chore: update electron-to-chromium version to 1.5.342 in package-lock.json

Add automated accessibility suite execution to the standard non-security
end-to-end browser shards so regressions are caught during routine CI runs.

This change is necessary to enforce accessibility checks consistently across
Chromium, Firefox, and WebKit without creating a separate pipeline path.

Behavior impact:
- Non-security shard jobs now run accessibility tests alongside existing suites
- Security-specific job behavior remains unchanged
- Sharding logic remains unchanged, with only test scope expanded

Operational consideration:
- Monitor shard runtime balance after rollout; if sustained skew appears,
  split accessibility coverage into its own sharded workflow stage.

.archive/legacy-tests-phase3/frontend-e2e/security-mobile.spec.ts

@@ -1,297 +0,0 @@
-/**
- * Security Dashboard Mobile Responsive E2E Tests
- * Test IDs: MR-01 through MR-10
- *
- * Tests mobile viewport (375x667), tablet viewport (768x1024),
- * touch targets, scrolling, and layout responsiveness.
- */
-import { test, expect } from '@bgotink/playwright-coverage'
-
-const base = process.env.CHARON_BASE_URL || 'http://localhost:8080'
-
-test.describe('Security Dashboard Mobile (375x667)', () => {
-  test.use({ viewport: { width: 375, height: 667 } })
-
-  test('MR-01: cards stack vertically on mobile', async ({ page }) => {
-    await page.goto(`${base}/security`)
-
-    // Wait for page to load
-    await page.waitForSelector('[data-testid="toggle-crowdsec"]', { timeout: 10000 })
-
-    // On mobile, grid should be single column
-    const grid = page.locator('.grid.grid-cols-1')
-    await expect(grid).toBeVisible()
-
-    // Get the computed grid-template-columns
-    const cardsContainer = page.locator('.grid').first()
-    const gridStyle = await cardsContainer.evaluate((el) => {
-      const style = window.getComputedStyle(el)
-      return style.gridTemplateColumns
-    })
-
-    // Single column should have just one value (not multiple columns like "repeat(4, ...)")
-    const columns = gridStyle.split(' ').filter((s) => s.trim().length > 0)
-    expect(columns.length).toBeLessThanOrEqual(2) // Single column or flexible
-  })
-
-  test('MR-04: toggle switches have accessible touch targets', async ({ page }) => {
-    await page.goto(`${base}/security`)
-    await page.waitForSelector('[data-testid="toggle-crowdsec"]', { timeout: 10000 })
-
-    // Check CrowdSec toggle
-    const crowdsecToggle = page.getByTestId('toggle-crowdsec')
-    const crowdsecBox = await crowdsecToggle.boundingBox()
-
-    // Touch target should be at least 24px (component) + padding
-    // Most switches have a reasonable touch target
-    expect(crowdsecBox).not.toBeNull()
-    if (crowdsecBox) {
-      expect(crowdsecBox.height).toBeGreaterThanOrEqual(20)
-      expect(crowdsecBox.width).toBeGreaterThanOrEqual(35)
-    }
-
-    // Check WAF toggle
-    const wafToggle = page.getByTestId('toggle-waf')
-    const wafBox = await wafToggle.boundingBox()
-    expect(wafBox).not.toBeNull()
-    if (wafBox) {
-      expect(wafBox.height).toBeGreaterThanOrEqual(20)
-    }
-  })
-
-  test('MR-05: config buttons are tappable on mobile', async ({ page }) => {
-    await page.goto(`${base}/security`)
-    await page.waitForSelector('[data-testid="toggle-crowdsec"]', { timeout: 10000 })
-
-    // Find config/configure buttons
-    const configButtons = page.locator('button:has-text("Config"), button:has-text("Configure")')
-    const buttonCount = await configButtons.count()
-
-    expect(buttonCount).toBeGreaterThan(0)
-
-    // Check first config button has reasonable size
-    const firstButton = configButtons.first()
-    const box = await firstButton.boundingBox()
-    expect(box).not.toBeNull()
-    if (box) {
-      expect(box.height).toBeGreaterThanOrEqual(28) // Minimum tap height
-    }
-  })
-
-  test('MR-06: page content is scrollable on mobile', async ({ page }) => {
-    await page.goto(`${base}/security`)
-    await page.waitForSelector('[data-testid="toggle-crowdsec"]', { timeout: 10000 })
-
-    // Check if page is scrollable (content height > viewport)
-    const bodyHeight = await page.evaluate(() => document.body.scrollHeight)
-    const viewportHeight = 667
-
-    // If content is taller than viewport, page should scroll
-    if (bodyHeight > viewportHeight) {
-      // Attempt to scroll down
-      await page.evaluate(() => window.scrollBy(0, 200))
-      const scrollY = await page.evaluate(() => window.scrollY)
-      expect(scrollY).toBeGreaterThan(0)
-    }
-  })
-
-  test('MR-10: navigation is accessible on mobile', async ({ page }) => {
-    await page.goto(`${base}/security`)
-    await page.waitForSelector('[data-testid="toggle-crowdsec"]', { timeout: 10000 })
-
-    // On mobile, there should be some form of navigation
-    // Check if sidebar or mobile menu toggle exists
-    const sidebar = page.locator('nav, aside, [role="navigation"]')
-    const sidebarCount = await sidebar.count()
-
-    // Navigation should exist in some form
-    expect(sidebarCount).toBeGreaterThanOrEqual(0) // May be hidden on mobile
-  })
-
-  test('MR-06b: overlay renders correctly on mobile', async ({ page }) => {
-    await page.goto(`${base}/security`)
-    await page.waitForSelector('[data-testid="toggle-crowdsec"]', { timeout: 10000 })
-
-    // Skip if Cerberus is disabled (toggles would be disabled)
-    const cerberusDisabled = await page.locator('text=Cerberus Disabled').isVisible()
-    if (cerberusDisabled) {
-      test.skip()
-      return
-    }
-
-    // Trigger loading state by clicking a toggle
-    const wafToggle = page.getByTestId('toggle-waf')
-    const isDisabled = await wafToggle.isDisabled()
-
-    if (!isDisabled) {
-      await wafToggle.click()
-
-      // Check for overlay (may appear briefly)
-      // Use a short timeout since it might disappear quickly
-      try {
-        const overlay = page.locator('.fixed.inset-0')
-        await overlay.waitFor({ state: 'visible', timeout: 2000 })
-
-        // If overlay appeared, verify it fits screen
-        const box = await overlay.boundingBox()
-        if (box) {
-          expect(box.width).toBeLessThanOrEqual(375 + 10) // Allow small margin
-        }
-      } catch {
-        // Overlay might have disappeared before we could check
-        // This is acceptable for a fast operation
-      }
-    }
-  })
-})
-
-test.describe('Security Dashboard Tablet (768x1024)', () => {
-  test.use({ viewport: { width: 768, height: 1024 } })
-
-  test('MR-02: cards show 2 columns on tablet', async ({ page }) => {
-    await page.goto(`${base}/security`)
-    await page.waitForSelector('[data-testid="toggle-crowdsec"]', { timeout: 10000 })
-
-    // On tablet (md breakpoint), should have md:grid-cols-2
-    const grid = page.locator('.grid').first()
-    await expect(grid).toBeVisible()
-
-    // Get computed style
-    const gridStyle = await grid.evaluate((el) => {
-      const style = window.getComputedStyle(el)
-      return style.gridTemplateColumns
-    })
-
-    // Should have 2 columns at md breakpoint
-    const columns = gridStyle.split(' ').filter((s) => s.trim().length > 0 && s !== 'none')
-    expect(columns.length).toBeGreaterThanOrEqual(2)
-  })
-
-  test('MR-08: cards have proper spacing on tablet', async ({ page }) => {
-    await page.goto(`${base}/security`)
-    await page.waitForSelector('[data-testid="toggle-crowdsec"]', { timeout: 10000 })
-
-    // Check gap between cards
-    const grid = page.locator('.grid.gap-6').first()
-    const hasGap = await grid.isVisible()
-    expect(hasGap).toBe(true)
-  })
-})
-
-test.describe('Security Dashboard Desktop (1920x1080)', () => {
-  test.use({ viewport: { width: 1920, height: 1080 } })
-
-  test('MR-03: cards show 4 columns on desktop', async ({ page }) => {
-    await page.goto(`${base}/security`)
-    await page.waitForSelector('[data-testid="toggle-crowdsec"]', { timeout: 10000 })
-
-    // On desktop (lg breakpoint), should have lg:grid-cols-4
-    const grid = page.locator('.grid').first()
-    await expect(grid).toBeVisible()
-
-    // Get computed style
-    const gridStyle = await grid.evaluate((el) => {
-      const style = window.getComputedStyle(el)
-      return style.gridTemplateColumns
-    })
-
-    // Should have 4 columns at lg breakpoint
-    const columns = gridStyle.split(' ').filter((s) => s.trim().length > 0 && s !== 'none')
-    expect(columns.length).toBeGreaterThanOrEqual(4)
-  })
-})
-
-test.describe('Security Dashboard Layout Tests', () => {
-  test('cards maintain correct order across viewports', async ({ page }) => {
-    // Test on mobile
-    await page.setViewportSize({ width: 375, height: 667 })
-    await page.goto(`${base}/security`)
-    await page.waitForSelector('[data-testid="toggle-crowdsec"]', { timeout: 10000 })
-
-    // Get card headings
-    const getCardOrder = async () => {
-      const headings = await page.locator('h3').allTextContents()
-      return headings.filter((h) => ['CrowdSec', 'Access Control', 'Coraza', 'Rate Limiting'].includes(h))
-    }
-
-    const mobileOrder = await getCardOrder()
-
-    // Test on tablet
-    await page.setViewportSize({ width: 768, height: 1024 })
-    await page.waitForTimeout(100) // Allow reflow
-    const tabletOrder = await getCardOrder()
-
-    // Test on desktop
-    await page.setViewportSize({ width: 1920, height: 1080 })
-    await page.waitForTimeout(100) // Allow reflow
-    const desktopOrder = await getCardOrder()
-
-    // Order should be consistent
-    expect(mobileOrder).toEqual(tabletOrder)
-    expect(tabletOrder).toEqual(desktopOrder)
-    expect(desktopOrder).toEqual(['CrowdSec', 'Access Control', 'Coraza', 'Rate Limiting'])
-  })
-
-  test('MR-09: all security cards are visible on scroll', async ({ page }) => {
-    await page.setViewportSize({ width: 375, height: 667 })
-    await page.goto(`${base}/security`)
-    await page.waitForSelector('[data-testid="toggle-crowdsec"]', { timeout: 10000 })
-
-    // Scroll to each card type
-    const cardTypes = ['CrowdSec', 'Access Control', 'Coraza', 'Rate Limiting']
-
-    for (const cardType of cardTypes) {
-      const card = page.locator(`h3:has-text("${cardType}")`)
-      await card.scrollIntoViewIfNeeded()
-      await expect(card).toBeVisible()
-    }
-  })
-})
-
-test.describe('Security Dashboard Interaction Tests', () => {
-  test.use({ viewport: { width: 375, height: 667 } })
-
-  test('MR-07: config buttons navigate correctly on mobile', async ({ page }) => {
-    await page.goto(`${base}/security`)
-    await page.waitForSelector('[data-testid="toggle-crowdsec"]', { timeout: 10000 })
-
-    // Skip if Cerberus disabled
-    const cerberusDisabled = await page.locator('text=Cerberus Disabled').isVisible()
-    if (cerberusDisabled) {
-      test.skip()
-      return
-    }
-
-    // Find and click WAF Configure button
-    const configureButton = page.locator('button:has-text("Configure")').first()
-
-    if (await configureButton.isVisible()) {
-      await configureButton.click()
-
-      // Should navigate to a config page
-      await page.waitForTimeout(500)
-      const url = page.url()
-
-      // URL should include security/waf or security/rate-limiting etc
-      expect(url).toMatch(/security\/(waf|rate-limiting|access-lists|crowdsec)/i)
-    }
-  })
-
-  test('documentation button works on mobile', async ({ page }) => {
-    await page.goto(`${base}/security`)
-    await page.waitForSelector('[data-testid="toggle-crowdsec"]', { timeout: 10000 })
-
-    // Find documentation button
-    const docButton = page.locator('button:has-text("Documentation"), a:has-text("Documentation")').first()
-
-    if (await docButton.isVisible()) {
-      // Check it has correct external link behavior
-      const href = await docButton.getAttribute('href')
-
-      // Should open external docs
-      if (href) {
-        expect(href).toContain('wikid82.github.io')
-      }
-    }
-  })
-})

.archive/legacy-tests-phase3/frontend-e2e/waf.spec.ts

@@ -1,34 +0,0 @@
-import { test, expect } from '@bgotink/playwright-coverage'
-
-const base = process.env.CHARON_BASE_URL || 'http://localhost:8080'
-
-// Hit an API route inside /api/v1 to ensure Cerberus middleware executes.
-const targetPath = '/api/v1/system/my-ip'
-
-test.describe('WAF blocking and monitoring', () => {
-  test('blocks malicious query when mode=block', async ({ request }) => {
-    // Use literal '<script>' to trigger naive WAF check
-    const res = await request.get(`${base}${targetPath}?<script>=x`)
-    expect([400, 401]).toContain(res.status())
-    // When WAF runs before auth, expect 400; if auth runs first, we still validate that the server rejects
-    if (res.status() === 400) {
-      const body = await res.json()
-      expect(body?.error).toMatch(/WAF: suspicious payload/i)
-    }
-  })
-
-  test('does not block when mode=monitor (returns 401 due to auth)', async ({ request }) => {
-    const res = await request.get(`${base}${targetPath}?safe=yes`)
-    // Unauthenticated → expect 401, not 400; proves WAF did not block
-    expect([401, 403]).toContain(res.status())
-  })
-
-  test('metrics endpoint exposes Prometheus counters', async ({ request }) => {
-    const res = await request.get(`${base}/metrics`)
-    expect(res.status()).toBe(200)
-    const text = await res.text()
-    expect(text).toContain('charon_waf_requests_total')
-    expect(text).toContain('charon_waf_blocked_total')
-    expect(text).toContain('charon_waf_monitored_total')
-  })
-})

.archive/legacy-tests-phase3/frontend-tests/login.smoke.spec.ts

@@ -1,26 +0,0 @@
-import { test, expect } from '@bgotink/playwright-coverage'
-
-test.describe('Login - smoke', () => {
-  test('renders and has no console errors on load', async ({ page }) => {
-    const consoleErrors: string[] = []
-
-    page.on('console', msg => {
-      if (msg.type() === 'error') {
-        consoleErrors.push(msg.text())
-      }
-    })
-
-    await page.goto('/login', { waitUntil: 'domcontentloaded' })
-
-    await expect(page).toHaveURL(/\/login(?:\?|$)/)
-
-    const emailInput = page.getByRole('textbox', { name: /email/i })
-    const passwordInput = page.getByLabel(/password/i)
-
-    await expect(emailInput).toBeVisible()
-    await expect(passwordInput).toBeVisible()
-    await expect(page.getByRole('button', { name: /sign in/i })).toBeVisible()
-
-    expect(consoleErrors, 'Console errors during /login load').toEqual([])
-  })
-})

