fix(security): raise password minimum to 12 chars, hide raw error messages, add audit script

- Password validation: min(8) → min(12) across auth.ts, user-procedure-support.ts,
  and invite.ts (aligns with NIST SP 800-63B modern recommendations)
- Error boundary: stop rendering raw error.message which could leak internal
  details; always show the generic fallback text
- Add `pnpm audit` script (--audit-level=high) for dependency vulnerability scanning

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

packages/api/src/router/auth.ts

@@ -74,7 +74,7 @@ export const authRouter = createTRPCRouter({
     .input(
       z.object({
         token: z.string().min(1),
-        password: z.string().min(8, "Password must be at least 8 characters."),
+        password: z.string().min(12, "Password must be at least 12 characters."),
       }),
     )
     .mutation(async ({ ctx, input }) => {

packages/api/src/router/invite.ts

@@ -109,7 +109,7 @@ export const inviteRouter = createTRPCRouter({
     .input(
       z.object({
         token: z.string(),
-        password: z.string().min(8, "Password must be at least 8 characters."),
+        password: z.string().min(12, "Password must be at least 12 characters."),
       }),
     )
     .mutation(async ({ ctx, input }) => {

packages/api/src/router/user-procedure-support.ts

@@ -10,12 +10,12 @@ export const CreateUserInputSchema = z.object({
   email: z.string().email(),
   name: z.string().min(1),
   systemRole: z.nativeEnum(SystemRole).default(SystemRole.USER),
-  password: z.string().min(8),
+  password: z.string().min(12),
 });
 
 export const SetUserPasswordInputSchema = z.object({
   userId: z.string(),
-  password: z.string().min(8, "Password must be at least 8 characters"),
+  password: z.string().min(12, "Password must be at least 12 characters"),
 });
 
 export const UpdateUserRoleInputSchema = z.object({