[Chore] CSO remediations: pin CI actions, drop unused blendavit npm dep

[Dr-kersho]

Driver

Follow-up from /gstack-cso daily audit (2026-06-06).

Scope

1. Pin third-party and first-party GitHub Actions to immutable commit SHAs in .github/workflows/.
2. Remove unused animejs npm dependency from blendavit static site (not loaded in shipped HTML).

Acceptance criteria

• All workflow uses: references use full SHAs with version comments
• projects/smartmomlabs/website/package.json removed (zero runtime npm deps)
• node_modules/ gitignored under blendavit website

[atlas-apex]

Hi @Dr-kersho — thanks for using apexyard! 👋

Heads-up: this one (along with #556, #558, and PR #552) looks like it's meant for your own project, not the apexyard framework itself — the acceptance criteria here are about your storefront, and PR #552's diff touches the entire framework tree. Both are classic signs that your fork's tracker is still pointed at this upstream repo instead of your own project, which happens on older apexyard versions (before per-project GitHub-Issues routing + leak-protection landed).

So I'm closing these here — but here's how to fix it going forward so your tickets land in the right place and nothing gets lost:

A — Upgrade in place (try this first)
Run /update in your fork. It syncs you to the latest (v3.0.0), which routes /feature, /bug, and /task tickets to your project's repo — not here — and adds leak-protection.

B — Re-fork (if your fork has diverged too far)
PR #552 touching the whole framework tree suggests a stale base. If /update conflicts heavily, re-fork fresh from me2resh/apexyard.

Keeping your data across an upgrade or re-fork
Your work is separable from the framework. The cleanest setup is split-portfolio mode — run /split-portfolio, which moves your registry, project docs, onboarding, and workspaces into a separate private repo. After that the framework fork is disposable: re-fork or upgrade any time and your data never moves. Manual fallback if you'd rather not split: copy apexyard.projects.yaml, onboarding.yaml, projects/, and any handbooks/ or custom skills out of the old fork, re-fork, then drop them back in.

If any of these is actually a framework bug or feature request (not project-specific), please re-open with that framing and I'll be glad to look. 🙏

(Full guide: docs/multi-project.md → "split-portfolio".)