fix(security): raise password minimum to 12 chars, hide raw error messages, add audit script

- Password validation: min(8) → min(12) across auth.ts, user-procedure-support.ts,
  and invite.ts (aligns with NIST SP 800-63B modern recommendations)
- Error boundary: stop rendering raw error.message which could leak internal
  details; always show the generic fallback text
- Add `pnpm audit` script (--audit-level=high) for dependency vulnerability scanning

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-09 21:48:51 +02:00
parent 20fb39fd05
commit 97cfd0ed90
5 changed files with 6 additions and 5 deletions
@@ -74,7 +74,7 @@ export const authRouter = createTRPCRouter({
.input(
z.object({
token: z.string().min(1),
password: z.string().min(8, "Password must be at least 8 characters."),
password: z.string().min(12, "Password must be at least 12 characters."),
}),
)
.mutation(async ({ ctx, input }) => {
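Review bot: The raised floor in `password: z.string().min(12, ...)` still leaves the field without an upper bound, so the schema accepts input of any length before the mutation body runs; pair it with a `.max(...)` (for example `z.string().min(12, "...").max(128, "...")`) so oversized submissions are rejected at validation time rather than handled further down. Since the commit message says the same change was made in user-procedure-support.ts and invite.ts but only this hunk is visible, also check that the limit and the user-facing message are identical in those files, so a password accepted on one path is not rejected on another.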