fix(cli): align fail-on defaults

[nvphungdev]

What

Align audit --fail-on with analyze --fail-on so both commands require an explicit threshold before returning exit code 1 for findings.

Why

Fixes #22

How

Changed the audit command default from high to unset, added a regression test that runs audit without --fail-on, and updated the README flag table to document the opt-in default.

Testing

• golangci-lint run passes in Docker via golangci/golangci-lint:latest
• go test ./... passes in Docker via golang:1.24
• go test -race ./... passes in Docker via golang:1.24
• go vet ./... passes in Docker via golang:1.24
• Tested locally with: docker run --rm -v "$PWD":/src -w /src golang:1.24 go test -race ./...

Checklist

• PR title follows Conventional Commits (feat(scope): subject)
• All commits are DCO-signed
• No unrelated changes pulled in
• Documentation updated where user-visible behavior changed
• No LLM calls or telemetry introduced
• No proprietary backend imports

[github-actions]

First PR — welcome aboard!

A few things to expect:

1. CI: every PR runs build + race tests + lint on Ubuntu and macOS. If something fails, the log will tell you exactly which gate.
2. DCO: every commit needs Signed-off-by:. git commit -s adds it automatically.
3. Conventional Commits: PR titles like feat(analyze): new rule or fix(cli): handle X. We squash-merge by default.
4. Review: a maintainer will review within 72 hours. Suggestions are conversations, not orders — push back if something doesn't fit your context.

If you get stuck, reply here or jump to Discussions. We want this PR to land.