Hygiene audit found deps clean but CI ran no vulnerability scan, so a
future advisory against a locked crate would go undetected. Add an
Audit workflow running cargo audit on push/PR — parses Cargo.lock,
needs no GTK4 build env.
Remove pkg/PKGBUILD: orphaned moonlock-git VCS recipe from the
pre-tag-build era, two minors behind; canonical packaging lives in
moonarch-pkgbuilds and is auto-bumped by update-pkgver.yaml. Drop the
now-dead pkg/* makepkg ignore lines and add .pytest_cache/.
No version bump — no change to the binary.
