
chore(ci): also ignore disputed PyJWT CVE-2025-45768 in ci.yml

  security.yml had this ignore added in 9d440beb but ci.yml runs its
  own pip-audit step with a separate ignore list. CI was still failing
  on main + dev. Reasoning identical to the security.yml comment —
  disputed by PyJWT maintainers, no fix exists, Bambuddy uses
  secrets.token_urlsafe(64) and rejects short secrets.
maziggy 1 week ago
parent
commit 93118b9c3e
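The mitigation the commit message relies on, as an added example that is not Bambuddy's code: a minimal HS256 signer built on the standard library's hmac module (standing in for PyJWT), the policy the message describes (auto-generated secrets from secrets.token_urlsafe(64), file-loaded secrets shorter than 32 characters rejected), and the offline key recovery from a single captured token that a short secret permits, which is the weakness the disputed advisory is about. The function names, the secret-file handling and the 4-digit sample secret are assumptions made for illustration.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import itertools
import json
import secrets
from pathlib import Path

# Thresholds taken from the commit message: auto-generated secrets come from
# secrets.token_urlsafe(64); file-loaded secrets under 32 characters are rejected.
MIN_SECRET_CHARS = 32
GENERATED_SECRET_BYTES = 64   # 64 random bytes = 512 bits, ~86 URL-safe chars once encoded


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def hs256_sign(payload: dict, secret: str) -> str:
    """Minimal HS256 JWT signer (illustrative stand-in for PyJWT)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    tag = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(tag)}"


def hs256_verify(token: str, secret: str) -> bool:
    """Recompute the HMAC tag and compare it in constant time."""
    try:
        header, body, tag = token.split(".")
    except ValueError:
        return False
    signing_input = f"{header}.{body}".encode("ascii")
    expected = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(_b64url(expected), tag)


def brute_force_secret(token: str, alphabet: str, max_len: int) -> str | None:
    """Offline key recovery from one captured token: the attack a weak HS256
    secret enables. No further contact with the server is needed."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guess = "".join(combo)
            if hs256_verify(token, guess):
                return guess
    return None


def secret_is_acceptable(secret: str) -> bool:
    """Length policy for file-loaded secrets, as the commit message describes it."""
    return isinstance(secret, str) and len(secret) >= MIN_SECRET_CHARS


def generate_secret() -> str:
    """64 random bytes, base64url-encoded to about 86 characters."""
    return secrets.token_urlsafe(GENERATED_SECRET_BYTES)


def load_or_create_secret(path: Path) -> str:
    """Use the operator-provided secret if it is long enough, else generate one.
    The file name and layout are assumptions for this example, not Bambuddy's."""
    if path.exists():
        loaded = path.read_text(encoding="utf-8").strip()
        if not secret_is_acceptable(loaded):
            raise ValueError(
                f"JWT secret in {path} is {len(loaded)} chars; at least {MIN_SECRET_CHARS} required"
            )
        return loaded
    generated = generate_secret()
    path.write_text(generated, encoding="utf-8")
    return generated


if __name__ == "__main__":
    # Constructed sample: a 4-digit secret falls to an 11,110-guess offline search.
    token = hs256_sign({"sub": "admin"}, "7391")
    print("recovered weak secret:", brute_force_secret(token, "0123456789", 4))
    # A generated secret is 86 characters from 512 bits of randomness.
    strong = generate_secret()
    print("generated secret length:", len(strong), "acceptable:", secret_is_acceptable(strong))
    print("'changeme' acceptable:", secret_is_acceptable("changeme"))
```

The brute force is what the advisory's "key length is chosen by the application" remark boils down to: HS256 itself is fine, but a token signed under a guessable secret hands the attacker the key, after which they mint arbitrary tokens. The length check only matters if it runs on every path that supplies a secret; an auto-generated one never needs it, a file-loaded one always does.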
1 file changed, 9 additions and 1 deletion
  1. .github/workflows/ci.yml (+9, -1)

+ 9 - 1
.github/workflows/ci.yml

@@ -73,7 +73,15 @@ jobs:
         run: |
           # CVE-2026-4539: low-severity ReDoS in Pygments AdlLexer (indirect dep via mkdocs-material/pytest/rich).
           # No fix available yet. Remove --ignore-vuln once Pygments releases a patched version.
-          pip-audit --desc on --ignore-vuln CVE-2026-4539
+          #
+          # CVE-2025-45768 (PYSEC-2025-183 / GHSA-65pc-fj4g-8rjx): disputed by PyJWT maintainers.
+          # Advisory says "key length is chosen by the application that uses the library" — no
+          # PyJWT fix exists or will exist. Bambuddy is safe: backend/app/core/auth.py:184 uses
+          # secrets.token_urlsafe(64) (~86 chars of entropy) for auto-generated secrets and
+          # rejects file-loaded secrets shorter than 32 chars at :177. Keep ignored permanently.
+          pip-audit --desc on \
+            --ignore-vuln CVE-2026-4539 \
+            --ignore-vuln CVE-2025-45768
 
 
   backend-tests:
     name: Backend Tests
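Review bot: the added comment's "secrets.token_urlsafe(64) (~86 chars of entropy)" mixes up encoded length with entropy; token_urlsafe(64) draws 64 random bytes (512 bits of entropy) and encodes them as about 86 URL-safe characters, so it should read along the lines of "64 random bytes, 512 bits of entropy, ~86 chars encoded". The same comment pins the justification to backend/app/core/auth.py:184 and :177; line numbers in a workflow comment go stale on the next edit to auth.py, so name the function or setting instead. The "rejects file-loaded secrets shorter than 32 chars" check is also worth a second look when the ignore is reviewed: RFC 7518 requires an HS256 key of at least 256 bits, and 32 characters of operator-supplied text (hex, base64 or a passphrase) carry well under that, so a byte-length or decoded-length check would match the advisory's concern better than a character count. Finally, this is the second workflow to grow the same --ignore-vuln list (the message notes security.yml got it in 9d440beb), and the list here is marked "Keep ignored permanently"; moving the pip-audit invocation into one step or script that both workflows call would stop the two lists from drifting again.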