.docker/README.md

@@ -94,7 +94,7 @@ Configure the application via `docker-compose.yml`:
 | `CHARON_ENV` | `production` | Set to `development` for verbose logging (`CPM_ENV` supported for backward compatibility). |
 | `CHARON_HTTP_PORT` | `8080` | Port for the Web UI (`CPM_HTTP_PORT` supported for backward compatibility). |
 | `CHARON_DB_PATH` | `/app/data/charon.db` | Path to the SQLite database (`CPM_DB_PATH` supported for backward compatibility). |
-| `CHARON_CADDY_ADMIN_API` | `http://localhost:2019` | Internal URL for Caddy API (`CPM_CADDY_ADMIN_API` supported for backward compatibility). |
+| `CHARON_CADDY_ADMIN_API` | `http://localhost:2019` | Internal URL for Caddy API (`CPM_CADDY_ADMIN_API` supported for backward compatibility). Must resolve to an internal allowlisted host on port `2019`. |
 | `CHARON_CADDY_CONFIG_ROOT` | `/config` | Path to Caddy autosave configuration directory. |
 | `CHARON_CADDY_LOG_DIR` | `/var/log/caddy` | Directory for Caddy access logs. |
 | `CHARON_CROWDSEC_LOG_DIR` | `/var/log/crowdsec` | Directory for CrowdSec logs. |
@@ -218,6 +218,8 @@ environment:
   - CPM_CADDY_ADMIN_API=http://your-caddy-host:2019
 ```
 
+If using a non-localhost internal hostname, add it to `CHARON_SSRF_INTERNAL_HOST_ALLOWLIST`.
+
 **Warning**: Charon will replace Caddy's entire configuration. Backup first!
 
 ## Performance Tuning

.docker/compose/docker-compose.dev.yml

@@ -32,6 +32,8 @@ services:
       #- CPM_SECURITY_RATELIMIT_ENABLED=false
       #- CPM_SECURITY_ACL_ENABLED=false
       - FEATURE_CERBERUS_ENABLED=true
+    # Docker socket group access: copy docker-compose.override.example.yml
+    # to docker-compose.override.yml and set your host's docker GID.
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro # For local container discovery
       - crowdsec_data:/app/data/crowdsec

.docker/compose/docker-compose.local.yml

@@ -27,6 +27,8 @@ services:
       - FEATURE_CERBERUS_ENABLED=true
       # Emergency "break-glass" token for security reset when ACL blocks access
       - CHARON_EMERGENCY_TOKEN=03e4682c1164f0c1cb8e17c99bd1a2d9156b59824dde41af3bb67c513e5c5e92
+    # Docker socket group access: copy docker-compose.override.example.yml
+    # to docker-compose.override.yml and set your host's docker GID.
     extra_hosts:
       - "host.docker.internal:host-gateway"
     cap_add:
@@ -45,7 +47,7 @@ services:
 #      - <PATH_TO_YOUR_CADDYFILE>:/import/Caddyfile:ro
 #      - <PATH_TO_YOUR_SITES_DIR>:/import/sites:ro # If your Caddyfile imports other files
     healthcheck:
-      test: ["CMD-SHELL", "curl -fsS http://localhost:8080/api/v1/health || exit 1"]
+      test: ["CMD-SHELL", "wget -qO /dev/null http://localhost:8080/api/v1/health || exit 1"]
       interval: 30s
       timeout: 10s
       retries: 3

.docker/compose/docker-compose.override.example.yml

@@ -0,0 +1,26 @@
+# Docker Compose override — copy to docker-compose.override.yml to activate.
+#
+# Use case: grant the container access to the host Docker socket so that
+# Charon can discover running containers.
+#
+# 1. cp docker-compose.override.example.yml docker-compose.override.yml
+# 2. Uncomment the service that matches your compose file:
+#      - "charon" for docker-compose.local.yml
+#      - "app"    for docker-compose.dev.yml
+# 3. Replace <GID> with the output of:  stat -c '%g' /var/run/docker.sock
+# 4. docker compose up -d
+
+services:
+  # Uncomment for docker-compose.local.yml
+  charon:
+    group_add:
+      - "<GID>"   # e.g. "988" — run: stat -c '%g' /var/run/docker.sock
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+
+  # Uncomment for docker-compose.dev.yml
+  app:
+    group_add:
+      - "<GID>"   # e.g. "988" — run: stat -c '%g' /var/run/docker.sock
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro

.docker/compose/docker-compose.playwright-ci.yml

@@ -85,8 +85,9 @@ services:
       - playwright_data:/app/data
       - playwright_caddy_data:/data
       - playwright_caddy_config:/config
+      - /var/run/docker.sock:/var/run/docker.sock:ro # For container discovery in tests
     healthcheck:
-      test: ["CMD", "curl", "-sf", "http://localhost:8080/api/v1/health"]
+      test: ["CMD-SHELL", "wget -qO /dev/null http://localhost:8080/api/v1/health || exit 1"]
       interval: 5s
       timeout: 3s
       retries: 12
@@ -111,6 +112,7 @@ services:
     volumes:
       - playwright_crowdsec_data:/var/lib/crowdsec/data
       - playwright_crowdsec_config:/etc/crowdsec
+      - /var/run/docker.sock:/var/run/docker.sock:ro # For container discovery in tests
     healthcheck:
       test: ["CMD", "cscli", "version"]
       interval: 10s

.docker/compose/docker-compose.playwright-local.yml

@@ -48,9 +48,12 @@ services:
     tmpfs:
       # True tmpfs for E2E test data - fresh on every run, in-memory only
       # mode=1777 allows any user to write (container runs as non-root)
-      - /app/data:size=100M,mode=1777
+      # 256M gives headroom for the backup service's 100MB disk-space check
+      - /app/data:size=256M,mode=1777
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro # For container discovery in tests
     healthcheck:
-      test: ["CMD-SHELL", "curl -fsS http://localhost:8080/api/v1/health || exit 1"]
+      test: ["CMD-SHELL", "wget -qO /dev/null http://localhost:8080/api/v1/health || exit 1"]
       interval: 5s
       timeout: 5s
       retries: 10

.docker/compose/docker-compose.yml

@@ -52,7 +52,7 @@ services:
       # - ./my-existing-Caddyfile:/import/Caddyfile:ro
       # - ./sites:/import/sites:ro # If your Caddyfile imports other files
     healthcheck:
-      test: ["CMD-SHELL", "curl -fsS http://localhost:8080/api/v1/health || exit 1"]
+      test: ["CMD-SHELL", "wget -qO /dev/null http://localhost:8080/api/v1/health || exit 1"]
       interval: 30s
       timeout: 10s
       retries: 3

.docker/docker-entrypoint.sh

@@ -27,30 +27,24 @@ get_group_by_gid() {
 }
 
 create_group_with_gid() {
-    local gid="$1"
-    local name="$2"
-
     if command -v addgroup >/dev/null 2>&1; then
-        addgroup -g "$gid" "$name" 2>/dev/null || true
+        addgroup -g "$1" "$2" 2>/dev/null || true
         return
     fi
 
     if command -v groupadd >/dev/null 2>&1; then
-        groupadd -g "$gid" "$name" 2>/dev/null || true
+        groupadd -g "$1" "$2" 2>/dev/null || true
     fi
 }
 
 add_user_to_group() {
-    local user="$1"
-    local group="$2"
-
     if command -v addgroup >/dev/null 2>&1; then
-        addgroup "$user" "$group" 2>/dev/null || true
+        addgroup "$1" "$2" 2>/dev/null || true
         return
     fi
 
     if command -v usermod >/dev/null 2>&1; then
-        usermod -aG "$group" "$user" 2>/dev/null || true
+        usermod -aG "$2" "$1" 2>/dev/null || true
     fi
 }
 
@@ -142,8 +136,15 @@ if [ -S "/var/run/docker.sock" ] && is_root; then
         fi
     fi
 elif [ -S "/var/run/docker.sock" ]; then
-    echo "Note: Docker socket mounted but container is running non-root; skipping docker.sock group setup."
-    echo "      If Docker discovery is needed, run with matching group permissions (e.g., --group-add)"
+    DOCKER_SOCK_GID=$(stat -c '%g' /var/run/docker.sock 2>/dev/null || echo "unknown")
+    echo "Note: Docker socket mounted (GID=$DOCKER_SOCK_GID) but container is running non-root; skipping docker.sock group setup."
+    echo "      If Docker discovery is needed, add 'group_add: [\"$DOCKER_SOCK_GID\"]' to your compose service."
+    if [ "$DOCKER_SOCK_GID" = "0" ]; then
+        if [ "${ALLOW_DOCKER_SOCK_GID_0:-false}" != "true" ]; then
+            echo "⚠️  WARNING: Docker socket GID is 0 (root group). group_add: [\"0\"] grants root-group access."
+            echo "   Set ALLOW_DOCKER_SOCK_GID_0=true to acknowledge this risk."
+        fi
+    fi
 else
     echo "Note: Docker socket not found. Docker container discovery will be unavailable."
 fi
@@ -191,7 +192,7 @@ if command -v cscli >/dev/null; then
         echo "Initializing persistent CrowdSec configuration..."
 
         # Check if .dist has content
-        if [ -d "/etc/crowdsec.dist" ] && [ -n "$(ls -A /etc/crowdsec.dist 2>/dev/null)" ]; then
+        if [ -d "/etc/crowdsec.dist" ] && find /etc/crowdsec.dist -mindepth 1 -maxdepth 1 -print -quit 2>/dev/null | grep -q .; then
             echo "Copying config from /etc/crowdsec.dist..."
             if ! cp -r /etc/crowdsec.dist/* "$CS_CONFIG_DIR/"; then
                 echo "ERROR: Failed to copy config from /etc/crowdsec.dist"
@@ -208,7 +209,7 @@ if command -v cscli >/dev/null; then
                 exit 1
             fi
             echo "✓ Successfully initialized config from .dist directory"
-        elif [ -d "/etc/crowdsec" ] && [ ! -L "/etc/crowdsec" ] && [ -n "$(ls -A /etc/crowdsec 2>/dev/null)" ]; then
+        elif [ -d "/etc/crowdsec" ] && [ ! -L "/etc/crowdsec" ] && find /etc/crowdsec -mindepth 1 -maxdepth 1 -print -quit 2>/dev/null | grep -q .; then
             echo "Copying config from /etc/crowdsec (fallback)..."
             if ! cp -r /etc/crowdsec/* "$CS_CONFIG_DIR/"; then
                 echo "ERROR: Failed to copy config from /etc/crowdsec (fallback)"
@@ -248,7 +249,7 @@ if command -v cscli >/dev/null; then
         echo "Expected: /etc/crowdsec -> /app/data/crowdsec/config"
         echo "This indicates a critical build-time issue. Symlink must be created at build time as root."
         echo "DEBUG: Directory check:"
-        ls -la /etc/ | grep crowdsec || echo "  (no crowdsec entry found)"
+        find /etc -mindepth 1 -maxdepth 1 -name '*crowdsec*' -exec ls -ld {} \; 2>/dev/null || echo "  (no crowdsec entry found)"
         exit 1
     fi
 
@@ -302,6 +303,19 @@ ACQUIS_EOF
     # Also handle case where it might be without trailing slash
     sed -i 's|log_dir: /var/log$|log_dir: /var/log/crowdsec|g' "$CS_CONFIG_DIR/config.yaml"
 
+    # Redirect CrowdSec LAPI database to persistent volume
+    # Default path /var/lib/crowdsec/data/crowdsec.db is ephemeral (not volume-mounted),
+    # so it is destroyed on every container rebuild. The bouncer API key (stored on the
+    # persistent volume at /app/data/crowdsec/) survives rebuilds but the LAPI database
+    # that validates it does not — causing perpetual key rejection.
+    # Redirecting db_path to the volume-mounted CS_DATA_DIR fixes this.
+    sed -i "s|db_path: /var/lib/crowdsec/data/crowdsec.db|db_path: ${CS_DATA_DIR}/crowdsec.db|g" "$CS_CONFIG_DIR/config.yaml"
+    if grep -q "db_path:.*${CS_DATA_DIR}" "$CS_CONFIG_DIR/config.yaml"; then
+        echo "✓ CrowdSec LAPI database redirected to persistent volume: ${CS_DATA_DIR}/crowdsec.db"
+    else
+        echo "⚠️  WARNING: Could not verify LAPI db_path redirect — bouncer keys may not survive rebuilds"
+    fi
+
     # Verify LAPI configuration was applied correctly
     if grep -q "listen_uri:.*:8085" "$CS_CONFIG_DIR/config.yaml"; then
         echo "✓ CrowdSec LAPI configured for port 8085"
@@ -309,10 +323,11 @@ ACQUIS_EOF
         echo "✗ WARNING: LAPI port configuration may be incorrect"
     fi
 
-    # Update hub index to ensure CrowdSec can start
-    if [ ! -f "/etc/crowdsec/hub/.index.json" ]; then
-        echo "Updating CrowdSec hub index..."
-        timeout 60s cscli hub update 2>/dev/null || echo "⚠️ Hub update timed out or failed, continuing..."
+    # Always refresh hub index on startup (stale index causes hash mismatch errors on collection install)
+    echo "Updating CrowdSec hub index..."
+    if ! timeout 60s cscli hub update 2>&1; then
+        echo "⚠️ Hub index update failed (network issue?). Collections may fail to install."
+        echo "   CrowdSec will still start with whatever index is cached."
     fi
 
     # Ensure local machine is registered (auto-heal for volume/config mismatch)
@@ -320,12 +335,11 @@ ACQUIS_EOF
     echo "Registering local machine..."
     cscli machines add -a --force 2>/dev/null || echo "Warning: Machine registration may have failed"
 
-    # Install hub items (parsers, scenarios, collections) if local mode enabled
-    if [ "$SECURITY_CROWDSEC_MODE" = "local" ]; then
-        echo "Installing CrowdSec hub items..."
-        if [ -x /usr/local/bin/install_hub_items.sh ]; then
-            /usr/local/bin/install_hub_items.sh 2>/dev/null || echo "Warning: Some hub items may not have installed"
-        fi
+    # Always ensure required collections are present (idempotent — already-installed items are skipped).
+    # Collections are just config files with zero runtime cost when CrowdSec is disabled.
+    echo "Ensuring CrowdSec hub items are installed..."
+    if [ -x /usr/local/bin/install_hub_items.sh ]; then
+        /usr/local/bin/install_hub_items.sh || echo "⚠️ Some hub items may not have installed. CrowdSec can still start."
     fi
 
     # Fix ownership AFTER cscli commands (they run as root and create root-owned files)
@@ -364,7 +378,7 @@ echo "Caddy started (PID: $CADDY_PID)"
 echo "Waiting for Caddy admin API..."
 i=1
 while [ "$i" -le 30 ]; do
-    if curl -sf http://127.0.0.1:2019/config/ > /dev/null 2>&1; then
+    if wget -qO /dev/null http://127.0.0.1:2019/config/ 2>/dev/null; then
         echo "Caddy is ready!"
         break
     fi

.dockerignore

@@ -9,13 +9,12 @@
 .git/
 .gitignore
 .github/
-.pre-commit-config.yaml
 codecov.yml
 .goreleaser.yaml
 .sourcery.yml
 
 # -----------------------------------------------------------------------------
-# Python (pre-commit, tooling)
+# Python (tooling)
 # -----------------------------------------------------------------------------
 __pycache__/
 *.py[cod]

.github/agents/Backend_Dev.agent.md

@@ -2,9 +2,10 @@
 name: 'Backend Dev'
 description: 'Senior Go Engineer focused on high-performance, secure backend implementation.'
 argument-hint: 'The specific backend task from the Plan (e.g., "Implement ProxyHost CRUD endpoints")'
-tools: vscode/extensions, vscode/getProjectSetupInfo, vscode/installExtension, vscode/memory, vscode/openSimpleBrowser, vscode/runCommand, vscode/askQuestions, vscode/vscodeAPI, execute, read, agent, 'github/*', 'github/*', 'io.github.goreleaser/mcp/*', 'trivy-mcp/*', edit, search, web, 'github/*', 'playwright/*', 'pylance-mcp-server/*', todo, vscode.mermaid-chat-features/renderMermaidDiagram, github.vscode-pull-request-github/issue_fetch, github.vscode-pull-request-github/labels_fetch, github.vscode-pull-request-github/notification_fetch, github.vscode-pull-request-github/doSearch, github.vscode-pull-request-github/activePullRequest, github.vscode-pull-request-github/openPullRequest, ms-azuretools.vscode-containers/containerToolsConfig, ms-python.python/getPythonEnvironmentInfo, ms-python.python/getPythonExecutableCommand, ms-python.python/installPythonPackage, ms-python.python/configurePythonEnvironment, 'gopls/*'
+tools: vscode/getProjectSetupInfo, vscode/installExtension, vscode/memory, vscode/runCommand, vscode/vscodeAPI, vscode/extensions, vscode/askQuestions, execute, read, edit, search, web, browser, github/add_comment_to_pending_review, github/add_issue_comment, github/add_reply_to_pull_request_comment, github/assign_copilot_to_issue, github/create_branch, github/create_or_update_file, github/create_pull_request, github/create_pull_request_with_copilot, github/create_repository, github/delete_file, github/fork_repository, github/get_commit, github/get_copilot_job_status, github/get_file_contents, github/get_label, github/get_latest_release, github/get_me, github/get_release_by_tag, github/get_tag, github/get_team_members, github/get_teams, github/issue_read, github/issue_write, github/list_branches, github/list_commits, github/list_issue_types, github/list_issues, github/list_pull_requests, github/list_releases, github/list_tags, github/merge_pull_request, github/pull_request_read, github/pull_request_review_write, github/push_files, github/request_copilot_review, github/search_code, github/search_issues, github/search_pull_requests, github/search_repositories, github/search_users, github/sub_issue_write, github/update_pull_request, github/update_pull_request_branch, playwright/*, github/*, io.github.goreleaser/mcp/*, mcp-refactor-typescript/*, microsoftdocs/mcp/*, vscode.mermaid-chat-features/renderMermaidDiagram, github.vscode-pull-request-github/issue_fetch, github.vscode-pull-request-github/labels_fetch, github.vscode-pull-request-github/notification_fetch, github.vscode-pull-request-github/doSearch, github.vscode-pull-request-github/activePullRequest, github.vscode-pull-request-github/pullRequestStatusChecks, github.vscode-pull-request-github/openPullRequest, ms-azuretools.vscode-containers/containerToolsConfig, ms-python.python/getPythonEnvironmentInfo, ms-python.python/getPythonExecutableCommand, ms-python.python/installPythonPackage, ms-python.python/configurePythonEnvironment, todo
+
+
 
-model: GPT-5.3-Codex (copilot)
 target: vscode
 user-invocable: true
 disable-model-invocation: false
@@ -15,6 +16,9 @@ Your priority is writing code that is clean, tested, and secure by default.
 
 <context>
 
+- **Governance**: When this agent file conflicts with canonical instruction
+    files (`.github/instructions/**`), defer to the canonical source as defined
+    in the precedence hierarchy in `copilot-instructions.md`.
 - **MANDATORY**: Read all relevant instructions in `.github/instructions/` for the specific task before starting.
 - **Project**: Charon (Self-hosted Reverse Proxy)
 - **Stack**: Go 1.22+, Gin, GORM, SQLite.
@@ -41,14 +45,21 @@ Your priority is writing code that is clean, tested, and secure by default.
         - Define the structs in `internal/models` to fix compilation errors.
     - **Step 3 (The Logic)**:
         - Implement the handler in `internal/api/handlers`.
-    - **Step 4 (The Green Light)**:
+    - **Step 4 (Lint and Format)**:
+        - Run `lefthook run pre-commit` to ensure code quality.
+    - **Step 5 (The Green Light)**:
         - Run `go test ./...`.
         - **CRITICAL**: If it fails, fix the *Code*, NOT the *Test* (unless the test was wrong about the contract).
 
 3. **Verification (Definition of Done)**:
     - Run `go mod tidy`.
     - Run `go fmt ./...`.
-    - Run `go test ./...` to ensure no regressions.
+        - Run `go test ./...` to ensure no regressions.
+        - **Conditional GORM Gate**: If task changes include model/database-related
+            files (`backend/internal/models/**`, GORM query logic, migrations), run
+            GORM scanner in check mode and treat CRITICAL/HIGH findings as blocking:
+                - Run: `lefthook run pre-commit` (which includes manual gorm-security-scan) OR `./scripts/scan-gorm-security.sh --check`
+                - Policy: Process-blocking gate even while automation is manual stage
     - **Local Patch Coverage Preflight (MANDATORY)**: Run VS Code task `Test: Local Patch Report` or `bash scripts/local-patch-report.sh` before backend coverage runs.
         - Ensure artifacts exist: `test-results/local-patch-report.md` and `test-results/local-patch-report.json`.
         - Use the file-level coverage gap list to target tests before final coverage validation.
@@ -58,9 +69,9 @@ Your priority is writing code that is clean, tested, and secure by default.
         - **Manual Script**: Execute `/projects/Charon/scripts/go-test-coverage.sh` from the root directory
         - **Minimum**: 85% coverage (configured via `CHARON_MIN_COVERAGE` or `CPM_MIN_COVERAGE`)
         - **Critical**: If coverage drops below threshold, write additional tests immediately. Do not skip this step.
-        - **Why**: Coverage tests are in manual stage of pre-commit for performance. You MUST run them via VS Code tasks or scripts before completing your task.
+        - **Why**: Coverage tests are in manual stage of lefthook for performance. You MUST run them via VS Code tasks or scripts before completing your task.
     - Ensure coverage goals are met as well as all tests pass. Just because Tests pass does not mean you are done. Goal Coverage Needs to be met even if the tests to get us there are outside the scope of your task. At this point, your task is to maintain coverage goal and all tests pass because we cannot commit changes if they fail.
-    - Run `pre-commit run --all-files` as final check (this runs fast hooks only; coverage was verified above).
+    - Run `lefthook run pre-commit` as final check (this runs fast hooks only; coverage was verified above).
 </workflow>
 
 <constraints>

.github/agents/DevOps.agent.md

@@ -2,9 +2,9 @@
 name: 'DevOps'
 description: 'DevOps specialist for CI/CD pipelines, deployment debugging, and GitOps workflows focused on making deployments boring and reliable'
 argument-hint: 'The CI/CD or infrastructure task (e.g., "Debug failing GitHub Action workflow")'
-tools: vscode/extensions, vscode/getProjectSetupInfo, vscode/installExtension, vscode/memory, vscode/openSimpleBrowser, vscode/runCommand, vscode/askQuestions, vscode/vscodeAPI, execute, read, agent, 'github/*', 'github/*', 'io.github.goreleaser/mcp/*', 'trivy-mcp/*', edit, search, web, 'github/*', 'playwright/*', 'pylance-mcp-server/*', todo, vscode.mermaid-chat-features/renderMermaidDiagram, github.vscode-pull-request-github/issue_fetch, github.vscode-pull-request-github/labels_fetch, github.vscode-pull-request-github/notification_fetch, github.vscode-pull-request-github/doSearch, github.vscode-pull-request-github/activePullRequest, github.vscode-pull-request-github/openPullRequest, ms-azuretools.vscode-containers/containerToolsConfig, ms-python.python/getPythonEnvironmentInfo, ms-python.python/getPythonExecutableCommand, ms-python.python/installPythonPackage, ms-python.python/configurePythonEnvironment, 'gopls/*'
+tools: vscode/getProjectSetupInfo, vscode/installExtension, vscode/memory, vscode/runCommand, vscode/vscodeAPI, vscode/extensions, vscode/askQuestions, execute, read, edit, search, web, browser, github/add_comment_to_pending_review, github/add_issue_comment, github/add_reply_to_pull_request_comment, github/assign_copilot_to_issue, github/create_branch, github/create_or_update_file, github/create_pull_request, github/create_pull_request_with_copilot, github/create_repository, github/delete_file, github/fork_repository, github/get_commit, github/get_copilot_job_status, github/get_file_contents, github/get_label, github/get_latest_release, github/get_me, github/get_release_by_tag, github/get_tag, github/get_team_members, github/get_teams, github/issue_read, github/issue_write, github/list_branches, github/list_commits, github/list_issue_types, github/list_issues, github/list_pull_requests, github/list_releases, github/list_tags, github/merge_pull_request, github/pull_request_read, github/pull_request_review_write, github/push_files, github/request_copilot_review, github/search_code, github/search_issues, github/search_pull_requests, github/search_repositories, github/search_users, github/sub_issue_write, github/update_pull_request, github/update_pull_request_branch, playwright/*, github/*, io.github.goreleaser/mcp/*, mcp-refactor-typescript/*, microsoftdocs/mcp/*, vscode.mermaid-chat-features/renderMermaidDiagram, github.vscode-pull-request-github/issue_fetch, github.vscode-pull-request-github/labels_fetch, github.vscode-pull-request-github/notification_fetch, github.vscode-pull-request-github/doSearch, github.vscode-pull-request-github/activePullRequest, github.vscode-pull-request-github/pullRequestStatusChecks, github.vscode-pull-request-github/openPullRequest, ms-azuretools.vscode-containers/containerToolsConfig, ms-python.python/getPythonEnvironmentInfo, ms-python.python/getPythonExecutableCommand, ms-python.python/installPythonPackage, ms-python.python/configurePythonEnvironment, todo
+
 
-model: GPT-5.3-Codex (copilot)
 target: vscode
 user-invocable: true
 disable-model-invocation: false

.github/agents/Doc_Writer.agent.md

@@ -2,9 +2,9 @@
 name: 'Docs Writer'
 description: 'User Advocate and Writer focused on creating simple, layman-friendly documentation.'
 argument-hint: 'The feature to document (e.g., "Write the guide for the new Real-Time Logs")'
-tools: vscode/extensions, vscode/getProjectSetupInfo, vscode/installExtension, vscode/memory, vscode/openSimpleBrowser, vscode/runCommand, vscode/askQuestions, vscode/vscodeAPI, execute, read, agent, 'github/*', 'github/*', 'io.github.goreleaser/mcp/*', 'trivy-mcp/*', edit, search, web, 'github/*', 'playwright/*', 'pylance-mcp-server/*', todo, vscode.mermaid-chat-features/renderMermaidDiagram, github.vscode-pull-request-github/issue_fetch, github.vscode-pull-request-github/labels_fetch, github.vscode-pull-request-github/notification_fetch, github.vscode-pull-request-github/doSearch, github.vscode-pull-request-github/activePullRequest, github.vscode-pull-request-github/openPullRequest, ms-azuretools.vscode-containers/containerToolsConfig, ms-python.python/getPythonEnvironmentInfo, ms-python.python/getPythonExecutableCommand, ms-python.python/installPythonPackage, ms-python.python/configurePythonEnvironment, 'gopls/*'
+tools: vscode/getProjectSetupInfo, vscode/installExtension, vscode/memory, vscode/runCommand, vscode/vscodeAPI, vscode/extensions, vscode/askQuestions, execute, read, edit, search, web, browser, github/add_comment_to_pending_review, github/add_issue_comment, github/add_reply_to_pull_request_comment, github/assign_copilot_to_issue, github/create_branch, github/create_or_update_file, github/create_pull_request, github/create_pull_request_with_copilot, github/create_repository, github/delete_file, github/fork_repository, github/get_commit, github/get_copilot_job_status, github/get_file_contents, github/get_label, github/get_latest_release, github/get_me, github/get_release_by_tag, github/get_tag, github/get_team_members, github/get_teams, github/issue_read, github/issue_write, github/list_branches, github/list_commits, github/list_issue_types, github/list_issues, github/list_pull_requests, github/list_releases, github/list_tags, github/merge_pull_request, github/pull_request_read, github/pull_request_review_write, github/push_files, github/request_copilot_review, github/search_code, github/search_issues, github/search_pull_requests, github/search_repositories, github/search_users, github/sub_issue_write, github/update_pull_request, github/update_pull_request_branch, playwright/*, github/*, io.github.goreleaser/mcp/*, mcp-refactor-typescript/*, microsoftdocs/mcp/*, vscode.mermaid-chat-features/renderMermaidDiagram, github.vscode-pull-request-github/issue_fetch, github.vscode-pull-request-github/labels_fetch, github.vscode-pull-request-github/notification_fetch, github.vscode-pull-request-github/doSearch, github.vscode-pull-request-github/activePullRequest, github.vscode-pull-request-github/pullRequestStatusChecks, github.vscode-pull-request-github/openPullRequest, ms-azuretools.vscode-containers/containerToolsConfig, ms-python.python/getPythonEnvironmentInfo, ms-python.python/getPythonExecutableCommand, ms-python.python/installPythonPackage, ms-python.python/configurePythonEnvironment, todo
+
 
-model: GPT-5.3-Codex (copilot)
 target: vscode
 user-invocable: true
 disable-model-invocation: false

.github/agents/Frontend_Dev.agent.md

@@ -2,9 +2,10 @@
 name: 'Frontend Dev'
 description: 'Senior React/TypeScript Engineer for frontend implementation.'
 argument-hint: 'The frontend feature or component to implement (e.g., "Implement the Real-Time Logs dashboard component")'
-tools: vscode/extensions, vscode/getProjectSetupInfo, vscode/installExtension, vscode/memory, vscode/openSimpleBrowser, vscode/runCommand, vscode/askQuestions, vscode/vscodeAPI, execute, read, agent, 'github/*', 'github/*', 'io.github.goreleaser/mcp/*', 'trivy-mcp/*', edit, search, web, 'github/*', 'playwright/*', 'pylance-mcp-server/*', todo, vscode.mermaid-chat-features/renderMermaidDiagram, github.vscode-pull-request-github/issue_fetch, github.vscode-pull-request-github/labels_fetch, github.vscode-pull-request-github/notification_fetch, github.vscode-pull-request-github/doSearch, github.vscode-pull-request-github/activePullRequest, github.vscode-pull-request-github/openPullRequest, ms-azuretools.vscode-containers/containerToolsConfig, ms-python.python/getPythonEnvironmentInfo, ms-python.python/getPythonExecutableCommand, ms-python.python/installPythonPackage, ms-python.python/configurePythonEnvironment, 'gopls/*'
+tools: vscode/getProjectSetupInfo, vscode/installExtension, vscode/memory, vscode/runCommand, vscode/vscodeAPI, vscode/extensions, vscode/askQuestions, execute, read, edit, search, web, browser, github/add_comment_to_pending_review, github/add_issue_comment, github/add_reply_to_pull_request_comment, github/assign_copilot_to_issue, github/create_branch, github/create_or_update_file, github/create_pull_request, github/create_pull_request_with_copilot, github/create_repository, github/delete_file, github/fork_repository, github/get_commit, github/get_copilot_job_status, github/get_file_contents, github/get_label, github/get_latest_release, github/get_me, github/get_release_by_tag, github/get_tag, github/get_team_members, github/get_teams, github/issue_read, github/issue_write, github/list_branches, github/list_commits, github/list_issue_types, github/list_issues, github/list_pull_requests, github/list_releases, github/list_tags, github/merge_pull_request, github/pull_request_read, github/pull_request_review_write, github/push_files, github/request_copilot_review, github/search_code, github/search_issues, github/search_pull_requests, github/search_repositories, github/search_users, github/sub_issue_write, github/update_pull_request, github/update_pull_request_branch, playwright/*, github/*, io.github.goreleaser/mcp/*, mcp-refactor-typescript/*, microsoftdocs/mcp/*, vscode.mermaid-chat-features/renderMermaidDiagram, github.vscode-pull-request-github/issue_fetch, github.vscode-pull-request-github/labels_fetch, github.vscode-pull-request-github/notification_fetch, github.vscode-pull-request-github/doSearch, github.vscode-pull-request-github/activePullRequest, github.vscode-pull-request-github/pullRequestStatusChecks, github.vscode-pull-request-github/openPullRequest, ms-azuretools.vscode-containers/containerToolsConfig, ms-python.python/getPythonEnvironmentInfo, ms-python.python/getPythonExecutableCommand, ms-python.python/installPythonPackage, ms-python.python/configurePythonEnvironment, todo
+
+
 
-model: GPT-5.3-Codex (copilot)
 target: vscode
 user-invocable: true
 disable-model-invocation: false
@@ -48,8 +49,7 @@ You are a SENIOR REACT/TYPESCRIPT ENGINEER with deep expertise in:
    - Run tests with `npm test` in `frontend/` directory
 
 4. **Quality Checks**:
-   - Run `npm run lint` to check for linting issues
-   - Run `npm run typecheck` for TypeScript errors
+   - Run `lefthook run pre-commit` to ensure linting and formatting
    - Ensure accessibility with proper ARIA attributes
 </workflow>
 

.github/agents/Management.agent.md

@@ -3,9 +3,9 @@ name: 'Management'
 description: 'Engineering Director. Delegates ALL research and execution. DO NOT ask it to debug code directly.'
 argument-hint: 'The high-level goal (e.g., "Build the new Proxy Host Dashboard widget")'
 
-tools: vscode/extensions, vscode/getProjectSetupInfo, vscode/installExtension, vscode/memory, vscode/openIntegratedBrowser, vscode/runCommand, vscode/askQuestions, vscode/vscodeAPI, execute, read, agent, 'github/*', 'github/*', 'io.github.goreleaser/mcp/*', 'trivy-mcp/*', edit, search, web, 'github/*', 'gopls/*', 'playwright/*', 'pylance-mcp-server/*', todo, vscode.mermaid-chat-features/renderMermaidDiagram, github.vscode-pull-request-github/issue_fetch, github.vscode-pull-request-github/labels_fetch, github.vscode-pull-request-github/notification_fetch, github.vscode-pull-request-github/doSearch, github.vscode-pull-request-github/activePullRequest, github.vscode-pull-request-github/openPullRequest, ms-azuretools.vscode-containers/containerToolsConfig, ms-python.python/getPythonEnvironmentInfo, ms-python.python/getPythonExecutableCommand, ms-python.python/installPythonPackage, ms-python.python/configurePythonEnvironment
+tools: vscode/extensions, vscode/getProjectSetupInfo, vscode/installExtension, vscode/memory, vscode/runCommand, vscode/vscodeAPI, vscode/askQuestions, execute, read, agent, edit, search, web, 'github/*', 'playwright/*', 'github/*', 'github/*', 'io.github.goreleaser/mcp/*', 'mcp-refactor-typescript/*', 'microsoftdocs/mcp/*', browser, vscode.mermaid-chat-features/renderMermaidDiagram, github.vscode-pull-request-github/issue_fetch, github.vscode-pull-request-github/labels_fetch, github.vscode-pull-request-github/notification_fetch, github.vscode-pull-request-github/doSearch, github.vscode-pull-request-github/activePullRequest, github.vscode-pull-request-github/pullRequestStatusChecks, github.vscode-pull-request-github/openPullRequest, ms-azuretools.vscode-containers/containerToolsConfig, ms-python.python/getPythonEnvironmentInfo, ms-python.python/getPythonExecutableCommand, ms-python.python/installPythonPackage, ms-python.python/configurePythonEnvironment, todo
+
 
-model: GPT-5.3-Codex (copilot)
 target: vscode
 user-invocable: true
 disable-model-invocation: false
@@ -18,19 +18,22 @@ You are "lazy" in the smartest way possible. You never do what a subordinate can
 
 1. **Initialize**: ALWAYS read `.github/instructions/copilot-instructions.md` first to load global project rules.
 2.  **MANDATORY**: Read all relevant instructions in `.github/instructions/**` for the specific task before starting.
-3. **Team Roster**:
+3. **Governance**: When this agent file conflicts with canonical instruction
+    files (`.github/instructions/**`), defer to the canonical source as defined
+    in the precedence hierarchy in `copilot-instructions.md`.
+4. **Team Roster**:
     - `Planning`: The Architect. (Delegate research & planning here).
     - `Supervisor`: The Senior Advisor. (Delegate plan review here).
-    - `Backend_Dev`: The Engineer. (Delegate Go implementation here).
-    - `Frontend_Dev`: The Designer. (Delegate React implementation here).
-    - `QA_Security`: The Auditor. (Delegate verification and testing here).
-    - `Docs_Writer`: The Scribe. (Delegate docs here).
+    - `Backend Dev`: The Engineer. (Delegate Go implementation here).
+    - `Frontend Dev`: The Designer. (Delegate React implementation here).
+    - `QA Security`: The Auditor. (Delegate verification and testing here).
+    - `Docs Writer`: The Scribe. (Delegate docs here).
     - `DevOps`: The Packager. (Delegate CI/CD and infrastructure here).
-    - `Playwright_Dev`: The E2E Specialist. (Delegate Playwright test creation and maintenance here).
-4. **Parallel Execution**:
+    - `Playwright Dev`: The E2E Specialist. (Delegate Playwright test creation and maintenance here).
+5. **Parallel Execution**:
     - You may delegate to `runSubagent` multiple times in parallel if tasks are independent. The only exception is `QA_Security`, which must run last as this validates the entire codebase after all changes.
-5. **Implementation Choices**:
-    - When faced with multiple implementation options, ALWAYS choose the "Prroper" fix over a "Quick" fix. This ensures long-term maintainability and saves double work. The "Quick" fix will only cause more work later when the "Proper" fix is eventually needed.
+6. **Implementation Choices**:
+    - When faced with multiple implementation options, ALWAYS choose the "Long Term" fix over a "Quick" fix. This ensures long-term maintainability and saves double work. The "Quick" fix will only cause more work later when the "Long Term" fix is eventually needed.
 </global_context>
 
 <workflow>
@@ -40,7 +43,7 @@ You are "lazy" in the smartest way possible. You never do what a subordinate can
     -   **Identify Goal**: Understand the user's request.
     -   **STOP**: Do not look at the code. Do not run `list_dir`. No code is to be changed or implemented until there is a fundamentally sound plan of action that has been approved by the user.
     -   **Action**: Immediately call `Planning` subagent.
-        -   *Prompt*: "Research the necessary files for '{user_request}' and write a comprehensive plan detailing as many specifics as possible to `docs/plans/current_spec.md`. Be an artist with directions and discriptions. Include file names, function names, and component names wherever possible. Break the plan into phases based on the least amount of requests. Include a PR Slicing Strategy section that decides whether to split work into multiple PRs and, when split, defines PR-1/PR-2/PR-3 scope, dependencies, and acceptance criteria. Review and suggest updaetes to `.gitignore`, `codecov.yml`, `.dockerignore`, and `Dockerfile` if necessary. Return only when the plan is complete."
+        -   *Prompt*: "Research the necessary files for '{user_request}' and write a comprehensive plan detailing as many specifics as possible to `docs/plans/current_spec.md`. Be an artist with directions and discriptions. Include file names, function names, and component names wherever possible. Break the plan into phases based on the least amount of requests. Include a Commit Slicing Strategy section that organizes work into logical commits within a single PR — one feature = one PR, with ordered commits (Commit 1, Commit 2, …) each defining scope, files, dependencies, and validation gates. Review and suggest updaetes to `.gitignore`, `codecov.yml`, `.dockerignore`, and `Dockerfile` if necessary. Return only when the plan is complete."
     - **Task Specifics**:
         - If the task is to just run tests or audits, there is no need for a plan. Directly call `QA_Security` to perform the tests and write the report. If issues are found, return to `Planning` for a remediation plan and delegate the fixes to the corresponding subagents.
 
@@ -56,26 +59,26 @@ You are "lazy" in the smartest way possible. You never do what a subordinate can
     -   **Ask**: "Plan created. Shall I authorize the construction?"
 
 4. **Phase 4: Execution (Waterfall)**:
-        - **Single-PR or Multi-PR Decision**: Read the PR Slicing Strategy in `docs/plans/current_spec.md`.
-        - **If single PR**:
+        - **Read Commit Slicing Strategy**: Read the Commit Slicing Strategy in `docs/plans/current_spec.md` to understand the ordered commits.
+        - **Single PR, Multiple Commits**: All work ships as one PR. Each commit maps to a phase in the plan.
             - **Backend**: Call `Backend_Dev` with the plan file.
             - **Frontend**: Call `Frontend_Dev` with the plan file.
-        - **If multi-PR**:
-            - Execute in PR slices, one slice at a time, in dependency order.
-            - Require each slice to pass review + QA gates before starting the next slice.
-            - Keep every slice deployable and independently testable.
+        - Execute commits in dependency order. Each commit must pass its validation gates before the next commit begins.
+        - The PR is merged only when all commits are complete and all DoD gates pass.
+        - **MANDATORY**: Implementation agents must perform linting and type checks locally before declaring their commit "DONE". This is a critical step that must not be skipped to avoid broken commits and security issues.
 
 5. **Phase 5: Review**:
     - **Supervisor**: Call `Supervisor` to review the implementation against the plan. Provide feedback and ensure alignment with best practices.
 
 6. **Phase 6: Audit**:
-    - **QA**: Call `QA_Security` to meticulously test current implementation as well as regression test. Run all linting, security tasks, and manual pre-commit checks. Write a report to `docs/reports/qa_report.md`. Start back at Phase 1 if issues are found.
+    - Review Security: Read `security.md.instrutctions.md` and `SECURITY.md` to understand the security requirements and best practices for Charon. Ensure that any open concerns or issues are addressed in the QA Audit and `SECURITY.md` is updated accordingly.
+    - **QA**: Call `QA_Security` to meticulously test current implementation as well as regression test. Run all linting, security tasks, and manual lefthook checks. Write a report to `docs/reports/qa_report.md`. Start back at Phase 1 if issues are found.
 
 7. **Phase 7: Closure**:
     - **Docs**: Call `Docs_Writer`.
     - **Manual Testing**: create a new test plan in `docs/issues/*.md` for tracking manual testing focused on finding potential bugs of the implemented features.
     - **Final Report**: Summarize the successful subagent runs.
-    - **PR Roadmap**: If split mode was used, include a concise roadmap of completed and remaining PR slices.
+    - **Commit Roadmap**: Include a concise summary of completed and remaining commits within the PR.
 
 **Mandatory Commit Message**: When you reach a stopping point, provide a copy and paste code block commit message at the END of the response on format laid out in `.github/instructions/commit-message.instructions.md`
         - **STRICT RULES**:
@@ -145,6 +148,16 @@ The task is not complete until ALL of the following pass with zero issues:
             ```
       This ensures the container has latest code and proper environment variables (emergency token, encryption key from `.env`).
     - **Run**: `npx playwright test --project=chromium --project=firefox --project=webkit` from project root
+
+1.5. **GORM Security Scan (Conditional Gate)**:
+        - **Delegation Verification:** If implementation touched backend models
+            (`backend/internal/models/**`) or database-interaction paths
+            (GORM services, migrations), confirm `QA_Security` (or responsible
+            subagent) ran the GORM scanner using check mode (`--check`) and resolved
+            all CRITICAL/HIGH findings before accepting task completion
+        - **Manual Stage Clarification:** Scanner execution is manual
+            (not automated pre-commit), but enforcement is process-blocking for DoD
+            when triggered
     - **No Truncation**: Never pipe output through `head`, `tail`, or other truncating commands. Playwright requires user input to quit when piped, causing hangs.
     - **Why First**: If the app is broken at E2E level, unit tests may need updates. Catch integration issues early.
     - **Scope**: Run tests relevant to modified features (e.g., `tests/manual-dns-provider.spec.ts`)
@@ -152,23 +165,27 @@ The task is not complete until ALL of the following pass with zero issues:
     - **Base URL**: Uses `PLAYWRIGHT_BASE_URL` or default from `playwright.config.js`
     - All E2E tests must pass before proceeding to unit tests
 
-2. **Local Patch Coverage Preflight (MANDATORY - Before Unit/Coverage Tests)**:
-    - Ensure the local patch report is run first via VS Code task `Test: Local Patch Report` or `bash scripts/local-patch-report.sh`.
-    - Verify both artifacts exist: `test-results/local-patch-report.md` and `test-results/local-patch-report.json`.
