fix(dependency-review): require strict org membership for enterprise SFW

Tighten the enterprise-mode gate to author_association OWNER/MEMBER only.
Outside collaborators (COLLABORATOR) now fall through to the free edition,
same as Dependabot / forks / external contributors.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Author: lelia

.github/workflows/dependency-review.yml

@@ -83,13 +83,14 @@ jobs:
           SOCKET_API_TOKEN: ${{ secrets.SOCKET_API_TOKEN }}
         run: |
           mode=firewall-free
-          # Enterprise only for a trusted SocketDev member (OWNER/MEMBER) or
-          # repo collaborator on an in-repo PR, and only when the token is
-          # actually present. Anything else falls back to the free edition.
+          # Enterprise only for a SocketDev org member (OWNER/MEMBER) on an
+          # in-repo PR, and only when the token is actually present. Everything
+          # else -- Dependabot, forks, outside collaborators, external
+          # contributors, or a missing token -- uses the free edition.
           if [ "$IS_DEPENDABOT" != "true" ] \
              && [ "$IS_FORK" != "true" ] \
              && [ -n "$SOCKET_API_TOKEN" ] \
-             && printf '%s' "$AUTHOR_ASSOC" | grep -qE '^(OWNER|MEMBER|COLLABORATOR)$'; then
+             && printf '%s' "$AUTHOR_ASSOC" | grep -qE '^(OWNER|MEMBER)$'; then
             mode=firewall-enterprise
           fi