domainforge 0.13.0

package/.github/copilot-instructions.md

@@ -0,0 +1,13 @@
+# Copilot Instructions
+
+Use [AGENTS.md](../AGENTS.md) as the canonical source of repository-wide instructions.
+
+Copilot-specific rules:
+
+- Follow `AGENTS.md` for workflow, testing, routing, and state-management behavior.
+- Use `.agents/` as the active shared work-state store.
+- Treat `.agents/` as the only current agent-state directory in this repository.
+- If `.agents/` or its required subfolders are missing and the task needs them, create them before continuing.
+- Keep `.github/copilot-instructions.md` minimal; do not duplicate repository policy here.
+- When work spans multiple steps or handoff is likely, update `.agents/current_state.md` and `.agents/next_steps.md`.
+- You MUST read and follow the instructions in `AGENTS.md` and `.agents/current_state.md` before taking any action.

package/.github/dependabot.yml

@@ -0,0 +1,68 @@
+version: 2
+
+updates:
+  # ---------------------------------------------------------
+  # Rust (Cargo)
+  # ---------------------------------------------------------
+  - package-ecosystem: "cargo"
+    directory: "/domainforge-core"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "04:00"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+      - "rust"
+      - "automerge"
+      - "safe-to-merge"
+    commit-message:
+      prefix: "chore(deps)"
+      include: "scope"
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]
+
+  # ---------------------------------------------------------
+  # JavaScript/TypeScript (npm)
+  # ---------------------------------------------------------
+  - package-ecosystem: "npm"
+    directory: "/domainforge-typescript"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "04:00"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+      - "typescript"
+      - "automerge"
+      - "safe-to-merge"
+    commit-message:
+      prefix: "chore(deps)"
+      include: "scope"
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]
+
+  # ---------------------------------------------------------
+  # GitHub Actions
+  # ---------------------------------------------------------
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "04:00"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "ci"
+      - "automerge"
+      - "safe-to-merge"
+    commit-message:
+      prefix: "chore(deps)"
+      include: "scope"
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]

