ci: add security policy, cargo-deny configuration, and audit workflow

- Add deny.toml with license/advisory policy for cargo-deny
- Add security.yml GitHub Actions workflow for automated audit
- Update rust.yml with hardened clippy lint enforcement
- Update Cargo.toml/Cargo.lock with audit-related dependency additions
- Fix clippy lint placement in config.toml (Clippy lints must not live in rustflags)

Part of PR-SEC-1: no Rust source changes, establishes CI gates for all subsequent PRs.

.github/workflows/rust.yml

@@ -45,10 +45,14 @@ jobs:
     - name: Run tests
       run: cargo test --verbose
 
-# clippy dont fail on warnings because of active development of telemt 
-# and many warnings
+    - name: Check benches compile
+      run: cargo check --benches
+
+    # Strict policy is deferred to PR-SEC-8 — intermediate branches use
+    # #[allow(clippy::panic)], #[allow(clippy::expect_used)] etc. which are
+    # incompatible with -F (forbid) flags active before all source fixes land.
     - name: Run clippy
-      run: cargo clippy -- --cap-lints warn
+      run: cargo clippy --workspace -- -D clippy::correctness
 
     - name: Check for unused dependencies
       run: cargo udeps || true

.github/workflows/security.yml

@@ -0,0 +1,34 @@
+name: Security
+
+on:
+  push:
+    branches: [ "*" ]
+  pull_request:
+    branches: [ "*" ]
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  advisory-gate:
+    name: Advisory Gate
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install latest stable Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Install cargo-audit
+        run: cargo install --locked cargo-audit
+
+      - name: Run policy regression tests
+        run: bash tools/security/test_enforce_audit_policy.sh
+
+      - name: Enforce advisory policy
+        run: bash tools/security/enforce_audit_policy.sh