[NX-202 Issue] Add pip-audit CI enforcement for Python dependency security

This commit integrates pip-audit to enforce vulnerability checks in CI. Dependencies with unresolved HIGH/CRITICAL vulnerabilities will block builds unless explicitly allowlisted. The process is documented, with a strict policy to ensure exceptions are trackable and time-limited.

.github/workflows/python-dependency-security.yml

@@ -0,0 +1,53 @@
+name: Python Dependency Security
+
+on:
+  push:
+    branches: ["main", "master", "development"]
+    paths:
+      - "backend/**"
+      - ".github/workflows/python-dependency-security.yml"
+      - "ops/security/pip-audit-allowlist.json"
+      - "docs/security/dependency-exceptions.md"
+  pull_request:
+    paths:
+      - "backend/**"
+      - ".github/workflows/python-dependency-security.yml"
+      - "ops/security/pip-audit-allowlist.json"
+      - "docs/security/dependency-exceptions.md"
+  workflow_dispatch:
+
+jobs:
+  pip-audit:
+    name: pip-audit (block high/critical)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+
+      - name: Install pip-audit
+        run: |
+          python -m pip install --upgrade pip
+          pip install pip-audit
+
+      - name: Run pip-audit (JSON report)
+        run: |
+          pip-audit -r backend/requirements.txt --format json --aliases --output pip-audit-backend.json || true
+
+      - name: Enforce vulnerability policy
+        run: |
+          python backend/scripts/pip_audit_gate.py \
+            --report pip-audit-backend.json \
+            --allowlist ops/security/pip-audit-allowlist.json
+
+      - name: Upload pip-audit report
+        uses: actions/upload-artifact@v3
+        with:
+          name: pip-audit-security-report
+          path: pip-audit-backend.json