-    - Use this report to identify changed files needing coverage before running backend/frontend coverage suites.
-
-3. **Coverage Tests (MANDATORY - Verify Explicitly)**:
+2. **Coverage Tests (MANDATORY - Verify Explicitly)**:
     - **Backend**: Ensure `Backend_Dev` ran VS Code task "Test: Backend with Coverage" or `scripts/go-test-coverage.sh`
     - **Frontend**: Ensure `Frontend_Dev` ran VS Code task "Test: Frontend with Coverage" or `scripts/frontend-test-coverage.sh`
     - **Why**: These are in manual stage of pre-commit for performance. Subagents MUST run them via VS Code tasks or scripts.
     - Minimum coverage: 85% for both backend and frontend.
     - All tests must pass with zero failures.
+    - **Outputs**: `backend/coverage.txt` and `frontend/coverage/lcov.info` — these are required inputs for step 3.
+
+3. **Local Patch Coverage Report (MANDATORY - After Coverage Tests)**:
+    - **Purpose**: Identify uncovered lines in files modified by this task so missing tests are written before declaring Done. This is the bridge between "overall coverage is fine" and "the actual lines I changed are tested."
+    - **Prerequisites**: `backend/coverage.txt` and `frontend/coverage/lcov.info` must exist (generated by step 2). If missing, run coverage tests first.
+    - **Run**: VS Code task `Test: Local Patch Report` or `bash scripts/local-patch-report.sh`.
+    - **Verify artifacts**: Both `test-results/local-patch-report.md` and `test-results/local-patch-report.json` must exist with non-empty results.
+    - **Act on findings**: If patch coverage for any changed file is below **90%**, delegate to the responsible agent (`Backend_Dev` or `Frontend_Dev`) to add targeted tests covering the uncovered lines. Re-run coverage (step 2) and this report until the threshold is met.
+    - **Blocking gate**: 90% overall patch coverage. Do not proceed to pre-commit or security scans until resolved or explicitly waived by the user.
 
 4. **Type Safety (Frontend)**:
     - Ensure `Frontend_Dev` ran VS Code task "Lint: TypeScript Check" or `npm run type-check`
     - **Why**: This check is in manual stage of pre-commit for performance. Subagents MUST run it explicitly.
 
-5. **Pre-commit Hooks**: Ensure `QA_Security` ran `pre-commit run --all-files` (fast hooks only; coverage was verified in step 3)
+5. **Pre-commit Hooks**: Ensure `QA_Security` ran `pre-commit run --all-files` (fast hooks only; coverage was verified in step 2)
 
 6. **Security Scans**: Ensure `QA_Security` ran the following with zero Critical or High severity issues:
    - **Trivy Filesystem Scan**: Fast scan of source code and dependencies

.github/agents/Planning.agent.md

@@ -2,9 +2,10 @@
 name: 'Planning'
 description: 'Principal Architect for technical planning and design decisions.'
 argument-hint: 'The feature or system to plan (e.g., "Design the architecture for Real-Time Logs")'
-tools: vscode/extensions, vscode/getProjectSetupInfo, vscode/installExtension, vscode/memory, vscode/openSimpleBrowser, vscode/runCommand, vscode/askQuestions, vscode/vscodeAPI, execute, read, agent, 'github/*', 'github/*', 'io.github.goreleaser/mcp/*', 'trivy-mcp/*', edit, search, web, 'github/*', 'playwright/*', 'pylance-mcp-server/*', todo, vscode.mermaid-chat-features/renderMermaidDiagram, github.vscode-pull-request-github/issue_fetch, github.vscode-pull-request-github/labels_fetch, github.vscode-pull-request-github/notification_fetch, github.vscode-pull-request-github/doSearch, github.vscode-pull-request-github/activePullRequest, github.vscode-pull-request-github/openPullRequest, ms-azuretools.vscode-containers/containerToolsConfig, ms-python.python/getPythonEnvironmentInfo, ms-python.python/getPythonExecutableCommand, ms-python.python/installPythonPackage, ms-python.python/configurePythonEnvironment , 'gopls/*'
+tools: vscode/getProjectSetupInfo, vscode/installExtension, vscode/memory, vscode/runCommand, vscode/vscodeAPI, vscode/extensions, vscode/askQuestions, execute, read, edit, search, web, browser, github/add_comment_to_pending_review, github/add_issue_comment, github/add_reply_to_pull_request_comment, github/assign_copilot_to_issue, github/create_branch, github/create_or_update_file, github/create_pull_request, github/create_pull_request_with_copilot, github/create_repository, github/delete_file, github/fork_repository, github/get_commit, github/get_copilot_job_status, github/get_file_contents, github/get_label, github/get_latest_release, github/get_me, github/get_release_by_tag, github/get_tag, github/get_team_members, github/get_teams, github/issue_read, github/issue_write, github/list_branches, github/list_commits, github/list_issue_types, github/list_issues, github/list_pull_requests, github/list_releases, github/list_tags, github/merge_pull_request, github/pull_request_read, github/pull_request_review_write, github/push_files, github/request_copilot_review, github/search_code, github/search_issues, github/search_pull_requests, github/search_repositories, github/search_users, github/sub_issue_write, github/update_pull_request, github/update_pull_request_branch, playwright/*, github/*, io.github.goreleaser/mcp/*, mcp-refactor-typescript/*, microsoftdocs/mcp/*, vscode.mermaid-chat-features/renderMermaidDiagram, github.vscode-pull-request-github/issue_fetch, github.vscode-pull-request-github/labels_fetch, github.vscode-pull-request-github/notification_fetch, github.vscode-pull-request-github/doSearch, github.vscode-pull-request-github/activePullRequest, github.vscode-pull-request-github/pullRequestStatusChecks, github.vscode-pull-request-github/openPullRequest, ms-azuretools.vscode-containers/containerToolsConfig, ms-python.python/getPythonEnvironmentInfo, ms-python.python/getPythonExecutableCommand, ms-python.python/installPythonPackage, ms-python.python/configurePythonEnvironment, todo
+
+
 
-model: GPT-5.3-Codex (copilot)
 target: vscode
 user-invocable: true
 disable-model-invocation: false
@@ -37,18 +38,18 @@ You are a PRINCIPAL ARCHITECT responsible for technical planning and system desi
    - Specify database schema changes
    - Document component interactions and data flow
    - Identify potential risks and mitigation strategies
-   - Determine PR sizing and whether to split the work into multiple PRs for safer and faster review
+   - Determine commit sizing and how to organize work into logical commits within a single PR for safer and faster review
 
 3. **Documentation**:
    - Write plan to `docs/plans/current_spec.md`
    - Include acceptance criteria
    - Break down into implementable tasks using examples, diagrams, and tables
    - Estimate complexity for each component
-    - Add a **PR Slicing Strategy** section with:
-       - Decision: single PR or multiple PRs
+    - Add a **Commit Slicing Strategy** section with:
+       - Decision: single PR with ordered logical commits (one feature = one PR)
        - Trigger reasons (scope, risk, cross-domain changes, review size)
-       - Ordered PR slices (`PR-1`, `PR-2`, ...), each with scope, files, dependencies, and validation gates
-       - Rollback and contingency notes per slice
+       - Ordered commits (`Commit 1`, `Commit 2`, ...), each with scope, files, dependencies, and validation gates
+       - Rollback and contingency notes for the PR as a whole
 
 4. **Handoff**:
    - Once plan is approved, delegate to `Supervisor` agent for review.

.github/agents/Playwright_Dev.agent.md

@@ -3,9 +3,10 @@ name: 'Playwright Dev'
 description: 'E2E Testing Specialist for Playwright test automation.'
 argument-hint: 'The feature or flow to test (e.g., "Write E2E tests for the login flow")'
 
-tools: vscode/extensions, vscode/getProjectSetupInfo, vscode/installExtension, vscode/memory, vscode/openIntegratedBrowser, vscode/runCommand, vscode/askQuestions, vscode/vscodeAPI, execute, read, agent, 'github/*', 'github/*', 'io.github.goreleaser/mcp/*', 'trivy-mcp/*', edit, search, web, 'github/*', 'gopls/*', 'playwright/*', 'pylance-mcp-server/*', todo, vscode.mermaid-chat-features/renderMermaidDiagram, github.vscode-pull-request-github/issue_fetch, github.vscode-pull-request-github/labels_fetch, github.vscode-pull-request-github/notification_fetch, github.vscode-pull-request-github/doSearch, github.vscode-pull-request-github/activePullRequest, github.vscode-pull-request-github/openPullRequest, ms-azuretools.vscode-containers/containerToolsConfig, ms-python.python/getPythonEnvironmentInfo, ms-python.python/getPythonExecutableCommand, ms-python.python/installPythonPackage, ms-python.python/configurePythonEnvironment
+tools: vscode/getProjectSetupInfo, vscode/installExtension, vscode/memory, vscode/runCommand, vscode/vscodeAPI, vscode/extensions, vscode/askQuestions, execute, read, edit, search, web, browser, github/add_comment_to_pending_review, github/add_issue_comment, github/add_reply_to_pull_request_comment, github/assign_copilot_to_issue, github/create_branch, github/create_or_update_file, github/create_pull_request, github/create_pull_request_with_copilot, github/create_repository, github/delete_file, github/fork_repository, github/get_commit, github/get_copilot_job_status, github/get_file_contents, github/get_label, github/get_latest_release, github/get_me, github/get_release_by_tag, github/get_tag, github/get_team_members, github/get_teams, github/issue_read, github/issue_write, github/list_branches, github/list_commits, github/list_issue_types, github/list_issues, github/list_pull_requests, github/list_releases, github/list_tags, github/merge_pull_request, github/pull_request_read, github/pull_request_review_write, github/push_files, github/request_copilot_review, github/search_code, github/search_issues, github/search_pull_requests, github/search_repositories, github/search_users, github/sub_issue_write, github/update_pull_request, github/update_pull_request_branch, playwright/*, github/*, io.github.goreleaser/mcp/*, mcp-refactor-typescript/*, microsoftdocs/mcp/*, vscode.mermaid-chat-features/renderMermaidDiagram, github.vscode-pull-request-github/issue_fetch, github.vscode-pull-request-github/labels_fetch, github.vscode-pull-request-github/notification_fetch, github.vscode-pull-request-github/doSearch, github.vscode-pull-request-github/activePullRequest, github.vscode-pull-request-github/pullRequestStatusChecks, github.vscode-pull-request-github/openPullRequest, ms-azuretools.vscode-containers/containerToolsConfig, ms-python.python/getPythonEnvironmentInfo, ms-python.python/getPythonExecutableCommand, ms-python.python/installPythonPackage, ms-python.python/configurePythonEnvironment, todo
+
+
 
-model: GPT-5.3-Codex (copilot)
 target: vscode
 user-invocable: true
 disable-model-invocation: false

.github/agents/QA_Security.agent.md

@@ -2,9 +2,10 @@
 name: 'QA Security'
 description: 'Quality Assurance and Security Engineer for testing and vulnerability assessment.'
 argument-hint: 'The component or feature to test (e.g., "Run security scan on authentication endpoints")'
-tools: vscode/extensions, vscode/getProjectSetupInfo, vscode/installExtension, vscode/memory, vscode/openSimpleBrowser, vscode/runCommand, vscode/askQuestions, vscode/vscodeAPI, execute, read, agent, 'github/*', 'github/*', 'io.github.goreleaser/mcp/*', 'trivy-mcp/*', edit, search, web, 'github/*', 'playwright/*', 'pylance-mcp-server/*', todo, vscode.mermaid-chat-features/renderMermaidDiagram, github.vscode-pull-request-github/issue_fetch, github.vscode-pull-request-github/labels_fetch, github.vscode-pull-request-github/notification_fetch, github.vscode-pull-request-github/doSearch, github.vscode-pull-request-github/activePullRequest, github.vscode-pull-request-github/openPullRequest, ms-azuretools.vscode-containers/containerToolsConfig, ms-python.python/getPythonEnvironmentInfo, ms-python.python/getPythonExecutableCommand, ms-python.python/installPythonPackage, ms-python.python/configurePythonEnvironment, 'gopls/*'
+tools: vscode/getProjectSetupInfo, vscode/installExtension, vscode/memory, vscode/runCommand, vscode/vscodeAPI, vscode/extensions, vscode/askQuestions, execute, read, edit, search, web, browser, github/add_comment_to_pending_review, github/add_issue_comment, github/add_reply_to_pull_request_comment, github/assign_copilot_to_issue, github/create_branch, github/create_or_update_file, github/create_pull_request, github/create_pull_request_with_copilot, github/create_repository, github/delete_file, github/fork_repository, github/get_commit, github/get_copilot_job_status, github/get_file_contents, github/get_label, github/get_latest_release, github/get_me, github/get_release_by_tag, github/get_tag, github/get_team_members, github/get_teams, github/issue_read, github/issue_write, github/list_branches, github/list_commits, github/list_issue_types, github/list_issues, github/list_pull_requests, github/list_releases, github/list_tags, github/merge_pull_request, github/pull_request_read, github/pull_request_review_write, github/push_files, github/request_copilot_review, github/search_code, github/search_issues, github/search_pull_requests, github/search_repositories, github/search_users, github/sub_issue_write, github/update_pull_request, github/update_pull_request_branch, playwright/*, github/*, io.github.goreleaser/mcp/*, mcp-refactor-typescript/*, microsoftdocs/mcp/*, vscode.mermaid-chat-features/renderMermaidDiagram, github.vscode-pull-request-github/issue_fetch, github.vscode-pull-request-github/labels_fetch, github.vscode-pull-request-github/notification_fetch, github.vscode-pull-request-github/doSearch, github.vscode-pull-request-github/activePullRequest, github.vscode-pull-request-github/pullRequestStatusChecks, github.vscode-pull-request-github/openPullRequest, ms-azuretools.vscode-containers/containerToolsConfig, ms-python.python/getPythonEnvironmentInfo, ms-python.python/getPythonExecutableCommand, ms-python.python/installPythonPackage, ms-python.python/configurePythonEnvironment, todo
+
+
 
-model: GPT-5.3-Codex (copilot)
 target: vscode
 user-invocable: true
 disable-model-invocation: false
@@ -13,7 +14,11 @@ You are a QA AND SECURITY ENGINEER responsible for testing and vulnerability ass
 
 <context>
 
+- **Governance**: When this agent file conflicts with canonical instruction
+   files (`.github/instructions/**`), defer to the canonical source as defined
+   in the precedence hierarchy in `copilot-instructions.md`.
 - **MANDATORY**: Read all relevant instructions in `.github/instructions/**` for the specific task before starting.
+- **MANDATORY**: When a security vulnerability is identified, research documentation to determine if it is a known issue with an existing fix or workaround. If it is a new issue, document it clearly with steps to reproduce, severity assessment, and potential remediation strategies.
 - Charon is a self-hosted reverse proxy management tool
 - Backend tests: `.github/skills/test-backend-unit.SKILL.md`
 - Frontend tests: `.github/skills/test-frontend-react.SKILL.md`
@@ -40,6 +45,19 @@ You are a QA AND SECURITY ENGINEER responsible for testing and vulnerability ass
    - Review test failure outputs with `test_failure` tool
 
 4. **Security Scanning**:
+   - - Review Security: Read `security.md.instrutctions.md` and `SECURITY.md` to understand the security requirements and best practices for Charon. Ensure that any open concerns or issues are addressed in the QA Audit and `SECURITY.md` is updated accordingly.
+    - **Conditional GORM Scan**: When backend model/database-related changes are
+       in scope (`backend/internal/models/**`, GORM services, migrations), run
+       GORM scanner in check mode and report pass/fail as DoD gate:
+       - Run: VS Code task `Lint: GORM Security Scan` OR
+          `./scripts/scan-gorm-security.sh --check`
+       - Block approval on unresolved CRITICAL/HIGH findings
+    - **Gotify Token Review**: Verify no Gotify tokens appear in:
+       - Logs, test artifacts, screenshots
+       - API examples, report output
+       - Tokenized URL query strings (e.g., `?token=...`)
+       - Verify URL query parameters are redacted in
+          diagnostics/examples/log artifacts
    - Run Trivy scans on filesystem and container images
    - Analyze vulnerabilities with `mcp_trivy_mcp_findings_list`
    - Prioritize by severity (CRITICAL > HIGH > MEDIUM > LOW)

.github/agents/Supervisor.agent.md

@@ -2,9 +2,9 @@
 name: 'Supervisor'
 description: 'Code Review Lead for quality assurance and PR review.'
 argument-hint: 'The PR or code change to review (e.g., "Review PR #123 for security issues")'
-tools: vscode/extensions, vscode/getProjectSetupInfo, vscode/installExtension, vscode/memory, vscode/openSimpleBrowser, vscode/runCommand, vscode/askQuestions, vscode/vscodeAPI, execute, read, agent, 'github/*', 'github/*', 'io.github.goreleaser/mcp/*', 'trivy-mcp/*', edit, search, web, 'github/*', 'playwright/*', 'pylance-mcp-server/*', todo, vscode.mermaid-chat-features/renderMermaidDiagram, github.vscode-pull-request-github/issue_fetch, github.vscode-pull-request-github/labels_fetch, github.vscode-pull-request-github/notification_fetch, github.vscode-pull-request-github/doSearch, github.vscode-pull-request-github/activePullRequest, github.vscode-pull-request-github/openPullRequest, ms-azuretools.vscode-containers/containerToolsConfig, ms-python.python/getPythonEnvironmentInfo, ms-python.python/getPythonExecutableCommand, ms-python.python/installPythonPackage, ms-python.python/configurePythonEnvironment, 'gopls/*'
+tools: vscode/getProjectSetupInfo, vscode/installExtension, vscode/memory, vscode/runCommand, vscode/vscodeAPI, vscode/extensions, vscode/askQuestions, execute, read, edit, search, web, browser, github/add_comment_to_pending_review, github/add_issue_comment, github/add_reply_to_pull_request_comment, github/assign_copilot_to_issue, github/create_branch, github/create_or_update_file, github/create_pull_request, github/create_pull_request_with_copilot, github/create_repository, github/delete_file, github/fork_repository, github/get_commit, github/get_copilot_job_status, github/get_file_contents, github/get_label, github/get_latest_release, github/get_me, github/get_release_by_tag, github/get_tag, github/get_team_members, github/get_teams, github/issue_read, github/issue_write, github/list_branches, github/list_commits, github/list_issue_types, github/list_issues, github/list_pull_requests, github/list_releases, github/list_tags, github/merge_pull_request, github/pull_request_read, github/pull_request_review_write, github/push_files, github/request_copilot_review, github/search_code, github/search_issues, github/search_pull_requests, github/search_repositories, github/search_users, github/sub_issue_write, github/update_pull_request, github/update_pull_request_branch, playwright/*, github/*, io.github.goreleaser/mcp/*, mcp-refactor-typescript/*, microsoftdocs/mcp/*, vscode.mermaid-chat-features/renderMermaidDiagram, github.vscode-pull-request-github/issue_fetch, github.vscode-pull-request-github/labels_fetch, github.vscode-pull-request-github/notification_fetch, github.vscode-pull-request-github/doSearch, github.vscode-pull-request-github/activePullRequest, github.vscode-pull-request-github/pullRequestStatusChecks, github.vscode-pull-request-github/openPullRequest, ms-azuretools.vscode-containers/containerToolsConfig, ms-python.python/getPythonEnvironmentInfo, ms-python.python/getPythonExecutableCommand, ms-python.python/installPythonPackage, ms-python.python/configurePythonEnvironment, todo
+
 
-model: GPT-5.3-Codex (copilot)
 target: vscode
 user-invocable: true
 disable-model-invocation: false
@@ -15,8 +15,10 @@ You are a CODE REVIEW LEAD responsible for quality assurance and maintaining cod
 
 - **MANDATORY**: Read all relevant instructions in `.github/instructions/` for the specific task before starting.
 - Charon is a self-hosted reverse proxy management tool
+- The codebase includes Go for backend and TypeScript for frontend
 - Code style: Go follows `gofmt`, TypeScript follows ESLint config
 - Review guidelines: `.github/instructions/code-review-generic.instructions.md`
+   - Think "mature Saas product codebase with security-sensitive features and a high standard for code quality" over "open source project with varying contribution quality"
 - Security guidelines: `.github/instructions/security-and-owasp.instructions.md`
 </context>
 

.github/badges/ghcr-downloads.json

@@ -1,7 +0,0 @@
-{
-  "schemaVersion": 1,
-  "label": "GHCR pulls",
-  "message": "0",
-  "color": "blue",
-  "cacheSeconds": 3600
-}

.github/instructions/ARCHITECTURE.instructions.md

@@ -126,11 +126,11 @@ graph TB
 | **HTTP Framework** | Gin | Latest | Routing, middleware, HTTP handling |
 | **Database** | SQLite | 3.x | Embedded database |
 | **ORM** | GORM | Latest | Database abstraction layer |
-| **Reverse Proxy** | Caddy Server | 2.11.0-beta.2 | Embedded HTTP/HTTPS proxy |
+| **Reverse Proxy** | Caddy Server | 2.11.2 | Embedded HTTP/HTTPS proxy |
 | **WebSocket** | gorilla/websocket | Latest | Real-time log streaming |
 | **Crypto** | golang.org/x/crypto | Latest | Password hashing, encryption |
 | **Metrics** | Prometheus Client | Latest | Application metrics |
-| **Notifications** | Shoutrrr | Latest | Multi-platform alerts |
+| **Notifications** | Notify | Latest | Multi-platform alerts |
 | **Docker Client** | Docker SDK | Latest | Container discovery |
 | **Logging** | Logrus + Lumberjack | Latest | Structured logging with rotation |
 
@@ -1263,8 +1263,8 @@ docker exec charon /app/scripts/restore-backup.sh \
    - Future: Dynamic plugin loading for custom providers
 
 2. **Notification Channels:**
-   - Shoutrrr provides 40+ channels (Discord, Slack, Email, etc.)
-   - Custom channels via Shoutrrr service URLs
+   - Notify provides multi-platform channels (Discord, Slack, Gotify, etc.)
+   - Provider-based configuration with per-channel feature flags
 
 3. **Authentication Providers:**
    - Current: Local database authentication

.github/instructions/copilot-instructions.md

@@ -17,6 +17,23 @@ Every session should improve the codebase, not just add to it. Actively refactor
 - **READABLE**: Maintain comments and clear naming for complex logic. Favor clarity over cleverness.
 - **CONVENTIONAL COMMITS**: Write commit messages using `feat:`, `fix:`, `chore:`, `refactor:`, or `docs:` prefixes.
 
+## Governance & Precedence
+
+When policy statements conflict across documentation sources, resolve using this precedence hierarchy:
+
+1. **Highest Precedence**: `.github/instructions/**` files (canonical source of truth)
+2. **Agent Overrides**: `.github/agents/**` files (agent-specific customizations)
+3. **Operator Documentation**: `SECURITY.md`, `docs/security.md`,
+   `docs/features/notifications.md` (user-facing guidance)
+
+**Reconciliation Rule**: When conflicts arise, the stricter security requirement
+wins. Update downstream documentation to match canonical text in
+`.github/instructions/**`.
+
+**Example**: If `.github/instructions/security.instructions.md` mandates token
+redaction but operator docs suggest logging is acceptable, token redaction
+requirement takes precedence and operator docs must be updated.
+
 ## 🚨 CRITICAL ARCHITECTURE RULES 🚨
 
 - **Single Frontend Source**: All frontend code MUST reside in `frontend/`. NEVER create `backend/frontend/` or any other nested frontend directory.
@@ -50,7 +67,7 @@ Before proposing ANY code change or fix, you must build a mental map of the feat
 
 - **Run**: `cd backend && go run ./cmd/api`.
 - **Test**: `go test ./...`.
-- **Static Analysis (BLOCKING)**: Fast linters run automatically on every commit via pre-commit hooks.
+- **Static Analysis (BLOCKING)**: Fast linters run automatically on every commit via lefthook pre-commit-phase hooks.
   - **Staticcheck errors MUST be fixed** - commits are BLOCKED until resolved
   - Manual run: `make lint-fast` or VS Code task "Lint: Staticcheck (Fast)"
   - Staticcheck-only: `make lint-staticcheck-only`
@@ -62,7 +79,7 @@ Before proposing ANY code change or fix, you must build a mental map of the feat
 - **Security**: Sanitize all file paths using `filepath.Clean`. Use `fmt.Errorf("context: %w", err)` for error wrapping.
 - **Graceful Shutdown**: Long-running work must respect `server.Run(ctx)`.
 
-### Troubleshooting Pre-Commit Staticcheck Failures
+### Troubleshooting Lefthook Staticcheck Failures
 
 **Common Issues:**
 
@@ -150,6 +167,21 @@ Before marking an implementation task as complete, perform the following in orde
     - **Base URL**: Uses `PLAYWRIGHT_BASE_URL` or default from `playwright.config.js`
     - All E2E tests must pass before proceeding to unit tests
 
+1.5. **GORM Security Scan** (CONDITIONAL, BLOCKING):
+    - **Trigger Condition**: Execute this gate when changes include backend models or database interaction logic:
+        - `backend/internal/models/**`
+        - GORM query/service layers
+        - Database migrations or seeding logic
+    - **Exclusions**: Skip this gate for docs-only (`**/*.md`) or frontend-only (`frontend/**`) changes
+    - **Run One Of**:
+        - VS Code task: `Lint: GORM Security Scan`
+        - Lefthook: `lefthook run pre-commit` (includes gorm-security-scan)
+        - Direct: `./scripts/scan-gorm-security.sh --check`
+        - **Gate Enforcement**: DoD is process-blocking until scanner reports zero
+            CRITICAL/HIGH findings, even while automation remains in manual stage
+        - **Check Mode Required**: Gate decisions must use check mode semantics
+            (`--check` flag or equivalent task wiring) for pass/fail determination
+
 2. **Local Patch Coverage Preflight** (MANDATORY - Run Before Unit/Coverage Tests):
     - **Run**: VS Code task `Test: Local Patch Report` or `bash scripts/local-patch-report.sh` from repo root.
     - **Purpose**: Surface exact changed files and uncovered changed lines before adding/refining unit tests.
@@ -157,15 +189,15 @@ Before marking an implementation task as complete, perform the following in orde
     - **Expected Behavior**: Report may warn (non-blocking rollout), but artifact generation is mandatory.
 
 3. **Security Scans** (MANDATORY - Zero Tolerance):
-    - **CodeQL Go Scan**: Run VS Code task "Security: CodeQL Go Scan (CI-Aligned)" OR `pre-commit run codeql-go-scan --all-files`
+    - **CodeQL Go Scan**: Run VS Code task "Security: CodeQL Go Scan (CI-Aligned)" OR `lefthook run pre-commit`
         - Must use `security-and-quality` suite (CI-aligned)
         - **Zero high/critical (error-level) findings allowed**
         - Medium/low findings should be documented and triaged
-    - **CodeQL JS Scan**: Run VS Code task "Security: CodeQL JS Scan (CI-Aligned)" OR `pre-commit run codeql-js-scan --all-files`
+    - **CodeQL JS Scan**: Run VS Code task "Security: CodeQL JS Scan (CI-Aligned)" OR `lefthook run pre-commit`
         - Must use `security-and-quality` suite (CI-aligned)
         - **Zero high/critical (error-level) findings allowed**
         - Medium/low findings should be documented and triaged
-    - **Validate Findings**: Run `pre-commit run codeql-check-findings --all-files` to check for HIGH/CRITICAL issues
+    - **Validate Findings**: Run `lefthook run pre-commit` to check for HIGH/CRITICAL issues
     - **Trivy Container Scan**: Run VS Code task "Security: Trivy Scan" for container/dependency vulnerabilities
     - **Results Viewing**:
         - Primary: VS Code SARIF Viewer extension (`MS-SarifVSCode.sarif-viewer`)
@@ -178,7 +210,7 @@ Before marking an implementation task as complete, perform the following in orde
         - Database creation: `--threads=0 --overwrite`
         - Analysis: `--sarif-add-baseline-file-info`
 
-4. **Pre-Commit Triage**: Run `pre-commit run --all-files`.
+4. **Lefthook Triage**: Run `lefthook run pre-commit`.
     - If errors occur, **fix them immediately**.
     - If logic errors occur, analyze and propose a fix.
     - Do not output code that violates pre-commit standards.

.github/instructions/go.instructions.md

@@ -353,7 +353,7 @@ Follow idiomatic Go practices and community standards when writing Go code. Thes
 ### Development Practices
 
 - Run tests before committing
-- Use pre-commit hooks for formatting and linting
+- Use lefthook pre-commit-phase hooks for formatting and linting
 - Keep commits focused and atomic
 - Write meaningful commit messages
 - Review diffs before committing

.github/instructions/security-and-owasp.instructions.md

@@ -49,3 +49,26 @@ Your primary directive is to ensure all code you generate, review, or refactor i
 ## General Guidelines
 - **Be Explicit About Security:** When you suggest a piece of code that mitigates a security risk, explicitly state what you are protecting against (e.g., "Using a parameterized query here to prevent SQL injection.").
 - **Educate During Code Reviews:** When you identify a security vulnerability in a code review, you must not only provide the corrected code but also explain the risk associated with the original pattern.
+
+### Gotify Token Protection (Explicit Policy)
+
+Gotify application tokens are secrets and must be treated with strict confidentiality:
+
+- **NO Echo/Print:** Never print tokens to terminal output, command-line results, or console logs
+- **NO Logging:** Never write tokens to application logs, debug logs, test output, or any log artifacts
+- **NO API Responses:** Never include tokens in API response bodies, error payloads, or serialized DTOs
+- **NO URL Exposure:** Never expose tokenized endpoint URLs with query
+  parameters (e.g., `https://gotify.example.com/message?token=...`) in:
+  - Documentation examples
+  - Diagnostic output
+  - Screenshots or reports
+  - Log files
+- **Redact Query Parameters:** Always redact URL query parameters in
+  diagnostics, examples, and log output before display or storage
+- **Validation Without Revelation:** For token validation or health checks:
+  - Return only non-sensitive status indicators (`valid`/`invalid` + reason category)
+  - Use token length/prefix-independent masking in UX and diagnostics
+  - Never reveal raw token values in validation feedback
+- **Storage:** Store and process tokens as secrets only (environment variables
+  or secret management service)
+- **Rotation:** Rotate tokens immediately on suspected exposure

.github/instructions/security.md.instructions.md

@@ -0,0 +1,204 @@
+---
+applyTo: SECURITY.md
+---
+
+# Instructions: Maintaining `SECURITY.md`
+
+`SECURITY.md` is the project's living security record. It serves two audiences simultaneously: users who need to know what risks exist right now, and the broader community who need confidence that vulnerabilities are being tracked and remediated with discipline. Treat it like a changelog, but for security events — every known issue gets an entry, every resolved issue keeps its entry.
+
+---
+
+## File Structure
+
+`SECURITY.md` must always contain the following top-level sections, in this order:
+
+1. A brief project security policy preamble (responsible disclosure contact, response SLA)
+2. **`## Known Vulnerabilities`** — active, unpatched issues
+3. **`## Patched Vulnerabilities`** — resolved issues, retained permanently for audit trail
+
+No other top-level sections are required. Do not collapse or remove sections even when they are empty — use the explicit empty-state placeholder defined below.
+
+---
+
+## Section 1: Known Vulnerabilities
+
+This section lists every vulnerability that is currently unpatched or only partially mitigated. Entries must be sorted with the highest severity first, then by discovery date descending within the same severity tier.
+
+### Entry Format
+
+Each entry is an H3 heading followed by a structured block:
+
+```markdown
+### [SEVERITY] CVE-XXXX-XXXXX · Short Title
+
+| Field        | Value |
+|--------------|-------|
+| **ID**       | CVE-XXXX-XXXXX (or `CHARON-YYYY-NNN` if no CVE assigned yet) |
+| **Severity** | Critical / High / Medium / Low · CVSS v3.1 score if known (e.g. `8.1 · High`) |
+| **Status**   | Investigating / Fix In Progress / Awaiting Upstream / Mitigated (partial) |
+
+**What**
+One to three sentences describing the vulnerability class and its impact.
+Be specific: name the weakness type (e.g. SQL injection, path traversal, SSRF).
+
+**Who**
+- Discovered by: [Reporter name or handle, or "Internal audit", or "Automated scan (tool name)"]
+- Reported: YYYY-MM-DD
+- Affects: [User roles, API consumers, unauthenticated users, etc.]
+
+**Where**
+- Component: [Module or service name]
+- File(s): `path/to/affected/file.go`, `path/to/other/file.ts`
+- Versions affected: `>= X.Y.Z` (or "all versions" / "prior to X.Y.Z")
+
+**When**
+- Discovered: YYYY-MM-DD
+- Disclosed (if public): YYYY-MM-DD (or "Not yet publicly disclosed")
+- Target fix: YYYY-MM-DD (or sprint/milestone reference)
+
+**How**
+A concise technical description of the attack vector, prerequisites, and exploitation
+method. Omit proof-of-concept code. Reference CVE advisories or upstream issue
+trackers where appropriate.
+
+**Planned Remediation**
+Describe the fix strategy: library upgrade, logic refactor, config change, etc.
+If a workaround is available in the meantime, document it here.
+Link to the tracking issue: [#NNN](https://github.com/owner/repo/issues/NNN)
+```
+
+### Empty State
+
+When there are no known vulnerabilities:
+
+```markdown
+## Known Vulnerabilities
+
+No known unpatched vulnerabilities at this time.
+Last reviewed: YYYY-MM-DD
+```
+
+---
+
+## Section 2: Patched Vulnerabilities
+
+This section is a permanent, append-only ledger. Entries are never deleted. Sort newest-patched first. This section builds community trust by demonstrating that issues are resolved promptly and transparently.
+
+### Entry Format
+
+```markdown
+### ✅ [SEVERITY] CVE-XXXX-XXXXX · Short Title
+
+| Field        | Value |
+|--------------|-------|
+| **ID**       | CVE-XXXX-XXXXX (or internal ID) |
+| **Severity** | Critical / High / Medium / Low · CVSS v3.1 score |
+| **Patched**  | YYYY-MM-DD in `vX.Y.Z` |
+
+**What**
+Same description carried over from the Known Vulnerabilities entry.
+
+**Who**
+- Discovered by: [Reporter or method]
+- Reported: YYYY-MM-DD
+
+**Where**
+- Component: [Module or service name]
+- File(s): `path/to/affected/file.go`
+- Versions affected: `< X.Y.Z`
+
+**When**
+- Discovered: YYYY-MM-DD
+- Patched: YYYY-MM-DD
+- Time to patch: N days
+
+**How**
+Same technical description as the original entry.
+
+**Resolution**
+Describe exactly what was changed to fix the issue.
+- Commit: [`abc1234`](https://github.com/owner/repo/commit/abc1234)
+- PR: [#NNN](https://github.com/owner/repo/pull/NNN)
+- Release: [`vX.Y.Z`](https://github.com/owner/repo/releases/tag/vX.Y.Z)
+
+**Credit**
+[Optional] Thank the reporter if they consented to attribution.
+```
+
+### Empty State
+
+```markdown
+## Patched Vulnerabilities
+
+No patched vulnerabilities on record yet.
+```
+
+---
+
+## Lifecycle: Moving an Entry from Known → Patched
+
+When a fix ships:
+
+1. Remove the entry from `## Known Vulnerabilities` entirely.
+2. Add a new entry to the **top** of `## Patched Vulnerabilities` using the patched format above.
+3. Carry forward all original fields verbatim — do not rewrite the history of the issue.
+4. Add the `**Resolution**` and `**Credit**` blocks with patch details.
+5. Update the `Last reviewed` date on the Known Vulnerabilities section if it is now empty.
+
+Do not edit or backfill existing Patched entries once they are committed.
+
+---
+
+## Severity Classification
+
+Use the following definitions consistently:
+
+| Severity | CVSS Range | Meaning |
+|----------|------------|---------|
+| **Critical** | 9.0–10.0 | Remote code execution, auth bypass, full data exposure |
+| **High**     | 7.0–8.9  | Significant data exposure, privilege escalation, DoS |
+| **Medium**   | 4.0–6.9  | Limited data exposure, requires user interaction or auth |
+| **Low**      | 0.1–3.9  | Minimal impact, difficult to exploit, defense-in-depth |
+
+When a CVE CVSS score is not yet available, assign a preliminary severity based on these definitions and note it as `(preliminary)` until confirmed.
+
+---
+
+## Internal IDs
+
+If a vulnerability has no CVE assigned, use the format `CHARON-YYYY-NNN` where `YYYY` is the year and `NNN` is a zero-padded sequence number starting at `001` for each year. Example: `CHARON-2025-003`. Assign a CVE ID in the entry retroactively if one is issued later, and add the internal ID as an alias in parentheses.
+
+---
+
+## Responsible Disclosure Preamble
+
+The preamble at the top of `SECURITY.md` (before the vulnerability sections) must include:
+
+- The preferred contact method for reporting vulnerabilities (e.g. a GitHub private advisory link, a security email address, or both)
+- An acknowledgment-first response commitment: confirm receipt within 48 hours, even if the full investigation takes longer
+- A statement that reporters will not be penalized or publicly named without consent
+- A link to the full disclosure policy if one exists
+
+Example:
+
+```markdown
+## Reporting a Vulnerability
+
+To report a security issue, please use
+[GitHub Private Security Advisories](https://github.com/owner/repo/security/advisories/new)
+or email `security@example.com`.
+
+We will acknowledge your report within **48 hours** and provide a remediation
+timeline within **7 days**. Reporters are credited with their consent.
+We do not pursue legal action against good-faith security researchers.
+```
+
+---
+
+## Maintenance Rules
+
+- **Review cadence**: Update the `Last reviewed` date in the Known Vulnerabilities section at least once per release cycle, even if no entries changed.
+- **No silent patches**: Every security fix — no matter how minor — must produce an entry in `## Patched Vulnerabilities` before or alongside the release.
+- **No redaction**: Do not redact or soften historical entries. Accuracy builds trust; minimizing past issues destroys it.
+- **Dependency vulnerabilities**: Transitive dependency CVEs that affect Charon's exposed attack surface must be tracked here the same as first-party vulnerabilities. Pure dev-dependency CVEs with no runtime impact may be omitted at maintainer discretion, but must still be noted in the relevant dependency update PR.
+- **Partial mitigations**: If a workaround is deployed but the root cause is not fixed, the entry stays in `## Known Vulnerabilities` with `Status: Mitigated (partial)` and the workaround documented in `**Planned Remediation**`.

.github/instructions/structure.instructions.md

@@ -9,7 +9,7 @@ description: 'Repository structure guidelines to maintain organized file placeme
 
 The repository root should contain ONLY:
 
-- Essential config files (`.gitignore`, `.pre-commit-config.yaml`, `Makefile`, etc.)
+- Essential config files (`.gitignore`, `Makefile`, etc.)
 - Standard project files (`README.md`, `CONTRIBUTING.md`, `LICENSE`, `CHANGELOG.md`)
 - Go workspace files (`go.work`, `go.work.sum`)
 - VS Code workspace (`Chiron.code-workspace`)

.github/instructions/subagent.instructions.md

@@ -23,21 +23,21 @@ runSubagent({
 
 - Validate: `plan_file` exists and contains a `Handoff Contract` JSON.
 - Kickoff: call `Planning` to create the plan if not present.
-- Decide: check if work should be split into multiple PRs (size, risk, cross-domain impact).
+- Decide: check how to organize work into logical commits within a single PR (size, risk, cross-domain impact).
 - Run: execute `Backend Dev` then `Frontend Dev` sequentially.
 - Parallel: run `QA and Security`, `DevOps` and `Doc Writer` in parallel for CI / QA checks and documentation.
 - Return: a JSON summary with `subagent_results`, `overall_status`, and aggregated artifacts.
 
-2.1) Multi-PR Slicing Protocol
+2.1) Multi-Commit Slicing Protocol
 
-- If a task is large or high-risk, split into PR slices and execute in order.
-- Each slice must have:
+- All work for a single feature ships as one PR with ordered logical commits.
+- Each commit must have:
   - Scope boundary (what is included/excluded)
-  - Dependency on previous slices
-  - Validation gates (tests/scans required for that slice)
-  - Explicit rollback notes
-- Do not start the next slice until the current slice is complete and verified.
-- Keep each slice independently reviewable and deployable.
+  - Dependency on previous commits
+  - Validation gates (tests/scans required for that commit)
+  - Explicit rollback notes for the PR as a whole
+- Do not start the next commit until the current commit is complete and verified.
+- Keep each commit independently reviewable within the PR.
 
 3) Return Contract that all subagents must return
 
@@ -55,7 +55,7 @@ runSubagent({
 
 - On a subagent failure, the Management agent must capture `tests.output` and decide to retry (1 retry maximum), or request a revert/rollback.
 - Clearly mark the `status` as `failed`, and include `errors` and `failing_tests` in the `summary`.
-- For multi-PR execution, mark failed slice as blocked and stop downstream slices until resolved.
+- For multi-commit execution, mark failed commit as blocked and stop downstream commits until resolved.
 
 5) Example: Run a full Feature Implementation
 

.github/instructions/testing.instructions.md

@@ -4,13 +4,27 @@ description: 'Strict protocols for test execution, debugging, and coverage valid
 ---
 # Testing Protocols
 
+**Governance Note**: This file is subject to the precedence hierarchy defined in
+`.github/instructions/copilot-instructions.md`. When conflicts arise, canonical
+instruction files take precedence over agent files and operator documentation.
+
 ## 0. E2E Verification First (Playwright)
 
 **MANDATORY**: Before running unit tests, verify the application UI/UX functions correctly end-to-end.
 
-## 0.5 Local Patch Coverage Preflight (Before Unit Tests)
+## 0.5 Local Patch Coverage Report (After Coverage Tests)
 
-**MANDATORY**: After E2E and before backend/frontend unit coverage runs, generate a local patch report so uncovered changed lines are visible early.
+**MANDATORY**: After running backend and frontend coverage tests (which generate
+`backend/coverage.txt` and `frontend/coverage/lcov.info`), run the local patch
+report to identify uncovered lines in changed files.
+
+**Purpose**: Overall coverage can be healthy while the specific lines you changed
+are untested. This step catches that gap. If uncovered lines are found in
+feature code, add targeted tests before completing the task.
+
+**Prerequisites**: Coverage artifacts must exist before running the report:
+- `backend/coverage.txt` — generated by `scripts/go-test-coverage.sh`
+- `frontend/coverage/lcov.info` — generated by `scripts/frontend-test-coverage.sh`
 
 Run one of the following from `/projects/Charon`:
 
@@ -22,11 +36,14 @@ Test: Local Patch Report
 bash scripts/local-patch-report.sh
 ```
 
