
ci: clearer check labels and dependency vulnerability scanners#1218

Open
MoonBoi9001 wants to merge 3 commits into main from mb9/workflow-refactor

Conversation

@MoonBoi9001 (Member)

TL;DR

Rewrites the CI workflow surface so every check label says what it actually runs. Splits the catch-all lint job into prettier, eslint, typecheck. Adds two dependency vulnerability scanners and fixes a latent bug where the CLI Docker image was being published from every PR build.

Motivation

The PR check list today reads "Check Formatting / check" and "CI / build (20, ubuntu-22.04)". The first hides three tools — prettier, eslint, tsc — behind one green or red dot, so a reviewer cannot tell which one flagged the violation. The second is named "CI" but actually runs the jest test suite, which confuses contributors who expect "CI" to mean something more generic. Nothing automatically scans yarn.lock for known vulnerable dependencies today, and the CLI image workflow publishes to GHCR from every PR build via a hard-coded push flag. The label cleanup is a natural moment to close both gaps.

Summary

  • Renames check-formatting.yml to lint.yml; splits into prettier, eslint, typecheck jobs.
  • Renames ci.yml to tests.yml; matrix job displays as tests / node 20 and tests / node 22.
  • Merges the image workflows into docker-build.yml with agent and cli jobs.
  • Replaces the CLI workflow's hard-coded push: true with the agent's PR-exclusion conditional.
  • Adds audit.yml running yarn audit --level high so high or critical CVE findings block merge.
  • Adds osv-scanner.yml running OSV against yarn.lock for a second vulnerability database.
  • Extends codeql-analysis.yml to PRs targeting main-dips, bumps its action versions.
  • Bumps actions/checkout and actions/setup-node to v4 across rewritten workflows; adds yarn caching.
  • Unifies install style: every workflow uses yarn install --frozen-lockfile.

After merge the PR check list reads audit / yarn-audit, codeql / analyze, docker build / agent (amd64|arm64), docker build / cli, lint / eslint|prettier|typecheck, osv-scanner / scan, tests / node 20|22.

Generated with Claude Code

Workflow names and job IDs now describe what each check actually runs.
Lint splits into prettier, eslint, typecheck so failures point at the
specific tool. CodeQL extends to PRs targeting main-dips. CLI image
no longer pushes from PR builds.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
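For readers who want to see what the description's "hard-coded push: true" versus "PR-exclusion conditional" and the "yarn audit --level high" gate look like as workflow YAML, here is an added example. It is not the PR's own workflow files and not this project's code; the workflow and job names, the image tag, the `permissions` blocks and the exact conditional expression are assumptions chosen to illustrate the pattern.

```yaml
# Added example, not the PR's docker-build.yml / audit.yml.
# Assumed: job names, image name, permissions, and the conditional.
name: docker build

on:
  push:
    branches: [main]
  pull_request:

# Least privilege: only the package scope needs write, and only for pushes.
permissions:
  contents: read
  packages: write

jobs:
  cli:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3

      # Guard the registry login with the same expression as the push,
      # so PR builds never authenticate to GHCR at all.
      - uses: docker/login-action@v3
        if: github.event_name != 'pull_request'
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - uses: docker/build-push-action@v6
        with:
          context: .
          # Latent bug described in the PR:   push: true
          # (publishes the image from every PR build).
          # Fixed form: build on every event, publish only on non-PR events.
          push: ${{ github.event_name != 'pull_request' }}
          tags: ghcr.io/${{ github.repository }}/cli:${{ github.sha }}

---
# Added example of the dependency audit job described in the PR.
name: audit

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read

jobs:
  yarn-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: yarn            # caches the yarn cache keyed on yarn.lock
      - run: yarn install --frozen-lockfile   # refuse to mutate yarn.lock in CI
      # Fails the job when advisories at or above the requested level exist,
      # which is what makes the check a merge blocker.
      - run: yarn audit --level high
```

Two practical checks before relying on a setup like this: confirm that the `if:` on the login step and the `push:` expression use the same condition (otherwise a PR build can authenticate without pushing, or attempt a push without credentials), and confirm that the audit job is listed as a required status check in the branch protection rule, since a failing job only blocks merge when the branch requires it.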
@github-project-automation github-project-automation Bot moved this to 🗃️ Inbox in Indexer May 15, 2026
MoonBoi9001 and others added 2 commits May 15, 2026 23:25
Quote $GITHUB_ENV to silence SC2086, and add a disable directive plus
a short explanation for the two intentional unquoted substitutions in
the manifest creation (both rely on word-splitting to expand into
multiple shell args).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The previous reference resolved nothing: the runnable action lives in
the osv-scanner-action subdir of the repo (not actions/osv-scanner),
and the project publishes patch tags only — no moving @v2 tag exists.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@MoonBoi9001 MoonBoi9001 requested a review from tmigone May 15, 2026 16:01
