ci: enforce clippy -D warnings and cargo audit as hard gates

Flip both CI gates from informational to hard-fail (SPEC-001 quality gates):
- clippy: `-- -D warnings` on the server crate. Cleared the debt via clippy --fix
  (unused imports/style), targeted #[allow(dead_code)] on native-remote-control
  future API, and #[allow(clippy::too_many_arguments)] on 3 protocol-mirroring fns.
- cargo audit: hard-fail with documented per-ID --ignore flags (rsa RUSTSEC-2023-0071
  unfixable/unreachable in active tree; gtk-rs + glib Linux-only tray backend not
  compiled into the Windows agent; proc-macro-error build-time). New advisories fail.
- Move [profile.release] to the workspace root (it was silently ignored in the server
  member), activating lto/codegen-units/strip.

No behavioral changes. Reviewed and gates verified passing on the build host.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

server/src/utils/ip_extract.rs

@@ -1,6 +1,5 @@
 //! IP address extraction from WebSocket connections
 
-use axum::extract::ConnectInfo;
 use std::net::{IpAddr, SocketAddr};
 
 /// Extract IP address from Axum ConnectInfo
@@ -12,11 +11,13 @@ use std::net::{IpAddr, SocketAddr};
 ///     // Use ip for logging
 /// }
 /// ```
+#[allow(dead_code)] // TODO(native-remote-control): consumed by the integration API; see docs/specs/native-remote-control/
 pub fn extract_ip(addr: &SocketAddr) -> IpAddr {
     addr.ip()
 }
 
 /// Extract IP address as string
+#[allow(dead_code)] // TODO(native-remote-control): consumed by the integration API; see docs/specs/native-remote-control/
 pub fn extract_ip_string(addr: &SocketAddr) -> String {
     addr.ip().to_string()
 }