feat(security): fail-closed npm-audit gate (no critical/high vulns ships)

[bdelanghe]

Summary

Adds a fail-closed dependency-vulnerability gate. scripts/check-vulns.mjs re-runs npm audit over the committed package-lock.json, counts critical + high advisories, and fails CI unless that count is 0 and matches the committed evidence.vulns.knownCriticalOrHighVulns (drift guard) — same discipline as the axe / SBOM gates. Wired as a named step in the brand-checks conformance job. Scanned: 0 critical / 0 high.

Honest scope (important)

This does not yet flip the lone security.no-critical-vulns conformance row. The site's vendored conformance-kit (rev bf20952) still folds the vuln count into a combined e.security object shared with OWASP ASVS — supplying the vuln count alone would force a false ASVS verdict, which the honesty model forbids. lone's source has split vulns/asvs, but the vendored kit hasn't adopted it.

→ The committed evidence.vulns is the gate's drift baseline today; the conformance row flips with no new evidence once conformance-kit adopts the split and the site re-vendors. Tracked: prx-0ip7 (unblock), prx-2efn (this).

Why ship the gate now anyway

It's independently valuable and honest: the build now refuses to ship with known critical/high vulns, and it pre-positions the evidence for the row flip.

Test plan

• node scripts/check-vulns.mjs → ok — 0 known critical/high vulns (verified in the nix devshell).
• Drift/posture paths fail closed (exit 1) by construction.
• Draft until CI is green.

🤖 Generated with Claude Code

[bdelanghe]

Superseded by the re-vendor (#102, merged): conformance-kit e8838ed ships gates/vuln-gate.mjs (productized npm-audit gate, exact shape lone's split vulns schema consumes) — now vendored in the site. The follow-up will wire that upstream gate + add evidence.vulns to flip security.no-critical-vulns, replacing this hand-rolled scripts/check-vulns.mjs. Tracked under prx-tnqu / prx-2efn.