sec(ci): add cargo-deny for dependency vulnerability scanning #589

@cluster2600

Description

Summary

There is no deny.toml, .cargo/audit.toml, or any reference to cargo-deny or cargo-audit in the repository. This means there is no automated supply-chain vulnerability checking against the RustSec advisory database for the ~300+ transitive dependencies in Cargo.lock.

Additionally, the project uses serde_yaml 0.9.34+deprecated, which depends on unsafe-libyaml (a Rust FFI binding around libyaml's C code). The serde_yaml crate is marked as deprecated by its author.

Impact

  • Severity: Medium
  • Known CVEs in transitive dependencies would go undetected.
  • The deprecated serde_yaml crate will not receive security updates.

Proposed Fix

  1. Add cargo-deny with an [advisories] section to CI
  2. Configure [bans] to flag deprecated crates
  3. Migrate from serde_yaml to a maintained alternative (e.g., serde_yml)
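A deny.toml that implements steps 1 and 2 of the proposed fix, added here as an example; it is not a file from the repository or from the issue author. It assumes cargo-deny's current configuration format (`version = 2` under `[advisories]`, `crate = "..."` in ban entries; older cargo-deny releases spell the ban entry as `name = "..."`). The `[sources]` section is an extra hardening step not mentioned in the issue.

```toml
# deny.toml -- added example configuration for cargo-deny, not the project's own.
# Assumes the "version = 2" advisories format of current cargo-deny releases.

[advisories]
# v2 semantics: every RustSec vulnerability advisory matching a crate in
# Cargo.lock is an error, with no per-severity "warn" escape hatch.
version = 2
# Advisory databases to sync; the RustSec DB is also the default.
db-urls = ["https://github.com/rustsec/advisory-db"]
# Fail on crate versions that have been yanked from crates.io.
yanked = "deny"
# Advisory IDs to suppress (e.g. "RUSTSEC-0000-0000"). Keep empty unless a
# triaged advisory is provably unreachable; review on every bump.
ignore = []

[bans]
# Surface the same crate pulled in at several versions: more code to audit.
multiple-versions = "warn"
# Disallow "*" version requirements in the workspace's own Cargo.toml files.
wildcards = "deny"
# Crates that must not appear anywhere in the dependency graph. cargo-deny has
# no generic "deprecated" detector, so deprecated crates are listed explicitly;
# crates with a RustSec "unmaintained" advisory are caught by [advisories].
deny = [
    # Deprecated by its author; migrate to a maintained YAML crate first.
    { crate = "serde_yaml" },
]

[sources]
# Only accept dependencies from known registries; reject git and unknown
# alternative-registry sources unless they are listed explicitly.
unknown-registry = "deny"
unknown-git = "deny"
```

With this file at the repository root, `cargo deny check advisories bans sources` runs the three configured checks locally and exits non-zero on any error; the same command can be wired into CI as a step (for GitHub Actions, the EmbarkStudios/cargo-deny-action action with `command: check advisories bans sources`). Note that the `serde_yaml` ban will fail the build until step 3 of the fix (the migration) has landed, so either land the migration first or start with the entry commented out.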
