Add GitHub Actions CI with tests, linting, and security scanning

.github/dependabot.yml

@@ -0,0 +1,31 @@
+version: 2
+updates:
+  # Frontend npm dependencies
+  - package-ecosystem: "npm"
+    directory: "/frontend"
+    schedule:
+      interval: "weekly"
+    groups:
+      # Group minor/patch updates to reduce PR noise
+      minor-and-patch:
+        patterns: ["*"]
+        update-types: ["minor", "patch"]
+
+  # Backend NuGet dependencies
+  - package-ecosystem: "nuget"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      minor-and-patch:
+        patterns: ["*"]
+        update-types: ["minor", "patch"]
+
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      actions-updates:
+        patterns: ["*"]

.github/workflows/ci.yml

@@ -0,0 +1,112 @@
+name: CI
+
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+    branches: [main, master]
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  backend:
+    name: Backend
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: '10.0.x'
+
+      - name: Restore dependencies
+        run: dotnet restore
+
+      - name: Build
+        run: dotnet build --no-restore --configuration Release
+
+      - name: Run unit tests
+        run: dotnet test --project tests/OpenGTD.Tests --no-build --configuration Release --verbosity normal
+
+      - name: Run integration tests
+        run: dotnet test --project tests/OpenGTD.IntegrationTests --no-build --configuration Release --verbosity normal
+
+  frontend:
+    name: Frontend
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: frontend
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+          cache: 'pnpm'
+          cache-dependency-path: frontend/pnpm-lock.yaml
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Lint
+        run: pnpm run lint
+
+      - name: Type check
+        run: pnpm exec tsc --noEmit
+
+      - name: Run tests
+        run: pnpm run test:run
+
+      - name: Build
+        run: pnpm run build
+
+  e2e:
+    name: E2E Tests
+    needs: [backend, frontend]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: '10.0.x'
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+          cache: 'pnpm'
+          cache-dependency-path: frontend/pnpm-lock.yaml
+
+      - name: Restore .NET dependencies
+        run: dotnet restore
+
+      - name: Build backend
+        run: dotnet build --no-restore --configuration Release
+
+      - name: Install frontend dependencies
+        run: pnpm install --frozen-lockfile
+        working-directory: frontend
+
+      - name: Install Playwright browsers
+        run: pwsh tests/OpenGTD.E2E/bin/Release/net10.0/playwright.ps1 install --with-deps chromium
+
+      - name: Run E2E tests
+        run: dotnet test --project tests/OpenGTD.E2E --no-build --configuration Release --verbosity normal

.github/workflows/codeql.yml

@@ -0,0 +1,51 @@
+name: CodeQL
+
+# Disabled until Code Scanning is enabled in repository settings
+# See: https://github.com/trevwilson/GTDApp/settings/security_analysis
+on:
+  workflow_dispatch:
+  # Uncomment these when Code Scanning is enabled:
+  # push:
+  #   branches: [main, master]
+  # pull_request:
+  #   branches: [main, master]
+  # schedule:
+  #   - cron: '0 0 * * 0'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['csharp', 'javascript-typescript']
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup .NET
+        if: matrix.language == 'csharp'
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: '10.0.x'
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Build .NET
+        if: matrix.language == 'csharp'
+        run: dotnet build --configuration Release
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"

CLAUDE.md

@@ -1,7 +1,3 @@
-## Project Status
-
-The project is currently undergoing a migration from a Blazor server setup to .NET Minimal APIs with a React frontend. As long as you are on the react-rewrite branch this migration isn't complete, and tasks related to implementing functionality that existed in the Blazor should query code on the master branch (which is also checked out in a git worktree) to see the existing implementation and reuse it as much as possible rather than creating one from scratch.
-
 ## Product Vision
 
 This GTD app aims to be a **universal inbox** - a frictionless capture point for thoughts, tasks, and information from any source. The guiding principle: if a user thinks "I wish I could add items via X", it should already be possible.
@@ -88,17 +84,17 @@ dotnet build
 dotnet run --project src/OpenGTD
 
 # Run frontend only (web)
-cd frontend && npm run dev
+cd frontend && pnpm run dev
 
 # Run frontend (Electron desktop)
-cd frontend && npm run dev:electron
+cd frontend && pnpm run dev:electron
 
 # Build Electron app
 cd frontend
-npm run build:electron           # Build only
-npm run build:win                # Build + package for Windows
-npm run build:mac                # Build + package for macOS
-npm run build:linux              # Build + package for Linux
+pnpm run build:electron           # Build only
+pnpm run build:win                # Build + package for Windows
+pnpm run build:mac                # Build + package for macOS
+pnpm run build:linux              # Build + package for Linux
 
 # Run unit tests (~4s for 345 tests) - uses TUnit, not xUnit
 dotnet test --project tests/OpenGTD.Tests
@@ -120,6 +116,27 @@ dotnet test --project tests/OpenGTD.Tests --treenode-filter "/*/*/InboxServiceTe
 - **Integration tests** (`OpenGTD.IntegrationTests`) - Slower (~5s). Run before committing.
 - **E2E tests** (`OpenGTD.E2E`) - Slowest (~35s). Run before committing.
 
