feat: unified auth model, project onboarding, install pipeline, config management

The full scope across this batch: POST /sessions key→token exchange, SessionStore dual-index with revoke_by_id, CLI Bearer injection (ONTOREF_TOKEN), ontoref setup
  --gen-keys, install scripts, daemon config form roundtrip, ADR-004/005, on+re self-description update (fully-self-described), and landing page refresh.

.pre-commit-config.yaml

@@ -30,14 +30,14 @@ repos:
         language: system
         types: [rust]
         pass_filenames: false
-        stages: [manual]
+        stages: [pre-commit]
 
       - id: cargo-deny
         name: Cargo deny (licenses & advisories)
         entry: bash -c 'cargo deny check licenses advisories'
         language: system
         pass_filenames: false
-        stages: [manual]
+        stages: [pre-commit]
 
   # ============================================================================
   # Nushell Hooks (optional - enable if using Nushell)

deny.toml

@@ -1,23 +1,19 @@
-# Generated by dev-system/ci
-# Configuration for cargo-deny
-# See: https://embarkstudios.github.io/cargo-deny/
+# cargo-deny configuration — cargo-deny 0.18+
+# https://embarkstudios.github.io/cargo-deny/
 
 [advisories]
-# The path where the advisory database is cloned/fetched into
 db-path = "~/.cargo/advisory-db"
-# The url(s) of the advisory databases to use
 db-urls = ["https://github.com/rustsec/advisory-db"]
-# How to handle crates with security vulnerabilities
-vulnerability = "deny"
-# How to handle unmaintained crates
-unmaintained = "warn"
-# How to handle crates that have been yanked from crates.io
+unmaintained = "workspace"
 yanked = "warn"
+ignore = [
+    # RUSTSEC-2023-0071: rsa Marvin Attack (timing side-channel).
+    # rsa is a transitive dep; not used in network-facing key operations here.
+    # Revisit when rsa publishes a patched release.
+    { id = "RUSTSEC-2023-0071" },
+]
 
 [licenses]
-# The lint level for crates which do not have a detectable license
-unlicensed = "deny"
-# List of explicitly allowed licenses
 allow = [
     "MIT",
     "MIT-0",
@@ -27,48 +23,26 @@ allow = [
     "BSD-3-Clause",
     "ISC",
     "Unicode-DFS-2016",
+    "Unicode-3.0",
+    "CC0-1.0",
+    "Zlib",
+    "Unlicense",
+    "MPL-2.0",
+    "OpenSSL",
+    "CDLA-Permissive-2.0",
+    "BUSL-1.1",
 ]
-# List of explicitly disallowed licenses
-deny = [
-    "GPL-2.0",
-    "GPL-3.0",
-    "AGPL-3.0",
-]
-# Lint level for licenses considered copyleft
-copyleft = "warn"
-# Blanket approval or denial for OSI-approved or FSF Free/Libre licenses
-allow-osi-fsf-free = "both"
-# Lint level used when no other predicates are matched
-default = "deny"
+exceptions = []
 
 [bans]
-# Lint level for when multiple versions of the same crate are detected
 multiple-versions = "warn"
-# Lint level for when an allow-listed crate is detected without an exact version
-allow = [
-    # Each entry can be just the name and an optional wildcard version.
-    # This would ideally be pulled from Cargo.lock deps to keep up to date
-    # but that is more complex. It depends on the use case.
-]
-# Each entry must be a single version number
-deny = [
-    # Each entry is a crate name. Optionally with a version
-]
-# Certain crates/versions that will be skipped when doing duplicate detection
-skip = [
-    # { name = "ansi_term", version = "<= 0.11.0" }
-]
-# Similarly named crates that are allowed to coexist
-skip-tree = [
-    # { name = "windows", version = "<=0.46.0" }
-]
+allow = []
+deny = []
+skip = []
+skip-tree = []
 
 [sources]
-# Lint level for what to happen when a crate from a crate registry that is not in the allow list is detected
 unknown-registry = "deny"
-# Lint level for what to happen when a crate from a Git repository that is not in the allow list is detected
 unknown-git = "deny"
-# The allow list of crate registries
 allow-registry = ["https://github.com/rust-lang/crates.io-index"]
-# The allow list of Git repositories
 allow-git = []