-Required artifacts:
+Required output artifacts:
 - `test-results/local-patch-report.md`
 - `test-results/local-patch-report.json`
 
-This preflight is advisory for thresholds during rollout, but artifact generation is required in DoD.
+**Action on results**: If patch coverage for any changed file is below 90%, add
+tests targeting the uncovered changed lines. Re-run coverage and this report to
+verify improvement. Artifact generation is required for DoD regardless of
+threshold results.
 
 ### PREREQUISITE: Start E2E Environment
 
@@ -170,16 +187,39 @@ Before pushing code, verify E2E coverage:
 * **Threshold Compliance:** You must compare the final coverage percentage against the project's threshold (Default: 85% unless specified otherwise). If coverage drops, you must identify the "uncovered lines" and add targeted tests.
 * **Patch Coverage (Suggestion):** Codecov reports patch coverage as an indicator. While developers should aim for 100% coverage of modified lines, patch coverage is **not a hard requirement** and will not block PR approval. If patch coverage is low, consider adding targeted tests to improve the metric.
 * **Review Patch Coverage:** When reviewing patch coverage reports, assess whether missing lines represent genuine gaps or are acceptable (e.g., error handling branches, deprecated code paths). Use the report to inform testing decisions, not as an absolute gate.
+
 ## 4. GORM Security Validation (Manual Stage)
 
-**Requirement:** All backend changes involving GORM models or database interactions must pass the GORM Security Scanner.
+**Requirement:** For any change that touches backend models or
+database-related logic, the GORM Security Scanner is a mandatory local DoD gate
+and must pass with zero CRITICAL/HIGH findings.
 
-### When to Run
+**Policy vs. Automation Reconciliation:** "Manual stage" describes execution
+mechanism only (not automated pre-commit hook); policy enforcement remains
+process-blocking for DoD. Gate decisions must use check semantics
+(`./scripts/scan-gorm-security.sh --check` or equivalent task wiring).
 
-* **Before Committing:** When modifying GORM models (files in `backend/internal/models/`)
-* **Before Opening PR:** Verify no security issues introduced
-* **After Code Review:** If model-related changes were requested
-* **Definition of Done:** Scanner must pass with zero CRITICAL/HIGH issues
+### When to Run (Conditional Trigger Matrix)
+
+**Mandatory Trigger Paths (Include):**
+- `backend/internal/models/**` — GORM model definitions
+- Backend services/repositories with GORM query logic
+- Database migrations or seeding logic affecting model persistence behavior
+
+**Explicit Exclusions:**
+- Docs-only changes (`**/*.md`, governance documentation)
+- Frontend-only changes (`frontend/**`)
+
+**Gate Decision Rule:** IF any Include path matches, THEN scanner execution in
+check mode is mandatory DoD gate. IF only Exclude paths match, THEN GORM gate
+is not required for that change set.
+
+### Definition of Done
+- **Before Committing:** When modifying trigger paths listed above
+- **Before Opening PR:** Verify no security issues introduced
+- **After Code Review:** If model-related changes were requested
+- **Blocking Gate:** Scanner must pass with zero CRITICAL/HIGH issues before
+   task completion
 
 ### Running the Scanner
 

.github/renovate.json

@@ -6,11 +6,11 @@
     ":separateMultipleMajorReleases",
     "helpers:pinGitHubActionDigests"
   ],
-  "baseBranches": [
+  "baseBranchPatterns": [
     "feature/beta-release",
     "development"
-
   ],
+  "postUpdateOptions": ["npmDedupe"],
   "timezone": "America/New_York",
   "dependencyDashboard": true,
   "dependencyDashboardApproval": true,
@@ -27,7 +27,10 @@
   "rebaseWhen": "auto",
 
   "vulnerabilityAlerts": {
-    "enabled": true
+    "enabled": true,
+    "dependencyDashboardApproval": false,
+    "automerge": false,
+    "labels": ["security", "vulnerability"]
   },
 
   "rangeStrategy": "bump",
@@ -36,6 +39,19 @@
   "platformAutomerge": true,
 
   "customManagers": [
+    {
+      "customType": "regex",
+      "description": "Track caddy-security plugin version in Dockerfile",
+      "managerFilePatterns": [
+        "/^Dockerfile$/"
+      ],
+      "matchStrings": [
+        "ARG CADDY_SECURITY_VERSION=(?<currentValue>[^\\s]+)"
+      ],
+      "depNameTemplate": "github.com/greenpau/caddy-security",
+      "datasourceTemplate": "go",
+      "versioningTemplate": "semver"
+    },
     {
       "customType": "regex",
       "description": "Track Go dependencies patched in Dockerfile for Caddy CVE fixes",
@@ -53,12 +69,45 @@
       "description": "Track Alpine base image digest in Dockerfile for security updates",
       "managerFilePatterns": ["/^Dockerfile$/"],
       "matchStrings": [
-        "#\\s*renovate:\\s*datasource=docker\\s+depName=alpine.*\\nARG CADDY_IMAGE=alpine:(?<currentValue>[^\\s@]+@sha256:[a-f0-9]+)"
+        "#\\s*renovate:\\s*datasource=docker\\s+depName=alpine.*\\nARG ALPINE_IMAGE=alpine:(?<currentValue>[^@\\s]+)@(?<currentDigest>sha256:[a-f0-9]+)"
       ],
       "depNameTemplate": "alpine",
       "datasourceTemplate": "docker",
       "versioningTemplate": "docker"
     },
+    {
+      "customType": "regex",
+      "description": "Track Go toolchain version ARG in Dockerfile",
+      "managerFilePatterns": ["/^Dockerfile$/"],
+      "matchStrings": [
+        "#\\s*renovate:\\s*datasource=docker\\s+depName=golang.*\\nARG GO_VERSION=(?<currentValue>[^\\s]+)"
+      ],
+      "depNameTemplate": "golang",
+      "datasourceTemplate": "docker",
+      "versioningTemplate": "docker"
+    },
+    {
+      "customType": "regex",
+      "description": "Track expr-lang version ARG in Dockerfile",
+      "managerFilePatterns": ["/^Dockerfile$/"],
+      "matchStrings": [
+        "#\\s*renovate:\\s*datasource=go\\s+depName=github\\.com/expr-lang/expr.*\\nARG EXPR_LANG_VERSION=(?<currentValue>[^\\s]+)"
+      ],
+      "depNameTemplate": "github.com/expr-lang/expr",
+      "datasourceTemplate": "go",
+      "versioningTemplate": "semver"
+    },
+    {
+      "customType": "regex",
+      "description": "Track golang.org/x/net version ARG in Dockerfile",
+      "managerFilePatterns": ["/^Dockerfile$/"],
+      "matchStrings": [
+        "#\\s*renovate:\\s*datasource=go\\s+depName=golang\\.org/x/net.*\\nARG XNET_VERSION=(?<currentValue>[^\\s]+)"
+      ],
+      "depNameTemplate": "golang.org/x/net",
+      "datasourceTemplate": "go",
+      "versioningTemplate": "semver"
+    },
     {
       "customType": "regex",
       "description": "Track Delve version in Dockerfile",
@@ -81,6 +130,32 @@
       "datasourceTemplate": "go",
       "versioningTemplate": "semver"
     },
+    {
+      "customType": "regex",
+      "description": "Track gotestsum version in codecov workflow",
+      "managerFilePatterns": [
+        "/^\\.github/workflows/codecov-upload\\.yml$/"
+      ],
+      "matchStrings": [
+        "gotestsum@v(?<currentValue>[^\\s]+)"
+      ],
+      "depNameTemplate": "gotest.tools/gotestsum",
+      "datasourceTemplate": "go",
+      "versioningTemplate": "semver"
+    },
+    {
+      "customType": "regex",
+      "description": "Track gotestsum version in quality checks workflow",
+      "managerFilePatterns": [
+        "/^\\.github/workflows/quality-checks\\.yml$/"
+      ],
+      "matchStrings": [
+        "gotestsum@v(?<currentValue>[^\\s]+)"
+      ],
+      "depNameTemplate": "gotest.tools/gotestsum",
+      "datasourceTemplate": "go",
+      "versioningTemplate": "semver"
+    },
     {
       "customType": "regex",
       "description": "Track govulncheck version in scripts",
@@ -117,27 +192,78 @@
     {
       "customType": "regex",
       "description": "Track GO_VERSION in Actions workflows",
-      "fileMatch": ["^\\.github/workflows/.*\\.yml$"],
+      "managerFilePatterns": ["/^\\.github/workflows/.*\\.yml$/"],
       "matchStrings": [
         "GO_VERSION: ['\"]?(?<currentValue>[\\d\\.]+)['\"]?"
       ],
       "depNameTemplate": "golang/go",
       "datasourceTemplate": "golang-version",
       "versioningTemplate": "semver"
+    },
+    {
+      "customType": "regex",
+      "description": "Track Syft version in workflows and scripts",
+      "managerFilePatterns": [
+        "/^\\.github/workflows/nightly-build\\.yml$/",
+        "/^\\.github/skills/security-scan-docker-image-scripts/run\\.sh$/"
+      ],
+      "matchStrings": [
+        "SYFT_VERSION=\\\"v(?<currentValue>[^\\\"\\s]+)\\\"",
+        "set_default_env \\\"SYFT_VERSION\\\" \\\"v(?<currentValue>[^\\\"]+)\\\""
+      ],
+      "depNameTemplate": "anchore/syft",
+      "datasourceTemplate": "github-releases",
+      "versioningTemplate": "semver",
+      "extractVersionTemplate": "^v(?<version>.*)$"
+    },
+    {
+      "customType": "regex",
+      "description": "Track Grype version in workflows and scripts",
+      "managerFilePatterns": [
+        "/^\\.github/workflows/supply-chain-pr\\.yml$/",
+        "/^\\.github/skills/security-scan-docker-image-scripts/run\\.sh$/"
+      ],
+      "matchStrings": [
+        "anchore/grype/main/install\\.sh \\| sh -s -- -b /usr/local/bin v(?<currentValue>[0-9]+\\.[0-9]+\\.[0-9]+)",
+        "set_default_env \\\"GRYPE_VERSION\\\" \\\"v(?<currentValue>[^\\\"]+)\\\""
+      ],
+      "depNameTemplate": "anchore/grype",
+      "datasourceTemplate": "github-releases",
+      "versioningTemplate": "semver",
+      "extractVersionTemplate": "^v(?<version>.*)$"
+    },
+    {
+      "customType": "regex",
+      "description": "Track go-version in skill example workflows",
+      "managerFilePatterns": ["/^\\.github/skills/examples/.*\\.yml$/"],
+      "matchStrings": [
+        "go-version: [\"']?(?<currentValue>[\\d\\.]+)[\"']?"
+      ],
+      "depNameTemplate": "golang/go",
+      "datasourceTemplate": "golang-version",
+      "versioningTemplate": "semver"
     }
   ],
 
+  "github-actions": {
+    "managerFilePatterns": [
+      "/^\\.github/skills/examples/.*\\.ya?ml$/"
+    ]
+  },
+
   "packageRules": [
     {
       "description": "THE MEGAZORD: Group ALL non-major updates (NPM, Docker, Go, Actions) into one PR",
-      "matchPackagePatterns": ["*"],
       "matchUpdateTypes": [
         "minor",
         "patch",
         "pin",
         "digest"
       ],
-      "groupName": "non-major-updates"
+      "groupName": "non-major-updates",
+      "matchPackageNames": [
+        "*"
+      ]
     },
         {
       "description": "Feature branches: Auto-merge non-major updates after proven stable",
@@ -169,11 +295,41 @@
       "matchPackageNames": ["caddy"],
       "allowedVersions": "<3.0.0"
     },
+    {
+      "description": "Go: keep pgx within v4 (CrowdSec requires pgx/v4 module path)",
+      "matchDatasources": ["go"],
+      "matchPackageNames": ["github.com/jackc/pgx/v4"],
+      "allowedVersions": "<5.0.0"
+    },
+    {
+      "description": "Go: keep go-jose/v3 within v3 (v4 is a different Go module path)",
+      "matchDatasources": ["go"],
+      "matchPackageNames": ["github.com/go-jose/go-jose/v3"],
+      "allowedVersions": "<4.0.0"
+    },
+    {
+      "description": "Go: keep go-jose/v4 within v4 (v5 would be a different Go module path)",
+      "matchDatasources": ["go"],
+      "matchPackageNames": ["github.com/go-jose/go-jose/v4"],
+      "allowedVersions": "<5.0.0"
+    },
     {
       "description": "Safety: Keep MAJOR updates separate and require manual review",
       "matchUpdateTypes": ["major"],
       "automerge": false,
       "labels": ["manual-review"]
+    },
+    {
+      "description": "Fix Renovate lookup for geoip2-golang v2 module path",
+      "matchDatasources": ["go"],
+      "matchPackageNames": ["github.com/oschwald/geoip2-golang/v2"],
+      "sourceUrl": "https://github.com/oschwald/geoip2-golang"
+    },
+    {
+      "description": "Fix Renovate lookup for google/uuid",
+      "matchDatasources": ["go"],
+      "matchPackageNames": ["github.com/google/uuid"],
+      "sourceUrl": "https://github.com/google/uuid"
     }
   ]
 }

.github/security-severity-policy.yml

@@ -0,0 +1,55 @@
+version: 1
+effective_date: 2026-02-25
+scope:
+  - local pre-commit manual security hooks
+  - github actions security workflows
+
+defaults:
+  blocking:
+    - critical
+    - high
+  medium:
+    mode: risk-based
+    default_action: report
+    require_sla: true
+    default_sla_days: 14
+    escalation:
+      trigger: high-signal class or repeated finding
+      action: require issue + owner + due date
+  low:
+    action: report
+
+codeql:
+  severity_mapping:
+    error: high_or_critical
+    warning: medium_or_lower
+    note: informational
+  blocking_levels:
+    - error
+  warning_policy:
+    default_action: report
+    escalation_high_signal_rule_ids:
+      - go/request-forgery
+      - js/missing-rate-limiting
+      - js/insecure-randomness
+
+trivy:
+  blocking_severities:
+    - CRITICAL
+    - HIGH
+  medium_policy:
+    action: report
+    escalation: issue-with-sla
+
+grype:
+  blocking_severities:
+    - Critical
+    - High
+  medium_policy:
+    action: report
+    escalation: issue-with-sla
+
+enforcement_contract:
+  codeql_local_vs_ci: "local and ci block on codeql error-level findings only"
+  supply_chain_medium: "medium vulnerabilities are non-blocking by default and require explicit triage"
+  auth_regression_guard: "state-changing routes must remain protected by auth middleware"

.github/skills/README.md

@@ -63,7 +63,7 @@ Agent Skills are self-documenting, AI-discoverable task definitions that combine
 
 | Skill Name | Category | Description | Status |
 |------------|----------|-------------|--------|
-| [qa-precommit-all](./qa-precommit-all.SKILL.md) | qa | Run all pre-commit hooks on entire codebase | ✅ Active |
+| [qa-lefthook-all](./qa-lefthook-all.SKILL.md) | qa | Run all lefthook pre-commit‑phase hooks on entire codebase | ✅ Active |
 
 ### Utility Skills
 

.github/skills/examples/gorm-scanner-ci-workflow.yml

@@ -20,12 +20,12 @@ jobs:
 
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
-          go-version: '1.23'
+          go-version: "1.26.2"
 
       - name: Run GORM Security Scanner
         id: gorm-scan
@@ -56,7 +56,7 @@ jobs:
 
       - name: Comment on PR
         if: always() && github.event_name == 'pull_request'
-        uses: actions/github-script@v7
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
         with:
           script: |
             const critical = ${{ steps.parse-report.outputs.critical }};
@@ -89,7 +89,7 @@ jobs:
 
       - name: Upload GORM Scan Report
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: gorm-security-report-${{ github.run_id }}
           path: docs/reports/gorm-scan-ci-*.txt

.github/skills/qa-lefthook-all.SKILL.md

@@ -0,0 +1,349 @@
+---
+# agentskills.io specification v1.0
+name: "qa-lefthook-all"
+version: "1.0.0"
+description: "Run all lefthook pre-commit-phase hooks for comprehensive code quality validation"
+author: "Charon Project"
+license: "MIT"
+tags:
+  - "qa"
+  - "quality"
+  - "pre-commit"
+  - "linting"
+  - "validation"
+compatibility:
+  os:
+    - "linux"
+    - "darwin"
+  shells:
+    - "bash"
+requirements:
+  - name: "python3"
+    version: ">=3.8"
+    optional: false
+  - name: "lefthook"
+    version: ">=0.14"
+    optional: false
+environment_variables:
+    - name: "SKIP"
+    description: "Comma-separated list of hook IDs to skip"
+    default: ""
+    required: false
+parameters:
+  - name: "files"
+    type: "string"
+    description: "Specific files to check (default: all staged files)"
+    default: "--all-files"
+    required: false
+outputs:
+  - name: "validation_report"
+    type: "stdout"
+    description: "Results of all pre-commit hook executions"
+  - name: "exit_code"
+    type: "number"
+    description: "0 if all hooks pass, non-zero if any fail"
+metadata:
+  category: "qa"
+  subcategory: "quality"
+  execution_time: "medium"
+  risk_level: "low"
+  ci_cd_safe: true
+  requires_network: false
+  idempotent: true
+---
+
+# QA Pre-commit All
+
+## Overview
+
+Executes all configured lefthook pre-commit-phase hooks to validate code quality, formatting, security, and best practices across the entire codebase. This skill runs checks for Python, Go, JavaScript/TypeScript, Markdown, YAML, and more.
+
+This skill is designed for CI/CD pipelines and local quality validation before committing code.
+
+## Prerequisites
+
+- Python 3.8 or higher installed and in PATH
+- Python virtual environment activated (`.venv`)
+- Pre-commit installed in virtual environment: `pip install pre-commit`
+- Pre-commit hooks installed: `pre-commit install`
+- All language-specific tools installed (Go, Node.js, etc.)
+
+## Usage
+
+### Basic Usage
+
+Run all pre-commit-phase hooks on all files:
+
+```bash
+cd /path/to/charon
+lefthook run pre-commit
+```
+
+### Staged Files Only
+
+Run lefthook on staged files only (faster):
+
+```bash
+lefthook run pre-commit --staged
+```
+
+### Specific Hook
+
+Run only a specific hook by ID:
+
+```bash
+lefthook run pre-commit --hooks=trailing-whitespace
+```
+
+### Skip Specific Hooks
+
+Skip certain hooks during execution:
+
+```bash
+SKIP=prettier,eslint .github/skills/scripts/skill-runner.sh qa-precommit-all
+```
+
+## Parameters
+
+| Parameter | Type | Required | Default | Description |
+|-----------|------|----------|---------|-------------|
+| files     | string | No     | --all-files | File selection mode (--all-files or staged) |
+
+## Environment Variables
+
+| Variable | Required | Default | Description |
+|----------|----------|---------|-------------|
+| SKIP | No | "" | Comma-separated hook IDs to skip |
+| PRE_COMMIT_HOME | No | ~/.cache/pre-commit | Pre-commit cache directory |
+
+## Outputs
+
+- **Success Exit Code**: 0 (all hooks passed)
+- **Error Exit Codes**: Non-zero (one or more hooks failed)
+- **Output**: Detailed results from each hook
+
+## Pre-commit Hooks Included
+
+The following hooks are configured in `.pre-commit-config.yaml`:
+
+### General Hooks
+- **trailing-whitespace**: Remove trailing whitespace
+- **end-of-file-fixer**: Ensure files end with newline
+- **check-yaml**: Validate YAML syntax
+- **check-json**: Validate JSON syntax
+- **check-merge-conflict**: Detect merge conflict markers
+- **check-added-large-files**: Prevent committing large files
+
+### Python Hooks
+- **black**: Code formatting
+- **isort**: Import sorting
+- **flake8**: Linting
+- **mypy**: Type checking
+
+### Go Hooks
+- **gofmt**: Code formatting
+- **go-vet**: Static analysis
+- **golangci-lint**: Comprehensive linting
+
+### JavaScript/TypeScript Hooks
+- **prettier**: Code formatting
+- **eslint**: Linting and code quality
+
+### Markdown Hooks
+- **markdownlint**: Markdown linting and formatting
+
+### Security Hooks
+- **detect-private-key**: Prevent committing private keys
+- **detect-aws-credentials**: Prevent committing AWS credentials
+
+## Examples
+
+### Example 1: Full Quality Check
+
+```bash
+# Run all hooks on all files
+source .venv/bin/activate
+.github/skills/scripts/skill-runner.sh qa-precommit-all
+```
+
+Output:
+```
+Trim Trailing Whitespace.....................................Passed
+Fix End of Files.............................................Passed
+Check Yaml...................................................Passed
+Check JSON...................................................Passed
+Check for merge conflicts....................................Passed
+Check for added large files..................................Passed
+black........................................................Passed
+isort........................................................Passed
+prettier.....................................................Passed
+eslint.......................................................Passed
+markdownlint.................................................Passed
+```
+
+### Example 2: Quick Staged Files Check
+
+```bash
+# Run only on staged files (faster for pre-commit)
+.github/skills/scripts/skill-runner.sh qa-precommit-all staged
+```
+
+### Example 3: Skip Slow Hooks
+
+```bash
+# Skip time-consuming hooks for quick validation
+SKIP=golangci-lint,mypy .github/skills/scripts/skill-runner.sh qa-precommit-all
+```
+
+### Example 4: CI/CD Pipeline Integration
+
+```yaml
+# GitHub Actions example
+- name: Set up Python
+  uses: actions/setup-python@v4
+  with:
+    python-version: '3.11'
+
+- name: Install pre-commit
+  run: pip install pre-commit
+
+- name: Run QA Pre-commit Checks
+  run: .github/skills/scripts/skill-runner.sh qa-precommit-all
+```
+
+### Example 5: Auto-fix Mode
+
+```bash
+# Some hooks can auto-fix issues
+# Run twice: first to fix, second to validate
+.github/skills/scripts/skill-runner.sh qa-precommit-all || \
+.github/skills/scripts/skill-runner.sh qa-precommit-all
+```
+
+## Error Handling
+
+### Common Issues
+
+**Virtual environment not activated**:
+```bash
+Error: pre-commit not found
+Solution: source .venv/bin/activate
+```
+
+**Pre-commit not installed**:
+```bash
+Error: pre-commit command not available
+Solution: pip install pre-commit
+```
+
+**Hooks not installed**:
+```bash
+Error: Run 'pre-commit install'
+Solution: pre-commit install
+```
+
+**Hook execution failed**:
+```bash
+Hook X failed
+Solution: Review error output and fix reported issues
+```
+
+**Language tool missing**:
+```bash
+Error: golangci-lint not found
+Solution: Install required language tools
+```
+
+## Exit Codes
+
+- **0**: All hooks passed
+- **1**: One or more hooks failed
+- **Other**: Hook execution error
+
+## Hook Fixing Strategies
+
+### Auto-fixable Issues
+These hooks automatically fix issues:
+- `trailing-whitespace`
+- `end-of-file-fixer`
+- `black`
+- `isort`
+- `prettier`
+- `gofmt`
+
+**Workflow**: Run pre-commit, review changes, commit fixed files
+
+### Manual Fixes Required
+These hooks only report issues:
+- `check-yaml`
+- `check-json`
+- `flake8`
+- `eslint`
+- `markdownlint`
+- `go-vet`
+- `golangci-lint`
+
+**Workflow**: Review errors, manually fix code, re-run pre-commit
+
+## Related Skills
+
+- [test-backend-coverage](./test-backend-coverage.SKILL.md) - Backend test coverage
+- [test-frontend-coverage](./test-frontend-coverage.SKILL.md) - Frontend test coverage
+- [security-scan-trivy](./security-scan-trivy.SKILL.md) - Security scanning
+
+## Notes
+
+- Pre-commit hooks cache their environments for faster execution
+- First run may be slow while environments are set up
+- Subsequent runs are much faster (seconds vs minutes)
+- Hooks run in parallel where possible
+- Failed hooks stop execution (fail-fast behavior)
+- Use `SKIP` to bypass specific hooks temporarily
+- Recommended to run before every commit
+- Can be integrated into Git pre-commit hook for automatic checks
+- Cache location: `~/.cache/pre-commit` (configurable)
+
+## Performance Tips
+
+- **Initial Setup**: First run takes longer (installing hook environments)
+- **Incremental**: Run on staged files only for faster feedback
+- **Parallel**: Pre-commit runs compatible hooks in parallel
+- **Cache**: Hook environments are cached and reused
+- **Skip**: Use `SKIP` to bypass slow hooks during development
+
+## Integration with Git
+
+To automatically run on every commit:
+
+```bash
+# Install Git pre-commit hook
+pre-commit install
+
+# Now pre-commit runs automatically on git commit
+git commit -m "Your commit message"
+```
+
+To bypass pre-commit hook temporarily:
+
+```bash
+git commit --no-verify -m "Emergency commit"
+```
+
+## Configuration
+
+Pre-commit configuration is in `.pre-commit-config.yaml`. To update hooks:
+
+```bash
+# Update to latest versions
+pre-commit autoupdate
+
+# Clean cache and re-install
+pre-commit clean
+pre-commit install --install-hooks
+```
+
+---
+
+**Last Updated**: 2025-12-20
+**Maintained by**: Charon Project
+**Source**: `pre-commit run --all-files`

.github/skills/qa-precommit-all.SKILL.md

@@ -1,8 +1,8 @@
 ---
 # agentskills.io specification v1.0
-name: "qa-precommit-all"
+name: "qa-lefthook-all"
 version: "1.0.0"
-description: "Run all pre-commit hooks for comprehensive code quality validation"
+description: "Run all lefthook pre-commit-phase hooks for comprehensive code quality validation"
 author: "Charon Project"
 license: "MIT"
 tags:
@@ -21,15 +21,11 @@ requirements:
   - name: "python3"
     version: ">=3.8"
     optional: false
-  - name: "pre-commit"
-    version: ">=2.0"
+  - name: "lefthook"
+    version: ">=0.14"
     optional: false
 environment_variables:
-  - name: "PRE_COMMIT_HOME"
-    description: "Pre-commit cache directory"
-    default: "~/.cache/pre-commit"
-    required: false
-  - name: "SKIP"
+    - name: "SKIP"
     description: "Comma-separated list of hook IDs to skip"
     default: ""
     required: false
@@ -60,7 +56,7 @@ metadata:
 
 ## Overview
 
-Executes all configured pre-commit hooks to validate code quality, formatting, security, and best practices across the entire codebase. This skill runs checks for Python, Go, JavaScript/TypeScript, Markdown, YAML, and more.
+Executes all configured lefthook pre-commit-phase hooks to validate code quality, formatting, security, and best practices across the entire codebase. This skill runs checks for Python, Go, JavaScript/TypeScript, Markdown, YAML, and more.
 
 This skill is designed for CI/CD pipelines and local quality validation before committing code.
 
@@ -76,19 +72,19 @@ This skill is designed for CI/CD pipelines and local quality validation before c
 
 ### Basic Usage
 
-Run all hooks on all files:
+Run all pre-commit-phase hooks on all files:
 
 ```bash
 cd /path/to/charon
-.github/skills/scripts/skill-runner.sh qa-precommit-all
+lefthook run pre-commit
 ```
 
 ### Staged Files Only
 
-Run hooks on staged files only (faster):
+Run lefthook on staged files only (faster):
 
 ```bash
-.github/skills/scripts/skill-runner.sh qa-precommit-all staged
+lefthook run pre-commit --staged
 ```
 
 ### Specific Hook
@@ -96,7 +92,7 @@ Run hooks on staged files only (faster):
 Run only a specific hook by ID:
 
 ```bash
-SKIP="" .github/skills/scripts/skill-runner.sh qa-precommit-all trailing-whitespace
+lefthook run pre-commit --hooks=trailing-whitespace
 ```
 
 ### Skip Specific Hooks

.github/skills/scripts/_environment_helpers.sh

@@ -192,6 +192,101 @@ get_project_root() {
     return 1
 }
 
+# ensure_charon_encryption_key: Ensure CHARON_ENCRYPTION_KEY is present and valid
+# for backend tests. Generates an ephemeral base64-encoded 32-byte key when
+# missing or invalid.
+ensure_charon_encryption_key() {
+    local key_source="existing"
+    local decoded_key_hex=""
+    local decoded_key_bytes=0
+
+    generate_key() {
+        if command -v openssl >/dev/null 2>&1; then
+            openssl rand -base64 32 | tr -d '\n'
+            return
+        fi
+
+        if command -v python3 >/dev/null 2>&1; then
+            python3 - <<'PY'
+import base64
+import os
+
+print(base64.b64encode(os.urandom(32)).decode())
+PY
+            return
+        fi
+
+        echo ""
+    }
+
+    if [[ -z "${CHARON_ENCRYPTION_KEY:-}" ]]; then
+        key_source="generated"
+        CHARON_ENCRYPTION_KEY="$(generate_key)"
+    fi
+
+    if [[ -z "${CHARON_ENCRYPTION_KEY:-}" ]]; then
+        if declare -f log_error >/dev/null 2>&1; then
+            log_error "Could not auto-provision CHARON_ENCRYPTION_KEY (requires openssl or python3)"
+        else
+            echo "[ERROR] Could not auto-provision CHARON_ENCRYPTION_KEY (requires openssl or python3)" >&2
+        fi
+        return 1
+    fi
+
+    if ! decoded_key_hex=$(printf '%s' "$CHARON_ENCRYPTION_KEY" | base64 --decode 2>/dev/null | od -An -tx1 -v | tr -d ' \n'); then
+        key_source="regenerated"
+        CHARON_ENCRYPTION_KEY="$(generate_key)"
+        if ! decoded_key_hex=$(printf '%s' "$CHARON_ENCRYPTION_KEY" | base64 --decode 2>/dev/null | od -An -tx1 -v | tr -d ' \n'); then
+            if declare -f log_error >/dev/null 2>&1; then
+                log_error "CHARON_ENCRYPTION_KEY is invalid and regeneration failed"
+            else
+                echo "[ERROR] CHARON_ENCRYPTION_KEY is invalid and regeneration failed" >&2
+            fi
+            return 1
+        fi
+    fi
+
+    decoded_key_bytes=$(( ${#decoded_key_hex} / 2 ))
+    if [[ "$decoded_key_bytes" -ne 32 ]]; then
+        key_source="regenerated"
+        CHARON_ENCRYPTION_KEY="$(generate_key)"
+        if ! decoded_key_hex=$(printf '%s' "$CHARON_ENCRYPTION_KEY" | base64 --decode 2>/dev/null | od -An -tx1 -v | tr -d ' \n'); then
+            if declare -f log_error >/dev/null 2>&1; then
+                log_error "CHARON_ENCRYPTION_KEY has invalid length and regeneration failed"
+            else
+                echo "[ERROR] CHARON_ENCRYPTION_KEY has invalid length and regeneration failed" >&2
+            fi
+            return 1
+        fi
+
+        decoded_key_bytes=$(( ${#decoded_key_hex} / 2 ))
+        if [[ "$decoded_key_bytes" -ne 32 ]]; then
+            if declare -f log_error >/dev/null 2>&1; then
+                log_error "Could not provision a valid 32-byte CHARON_ENCRYPTION_KEY"
+            else
+                echo "[ERROR] Could not provision a valid 32-byte CHARON_ENCRYPTION_KEY" >&2
+            fi
+            return 1
+        fi
+    fi
+
+    export CHARON_ENCRYPTION_KEY
+
+    if [[ "$key_source" == "generated" ]]; then
+        if declare -f log_info >/dev/null 2>&1; then
+            log_info "CHARON_ENCRYPTION_KEY not set; generated ephemeral test key"
+        fi
+    elif [[ "$key_source" == "regenerated" ]]; then
+        if declare -f log_warn >/dev/null 2>&1; then
+            log_warn "CHARON_ENCRYPTION_KEY invalid; generated ephemeral test key"
+        elif declare -f log_info >/dev/null 2>&1; then
+            log_info "CHARON_ENCRYPTION_KEY invalid; generated ephemeral test key"
+        fi
+    fi
+
+    return 0
+}
+
 # Export functions
 export -f validate_go_environment
 export -f validate_python_environment
@@ -200,3 +295,4 @@ export -f validate_docker_environment
 export -f set_default_env
 export -f validate_project_structure
 export -f get_project_root
+export -f ensure_charon_encryption_key

