ci: enforce PR-based workflow with branch protection, DOX tracking, Dependabot

[ZeR020]

Description

Sets up the professional GitHub workflow infrastructure so all future changes (from agents and humans alike) follow a proper PR-based process.

Type of Change

• Documentation update
• Bug fix
• New feature
• Breaking change
• Performance improvement
• Refactoring

Changes

Branch protection (already live on GitHub)

• enforce_admins: true — owner can no longer bypass protection; all changes must go through PRs
• required_linear_history: true — squash merge only, clean history
• allow_force_pushes: false — no force-push to main

DOX hierarchy tracked in git

• Fixed .gitignore with !AGENTS.md exception so the 14 AGENTS.md files are version-controlled
• Future agent sessions will now see the workflow rules in their context
• Root AGENTS.md documents: no direct commits to main, PR-based delivery, squash merge, Conventional Commits PR titles, release process, contributor credits

Dependabot

• Added .github/dependabot.yml: weekly npm dependency updates, 5 PR limit, chore commit prefix, dependencies label

PR template improved

• Added docs/CHANGELOG.md update checklist item
• Added "Changelog Entry" section for one-line summary
• Added "Contributor Credit" section for crediting issue reporters

Checklist

• I have run bun run typecheck and it passes
• I have run bun run test and all tests pass
• I have run bun run build and it succeeds
• I have run bun run format:check and it passes
• My code follows the project's style guidelines

Testing

Pre-commit hook passed (security checks, typecheck, lint-staged/Prettier). Pre-push hook passed (DeepSource local lint). No code changes — only docs and CI config.

Related Issues

N/A — infrastructure improvement

Changelog Entry

Added: Dependabot config, PR-based workflow enforcement, DOX hierarchy tracked in git

Contributor Credit

N/A

Summary by CodeRabbit

• Documentation

  • Added and expanded repository guidance for contributing, testing, releases, and code ownership across the project.
  • Improved pull request templates with clearer change types, testing details, and release note prompts.
  • Added directory-level docs to keep standards consistent for app, services, scripts, web UI, and tests.

• Chores

  • Enabled automated dependency update checks for project packages.
  • Updated ignore rules to better track the main repository guidance files.

[deepsource-io]

DeepSource Code Review

We reviewed changes in fcbad22...fc016b0 on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card

Overall Grade

Security   Reliability   Complexity   Hygiene

Code Review Summary

Analyzer	Status	Updated (UTC)	Details
JavaScript		Jun 28, 2026 4:01p.m.	Review ↗
Secrets		Jun 28, 2026 4:01p.m.	Review ↗

---

Important

AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

Adds a complete hierarchy of AGENTS.md documentation files establishing the "DOX framework" — a binding documentation contract covering the root, .github/, .husky/, docs/, scripts/, src/ (and its service/web subtrees), and tests/. Also adds a Dependabot npm config, expands the PR template, and updates .gitignore to track the root AGENTS.md.

Changes

DOX Framework and Repository Configuration

Layer / File(s)	Summary
Root AGENTS.md and GitHub config AGENTS.md, .github/AGENTS.md, .github/dependabot.yml, .github/pull_request_template.md, .gitignore	Root AGENTS.md defines the DOX framework rules, opencode-mem0 ownership, verification commands, and child DOX index. Dependabot weekly npm monitoring, expanded PR template sections, and a .gitignore exception to track root AGENTS.md are added alongside.
Leaf AGENTS.md files: husky, docs, scripts, tests .husky/AGENTS.md, docs/AGENTS.md, scripts/AGENTS.md, tests/AGENTS.md	Documents hook responsibilities and local contracts for Husky pre-commit/pre-push gates, documentation synchronization rules for docs/, script ownership and CI alignment for scripts/, and Vitest test suite conventions and HOME isolation for tests/.
src/ and service-layer AGENTS.md files src/AGENTS.md, src/services/AGENTS.md, src/services/ai/AGENTS.md, src/services/ai/providers/AGENTS.md, src/services/sqlite/AGENTS.md, src/services/user-profile/AGENTS.md, src/services/vector-backends/AGENTS.md, src/web/AGENTS.md	Adds module-purpose, ownership, local contracts, and verification guidance for the plugin entry points, all service subsystems, and the Memory Explorer web UI static assets.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐇 Hopping through the repo tree,
I planted docs for all to see.
Each folder now has rules to guide,
With AGENTS.md tucked inside.
No secrets lost, no contracts bare —
The DOX framework shows I care! 🌿

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main workflow, branch-protection, and Dependabot changes in the PR.
Description check	✅ Passed	The description covers all required template sections and adds useful detail on changes, testing, and follow-up info.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/professional-workflow-setup

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[Copilot]

Pull request overview

Introduces a DOX (AGENTS.md) documentation hierarchy and supporting GitHub workflow configuration to enforce a PR-based contribution process, plus automation for dependency updates.

Changes:

• Adds AGENTS.md “work contract” docs across key repository subtrees (root, src/, services subdomains, tests/, docs/, scripts/, .github/, .husky/).
• Updates .gitignore to ensure AGENTS.md files are version-controlled.
• Adds Dependabot configuration and improves the PR template to align with the project workflow.

Reviewed changes

Copilot reviewed 16 out of 17 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
AGENTS.md	Adds root DOX framework contract + repo-wide workflow/verification rules.
src/AGENTS.md	Documents ownership and contracts for the src/ subtree.
src/services/AGENTS.md	Documents the service layer structure, API surface, and subsystem boundaries.
src/services/ai/AGENTS.md	Documents AI provider subsystem structure/contracts and child index.
src/services/ai/providers/AGENTS.md	Documents provider implementation contracts and safety rules for extra params.
src/services/sqlite/AGENTS.md	Documents SQLite layer responsibilities and invariants.
src/services/vector-backends/AGENTS.md	Documents vector backend interface seam and fallback behavior.
src/services/user-profile/AGENTS.md	Documents user profile subsystem boundaries and retention constraints.
src/web/AGENTS.md	Documents web UI asset pipeline and XSS boundary expectations.
tests/AGENTS.md	Documents Vitest conventions, HOME isolation, mocking, and verification commands.
docs/AGENTS.md	Documents the documentation set and which docs are “source of truth”.
scripts/AGENTS.md	Documents build/lint/migration scripts and local verification expectations.
.github/AGENTS.md	Documents GitHub workflows/templates ownership and constraints.
.husky/AGENTS.md	Documents pre-commit/pre-push hook responsibilities and invariants.
.github/pull_request_template.md	Expands PR template checklist and adds changelog/credit sections.
.github/dependabot.yml	Adds Dependabot version update configuration.
.gitignore	Adjusts ignore rules to ensure AGENTS.md files are tracked.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fc016b0d7b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Use the Bun Dependabot ecosystem

This repository's dependency lockfile is bun.lock and CI installs with Bun, but this config asks Dependabot to run the npm updater. GitHub's Dependabot reference lists Bun as its own package-ecosystem: "bun" and npm separately, so Bun dependency PRs opened from this entry will not maintain the Bun lockfile that the project actually uses, leaving merged dependency updates with a stale lockfile.

Useful? React with 👍 / 👎.