Add Socket supply-chain scanning; tune dependency audit noise#787

Merged
theoephraim merged 1 commit into main from socket-supply-chain-scanning on Jun 16, 2026

Conversation

@theoephraim

Member

Replaces blunt, noisy dependency auditing with Socket as the primary supply-chain gate, and demotes `bun audit` to a low-noise backstop.

What changed

Socket (socket.dev)

  • `socket.yml` — tunes the Socket GitHub App so PR scans are actually readable: only scan PRs that change a manifest/lockfile, drop the auto-generated overview/report comments, keep high-signal alerts (malware, install scripts, network/env access, typosquat, non-registry sources, obfuscation, critical CVE) and mute reputational noise (new author, telemetry, minified, native code, deprecated).
  • `nightly-socket-scan.yaml` — nightly `socket ci` over `main` (time-axis: catches advisories newly disclosed against deps already shipped). Read-only.
  • `weekly-socket-fix.yaml` — weekly `socket fix` that opens remediation PRs. No `--autopilot` — never auto-merges; a human reviews the dep diff before it lands.

bun audit

  • PR gate (`audit:changed`) dropped from `moderate` → `critical`. Socket is the real gate now; bun audit is a free, local, critical-only floor that won't block PRs on transitive dev-tooling noise.
  • Removed the nightly bun audit — redundant with `socket ci` on the known-CVE axis. The `audit:full` script stays for on-demand local use.

Setup required

  • `SOCKET_SECURITY_API_KEY` secret (for the CLI workflows; the App needs no key).

Notes

  • `socket fix` PRs open with the built-in `GITHUB_TOKEN`, so they won't auto-trigger CI — swap for a PAT/App token if CI-on-bot-PRs is wanted.
  • Worth confirming `socket fix` handles `bun.lock` cleanly on first manual run.
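As an added illustration (not the PR's own `socket.yml`, which is not shown on this page), here is what a `socket.yml` implementing the alert tuning described above could look like. The top-level layout (`version`, `githubApp`, `issueRules`) follows Socket's documented schema as I know it; the individual alert-type names under `issueRules` are my assumptions about Socket's alert catalogue and should be checked against the current docs before use. The "only scan PRs that touch a manifest/lockfile" scoping from the bullet is not represented because I am not certain of its key.

```yaml
# Added example of a socket.yml tuned the way the PR description outlines.
# Assumption: key names follow Socket's documented socket.yml schema and
# alert catalogue as recalled here; verify each against current Socket docs.
version: 2

githubApp:
  enabled: true
  # Keep the inline PR alerts; drop the auto-generated dependency overview
  # and project report comments the PR description treats as noise.
  pullRequestAlertsEnabled: true
  dependencyOverviewEnabled: false
  projectReportsEnabled: false

issueRules:
  # High-signal alerts stay on: each one is a behaviour or provenance change
  # a reviewer should see before the dependency lands.
  malware: true
  installScripts: true
  networkAccess: true
  envVars: true
  didYouMean: true          # lookalike of a popular package name (typosquat)
  gitDependency: true       # dependency pulled from git instead of the registry
  httpDependency: true      # dependency pulled from a URL instead of the registry
  obfuscatedFile: true
  criticalCVE: true
  # Reputational / low-signal alerts muted so they do not fire on every PR.
  newAuthor: false
  telemetry: false
  minifiedFile: false
  hasNativeCode: false
  deprecated: false
```

The file lives at the repository root. Every muted rule is a deliberate trade: a muted alert type never appears on a PR, so anything muted here should be something the team is content to not see at review time, with the nightly `socket ci` run and the human review of `socket fix` PRs as the remaining backstops.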

- Add nightly socket ci scan and weekly socket fix (remediation PRs, no auto-merge)
- Add socket.yml to tune alert noise: scope PR scans to dep changes, mute low-signal reputational alerts, keep malware/install-script/network/env signals
- Drop bun audit PR gate from moderate to critical-only; Socket is the primary gate
- Remove nightly bun audit (redundant with socket ci on the known-CVE axis)
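The `nightly-socket-scan.yaml` bullet above describes a read-only nightly `socket ci` run over `main`. The workflow below is an added example of that shape, not the PR's own file. It assumes the Socket CLI is runnable via `npx socket` and reads `SOCKET_SECURITY_API_KEY` (the secret the PR says the CLI workflows need) from the environment; the cron schedule and Node version are constructed values, and whether `socket ci` exits non-zero on blocking alerts is something to confirm in the CLI docs.

```yaml
# Added example (not the PR's nightly-socket-scan.yaml) of a read-only nightly
# Socket scan of main. Assumptions: the `socket` CLI is available through npx
# and takes its API key from SOCKET_SECURITY_API_KEY; schedule is constructed.
name: nightly-socket-scan

on:
  schedule:
    - cron: "0 3 * * *"     # 03:00 UTC daily (constructed schedule)
  workflow_dispatch:         # allow a manual run when debugging the job

permissions:
  contents: read             # read-only: this job never writes to the repo

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: main          # always scan what is shipped, not the caller's ref

      - uses: actions/setup-node@v4
        with:
          node-version: 20   # constructed value; match your toolchain

      # If `socket ci` fails the job on blocking alerts (to be confirmed), a red
      # nightly run means a dependency already on main picked up a new alert or
      # advisory since it was merged: the "time-axis" case the PR calls out.
      - name: Socket scan of main
        run: npx --yes socket ci
        env:
          SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }}
```

The `permissions: contents: read` block is what makes the job read-only in practice: the scan can fail the run and surface findings, but the token it receives cannot push, open PRs or touch settings, which keeps the nightly scan separate from the weekly `socket fix` job that is allowed to open remediation PRs.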
@theoephraim force-pushed the socket-supply-chain-scanning branch from d30579e to 95e57e0 on June 16, 2026 00:46
@theoephraim theoephraim merged commit 257f2a7 into main Jun 16, 2026
23 checks passed
