ci: Charter check failing at 'Install dependencies' — blocks PRs #22 + #27

[stackbilt-admin]

Problem

Charter governance check on the CI workflow fails at the Install dependencies step on every open non-draft PR. Subsequent steps (Validate Commits, Drift Scan, ADF Wiring, ADF Evidence) are all skipped as a result.

Verified on two independent PRs (13 days apart, different content):

• PR [auto] Bump hono to 4.12.12 and vite to 8.0.5 in aegis-oss (8 dependabot alerts) #22 (2026-04-10 — dependabot hono + vite, 8 security alerts): https://github.com/Stackbilt-dev/aegis-oss/actions/runs/24234768801
• PR fix(health,argus): restore cost_health + drop stripe test-mode events #27 (2026-04-11 — cost_health fix): https://github.com/Stackbilt-dev/aegis-oss/actions/runs/24284584788

Both fail at the same step:

```
Set up job success
Run actions/checkout@v6 success
Run actions/setup-node@v6 success
Install dependencies FAILURE ← root cause
Validate Commits skipped
Drift Scan skipped
ADF Wiring & Pointer Integrity skipped
ADF Evidence skipped
Audit Report FAILURE ← downstream
```

Impact

• PR [auto] Bump hono to 4.12.12 and vite to 8.0.5 in aegis-oss (8 dependabot alerts) #22 is 13 days stale with 8 dependabot security advisories (hono 4.x + vite) — supply-chain exposure window continues to widen
• PR fix(health,argus): restore cost_health + drop stripe test-mode events #27 (cost_health regression fix for cost_health field regression: missing from /health endpoint response #26) cannot land clean
• CI is effectively not gating anything — every PR red on Charter, merges blocked or require explicit red-merge rationale

Likely causes (to investigate)

1. npm registry transient / lockfile version mismatch after recent setup-node v4→v6 bump (merged 2026-04-06, chore(ci): bump actions/checkout from 4 to 6 #12)
2. Peer-dep change introduced by one of the dependabot-pinned packages
3. Charter workflow-yaml pinning a Node version that no longer resolves a transitive dep

Fix path

• Re-run Charter on PR fix(health,argus): restore cost_health + drop stripe test-mode events #27 first (smaller diff — easier to isolate install failure)
• If it reproduces, pull the raw log for `Install dependencies` — the actions log API redacted it here
• If it's a lockfile issue: regenerate `package-lock.json` on main, open a trivial PR, confirm Charter goes green, then rebase [auto] Bump hono to 4.12.12 and vite to 8.0.5 in aegis-oss (8 dependabot alerts) #22 + fix(health,argus): restore cost_health + drop stripe test-mode events #27

Unblock plan

Once root cause identified: merge fix → rebase PR #22 (dependabot) → rebase PR #27 (cost_health). Do NOT red-merge either without fixing CI first (per `feedback_no_red_merge.md`).

Why now

Security debt on PR #22 is the forcing function. 8 open advisories × 13 days stale × no path to green CI = systemic hole, not a triage queue.