[EPIC] Security & supply-chain hardening for mainnet

[joelpeace48-cell]

Epic / consolidation. Merges the security-hardening + supply-chain tasks into one high-priority, mainnet-blocking initiative. Supersedes #585, #586, #588, #589, #590, #591, #592, #599 (and folds in the intent of the former bug-bounty/pentest/threat-model docs).

Why this matters (trust = growth)

For a value-moving rewards platform, a single security incident ends the project. Security and supply-chain integrity are prerequisites for operators to trust Trivela with real assets — and therefore for adoption. This bundles the hardening work that must land before mainnet.

Goal

Harden the build pipeline and runtime against supply-chain and application attacks: signed/attested artifacts, reproducible builds, brute-force protection, strict CSP, secret rotation, input fuzzing, and abuse-resistant allowlist imports.

Scope (merged work items)

• SBOM + provenance — CycloneDX SBOM (npm + cargo) + SLSA build provenance attached to releases. (was feat: SBOM generation + SLSA build provenance in CI #585)
• Image signing — cosign keyless signing in CI + verification at deploy (reject unsigned). (was feat: Container image signing (cosign) + verification at deploy #586)
• Reproducible builds — npm ci/cargo --locked, rust-toolchain.toml, CI double-build WASM hash equality, lockfile-lint. (was feat: Dependency pinning + reproducible-build verification (WASM hash) #591)
• Brute-force/lockout — progressive delay + temporary lockout on auth endpoints (API key + SEP-10) with spike alerting. (was feat: Brute-force / lockout protection on auth endpoints #588)
• Strict CSP + SRI — nonce-based CSP (no unsafe-inline), SRI for external assets, violation reporting; tighten the security-headers CI job. (was feat: Strict nonce-based CSP + Subresource Integrity (SRI) #589)
• Secret rotation — rotation tooling (API keys, JWT dual-key, signing keys via 2-step admin) + leak-response runbook. (was feat: Automated secret rotation + leak-response runbook #590)
• API input fuzzing — schema-driven fuzzing of all endpoints in CI; assert no 5xx/crashes. (was feat: Schema-driven API input fuzzing in CI #592)
• Allowlist anomaly detection — flag dupes/invalid/oversized/clustered bulk imports + confirmation gate before committing the Merkle root. (was feat: Allowlist anomaly detection for bulk imports #599)
• Disclosure — SECURITY.md + .well-known/security.txt + coordinated-disclosure workflow.

Acceptance criteria

• Releases ship verifiable SBOM + provenance; unsigned images rejected at deploy.
• Same commit → identical WASM hash in CI; lockfile/dependency drift fails CI.
• Brute-force triggers lockout; CSP blocks inline/un-pinned scripts; fuzz run finds no unhandled errors; anomalous imports are gated.

Verification

• CI: hash double-build, cosign verify (negative test), fuzz job, promtool/header scans; brute-force + anomaly integration tests.

Priority: high · Difficulty: hard · Effort: L · mainnet blocker