
chore: add dependency-review + cargo-audit + commitlint workflows #27

Merged
satyakwok merged 6 commits into main from chore/add-rust-supply-chain-hardening on May 13, 2026

Conversation

@satyakwok (Member) commented May 13, 2026

Why

Mirrors the supply-chain hygiene already running on `sentrix-labs/sentrix`. indexer-rs reads chain RPC + writes to Postgres / Redis / ClickHouse — compromised deps here would have direct write access to operator infra.

Per the repo hardening matrix (`research/02_repo_hardening_matrix.md`), this is HIGH priority. `gitleaks` already landed in #26; this PR closes the remaining hardening gaps.

What

  • `.github/workflows/dependency-review.yml` — blocks PRs introducing HIGH-severity vulns or licenses outside our allowlist (license list mirrors `deny.toml` for consistency).
  • `.github/workflows/cargo-audit.yml` — daily-scheduled + per-PR RustSec advisory scan. Catches new advisories against existing deps that `deny.toml` hasn't seen yet. Non-blocking warning for now (promote to blocking once backlog is clean).
  • `.github/workflows/commitlint.yml` + `.commitlintrc.json` — Conventional Commits on PR messages.

`cargo-deny` is already wired in `ci.yml`'s `deny` job — not duplicated.

Test plan

  • Open this PR → all three new workflows fire on the diff

Summary by CodeRabbit

  • Chores
    • Enforced stricter commit message rules with a 100‑char header limit and constrained set of allowed types; body/footer line limits left unconstrained.
    • Added CI check to lint commit messages on PRs.
    • Added scheduled and on‑push vulnerability scanning that surfaces advisories as non‑blocking warnings.
    • Added automated dependency and license review that blocks high‑severity issues and summarizes findings in PRs.

Review Change Stack

Mirrors the supply-chain hygiene already running on sentrix-labs/sentrix.
indexer-rs reads chain RPC + writes to Postgres / Redis / ClickHouse;
keeping the dep tree clean matters because compromised deps would have
direct write access to operator infra.

dependency-review: blocks PRs introducing HIGH-severity vulns or
licenses outside our allowlist (mirrors deny.toml).

cargo-audit: daily-scheduled + per-PR RustSec advisory scan. Catches
new advisories against existing deps that deny.toml hasn't seen yet.
Non-blocking warning for now; promote to blocking once backlog is clean.

commitlint: enforces Conventional Commits on PR messages.

cargo-deny is already wired in ci.yml's `deny` job — not duplicated.
@coderabbitai (Bot) commented May 13, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: e3007e12-4723-4161-97b5-e1863abecc4d

📥 Commits

Reviewing files that changed from the base of the PR and between 6d96118 and bc5847e.

📒 Files selected for processing (1)
  • .github/workflows/cargo-audit.yml

📝 Walkthrough

This PR adds CI checks and commit rules: a .commitlintrc.json file for commit message validation, a commitlint GitHub Actions workflow that runs on PRs to main, a dependency-review workflow that diffs dependency changes and enforces license/security policies on PRs, and a cargo-audit workflow that runs on PRs, pushes to main, on a daily schedule, and via manual dispatch while mapping cargo-audit exit codes to warnings vs. failures.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • Sentriscloud/sdk-rs#6: Pins GitHub Actions workflow uses: entries to specific commit SHAs for reproducibility, similar to the dependency-review action pinning in this PR.
🚥 Pre-merge checks | ✅ 5 passed
  • Title check: ✅ Passed. The title accurately summarizes the main changes: adding three workflows (dependency-review, cargo-audit, commitlint) for repository hardening.
  • Description check: ✅ Passed. The description provides clear context (Why), detailed changes (What), and confirmation of testing (Test plan), though it does not follow the template structure with Scope and Deploy impact checkboxes.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@coderabbitai (Bot) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/cargo-audit.yml:
- Around line 41-45: Replace the current unconditional fallback ("cargo audit
... || echo ...") with a post-run exit-code check: run the cargo audit command
(with the same --ignore flags), capture its exit status ($?), and then if the
status is 1 emit the existing warning message (non-blocking advisories), but if
the status is 2 or greater re-exit the workflow with that code so execution
failures fail the job; keep the same ignored IDs and warning text and ensure the
shell step returns the captured exit code on error cases >=2.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: c4abe018-0872-4c42-9d71-13cf242e2325

📥 Commits

Reviewing files that changed from the base of the PR and between 96d3e89 and b05362e.

📒 Files selected for processing (4)
  • .commitlintrc.json
  • .github/workflows/cargo-audit.yml
  • .github/workflows/commitlint.yml
  • .github/workflows/dependency-review.yml

Comment thread: .github/workflows/cargo-audit.yml (outdated)

satyakwok added 3 commits May 13, 2026 18:18

dependency-review-action requires GitHub Advanced Security on private
repositories. indexer-rs is private (intentionally — auth surface still
WIP per docs/INDEXER_RS_CREDS_AUTH.md), so the action errors with
"Dependency review is not supported on this repository".

Same scope already covered by:
- cargo-deny (full-tree license + advisory + ban check on every push)
- cargo-audit (daily-scheduled RustSec scan)
- Dependabot alerts (auto-PRs for vulnerable deps)

When indexer-rs flips public, the dep-review workflow can be added back
without other changes.

The previous `|| echo` pattern converted ALL non-zero exits — including
cargo-audit tool/runtime failures (network error, corrupt advisory db,
etc) — into non-blocking warnings, indistinguishable from real
findings on the PR check summary.

cargo-audit exits 1 for findings (per RustSec Advisory Database) and
2+ for execution errors. Use case statement to surface the right signal:
- exit 0 = no advisories (silent success)
- exit 1 = findings (warning, non-blocking — backlog phase)
- exit 2+ = execution failure (error, fails the job)

Followup to CodeRabbit comment on PR #27.
@coderabbitai (Bot) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/cargo-audit.yml:
- Around line 8-10: Update the stale comment that still claims the job is
wrapped in "|| echo ::warning::" to reflect the actual explicit exit-code
branching logic now used later in the workflow; find the top comment that
mentions "|| echo ::warning::" and replace it with a concise note stating the
job uses explicit exit-code branching (see the conditional exit handling later
in the workflow) and instruct that the check can be promoted to a blocking
failure by removing the non-blocking branching once the backlog is cleared.
Ensure the updated comment references the explicit exit-code behavior rather
than the old shim so future maintainers aren't misled.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: c0e250c7-f2ad-48e2-bf8d-5e7d757a46b4

📥 Commits

Reviewing files that changed from the base of the PR and between b05362e and 3138ed0.

📒 Files selected for processing (1)
  • .github/workflows/cargo-audit.yml

Comment thread: .github/workflows/cargo-audit.yml (outdated)

The header still described the old `|| echo ::warning::` shim that
swallowed all non-zero exits. The actual workflow now uses explicit
exit-code branching (commit 3138ed0) — exit 1 = warning, exit 2+ =
fail. Comment now matches.

Followup to CodeRabbit comment on PR #27.
@coderabbitai (Bot) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/cargo-audit.yml:
- Around line 37-38: Update the "Install cargo-audit" CI step to pin cargo-audit
to a specific version for reproducible scans: replace the current install
invocation (cargo install cargo-audit --locked) with a version-pinned install
(use the --version flag, e.g. cargo install cargo-audit --locked --version
x.y.z) so the workflow always installs the explicit cargo-audit release; confirm
the chosen version and update any workflow docs if needed.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: ff8835d5-8567-4675-a97d-83ab054a869a

📥 Commits

Reviewing files that changed from the base of the PR and between 3138ed0 and 6d96118.

📒 Files selected for processing (1)
  • .github/workflows/cargo-audit.yml

Comment thread: .github/workflows/cargo-audit.yml (outdated)

The previous `cargo install cargo-audit --locked` pulled whatever was
latest-stable at install time, which means a drift-by-default behaviour
in a security-sensitive scan: a backwards-incompatible cargo-audit
release could change which advisories fire (or how exit codes map)
without anyone noticing until CI behaves differently.

Pin via env-var so future bumps are intentional (PR diff visible) and
matches the existing SHA-pin discipline applied to GitHub Actions in
this workflow.

Followup to CodeRabbit comment on PR #27. Version verified against
crates.io API: 0.22.1 is the current max_stable.
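The exit-code branching from the earlier commit message (exit 0 silent, exit 1 warning, exit 2+ fails the job) and the version pin from the commit message just above, written out as one added shell example. This is not the PR's own workflow step; it assumes the mapping the commit message states (1 = advisories found, any other non-zero status = the tool itself failed), and the names CARGO_AUDIT_VERSION, AUDIT_BLOCKING, classify_exit, run_audit and install_audit are this example's own. The audit command is passed in as arguments, so the mapping can be exercised offline with a stand-in command that returns a chosen status.

```shell
#!/usr/bin/env sh
# Added example (not the PR's workflow): map cargo-audit exit codes to
# distinct CI signals instead of swallowing every non-zero status.
# Assumed, following the commit message: 0 = no advisories,
# 1 = advisories found, anything else = the tool itself failed to run.
set -u

# Assumed pin; bumps then show up as a PR diff instead of drifting silently.
: "${CARGO_AUDIT_VERSION:=0.22.1}"
# 0 = findings are a non-blocking warning (backlog phase),
# 1 = findings fail the job (promote once the backlog is clean).
: "${AUDIT_BLOCKING:=0}"

# Pure classification of an exit status; no side effects.
classify_exit() {
  case "$1" in
    0) echo clean ;;
    1) echo findings ;;
    *) echo error ;;
  esac
}

# Run the audit command given as arguments and emit a GitHub Actions
# workflow command matching its status. Returns 0 for clean, 0 or 1 for
# findings depending on AUDIT_BLOCKING, and the tool's own status on error.
run_audit() {
  status=0
  "$@" && status=0 || status=$?
  case "$(classify_exit "$status")" in
    clean)
      echo "cargo audit: no advisories"
      return 0 ;;
    findings)
      if [ "$AUDIT_BLOCKING" = 1 ]; then
        echo "::error::RustSec advisories found"
        return 1
      fi
      echo "::warning::RustSec advisories found (non-blocking during backlog phase)"
      return 0 ;;
    *)
      echo "::error::cargo audit did not run to completion (exit $status)"
      return "$status" ;;
  esac
}

# Pinned install, the shape CodeRabbit asked for in this PR.
install_audit() {
  cargo install cargo-audit --locked --version "$CARGO_AUDIT_VERSION"
}

# CI entry points: "install", or "run [--ignore RUSTSEC-...]" which passes
# extra flags straight through to cargo audit.
case "${1:-}" in
  install) install_audit ;;
  run) shift; run_audit cargo audit "$@" ;;
esac
```

The `"$@" && status=0 || status=$?` form captures the status whether or not the calling step runs under `set -e`, which is what the original `|| echo` shim got wrong: under that shim a network error or corrupt advisory database looked identical to a real finding.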
@satyakwok satyakwok merged commit 2dce881 into main May 13, 2026
8 checks passed