From 7bb7425a0b9fdb325e1ce6cfdccc9c6d119ea4f6 Mon Sep 17 00:00:00 2001
From: DJ
Date: Mon, 30 Mar 2026 19:48:22 -0700
Subject: [PATCH 1/3] ci: add cargo audit for dependency security scanning

Add a separate security audit job to the CI workflow that runs cargo-audit to check for known vulnerabilities in dependencies.
Refs #11 (item 6)
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/ci.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fc8c481..054ba3a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -37,3 +37,16 @@ jobs:
 - name: Run cargo test
 run: cargo test --locked
+
+ audit:
+ name: Security Audit
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Check out repository
+ uses: actions/checkout@v5
+ - name: Install cargo-audit
+ run: cargo install cargo-audit --locked
+ - name: Run cargo audit
+ run: cargo audit
From df028c5b6efb1de24165f9f44d346a64167e22ba Mon Sep 17 00:00:00 2001
From: DJ
Date: Mon, 30 Mar 2026 20:12:43 -0700
Subject: [PATCH 2/3] fix: add Rust toolchain and cache to audit job

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/ci.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 054ba3a..641506e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -45,6 +45,12 @@ jobs:
 - name: Check out repository
 uses: actions/checkout@v5
+ - name: Install Rust toolchain
+ uses: dtolnay/rust-toolchain@stable
+
+ - name: Restore Cargo cache
+ uses: Swatinem/rust-cache@v2
+
 - name: Install cargo-audit
 run: cargo install cargo-audit --locked
From e16e0cef72c6fc7a124f8d91327a754998240465 Mon Sep 17 00:00:00 2001
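Review bot: `cargo install cargo-audit --locked` pins cargo-audit's own dependency lockfile but not the cargo-audit release itself, so the job that is supposed to be the dependency-security gate builds whatever crates.io serves as latest on each run — non-reproducible, and a supply-chain exposure of exactly the kind the job exists to catch; pin it, e.g. `run: cargo install cargo-audit --locked --version <pinned release>`. Likewise `actions/checkout@v5` is a mutable tag; for a security job prefer a full commit SHA with the version in a trailing comment. The final `run: cargo audit` only fails on vulnerability advisories — unmaintained, unsound and yanked advisories are reported as warnings and leave the job green — so consider `run: cargo audit --deny warnings` if those should block. Whether this job inherits a restricted top-level `permissions:` block is not visible in the hunk; if it does not, a job-level `permissions: contents: read` keeps the default token least-privilege.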
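Review bot: Both new steps reference third-party actions by mutable refs — `dtolnay/rust-toolchain@stable` and `Swatinem/rust-cache@v2` — so the toolchain and the action code can change underneath an otherwise unchanged workflow, and `@stable` additionally floats the compiler version used to build cargo-audit. Pin each `uses:` to a full commit SHA with the version in a trailing comment (`uses: Swatinem/rust-cache@<sha> # v2`) and, if reproducibility matters for this job, give rust-toolchain a concrete version rather than the channel. Note that patch 3/3 in this series removes both steps again, so this only matters if the series is applied partially.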
From: mark-pro <20671988+mark-pro@users.noreply.github.com>
Date: Tue, 31 Mar 2026 20:10:38 -0400
Subject: [PATCH 3/3] ci: use rustsec/audit-check for security scanning

Replace manual cargo-audit installation and execution with the official rustsec/audit-check action for significantly faster CI runs and automatic PR annotations.
---
 .github/workflows/ci.yml | 15 ++++----------
 1 file changed, 4 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 641506e..880885c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -45,14 +45,7 @@ jobs:
 - name: Check out repository
 uses: actions/checkout@v5
- - name: Install Rust toolchain
- uses: dtolnay/rust-toolchain@stable
-
- - name: Restore Cargo cache
- uses: Swatinem/rust-cache@v2
-
- - name: Install cargo-audit
- run: cargo install cargo-audit --locked
-
- - name: Run cargo audit
- run: cargo audit
+ - name: Security audit
+ uses: rustsec/audit-check@v2.0.0
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
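Review bot: The new step hands `secrets.GITHUB_TOKEN` to a third-party action referenced by a tag, `rustsec/audit-check@v2.0.0`, and tags are mutable — a security-gating step that receives a token should be pinned to a full commit SHA with the version kept in a comment, e.g. `uses: rustsec/audit-check@<sha> # v2.0.0`. The token is needed for the PR annotations the commit message mentions, which presumably requires check-run write access; the workflow's top-level `permissions:` is not in this hunk, so if it is restricted the job will need `checks: write`, and if it is not, the job should declare its own minimal block — `permissions:` / `contents: read` / `checks: write` — rather than pass the default-scoped token to the action. Note that on pull requests from forks `GITHUB_TOKEN` is read-only, so the annotation path may fail there even when the audit itself succeeds. As with plain `cargo audit`, it is worth confirming whether the action treats unmaintained and yanked advisories as failures or only as warnings, and since the advisory database changes without any commit to this repo, a `schedule:` trigger for the `audit` job would catch new advisories against an unchanged `Cargo.lock`.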