diff --git a/.coderabbit.yaml b/.coderabbit.yaml
deleted file mode 100644
index 9d76648..0000000
--- a/.coderabbit.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-# CodeRabbit configuration — relaxed for a solo-maintainer repo.
-# Reviews are helpful but not blocking. Auto-review only on PRs, never on drafts.
-reviews:
-  profile: chill
-  auto_review:
-    enabled: true
-    drafts: false
-    base_branches: ["main"]
-  path_filters:
-    - "!**/dist/**"
-    - "!**/node_modules/**"
-    - "!**/*.lock"
-    - "!**/graphify-out/**"
-    - "!**/.opencode/**"
-    - "!**/coverage/**"
-  path_instructions:
-    - path: "src/services/**/*.ts"
-      instructions: |
-        Focus on memory management, SQLite operations, and vector
-        search correctness. Flag unhandled promise rejections or
-        missing error handling. Do not nitpick style — Prettier
-        and DeepSource already enforce formatting and lint rules.
-    - path: "tests/**/*.ts"
-      instructions: |
-        Ensure tests use proper vitest patterns and mock cleanup.
-        Check for test isolation — no shared state between tests.
-        Do not request tests for trivial one-liners.
-chat:
-  auto_reply: false
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index ab266d9..6f27174 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -10,3 +10,9 @@ updates:
     commit-message:
       prefix: "chore"
       include: scope
+    # Only minor and patch updates by default — major bumps require manual
+    # review since they often break types or APIs (e.g. TypeScript 6 removed
+    # implicit Bun globals, @ai-sdk/openai 4 changed LanguageModel type).
+    update-types:
+      - "version-update:semver-minor"
+      - "version-update:semver-patch"
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
index 01107c7..05320db 100644
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -15,6 +15,9 @@ permissions:
 jobs:
   sonarcloud:
     runs-on: ubuntu-latest
+    # Skip on Dependabot PRs — SONAR_TOKEN isn't available to fork PRs,
+    # causing "Not authorized" failures. Dependabot branches are forks.
+    if: github.event_name != 'pull_request' || !startsWith(github.head_ref, 'dependabot/')
     steps:
       - uses: actions/checkout@v5
         with: