
12-Minute Vulnerability Resolution

GitHub flags CVEs during a normal session. Sentinel + Shipyard go from detection to committed fix in 12 minutes, zero context switches.


Scenario: GitHub flags vulnerabilities on push during a normal feature session
Stack: Plugin monorepo with transitive npm dependencies
Plugin features: Sentinel (/sentinel:audit-deps) + Shipyard (/shipyard:deps-check)


The Problem

You push a feature commit. GitHub responds with "4 vulnerabilities found (2 high, 2 moderate)." Now you have a choice:

  1. Context switch: Stop what you're doing, open a new terminal, run npm audit, research CVEs, figure out fix paths, test, push again
  2. File a ticket: "Someone should look at this later" (they won't)
  3. Ignore it: Hope it's not exploitable (it might be)

All three options break flow. Option 1 costs 30-60 minutes of context switching. Options 2 and 3 are security risks.


What Happened

Timeline

02:02 AM  Pushed feature + README commits
          GitHub: "4 vulnerabilities found (2 high, 2 moderate)"

02:03 AM  User: "Run them" (meaning the audit skills)

02:03 AM  Two audit agents launched IN PARALLEL:
          → /sentinel:audit-deps (CVE-focused, CVSS scoring)
          → /shipyard:deps-check (safe upgrade paths, version analysis)

02:05 AM  Both agents report back:
          Sentinel: 2 unique CVEs in path-to-regexp@8.3.0
            CVE-2026-4926 (CVSS 7.5) — DoS via sequential optional groups
            CVE-2026-4923 (CVSS 5.9) — ReDoS via multiple wildcards
          Shipyard: Same dependency, transitive via @modelcontextprotocol/sdk → express → router
            Safe upgrade: path-to-regexp@8.4.0 (no breaking changes)

02:06 AM  Claude: patches both affected package directories
          Runs pnpm update in composure/app and composure/graph

02:08 AM  Verification: pnpm audit shows 0 vulnerabilities

02:10 AM  Commit: "fix: patch path-to-regexp ReDoS vulnerabilities"

02:14 AM  Push: GitHub confirms 0 vulnerabilities

Total time: 12 minutes, same session, no context switch.


Why This Matters

Without the plugins

Step                   Tool       Time     Context cost
Read GitHub alert      Browser    2 min    Manual
Run npm audit          Terminal   1 min    Context switch
Research CVE details   Browser    10 min   Another context switch
Find fix path          npm docs   5 min    Manual research
Apply fix              Terminal   3 min    Back to terminal
Verify                 Terminal   2 min    Run audit again
Commit + push          Terminal   2 min    Back to git

Total: ~25 minutes across 4 different tools with 3 context switches.

With the plugins

Step                     Tool                      Time
User says "run them"     Same session              0s
Parallel audit           Sentinel + Shipyard       ~2 min
Fix applied              Claude patches directly   ~2 min
Verify + commit + push   Same session              ~4 min

Total: ~12 minutes, one session, zero context switches.


How It Works

Sentinel: Security-First Audit

  • Matches CVE IDs to actual CVSS scores
  • Identifies the transitive dependency chain (which direct dependency brings the vulnerability)
  • Grades exploitability risk, not just "vulnerability exists"

Shipyard: Safe Upgrade Paths

  • Finds the minimum safe version that resolves the CVE
  • Checks for breaking changes between current and safe version
  • Reports the exact pnpm update command to run

Parallel Execution

Both agents run simultaneously. Different perspectives on the same problem:

  • Sentinel answers: "How bad is this?"
  • Shipyard answers: "How do I fix it safely?"

Combined, they give a complete picture in one pass.
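As an added illustration of those two questions (this is example code, not Sentinel's or Shipyard's own implementation), the script below answers both over a constructed dependency graph and a constructed advisory list: it walks the graph to recover the transitive chain that pulls in path-to-regexp, bands the CVSS scores into severities, and checks whether the patched version is a semver-compatible upgrade. The graph, the installed version and the advisory records are assumptions built from the values quoted on this page.

```javascript
// Added example, not Sentinel or Shipyard code: walk a constructed dependency
// graph to find the transitive chain that pulls in a vulnerable package, then
// check whether the patched version is a semver-compatible (non-breaking) bump.
// Constructed graph (package -> direct deps) mirroring the chain on the page.
const GRAPH = {
  "composure/app": ["@modelcontextprotocol/sdk"],
  "@modelcontextprotocol/sdk": ["express"],
  express: ["router"],
  router: ["path-to-regexp"],
  "path-to-regexp": [],
};
const INSTALLED = { "path-to-regexp": "8.3.0" };
// Constructed advisory records using the IDs and CVSS scores quoted above.
const ADVISORIES = [
  { id: "CVE-2026-4926", pkg: "path-to-regexp", cvss: 7.5, patched: "8.4.0" },
  { id: "CVE-2026-4923", pkg: "path-to-regexp", cvss: 5.9, patched: "8.4.0" },
];

// Depth-first search for root -> ... -> target; `seen` guards against cycles.
function findChain(graph, from, target, seen = new Set()) {
  if (from === target) return [from];
  if (seen.has(from)) return null;
  seen.add(from);
  for (const dep of graph[from] || []) {
    const rest = findChain(graph, dep, target, seen);
    if (rest) return [from, ...rest];
  }
  return null;
}

// Semver rule: a bump within the same non-zero major carries no breaking change.
function isNonBreaking(current, patched) {
  const major = (v) => Number(v.split(".")[0]);
  return major(current) === major(patched) && major(current) > 0;
}

// CVSS v3 base-score bands, labelled the way GitHub alerts label them.
function severity(cvss) {
  return cvss >= 9 ? "critical" : cvss >= 7 ? "high" : cvss >= 4 ? "moderate" : "low";
}

// One record per advisory: how bad it is, where it comes from, how to fix it.
function triage(root) {
  return ADVISORIES.map((a) => ({
    id: a.id,
    severity: severity(a.cvss),
    chain: findChain(GRAPH, root, a.pkg),
    upgrade: `${INSTALLED[a.pkg]} -> ${a.patched}`,
    breaking: !isNonBreaking(INSTALLED[a.pkg], a.patched),
  }));
}
console.log(JSON.stringify(triage("composure/app"), null, 2));
```

A real run would read the graph from the lockfile and the advisories from the audit feed; the merging logic stays the same.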


The Broader Pattern

This isn't just about vulnerabilities. It's about keeping security in the development flow instead of making it a separate activity:

  • Push triggers an alert → audit runs in the same session
  • Audit identifies the fix → Claude applies it immediately
  • Fix is verified → committed in the same context

No tickets. No "I'll get to it later." No separate security review cycle. The vulnerability exists for 12 minutes instead of 12 days.


Docs: composure-pro.com

Composure v1.2.71 + Sentinel v1.0.0 + Shipyard v1.0.0 · Claude Opus 4.6
