Keep PR audit informational without leaving the check red

The CI workflow already described production dependency audit as an
informational PR signal, but the job still surfaced as a failing check.
That left release PRs in an unstable state even after the real merge-gate
jobs were green. This keeps PR audits visible as warnings while still
letting main-branch pushes fail if production dependency audit actually
returns a non-zero exit.

Constraint: Preserve production audit visibility while avoiding false-red PR status
Rejected: Remove audit from CI entirely | loses vulnerability visibility
Confidence: high
Scope-risk: narrow
Reversibility: clean
Directive: Keep audit informational on pull requests unless branch protection is intentionally tightened later
Tested: YAML parse via ruby; git diff --check
Not-tested: Full GitHub Actions rerun pending after push
cita-777
2026-04-17 23:36:51 +08:00
parent 4aa888e581
commit 57db7fd107
+9 -2
@@ -319,7 +319,6 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 10
# Keep PR audit informational so build/test/schema remain the merge gate.
continue-on-error: true
steps:
- name: Checkout
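Review bot: Dropping `continue-on-error: true` at the job level changes more than the audit step's status: any other step in this job (Checkout, `npm ci`) that fails on a pull request will now turn the check red, where previously the whole job was informational. That is probably the intended trade-off, since the informational handling is being moved into the audit step itself, but the removed comment "Keep PR audit informational so build/test/schema remain the merge gate." documented the job's role; consider keeping an equivalent comment next to the audit step so the next reader understands why the job no longer has `continue-on-error` yet still reports only a warning on PRs.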
@@ -335,7 +334,15 @@ jobs:
run: npm ci --prefer-offline --no-audit --no-fund
- name: Audit production dependencies
run: npm audit --omit=dev --audit-level=high
run: |
set +e
npm audit --omit=dev --audit-level=high
status=$?
if [ "$status" -ne 0 ] && [ "${{ github.event_name }}" = "pull_request" ]; then
echo "::warning::npm audit reported production dependency vulnerabilities; PR audit stays informational."
exit 0
fi
exit "$status"
publish-docker-arch:
name: Publish Docker Image (${{ matrix.arch }})
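Review bot: The `${{ github.event_name }}` expression is interpolated into the shell script text; `github.event_name` is a fixed value set by GitHub so it is not attacker-controlled here, but the same pattern with a user-controlled context would be a script-injection hole, and `"$GITHUB_EVENT_NAME"` gives the same result from the environment without template interpolation, so prefer that form (`if [ "$status" -ne 0 ] && [ "$GITHUB_EVENT_NAME" = "pull_request" ]; then`). Separately, `npm audit` exits non-zero for reasons other than findings (registry or network errors, for example), so the warning text "npm audit reported production dependency vulnerabilities" can be misleading on a PR; consider wording it as "npm audit exited with status $status" or inspecting the output before claiming vulnerabilities. The `set +e` is required because the default `run:` shell is invoked with `-e`, so the `status=$?` capture would never execute otherwise; that part is correct.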