ci: add explicit advisory severity thresholds to deny.toml (#393)

* ci: add explicit advisory severity thresholds to deny.toml

- Set vulnerability = "deny" to fail CI on known vulnerabilities
- Set unmaintained = "warn" (changed from "workspace" for clarity)
- Set notice = "warn" to surface informational advisories
- Keep yanked = "warn" as before

This improves signal-to-noise by ensuring genuine vulnerabilities
block CI while less critical advisories are surfaced as warnings.

Closes #363

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: use valid cargo-deny v2 schema values for advisories

In v2, vulnerability/notice fields are removed (always error).
- unmaintained: change "workspace" → "all" (check all deps, not just direct)
- yanked: change "warn" → "deny" (fail CI on yanked crates)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(deny): ignore RUSTSEC-2025-0141 bincode unmaintained advisory

bincode v2.0.1 is a transitive dependency via probe-rs that we cannot
easily replace. The advisory notes the project considers v1.3.3 complete.
Adding to ignore list so unmaintained="all" check passes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
fettpl 2026-02-16 21:14:41 +01:00 committed by GitHub
parent 0e8d02cd3c
commit 2ecfcb9072
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -2,8 +2,16 @@
# https://embarkstudios.github.io/cargo-deny/
[advisories]
unmaintained = "workspace"
yanked = "warn"
# In v2, vulnerability advisories always emit errors (not configurable).
# unmaintained: scope of unmaintained-crate checks (all | workspace | transitive | none)
unmaintained = "all"
# yanked: deny | warn | allow
yanked = "deny"
# Ignore known unmaintained transitive deps we cannot easily replace
ignore = [
# bincode v2.0.1 via probe-rs — project ceased but 1.3.3 considered complete
"RUSTSEC-2025-0141",
]
[licenses]
# All licenses are denied unless explicitly allowed
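Review bot: the `ignore` entry for RUSTSEC-2025-0141 has no stated exit condition, so it will keep suppressing the advisory after probe-rs drops bincode 2.x or if a second dependency path to an unmaintained bincode appears; add a removal trigger to the comment, e.g. `# remove once probe-rs no longer pulls bincode 2.x`, and re-check the path with `cargo tree -i bincode` when bumping probe-rs. The justification in the comment ("1.3.3 considered complete") also does not match the crate actually in the tree (v2.0.1); state the risk being accepted for 2.0.1 specifically. Note too that `[advisories].ignore` silences every advisory type for the listed ID, not only unmaintained ones, so the heading comment "Ignore known unmaintained transitive deps" is narrower than what the list can do; any future entry added here deserves the same scrutiny as a vulnerability exception.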