diff --git a/.github/workflows/ci-comprehensive.yml b/.github/workflows/ci-comprehensive.yml
index 616ec15d..d5ba097b 100644
--- a/.github/workflows/ci-comprehensive.yml
+++ b/.github/workflows/ci-comprehensive.yml
@@ -220,7 +220,7 @@ jobs:
 - name: Run Safety dependency check
 run: |
- safety check --file requirements.txt --json > safety-report.json || true
+ safety check --file requirements.txt --json > safety-report.json
 - name: Upload security reports
 if: always()
@@ -250,12 +250,23 @@ jobs:
 - name: Install dependencies
 run: |
+ pip install -r requirements.txt
 pip install -r requirements-test.txt
+ pip install -e .
 - name: Run flake8
 run: |
 flake8 app/ --count --select=E9,F63,F7,F82 --show-source --statistics
- flake8 app/ --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
+ flake8 app/ --count --max-complexity=10 --max-line-length=120 --statistics
+
+ - name: Run black (format check)
+ run: black --check app/
+
+ - name: Run isort (import check)
+ run: isort --check-only app/
+
+ - name: Run mypy
+ run: mypy app/ || true
 # ============================================================================
 # Docker Build Test
@@ -457,7 +468,7 @@ jobs:
 INSTALLATION_CONFIG_DIR: ${{ github.workspace }}/.test_installation_config
 run: |
 pytest -v -n auto --cov=app --cov-report=xml --cov-report=html --cov-report=term-missing \
- --junitxml=junit.xml --maxfail=5
+ --cov-fail-under=35 --junitxml=junit.xml --maxfail=5
 - name: Upload full coverage
 uses: codecov/codecov-action@v4
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 7b968821..ccbfee4f 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
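Review bot: The now-blocking `safety check` in the `Run Safety dependency check` step of `ci-comprehensive.yml` scans only `requirements.txt`, while the lint job later in this workflow also installs `requirements-test.txt`, so vulnerable test-only pins still pass the gate. With `|| true` removed the step also fails on any non-zero exit, which presumably includes scanner errors such as an unreachable advisory database as well as real findings. I would scan `requirements-test.txt` as well and add a comment above the command, `# Blocking gate: non-zero exit fails the job; record accepted advisories with --ignore <ID> and a reason`, so an exception is reviewed rather than restored as `|| true`.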
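Review bot: The added `black --check app/` and `isort --check-only app/` steps pass none of the options the pre-commit hooks in this same commit use (`--line-length=120`, `--profile=black`), so unless a `pyproject.toml` or `setup.cfg` outside this diff sets them, CI checks against the tools' defaults and can reject code the hooks just formatted. Passing them explicitly, `run: black --check --line-length=120 app/` and `run: isort --check-only --profile=black --line-length=120 app/`, keeps the two gates identical. Separately, `mypy app/ || true` can never fail, which is the pattern this commit removes from the Safety step; `continue-on-error: true` on the step would keep it non-blocking while still recording the step's outcome as failed. The lint job these steps belong to starts outside the hunk.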
@@ -26,14 +26,14 @@ repos:
 hooks:
 - id: black
 language_version: python3.11
- args: [--line-length=127]
+ args: [--line-length=120]
 # Python import sorting
 - repo: https://github.com/PyCQA/isort
 rev: 5.13.2
 hooks:
 - id: isort
- args: [--profile=black, --line-length=127]
+ args: [--profile=black, --line-length=120]
 # Python linting
 - repo: https://github.com/PyCQA/flake8
@@ -41,7 +41,7 @@ repos:
 hooks:
 - id: flake8
 args: [
- --max-line-length=127,
+ --max-line-length=120,
 --extend-ignore=E203,E501,W503,
 --exclude=migrations,
 ]
diff --git a/Makefile b/Makefile
index 32528b7e..6ca06a43 100644
--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,7 @@
 # Common development and testing tasks
 .PHONY: help install test test-smoke test-unit test-integration test-security test-coverage \
- test-fast test-parallel lint format clean docker-build docker-run setup dev
+ test-fast test-parallel lint format clean docker-build docker-run setup dev security-scan frontend-a11y
 # Default target
 help:
@@ -34,6 +34,7 @@ help:
 @echo " make format - Format code (black + isort)"
 @echo " make format-check - Check code formatting"
 @echo " make security-scan - Run security scanners"
+ @echo " make frontend-a11y - Run accessibility check on web app (requires app running; set FRONTEND_URL)"
 @echo ""
 @echo "Docker:"
 @echo " make docker-build - Build Docker image"
@@ -109,7 +110,7 @@ test-debug:
 lint:
 @echo "Running flake8..."
 flake8 app/ --count --select=E9,F63,F7,F82 --show-source --statistics
- flake8 app/ --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
+ flake8 app/ --count --max-complexity=10 --max-line-length=120 --statistics
 format:
 @echo "Running black..."
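Review bot: In the flake8 hook of `.pre-commit-config.yaml`, `--max-line-length=120` has no effect because the next argument, `--extend-ignore=E203,E501,W503`, ignores E501, the line-length check itself. The CI step and the Makefile `lint` target changed in this commit run `flake8 app/ --count --max-complexity=10 --max-line-length=120 --statistics` without `--exit-zero` and without this ignore list, so, unless a flake8 config file outside this diff says otherwise, they block on E501 and on E203 while the hook lets both through. Either drop E501 from the hook's ignore list or move the flake8 options into one shared config file so all three call sites enforce the same rules.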
@@ -125,9 +126,16 @@ format-check:
 security-scan:
 @echo "Running bandit..."
- bandit -r app/ || true
+ bandit -r app/
 @echo "Running safety..."
- safety check --file requirements.txt || true
+ safety check --file requirements.txt
+
+# Frontend quality: accessibility check (requires app running at FRONTEND_URL, default http://localhost:3000)
+FRONTEND_URL ?= http://localhost:3000
+frontend-a11y:
+ @echo "Accessibility check: $(FRONTEND_URL)"
+ @command -v npx >/dev/null 2>&1 || { echo "npx not found; install Node.js or run: npx pa11y $(FRONTEND_URL)"; exit 0; }
+ npx --yes pa11y "$(FRONTEND_URL)" 2>/dev/null || echo "Run: npx pa11y $(FRONTEND_URL) (start app first). See docs/development/FRONTEND_QUALITY_GATES.md"
 # Docker targets
 docker-build:
diff --git a/docker-compose.yml b/docker-compose.yml
index 80f2f2aa..f937e9e2 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -37,7 +37,7 @@ services:
 - CURRENCY=${CURRENCY:-EUR}
 - ROUNDING_MINUTES=${ROUNDING_MINUTES:-1}
 - SINGLE_ACTIVE_TIMER=${SINGLE_ACTIVE_TIMER:-true}
- - ALLOW_SELF_REGISTER=${ALLOW_SELF_REGISTER:-true}
+ - ALLOW_SELF_REGISTER=${ALLOW_SELF_REGISTER:-false}
 - IDLE_TIMEOUT_MINUTES=${IDLE_TIMEOUT_MINUTES:-30}
 - ADMIN_USERNAMES=${ADMIN_USERNAMES:-admin}
 # IMPORTANT: Change SECRET_KEY in production! Used for sessions and CSRF tokens.
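Review bot: The `frontend-a11y` recipe in the Makefile runs `npx --yes pa11y "$(FRONTEND_URL)"`, which downloads and executes whatever pa11y release the registry currently serves, with no prompt and no version pin, on every machine that calls the target. Pinning it, `npx --yes pa11y@<PINNED_VERSION> "$(FRONTEND_URL)"`, or installing it from a lockfile makes the executed code reviewable. The same line ends in `2>/dev/null || echo …` and the guard above it uses `exit 0`, so the target always succeeds and hides pa11y's own error output; as written it is a report, not a gate. In `security-scan`, make stops at the first failing recipe line, so a bandit finding now prevents `safety check` from running at all; running the two as separate targets under `make -k`, or collecting both exit codes before failing, keeps both results visible.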
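Review bot: The new `false` default for `ALLOW_SELF_REGISTER` is set only in `docker-compose.yml`; the application's own default and any other compose or `.env` example files are outside this diff, so deployments that do not go through this file may still start with self-registration open. It is also an upgrade-time behaviour change: installs that relied on the old default lose sign-up without warning, and with `ADMIN_USERNAMES` defaulting to `admin` the first-run path for creating that account should be confirmed to work with registration closed. I would add a comment above the line, `# Self-registration is off by default; set ALLOW_SELF_REGISTER=true only for deployments that intend open sign-up`, and a matching changelog entry. The environment list this line belongs to starts and ends outside the hunk.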