ci: add Security workflow (pip-audit, bandit, SBOM) + .gitignore vendor

- security.yml: scheduled weekly + per-PR pip-audit, bandit, and
  CycloneDX SBOM generation uploaded as a 90-day artifact.
- .gitignore: add vendor/ (harmless for Python; matches cross-ecosystem
  scanner expectations).

Covers: ER-01, ER-02, ER-03, GW-03.
Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>

Author: CybotTM

.github/workflows/security.yml

@@ -0,0 +1,79 @@
+name: Security
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 6 * * 1'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  audit:
+    name: Python security audit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: '3.14'
+
+      - name: Install pip-audit and bandit
+        run: |
+          python -m pip install --upgrade pip
+          pip install pip-audit bandit[toml]
+
+      # pip-audit reads pyproject.toml + uv.lock; fail only on known CVEs
+      - name: pip-audit (pyproject + uv.lock)
+        run: pip-audit --skip-editable
+
+      - name: bandit (static analysis)
+        run: bandit -r cli_audit -c pyproject.toml
+
+  sbom:
+    name: Generate SBOM (CycloneDX)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
+    steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: '3.14'
+
+      - name: Install cyclonedx-py
+        run: |
+          python -m pip install --upgrade pip
+          pip install cyclonedx-bom
+
+      - name: Generate CycloneDX SBOM
+        run: cyclonedx-py environment --of JSON -o sbom.cdx.json
+
+      - name: Upload SBOM artifact
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: sbom-cyclonedx
+          path: sbom.cdx.json
+          retention-days: 90

.gitignore

@@ -39,6 +39,9 @@ tools_snapshot.json
 # Node.js
 node_modules/
 
+# Vendored dependencies (this project uses uv; vendor/ is reserved for ad-hoc checkouts)
+vendor/
+
 # AI agent session context (not committed)
 claudedocs/
 .serena/