ci: add pip-audit known-CVE scan job (Task A.3 from #158) #168

Merged
JuergenFleiss merged 2 commits into JuergenFleiss:develop from BW-Projects:feature_ci_pip_audit
May 28, 2026

@BW-Projects
Follow-up to the ruff (#160) and bandit (#167) CI PRs. Adds pip-audit
as its own independent CI job — a separate, individual job that doesn't
depend on the bandit PR.

Contributes to #158 (Task A — CI lint/format/security).

What this PR does

  • Adds pip-audit>=2.10.0 to [dependency-groups] dev.
  • Adds a pip-audit CI job that scans the locked dependency graph
    against the PyPI advisory DB. The install step matches the ruff/bandit
    jobs (uv sync --locked --only-group dev --no-install-project) — it
    installs just the pip-audit tool (no app runtime) and revalidates the
    lock.

How it audits the lock (no app-runtime build)

pip-audit checks each package against the PyPI advisory DB by name +
version, so it doesn't need the packages installed. We export the uv
lock as a PEP 751 pylock.toml (uv export --format pylock.toml) and
audit it via --locked. This keeps the job fast and consistent with the
ruff/bandit jobs (no GTK/torch/pycairo build on the runner).

Packages not on PyPI can't be audited there — the git aTrain_core
dependency and the +cuXXX torch builds from the PyTorch index.
pip-audit lists these in a "Skip Reason" table rather than silently
dropping them, so every exception is explicit and auditable:

Name        Skip Reason
atrain-core Dependency not found on PyPI … atrain-core (1.4.2)
torch       Dependency not found on PyPI … torch (2.9.1+cu128)

continue-on-error initially

nicegui 2.21.1 and werkzeug 3.0.3 carry known CVEs pending the
coordinated upgrade in #159, so the step runs continue-on-error: true
for now — findings print on every run (visible) but don't block. Flip
to gating once #159 lands.

Maps to BSI IT-Grundschutz

  • CON.8 §3.2.4 (integrity check of external components / no outdated,
    known-vulnerable versions) — pip-audit operationalises the known-CVE
    half on every run.

cc @gerardo-navarro
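
One way to keep the exceptions described above explicit once the step is flipped to gating, as an added example (not code from this PR or the project): a script that reads a `pip-audit --format json` report and fails only on findings or skips outside an allow-list. The sample report, the placeholder advisory ids, the `requests` entry and the names `evaluate`, `exit_code`, `EXPECTED_SKIPS` and `PENDING_UPGRADE` are assumptions made for illustration.

```python
import json

# Constructed sample in the shape of `pip-audit --format json` output.
# Advisory ids are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"name": "nicegui", "version": "2.21.1",
         "vulns": [{"id": "PLACEHOLDER-0001", "fix_versions": []}]},
        {"name": "werkzeug", "version": "3.0.3",
         "vulns": [{"id": "PLACEHOLDER-0002", "fix_versions": []}]},
        {"name": "requests", "version": "0.0.0", "vulns": []},
        {"name": "atrain-core", "skip_reason": "constructed: not on PyPI"},
        {"name": "torch", "skip_reason": "constructed: not on PyPI"},
    ],
    "fixes": [],
})

# Hypothetical policy: only the exceptions the PR text names explicitly.
EXPECTED_SKIPS = {"atrain-core", "torch"}
PENDING_UPGRADE = {"nicegui", "werkzeug"}  # tracked in #159


def evaluate(report_json, expected_skips=EXPECTED_SKIPS, pending=PENDING_UPGRADE):
    """Return (blocking, tolerated) lists of human-readable findings."""
    blocking, tolerated = [], []
    for dep in json.loads(report_json).get("dependencies", []):
        name = dep["name"].lower().replace("_", "-")
        if "skip_reason" in dep:
            # An unaudited package outside the allow-list is a coverage gap.
            bucket = tolerated if name in expected_skips else blocking
            bucket.append(f"skipped {name}: {dep['skip_reason']}")
            continue
        for vuln in dep.get("vulns", []):
            bucket = tolerated if name in pending else blocking
            bucket.append(f"{name} {dep.get('version')}: {vuln['id']}")
    return blocking, tolerated


def exit_code(report_json, **policy):
    blocking, _ = evaluate(report_json, **policy)
    return 1 if blocking else 0


if __name__ == "__main__":
    blocking, tolerated = evaluate(SAMPLE_REPORT)
    print("tolerated:", *tolerated, sep="\n  ")
    print("blocking:", *blocking, sep="\n  ")
    raise SystemExit(1 if blocking else 0)
```

Emptying `PENDING_UPGRADE` after the upgrade lands turns any remaining nicegui or werkzeug finding into a failure, and a new non-PyPI dependency fails the job until it is added to `EXPECTED_SKIPS` deliberately.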

Bjoern Werner added 2 commits May 28, 2026 07:42
Adds `pip-audit>=2.10.0` to the dev dependency group for the
known-CVE scan CI job.
Adds a `pip-audit` job that scans the locked dependency graph against
the PyPI advisory database.

Approach: export the lock as a PEP 751 `pylock.toml`
(`uv export --format pylock.toml`) and audit it with
`pip-audit <dir> --locked`. pip-audit checks each pinned package
against the advisory DB and self-documents anything it can't audit —
the git `aTrain_core` dependency and the `+cuXXX` torch builds from the
PyTorch index — in a "Skip Reason" table. No app runtime is built
(consistent with the ruff/bandit jobs) and no manual requirements
filtering is needed; the skips are explicit and auditable.

`continue-on-error: true` initially: nicegui 2.21.1 and werkzeug 3.0.3
carry known CVEs pending the coordinated upgrade in JuergenFleiss#159. Findings
print on every run; flip the step to gating once JuergenFleiss#159 lands.
@JuergenFleiss
Owner

Thanks!