.github/skills/security-scan-codeql-scripts/run.sh

@@ -95,6 +95,7 @@ run_codeql_scan() {
     local source_root=$2
     local db_name="codeql-db-${lang}"
     local sarif_file="codeql-results-${lang}.sarif"
+    local suite=""
     local build_mode_args=()
     local codescanning_config="${PROJECT_ROOT}/.github/codeql/codeql-config.yml"
 
@@ -107,6 +108,9 @@ run_codeql_scan() {
 
     if [[ "${lang}" == "javascript" ]]; then
         build_mode_args=(--build-mode=none)
+        suite="codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls"
+    else
+        suite="codeql/go-queries:codeql-suites/go-security-and-quality.qls"
     fi
 
     log_step "CODEQL" "Scanning ${lang} code in ${source_root}/"
@@ -135,8 +139,9 @@ run_codeql_scan() {
     fi
 
     # Run analysis
-    log_info "Analyzing with Code Scanning config (CI-aligned query filters)..."
+    log_info "Analyzing with CI-aligned suite: ${suite}"
     if ! codeql database analyze "${db_name}" \
+        "${suite}" \
         --format=sarif-latest \
         --output="${sarif_file}" \
         --sarif-add-baseline-file-info \

.github/skills/security-scan-codeql.SKILL.md

@@ -136,8 +136,8 @@ This skill uses the **security-and-quality** suite to match CI:
 
 | Language | Suite | Queries | Coverage |
 |----------|-------|---------|----------|
-| Go | go-security-and-quality.qls | 61 | Security + quality issues |
-| JavaScript | javascript-security-and-quality.qls | 204 | Security + quality issues |
+| Go | go-security-and-quality.qls | version-dependent | Security + quality issues |
+| JavaScript | javascript-security-and-quality.qls | version-dependent | Security + quality issues |
 
 **Note:** This matches GitHub Actions CodeQL default configuration exactly.
 
@@ -251,7 +251,7 @@ Solution: Verify source-root points to correct directory
 
 - [security-scan-trivy](./security-scan-trivy.SKILL.md) - Container/dependency vulnerabilities
 - [security-scan-go-vuln](./security-scan-go-vuln.SKILL.md) - Go-specific CVE checking
-- [qa-precommit-all](./qa-precommit-all.SKILL.md) - Pre-commit quality checks
+- [qa-lefthook-all](./qa-lefthook-all.SKILL.md) - Lefthook pre-commit-phase quality checks
 
 ## CI Alignment
 
@@ -260,8 +260,7 @@ This skill is specifically designed to match GitHub Actions CodeQL workflow:
 | Parameter | Local | CI | Aligned |
 |-----------|-------|-----|---------|
 | Query Suite | security-and-quality | security-and-quality | ✅ |
-| Go Queries | 61 | 61 | ✅ |
-| JS Queries | 204 | 204 | ✅ |
+| Query Expansion | version-dependent | version-dependent | ✅ (when versions match) |
 | Threading | auto | auto | ✅ |
 | Baseline Info | enabled | enabled | ✅ |
 

.github/skills/security-scan-docker-image-scripts/run.sh

@@ -35,7 +35,7 @@ fi
 # Check Grype
 if ! command -v grype >/dev/null 2>&1; then
     log_error "Grype not found - install from: https://github.com/anchore/grype"
-    log_error "Installation: curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.107.0"
+    log_error "Installation: curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.111.0"
     error_exit "Grype is required for vulnerability scanning" 2
 fi
 
@@ -50,8 +50,8 @@ SYFT_INSTALLED_VERSION=$(syft version | grep -oP 'Version:\s*\Kv?[0-9]+\.[0-9]+\
 GRYPE_INSTALLED_VERSION=$(grype version | grep -oP 'Version:\s*\Kv?[0-9]+\.[0-9]+\.[0-9]+' | head -1 || echo "unknown")
 
 # Set defaults matching CI workflow
-set_default_env "SYFT_VERSION" "v1.17.0"
-set_default_env "GRYPE_VERSION" "v0.107.0"
+set_default_env "SYFT_VERSION" "v1.42.4"
+set_default_env "GRYPE_VERSION" "v0.111.0"
 set_default_env "IMAGE_TAG" "charon:local"
 set_default_env "FAIL_ON_SEVERITY" "Critical,High"
 
@@ -139,7 +139,10 @@ log_info "This may take 30-60 seconds on first run (database download)"
 
 # Run Grype against the SBOM (generated from image, not filesystem)
 # This matches exactly what CI does in supply-chain-pr.yml
+# --config ensures .grype.yaml ignore rules are applied, separating
+# ignored matches from actionable ones in the JSON output
 if grype sbom:sbom.cyclonedx.json \
+    --config .grype.yaml \
     --output json \
     --file grype-results.json; then
     log_success "Vulnerability scan complete"
@@ -149,6 +152,7 @@ fi
 
 # Generate SARIF output for GitHub Security (matches CI)
 grype sbom:sbom.cyclonedx.json \
+    --config .grype.yaml \
     --output sarif \
     --file grype-results.sarif 2>/dev/null || true
 

.github/skills/security-scan-gorm.SKILL.md

@@ -545,7 +545,7 @@ Solution: Add suppression comment: // gorm-scanner:ignore [reason]
 
 - [security-scan-trivy](./security-scan-trivy.SKILL.md) - Container vulnerability scanning
 - [security-scan-codeql](./security-scan-codeql.SKILL.md) - Static analysis for Go/JS
-- [qa-precommit-all](./qa-precommit-all.SKILL.md) - Pre-commit quality checks
+- [qa-lefthook-all](./qa-lefthook-all.SKILL.md) - Lefthook pre-commit-phase quality checks
 
 ## Best Practices
 

.github/skills/security-scan-trivy-scripts/run.sh

@@ -26,6 +26,7 @@ validate_docker_environment || error_exit "Docker is required but not available"
 # Set defaults
 set_default_env "TRIVY_SEVERITY" "CRITICAL,HIGH,MEDIUM"
 set_default_env "TRIVY_TIMEOUT" "10m"
+set_default_env "TRIVY_DOCKER_RM" "true"
 
 # Parse arguments
 # Default scanners exclude misconfig to avoid non-actionable policy bundle issues
@@ -88,8 +89,19 @@ for d in "${SKIP_DIRS[@]}"; do
     SKIP_DIR_FLAGS+=("--skip-dirs" "/app/${d}")
 done
 
+log_step "PREPARE" "Pulling latest Trivy Docker image"
+if ! docker pull aquasec/trivy:latest >/dev/null; then
+    log_error "Failed to pull Docker image aquasec/trivy:latest"
+    exit 1
+fi
+
 # Run Trivy via Docker
-if docker run --rm \
+DOCKER_RUN_ARGS=(run)
+if [[ "${TRIVY_DOCKER_RM}" == "true" ]]; then
+    DOCKER_RUN_ARGS+=(--rm)
+fi
+
+if docker "${DOCKER_RUN_ARGS[@]}" \
     -v "$(pwd):/app:ro" \
     -e "TRIVY_SEVERITY=${TRIVY_SEVERITY}" \
     -e "TRIVY_TIMEOUT=${TRIVY_TIMEOUT}" \

.github/skills/security-scan-trivy.SKILL.md

@@ -227,7 +227,7 @@ Solution: Review and remediate reported vulnerabilities
 ## Related Skills
 
 - [security-scan-go-vuln](./security-scan-go-vuln.SKILL.md) - Go-specific vulnerability checking
-- [qa-precommit-all](./qa-precommit-all.SKILL.md) - Pre-commit quality checks
+- [qa-lefthook-all](./qa-lefthook-all.SKILL.md) - Lefthook pre-commit-phase quality checks
 
 ## Notes
 

.github/skills/test-backend-coverage-scripts/run.sh

@@ -32,7 +32,7 @@ cd "${PROJECT_ROOT}"
 validate_project_structure "backend" "scripts/go-test-coverage.sh" || error_exit "Invalid project structure"
 
 # Set default environment variables
-set_default_env "CHARON_MIN_COVERAGE" "85"
+set_default_env "CHARON_MIN_COVERAGE" "87"
 set_default_env "PERF_MAX_MS_GETSTATUS_P95" "25ms"
 set_default_env "PERF_MAX_MS_GETSTATUS_P95_PARALLEL" "50ms"
 set_default_env "PERF_MAX_MS_LISTDECISIONS_P95" "75ms"

.github/skills/test-backend-coverage.SKILL.md

@@ -25,6 +25,10 @@ requirements:
     version: ">=3.8"
     optional: false
 environment_variables:
+  - name: "CHARON_ENCRYPTION_KEY"
+    description: "Encryption key for backend test runtime. Auto-generated ephemerally by the script if missing/invalid."
+    default: "(auto-generated for test run)"
+    required: false
   - name: "CHARON_MIN_COVERAGE"
     description: "Minimum coverage percentage required (overrides default)"
     default: "85"
@@ -125,6 +129,7 @@ For use in GitHub Actions or other CI/CD pipelines:
 
 | Variable | Required | Default | Description |
 |----------|----------|---------|-------------|
+| CHARON_ENCRYPTION_KEY | No | auto-generated for test run | Backend test encryption key. If missing/invalid, an ephemeral 32-byte base64 key is generated for the run. |
 | CHARON_MIN_COVERAGE | No | 85 | Minimum coverage percentage required for success |
 | CPM_MIN_COVERAGE | No | 85 | Legacy name for minimum coverage (fallback) |
 | PERF_MAX_MS_GETSTATUS_P95 | No | 25ms | Max P95 latency for GetStatus endpoint |

.github/skills/test-backend-unit-scripts/run.sh

@@ -11,10 +11,13 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 # Helper scripts are in .github/skills/scripts/
 SKILLS_SCRIPTS_DIR="$(cd "${SCRIPT_DIR}/../scripts" && pwd)"
 
+# shellcheck disable=SC1091
 # shellcheck source=../scripts/_logging_helpers.sh
 source "${SKILLS_SCRIPTS_DIR}/_logging_helpers.sh"
+# shellcheck disable=SC1091
 # shellcheck source=../scripts/_error_handling_helpers.sh
 source "${SKILLS_SCRIPTS_DIR}/_error_handling_helpers.sh"
+# shellcheck disable=SC1091
 # shellcheck source=../scripts/_environment_helpers.sh
 source "${SKILLS_SCRIPTS_DIR}/_environment_helpers.sh"
 
@@ -24,6 +27,7 @@ PROJECT_ROOT="$(cd "${SCRIPT_DIR}/../../.." && pwd)"
 # Validate environment
 log_step "ENVIRONMENT" "Validating prerequisites"
 validate_go_environment "1.23" || error_exit "Go 1.23+ is required"
+ensure_charon_encryption_key || error_exit "Failed to provision CHARON_ENCRYPTION_KEY for backend tests"
 
 # Validate project structure
 log_step "VALIDATION" "Checking project structure"

.github/skills/test-backend-unit.SKILL.md

@@ -21,7 +21,11 @@ requirements:
   - name: "go"
     version: ">=1.23"
     optional: false
-environment_variables: []
+environment_variables:
+  - name: "CHARON_ENCRYPTION_KEY"
+    description: "Encryption key for backend test runtime. Auto-generated ephemerally if missing/invalid."
+    default: "(auto-generated for test run)"
+    required: false
 parameters:
   - name: "verbose"
     type: "boolean"
@@ -106,7 +110,9 @@ For use in GitHub Actions or other CI/CD pipelines:
 
 ## Environment Variables
 
-No environment variables are required for this skill.
+| Variable | Required | Default | Description |
+|----------|----------|---------|-------------|
+| CHARON_ENCRYPTION_KEY | No | auto-generated for test run | Backend test encryption key. If missing/invalid, an ephemeral 32-byte base64 key is generated for the run. |
 
 ## Outputs
 

.github/skills/test-frontend-coverage-scripts/run.sh

@@ -32,7 +32,7 @@ cd "${PROJECT_ROOT}"
 validate_project_structure "frontend" "scripts/frontend-test-coverage.sh" || error_exit "Invalid project structure"
 
 # Set default environment variables
-set_default_env "CHARON_MIN_COVERAGE" "85"
+set_default_env "CHARON_MIN_COVERAGE" "87"
 
 # Execute the legacy script
 log_step "EXECUTION" "Running frontend tests with coverage"

.github/workflows/auto-add-to-project.yml

@@ -8,6 +8,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.issue.number || github.event.pull_request.number }}
   cancel-in-progress: false
 
+permissions:
+  contents: read
+
 jobs:
   add-to-project:
     runs-on: ubuntu-latest

.github/workflows/auto-changelog.yml

@@ -12,6 +12,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.workflow_run.head_branch || github.head_ref || github.ref_name }}
   cancel-in-progress: true
 
+permissions:
+  contents: write
+
 jobs:
   update-draft:
     runs-on: ubuntu-latest
@@ -21,6 +24,6 @@ jobs:
         with:
           ref: ${{ github.event.workflow_run.head_sha || github.sha }}
       - name: Draft Release
-        uses: release-drafter/release-drafter@6db134d15f3909ccc9eefd369f02bd1e9cffdf97 # v6
+        uses: release-drafter/release-drafter@5de93583980a40bd78603b6dfdcda5b4df377b32 # v7
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/auto-label-issues.yml

@@ -8,6 +8,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.issue.number }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   auto-label:
     runs-on: ubuntu-latest
@@ -15,7 +18,7 @@ jobs:
       issues: write
     steps:
       - name: Auto-label based on title and body
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
         with:
           script: |
             const issue = context.payload.issue;

.github/workflows/auto-versioning.yml

@@ -33,7 +33,7 @@ jobs:
 
       - name: Calculate Semantic Version
         id: semver
-        uses: paulhatch/semantic-version@f29500c9d60a99ed5168e39ee367e0976884c46e # v6.0.1
+        uses: paulhatch/semantic-version@9f72830310d5ed81233b641ee59253644cd8a8fc # v6.0.2
         with:
           # The prefix to use to create tags
           tag_prefix: "v"
@@ -89,7 +89,7 @@ jobs:
 
       - name: Create GitHub Release (creates tag via API)
         if: ${{ steps.semver.outputs.changed == 'true' && steps.check_release.outputs.exists == 'false' }}
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
+        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
         with:
           tag_name: ${{ steps.determine_tag.outputs.tag }}
           name: Release ${{ steps.determine_tag.outputs.tag }}

.github/workflows/badge-ghcr-downloads.yml

@@ -1,54 +0,0 @@
-name: "Badge: GHCR downloads"
-
-on:
-  schedule:
-    # Update periodically (GitHub schedules may be delayed)
-    - cron: '17 * * * *'
-  workflow_dispatch: {}
-
-permissions:
-  contents: write
-  packages: read
-
-concurrency:
-  group: ghcr-downloads-badge
-  cancel-in-progress: false
-
-jobs:
-  update:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout (main)
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          ref: main
-
-      - name: Set up Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
-        with:
-          node-version: 24.13.1
-
-      - name: Update GHCR downloads badge
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GHCR_OWNER: ${{ github.repository_owner }}
-          GHCR_PACKAGE: charon
-          BADGE_OUTPUT: .github/badges/ghcr-downloads.json
-        run: node scripts/update-ghcr-downloads-badge.mjs
-
-      - name: Commit and push (if changed)
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          if git diff --quiet; then
-            echo "No changes."
-            exit 0
-          fi
-
-          git config user.name "github-actions[bot]"
-          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-
-          git add .github/badges/ghcr-downloads.json
-          git commit -m "chore(badges): update GHCR downloads [skip ci]"
-          git push origin HEAD:main

.github/workflows/benchmark.yml

@@ -3,6 +3,8 @@ name: Go Benchmark
 on:
   pull_request:
   push:
+    branches:
+      - main
   workflow_dispatch:
 
 concurrency:
@@ -10,7 +12,7 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  GO_VERSION: '1.26.0'
+  GO_VERSION: '1.26.2'
   GOTOOLCHAIN: auto
 
 # Minimal permissions at workflow level; write permissions granted at job level for push only
@@ -33,9 +35,10 @@ jobs:
           ref: ${{ github.event.workflow_run.head_sha || github.sha }}
 
       - name: Set up Go
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version: ${{ env.GO_VERSION }}
+
           cache-dependency-path: backend/go.sum
 
       - name: Run Benchmark
@@ -49,7 +52,7 @@ jobs:
         # This avoids gh-pages branch errors and permission issues on fork PRs
         if: github.event.workflow_run.event == 'push' && github.event.workflow_run.head_branch == 'main'
         # Security: Pinned to full SHA for supply chain security
-        uses: benchmark-action/github-action-benchmark@4e0b38bc48375986542b13c0d8976b7b80c60c00 # v1
+        uses: benchmark-action/github-action-benchmark@a60cea5bc7b49e15c1f58f411161f99e0df48372 # v1.22.0
         with:
           name: Go Benchmark
           tool: 'go'

.github/workflows/caddy-major-monitor.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check for Caddy v3 and open issue
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
         with:
           script: |
             const upstream = { owner: 'caddyserver', repo: 'caddy' };

.github/workflows/cerberus-integration.yml

@@ -20,6 +20,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.workflow_run.event || github.event_name }}-${{ github.event.workflow_run.head_branch || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   cerberus-integration:
     name: Cerberus Security Stack Integration
@@ -31,7 +34,7 @@ jobs:
       - name: Build Docker image (Local)
         run: |
           echo "Building image locally for integration tests..."
-          docker build -t charon:local .
+          docker build -t charon:local --build-arg CI="${CI:-false}" .
           echo "✅ Successfully built charon:local"
 
       - name: Run Cerberus integration tests

.github/workflows/codecov-upload.yml

@@ -3,6 +3,8 @@ name: Upload Coverage to Codecov
 on:
   pull_request:
   push:
+    branches:
+      - main
   workflow_dispatch:
     inputs:
       run_backend:
@@ -17,11 +19,11 @@ on:
         type: boolean
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.ref_name }}-${{ github.run_id }}
+  group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 env:
-  GO_VERSION: '1.26.0'
+  GO_VERSION: '1.26.2'
   NODE_VERSION: '24.12.0'
   GOTOOLCHAIN: auto
 
@@ -43,9 +45,10 @@ jobs:
           ref: ${{ github.sha }}
 
       - name: Set up Go
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version: ${{ env.GO_VERSION }}
+
           cache-dependency-path: backend/go.sum
 
       # SECURITY: Keep pull_request (not pull_request_target) for secret-bearing backend tests.
@@ -123,6 +126,9 @@ jobs:
             echo "__CHARON_EOF__"
           } >> "$GITHUB_ENV"
 
+      - name: Install gotestsum
+        run: go install gotest.tools/gotestsum@v1.13.0
+
       - name: Run Go tests with coverage
         working-directory: ${{ github.workspace }}
         env:
@@ -131,8 +137,16 @@ jobs:
           bash scripts/go-test-coverage.sh 2>&1 | tee backend/test-output.txt
           exit "${PIPESTATUS[0]}"
 
+      - name: Upload test output artifact
+        if: always()
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: backend-test-output
+          path: backend/test-output.txt
+          retention-days: 7
+
       - name: Upload backend coverage to Codecov
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: ./backend/coverage.txt
@@ -152,7 +166,7 @@ jobs:
           ref: ${{ github.sha }}
 
       - name: Set up Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: 'npm'
@@ -169,7 +183,7 @@ jobs:
           exit "${PIPESTATUS[0]}"
 
       - name: Upload frontend coverage to Codecov
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           directory: ./frontend/coverage

.github/workflows/codeql.yml

@@ -4,7 +4,7 @@ on:
   pull_request:
     branches: [main, nightly, development]
   push:
-    branches: [main, nightly, development, 'feature/**', 'fix/**']
+    branches: [main]
   workflow_dispatch:
   schedule:
     - cron: '0 3 * * 1' # Mondays 03:00 UTC
@@ -15,6 +15,7 @@ concurrency:
 
 env:
   GOTOOLCHAIN: auto
+  GO_VERSION: '1.26.2'
 
 permissions:
   contents: read
@@ -39,14 +40,19 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          ref: ${{ github.sha }}
+          # Use github.ref (full ref path) instead of github.ref_name:
+          # - push/schedule: resolves to refs/heads/<branch>, checking out latest HEAD
+          # - pull_request:  resolves to refs/pull/<n>/merge, the correct PR merge ref
+          # github.ref_name fails for PRs because it yields "<n>/merge" which checkout
+          # interprets as a branch name (refs/heads/<n>/merge) that does not exist.
+          ref: ${{ github.ref }}
 
       - name: Verify CodeQL parity guard
         if: matrix.language == 'go'
         run: bash scripts/ci/check-codeql-parity.sh
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@9e907b5e64f6b83e7804b09294d44122997950d6 # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: ${{ matrix.language }}
           queries: security-and-quality
@@ -57,9 +63,9 @@ jobs:
 
       - name: Setup Go
         if: matrix.language == 'go'
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
-          go-version: 1.26.0
+          go-version: ${{ env.GO_VERSION }}
           cache-dependency-path: backend/go.sum
 
       - name: Verify Go toolchain and build
@@ -86,10 +92,10 @@ jobs:
         run: mkdir -p sarif-results
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@9e907b5e64f6b83e7804b09294d44122997950d6 # v4
+        uses: github/codeql-action/autobuild@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@9e907b5e64f6b83e7804b09294d44122997950d6 # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/language:${{ matrix.language }}"
           output: sarif-results/${{ matrix.language }}
@@ -122,10 +128,28 @@ jobs:
             exit 1
           fi
 
+          # shellcheck disable=SC2016
+          EFFECTIVE_LEVELS_JQ='[
+            .runs[] as $run
+            | $run.results[]
+            | . as $result
+            | ($run.tool.driver.rules // []) as $rules
+            | ((
+                $result.level
+                // (if (($result.ruleIndex | type) == "number") then ($rules[$result.ruleIndex].defaultConfiguration.level // empty) else empty end)
+                // ([
+                    $rules[]?
+                    | select((.id // "") == ($result.ruleId // ""))
+                    | (.defaultConfiguration.level // empty)
+                  ][0] // empty)
+                // ""
+              ) | ascii_downcase)
+          ]'
+
           echo "Found SARIF file: $SARIF_FILE"
-          ERROR_COUNT=$(jq '[.runs[].results[] | select(.level == "error")] | length' "$SARIF_FILE")
-          WARNING_COUNT=$(jq '[.runs[].results[] | select(.level == "warning")] | length' "$SARIF_FILE")
-          NOTE_COUNT=$(jq '[.runs[].results[] | select(.level == "note")] | length' "$SARIF_FILE")
+          ERROR_COUNT=$(jq -r "${EFFECTIVE_LEVELS_JQ} | map(select(. == \"error\")) | length" "$SARIF_FILE")
+          WARNING_COUNT=$(jq -r "${EFFECTIVE_LEVELS_JQ} | map(select(. == \"warning\")) | length" "$SARIF_FILE")
+          NOTE_COUNT=$(jq -r "${EFFECTIVE_LEVELS_JQ} | map(select(. == \"note\")) | length" "$SARIF_FILE")
 
           {
             echo "**Findings:**"
@@ -135,14 +159,32 @@ jobs:
             echo ""
 
             if [ "$ERROR_COUNT" -gt 0 ]; then
-              echo "❌ **CRITICAL:** High-severity security issues found!"
+              echo "❌ **BLOCKING:** CodeQL error-level security issues found"
               echo ""
               echo "### Top Issues:"
               echo '```'
-              jq -r '.runs[].results[] | select(.level == "error") | "\(.ruleId): \(.message.text)"' "$SARIF_FILE" | head -5
+              # shellcheck disable=SC2016
+              jq -r '
+                .runs[] as $run
+                | $run.results[]
+                | . as $result
+                | ($run.tool.driver.rules // []) as $rules
+                | ((
+                    $result.level
+                    // (if (($result.ruleIndex | type) == "number") then ($rules[$result.ruleIndex].defaultConfiguration.level // empty) else empty end)
+                    // ([
+                        $rules[]?
+                        | select((.id // "") == ($result.ruleId // ""))
+                        | (.defaultConfiguration.level // empty)
+                      ][0] // empty)
+                    // ""
+                  ) | ascii_downcase) as $effectiveLevel
+                | select($effectiveLevel == "error")
+                | "\($effectiveLevel): \($result.ruleId // \"<unknown-rule>\"): \($result.message.text)"
+              ' "$SARIF_FILE" | head -5
               echo '```'
             else
-              echo "✅ No high-severity issues found"
+              echo "✅ No blocking CodeQL issues found"
             fi
           } >> "$GITHUB_STEP_SUMMARY"
 
@@ -169,9 +211,26 @@ jobs:
             exit 1
           fi
 
-          ERROR_COUNT=$(jq '[.runs[].results[] | select(.level == "error")] | length' "$SARIF_FILE")
+          # shellcheck disable=SC2016
+          ERROR_COUNT=$(jq -r '[
+            .runs[] as $run
+            | $run.results[]
+            | . as $result
+            | ($run.tool.driver.rules // []) as $rules
+            | ((
+                $result.level
+                // (if (($result.ruleIndex | type) == "number") then ($rules[$result.ruleIndex].defaultConfiguration.level // empty) else empty end)
+                // ([
+                    $rules[]?
+                    | select((.id // "") == ($result.ruleId // ""))
+                    | (.defaultConfiguration.level // empty)
+                  ][0] // empty)
+                // ""
+              ) | ascii_downcase) as $effectiveLevel
+            | select($effectiveLevel == "error")
+          ] | length' "$SARIF_FILE")
 
           if [ "$ERROR_COUNT" -gt 0 ]; then
-            echo "::error::CodeQL found $ERROR_COUNT high-severity security issues. Fix before merging."
+            echo "::error::CodeQL found $ERROR_COUNT blocking findings (effective-level=error). Fix before merging. Policy: .github/security-severity-policy.yml"
             exit 1
           fi

.github/workflows/container-prune.yml

@@ -5,10 +5,6 @@ on:
     - cron: '0 3 * * 0' # Weekly: Sundays at 03:00 UTC
   workflow_dispatch:
     inputs:
-      registries:
-        description: 'Comma-separated registries to prune (ghcr,dockerhub)'
-        required: false
-        default: 'ghcr,dockerhub'
       keep_days:
         description: 'Number of days to retain images (unprotected)'
         required: false
@@ -27,16 +23,17 @@ permissions:
   contents: read
 
 jobs:
-  prune:
+  prune-ghcr:
     runs-on: ubuntu-latest
     env:
       OWNER: ${{ github.repository_owner }}
       IMAGE_NAME: charon
-      REGISTRIES: ${{ github.event.inputs.registries || 'ghcr,dockerhub' }}
       KEEP_DAYS: ${{ github.event.inputs.keep_days || '30' }}
       KEEP_LAST_N: ${{ github.event.inputs.keep_last_n || '30' }}
-      DRY_RUN: ${{ github.event.inputs.dry_run || 'false' }}
-      PROTECTED_REGEX: '["^v","^latest$","^main$","^develop$"]'
+      DRY_RUN: ${{ github.event_name == 'pull_request' && 'true' || github.event.inputs.dry_run || 'false' }}
+      PROTECTED_REGEX: '["^v?[0-9]+\\.[0-9]+\\.[0-9]+$","^latest$","^main$","^develop$"]'
+      PRUNE_UNTAGGED: 'true'
+      PRUNE_SBOM_TAGS: 'true'
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
@@ -45,21 +42,19 @@ jobs:
         run: |
           sudo apt-get update && sudo apt-get install -y jq curl
 
-      - name: Run container prune
+      - name: Run GHCR prune
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
-          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
         run: |
-          chmod +x scripts/prune-container-images.sh
-          ./scripts/prune-container-images.sh 2>&1 | tee prune-${{ github.run_id }}.log
+          chmod +x scripts/prune-ghcr.sh
+          ./scripts/prune-ghcr.sh 2>&1 | tee prune-ghcr-${{ github.run_id }}.log
 
-      - name: Summarize prune results (space reclaimed)
-        if: ${{ always() }}
+      - name: Summarize GHCR results
+        if: always()
         run: |
           set -euo pipefail
-          SUMMARY_FILE=prune-summary.env
-          LOG_FILE=prune-${{ github.run_id }}.log
+          SUMMARY_FILE=prune-summary-ghcr.env
+          LOG_FILE=prune-ghcr-${{ github.run_id }}.log
 
           human() {
             local bytes=${1:-0}
@@ -67,7 +62,7 @@ jobs:
               echo "0 B"
               return
             fi
-            awk -v b="$bytes" 'function human(x){ split("B KiB MiB GiB TiB",u," "); i=0; while(x>1024){x/=1024;i++} printf "%0.2f %s", x, u[i+1]} END{human(b)}'
+            awk -v b="$bytes" 'BEGIN { split("B KiB MiB GiB TiB",u," "); i=0; x=b; while(x>1024){x/=1024;i++} printf "%0.2f %s", x, u[i+1] }'
           }
 
           if [ -f "$SUMMARY_FILE" ]; then
@@ -77,34 +72,155 @@ jobs:
             TOTAL_DELETED_BYTES=$(grep -E '^TOTAL_DELETED_BYTES=' "$SUMMARY_FILE" | cut -d= -f2 || echo 0)
 
             {
-              echo "## Container prune summary"
+              echo "## GHCR prune summary"
               echo "- candidates: ${TOTAL_CANDIDATES} (≈ $(human "${TOTAL_CANDIDATES_BYTES}"))"
               echo "- deleted: ${TOTAL_DELETED} (≈ $(human "${TOTAL_DELETED_BYTES}"))"
             } >> "$GITHUB_STEP_SUMMARY"
-
-            printf 'PRUNE_SUMMARY: candidates=%s candidates_bytes=%s deleted=%s deleted_bytes=%s\n' \
-              "${TOTAL_CANDIDATES}" "${TOTAL_CANDIDATES_BYTES}" "${TOTAL_DELETED}" "${TOTAL_DELETED_BYTES}"
-            echo "Deleted approximately: $(human "${TOTAL_DELETED_BYTES}")"
-            echo "space_saved=$(human "${TOTAL_DELETED_BYTES}")" >> "$GITHUB_OUTPUT"
           else
             deleted_bytes=$(grep -oE '\( *approx +[0-9]+ bytes\)' "$LOG_FILE" | sed -E 's/.*approx +([0-9]+) bytes.*/\1/' | awk '{s+=$1} END {print s+0}' || true)
             deleted_count=$(grep -cE 'deleting |DRY RUN: would delete' "$LOG_FILE" || true)
 
             {
-              echo "## Container prune summary"
+              echo "## GHCR prune summary"
               echo "- deleted (approx): ${deleted_count} (≈ $(human "${deleted_bytes}"))"
             } >> "$GITHUB_STEP_SUMMARY"
-
-            printf 'PRUNE_SUMMARY: deleted_approx=%s deleted_bytes=%s\n' "${deleted_count}" "${deleted_bytes}"
-            echo "Deleted approximately: $(human "${deleted_bytes}")"
-            echo "space_saved=$(human "${deleted_bytes}")" >> "$GITHUB_OUTPUT"
           fi
 
