build(deps): use the published @posthog/warlock npm package (#182)

Switch @posthog/warlock from the git dependency
(git+https://github.com/PostHog/warlock.git) to the published registry
release (^0.2.2): https://www.npmjs.com/package/@posthog/warlock

Why now: the CI workflows install pnpm `version: latest`, which just
became pnpm v11. v11 blocks install/build scripts for git-hosted
dependencies unless they're allow-listed in a specific git-spec format.
The warlock is pulled from git and runs a build step on install, so
v11's gate broke `pnpm install` repo-wide. The published tarball ships
pre-built (main: dist/index.js) with no install script, so installing
from the registry runs no build step and v11 has nothing to gate.

Also drops the now-unnecessary warlock build-script approvals from
pnpm-workspace.yaml (onlyBuiltDependencies + allowBuilds). esbuild stays.

Verified locally (pnpm v10): lockfile resolves 0.2.2 from the registry
with no git refs; the package imports { scan, triageMatches, CATEGORIES };
the WASM scanner runs and returns { matched, matches: [{rule, metadata,
matchedStrings}] }, matching what scripts/scan-warlock.js consumes; and
npm test passes (58/58). CI's `scan-warlock.js dist/skills` step is the
end-to-end check.

Generated-By: PostHog Code
Task-Id: 95407a79-1f13-4f1d-a37b-43fe4a62b857

Author: sarahxsanders

package.json

@@ -25,7 +25,7 @@
   },
   "dependencies": {
     "@anthropic-ai/sdk": "^0.95.0",
-    "@posthog/warlock": "git+https://github.com/PostHog/warlock.git",
+    "@posthog/warlock": "^0.2.2",
     "gray-matter": "^4.0.3",
     "js-yaml": "^4.1.1"
   },

pnpm-lock.yaml

@@ -1,6 +1,4 @@
 onlyBuiltDependencies:
-  - "@posthog/warlock"
   - esbuild
 allowBuilds:
-  "@posthog/warlock": true
   esbuild: true