feat: add git pre-push hook to prevent direct pushes to protected branches

This commit introduces a pre-push Git hook that prevents direct
pushes to the `main` and `dev` branches. This enforces the use of
pull requests for merging changes into these protected branches,
promoting code review and maintaining branch stability.

The changes include:
- Adding a `install-git-hooks` target to the Makefile to symlink
 the pre-push script into the `.git/hooks/` directory.
- Creating the `scripts/git-hooks/pre-push` script that checks the
 target branch and aborts the push if it matches a protected branch.
- Updating the `CONTRIBUTING.md` file to instruct developers to
 install the Git hooks after setting up their development
 environment.

CONTRIBUTING.md

@@ -33,6 +33,9 @@ Follow these steps to set up your development environment and gain access to all
     *   Install web frontend dependencies: `make install`
     *   *(Mobile app dependencies will be installed within their respective directories later.)*
 
+- **Install Git Hooks:**
+    -   Run `make install-git-hooks` to set up local safeguards that prevent direct pushes to protected branches (`main` and `dev`). **This is a mandatory step.**
+
 7.  **Firebase Project Access Validation (CTO will provide access):**
     *   Confirm you have access to the `dev` Firebase/GCP project.
     *   Verify you can run `firebase login` and `gcloud auth login` successfully.

Makefile

@@ -74,3 +74,9 @@ create-issues-from-file:
 	@echo "--> Creating GitHub issues from file..."
 	@./scripts/create_issues.py
 
+# --- Development Tools ---
+install-git-hooks:
+	@echo "--> Installing Git hooks..."
+	@ln -sf ../../scripts/git-hooks/pre-push .git/hooks/pre-push
+	@echo "✅ pre-push hook installed successfully. Direct pushes to 'main' and 'dev' are now blocked."
+

scripts/git-hooks/pre-push

@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# --- Protected Branches ---
+PROTECTED_BRANCHES="^(main|dev)$"
+
+# Read stdin to get push details
+while read local_ref local_sha remote_ref remote_sha; do
+    # Extract the branch name from the remote ref (e.g., refs/heads/branch-name)
+    branch_name=$(echo "$remote_ref" | sed 's!refs/heads/!!')
+
+    # Check if the pushed branch matches our protected branches
+    if echo "$branch_name" | grep -qE "$PROTECTED_BRANCHES"; then
+        echo "----------------------------------------------------------------"
+        echo "❌ ERROR: Direct pushes to the '$branch_name' branch are forbidden."
+        echo "Please use a pull request to merge your changes."
+        echo "----------------------------------------------------------------"
+        exit 1 # Abort the push
+    fi
+done
+
+exit 0 # Allow the push