
ci: wire the merge-orchestration CVE/bump gate (bridge-gate.yml)#114

Merged
hyperpolymath merged 1 commit into main from claude/peaceful-pascal-IRlgq on Jun 13, 2026

Conversation

@hyperpolymath

Owner

Wires the merge-orchestration CVE/bump gate into reposystem's CI (from hypatia artifact 4, #459). This is a meta change — it edits the CI oracle — so per our own reflexivity rule it's for your review, NOT auto-merged. Auto-merge is deliberately left off.

.github/workflows/bridge-gate.yml runs on dependabot/ and renovate/ PRs:

  • B3 — nix bump → fail (Nix removed; close).
  • B1 — builds panic-attack --features http, runs bridge triage (queries OSV), fails if any reachable Unmitigable CVE.
  • a clean patch/minor CVE-clear bump → passes.

SHA-pinned checkout (matches this repo's convention), env-only github context, timeout-minutes set — so it passes workflow_audit itself. The verdict logic was tested in hypatia#459 (clean→PASS, unmitigable→FLAG); the OSV/build half runs for real here in CI (it couldn't in the dev sandbox).

Two operational steps after merge (your call):

  1. To make a B1/B3 failure actually block auto-merge, add bridge-gate to this repo's required status checks (branch protection).
  2. The 8 open cargo bumps (chore(deps): bump sha2 from 0.10.9 to 0.11.0 in /tools/rsr-certified #96 … chore(deps): bump clap from 4.5.60 to 4.6.1 in /tools/rsr-certified #107) won't trigger this gate until they're synchronized — comment @dependabot rebase on each (or wait for the next dependabot cycle).

Review points: (a) panic-attack must be cloneable in CI (public clone assumed); (b) the cold source-build is slow — production hardening is a released binary or a hyperpolymath/standards reusable workflow (matching your other CI). Happy to do either as a follow-up, and to replicate this to echidna + the other cargo repos once you're happy with the pattern.


Generated by Claude Code

Adds .github/workflows/bridge-gate.yml -- gates dependency-bump PRs on B3 (nix)
+ B1 (reachable unmitigable CVE, via panic-attack's OSV-backed Patch-Bridge).
SHA-pinned checkout (matches repo convention); env-only github context; timeout set.

META change (edits CI) -> owner-reviewed, not auto-merged. To make it BLOCK
auto-merge, add 'bridge-gate' to this repo's required status checks. Verdict logic
tested in hypatia#459 (clean->PASS, unmitigable->FLAG).

https://claude.ai/code/session_011GXPoh6pB6rm3jfeLHWMtc
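The gate's verdict rule from the description above (B3: Nix bump fails; B1: any reachable Unmitigable CVE fails), written out as an added example that is not the repository's bridge-gate.yml. It assumes the head ref arrives as an argument that the workflow would set under env: from github.head_ref rather than interpolating it into the script, and that the triage report is a constructed tab-separated file; the Dependabot branch layout and the report format are assumptions, not taken from the PR.

```shell
#!/bin/sh
# Added example, not the repository's own bridge-gate.yml: the gate's verdict
# rule as a POSIX shell function so it can be exercised outside CI.
# Assumptions (not from the PR): the head ref is handed in as an argument that
# the workflow sets under env: from github.head_ref, never interpolated into
# the script body; the triage report is a constructed tab-separated file,
# one finding per line: <id> <reachability> <mitigation>.

# bridge_gate_verdict HEAD_REF REPORT  -> prints SKIP, PASS, FAIL:B3 or FAIL:B1
# Exit status is non-zero on a FAIL so a CI step using it fails the job.
bridge_gate_verdict() {
  head_ref=$1
  report=$2

  # Only dependency-bump branches are gated; anything else is out of scope.
  case "$head_ref" in
    dependabot/*|renovate/*) ;;
    *) echo SKIP; return 0 ;;
  esac

  # B3: a Nix bump fails outright (Nix was removed from the repo).
  # Assumed branch layout: the bot puts the ecosystem after its prefix.
  case "$head_ref" in
    dependabot/nix/*|renovate/nix/*) echo FAIL:B3; return 1 ;;
  esac

  # B1: any finding that is both reachable and Unmitigable fails the gate;
  # unreachable or mitigated findings do not.
  if awk -F'\t' '$2 == "reachable" && $3 == "Unmitigable" { hit = 1 }
                 END { exit !hit }' "$report"; then
    echo FAIL:B1; return 1
  fi

  echo PASS; return 0
}

# Constructed sample reports (placeholder ids, not real OSV output).
CLEAN_REPORT=$(mktemp)
printf 'ID-PLACEHOLDER-1\tunreachable\tUnmitigable\nID-PLACEHOLDER-2\treachable\tMitigated\n' > "$CLEAN_REPORT"
BAD_REPORT=$(mktemp)
printf 'ID-PLACEHOLDER-1\tunreachable\tUnmitigable\nID-PLACEHOLDER-3\treachable\tUnmitigable\n' > "$BAD_REPORT"

# In CI the first argument would be "$HEAD_REF" supplied by the env: block.
bridge_gate_verdict "${HEAD_REF:-dependabot/cargo/example-bump}" "$CLEAN_REPORT"
```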
