M8-04: Keep supply-chain policy enforceable

[DrunkOnJava]

Created from the roadmap audit in TODO.md.

Source: https://github.com/DrunkOnJava/rvt-rs/blob/main/TODO.md#L985
Tracking commit: 1ec8105

Scope

Labels: priority:P1, type:security, area:ci

• Keep cargo deny check green.
• Keep RustSec advisory checks green.
• Review JS viewer dependencies separately with npm audit or a
  documented alternative.
• Pin or justify GitHub Actions versions.

Acceptance criteria:

• CI covers Rust and viewer dependency checks.
• Any ignored advisory has an issue, rationale, and expiry.

Definition of done

• The TODO acceptance criteria for this section are implemented or explicitly superseded by a linked decision.
• Tests, fixtures, or documentation are added at the level appropriate to the change risk.
• User-facing behavior and limitations remain honest in README/docs/viewer messaging.
• Relevant CI checks pass before the issue is closed.

[DrunkOnJava]

Starting implementation now. Scope: add a CI viewer dependency audit with npm audit, add Dependabot coverage for viewer npm dependencies, and document the supply-chain policy for Rust advisories, JS advisories, advisory ignores, and GitHub Actions pinning/justification.

[DrunkOnJava]

Implemented in d6e3493.

Changes:

• Added a CI viewer dependency audit job that runs npm ci and npm audit --audit-level=high in viewer/.
• Added weekly Dependabot coverage for /viewer npm dependencies.
• Added docs/supply-chain-policy.md covering Rust checks, npm checks, advisory-ignore requirements, GitHub Actions pinning/exception policy, and dependency update flow.
• Linked the policy from CONTRIBUTING.md.

Validation:

• npm audit --audit-level=high (0 vulnerabilities)
• cargo deny check (passed with existing unmatched-license allowlist warnings)
• ruby YAML parse for .github/workflows/ci.yml and .github/dependabot.yml
• git diff --check
• anti-stub scan over touched files

I will close this after the main-branch checks for d6e3493 finish green.