fix(ci): split runtime and dev dependency audits (#313)

.github/workflows/ci.yml

@@ -41,8 +41,13 @@ jobs:
       - name: Enforce coverage policy
         run: uv run python ./scripts/check_coverage.py
 
-      - name: Run dependency vulnerability audit
-        run: uv run pip-audit
+      - name: Export runtime requirements for vulnerability audit
+        run: >
+          uv export --format requirements.txt --no-dev --locked --no-emit-project
+          --output-file /tmp/runtime-requirements.txt >/dev/null
+
+      - name: Run runtime dependency vulnerability audit
+        run: uv run pip-audit --requirement /tmp/runtime-requirements.txt
 
       - name: Clean previous build artifacts
         run: rm -rf build dist

.github/workflows/publish.yml

@@ -35,8 +35,13 @@ jobs:
       - name: Run regression baseline
         run: bash ./scripts/doctor.sh
 
-      - name: Run dependency vulnerability audit
-        run: uv run pip-audit
+      - name: Export runtime requirements for vulnerability audit
+        run: >
+          uv export --format requirements.txt --no-dev --locked --no-emit-project
+          --output-file /tmp/runtime-requirements.txt >/dev/null
+
+      - name: Run runtime dependency vulnerability audit
+        run: uv run pip-audit --requirement /tmp/runtime-requirements.txt
 
       - name: Clean previous build artifacts
         run: rm -rf build dist

scripts/README.md

@@ -13,7 +13,7 @@ remaining repository-maintenance helpers.
 ## Other Scripts
 
 - [`doctor.sh`](./doctor.sh): primary local development regression entrypoint (uv sync + lint + tests + coverage)
-- [`dependency_health.sh`](./dependency_health.sh): dependency review entrypoint (`sync`/`pip check` + outdated + audit)
+- [`dependency_health.sh`](./dependency_health.sh): development dependency review entrypoint (`sync`/`pip check` + outdated + dev audit), while blocking CI/publish audits focus on runtime dependencies
 - [`check_coverage.py`](./check_coverage.py): enforces the overall coverage floor and per-file minimums for critical modules
 - [`lint.sh`](./lint.sh): lint helper
 - [`smoke_test_built_cli.sh`](./smoke_test_built_cli.sh): built-artifact smoke test for the released CLI runtime; defaults to the only local wheel, supports explicit wheel/sdist paths, and rejects ambiguous local artifact selection

scripts/dependency_health.sh

@@ -9,5 +9,11 @@ run_shared_repo_health_prerequisites "dependency-health"
 echo "[dependency-health] list outdated packages"
 uv pip list --outdated
 
-echo "[dependency-health] run vulnerability audit"
-uv run pip-audit
+dev_requirements="$(mktemp)"
+trap 'rm -f "${dev_requirements}"' EXIT
+
+echo "[dependency-health] export dev extra requirements"
+uv export --format requirements.txt --extra dev --no-dev --locked --no-emit-project --output-file "${dev_requirements}" >/dev/null
+
+echo "[dependency-health] run dev dependency vulnerability audit"
+uv run pip-audit --requirement "${dev_requirements}"