From 80289b0715e35842dbd07f40010ef1ad8923d188 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andy=20Gr=C3=BCning?= <andygruening@gmail.com>
Date: Tue, 2 Jun 2026 17:38:51 +0200
Subject: [PATCH 1/4] checkout repository in claude workflows

---
 .github/PULL_REQUEST_TEMPLATE.md         |  24 ++++
 .github/dependabot.yml                   |  32 +++++
 .github/workflows/ci.yml                 |   1 +
 .github/workflows/claude-code-review.yml |  31 +++++
 .github/workflows/claude.yml             |  36 +++++
 AGENTS.md                                | 163 +++++++++++++++++++++++
 CHANGELOG.md                             |  21 +++
 CLAUDE.md                                |   1 +
 CONTRIBUTING.md                          |  61 +++++++++
 SECURITY.md                              |  28 ++++
 TESTING.md                               |  73 ++++++++++
 11 files changed, 471 insertions(+)
 create mode 100644 .github/PULL_REQUEST_TEMPLATE.md
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/claude-code-review.yml
 create mode 100644 .github/workflows/claude.yml
 create mode 100644 AGENTS.md
 create mode 100644 CHANGELOG.md
 create mode 100644 CLAUDE.md
 create mode 100644 CONTRIBUTING.md
 create mode 100644 SECURITY.md
 create mode 100644 TESTING.md

diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
new file mode 100644
index 0000000..2673d1d
--- /dev/null
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,24 @@
+## Summary
+
+<!-- What does this PR do and why? 1–3 sentences. -->
+
+> PR title must follow Conventional Commits, e.g. `feat(auth): short description`.
+> See https://www.conventionalcommits.org
+
+## Changes
+
+-
+
+## Testing
+
+<!-- How was this verified? Commands run, manual steps, screenshots. -->
+
+- [ ] `yarn lint` passes
+- [ ] `yarn typecheck` passes
+- [ ] `yarn prepare` (library build) succeeds
+- [ ] Native layer unchanged **or** manually verified on device/simulator
+- [ ] `API.md` updated if public exports changed
+
+## Related
+
+<!-- Linked issues or follow-ups. e.g. Closes #123 -->
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..43a4132
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,32 @@
+version: 2
+updates:
+  # Root package (library + workspaces)
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+    open-pull-requests-limit: 5
+    labels:
+      - dependencies
+
+  # Expo example (standalone npm project)
+  - package-ecosystem: npm
+    directory: /examples/expo-example
+    schedule:
+      interval: weekly
+      day: monday
+    open-pull-requests-limit: 3
+    labels:
+      - dependencies
+
+  # GitHub Actions
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+    open-pull-requests-limit: 5
+    labels:
+      - dependencies
+      - ci
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ce25374..f6589ef 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -3,6 +3,7 @@ on:
   push:
     branches:
       - master
+  pull_request:
   workflow_dispatch:
 
