OPS-18: Dependency update automation and security triage workflow

.github/dependabot.yml

@@ -0,0 +1,77 @@
+# Dependabot configuration for automated dependency updates
+# Policy: docs/ops/DEPENDENCY_UPDATE_POLICY.md
+# Linked issue: #148 (OPS-18)
+
+version: 2
+
+updates:
+  # --- NuGet (backend .NET) ---
+  - package-ecosystem: nuget
+    directory: /backend
+    schedule:
+      interval: weekly
+      day: monday
+      time: "06:00"
+      timezone: America/Chicago
+    open-pull-requests-limit: 10
+    reviewers:
+      - jekyt
+    labels:
+      - dependencies
+      - backend
+    groups:
+      # Group minor/patch updates together to reduce PR noise
+      dotnet-minor-patch:
+        update-types:
+          - minor
+          - patch
+    # Let major versions come as individual PRs for explicit review
+    commit-message:
+      prefix: "deps(nuget)"
+
+  # --- npm (frontend) ---
+  - package-ecosystem: npm
+    directory: /frontend/taskdeck-web
+    schedule:
+      interval: weekly
+      day: monday
+      time: "06:00"
+      timezone: America/Chicago
+    open-pull-requests-limit: 10
+    reviewers:
+      - jekyt
+    labels:
+      - dependencies
+      - frontend
+    groups:
+      # Group minor/patch updates together
+      npm-minor-patch:
+        update-types:
+          - minor
+          - patch
+    commit-message:
+      prefix: "deps(npm)"
+
+  # --- GitHub Actions ---
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+      time: "06:00"
+      timezone: America/Chicago
+    open-pull-requests-limit: 5
+    reviewers:
+      - jekyt
+    labels:
+      - dependencies
+      - ci
+    groups:
+      # Group all Actions updates together since they are low-risk
+      actions-all:
+        update-types:
+          - major
+          - minor
+          - patch
+    commit-message:
+      prefix: "deps(actions)"

docs/IMPLEMENTATION_MASTERPLAN.md

@@ -434,6 +434,11 @@ Delivered in the latest cycle:
    - ArchiveRecovery decomposition: `ArchiveRecoveryService` → `ArchiveConflictDetector` + `RestorePlanner` + `RestoreExecutor`
    - AutomationExecutor decomposition: `AutomationExecutorService` → `OperationParameterParser` + `ExecutionAuditRecorder` + `OperationHandlerRegistry`
    - Deploy/MCP failure injection drills: 5 shell drill scripts + `run-all-drills.sh` orchestrator in `scripts/drills/`
+95. OPS-18 dependency update automation and security triage workflow (`#148`):
+   - added `.github/dependabot.yml` with weekly update schedules for NuGet (`/backend`), npm (`/frontend/taskdeck-web`), and GitHub Actions (`/`) ecosystems
+   - minor/patch updates grouped per ecosystem; major NuGet/npm updates arrive as individual PRs; GitHub Actions updates fully grouped
+   - added `docs/ops/DEPENDENCY_UPDATE_POLICY.md` with update categories, PR verification expectations, severity-based triage SLAs, escalation procedures, and policy boundaries
+   - security triage workflow aligns with existing `docs/security/SECURITY_DEPENDENCY_VULNERABILITY_POLICY.md` severity policy; no auto-merge enabled
 
 ## Current Planning Pivot (2026-03-07)
 

docs/STATUS.md

@@ -619,7 +619,14 @@ Release workflow: `.github/workflows/ci-release.yml`
 
 - release/tag/manual build verification (backend + frontend)
 - container image artifact/checksum lane reused from container baseline workflow
-- SBOM/provenance placeholder (follow-through: `#103`, `#106`, `#148`)
+- SBOM/provenance placeholder (follow-through: `#103`, `#106`)
+
+Dependency update automation: `.github/dependabot.yml`
+
+- weekly Dependabot PRs for NuGet, npm, and GitHub Actions ecosystems
+- minor/patch grouped; major NuGet/npm individual; Actions fully grouped
+- security updates follow severity-based triage SLAs in `docs/ops/DEPENDENCY_UPDATE_POLICY.md`
+- no auto-merge; all dependency PRs require human review and `ci-required.yml` gate pass
 
