ci: add centralized vuln remediation workflow

[ulziibay-kernel]

Thin caller to the reusable 3-stage pipeline (triage → fix → PR) in kernel/security-workflows.

Made with Cursor

---

Note

Low Risk
Adds a scheduled/manual GitHub Actions workflow and a minimal socket.yml config; no application logic changes, with limited risk beyond CI automation behavior and PR creation permissions.

Overview
Introduces a new GitHub Actions workflow, vuln-remediation.yml, that runs weekly (and on manual dispatch) and delegates remediation to the reusable kernel/security-workflows pipeline with contents/pull-requests write permissions.

Adds a minimal socket.yml (version: 2) configuration file.

^{Reviewed by Cursor Bugbot for commit 2c9abc9. Bugbot is set up for automated code reviews on this repo. Configure here.}

[firetiger-agent]

Firetiger deploy monitoring skipped

This PR didn't match the auto-monitor filter configured on your GitHub connection:

Any PR that changes the kernel API. Monitor changes to API endpoints (packages/api/cmd/api/) and Temporal workflows (packages/api/lib/temporal) in the kernel repo

Reason: PR modifies CI/vulnerability workflow configuration, not kernel API endpoints or Temporal workflows.

To monitor this PR anyway, reply with @firetiger monitor this.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit a3a7c5a. Configure here.}