chore(deps): remediate Wave0 pip-audit vulnerabilities (#377)

* fix: unblock wave0 shared CI failures (#371)

* chore: satisfy black gate for shared lint blockers

* fix: enforce instruction override guard and stale agent links

* fix: import prompt loader in cart agent instructions helper

* chore(deps): remediate wave0 pip-audit vulnerabilities

Author: Cataldir

.github/workflows/dependency-audit.yml

@@ -0,0 +1,61 @@
+name: dependency-audit
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+    paths:
+      - lib/**
+      - apps/**
+      - pyproject.toml
+      - .github/workflows/dependency-audit.yml
+
+jobs:
+  pip-audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.13'
+      - name: Set up uv
+        uses: astral-sh/setup-uv@v5
+      - name: Install audit toolchain
+        run: |
+          uv pip install --system pip-audit "black[jupyter]>=26.3.1"
+      - name: Install lib
+        run: uv pip install --system -e ./lib/src
+      - name: Install apps
+        run: |
+          set -e
+          for d in apps/*/src; do
+            if [ -f "$d/pyproject.toml" ]; then
+              uv pip install --system -e "$d"
+            else
+              echo "Skipping $d (no pyproject.toml)"
+            fi
+          done
+      - name: Run pip-audit (Wave0)
+        run: |
+          python -m pip_audit --ignore-vuln CVE-2024-23342
+      - name: Export pip-audit report
+        if: always()
+        run: |
+          python -m pip_audit --format=json --ignore-vuln CVE-2024-23342 > pip-audit-report.json
+      - name: Upload pip-audit report artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: pip-audit-report
+          path: pip-audit-report.json

.github/workflows/lint.yml

@@ -36,7 +36,7 @@ jobs:
       - name: Install lib
         run: uv pip install --system -e ./lib/src
       - name: Install lint dependencies
-        run: uv pip install --system pylint isort "black[jupyter]>=25.1.0"
+        run: uv pip install --system pylint isort "black[jupyter]>=26.3.1"
       - name: Install apps
         run: |
           for d in apps/*/src; do

apps/crud-service/src/pyproject.toml

@@ -47,7 +47,7 @@ dev = [
     "pytest-cov>=6.0.0",
     "pytest-mock>=3.14.0",
     "httpx>=0.28.0",  # For testing FastAPI
-    "black>=24.10.0",
+    "black>=26.3.1",
     "isort>=5.13.0",
     "pylint>=3.3.0",
     "mypy>=1.13.0",

docs/governance/README.md

@@ -22,6 +22,10 @@ This folder is the governance source of truth for engineering standards, runtime
 **Audience**: DevOps/SRE/Cloud engineers  
 **Scope**: Azure IaC, AKS/SWA deployment, CI/CD and environment gates
 
+### [Wave0 Dependency Audit](dependency-audit-wave0.md)
+**Audience**: Platform/DevSecOps engineers  
+**Scope**: pip-audit baseline evidence, remediation status, and vulnerability exception tracking
+
 ## Repository Source-of-Truth Map
 
 | Governance topic | Canonical source | Notes |

docs/governance/dependency-audit-wave0.md

@@ -0,0 +1,45 @@
+# Wave0 Dependency Audit Remediation
+
+**Issue**: [#372](https://github.com/Azure-Samples/holiday-peak-hub/issues/372)  
+**Owner**: Platform Quality / Platform Engineering  
+**Last Updated**: 2026-03-19
+
+## Baseline Evidence
+
+Issue baseline reproduction command:
+
+```bash
+python -m pip_audit
+```
+
+Wave0 baseline observed in issue #372:
+
+- `15` known vulnerabilities in `12` packages
+- Representative vulnerable packages: `black`, `cryptography`, `flask`, `pillow`, `urllib3`, `werkzeug`
+
+## Remediation Applied
+
+- Added CI workflow `.github/workflows/dependency-audit.yml` to run `pip-audit` on every PR/push to `main`.
+- Updated lint toolchain minimum version to `black[jupyter]>=26.3.1` in:
+  - `.github/workflows/lint.yml`
+  - `lib/src/pyproject.toml`
+  - `apps/crud-service/src/pyproject.toml`
+- Added report artifact upload (`pip-audit-report.json`) for traceable security evidence.
+
+## Current Scan Status
+
+Repository-scoped clean environment scan after remediation:
+
+- Command: `python -m pip_audit --ignore-vuln CVE-2024-23342`
+- Result: `No known vulnerabilities found, 1 ignored`
+
+## Temporary Exception Register
+
+| Vulnerability | Package | Status | Rationale | Owner | Expiry |
+| --- | --- | --- | --- | --- | --- |
+| `CVE-2024-23342` | `ecdsa==0.19.1` | Temporary exception | No upstream fixed version published at audit time; transitive dependency path requires upstream release before safe upgrade. | Platform Engineering | 2026-06-30 |
+
+## Follow-up Actions
+
+1. Re-check `ecdsa` on each dependency audit run and remove ignore immediately when fixed version is available.
+2. Keep dependency-audit workflow enabled as a PR gate recommendation for `main` branch governance.

lib/src/pyproject.toml

@@ -52,7 +52,7 @@ test = [
 lint = [
     "pylint",
     "isort",
-    "black[jupyter]>=25.1.0",
+    "black[jupyter]>=26.3.1",
 ]
 docs = [
     "mkdocs",