diff --git a/.github/workflows/claude-code.yml b/.github/workflows/claude-code.yml new file mode 100644 index 00000000..1e2b4948 --- /dev/null +++ b/.github/workflows/claude-code.yml 
@@ -0,0 +1,62 @@ +# Automated Claude Code PR reviews via AWS Bedrock. +# Uses the shared Jamf reusable workflow — no AWS keys or setup required. +# See https://github.com/jamf/github-actions-claude for docs and customization. + +name: Claude Code + +on: + pull_request: + types: [opened, synchronize, reopened, ready_for_review] + issue_comment: + types: [created] + pull_request_review_comment: + types: [created] + +permissions: + id-token: write + contents: write # needed for resolve_threads + pull-requests: write + issues: write + actions: read + +jobs: + review: + uses: jamf/github-actions-claude/.github/workflows/review.yml@v1 + secrets: inherit + with: + severity_taxonomy: true + resolve_threads: true + cleanup_comments: true + additional_context: | + This is a Go CLI for the Jamf platform (Jamf Pro + Jamf Protect). + + GENERATED CODE — SKIP REVIEW: + Files in internal/commands/pro/generated/ are auto-generated from OpenAPI + specs by the code generator in generator/. They contain the header + "Code generated by jamf-cli generator. DO NOT EDIT." If a PR modifies + these files, verify the changes came from `make generate` — don't review + the generated code line-by-line. Review the generator source instead + (generator/parser/, generator/classic/). + + CI ALREADY CHECKS: + golangci-lint, `make test`, `make verify-generated`, and `make build` + run on every PR via ci.yaml. Don't duplicate linter or test-pass feedback. + Focus on what CI can't catch: design, correctness, security, and + architectural fit. + + CRITICAL — CREDENTIAL INPUT POLICY: + Never accept credentials (passwords, tokens, client secrets) via CLI flags + or stdin. This prevents exposure in shell history and ps output. Flag any + PR that adds --password, --token, --client-secret, or similar flags. + Interactive prompts or env vars only. 
+ + GENERATOR CHANGES: + If a PR modifies generator/parser/generator.go or generator/classic/generator.go, + the review should focus on the template constants (resourceTemplate, + classicResourceTemplate) and verify that `make generate && make test` would + produce correct output. Template changes affect all 200+ generated commands. + + SPECS: + OpenAPI specs live in specs/*.yaml. Changes here come from `make sync-specs` + and are usually paired with regenerated commands. Verify the spec change + matches the generated output.
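Review bot: the `jobs.review` block combines a mutable ref (`uses: jamf/github-actions-claude/.github/workflows/review.yml@v1`), `secrets: inherit`, and broad write grants (`contents: write`, `pull-requests: write`, `issues: write`, `id-token: write`) on a workflow that also fires from `issue_comment` and `pull_request_review_comment`. Pin the reusable workflow to a full-length commit SHA (keep the tag in a trailing comment) so that a moved `v1` tag cannot silently change what runs with this repository's secrets and OIDC identity, and replace `secrets: inherit` with an explicit `secrets:` map listing only what review.yml consumes. Because `issue_comment` runs on the default branch with this full permission set, anyone who can comment on an issue or PR can start a run; the diff does not show whether review.yml gates on the commenter's `author_association` or repository permission, so confirm that before merging. PR diffs and comments are untrusted input to the model, and with `contents: write` plus `resolve_threads: true` a prompt-injected review could push to the repository or resolve threads; `contents: write` is justified only by the inline comment "needed for resolve_threads", so verify that the thread-resolution call actually needs it and drop it if `pull-requests: write` suffices. One nit in `additional_context`: the credential policy claims stdin exposes secrets in shell history and `ps` output, but it does not; reading a secret from stdin (the `--password-stdin` pattern) avoids exactly those leaks, while environment variables are readable from `/proc/<pid>/environ` by same-user processes, so reword the rationale if stdin is to stay forbidden.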