diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..bb4757e --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,17 @@ +# Dependabot version updates. +# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates + +version: 2 +updates: + # Swift Package Manager dependencies (FluidAudio, etc.) in Package.swift. + - package-ecosystem: "swift" + directory: "/" + schedule: + interval: weekly + + # Keep the SHA-pinned GitHub Actions fresh (they're pinned to commit SHAs for + # supply-chain safety; Dependabot proposes version bumps as PRs). + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: weekly diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml new file mode 100644 index 0000000..7f34544 --- /dev/null +++ b/.github/workflows/claude-code-review.yml 
@@ -0,0 +1,69 @@ +name: Claude Code Review + +# Auto-review every PR. Auth via the CLAUDE_CODE_OAUTH_TOKEN secret created by +# running `/install-github-app` in Claude Code. If that secret is absent the job +# is skipped (so the workflow is harmless until the app is installed). + +"on": + pull_request: + types: [opened, synchronize] + +permissions: + contents: read + pull-requests: write + id-token: write + +concurrency: + group: "claude-review-${{ github.event.pull_request.number }}" + cancel-in-progress: true + +jobs: + review: + runs-on: ubuntu-latest + # Only review PRs from the same repo (head has access to secrets). + if: ${{ github.event.pull_request.head.repo.full_name == github.repository }} + steps: + - name: Check for Claude token + id: token + env: + CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} + run: echo "present=${CLAUDE_CODE_OAUTH_TOKEN:+true}" >> "$GITHUB_OUTPUT" + + - name: Checkout PR + if: steps.token.outputs.present == 'true' + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + fetch-depth: 1 + + - name: Claude review + if: steps.token.outputs.present == 'true' + uses: anthropics/claude-code-action@0cb4f3e5e764d2e00407d29b6bf0aa9df0976d88 # v1 + with: + claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} + prompt: | + REPO: ${{ github.repository }} + PR NUMBER: ${{ github.event.pull_request.number }} + + Review this pull request for Parley (a macOS menu-bar meeting + transcriber written in Swift: SwiftUI app + XPC audio-capture service + + TranscriberCore logic library). Be concise and high-signal — only + flag things that matter. Focus on: + - Correctness bugs, edge cases, and broken error handling, especially + around audio formats, file I/O, XPC lifecycle, and concurrency + (actor isolation, @MainActor, data races). 
+ - Test coverage: per the repo's TDD rule, new or changed logic should + have Swift Testing unit tests (SwiftTests/TranscriberTests/) covering + happy path, edge cases, and invalid inputs. Flag untested new behaviour. + - Security and privacy: leaked secrets/keys, audio/transcript paths or + speaker names logged as .public, unsafe deserialization. + - Clarity and consistency with surrounding code and the architecture + described in CLAUDE.md. + - Whether behaviour changes are reflected in docs (CLAUDE.md, docs/, + scripts/test-checklist.md). + + The PR branch is already checked out. Post findings as GitHub comments + only — use inline comments for specific lines and one top-level summary + comment. Do not approve or block; just review. + claude_args: | + --max-turns 20 + --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)" diff --git a/.github/workflows/setup-branch-protection.yml b/.github/workflows/setup-branch-protection.yml deleted file mode 100644 index 5dde9c1..0000000 --- a/.github/workflows/setup-branch-protection.yml +++ /dev/null 
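Review bot: The `permissions` block grants `id-token: write`, but none of the visible steps uses an OIDC token — the action is authenticated with `claude_code_oauth_token` from the repository secret — so unless anthropics/claude-code-action needs it for its own token exchange in OAuth-token mode (check the action's docs), drop it and keep the job at `contents: read` plus `pull-requests: write`. The `review` job also has no `timeout-minutes`; `--max-turns 20` bounds the conversation, not wall-clock time, so add something like `timeout-minutes: 20` next to `runs-on`. Worth a line in the header comment: PRs opened by Dependabot (which the new dependabot.yml will generate) run `pull_request` with read-only permissions and without repository secrets, so the token check writes an empty `present=` and the review is skipped for them — presumably intended, but otherwise it looks like a misconfiguration. The same-repo `if` is good defence in depth, but the PR diff is untrusted input to the model and the allow-list includes `Bash(gh pr comment:*)`, so any future widening of `--allowedTools` (e.g. to `Bash(*)`) should be reviewed as a security change, not a convenience tweak.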
@@ -1,44 +0,0 @@ -name: Setup Branch Protection - -on: - workflow_dispatch: - push: - branches: - - main - paths: - - '.github/workflows/setup-branch-protection.yml' - -permissions: - administration: write - contents: read - -jobs: - protect-main: - runs-on: ubuntu-latest - steps: - - name: Configure main branch protection - # Status check context "test" matches the job name in .github/workflows/test.yml (workflow: Tests) - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - gh api \ - --method PUT \ - -H "Accept: application/vnd.github+json" \ - /repos/${{ github.repository }}/branches/main/protection \ - --input - <<'EOF' - { - "required_status_checks": { - "strict": true, - "contexts": ["test"] - }, - "enforce_admins": true, - "required_pull_request_reviews": { - "dismiss_stale_reviews": true, - "require_code_owner_reviews": false, - "required_approving_review_count": 0, - "require_last_push_approval": false - }, - "restrictions": null, - "required_conversation_resolution": true - } - EOF