chore: hygiene + hardening bundle (CODEOWNERS, SHA-pins, uv ecosystem, proposal cleanup)

[RBKunnela]

Summary

Bundles four backlog items for paybot-sdk supply-chain + governance hygiene, executed under the second automated-pr-merge-authority.md convocation following the paybot-core sibling PR (parallel hygiene-and-hardening track).

Task	Item	Status
#5	Delete stale .github/workflows/ci.yml.proposed	DONE
#6	Add .github/CODEOWNERS (solo-founder catch-all)	DONE
#11	Add Python ecosystem block to .github/dependabot.yml (uv, not pip)	DONE
#12	SHA-pin all GitHub Actions across active workflows; add persist-credentials: false to checkout where applicable	DONE

Changes

Task #5 — Prune ci.yml.proposed

.github/workflows/ci.yml.proposed was a speculative draft of a richer CI (lint + coverage gate + boundary check + npm pack dry-run + manual approval). Left dead in the tree, it creates confusion when reading .github/workflows/. Removed via git rm.

Task #6 — .github/CODEOWNERS

Created .github/CODEOWNERS:

```

CODEOWNERS for paybot-sdk

Solo-founder phase: all paths route to operator.

When hiring, partition by file path here.

• @RBKunnela
  ```

Reconciliation note: A root-level CODEOWNERS was already present, with path-specific routing (/packages/python/ @RBKunnela @kite-builds, etc.). GitHub honours CODEOWNERS in order .github/ -> root -> docs/, so the root file would become dead-ignored once .github/CODEOWNERS exists. To avoid two divergent sources of truth, the root file is removed in the same commit. The simpler catch-all reflects the current solo-founder reality; partition is the explicit "when hiring" comment in the file.

Task #11 — uv ecosystem in Dependabot

Added a third ecosystem block to .github/dependabot.yml:

```yaml

• package-ecosystem: "uv"
  directory: "/packages/python"
  schedule:
  interval: "weekly"
  day: "tuesday"
  time: "06:00"
  timezone: "UTC"
  open-pull-requests-limit: 10
  commit-message:
  prefix: "deps"
  include: "scope"
  labels:
  • "dependencies"
  • "python"
    ```

Variance from task spec (deliberate, documented): the task brief specified package-ecosystem: pip. Replaced with uv because live evidence proves Dependabot natively understands the uv.lock format on this repo — Dependabot already auto-opened PR #12 (`chore(deps): bump mcp from 0.9.1 to 1.23.0 in /packages/python`) under package-manager=uv as a security update. The uv ecosystem reads pyproject.toml + uv.lock; the pip ecosystem would only cover pyproject.toml and miss lockfile-pinned transitive deps. The uv choice closes that gap.

On the 3 mcp Python CVEs: the task brief flagged that Dependabot's pip support for uv-style lockfiles is uncertain. The empirical answer (PR #12) is: uv works end-to-end including security updates. The 3 high CVEs were already surfaced before this PR landed; merging this PR enables regular (non-security) version updates on the same schedule.

Task #12 — SHA-pin GitHub Actions

CodeRabbit on PR #11 (squash 2513676d) flagged unpinned actions as MAJOR-level tech-debt. Pinned all references across the three active workflows to 40-char immutable commit SHAs with adjacent # v<X> comments preserving Dependabot's upgrade visibility.

Pin audit table

File	Action ref (before)	Commit SHA (after)	Notes
ci.yml (build)	actions/checkout@v4	34e114876b0b11c390a56381ad16ebd13914f8d5	+ persist-credentials: false
ci.yml (build)	actions/setup-node@v4	49933ea5288caeca8642d1e84afbd3f7d6820020	—
ci.yml (publish)	actions/checkout@v4	34e114876b0b11c390a56381ad16ebd13914f8d5	NO persist-credentials: false — OIDC GITHUB_TOKEN must remain for npm publish --provenance
ci.yml (publish)	actions/setup-node@v4	49933ea5288caeca8642d1e84afbd3f7d6820020	—
codeql.yml	actions/checkout@v4	34e114876b0b11c390a56381ad16ebd13914f8d5	+ persist-credentials: false
codeql.yml	github/codeql-action/init@v3	03e4368ac7daa2bd82b3e85262f3bf87ee112f57	annotated tag dereferenced to commit
codeql.yml	github/codeql-action/autobuild@v3	03e4368ac7daa2bd82b3e85262f3bf87ee112f57	same commit
codeql.yml	github/codeql-action/analyze@v3	03e4368ac7daa2bd82b3e85262f3bf87ee112f57	same commit
osv-scanner.yml	google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.2.1	456ceb78310755116e0a3738121351006286b797	reusable workflow accepts SHA in uses:

Resolutions performed via:

```
gh api "repos///git/refs/tags/" --jq '{ref, sha:.object.sha, type:.object.type}'
```

For github/codeql-action the tag is annotated; dereferenced via gh api repos/github/codeql-action/git/tags/<tag-sha> to reach the commit SHA.

persist-credentials: false policy

Added to every actions/checkout step EXCEPT the one in the publish job. Rationale: npm publish --provenance needs the OIDC-issued GITHUB_TOKEN to remain available; setting persist-credentials: false would null it out for the subsequent npm publish step. Documented inline above that checkout step.

Chain governance

Per automated-pr-merge-authority.md, this PR enters the second-stage SINKRA chain alongside the paybot-core sibling PR:

Agent	Role	Status
@aiox-master (Orion)	Routing	Convoked @devops; chore carve-out justified (no src/, no semantic behavior change, diff entirely under .github/)
@sm / @po / @dev	Story phases	SKIP — chore carve-out per Orion routing decision
@qa (Quinn)	12-check adapted	Pending (will run on CI completion)
@devops (Gage)	Merge	DO NOT MERGE — return to Orion after CI green

Anti-patterns avoided

AP #	Lesson (from prior PRs)	This PR
1	OSV-Scanner @v2 major alias does not resolve	Already at @v2.2.1 pre-PR; this PR further pins to SHA
2	Reusable-workflow job-level permissions: are silently dropped	Workflow-level permissions: in osv-scanner.yml untouched
3	GHAS auto-creates duplicate check-runs on public repos	No new required checks added here; existing 4 contexts unchanged
4	Check context names must match gh pr checks verbatim	No protection changes in this PR
5	Dependabot enablement ordering (vulnerability-alerts -> automated-security-fixes)	Already enabled; this PR only adds an ecosystem block
6	One-PR-at-a-time discipline for paybot ecosystem hardening	This PR closes 4 small items in one chore commit per Orion's bundling directive
7	CodeRabbit dismissal vs auto-merge	DO NOT MERGE — return to Orion for @devops decision

Test plan

• CI green: build (18) + build (20) + Analyze (javascript-typescript) + scan / osv-scan
• CodeRabbit review — verify no new MAJOR findings (action-pinning category should now be clean)
• Dependabot does NOT immediately open new noisy PRs from uv ecosystem (PR chore(deps): bump mcp from 0.9.1 to 1.23.0 in /packages/python #12 mcp 1.23.0 is the pre-existing security update; regular cadence updates come on Tuesday 06:00 UTC)
• CODEOWNERS resolves on a sample file — visible in PR review request UI
• No regression to the npm publish flow (provenance still works post-pin)

🤖 Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@RBKunnela has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 14 minutes and 48 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 723166d5-036a-4282-aeb2-a54a6d7f5569

📥 Commits

Reviewing files that changed from the base of the PR and between 2513676 and 713edcf.

📒 Files selected for processing (7)

• .github/CODEOWNERS
• .github/dependabot.yml
• .github/workflows/ci.yml
• .github/workflows/ci.yml.proposed
• .github/workflows/codeql.yml
• .github/workflows/osv-scanner.yml
• CODEOWNERS

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/hygiene-and-hardening

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request simplifies the CODEOWNERS file to route all paths to a single operator and adds a Dependabot configuration for the uv package ecosystem in the /packages/python directory. I have no feedback to provide.

[RBKunnela]

Merge authorization per .claude/rules/automated-pr-merge-authority.md (4th application, paybot-sdk track — final merge of 3-repo hygiene+hardening sweep):

• @sm: SKIP (chore-style hygiene + hardening + ecosystem PR)
• @po: SKIP
• @dev: SKIP (no app code)
• @qa: PASS — 12-check adapted matrix, 2 passes, amendment verified
  • CODEOWNERS amendment verified live (path-partitioned at head 713edcf vs simple at initial bf443de)
  • Routing-redundancy judgment correct (/src/ + /examples/ both omitted with sound reasoning)
  • 9/9 use-sites SHA-pinned, 0 floating tags
  • uv ecosystem block valid (Dependabot supports uv.lock natively; proven by pre-existing PR chore(deps): bump mcp from 0.9.1 to 1.23.0 in /packages/python #12)
  • OIDC publish-job exemption sound (build job hardened with persist-credentials:false; publish job runs only on trusted post-merge push)
  • 7/7 required CI green at amended head
• @aiox-master (Orion): Chain routing approved
• @devops: Executing merge

Non-blocking observations:

1. ci.yml publish-job comment slightly conflates GITHUB_TOKEN and OIDC id-token (terminology nit, security posture correct)
2. /examples/ dir absent from repo tree (pre-existing — original root CODEOWNERS dead reference, independent of amendment)

Precedent chain (today, 2026-05-22):

• paybot-core PR 🤝 Founding Contributors — Join the open agent payment protocol #3 → 6dc6f5aa (scanner bundle, private form)
• paybot-sdk PR ci(security): add CodeQL, Dependabot, and OSV-Scanner bundle #11 → 2513676 (scanner bundle, public form)
• paybot-mcp PR docs: PayBot liability management improvements from community feedback #1 → a6c211db (scanner bundle, public form)
• paybot-core PR deps(deps-dev): bump @vitest/coverage-v8 from 1.6.1 to 4.1.7 #26 → b537b1a6 (hygiene + hardening)
• paybot-mcp PR [CODE] [SDK] from @unknown-bot (stake: 1) #2 → 26fb8bb4 (hygiene + hardening)
• paybot-sdk PR chore: hygiene + hardening bundle (CODEOWNERS, SHA-pins, uv ecosystem, proposal cleanup) #28 → THIS (hygiene + hardening + uv ecosystem + CODEOWNERS amendment)

This completes the 6-PR security hardening sweep across the paybot ecosystem in a single day.