package/.github/workflows/README.md

@@ -0,0 +1,165 @@
+# GitHub Workflows Documentation
+
+This directory contains the CI/CD workflows for the DomainForge project.
+
+## Workflows Overview
+
+| Workflow                   | Trigger                          | Purpose                                   |
+| -------------------------- | -------------------------------- | ----------------------------------------- |
+| `ci.yml`                   | Push to main/release/**, PRs     | Continuous Integration                    |
+| `release.yml`              | Tag `v*.*.*`                     | Build artifacts, create release, dispatch publishes |
+| `release-npm.yml`          | `workflow_call` from release.yml | Publish napi + WASM to npm                |
+| `release-pypi.yml`         | `workflow_call` from release.yml | Publish Python wheels to PyPI             |
+| `release-crates.yml`       | `workflow_call` from release.yml | Publish to crates.io                      |
+| `prepare-release.yml`      | Manual trigger                   | Automate version bump and release PR      |
+| `dependabot-automerge.yml` | Dependabot PRs                   | Auto-merge safe dependency updates        |
+| `dependency-review.yml`    | PRs                              | Review dependency changes for security    |
+
+## Workflow Details
+
+### `ci.yml` - Continuous Integration
+
+Main CI pipeline that runs on pushes to `main` and `release/**` branches, as well as pull requests targeting `main`.
+
+**Jobs:**
+
+- **lint**: Runs `rustfmt` and `clippy` on all Rust code
+- **test-rust**: Runs Rust tests on Linux, macOS, and Windows
+- **test-python**: Runs Python tests on Python 3.11 and 3.12
+- **test-typescript**: Runs TypeScript/Vitest tests
+- **test-integration**: Minimal integration checks including registry ambiguity validation
+- **test-wasm**: Builds and validates WASM bundle size
+- **security**: Runs `cargo audit` for security vulnerabilities
+
+### `release.yml` - Release Builds
+
+Triggered on version tags (`v*.*.*`). Builds release artifacts for all platforms.
+
+**Supported Targets:**
+
+| Target                      | OS Runner      | Notes                      |
+| --------------------------- | -------------- | -------------------------- |
+| `x86_64-unknown-linux-gnu`  | ubuntu-latest  | Standard Linux             |
+| `x86_64-apple-darwin`       | macos-15-intel | Intel Mac                  |
+| `x86_64-pc-windows-msvc`    | windows-2025-vs2026 | Windows                    |
+| `aarch64-apple-darwin`      | macos-15       | Apple Silicon              |
+| `aarch64-unknown-linux-gnu` | ubuntu-latest  | ARM Linux (cross-compiled) |
+
+**Jobs:**
+
+- **build-release**: Builds CLI binaries for all targets
+- **build-python-wheels**: Builds Python wheels for all targets
+- **build-wasm-release**: Builds optimized WASM bundle
+- **create-release**: Creates GitHub release with all artifacts
+- **publish-pypi**: Calls `release-pypi.yml` to publish wheels to PyPI
+- **publish-npm**: Calls `release-npm.yml` to publish napi + WASM to npm
+- **publish-crates**: Calls `release-crates.yml` to publish `domainforge-core` to crates.io
+
+### `prepare-release.yml` - Release Automation
+
+Manually triggered workflow to automate version bumping and release PR creation.
+
+**Inputs:**
+
+- `version_bump`: Choose `patch`, `minor`, or `major`
+- `prerelease`: Optional suffix like `alpha`, `beta`, or `rc1`
+
+**What it does:**
+
+1. Calculates new version based on bump type
+2. Updates `domainforge-core/Cargo.toml` with new version
+3. Prepares CHANGELOG.md entry
+4. Creates a release PR with checklist
+
+### Publishing Workflows
+
+| Workflow             | Registry  | Notes                                            |
+| -------------------- | --------- | ------------------------------------------------ |
+| `release-npm.yml`    | npm       | Publishes both napi bindings AND WASM package    |
+| `release-pypi.yml`   | PyPI      | Publishes wheels for all platforms including ARM |
+| `release-crates.yml` | crates.io | Publishes `domainforge-core` crate                       |
+
+## Bundle Size Thresholds
+
+| Artifact     | Limit | Notes                                    |
+| ------------ | ----- | ---------------------------------------- |
+| WASM bundle  | 2.5MB | Harmonized across ci.yml and release.yml |
+| CLI binary   | 50MB  | Per-platform binary                      |
+| CLI artifact | 70MB  | Packaged archive (tar.gz/zip)            |
+
+## Local Testing to Match CI
+
+```bash
+# Run all tests
+just all-tests
+
+# Or individually
+just rust-test
+just python-test
+just ts-test
+
+# WASM build and size check
+cd domainforge-core
+wasm-pack build --target web --features wasm
+SIZE=$(python3 -c "import os; print(os.path.getsize('pkg/domainforge_core_bg.wasm'))")
+echo "WASM bundle size: $SIZE bytes (threshold: 2621440)"
+[ "$SIZE" -lt 2621440 ] && echo "PASS" || echo "FAIL"
+
+# Lint checks
+cargo fmt --all --check
+cargo clippy --all-targets --all-features -- -D warnings
+```
+
+## Release Process
+
+### Automated (Recommended)
+
+1. Go to Actions → "Prepare Release" → Run workflow
+2. Select version bump type (patch/minor/major)
+3. Review and merge the created PR
+4. Create and push tag: `git tag v<version> && git push --tags`
+5. `release.yml` runs automatically on the tag: it builds artifacts, creates the GitHub Release, and then calls the three publish workflows (`release-pypi.yml`, `release-npm.yml`, `release-crates.yml`) via `workflow_call`.
+
+> **Note:** Publishing is dispatched by `release.yml` via `workflow_call`, not by the `release: published` event. This is intentional: events produced by the default `GITHUB_TOKEN` do not trigger downstream workflows, so relying on `release: published` would silently skip publishing when the release is created automatically. Calling the publish workflows directly from `release.yml` is deterministic and requires no extra tokens.
+
+### Manual
+
+1. Bump version in `domainforge-core/Cargo.toml`
+2. Update `CHANGELOG.md`
+3. Commit and push
+4. Create and push tag: `git tag v<version> && git push --tags`
+5. `release.yml` builds, creates the release, and dispatches publishes automatically
+
+## Cache Management
+
+All workflows use GitHub Actions cache (v5) with a `CACHE_VERSION` environment variable. To bust all caches:
+
+1. Increment `CACHE_VERSION` in the workflow file
+2. This is useful when dependencies are corrupted or need a fresh start
+
+## Secrets Required
+
+| Secret           | Used By               | Purpose                       |
+| ---------------- | --------------------- | ----------------------------- |
+| `SOPS_AGE_KEY`   | All publish workflows | Decrypt encrypted secrets     |
+| `PYPI_API_TOKEN` | release-pypi.yml      | PyPI publishing (fallback)    |
+| `GITHUB_TOKEN`   | All workflows         | GitHub API access (automatic) |
+
+## Troubleshooting
+
+### ARM Linux Cross-Compilation
+
+ARM Linux targets use either `cross` (for CLI) or `zig` (for Python wheels) for cross-compilation. If builds fail:
+
+1. Check that the target toolchain is installed
+2. Verify cross/zig are working correctly
+3. ARM Linux builds cannot be verified locally on x86 runners
+
+### Publish Failures
+
+All publish workflows have `continue-on-error: true` or `--skip-existing` to handle:
+
+- Package already published (re-runs)
+- Network issues (will fail but won't block other jobs)
+
+To check if a publish actually succeeded, verify the package on the respective registry.

