chore(audit): add --strict mode + baseline file (CI gate)

scripts/audit_license_cve.baseline.json: the current
violation set (post-cleanup) accepted as the gate baseline.
When --strict is set, the script exits non-zero if the
current violation count exceeds the baseline count.

To regenerate the baseline after an intentional change
(e.g., adding a new dep with an acceptable license), run:
  uv run python -m scripts.audit_license_cve --dump-baseline

Also fixes the baseline path: it now lives next to the script
(Path(__file__).parent) instead of the wrong location under
docs/reports/scripts/. The script's --report-dir argument is
unaffected - the baseline lives at scripts/audit_license_cve.baseline.json
regardless of the report directory.

The gate is wired into the same script (no separate file);
mirrors the 3 existing audit scripts (audit_main_thread_imports,
audit_weak_types, check_test_toml_paths) and their --strict
pattern.

28 unit + integration tests passing.
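The baseline-gated check the commit message describes (exit non-zero in --strict mode when the current violation set grows past a baseline stored next to the script, regenerated with --dump-baseline) can be sketched as a small stand-alone module. This is an added example, not the project's scripts/audit_license_cve.py: the function names, the violation record layout ({"package", "kind"}), the exit codes and the sample violations are all assumptions. It goes one step beyond the commit: it compares the set of violation keys rather than the count, so a swap of one violation for another is caught, and it fails closed when the baseline is missing or carries an unexpected schema_version.

```python
"""Baseline-gated audit check (added example; not the project's own script)."""
from __future__ import annotations

import json
import sys
import tempfile
from pathlib import Path

BASELINE_NAME = "audit_license_cve.baseline.json"  # file name from the commit message
SCHEMA_VERSION = 1


def baseline_path(script_dir: Path) -> Path:
    """The baseline sits next to the script, never under --report-dir."""
    return script_dir / BASELINE_NAME


def violation_key(v: dict) -> str:
    """Stable identity for a violation (assumed record layout: package + kind)."""
    return f"{v['package']}:{v['kind']}"


def make_baseline_doc(violations: list[dict]) -> dict:
    # Sorted keys so a regenerated baseline diffs cleanly in review.
    return {
        "schema_version": SCHEMA_VERSION,
        "baseline_violations": sorted(violation_key(v) for v in violations),
    }


def dump_baseline(violations: list[dict], path: Path) -> None:
    path.write_text(json.dumps(make_baseline_doc(violations), indent=2) + "\n",
                    encoding="utf-8")


def evaluate(violations: list[dict], baseline_doc: dict | None) -> tuple[int, list[str]]:
    """Pure gate decision. Returns (exit_code, newly introduced violation keys).

    0: every current violation is already in the baseline.
    1: at least one violation is not in the baseline (set comparison, so a
       swap of one violation for another is caught even when the count is equal).
    2: no usable baseline (missing file or wrong schema_version); strict mode
       fails closed instead of silently passing. Exit codes are an assumption.
    """
    if baseline_doc is None or baseline_doc.get("schema_version") != SCHEMA_VERSION:
        return 2, []
    accepted = set(baseline_doc.get("baseline_violations", []))
    new = sorted({violation_key(v) for v in violations} - accepted)
    return (1 if new else 0), new


def strict_gate(violations: list[dict], path: Path) -> tuple[int, list[str]]:
    """File-backed wrapper around evaluate(); prints findings to stderr."""
    doc = json.loads(path.read_text(encoding="utf-8")) if path.exists() else None
    code, new = evaluate(violations, doc)
    if code == 2:
        print(f"strict: no usable baseline at {path}; run --dump-baseline first",
              file=sys.stderr)
    for key in new:
        print(f"strict: new violation not in baseline: {key}", file=sys.stderr)
    return code, new


# Constructed sample violations (not real audit output).
ACCEPTED = [
    {"package": "foo", "kind": "license"},
    {"package": "bar", "kind": "vuln"},
]


def demo() -> dict:
    """Round-trip through a temp dir: no baseline, dump it, then gate three cases."""
    with tempfile.TemporaryDirectory() as d:
        path = baseline_path(Path(d))
        missing = strict_gate(ACCEPTED, path)[0]  # no baseline yet -> 2
        dump_baseline(ACCEPTED, path)
        same = strict_gate(ACCEPTED, path)[0]  # unchanged set -> 0
        extra = strict_gate(ACCEPTED + [{"package": "baz", "kind": "license"}], path)
        # Same count as the baseline, different member: a count-only gate passes this.
        swapped = strict_gate([ACCEPTED[0], {"package": "qux", "kind": "vuln"}], path)
    return {"missing": missing, "same": same, "extra": extra, "swapped": swapped}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    sys.exit(0)
```

The "swapped" case is the reason to prefer a set comparison over a count: it has exactly as many violations as the baseline, so a count-only gate would pass it, while the set comparison reports qux:vuln as new.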
2026-06-07 15:24:57 -04:00
parent 20fa355838
commit a7ab994f30
3 changed files with 66 additions and 2 deletions
+2 -2
@@ -204,7 +204,7 @@ def main() -> int:
_write_report(violations, report_path, args)
if args.strict:
baseline_path = Path(args.report_dir).parent / "scripts" / "audit_license_cve.baseline.json"
baseline_path = Path(__file__).parent / "audit_license_cve.baseline.json"
if baseline_path.exists():
baseline = json.loads(baseline_path.read_text(encoding="utf-8"))
baseline_n = len(baseline.get("baseline_violations", []))
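Review bot: the gate at `baseline_n = len(baseline.get("baseline_violations", []))` compares counts only, so a change that drops one accepted violation and introduces a different one keeps the count equal and passes --strict; compare the set of violation identifiers against `baseline_violations` and fail on any entry not in the baseline instead. The visible context also shows no else branch for `if baseline_path.exists():`, so a missing baseline in strict mode appears to skip the check; fail closed there with a message pointing at --dump-baseline, and since the file carries `schema_version`, reject an unexpected version on the read side too.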
@@ -213,7 +213,7 @@ def main() -> int:
return 1
if args.dump_baseline:
baseline_path = Path(args.report_dir).parent / "scripts" / "audit_license_cve.baseline.json"
baseline_path = Path(__file__).parent / "audit_license_cve.baseline.json"
baseline_path.parent.mkdir(parents=True, exist_ok=True)
baseline_path.write_text(json.dumps({
"schema_version": 1,
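Review bot: `baseline_path.parent.mkdir(parents=True, exist_ok=True)` is now a no-op, because with the corrected path `baseline_path.parent` is `Path(__file__).parent`, the directory the running script already lives in; drop it. While touching the dump, write the baseline entries in sorted order with a trailing newline so a regenerated `audit_license_cve.baseline.json` produces a minimal, reviewable diff when a dependency is intentionally added.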