "$REPO_ROOT/scripts/docs_push_policy.py" "$BRANCH")"
+
+PUSH_LOCAL_SHA="$HEAD_SHA"
+REMOTE_SHA=""
+while read -r _ local_sha _ remote_sha; do
+  [[ -z "${local_sha:-}" ]] && continue
+  PUSH_LOCAL_SHA="$local_sha"
+  if [[ "${remote_sha:-}" =~ ^0+$ ]]; then
+    REMOTE_SHA=""
+  else
+    REMOTE_SHA="$remote_sha"
+  fi
+done
+
+if ! git rev-parse --verify "$BASE_REF" >/dev/null 2>&1; then
+  BASE_REF="origin/9.x"
+fi
+
+if [[ "$POLICY_MODE" == "transitional" ]]; then
+  echo "[pre-push] Transitional mode enabled for branch '$BRANCH'."
+  if [[ -n "$REMOTE_SHA" ]]; then
+    DIFF_RANGE="${REMOTE_SHA}..${PUSH_LOCAL_SHA}"
+  elif git rev-parse --verify "refs/remotes/publish/${BRANCH}" >/dev/null 2>&1; then
+    DIFF_RANGE="refs/remotes/publish/${BRANCH}..${PUSH_LOCAL_SHA}"
+  elif git rev-parse --verify "refs/remotes/origin/${BRANCH}" >/dev/null 2>&1; then
+    DIFF_RANGE="refs/remotes/origin/${BRANCH}..${PUSH_LOCAL_SHA}"
+  else
+    UPSTREAM_REF="$(git rev-parse --abbrev-ref --symbolic-full-name "${BRANCH}@{upstream}" 2>/dev/null || true)"
+    UPSTREAM_BRANCH="${UPSTREAM_REF##*/}"
+    if [[ -n "$UPSTREAM_REF" && "$UPSTREAM_BRANCH" == "$BRANCH" ]] && git rev-parse --verify "$UPSTREAM_REF" >/dev/null 2>&1; then
+      DIFF_RANGE="${UPSTREAM_REF}..${PUSH_LOCAL_SHA}"
+    else
+      DIFF_RANGE=""
+    fi
+  fi
+else
+  echo "[pre-push] Strict mode for branch '$BRANCH'."
+  DIFF_RANGE="${BASE_REF}...HEAD"
+fi
+
+if [[ "$POLICY_MODE" != "transitional" ]]; then
+  if [[ "$BRANCH" =~ ^(local|wip|scratch)/ ]]; then
+    echo "[pre-push] Push is blocked for branch '$BRANCH'."
+    echo "[pre-push] Rename branch to feat/* or fix/* before publishing."
+    exit 1
+  fi
+
+  if [[ ! "$BRANCH" =~ ^(feat|fix)/ ]]; then
+    echo "[pre-push] Branch '$BRANCH' does not match allowed patterns feat/* or fix/*."
+    exit 1
+  fi
+fi
+
+FORBIDDEN_RE='^(\.specstory/|tmp_groups/|\.cursor/plans/|\.reference/)'
+if [[ "$POLICY_MODE" == "transitional" && -z "$DIFF_RANGE" ]]; then
+  echo "[pre-push] Transitional mode: no remote push range resolved; skipping forbidden-path scan."
+  echo "[pre-push] Set upstream to the same branch on publish/origin or pass PUSH_RANGE to make qa-final-transitional."
+elif [[ -n "$DIFF_RANGE" ]] && git diff --name-only --diff-filter=ACMR "$DIFF_RANGE" | rg -q "$FORBIDDEN_RE"; then
+  echo "[pre-push] Found forbidden paths in checked diff range ($DIFF_RANGE):"
+  git diff --name-only --diff-filter=ACMR "$DIFF_RANGE" | rg "$FORBIDDEN_RE" || true
+  exit 1
+fi
+
+STAMP_FILE="$REPO_ROOT/.git/qa/docs_gate_final_${BRANCH//\//__}.json"
+if [[ ! -f "$STAMP_FILE" ]]; then
+  echo "[pre-push] Missing final QA stamp for branch '$BRANCH'."
+  if [[ "$POLICY_MODE" == "transitional" ]]; then
+    echo "[pre-push] Run:"
+    echo "  make qa-final-transitional"
+  else
+    echo "[pre-push] Run:"
+    echo "  make qa-final"
+  fi
+  exit 1
+fi
+
+read_stamp_field() {
+  python3 - "$STAMP_FILE" "$1" <<'PY'
+import json, pathlib, sys
+p = pathlib.Path(sys.argv[1])
+field = sys.argv[2]
+data = json.loads(p.read_text(encoding="utf-8"))
+print(data.get(field, ""))
+PY
+}
+
+STAMP_SHA="$(read_stamp_field sha)"
+STAMP_MODE="$(read_stamp_field mode)"
+STAMP_RANGE="$(read_stamp_field diff_range)"
+
+if [[ "$STAMP_SHA" != "$HEAD_SHA" ]]; then
+  echo "[pre-push] Final QA stamp is stale."
+  echo "[pre-push] stamped_sha=$STAMP_SHA"
+  echo "[pre-push] current_sha=$HEAD_SHA"
+  echo "[pre-push] Re-run final QA after latest commit."
+  exit 1
+fi
+
+if [[ "$POLICY_MODE" == "transitional" ]]; then
+  if [[ "$STAMP_MODE" != "transitional" ]]; then
+    echo "[pre-push] Branch requires transitional QA stamp (mode=transitional)."
+    echo "[pre-push] Run: make qa-final-transitional"
+    exit 1
+  fi
+else
+  if [[ -n "$STAMP_MODE" && "$STAMP_MODE" != "strict" ]]; then
+    echo "[pre-push] Branch requires strict QA stamp (mode=strict)."
+    echo "[pre-push] Run: make qa-final"
+    exit 1
+  fi
+fi
+
+if [[ "$POLICY_MODE" == "transitional" && -n "$STAMP_RANGE" && -n "$DIFF_RANGE" && "$STAMP_RANGE" != "$DIFF_RANGE" ]]; then
+  echo "[pre-push] Transitional QA stamp range does not match push range."
+  echo "[pre-push] stamped_range=$STAMP_RANGE"
+  echo "[pre-push] push_range=$DIFF_RANGE"
+  echo "[pre-push] Re-run: make qa-final-transitional PUSH_RANGE='$DIFF_RANGE'"
+  exit 1
+fi
+
+echo "[pre-push] All push gates passed ($POLICY_MODE mode${DIFF_RANGE:+, range: $DIFF_RANGE})."