 concurrency:
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
new file mode 100644
index 0000000..01db077
--- /dev/null
+++ b/.github/workflows/claude-code-review.yml
@@ -0,0 +1,31 @@
+name: Claude Code Review
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Claude Code Review
+        uses: anthropics/claude-code-action@beta
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY_GITHUB_ACTIONS }}
+          direct_prompt: |
+            Review this pull request. Focus on:
+            - Correctness of the TypeScript API surface changes
+            - Whether API.md is updated if src/index.tsx exports changed
+            - Native layer consistency (android/ and ios/ should change together)
+            - Conventional Commits format on the PR title
+            - Any obvious bugs, type errors, or missing edge cases
+          use_sticky_comment: true
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
new file mode 100644
index 0000000..879d469
--- /dev/null
+++ b/.github/workflows/claude.yml
@@ -0,0 +1,36 @@
+name: Claude
+
+on:
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+  issues:
+    types: [opened]
+  pull_request_review:
+    types: [submitted]
+
+permissions:
+  contents: write
+  pull-requests: write
+  issues: write
+  id-token: write
+
+jobs:
+  claude:
+    if: |
+      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'issues' && contains(github.event.issue.body, '@claude')) ||
+      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude'))
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Run Claude
+        uses: anthropics/claude-code-action@beta
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY_GITHUB_ACTIONS }}
diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 0000000..08b7eaf
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,163 @@
+# AGENTS.md
+
+Single source of truth for agents working in this repo. `CLAUDE.md` imports this file via
+`@AGENTS.md`, so Claude Code, Codex, and any other agent that reads `AGENTS.md` share the same
+instructions.
+
+---
+
+## Behavioral Guidelines
+
+Behavioral guidelines to reduce common LLM coding mistakes. (Adapted from Andrej Karpathy's
+[CLAUDE.md](https://github.com/multica-ai/andrej-karpathy-skills/blob/main/CLAUDE.md).)
+
+**Tradeoff:** These guidelines bias toward caution over speed. For trivial tasks, use judgment.
+
+### 1. Think Before Coding
+**Don't assume. Don't hide confusion. Surface tradeoffs.**
+- State your assumptions explicitly. If uncertain, ask.
+- If multiple interpretations exist, present them — don't pick silently.
+- If a simpler approach exists, say so. Push back when warranted.
+- If something is unclear, stop. Name what's confusing. Ask.
+
+### 2. Simplicity First
+**Minimum code that solves the problem. Nothing speculative.**
+- No features beyond what was asked.
+- No abstractions for single-use code.
+- No "flexibility" or "configurability" that wasn't requested.
+- If you write 200 lines and it could be 50, rewrite it.
+
+Ask yourself: "Would a senior engineer say this is overcomplicated?" If yes, simplify.
+
+### 3. Surgical Changes
+**Touch only what you must. Clean up only your own mess.**
+- Don't "improve" adjacent code, comments, or formatting.
+- Don't refactor things that aren't broken.
+- Match existing style, even if you'd do it differently.
+- Remove imports/variables YOUR changes made unused; leave pre-existing dead code unless asked.
+
+The test: every changed line should trace directly to the request.
+
+### 4. Goal-Driven Execution
+**Define success criteria. Loop until verified.**
+- "Add validation" → "Write tests for invalid inputs, then make them pass."
+- "Fix the bug" → "Write a test that reproduces it, then make it pass."
+
+For multi-step tasks, state a brief plan with a verify step for each item.
+
+---
+
+## Third-Party Library Docs
+
+For **any third-party library**, use the **context7** MCP to fetch up-to-date documentation rather
+than relying on training data, which lags real library APIs. If the context7 MCP server is not
+available, set it up: https://context7.com/install
