Problem
Even with Dependabot, we should surface known CVEs on a schedule so a stale branch can't slip past unnoticed.
Expected
- New workflow file `.github/workflows/security-audit.yml`.
- Runs weekly (cron) + on demand (`workflow_dispatch`).
- Jobs: `npm audit --audit-level=high`, `cargo audit` for each crate (or `cargo-deny advisories`).
Acceptance
- Workflow runs successfully on the default branch.
- Failures open an issue or annotate the run.
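One way to lay out the workflow described above, added here as an example rather than a file the repository already carries; the crate paths, the Node version, the cron slot and the pinned action versions are assumptions to adjust for the repo:

```yaml
name: security-audit

on:
  schedule:
    - cron: "0 6 * * 1"    # weekly: every Monday 06:00 UTC (assumed slot)
  workflow_dispatch:       # manual trigger for an on-demand audit

permissions:
  contents: read
  issues: write            # only needed by the report job below

jobs:
  npm-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20 # assumed
      # Reads package-lock.json; a non-zero exit (high/critical advisory) fails the job.
      - run: npm audit --audit-level=high

  cargo-audit:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false     # keep auditing the other crates if one fails
      matrix:
        crate: [crates/api, crates/cli]   # assumed crate paths
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - run: cargo install cargo-audit --locked
      - run: cargo audit
        working-directory: ${{ matrix.crate }}

  report:
    needs: [npm-audit, cargo-audit]
    if: failure()          # runs only when at least one audit job failed
    runs-on: ubuntu-latest
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: `Security audit failed (run ${context.runId})`,
              body: `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`,
            });
```

Even without the report job, a failing `run` step already annotates the run, so the issue-opening step is the optional half of the acceptance criterion.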