ci: no quality workflow — missing cargo-audit, cargo-deny, MSRV, mutation testing #165

Description

@metavacua

Problem

The upstream repo has no quality.yml workflow. The per-crate CI workflows cover fmt, clippy, test, and doc checks, but there is no workspace-level gate for:

  • cargo-audit — RustSec advisory database scan for known vulnerabilities
  • cargo-deny — license allow-list, banned crates, source allow-list (requires deny.toml)
  • MSRV verification — cargo-msrv verify, ensuring the declared rust-version is accurate
  • Mutation testing — cargo-mutants on PR diff scope (informational, non-blocking)
  • Protocol schema lint — buf lint on the two .proto files

As a result, known security advisories and dependency hygiene issues are invisible to CI.

Current known gaps (would fail quality gates today)

| Advisory | Crate | Severity | Fix |
|---|---|---|---|
| RUSTSEC-2026-0021, -0085, -0086, -0087, -0088 | wasmtime 29.0.1 | Critical/High | upgrade to >=36.0.7 |
| RUSTSEC-2026-0176, -0177 | pyo3 0.24.2 | High | upgrade to >=0.29.0 |

cargo deny check also fails immediately because there is no deny.toml — the tool falls back to a default config that rejects the Apache-2.0/MIT slash notation used by accelerate-src v0.3.2.
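A workspace-root deny.toml of the shape proposed above, added here as an illustration rather than taken from the fork or the upstream repo. The license allow-list and the `[[licenses.clarify]]` entry for accelerate-src are assumptions chosen for this example; the advisory ignore set lists the RUSTSEC IDs from the table above and is meant to be emptied as each upgrade PR lands.

```toml
# deny.toml -- example workspace-level configuration for `cargo deny check`.
# Added illustration; not the project's own file. Adjust the allow-list to the
# licenses actually audited in the dependency graph.

[graph]
all-features = true          # scan optional deps too, so nothing is hidden behind a feature

[advisories]
version = 2
db-urls = ["https://github.com/rustsec/advisory-db"]
yanked = "deny"
# Temporary acceptances only: every entry names the open advisory from the
# issue table and must be removed once the crate is upgraded.
ignore = [
  { id = "RUSTSEC-2026-0021", reason = "wasmtime 29.0.1 -> >=36.0.7 tracked in sub-issue" },
  { id = "RUSTSEC-2026-0085", reason = "wasmtime 29.0.1 -> >=36.0.7 tracked in sub-issue" },
  { id = "RUSTSEC-2026-0086", reason = "wasmtime 29.0.1 -> >=36.0.7 tracked in sub-issue" },
  { id = "RUSTSEC-2026-0087", reason = "wasmtime 29.0.1 -> >=36.0.7 tracked in sub-issue" },
  { id = "RUSTSEC-2026-0088", reason = "wasmtime 29.0.1 -> >=36.0.7 tracked in sub-issue" },
  { id = "RUSTSEC-2026-0176", reason = "pyo3 0.24.2 -> >=0.29.0 tracked in sub-issue" },
  { id = "RUSTSEC-2026-0177", reason = "pyo3 0.24.2 -> >=0.29.0 tracked in sub-issue" },
]

[licenses]
version = 2
# Explicit allow-list (assumed set for this example); anything else fails the check.
allow = [
  "MIT",
  "Apache-2.0",
  "Apache-2.0 WITH LLVM-exception",
  "BSD-2-Clause",
  "BSD-3-Clause",
  "ISC",
  "Unicode-3.0",
  "Zlib",
]
confidence-threshold = 0.8

# accelerate-src 0.3.2 declares "Apache-2.0/MIT" (slash notation). Clarifying it
# to the SPDX form lets cargo-deny evaluate the intended OR instead of rejecting it.
[[licenses.clarify]]
name = "accelerate-src"
version = "0.3.2"
expression = "Apache-2.0 OR MIT"
license-files = []

[bans]
multiple-versions = "warn"   # surface duplicate crate versions without blocking yet
wildcards = "deny"           # no `version = "*"` dependencies
deny = []                    # populate with audited bans; none assumed here

[sources]
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
```

Running `cargo deny check` with this file exercises all four checks (advisories, licenses, bans, sources). The ignore entries carry a reason so a reviewer can see why a Critical/High advisory is tolerated and which sub-issue owns its removal.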

Proposed fix

  1. Add deny.toml at the workspace root with an audited license allow-list and advisory ignore set.
  2. Add .github/workflows/quality.yml covering the jobs listed above.
  3. Address open advisories (separate PRs per crate, tracked as sub-issues).

A working reference implementation exists in the fork metavacua/larql-to-sparql and can be adapted.
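A quality.yml sketch covering the five jobs listed above, added here as an example and not copied from the fork's reference implementation. It assumes a deny.toml exists at the workspace root, that buf.yaml is present for `buf lint`, and that the default branch is `main`; the action names used are the public ones (actions/checkout, dtolnay/rust-toolchain, taiki-e/install-action, EmbarkStudios/cargo-deny-action, bufbuild/buf-setup-action, actions/upload-artifact).

```yaml
# .github/workflows/quality.yml -- example workspace-level quality gate.
# Added illustration; not the project's own workflow.
name: quality

on:
  pull_request:
  push:
    branches: [main]
  schedule:
    - cron: "0 6 * * 1"   # weekly re-scan so newly published advisories surface without a code change

permissions:
  contents: read           # least privilege: nothing here needs write access

env:
  CARGO_TERM_COLOR: always

jobs:
  audit:
    name: cargo-audit (RustSec advisories)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: taiki-e/install-action@v2
        with:
          tool: cargo-audit
      - run: cargo audit --deny warnings

  deny:
    name: cargo-deny (licenses, bans, sources, advisories)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: EmbarkStudios/cargo-deny-action@v2
        with:
          command: check    # reads deny.toml at the workspace root

  msrv:
    name: MSRV (cargo-msrv verify)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: taiki-e/install-action@v2
        with:
          tool: cargo-msrv
      # Fails if the crate does not build on the rust-version declared in Cargo.toml.
      - run: cargo msrv verify

  mutants:
    name: mutation testing (informational)
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    continue-on-error: true   # non-blocking, as proposed in the issue
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0      # full history so the PR base is available for the diff
      - uses: dtolnay/rust-toolchain@stable
      - uses: taiki-e/install-action@v2
        with:
          tool: cargo-mutants
      - name: Mutate only the code touched by this PR
        run: |
          git diff "origin/${{ github.base_ref }}...HEAD" > pr.diff
          cargo mutants --in-diff pr.diff --no-shuffle
      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: mutants-report
          path: mutants.out

  proto-lint:
    name: buf lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: bufbuild/buf-setup-action@v1
      - run: buf lint
```

The audit, deny, msrv and proto-lint jobs are blocking; mutants is scoped to the PR diff and marked `continue-on-error` so it reports without gating merges. The schedule trigger matters for the audit and deny jobs specifically: an advisory published after the last commit would otherwise stay invisible until someone next pushes.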