+
+Key libraries in this repo to pull docs for: `react-native`, `react-native-builder-bob`, `turbo`,
+`@0xtrails/api`, `@0xtrails/wallet`, `0xtrails`.
+
+---
+
+## Project Overview
+
+`@0xsequence/oms-react-native-sdk` is a React Native SDK (Turbo Module) for the OMS platform,
+bridging native iOS (Swift) and Android (Kotlin) SDKs to TypeScript. It exposes wallet auth (email
+OTP, OIDC redirect), transaction signing, balance queries, and session management to React Native
+and Expo apps.
+
+## Repository Structure
+
+- `src/` — TypeScript public API and native module bindings
+- `lib/` — built output (CommonJS, ESM, TypeScript declarations); generated by `yarn prepare`
+- `android/` — Kotlin native module
+- `ios/` — ObjC/Swift native module
+- `examples/sdk-example/` — React Native CLI example app
+- `examples/trails-actions-example/` — Trails demo with redirect auth
+- `examples/expo-example/` — standalone Expo example (not in Yarn workspace; uses `npm`)
+- `.github/workflows/` — CI (lint, typecheck, Android + iOS builds)
+
+## Tech Stack
+
+- **Language:** TypeScript (React Native Turbo Module; native layers in Kotlin + Objective-C/Swift)
+- **Package manager:** Yarn 4 (Berry) with workspaces; `examples/expo-example` uses `npm` standalone
+- **Build tool:** `react-native-builder-bob` + Turbo
+- **Linting:** ESLint 9 flat config + Prettier
+- **Node version:** v24.13.0 (see `.nvmrc`)
+
+## Build & Run
+
+```bash
+# Install dependencies
+yarn install
+
+# Build the library
+yarn prepare
+
+# Typecheck
+yarn typecheck
+
+# Lint
+yarn lint
+
+# Run SDK example (React Native CLI)
+yarn sdk-example start
+
+# Run Expo example (standalone — uses npm, not yarn workspace)
+cd examples/expo-example && npm install && npm start
+```
+
+## Testing
+
+See **[TESTING.md](./TESTING.md)** for testing conventions, manual verification checklist, and the
+plan for when automated tests are added.
+
+## Documentation
+
+`API.md` at the repo root documents the full public TypeScript API for consumers.
+
+## Conventions
+
+- Commit messages and PR titles follow [Conventional Commits](https://www.conventionalcommits.org),
+  e.g. `feat(auth): add OIDC refresh token support`.
+- The public API surface is documented in `API.md` — update it whenever `src/index.tsx` exports
+  change.
+- The `lib/` directory is generated; never edit it by hand.
+- `examples/expo-example` is intentionally outside the Yarn workspace (`!examples/expo-example` in
+  `package.json#workspaces`) — install its deps with `npm`, not `yarn`.
+- Native builds (Android/iOS) are slow; validate JS-layer changes with `yarn lint && yarn typecheck`
+  first; leave full native builds to CI.
+- The `resolutions` block in `package.json` pins `0xtrails` / `@0xtrails/*` — update all three
+  entries together when bumping the trails version.
+- Pre-release versions use the `0.x.y-alpha.N` scheme. Publishing steps are in `README.md`.
+
+## CI/CD
+
+Two workflows in `.github/workflows/`:
+- **`ci.yml`** — runs on push to `master`: lint, typecheck, library build, Android build, iOS build.
+- **`quick-checks.yml`** — runs on push to non-master branches: lint + typecheck only.
+
+Pull requests get `quick-checks.yml` only; native builds run after merge. This means CI is not a
+full gate on PRs — validate native builds locally before merging if the native layer changed.
+
+## Common Pitfalls
+
+- Running `yarn` inside `examples/expo-example` will fail — it's not a Yarn workspace member. Use
+  `npm` there, or `yarn expo-example <script>` from the root.
+- `yarn prepare` regenerates `lib/` — if builds look stale, run `yarn clean && yarn prepare`.
+- The podspec resolves `oms-client-swift-sdk` and the Android module resolves
+  `io.github.0xsequence:oms-client-kotlin-sdk` — bump native SDK versions in the podspec and
+  `android/build.gradle` together.
+- Turbo cache can mask failures: if something seems wrong, run with `--force` to skip the cache.
+- Signed commits are required (enforced by branch protection) — configure `git commit -S` locally.
+
+## Maintenance Matrix