package/.github/workflows/ci.yml

@@ -0,0 +1,335 @@
+name: CI
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  push:
+    branches: [main, release/**]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+  security-events: write
+
+env:
+  CARGO_TERM_COLOR: always
+  RUST_BACKTRACE: 1
+  CARGO_INCREMENTAL: 0
+  CACHE_VERSION: v4 # Increment to bust all caches
+  CLI_MAX_BYTES: "52428800" # 50MB
+  WASM_MAX_BYTES: "2621440" # 2.5MB
+
+jobs:
+  lint:
+    name: Lint & Format
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          components: rustfmt, clippy
+
+      - name: Cache cargo registry
+        uses: actions/cache@v5
+        with:
+          path: ~/.cargo/registry/index
+          key: ${{ runner.os }}-${{ env.CACHE_VERSION }}-cargo-index
+
+      - name: Cache cargo build
+        uses: actions/cache@v5
+        with:
+          path: |
+            ~/.cargo/registry/cache
+            ~/.cargo/git/db
+          key: ${{ runner.os }}-${{ env.CACHE_VERSION }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-${{ env.CACHE_VERSION }}-cargo-
+
+      - name: Run rustfmt
+        run: cargo fmt --all --check
+
+      - name: Run clippy
+        run: cargo clippy --all-targets --all-features -- -D warnings
+
+  test-rust:
+    name: Test Rust (${{ matrix.os }})
+    needs: lint
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            target: x86_64-unknown-linux-gnu
+          - os: macos-latest
+            target: aarch64-apple-darwin
+          - os: windows-2025-vs2026
+            target: x86_64-pc-windows-msvc
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: ${{ matrix.target }}
+
+      - name: Install just
+        uses: extractions/setup-just@v4
+
+      - name: Cache dependencies
+        uses: actions/cache@v5
+        with:
+          path: |
+            ~/.cargo/registry/index
+            ~/.cargo/registry/cache
+            ~/.cargo/git/db
+          key: ${{ runner.os }}-${{ env.CACHE_VERSION }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-${{ env.CACHE_VERSION }}-cargo-
+
+      - name: Run unit tests
+        run: just ci-test-rust
+
+      - name: Build release CLI binary (verify)
+        run: |
+          cd domainforge-core
+          cargo build --release --target ${{ matrix.target }} --features cli
+
+      - name: Resolve CLI binary path
+        if: matrix.os != 'windows-2025-vs2026'
+        run: |
+          CLI_BIN=$(python3 scripts/resolve_rust_binary.py --workspace "$(pwd)" --name domainforge --profile release --target-triple ${{ matrix.target }} --require-executable)
+          echo "Resolved CLI binary: $CLI_BIN"
+          echo "CLI_BIN=$CLI_BIN" >> "$GITHUB_ENV"
+
+      - name: Resolve CLI binary path (windows)
+        if: matrix.os == 'windows-2025-vs2026'
+        shell: pwsh
+        run: |
+          $workspace = (Get-Location).Path
+          $cliBin = python scripts/resolve_rust_binary.py --workspace "$workspace" --name domainforge --profile release --target-triple ${{ matrix.target }} --require-executable
+          Write-Host "Resolved CLI binary: $cliBin"
+          "CLI_BIN=$cliBin" >> $env:GITHUB_ENV
+
+      - name: Verify CLI binary executes
+        run: just ci-verify-binary "${{ env.CLI_BIN }}"
+
+      - name: Check CLI binary size
+        run: just ci-check-binary-size "${{ env.CLI_BIN }}" "${{ env.CLI_MAX_BYTES }}"
+
+  test-python:
+    name: Test Python (${{ matrix.python-version }})
+    needs: lint
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest]
+        python-version: ["3.11", "3.12"]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Install just
+        uses: extractions/setup-just@v4
+
+      - name: Cache dependencies
+        uses: actions/cache@v5
+        with:
+          path: |
+            ~/.cargo/registry/index
+            ~/.cargo/registry/cache
+            ~/.cargo/git/db
+          key: ${{ runner.os }}-${{ env.CACHE_VERSION }}-py${{ matrix.python-version }}-${{ hashFiles('**/Cargo.lock', 'requirements*.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-${{ env.CACHE_VERSION }}-py${{ matrix.python-version }}-
+
+      - name: Setup Python environment
+        run: just python-setup
+
+      - name: Run Python tests
+        run: just ci-test-python
+
+  test-typescript:
+    name: Test TypeScript
+    needs: lint
+    timeout-minutes: 20
