diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..b45eccc
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,47 @@
+# Dependabot — automated dependency PRs for paybot-sdk
+#
+# What: Weekly version-update PRs for npm packages and GitHub Actions.
+# Security updates (CVE fixes) are auto-enabled separately via the
+# /repos/{owner}/{repo}/automated-security-fixes API and surface
+# regardless of the schedule below.
+# Why: Keep supply chain current; minimize lag between CVE disclosure and patch.
+# paybot-sdk is published to npm — downstream consumer surface area
+# makes timely security patching especially load-bearing.
+# Gate: PRs run through CI + the SINKRA chain. @qa flags risk, @devops merges.
+#
+# Reference:
+# - https://docs.github.com/en/code-security/dependabot
+# - Precedent: paybot-core PR #3 (merged 6dc6f5aa, 2026-05-22)
+version: 2
+updates:
+ # ---------- npm ecosystem ----------
+ - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ time: "06:00"
+ timezone: "UTC"
+ open-pull-requests-limit: 10
+ commit-message:
+ prefix: "deps"
+ include: "scope"
+ labels:
+ - "dependencies"
+ - "npm"
+
+ # ---------- GitHub Actions ecosystem ----------
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ time: "06:00"
+ timezone: "UTC"
+ open-pull-requests-limit: 5
+ commit-message:
+ prefix: "ci"
+ include: "scope"
+ labels:
+ - "dependencies"
+ - "github-actions"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..4f02b87
--- /dev/null
+++ b/.github/workflows/codeql.yml
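Review bot: Both `updates:` entries are scheduled for Monday 06:00 UTC, the same instant as the CodeQL cron in codeql.yml, so up to 15 newly opened Dependabot PRs (10 npm + 5 github-actions) will each trigger a `pull_request` CodeQL and OSV-Scanner run on top of the scheduled scan — the load-spreading rationale given in osv-scanner.yml ("offset from CodeQL") does not account for this burst. Consider a different `day:` for the Dependabot entries, or batching the npm stream with `groups:` under the npm entry — `groups:`, `  npm-minor-patch:`, `    update-types: ["minor", "patch"]` — which also reduces the per-PR review load the `Gate:` line places on @qa. Whichever is chosen, a one-line note beside `Gate:` recording why the timing was picked would keep the choice visible to the next maintainer.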
@@ -0,0 +1,65 @@
+# CodeQL — SAST (Static Application Security Testing) for paybot-sdk
+#
+# What: GitHub's CodeQL engine analyzing JavaScript/TypeScript for SQL
+# injection, unsafe regex, hardcoded crypto, taint flows, and other
+# security issues.
+# When: On PRs targeting main, on push to main, and weekly (Monday 06:00 UTC).
+# Output: SARIF results uploaded natively to GitHub Code Scanning (Security tab).
+# Public repo: SARIF upload to Security tab is free (no GHAS needed).
+# Contrast with paybot-core (private personal-account) which required
+# `upload: false` + artifact workaround — see paybot-core PR #3.
+# Gate: Failed scans (any error severity finding) fail the job → PR blocked
+# via branch protection once required_status_checks is updated to
+# include "Analyze (javascript-typescript)" (verbatim from
+# `gh pr checks` after first run).
+#
+# Reference:
+# - https://docs.github.com/en/code-security/code-scanning
+# - Precedent: paybot-core PR #3 (merged 6dc6f5aa, 2026-05-22)
+name: CodeQL
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ schedule:
+ # Monday 06:00 UTC — weekly scheduled scan independent of PR activity
+ - cron: '0 6 * * 1'
+
+permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ runs-on: ubuntu-latest
+ timeout-minutes: 360
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [javascript-typescript]
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ queries: security-extended
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v3
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{ matrix.language }}"
+ # Public repo: SARIF upload to Security tab is free (no GHAS needed).
+ # `upload: true` is the default; declared explicitly for clarity.
+ upload: true
diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
new file mode 100644
index 0000000..4b98ef7
--- /dev/null
+++ b/.github/workflows/osv-scanner.yml
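Review bot: Every `uses:` in the analyze job resolves a mutable major tag (`actions/checkout@v4`, `github/codeql-action/init@v3`, `.../autobuild@v3`, `.../analyze@v3`), so the scanner's own supply chain is only as trustworthy as whoever can move those tags; the same applies to the `@v2.2.1` tag on the reusable workflow in osv-scanner.yml. Pin each to a full-length commit SHA and keep the version as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4` — the github-actions Dependabot entry added in this same commit keeps SHA pins current. Separately, the `Gate:` paragraph in the header states that error-severity findings fail the job; as far as I know `codeql-action/analyze` succeeds regardless of findings and PR blocking comes from the separate code-scanning results check that branch protection can require, so the comment should say that (or be verified on the first run) before "Analyze (javascript-typescript)" is made the required check, otherwise the gate described here will not actually block.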
@@ -0,0 +1,64 @@
+# OSV-Scanner — vulnerability scanning against Google's OSV.dev database
+#
+# What: Scans lockfiles + manifests against the Open Source Vulnerabilities
+# database. Broader coverage than Dependabot alone (npm advisories +
+# GHSA + GitHub-specific feeds + ecosystem-specific feeds).
+# When: On PRs targeting main, on push to main, and weekly (Tuesday 06:00 UTC).
+# Tuesday cadence intentionally offsets from CodeQL (Monday) to spread
+# CI load and produce two independent weekly signals.
+# Output: SARIF uploaded natively to GitHub Code Scanning (Security tab).
+# Public repo: third-party SARIF upload is free (no GHAS needed).
+# Contrast with paybot-core (private personal-account) which required
+# `upload-sarif: false` — see paybot-core PR #3.
+# Gate: Failed scans block PR via branch protection once added to required
+# status checks (verbatim context name from `gh pr checks` after
+# first run).
+#
+# Note on design: we use the single (non-PR-diff) reusable workflow for ALL
+# events. The PR-diff reusable variant requires both branches
+# to have scannable lockfiles to compute a diff, which is
+# brittle for short-lived branches. The full-scan flavor is
+# more robust and gives identical signal for our gating purposes.
+#
+# Anti-patterns avoided (from paybot-core PR #3):
+# - AP #2: OSV-Scanner publishes only EXACT version tags. `@v2` is NOT a
+# valid alias — must pin to `@v2.2.1` (Dependabot github-actions
+# will surface upgrades).
+# - AP #3: Reusable-workflow callers cannot set per-job `permissions:`
+# overrides — they are silently dropped. Permissions MUST be at
+# workflow level (top of file, before `jobs:`).
+#
+# Reference:
+# - https://github.com/google/osv-scanner-action
+# - Precedent: paybot-core PR #3 (merged 6dc6f5aa, 2026-05-22)
+name: OSV-Scanner
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ schedule:
+ # Tuesday 06:00 UTC — offset from CodeQL (Monday) to spread CI load
+ - cron: '0 6 * * 2'
+
+# Workflow-level permissions are inherited by reusable workflow calls.
+# Per-job `permissions:` on a reusable-workflow `uses:` is silently dropped
+# (paybot-core PR #3, AP #3).
+permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+jobs:
+ scan:
+ # AP #2: exact tag, not `@v2` major alias.
+ uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.2.1"
+ with:
+ scan-args: |-
+ --recursive
+ --skip-git
+ ./
+ # Public repo: SARIF upload to Security tab is free (no GHAS needed).
+ # `upload-sarif: true` is the default; declared explicitly for clarity.
+ upload-sarif: true
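Review bot: The `Gate:` paragraph relies on the reusable workflow failing its job when a vulnerability is found, but the `with:` block only declares `scan-args` and `upload-sarif` and leaves that behaviour to the callee's default; if the v2 reusable workflow exposes a `fail-on-vuln` input (I believe it does, defaulting to true), declare `fail-on-vuln: true` beside `upload-sarif: true` for the same "explicit for clarity" reason, since the gate silently stops working if that default ever changes. As a point of style, the `uses:` value is double-quoted here while every `uses:` in codeql.yml is a plain scalar; `uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.2.1` parses identically and matches the sibling file. Lastly, `--skip-git` excludes git-repository commit scanning from the OSV lookup as I read it, which is a deliberate narrowing of coverage worth one comment line above `scan-args:` so it is not mistaken for an oversight.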