diff --git a/.commitlintrc.json b/.commitlintrc.json
new file mode 100644
index 0000000..e912347
--- /dev/null
+++ b/.commitlintrc.json
@@ -0,0 +1,12 @@
+{
+ "extends": ["@commitlint/config-conventional"],
+ "rules": {
+ "header-max-length": [2, "always", 100],
+ "body-max-line-length": [0, "always"],
+ "footer-max-line-length": [0, "always"],
+ "type-enum": [2, "always", [
+ "build", "chore", "ci", "docs", "feat", "fix",
+ "perf", "refactor", "revert", "style", "test"
+ ]]
+ }
+}
diff --git a/.github/workflows/cargo-deny.yml b/.github/workflows/cargo-deny.yml
new file mode 100644
index 0000000..44672ea
--- /dev/null
+++ b/.github/workflows/cargo-deny.yml
@@ -0,0 +1,26 @@
+name: cargo-deny
+
+# License + advisory + ban policy enforcement via deny.toml. Runs on PR
+# + push to main + manual dispatch. Mirrors the cargo-deny gate already
+# running on the chain repo (sentrix-labs/sentrix).
+
+on:
+ pull_request:
+ branches: [main]
+ push:
+ branches: [main]
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ cargo-deny:
+ name: cargo-deny (licenses + advisories + bans)
+ runs-on: ubuntu-22.04
+ steps:
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ - uses: EmbarkStudios/cargo-deny-action@6c8f9facfa5047ec02d8485b6bf52b587b7777d1 # v2
+ with:
+ command: check
+ arguments: --all-features
diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
new file mode 100644
index 0000000..630cda2
--- /dev/null
+++ b/.github/workflows/commitlint.yml
@@ -0,0 +1,22 @@
+name: commitlint
+
+on:
+ pull_request:
+ branches: [main]
+
+permissions:
+ contents: read
+ pull-requests: read
+
+jobs:
+ commitlint:
+ name: commitlint
+ runs-on: ubuntu-22.04
+ steps:
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ with:
+ fetch-depth: 0
+
+ - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6
+ with:
+ configFile: .commitlintrc.json
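Review bot: `arguments: --all-features` on the cargo-deny-action step duplicates `all-features = true` under `[graph]` in the deny.toml added by this same commit; keeping only the deny.toml setting means a local `cargo deny check` evaluates the same dependency graph as CI, so the `with:` block can shrink to just `command: check`. The header comment lists the triggers but not why `push` to main is needed in addition to `pull_request`; a line such as `# The push trigger re-checks merged code so advisories published after the PR run are still caught.` would explain the double run to whoever later tunes the triggers.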
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 0000000..1681cec
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,30 @@
+name: Dependency review
+
+# Runs GitHub's dependency-review-action on PRs. Diffs the lockfile
+# changes vs the base branch and BLOCKS merge if newly-introduced
+# dependencies have HIGH-severity vulnerabilities OR licenses outside
+# our allowlist. Complements cargo-deny (full-tree post-merge gate)
+# with a pre-merge diff-only gate.
+
+on:
+ pull_request:
+ branches: [main]
+
+permissions:
+ contents: read
+ pull-requests: write
+
+jobs:
+ dependency-review:
+ name: Dependency review
+ runs-on: ubuntu-22.04
+ steps:
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+
+ - uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4
+ with:
+ fail-on-severity: high
+ # Mirror deny.toml [licenses].allow.
+ allow-licenses: MIT, Apache-2.0, Apache-2.0 WITH LLVM-exception, BSD-2-Clause, BSD-3-Clause, ISC, MPL-2.0, Unicode-DFS-2016, Unicode-3.0, CC0-1.0, Zlib, 0BSD, BUSL-1.1, CDLA-Permissive-2.0
+ allow-dependencies-licenses: pkg:githubactions/Swatinem/rust-cache
+ comment-summary-in-pr: on-failure
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 0000000..ec7c3dd
--- /dev/null
+++ b/deny.toml
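Review bot: `allow-licenses` does not actually mirror deny.toml as its comment claims: the deny.toml `[licenses].allow` added in this same commit also contains `"BSL-1.0"` (with a comment naming xxhash-rust as the reason), but it is missing here, so a PR whose lockfile diff first introduces a BSL-1.0 crate would be blocked by this gate while cargo-deny accepts it. Append `, BSL-1.0` to the `allow-licenses` line, or note in the comment that the two lists are intentionally different. The header comment describes cargo-deny as a "full-tree post-merge gate", yet cargo-deny.yml in this commit also triggers on `pull_request`, so "full-tree gate" would be the accurate wording. `comment-summary-in-pr` relies on `pull-requests: write`; for PRs opened from forks the workflow token is presumably read-only, so the failure summary may not post even though the check itself still fails — worth confirming against the action's documented behaviour.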
@@ -0,0 +1,55 @@
+# cargo-deny configuration. Loaded by .github/workflows/cargo-deny.yml.
+# See https://embarkstudios.github.io/cargo-deny/
+
+[graph]
+all-features = true
+
+[advisories]
+yanked = "deny"
+ignore = [
+ # `paste` is unmaintained (author archived) but still a transitive dep
+ # of alloy / sqlx / prost. No vulnerability — just dormant. Mirrors
+ # the ignore in indexer-rs + the chain repo.
+ "RUSTSEC-2024-0436",
+ # `rustls-pemfile` is deprecated in favour of `rustls-pki-types`;
+ # transitive via reqwest -> rustls. No vulnerability.
+ "RUSTSEC-2025-0134",
+]
+
+[licenses]
+unused-allowed-license = "allow"
+confidence-threshold = 0.8
+allow = [
+ "MIT",
+ "Apache-2.0",
+ "Apache-2.0 WITH LLVM-exception",
+ "BSD-2-Clause",
+ "BSD-3-Clause",
+ "ISC",
+ "MPL-2.0",
+ "Unicode-DFS-2016",
+ "Unicode-3.0",
+ "CC0-1.0",
+ "Zlib",
+ "0BSD",
+ "BUSL-1.1",
+ # webpki-roots v1.x: CDLA-Permissive-2.0 (transitive via reqwest -> rustls).
+ "CDLA-Permissive-2.0",
+ # Boost Software License — permissive OSI-approved, transitive via
+ # xxhash-rust used by leptos's hashing layer.
+ "BSL-1.0",
+]
+
+[bans]
+# Multiple major versions tolerated for now (leptos + alloy ecosystems
+# regularly need two majors during migration). Tighten later if a
+# specific crate becomes the problem.
+multiple-versions = "warn"
+wildcards = "warn"
+allow-wildcard-paths = true
+highlight = "all"
+
+[sources]
+unknown-registry = "deny"
+unknown-git = "deny"
+allow-git = []
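Review bot: `"BUSL-1.1"` is the only source-available, non-OSI entry in `[licenses].allow` and the only one without a rationale, whereas the CDLA-Permissive-2.0 and BSL-1.0 entries both name the crate that pulls them in; add the same kind of why-comment above it, e.g. `# BUSL-1.1: <crate that requires it> — source-available with a use restriction; re-check when its Change Date passes.` The two `RUSTSEC-*` ignores carry their justification only in comments; newer cargo-deny releases appear to accept `{ id = "RUSTSEC-2024-0436", reason = "..." }` entries that surface the reason in the diagnostic itself, which is worth adopting if the pinned action's cargo-deny supports it. The `[bans]` comment promises to tighten `multiple-versions = "warn"` later; naming a concrete trigger (a date, or a tracked issue placeholder) in that comment makes the promise checkable rather than open-ended.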