-      - name: Upload prune artifacts
-        if: ${{ always() }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+      - name: Upload GHCR prune artifacts
+        if: always()
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
-          name: prune-log-${{ github.run_id }}
+          name: prune-ghcr-log-${{ github.run_id }}
           path: |
-            prune-${{ github.run_id }}.log
-            prune-summary.env
+            prune-ghcr-${{ github.run_id }}.log
+            prune-summary-ghcr.env
+
+  prune-dockerhub:
+    runs-on: ubuntu-latest
+    env:
+      OWNER: ${{ github.repository_owner }}
+      IMAGE_NAME: charon
+      KEEP_DAYS: ${{ github.event.inputs.keep_days || '30' }}
+      KEEP_LAST_N: ${{ github.event.inputs.keep_last_n || '30' }}
+      DRY_RUN: ${{ github.event_name == 'pull_request' && 'true' || github.event.inputs.dry_run || 'false' }}
+      PROTECTED_REGEX: '["^v?[0-9]+\\.[0-9]+\\.[0-9]+$","^latest$","^main$","^develop$"]'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Install tools
+        run: |
+          sudo apt-get update && sudo apt-get install -y jq curl
+
+      - name: Run Docker Hub prune
+        env:
+          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+        run: |
+          chmod +x scripts/prune-dockerhub.sh
+          ./scripts/prune-dockerhub.sh 2>&1 | tee prune-dockerhub-${{ github.run_id }}.log
+
+      - name: Summarize Docker Hub results
+        if: always()
+        run: |
+          set -euo pipefail
+          SUMMARY_FILE=prune-summary-dockerhub.env
+          LOG_FILE=prune-dockerhub-${{ github.run_id }}.log
+
+          human() {
+            local bytes=${1:-0}
+            if [ -z "$bytes" ] || [ "$bytes" -eq 0 ]; then
+              echo "0 B"
+              return
+            fi
+            awk -v b="$bytes" 'BEGIN { split("B KiB MiB GiB TiB",u," "); i=0; x=b; while(x>1024){x/=1024;i++} printf "%0.2f %s", x, u[i+1] }'
+          }
+
+          if [ -f "$SUMMARY_FILE" ]; then
+            TOTAL_CANDIDATES=$(grep -E '^TOTAL_CANDIDATES=' "$SUMMARY_FILE" | cut -d= -f2 || echo 0)
+            TOTAL_CANDIDATES_BYTES=$(grep -E '^TOTAL_CANDIDATES_BYTES=' "$SUMMARY_FILE" | cut -d= -f2 || echo 0)
+            TOTAL_DELETED=$(grep -E '^TOTAL_DELETED=' "$SUMMARY_FILE" | cut -d= -f2 || echo 0)
+            TOTAL_DELETED_BYTES=$(grep -E '^TOTAL_DELETED_BYTES=' "$SUMMARY_FILE" | cut -d= -f2 || echo 0)
+
+            {
+              echo "## Docker Hub prune summary"
+              echo "- candidates: ${TOTAL_CANDIDATES} (≈ $(human "${TOTAL_CANDIDATES_BYTES}"))"
+              echo "- deleted: ${TOTAL_DELETED} (≈ $(human "${TOTAL_DELETED_BYTES}"))"
+            } >> "$GITHUB_STEP_SUMMARY"
+          else
+            deleted_bytes=$(grep -oE '\( *approx +[0-9]+ bytes\)' "$LOG_FILE" | sed -E 's/.*approx +([0-9]+) bytes.*/\1/' | awk '{s+=$1} END {print s+0}' || true)
+            deleted_count=$(grep -cE 'deleting |DRY RUN: would delete' "$LOG_FILE" || true)
+
+            {
+              echo "## Docker Hub prune summary"
+              echo "- deleted (approx): ${deleted_count} (≈ $(human "${deleted_bytes}"))"
+            } >> "$GITHUB_STEP_SUMMARY"
+          fi
+
+      - name: Upload Docker Hub prune artifacts
+        if: always()
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        with:
+          name: prune-dockerhub-log-${{ github.run_id }}
+          path: |
+            prune-dockerhub-${{ github.run_id }}.log
+            prune-summary-dockerhub.env
+
+  summarize:
+    runs-on: ubuntu-latest
+    needs: [prune-ghcr, prune-dockerhub]
+    if: always()
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        with:
+          pattern: prune-*-log-${{ github.run_id }}
+          merge-multiple: true
+
+      - name: Combined summary
+        run: |
+          set -euo pipefail
+
+          human() {
+            local bytes=${1:-0}
+            if [ -z "$bytes" ] || [ "$bytes" -eq 0 ]; then
+              echo "0 B"
+              return
+            fi
+            awk -v b="$bytes" 'BEGIN { split("B KiB MiB GiB TiB",u," "); i=0; x=b; while(x>1024){x/=1024;i++} printf "%0.2f %s", x, u[i+1] }'
+          }
+
+          GHCR_CANDIDATES=0 GHCR_CANDIDATES_BYTES=0 GHCR_DELETED=0 GHCR_DELETED_BYTES=0
+          if [ -f prune-summary-ghcr.env ]; then
+            GHCR_CANDIDATES=$(grep -E '^TOTAL_CANDIDATES=' prune-summary-ghcr.env | cut -d= -f2 || echo 0)
+            GHCR_CANDIDATES_BYTES=$(grep -E '^TOTAL_CANDIDATES_BYTES=' prune-summary-ghcr.env | cut -d= -f2 || echo 0)
+            GHCR_DELETED=$(grep -E '^TOTAL_DELETED=' prune-summary-ghcr.env | cut -d= -f2 || echo 0)
+            GHCR_DELETED_BYTES=$(grep -E '^TOTAL_DELETED_BYTES=' prune-summary-ghcr.env | cut -d= -f2 || echo 0)
+          fi
+
+          HUB_CANDIDATES=0 HUB_CANDIDATES_BYTES=0 HUB_DELETED=0 HUB_DELETED_BYTES=0
+          if [ -f prune-summary-dockerhub.env ]; then
+            HUB_CANDIDATES=$(grep -E '^TOTAL_CANDIDATES=' prune-summary-dockerhub.env | cut -d= -f2 || echo 0)
+            HUB_CANDIDATES_BYTES=$(grep -E '^TOTAL_CANDIDATES_BYTES=' prune-summary-dockerhub.env | cut -d= -f2 || echo 0)
+            HUB_DELETED=$(grep -E '^TOTAL_DELETED=' prune-summary-dockerhub.env | cut -d= -f2 || echo 0)
+            HUB_DELETED_BYTES=$(grep -E '^TOTAL_DELETED_BYTES=' prune-summary-dockerhub.env | cut -d= -f2 || echo 0)
+          fi
+
+          TOTAL_CANDIDATES=$((GHCR_CANDIDATES + HUB_CANDIDATES))
+          TOTAL_CANDIDATES_BYTES=$((GHCR_CANDIDATES_BYTES + HUB_CANDIDATES_BYTES))
+          TOTAL_DELETED=$((GHCR_DELETED + HUB_DELETED))
+          TOTAL_DELETED_BYTES=$((GHCR_DELETED_BYTES + HUB_DELETED_BYTES))
+
+          {
+            echo "## Combined container prune summary"
+            echo ""
+            echo "| Registry | Candidates | Deleted | Space Reclaimed |"
+            echo "|----------|------------|---------|-----------------|"
+            echo "| GHCR | ${GHCR_CANDIDATES} | ${GHCR_DELETED} | $(human "${GHCR_DELETED_BYTES}") |"
+            echo "| Docker Hub | ${HUB_CANDIDATES} | ${HUB_DELETED} | $(human "${HUB_DELETED_BYTES}") |"
+            echo "| **Total** | **${TOTAL_CANDIDATES}** | **${TOTAL_DELETED}** | **$(human "${TOTAL_DELETED_BYTES}")** |"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+          printf 'PRUNE_SUMMARY: candidates=%s candidates_bytes=%s deleted=%s deleted_bytes=%s\n' \
+            "${TOTAL_CANDIDATES}" "${TOTAL_CANDIDATES_BYTES}" "${TOTAL_DELETED}" "${TOTAL_DELETED_BYTES}"
+          echo "Total space reclaimed: $(human "${TOTAL_DELETED_BYTES}")"

.github/workflows/create-labels.yml

@@ -8,6 +8,9 @@ concurrency:
   group: ${{ github.workflow }}
   cancel-in-progress: false
 
+permissions:
+  contents: read
+
 jobs:
   create-labels:
     runs-on: ubuntu-latest
@@ -15,7 +18,7 @@ jobs:
       issues: write
     steps:
       - name: Create all project labels
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
         with:
           script: |
             const labels = [

.github/workflows/crowdsec-integration.yml

@@ -20,6 +20,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.workflow_run.event || github.event_name }}-${{ github.event.workflow_run.head_branch || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   crowdsec-integration:
     name: CrowdSec Bouncer Integration
@@ -31,7 +34,7 @@ jobs:
       - name: Build Docker image (Local)
         run: |
           echo "Building image locally for integration tests..."
-          docker build -t charon:local .
+          docker build -t charon:local --build-arg CI="${CI:-false}" .
           echo "✅ Successfully built charon:local"
 
       - name: Run CrowdSec integration tests

.github/workflows/docker-build.yml

@@ -23,12 +23,19 @@ name: Docker Build, Publish & Test
 on:
   pull_request:
   push:
+    branches: [main, development]
   workflow_dispatch:
+  workflow_run:
+    workflows: ["Docker Lint"]
+    types: [completed]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.head_ref || github.ref_name }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 env:
   GHCR_REGISTRY: ghcr.io
   DOCKERHUB_REGISTRY: docker.io
@@ -38,7 +45,7 @@ env:
   TRIGGER_HEAD_SHA: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.sha }}
   TRIGGER_REF: ${{ github.event_name == 'workflow_run' && format('refs/heads/{0}', github.event.workflow_run.head_branch) || github.ref }}
   TRIGGER_HEAD_REF: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.head_ref }}
-  TRIGGER_PR_NUMBER: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.pull_requests[0].number || github.event.pull_request.number }}
+  TRIGGER_PR_NUMBER: ${{ github.event_name == 'workflow_run' && join(github.event.workflow_run.pull_requests.*.number, '') || format('{0}', github.event.pull_request.number) }}
   TRIGGER_ACTOR: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.actor.login || github.actor }}
 
 jobs:
@@ -111,21 +118,22 @@ jobs:
 
       - name: Set up QEMU
         if: steps.skip.outputs.skip_build != 'true'
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
       - name: Set up Docker Buildx
         if: steps.skip.outputs.skip_build != 'true'
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
       - name: Resolve Alpine base image digest
         if: steps.skip.outputs.skip_build != 'true'
-        id: caddy
+        id: alpine
         run: |
-          docker pull alpine:3.23.3
-          DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' alpine:3.23.3)
+          ALPINE_TAG=$(grep -m1 'ARG ALPINE_IMAGE=' Dockerfile | sed 's/ARG ALPINE_IMAGE=alpine://' | cut -d'@' -f1)
+          docker pull "alpine:${ALPINE_TAG}"
+          DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "alpine:${ALPINE_TAG}")
           echo "image=$DIGEST" >> "$GITHUB_OUTPUT"
 
       - name: Log in to GitHub Container Registry
         if: steps.skip.outputs.skip_build != 'true'
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ${{ env.GHCR_REGISTRY }}
           username: ${{ github.actor }}
@@ -133,7 +141,7 @@ jobs:
 
       - name: Log in to Docker Hub
         if: steps.skip.outputs.skip_build != 'true' && env.HAS_DOCKERHUB_TOKEN == 'true'
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: docker.io
           username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -195,7 +203,7 @@ jobs:
 
       - name: Generate Docker metadata
         id: meta
-        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
         with:
           images: |
             ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -229,7 +237,7 @@ jobs:
       - name: Build and push Docker image (with retry)
         if: steps.skip.outputs.skip_build != 'true'
         id: build-and-push
-        uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
+        uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
         with:
           timeout_minutes: 25
           max_attempts: 3
@@ -267,7 +275,7 @@ jobs:
               --build-arg "VERSION=${{ steps.meta.outputs.version }}"
               --build-arg "BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}"
               --build-arg "VCS_REF=${{ env.TRIGGER_HEAD_SHA }}"
-              --build-arg "CADDY_IMAGE=${{ steps.caddy.outputs.image }}"
+              --build-arg "ALPINE_IMAGE=${{ steps.alpine.outputs.image }}"
               --iidfile /tmp/image-digest.txt
               .
             )
@@ -339,7 +347,7 @@ jobs:
 
       - name: Upload Image Artifact
         if: success() && steps.skip.outputs.skip_build != 'true' && env.TRIGGER_EVENT == 'pull_request'
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: ${{ env.TRIGGER_EVENT == 'pull_request' && format('pr-image-{0}', env.TRIGGER_PR_NUMBER) || 'push-image' }}
           path: /tmp/charon-pr-image.tar
@@ -527,23 +535,25 @@ jobs:
 
       - name: Run Trivy scan (table output)
         if: env.TRIGGER_EVENT != 'pull_request' && steps.skip.outputs.skip_build != 'true' && steps.skip.outputs.is_feature_push != 'true'
-        uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # 0.34.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
         with:
           image-ref: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
           format: 'table'
           severity: 'CRITICAL,HIGH'
           exit-code: '0'
+          version: 'v0.70.0'
         continue-on-error: true
 
       - name: Run Trivy vulnerability scanner (SARIF)
         if: env.TRIGGER_EVENT != 'pull_request' && steps.skip.outputs.skip_build != 'true' && steps.skip.outputs.is_feature_push != 'true'
         id: trivy
-        uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # 0.34.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
         with:
           image-ref: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
           format: 'sarif'
           output: 'trivy-results.sarif'
           severity: 'CRITICAL,HIGH'
+          version: 'v0.70.0'
         continue-on-error: true
 
       - name: Check Trivy SARIF exists
@@ -558,15 +568,16 @@ jobs:
 
       - name: Upload Trivy results
         if: env.TRIGGER_EVENT != 'pull_request' && steps.skip.outputs.skip_build != 'true' && steps.trivy-check.outputs.exists == 'true'
-        uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
         with:
           sarif_file: 'trivy-results.sarif'
+          category: '.github/workflows/docker-build.yml:build-and-push'
           token: ${{ secrets.GITHUB_TOKEN }}
 
       # Generate SBOM (Software Bill of Materials) for supply chain security
       # Only for production builds (main/development) - feature branches use downstream supply-chain-pr.yml
       - name: Generate SBOM
-        uses: anchore/sbom-action@28d71544de8eaf1b958d335707167c5f783590ad # v0.22.2
+        uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
         if: env.TRIGGER_EVENT != 'pull_request' && steps.skip.outputs.skip_build != 'true' && steps.skip.outputs.is_feature_push != 'true'
         with:
           image: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
@@ -575,7 +586,7 @@ jobs:
 
       # Create verifiable attestation for the SBOM
       - name: Attest SBOM
-        uses: actions/attest-sbom@4651f806c01d8637787e274ac3bdf724ef169f34 # v3.0.0
+        uses: actions/attest-sbom@c604332985a26aa8cf1bdc465b92731239ec6b9e # v4.1.0
         if: env.TRIGGER_EVENT != 'pull_request' && steps.skip.outputs.skip_build != 'true' && steps.skip.outputs.is_feature_push != 'true'
         with:
           subject-name: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -586,7 +597,7 @@ jobs:
       # Install Cosign for keyless signing
       - name: Install Cosign
         if: env.TRIGGER_EVENT != 'pull_request' && steps.skip.outputs.skip_build != 'true' && steps.skip.outputs.is_feature_push != 'true'
-        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
 
       # Sign GHCR image with keyless signing (Sigstore/Fulcio)
       - name: Sign GHCR Image
@@ -652,7 +663,7 @@ jobs:
           echo "image_ref=${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:${PR_TAG}" >> "$GITHUB_OUTPUT"
 
       - name: Log in to GitHub Container Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ${{ env.GHCR_REGISTRY }}
           username: ${{ github.actor }}
@@ -684,31 +695,67 @@ jobs:
           echo "✅ Image freshness validated"
 
       - name: Run Trivy scan on PR image (table output)
-        uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # 0.34.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
         with:
           image-ref: ${{ steps.pr-image.outputs.image_ref }}
           format: 'table'
           severity: 'CRITICAL,HIGH'
           exit-code: '0'
+          version: 'v0.70.0'
 
       - name: Run Trivy scan on PR image (SARIF - blocking)
         id: trivy-scan
-        uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # 0.34.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
         with:
           image-ref: ${{ steps.pr-image.outputs.image_ref }}
           format: 'sarif'
           output: 'trivy-pr-results.sarif'
           severity: 'CRITICAL,HIGH'
           exit-code: '1'  # Intended to block, but continued on error for now
+          version: 'v0.70.0'
         continue-on-error: true
 
-      - name: Upload Trivy scan results
+      - name: Check Trivy PR SARIF exists
         if: always()
-        uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
+        id: trivy-pr-check
+        run: |
+          if [ -f trivy-pr-results.sarif ]; then
+            echo "exists=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "exists=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Upload Trivy scan results
+        if: always() && steps.trivy-pr-check.outputs.exists == 'true'
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
         with:
           sarif_file: 'trivy-pr-results.sarif'
           category: 'docker-pr-image'
 
+      - name: Upload Trivy compatibility results (docker-build category)
+        if: always() && steps.trivy-pr-check.outputs.exists == 'true'
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        with:
+          sarif_file: 'trivy-pr-results.sarif'
+          category: '.github/workflows/docker-build.yml:build-and-push'
+        continue-on-error: true
+
+      - name: Upload Trivy compatibility results (docker-publish alias)
+        if: always() && steps.trivy-pr-check.outputs.exists == 'true'
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        with:
+          sarif_file: 'trivy-pr-results.sarif'
+          category: '.github/workflows/docker-publish.yml:build-and-push'
+        continue-on-error: true
+
+      - name: Upload Trivy compatibility results (nightly alias)
+        if: always() && steps.trivy-pr-check.outputs.exists == 'true'
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        with:
+          sarif_file: 'trivy-pr-results.sarif'
+          category: 'trivy-nightly'
+        continue-on-error: true
+
       - name: Create scan summary
         if: always()
         run: |

.github/workflows/docs-to-issues.yml

@@ -44,7 +44,7 @@ jobs:
           ref: ${{ github.event.workflow_run.head_sha || github.sha }}
 
       - name: Set up Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ env.NODE_VERSION }}
 
@@ -53,7 +53,7 @@ jobs:
 
       - name: Detect changed files
         id: changes
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
         env:
           COMMIT_SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
         with:
@@ -95,7 +95,7 @@ jobs:
 
       - name: Process issue files
         id: process
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
         env:
           DRY_RUN: ${{ github.event.inputs.dry_run || 'false' }}
         with:

.github/workflows/docs.yml

@@ -38,7 +38,7 @@ jobs:
 
       # Step 2: Set up Node.js (for building any JS-based doc tools)
       - name: 🔧 Set up Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ env.NODE_VERSION }}
 
@@ -352,7 +352,7 @@ jobs:
 
       # Step 4: Upload the built site
       - name: 📤 Upload artifact
-        uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4
+        uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5
         with:
           path: '_site'
 
@@ -372,7 +372,7 @@ jobs:
       # Deploy to GitHub Pages
       - name: 🚀 Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4
+        uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5
 
       # Create a summary
       - name: 📋 Create deployment summary

.github/workflows/e2e-tests-split.yml

@@ -80,11 +80,10 @@ on:
         default: false
         type: boolean
   pull_request:
-  push:
 
 env:
   NODE_VERSION: '20'
-  GO_VERSION: '1.26.0'
+  GO_VERSION: '1.26.2'
   GOTOOLCHAIN: auto
   DOCKERHUB_REGISTRY: docker.io
   IMAGE_NAME: ${{ github.repository_owner }}/charon
@@ -96,7 +95,7 @@ env:
   CI_LOG_LEVEL: 'verbose'
 
 concurrency:
-  group: e2e-split-${{ github.workflow }}-${{ github.ref }}-${{ github.event.pull_request.head.sha || github.sha }}
+  group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
@@ -143,22 +142,23 @@ jobs:
 
       - name: Set up Go
         if: steps.resolve-image.outputs.image_source == 'build'
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version: ${{ env.GO_VERSION }}
+
           cache: true
           cache-dependency-path: backend/go.sum
 
       - name: Set up Node.js
         if: steps.resolve-image.outputs.image_source == 'build'
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: 'npm'
 
       - name: Cache npm dependencies
         if: steps.resolve-image.outputs.image_source == 'build'
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:
           path: ~/.npm
           key: npm-${{ hashFiles('package-lock.json') }}
@@ -170,12 +170,12 @@ jobs:
 
       - name: Set up Docker Buildx
         if: steps.resolve-image.outputs.image_source == 'build'
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 
       - name: Build Docker image
         id: build-image
         if: steps.resolve-image.outputs.image_source == 'build'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
         with:
           context: .
           file: ./Dockerfile
@@ -191,7 +191,7 @@ jobs:
 
       - name: Upload Docker image artifact
         if: steps.resolve-image.outputs.image_source == 'build'
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: docker-image
           path: charon-e2e-image.tar
@@ -225,14 +225,15 @@ jobs:
           ref: ${{ github.sha }}
 
       - name: Set up Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: 'npm'
 
+
       - name: Log in to Docker Hub
         if: needs.build.outputs.image_source == 'registry'
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ${{ env.DOCKERHUB_REGISTRY }}
           username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -247,7 +248,7 @@ jobs:
 
       - name: Download Docker image artifact
         if: needs.build.outputs.image_source == 'build'
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: docker-image
 
@@ -347,7 +348,7 @@ jobs:
 
       - name: Upload HTML report (Chromium Security)
         if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: playwright-report-chromium-security
           path: playwright-report/
@@ -355,7 +356,7 @@ jobs:
 
       - name: Upload Chromium Security coverage (if enabled)
         if: always() && (inputs.playwright_coverage == 'true' || vars.PLAYWRIGHT_COVERAGE == '1')
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: e2e-coverage-chromium-security
           path: coverage/e2e/
@@ -363,7 +364,7 @@ jobs:
 
       - name: Upload test traces on failure
         if: failure()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: traces-chromium-security
           path: test-results/**/*.zip
@@ -382,7 +383,7 @@ jobs:
 
       - name: Upload diagnostics
         if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: e2e-diagnostics-chromium-security
           path: diagnostics/
@@ -395,7 +396,7 @@ jobs:
 
       - name: Upload Docker logs on failure
         if: failure()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: docker-logs-chromium-security
           path: docker-logs-chromium-security.txt
@@ -426,14 +427,15 @@ jobs:
           ref: ${{ github.sha }}
 
       - name: Set up Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: 'npm'
 
+
       - name: Log in to Docker Hub
         if: needs.build.outputs.image_source == 'registry'
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ${{ env.DOCKERHUB_REGISTRY }}
           username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -448,7 +450,7 @@ jobs:
 
       - name: Download Docker image artifact
         if: needs.build.outputs.image_source == 'build'
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: docker-image
 
@@ -556,7 +558,7 @@ jobs:
 
       - name: Upload HTML report (Firefox Security)
         if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: playwright-report-firefox-security
           path: playwright-report/
@@ -564,7 +566,7 @@ jobs:
 
       - name: Upload Firefox Security coverage (if enabled)
         if: always() && (inputs.playwright_coverage == 'true' || vars.PLAYWRIGHT_COVERAGE == '1')
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: e2e-coverage-firefox-security
           path: coverage/e2e/
@@ -572,7 +574,7 @@ jobs:
 
       - name: Upload test traces on failure
         if: failure()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: traces-firefox-security
           path: test-results/**/*.zip
@@ -591,7 +593,7 @@ jobs:
 
       - name: Upload diagnostics
         if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: e2e-diagnostics-firefox-security
           path: diagnostics/
@@ -604,7 +606,7 @@ jobs:
 
       - name: Upload Docker logs on failure
         if: failure()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: docker-logs-firefox-security
           path: docker-logs-firefox-security.txt
@@ -635,14 +637,15 @@ jobs:
           ref: ${{ github.sha }}
 
       - name: Set up Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: 'npm'
 
+
       - name: Log in to Docker Hub
         if: needs.build.outputs.image_source == 'registry'
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ${{ env.DOCKERHUB_REGISTRY }}
           username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -657,7 +660,7 @@ jobs:
 
       - name: Download Docker image artifact
         if: needs.build.outputs.image_source == 'build'
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: docker-image
 
@@ -765,7 +768,7 @@ jobs:
 
       - name: Upload HTML report (WebKit Security)
         if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: playwright-report-webkit-security
           path: playwright-report/
@@ -773,7 +776,7 @@ jobs:
 
       - name: Upload WebKit Security coverage (if enabled)
         if: always() && (inputs.playwright_coverage == 'true' || vars.PLAYWRIGHT_COVERAGE == '1')
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: e2e-coverage-webkit-security
           path: coverage/e2e/
@@ -781,7 +784,7 @@ jobs:
 
       - name: Upload test traces on failure
         if: failure()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: traces-webkit-security
           path: test-results/**/*.zip
@@ -800,7 +803,7 @@ jobs:
 
       - name: Upload diagnostics
         if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: e2e-diagnostics-webkit-security
           path: diagnostics/
@@ -813,7 +816,7 @@ jobs:
 
       - name: Upload Docker logs on failure
         if: failure()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: docker-logs-webkit-security
           path: docker-logs-webkit-security.txt
@@ -856,14 +859,47 @@ jobs:
           ref: ${{ github.sha }}
 
       - name: Set up Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: 'npm'
 
+      - name: Preflight disk diagnostics (before cleanup)
+        run: |
+          echo "Disk usage before cleanup"
+          df -h
+          docker system df || true
+
+      - name: Preflight cleanup (best effort)
+        run: |
+          echo "Best-effort cleanup for CI runner"
+          docker system prune -af || true
+          rm -rf playwright-report playwright-output coverage/e2e test-results diagnostics || true
+          rm -f docker-logs-*.txt charon-e2e-image.tar || true
+
+      - name: Preflight disk diagnostics and threshold gate
+        run: |
+          set -euo pipefail
+          MIN_FREE_BYTES=$((5 * 1024 * 1024 * 1024))
+          echo "Disk usage after cleanup"
+          df -h
+          docker system df || true
+
+          WORKSPACE_PATH="${GITHUB_WORKSPACE:-$PWD}"
+          FREE_ROOT_BYTES=$(df -PB1 / | awk 'NR==2 {print $4}')
+          FREE_WORKSPACE_BYTES=$(df -PB1 "$WORKSPACE_PATH" | awk 'NR==2 {print $4}')
+
+          echo "Free bytes on /: $FREE_ROOT_BYTES"
+          echo "Free bytes on workspace ($WORKSPACE_PATH): $FREE_WORKSPACE_BYTES"
+
+          if [ "$FREE_ROOT_BYTES" -lt "$MIN_FREE_BYTES" ] || [ "$FREE_WORKSPACE_BYTES" -lt "$MIN_FREE_BYTES" ]; then
+            echo "::error::[CI_DISK_PRESSURE] Insufficient free disk after cleanup. Required >= 5GiB on both / and workspace. root=${FREE_ROOT_BYTES}B workspace=${FREE_WORKSPACE_BYTES}B"
+            exit 42
+          fi
+
       - name: Log in to Docker Hub
         if: needs.build.outputs.image_source == 'registry'
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ${{ env.DOCKERHUB_REGISTRY }}
           username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -878,7 +914,7 @@ jobs:
 
       - name: Download Docker image artifact
         if: needs.build.outputs.image_source == 'build'
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: docker-image
 
@@ -944,6 +980,7 @@ jobs:
             --project=chromium \
             --shard=${{ matrix.shard }}/${{ matrix.total-shards }} \
             --output=playwright-output/chromium-shard-${{ matrix.shard }} \
+            tests/a11y \
             tests/core \
             tests/dns-provider-crud.spec.ts \
             tests/dns-provider-types.spec.ts \
@@ -968,7 +1005,7 @@ jobs:
 
       - name: Upload HTML report (Chromium shard ${{ matrix.shard }})
         if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: playwright-report-chromium-shard-${{ matrix.shard }}
           path: playwright-report/
@@ -976,7 +1013,7 @@ jobs:
 
       - name: Upload Playwright output (Chromium shard ${{ matrix.shard }})
         if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: playwright-output-chromium-shard-${{ matrix.shard }}
           path: playwright-output/chromium-shard-${{ matrix.shard }}/
@@ -984,7 +1021,7 @@ jobs:
 
       - name: Upload Chromium coverage (if enabled)
         if: always() && (inputs.playwright_coverage == 'true' || vars.PLAYWRIGHT_COVERAGE == '1')
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: e2e-coverage-chromium-shard-${{ matrix.shard }}
           path: coverage/e2e/
@@ -992,7 +1029,7 @@ jobs:
 
       - name: Upload test traces on failure
         if: failure()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: traces-chromium-shard-${{ matrix.shard }}
           path: test-results/**/*.zip
@@ -1011,7 +1048,7 @@ jobs:
 
       - name: Upload diagnostics
         if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: e2e-diagnostics-chromium-shard-${{ matrix.shard }}
           path: diagnostics/
@@ -1024,7 +1061,7 @@ jobs:
 
       - name: Upload Docker logs on failure
         if: failure()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: docker-logs-chromium-shard-${{ matrix.shard }}
           path: docker-logs-chromium-shard-${{ matrix.shard }}.txt
@@ -1060,14 +1097,47 @@ jobs:
           ref: ${{ github.sha }}
 
       - name: Set up Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: 'npm'
 
+      - name: Preflight disk diagnostics (before cleanup)
+        run: |
+          echo "Disk usage before cleanup"
+          df -h
+          docker system df || true
+
+      - name: Preflight cleanup (best effort)
+        run: |
+          echo "Best-effort cleanup for CI runner"
+          docker system prune -af || true
+          rm -rf playwright-report playwright-output coverage/e2e test-results diagnostics || true
+          rm -f docker-logs-*.txt charon-e2e-image.tar || true
+
+      - name: Preflight disk diagnostics and threshold gate
+        run: |
+          set -euo pipefail
+          MIN_FREE_BYTES=$((5 * 1024 * 1024 * 1024))
+          echo "Disk usage after cleanup"
+          df -h
+          docker system df || true
+
+          WORKSPACE_PATH="${GITHUB_WORKSPACE:-$PWD}"
+          FREE_ROOT_BYTES=$(df -PB1 / | awk 'NR==2 {print $4}')
+          FREE_WORKSPACE_BYTES=$(df -PB1 "$WORKSPACE_PATH" | awk 'NR==2 {print $4}')
+
+          echo "Free bytes on /: $FREE_ROOT_BYTES"
+          echo "Free bytes on workspace ($WORKSPACE_PATH): $FREE_WORKSPACE_BYTES"
+
+          if [ "$FREE_ROOT_BYTES" -lt "$MIN_FREE_BYTES" ] || [ "$FREE_WORKSPACE_BYTES" -lt "$MIN_FREE_BYTES" ]; then
+            echo "::error::[CI_DISK_PRESSURE] Insufficient free disk after cleanup. Required >= 5GiB on both / and workspace. root=${FREE_ROOT_BYTES}B workspace=${FREE_WORKSPACE_BYTES}B"
+            exit 42
+          fi
+
       - name: Log in to Docker Hub
         if: needs.build.outputs.image_source == 'registry'
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ${{ env.DOCKERHUB_REGISTRY }}
           username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -1082,7 +1152,7 @@ jobs:
 
       - name: Download Docker image artifact
         if: needs.build.outputs.image_source == 'build'
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: docker-image
 
@@ -1156,6 +1226,7 @@ jobs:
             --project=firefox \
             --shard=${{ matrix.shard }}/${{ matrix.total-shards }} \
             --output=playwright-output/firefox-shard-${{ matrix.shard }} \
+            tests/a11y \
             tests/core \
             tests/dns-provider-crud.spec.ts \
             tests/dns-provider-types.spec.ts \
@@ -1180,7 +1251,7 @@ jobs:
 
       - name: Upload HTML report (Firefox shard ${{ matrix.shard }})
         if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: playwright-report-firefox-shard-${{ matrix.shard }}
           path: playwright-report/
@@ -1188,7 +1259,7 @@ jobs:
 
       - name: Upload Playwright output (Firefox shard ${{ matrix.shard }})
         if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: playwright-output-firefox-shard-${{ matrix.shard }}
           path: playwright-output/firefox-shard-${{ matrix.shard }}/
@@ -1196,7 +1267,7 @@ jobs:
 
       - name: Upload Firefox coverage (if enabled)
         if: always() && (inputs.playwright_coverage == 'true' || vars.PLAYWRIGHT_COVERAGE == '1')
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: e2e-coverage-firefox-shard-${{ matrix.shard }}
           path: coverage/e2e/
@@ -1204,7 +1275,7 @@ jobs:
 
       - name: Upload test traces on failure
         if: failure()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: traces-firefox-shard-${{ matrix.shard }}
           path: test-results/**/*.zip
@@ -1223,7 +1294,7 @@ jobs:
 
       - name: Upload diagnostics
         if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: e2e-diagnostics-firefox-shard-${{ matrix.shard }}
           path: diagnostics/
@@ -1236,7 +1307,7 @@ jobs:
 
       - name: Upload Docker logs on failure
         if: failure()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: docker-logs-firefox-shard-${{ matrix.shard }}
           path: docker-logs-firefox-shard-${{ matrix.shard }}.txt
@@ -1272,14 +1343,47 @@ jobs:
           ref: ${{ github.sha }}
 
       - name: Set up Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: 'npm'
 
+      - name: Preflight disk diagnostics (before cleanup)
+        run: |
+          echo "Disk usage before cleanup"
+          df -h
+          docker system df || true
+
+      - name: Preflight cleanup (best effort)
+        run: |
+          echo "Best-effort cleanup for CI runner"
+          docker system prune -af || true
+          rm -rf playwright-report playwright-output coverage/e2e test-results diagnostics || true
+          rm -f docker-logs-*.txt charon-e2e-image.tar || true
+
+      - name: Preflight disk diagnostics and threshold gate
+        run: |
+          set -euo pipefail
+          MIN_FREE_BYTES=$((5 * 1024 * 1024 * 1024))
+          echo "Disk usage after cleanup"
+          df -h
+          docker system df || true
+
+          WORKSPACE_PATH="${GITHUB_WORKSPACE:-$PWD}"
+          FREE_ROOT_BYTES=$(df -PB1 / | awk 'NR==2 {print $4}')
+          FREE_WORKSPACE_BYTES=$(df -PB1 "$WORKSPACE_PATH" | awk 'NR==2 {print $4}')
+
+          echo "Free bytes on /: $FREE_ROOT_BYTES"
+          echo "Free bytes on workspace ($WORKSPACE_PATH): $FREE_WORKSPACE_BYTES"
+
+          if [ "$FREE_ROOT_BYTES" -lt "$MIN_FREE_BYTES" ] || [ "$FREE_WORKSPACE_BYTES" -lt "$MIN_FREE_BYTES" ]; then
+            echo "::error::[CI_DISK_PRESSURE] Insufficient free disk after cleanup. Required >= 5GiB on both / and workspace. root=${FREE_ROOT_BYTES}B workspace=${FREE_WORKSPACE_BYTES}B"
+            exit 42
+          fi
+
       - name: Log in to Docker Hub
         if: needs.build.outputs.image_source == 'registry'
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ${{ env.DOCKERHUB_REGISTRY }}
           username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -1294,7 +1398,7 @@ jobs:
 
       - name: Download Docker image artifact
         if: needs.build.outputs.image_source == 'build'
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: docker-image
 
