feat(audit): add audit command for Python package vulnerability scanning #15053

Draft · wants to merge 5 commits into base: main

Conversation

@nyudenkov nyudenkov commented Aug 4, 2025

Summary

This PR implements the uv audit command as requested in issue #9189. The new command scans Python project dependencies for known security vulnerabilities using the PyPA Advisory Database.

Key Features:

  • Scans dependencies from uv.lock (primary) or pyproject.toml (fallback)
  • Supports multiple output formats: human-readable, JSON, and SARIF
  • Includes vulnerability severity filtering and ignore lists
  • Implements local caching of vulnerability database for performance
  • Provides detailed vulnerability information including affected versions and fixes

Command Usage:

# Basic usage
uv audit                           # scan current project
uv audit /path/to/project          # scan specific project

# Output formats
uv audit --format json            # machine-readable output
uv audit --format sarif           # for CI/CD integration

# Filtering
uv audit --severity critical      # filter by severity
uv audit --ignore GHSA-xxxx-xxxx-xxxx  # ignore specific vulnerabilities

# Output options
uv audit --output report.json     # save to file
uv audit --quiet                  # minimal output
uv audit --verbose                # detailed information

Architecture:

  • New uv-audit crate with modular design
  • AuditCache for local vulnerability database caching
  • OsvClient for fetching vulnerability data from PyPA Advisory Database
  • Scanner for analyzing project dependencies
  • Multiple output formatters (human, JSON, SARIF)
  • Integrated with existing uv CLI infrastructure

Test Plan

Unit Tests:

  • 37 test cases covering all major functionality
  • Cache management and TTL handling
  • Vulnerability matching logic
  • Output format generation (JSON, SARIF, human-readable)
  • Error handling for missing files and network issues

Integration Tests:

  • CLI command parsing and execution
  • Multiple output format validation
  • Cache behavior verification

Manual Testing:

  • Tested against real Python projects with known vulnerabilities
  • Verified output formats are properly structured
  • Confirmed performance with large dependency trees
  • Validated caching reduces subsequent scan times

Edge Cases Covered:

  • Missing uv.lock and pyproject.toml files
  • Network connectivity issues
  • Malformed vulnerability data
  • Empty projects and projects with no vulnerabilities
  • Invalid command line arguments

Resolves #9189

UPD: I'm sorry, I was too lazy to document it, but this command runs 20-30x faster than pip-audit
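The scan the description above outlines (read locked packages from uv.lock, match them against OSV-style records of the kind the PyPA Advisory Database publishes, honour an ignore list, and report the fix versions) as an added Python sketch; this is not code from this PR or from the uv project. The lockfile fragment and the advisory with its placeholder id are constructed, and version ordering is simplified to numeric release segments (no pre-release handling).

```python
import re
# Constructed uv.lock fragment (not from the PR); only the [[package]] tables matter.
SAMPLE_UV_LOCK = ('[[package]]\nname = "requests"\nversion = "2.25.0"\n\n'
                  '[[package]]\nname = "urllib3"\nversion = "2.2.1"\n')

# Constructed OSV-style record with a placeholder id, shaped like PyPA Advisory DB entries.
SAMPLE_ADVISORIES = [{
    "id": "PYSEC-0000-PLACEHOLDER",
    "affected": [{"package": {"ecosystem": "PyPI", "name": "requests"},
                  "ranges": [{"type": "ECOSYSTEM", "events": [
                      {"introduced": "2.3.0"}, {"fixed": "2.31.0"}]}]}],
}]

def parse_uv_lock(text):
    """Return (name, version) pairs from every [[package]] table in a uv.lock."""
    packages = []
    for block in re.split(r"^\[\[package\]\]\s*$", text, flags=re.M)[1:]:
        name = re.search(r'^name\s*=\s*"([^"]+)"', block, re.M)
        version = re.search(r'^version\s*=\s*"([^"]+)"', block, re.M)
        if name and version:
            packages.append((name.group(1).lower(), version.group(1)))
    return packages

def vkey(version):
    """Simplified PEP 440 ordering: numeric release segments only, no pre-releases."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def in_range(version, events):
    """OSV ECOSYSTEM range: the last ordered event at or below the version decides."""
    affected = False
    for event in events:
        if "introduced" in event and vkey(version) >= vkey(event["introduced"]):
            affected = True  # inside an affected interval
        elif "fixed" in event and vkey(version) >= vkey(event["fixed"]):
            affected = False  # at or past the fix
    return affected

def audit(packages, advisories, ignore=()):
    """Match locked packages against advisories, skipping ignored ids; report fixes."""
    findings = []
    for name, version in packages:
        for adv in advisories:
            for aff in adv["affected"] if adv["id"] not in ignore else []:
                if aff["package"]["name"].lower() != name:
                    continue
                for rng in aff["ranges"]:
                    if rng["type"] == "ECOSYSTEM" and in_range(version, rng["events"]):
                        fixed = [e["fixed"] for e in rng["events"] if "fixed" in e]
                        findings.append({"package": name, "version": version,
                                         "id": adv["id"], "fixed_in": fixed})
    return findings
```

A real implementation would fetch the advisory records from the database (or a local cache, as the PR describes) and use full PEP 440 comparison instead of `vkey`.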

- Introduced a new `audit` command to scan Python packages for known vulnerabilities.
@nyudenkov nyudenkov marked this pull request as draft August 4, 2025 07:06
- Resolved Cargo.lock conflicts by regenerating lockfile
- Integrated latest dependency updates from main branch
@nyudenkov nyudenkov marked this pull request as ready for review August 4, 2025 14:38
@nyudenkov (Author)

@zanieb, hi! Requesting someone to do a review and help with these failing Windows tests :')

Successfully merging this pull request may close these issues.

[Feature Request] Add uv audit Command for Security Vulnerability Scanning