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 24
+
+      - name: Set up Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Install just
+        uses: extractions/setup-just@v4
+
+      - name: Cache dependencies
+        uses: actions/cache@v5
+        with:
+          path: |
+            ~/.cargo/registry/index
+            ~/.cargo/registry/cache
+            ~/.cargo/git/db
+          key: ${{ runner.os }}-${{ env.CACHE_VERSION }}-ts-${{ hashFiles('**/Cargo.lock', 'bun.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-${{ env.CACHE_VERSION }}-ts-
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Build TypeScript bindings
+        # Build inside domainforge-typescript/ (where the napi package + config live).
+        # Root index.js re-exports domainforge-typescript/index.js, so the test loader
+        # (imported by tests via '../index') resolves the native binary in place.
+        run: cd domainforge-typescript && bun run build
+
+      - name: Run TypeScript tests
+        run: just ci-test-ts
+
+  test-integration:
+    name: Minimal Integration Check
+    needs: [test-rust, test-typescript]
+    timeout-minutes: 20
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Install Node
+        uses: actions/setup-node@v6
+        with:
+          node-version: 24
+
+      - name: Set up Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+
+      - name: Build domainforge binary
+        run: cargo build -p domainforge-core --bin domainforge --features cli
+
+      - name: Build TypeScript bindings (minimal)
+        run: |
+          bun install --frozen-lockfile
+          cd domainforge-typescript && bun run build
+
+      - name: Minimal registry ambiguity check
+        shell: bash
+        run: |
+          tmpdir=$(mktemp -d)
+          tee "$tmpdir/.sea-registry.toml" > /dev/null <<'EOF'
+          version = 1
+          default_namespace = "default"
+
+          [[namespaces]]
+          namespace = "a"
+          patterns = ["domains/*/warehouse.sea"]
+
+          [[namespaces]]
+          namespace = "b"
+          patterns = ["domains/*/warehouse.sea"]
+          EOF
+          mkdir -p "$tmpdir/domains/logistics"
+          echo 'Entity "Warehouse"' > "$tmpdir/domains/logistics/warehouse.sea"
+
+          # Test that --fail-on-ambiguity properly detects ambiguous matches
+          # The command should fail and output an error message
+          set +e  # Temporarily disable exit on error
+          output=$(./target/debug/domainforge registry resolve --fail-on-ambiguity "$tmpdir/domains/logistics/warehouse.sea" 2>&1)
+          exit_code=$?
+          set -e  # Re-enable exit on error
+
+          if [ $exit_code -ne 0 ] && echo "$output" | grep -q "multiple namespaces"; then
+            echo "✓ Ambiguity detection working correctly"
+            echo "Output: $output"
+            exit 0
+          else
+            echo "✗ Expected ambiguity error but got:"
+            echo "Exit code: $exit_code"
+            echo "Output: $output"
+            exit 1
+          fi
+
+  test-wasm:
+    name: Test WASM
+    needs: lint
+    timeout-minutes: 20
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: wasm32-unknown-unknown
+
+      - name: Install just
+        uses: extractions/setup-just@v4
+
+      - name: Cache dependencies
+        uses: actions/cache@v5
+        with:
+          path: |
+            ~/.cargo/registry/index
+            ~/.cargo/registry/cache
+            ~/.cargo/git/db
+          key: ${{ runner.os }}-${{ env.CACHE_VERSION }}-wasm-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-${{ env.CACHE_VERSION }}-wasm-
+
+      - name: Install wasm-pack
+        run: cargo install wasm-pack --locked
+
+      - name: Build WASM
+        run: |
+          cd domainforge-core
+          wasm-pack build --target web --features wasm
+
+      - name: Check bundle size
+        run: |
+          WASM_FILE="domainforge-core/pkg/domainforge_core_bg.wasm"
+          python3 scripts/ci_tasks.py check-size --file "$WASM_FILE" --max-bytes "${{ env.WASM_MAX_BYTES }}" --label "WASM bundle"
+
+  security:
+    name: Security Audit
+    needs: lint
+    timeout-minutes: 10
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Run cargo audit
+        uses: rustsec/audit-check@v1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}

