Perform a security audit of the codebase covering common vulnerability categories.

## Steps

### 1. Dependency Vulnerabilities

- Run the package manager's audit: `npm audit`, `pip-audit`, `cargo audit`, `govulncheck ./...`.
- List critical and high severity vulnerabilities.
- For each, determine if the vulnerable code path is actually reachable in this project.
- Recommend specific version upgrades or patches.

### 2. Secrets Scan

- Search for hardcoded secrets, API keys, tokens, and passwords:
  - Patterns: `password\s*=`, `api[_-]?key`, `secret`, `token`, `Bearer `, base64-encoded strings.
  - Files: `.env` files committed to git, config files, source code.
- Check `.gitignore` for proper exclusion of sensitive files.
- Verify environment variables are used for all secrets.

### 3. OWASP Top 10 Check

- **Injection**: SQL injection, command injection, XSS. Search for string concatenation in queries, `eval()`, `innerHTML`.
- **Broken Auth**: Weak password policies, missing rate limiting, session fixation.
- **Sensitive Data Exposure**: Unencrypted data at rest/transit, verbose error messages, logs containing PII.
- **Broken Access Control**: Missing authorization checks, IDOR vulnerabilities, privilege escalation paths.
- **Security Misconfiguration**: Default credentials, unnecessary features enabled, CORS wildcards.

### 4. Input Validation

- Verify all user inputs are validated before processing.
- Check for proper type coercion and boundary checking.
- Ensure file uploads have type, size, and name validation.
- Verify URL and redirect validation prevents open redirects.

### 5. Authentication and Authorization Review

- Check password hashing (bcrypt/argon2, not MD5/SHA1).
- Verify JWT token expiration and rotation.
- Check for proper CSRF protection.
- Verify role-based access control at the API layer, not just the UI.

### 6. Report

Produce a findings report organized by severity (Critical, High, Medium, Low, Info) with:

- Finding description.
- Affected file and line.
- Recommended fix.
- Reference (CWE number or OWASP category).

## Rules

- Prioritize findings by exploitability and impact, not just theoretical risk.
- Include proof-of-concept for critical findings when safe to do so.
- Do not just list tools to run. Actually analyze the output and provide actionable recommendations.
- Check both the application code and infrastructure configuration (Dockerfiles, CI configs, cloud configs).
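
An added example for the Secrets Scan step (not part of the original checklist): a small Python scanner that applies the patterns listed there to constructed sample files and emits findings with severity, file, line and reference, as the Report step asks. The 40-character base64 floor, the literal-value heuristic, the environment-lookup filter and the sample file names are assumptions.

```python
import re

# Patterns from the Secrets Scan step. The 40-character floor for
# base64-looking strings is an assumption, chosen to limit noise.
PATTERNS = {
    "password assignment": re.compile(r"password\s*=", re.I),
    "api key": re.compile(r"api[_-]?key", re.I),
    "secret": re.compile(r"secret", re.I),
    "token": re.compile(r"token", re.I),
    "bearer credential": re.compile(r"Bearer "),
    "base64-like string": re.compile(r"[A-Za-z0-9+/]{40,}={0,2}"),
}
# Heuristic (assumption): a quoted literal of 8+ characters being assigned.
LITERAL = re.compile(r"""[:=]\s*["']([^"'\s]{8,})["']""")
# Heuristic (assumption): values read from the environment are not findings.
ENV_LOOKUP = re.compile(r"os\.environ|os\.getenv|process\.env|\$\{[A-Z_]+\}")

# Constructed sample input; none of these values are real credentials.
SAMPLE = {
    "config/settings.py": (
        'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'
        'API_KEY = "constructed-example-key-0001"\n'
        "# rotate the token every 90 days\n"
    ),
    ".env": "SESSION_SECRET='constructed-not-a-real-secret'\n",
    "src/client.js": 'const h = {Authorization: "Bearer constructed.example.value"};\n',
}

def scan(files):
    """Scan {path: text} and return findings sorted by severity, file, line."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            hits = [name for name, rx in PATTERNS.items() if rx.search(line)]
            if not hits or ENV_LOOKUP.search(line):
                continue
            # A literal value or Bearer string is a likely hardcoded credential;
            # a bare keyword (for example in a comment) only merits a manual look.
            hardcoded = bool(LITERAL.search(line)) or "bearer credential" in hits
            findings.append({
                "severity": "High" if hardcoded else "Info",
                "file": path, "line": lineno, "matched": hits,
                "reference": "CWE-798" if hardcoded else "manual review",
            })
    rank = {"High": 0, "Info": 1}
    return sorted(findings, key=lambda f: (rank[f["severity"]], f["file"], f["line"]))

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f'{f["severity"]:<5} {f["file"]}:{f["line"]} {f["matched"]} {f["reference"]}')
```

The environment lookup on the first line of `config/settings.py` is deliberately not reported, while the comment that only mentions a token is kept as Info so a reviewer can dismiss it.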