@@ -1368,6 +1472,7 @@ jobs:
             --project=webkit \
             --shard=${{ matrix.shard }}/${{ matrix.total-shards }} \
             --output=playwright-output/webkit-shard-${{ matrix.shard }} \
+            tests/a11y \
             tests/core \
             tests/dns-provider-crud.spec.ts \
             tests/dns-provider-types.spec.ts \
@@ -1392,7 +1497,7 @@ jobs:
 
       - name: Upload HTML report (WebKit shard ${{ matrix.shard }})
         if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: playwright-report-webkit-shard-${{ matrix.shard }}
           path: playwright-report/
@@ -1400,7 +1505,7 @@ jobs:
 
       - name: Upload Playwright output (WebKit shard ${{ matrix.shard }})
         if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: playwright-output-webkit-shard-${{ matrix.shard }}
           path: playwright-output/webkit-shard-${{ matrix.shard }}/
@@ -1408,7 +1513,7 @@ jobs:
 
       - name: Upload WebKit coverage (if enabled)
         if: always() && (inputs.playwright_coverage == 'true' || vars.PLAYWRIGHT_COVERAGE == '1')
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: e2e-coverage-webkit-shard-${{ matrix.shard }}
           path: coverage/e2e/
@@ -1416,7 +1521,7 @@ jobs:
 
       - name: Upload test traces on failure
         if: failure()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: traces-webkit-shard-${{ matrix.shard }}
           path: test-results/**/*.zip
@@ -1435,7 +1540,7 @@ jobs:
 
       - name: Upload diagnostics
         if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: e2e-diagnostics-webkit-shard-${{ matrix.shard }}
           path: diagnostics/
@@ -1448,7 +1553,7 @@ jobs:
 
       - name: Upload Docker logs on failure
         if: failure()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: docker-logs-webkit-shard-${{ matrix.shard }}
           path: docker-logs-webkit-shard-${{ matrix.shard }}.txt
@@ -1504,7 +1609,7 @@ jobs:
 
     steps:
       - name: Check test results
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
         env:
           EFFECTIVE_BROWSER: ${{ inputs.browser || 'all' }}
           EFFECTIVE_CATEGORY: ${{ inputs.test_category || 'all' }}

.github/workflows/e2e-tests.yml.backup

@@ -1,632 +0,0 @@
-# E2E Tests Workflow
-# Runs Playwright E2E tests with sharding for faster execution
-# and collects frontend code coverage via @bgotink/playwright-coverage
-#
-# Test Execution Architecture:
-#   - Parallel Sharding: Tests split across 4 shards for speed
-#   - Per-Shard HTML Reports: Each shard generates its own HTML report
-#   - No Merging Needed: Smaller reports are easier to debug
-#   - Trace Collection: Failure traces captured for debugging
-#
-# Coverage Architecture:
-#   - Backend: Docker container at localhost:8080 (API)
-#   - Frontend: Vite dev server at localhost:3000 (serves source files)
-#   - Tests hit Vite, which proxies API calls to Docker
-#   - V8 coverage maps directly to source files for accurate reporting
-#   - Coverage disabled by default (requires PLAYWRIGHT_COVERAGE=1)
-#
-# Triggers:
-#   - Pull requests to main/develop (with path filters)
-#   - Push to main branch
-#   - Manual dispatch with browser selection
-#
-# Jobs:
-#   1. build: Build Docker image and upload as artifact
-#   2. e2e-tests: Run tests in parallel shards, upload per-shard HTML reports
-#   3. test-summary: Generate summary with links to shard reports
-#   4. comment-results: Post test results as PR comment
-#   5. upload-coverage: Merge and upload E2E coverage to Codecov (if enabled)
-#   6. e2e-results: Status check to block merge on failure
-
-name: E2E Tests
-
-on:
-  pull_request:
-    branches:
-      - main
-      - development
-      - 'feature/**'
-    paths:
-      - 'frontend/**'
-      - 'backend/**'
-      - 'tests/**'
-      - 'playwright.config.js'
-      - '.github/workflows/e2e-tests.yml'
-
-  workflow_dispatch:
-    inputs:
-      browser:
-        description: 'Browser to test'
-        required: false
-        default: 'chromium'
-        type: choice
-        options:
-          - chromium
-          - firefox
-          - webkit
-          - all
-
-env:
-  NODE_VERSION: '20'
-  GO_VERSION: '1.25.6'
-  GOTOOLCHAIN: auto
-  REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.repository_owner }}/charon
-  PLAYWRIGHT_COVERAGE: ${{ vars.PLAYWRIGHT_COVERAGE || '0' }}
-  # Enhanced debugging environment variables
-  DEBUG: 'charon:*,charon-test:*'
-  PLAYWRIGHT_DEBUG: '1'
-  CI_LOG_LEVEL: 'verbose'
-
-concurrency:
-  group: e2e-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  # Build application once, share across test shards
-  build:
-    name: Build Application
-    runs-on: ubuntu-latest
-    outputs:
-      image_digest: ${{ steps.build-image.outputs.digest }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
-
-      - name: Set up Go
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache: true
-          cache-dependency-path: backend/go.sum
-
-      - name: Set up Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          cache: 'npm'
-
-      - name: Cache npm dependencies
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
-        with:
-          path: ~/.npm
-          key: npm-${{ hashFiles('package-lock.json') }}
-          restore-keys: npm-
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
-
-      - name: Build Docker image
-        id: build-image
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
-        with:
-          context: .
-          file: ./Dockerfile
-          push: false
-          load: true
-          tags: charon:e2e-test
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-      - name: Save Docker image
-        run: docker save charon:e2e-test -o charon-e2e-image.tar
-
-      - name: Upload Docker image artifact
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
-        with:
-          name: docker-image
-          path: charon-e2e-image.tar
-          retention-days: 1
-
-  # Run tests in parallel shards
-  e2e-tests:
-    name: E2E ${{ matrix.browser }} (Shard ${{ matrix.shard }}/${{ matrix.total-shards }})
-    runs-on: ubuntu-latest
-    needs: build
-    timeout-minutes: 30
-    env:
-      # Required for security teardown (emergency reset fallback when ACL blocks API)
-      CHARON_EMERGENCY_TOKEN: ${{ secrets.CHARON_EMERGENCY_TOKEN }}
-      # Enable security-focused endpoints and test gating
-      CHARON_EMERGENCY_SERVER_ENABLED: "true"
-      CHARON_SECURITY_TESTS_ENABLED: "true"
-      CHARON_E2E_IMAGE_TAG: charon:e2e-test
-    strategy:
-      fail-fast: false
-      matrix:
-        shard: [1, 2, 3, 4]
-        total-shards: [4]
-        browser: [chromium, firefox, webkit]
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
-
-      - name: Set up Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          cache: 'npm'
-
-      - name: Download Docker image
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
-        with:
-          name: docker-image
-
-      - name: Validate Emergency Token Configuration
-        run: |
-          echo "🔐 Validating emergency token configuration..."
-
-          if [ -z "$CHARON_EMERGENCY_TOKEN" ]; then
-            echo "::error title=Missing Secret::CHARON_EMERGENCY_TOKEN secret not configured in repository settings"
-            echo "::error::Navigate to: Repository Settings → Secrets and Variables → Actions"
-            echo "::error::Create secret: CHARON_EMERGENCY_TOKEN"
-            echo "::error::Generate value with: openssl rand -hex 32"
-            echo "::error::See docs/github-setup.md for detailed instructions"
-            exit 1
-          fi
-
-          TOKEN_LENGTH=${#CHARON_EMERGENCY_TOKEN}
-          if [ $TOKEN_LENGTH -lt 64 ]; then
-            echo "::error title=Invalid Token Length::CHARON_EMERGENCY_TOKEN must be at least 64 characters (current: $TOKEN_LENGTH)"
-            echo "::error::Generate new token with: openssl rand -hex 32"
-            exit 1
-          fi
-
-          # Mask token in output (show first 8 chars only)
-          MASKED_TOKEN="${CHARON_EMERGENCY_TOKEN:0:8}...${CHARON_EMERGENCY_TOKEN: -4}"
-          echo "::notice::Emergency token validated (length: $TOKEN_LENGTH, preview: $MASKED_TOKEN)"
-        env:
-          CHARON_EMERGENCY_TOKEN: ${{ secrets.CHARON_EMERGENCY_TOKEN }}
-
-      - name: Load Docker image
-        run: |
-          docker load -i charon-e2e-image.tar
-          docker images | grep charon
-
-      - name: Generate ephemeral encryption key
-        run: |
-          # Generate a unique, ephemeral encryption key for this CI run
-          # Key is 32 bytes, base64-encoded as required by CHARON_ENCRYPTION_KEY
-          echo "CHARON_ENCRYPTION_KEY=$(openssl rand -base64 32)" >> $GITHUB_ENV
-          echo "✅ Generated ephemeral encryption key for E2E tests"
-
-      - name: Start test environment
-        run: |
-          # Use docker-compose.playwright-ci.yml for CI (no .env file, uses GitHub Secrets)
-          # Note: Using pre-built image loaded from artifact - no rebuild needed
-          docker compose -f .docker/compose/docker-compose.playwright-ci.yml --profile security-tests up -d
-          echo "✅ Container started via docker-compose.playwright-ci.yml"
-
-      - name: Wait for service health
-        run: |
-          echo "⏳ Waiting for Charon to be healthy..."
-          MAX_ATTEMPTS=30
-          ATTEMPT=0
-
-          while [[ ${ATTEMPT} -lt ${MAX_ATTEMPTS} ]]; do
-            ATTEMPT=$((ATTEMPT + 1))
-            echo "Attempt ${ATTEMPT}/${MAX_ATTEMPTS}..."
-
-            if curl -sf http://localhost:8080/api/v1/health > /dev/null 2>&1; then
-              echo "✅ Charon is healthy!"
-              curl -s http://localhost:8080/api/v1/health | jq .
-              exit 0
-            fi
-
-            sleep 2
-          done
-
-          echo "❌ Health check failed"
-          docker compose -f .docker/compose/docker-compose.playwright-ci.yml logs
-          exit 1
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Clean Playwright browser cache
-        run: rm -rf ~/.cache/ms-playwright
-
-
-      - name: Cache Playwright browsers
-        id: playwright-cache
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
-        with:
-          path: ~/.cache/ms-playwright
-          # Use exact match only - no restore-keys fallback
-          # This ensures we don't restore stale browsers when Playwright version changes
-          key: playwright-${{ matrix.browser }}-${{ hashFiles('package-lock.json') }}
-
-      - name: Install & verify Playwright browsers
-        run: |
-          npx playwright install --with-deps --force
-
-          set -euo pipefail
-
-          echo "🎯 Playwright CLI version"
-          npx playwright --version || true
-
-          echo "🔍 Showing Playwright cache root (if present)"
-          ls -la ~/.cache/ms-playwright || true
-
-          echo "📥 Install or verify browser: ${{ matrix.browser }}"
-
-          # Install when cache miss, otherwise verify the expected executables exist
-          if [[ "${{ steps.playwright-cache.outputs.cache-hit }}" != "true" ]]; then
-            echo "📥 Cache miss - downloading ${{ matrix.browser }} browser..."
-            npx playwright install --with-deps ${{ matrix.browser }}
-          else
-            echo "✅ Cache hit - verifying ${{ matrix.browser }} browser files..."
-          fi
-
-          # Look for the browser-specific headless shell executable(s)
-          case "${{ matrix.browser }}" in
-            chromium)
-              EXPECTED_PATTERN="chrome-headless-shell*"
-              ;;
-            firefox)
-              EXPECTED_PATTERN="firefox*"
-              ;;
-            webkit)
-              EXPECTED_PATTERN="webkit*"
-              ;;
-            *)
-              EXPECTED_PATTERN="*"
-              ;;
-          esac
-
-          echo "Searching for expected files (pattern=$EXPECTED_PATTERN)..."
-          find ~/.cache/ms-playwright -maxdepth 4 -type f -name "$EXPECTED_PATTERN" -print || true
-
-          # Attempt to derive the exact executable path Playwright will use
-          echo "Attempting to resolve Playwright's executable path via Node API (best-effort)"
-          node -e "try{ const pw = require('playwright'); const b = pw['${{ matrix.browser }}']; console.log('exePath:', b.executablePath ? b.executablePath() : 'n/a'); }catch(e){ console.error('node-check-failed', e.message); process.exit(0); }" || true
-
-          # If the expected binary is missing, force reinstall
-          MISSING_COUNT=$(find ~/.cache/ms-playwright -maxdepth 4 -type f -name "$EXPECTED_PATTERN" | wc -l || true)
-          if [[ "$MISSING_COUNT" -lt 1 ]]; then
-            echo "⚠️ Expected Playwright browser executable not found (count=$MISSING_COUNT). Forcing reinstall..."
-            npx playwright install --with-deps ${{ matrix.browser }} --force
-          fi
-
-          echo "Post-install: show cache contents (top 5 lines)"
-          find ~/.cache/ms-playwright -maxdepth 3 -printf '%p\n' | head -40 || true
-
-          # Final sanity check: try a headless launch via a tiny Node script (browser-specific args, retry without args)
-          echo "🔁 Verifying browser can be launched (headless)"
-          node -e "(async()=>{ try{ const pw=require('playwright'); const name='${{ matrix.browser }}'; const browser = pw[name]; const argsMap = { chromium: ['--no-sandbox'], firefox: ['--no-sandbox'], webkit: [] }; const args = argsMap[name] || [];
-            // First attempt: launch with recommended args for this browser
-            try {
-              console.log('attempt-launch', name, 'args', JSON.stringify(args));
-              const b = await browser.launch({ headless: true, args });
-              await b.close();
-              console.log('launch-ok', 'argsUsed', JSON.stringify(args));
-              process.exit(0);
-            } catch (err) {
-              console.warn('launch-with-args-failed', err && err.message);
-              if (args.length) {
-                // Retry without args (some browsers reject unknown flags)
-                console.log('retrying-without-args');
-                const b2 = await browser.launch({ headless: true });
-                await b2.close();
-                console.log('launch-ok-no-args');
-                process.exit(0);
-              }
-              throw err;
-            }
-          } catch (e) { console.error('launch-failed', e && e.message); process.exit(2); } })()" || (echo '❌ Browser launch verification failed' && exit 1)
-
-          echo "✅ Playwright ${{ matrix.browser }} ready and verified"
-
-      - name: Run E2E tests (Shard ${{ matrix.shard }}/${{ matrix.total-shards }})
-        run: |
-          echo "════════════════════════════════════════════════════════════"
-          echo "E2E Test Shard ${{ matrix.shard }}/${{ matrix.total-shards }}"
-          echo "Browser: ${{ matrix.browser }}"
-          echo "Start Time: $(date -u +'%Y-%m-%dT%H:%M:%SZ')"
-          echo ""
-          echo "Reporter: HTML (per-shard reports)"
-          echo "Output: playwright-report/ directory"
-          echo "════════════════════════════════════════════════════════════"
-
-          # Capture start time for performance budget tracking
-          SHARD_START=$(date +%s)
-          echo "SHARD_START=$SHARD_START" >> $GITHUB_ENV
-
-          npx playwright test \
-            --project=${{ matrix.browser }} \
-            --shard=${{ matrix.shard }}/${{ matrix.total-shards }}
-
-          # Capture end time for performance budget tracking
-          SHARD_END=$(date +%s)
-          echo "SHARD_END=$SHARD_END" >> $GITHUB_ENV
-
-          SHARD_DURATION=$((SHARD_END - SHARD_START))
-
-          echo ""
-          echo "════════════════════════════════════════════════════════════"
-          echo "Shard ${{ matrix.shard }} Complete | Duration: ${SHARD_DURATION}s"
-          echo "════════════════════════════════════════════════════════════"
-        env:
-          # Test directly against Docker container (no coverage)
-          PLAYWRIGHT_BASE_URL: http://localhost:8080
-          CI: true
-          TEST_WORKER_INDEX: ${{ matrix.shard }}
-
-      - name: Verify shard performance budget
-        if: always()
-        run: |
-          # Calculate shard execution time
-          SHARD_DURATION=$((SHARD_END - SHARD_START))
-          MAX_DURATION=900  # 15 minutes
-
-          echo "📊 Performance Budget Check"
-          echo "   Shard Duration: ${SHARD_DURATION}s"
-          echo "   Budget Limit:   ${MAX_DURATION}s"
-          echo "   Utilization:    $((SHARD_DURATION * 100 / MAX_DURATION))%"
-
-          # Fail if shard exceeded performance budget
-          if [[ $SHARD_DURATION -gt $MAX_DURATION ]]; then
-            echo "::error::Shard exceeded performance budget: ${SHARD_DURATION}s > ${MAX_DURATION}s"
-            echo "::error::This likely indicates feature flag polling regression or API bottleneck"
-            echo "::error::Review test logs and consider optimizing wait helpers or API calls"
-            exit 1
-          fi
-
-          echo "✅ Shard completed within budget: ${SHARD_DURATION}s"
-
-      - name: Upload HTML report (per-shard)
-        if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
-        with:
-          name: playwright-report-${{ matrix.browser }}-shard-${{ matrix.shard }}
-          path: playwright-report/
-          retention-days: 14
-
-      - name: Upload test traces on failure
-        if: failure()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
-        with:
-          name: traces-${{ matrix.browser }}-shard-${{ matrix.shard }}
-          path: test-results/**/*.zip
-          retention-days: 7
-
-      - name: Collect Docker logs on failure
-        if: failure()
-        run: |
-          echo "📋 Container logs:"
-          docker compose -f .docker/compose/docker-compose.playwright-ci.yml logs > docker-logs-${{ matrix.browser }}-shard-${{ matrix.shard }}.txt 2>&1
-
-      - name: Upload Docker logs on failure
-        if: failure()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
-        with:
-          name: docker-logs-${{ matrix.browser }}-shard-${{ matrix.shard }}
-          path: docker-logs-${{ matrix.browser }}-shard-${{ matrix.shard }}.txt
-          retention-days: 7
-
-      - name: Cleanup
-        if: always()
-        run: |
-          docker compose -f .docker/compose/docker-compose.playwright-ci.yml down -v 2>/dev/null || true
-
-  # Summarize test results from all shards (no merging needed)
-  test-summary:
-    name: E2E Test Summary
-    runs-on: ubuntu-latest
-    needs: e2e-tests
-    if: always()
-
-    steps:
-      - name: Generate job summary with per-shard links
-        run: |
-          echo "## 📊 E2E Test Results" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "### Per-Shard HTML Reports" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "Each shard generates its own HTML report for easier debugging:" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "| Browser | Shards | HTML Reports | Traces (on failure) |" >> $GITHUB_STEP_SUMMARY
-          echo "|---------|--------|--------------|---------------------|" >> $GITHUB_STEP_SUMMARY
-          echo "| Chromium | 1-4 | \`playwright-report-chromium-shard-{1..4}\` | \`traces-chromium-shard-{1..4}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| Firefox | 1-4 | \`playwright-report-firefox-shard-{1..4}\` | \`traces-firefox-shard-{1..4}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| WebKit | 1-4 | \`playwright-report-webkit-shard-{1..4}\` | \`traces-webkit-shard-{1..4}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "### How to View Reports" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "1. Download the shard HTML report artifact (zip file)" >> $GITHUB_STEP_SUMMARY
-          echo "2. Extract and open \`index.html\` in your browser" >> $GITHUB_STEP_SUMMARY
-          echo "3. Or run: \`npx playwright show-report path/to/extracted-folder\`" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "### Debugging Tips" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "- **Failed tests?** Download the shard report that failed. Each shard has a focused subset of tests." >> $GITHUB_STEP_SUMMARY
-          echo "- **Traces**: Available in trace artifacts (only on failure)" >> $GITHUB_STEP_SUMMARY
-          echo "- **Docker Logs**: Backend errors available in docker-logs-shard-N artifacts" >> $GITHUB_STEP_SUMMARY
-          echo "- **Local repro**: \`npx playwright test --grep=\"test name\"\`" >> $GITHUB_STEP_SUMMARY
-
-  # Comment on PR with results
-  comment-results:
-    name: Comment Test Results
-    runs-on: ubuntu-latest
-    needs: [e2e-tests, test-summary]
-    if: github.event_name == 'pull_request' && always()
-    permissions:
-      pull-requests: write
-
-    steps:
-      - name: Determine test status
-        id: status
-        run: |
-          if [[ "${{ needs.e2e-tests.result }}" == "success" ]]; then
-            echo "emoji=✅" >> $GITHUB_OUTPUT
-            echo "status=PASSED" >> $GITHUB_OUTPUT
-            echo "message=All E2E tests passed!" >> $GITHUB_OUTPUT
-          elif [[ "${{ needs.e2e-tests.result }}" == "failure" ]]; then
-            echo "emoji=❌" >> $GITHUB_OUTPUT
-            echo "status=FAILED" >> $GITHUB_OUTPUT
-            echo "message=Some E2E tests failed. Check artifacts for per-shard reports." >> $GITHUB_OUTPUT
-          else
-            echo "emoji=⚠️" >> $GITHUB_OUTPUT
-            echo "status=UNKNOWN" >> $GITHUB_OUTPUT
-            echo "message=E2E tests did not complete successfully." >> $GITHUB_OUTPUT
-          fi
-
-      - name: Comment on PR
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
-        with:
-          script: |
-            const emoji = '${{ steps.status.outputs.emoji }}';
-            const status = '${{ steps.status.outputs.status }}';
-            const message = '${{ steps.status.outputs.message }}';
-            const runUrl = `https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`;
-
-            const body = `## ${emoji} E2E Test Results: ${status}
-
-            ${message}
-
-            | Metric | Result |
-            |--------|--------|
-            | Browsers | Chromium, Firefox, WebKit |
-            | Shards per Browser | 4 |
-            | Total Jobs | 12 |
-            | Status | ${status} |
-
-            **Per-Shard HTML Reports** (easier to debug):
-            - \`playwright-report-{browser}-shard-{1..4}\` (12 total artifacts)
-            - Trace artifacts: \`traces-{browser}-shard-{N}\`
-
-            [📊 View workflow run & download reports](${runUrl})
-
-            ---
-            <sub>🤖 This comment was automatically generated by the E2E Tests workflow.</sub>`;
-
-            // Find existing comment
-            const { data: comments } = await github.rest.issues.listComments({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: context.issue.number,
-            });
-
-            const botComment = comments.find(comment =>
-              comment.user.type === 'Bot' &&
-              comment.body.includes('E2E Test Results')
-            );
-
-            if (botComment) {
-              await github.rest.issues.updateComment({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                comment_id: botComment.id,
-                body: body
-              });
-            } else {
-              await github.rest.issues.createComment({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: context.issue.number,
-                body: body
-              });
-            }
-
-  # Upload merged E2E coverage to Codecov
-  upload-coverage:
-    name: Upload E2E Coverage
-    runs-on: ubuntu-latest
-    needs: e2e-tests
-    # Coverage is only produced when PLAYWRIGHT_COVERAGE=1 (requires Vite dev server)
-    if: vars.PLAYWRIGHT_COVERAGE == '1'
-
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
-
-      - name: Set up Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          cache: 'npm'
-
-      - name: Download all coverage artifacts
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
-        with:
-          pattern: e2e-coverage-*
-          path: all-coverage
-          merge-multiple: false
-
-      - name: Merge LCOV coverage files
-        run: |
-          # Install lcov for merging
-          sudo apt-get update && sudo apt-get install -y lcov
-
-          # Create merged coverage directory
-          mkdir -p coverage/e2e-merged
-
-          # Find all lcov.info files and merge them
-          LCOV_FILES=$(find all-coverage -name "lcov.info" -type f)
-
-          if [[ -n "$LCOV_FILES" ]]; then
-            # Build merge command
-            MERGE_ARGS=""
-            for file in $LCOV_FILES; do
-              MERGE_ARGS="$MERGE_ARGS -a $file"
-            done
-
-            lcov $MERGE_ARGS -o coverage/e2e-merged/lcov.info
-            echo "✅ Merged $(echo "$LCOV_FILES" | wc -w) coverage files"
-          else
-            echo "⚠️ No coverage files found to merge"
-            exit 0
-          fi
-
-      - name: Upload E2E coverage to Codecov
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: ./coverage/e2e-merged/lcov.info
-          flags: e2e
-          name: e2e-coverage
-          fail_ci_if_error: false
-
-      - name: Upload merged coverage artifact
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
-        with:
-          name: e2e-coverage-merged
-          path: coverage/e2e-merged/
-          retention-days: 30
-
-  # Final status check - blocks merge if tests fail
-  e2e-results:
-    name: E2E Test Results
-    runs-on: ubuntu-latest
-    needs: e2e-tests
-    if: always()
-
-    steps:
-      - name: Check test results
-        run: |
-          if [[ "${{ needs.e2e-tests.result }}" == "success" ]]; then
-            echo "✅ All E2E tests passed"
-            exit 0
-          elif [[ "${{ needs.e2e-tests.result }}" == "skipped" ]]; then
-            echo "⏭️ E2E tests were skipped"
-            exit 0
-          else
-            echo "❌ E2E tests failed or were cancelled"
-            echo "Result: ${{ needs.e2e-tests.result }}"
-            exit 1
-          fi

.github/workflows/gh_cache_cleanup.yml

@@ -7,6 +7,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   cleanup:
     runs-on: ubuntu-latest

.github/workflows/history-rewrite-tests.yml

@@ -9,6 +9,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.workflow_run.head_branch || github.head_ref || github.ref_name }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest

.github/workflows/nightly-build.yml

@@ -15,13 +15,16 @@ on:
       default: "false"
 
 env:
-  GO_VERSION: '1.26.0'
+  GO_VERSION: '1.26.2'
   NODE_VERSION: '24.12.0'
   GOTOOLCHAIN: auto
   GHCR_REGISTRY: ghcr.io
   DOCKERHUB_REGISTRY: docker.io
   IMAGE_NAME: wikid82/charon
 
+permissions:
+  contents: read
+
 jobs:
   sync-development-to-nightly:
     runs-on: ubuntu-latest
@@ -86,7 +89,7 @@ jobs:
       contents: read
     steps:
       - name: Dispatch Missing Nightly Validation Workflows
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
         with:
           script: |
             const owner = context.repo.owner;
@@ -103,11 +106,12 @@ jobs:
             const workflows = [
               { id: 'e2e-tests-split.yml' },
               { id: 'codecov-upload.yml', inputs: { run_backend: 'true', run_frontend: 'true' } },
-              { id: 'security-pr.yml' },
               { id: 'supply-chain-verify.yml' },
               { id: 'codeql.yml' },
             ];
 
+            core.info('Skipping security-pr.yml: PR-only workflow intentionally excluded from nightly non-PR dispatch');
+
             for (const workflow of workflows) {
               const { data: workflowRuns } = await github.rest.actions.listWorkflowRuns({
                 owner,
@@ -147,27 +151,37 @@ jobs:
       id-token: write
     outputs:
       version: ${{ steps.meta.outputs.version }}
-      tags: ${{ steps.meta.outputs.tags }}
-      digest: ${{ steps.build.outputs.digest }}
+      digest: ${{ steps.resolve_digest.outputs.digest }}
 
     steps:
       - name: Checkout nightly branch
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
-          ref: nightly
+          ref: ${{ github.event_name == 'workflow_dispatch' && github.ref || 'nightly' }}
           fetch-depth: 0
 
       - name: Set lowercase image name
         run: echo "IMAGE_NAME_LC=${IMAGE_NAME,,}" >> "$GITHUB_ENV"
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130  # v3.7.0
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a  # v4.0.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f  # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd  # v4.0.0
+
+      - name: Resolve Alpine base image digest
+        id: alpine
+        run: |
+          ALPINE_IMAGE_REF=$(grep -m1 'ARG ALPINE_IMAGE=' Dockerfile | cut -d'=' -f2-)
+          if [[ -z "$ALPINE_IMAGE_REF" ]]; then
+            echo "::error::Failed to parse ALPINE_IMAGE from Dockerfile"
+            exit 1
+          fi
+          echo "Resolved Alpine image: ${ALPINE_IMAGE_REF}"
+          echo "image=${ALPINE_IMAGE_REF}" >> "$GITHUB_OUTPUT"
 
       - name: Log in to GitHub Container Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  # v3.7.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121  # v4.1.0
         with:
           registry: ${{ env.GHCR_REGISTRY }}
           username: ${{ github.actor }}
@@ -175,7 +189,7 @@ jobs:
 
       - name: Log in to Docker Hub
         if: env.HAS_DOCKERHUB_TOKEN == 'true'
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  # v3.7.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121  # v4.1.0
         with:
           registry: docker.io
           username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -183,7 +197,7 @@ jobs:
 
       - name: Extract metadata
         id: meta
-        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051  # v5.10.0
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf  # v6.0.0
         with:
           images: |
             ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -198,7 +212,7 @@ jobs:
 
       - name: Build and push Docker image
         id: build
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8  # v6.19.2
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f  # v7.1.0
         with:
           context: .
           platforms: linux/amd64,linux/arm64
@@ -209,25 +223,112 @@ jobs:
             VERSION=nightly-${{ github.sha }}
             VCS_REF=${{ github.sha }}
             BUILD_DATE=${{ github.event.repository.pushed_at }}
+            ALPINE_IMAGE=${{ steps.alpine.outputs.image }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
           provenance: true
           sbom: true
 
+      - name: Resolve and export image digest
+        id: resolve_digest
+        run: |
+          set -euo pipefail
+          DIGEST="${{ steps.build.outputs.digest }}"
+
+          if [[ -z "$DIGEST" ]]; then
+            echo "Build action digest empty; querying GHCR registry API..."
+            GHCR_TOKEN=$(curl -sf \
+              -u "${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}" \
+              "https://ghcr.io/token?scope=repository:${{ env.IMAGE_NAME }}:pull&service=ghcr.io" \
+              | jq -r '.token')
+            DIGEST=$(curl -sfI \
+              -H "Authorization: Bearer ${GHCR_TOKEN}" \
+              -H "Accept: application/vnd.oci.image.index.v1+json,application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.oci.image.manifest.v1+json" \
+              "https://ghcr.io/v2/${{ env.IMAGE_NAME }}/manifests/nightly" \
+              | grep -i '^docker-content-digest:' | awk '{print $2}' | tr -d '\r' || true)
+            [[ -n "$DIGEST" ]] && echo "Resolved from GHCR API: ${DIGEST}"
+          fi
+
+          if [[ -z "$DIGEST" ]]; then
+            echo "::error::Could not determine image digest from step output or GHCR registry API"
+            exit 1
+          fi
+
+          echo "RESOLVED_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
+          echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
+          echo "Exported digest: ${DIGEST}"
+
       - name: Record nightly image digest
         run: |
           echo "## 🧾 Nightly Image Digest" >> "$GITHUB_STEP_SUMMARY"
-          echo "- ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:nightly@${{ steps.build.outputs.digest }}" >> "$GITHUB_STEP_SUMMARY"
+          echo "- ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:nightly@${{ steps.resolve_digest.outputs.digest }}" >> "$GITHUB_STEP_SUMMARY"
 
       - name: Generate SBOM
-        uses: anchore/sbom-action@28d71544de8eaf1b958d335707167c5f783590ad  # v0.22.2
+        id: sbom_primary
+        continue-on-error: true
+        uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610  # v0.24.0
         with:
-          image: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:nightly@${{ steps.build.outputs.digest }}
+          image: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.resolve_digest.outputs.digest }}
           format: cyclonedx-json
           output-file: sbom-nightly.json
+          syft-version: v1.42.1
+
+      - name: Generate SBOM fallback with pinned Syft
+        if: always()
+        run: |
+          set -euo pipefail
+
+          if [[ "${{ steps.sbom_primary.outcome }}" == "success" ]] && [[ -s sbom-nightly.json ]] && jq -e . sbom-nightly.json >/dev/null 2>&1; then
+            echo "Primary SBOM generation succeeded with valid JSON; skipping fallback"
+            exit 0
+          fi
+
+          echo "Primary SBOM generation failed or produced missing/invalid output; using deterministic Syft fallback"
+
+          SYFT_VERSION="v1.42.4"
+          OS="$(uname -s | tr '[:upper:]' '[:lower:]')"
+          ARCH="$(uname -m)"
+          case "$ARCH" in
+            x86_64) ARCH="amd64" ;;
+            aarch64|arm64) ARCH="arm64" ;;
+            *) echo "Unsupported architecture: $ARCH"; exit 1 ;;
+          esac
+
+          TARBALL="syft_${SYFT_VERSION#v}_${OS}_${ARCH}.tar.gz"
+          BASE_URL="https://github.com/anchore/syft/releases/download/${SYFT_VERSION}"
+
+          curl -fsSLo "$TARBALL" "${BASE_URL}/${TARBALL}"
+          curl -fsSLo checksums.txt "${BASE_URL}/syft_${SYFT_VERSION#v}_checksums.txt"
+
+          grep "  ${TARBALL}$" checksums.txt > checksum_line.txt
+          sha256sum -c checksum_line.txt
+
+          tar -xzf "$TARBALL" syft
+          chmod +x syft
+
+          DIGEST="${{ steps.resolve_digest.outputs.digest }}"
+          if [[ -z "$DIGEST" ]]; then
+            echo "::error::Digest from resolve_digest step is empty; the digest-resolution step did not complete successfully"
+            exit 1
+          fi
+          ./syft "${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${DIGEST}" -o cyclonedx-json=sbom-nightly.json
+
+      - name: Verify SBOM artifact
+        if: always()
+        run: |
+          set -euo pipefail
+          test -s sbom-nightly.json
+          jq -e . sbom-nightly.json >/dev/null
+          jq -e '
+            .bomFormat == "CycloneDX"
+            and (.specVersion | type == "string" and length > 0)
+            and has("version")
+            and has("metadata")
+            and (.components | type == "array")
+          ' sbom-nightly.json >/dev/null
 