package/.github/workflows/dependabot-automerge.yml

@@ -0,0 +1,114 @@
+name: Dependabot Auto Merge
+
+on:
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - labeled
+  pull_request_review:
+    types:
+      - submitted
+
+permissions:
+  contents: write
+  pull-requests: write
+  checks: read
+  statuses: read
+
+jobs:
+  auto-merge:
+    name: Auto-merge Dependabot PRs
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out
+        uses: actions/checkout@v6
+
+      - name: Extract Dependabot metadata
+        id: dependabot
+        uses: dependabot/fetch-metadata@v2
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Safety gate – block major updates
+        if: steps.dependabot.outputs.update-type == 'version-update:semver-major'
+        run: |
+          echo "Major update detected. Auto-merge disabled."
+          exit 0
+
+      - name: Safety gate – ensure all checks pass
+        id: check_status
+        run: |
+          sleep 10
+          
+          checks=$(gh pr checks ${{ github.event.pull_request.number }} --json state,conclusion 2>/dev/null || echo '[]')
+          
+          if [ "$checks" = "[]" ] || [ -z "$checks" ]; then
+            echo "No checks found. Cannot verify CI. Failing."
+            exit 1
+          fi
+          
+          failed=$(echo "$checks" | jq -r '.[] | select(.state=="COMPLETED") | select(.conclusion=="FAILURE") | .conclusion' | head -1)
+          if [ ! -z "$failed" ]; then
+            echo "Some checks failed."
+            exit 1
+          fi
+          
+          pending=$(echo "$checks" | jq -r '.[] | select(.state=="IN_PROGRESS" or .state=="PENDING" or .state=="QUEUED") | .state' | head -1)
+          if [ ! -z "$pending" ]; then
+            MAX_WAIT_SECONDS=${MAX_WAIT_SECONDS:-120}
+            SLEEP_INTERVAL=${SLEEP_INTERVAL:-15}
+            elapsed=0
+            while [ $elapsed -lt $MAX_WAIT_SECONDS ]; do
+              echo "Checks still pending (${elapsed}s elapsed). Waiting ${SLEEP_INTERVAL}s..."
+              sleep $SLEEP_INTERVAL
+              elapsed=$((elapsed + SLEEP_INTERVAL))
+              checks=$(gh api repos/${{ github.repository }}/commits/${{ github.event.pull_request.head.sha }}/check-runs --jq '.check_runs')
+              pending=$(echo "$checks" | jq -r '.[] | select(.state=="IN_PROGRESS" or .state=="PENDING" or .state=="QUEUED") | .state' | head -1)
+              if [ -z "$pending" ]; then
+                echo "All checks completed."
+                break
+              fi
+            done
+            if [ ! -z "$pending" ]; then
+              echo "Checks still pending after ${MAX_WAIT_SECONDS}s. Failing."
+              exit 1
+            fi
+          fi
+          
+          echo "All checks passed."
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Approve PR
+        run: gh pr review ${{ github.event.pull_request.number }} --approve --body "Auto-approved by workflow."
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Apply auto-merge label (optional)
+        run: gh pr edit ${{ github.event.pull_request.number }} --add-label "automerge"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Auto-merge security updates
+        if: steps.dependabot.outputs.update-type == 'security'
+        run: gh pr merge ${{ github.event.pull_request.number }} --merge --delete-branch
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Auto-merge patch & minor updates
+        if: >
+          steps.dependabot.outputs.update-type == 'version-update:semver-patch' ||
+          steps.dependabot.outputs.update-type == 'version-update:semver-minor'
+        run: gh pr merge ${{ github.event.pull_request.number }} --squash --delete-branch
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Print merge decision
+        run: |
+          echo "Dependabot PR processed:"
+          echo " - Update type: ${{ steps.dependabot.outputs.update-type }}"
+          echo " - Auto-merge executed."