chore(deps+security): clear 2026-06-12 CVE backlog + install security stack

.github/dependabot.yml

@@ -0,0 +1,31 @@
+# Dependabot configuration (Node.js monorepo)
+# Installed by: security-audit skill
+
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "security"
+    groups:
+      dev-dependencies:
+        dependency-type: "development"
+        patterns: ["vitest", "vite", "esbuild", "@vscode/*", "@types/*"]
+      runtime-security:
+        dependency-type: "production"
+        patterns: ["dompurify", "marked"]
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 2
+    labels:
+      - "dependencies"
+      - "ci"

.github/workflows/release.yml

@@ -12,13 +12,13 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65  # v4.0.0
         with:
           node-version: 22
 
-      - uses: pnpm/action-setup@v4
+      - uses: pnpm/action-setup@0c17529a66aca453f9227af23103ed11469b1e47  # v4.0.0
         with:
           version: 10
 
@@ -44,6 +44,6 @@ jobs:
           VSCE_PAT: ${{ secrets.VSCE_PAT }}
 
       - name: Upload .vsix to GitHub Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@738f0c76948a84ff818b6e43c8b515cb27dbc559  # v2.0.0
         with:
           files: packages/platforms/vscode/*.vsix

.github/workflows/security-audit.yml

@@ -0,0 +1,79 @@
+# Security Audit CI Workflow (Node.js monorepo)
+# Installed by: security-audit skill
+#
+# IMPORTANT: All actions are pinned to commit SHAs for supply-chain integrity.
+# Use `gh api repos/<owner>/<repo>/git/refs/tags/<tag>` to look up the SHA for an
+# upgrade, then replace the `@<sha>` portion below.
+
+name: Security Audit
+
+on:
+  push:
+    branches: [main, development]
+  pull_request:
+    branches: [main, development]
+  schedule:
+    - cron: '0 6 * * 1'  # Weekly Monday 06:00 UTC
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  secret-scan:
+    name: Gitleaks
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+        with:
+          fetch-depth: 0
+      - name: Gitleaks
+        uses: gitleaks/gitleaks-action@dcedce43c6f43de0b836d1fe38946645c9c638dc  # v2.1.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  sast-semgrep:
+    name: Semgrep SAST
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+      - name: Semgrep SAST
+        run: |
+          semgrep scan \
+            --config p/javascript \
+            --config p/typescript \
+            --config p/react \
+            --config p/secrets \
+            --error \
+            --metrics=off \
+            --sarif --output semgrep-results.sarif
+      - name: Upload SARIF
+        if: always()
+        uses: github/codeql-action/upload-sarif@b0c4fd77f6c559021d78430ec4d0d169ae74a4eb  # v3.28.3
+        with:
+          sarif_file: semgrep-results.sarif
+        continue-on-error: true
+
+  dependency-scan:
+    name: pnpm audit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+      - name: Install pnpm
+        uses: pnpm/action-setup@0c17529a66aca453f9227af23103ed11469b1e47  # v4.0.0
+        with:
+          version: 10
+      - name: Setup Node
+        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65  # v4.0.0
+        with:
+          node-version: '22'
+          cache: 'pnpm'
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+      - name: Audit dependencies
+        run: pnpm audit --audit-level=high

.github/workflows/test.yml

@@ -11,13 +11,13 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65  # v4.0.0
         with:
           node-version: 22
 
-      - uses: pnpm/action-setup@v4
+      - uses: pnpm/action-setup@0c17529a66aca453f9227af23103ed11469b1e47  # v4.0.0
         with:
           version: 10
 

.gitleaks.toml

@@ -0,0 +1,21 @@
+# Gitleaks allowlist — suppress false positives
+# Installed by: security-audit skill
+# Source: ~/.config/opencode/skills/security-audit/templates/node/.gitleaks.toml
+
+[allowlist]
+  description = "Allowlist for config templates, test fixtures, and dotenv examples"
+  paths = [
+    '''\.env\.example''',
+    '''\.env\.sample''',
+    '''__tests__/.*''',
+    '''\.gitleaks\.toml''',
+    '''scripts/security/.*\.json''',
+    '''pnpm-lock\.yaml''',
+    '''node_modules/.*''',
+    '''dist/.*''',
+    '''\.vscode-test/.*''',
+  ]
+  regexes = [
+    '''opencodegui-monorepo''',
+    '''opencodegui@''',
+  ]

