chore(security): add dependency vulnerability audit target

Add pip-audit as a dev dependency with a separate make audit target,
document the audit workflow, and constrain supported Python metadata to
>=3.11,<4.0 so dependency resolution matches the supported runtime range.

Author: I-am-PUID-0

.github/PULL_REQUEST_TEMPLATE.md

@@ -24,6 +24,7 @@ Describe what you tested and how.
 - [ ] Manual testing completed
 - [ ] Automated tests updated or added
 - [ ] `make verify` passes inside the DUMB devcontainer
+- [ ] `make audit` reviewed when dependency metadata changed
 
 ## Related Issues
 

CONTRIBUTING.md

@@ -45,6 +45,14 @@ make env-example
 
 `make verify` checks that `.env.example` is current, but it does not rewrite the file for you. Use `make env-check` when you only want to check generated env-file drift.
 
+Dependency vulnerability auditing is available as a separate check while the audit noise level is evaluated:
+
+```bash
+make audit
+```
+
+`make audit` runs `pip-audit` against the Poetry environment. It is not part of `make verify` yet.
+
 ## Pull Request Expectations
 
 - Use Conventional Commit style for PR titles and commits.

Makefile

@@ -1,4 +1,4 @@
-.PHONY: env-check env-example format format-check lint lock-check metadata syntax test verify
+.PHONY: audit env-check env-example format format-check lint lock-check metadata syntax test verify
 
 POETRY ?= poetry
 PYTHON ?= $(POETRY) run python
@@ -7,6 +7,9 @@ RUFF ?= $(POETRY) run ruff
 PYTHONPYCACHEPREFIX ?= /tmp/dumb-pycache
 PYTHON_TARGETS ?= api utils tests scripts
 
+audit:
+	$(POETRY) run pip-audit
+
 env-example:
 	$(PYTHON) scripts/generate_env_example.py