feat: add AI code review, issue triage, and release notes workflows

Add 5 AI-powered GitHub Actions workflows:
- claude-review-phase1: comment-only PR review (~$1.50/PR)
- claude-review-phase2: sensitive file detection + review (~$1.50/PR)
- claude-review-phase3: draft fix PR, opt-in via 'ai-fix' label ($3-8/PR)
- ai-issue-triage: auto-label issues with Claude (~$1.50/issue)
- release-notes: AI-generated release notes (~$1.50/release)

Security hardening per review feedback:
- All actions pinned to commit SHA (not mutable tags)
- Dependabot configured for weekly action updates
- Phase 3 label-gated to 'ai-fix' (no triple-trigger cost)
- GITHUB_TOKEN used everywhere (no PAT_TOKEN, prevents recursive loops)
- Secret validation uses env-block pattern (no shell expansion)
- Fork PRs detected and skipped cleanly

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Tony363

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/test-events/pr-opened.json

@@ -0,0 +1,21 @@
+{
+  "action": "opened",
+  "pull_request": {
+    "number": 100,
+    "title": "fix: handle missing GPU in dashboard-api",
+    "body": "Fixes #999",
+    "html_url": "https://github.com/test/test/pull/100",
+    "head": {
+      "ref": "fix/gpu-endpoint",
+      "sha": "abc1234"
+    },
+    "base": {
+      "ref": "main"
+    },
+    "user": {
+      "login": "testuser"
+    },
+    "labels": [],
+    "draft": false
+  }
+}

.github/test-events/release-created.json

@@ -0,0 +1,10 @@
+{
+  "action": "created",
+  "release": {
+    "tag_name": "v0.1.0",
+    "name": "v0.1.0",
+    "body": "",
+    "draft": false,
+    "prerelease": false
+  }
+}

.github/workflows/ai-issue-triage.yml

@@ -0,0 +1,81 @@
+name: AI Issue Triage
+
+# Auto-label and categorize new issues using Claude
+# Advisory mode only — adds labels, doesn't close or modify issues
+# Estimated cost: ~$1.50/issue
+
+on:
+  issues:
+    types: [opened]
+
+concurrency:
+  group: issue-triage-${{ github.event.issue.number }}
+  cancel-in-progress: false
+
+jobs:
+  triage:
+    name: Triage Issue
+    runs-on: ubuntu-latest
+    if: >-
+      github.event.issue.user.login != 'github-actions[bot]' &&
+      github.event.issue.user.login != 'dependabot[bot]' &&
+      github.event.issue.user.login != 'claude[bot]'
+    permissions:
+      issues: write
+      contents: read
+
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          sparse-checkout: |
+            dream-server/
+            CLAUDE.md
+          sparse-checkout-cone-mode: true
+
+      - name: Validate required secrets
+        env:
+          HAS_API_KEY: ${{ secrets.ANTHROPIC_API_KEY != '' }}
+        run: |
+          if [ "$HAS_API_KEY" != "true" ]; then
+            echo "::error::ANTHROPIC_API_KEY not configured"
+            exit 1
+          fi
+          echo "Required secrets present"
+
+      - name: AI Triage
+        uses: anthropics/claude-code-action@88c168b39e7e64da0286d812b6e9fbebb6708185 # v1
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          prompt: |
+            You are an issue triage bot for the DreamServer project (fully local AI stack: LLM inference, chat, voice, agents, workflows, RAG, image generation, privacy tools).
+
+            Architecture context:
+            - dream-server/installers/ = Bash installer libraries and phases
+            - dream-server/dream-cli = main CLI tool (~45K lines Bash)
+            - dream-server/extensions/services/dashboard-api/ = Python FastAPI backend
+            - dream-server/extensions/services/dashboard/ = React/Vite frontend
+            - dream-server/scripts/ = operational scripts
+            - dream-server/config/ = backend configs (GPU tiers, models)
+            - dream-server/tests/ = shell-based tests (BATS, contracts, smoke)
+            - dream-server/extensions/services/ = 17 service extensions with manifests
+
+            Analyze this new issue and apply appropriate labels:
+
+            **Issue #${{ github.event.issue.number }}**
+            **Title**: ${{ github.event.issue.title }}
+            **Body**: ${{ github.event.issue.body }}
+
+            ## Instructions
+
+            1. Read the issue title and body carefully
+            2. Determine the appropriate labels from this list:
+               - **Type labels** (pick one): `bug`, `enhancement`, `question`, `documentation`
+               - **Component labels** (pick all that apply): `installer`, `cli`, `dashboard`, `dashboard-api`, `extensions`, `docker`, `scripts`, `tests`, `docs`, `ci-cd`
+               - **Priority labels** (pick one): `priority:high`, `priority:medium`, `priority:low`
+            3. Apply the labels using: `gh issue edit ${{ github.event.issue.number }} --add-label "label1,label2"`
+            4. Do NOT close, assign, or comment on the issue — only add labels
+          claude_args: >-
+            --allowedTools
+            "Bash(gh issue edit *),Read,Glob,Grep"
+            --max-turns 5

.github/workflows/claude-review-phase1.yml

@@ -0,0 +1,82 @@
+name: Claude Review - Phase 1 (Comment Only)
+
+# Phase 1: Basic Claude Code Review with comment-only mode
+# Safe starting point — no PR creation, just review comments
+# Estimated cost: ~$1.50/PR | Latency: 2-5 minutes
+
+on:
+  pull_request:
+    types: [opened, ready_for_review]
+  issue_comment:
+    types: [created]
+
+jobs:
+  claude-review:
+    if: |
+      github.actor != 'claude[bot]' &&
+      github.actor != 'dependabot[bot]' &&
+      github.actor != 'github-actions[bot]' &&
+      (
+        github.event_name == 'pull_request' ||
+        (github.event_name == 'issue_comment' &&
+         github.event.issue.pull_request &&
+         contains(github.event.comment.body, '@claude-review'))
+      )
+
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+
+    concurrency:
+      group: claude-review-${{ github.event.pull_request.number || github.event.issue.number }}
+      cancel-in-progress: true
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          fetch-depth: 0
+
+      - name: Check PR size (cost control)
+        id: pr_size
+        run: |
+          BASE_REF="${{ github.base_ref || github.event.repository.default_branch || 'main' }}"
+          FILES_CHANGED=$(git diff --name-only origin/${BASE_REF}...HEAD | wc -l)
+          LINES_CHANGED=$(git diff --stat origin/${BASE_REF}...HEAD | tail -1 | awk '{print $4+$6}')
+
+          echo "files_changed=$FILES_CHANGED" >> $GITHUB_OUTPUT
+          echo "lines_changed=$LINES_CHANGED" >> $GITHUB_OUTPUT
+
+          if [ "$LINES_CHANGED" -gt 1000 ]; then
+            echo "skip_review=true" >> $GITHUB_OUTPUT
+            echo "::warning::PR too large for AI review (>1000 lines). Add 'force-review' label to override."
+          else
+            echo "skip_review=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Skip large PR notice
+        if: steps.pr_size.outputs.skip_review == 'true' && !contains(github.event.pull_request.labels.*.name, 'force-review')
+        run: |
+          echo "::notice::Skipping review for large PR. Add 'force-review' label to override."
+          exit 0
+
+      - name: Run Claude Code Review
+        if: steps.pr_size.outputs.skip_review == 'false' || contains(github.event.pull_request.labels.*.name, 'force-review')
+        uses: anthropics/claude-code-action@88c168b39e7e64da0286d812b6e9fbebb6708185 # v1
+        with:
+          claude_args: |
+            code-review --comment \
+            --model claude-opus-4-5-20251101 \
+            --max-turns 20 \
+            --allowedTools "Bash(git diff *),Bash(git log *),Bash(git blame *),Read"
+
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+
+      - name: Review metrics
+        if: always()
+        run: |
+          echo "### Review Metrics" >> $GITHUB_STEP_SUMMARY
+          echo "- Files changed: ${{ steps.pr_size.outputs.files_changed }}" >> $GITHUB_STEP_SUMMARY
+          echo "- Lines changed: ${{ steps.pr_size.outputs.lines_changed }}" >> $GITHUB_STEP_SUMMARY
+          echo "- Estimated cost: ~\$1.50" >> $GITHUB_STEP_SUMMARY
+          echo "- Phase: 1 (Comment Only)" >> $GITHUB_STEP_SUMMARY

