CastQuest · Copilot · May 9, 2026 · May 9, 2026 · May 9, 2026 · May 9, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -33,9 +33,19 @@ jobs:
           format: 'sarif'
           output: 'trivy-results.sarif'
 
+      - name: Check Trivy SARIF output
+        id: trivy_sarif
+        if: always()
+        run: |
+          if [ -s trivy-results.sarif ]; then
+            echo "ready=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "ready=false" >> "$GITHUB_OUTPUT"
+          fi
+
       - name: Upload Trivy results
-        if: success() || failure()
-        uses: github/codeql-action/upload-sarif@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3
+        if: (success() || failure()) && steps.trivy_sarif.outputs.ready == 'true'
+        uses: github/codeql-action/upload-sarif@5e316336eb4f107009e477d4bfbfff13d7250fae # v4
         with:
           sarif_file: 'trivy-results.sarif'
 

diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml
@@ -13,6 +13,8 @@ jobs:
   dependabot:
     runs-on: ubuntu-latest
     if: ${{ github.actor == 'dependabot[bot]' }}
+    env:
+      MERGE_CHECK_TIMEOUT: '15m'
     steps:
       - name: Fetch metadata
         id: metadata
@@ -22,7 +24,14 @@ jobs:
 
       - name: Auto-approve safe updates
         if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
-        run: gh pr review --approve "$PR_URL"
+        run: gh pr review --approve "$PR_URL" --body "Auto-approved after Dependabot metadata validation."
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Wait for required checks (green-only gate)
+        if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
+        run: timeout "$MERGE_CHECK_TIMEOUT" gh pr checks "$PR_URL" --required --watch
         env:
           PR_URL: ${{ github.event.pull_request.html_url }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

diff --git a/apps/admin/package.json b/apps/admin/package.json
@@ -38,7 +38,7 @@
     "zustand": "^4.4.7"
   },
   "devDependencies": {
-    "@types/node": "20.17.12",
+    "@types/node": "^20.17.12",
     "@types/react": "^19.0.0",
     "@types/react-dom": "^19.0.0",
     "@types/ws": "^8.5.10",
@@ -48,4 +48,4 @@
     "tailwindcss": "^3.4.0",
     "typescript": "5.3.3"
   }
-}
+}
diff --git a/docs/DEPENDENCY-HEALTH.md b/docs/DEPENDENCY-HEALTH.md
@@ -101,14 +101,23 @@ Automated health checks run on:
 
 **Actions Performed:**
 - Full health check execution
-- Smart Brain oracle analysis
 - Security audit with pnpm audit
 - Version consistency validation
 - PR comments with health status
 - Auto-create issues on critical failures
 - Generate and upload health reports
 
-### 5. Pre-commit Hooks (`.husky/pre-commit`)
+### 5. Dependabot Automation (`.github/dependabot.yml` + `.github/workflows/dependabot-automerge.yml`)
+
+Automated dependency update management is configured with safety gates:
+
+- Daily Dependabot checks for npm workspace dependencies
+- Grouped patch/minor and major update streams
+- Auto-approval and auto-merge only for patch/minor updates
+- Required-check green gate before merge activation (`gh pr checks --required --watch`)
+- Major updates are labeled for manual review
+
+### 6. Pre-commit Hooks (`.husky/pre-commit`)
 
 Prevents problematic commits before they reach the repository:
 
@@ -136,9 +145,9 @@ The repository maintains consistent versions across all packages:
 | Dependency | Version | Reason |
 |------------|---------|--------|
 | TypeScript | 5.3.3 | Stable, widely supported |
-| @types/node | 20.10.6 | Matches Node.js 20.x LTS |
-| Next.js | 14.2.18 | Latest stable 14.x with security patches |
-| React | 18.2.0 | Stable, production-ready |
+| @types/node | ^20.17.12 | Matches Node.js 20.x LTS range used in apps |
+| Next.js | 14.2.35 / 15.2.4 | Dual baseline (`frames` on 14.x, admin/web on 15.x) |
+| React | 18.2.0 / ^19.0.0 | Dual baseline aligned with package compatibility |
 | Node.js | 20.19.6 | LTS version (see .nvmrc) |
 | pnpm | 9.0.0 | Latest with improved workspace support |
 
@@ -148,6 +157,7 @@ The repository maintains consistent versions across all packages:
 2. **Caret ranges (^)** for tools and utilities to allow patch updates
 3. **Workspace protocol (workspace:*)** for internal packages
 4. **Aligned versions** across all apps and packages for shared dependencies
+5. **Lockfile parity is required**: CI uses `pnpm install --frozen-lockfile`, so `package.json` and `pnpm-lock.yaml` must be committed together
 
 ## Upgrade Procedures
 

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml