ci(security): Faz 3 + ekstra — runner consolidation, auto-rollback, cosign, SRI, dep cleanup

* Faz 3.1 — All CI jobs moved to self-hosted pwap-runner (DEV VPS).
  No more dependency on GitHub-hosted runners — supply-chain attack
  surface from GHA runner image compromise eliminated.
* Faz 3.3 — Automatic rollback on health-check fail. Each deploy stamps
  /.deploy-sha into the artifact. On health-check failure, the deploy
  job reads the previous SHA from the live site, pulls that image, and
  redeploys. Telegram notification differentiates: rolled-back-OK,
  rollback-also-failed, no-prev-available, manual-rollback-needed.
* E.3 — cosign keyless image signing. build-image signs the GHCR
  manifest via Sigstore Fulcio (OIDC, no long-lived keys). deploy-app
  and deploy-pex verify the signature before extracting /dist —
  unsigned or tampered images cannot deploy. Identity-pinned to this
  workflow file.
* E.5 — Subresource Integrity (SRI). vite-plugin-subresource-integrity
  injects sha384 integrity= into <script>/<link> tags at build time.
  CDN/proxy compromise cannot inject tampered JS — browser blocks on
  hash mismatch.
* E.2 — Dependabot triage. 14 alerts: 7 high + 4 moderate cleared via
  npm audit fix + npm overrides (elliptic, create-ecdh). 6 low
  (transitive in vite-plugin-node-polyfills chain) accepted; the
  upstream fix proposes a semver-major DOWNGRADE which makes no sense.
* E.1 — Branch protection on main: CI Gate ✅ required, 1 review
  required, force-push and deletion blocked.

web/package-lock.json

@@ -109,6 +109,7 @@
         "typescript-eslint": "^8.0.1",
         "vite": "^7.3.1",
         "vite-plugin-node-polyfills": "^0.25.0",
+        "vite-plugin-subresource-integrity": "^0.0.12",
         "vitest": "^4.0.10"
       }
     },
@@ -13259,6 +13260,13 @@
         "vite": "^2.0.0 || ^3.0.0 || ^4.0.0 || ^5.0.0 || ^6.0.0 || ^7.0.0"
       }
     },
+    "node_modules/vite-plugin-subresource-integrity": {
+      "version": "0.0.12",
+      "resolved": "https://registry.npmjs.org/vite-plugin-subresource-integrity/-/vite-plugin-subresource-integrity-0.0.12.tgz",
+      "integrity": "sha512-geKEo1KgGA56G8CciaoKA3Yf7ckpR23zSuSW802xrisW6vnH+dAYjKXZygEcmFKfsOe0+r3uG7Oz9eFEwhdjxg==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/vite/node_modules/fdir": {
       "version": "6.5.0",
       "resolved": "https://registry.npmjs.org/fdir/-/fdir-6.5.0.tgz",

web/package.json

@@ -120,7 +120,9 @@
     "@pezkuwi/x-textdecoder": "^14.0.25",
     "@pezkuwi/x-textencoder": "^14.0.25",
     "@pezkuwi/x-ws": "^14.0.25",
-    "@pezkuwi/networks": "^14.0.25"
+    "@pezkuwi/networks": "^14.0.25",
+    "elliptic": "^6.6.1",
+    "create-ecdh": "^5.0.1"
   },
   "devDependencies": {
     "@eslint/js": "^9.9.0",
@@ -147,6 +149,7 @@
     "typescript-eslint": "^8.0.1",
     "vite": "^7.3.1",
     "vite-plugin-node-polyfills": "^0.25.0",
+    "vite-plugin-subresource-integrity": "^0.0.12",
     "vitest": "^4.0.10"
   }
 }

web/vite.config.ts

@@ -3,6 +3,7 @@ import { defineConfig } from "vitest/config";
 import react from "@vitejs/plugin-react-swc";
 import path from "path";
 import { nodePolyfills } from 'vite-plugin-node-polyfills';
+import subresourceIntegrity from 'vite-plugin-subresource-integrity';
 
 // https://vitejs.dev/config/
 export default defineConfig(({ command }) => ({
@@ -38,6 +39,10 @@ export default defineConfig(({ command }) => ({
       },
       protocolImports: true,
     }),
+    // SRI: production build sırasında <script>/<link> tag'lerine
+    // sha384 integrity hash ekle. CDN/proxy compromise olsa bile
+    // tampered asset browser tarafından load edilmez.
+    command === 'build' ? subresourceIntegrity({ algorithm: 'sha384' }) : null,
   ].filter(Boolean),
   resolve: {
     mainFields: ['browser', 'module', 'main', 'exports'],