feat(ci): verify-ledger GitHub Action — verify AI work as a CI gate

[New1Direction]

Turns the verifiable-cognition moat into a one-line CI check any repo can adopt: recompute a korgex receipt/journal's hash-chain (+ causal DAG + Ed25519 signature) and fail the build if anything was tampered — zero trust in the tool that produced the ledger.

- uses: New1Direction/korgex/.github/actions/verify-ledger@main
  with:
    path: ".korg/journal.json"          # or "**/*.korgreceipt.json"
    pubkey: ${{ vars.KORG_SIGNER_PUBKEY }}   # optional: pin the signer

How it works

• verify_ledger.py resolves a verifier — KORG_VERIFY_BIN override · npx @korgg/ledger-verify (JS) · korg-verify from crates.io (default, installed if absent). All three implementations emit the same --json verdict, so parsing is uniform. Globs the path, verifies each file, writes a markdown verdict table to $GITHUB_STEP_SUMMARY.
• Exit codes: 0 all valid · 1 any invalid (the gate) · 2 setup error. A no-match fails loudly — no silent pass with nothing verified.
• action.yml is a composite action (caches the korg-verify binary).

Why here / why now

Placed in-repo (uses: …/korgex/.github/actions/verify-ledger@…) so there's no new repo to stand up; it can be promoted to a standalone Marketplace action later. It directly leverages everything just shipped: korg-verify (crates.io), the receipt format, and the three independent verifiers.

Verification

• Self-test workflow proves it on real GitHub CI: an intact frozen conformance vector passes the gate; a tampered one fails it (asserted via steps.*.outcome).
• Locally validated with the real korg-verify binary against the committed vectors: intact → exit 0, tampered → exit 1 (exact seq error), missing → exit 2, glob handled, step-summary table rendered.
• Additive only — new files under .github/, no existing code touched.