CI: Node 20 + pnpm test; isolate legacy template from workspace

[snissn]

Implements the final roadmap item (CI + security hardening) by adding GitHub Actions CI and reducing the dependency surface area that CI installs/tests.

What changed

• Adds a GitHub Actions workflow that runs on Node 20 and executes pnpm test on pushes to master and on PRs.
• Removes the legacy tokenhost-web-template from the pnpm workspace so it no longer participates in workspace installs/lockfile resolution and is not pulled into CI.
• Regenerates pnpm-lock.yaml accordingly (removes the legacy template importer + transitive graph).

Why

• CI should validate the spec-aligned toolchain (packages/* + apps/*), not the deprecated legacy template pipeline.
• This isolates the largest source of dependency churn/vulnerability noise while we continue migrating away from the legacy template.

How to test

• Locally: pnpm install then pnpm test
• On GitHub: CI job should run automatically for this PR

Notes

• The legacy template remains in-repo for now, but is intentionally excluded from pnpm workspace installs/CI.
• If we decide to fully retire it, we can archive/move it (or split it to a separate repo) in a follow-up PR to eliminate Dependabot/security alert noise from that legacy dependency tree.

[snissn]

Verdict: APPROVE WITH MINOR REVISIONS

CI is a must-have; this workflow is straightforward and aligned with Node 20 + pnpm. Excluding the legacy template from the workspace is also the right call to keep CI focused on the spec-aligned toolchain.

What I verified locally

• pnpm test passes after the workspace change.

Good

• Adds .github/workflows/ci.yml (Node 20, pnpm, cache, pnpm test).
• Excludes tokenhost-web-template from pnpm workspace installs so CI doesn’t pull in that deprecated dependency tree.

Minor revisions / follow-ups (non-blocking)

1. This won’t reduce GitHub security alerts by itself because tokenhost-web-template/package.json still exists.

   • Options: move legacy template to an archived repo, delete it once retired, or add Dependabot config to ignore that directory.

2. Consider adding pnpm -r --filter @tokenhost/* typecheck in CI.

3. Consider adding a non-gating security visibility job (e.g., pnpm audit with continue-on-error) so we track vuln drift without blocking merges.

[snissn]

Follow-up: minor revision items addressed.

• CI now runs pnpm typecheck in addition to pnpm test.
• Added a non-blocking pnpm audit --audit-level high step for vuln visibility without gating merges.
• Added .github/dependabot.yml focused on the spec-aligned pnpm workspace (intentionally excludes the legacy tokenhost-web-template/).

[snissn]

Verdict: APPROVE WITH MINOR REVISIONS

Re-reviewing with the latest commits on this branch: CI is now meaningfully stronger and aligns with the spec-aligned workspace.

What changed since my last review

• CI now runs pnpm typecheck as well as pnpm test.
• Added a non-blocking pnpm audit --audit-level high step for vuln visibility without gating merges.
• Added .github/dependabot.yml focused on the pnpm workspace.

What I checked

• Local pnpm install --frozen-lockfile and pnpm test pass.

Minor follow-ups (non-blocking)

• GitHub security alerts will still include the deprecated tokenhost-web-template/ as long as its package.json remains in-repo. If we want to reduce the alert count, we’ll need to either:
  • move/retire that directory (archive repo / split it out), or
  • proactively update its dependencies.