Add cargo audit security gate in CI

[LucaCappelletti94]

Adds a Security audit workflow that runs cargo audit on push, on pull requests, and weekly so newly published advisories are caught without a code change. Because Cargo.lock is gitignored, the job resolves a fresh lockfile first and audits the versions CI would actually build.

An audit.toml ignores five advisories that come only from optional tooling, never the core library or the published site: fast-float 0.2.0 (pulled by the historical databend-common-ast 0.0.3 that the time machine compiles to benchmark old releases) and rustls-webpki 0.101.7 (pulled by tiberius in the Docker-only oracle crate, which talks to a trusted local container). Each is documented with its source and rationale, and the gate still fails on any new advisory elsewhere. Unmaintained-crate warnings are left visible but non-blocking.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 39.59%. Comparing base (5f7fb50) to head (275f991).

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #21   +/-   ##
=======================================
  Coverage   39.59%   39.59%           
=======================================
  Files          23       23           
  Lines        2546     2546           
=======================================
  Hits         1008     1008           
  Misses       1538     1538           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.