[ZK] Research spike: ZK verification on Soroban

[Gbangbolaoluwagbemiga]

Goal

Decide how SecureFlow will do zero-knowledge verification before building the ZK features
(#36, #37, #38). This is a research/design spike that ends in a written ADR, not production code.

Questions to answer

• Can a ZK verifier run on-chain in Soroban within instruction/cost limits? Which proof
  systems are feasible (Groth16 / PLONK / STARK / Bulletproofs) given available host functions
  (pairing/curve ops)?
• If on-chain verification is too costly: off-chain proof generation + on-chain attestation
  (an oracle/attester posts a verified result) — what are the trust assumptions?
• Proving stack: which toolchain (e.g. circom/snarkjs, halo2, noir) fits a Rust/Soroban project?
• Where do proofs get generated — client-side in the browser/wallet, or a service?
• Nullifier + commitment scheme shared across the three ZK features

Deliverable

• An ADR in docs/adr/ documenting the chosen architecture, trade-offs, and a reference flow
• A throwaway proof-of-concept proving one trivial statement end-to-end

Acceptance criteria

• Architecture decided and written up; [ZK] ZK reputation proofs #36/[ZK] ZK freelancer credentials (Sybil resistance) #37/[ZK] ZK dispute evidence #38 can be scoped against it

This is the foundational ZK issue and a centerpiece of the SCF pitch — do it first.