chore: release v5

.editorconfig

@@ -0,0 +1,15 @@
+# EditorConfig — https://editorconfig.org
+# Keep editors aligned with the Prettier config (.prettierrc).
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_style = space
+indent_size = 2
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+# Markdown uses two trailing spaces for hard line breaks — don't strip them.
+[*.md]
+trim_trailing_whitespace = false

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,63 @@
+name: Bug report
+description: Report a problem with the dcd CLI or dcd-mcp server
+labels: ["bug"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to file a bug! Please fill in the details below.
+
+        ⚠️ **Do not report security vulnerabilities here** — see our
+        [Security Policy](https://github.com/devicecloud-dev/dcd-cli/blob/dev/SECURITY.md).
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: What happened?
+      description: A clear description of the bug, including what you expected to happen instead.
+    validations:
+      required: true
+  - type: textarea
+    id: repro
+    attributes:
+      label: Steps to reproduce
+      description: The exact `dcd` command(s) you ran and what followed. Redact any API keys.
+      placeholder: |
+        1. Run `dcd cloud --apiKey *** app.apk flows/`
+        2. ...
+        3. See error
+    validations:
+      required: true
+  - type: input
+    id: version
+    attributes:
+      label: CLI version
+      description: Output of `dcd --version`.
+      placeholder: "e.g. 5.0.0"
+    validations:
+      required: true
+  - type: dropdown
+    id: os
+    attributes:
+      label: Operating system
+      options:
+        - macOS
+        - Linux
+        - Windows
+        - Other (note in description)
+    validations:
+      required: true
+  - type: input
+    id: install
+    attributes:
+      label: How did you install dcd?
+      placeholder: "binary (curl/irm), npm global, npx, …"
+    validations:
+      required: false
+  - type: textarea
+    id: logs
+    attributes:
+      label: Logs / output
+      description: Relevant output. Re-run with more detail if you can. This is automatically formatted as code.
+      render: shell
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,11 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Questions & help
+    url: https://discord.gg/gm3mJwcNw8
+    about: For usage questions and general help, ask in our Discord rather than opening an issue.
+  - name: Documentation
+    url: https://docs.devicecloud.dev
+    about: Check the docs for installation, usage, and command reference.
+  - name: Report a security vulnerability
+    url: https://github.com/devicecloud-dev/dcd-cli/blob/dev/SECURITY.md
+    about: Do not file security issues publicly — email security@devicecloud.dev (see our Security Policy).

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,35 @@
+name: Feature request
+description: Suggest an idea or improvement for the dcd CLI or dcd-mcp server
+labels: ["enhancement"]
+body:
+  - type: markdown
+    attributes:
+      value: Thanks for the suggestion! Please describe the problem before the solution.
+  - type: textarea
+    id: problem
+    attributes:
+      label: What problem are you trying to solve?
+      description: What are you trying to do, and where does the CLI get in the way today?
+    validations:
+      required: true
+  - type: textarea
+    id: solution
+    attributes:
+      label: Proposed solution
+      description: What would you like to happen? A concrete command/flag/output sketch helps.
+    validations:
+      required: true
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: Other approaches or workarounds you've thought about.
+    validations:
+      required: false
+  - type: textarea
+    id: context
+    attributes:
+      label: Additional context
+      description: Anything else — links, screenshots, related issues.
+    validations:
+      required: false

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,36 @@
+<!--
+  PR TITLE: must follow Conventional Commits — it becomes the squash-merge
+  commit and feeds release-please. e.g.  feat(cloud): add --json output
+  Allowed types: feat, fix, perf, deps, revert, refactor, docs, chore, test, ci, build, style
+  See CONTRIBUTING.md for details.
+-->
+
+## What & why
+
+<!-- What does this change do, and why? Link any related issue: Closes #123 -->
+
+## Type of change
+
+<!-- Match this to your PR title's type. -->
+
+- [ ] `fix` — bug fix
+- [ ] `feat` — new feature
+- [ ] `perf` — performance improvement
+- [ ] `refactor` — code change that's neither a fix nor a feature
+- [ ] `docs` — documentation only
+- [ ] `chore` / `ci` / `build` / `test` — tooling, no user-facing change
+- [ ] Breaking change (title has `!` or PR notes a `BREAKING CHANGE:`)
+
+## Checklist
+
+- [ ] PR title follows the Conventional Commits format (see comment above)
+- [ ] `pnpm lint` passes
+- [ ] `pnpm typecheck` passes
+- [ ] `pnpm build` passes
+- [ ] I have **not** bumped the version or edited `CHANGELOG.md` (release-please handles this)
+- [ ] I have signed the CLA (the bot will prompt on first contribution)
+- [ ] Docs / `README.md` / `STYLE_GUIDE.md` updated if behaviour or output changed
+
+## How to test
+
+<!-- Steps a reviewer can follow to verify the change. -->

