audit-fix


Audit Fix Skill

Automated security audit remediation for the monorepo. Fixes what it can, reports what it can't.

Phase 1: Capture Current State

Run pnpm audit --json and read the output. Note the advisory count, severity breakdown (from .metadata.vulnerabilities), and each advisory's package name, severity, patched version, and dependency path. This is the "BEFORE" state — remember it for the final summary.

Phase 2: Fix via Direct Dependency Bumps

For each advisory, check if the vulnerable package is a direct dependency in any workspace package.json (root or workspace packages) by grepping for it.

For each match:

  1. Check if bumping to the patched version is possible: pnpm outdated <package> in the relevant workspace
  2. If a patched version exists, update the version in the workspace package.json
  3. Run pnpm install after all direct bumps are done

Do NOT bump major versions without asking the user first. Minor and patch bumps can be applied without confirmation.
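The two phases above, as an added example that is not part of this skill: a Node script that reads the audit report, keeps the BEFORE severity summary, splits advisories into direct versus transitive dependencies by looking at workspace package.json manifests, and flags which direct bumps cross a major version and so need the user's confirmation. It assumes pnpm's npm-audit-style JSON shape (advisories keyed by id with module_name, severity, patched_versions and findings[].paths) and embeds constructed sample data in place of running pnpm and reading files from disk.

```javascript
// Added example (not the skill's own code): triage a `pnpm audit --json` report against
// workspace package.json files: BEFORE summary plus a direct/transitive split with the
// major-bump rule applied. Assumes pnpm's npm-audit-style JSON and ">=x.y.z" patched ranges.

// Constructed sample report; advisory ids, packages and versions are illustrative only.
const SAMPLE_AUDIT = {
  advisories: {
    "1001": { module_name: "lodash", severity: "high", patched_versions: ">=4.17.21",
              findings: [{ version: "4.17.15", paths: ["lodash"] }] },
    "1002": { module_name: "minimist", severity: "moderate", patched_versions: ">=1.2.6",
              findings: [{ version: "1.2.5", paths: ["mocha>minimist"] }] },
    "1003": { module_name: "semver", severity: "high", patched_versions: ">=7.5.2",
              findings: [{ version: "6.3.0", paths: ["semver"] }] },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 2, critical: 0 } },
};

// Constructed workspace manifests (path -> parsed package.json); a real run reads these from disk.
const WORKSPACES = {
  "package.json": { dependencies: { lodash: "^4.17.15" } },
  "packages/api/package.json": { dependencies: { semver: "^6.3.0" }, devDependencies: { mocha: "^10.0.0" } },
};

// Pull the first x.y.z triple out of a range or spec ("^4.17.15", ">=4.17.21"); null if none.
function versionTriple(s) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(s || "");
  return m ? m.slice(1, 4).map(Number) : null;
}

function triage(audit, workspaces) {
  const out = { before: audit.metadata.vulnerabilities, direct: [], transitive: [] };
  for (const [id, adv] of Object.entries(audit.advisories)) {
    const target = versionTriple(adv.patched_versions);
    const owners = [];
    for (const [file, pkg] of Object.entries(workspaces)) {
      const spec = { ...pkg.dependencies, ...pkg.devDependencies }[adv.module_name];
      if (spec === undefined) continue;            // not a direct dependency of this workspace
      const current = versionTriple(spec);
      // Skill rule: major bumps need the user's confirmation; minor/patch bumps can be applied.
      const isMajor = !!(target && current && target[0] !== current[0]);
      owners.push({ file, spec, patched: adv.patched_versions, needsConfirmation: isMajor });
    }
    const entry = { id, package: adv.module_name, severity: adv.severity,
                    paths: adv.findings.flatMap(f => f.paths), owners };
    (owners.length ? out.direct : out.transitive).push(entry);  // transitive: report only
  }
  return out;
}
console.log(JSON.stringify(triage(SAMPLE_AUDIT, WORKSPACES), null, 2));
```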

Installs: 1 | GitHub Stars: 1.1K | First Seen: Mar 30, 2026