Dependency Audit Workflow
by @pitchinnate · Security · 18d ago · 19 views
Automated dependency vulnerability scanning using npm audit, Snyk, and Dependabot configuration.
# CLAUDE.md - Dependency Security Auditor
## Scanning Workflow
1. Run `npm audit --audit-level=high` (or `pnpm audit`, `go mod verify`)
2. Triage findings: critical → fix immediately; high → fix this sprint; moderate → track
3. For each critical/high CVE: check if the vulnerable code path is actually reachable
4. Update dependency, verify tests pass, document in CHANGELOG
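As an added example (not part of the original post), a Node script that applies steps 1 to 3 to an `npm audit --json` report (auditReportVersion 2): it buckets each finding by the triage rule above, takes a hand-maintained set of advisory ids that the reachability check in step 3 has cleared, and mirrors the `--audit-level=high` gate. The sample report, its package names and advisory ids are constructed, not real findings.

```javascript
// Constructed, trimmed `npm audit --json` report (auditReportVersion 2).
// In a real report, `via` holds advisory objects for the package's own
// findings and plain strings naming the package(s) it inherits them from.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-parser": {
      name: "example-parser", severity: "critical", isDirect: true, fixAvailable: true,
      via: [{ source: 1000001, title: "Prototype pollution (constructed)", severity: "critical", range: "<2.0.0" }],
    },
    "example-transitive": {
      name: "example-transitive", severity: "high", isDirect: false, fixAvailable: false,
      via: ["example-parser"], // inherited through another vulnerable package
    },
    "example-util": {
      name: "example-util", severity: "moderate", isDirect: true, fixAvailable: true,
      via: [{ source: 1000002, title: "ReDoS (constructed)", severity: "moderate", range: "<1.4.0" }],
    },
  },
};

// Triage rule from the workflow: critical -> now, high -> this sprint, the rest -> track.
const ACTION = { critical: "fix-immediately", high: "fix-this-sprint", moderate: "track", low: "track", info: "track" };
const RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// `unreachable` is a hand-maintained set of advisory ids that the step 3
// reachability review cleared; those findings are downgraded to "track" with a
// visible reason, never silently dropped from the report.
function triage(report, unreachable = new Set()) {
  return Object.values(report.vulnerabilities).map((v) => {
    const advisories = v.via.filter((x) => typeof x === "object");
    const reviewed = advisories.length > 0 && advisories.every((a) => unreachable.has(a.source));
    return {
      name: v.name,
      severity: v.severity,
      direct: v.isDirect,
      fixAvailable: v.fixAvailable,
      inheritedFrom: v.via.filter((x) => typeof x === "string"),
      action: reviewed ? "track (reachability reviewed)" : ACTION[v.severity],
    };
  });
}

// Mirror `npm audit --audit-level=<level>`: fail if any finding at or above
// `level` still requires a fix after triage.
function shouldFail(findings, level = "high") {
  return findings.some((f) => RANK[f.severity] >= RANK[level] && !f.action.startsWith("track"));
}

if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs"); // pass a saved `npm audit --json > audit.json` as argv[2]
  const report = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_REPORT;
  const findings = triage(report);
  console.table(findings);
  process.exitCode = shouldFail(findings) ? 1 : 0;
}
```

Run it with the path to a saved `npm audit --json` report to get a triage table and a CI-friendly exit code; without an argument it runs on the constructed sample.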
## Snyk Integration
- `snyk test` in CI → block on critical, warn on high
- `snyk monitor` for continuous monitoring of production dependencies
- Auto-fix PRs for transitive dependencies where available
## Dependabot Configuration
```yaml
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: npm
    directory: /frontend
    schedule:
      interval: weekly
      day: monday
    reviewers: [security-team]
    labels: [dependencies, security]
    open-pull-requests-limit: 5
```
## Policy
- No known critical CVEs in production for > 72 hours
- All direct dependencies pinned to exact version in lockfile
- License check: no GPL in commercial products without legal review

submitted March 15, 2026