diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index d273e40..2e6829b 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -29,10 +29,10 @@ jobs:
           git clone --depth 1 --branch "${GITHUB_REF_NAME}" \
             "https://oauth2:${{ github.token }}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .
 
-      - name: Install tools
+      - name: Install dev tools
         run: pip install -q ruff mypy
 
-      - name: Syntax check
+      - name: Python syntax check
         run: python -m py_compile run.py wsgi.py app/*.py app/**/*.py
 
       - name: Ruff lint
@@ -41,8 +41,14 @@ jobs:
       - name: Ruff format
         run: ruff format --check app/ tests/ fpaste
 
-      - name: Type check
-        run: mypy app/ --ignore-missing-imports --no-error-summary || echo "::warning::mypy found issues"
+      - name: Type check (informational)
+        run: |
+          # mypy strict mode - track progress, don't fail CI yet
+          errors=$(mypy app/ --ignore-missing-imports 2>&1 | grep -c "error:" || true)
+          echo "mypy found $errors type errors"
+          if [ "$errors" -gt 20 ]; then
+            echo "::warning::mypy errors increased to $errors (baseline: 20)"
+          fi
         continue-on-error: true
 
   security:
@@ -58,17 +64,23 @@ jobs:
           git clone --depth 1 --branch "${GITHUB_REF_NAME}" \
             "https://oauth2:${{ github.token }}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .
 
-      - name: Upgrade pip and install dependencies
+      - name: Install dependencies
         run: |
           pip install -q --upgrade pip
           pip install -q -r requirements.txt
           pip install -q bandit pip-audit
 
-      - name: Bandit scan
-        run: bandit -r app/ -ll -q
+      - name: Bandit security scan
+        run: |
+          # -ll = medium and high severity only
+          # -q = quiet, only show issues
+          bandit -r app/ -ll -q
 
-      - name: Dependency audit
-        run: pip-audit --progress-spinner=off || echo "::warning::pip-audit found issues"
+      - name: Dependency audit (informational)
+        run: |
+          # Check for known vulnerabilities in dependencies
+          # Warnings only - container base packages often have issues
+          pip-audit --progress-spinner=off || echo "::warning::pip-audit found vulnerabilities"
         continue-on-error: true
 
   test:
@@ -88,7 +100,13 @@ jobs:
       - name: Install dependencies
         run: |
           pip install -q -r requirements.txt
-          pip install -q pytest
+          pip install -q pytest pytest-cov
 
       - name: Run tests
         run: pytest tests/ -v --tb=short
+
+      - name: Run tests with coverage
+        run: |
+          pytest tests/ --cov=app --cov-report=term-missing --cov-fail-under=70 || \
+            echo "::warning::Coverage below 70%"
+        continue-on-error: true
diff --git a/app/api/routes.py b/app/api/routes.py
index 569761c..5e7cb4a 100644
--- a/app/api/routes.py
+++ b/app/api/routes.py
@@ -420,9 +420,7 @@ def generate_challenge(difficulty_override: int | None = None) -> dict[str, Any]
     }
 
 
-def verify_pow(
-    token: str, solution: str, min_difficulty: int | None = None
-) -> tuple[bool, str]:
+def verify_pow(token: str, solution: str, min_difficulty: int | None = None) -> tuple[bool, str]:
     """Verify proof-of-work solution. Returns (valid, error_message).
 
     Accepts tokens with difficulty >= min_difficulty. The solution must meet the
@@ -1019,9 +1017,7 @@ class RegisterView(MethodView):
         if ca_info is None or "certificate_pem" not in ca_info:
             ca_info = get_ca_info(skip_enabled_check=True)
         ca_cert = x509.load_pem_x509_certificate(ca_info["certificate_pem"].encode())
-        client_cert = x509.load_pem_x509_certificate(
-            cert_info["certificate_pem"].encode()
-        )
+        client_cert = x509.load_pem_x509_certificate(cert_info["certificate_pem"].encode())
         client_key = serialization.load_pem_private_key(
             cert_info["private_key_pem"].encode(), password=None
         )
@@ -1044,9 +1040,7 @@ class RegisterView(MethodView):
 
         # Return PKCS#12 as binary download
         response = Response(p12_data, mimetype="application/x-pkcs12")
-        response.headers["Content-Disposition"] = (
-            f'attachment; filename="{common_name}.p12"'
-        )
+        response.headers["Content-Disposition"] = f'attachment; filename="{common_name}.p12"'
         response.headers["X-Fingerprint-SHA1"] = cert_info["fingerprint_sha1"]
         response.headers["X-Certificate-Expires"] = str(cert_info["expires_at"])
         return response
@@ -1211,7 +1205,7 @@ class PasteView(MethodView):
             return error_response("No updates provided", 400)
 
         # Execute update (fields are hardcoded strings, safe from injection)
-        update_sql = f"UPDATE pastes SET {', '.join(update_fields)} WHERE id = ?"  # noqa: S608
+        update_sql = f"UPDATE pastes SET {', '.join(update_fields)} WHERE id = ?"  # noqa: S608  # nosec B608
         update_params.append(paste_id)
         db.execute(update_sql, update_params)
         db.commit()
@@ -1376,7 +1370,7 @@ class PastesListView(MethodView):
 
         # Count total pastes matching filters (where_sql is safe, built from constants)
         count_row = db.execute(
-            f"SELECT COUNT(*) as total FROM pastes WHERE {where_sql}",  # noqa: S608
+            f"SELECT COUNT(*) as total FROM pastes WHERE {where_sql}",  # noqa: S608  # nosec B608
             params,
         ).fetchone()
         total = count_row["total"] if count_row else 0
@@ -1389,7 +1383,7 @@ class PastesListView(MethodView):
                FROM pastes
                WHERE {where_sql}
                ORDER BY created_at DESC
-               LIMIT ? OFFSET ?""",  # noqa: S608
+               LIMIT ? OFFSET ?""",  # noqa: S608  # nosec B608
             [*params, limit, offset],
         ).fetchall()