[FEATURE] Wire --redact-paths through inventory --scan-all JSON export

[hello-args]

Summary

Apply --redact-paths to mcts inventory --scan-all written JSON (inventory-scan-all.json), not only the default inventory path.

Problem

Validated after #87 / PR #279 implementation (2026-06-17):

• Default mcts inventory -o inventory.json --redact-paths redacts entries[].config_path and skills[].skill_path correctly.
• mcts inventory --scan-all --redact-paths is currently a complete no-op on the written file — the flag is accepted but ignored on the scan-all code path.
• write_inventory_scan_all() in src/mcts/inventory/scan_all.py always writes raw entry.model_dump() and _row() config_path values with no redaction hook.
• Both top-level entries[] and scan_results[] retain full absolute paths (e.g. /Users/.../mcp.json).
• Nested scan_results[].report payloads may contain additional paths (deeper redaction is optional follow-up within this issue or a sub-task).

SECURITY.md states nested scan reports are not redacted but does not make clear that entries in scan-all export are also unredacted when --redact-paths is passed.

Expected Behavior

When --redact-paths is set with inventory --scan-all:

1. Thread redact_paths from cli/main.py → write_inventory_scan_all() (and/or redact before _row()).
2. Redact config_path in entries[] and scan_results[] using redact_home() / redact_entry_dict().
3. Document limits for deeply nested paths inside scan_results[].report (full deep redaction optional; minimum is row-level paths).
4. Alternative (if deep redaction deferred): emit exit 2 or a clear warning when --redact-paths is combined with --scan-all until wiring is complete.

Evidence

• src/mcts/cli/main.py — scan-all branch calls write_inventory_scan_all() without redact_paths
• src/mcts/inventory/scan_all.py — write_inventory_scan_all, _row()
• Repro:

  mcts inventory --config-path ~/.cursor/mcp.json --scan-all --redact-paths -o out.json
  # entries[].config_path and scan_results[].config_path still absolute

Impact

Users on shared machines may export full home paths despite passing --redact-paths with --scan-all.

References

• [SECURITY] mcts inventory reads local MCP configs without consent gate #87 — closed via default inventory privacy controls
• PR feat(inventory): add privacy controls for config discovery (#87) #279
• Follow-up from validation in local/issue-87-pr-279-validation.md

Acceptance Criteria

• --redact-paths threads through scan-all CLI → write_inventory_scan_all
• entries[].config_path redacted in scan-all JSON when flag set
• scan_results[].config_path redacted when flag set
• Docs (SECURITY.md, docs/scanning/inventory.md) state scan-all redaction scope accurately
• Tests: inventory --scan-all --redact-paths -o asserts ~/ prefixes, no full home path leak
• (Optional) Nested report path redaction or documented out-of-scope

[hello-args]

Validated 2026-06-17: --redact-paths + --scan-all leaves both entries[] and scan_results[] with full absolute paths in written JSON. Issue body updated with repro and expanded AC.