feat(frontend/security): add npm audit to CI and document env guidelines (#41)

* chore(ci): add npm audit job for frontend deps in security workflow

* docs(frontend/security): document VITE env and JWT storage in CONTRIBUTING

* fix(frontend): resolve high-severity npm audit (minimatch, rollup)

- npm audit fix for ReDoS in minimatch and path traversal in rollup
- Unblocks Security / NPM Audit (frontend) CI check per review

Made-with: Cursor

---------

Co-authored-by: Bruno César <bruno@sekai.cx>

.github/workflows/security.yml

@@ -72,6 +72,24 @@ jobs:
       - name: Audit ETL dependencies
         run: uvx pip-audit -r /tmp/etl-requirements.txt --strict
 
+  npm-audit:
+    name: NPM Audit (frontend)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: "npm"
+          cache-dependency-path: frontend/package-lock.json
+
+      - name: Install frontend dependencies
+        run: cd frontend && npm ci
+
+      - name: Audit frontend dependencies
+        run: cd frontend && npm audit --audit-level=high
+
   public-privacy-gate:
     name: Public Privacy Gate
     runs-on: ubuntu-latest