 Release/security deep workflow: `.github/workflows/release-security.yml`
 

docs/ops/DEPENDENCY_UPDATE_POLICY.md

@@ -0,0 +1,124 @@
+# Dependency Update Policy
+
+Last Updated: 2026-03-29
+Owner: Repository maintainers
+Linked issue: `#148` (OPS-18)
+
+## Purpose
+
+This document defines the dependency update automation policy and security-advisory triage workflow for Taskdeck. It complements the existing vulnerability management policy (`docs/security/SECURITY_DEPENDENCY_VULNERABILITY_POLICY.md`) by adding proactive update automation and structured triage ownership.
+
+Related docs:
+
+- `docs/security/SECURITY_DEPENDENCY_VULNERABILITY_POLICY.md` — vulnerability scan cadence, severity policy, exception process
+- `.github/dependabot.yml` — Dependabot automation configuration
+
+## Automation Tool
+
+Taskdeck uses **GitHub Dependabot** for automated dependency update PRs across three ecosystems:
+
+| Ecosystem      | Config directory          | Schedule        | Grouping strategy                          |
+|----------------|---------------------------|-----------------|--------------------------------------------|
+| NuGet (backend)| `/backend`                | Weekly (Monday) | Minor/patch grouped; major individual      |
+| npm (frontend) | `/frontend/taskdeck-web`  | Weekly (Monday) | Minor/patch grouped; major individual      |
+| GitHub Actions | `/`                       | Weekly (Monday) | All update types grouped                   |
+
+## Update Categories
+
+### Routine updates (minor and patch)
+
+- Grouped into single PRs per ecosystem to reduce noise.
+- Expected to pass CI without intervention in most cases.
+- Maintainer review is required before merge; no auto-merge is enabled.
+- If CI passes and the changelog shows no breaking changes, merge promptly.
+
+### Major version updates
+
+- Arrive as individual PRs for explicit review.
+- Require maintainer assessment of breaking changes, migration guides, and downstream impact.
+- Should be tested locally when the changelog indicates API surface changes.
+- Target resolution within one development cycle (1 to 2 weeks) unless blocked.
+
+### Security updates
+
+- Dependabot security updates are enabled by default on GitHub and create PRs independently of the weekly schedule.
+- Security PRs are distinguishable by the security advisory reference in the PR body. GitHub may also auto-apply a `security` label if one exists in the repo. Note: the PR title format is the same as regular Dependabot PRs ("Bump X from Y to Z"), so rely on the body and labels rather than the title to identify security updates.
+- Security updates follow the severity-based SLA targets defined below.
+
+### Lock-file-only updates
+
+- Dependabot may propose lock-file-only changes when transitive dependencies have updates.
+- These follow the same review process as routine updates.
+- Pay attention to transitive security fixes surfaced through lock-file changes.
+
+## PR Verification Expectations
+
+All Dependabot PRs must pass the `ci-required.yml` gate before merge. This includes:
+
+- Backend build and unit tests (domain, application, CLI, API integration)
+- Frontend typecheck, lint, unit tests, and E2E smoke
+- Architecture boundary tests
+- Docs governance checks
+
+Additional verification for dependency PRs:
+
+- Review the Dependabot PR body for changelog links and compatibility notes.
+- For NuGet major bumps: verify `dotnet build` succeeds locally and check for deprecation warnings.
+- For npm major bumps: verify `npm run build` and `npx vitest --run` succeed locally.
+- For GitHub Actions bumps: verify the referenced action version exists and check for breaking changes in the action's release notes.
+
+## Security-Advisory Triage Workflow
+
+### Trigger sources
+
+1. **Dependabot security alerts** — GitHub surfaces these on the Security tab and may auto-create PRs.
+2. **Dependabot security update PRs** — automated fix PRs for known advisories.
+3. **Nightly dependency security signals** — `nightly-quality.yml` runs vulnerability scans on schedule.
