chore: supply-chain hardening #23

Open
erik1o6 wants to merge 1 commit into main from chore/repo-hardening-2026-05-12

Conversation

@erik1o6 erik1o6 commented May 11, 2026


Applies the repo-hardening skill (bun ecosystem).

Repo posture

  • Type: app (bun runtime; small service for token images)
  • Mixed lockfiles: had bun.lockb AND pnpm-lock.yaml. All scripts call bun run — bun is the source of truth
  • One workflow: triggers HTTP syncs; does not install deps

Controls applied

  • Deleted pnpm-lock.yaml (kept bun.lockb)
  • 4/5. Added bunfig.toml with [install] frozenLockfile=true, exact=true — bun equivalent of npm ci + save-exact=true
  • 8. .github/dependabot.yml with 7-day cooldown for npm and github-actions
  • 10. Workflow permissions contents: read

Skipped

  • 1: deps still ranged — pinning them is a separate small PR; lockfile + frozen gate provides interim protection
  • 2: no packageManager field (bun isn't supported by Corepack as of writing)
  • 3: .nvmrc/engines.node not added — repo runs only on bun, not Node
  • 6/7: no PR-CI workflow
  • 9: no Dockerfile
  • 11: workflow only has scheduled trigger; no actions/checkout etc. to pin
  • Native release-age gate not available in bun yet — flagged for follow-up when bun adds it

⚠️ Needs review

  • Bun ecosystem — confirm bunfig.toml keys are picked up by your dev/deploy paths
  • Deleted pnpm-lock.yaml — confirm nothing in deploy used pnpm path

- Delete pnpm-lock.yaml (bun.lockb is the source of truth — all scripts use `bun run`)
- Add bunfig.toml with [install] frozenLockfile=true, exact=true
- fetch-token-images.yml: add permissions: contents: read
- Add .github/dependabot.yml with 7-day cooldown for npm and github-actions

Notes: bun does not currently expose a native release-age gate; relying on bun.lockb + frozenLockfile + dependabot cooldown for now.
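Added example, not code from this PR or from the repository it targets: a POSIX shell audit that builds a constructed fixture in the "before" state the description lists (bun.lockb plus pnpm-lock.yaml, no bunfig.toml, a scheduled workflow with default token permissions), applies the same four controls, and re-runs the checks a reviewer would do by hand. The `[install]` keys `frozenLockfile` and `exact` and Dependabot's `cooldown.default-days` are documented settings; the fixture's package.json, cron schedule, URL and temp-dir paths are made up. Whether Dependabot's `npm` ecosystem will resolve updates against a repo that has only a bun lockfile is something to confirm in the real repo; the script only writes the file.

```shell
#!/bin/sh
# Added example, not the PR's own code. Fixture contents are constructed.

# Count package-manager lockfiles in a checkout. More than one means two
# install paths can disagree about which versions are resolved.
lockfile_count() {
  n=0
  for f in bun.lockb bun.lock pnpm-lock.yaml package-lock.json yarn.lock; do
    [ -e "$1/$f" ] && n=$((n + 1))
  done
  echo "$n"
}

# Count references to other package managers in package.json and workflows;
# each hit is an install path that would ignore bun.lockb and bunfig.toml.
foreign_pm_refs() {
  grep -rEc '(pnpm|npm (ci|install)|yarn)' "$1/package.json" "$1/.github/workflows" 2>/dev/null \
    | awk -F: '{ s += $NF } END { print s + 0 }'
}

# Succeed only if bunfig.toml sets frozenLockfile and exact under [install].
# Comments and whitespace are stripped so "exact=true" and "exact = true" both count.
bunfig_hardened() {
  [ -f "$1/bunfig.toml" ] || return 1
  awk '
    { l = $0; sub(/#.*/, "", l); gsub(/[ \t]/, "", l) }
    l ~ /^\[/                                        { sec = l }
    sec == "[install]" && l == "frozenLockfile=true" { fl = 1 }
    sec == "[install]" && l == "exact=true"          { ex = 1 }
    END { exit !(fl && ex) }
  ' "$1/bunfig.toml"
}

# Succeed only if every workflow declares a top-level permissions block
# (a job-level block is indented and does not match ^permissions:).
workflows_scoped() {
  for w in "$1"/.github/workflows/*.yml; do
    [ -f "$w" ] || continue
    grep -q '^permissions:' "$w" || return 1
  done
  return 0
}

# Build the "before" state: two lockfiles, no bunfig.toml, a scheduled
# workflow that never installs deps and relies on default token permissions.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/.github/workflows"
  : > "$d/bun.lockb"
  : > "$d/pnpm-lock.yaml"
  printf '{ "scripts": { "sync": "bun run src/sync.ts" } }\n' > "$d/package.json"
  printf 'on:\n  schedule:\n    - cron: "0 3 * * *"\njobs:\n  sync:\n    runs-on: ubuntu-latest\n    steps:\n      - run: curl -fsS https://example.invalid/sync\n' \
    > "$d/.github/workflows/fetch-token-images.yml"
  echo "$d"
}

# Apply the four controls from the PR description to a fixture directory.
apply_hardening() {
  rm -f "$1/pnpm-lock.yaml"
  printf '[install]\nfrozenLockfile = true\nexact = true\n' > "$1/bunfig.toml"
  printf 'permissions:\n  contents: read\n' \
    | cat - "$1/.github/workflows/fetch-token-images.yml" > "$1/.tmp" \
    && mv "$1/.tmp" "$1/.github/workflows/fetch-token-images.yml"
  cat > "$1/.github/dependabot.yml" <<'EOF'
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7
EOF
}

# Run every check, print one line each, return non-zero if any fails.
audit() {
  rc=0
  echo "lockfiles: $(lockfile_count "$1")"
  [ "$(lockfile_count "$1")" -eq 1 ] || rc=1
  echo "foreign package-manager refs: $(foreign_pm_refs "$1")"
  [ "$(foreign_pm_refs "$1")" -eq 0 ] || rc=1
  if bunfig_hardened "$1"; then echo "bunfig.toml: hardened"; else echo "bunfig.toml: missing or unhardened"; rc=1; fi
  if workflows_scoped "$1"; then echo "workflows: permissions declared"; else echo "workflows: default token permissions"; rc=1; fi
  return $rc
}
```

Run `audit` against the real checkout instead of the fixture to cover the two "Needs review" items: a non-zero `foreign_pm_refs` count points at the deploy path that still used pnpm, and `bunfig_hardened` failing means the keys the PR relies on are not where bun will read them.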