feat: add vulnerability audit workflow (PoC)

.github/workflows/vulnerability-audit.yml

@@ -0,0 +1,50 @@
+name: Vulnerability Audit
+
+on:
+  schedule:
+    # Run weekly on Mondays at 9:00 UTC
+    - cron: "0 9 * * 1"
+  workflow_dispatch:
+  # Also run on PRs that change dependencies
+  pull_request:
+    paths:
+      - "uv.lock"
+      - "pyproject.toml"
+
+jobs:
+  # Approach 1: pip-audit (PyPA official tool)
+  # Exports uv.lock to requirements format and pipes it into pip-audit (no install needed).
+  # Pros: official PyPA tool, well-maintained, no env install required
+  # Cons: requires export step, doesn't read uv.lock directly
+  pip-audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+      - name: Run pip-audit
+        run: uv export --locked --no-hashes | uvx pip-audit -r /dev/stdin --strict --vulnerability-service osv --desc
+
+  # Approach 2: uv-secure (reads uv.lock directly)
+  # Pros: fast (no install needed), reads uv.lock natively, supports severity filtering
+  # Cons: newer/less established, community tool
+  uv-secure:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+      - name: Run uv-secure
+        run: uvx uv-secure uv.lock
+
+  # Approach 3: uv audit (native uv command, still in preview as of 0.11.2)
+  # Pros: native to uv (no extra tools), reads uv.lock directly, uses OSV database
+  # Cons: requires --preview flag, may change before stable
+  uv-audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+      - name: Run uv audit
+        run: uv audit --preview