ci: enforce clippy -D warnings and cargo audit as hard gates

Flip both CI gates from informational to hard-fail (SPEC-001 quality gates):
- clippy: `-- -D warnings` on the server crate. Cleared the debt via clippy --fix
  (unused imports/style), targeted #[allow(dead_code)] on native-remote-control
  future API, and #[allow(clippy::too_many_arguments)] on 3 protocol-mirroring fns.
- cargo audit: hard-fail with documented per-ID --ignore flags (rsa RUSTSEC-2023-0071
  unfixable/unreachable in active tree; gtk-rs + glib Linux-only tray backend not
  compiled into the Windows agent; proc-macro-error build-time). New advisories fail.
- Move [profile.release] to the workspace root (it was silently ignored in the server
  member), activating lto/codegen-units/strip.

No behavioral changes. Reviewed and gates verified passing on the build host.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

server/src/api/auth_logout.rs

@@ -1,7 +1,7 @@
 //! Logout and token revocation endpoints
 
 use axum::{
-    extract::{Path, Request, State},
+    extract::{Request, State},
     http::{HeaderMap, StatusCode},
     Json,
 };
@@ -97,7 +97,7 @@ pub struct RevokeUserRequest {
 ///
 /// For MVP, we're implementing the foundation but not the full user tracking.
 pub async fn revoke_user_tokens(
-    State(state): State<AppState>,
+    State(_state): State<AppState>,
     admin: AuthenticatedUser,
     Json(req): Json<RevokeUserRequest>,
 ) -> Result<Json<LogoutResponse>, (StatusCode, Json<ErrorResponse>)> {