diff --git a/.github/workflows/cla.yaml b/.github/workflows/cla.yaml
new file mode 100644
index 0000000..bf08cce
--- /dev/null
+++ b/.github/workflows/cla.yaml
@@ -0,0 +1,36 @@
+name: "CLA Assistant"
+on:
+  issue_comment:
+    types: [created]
+  pull_request_target:
+    types: [opened, closed, synchronize]
+permissions:
+  actions: write
+  contents: write
+  pull-requests: write
+  statuses: write
+jobs:
+  CLAAssistant:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: "CLA Assistant"
+        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
+        # Upstream contributor-assistant/github-action was archived 2026-03-23
+        # still on Node 20 (deprecated 2026-06-02). This fork bumps to Node 24
+        # and adds: an impersonation guard (PR opener must be an author or
+        # co-author of at least one commit), Co-authored-by trailer support,
+        # email-based allowlist matching, automatic retry of transient
+        # GitHub 5xx errors, and actionable unlinked-email guidance.
+        uses: iainmcgin/cla-github-action@3e58ace6af840f66fcd80f68c08d76559140df5e # v3.0.0 (sha-pinned)
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          path-to-document: "https://github.com/${{ github.repository }}/blob/main/CLA.md"
+          path-to-signatures: "signatures/cla.json"
+          branch: "cla-signatures"
+          # noreply@anthropic.com is the email AI assistants use on
+          # Co-authored-by trailers (e.g. Claude). Allowlisting it suppresses
+          # the synthetic co-author from the CLA check; the PR opener still
+          # has to sign.
+          allowlist: "iainmcgin,dependabot[bot],github-actions[bot],renovate[bot],noreply@anthropic.com"
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 6934bad..730c60f 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -4,6 +4,13 @@ Notes for anyone writing or editing a plugin in this repo. Keep this short — t
 design principles that matter most for the quality of the output, not a style
 guide.
 
+## Before your first PR
+
+Sign the CLA. The first time you open a pull request, the CLA Assistant bot will
+comment with a link to the [CLA](CLA.md) and ask you to confirm. Reply with
+`I have read the CLA Document and I hereby sign the CLA` and the check will pass.
+You only need to do this once.
+
 ## Design principle: SKILL.md encodes the right behavior; CLAUDE.md guardrails
 are the net
 
diff --git a/scripts/deploy-managed-agent.sh b/scripts/deploy-managed-agent.sh
index 78e6571..b6966f1 100755
--- a/scripts/deploy-managed-agent.sh
+++ b/scripts/deploy-managed-agent.sh
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# Copyright 2026 Anthropic PBC.
+# Copyright 2026 Anthropic PBC
 # SPDX-License-Identifier: Apache-2.0
 # Deploy a managed-agent template to POST /v1/agents.
 #
diff --git a/scripts/lint-tool-scope.py b/scripts/lint-tool-scope.py
index ed1b38c..9b75dbb 100755
--- a/scripts/lint-tool-scope.py
+++ b/scripts/lint-tool-scope.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-# Copyright 2026 Anthropic PBC.
+# Copyright 2026 Anthropic PBC
 # SPDX-License-Identifier: Apache-2.0
 """Assert orchestrator `agent.yaml` files ship with scoped tool configs.
 
diff --git a/scripts/orchestrate.py b/scripts/orchestrate.py
index 1b70624..7cb3942 100755
--- a/scripts/orchestrate.py
+++ b/scripts/orchestrate.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-# Copyright 2026 Anthropic PBC.
+# Copyright 2026 Anthropic PBC
 # SPDX-License-Identifier: Apache-2.0
 """Reference event loop for cross-agent handoffs between managed agents.
 
diff --git a/scripts/test-cookbooks.sh b/scripts/test-cookbooks.sh
index 12c5721..8668efd 100755
--- a/scripts/test-cookbooks.sh
+++ b/scripts/test-cookbooks.sh
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# Copyright 2026 Anthropic PBC.
+# Copyright 2026 Anthropic PBC
 # SPDX-License-Identifier: Apache-2.0
 # Dry-run every managed-agent cookbook and assert the resolved POST /v1/agents
 # bodies are well-formed: valid JSON, depth-1, non-empty system prompts, no
diff --git a/scripts/validate.py b/scripts/validate.py
index 55d38eb..899f467 100755
--- a/scripts/validate.py
+++ b/scripts/validate.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-# Copyright 2026 Anthropic PBC.
+# Copyright 2026 Anthropic PBC
 # SPDX-License-Identifier: Apache-2.0
 """Harness-side schema validation for managed-agent worker output.