ci: split security audit into blocking prod and informational full scans (#857)

Author: yeojz

.github/workflows/ci.yml

@@ -278,8 +278,23 @@ jobs:
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 
-      - name: Run security audit
-        run: pnpm audit --audit-level=moderate
+      - name: Audit production dependencies (blocking)
+        run: pnpm audit --prod --audit-level=moderate
+
+      - name: Audit all dependencies (informational)
+        continue-on-error: true
+        run: |
+          if ! pnpm audit --audit-level=moderate > audit.txt 2>&1; then
+            {
+              echo "## Security Audit — full dependency tree (informational)"
+              echo ""
+              echo "⚠️ Advisories found in dev/transitive dependencies (non-blocking):"
+              echo '```'
+              cat audit.txt
+              echo '```'
+            } >> "$GITHUB_STEP_SUMMARY"
+            echo "::warning::Informational audit found advisories in the full dependency tree — see the job summary."
+          fi
 
   reporting:
     name: Reporting (Coverage and Bundle Analysis)