security: make CI gates blocking, add smoke test, clean up dead code

- gitleaks, cargo audit, trivy fs now block pipeline on findings
- add smoke test (docker run + curl /health) in release workflow
- deny.toml: add review date to RUSTSEC-2025-0119 ignore
- remove unused validation functions (maven, npm, crate)
- replace blanket #![allow(dead_code)] with targeted allows

nora-registry/src/openapi.rs

@@ -5,7 +5,8 @@
 //!
 //! Functions in this module are stubs used only for generating OpenAPI documentation.
 
-#![allow(dead_code)]
+
+#![allow(dead_code)] // utoipa doc stubs — not called at runtime, used by derive macros
 
 use axum::Router;
 use std::sync::Arc;