call trivy directly instead of wrapping in docker run
The tool assumed trivy ran via docker run aquasec/trivy:latest, building volume mounts and container-path remapping for every invocation. Since the CI environment now provides trivy as a direct dependency inside the prod-base container, the Docker orchestration is unnecessary complexity. Replace build_docker_args / build_sbom_args with direct subprocess.run trivy calls and wire the previously-parsed --severity and --trivyignore CLI flags through to run_scan. Ref #1246
mount ~/.claude/sessions into VM for session persistence
Add a fourth Lima mount for ~/.claude/sessions (writable) so Claude Code sessions survive VM rebuilds. This mirrors the existing mounts for projects and skills.