chore: remediate code audit findings and fix CI pipeline failures

- Security: Add Secure flag to checkin identity cookie, implement rate limiting on login, and harden Helm security context.
- Security: Add cargo-audit to CI and Release pipelines for dependency vulnerability scanning.
- Backend: Enable SQLite WAL mode and fix AppState initialization in tests.
- Frontend: Fully type the API client, fix importStudents FormData handling, and pin dependency versions.
- Frontend: Add auto-logout on 401 and resolve authentication initialization race conditions.
- CI/CD: Pin pnpm version in release workflow and include lint/audit quality gates.

deploy/templates/deployment.yaml

@@ -60,8 +60,10 @@ spec:
             initialDelaySeconds: 5
             periodSeconds: 10
           securityContext:
-            readOnlyRootFilesystem: false
+            readOnlyRootFilesystem: true
             allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            runAsUser: 1000
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
       volumes:

deploy/values_override.yaml

@@ -6,5 +6,4 @@ image:
   tag: v0.1.9
 
 env:
-  extra:
-    DEMO: "true"
+  extra: {}