+
+| When this changes…                        | Also update…                                              |
+|-------------------------------------------|-----------------------------------------------------------|
+| `src/index.tsx` exports                   | `API.md`, `lib/` (run `yarn prepare`)                     |
+| Native SDK version (Swift / Kotlin)       | `OmsClientReactNativeSdk.podspec`, `android/build.gradle` |
+| `package.json` scripts or test commands   | `TESTING.md`, `.github/workflows/ci.yml`                  |
+| Node version (`.nvmrc`)                   | `turbo.json#globalDependencies`, CI setup action          |
+| `resolutions` (`0xtrails` / `@0xtrails/*`)| All three resolution entries together                     |
+| Repo structure (new top-level dirs)       | `AGENTS.md` structure section                             |
+| Contributing workflow                     | `CONTRIBUTING.md`, `README.md`                            |
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..0f64671
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,21 @@
+# Changelog
+
+All notable changes to `@0xsequence/oms-react-native-sdk` are documented here.
+
+Format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
+Versions follow [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+---
+
+## [0.1.0-alpha.1] — 2025-05-27
+
+### Added
+- Initial alpha release of `@0xsequence/oms-react-native-sdk` (renamed from `oms-client-react-native-sdk`).
+- TypeScript public API: `configure`, `startEmailAuth`, `completeEmailAuth`, `startOidcRedirectAuth`,
+  `handleOidcRedirectCallback`, `getWalletAddress`, `signMessage`, `sendTransaction`,
+  `getTokenBalances`, `formatUnits`, `parseUnits`.
+- React Native Turbo Module bridging iOS (Swift `oms-client-swift-sdk`) and Android (Kotlin
+  `oms-client-kotlin-sdk`).
+- SDK example app, Trails actions demo (with redirect auth + pagination), and standalone Expo
+  example.
+- GitHub Actions CI: lint, typecheck, Android build, iOS build.
diff --git a/CLAUDE.md b/CLAUDE.md
new file mode 100644
index 0000000..43c994c
--- /dev/null
+++ b/CLAUDE.md
@@ -0,0 +1 @@
+@AGENTS.md
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000..9414899
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,61 @@
+# Contributing
+
+## Prerequisites
+
+- Node.js v24.13.0 (use `.nvmrc` — `nvm use` or `fnm use`)
+- Yarn 4 (`corepack enable` then `yarn --version`)
+- For Android builds: Android SDK, `ANDROID_HOME` set
+- For iOS builds: Xcode, CocoaPods, Ruby (`bundle install` inside the example)
+
+## Setup
+
+```bash
+git clone https://github.com/0xsequence/react-native-sdk.git
+cd react-native-sdk
+yarn install
+yarn prepare        # build lib/
+```
+
+## Repo structure
+
+| Path | Purpose |
+|---|---|
+| `src/` | TypeScript public API and Turbo Module bindings |
+| `lib/` | Built output — generated, do not edit directly |
+| `android/` | Kotlin native module |
+| `ios/` | ObjC/Swift native module |
+| `examples/sdk-example/` | React Native CLI example (Yarn workspace) |
+| `examples/trails-actions-example/` | Trails demo (Yarn workspace) |
+| `examples/expo-example/` | Expo example — **not** a Yarn workspace; use `npm` here |
+
+## Development workflow
+
+```bash
+yarn lint           # ESLint + Prettier check
+yarn typecheck      # tsc
+yarn prepare        # rebuild lib/ after src/ changes
+
+# Run the SDK example
+yarn sdk-example start
+
+# Run the Expo example (uses npm, not yarn)
+cd examples/expo-example && npm install && npm start
+```
+
+## Before opening a PR
+
+1. `yarn lint && yarn typecheck && yarn prepare` must pass cleanly.
+2. Update `API.md` if you changed public exports in `src/index.tsx`.
+3. Update `TESTING.md` if you added or changed test commands.
+4. If you changed the native layer (`android/`, `ios/`, `.podspec`), note it in the PR — full native builds only run on CI after merge to `master`.
+5. PR title must follow [Conventional Commits](https://www.conventionalcommits.org), e.g. `fix(auth): handle expired OTP correctly`.
+
+## Publishing (alpha)
+
