ci: fix uv sync flag and bandit install so CI actually runs

[abhicris]

Problem

Every CI run on main since v0.1.0 has failed — but not because of real code issues. Two workflow bugs are short-circuiting the jobs before any check actually executes.

1. Lint / Type Check / Test jobs — uv sync --dev is a no-op

The workflow runs:

- name: Install dependencies
  run: uv sync --dev

But pyproject.toml declares dev tooling under [project.optional-dependencies]:

[project.optional-dependencies]
dev = [
    "pytest>=8.0",
    "pytest-asyncio>=0.23",
    "pytest-cov>=4.1",
    "ruff>=0.1",
    "mypy>=1.8",
]

In modern uv, --dev targets [dependency-groups]. With [project.optional-dependencies] you need --extra dev. Result: ruff, pytest, and mypy never land in the venv, and every lint run dies with:

error: Failed to spawn: `ruff`
  Caused by: No such file or directory (os error 2)
Process completed with exit code 2.

(See run 24428772293 — and every CI run before it.)

The sibling workflow .github/workflows/docs.yml already uses the correct pattern: uv sync --extra docs. This PR brings ci.yml in line.

2. Security Scan job — no venv exists when uv pip install runs

- name: Install bandit
  run: uv pip install bandit
- name: Run bandit security check
  run: uv run bandit -r src/polybot/ -ll -x tests/ -f json -o bandit-report.json

Fails with:

error: No virtual environment found; run `uv venv` to create an environment, or pass `--system` to install into a non-virtual environment
Process completed with exit code 2.

The fix is to drop the two-step install+run and use uvx, which is purpose-built for one-shot tool invocations and doesn't need a project venv.

Fix

• ci.yml: uv sync --dev → uv sync --extra dev in the lint, type-check, and test jobs.
• ci.yml security job: replace uv pip install bandit + uv run bandit ... with a single uvx --from bandit bandit ... step.

Diff is 11 lines, one file.

Verification

Locally, against this branch:

$ uv sync --extra dev
 + ruff==0.14.10
 + pytest-asyncio==1.3.0
 + pytest-cov==7.0.0
 + mypy==1.18.2
 ...

$ uv run ruff --version
ruff 0.14.10      # was: error: Failed to spawn: `ruff`

$ uvx --from bandit bandit -r src/polybot/ -ll -x tests/ -f json -o /tmp/bandit-report.json
[json] INFO JSON output written to file: /tmp/bandit-report.json
# exit 0, 41KB report

Note for maintainers

Once CI actually runs, ruff check will surface real findings (the repo has ~1700 lint errors and 66 files flagged by ruff format --check). That's pre-existing — outside the scope of this PR. This PR just removes the infra failures that have been masking them. Consider it a precondition for any lint-cleanup PR that follows.

— kcolbchain / Abhishek Krishna