Add scheduled dependency audit workflow #415

Open
drsteinerdj wants to merge 2 commits into vjuliaife:main from drsteinerdj:bounty/dependency-audit-ci

Conversation

drsteinerdj commented Jun 27, 2026

Summary

Fixes #278.

Adds a focused dependency audit workflow for npm and Cargo dependencies without changing application code.

Feasibility notes

  • npm workspace is present at the repository root with packages/* and apps/* workspaces.
  • A Rust workspace exists at Cargo.toml with contracts/tariff-shield as the member.
  • No Cargo.lock is committed, so the workflow generates a transient lockfile before running cargo audit.
  • docs/security.md did not exist; this PR adds it.
  • Existing workflows use actions/checkout@v4, actions/setup-node@v4, and public GitHub Actions only; this workflow follows that pattern.
  • The audit path does not require private infrastructure or secrets.

Changes

  • Adds .github/workflows/audit.yml:
    • runs on PRs, daily schedule, and manual dispatch
    • runs npm audit --audit-level=critical --json
    • installs and runs cargo audit, then fails only for high/critical Cargo advisories
    • uploads npm-audit-report.json and cargo-audit-report.json artifacts
    • opens a GitHub issue on scheduled audit failure with affected packages/advisories when available
  • Adds deny.toml for Cargo license/source/duplicate-version policy checks.
  • Adds docs/security.md with triage steps and a 24-hour critical-fix SLA.

Validation

  • git diff --check
  • Parsed .github/workflows/audit.yml with PyYAML successfully.
  • Locally tested Cargo CVSS blocking logic with:
    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H -> blocking
    • numeric 7.0 -> blocking
    • numeric 6.9 -> non-blocking
    • malformed CVSS string -> blocking by default.
  • npm audit --audit-level=critical --json exits 0 locally; current npm audit data shows high/moderate findings but no critical findings.
  • cargo generate-lockfile could not be reproduced locally because crates.io index download fails on this Windows host with CRYPT_E_NO_REVOCATION_CHECK; the workflow uses GitHub-hosted Ubuntu runners and public crates.io access.

vercel Bot commented Jun 27, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: tariff-shield-web | Deployment: Error | Actions: Error | Updated (UTC): Jun 27, 2026 8:11pm

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e9e9bbfd85

Comment thread: .github/workflows/audit.yml (outdated), lines +77 to +79
const severity = String(advisory.severity || '').toLowerCase();
const cvss = Number(advisory.cvss || 0);
return severity === 'high' || severity === 'critical' || cvss >= 7;
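Review bot: lines +77 to +79 fail open when `advisory.cvss` is a CVSS vector string rather than a number: `Number('CVSS:3.1/...')` is `NaN`, `NaN >= 7` is `false`, and with no `severity` label on the advisory the gate treats a 9.8-scored vulnerability as non-blocking. That also contradicts the Validation claim in the description that a malformed CVSS string blocks by default. Parse the vector into a base score and treat anything unparseable as blocking, e.g. `if (score === null || Number.isNaN(score)) return true;` before the threshold comparison.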

P1: Parse Cargo CVSS vectors before filtering severity

When cargo audit --json reports RustSec advisories, the severity is carried in advisory.cvss as a CVSS vector string such as CVSS:3.1/..., and there is no numeric advisory.severity field in the RustSec metadata. In that common case Number(advisory.cvss || 0) becomes NaN, so high/critical Cargo advisories are counted as 0 and the scheduled issue/fail step will not trigger for the Rust vulnerabilities this workflow is meant to block.

Comment thread: .github/workflows/audit.yml (outdated)

- name: Run cargo deny policy
shell: bash
run: cargo deny check licenses bans

P2: Run the Cargo source policy check

The new deny.toml defines a [sources] policy denying unknown registries and git sources, but this workflow only invokes licenses bans. cargo-deny only runs the named checks, with source validation handled by check sources, so a PR can add an alternate registry or git dependency without this audit enforcing the policy that was just added.

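The Validation list in the description (vector string, numeric 7.0, numeric 6.9, malformed string) and the P1 finding above describe the same gate from two sides, so here is one worked version of it. This is an added example, not the PR's workflow code or the cargo-audit project's code. It goes a step beyond the text by actually computing the CVSS 3.1 base score from the vector (weights and the Roundup rule are from the CVSS 3.1 specification) instead of merely detecting that a vector is present. Assumptions: the function names are hypothetical; the report shape `vulnerabilities.list[].advisory` follows `cargo audit --json`; CVSS 3.0 vectors are scored with the 3.1 rounding rule; the sample report and its `RUSTSEC-0000-000x` ids are constructed placeholders.

```javascript
// Added example, not the PR's workflow code: a fail-closed severity gate for
// `cargo audit --json` advisories. Assumes an advisory carries a numeric `cvss`,
// a CVSS 3.0/3.1 vector string in `cvss`, or a textual `severity`.

// CVSS 3.1 base-metric weights (spec section 7.4); PR depends on Scope.
const WEIGHTS = {
  AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 },
  AC: { L: 0.77, H: 0.44 },
  UI: { N: 0.85, R: 0.62 },
  C: { H: 0.56, L: 0.22, N: 0 }, I: { H: 0.56, L: 0.22, N: 0 }, A: { H: 0.56, L: 0.22, N: 0 },
};
const PR_WEIGHTS = { U: { N: 0.85, L: 0.62, H: 0.27 }, C: { N: 0.85, L: 0.68, H: 0.5 } };

// CVSS 3.1 Roundup: one decimal, always upward, via integer arithmetic so
// floating-point noise cannot flip the last digit.
function roundUp(x) {
  const intInput = Math.round(x * 100000);
  if (intInput % 10000 === 0) return intInput / 100000;
  return (Math.floor(intInput / 10000) + 1) / 10;
}

// Base score of a CVSS 3.x vector, or null when the vector is malformed
// (wrong prefix, missing metric, unknown value). Assumption: 3.0 vectors are
// scored with the 3.1 rounding rule.
function cvssBaseScore(vector) {
  const parts = String(vector).trim().split('/');
  if (!/^CVSS:3\.[01]$/.test(parts[0])) return null;
  const m = Object.create(null);
  for (const part of parts.slice(1)) {
    const [key, value, extra] = part.split(':');
    if (!key || !value || extra !== undefined) return null;
    m[key] = value;
  }
  if (m.S !== 'U' && m.S !== 'C') return null;
  const w = { PR: PR_WEIGHTS[m.S][m.PR] };
  for (const metric of ['AV', 'AC', 'UI', 'C', 'I', 'A']) w[metric] = WEIGHTS[metric][m[metric]];
  if (Object.values(w).some((v) => v === undefined)) return null;

  const changed = m.S === 'C';
  const iss = 1 - (1 - w.C) * (1 - w.I) * (1 - w.A);
  const impact = changed ? 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15) : 6.42 * iss;
  const exploitability = 8.22 * w.AV * w.AC * w.PR * w.UI;
  if (impact <= 0) return 0;
  const combined = changed ? 1.08 * (impact + exploitability) : impact + exploitability;
  return roundUp(Math.min(combined, 10));
}

const NON_BLOCKING_LABELS = new Set(['low', 'medium', 'moderate', 'informational']);

// True when the advisory must fail the audit. Anything unknown or unparseable
// blocks, so a vector string can never collapse to NaN and compare as 0.
function isBlockingAdvisory(advisory, threshold = 7.0) {
  const severity = String(advisory.severity || '').toLowerCase();
  if (severity === 'high' || severity === 'critical') return true;
  const raw = advisory.cvss;
  // No score at all: only an explicit low/medium label passes.
  if (raw === undefined || raw === null || raw === '') return !NON_BLOCKING_LABELS.has(severity);
  let score;
  if (typeof raw === 'number') score = raw;
  else if (/^\s*\d+(\.\d+)?\s*$/.test(String(raw))) score = Number(raw); // e.g. "7.5"
  else score = cvssBaseScore(raw); // vector string, null if malformed
  if (score === null || Number.isNaN(score)) return true; // fail closed
  return score >= threshold;
}

// Advisory ids from a cargo-audit report that should fail the build.
// Assumption: report shape `vulnerabilities.list[].advisory` as in `cargo audit --json`.
function blockingAdvisories(report, threshold = 7.0) {
  const list = (report.vulnerabilities && report.vulnerabilities.list) || [];
  return list
    .map((v) => v.advisory || {})
    .filter((adv) => isBlockingAdvisory(adv, threshold))
    .map((adv) => adv.id || '<unknown id>');
}

// Constructed sample report with placeholder ids (not real advisories).
const SAMPLE_REPORT = { vulnerabilities: { list: [
  { advisory: { id: 'RUSTSEC-0000-0001', cvss: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H' } },
  { advisory: { id: 'RUSTSEC-0000-0002', cvss: 6.9 } },
  { advisory: { id: 'RUSTSEC-0000-0003', cvss: 'not-a-vector' } },
  { advisory: { id: 'RUSTSEC-0000-0004', cvss: 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N' } },
] } };

console.log('blocking advisories:', blockingAdvisories(SAMPLE_REPORT));
```

The design choice worth noting is the direction of every fallback: a missing score with no recognised low/medium label, a vector that does not parse, and a `NaN` all block. A CI gate whose job is to stop critical advisories should fail closed, because the failure mode the P1 finding describes (a valid vector silently scored as 0) is exactly what a permissive default produces. The threshold of 7.0 matches the high/critical boundary the description uses for Cargo advisories.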

vercel Bot commented Jun 27, 2026

Deployment failed with the following error:

The `vercel.json` schema validation failed with the following message: should NOT have additional property `rootDirectory`

Learn More: https://vercel.com/docs/concepts/projects/project-configuration

Development

Successfully merging this pull request may close these issues.

Run cargo audit and npm audit in CI with Hard Failure on Critical Vulnerabilities

1 participant