.github/workflows/claude-review-phase2.yml

@@ -0,0 +1,174 @@
+name: Claude Review - Phase 2 (Sensitive File Detection)
+
+# Phase 2: Claude Review with enhanced detection for security-sensitive files
+# Flags high-stakes changes for extra human review attention
+# Estimated cost: ~$1.50/PR
+
+on:
+  pull_request:
+    types: [opened, ready_for_review, synchronize]
+
+jobs:
+  detect-high-stakes:
+    name: Detect High-Stakes Changes
+    runs-on: ubuntu-latest
+    outputs:
+      is_high_stakes: ${{ steps.check.outputs.is_high_stakes }}
+      sensitive_files: ${{ steps.check.outputs.sensitive_files }}
+      reason: ${{ steps.check.outputs.reason }}
+      is_fork: ${{ steps.fork-check.outputs.is_fork }}
+
+    steps:
+      - name: Check if fork PR
+        id: fork-check
+        run: |
+          if [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then
+            echo "is_fork=true" >> $GITHUB_OUTPUT
+            echo "::notice::Fork PR detected — Claude review requires repo secrets and will be skipped"
+          else
+            echo "is_fork=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Checkout code
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          fetch-depth: 0
+
+      - name: Check for high-stakes changes
+        id: check
+        run: |
+          HIGH_STAKES_PATTERNS=(
+            "dream-server/installers/"
+            "dream-server/dream-cli"
+            "dream-server/config/"
+            "dream-server/extensions/services/dashboard-api/security.py"
+            ".github/workflows/"
+            ".env"
+            "docker-compose"
+          )
+
+          CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref || github.event.repository.default_branch || 'main' }}...HEAD)
+
+          IS_HIGH_STAKES="false"
+          SENSITIVE_FILES=""
+          REASON=""
+
+          for pattern in "${HIGH_STAKES_PATTERNS[@]}"; do
+            if echo "$CHANGED_FILES" | grep -i "$pattern" > /dev/null; then
+              IS_HIGH_STAKES="true"
+              SENSITIVE_FILES=$(echo "$CHANGED_FILES" | grep -i "$pattern" | head -5)
+              REASON="Security-sensitive files detected: $pattern"
+              break
+            fi
+          done
+
+          if [[ "${{ contains(github.event.pull_request.labels.*.name, 'ai-consensus') }}" == "true" ]]; then
+            IS_HIGH_STAKES="true"
+            REASON="Manual review escalation requested via label"
+          fi
+
+          echo "is_high_stakes=$IS_HIGH_STAKES" >> $GITHUB_OUTPUT
+          echo "sensitive_files<<EOF" >> $GITHUB_OUTPUT
+          echo "$SENSITIVE_FILES" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+          echo "reason=$REASON" >> $GITHUB_OUTPUT
+
+          if [ "$IS_HIGH_STAKES" == "true" ]; then
+            echo "::notice::High-stakes changes detected — flagging for extra review"
+          fi
+
+  claude-review:
+    name: Claude Code Review
+    needs: detect-high-stakes
+    if: |
+      needs.detect-high-stakes.outputs.is_fork != 'true' &&
+      github.actor != 'claude[bot]' &&
+      github.actor != 'dependabot[bot]' &&
+      github.actor != 'github-actions[bot]'
+
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+
+    concurrency:
+      group: claude-review-p2-${{ github.event.pull_request.number }}
+      cancel-in-progress: true
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          fetch-depth: 0
+
+      - name: Run Claude Code Review
+        id: review
+        uses: anthropics/claude-code-action@88c168b39e7e64da0286d812b6e9fbebb6708185 # v1
+        with:
+          claude_args: |
+            code-review \
+            --model claude-opus-4-5-20251101 \
+            --max-turns 20 \
+            --allowedTools "Bash(git diff *),Bash(git log *),Bash(git blame *),Read"
+
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+
+      - name: Save review artifact (high-stakes)
+        if: needs.detect-high-stakes.outputs.is_high_stakes == 'true'
+        run: |
+          mkdir -p /tmp/review-artifacts
+          echo "high-stakes review completed" > /tmp/review-artifacts/claude-review.txt
+
+      - name: Upload review artifact
+        if: needs.detect-high-stakes.outputs.is_high_stakes == 'true'
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: claude-review-result
+          path: /tmp/review-artifacts/
+
+  review-summary:
+    name: Review Summary
+    needs: [detect-high-stakes, claude-review]
+    if: always() && needs.detect-high-stakes.outputs.is_fork != 'true'
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+
+    steps:
+      - name: Post high-stakes notice
+        if: needs.detect-high-stakes.outputs.is_high_stakes == 'true'
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const reason = `${{ needs.detect-high-stakes.outputs.reason }}`;
+            const sensitiveFiles = `${{ needs.detect-high-stakes.outputs.sensitive_files }}`;
+
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.payload.pull_request.number,
+              body: `## Sensitive Files Detected
+
+            **Trigger**: ${reason}
+
+            **Files flagged**:
+            \`\`\`
+            ${sensitiveFiles}
+            \`\`\`
+
+            Extra human review is recommended for this PR.
+
+            ---
+            **Phase**: 2 (Sensitive File Detection) | **Estimated Cost**: ~$1.50`
+            });
+
+      - name: Generate summary
+        run: |
+          echo "### Review Complete" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "- **Phase**: 2 (Sensitive File Detection)" >> $GITHUB_STEP_SUMMARY
+          echo "- **High-Stakes**: ${{ needs.detect-high-stakes.outputs.is_high_stakes }}" >> $GITHUB_STEP_SUMMARY
+          if [ "${{ needs.detect-high-stakes.outputs.is_high_stakes }}" == "true" ]; then
+            echo "- **Reason**: ${{ needs.detect-high-stakes.outputs.reason }}" >> $GITHUB_STEP_SUMMARY
+          fi
+          echo "- **Estimated Cost**: ~\$1.50" >> $GITHUB_STEP_SUMMARY