Merged
40 changes: 0 additions & 40 deletions .github/dependabot.yml

This file was deleted.

9 changes: 5 additions & 4 deletions .gitignore
@@ -41,10 +41,11 @@ data/cron-*.log
.env.*
!.env.example

# OpenSpec — keep the `openspec/` proposals + specs in version control,
# but ignore the per-IDE integration files `openspec init` materializes
# under .claude/.codebuddy/.continue/.junie/.kiro. Those are local tooling
# for whichever editor each developer uses.
# Local planning scratch — design proposals live in Linear, not the repo.
openspec/

# Per-IDE agent integration files — local tooling for whichever editor each
# developer uses.
.claude/*
# Exception: project-specific Claude Code skills (`pupila-*`) ship with the
# repo so contributors get the agent guidance automatically. Provider-generic
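Review bot: the new `openspec/` rule only affects untracked files, so it does not by itself remove anything already in the index; this PR deletes the listed `openspec/changes/mcp-server-*` files, but any other file still tracked under `openspec/` would remain in the repo and keep showing up in diffs despite the rule. After rebasing, run `git ls-files openspec/` and expect empty output; if it is not, add the leftovers to this PR with `git rm -r openspec/`. The comment `# Local planning scratch — design proposals live in Linear, not the repo.` could also say that the directory is ignored rather than gone, since a reader of `.gitignore` alone cannot tell that the old proposals were deleted in the same change.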
6 changes: 1 addition & 5 deletions AGENTS.md
@@ -113,8 +113,6 @@ tsconfig.test.json # extends above with rootDir=. so tests/ typecheck without l
.github/
workflows/
check.yml # PR/push: biome + typecheck + tests + build + audit (only remaining workflow)
check.yml # PR/push: lint + typecheck + test + audit
dependabot.yml # weekly npm + github-actions PRs
```

> **CodeQL workflow removed.** Code Scanning isn't available on private repos without GitHub Advanced Security. If the repo ever goes public, restore `.github/workflows/codeql.yml` from commit `7397117`.
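Review bot: the CodeQL note kept in this hunk records the commit to restore `.github/workflows/codeql.yml` from, but nothing in this PR records where `dependabot.yml` went or why. Since the same note already says the repo may go public, add the same kind of breadcrumb for Dependabot (the reason it was dropped and the merge commit of this PR to restore `.github/dependabot.yml` from) so the two removals are documented the same way. The removed `check.yml # PR/push: lint + typecheck + test + audit` entry was a stale duplicate of the line kept above it, so this tree is now the only description of `.github/`; keep it in step with the gate list in CLAUDE.md.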
@@ -299,9 +297,7 @@ One workflow only — the project moved to local-first scheduling.

The previously included `jobs.yml` (daily aggregator cron) and `keepalive.yml` (cron-keepalive) workflows were removed. Daily aggregation now runs locally via `scripts/install-launchd.sh` (macOS) or `scripts/install-cron.sh` (Linux), which install two agents: one for `pnpm run dev`, one for `pnpm run ai-review`. See README "Schedule the daily run" for usage.

`.github/dependabot.yml` opens weekly grouped PRs for npm + github-actions.

**Pinning.** All third-party actions are referenced by full 40-char commit SHA, not a floating `@v4` / `@v5` tag, with the version in a trailing comment. When updating an action, replace both the SHA and the comment. Dependabot keeps these current via PRs.
**Pinning.** All third-party actions are referenced by full 40-char commit SHA, not a floating `@v4` / `@v5` tag, with the version in a trailing comment. When updating an action, replace both the SHA and the comment manually.

## Tests

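Review bot: `replace both the SHA and the comment manually` leaves out the step that makes manual pinning safe, which is how the SHA is obtained. Spell it out here, because a contributor who copies the id of an annotated tag object instead of the commit it points to, or copies a SHA from a fork, pins the wrong thing. The check is `git ls-remote --tags https://github.com/<owner>/<action> <tag>`, taking the peeled `refs/tags/<tag>^{}` entry when one is listed, then confirming that commit is the one the upstream release for that tag shows before editing the workflow. Without Dependabot nothing opens a PR when an action publishes a fix, so also say who re-checks the pins and how often.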
3 changes: 1 addition & 2 deletions CLAUDE.md
@@ -72,7 +72,6 @@ pnpm run mcp # MCP server over stdio
| `ui/` | Local-only React dashboard (see `ui/CLAUDE.md`) |
| `scripts/` | Apply worker, installers (launchd/cron/mcp), clean |
| `tests/` | 330 vitest cases, fixtures in `tests/fixtures/` |
| `openspec/changes/` | OpenSpec proposals (committed) |
| `.claude/skills/` | Project skills (`pupila-*`) ship; provider-generic skills are local-only |

## Orchestrator flow
@@ -165,7 +164,7 @@ Vitest, 330 cases across `tests/` (`*.test.ts` glob). Run via `pnpm test` or `pn

One workflow only — `.github/workflows/check.yml` — every push to `main` and PR. Seven gates: Biome lint, typecheck (3 tsconfigs), Vitest, `tsc` build, Vite UI build, bundle-size budget, `pnpm audit`. Daily aggregation runs **locally** via launchd/cron (see `scripts/install-*.sh`).

Third-party actions pinned by 40-char SHA with version comment. Dependabot opens weekly grouped PRs.
Third-party actions pinned by 40-char SHA with version comment. Bump manually when needed.

> **CodeQL workflow removed** — Code Scanning isn't available on private repos without GitHub Advanced Security. Restore from commit `7397117` if the repo goes public.

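Review bot: `Bump manually when needed.` has no trigger, and this file is what the agent reads for process, so make "needed" concrete and keep the wording identical to AGENTS.md: bump when `pnpm audit` fails the high threshold, when a pinned action publishes a security release, or on a fixed cadence. The two documents already diverge slightly (`replace both the SHA and the comment manually` versus `Bump manually when needed`), and with no automated PR left to remind anyone the drift will grow.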
12 changes: 5 additions & 7 deletions README.md
@@ -1,7 +1,7 @@
<p align="left">
<img src="./assets/logo.svg" alt="pupila logo" height="60" align="middle" /><img src="./assets/pupila-ascii.svg" alt="pupila" height="60" align="middle" /></p>

# PUPILA: A-eye on every job board
# PUPILA: An A-Eye on every job board

<p align="center">
<img src="./assets/readme/dashboard.jpg" alt="Local job matching dashboard with source feeds, scoring, and scheduled file output" width="100%" />
@@ -236,7 +236,7 @@ Idempotent — running on an already-clean state prints `nothing to clean`. Afte
| HTML scraping | Inline regex parsers (no cheerio/jsdom) |
| Schedule | Local launchd (macOS) / cron (Linux), two agents: aggregator + AI review |
| Output | Files in your local checkout (`data/jobs.json`, `data/feed.xml` RSS, `JOBS.md`, `data/archive/<YYYY-MM>.json` on month-start) |
| Static analysis | Biome + tsc + build on every PR via `check.yml`; Dependabot for npm + GitHub Actions |
| Static analysis | Biome + tsc + build on every PR via `check.yml` |

## Architecture

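Review bot: with Dependabot gone from the `Static analysis` row, the table no longer mentions dependency checking at all, although `check.yml` still runs `pnpm audit --prod --audit-level high` according to the Security section further down. Add it to the row, e.g. `Biome + tsc + build + pnpm audit on every PR via check.yml`, so the table lists the same gates the workflow actually runs.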
@@ -735,9 +735,8 @@ Keyword arrays are joined with `|` and compiled into word-bounded, case-insensit
```
pupila/
├── .github/
│ ├── workflows/
│ │ └── check.yml # PR/push: biome + typecheck + tests + build + audit
│ └── dependabot.yml # weekly npm + github-actions updates
│ └── workflows/
│ └── check.yml # PR/push: biome + typecheck + tests + build + audit
├── assets/
│ └── readme/
│ └── dashboard.jpg # README banner artwork
@@ -853,7 +852,7 @@ The previously included `jobs.yml` (daily aggregator cron) and `keepalive.yml` (

> **Note on CodeQL.** A CodeQL workflow was previously included but removed because **Code Scanning isn't available on private repos for personal accounts** without GitHub Advanced Security.

The remaining workflow pins third-party actions to **commit SHAs** (not floating `@v4` / `@v5` tags) for supply-chain safety. [`Dependabot`](./.github/dependabot.yml) opens weekly PRs to bump those SHAs and the npm deps; the `check.yml` workflow validates each PR before merge.
The remaining workflow pins third-party actions to **commit SHAs** (not floating `@v4` / `@v5` tags) for supply-chain safety. Bump SHAs and npm deps manually (`pnpm update`, then refresh action SHAs from the upstream tag) when you want to update — `check.yml` gates the change like any other PR.

## Customization

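Review bot: `refresh action SHAs from the upstream tag` reads as trusting the tag, which is the mutable pointer the sentence before says the workflow avoids; state that the SHA is the commit the tag resolves to (not the tag object) and that it is checked against the upstream release before it goes into the workflow. On the npm side, `pnpm update` only moves within the semver ranges in `package.json`, so a fix shipped as a new major is not picked up; for an advisory outside the range bump the range explicitly or use `pnpm update --latest` for that package, and run `pnpm audit --prod --audit-level high` locally before pushing so the PR does not fail on the audit gate.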
@@ -903,7 +902,6 @@ Defense-in-depth measures, ranked from runtime to build-time:
- **Tests** (`pnpm test`) — Vitest, extensive backend + UI suite covering security-sensitive code (URL safety, regex filters, dedup tiebreaks, applied-status grouping, salary parsing, RSS escaping, custom-ATS HTML/GraphQL parsers, AI Apply core, apply-queue mutators, swipe-skip storage, profile bootstrap) plus every UI hook + key components. Runs on every PR.
- **`pnpm audit --prod --audit-level high`** in [`check.yml`](./.github/workflows/check.yml). Reports known CVEs in production deps.
- **Pinned actions.** The remaining workflow references third-party actions by commit SHA, not floating tags. Defends against tag-hijacking.
- **Dependabot** ([`dependabot.yml`](./.github/dependabot.yml)) — weekly PRs for npm + GitHub Actions. Each PR is gated by `check.yml`.
- **Minimum permissions.** `check.yml` uses `contents: read` only — no workflow has write access to the repo.

## Known upstream issues (as of 2026-04)
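Review bot: removing the Dependabot bullet also removes the only time-based signal in this list. `pnpm audit` in `check.yml` runs on push and PR only, so an advisory published while nobody is pushing goes unnoticed until the next change, and `pnpm audit` reports what the lockfile resolves without proposing an upgrade. If the repo can be quiet for weeks, add an `on: schedule` trigger (weekly cron) to `check.yml`, or a separate audit-only workflow that keeps `permissions: contents: read`, so "Runs on every PR" is backed by a scheduled run as well. The `Minimum permissions` bullet stays true as long as that job is also read-only.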
2 changes: 1 addition & 1 deletion SECURITY.md
@@ -45,7 +45,7 @@ Examples of in-scope issues:
- Issues that require the attacker to already have local code execution on your machine — at that point they own everything anyway.
- Exposing the UI publicly. The dev server binds to `127.0.0.1:5173` by design; running it on a public interface is a configuration mistake, not a vulnerability.
- Committing `config/applied.json` or `config/candidate-brief.md` to a public fork. Both are gitignored; the user has to explicitly opt in to track them.
- Dependency CVEs already flagged by `pnpm audit` in CI — those are tracked in the open and Dependabot PRs.
- Dependency CVEs already flagged by `pnpm audit` in CI — those are tracked in the open.

## Hall of fame

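Review bot: `those are tracked in the open` lost its referent when `and Dependabot PRs` was cut; a reporter reading the out-of-scope list now cannot tell where to look to check whether a CVE is already known before deciding not to report it. Name the place (for example the `check.yml` run logs on the PR, or an issue label the project uses) so the exclusion is checkable.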
2 changes: 0 additions & 2 deletions openspec/changes/mcp-server-ci-dependabot/.openspec.yaml

This file was deleted.

3 changes: 0 additions & 3 deletions openspec/changes/mcp-server-ci-dependabot/README.md

This file was deleted.

31 changes: 0 additions & 31 deletions openspec/changes/mcp-server-ci-dependabot/proposal.md

This file was deleted.

This file was deleted.

44 changes: 0 additions & 44 deletions openspec/changes/mcp-server-ci-dependabot/tasks.md

This file was deleted.

2 changes: 0 additions & 2 deletions openspec/changes/mcp-server-readme-docs/.openspec.yaml

This file was deleted.

3 changes: 0 additions & 3 deletions openspec/changes/mcp-server-readme-docs/README.md

This file was deleted.
