fix: scanner timeouts, semgrep memory cap, syft remote lookups, Script error (#78)

## Summary

- **Scan produces no results in Orca** — semgrep (`--config=auto`, unbounded memory) and syft (remote license network calls) were getting OOM-killed or hanging in resource-constrained Orca containers. Scan would "complete" with 0 findings/SBOMs silently because each scanner failure is caught and logged as a warning.
- **Dashboard Script error spam** — `document::Script` in Dioxus 0.7 needs a single text node child for inline scripts; `dangerous_inner_html` was invalid and spammed the error log on every unauthenticated page load.

## Changes

| File | Change |
|------|--------|
| `semgrep.rs` | Add `--max-memory 500 --jobs 1`; 10-minute timeout |
| `syft.rs` | Remove remote license lookup env vars; 5-minute timeout |
| `gitleaks.rs` | 5-minute timeout |
| `app_shell.rs` | Fix `dangerous_inner_html` → text child in `document::Script` |

## Test plan

- [ ] Trigger a scan on a repo in Orca — findings and SBOM entries should now appear
- [ ] Agent logs should show timeout/error warnings rather than silent empty results when tools are killed
- [ ] Navigate to dashboard unauthenticated — Script error gone from logs
- [ ] Verify scans work end-to-end with `docker compose up`

---------

Co-authored-by: Sharang Parnerkar <30073382+mighty840@users.noreply.github.com>
Reviewed-on: #78

.cargo/audit.toml

@@ -0,0 +1,10 @@
+[advisories]
+ignore = [
+    # hickory-proto 0.25.x pulled in transitively via mongodb → hickory-resolver.
+    # MongoDB 3.x has not yet released with hickory-resolver 0.26.x, so we cannot
+    # upgrade past this without a mongodb release. Both are DNS-layer DoS vectors
+    # requiring a MITM/controlled DNS server against MongoDB's hostname resolution —
+    # not a realistic attack surface here. Revisit when mongodb bumps hickory.
+    "RUSTSEC-2026-0118", # NSEC3 loop, no fix available upstream
+    "RUSTSEC-2026-0119", # O(n²) name compression, fixed in hickory-proto >=0.26.1
+]