.github/dependabot.yml

@@ -0,0 +1,35 @@
+version: 2
+updates:
+  # npm / pnpm dependencies.
+  - package-ecosystem: npm
+    directory: "/"
+    schedule:
+      interval: weekly
+    target-branch: dev
+    open-pull-requests-limit: 10
+    commit-message:
+      # Conventional Commit prefix so the squashed PR title matches our PR-title
+      # lint and release-please picks dependency bumps into the changelog.
+      prefix: deps
+      prefix-development: chore
+    groups:
+      # Collapse the noise: one PR for all non-major updates.
+      minor-and-patch:
+        update-types:
+          - minor
+          - patch
+
+  # GitHub Actions used by our workflows.
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: weekly
+    target-branch: dev
+    commit-message:
+      prefix: ci
+    groups:
+      # One PR per week for ALL action bumps (including majors). Actions are
+      # low-risk and quick to eyeball together; no need for a PR each.
+      actions:
+        patterns:
+          - "*"

.github/workflows/cla.yml

@@ -0,0 +1,72 @@
+name: CLA Assistant
+
+# Gates merges on a signed Contributor License Agreement.
+#
+# Uses CLA Assistant Lite (contributor-assistant/github-action): signatures are
+# stored as a JSON file committed to a branch of THIS repo (no third-party
+# service holds the data). Contributors sign by commenting the configured phrase
+# on their PR; the action records it and flips the check green.
+#
+# AUTH: mints a token from the shared automation GitHub App (the same App
+# release-please uses), so signature commits show as the bot and there's no
+# personal token to expire.
+#
+# SETUP REQUIRED before this enforces anything:
+#   1. Create/install the automation GitHub App (Contents R/W, Pull requests R/W,
+#      Issues R/W) and add BOT_APP_ID + BOT_APP_PRIVATE_KEY repo secrets — the
+#      same secrets release-please uses.
+#   2. Create the `cla-signatures` branch (empty orphan) so the action has
+#      somewhere to write `signatures/version1/cla.json`.
+#   3. Finalise CLA.md (legal review) — it's the document contributors agree to.
+#
+# Until the App secrets exist the CLA step self-skips, so the check is green
+# (not failing) on every PR and auto-activates once they're set.
+on:
+  issue_comment:
+    types: [created]
+  pull_request_target:
+    types: [opened, closed, synchronize]
+
+permissions:
+  actions: write
+  contents: write
+  pull-requests: write
+  statuses: write
+
+jobs:
+  cla:
+    runs-on: ubuntu-latest
+    # Empty until the automation App secrets are configured (see SETUP above).
+    # While empty, the steps below self-skip so this check passes (green) instead
+    # of failing on every PR with "Branch cla-signatures not found".
+    env:
+      HAS_APP: ${{ secrets.BOT_APP_ID != '' }}
+    # Only act on the signature comment or on PR events (not every comment).
+    if: (github.event.issue.pull_request && contains(github.event.comment.body, 'I have read the CLA Document and I hereby sign the CLA')) || github.event_name == 'pull_request_target'
+    steps:
+      - uses: actions/create-github-app-token@v3
+        id: app-token
+        if: env.HAS_APP == 'true'
+        with:
+          app-id: ${{ secrets.BOT_APP_ID }}
+          private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
+      - uses: contributor-assistant/github-action@v2.6.1
+        if: env.HAS_APP == 'true'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PERSONAL_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
+        with:
+          path-to-signatures: "signatures/version1/cla.json"
+          path-to-document: "https://github.com/devicecloud-dev/dcd-cli/blob/dev/CLA.md"
+          branch: "cla-signatures"
+          # Do NOT lock the PR on merge (the action's default is true). release-please
+          # comments on its release PR *after* merge; a locked conversation makes that
+          # comment fail and takes down the whole Release job (npm publish + binaries
+          # never run). Keeping this false is load-bearing for the release pipeline.
+          lock-pullrequest-aftermerge: false
+          # Internal maintainers (covered by employment/CCLA) + bots skip the prompt.
+          allowlist: riglar,finalerock44,dependabot[bot],renovate[bot],*[bot]
+          # Customise the bot's prompts if desired:
+          custom-notsigned-prcomment: "Thanks for your contribution! Please sign our Contributor License Agreement before we can merge. Comment the line below to sign:"
+          custom-pr-sign-comment: "I have read the CLA Document and I hereby sign the CLA"
+          custom-allsigned-prcomment: "All contributors have signed the CLA. ✍️ ✅"

