chore(ci): decouple the supply-chain audit from unrelated PRs

[olivrg]

Description

Keep full-tree coverage (dev + build + transitive — npm supply-chain campaigns target those, not just prod), change only the enforcement:

• ci.yml: on a pull_request the audit runs ONLY when the PR changes a dependency manifest or install input — package.json / pnpm-lock.yaml / pnpm-workspace.yaml / .npmrc / .pnpmfile.* / patches/** — detected via inline git diff (no new action dependency). Otherwise it emits a notice and the check stays green. Fails CLOSED: unknown event, missing base SHA, diff error, or grep error all run the full audit. push-to-main still audits unconditionally.
• security-audit.yml: new daily (+ manual) full-tree audit as the standing-tree backstop; opens/updates a tracking issue on failure so it's actionable.
• release.yml already audits the full tree before publishing (unchanged) — the ship-time guarantee.
• CONTRIBUTING.md: documents the posture, the triage-by-type rule (a malicious / install-RCE / token-exfil advisory is an incident regardless of dev-vs-prod; benign dev-tool vulns get a time-boxed ignore + tracking issue), the register of current dev-only ignores, and the branch-protection this control depends on.

Safety invariant: with --frozen-lockfile, leaving every dependency manifest / install input unchanged means an unchanged installed tree, so a skipped PR audit can introduce nothing unaudited; the standing tree stays covered by main, release, the daily audit, and Dependabot. No pull_request_target; base SHA is passed via env, not interpolated into the script.

Implements the convention/decoupling from #75 (enable Dependabot security updates

• branch protection separately, as repo settings). chore(deps): upgrade vite so esbuild ≥0.28.1, then drop the GHSA-gv7w-rqvm-qjhr audit ignore #64 stays open: the esbuild/vite ignores remain until vite is upgraded.

Type of Change

• Bug fix (non-breaking change that fixes an issue)
• New feature (non-breaking change that adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Refactor (no functional changes)
• Documentation
• CI / build / tooling

Packages Affected

• packages/proxy
• packages/dashboard
• packages/python-sdk
• Root config / monorepo tooling
• docs/
• examples/

Checklist

• I have read CONTRIBUTING.md
• My code follows the existing style (ESLint + Prettier pass)
• TypeScript strict mode — no any types or @ts-ignore without justification
• I have added or updated tests for my changes
• All CI checks pass (pnpm secrets:scan, pnpm docs:check:ci, pnpm audit --audit-level=high, pnpm build, pnpm lint, pnpm format:check, pnpm typecheck, pnpm test)
• I have updated documentation if this changes user-facing behavior
• Commit messages follow Conventional Commits (e.g. feat:, fix:, docs:)

How to Test

1. This PR changes no dependency manifest, so its own CI audit step skips with a notice (expected — demonstrates the decoupling).
2. workflow_dispatch the new Security Audit workflow → full-tree audit runs green.
3. A PR that touches pnpm-lock.yaml runs the full audit (unchanged behavior).
   Part of chore(ci): enable Dependabot security updates so advisories stop breaking unrelated PRs' audit gate #75 (Dependabot security updates + branch protection are separate repo settings). chore(deps): upgrade vite so esbuild ≥0.28.1, then drop the GHSA-gv7w-rqvm-qjhr audit ignore #64 unaffected (esbuild/vite ignores stay until vite is upgraded).
4. Squash-merge (single commit — subject already conventional, just append (#NN)), delete branch, then git
   checkout main && git pull && git branch -d chore/decouple-audit-gate.

Additional Context