WA-NEW-036: Security audit — update vulnerable dependencies #702

@kitcommerce

Summary

Run bundler-audit and bundle outdated to identify gems with known CVEs or security issues. Many dependencies haven't been updated since the original Workarea 3.5 release.

Scope

  1. Run bundler-audit check and document all advisories
  2. Cross-reference with Ruby Advisory Database
  3. Categorize: critical (must fix), moderate (should fix), low (can defer)
  4. Update gems where possible without breaking compatibility
  5. Document any gems that can't be updated (explain why)

Objective

Identify and fix known security vulnerabilities in dependencies.

Client impact

Positive — reduces CVE exposure for all downstream users.

Acceptance Criteria

  • bundler-audit report generated and documented
  • Critical CVEs addressed
  • Tests pass after updates

Verification Plan

  1. bundle exec bundler-audit check before and after
  2. Run full test suite
  3. Document remaining advisories with justification
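The categorization in Scope step 3 and the "document what can't be updated" step, as an added example that is not part of this issue or of the Workarea code base: a Ruby script that reads the JSON report from `bundle exec bundler-audit check --format json` (the report layout is an assumption; the sample report, gem names and advisory ids are constructed placeholders), buckets each advisory into critical / moderate / low, and flags gems with no patched version so they go in the "explain why" list rather than the update list.

```ruby
require "json"

# Constructed sample shaped like `bundle exec bundler-audit check --format json`
# (assumed layout: "results" entries carrying "gem" and "advisory" objects).
# Gem names and advisory ids are placeholders, not real advisories.
SAMPLE_REPORT = <<~JSON
  {"results": [
    {"type": "unpatched_gem", "gem": {"name": "placeholder-gem-a", "version": "1.2.0"}, "advisory":
      {"id": "CVE-0000-00001", "criticality": "critical", "cvss_v3": 9.8, "patched_versions": [">= 1.2.5"]}},
    {"type": "unpatched_gem", "gem": {"name": "placeholder-gem-b", "version": "0.9.1"}, "advisory":
      {"id": "GHSA-xxxx-xxxx-xxxx", "criticality": null, "cvss_v3": 5.3, "patched_versions": [">= 0.9.2", "~> 0.8.7"]}},
    {"type": "unpatched_gem", "gem": {"name": "placeholder-gem-c", "version": "3.0.0"}, "advisory":
      {"id": "CVE-0000-00002", "criticality": "low", "cvss_v3": null, "patched_versions": []}}
  ]}
JSON

# Map an advisory onto the issue's buckets: the advisory database's "criticality"
# wins; otherwise fall back to the CVSS v3 score, and treat an advisory with
# neither as critical so it is reviewed by hand rather than silently deferred.
def classify(advisory)
  case advisory["criticality"]
  when "critical", "high" then return :critical
  when "medium"           then return :moderate
  when "low", "none"      then return :low
  end
  score = advisory["cvss_v3"]
  return :critical if score.nil? || score >= 7.0
  score >= 4.0 ? :moderate : :low
end

# Parse the report into { bucket => [finding] }. A finding with no patched
# version is flagged so it lands in the "can't be updated, explain why" list.
def triage(report_json)
  buckets = { critical: [], moderate: [], low: [] }
  JSON.parse(report_json)["results"].each do |r|
    next unless r["type"] == "unpatched_gem" # insecure_source entries are out of scope here
    adv = r["advisory"]
    patched = adv.fetch("patched_versions", [])
    buckets[classify(adv)] << { gem: r["gem"]["name"], version: r["gem"]["version"],
                                id: adv["id"], patched: patched, fixable: !patched.empty? }
  end
  buckets
end

# One line per finding for the audit write-up the acceptance criteria ask for.
def summary_lines(buckets)
  buckets.flat_map do |bucket, fs|
    fs.map { |f| "#{bucket.to_s.upcase}: #{f[:gem]} #{f[:version]} (#{f[:id]}) -> " +
                 (f[:fixable] ? "update to #{f[:patched].join(' or ')}" : "no patched version, document why") }
  end
end
```

Run it against a real report by replacing SAMPLE_REPORT with `File.read` of the saved JSON; the summary lines are meant to be pasted into the before/after audit notes.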