.pre-commit-config.yaml

@@ -0,0 +1,9 @@
+# Security audit pre-commit hooks (Node.js)
+# Installed by: security-audit skill
+
+repos:
+  # Secret detection — blocks accidental commits of API keys, tokens, credentials
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.30.1
+    hooks:
+      - id: gitleaks

SECURITY.md

@@ -0,0 +1,42 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+|---------|--------------------|
+| main    | :white_check_mark: |
+| < 1.0   | :x:                |
+
+## Reporting a Vulnerability
+
+**Do NOT open a public GitHub issue for security vulnerabilities.**
+
+Report via GitHub private vulnerability reporting:
+https://github.com/ktmage/opencode-gui/security/advisories/new
+
+Expect a response within 72 hours. Please include:
+- Description of the vulnerability
+- Steps to reproduce
+- Affected versions
+- Any potential mitigations you've identified
+
+## Scope
+
+This policy covers:
+- The application code and its dependencies
+- API key handling and configuration management
+- CI/CD pipeline security
+- Dependency supply chain (pnpm/npm)
+- VS Code extension security (webview ↔ host message protocol)
+
+## Accepted Risks
+
+| Date       | Finding                       | Severity | Rationale                                                                                         |
+|------------|-------------------------------|----------|---------------------------------------------------------------------------------------------------|
+| 2026-06-12 | (none recorded)               | —        | Audit at 2026-06-12 cleared 1 CRIT + 10 HIGH + 21 MOD to 0/0/0 across 530 packages. See SECURITY audit trail. |
+
+## Audit Trail
+
+Security audits are recorded in `scripts/security/last-audit.json`.
+Latest audit: **2026-06-12** (workspace + changed files, mode: all) — 0 findings, 0 CVEs.
+Threat-monitor risk assessments: `plans/security/risk_assessment-*.md`.

package.json

@@ -17,5 +17,18 @@
   },
   "devDependencies": {
     "@biomejs/biome": "2.4.4"
+  },
+  "pnpm": {
+    "overrides": {
+      "undici": "^7.27.2",
+      "picomatch": "^4.0.4",
+      "fast-uri": "^3.1.2",
+      "lodash": "^4.18.0",
+      "tmp": "^0.2.6",
+      "postcss": "^8.5.10",
+      "uuid": "^11.1.1",
+      "qs": "^6.15.2",
+      "brace-expansion": "^5.0.6"
+    }
   }
 }

packages/agents/opencode/package.json

@@ -19,6 +19,6 @@
   },
   "devDependencies": {
     "typescript": "^5.7.0",
-    "vitest": "^4.0.18"
+    "vitest": "^4.1.8"
   }
 }

packages/platforms/vscode/package.json

@@ -74,27 +74,27 @@
     "@testing-library/jest-dom": "^6.9.1",
     "@testing-library/react": "^16.3.2",
     "@testing-library/user-event": "^14.6.1",
-    "@types/dompurify": "^3.0.5",
+    "@types/dompurify": "^3.2.0",
     "@types/node": "^22.0.0",
     "@types/react": "^19.0.0",
     "@types/react-dom": "^19.0.0",
     "@types/vscode": "^1.100.0",
     "@vitejs/plugin-react": "^5.1.4",
-    "@vscode/vsce": "^3.7.1",
+    "@vscode/vsce": "^3.9.2",
     "esbuild": "^0.25.0",
     "jsdom": "^28.1.0",
     "marked": "^17.0.3",
     "react": "^19.0.0",
     "react-dom": "^19.0.0",
     "typescript": "^5.7.0",
-    "vite": "^6.0.0",
-    "vitest": "^4.0.18"
+    "vite": "^7.3.5",
+    "vitest": "^4.1.8"
   },
   "dependencies": {
     "@opencodegui/agent-opencode": "workspace:*",
     "@opencodegui/core": "workspace:*",
     "diff": "^8.0.0",
-    "dompurify": "^3.3.1",
+    "dompurify": "^3.4.0",
     "highlight.js": "^11.11.1",
     "react-icons": "^5.5.0"
   }