fix(api): restore runtime verification modules and canonical key auth

.env.example

@@ -5,11 +5,14 @@ ISSUER_PUBLIC_JWK_JSON='{"kty":"EC","crv":"P-256","x":"<x>","y":"<y>"}'
 DB_PATH=attestations.sqlite
 DATABASE_URL="file:./prisma/dev.db"
 # Supabase aliases for apps/api Postgres (optional)
+SUPABASE_URL=https://<project-ref>.supabase.co
+SUPABASE_SERVICE_ROLE_KEY=replace-with-server-only-service-role-key
 SUPABASE_DB_URL=postgresql://postgres.<project-ref>:[password]@aws-0-<region>.pooler.supabase.com:6543/postgres?sslmode=require
 SUPABASE_POOLER_URL=postgresql://postgres.<project-ref>:[password]@aws-0-<region>.pooler.supabase.com:6543/postgres?sslmode=require
 SUPABASE_DIRECT_URL=postgresql://postgres:[password]@db.<project-ref>.supabase.co:5432/postgres?sslmode=require
 # Optional helper if using Supabase CLI pooler URL discovery from `supabase/.temp/pooler-url`.
 SUPABASE_DB_PASSWORD=replace-with-supabase-db-password
+SUPABASE_SECRET_KEY=replace-with-server-only-secret-key
 PORT=3000
 
 # apps/api security controls

.github/dependabot.yml

@@ -1,19 +1,53 @@
 version: 2
+
 updates:
   - package-ecosystem: "npm"
     directory: "/"
     schedule:
       interval: "weekly"
+      day: "monday"
+      time: "05:00"
+      timezone: "America/Chicago"
     open-pull-requests-limit: 5
+    groups:
+      npm-production:
+        dependency-type: "production"
+      npm-development:
+        dependency-type: "development"
     labels:
       - "dependencies"
       - "security"
+    commit-message:
+      prefix: "deps"
 
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
+      day: "monday"
+      time: "05:30"
+      timezone: "America/Chicago"
     open-pull-requests-limit: 5
+    groups:
+      github-actions:
+        patterns:
+          - "*"
+    labels:
+      - "dependencies"
+      - "security"
+    commit-message:
+      prefix: "deps"
+
+  - package-ecosystem: "cargo"
+    directory: "/circuits/non_mem_gadget"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "06:00"
+      timezone: "America/Chicago"
+    open-pull-requests-limit: 3
     labels:
       - "dependencies"
       - "security"
+    commit-message:
+      prefix: "deps"

.github/pull_request_template.md

@@ -1,14 +1,33 @@
 ## Summary
 
-- Describe the change
+- Describe the change and why it is needed.
 
-## AI Disclosure
+## Change Type
 
-- [ ] AI-assisted changes are included in this PR
+- [ ] Runtime or API behavior
+- [ ] Security or repo governance
+- [ ] Workflow or CI configuration
+- [ ] Documentation or claims boundary only
+- [ ] Dependency update
 
-## Review Checklist
+## Security Review
 
-- [ ] Human review requested
-- [ ] Tests added or updated where appropriate
+- [ ] Security impact is described
 - [ ] No secrets, tokens, cookies, or raw PII were added to code, logs, fixtures, or docs
-- [ ] Security impact and remaining risks are described
+- [ ] New permissions, auth assumptions, or trust-boundary changes are called out
+- [ ] Dependency changes were reviewed for risk
+
+## Claims Boundary And Docs
+
+- [ ] Public-facing claims or evaluator docs were updated if needed
+- [ ] No unsupported claims were introduced
+
+## Validation
+
+- [ ] Human review requested
+- [ ] Tests or validation commands were run where appropriate
+- [ ] Workflow changes were reviewed for least privilege and pinned actions
+
+## AI Disclosure
+
+- [ ] AI-assisted changes are included in this PR

.github/workflows/dependency-review.yml

@@ -0,0 +1,17 @@
+name: Security / Dependency Review
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    name: Dependency diff review
+    runs-on: ubuntu-latest
+    steps:
+      - name: Dependency review
+        uses: actions/dependency-review-action@v4 # GitHub-maintained action pinned to supported major; Dependabot tracks updates.
+        with:
+          fail-on-severity: high

.github/workflows/trivy.yml

@@ -0,0 +1,54 @@
+name: Security / Trivy Filesystem Scan
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  trivy-fs:
+    name: Trivy repository scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v4.1.7
+        with:
+          persist-credentials: false
+
+      - name: Run Trivy filesystem scan
+        uses: aquasecurity/trivy-action@0.34.0
+        with:
+          scan-type: fs
+          scan-ref: .
+          scanners: vuln
+          vuln-type: os,library
+          severity: HIGH,CRITICAL
+          ignore-unfixed: true
+          hide-progress: true
+          format: sarif
+          output: trivy-results.sarif
+          limit-severities-for-sarif: true
+          exit-code: "0"
+          skip-dirs: node_modules,.next,dist,coverage,.git
+
+      - name: Upload Trivy SARIF
+        if: always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false)
+        uses: github/codeql-action/upload-sarif@v4 # GitHub-maintained action pinned to supported major; Dependabot tracks updates.
+        with:
+          sarif_file: trivy-results.sarif
+
+      - name: Summarize Trivy mode
+        if: always()
+        run: |
+          {
+            echo "## Trivy filesystem scan"
+            echo ""
+            echo "- Mode: advisory"
+            echo "- Scope: filesystem vulnerability scan with HIGH/CRITICAL severity only"
+            echo "- Notes: ignores unfixed issues and uploads SARIF for review in Security/code scanning when token permissions allow it"
+          } >> "$GITHUB_STEP_SUMMARY"

.github/workflows/zizmor.yml

@@ -0,0 +1,42 @@
+name: Security / zizmor Workflow Audit
+
+on:
+  pull_request:
+    paths:
+      - ".github/workflows/**"
+  push:
+    paths:
+      - ".github/workflows/**"
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: zizmor advisory audit
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v4.1.7
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        continue-on-error: true
+        uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
+        with:
+          advanced-security: false
+          annotations: true
+
+      - name: Summarize zizmor mode
+        if: always()
+        run: |
+          {
+            echo "## zizmor workflow audit"
+            echo ""
+            echo "- Mode: advisory"
+            echo "- Scope: GitHub Actions workflow security linting"
+            echo "- Notes: findings are annotated in the run and should be reviewed before merging workflow changes"
+          } >> "$GITHUB_STEP_SUMMARY"