ci(security): apply follow-up atomic module fixes

Author: jamesatomc

.github/workflows/apply-followup-security.yml

@@ -0,0 +1,46 @@
+name: Apply Follow-up Security Fixes
+
+on:
+  push:
+    branches:
+      - audit/fix-critical-high
+    paths:
+      - scripts/apply_followup_security_fixes.py
+      - .github/workflows/apply-followup-security.yml
+
+permissions:
+  contents: write
+
+jobs:
+  apply:
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - name: Checkout remediation branch
+        uses: actions/checkout@v4
+        with:
+          ref: audit/fix-critical-high
+          fetch-depth: 0
+
+      - name: Apply follow-up patch
+        run: python3 scripts/apply_followup_security_fixes.py
+
+      - name: Format Rust sources
+        run: cargo fmt --all
+
+      - name: Remove one-shot remediation machinery
+        run: |
+          git rm scripts/apply_critical_high_fixes.py
+          git rm scripts/apply_followup_security_fixes.py
+          git rm .github/workflows/apply-followup-security.yml
+
+      - name: Validate patch shape
+        run: git diff --check
+
+      - name: Commit follow-up fixes
+        run: |
+          git config user.name "kanari-security-bot"
+          git config user.email "security-bot@users.noreply.github.com"
+          git add crates/kanari-core crates/kanari-types move-execution/v1/kanari-move-runtime-v1
+          git commit -m "fix(security): atomically commit published modules"
+          git push origin HEAD:audit/fix-critical-high