ci: swap safety check for pip-audit (PyPA, no API key)

tox.ini

@@ -54,16 +54,23 @@ commands =
     coverage report
 
 [testenv:safety]
-# Safety ignore list:
-# 39642: reportlab vuln resolved in https://github.com/mitre/debrief/pull/39
-# 39659: aiohttp cannot be upgraded to 3.7.4: https://github.com/mitre/caldera/pull/2062
+# Dependency vulnerability scan. Env name kept as "safety" so branch
+# protection contexts (`build (3.13, safety)`) don't need a coordinated
+# update; underlying tool is pip-audit (PyPA, no API key, free).
+#
+# `safety check` was deprecated 2024-06; the pyup.io account/scan
+# replacement was not worth the new secret + auth integration when
+# Dependabot, GitGuardian, and SonarCloud already cover supply chain.
+#
+# Legacy pyup ignores (39642 reportlab, 39659 aiohttp) are obsolete
+# now that aiohttp>=3.13 and reportlab>=4.0 are pinned. Add
+# `--ignore-vuln GHSA-...` here if a real exemption is needed later.
 deps =
-    safety
+    pip-audit
 skip_install = true
-whitelist_externals=find
 commands =
-    safety check -r requirements.txt --policy-file .safety-policy.yml --ignore 39642 --ignore 39659
-    safety check -r requirements-dev.txt --policy-file .safety-policy.yml
+    pip-audit -r requirements.txt
+    pip-audit -r requirements-dev.txt
 
 [testenv:bandit]
 deps =