chore(ci): branch-protection parity with mailrag (#78)

.github/dependabot.yml

@@ -0,0 +1,17 @@
+# Dependabot version updates.
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  # Swift Package Manager dependencies (FluidAudio, etc.) in Package.swift.
+  - package-ecosystem: "swift"
+    directory: "/"
+    schedule:
+      interval: weekly
+
+  # Keep the SHA-pinned GitHub Actions fresh (they're pinned to commit SHAs for
+  # supply-chain safety; Dependabot proposes version bumps as PRs).
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: weekly

.github/workflows/claude-code-review.yml

@@ -0,0 +1,69 @@
+name: Claude Code Review
+
+# Auto-review every PR. Auth via the CLAUDE_CODE_OAUTH_TOKEN secret created by
+# running `/install-github-app` in Claude Code. If that secret is absent the job
+# is skipped (so the workflow is harmless until the app is installed).
+
+"on":
+  pull_request:
+    types: [opened, synchronize]
+
+permissions:
+  contents: read
+  pull-requests: write
+  id-token: write
+
+concurrency:
+  group: "claude-review-${{ github.event.pull_request.number }}"
+  cancel-in-progress: true
+
+jobs:
+  review:
+    runs-on: ubuntu-latest
+    # Only review PRs from the same repo (head has access to secrets).
+    if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
+    steps:
+      - name: Check for Claude token
+        id: token
+        env:
+          CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+        run: echo "present=${CLAUDE_CODE_OAUTH_TOKEN:+true}" >> "$GITHUB_OUTPUT"
+
+      - name: Checkout PR
+        if: steps.token.outputs.present == 'true'
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          fetch-depth: 1
+
+      - name: Claude review
+        if: steps.token.outputs.present == 'true'
+        uses: anthropics/claude-code-action@0cb4f3e5e764d2e00407d29b6bf0aa9df0976d88 # v1
+        with:
+          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          prompt: |
+            REPO: ${{ github.repository }}
+            PR NUMBER: ${{ github.event.pull_request.number }}
+
+            Review this pull request for Parley (a macOS menu-bar meeting
+            transcriber written in Swift: SwiftUI app + XPC audio-capture service
+            + TranscriberCore logic library). Be concise and high-signal — only
+            flag things that matter. Focus on:
+            - Correctness bugs, edge cases, and broken error handling, especially
+              around audio formats, file I/O, XPC lifecycle, and concurrency
+              (actor isolation, @MainActor, data races).
+            - Test coverage: per the repo's TDD rule, new or changed logic should
+              have Swift Testing unit tests (SwiftTests/TranscriberTests/) covering
+              happy path, edge cases, and invalid inputs. Flag untested new behaviour.
+            - Security and privacy: leaked secrets/keys, audio/transcript paths or
+              speaker names logged as .public, unsafe deserialization.
+            - Clarity and consistency with surrounding code and the architecture
+              described in CLAUDE.md.
+            - Whether behaviour changes are reflected in docs (CLAUDE.md, docs/,
+              scripts/test-checklist.md).
+
+            The PR branch is already checked out. Post findings as GitHub comments
+            only — use inline comments for specific lines and one top-level summary
+            comment. Do not approve or block; just review.
+          claude_args: |
+            --max-turns 20
+            --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)"