.githooks/push-policy.json

@@ -0,0 +1,6 @@
+{
+  "version": 1,
+  "default_mode": "strict",
+  "transitional_branches": ["local/wip-docs-artifacts"],
+  "notes": "Transitional mode validates only commits/files in the push range. Remove branches from transitional_branches once rebased onto a clean feat/* or fix/* branch."
+}

.github/workflows/docs-qa.yml

@@ -0,0 +1,48 @@
+name: Docs QA Gate
+
+on:
+  pull_request:
+  push:
+    branches:
+      - "9.x"
+      - "feat/**"
+      - "fix/**"
+
+jobs:
+  qa:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Ensure reference mirrors
+        run: |
+          mkdir -p .reference
+          [[ -d .reference/prestashop/.git ]] || git clone --depth 1 --branch 9.1.x https://github.com/PrestaShop/PrestaShop.git .reference/prestashop
+          [[ -d .reference/classic-theme/.git ]] || git clone --depth 1 --branch develop https://github.com/PrestaShop/classic-theme.git .reference/classic-theme
+          [[ -d .reference/hummingbird/.git ]] || git clone --depth 1 --branch develop https://github.com/PrestaShop/hummingbird.git .reference/hummingbird
+
+      - name: Resolve base branch ref
+        id: base
+        run: |
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            echo "ref=origin/${{ github.base_ref }}" >> "$GITHUB_OUTPUT"
+            git fetch origin "${{ github.base_ref }}" --depth=1
+          else
+            echo "ref=origin/9.x" >> "$GITHUB_OUTPUT"
+            git fetch origin 9.x --depth=1
+          fi
+
+      - name: Run docs QA gate
+        run: |
+          python3 scripts/qa_docs_gate.py \
+            --scope changed \
+            --base-ref "${{ steps.base.outputs.ref }}" \
+            --rebuild-index