Commit 18d41ba
chore(ci): remove LLM summary generation from vulnerability triage (#1334)
* chore(ci): remove LLM summary generation from vulnerability triage
Replace the Claude analysis step in the vulnerability-triage workflow with
deterministic jq/curl scripting. Findings are now built directly from the
normalized Trivy, Dependabot, and CodeQL scan files (dedup by pre-computed
id, CodeQL grouped by rule, templated titles/descriptions), and existing
Linear issues are matched via GraphQL. No LLM is used anywhere.
Drops the ANTHROPIC_API_KEY secret from the reusable workflow (no callers
pass it).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* fix(ci): dedupe vulnerability findings by id within each scanner
Trivy can report the same CVE multiple times (across lockfiles/targets or
when a CVE affects several packages). The previous build mapped over every
Trivy entry, so duplicate ids produced duplicate findings and therefore
duplicate Linear issues. Group Trivy and Dependabot by id so each unique id
yields exactly one finding, collecting all affected packages into it.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* fix(ci): match existing Linear issues so triage stops creating duplicates
The Linear search bound the team UUID as a `String!` GraphQL variable into
`team.id.eq`, which expects `ID`. That variable-type mismatch made every
search return null data, so no finding ever matched an existing issue and the
job re-filed every CVE on each run. Drop the team filter (repo-prefix title
scoping is the authoritative filter anyway) and warn when a search errors.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* ci: run vulnerability triage on every push to main
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

1 parent 108c847
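The grouping step the two fix commits describe (one finding per id within each scanner, CodeQL grouped by rule, repo-prefixed titles), as an added example written in Python rather than the workflow's jq. This is example code, not the repository's own; the finding field names `scanner`, `id`, `package`, `rule`, `location` and the title format are assumptions.

```python
from collections import OrderedDict

# Constructed sample: Trivy reports one CVE twice (two lockfiles), Dependabot
# reports the same CVE once more, and CodeQL reports one rule at two locations.
# The CVE ids are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    {"scanner": "trivy", "id": "CVE-EXAMPLE-0001", "package": "libfoo@1.0 (package-lock.json)"},
    {"scanner": "trivy", "id": "CVE-EXAMPLE-0001", "package": "libfoo@1.0 (yarn.lock)"},
    {"scanner": "trivy", "id": "CVE-EXAMPLE-0002", "package": "libbar@2.3"},
    {"scanner": "dependabot", "id": "CVE-EXAMPLE-0001", "package": "libfoo"},
    {"scanner": "codeql", "rule": "js/sql-injection", "location": "src/db.js:10"},
    {"scanner": "codeql", "rule": "js/sql-injection", "location": "src/api.js:42"},
]


def build_findings(raw, repo):
    """Collapse normalized scan entries into one finding per (scanner, id),
    or per rule for CodeQL, collecting every affected package/location.

    Grouping is keyed per scanner, so the same CVE seen by Trivy and by
    Dependabot still yields two findings (one per scanner), while the
    repeated Trivy entries collapse into a single finding."""
    grouped = OrderedDict()  # preserves scan order for stable issue titles
    for entry in raw:
        if entry["scanner"] == "codeql":
            key = ("codeql", entry["rule"])
            item = entry["location"]
        else:
            key = (entry["scanner"], entry["id"])
            item = entry["package"]
        scanner, ident = key
        # Repo prefix in the title is what the workflow later uses to scope
        # its search for an already-filed Linear issue (assumed format).
        finding = grouped.setdefault(key, {
            "title": f"[{repo}] {scanner}: {ident}",
            "scanner": scanner,
            "id": ident,
            "affected": [],
        })
        if item not in finding["affected"]:  # keep the affected list itself deduped
            finding["affected"].append(item)
    return list(grouped.values())


if __name__ == "__main__":
    for f in build_findings(SAMPLE_FINDINGS, "example-repo"):
        print(f["title"], "->", ", ".join(f["affected"]))
```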
1 file changed
Lines changed: 196 additions & 110 deletions