ci(security): simplify to repo-specific layout, drop unsupported cache expr

GitHub rejected the prior workflow on registration (0 jobs created,
rerequestable=false) — most likely the dynamic `cache: \${{ ... && ... || ... }}`
expression in setup-node and/or the missing .python-version file referenced
unconditionally. Switching to a static config tailored to this repo's
actual layout (sdk/ for JS, core/ for Go, no Python).

.github/workflows/security.yml

@@ -1,8 +1,7 @@
-# DeBros canonical security CI workflow.
+# DeBros canonical security CI workflow (orama-specific).
 #
-# Auto-detects the project's language and runs the appropriate
-# supply-chain + vulnerability checks. Drop this file into
-# .github/workflows/ in any DeBros-compliant repo.
+# Runs supply-chain + vulnerability checks per the DeBros baseline rules.
+# Triggers on main pushes/PRs and weekly to catch newly-published CVEs.
 #
 # See: https://github.com/DeBrosDAO/rules/blob/main/DEBROS.md
 
@@ -10,89 +9,81 @@ name: security
 
 on:
   pull_request:
-    branches: [main, master]
+    branches: [main]
   push:
-    branches: [main, master]
+    branches: [main]
   schedule:
-    # Weekly scan even on quiet repos — catches newly-published CVEs
+    # Weekly scan even on quiet weeks — catches newly-published CVEs
     # in existing dependencies.
     - cron: "0 8 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   # ------------------------------------------------------------------
-  # JavaScript / TypeScript
+  # JavaScript / TypeScript (sdk/)
   # ------------------------------------------------------------------
   npm-audit:
-    if: ${{ hashFiles('**/package.json') != '' }}
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
+    defaults:
+      run:
+        working-directory: sdk
     steps:
       - uses: actions/checkout@v4
 
       - name: Verify lockfile committed
         run: |
-          if [ ! -f pnpm-lock.yaml ] && [ ! -f package-lock.json ] && [ ! -f yarn.lock ] && [ ! -f bun.lockb ]; then
-            echo "::error::No lockfile committed. See DEBROS.md §1.2"
+          if [ ! -f pnpm-lock.yaml ]; then
+            echo "::error::sdk/pnpm-lock.yaml must be committed (DEBROS.md §1.2)"
             exit 1
           fi
 
       - name: Verify .npmrc blocks install scripts
         run: |
           if ! grep -q '^ignore-scripts=true' .npmrc 2>/dev/null; then
-            echo "::error::.npmrc must contain 'ignore-scripts=true' (DEBROS.md §1.3, JS/TS compliance)"
+            echo "::error::sdk/.npmrc must contain 'ignore-scripts=true' (DEBROS.md §1.3)"
             exit 1
           fi
 
-      - uses: pnpm/action-setup@v3
-        if: ${{ hashFiles('pnpm-lock.yaml') != '' }}
+      - uses: pnpm/action-setup@v4
         with:
-          run_install: false
+          version: 9
 
       - uses: actions/setup-node@v4
         with:
           node-version-file: ".nvmrc"
-          cache: ${{ hashFiles('pnpm-lock.yaml') != '' && 'pnpm' || 'npm' }}
+          cache: pnpm
+          cache-dependency-path: sdk/pnpm-lock.yaml
 
-      - name: Install (frozen lockfile)
-        run: |
-          if [ -f pnpm-lock.yaml ]; then
-            pnpm install --frozen-lockfile
-          elif [ -f package-lock.json ]; then
-            npm ci
-          elif [ -f yarn.lock ]; then
-            yarn install --frozen-lockfile
-          fi
+      - name: Install (frozen lockfile, no scripts)
+        run: pnpm install --frozen-lockfile --ignore-scripts
 
-      - name: Audit (production deps)
-        run: |
-          if [ -f pnpm-lock.yaml ]; then
-            pnpm audit --prod --audit-level=high
-          else
-            npm audit --omit=dev --audit-level=high
-          fi
+      - name: Audit production deps
+        run: pnpm audit --prod --audit-level=high
 
   # ------------------------------------------------------------------
-  # Go
+  # Go (core/)
   # ------------------------------------------------------------------
   go-vuln:
-    if: ${{ hashFiles('**/go.mod') != '' }}
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
+    defaults:
+      run:
+        working-directory: core
     steps:
       - uses: actions/checkout@v4
 
       - name: Verify go.sum committed
         run: |
           if [ ! -f go.sum ]; then
-            echo "::error::go.sum must be committed (DEBROS.md §1.2)"
+            echo "::error::core/go.sum must be committed (DEBROS.md §1.2)"
             exit 1
           fi
 
       - uses: actions/setup-go@v5
         with:
-          go-version-file: "go.mod"
+          go-version-file: core/go.mod
+          cache-dependency-path: core/go.sum
 
       - name: Verify modules
         run: go mod verify
@@ -102,43 +93,3 @@ jobs:
 
       - name: Run govulncheck
         run: govulncheck ./...
-
-      - name: Install staticcheck
-        run: go install honnef.co/go/tools/cmd/staticcheck@latest
-
-      - name: Run staticcheck
-        run: staticcheck ./...
-
-  # ------------------------------------------------------------------
-  # Python
-  # ------------------------------------------------------------------
-  python-audit:
-    if: ${{ hashFiles('**/pyproject.toml') != '' || hashFiles('**/requirements*.txt') != '' }}
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Verify lockfile committed
-        run: |
-          if [ ! -f poetry.lock ] && [ ! -f uv.lock ] && [ ! -f Pipfile.lock ]; then
-            echo "::warning::No lockfile detected. Consider Poetry or uv for reproducibility (DEBROS.md §1.2)"
-          fi
-
-      - uses: actions/setup-python@v5
-        with:
-          python-version-file: ".python-version"
-
-      - name: Install pip-audit
-        run: pip install pip-audit
-
-      - name: Run pip-audit
-        run: |
-          if [ -f poetry.lock ]; then
-            pip-audit --strict
-          elif [ -f requirements.txt ]; then
-            pip-audit --requirement requirements.txt --strict
-          else
-            pip-audit --strict
-          fi