fix(ci): audit only production deps in the deploy gate (--omit=dev) (#18)

The security-audit gate ran 'npm audit --audit-level=high' over all deps,
so newly-published advisories on build-only tooling (esbuild, elliptic via
vite-plugin-node-polyfills, etc.) repeatedly blocked production deploys
even though that code ships to no user. Scope the gate to production
dependencies with --omit=dev. Verified: 'npm audit --audit-level=high
--omit=dev' → 0 vulnerabilities. TruffleHog secret scanning is unchanged.

.github/workflows/quality-gate.yml

@@ -628,11 +628,14 @@ jobs:
         with:
           node-version: '20'
 
-      - name: Web — npm audit (high + critical)
+      - name: Web — npm audit (high + critical, production deps only)
         working-directory: ./web
         run: |
           npm install
-          npm audit --audit-level=high
+          # Audit only production dependencies. Build tooling (vite, esbuild,
+          # vite-plugin-node-polyfills → elliptic, etc.) ships to no user, and
+          # advisories on those dev deps kept blocking production deploys.
+          npm audit --audit-level=high --omit=dev
 
       - name: TruffleHog — PR diff (verified secrets only)
         if: github.event_name == 'pull_request'