chore: modernize tooling, deps, and CI

.github/dependabot.yml

@@ -12,7 +12,22 @@ updates:
       - dependencies
       - automated
     groups:
-      # Group minor/patch updates together
+      fumadocs:
+        patterns:
+          - "fumadocs-*"
+      react:
+        patterns:
+          - "react"
+          - "react-dom"
+          - "@types/react"
+          - "@types/react-dom"
+      tailwind:
+        patterns:
+          - "tailwindcss"
+          - "@tailwindcss/*"
+      types:
+        patterns:
+          - "@types/*"
       production:
         dependency-type: production
         update-types:
@@ -23,7 +38,6 @@ updates:
         update-types:
           - minor
           - patch
-    # Auto-merge patch updates
     commit-message:
       prefix: "chore(deps):"
 

.github/workflows/ci.yml

@@ -3,93 +3,88 @@ name: CI
 on:
   pull_request:
     branches: [main]
-  push:
-    branches: [main]
+  # Allow reuse from deploy workflow
+  workflow_call:
 
 concurrency:
-  group: ci-${{ github.ref }}
+  group: ci-${{ github.head_ref || github.ref }}
   cancel-in-progress: true
 
 permissions:
   contents: read
 
 jobs:
-  typecheck:
-    name: Typecheck
+  lint:
+    name: Lint & Format
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v4
-
-      - uses: oven-sh/setup-bun@v2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
         with:
           bun-version: latest
+      - run: bun install --frozen-lockfile
+      - run: bun run lint
 
-      - name: Install dependencies
-        run: bun install --frozen-lockfile
-
-      - name: Run typecheck
-        run: bun run typecheck
-
-  lint:
-    name: Lint
+  typecheck:
+    name: Typecheck
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v4
-
-      - uses: oven-sh/setup-bun@v2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
         with:
           bun-version: latest
-
-      - name: Install dependencies
-        run: bun install --frozen-lockfile
-
-      - name: Run Biome
-        run: bun run lint
+      - run: bun install --frozen-lockfile
+      - run: bun run typecheck
 
   build:
     name: Build
     runs-on: ubuntu-latest
-    needs: [typecheck, lint]
+    timeout-minutes: 10
+    needs: [lint, typecheck]
     steps:
-      - uses: actions/checkout@v4
-
-      - uses: oven-sh/setup-bun@v2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
         with:
           bun-version: latest
-
-      - name: Install dependencies
-        run: bun install --frozen-lockfile
-
+      - run: bun install --frozen-lockfile
       - name: Build static site
         run: bun run build
-
       - name: Upload build artifact
         if: github.ref == 'refs/heads/main'
-        uses: actions/upload-pages-artifact@v3
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
         with:
           path: out
 
-  security:
-    name: Security audit
+  dependency-review:
+    name: Dependency Review
     runs-on: ubuntu-latest
+    timeout-minutes: 5
+    if: github.event_name == 'pull_request'
     steps:
-      - uses: actions/checkout@v4
-
-      - uses: oven-sh/setup-bun@v2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Review dependency changes
+        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
         with:
-          bun-version: latest
+          fail-on-severity: high
+          deny-licenses: GPL-3.0, AGPL-3.0
 
-      - name: Install dependencies
-        run: bun install --frozen-lockfile
-
-      - name: Audit dependencies
-        run: bun pm audit || true
-
-      - name: Check for known vulnerabilities in lockfile
-        run: |
-          # Fail on critical/high vulnerabilities
-          bun pm audit 2>&1 | tee audit-output.txt
-          if grep -qiE '(critical|high)' audit-output.txt; then
-            echo "::error::Critical or high severity vulnerabilities found"
-            exit 1
-          fi
+  codeql:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@e03543dad62555ecf6606aabe9724fd07e1cd632 # v3.32.6
+        with:
+          languages: javascript-typescript
+          queries: security-and-quality
+      - name: Run CodeQL analysis
+        uses: github/codeql-action/analyze@e03543dad62555ecf6606aabe9724fd07e1cd632 # v3.32.6
+        with:
+          category: /language:javascript-typescript

.github/workflows/codeql.yml

@@ -1,10 +1,6 @@
 name: CodeQL Security Analysis
 
 on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
   schedule:
     # Every Wednesday at 04:00 UTC
     - cron: "0 4 * * 3"
@@ -17,24 +13,20 @@ jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [javascript-typescript]
-
+    timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@e03543dad62555ecf6606aabe9724fd07e1cd632 # v3.32.6
         with:
-          languages: ${{ matrix.language }}
+          languages: javascript-typescript
           queries: security-and-quality
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@e03543dad62555ecf6606aabe9724fd07e1cd632 # v3.32.6
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@e03543dad62555ecf6606aabe9724fd07e1cd632 # v3.32.6
         with:
-          category: "/language:${{ matrix.language }}"
+          category: /language:javascript-typescript

.github/workflows/dependency-update.yml

@@ -14,10 +14,11 @@ jobs:
   update-dependencies:
     name: Check for updates
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: oven-sh/setup-bun@v2
+      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
         with:
           bun-version: latest
 
@@ -30,11 +31,14 @@ jobs:
       - name: Typecheck with updated deps
         run: bun run typecheck
 
+      - name: Lint with updated deps
+        run: bun run lint
+
       - name: Build with updated deps
         run: bun run build
 
       - name: Create PR if changes exist
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: "chore(deps): update dependencies"
@@ -43,7 +47,7 @@ jobs:
             Automated weekly dependency update.
 
