Automated CI Pipeline (GitHub Actions) - M50

Implement a GitHub Actions workflow that runs pytest, bandit, and safety on every push and PR. ROI: Saves 2 hours/week of manual verification. Acceptance Criteria: Workflow passes on main branch, reports coverage, and blocks merges on security failures.