docs: ADR-028 CI security scanning strategy + frontend pnpm audit job#75

Merged
singyichen merged 2 commits into main from docs/adr-ci-security-scanning on Jun 11, 2026
Conversation

@singyichen (Owner)
Summary

  • Add ADR-028 recording the CI security scanning decision: two-layer strategy — SCA (dependency audit) on both ends now, Semgrep SAST adopted in principle but deferred until backend code exists.
  • Document the previously undocumented backend pip-audit CI job, and record rejected/deferred alternatives (DAST, API fuzzing) with explicit revisit conditions so the "scan OSS repos / black-box testing" question is not re-litigated.
  • Add a dormant conditional frontend-security CI job (pnpm audit --prod --audit-level high), mirroring backend-security; it activates automatically once frontend/package.json exists.

Changed Files

| File | Change |
| --- | --- |
| docs/adr/028-ci-security-scanning.md | New ADR — CI security scanning strategy |
| docs/adr/README.md | Index entry for ADR-028 |
| .github/workflows/ci.yml | New frontend-security job (pnpm audit) |

Test Plan

  • ci.yml parses as valid YAML (verified locally via Ruby YAML parser)
  • New job uses the existing conditional pattern (needs.validate.outputs.frontend-exists) — skipped on this PR since frontend/package.json does not exist
  • No untrusted input interpolated in run: commands (workflow injection check)
  • ADR index link and numbering verified against docs/adr/README.md

- record the decision to adopt two-layer scanning (SCA now, Semgrep SAST deferred) so the scan-OSS/black-box question is not re-litigated
- document the previously undocumented backend pip-audit job and the rejected/deferred alternatives (DAST, API fuzzing) with explicit revisit conditions
- mirror the backend pip-audit gate so frontend dependency CVEs fail CI automatically once frontend/package.json exists (ADR-028)
- adding the dormant conditional job now removes the need to remember it when frontend development begins
@amazon-q-developer amazon-q-developer Bot left a comment

Review Summary

This PR adds comprehensive CI security scanning documentation via ADR-028 and implements a dormant frontend-security CI job. The implementation is technically sound and ready to merge.

Changes Reviewed:

  • ✅ New frontend-security job correctly implements pnpm audit --prod --audit-level high
  • ✅ Job uses proper conditional pattern (needs.validate.outputs.frontend-exists)
  • ✅ ADR-028 thoroughly documents security scanning strategy with clear rationale
  • ✅ ADR index properly updated

No blocking issues found. The implementation correctly follows the existing CI patterns, uses appropriate security audit flags, and the dormant job will activate automatically when frontend/package.json is created.


You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request introduces ADR-028, which establishes a two-layer CI security scanning strategy using Software Composition Analysis (SCA) for both backend and frontend dependencies, while deferring Static Application Security Testing (SAST) until application code is present. Feedback was provided on the backend SCA documentation to ensure that the uv run command includes the --no-dev flag, preventing development dependencies from being audited.

### 1. SCA — dependency audit (both ends)

- **Backend**: keep the existing `backend-security` job — `uv run pip-audit --desc --fail-on high` against production dependencies only (`uv sync --no-dev`).

medium

In uv, running uv run pip-audit will automatically re-sync the environment and install development dependencies by default, overriding a previous uv sync --no-dev step. To ensure only production dependencies are audited, the --no-dev flag should be passed directly to uv run.

Suggested change:

```diff
-- **Backend**: keep the existing `backend-security` job — `uv run pip-audit --desc --fail-on high` against production dependencies only (`uv sync --no-dev`).
+- **Backend**: keep the existing `backend-security` job — `uv run --no-dev pip-audit --desc --fail-on high` against production dependencies only.
```
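To make the two review points concrete (the dormant conditional `frontend-security` job described in the PR summary, and the `--no-dev`-on-`uv run` remark above), here is an added workflow sketch. It is not the repository's `ci.yml`: the probe step that produces `frontend-exists`, the `working-directory` layout, the action names and their versions are all assumptions.

```yaml
name: ci
on: [push, pull_request]

jobs:
  validate:
    runs-on: ubuntu-latest
    outputs:
      # Job outputs are strings, so consumers compare against the literal 'true'.
      frontend-exists: ${{ steps.probe.outputs.frontend-exists }}
    steps:
      - uses: actions/checkout@v4
      - id: probe
        # Assumed probe: the job stays dormant until frontend/package.json lands.
        run: |
          if [ -f frontend/package.json ]; then
            echo "frontend-exists=true" >> "$GITHUB_OUTPUT"
          else
            echo "frontend-exists=false" >> "$GITHUB_OUTPUT"
          fi

  backend-security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v5
      # --no-dev is given to `uv run` itself: `uv run` re-syncs the environment
      # before executing, so a separate `uv sync --no-dev` step would be undone.
      # Assumes pip-audit is resolvable in that environment; the PR does not say where it lives.
      - run: uv run --no-dev pip-audit --desc --fail-on high
        working-directory: backend

  frontend-security:
    needs: validate
    # Same conditional pattern the PR description cites; skipped while the probe says 'false'.
    if: needs.validate.outputs.frontend-exists == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      # Production dependencies only; non-zero exit on high or critical advisories fails CI.
      - run: pnpm audit --prod --audit-level high
        working-directory: frontend
```

No user-controlled value (branch name, PR title, issue body) is interpolated into any `run:` line, which is the workflow-injection check listed in the PR's test plan.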

@singyichen singyichen merged commit 3e4e9ba into main Jun 11, 2026
10 checks passed
@singyichen singyichen deleted the docs/adr-ci-security-scanning branch June 11, 2026 09:38