.github/workflows/claude-code-review.yml

@@ -12,12 +12,11 @@ on:
 
 jobs:
   claude-review:
-    # Optional: Filter by PR author
-    # if: |
-    #   github.event.pull_request.user.login == 'external-contributor' ||
-    #   github.event.pull_request.user.login == 'new-developer' ||
-    #   github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
-
+    # Skip PRs we shouldn't (or can't) review:
+    #  - Dependabot / forks: no CLAUDE_CODE_OAUTH_TOKEN, so the action would fail.
+    #  - release-please release PRs: just version bumps + changelog — nothing to
+    #    review, and it must never block a release.
+    if: ${{ github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]' && !startsWith(github.head_ref, 'release-please--') }}
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -30,7 +29,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v7
         with:
           fetch-depth: 1
 

.github/workflows/claude.yml

@@ -26,7 +26,7 @@ jobs:
       actions: read # Required for Claude to read CI results on PRs
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v7
         with:
           fetch-depth: 1
 

.github/workflows/cli-ci.yml

@@ -2,9 +2,11 @@ name: CLI CI
 
 on:
   push:
-    branches: [ dev ]
+    branches: [ dev, production ]
   pull_request:
-    branches: [ dev ]
+    # `production` is included so the dev→production promotion PR is also gated
+    # by lint/typecheck/build (and is required by the production ruleset).
+    branches: [ dev, production ]
   workflow_dispatch:
 
 permissions:
@@ -15,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout (full history)
-      uses: actions/checkout@v5
+      uses: actions/checkout@v7
       with:
         # Full history so gitleaks scans every commit, not just the tip.
         fetch-depth: 0
@@ -38,18 +40,22 @@ jobs:
     # SSH deploy key. GitHub does NOT expose secrets to pull_request workflows
     # triggered from forks, so that checkout (and the integration tests that need
     # it) can only run for same-repo events. Fork PRs still run lint/typecheck/build.
+    #
+    # Dependabot PRs branch from this repo (so the fork check passes) but ALSO run
+    # without secrets — treat them like forks and skip the private checkout, or
+    # the mock-api clone fails with an empty DCD_SSH_DEPLOY_KEY.
     env:
-      HAS_PRIVATE_ACCESS: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
+      HAS_PRIVATE_ACCESS: ${{ (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]' }}
 
     steps:
     - name: Checkout CLI
-      uses: actions/checkout@v5
+      uses: actions/checkout@v7
       with:
         path: cli
 
     - name: Checkout dcd (mock-api)
       if: env.HAS_PRIVATE_ACCESS == 'true'
-      uses: actions/checkout@v5
+      uses: actions/checkout@v7
       with:
         repository: moropo-com/dcd
         path: dcd
@@ -62,13 +68,13 @@ jobs:
           /api/swagger.json
 
     - name: Setup pnpm
-      uses: pnpm/action-setup@v4
+      uses: pnpm/action-setup@v6
       with:
         version: 10
         run_install: false
 
     - name: Setup Node.js
-      uses: actions/setup-node@v5
+      uses: actions/setup-node@v6
       with:
         node-version: '22'
         cache: 'pnpm'

.github/workflows/npm-publish.yml

@@ -24,14 +24,14 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v7
       # Setup .npmrc file to publish to npm
       - name: Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@v6
         with:
           run_install: false
 
-      - uses: actions/setup-node@v5
+      - uses: actions/setup-node@v6
         with:
           node-version: '22.x'
           registry-url: 'https://registry.npmjs.org'