+## Pre-commit Verification
+
+Run these checks before committing to catch CI failures early:
+
+```bash
+# Backend: build + unit tests (~8s total)
+dotnet build && dotnet test tests/OpenGTD.Tests
+
+# Frontend: lint + typecheck + tests (~5s total)
+cd frontend && pnpm run lint && pnpm exec tsc --noEmit && pnpm run test:run
+```
+
+**Full CI check** (run before pushing):
+```bash
+# All backend tests including integration (~15s)
+dotnet test
+
+# E2E tests (~35s) - requires Docker
+dotnet test tests/OpenGTD.E2E
+```
+
 ## OpenAPI and TypeScript Types
 
 The backend generates an OpenAPI spec via NSwag. The frontend generates Zod schemas from this spec, which serve as the single source of truth for both runtime validation and TypeScript types.
@@ -129,13 +146,13 @@ The backend generates an OpenAPI spec via NSwag. The frontend generates Zod sche
 cd frontend
 
 # Export OpenAPI spec from running backend
-npm run openapi:export
+pnpm run openapi:export
 
 # Generate Zod schemas from spec
-npm run openapi:generate
+pnpm run openapi:generate
 
 # Do both in one command
-npm run openapi:sync
+pnpm run openapi:sync
 ```
 
 **When to regenerate:**
@@ -313,10 +330,10 @@ The frontend uses Vite's `--mode` flag to select environment configuration:
 | `prod` | `.env.prod` | Production deployment (future) |
 
 **Scripts:**
-- `npm run dev` / `npm run build` → default mode (localhost services)
-- `npm run dev:cloud` → dev server against cloud services (injects secrets via Doppler)
-- `npm run build:dev` → dev cloud build (injects secrets via Doppler)
-- `npm run build:prod` → production build (uses Doppler `prd` config)
+- `pnpm run dev` / `pnpm run build` → default mode (localhost services)
+- `pnpm run dev:cloud` → dev server against cloud services (injects secrets via Doppler)
+- `pnpm run build:dev` → dev cloud build (injects secrets via Doppler)
+- `pnpm run build:prod` → production build (uses Doppler `prd` config)
 
 **Environment Variables:**
 

docs/DATA_FLOW.md

@@ -24,21 +24,21 @@ The application uses an **offline-first architecture** powered by PowerSync. Dat
 │   • Instant reads (no network latency)                              │
 │   • Optimistic writes (UI updates immediately)                      │
 │   • CRUD operations tracked for sync                                │
-└──────────────────┬──────────────────────────────┬───────────────────┘
-                   │                              │
-            ┌──────▼──────┐                ┌──────▼──────┐
+└──────────────────┬──────────────────────────────▲───────────────────┘
+                   │                              |
+            ┌──────▼──────┐                ┌──────┴──────┐
             │   UPLOAD    │                │  DOWNLOAD   │
             │  (writes)   │                │  (sync)     │
-            └──────┬──────┘                └──────┬──────┘
+            └──────┬──────┘                └──────▲──────┘
                    │                              │
                    │  BackendConnector            │  sync-rules.yaml
                    │  transforms & sends          │  defines queries
                    │                              │
-            ┌──────▼──────────────────────────────▼──────┐
+            ┌──────▼──────────────────────────────┴──────┐
             │           PowerSync Cloud                  │
             │                                            │
             │   • Bi-directional sync                    │
-            │   • Conflict resolution (last-write-wins) │
+            │   • Conflict resolution (last-write-wins)  │
             │   • Change detection & propagation         │
             └─────────────────────┬──────────────────────┘
                                   │

frontend/eslint.config.js

@@ -1,5 +1,6 @@
 import js from '@eslint/js'
 import globals from 'globals'
+import reactCompiler from 'eslint-plugin-react-compiler'
 import reactHooks from 'eslint-plugin-react-hooks'
 import reactRefresh from 'eslint-plugin-react-refresh'
 import jsxA11y from 'eslint-plugin-jsx-a11y'
@@ -20,6 +21,7 @@ export default defineConfig([
       tseslint.configs.recommended,
       importX.flatConfigs.recommended,
       importX.flatConfigs.typescript,
+      reactCompiler.configs.recommended,
       reactHooks.configs.flat.recommended,
       reactRefresh.configs.vite,
       jsxA11y.flatConfigs.recommended,