ci: shift-left quality gates — add mypy to pre-commit, fix CI failures (#53)

* ci: shift-left quality gates — add mypy to pre-commit, fix CI failures

- Add mypy pre-commit hook (mirrors-mypy v1.13.0) so type checks run locally
- Add [tool.mypy] config to scripts/pyproject.toml with overrides for untyped libs (ebooklib, sync_translations)
- Add mypy>=1.8.0 to requirements-dev.txt
- Fix CI test.yml: remove continue-on-error: true from lint/security/type-check jobs (was silently swallowing failures)
- Fix CI bandit -c path: pyproject.toml → scripts/pyproject.toml
- Fix CI mypy command: use --config-file scripts/pyproject.toml
- Fix CI build-epub: add type-check to needs, fix if: success() → !failure() && !cancelled()
- Fix ruff errors in sync_translations.py (RUF013 implicit Optional, SIM102 nested if)
- Fix mypy errors: add list[str] annotations to errors vars in check_cross_references.py and check_links.py

* fix(ci): install mmdc in build-epub job and correct return type annotation

- Add npm install step for @mermaid-js/mermaid-cli before Build EPUB
  to fix CI failure (mmdc not found error)
- Fix check_translation_status() return type from list[dict] to
  tuple[list[dict], list[dict]] to match the actual return value

* fix(ci): pass --no-sandbox to Puppeteer in build-epub CI job

mmdc (Mermaid CLI) uses Puppeteer/Chromium which requires --no-sandbox
in the GitHub Actions sandboxed environment. Add --puppeteer-config flag
to build_epub.py that passes a Puppeteer JSON config file to mmdc via -p,
and use it in the CI workflow to inject the no-sandbox args.

.github/workflows/test.yml

@@ -88,11 +88,9 @@ jobs:
 
       - name: Ruff Format Check
         run: uv run ruff format --check scripts/
-        continue-on-error: true
 
       - name: Ruff Lint Check
         run: uv run ruff check scripts/
-        continue-on-error: true
 
   security:
     name: Security Scan
@@ -113,8 +111,7 @@ jobs:
           uv pip install "bandit[toml]"
 
       - name: Run Bandit Security Scan
-        run: uv run bandit -c pyproject.toml -r scripts/ --exclude scripts/tests/ -f json -o bandit-report.json
-        continue-on-error: true
+        run: uv run bandit -c scripts/pyproject.toml -r scripts/ --exclude scripts/tests/ -f json -o bandit-report.json
 
       - name: Upload security report
         uses: actions/upload-artifact@v4
@@ -143,14 +140,13 @@ jobs:
           uv pip install -r scripts/requirements-dev.txt mypy
 
       - name: Run mypy
-        run: uv run mypy scripts/ --ignore-missing-imports --no-implicit-optional
-        continue-on-error: true
+        run: uv run mypy scripts/ --config-file scripts/pyproject.toml
 
   build-epub:
     name: Build EPUB Artifact
     runs-on: ubuntu-latest
-    needs: [pytest, lint, security]
-    if: success()
+    needs: [pytest, lint, security, type-check]
+    if: ${{ !failure() && !cancelled() }}
 
     steps:
       - name: Checkout code
@@ -167,8 +163,13 @@ jobs:
           uv venv
           uv pip install -r scripts/requirements-dev.txt
 
+      - name: Install mmdc (Mermaid CLI)
+        run: npm install -g @mermaid-js/mermaid-cli
+
       - name: Build EPUB
-        run: uv run scripts/build_epub.py
+        run: |
+          echo '{"args":["--no-sandbox","--disable-setuid-sandbox"]}' > /tmp/puppeteer-ci.json
+          uv run scripts/build_epub.py --puppeteer-config /tmp/puppeteer-ci.json
 
       - name: Verify EPUB Created
         run: |