
Commit 5f22283

stack72 and claude authored
fix: align deno.json audit task with CI invocation (#1142)
## Summary

The `deno run audit` task in `deno.json` has been silently broken since PR #484: it lacks `--allow-env=GITHUB_STEP_SUMMARY` and `--allow-write`, but `scripts/audit_deps.ts:245` calls `Deno.env.get("GITHUB_STEP_SUMMARY")` and `writeGitHubSummary()` later writes that file. The task crashes with `NotCapable` after every successful scan, returning a non-zero exit code locally. CI never noticed because `.github/workflows/ci.yml:96` invoked `scripts/audit_deps.ts` directly with the correct flags, bypassing the task entirely.

This PR:

- **Adds `--allow-env=GITHUB_STEP_SUMMARY` and `--allow-write` to the `audit` task** in `deno.json` so it matches CI's flag set byte-for-byte. The script's `writeGitHubSummary` early-returns when `GITHUB_STEP_SUMMARY` is unset, so the local dev experience is unchanged — the grant only matters in CI where the var is set.
- **Drops `&& deno outdated` from the task.** CI's vuln-scan invocation never included it, and CI runs `deno outdated` as its own failure-tolerant step (`ci.yml:98-106`) with `|| true` warning semantics that would be lost if folded into the task's `&&` chain. That separate CI step is left intact. In practice no developer ever saw `deno outdated` run via `deno run audit` because the task always crashed first.
- **Routes CI's "Scan for known vulnerabilities" step through `deno task audit`** so the `deno.json` task is the single source of truth. This eliminates the silent drift that hid this bug for ~30 PRs and matches the existing `deno task check`/`deno task test`/`deno task compile` pattern used elsewhere in `ci.yml`.

## Notes

- Not a regression. Git history (`scripts/audit_deps.ts`, `deno.json:15`) shows the task body has been unchanged since `017139c4` (PR #484), introduced together with the script that requires the env access. The task never worked locally; the bug was masked by CI bypassing it.
- The unbounded `--allow-write` grant on the local task is a deliberate trade-off for CI parity. Locally, `GITHUB_STEP_SUMMARY` is never set, so `writeGitHubSummary()` returns at `audit_deps.ts:246` before any write — the grant covers an unreachable code path.
- Resolves swamp-club lab issue #27.

## Test plan

- [x] `deno run audit` from the repo root — exits 0, "No known vulnerabilities found"
- [x] `deno fmt --check` — clean
- [x] `deno check` — clean (1117 files)
- [x] `deno lint` — clean (1011 files)
- [ ] CI deps-audit job passes (validates step 2 — `deno task audit` produces the same output as the previous inline command, since they're byte-for-byte the same command line)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 8cf2552 commit 5f22283
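The drift this commit fixes (a `deno.json` task and a CI `run:` line that are supposed to be the same `deno run` command but quietly diverge in their `--allow-*` grants) is easy to catch mechanically. The TypeScript below is an added example, not code from this repository: `parseDenoRun`, `compareInvocations`, `hasDrift` and `unscopedGrants` are names chosen here, and the sample command lines are copied from the diff on this page. It assumes the simple `deno run <flags> <script> [&& cmd ...]` shape seen in that diff, with option values written as `--flag=value`. The last function also lists permission flags granted without a scope, which is the `--allow-write` trade-off the commit message discusses.

```typescript
// Added example (not from the repository): parse `deno run` command lines and
// report permission-flag drift between a CI step and a deno.json task.
// Assumes `deno run <flags> <script> [&& cmd ...]` with `--flag=value` options.

export interface DenoRunInvocation {
  flags: Map<string, string | null>; // "--allow-net" -> "api.osv.dev", "--allow-write" -> null
  script: string;
  chained: string[]; // commands joined with `&&` after the deno run invocation
}

export function parseDenoRun(cmd: string): DenoRunInvocation {
  const [first, ...chained] = cmd.split("&&").map((part) => part.trim());
  const tokens = first.split(/\s+/);
  if (tokens[0] !== "deno" || tokens[1] !== "run") {
    throw new Error(`not a 'deno run' command: ${first}`);
  }
  const flags = new Map<string, string | null>();
  let script = "";
  for (const tok of tokens.slice(2)) {
    if (script === "" && tok.startsWith("-")) {
      const eq = tok.indexOf("=");
      if (eq === -1) flags.set(tok, null);
      else flags.set(tok.slice(0, eq), tok.slice(eq + 1));
    } else if (script === "") {
      script = tok; // first non-flag token is the script; later tokens are script args
    }
  }
  return { flags, script, chained };
}

function render(name: string, value: string | null): string {
  return value === null ? name : `${name}=${value}`;
}

export interface Drift {
  missingInTask: string[]; // granted by CI, absent from the task
  extraInTask: string[]; // granted by the task, absent from CI
  valueMismatch: string[]; // same flag, different scope value
  scriptMismatch: boolean;
  chainedInTask: string[]; // trailing `&& ...` commands only the task runs
}

export function compareInvocations(ciCmd: string, taskCmd: string): Drift {
  const ci = parseDenoRun(ciCmd);
  const task = parseDenoRun(taskCmd);
  const drift: Drift = {
    missingInTask: [],
    extraInTask: [],
    valueMismatch: [],
    scriptMismatch: ci.script !== task.script,
    chainedInTask: task.chained,
  };
  for (const [name, value] of ci.flags) {
    if (!task.flags.has(name)) {
      drift.missingInTask.push(render(name, value));
    } else if (task.flags.get(name) !== value) {
      drift.valueMismatch.push(`${render(name, value)} vs ${render(name, task.flags.get(name)!)}`);
    }
  }
  for (const [name, value] of task.flags) {
    if (!ci.flags.has(name)) drift.extraInTask.push(render(name, value));
  }
  return drift;
}

export function hasDrift(d: Drift): boolean {
  return d.missingInTask.length > 0 || d.extraInTask.length > 0 ||
    d.valueMismatch.length > 0 || d.scriptMismatch || d.chainedInTask.length > 0;
}

// Permission grants with no scope (`--allow-write` rather than `--allow-write=<path>`),
// plus `-A`/`--allow-all`. These are the grants worth a second look in review.
export function unscopedGrants(inv: DenoRunInvocation): string[] {
  const out: string[] = [];
  for (const [name, value] of inv.flags) {
    if (name === "-A" || name === "--allow-all") out.push(name);
    else if (name.startsWith("--allow-") && value === null) out.push(name);
  }
  return out;
}

// Constructed samples: the command lines as they appear in this commit's diff.
export const CI_STEP =
  "deno run --allow-read --allow-net=api.osv.dev --allow-env=GITHUB_STEP_SUMMARY --allow-write scripts/audit_deps.ts";
export const TASK_BEFORE =
  "deno run --allow-read --allow-net=api.osv.dev scripts/audit_deps.ts && deno outdated";
export const TASK_AFTER = CI_STEP; // the fix makes the task identical to the CI line

console.log(compareInvocations(CI_STEP, TASK_BEFORE)); // missing --allow-env / --allow-write, chained "deno outdated"
console.log(unscopedGrants(parseDenoRun(TASK_AFTER))); // --allow-read, --allow-write remain unscoped
```

Run against the pre-fix pair, `compareInvocations` reports exactly the two missing grants and the extra `deno outdated` chain that the commit message describes; against the post-fix pair it reports nothing. Wiring a check like this into CI (reading the task string out of `deno.json` and the `run:` line out of the workflow) turns "byte-for-byte the same" from a claim in a PR description into something that fails the build when it stops being true.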

2 files changed

Lines changed: 2 additions & 2 deletions


.github/workflows/ci.yml

Lines changed: 1 addition & 1 deletion
@@ -93,7 +93,7 @@ jobs:
9393
deno-version: v2.x
9494

9595
- name: Scan for known vulnerabilities
96-
run: deno run --allow-read --allow-net=api.osv.dev --allow-env=GITHUB_STEP_SUMMARY --allow-write scripts/audit_deps.ts
96+
run: deno task audit
9797

9898
- name: Check for outdated dependencies
9999
run: |
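Review bot: with the step now reading `run: deno task audit`, the permission set CI runs under is whatever `deno.json` says, so a later edit to that task (widening `--allow-write`, dropping the `api.osv.dev` scope on `--allow-net`) changes CI's grants without any diff in `ci.yml`; add a short comment on the `- name: Scan for known vulnerabilities` step, or next to the task, stating that the task's `--allow-*` flags are the reviewed permission set for this job. The visible lines do confirm the swap is flag-for-flag equivalent (the removed `run:` line and the new task body are the same command line) and the following `Check for outdated dependencies` step is untouched, so `deno outdated` still runs in CI under its own exit-code handling.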

deno.json

Lines changed: 1 addition & 1 deletion
@@ -12,7 +12,7 @@
1212
"fmt": "deno fmt",
1313
"compile": "deno run -A scripts/compile.ts",
1414
"license-headers": "deno run --allow-read --allow-write scripts/add_license_headers.ts",
15-
"audit": "deno run --allow-read --allow-net=api.osv.dev scripts/audit_deps.ts && deno outdated",
15+
"audit": "deno run --allow-read --allow-net=api.osv.dev --allow-env=GITHUB_STEP_SUMMARY --allow-write scripts/audit_deps.ts",
1616
"audit-actions": "deno run --allow-read --allow-net=api.github.com --allow-env=GITHUB_STEP_SUMMARY,GITHUB_TOKEN --allow-write scripts/audit_actions.ts",
1717
"review-skills": "deno run --allow-read --allow-run --allow-env=GITHUB_STEP_SUMMARY --allow-write scripts/review_skills.ts",
1818
"eval-skill-triggers": "deno run --allow-read --allow-run --allow-env --allow-write scripts/eval_skill_triggers_promptfoo.ts"
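Review bot: `--allow-write` on the new line 15 is unscoped, so the audit task may write anywhere the user can, while the only write the description names is the file pointed to by `GITHUB_STEP_SUMMARY`; Deno accepts a path list (`--allow-write=<path>`), and the commit message already records the unscoped form as a deliberate trade-off, so at minimum put that rationale in a comment beside the task rather than only in the PR text. The same pattern is present on the unchanged lines 16-18 (`audit-actions`, `review-skills`, and `eval-skill-triggers`, the last with an unscoped `--allow-env` as well), so if the scoping is revisited it should be done for all four tasks together. Dropping `&& deno outdated` also removes the only local entry point for that check; a separate `"outdated": "deno outdated"` task would keep it available without re-entangling its exit code with the vulnerability scan.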

0 commit comments
