security: Restrict Claude and improve Dependabot handling

.github/workflows/claude-code-review.yml

@@ -12,11 +12,8 @@ on:
 
 jobs:
   claude-review:
-    # Optional: Filter by PR author
-    # if: |
-    #   github.event.pull_request.user.login == 'external-contributor' ||
-    #   github.event.pull_request.user.login == 'new-developer' ||
-    #   github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
+    # Skip for Dependabot PRs as they don't have access to secrets
+    if: github.actor != 'dependabot[bot]'
 
     runs-on: ubuntu-latest
     permissions:

.github/workflows/claude-restricted-message.yml

@@ -0,0 +1,42 @@
+name: Claude Restricted Message
+
+on:
+  issue_comment:
+    types: [created]
+  issues:
+    types: [opened]
+
+jobs:
+  notify-restriction:
+    # Only run if someone other than the owner tries to use @claude
+    if: |
+      github.actor != 'niksacdev' &&
+      (
+        (github.event_name == 'issues' && contains(github.event.issue.body, '@claude')) ||
+        (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude'))
+      )
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+    steps:
+      - name: Post restriction message
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const issueNumber = context.issue.number;
+            const actor = context.actor;
+
+            const message = `🤖 **Claude AI Assistant Notice**
+
+            Thank you for your interest in using Claude, @${actor}!
+
+            The Claude AI assistant is currently restricted to repository maintainers only to ensure responsible API usage and cost management.
+
+            Please describe your issue or question in detail, and a maintainer will review and assist you. We appreciate your understanding and contribution to the project!`;
+
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: issueNumber,
+              body: message
+            });

.github/workflows/claude.yml

@@ -12,11 +12,15 @@ on:
 
 jobs:
   claude:
+    # Only allow repository owner to trigger Claude
     if: |
-      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
-      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+      github.actor == 'niksacdev' &&
+      (
+        (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+        (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
+        (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
+        (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+      )
     runs-on: ubuntu-latest
     permissions:
       contents: read

.github/workflows/dependabot-auto-merge.yml

@@ -0,0 +1,36 @@
+name: Dependabot Auto-Merge
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  dependabot:
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
+    steps:
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v2
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Auto-approve Dependabot PRs
+        run: gh pr review --approve "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Enable auto-merge for Dependabot PRs
+        if: |
+          steps.metadata.outputs.update-type == 'version-update:semver-minor' ||
+          steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
+          steps.metadata.outputs.update-type == 'version-update:semver-major'
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

CLAUDE.md

@@ -203,6 +203,12 @@ uv run python scripts/validate_ci_fix.py
 
 ### Commit Best Practices
 
+#### Branch Management (CRITICAL)
+- **Always delete branches after PR merge**: Clean up both local and remote branches
+- **Create new branch for new work**: Never reuse old feature branches
+- **Branch naming**: Use descriptive names like `feat/feature-name` or `fix/bug-description`
+- **Keep main clean**: Always work in feature branches, never commit directly to main
+
 #### Commit Frequency (CRITICAL)
 - **Commit often**: After each logical change (not after hours of work)
 - **Atomic commits**: One logical change per commit

SECURITY.md

@@ -112,12 +112,21 @@ This system is designed with compliance in mind:
    - Implement tamper-proof audit trail
    - Add compliance reporting
 
+## 🤖 AI Assistant
+
+This repository uses Claude AI for automated assistance, but it is **restricted to repository maintainers only** to ensure responsible API usage and cost management. 
+
+If you need help with an issue:
+1. Create a detailed issue describing your problem
+2. A maintainer will review and assist you
+3. Do not mention @claude in your issues or comments as it will not trigger the assistant
+
 ## 📞 Contact
 
 Security Team: [[email protected]]
-Project Maintainer: [your-github-username]
+Project Maintainer: @niksacdev
 
 ---
 
 *Last Updated: August 2025*
-*Security Policy Version: 1.0*
+*Security Policy Version: 1.1*