ci: Mergify merge queue, dependabot integration, and CI simplification

.github/dco.yml

@@ -0,0 +1,3 @@
+allowRemediationCommits:
+  individual: true
+  thirdParty: true

.github/dependabot.yml

@@ -1,16 +1,19 @@
 version: 2
 updates:
-    - package-ecosystem: "cargo" # See documentation for possible values
-      directory: "/" # Location of package manifests
+    - package-ecosystem: "cargo"
+      directory: "/"
       schedule:
           interval: "weekly"
+      rebase-strategy: "disabled"
 
     - package-ecosystem: "github-actions"
       directory: "/"
       schedule:
-          interval: weekly
+          interval: "weekly"
+      rebase-strategy: "disabled"
 
     - package-ecosystem: "devcontainers"
       directory: "/"
       schedule:
-          interval: weekly
+          interval: "weekly"
+      rebase-strategy: "disabled"

.mergify.yml

@@ -11,31 +11,63 @@ queue_rules:
       - check-success = coverage
 
 pull_request_rules:
-  - name: Queue PRs when approved
+  # Tier 1: Maintainer PRs -- queue when maintainer adds 'lgtm' label
+  - name: Queue maintainer PRs with lgtm label
     conditions:
       - base = main
-      - "#approved-reviews-by >= 1"
+      - "author=@maintainers"
+      - label = lgtm
       - label != do-not-merge
     actions:
       queue:
         name: default
 
+  # Tier 2: Trusted bot PRs -- auto-queue when checks pass
   - name: Auto-queue release-plz PRs
     conditions:
       - base = main
       - "head ~= ^release-plz-"
+      - label != do-not-merge
     actions:
       queue:
         name: default
 
-  - name: Auto-queue dependabot PRs
+  - name: Auto-approve and queue dependabot PRs
     conditions:
       - base = main
       - author = dependabot[bot]
+      - label != do-not-merge
+      - -files~=\.github/workflows/release\.yml
+    actions:
+      review:
+        type: APPROVE
+        message: Automatically approved by Mergify
+      queue:
+        name: default
+
+  # Tier 3: All other PRs (external contributors, copilot) -- require maintainer approval
+  - name: Queue external PRs when approved by maintainer
+    conditions:
+      - base = main
+      - "-author=@maintainers"
+      - author != dependabot[bot]
+      - "-head ~= ^release-plz-"
+      - "approved-reviews-by=@maintainers"
+      - label != do-not-merge
     actions:
       queue:
         name: default
 
+  - name: Keep PRs up to date with main
+    conditions:
+      - base = main
+      - -conflict
+      - -draft
+      - -author = dependabot[bot]
+      - label != do-not-merge
+    actions:
+      update: {}
+
 merge_protections:
   - name: CI must pass
     description: >-

AGENTS.md

@@ -399,7 +399,7 @@ This pattern ensures build-time failures (e.g., invalid magic files) are properl
 
 ### Automated Checks
 
-The project includes automated CI checks via `.kiro/hooks/ci-auto-fix.kiro.hook`:
+The project uses GitHub Actions CI with Mergify merge queue:
 
 1. **Formatting**: `cargo fmt` for consistent code style
 2. **Linting**: `cargo clippy -- -D warnings` for best practices
@@ -430,7 +430,9 @@ All pull requests require review before merging. Reviews are performed by mainta
 - **Style**: Follows project conventions, passes `cargo fmt` and `cargo clippy -- -D warnings`
 - **Documentation**: Public APIs have rustdoc with examples, AGENTS.md updated if architecture changes
 
-CI must pass before merge. Branch protection enforces these checks on the `main` branch.
+CI must pass before merge. Mergify merge queue and merge protections enforce these checks.
+PRs enter the merge queue when approved (or automatically for release-plz/dependabot).
+Mergify rebases against main, runs CI, and squash-merges on success.
 
 ## Project Context
 
@@ -509,6 +511,9 @@ This guide ensures consistent, high-quality development practices for the libmag
 
 ## Quick Reference
 
+- Merging is managed by Mergify merge queue -- PRs are squash-merged after CI passes
+- `.mergify.yml` configures merge queue rules, auto-queue, and merge protections
+- `cargo deny check` uses `deny.toml` (default) -- do not specify a custom config path
 - `.github/workflows/release.yml` is auto-generated by cargo-dist -- do not modify manually
 - All `.rs` files must have copyright and SPDX headers (see any source file for format)
 - `Cargo.lock` and `mise.lock` are committed for reproducible builds -- do not gitignore

CONTRIBUTING.md

@@ -344,7 +344,7 @@ libmagic-rs uses a **maintainer-driven** governance model. Decisions are made by
 
 | Role | Responsibilities | Current |
 |------|-----------------|---------|
-| **Maintainer** | Merge PRs, manage releases, set project direction, review security reports | [@unclesp1d3r](https://github.com/unclesp1d3r), [@kmelton](https://github.com/kmelton) |
+| **Maintainer** | Merge PRs, manage releases, set project direction, review security reports | [@unclesp1d3r](https://github.com/unclesp1d3r), [@KryptoKat08](https://github.com/KryptoKat08) |
 | **Contributor** | Submit issues, PRs, and participate in discussions | Anyone following this guide |
 
 ### How Decisions Are Made