+Publishing steps are documented in `README.md` under the alpha publishing section. Only maintainers
+with npm publish access should publish.
+
+## Signed commits
+
+This repo requires signed commits. Configure `gpg` or SSH signing in your local git config before
+contributing.
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..e91dde2
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,28 @@
+# Security Policy
+
+## Reporting a vulnerability
+
+Please **do not** open a public GitHub issue for security vulnerabilities.
+
+Report vulnerabilities by emailing **dev@sequence.xyz** with the subject line
+`[SECURITY] react-native-sdk — <brief description>`.
+
+Include:
+- A description of the vulnerability and its potential impact
+- Steps to reproduce or a proof-of-concept
+- Affected versions (check `package.json` for the current version)
+
+We aim to acknowledge reports within 2 business days and to provide a fix or mitigation timeline
+within 7 business days.
+
+## Supported versions
+
+| Version | Supported |
+|---|---|
+| 0.1.x-alpha | ✅ Active development |
+| Earlier | ❌ Not supported |
+
+## Scope
+
+This policy covers the `@0xsequence/oms-react-native-sdk` npm package and the native bridge modules
+in `android/` and `ios/`. Example apps (`examples/`) are not considered in scope.
diff --git a/TESTING.md b/TESTING.md
new file mode 100644
index 0000000..f688d19
--- /dev/null
+++ b/TESTING.md
@@ -0,0 +1,73 @@
+# TESTING.md
+
+How testing works in this repo. `AGENTS.md` points here so agents know how to verify changes.
+
+## Current state
+
+**No automated test suite exists yet.** The repo is in early alpha (`0.1.0-alpha.1`). Until a test
+runner is set up, verification is manual (see checklist below).
+
+When tests are added, this file should be updated with the runner, locations, and commands.
+
+---
+
+## Manual verification checklist
+
+Run these before merging any change:
+
+```bash
+# Lint and formatting
+yarn lint
+
+# TypeScript type-check (library)
+yarn typecheck
+
+# TypeScript type-check (Expo example)
+npm --prefix examples/expo-example ci
+npm --prefix examples/expo-example run typecheck
+
+# Build the library
+yarn prepare
+```
+
+Native builds (Android + iOS) run automatically in CI on push to `master`. If you changed the
+native layer (anything in `android/`, `ios/`, or the `.podspec`), trigger a manual workflow run or
+validate the build locally before merging.
+
+---
+
+## Planned test setup
+
+When automated tests are introduced, the intended split is:
+
+- **Unit tests** — pure TypeScript functions in `src/` (e.g. `formatUnits`, `parseUnits`,
+  `oidcProviders`). No native bridge, no device. Target runner: Jest or Vitest.
+  - Location: `src/__tests__/` or co-located `*.test.ts` files.
+  - Command (proposed): `yarn test`
+
+- **Integration tests** — tests that exercise the native bridge on a real device or simulator.
+  These require a connected device/emulator and valid OMS credentials. Not expected to run in
+  standard CI; run manually before release.
+
+---
+
+## Conventions (for when tests are added)
+
+- Name unit test files `*.test.ts` (co-located next to source) or place them in `src/__tests__/`.
+- Every bug fix should include a regression test.
+- Every new exported function should have at least one happy-path unit test.
+- Keep unit tests free of native-bridge calls — mock `NativeOmsClientReactNativeSdk` at the module
+  boundary.
+
+---
+
+## Execution summary
+
+| Goal                        | Command                                      |
+|-----------------------------|----------------------------------------------|
+| Lint                        | `yarn lint`                                  |
+| Typecheck (library)         | `yarn typecheck`                             |
+| Typecheck (Expo example)    | `npm --prefix examples/expo-example run typecheck` |
+| Build library               | `yarn prepare`                               |
+| Run unit tests *(planned)*  | `yarn test`                                  |
+| Full CI equivalent          | `yarn lint && yarn typecheck && yarn prepare` |

