From 9c537b027b5ccc3c3b86935b6fecba547effc1aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hartmut=20N=C3=B6renberg?= Date: Sat, 11 Apr 2026 08:31:45 +0200 Subject: [PATCH] ci: add dependency audit step and CODEOWNERS - Add pnpm audit --audit-level=high to CI guardrails job so vulnerable packages are caught before merge, not just in nightly scans - Add CODEOWNERS for review routing on infra, schema, and auth changes Co-Authored-By: Claude Opus 4.6 --- .github/CODEOWNERS | 14 ++++++++++++++ .github/workflows/ci.yml | 3 +++ 2 files changed, 17 insertions(+) create mode 100644 .github/CODEOWNERS diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..100ed4b --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,14 @@ +# Global fallback — all changes require review +* @hartmut + +# Infrastructure +.github/ @hartmut +tooling/ @hartmut +docker-compose*.yml @hartmut + +# Database schema +packages/db/prisma/ @hartmut + +# Auth & security +packages/api/src/router/auth.ts @hartmut +packages/api/src/middleware/ @hartmut diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ce4acba..6070f57 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,6 +46,9 @@ jobs: - name: Check workspace imports run: pnpm check:imports + - name: Security audit (high+ severity) + run: pnpm audit --audit-level=high + # ────────────────────────────────────────────── # Typecheck — ~40s, no services needed # ──────────────────────────────────────────────
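Review bot: Every pattern in the new CODEOWNERS resolves to the same single owner as the `*` fallback, so the infra, schema and auth sections currently add no routing beyond "everything goes to @hartmut", and the file enforces nothing on its own: it only gates merges once branch protection has "Require review from Code Owners" enabled, and GitHub does not count a PR author's own approval, so PRs opened by the sole owner on `auth.ts` or `middleware/` presumably cannot satisfy the rule at all — a second reviewer or a team for the "Auth & security" block would make the section meaningful. Document the enforcement dependency in the file header, e.g. `# Enforced only when branch protection requires code-owner review; a sole owner cannot self-approve`. Since the same commit introduces a dependency audit, the supply-chain surface that this audit reads (`pnpm-lock.yaml`, and the root `package.json` where pnpm audit ignores such as `pnpm.auditConfig.ignoreCves` would live) is worth an explicit pattern, e.g. `pnpm-lock.yaml @hartmut` and `package.json @hartmut`, so that audit exceptions get owner review. Minor: `docker-compose*.yml` does not match a `.yaml` extension or the newer `compose.yaml` name, if the repo uses either.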
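Review bot: The new `Security audit (high+ severity)` step has no documented exception path, so a high/critical advisory in a transitive dependency with no upstream fix will block every PR regardless of what it changes; the hunk should say where a reviewed suppression goes (pnpm reads `pnpm.auditConfig.ignoreCves` from the root `package.json`) and what the step's exit semantics are, e.g. `# Fails the job on high/critical advisories in pnpm-lock.yaml; reviewed exceptions go in package.json pnpm.auditConfig.ignoreCves`. Confirm against the pnpm version pinned in this workflow that `--audit-level` gates the exit code and not only the printed output, since the guardrail is only as strong as that behaviour. Note also that the result depends on the registry's advisory database at run time, so `main` can turn red without any code change — the nightly scan mentioned in the commit message covers that, but a one-line comment in the step saying so would save the next person a confused re-run. The enclosing `jobs:` block starts and continues outside this hunk, so whether the job has network access to the registry audit endpoint and the lockfile checked out is not visible here.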