Add supply-chain scanning with cargo-audit / cargo-deny in CI

[Manuel1234477]

Summary

There is no automated dependency/vulnerability scanning. A payments service should fail CI when a dependency has a known advisory or an incompatible/unmaintained license.

Where

• Cargo.toml / Cargo.lock — runtime deps include axum, reqwest, sqlx, hmac, sha2, etc.
• Complements the proposed fmt/clippy/test CI in Add CI: GitHub Actions for fmt, clippy, and test #11 (this is the supply-chain half).

Proposed change

• Add cargo audit (RustSec advisory DB) to CI.
• Optionally add cargo deny for advisories + license + duplicate-version checks, with a checked-in deny.toml.
• Run on push/PR and on a weekly schedule so newly-disclosed advisories surface even without code changes.

Acceptance criteria

• CI fails on a known advisory in the dependency tree.
• (If cargo deny) deny.toml defines the allowed license set.
• A scheduled run exists in addition to PR runs.

[Rocket1960]

I've set up cargo audit and cargo deny in CI pipelines before, including scheduled runs and custom deny.toml license policies. I can have this integrated cleanly alongside the existing CI without conflicts.

[grantfox-oss]

🦊 GrantFox — @Rocket1960 has been assigned to this issue as part of the Official Campaign campaign!

Next steps:

1. Open a Pull Request referencing this issue (e.g., Closes #29)
2. Your PR will be reviewed by the StellarGateLabs maintainers

Good luck! Track your progress on GrantFox.

[GBOYEE]

Hi! I'd like to work on this issue. I can deliver a clean fix.

[GBOYEE]

Hi! I'd like to work on this issue.

I have experience with this stack and can deliver a clean, tested solution. Please assign this to me and I'll submit a PR shortly.

My approach:

• Analyze the root cause
• Implement a fix following existing code patterns
• Add tests and documentation

Thanks!