ci: require npm audit signature checks

Require npm registry signature verification wherever workflow npm audit checks run.

- add npm audit signatures to CI Security Scan and maintenance security audit jobs
- teach the workflow security validator to reject npm audit without signature verification
- keep the repair and Copilot prompt tests portable across Windows path/case and CRLF frontmatter behavior

Validation:
- node tests/run-all.js (2376 passed, 0 failed)
- CI current-head matrix green on #1846

.github/workflows/ci.yml

@@ -243,7 +243,9 @@ jobs:
           node-version: '20.x'
 
       - name: Run npm audit
-        run: npm audit --audit-level=high
+        run: |
+          npm audit signatures
+          npm audit --audit-level=high
         continue-on-error: true  # Allows PR to proceed, but marks job as failed if vulnerabilities found
 
   lint:

.github/workflows/maintenance.yml

@@ -34,6 +34,7 @@ jobs:
         run: |
           if [ -f package-lock.json ]; then
             npm ci --ignore-scripts
+            npm audit signatures
             npm audit --audit-level=high
           else
             echo "No package-lock.json found; skipping npm audit"