ci: add Renovate config and GitHub Actions quality workflow

Add automated dependency management with Renovate and comprehensive CI
checks including formatting, clippy, audit, and frontend build validation.

.github/renovate.json

@@ -0,0 +1,42 @@
+{
+	"$schema": "https://docs.renovatebot.com/renovate-schema.json",
+	"extends": [
+		"config:recommended",
+		":dependencyDashboard",
+		":semanticCommits",
+		":automergeDigest",
+		":automergeMinor"
+	],
+	"schedule": ["before 5am on monday"],
+	"timezone": "America/Chicago",
+	"prConcurrentLimit": 3,
+	"prCreation": "not-pending",
+	"rebaseWhen": "behind-base-branch",
+	"semanticCommitScope": "deps",
+	"vulnerabilityAlerts": {
+		"labels": ["security"],
+		"automerge": true,
+		"schedule": ["at any time"]
+	},
+	"packageRules": [
+		{
+			"description": "Group all non-major dependency updates together",
+			"groupName": "all non-major dependencies",
+			"matchUpdateTypes": ["minor", "patch", "digest"],
+			"automerge": true,
+			"automergeType": "pr",
+			"minimumReleaseAge": "3 days"
+		},
+		{
+			"description": "Major updates get individual PRs for review",
+			"matchUpdateTypes": ["major"],
+			"automerge": false,
+			"minimumReleaseAge": "7 days"
+		}
+	],
+	"postUpdateOptions": ["pnpmDedupe"],
+	"lockFileMaintenance": {
+		"enabled": true,
+		"schedule": ["before 5am on monday"]
+	}
+}

.github/workflows/quality.yaml

@@ -0,0 +1,104 @@
+name: Quality
+
+on: [push, pull_request]
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  format:
+    name: Format
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          components: rustfmt
+
+      - name: Check formatting
+        run: cargo fmt -- --check
+
+      - name: Check demo formatting
+        run: cargo fmt --manifest-path demo/Cargo.toml -- --check
+
+  clippy:
+    name: Clippy
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          components: clippy
+
+      - uses: Swatinem/rust-cache@v2
+
+      - name: Run clippy
+        run: cargo clippy --all-targets --all-features -- -D warnings
+
+      - name: Run clippy on demo
+        run: cargo clippy --manifest-path demo/Cargo.toml --all-targets --all-features -- -D warnings
+
+  audit:
+    name: Audit
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: taiki-e/install-action@cargo-audit
+
+      - name: Run audit
+        run: cargo audit
+
+      - name: Run audit on demo
+        run: cargo audit --file demo/Cargo.lock
+
+  check:
+    name: Check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable
+
+      - uses: Swatinem/rust-cache@v2
+
+      - name: Run check
+        run: cargo check --all-targets --all-features
+
+      - name: Run check on demo
+        run: cargo check --manifest-path demo/Cargo.toml --all-targets --all-features
+
+  frontend:
+    name: Frontend
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: frontend
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 9
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: pnpm
+          cache-dependency-path: frontend/pnpm-lock.yaml
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Type check
+        run: pnpm astro check
+
+      - name: Build
+        run: pnpm build