CVE audit automation — local skill + scheduled CI
Partner Support periodically flags CVEs in our images without saying which layer or dependency is affected. We want to find and classify them ourselves, on a regular cadence, and keep the artifacts so the team has something concrete to act on.
What:
- a local skill that runs govulncheck (Go modules), pnpm audit (UI dependencies) and trivy (the Docker image) and produces a triage report. Note that govulncheck only reports vulnerabilities whose affected symbols are reachable from our code, so its list will be shorter than a package-list scanner's; when a partner's count differs from ours, that is the first thing to check.
- scheduled GitLab CI jobs that run the same three scanners, publish the raw JSON and text output as artifacts, and aggregate them into a single SUMMARY.md
Why:
- clear ownership of CVE status across Go deps, UI deps, and the Docker image
- catches new CVEs automatically, independent of partner notifications
- gives the team artifacts to act on: fixable vs. unfixed per finding, plus CVSS vectors so risk can be judged from attack vector and privileges required rather than from severity labels alone
Scope:
- `.claude/commands/cve-audit.md` — local `/cve-audit` command
- `.gitlab-ci-security.yml` — scheduled CI jobs
- `.gitlab-ci.yml` — include the new file
- `.gitignore` — exclude scan outputs
Out of scope:
- fixing the actual CVEs (separate tickets per batch)
- auto-creating issues from findings (possible follow-up)
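The aggregation step in "What" (three scanners in, one SUMMARY.md out, split into fixable vs. unfixed with CVSS vectors) is the part most likely to be rewritten ad hoc in each job, so here is an added example of it in Python. This is not the project's code and not part of the ticket scope; the JSON field names follow the three tools' output as I know it (trivy `Results[].Vulnerabilities[]`, govulncheck `-json` `osv`/`finding` records, pnpm audit `advisories`) and must be checked against the tool versions pinned in CI. The sample documents and the IDs in them are constructed placeholders.

```python
from __future__ import annotations
import json
from dataclasses import dataclass
from typing import Optional
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}

@dataclass(frozen=True)
class Finding:
    source: str                 # "trivy" | "govulncheck" | "pnpm"
    vuln_id: str
    package: str
    installed: str
    fixed: Optional[str]        # None when no fixed release is published, i.e. "unfixed"
    severity: str
    cvss_vector: Optional[str]

def norm_sev(s: Optional[str]) -> str:
    s = (s or "UNKNOWN").upper()
    return {"MODERATE": "MEDIUM"}.get(s, s)   # pnpm says "moderate", trivy says "MEDIUM"

def parse_trivy(doc: dict) -> list[Finding]:
    """trivy image --format json: Results[].Vulnerabilities[] (assumed field names)."""
    out = []
    for result in doc.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            # CVSS is keyed by data source (nvd, redhat, ...); take the first V3 vector found.
            vector = next((s.get("V3Vector") for s in (v.get("CVSS") or {}).values()
                           if s.get("V3Vector")), None)
            out.append(Finding("trivy", v["VulnerabilityID"], v["PkgName"],
                               v.get("InstalledVersion", "?"), v.get("FixedVersion") or None,
                               norm_sev(v.get("Severity")), vector))
    return out

def parse_govulncheck(stream: str) -> list[Finding]:
    """govulncheck -json: a stream of JSON objects carrying 'osv' or 'finding' (assumed)."""
    dec, pos, osv, rows, seen = json.JSONDecoder(), 0, {}, [], set()
    # Advance past whitespace between objects, then decode one object at a time.
    while (pos := len(stream) - len(stream[pos:].lstrip())) < len(stream):
        obj, pos = dec.raw_decode(stream, pos)
        if "osv" in obj:
            osv[obj["osv"]["id"]] = obj["osv"]
        elif "finding" in obj:
            f, mod = obj["finding"], obj["finding"]["trace"][0]   # trace[0] is the vulnerable module
            if (f["osv"], mod["module"]) not in seen:             # one row per advisory+module, not per call site
                seen.add((f["osv"], mod["module"]))
                rows.append((f, mod))
    out = []
    for f, mod in rows:
        aliases = osv.get(f["osv"], {}).get("aliases", [])
        cve = next((a for a in aliases if a.startswith("CVE-")), f["osv"])
        # The Go vuln DB carries no CVSS; the CVE alias is the key for an NVD lookup during triage.
        out.append(Finding("govulncheck", cve, mod["module"], mod.get("version", "?"),
                           f.get("fixed_version") or None, "UNKNOWN", None))
    return out

def parse_pnpm_audit(doc: dict) -> list[Finding]:
    """pnpm audit --json: 'advisories' keyed by advisory id (assumed field names)."""
    out = []
    for adv in doc.get("advisories", {}).values():
        patched = adv.get("patched_versions") or "<0.0.0"
        vuln_id = (adv.get("cves") or [adv.get("github_advisory_id") or f"npm-{adv.get('id')}"])[0]
        out.append(Finding("pnpm", vuln_id, adv["module_name"], (adv.get("findings") or [{}])[0].get("version", "?"),
                           None if patched == "<0.0.0" else patched,   # "<0.0.0": no patched release exists
                           norm_sev(adv.get("severity")), (adv.get("cvss") or {}).get("vectorString")))
    return out

def summarize(findings: list[Finding]) -> str:
    """Render SUMMARY.md: fixable rows first, then unfixed, each sorted by severity."""
    lines = ["# CVE audit summary", ""]
    for title, group in (("Fixable", [f for f in findings if f.fixed]),
                         ("No fix available", [f for f in findings if not f.fixed])):
        lines += [f"## {title} ({len(group)})", "",
                  "| Source | ID | Package | Installed | Fixed | Severity | CVSS v3 vector |",
                  "|---|---|---|---|---|---|---|"]
        for f in sorted(group, key=lambda f: (SEVERITY_ORDER.get(f.severity, 9), f.vuln_id)):
            lines.append(f"| {f.source} | {f.vuln_id} | {f.package} | {f.installed} | "
                         f"{f.fixed or '-'} | {f.severity} | {f.cvss_vector or '-'} |")
        lines.append("")
    return "\n".join(lines)

# Constructed sample scanner output; the IDs are placeholders, not real advisories.
TRIVY_SAMPLE = {"Results": [{"Target": "app:latest (debian 12)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "InstalledVersion": "3.0.1",
     "FixedVersion": "3.0.2", "Severity": "HIGH",
     "CVSS": {"nvd": {"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "V3Score": 7.5}}},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libc6", "InstalledVersion": "2.36", "Severity": "LOW"}]}]}
GOVULNCHECK_SAMPLE = """
{"osv": {"id": "GO-0000-0001", "aliases": ["CVE-0000-0003"]}}
{"finding": {"osv": "GO-0000-0001", "fixed_version": "v1.2.3", "trace": [{"module": "example.com/lib", "version": "v1.2.0", "function": "Parse"}]}}
{"finding": {"osv": "GO-0000-0001", "fixed_version": "v1.2.3", "trace": [{"module": "example.com/lib", "version": "v1.2.0", "function": "Decode"}]}}
"""
PNPM_SAMPLE = {"advisories": {"1": {"id": 1, "module_name": "example-pkg", "severity": "moderate",
    "patched_versions": "<0.0.0", "cves": [], "github_advisory_id": "GHSA-0000-0000-0000",
    "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},
    "findings": [{"version": "1.0.0", "paths": ["app > example-pkg"]}]}}}
def audit_all() -> list[Finding]:
    return parse_trivy(TRIVY_SAMPLE) + parse_govulncheck(GOVULNCHECK_SAMPLE) + parse_pnpm_audit(PNPM_SAMPLE)

if __name__ == "__main__":
    print(summarize(audit_all()))
```

In the CI job the three parsers would be fed the artifact files (`trivy --format json`, `govulncheck -json`, `pnpm audit --json`) instead of the samples, and the rendered string written to SUMMARY.md. Two behaviours worth keeping whatever the final shape: govulncheck emits one finding per call site, so rows are collapsed to one per advisory and module, and pnpm marks "no patched release" as `patched_versions: "<0.0.0"`, which is what puts a UI dependency into the unfixed bucket rather than silently into the fixable one.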