feat: add audit validation rules and script

Import audit rules from scaffold project covering:
- Access control validation
- Audit trail requirements
- Change management policies
- Compliance checks
- Data governance rules
- Documentation requirements
- Third-party dependency checks

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.audit-rules/third_party.yaml

@@ -0,0 +1,192 @@
+# Third-Party Risk Rules
+# ======================
+# Ensures proper management of external dependencies.
+# Critical for supply chain security and license compliance.
+
+rules:
+  # ===================
+  # DEPENDENCY MANAGEMENT
+  # ===================
+
+  - id: THIRD-DEP-001
+    name: "Dependency lock file required"
+    description: "Dependencies must be locked to specific versions"
+    severity: high
+    check:
+      type: file_exists
+      paths:
+        - "uv.lock"
+        - "poetry.lock"
+        - "requirements.lock"
+        - "Pipfile.lock"
+      message: "Dependency lock file required for reproducible builds"
+
+  - id: THIRD-DEP-002
+    name: "Dependencies defined in manifest"
+    description: "All dependencies must be declared"
+    severity: critical
+    check:
+      type: file_exists
+      paths:
+        - "pyproject.toml"
+        - "requirements.txt"
+        - "Pipfile"
+      message: "Dependency manifest file required"
+
+  - id: THIRD-DEP-003
+    name: "Pinned dependency versions"
+    description: "Production dependencies should have pinned versions"
+    severity: high
+    check:
+      type: pattern_recommended
+      paths:
+        - "pyproject.toml"
+      patterns:
+        - '>=.*,<|==|~='
+      message: "Consider pinning dependency version ranges"
+
+  # ===================
+  # VULNERABILITY MANAGEMENT
+  # ===================
+
+  - id: THIRD-VULN-001
+    name: "Dependency vulnerability scanning"
+    description: "Dependencies must be scanned for vulnerabilities"
+    severity: high
+    check:
+      type: file_exists
+      paths:
+        - ".github/workflows/*.yml"
+      patterns:
+        - "safety|pip-audit|snyk|dependabot"
+      message: "Dependency vulnerability scanning required"
+
+  - id: THIRD-VULN-002
+    name: "Dependabot enabled"
+    description: "Automated dependency updates should be configured"
+    severity: medium
+    check:
+      type: file_exists
+      paths:
+        - ".github/dependabot.yml"
+      message: "Consider enabling Dependabot for security updates"
+
+  - id: THIRD-VULN-003
+    name: "Container base image scanning"
+    description: "Container base images should be scanned"
+    severity: medium
+    check:
+      type: pattern_recommended
+      paths:
+        - ".github/workflows/*.yml"
+      patterns:
+        - "trivy|grype|snyk.*container"
+      message: "Consider container image vulnerability scanning"
+
+  # ===================
+  # LICENSE COMPLIANCE
+  # ===================
+
+  - id: THIRD-LIC-001
+    name: "License compatibility check"
+    description: "Dependency licenses must be compatible"
+    severity: high
+    check:
+      type: documentation
+      message: "Document license compliance verification process"
+
+  - id: THIRD-LIC-002
+    name: "No copyleft in proprietary code"
+    description: "GPL/AGPL dependencies require careful handling"
+    severity: high
+    check:
+      type: pattern_forbidden
+      paths:
+        - "pyproject.toml"
+      patterns:
+        - "gpl|agpl"
+      case_insensitive: true
+      message: "Copyleft licenses require legal review"
+
+  - id: THIRD-LIC-003
+    name: "Project license declared"
+    description: "Project must have explicit license"
+    severity: medium
+    check:
+      type: file_exists
+      paths:
+        - "LICENSE"
+        - "LICENSE.md"
+        - "LICENSE.txt"
+      message: "Project license file recommended"
+
+  # ===================
+  # VENDOR ASSESSMENT
+  # ===================
+
+  - id: THIRD-VEND-001
+    name: "Trusted package sources"
+    description: "Packages should come from trusted sources"
+    severity: high
+    check:
+      type: pattern_forbidden
+      paths:
+        - "pyproject.toml"
+        - "requirements.txt"
+      patterns:
+        - "git\\+http://|--index-url.*http://"
+      message: "Only HTTPS sources allowed for packages"
+
+  - id: THIRD-VEND-002
+    name: "No direct Git dependencies in production"
+    description: "Production should use released packages"
+    severity: medium
+    check:
+      type: pattern_recommended
+      paths:
+        - "pyproject.toml"
+      patterns:
+        - "git\\+"
+      invert: true
+      message: "Prefer released packages over Git dependencies"
+
+  - id: THIRD-VEND-003
+    name: "Minimal dependencies"
+    description: "Only necessary dependencies should be included"
+    severity: low
+    check:
+      type: documentation
+      message: "Document justification for external dependencies"
+
+  # ===================
+  # SUPPLY CHAIN SECURITY
+  # ===================
+
+  - id: THIRD-CHAIN-001
+    name: "Package integrity verification"
+    description: "Package hashes should be verified"
+    severity: medium
+    check:
+      type: pattern_recommended
+      paths:
+        - "uv.lock"
+        - "requirements.txt"
+      patterns:
+        - "sha256|hash"
+      message: "Consider hash verification for packages"
+
+  - id: THIRD-CHAIN-002
+    name: "Signed commits for dependencies"
+    description: "Critical dependencies should use signed releases"
+    severity: low
+    check:
+      type: documentation
+      message: "Consider verifying signatures for critical dependencies"
+
+  - id: THIRD-CHAIN-003
+    name: "Private package registry"
+    description: "Internal packages should use private registry"
+    severity: low
+    check:
+      type: documentation
+      message: "Document private package registry usage if applicable"