diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..c816bd5
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,30 @@
+version: 2
+updates:
+  # Keep CI actions up to date — minimal risk, weekly cadence
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: weekly
+    labels:
+      - dependencies
+      - github-actions
+
+  # If this repo has Node dependencies, uncomment the block below + remove the comment marker
+  # - package-ecosystem: npm
+  #   directory: "/"
+  #   schedule:
+  #     interval: weekly
+  #   open-pull-requests-limit: 5
+  #   labels:
+  #     - dependencies
+  #   groups:
+  #     minor-and-patch:
+  #       update-types:
+  #         - minor
+  #         - patch
+
+  # If this repo has Python dependencies, uncomment + adapt path:
+  # - package-ecosystem: pip
+  #   directory: "/"
+  #   schedule:
+  #     interval: weekly
diff --git a/.github/workflows/security-baseline.yml b/.github/workflows/security-baseline.yml
new file mode 100644
index 0000000..2d42998
--- /dev/null
+++ b/.github/workflows/security-baseline.yml
@@ -0,0 +1,5 @@
+name: security-baseline
+on: [pull_request, push]
+jobs:
+  scan:
+    uses: aks129/security-baseline/.github/workflows/scan-reusable.yml@main
diff --git a/.gitignore b/.gitignore
index 688de55..491dd12 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,20 @@ mcp-server/dist/
 mcp-server/node_modules/
 mcp-app/dist/
 mcp-app/node_modules/
+
+# --- security-baseline additions ---
+# Claude Code / agent workspace state (never commit)
+.claude/
+.superpowers/
+claude-*.tmp
+
+# Strategy + outreach drafts (gitignored — local-only)
+.private/
+
+# Environment files (use .env.example for templates instead)
+.env
+.env.local
+.env.*.local
+
+# GCP/GitHub Actions service-account creds written by google-github-actions/auth
+gha-creds-*.json
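Review bot: The active `github-actions` entry is less complete than the commented npm template right below it: the template carries `open-pull-requests-limit` and a `groups:` stanza, the live entry has neither, so every action bump arrives as its own PR. Mirroring the template with `groups:` / `all-actions:` / `patterns: ["*"]` under the github-actions entry keeps the two consistent and cuts review noise. Note also that this entry is what will keep a SHA-pinned `uses:` ref in `.github/workflows/security-baseline.yml` current, which is presumably the reason it is the only live entry; that is worth stating in the comment, e.g. `# Keep CI actions (and any SHA-pinned reusable workflows) up to date — weekly cadence`. Minor wording: "uncomment the block below + remove the comment marker" says the same thing twice; `# If this repo has Node dependencies, uncomment the block below:` reads cleaner and matches the Python comment.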
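Review bot: The `uses:` line pulls a reusable workflow from another repository at the mutable `@main` ref, so whoever can push to `aks129/security-baseline` can change what runs on every push and pull request here without any change in this repo; pin it to a full commit SHA instead, `uses: aks129/security-baseline/.github/workflows/scan-reusable.yml@<pinned-commit-sha>  # <tag or date>`, and let the dependabot github-actions entry in this commit move the pin. The caller also sets no `permissions:`, so the called workflow runs with whatever the repository's default token permissions are; adding `permissions:` / `  contents: read` at the top of the file and then raising only what the scan documents it needs (SARIF upload, if any, would need `security-events: write`, which I cannot confirm from here) is the least-privilege shape. `on: [pull_request, push]` will run the scan twice for every PR opened from a branch in this repo; if that is not intended, narrowing `push` to the default branch avoids the duplicate run. Stylistically, `on:` in block form with the branch filter reads more clearly than the flow list.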
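Review bot: The new `.env*` and `gha-creds-*.json` patterns only stop future `git add`; anything matching them that is already tracked stays in the repository and in history, and the hunk cannot show whether that is the case. It is worth checking the tree once, `git ls-files -ci --exclude-standard` lists tracked paths that the ignore rules now match, before relying on these entries, and the comment could say so: `# NOTE: ignore rules do not untrack files already committed — check git ls-files -ci --exclude-standard`. The `.env` line is exact-match, so `.env.example` remains committable as the comment intends; `.env.*.local` likewise leaves `.env.production` unignored, which may or may not be intended. Ignoring `.claude/` as a whole also hides any project-level Claude Code settings the team might want to share; if that matters, an explicit un-ignore for the shared file is the usual pattern.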