Install: claude install-skill Guilhermepelido/hermes-optimization-guide
# weekly-dep-audit — Cross-Repo Dependency Audit
Uses Gemini 2.5 Pro's 1M context to ingest entire lockfiles + advisory databases and report actionable findings.
## Procedure
1. **Resolve repos.** If `repos:` is empty, query GitHub for repos the calling user owns with the `hermes-audit` topic (via `github` MCP). Otherwise use the provided list.
2. **For each repo, pull the relevant lockfile(s):**
- `package-lock.json` / `pnpm-lock.yaml` / `yarn.lock`
- `uv.lock` / `poetry.lock` / `Pipfile.lock` / `requirements*.txt`
- `Cargo.lock`
- `go.sum`
- `Gemfile.lock`
3. **Delegate to Gemini 2.5 Pro.** Build a single `delegate_task` call:
```yaml
goal: |
  Audit the following lockfiles for security advisories at severity ${SEVERITY_FLOOR} or higher.
  Cross-reference against:
  - https://osv.dev
  - https://github.com/advisories
  - https://security.snyk.io
  For each finding, output JSON:
  { repo, ecosystem, package, current_version, vulnerable_ranges, advisory_id, severity, cvss, recommendation }
context:
  - lockfile_dump: |
      # repo1/package-lock.json
      ...
      # repo2/uv.lock
      ...
toolsets: [web]
model: gemini-2.5-pro  # 1M context
max_iterations: 30
```
4. **Collate findings.** Parse the JSON back. Dedupe by `advisory_id` across repos.
5. **Open triage issues.** For each finding at severity ≥ `severity_floor`:
- Check via `github` MCP if an issue with title `[dep-audi
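Steps 3 to 5 in code, as an added example that is not part of the skill: collating the JSON the model returns, deduping by `advisory_id` across repos (the same advisory hitting two repos becomes one record listing both), and applying the severity floor before anything is opened as an issue. The severity names, the newline-delimited reply shape and every sample record (including the GHSA-style ids) are constructed assumptions.

```python
import json

# Assumed severity scale; GHSA/OSV publish these names. Unknown values rank -1 and are dropped.
SEVERITY_RANK = {"low": 0, "moderate": 1, "medium": 1, "high": 2, "critical": 3}


def parse_findings(raw: str) -> list[dict]:
    """Parse the model reply: either one JSON array or newline-delimited JSON objects."""
    raw = raw.strip()
    if raw.startswith("["):
        return json.loads(raw)
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def collate(findings: list[dict], severity_floor: str = "high") -> list[dict]:
    """Drop findings below the floor, merge duplicates by advisory_id across repos,
    keep the highest severity/CVSS reported for an advisory, sort worst first."""
    floor = SEVERITY_RANK[severity_floor.lower()]
    merged: dict[str, dict] = {}
    for f in findings:
        sev = str(f.get("severity", "")).lower()
        if SEVERITY_RANK.get(sev, -1) < floor:
            continue
        key = f["advisory_id"]
        if key not in merged:
            rec = {k: v for k, v in f.items() if k != "repo"}
            rec["repos"] = []          # one record per advisory, all affected repos listed
            merged[key] = rec
        rec = merged[key]
        if f["repo"] not in rec["repos"]:
            rec["repos"].append(f["repo"])
        if SEVERITY_RANK[sev] > SEVERITY_RANK[rec["severity"].lower()]:
            rec["severity"] = f["severity"]
        rec["cvss"] = max(float(rec.get("cvss") or 0), float(f.get("cvss") or 0))
    return sorted(merged.values(),
                  key=lambda r: (-SEVERITY_RANK[r["severity"].lower()], -r["cvss"]))


# Constructed sample reply in the skill's output schema (ids and packages are made up).
SAMPLE_REPLY = """
{"repo": "repo1", "ecosystem": "npm", "package": "example-a", "current_version": "1.2.3", "vulnerable_ranges": "<1.2.4", "advisory_id": "GHSA-EXAMPLE-0001", "severity": "high", "cvss": 7.5, "recommendation": "upgrade to 1.2.4"}
{"repo": "repo2", "ecosystem": "npm", "package": "example-a", "current_version": "1.0.0", "vulnerable_ranges": "<1.2.4", "advisory_id": "GHSA-EXAMPLE-0001", "severity": "critical", "cvss": 9.1, "recommendation": "upgrade to 1.2.4"}
{"repo": "repo1", "ecosystem": "PyPI", "package": "example-b", "current_version": "2.0.0", "vulnerable_ranges": "<2.0.1", "advisory_id": "GHSA-EXAMPLE-0002", "severity": "moderate", "cvss": 5.3, "recommendation": "upgrade to 2.0.1"}
{"repo": "repo2", "ecosystem": "crates.io", "package": "example-c", "current_version": "0.3.0", "vulnerable_ranges": "<0.3.1", "advisory_id": "GHSA-EXAMPLE-0003", "severity": "high", "cvss": 8.1, "recommendation": "upgrade to 0.3.1"}
"""

if __name__ == "__main__":
    for rec in collate(parse_findings(SAMPLE_REPLY), "high"):
        print(rec["advisory_id"], rec["severity"], rec["cvss"], rec["repos"])
```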