chore: drop npm-audit job until #21 lands frontend

.github/branch-protection/develop.json

@@ -13,7 +13,6 @@
       "Lint PR title (conventional commits)",
       "Secret scan (gitleaks)",
       "Python deps (pip-audit)",
-      "Frontend deps (npm audit)",
       "Container image scan (trivy)"
     ]
   },

.github/branch-protection/main.json

@@ -13,7 +13,6 @@
       "Lint PR title (conventional commits)",
       "Secret scan (gitleaks)",
       "Python deps (pip-audit)",
-      "Frontend deps (npm audit)",
       "Container image scan (trivy)"
     ]
   },

.github/workflows/security.yml

@@ -67,22 +67,7 @@ jobs:
             --vulnerability-service osv \
             $IGNORES
 
-  npm-audit:
-    name: Frontend deps (npm audit)
-    runs-on: ubuntu-latest
-    # Skips cleanly until #21 lands frontend/package.json.
-    if: hashFiles('frontend/package-lock.json') != ''
-    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6
-        with:
-          node-version: "24"
-          cache: npm
-          cache-dependency-path: frontend/package-lock.json
-      - run: cd frontend && npm ci
-      # --audit-level=high — fail only on high/critical; moderate/low noted
-      # but not blocking.
-      - run: cd frontend && npm audit --audit-level=high
+  # Frontend deps (npm audit) — added by ticket #21 alongside frontend/.
 
   trivy-image:
     name: Container image scan (trivy)