fix: guard two script edge cases

- scripts/harness-audit.js: getRepoChecks() parsed package.json with raw
  JSON.parse(readText(...)), while the rest of the file (lines 218, 822)
  uses the tolerant safeParseJson(safeRead(...)). In repo target mode a
  project lacking package.json — or with malformed JSON — threw an uncaught
  exception and crashed the audit instead of degrading. Match the existing
  convention so the audit tolerates a missing/invalid package.json.

- skills/frontend-slides/scripts/export-pdf.sh: `set -- "${POSITIONAL[@]}"`
  expands an empty array under `set -u` on bash 3.2 (the macOS system bash),
  aborting with "POSITIONAL[@]: unbound variable" instead of printing the
  usage message when invoked with no positional args. Guard the expansion
  with ${POSITIONAL[@]+"${POSITIONAL[@]}"} (no-op safe under bash 3.2 set -u).

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>

scripts/harness-audit.js

@@ -199,7 +199,7 @@ function findPluginInstall(rootDir) {
 }
 
 function getRepoChecks(rootDir) {
-  const packageJson = JSON.parse(readText(rootDir, 'package.json'));
+  const packageJson = safeParseJson(safeRead(rootDir, 'package.json'));
   const commandPrimary = safeRead(rootDir, 'commands/harness-audit.md').trim();
   const commandParity = safeRead(rootDir, '.opencode/commands/harness-audit.md').trim();
   const hooksJson = safeRead(rootDir, 'hooks/hooks.json');