
Scope pentests by repo on Console V2; deprecate projectId #12

Open

jorgeraad wants to merge 2 commits into pensarai:main from jorgeraad:fix/v2-repo-scoping

Conversation

@jorgeraad jorgeraad commented Jun 17, 2026


Fixes #11.

Problem

Console V2 folded the projects concept into workspaces. /ci/dispatch now scopes a scan by workspace (from the API key) plus an optional repository (repoId = GITHUB_REPOSITORY_ID, resolved to externalRepoId); projectId is accepted but ignored.

dispatchScan let the now-ignored projectId shadow repoId:

...(params.projectId ? { projectId: params.projectId } : { repoId: params.repoId }),

Every documented setup sets PENSAR_PROJECT_ID, so projectId was truthy and the auto-detected repoId was dropped — producing an unscoped, workspace-wide scan. Workspaces with more than one repo got scanned (and billed) in full; repo-scoping was unreachable from the CLI.

Changes

  • src/lib/ci.ts — always send repoId when present; send projectId only as a no-op fallback for older Console deployments. Drop the projectId || repoId requirement (an API key alone resolves to a workspace → workspace-wide scan). Prefer the repo in the dispatch log line.
  • Docs/help — reframe identifiers around workspace (API key) + repository; mark --project / PENSAR_PROJECT_ID deprecated. Updated README.md, examples/README.md, src/bin/index.ts help text, and bumped the CLI version string 1.2.0 → 2.4.0 to match package.json.
  • examples/** — drop PENSAR_PROJECT_ID. GitHub Actions auto-detects the repo; GitLab has no GitHub repo id, so its jobs run workspace-wide (documented; pass --repo-id to scope).
  • Test — add a framework-free assert check (npm test) that stubs fetch and verifies dispatchScan sends repoId even when projectId is set, and that an identifier-less call no longer throws. Guards the exact regression this PR fixes.

Verification

  • npm test passes; tsc build clean.
  • Server contract confirmed against packages/functions/src/ci/dispatch.ts + status.ts and their tests in Console (.strict() schema explicitly allow-lists projectId/repoId/repositoryId/workspaceId).

GitLab repo-scoping (mapping CI_PROJECT_ID → repository) is out of scope here.
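The shadowing bug described in the PR, the corrected request shape, and the framework-free fetch-stub check, as an added example that is not the CLI's own code from src/lib/ci.ts: the names DispatchParams, DispatchBody, buildBodyBuggy, buildBodyFixed, dispatchScan, makeRecordingFetch and scopeOf, the endpoint URL, and the sample identifier values are assumed or constructed for illustration. It also shows the pre-fix projectId || repoId requirement beside the fixed behaviour, so the identifier-less case is covered by the same check.

```typescript
// Added example (not the pensar CLI's code). Names and values are assumed.

interface DispatchParams {
  apiKey: string;
  projectId?: string; // deprecated: accepted but ignored by Console V2
  repoId?: string;    // e.g. GITHUB_REPOSITORY_ID, resolved server-side to externalRepoId
  branch?: string;
}

type DispatchBody = Record<string, unknown>;

// Pre-fix shape: a truthy projectId replaces repoId entirely, and a call with
// neither identifier is rejected client-side.
export function buildBodyBuggy(params: DispatchParams): DispatchBody {
  if (!params.projectId && !params.repoId) {
    throw new Error("projectId or repoId is required");
  }
  return {
    branch: params.branch,
    ...(params.projectId ? { projectId: params.projectId } : { repoId: params.repoId }),
  };
}

// Fixed shape: repoId is always sent when present; projectId only rides along as a
// no-op fallback for older Console deployments. No identifier at all is allowed,
// because the API key alone resolves to a workspace (workspace-wide scan).
export function buildBodyFixed(params: DispatchParams): DispatchBody {
  return {
    branch: params.branch,
    ...(params.repoId ? { repoId: params.repoId } : {}),
    ...(params.projectId ? { projectId: params.projectId } : {}),
  };
}

// The scope a request body actually carries. Useful as a pre-dispatch check in CI:
// a run that was configured per-repo but reports "workspace" here is the regression.
export function scopeOf(body: DispatchBody): "repo" | "workspace" {
  return typeof body.repoId === "string" && body.repoId.length > 0 ? "repo" : "workspace";
}

// Minimal fetch-like signature so the dispatcher can be driven by a stub.
type FetchLike = (
  url: string,
  init: { method: string; headers: Record<string, string>; body: string },
) => Promise<{ ok: boolean; status: number; json: () => Promise<unknown> }>;

export async function dispatchScan(
  params: DispatchParams,
  fetchImpl: FetchLike,
  build: (p: DispatchParams) => DispatchBody = buildBodyFixed,
): Promise<DispatchBody> {
  const body = build(params);
  const res = await fetchImpl("https://console.example.invalid/ci/dispatch", {
    method: "POST",
    headers: { authorization: `Bearer ${params.apiKey}`, "content-type": "application/json" },
    body: JSON.stringify(body),
  });
  if (!res.ok) throw new Error(`dispatch failed: HTTP ${res.status}`);
  return body;
}

// Recording stub standing in for global fetch: captures every request body so the
// check can assert on what was sent rather than on log output.
export function makeRecordingFetch(): { fetchImpl: FetchLike; calls: DispatchBody[] } {
  const calls: DispatchBody[] = [];
  const fetchImpl: FetchLike = async (_url, init) => {
    calls.push(JSON.parse(init.body) as DispatchBody);
    return { ok: true, status: 200, json: async () => ({ scanId: "constructed-scan-id" }) };
  };
  return { fetchImpl, calls };
}

// Constructed input mirroring every documented setup: PENSAR_PROJECT_ID is set
// and the GitHub repo id was auto-detected.
const sampleParams: DispatchParams = { apiKey: "constructed-key", projectId: "proj_legacy", repoId: "123456789" };

async function demo(): Promise<void> {
  const { fetchImpl, calls } = makeRecordingFetch();
  await dispatchScan(sampleParams, fetchImpl, buildBodyBuggy); // sends projectId only
  await dispatchScan(sampleParams, fetchImpl);                 // sends repoId (+ projectId)
  for (const body of calls) console.log(scopeOf(body), JSON.stringify(body));
}
void demo();
```

The fixed builder spreads repoId and projectId independently, so neither can shadow the other; the scopeOf check is the single assertion worth keeping in CI, because a silent fall-back to "workspace" is exactly the over-scoped (and over-billed) scan the PR describes.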

Console V2 folded projects into workspaces. /ci/dispatch now scopes by
workspace (from the API key) plus an optional repository (repoId =
GITHUB_REPOSITORY_ID); projectId is accepted but ignored.

dispatchScan let a (now-ignored) projectId shadow repoId, so every
documented setup — which sets PENSAR_PROJECT_ID — dropped the
auto-detected repoId and produced an unscoped, workspace-wide scan.

- Always send repoId when present; send projectId only as a no-op
  fallback for older Console deployments.
- Drop the projectId/repoId requirement: an API key alone resolves to a
  workspace (workspace-wide scan).
- Reframe docs/help/examples around workspace + repository; mark
  --project / PENSAR_PROJECT_ID deprecated. Bump CLI version string to
  match package (2.4.0).

Closes pensarai#11

Add a framework-free assert check (npm test) that stubs fetch and
verifies dispatchScan sends repoId even when projectId is set, and that
an identifier-less call no longer throws. Tighten inline comments.
Development

Successfully merging this pull request may close these issues.

CLI sends ignored projectId and drops repoId → unscoped workspace-wide scans on Console V2