diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..100ed4b
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,14 @@
+# Global fallback — all changes require review
+* @hartmut
+
+# Infrastructure
+.github/ @hartmut
+tooling/ @hartmut
+docker-compose*.yml @hartmut
+
+# Database schema
+packages/db/prisma/ @hartmut
+
+# Auth & security
+packages/api/src/router/auth.ts @hartmut
+packages/api/src/middleware/ @hartmut
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ce4acba..6070f57 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -46,6 +46,9 @@ jobs:
 - name: Check workspace imports
 run: pnpm check:imports
 
+ - name: Security audit (high+ severity)
+ run: pnpm audit --audit-level=high
+
 # ──────────────────────────────────────────────
 # Typecheck — ~40s, no services needed
 # ──────────────────────────────────────────────
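Review bot: The header comment `# Global fallback — all changes require review` overstates what CODEOWNERS does on its own: the file only requests reviews, and approval is enforced only if the branch protection rule or ruleset on the target branch requires code-owner review, which this diff does not show. Every pattern resolves to the single account @hartmut, so the path-specific entries currently add nothing over `*`, and pull requests authored by that account have no eligible code-owner approver, since an author's own approval does not count. For the auth and middleware paths I would name a team rather than one person, e.g. `packages/api/src/middleware/ @ORG_PLACEHOLDER/TEAM_PLACEHOLDER`, and reword the comment to `# Global fallback — review is requested for all changes; enforcement depends on branch protection`.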
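Review bot: The added `pnpm audit --audit-level=high` step is a hard gate tied to the live advisory database, so a newly published high-severity advisory with no fixed version will fail every pull request, including unrelated ones and security hotfixes. Nothing in the change records how an accepted exception is handled; I would add a comment above the step such as `# Exceptions: list reviewed advisories under pnpm.auditConfig.ignoreCves in package.json, each with a linked issue`, so the gate is not simply deleted under pressure. The step also runs only when this workflow is triggered, so advisories published between pushes go unnoticed unless a scheduled run exists; the triggers and the start of the enclosing job are outside the hunk, so this is worth confirming.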