
ci(supply-chain): add Dependabot config#1176

Merged
pedrofuentes merged 2 commits into
mainfrom
ci/supply-chain
Jun 19, 2026

Conversation

@pedrofuentes (Owner) commented Jun 19, 2026

P6 — Supply-chain hardening (CI/config-only)

Adds Dependabot configuration. No source, test, package.json, or existing-workflow changes.

Files added

  • .github/dependabot.yml (version 2)
    • npm ecosystem covering the pnpm monorepo via directories: ["/", "/packages/cli", "/packages/core", "/packages/web"], weekly, minor+patch grouped into one PR, commit-message.prefix: chore(deps), open-pull-requests-limit: 10.
    • github-actions ecosystem at /, weekly, grouped, commit-message.prefix: ci(deps).

Code Scanning

CodeQL is now handled by GitHub's built-in code-scanning default setup, enabled at the repo level. The previously-included advanced .github/workflows/codeql.yml has been removed because GitHub does not allow an advanced CodeQL workflow and the default setup to coexist — the two are mutually exclusive.

Verification

  • YAML parses cleanly (pyyaml safe_load).
  • pnpm typecheck and pnpm lint pass unchanged.
  • Single ci(...) commit (TDD-exempt).
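The description above lists the properties the new dependabot.yml is supposed to have (two ecosystems, root-relative directories, weekly schedule, grouping, a PR limit) and the verification step only checks that the YAML parses. The following script is an added example, not the repository's file or tooling: it encodes those properties as checks, plus the one a supply-chain reviewer adds, that no `ignore` rule is broad enough to hide security updates. `SAMPLE_CONFIG` is a constructed mapping equal to what `yaml.safe_load` would return for the file as described; `BAD_CONFIG` is a hypothetical variant written to trip the checks. The group names and the `patterns: ["*"]` grouping for actions are assumptions, since the PR text does not show the raw file.

```python
"""Static checks for a Dependabot v2 config: ecosystems, directories, schedule,
PR limit, and ignore rules that would also suppress security updates.

Added example, not the repository's own file or tooling.  SAMPLE_CONFIG is a
constructed mapping equal to what yaml.safe_load would return for the file the
PR describes; BAD_CONFIG is a hypothetical variant written to trip the checks.
"""
from collections.abc import Callable
from pathlib import Path

KNOWN_ECOSYSTEMS = {"npm", "github-actions", "pip", "gomod", "cargo", "docker",
                    "bundler", "maven", "gradle", "nuget", "composer", "terraform"}
INTERVALS = {"daily", "weekly", "monthly"}

SAMPLE_CONFIG = {
    "version": 2,
    "updates": [
        {"package-ecosystem": "npm",
         "directories": ["/", "/packages/cli", "/packages/core", "/packages/web"],
         "schedule": {"interval": "weekly"},
         "groups": {"minor-and-patch": {"update-types": ["minor", "patch"]}},
         "commit-message": {"prefix": "chore(deps)"},
         "open-pull-requests-limit": 10},
        {"package-ecosystem": "github-actions",
         "directory": "/",
         "schedule": {"interval": "weekly"},
         "groups": {"actions": {"patterns": ["*"]}},
         "commit-message": {"prefix": "ci(deps)"}},
    ],
}

BAD_CONFIG = {  # hypothetical; each commented entry trips one check
    "version": 2,
    "updates": [
        {"package-ecosystem": "npm",
         "directory": "packages/web",                 # not repo-root relative
         "schedule": {"interval": "weekly"},
         "open-pull-requests-limit": 0,               # silently turns version updates off
         "ignore": [{"dependency-name": "lodash"}]},  # unscoped: blocks security PRs too
    ],
}


def audit_dependabot(config: dict,
                     dir_exists: Callable[[str], bool] = lambda d: True) -> list[str]:
    """Return findings as strings; an empty list means the config passed."""
    findings: list[str] = []
    if config.get("version") != 2:
        findings.append("version must be 2")
    updates = config.get("updates")
    if not isinstance(updates, list) or not updates:
        return findings + ["no updates entries"]
    for i, upd in enumerate(updates):
        tag = f"updates[{i}]"
        eco = upd.get("package-ecosystem")
        if eco not in KNOWN_ECOSYSTEMS:
            findings.append(f"{tag}: unknown package-ecosystem {eco!r}")
        # Exactly one of directory / directories; every path is root-relative and real.
        if ("directory" in upd) == ("directories" in upd):
            findings.append(f"{tag}: need exactly one of directory/directories")
        dirs = upd.get("directories", [upd["directory"]] if "directory" in upd else [])
        for d in dirs:
            if not d.startswith("/"):
                findings.append(f"{tag}: directory {d!r} must be repo-root relative")
            elif not dir_exists(d):
                findings.append(f"{tag}: directory {d!r} does not exist")
        if (upd.get("schedule") or {}).get("interval") not in INTERVALS:
            findings.append(f"{tag}: schedule.interval missing or invalid")
        # A limit of 0 disables version updates for the ecosystem: an easy-to-miss opt-out.
        if upd.get("open-pull-requests-limit") == 0:
            findings.append(f"{tag}: open-pull-requests-limit: 0 disables version updates")
        # Ignore rules apply to security updates as well, so a rule with neither a
        # versions range nor update-types hides vulnerable releases of that dependency.
        for rule in upd.get("ignore", []):
            if not rule.get("versions") and not rule.get("update-types"):
                findings.append(f"{tag}: ignore rule for {rule.get('dependency-name')!r} "
                                "is unscoped and suppresses security updates")
    return findings


def audit_file(path: Path) -> list[str]:
    """Parse a real .github/dependabot.yml with PyYAML and check its directories on disk."""
    import yaml  # PyYAML; imported lazily so the checks above need no third-party package
    repo_root = path.resolve().parent.parent        # .github/dependabot.yml -> repo root
    config = yaml.safe_load(path.read_text())
    return audit_dependabot(config, lambda d: (repo_root / d.lstrip("/")).is_dir())


if __name__ == "__main__":
    print("sample:", audit_dependabot(SAMPLE_CONFIG) or "no findings")
    for finding in audit_dependabot(BAD_CONFIG):
        print("bad:", finding)
```

Run it against a checkout with `audit_file(Path(".github/dependabot.yml"))`; the `dir_exists` callback is injected so the same checks run offline against a mapping, which is also how a CI job would unit-test them.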

pedrofuentes and others added 2 commits June 18, 2026 20:59
Co-authored-by: Copilot <175574315+pedrofuentes@users.noreply.github.com>
… CodeQL workflow

GitHub code-scanning default setup is enabled for this private repo and is
mutually exclusive with an advanced CodeQL workflow, so the advanced
.github/workflows/codeql.yml is removed. Dependabot config is unchanged.

Co-authored-by: Copilot <175574315+pedrofuentes@users.noreply.github.com>
@pedrofuentes pedrofuentes changed the title from "ci(supply-chain): add Dependabot config and CodeQL scanning workflow" to "ci(supply-chain): add Dependabot config" Jun 19, 2026
@pedrofuentes (Owner, Author) commented

Status: APPROVED

Sentinel Review Report

Ref: ci/supply-chain → main
Report ID: SENT-1176-4ee4dcc
Reviewed SHA: 4ee4dcc
Sentinel ruleset: v1
Reviewed at: 2026-06-18T21:40:00-07:00
Mode: standard
Review depth: Tier 2 (full)
Required action: MERGE

Phase 0 — Binding

  • Branch: ci/supply-chain → main; PR ci(supply-chain): add Dependabot config #1176
  • Reviewed SHA: 4ee4dcc (verified HEAD == reviewed SHA via gh pr view 1176 --json headRefOid → 4ee4dcc5fc7b23e1284529864d132ded1f93dd0a)
  • Net diff vs main: 1 file, .github/dependabot.yml (+32) — confirmed via git diff main...HEAD --stat
  • Branch history: ebd2705 ci(supply-chain): add Dependabot config and CodeQL scanning workflow; 4ee4dcc ci(supply-chain): use code scanning default setup instead of advanced CodeQL workflow. The add-then-remove of codeql.yml is intentional (repo uses code-scanning default setup, mutually exclusive with advanced CodeQL workflow); net diff is dependabot.yml only. Not flagged.

Phase 1 — TDD / Test Evidence

  • Classification: Fully-exempt PR — ALL commits are ci(supply-chain) and the only changed file is .github/dependabot.yml. Per ruleset §Exemptions, checks 1–4 (test existence, test-first ordering, no-gaming, untested-paths) are N/A for a ci config-only change.
  • Tests exist & meaningful: N/A (exempt — no behavior-bearing source changed)
  • Test-first history verified: N/A (exempt ci)
  • Full suite green on SHA: ✅ ⚠️ parent-provided evidence + CI. GitHub Actions all green on SHA 4ee4dcc — verified via gh pr view 1176 --json statusCheckRollup: Typecheck, Lint & Test SUCCESS, Typecheck & Lint SUCCESS, Unit Tests (shard 1/4..4/4) all SUCCESS, E2E, Integration & Security Tests SUCCESS, CodeQL / Analyze (actions) / Analyze (javascript-typescript) all SUCCESS. A .github/dependabot.yml change is not imported/loaded by the suite, so check 5 satisfied without a local full run (⚠️ no-code; suite run skipped, corroborated by CI).
  • Coverage: N/A (threshold not enforced in invocation; config-only diff)

Phase 1.5 — Fast-path Evaluation

🔴 count: 0 | LOC: 32 (≤150: Y) | Security paths: N | New deps: N | Commit types qualify: N (ci is not in the fast-path skip set {fix, refactor, docs, test, style, chore})
→ Fast-path eligible: NO (commit-type criterion unmet) → proceeded to Phase 2

Phase 2 — Execution Log

  Dim | Tool call                                                                    | Agent ID / Ref | Status
  A1  | task(agent_type="general-purpose", model="claude-sonnet-4.6", name="dim-a1") | dim-a1         | ✅ No findings
  A2  | task(agent_type="general-purpose", model="claude-sonnet-4.6", name="dim-a2") | dim-a2         | ✅ No findings
  B   | N/A (exempt: ci selective dispatch)                                          |                | ⏭️
  C   | N/A (exempt: ci selective dispatch)                                          |                | ⏭️
  D   | N/A (exempt: ci selective dispatch)                                          |                | ⏭️
  E   | task(agent_type="general-purpose", name="dim-e")                             | dim-e          | ✅ No findings
  F   | task(agent_type="general-purpose", name="dim-f")                             | dim-f          | ✅ No findings

Selective dispatch rationale: chore/build/ci PRs dispatch A1, A2, E, F; B, C, D logged N/A (exempt). Dim E NOT auto-skipped — .github/dependabot.yml is a supply-chain/package-manager governance config. Report persisted to PR #1176 via gh pr comment.

Phase 2 dimension highlights

  • A1 verified existing CI workflows whose reachability Dependabot PRs touch: ci.yml/release-please.yml use pull_request/push (no pull_request_target with PR checkout); third-party actions SHA-pinned; permissions: minimal (contents: read in CI). No attacker-reachable path introduced.
  • A2: no secrets/high-entropy strings; no auto-merge directive; no ignore rules suppressing security updates.
  • E: Dependabot config is sound — npm + github-actions ecosystems, weekly schedule, minor+patch grouping, open-pull-requests-limit: 10; references existing directories (/, /packages/cli|core|web). Adds no actual dependencies/manifests/lockfiles.
  • F: config-only change requires no documentation update; repo uses Release Please (CHANGELOG auto-generated — check skipped).

Findings

  • 🔴 CRITICAL: 0
  • 🟡 IMPORTANT: 0 new / 0 known
  • 🟢 MINOR: 0

Details (ordered by severity)

None.

Follow-ups & Actions

  • APPROVED → MERGE. No new 🟡/🟢 findings to file.
  • Record Report ID: SENT-1176-4ee4dcc + SHA: 4ee4dcc in the merge commit.

Decision rationale

  • Net diff is a single 32-line .github/dependabot.yml config file; no source/test/build code changed.
  • Fully-exempt ci PR: TDD checks 1–4 N/A; check 5 (suite green) satisfied via green CI on the reviewed SHA (⚠️ parent-provided evidence).
  • All four applicable dimensions (A1, A2, E, F) dispatched in parallel via sub-agents; every one returned "No findings."
  • No secrets, no trust-boundary changes, no dependency additions; Dependabot config references existing directories and is well-formed.
  • HEAD SHA == reviewed SHA (4ee4dcc); zero 🔴/🟡/🟢 → APPROVED.
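The A1 highlight in the report above names three properties of the existing workflows that matter once Dependabot starts opening PRs: triggers use pull_request/push rather than pull_request_target with a checkout of the PR head, third-party actions are SHA-pinned, and permissions are minimal. The script below is an added example, not the repository's ci.yml or its review tooling, that turns those three properties into a check over parsed workflow files. Both sample workflows are constructed mappings (what `yaml.safe_load` returns); the action names, the `example-org` owner and the 40-hex placeholder SHA are hypothetical.

```python
"""Audit GitHub Actions workflows for three properties: no pull_request_target
that checks out the PR head, every action pinned to a full commit SHA, and an
explicit least-privilege permissions block.

Added example, not the repository's ci.yml or its review tooling.  Both sample
workflows are constructed mappings (what yaml.safe_load returns); the action
names, org and SHA placeholder are hypothetical.
"""
import re
from pathlib import Path

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
PR_HEAD_EXPRS = ("github.event.pull_request.head", "github.head_ref")
PIN = "0123456789abcdef0123456789abcdef01234567"   # placeholder 40-hex commit SHA

SAFE_WORKFLOW = {
    "name": "ci",
    True: {"pull_request": {}, "push": {"branches": ["main"]}},  # PyYAML parses `on:` as True
    "permissions": {"contents": "read"},
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": f"actions/checkout@{PIN}"},
        {"uses": f"pnpm/action-setup@{PIN}"},
        {"run": "pnpm install --frozen-lockfile && pnpm test"},
    ]}},
}

UNSAFE_WORKFLOW = {  # hypothetical preview-deploy job with the classic pwn-request shape
    "name": "pr-preview",
    "on": {"pull_request_target": {}},
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"uses": "example-org/deploy-preview@main",
         "with": {"token": "${{ secrets.DEPLOY_TOKEN }}"}},
    ]}},
}


def audit_workflow(wf: dict) -> list[str]:
    """Return findings for one parsed workflow; an empty list means it passed."""
    findings: list[str] = []
    triggers = wf.get("on", wf.get(True, {}))
    if isinstance(triggers, str):
        triggers = [triggers]
    # pull_request_target runs in the base repo with its secrets and a write-capable token.
    privileged = "pull_request_target" in triggers
    perms = wf.get("permissions")
    if perms is None:
        findings.append("no top-level permissions block; token scope falls back to the "
                        "repository default")
    elif perms == "write-all":
        findings.append("permissions: write-all grants the full token to every job")
    elif privileged and isinstance(perms, dict) and "write" in perms.values():
        findings.append("write permissions on a pull_request_target workflow")
    for job_name, job in (wf.get("jobs") or {}).items():
        for n, step in enumerate(job.get("steps") or []):
            uses = step.get("uses")
            if not uses or uses.startswith(("./", "docker://")):
                continue                           # local or image step: no git ref to pin
            action, _, ref = uses.partition("@")
            if not FULL_SHA.match(ref):
                findings.append(f"{job_name}[{n}]: {uses} is not pinned to a full commit SHA")
            # The dangerous combination: privileged trigger plus checkout of fork-controlled code.
            if privileged and action == "actions/checkout":
                ref_expr = str((step.get("with") or {}).get("ref", ""))
                if any(e in ref_expr for e in PR_HEAD_EXPRS):
                    findings.append(f"{job_name}[{n}]: pull_request_target checks out the PR "
                                    f"head ({ref_expr}); fork code runs with secrets")
    return findings


def audit_workflows_dir(workflows: Path) -> dict[str, list[str]]:
    """Load every .github/workflows/*.yml with PyYAML and audit it."""
    import yaml  # PyYAML; lazy so audit_workflow itself needs no third-party package
    return {p.name: audit_workflow(yaml.safe_load(p.read_text()))
            for p in sorted(workflows.glob("*.y*ml"))}


if __name__ == "__main__":
    print("safe:", audit_workflow(SAFE_WORKFLOW) or "no findings")
    for finding in audit_workflow(UNSAFE_WORKFLOW):
        print("unsafe:", finding)
```

The tag-vs-SHA check is what makes Dependabot's github-actions ecosystem useful: once actions are pinned to commit SHAs, Dependabot is the thing that bumps the pin, so a tag moved by a compromised action author cannot change what CI runs without a reviewed PR.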

@pedrofuentes pedrofuentes merged commit c558d01 into main Jun 19, 2026
10 checks passed
@pedrofuentes pedrofuentes deleted the ci/supply-chain branch June 19, 2026 04:40