+4. **Manual scan** — operators can run `dotnet list ... --vulnerable` and `npm audit` locally (see commands in the vulnerability policy doc).
+
+### Triage ownership
+
+- The maintainer who sees the alert first owns initial triage classification.
+- Classification means: confirm severity, determine if the package is runtime/test/build-only, and assign a remediation owner.
+- If no maintainer is available within the SLA window, the alert must be escalated (GitHub issue with `Priority I` or `Priority II` label).
+
+### Severity-based response targets
+
+These targets align with the existing vulnerability policy (`docs/security/SECURITY_DEPENDENCY_VULNERABILITY_POLICY.md`):
+
+| Severity | Triage SLA         | Remediation target                                    |
+|----------|---------------------|-------------------------------------------------------|
+| Critical | Same business day   | Merge fix within 1 business day; block releases       |
+| High     | 1 business day      | Merge fix within 3 business days; block releases      |
+| Moderate | 5 business days     | Schedule in normal backlog; does not block release     |
+| Low/Info | 10 business days    | Batch with routine dependency hygiene                  |
+
+### Triage checklist
+
+For each security advisory or Dependabot security PR:
+
+1. Confirm the advisory applies to Taskdeck's usage of the package (not just presence in the dependency tree).
+2. Classify exposure: `runtime`, `test-only`, `build-only`, `local-dev-only`.
+3. Check if Dependabot has already opened a fix PR. If yes, prioritize review.
+4. If no automated fix exists, create a GitHub issue with the appropriate priority label.
+5. If remediation is blocked (no upstream fix available), follow the exception process in the vulnerability policy doc.
+6. Post triage outcome (fixed, excepted, or false positive) as a comment on the alert or PR.
+
+### Escalation
+
+- Critical/High findings with no available fix: create a GitHub issue with `Priority I` label and document compensating controls.
+- Findings that affect the release pipeline: notify maintainers and block release candidates per the vulnerability policy enforcement rules.
+
+## Policy Boundaries
+
+### What this policy does NOT cover
+
+- Auto-merge: all dependency PRs require human review. Auto-merge may be considered in the future for patch-only grouped updates with passing CI, but is not enabled now.
+- Renovate: the project uses Dependabot only. Renovate may be evaluated if Dependabot proves insufficient.
+- SBOM generation: tracked separately in `#103`.
+- Stricter required-PR blocking for vulnerability findings: tracked as a follow-up in the vulnerability policy doc.
+
+### Review cadence
+
+- Maintainers should review open Dependabot PRs at least weekly (aligned with the Monday generation schedule).
+- Stale Dependabot PRs older than 30 days should be investigated: either the update is blocked (needs an issue) or it was overlooked.

docs/ops/GITHUB_LABEL_TAXONOMY.md

@@ -44,6 +44,10 @@ Note:
   - Background worker runtime behavior, queue processing, retry semantics, and worker observability.
 - `performance`
   - Latency, throughput, responsiveness, and resource-efficiency improvements across API, worker, and frontend surfaces.
+- `dependencies`
+  - Dependency version updates managed by Dependabot or manual dependency hygiene.
+- `ci`
+  - CI/CD pipeline, workflow, and build infrastructure changes.
 
 ## Priority Labels
 

docs/security/SECURITY_DEPENDENCY_VULNERABILITY_POLICY.md

@@ -176,7 +176,7 @@ node --test scripts/ci/summarize-dependency-security-signals.test.mjs
 ## Follow-up Scope Still Outside This Policy
 
 - automated issue creation for fresh findings
-- Dependabot or Renovate policy automation beyond current dependency review usage
 - stricter required-PR blocking for vulnerability findings
+- auto-merge for low-risk dependency update PRs
 
-Those can be added later if the current signal-first posture proves reliable enough.
+Dependabot automation is now active (`.github/dependabot.yml`). The update policy and security-advisory triage workflow are documented in `docs/ops/DEPENDENCY_UPDATE_POLICY.md`.