From 545f2f7afad37b0ec3aa075734e5844a185d923c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andy=20Gr=C3=BCning?= <andygruening@gmail.com>
Date: Tue, 2 Jun 2026 17:42:35 +0200
Subject: [PATCH 2/4] add agent-doctor scaffolding and CI improvements

---
 .github/workflows/claude-code-review.yml | 2 ++
 .github/workflows/claude.yml             | 1 +
 2 files changed, 3 insertions(+)

diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
index 01db077..257fb4a 100644
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@@ -7,6 +7,7 @@ on:
 permissions:
   contents: read
   pull-requests: write
+  id-token: write
 
 jobs:
   review:
@@ -21,6 +22,7 @@ jobs:
         uses: anthropics/claude-code-action@beta
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY_GITHUB_ACTIONS }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
           direct_prompt: |
             Review this pull request. Focus on:
             - Correctness of the TypeScript API surface changes
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index 879d469..80ae126 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -34,3 +34,4 @@ jobs:
         uses: anthropics/claude-code-action@beta
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY_GITHUB_ACTIONS }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}

From 4b46f18a6270fbfdc23bbfa090a0f3d547e1d8f9 Mon Sep 17 00:00:00 2001
From: Tolgahan <tolgahan.arikan@gmail.com>
Date: Tue, 2 Jun 2026 19:49:38 +0300
Subject: [PATCH 3/4] docs: clarify PR CI coverage

---
 AGENTS.md       | 7 ++++---
 CONTRIBUTING.md | 3 ++-
 TESTING.md      | 6 +++---
 3 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/AGENTS.md b/AGENTS.md
index 08b7eaf..684e467 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -133,11 +133,12 @@ plan for when automated tests are added.
 ## CI/CD
 
 Two workflows in `.github/workflows/`:
-- **`ci.yml`** — runs on push to `master`: lint, typecheck, library build, Android build, iOS build.
+- **`ci.yml`** — runs on pull requests, workflow dispatch, and pushes to `master`: lint, typecheck,
+  library build, Android build, iOS build.
 - **`quick-checks.yml`** — runs on push to non-master branches: lint + typecheck only.
 
-Pull requests get `quick-checks.yml` only; native builds run after merge. This means CI is not a
-full gate on PRs — validate native builds locally before merging if the native layer changed.
+Pull requests run full CI, including native builds. If the native layer changed, make sure the
+Android and iOS PR checks pass before merging; validate locally when you need faster feedback.
 
 ## Common Pitfalls
 
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 9414899..dccb1a5 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -47,7 +47,8 @@ cd examples/expo-example && npm install && npm start
 1. `yarn lint && yarn typecheck && yarn prepare` must pass cleanly.
 2. Update `API.md` if you changed public exports in `src/index.tsx`.
 3. Update `TESTING.md` if you added or changed test commands.
-4. If you changed the native layer (`android/`, `ios/`, `.podspec`), note it in the PR — full native builds only run on CI after merge to `master`.
+4. If you changed the native layer (`android/`, `ios/`, `.podspec`), note it in the PR and make
+   sure the Android and iOS CI checks pass before merging.
 5. PR title must follow [Conventional Commits](https://www.conventionalcommits.org), e.g. `fix(auth): handle expired OTP correctly`.
 
 ## Publishing (alpha)
diff --git a/TESTING.md b/TESTING.md
index f688d19..57c19f9 100644
--- a/TESTING.md
+++ b/TESTING.md
@@ -30,9 +30,9 @@ npm --prefix examples/expo-example run typecheck
 yarn prepare
 ```
 
-Native builds (Android + iOS) run automatically in CI on push to `master`. If you changed the
-native layer (anything in `android/`, `ios/`, or the `.podspec`), trigger a manual workflow run or
-validate the build locally before merging.
+Native builds (Android + iOS) run automatically in CI for pull requests and pushes to `master`. If
+you changed the native layer (anything in `android/`, `ios/`, or the `.podspec`), make sure the
+Android and iOS CI checks pass before merging; validate locally when you need faster feedback.
 
 ---
 

From e43e8194b36a2be3afad877891b87fc380d6bb84 Mon Sep 17 00:00:00 2001
From: Tolgahan <tolgahan.arikan@gmail.com>
Date: Tue, 2 Jun 2026 20:21:18 +0300
Subject: [PATCH 4/4] ci: skip Claude review for Dependabot PRs

---
 .github/workflows/claude-code-review.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
index 257fb4a..0b4155f 100644
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@@ -11,6 +11,7 @@ permissions:
 
 jobs:
   review:
+    if: github.event.pull_request.user.login != 'dependabot[bot]'
     runs-on: ubuntu-latest
     steps:
       - name: Checkout