ci: align workflows with aletheia reference patterns

[forkwright]

Summary

• rust.yml: Removed secrets job (belongs in security.yml only); added msrv (1.85), docs (rustdoc), and coverage (cargo-llvm-cov) jobs
• security.yml: Renamed audit job, removed 2>/dev/null suppression, added deny.toml ignore extraction, added secret-scan job (TruffleHog v3.93.7), added CST comment to cron
• dependabot-auto-merge.yml: Added CI check wait step before auto-merge to prevent merging failing PRs
• pr-hygiene.yml: Replaced unicode escape emoji with template literal; restructured duplicate comment check to use early-return pattern with comments.data.some()
• stale.yml: Added CST comment to cron schedule
• nightly.yml: Added CST comment to cron; added blank lines between steps for readability

Observations

• nightly.yml still uses 2>/dev/null || true on cargo install cargo-audit — left as-is since the task only specifies removing it from security.yml
• pr-hygiene.yml already had a duplicate comment guard pre-PR, but used comments.find() with a bot-login check; replaced with comments.data.some() + early return to match aletheia's pattern

Test plan

• All 9 workflow YAML files pass python3 -c "import yaml; yaml.safe_load(...)" validation
• Verify TruffleHog action version matches aletheia's security.yml
• Confirm dependabot CI wait step triggers on expected update types

🤖 Generated with Claude Code