             This PR updates all dependencies to their latest compatible versions.
-            The build and typecheck passed with the updated dependencies.
+            Typecheck, lint, and build passed with the updated dependencies.
 
             ---
             _Generated by the dependency-update workflow._

.github/workflows/deploy.yml

@@ -15,41 +15,22 @@ permissions:
   id-token: write
 
 jobs:
-  build:
-    name: Build
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: latest
-
-      - name: Install dependencies
-        run: bun install --frozen-lockfile
-
-      - name: Typecheck
-        run: bun run typecheck
-
-      - name: Lint
-        run: bun run lint
-
-      - name: Build static site
-        run: bun run build
-
-      - name: Upload Pages artifact
-        uses: actions/upload-pages-artifact@v3
-        with:
-          path: out
+  ci:
+    name: CI
+    uses: ./.github/workflows/ci.yml
+    permissions:
+      contents: read
+      security-events: write
 
   deploy:
     name: Deploy
     runs-on: ubuntu-latest
-    needs: build
+    timeout-minutes: 5
+    needs: ci
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5

CLAUDE.md

@@ -0,0 +1,76 @@
+# @pyreon/docs
+
+Documentation site for the Pyreon UI framework ecosystem.
+
+## Stack
+
+- **Framework**: Next.js 16 (App Router, static export to `out/`)
+- **Docs engine**: Fumadocs (fumadocs-core, fumadocs-ui, fumadocs-mdx)
+- **Styling**: Tailwind CSS v4 + fumadocs-ui preset
+- **Linting**: Biome (extends `@vitus-labs/tools-lint/biome`)
+- **TypeScript**: 6.x with strict mode
+- **Package manager**: Bun
+- **Deployment**: GitHub Pages via GitHub Actions
+
+## Project structure
+
+```
+src/
+  app/
+    (home)/page.tsx        — Landing page (hero, features, package cards)
+    docs/layout.tsx        — Docs sidebar layout (fumadocs DocsLayout)
+    docs/[[...slug]]/page.tsx — Dynamic MDX page renderer
+    layout.tsx             — Root layout (RootProvider, static search)
+    global.css             — Tailwind imports + custom hero/card styles
+  components/              — Custom MDX components (APICard, PackageBadge, PropTable, CompatMatrix, Since)
+  lib/
+    source.ts              — Fumadocs source loader
+    layout.shared.tsx      — Nav/link config shared between layouts
+
+content/docs/              — MDX documentation pages (one folder per package)
+source.config.ts           — Fumadocs MDX config (remarkInstall plugin)
+mdx-components.tsx         — MDX component registry
+```
+
+## Commands
+
+```bash
+bun run dev          # Start dev server
+bun run build        # Static export to out/
+bun run typecheck    # tsc --noEmit
+bun run lint         # biome check .
+bun run lint:fix     # biome check . --write
+bun run format       # biome format . --write
+bun run check        # typecheck + lint + build
+```
+
+## Content authoring
+
+- Each package has a folder under `content/docs/<package>/` with `index.mdx` and optional `meta.json`
+- MDX files use fumadocs frontmatter (`title`, `description`)
+- Custom components available in MDX: `APICard`, `PackageBadge`, `PropTable`, `CompatMatrix`, `Since`
+- Install blocks use `remarkInstall` plugin — write ```` ```package-install ````
+- Navigation tree is driven by `meta.json` files (fumadocs convention)
+
+## Custom MDX components
+
+- **APICard** — API item card with type badge (fn, C, H, T, K, P, Cx) and optional signature
+- **PackageBadge** — Package name/version badge with status indicator (stable/beta/alpha/deprecated)
+- **PropTable** — Props documentation table with columns: Prop, Type, Default, Description
+- **CompatMatrix** — Framework compatibility table with support levels (full/partial/none)
+- **Since** — Version badge (e.g. "v1.2.0+")
+
+## CI/CD
+
+- `ci.yml` — PR checks: lint, typecheck, build, dependency-review, CodeQL
+- `deploy.yml` — Push to main: runs CI, then deploys `out/` to GitHub Pages
+- `dependency-update.yml` — Weekly Monday: `bun update`, typecheck, lint, build, auto-PR
+- `codeql.yml` — Weekly Wednesday: standalone security scan
+- Dependabot groups: fumadocs, react, tailwind, types, GitHub Actions
+
+## Conventions
+
+- Static export (`output: 'export'`) — no server runtime
+- All GitHub Actions pinned by SHA with version comment
+- Biome extends `@vitus-labs/tools-lint/biome` (shared across Pyreon repos)
+- No tests (static docs site) — quality gates are typecheck + lint + build

biome.json

@@ -1,5 +1,5 @@
 {
-  "$schema": "https://biomejs.dev/schemas/2.4.6/schema.json",
+  "$schema": "https://biomejs.dev/schemas/2.4.8/schema.json",
   "extends": ["@vitus-labs/tools-lint/biome"],
   "files": {
     "includes": [