       - name: Upload SBOM artifact
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f  # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: sbom-nightly
           path: sbom-nightly.json
@@ -235,13 +336,13 @@ jobs:
 
       # Install Cosign for keyless signing
       - name: Install Cosign
-        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad  # v4.0.0
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003  # v4.1.1
 
       # Sign GHCR image with keyless signing (Sigstore/Fulcio)
       - name: Sign GHCR Image
         run: |
           echo "Signing GHCR nightly image with keyless signing..."
-          cosign sign --yes "${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}"
+          cosign sign --yes "${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.resolve_digest.outputs.digest }}"
           echo "✅ GHCR nightly image signed successfully"
 
       # Sign Docker Hub image with keyless signing (Sigstore/Fulcio)
@@ -249,7 +350,7 @@ jobs:
         if: env.HAS_DOCKERHUB_TOKEN == 'true'
         run: |
           echo "Signing Docker Hub nightly image with keyless signing..."
-          cosign sign --yes "${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}"
+          cosign sign --yes "${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.resolve_digest.outputs.digest }}"
           echo "✅ Docker Hub nightly image signed successfully"
 
       # Attach SBOM to Docker Hub image
@@ -257,7 +358,7 @@ jobs:
         if: env.HAS_DOCKERHUB_TOKEN == 'true'
         run: |
           echo "Attaching SBOM to Docker Hub nightly image..."
-          cosign attach sbom --sbom sbom-nightly.json "${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}"
+          cosign attach sbom --sbom sbom-nightly.json "${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.resolve_digest.outputs.digest }}"
           echo "✅ SBOM attached to Docker Hub nightly image"
 
   test-nightly-image:
@@ -271,13 +372,13 @@ jobs:
       - name: Checkout nightly branch
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
-          ref: nightly
+          ref: ${{ github.event_name == 'workflow_dispatch' && github.ref || 'nightly' }}
 
       - name: Set lowercase image name
         run: echo "IMAGE_NAME_LC=${IMAGE_NAME,,}" >> "$GITHUB_ENV"
 
       - name: Log in to GitHub Container Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  # v3.7.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121  # v4.1.0
         with:
           registry: ${{ env.GHCR_REGISTRY }}
           username: ${{ github.actor }}
@@ -288,18 +389,33 @@ jobs:
 
       - name: Run container smoke test
         run: |
+          IMAGE_REF="${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:nightly@${{ needs.build-and-push-nightly.outputs.digest }}"
           docker run --name charon-nightly -d \
             -p 8080:8080 \
-            "${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:nightly@${{ needs.build-and-push-nightly.outputs.digest }}"
+            "${IMAGE_REF}"
 
-          # Wait for container to start
-          sleep 10
+          # Wait for container to become healthy
+          echo "⏳ Waiting for Charon to be healthy..."
+          MAX_ATTEMPTS=30
+          ATTEMPT=0
+          while [[ ${ATTEMPT} -lt ${MAX_ATTEMPTS} ]]; do
+            ATTEMPT=$((ATTEMPT + 1))
+            echo "Attempt ${ATTEMPT}/${MAX_ATTEMPTS}..."
+            if docker exec charon-nightly wget -qO- http://127.0.0.1:8080/health > /dev/null 2>&1; then
+              echo "✅ Charon is healthy!"
+              docker exec charon-nightly wget -qO- http://127.0.0.1:8080/health
+              break
+            fi
+            sleep 2
+          done
 
-          # Check container is running
-          docker ps | grep charon-nightly
-
-          # Basic health check
-          curl -f http://localhost:8080/health || exit 1
+          if [[ ${ATTEMPT} -ge ${MAX_ATTEMPTS} ]]; then
+            echo "❌ Health check failed after ${MAX_ATTEMPTS} attempts"
+            docker logs charon-nightly
+            docker stop charon-nightly
+            docker rm charon-nightly
+            exit 1
+          fi
 
           # Cleanup
           docker stop charon-nightly
@@ -325,40 +441,211 @@ jobs:
       - name: Checkout nightly branch
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
-          ref: nightly
+          ref: ${{ github.event_name == 'workflow_dispatch' && github.ref || 'nightly' }}
 
       - name: Set lowercase image name
         run: echo "IMAGE_NAME_LC=${IMAGE_NAME,,}" >> "$GITHUB_ENV"
 
       - name: Download SBOM
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131  # v7.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
         with:
           name: sbom-nightly
 
       - name: Scan with Grype
-        uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c  # v7.3.2
+        uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2  # v7.4.0
         with:
           sbom: sbom-nightly.json
           fail-build: false
           severity-cutoff: high
 
       - name: Scan with Trivy
-        uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284  # 0.34.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1  # 0.35.0
         with:
-          image-ref: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build-and-push-nightly.outputs.digest }}
+          image-ref: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:nightly@${{ needs.build-and-push-nightly.outputs.digest }}
           format: 'sarif'
           output: 'trivy-nightly.sarif'
+          version: 'v0.70.0'
+          trivyignores: '.trivyignore'
 
       - name: Upload Trivy results
-        uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6  # v4.32.3
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v4.35.2
         with:
           sarif_file: 'trivy-nightly.sarif'
           category: 'trivy-nightly'
 
-      - name: Check for critical CVEs
+      - name: Security severity policy summary
         run: |
-          if grep -q "CRITICAL" trivy-nightly.sarif; then
-            echo "❌ Critical vulnerabilities found in nightly build"
+          {
+            echo "## 🔐 Nightly Supply Chain Severity Policy"
+            echo ""
+            echo "- Blocking: Critical, High"
+            echo "- Medium: non-blocking by default (report + triage SLA)"
+            echo "- Policy file: .github/security-severity-policy.yml"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Check for Critical/High CVEs
+        run: |
+          set -euo pipefail
+
+          jq -e . trivy-nightly.sarif >/dev/null
+
+          CRITICAL_COUNT=$(jq -r '
+            [
+              .runs[] as $run
+              | ($run.tool.driver.rules // []) as $rules
+              | $run.results[]?
+              | . as $result
+              | (
+                  (
+                    if (($result.ruleIndex | type) == "number") then
+                      ($rules[$result.ruleIndex].properties["security-severity"] // empty)
+                    else
+                      empty
+                    end
+                  )
+                  // ([
+                      $rules[]?
+                      | select((.id // "") == ($result.ruleId // ""))
+                      | .properties["security-severity"]
+                    ][0] // empty)
+                  // empty
+                ) as $securitySeverity
+              | (try ($securitySeverity | tonumber) catch empty) as $score
+              | select($score != null and $score >= 9.0)
+            ] | length
+          ' trivy-nightly.sarif)
+
+          HIGH_COUNT=$(jq -r '
+            [
+              .runs[] as $run
+              | ($run.tool.driver.rules // []) as $rules
+              | $run.results[]?
+              | . as $result
+              | (
+                  (
+                    if (($result.ruleIndex | type) == "number") then
+                      ($rules[$result.ruleIndex].properties["security-severity"] // empty)
+                    else
+                      empty
+                    end
+                  )
+                  // ([
+                      $rules[]?
+                      | select((.id // "") == ($result.ruleId // ""))
+                      | .properties["security-severity"]
+                    ][0] // empty)
+                  // empty
+                ) as $securitySeverity
+              | (try ($securitySeverity | tonumber) catch empty) as $score
+              | select($score != null and $score >= 7.0 and $score < 9.0)
+            ] | length
+          ' trivy-nightly.sarif)
+
+          MEDIUM_COUNT=$(jq -r '
+            [
+              .runs[] as $run
+              | ($run.tool.driver.rules // []) as $rules
+              | $run.results[]?
+              | . as $result
+              | (
+                  (
+                    if (($result.ruleIndex | type) == "number") then
+                      ($rules[$result.ruleIndex].properties["security-severity"] // empty)
+                    else
+                      empty
+                    end
+                  )
+                  // ([
+                      $rules[]?
+                      | select((.id // "") == ($result.ruleId // ""))
+                      | .properties["security-severity"]
+                    ][0] // empty)
+                  // empty
+                ) as $securitySeverity
+              | (try ($securitySeverity | tonumber) catch empty) as $score
+              | select($score != null and $score >= 4.0 and $score < 7.0)
+            ] | length
+          ' trivy-nightly.sarif)
+
+          {
+            echo "- Structured SARIF counts: CRITICAL=${CRITICAL_COUNT}, HIGH=${HIGH_COUNT}, MEDIUM=${MEDIUM_COUNT}"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+          # List all Critical/High/Medium findings with details for triage
+          # shellcheck disable=SC2016
+          LIST_FINDINGS='
+            .runs[] as $run
+            | ($run.tool.driver.rules // []) as $rules
+            | $run.results[]?
+            | . as $result
+            | (
+                (
+                  if (($result.ruleIndex | type) == "number") then
+                    ($rules[$result.ruleIndex] // {})
+                  else
+                    {}
+                  end
+                ) as $ruleByIndex
+                | (
+                    [$rules[]? | select((.id // "") == ($result.ruleId // ""))][0] // {}
+                  ) as $ruleById
+                | ($ruleByIndex // $ruleById) as $rule
+                | ($rule.properties["security-severity"] // null) as $sev
+                | (try ($sev | tonumber) catch null) as $score
+                | select($score != null and $score >= 4.0)
+                | {
+                    id: ($result.ruleId // "unknown"),
+                    score: $score,
+                    severity: (
+                      if $score >= 9.0 then "CRITICAL"
+                      elif $score >= 7.0 then "HIGH"
+                      else "MEDIUM"
+                      end
+                    ),
+                    message: ($result.message.text // $rule.shortDescription.text // "no description")[0:120]
+                  }
+              )
+          '
+
+          echo ""
+          echo "=== Vulnerability Details ==="
+          jq -r "[ ${LIST_FINDINGS} ] | sort_by(-.score) | .[] | \"\\(.severity) (\\(.score)): \\(.id) — \\(.message)\"" trivy-nightly.sarif || true
+          echo "============================="
+          echo ""
+
+          if [ "$CRITICAL_COUNT" -gt 0 ]; then
+            echo "❌ Critical vulnerabilities found in nightly build (${CRITICAL_COUNT})"
+            {
+              echo ""
+              echo "### ❌ Critical CVEs blocking nightly"
+              echo '```'
+              jq -r "[ ${LIST_FINDINGS} | select(.severity == \"CRITICAL\") ] | sort_by(-.score) | .[] | \"\\(.id) (score: \\(.score)): \\(.message)\"" trivy-nightly.sarif || true
+              echo '```'
+            } >> "$GITHUB_STEP_SUMMARY"
             exit 1
           fi
-          echo "✅ No critical vulnerabilities found"
+
+          if [ "$HIGH_COUNT" -gt 0 ]; then
+            echo "❌ High vulnerabilities found in nightly build (${HIGH_COUNT})"
+            {
+              echo ""
+              echo "### ❌ High CVEs blocking nightly"
+              echo '```'
+              jq -r "[ ${LIST_FINDINGS} | select(.severity == \"HIGH\") ] | sort_by(-.score) | .[] | \"\\(.id) (score: \\(.score)): \\(.message)\"" trivy-nightly.sarif || true
+              echo '```'
+            } >> "$GITHUB_STEP_SUMMARY"
+            exit 1
+          fi
+
+          if [ "$MEDIUM_COUNT" -gt 0 ]; then
+            echo "::warning::Medium vulnerabilities found in nightly build (${MEDIUM_COUNT}). Non-blocking by policy; triage with SLA per .github/security-severity-policy.yml"
+            {
+              echo ""
+              echo "### ⚠️ Medium CVEs (non-blocking)"
+              echo '```'
+              jq -r "[ ${LIST_FINDINGS} | select(.severity == \"MEDIUM\") ] | sort_by(-.score) | .[] | \"\\(.id) (score: \\(.score)): \\(.message)\"" trivy-nightly.sarif || true
+              echo '```'
+            } >> "$GITHUB_STEP_SUMMARY"
+          fi
+
+          echo "✅ No Critical/High vulnerabilities found"

.github/workflows/pr-checklist.yml

@@ -12,6 +12,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ inputs.pr_number || github.event.pull_request.number }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   validate:
     name: Validate history-rewrite checklist (conditional)
@@ -21,7 +25,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Validate PR checklist (only for history-rewrite changes)
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
         env:
           PR_NUMBER: ${{ inputs.pr_number }}
         with:

.github/workflows/propagate-changes.yml

@@ -28,15 +28,17 @@ jobs:
       (github.event.workflow_run.head_branch == 'main' || github.event.workflow_run.head_branch == 'development')
     steps:
       - name: Set up Node (for github-script)
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ env.NODE_VERSION }}
 
       - name: Propagate Changes
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
         env:
           CURRENT_BRANCH: ${{ github.event.workflow_run.head_branch || github.ref_name }}
           CURRENT_SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }}
         with:
           script: |
             const currentBranch = process.env.CURRENT_BRANCH || context.ref.replace('refs/heads/', '');
@@ -133,7 +135,9 @@ jobs:
 
                 const sensitive = files.some(fn => configPaths.some(sp => fn.startsWith(sp) || fn.includes(sp)));
                 if (sensitive) {
-                  core.info(`${src} -> ${base} contains sensitive changes (${files.join(', ')}). Skipping automatic propagation.`);
+                  const preview = files.slice(0, 25).join(', ');
+                  const suffix = files.length > 25 ? ` …(+${files.length - 25} more)` : '';
+                  core.info(`${src} -> ${base} contains sensitive changes (${preview}${suffix}). Skipping automatic propagation.`);
                   return;
                 }
               } catch (error) {
@@ -203,6 +207,3 @@ jobs:
                 await createPR('development', targetBranch);
               }
             }
-            env:
-              GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-              CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }}

.github/workflows/quality-checks.yml

@@ -3,6 +3,9 @@ name: Quality Checks
 on:
   pull_request:
   push:
+    branches:
+      - nightly
+      - main
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -13,11 +16,33 @@ permissions:
   checks: write
 
 env:
-  GO_VERSION: '1.26.0'
+  GO_VERSION: '1.26.2'
   NODE_VERSION: '24.12.0'
   GOTOOLCHAIN: auto
 
 jobs:
+  auth-route-protection-contract:
+    name: Auth Route Protection Contract
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          fetch-depth: 0
+          ref: ${{ github.sha }}
+
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+          cache-dependency-path: backend/go.sum
+
+      - name: Run auth protection contract tests
+        run: |
+          set -euo pipefail
+          cd backend
+          go test ./internal/api/routes -run 'TestRegister_StateChangingRoutesRequireAuthentication|TestRegister_StateChangingRoutesDenyByDefaultWithExplicitAllowlist|TestRegister_AuthenticatedRoutes' -count=1 -v
+
   codecov-trigger-parity-guard:
     name: Codecov Trigger/Comment Parity Guard
     runs-on: ubuntu-latest
@@ -113,23 +138,34 @@ jobs:
           } >> "$GITHUB_ENV"
 
       - name: Set up Go
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: ${{ env.GO_VERSION }}
+
           cache-dependency-path: backend/go.sum
 
       - name: Repo health check
         run: |
           bash "scripts/repo_health_check.sh"
 
+      - name: Install gotestsum
+        run: go install gotest.tools/gotestsum@v1.13.0
+
       - name: Run Go tests
         id: go-tests
         working-directory: ${{ github.workspace }}
         env:
           CGO_ENABLED: 1
         run: |
-          bash "scripts/go-test-coverage.sh" 2>&1 | tee backend/test-output.txt
-          exit "${PIPESTATUS[0]}"
+          bash "scripts/go-test-coverage.sh" 2>&1 | tee backend/test-output.txt; exit "${PIPESTATUS[0]}"
+
+      - name: Upload test output artifact
+        if: always()
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: backend-test-output
+          path: backend/test-output.txt
+          retention-days: 7
 
       - name: Go Test Summary
         if: always()
@@ -206,11 +242,12 @@ jobs:
           PERF_MAX_MS_GETSTATUS_P95_PARALLEL: 1500ms
           PERF_MAX_MS_LISTDECISIONS_P95: 2000ms
         run: |
+          go test -run TestPerf -v ./internal/api/handlers -count=1 2>&1 | tee perf-output.txt; PERF_STATUS="${PIPESTATUS[0]}"
           {
             echo "## 🔍 Running performance assertions (TestPerf)"
-            go test -run TestPerf -v ./internal/api/handlers -count=1 | tee perf-output.txt
+            cat perf-output.txt
           } >> "$GITHUB_STEP_SUMMARY"
-          exit "${PIPESTATUS[0]}"
+          exit "$PERF_STATUS"
 
   frontend-quality:
     name: Frontend (React)
@@ -225,12 +262,18 @@ jobs:
           bash "scripts/repo_health_check.sh"
 
       - name: Set up Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: 'npm'
           cache-dependency-path: frontend/package-lock.json
 
+      - name: Verify lockfile integrity and audit dependencies
+        working-directory: frontend
+        run: |
+          npm ci --ignore-scripts
+          npm audit --audit-level=critical
+
       - name: Check if frontend was modified in PR
         id: check-frontend
         run: |
@@ -272,8 +315,7 @@ jobs:
         id: frontend-tests
         working-directory: ${{ github.workspace }}
         run: |
-          bash scripts/frontend-test-coverage.sh 2>&1 | tee frontend/test-output.txt
-          exit "${PIPESTATUS[0]}"
+          bash scripts/frontend-test-coverage.sh 2>&1 | tee frontend/test-output.txt; exit "${PIPESTATUS[0]}"
 
       - name: Frontend Test Summary
         if: always()

.github/workflows/rate-limit-integration.yml

@@ -20,6 +20,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.workflow_run.event || github.event_name }}-${{ github.event.workflow_run.head_branch || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   rate-limit-integration:
     name: Rate Limiting Integration
@@ -31,7 +34,7 @@ jobs:
       - name: Build Docker image (Local)
         run: |
           echo "Building image locally for integration tests..."
-          docker build -t charon:local .
+          docker build -t charon:local --build-arg CI="${CI:-false}" .
           echo "✅ Successfully built charon:local"
 
       - name: Run rate limit integration tests
@@ -68,7 +71,7 @@ jobs:
 
             echo "### Caddy Admin Config (rate_limit handlers)"
             echo '```json'
-            curl -s http://localhost:2119/config 2>/dev/null | grep -A 20 '"handler":"rate_limit"' | head -30 || echo "Could not retrieve Caddy config"
+            curl -s http://localhost:2119/config/ 2>/dev/null | grep -A 20 '"handler":"rate_limit"' | head -30 || echo "Could not retrieve Caddy config"
             echo '```'
             echo ""
 

.github/workflows/release-goreleaser.yml

@@ -10,7 +10,7 @@ concurrency:
   cancel-in-progress: false
 
 env:
-  GO_VERSION: '1.26.0'
+  GO_VERSION: '1.26.2'
   NODE_VERSION: '24.12.0'
   GOTOOLCHAIN: auto
 
@@ -20,6 +20,7 @@ permissions:
 
 jobs:
   goreleaser:
+    if: ${{ !contains(github.ref_name, '-candidate') && !contains(github.ref_name, '-rc') }}
     runs-on: ubuntu-latest
     env:
       # Use the built-in GITHUB_TOKEN by default for GitHub API operations.
@@ -32,13 +33,26 @@ jobs:
         with:
           fetch-depth: 0
 
+      - name: Enforce PR-2 release promotion guard
+        env:
+          REPO_VARS_JSON: ${{ toJSON(vars) }}
+        run: |
+          PR2_GATE_STATUS="$(printf '%s' "$REPO_VARS_JSON" | jq -r '.CHARON_PR2_GATES_PASSED // "false"')"
+          if [[ "$PR2_GATE_STATUS" != "true" ]]; then
+            echo "::error::Releasable tag promotion is blocked until PR-2 security/retirement gates pass."
+            echo "::error::Set repository variable CHARON_PR2_GATES_PASSED=true only after PR-2 approval."
+            exit 1
+          fi
+
       - name: Set up Go
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version: ${{ env.GO_VERSION }}
 
+          cache-dependency-path: backend/go.sum
+
       - name: Set up Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ env.NODE_VERSION }}
 
@@ -53,7 +67,7 @@ jobs:
 
       - name: Install Cross-Compilation Tools (Zig)
         # Security: Pinned to full SHA for supply chain security
-        uses: goto-bus-stop/setup-zig@abea47f85e598557f500fa1fd2ab7464fcb39406 # v2
+        uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2.2.1
         with:
           version: 0.13.0
 
@@ -61,7 +75,7 @@ jobs:
 
 
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6
+        uses: goreleaser/goreleaser-action@e24998b8b67b290c2fa8b7c14fcfa7de2c5c9b8c # v7
         with:
           distribution: goreleaser
           version: '~> v2.5'

.github/workflows/renovate.yml

@@ -14,6 +14,9 @@ permissions:
   pull-requests: write
   issues: write
 
+env:
+  GO_VERSION: '1.26.2'
+
 jobs:
   renovate:
     runs-on: ubuntu-latest
@@ -24,8 +27,13 @@ jobs:
         with:
           fetch-depth: 1
 
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
       - name: Run Renovate
-        uses: renovatebot/github-action@d65ef9e20512193cc070238b49c3873a361cd50c # v46.1.1
+        uses: renovatebot/github-action@83ec54fee49ab67d9cd201084c1ff325b4b462e4 # v46.1.10
         with:
           configurationFile: .github/renovate.json
           token: ${{ secrets.RENOVATE_TOKEN || secrets.GITHUB_TOKEN }}

.github/workflows/renovate_prune.yml

@@ -30,7 +30,7 @@ jobs:
             echo "GITHUB_TOKEN=${{ secrets.CHARON_TOKEN }}" >> "$GITHUB_ENV"
           fi
       - name: Prune renovate branches
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
         with:
           github-token: ${{ env.GITHUB_TOKEN }}
           script: |

.github/workflows/repo-health.yml

@@ -9,6 +9,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref_name }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   repo_health:
     name: Repo health
@@ -34,7 +37,7 @@ jobs:
 
       - name: Upload health output
         if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: repo-health-output
           path: |

.github/workflows/security-pr.yml

@@ -4,35 +4,44 @@
 name: Security Scan (PR)
 
 on:
+  workflow_run:
+    workflows: ["Docker Build, Publish & Test"]
+    types: [completed]
   workflow_dispatch:
     inputs:
       pr_number:
-        description: 'PR number to scan (optional)'
-        required: false
+        description: 'PR number to scan'
+        required: true
         type: string
   pull_request:
   push:
+    branches: [main]
 
 
 concurrency:
-  group: security-pr-${{ github.event.workflow_run.event || github.event_name }}-${{ github.event.workflow_run.head_branch || github.ref }}
+  group: security-pr-${{ github.event_name == 'workflow_run' && github.event.workflow_run.event || github.event_name }}-${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   security-scan:
     name: Trivy Binary Scan
     runs-on: ubuntu-latest
     timeout-minutes: 10
-    # Run for: manual dispatch, PR builds, or any push builds from docker-build
+    # Run for manual dispatch, direct PR/push, or successful upstream workflow_run
     if: >-
       github.event_name == 'workflow_dispatch' ||
       github.event_name == 'pull_request' ||
-      ((github.event.workflow_run.event == 'push' || github.event.workflow_run.pull_requests[0].number != null) &&
-       (github.event.workflow_run.status != 'completed' || github.event.workflow_run.conclusion == 'success'))
+      github.event_name == 'push' ||
+      (github.event_name == 'workflow_run' &&
+       github.event.workflow_run.event == 'pull_request' &&
+       github.event.workflow_run.status == 'completed' &&
+       github.event.workflow_run.conclusion == 'success')
 
     permissions:
       contents: read
-      pull-requests: write
       security-events: write
       actions: read
 
@@ -41,27 +50,65 @@ jobs:
         # actions/checkout v4.2.2
         uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98
         with:
-          ref: ${{ github.event.workflow_run.head_sha || github.sha }}
+          ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.sha }}
 
       - name: Extract PR number from workflow_run
         id: pr-info
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
-            # Manual dispatch - use input or fail gracefully
-            if [[ -n "${{ inputs.pr_number }}" ]]; then
-              echo "pr_number=${{ inputs.pr_number }}" >> "$GITHUB_OUTPUT"
-              echo "✅ Using manually provided PR number: ${{ inputs.pr_number }}"
-            else
-              echo "⚠️ No PR number provided for manual dispatch"
-              echo "pr_number=" >> "$GITHUB_OUTPUT"
-            fi
+          if [[ "${{ github.event_name }}" == "push" ]]; then
+            echo "pr_number=" >> "$GITHUB_OUTPUT"
+            echo "is_push=true" >> "$GITHUB_OUTPUT"
+            echo "✅ Push event detected; using local image path"
             exit 0
           fi
 
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            echo "pr_number=${{ github.event.pull_request.number }}" >> "$GITHUB_OUTPUT"
+            echo "is_push=false" >> "$GITHUB_OUTPUT"
+            echo "✅ Pull request event detected: PR #${{ github.event.pull_request.number }}"
+            exit 0
+          fi
+
+          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            INPUT_PR_NUMBER="${{ inputs.pr_number }}"
+            if [[ -z "${INPUT_PR_NUMBER}" ]]; then
+              echo "❌ workflow_dispatch requires inputs.pr_number"
+              exit 1
+            fi
+
+            if [[ ! "${INPUT_PR_NUMBER}" =~ ^[0-9]+$ ]]; then
+              echo "❌ reason_category=invalid_input"
+              echo "reason=workflow_dispatch pr_number must be digits-only"
+              exit 1
+            fi
+
+            PR_NUMBER="${INPUT_PR_NUMBER}"
+            echo "pr_number=${PR_NUMBER}" >> "$GITHUB_OUTPUT"
+            echo "is_push=false" >> "$GITHUB_OUTPUT"
+            echo "✅ Using manually provided PR number: ${PR_NUMBER}"
+            exit 0
+          fi
+
+          if [[ "${{ github.event_name }}" == "workflow_run" ]]; then
+            if [[ "${{ github.event.workflow_run.event }}" != "pull_request" ]]; then
+              # Explicit contract validation happens in the dedicated guard step.
+              echo "pr_number=" >> "$GITHUB_OUTPUT"
+              echo "is_push=false" >> "$GITHUB_OUTPUT"
+              exit 0
+            fi
+
+            if [[ -n "${{ github.event.workflow_run.pull_requests[0].number || '' }}" ]]; then
+              echo "pr_number=${{ github.event.workflow_run.pull_requests[0].number }}" >> "$GITHUB_OUTPUT"
+              echo "is_push=false" >> "$GITHUB_OUTPUT"
+              echo "✅ Found PR number from workflow_run payload: ${{ github.event.workflow_run.pull_requests[0].number }}"
+              exit 0
+            fi
+          fi
+
           # Extract PR number from context
-          HEAD_SHA="${{ github.event.workflow_run.head_sha || github.event.pull_request.head.sha || github.sha }}"
+          HEAD_SHA="${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.event.pull_request.head.sha || github.sha }}"
           echo "🔍 Looking for PR with head SHA: ${HEAD_SHA}"
 
           # Query GitHub API for PR associated with this commit
@@ -73,21 +120,38 @@ jobs:
 
           if [[ -n "${PR_NUMBER}" ]]; then
             echo "pr_number=${PR_NUMBER}" >> "$GITHUB_OUTPUT"
+            echo "is_push=false" >> "$GITHUB_OUTPUT"
             echo "✅ Found PR number: ${PR_NUMBER}"
           else
-            echo "⚠️ Could not find PR number for SHA: ${HEAD_SHA}"
-            echo "pr_number=" >> "$GITHUB_OUTPUT"
+            echo "❌ Could not determine PR number for workflow_run SHA: ${HEAD_SHA}"
+            exit 1
           fi
 
-          # Check if this is a push event (not a PR)
-          if [[ "${{ github.event_name }}" == "push" || "${{ github.event.workflow_run.event }}" == "push" || -z "${PR_NUMBER}" ]]; then
-            HEAD_BRANCH="${{ github.event.workflow_run.head_branch || github.ref_name }}"
-            echo "is_push=true" >> "$GITHUB_OUTPUT"
-            echo "✅ Detected push build from branch: ${HEAD_BRANCH}"
-          else
-            echo "is_push=false" >> "$GITHUB_OUTPUT"
+      - name: Validate workflow_run trust boundary and event contract
+        if: github.event_name == 'workflow_run'
+        run: |
+          if [[ "${{ github.event.workflow_run.name }}" != "Docker Build, Publish & Test" ]]; then
+            echo "❌ reason_category=unexpected_upstream_workflow"
+            echo "workflow_name=${{ github.event.workflow_run.name }}"
+            exit 1
           fi
 
+          if [[ "${{ github.event.workflow_run.event }}" != "pull_request" ]]; then
+            echo "❌ reason_category=unsupported_upstream_event"
+            echo "upstream_event=${{ github.event.workflow_run.event }}"
+            echo "run_id=${{ github.event.workflow_run.id }}"
+            exit 1
+          fi
+
+          if [[ "${{ github.event.workflow_run.head_repository.full_name }}" != "${{ github.repository }}" ]]; then
+            echo "❌ reason_category=untrusted_upstream_repository"
+            echo "upstream_head_repository=${{ github.event.workflow_run.head_repository.full_name }}"
+            echo "expected_repository=${{ github.repository }}"
+            exit 1
+          fi
+
+          echo "✅ workflow_run trust boundary and event contract validated"
+
       - name: Build Docker image (Local)
         if: github.event_name == 'push' || github.event_name == 'pull_request'
         run: |
@@ -97,95 +161,149 @@ jobs:
 
       - name: Check for PR image artifact
         id: check-artifact
-        if: (steps.pr-info.outputs.pr_number != '' || steps.pr-info.outputs.is_push == 'true') && github.event_name != 'push' && github.event_name != 'pull_request'
+        if: github.event_name == 'workflow_run' || github.event_name == 'workflow_dispatch'
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          # Determine artifact name based on event type
-          if [[ "${{ steps.pr-info.outputs.is_push }}" == "true" ]]; then
-            ARTIFACT_NAME="push-image"
-          else
-            PR_NUMBER="${{ steps.pr-info.outputs.pr_number }}"
-            ARTIFACT_NAME="pr-image-${PR_NUMBER}"
+          PR_NUMBER="${{ steps.pr-info.outputs.pr_number }}"
+          if [[ ! "${PR_NUMBER}" =~ ^[0-9]+$ ]]; then
+            echo "❌ reason_category=invalid_input"
+            echo "reason=Resolved PR number must be digits-only"
+            exit 1
           fi
-          RUN_ID="${{ github.event.workflow_run.id }}"
+
+          ARTIFACT_NAME="pr-image-${PR_NUMBER}"
+          RUN_ID="${{ github.event_name == 'workflow_run' && github.event.workflow_run.id || '' }}"
 
           echo "🔍 Checking for artifact: ${ARTIFACT_NAME}"
 
           if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
-            # For manual dispatch, find the most recent workflow run with this artifact
-            RUN_ID=$(gh api \
+            # Manual replay path: find latest successful docker-build pull_request run for this PR.
+            RUNS_JSON=$(gh api \
               -H "Accept: application/vnd.github+json" \
               -H "X-GitHub-Api-Version: 2022-11-28" \
-              "/repos/${{ github.repository }}/actions/workflows/docker-build.yml/runs?status=success&per_page=10" \
-              --jq '.workflow_runs[0].id // empty' 2>/dev/null || echo "")
+              "/repos/${{ github.repository }}/actions/workflows/docker-build.yml/runs?event=pull_request&status=success&per_page=100" 2>&1)
+            RUNS_STATUS=$?
+
+            if [[ ${RUNS_STATUS} -ne 0 ]]; then
+              echo "❌ reason_category=api_error"
+              echo "reason=Failed to query workflow runs for PR lookup"
+              echo "upstream_run_id=unknown"
+              echo "artifact_name=${ARTIFACT_NAME}"
+              echo "api_output=${RUNS_JSON}"
+              exit 1
+            fi
+
+            RUN_ID=$(printf '%s' "${RUNS_JSON}" | jq -r --argjson pr "${PR_NUMBER}" '.workflow_runs[] | select((.pull_requests // []) | any(.number == $pr)) | .id' | head -n 1)
 
             if [[ -z "${RUN_ID}" ]]; then
-              echo "⚠️ No successful workflow runs found"
-              echo "artifact_exists=false" >> "$GITHUB_OUTPUT"
-              exit 0
+              echo "❌ reason_category=not_found"
+              echo "reason=No successful docker-build pull_request run found for PR #${PR_NUMBER}"
+              echo "upstream_run_id=unknown"
+              echo "artifact_name=${ARTIFACT_NAME}"
+              exit 1
             fi
-          elif [[ -z "${RUN_ID}" ]]; then
-            # If triggered by push/pull_request, RUN_ID is empty. Find recent run for this commit.
-            HEAD_SHA="${{ github.event.workflow_run.head_sha || github.event.pull_request.head.sha || github.sha }}"
-            echo "🔍 Searching for workflow run for SHA: ${HEAD_SHA}"
-            # Retry a few times as the run might be just starting or finishing
-            for i in {1..3}; do
-              RUN_ID=$(gh api \
-                -H "Accept: application/vnd.github+json" \
-                -H "X-GitHub-Api-Version: 2022-11-28" \
-                "/repos/${{ github.repository }}/actions/workflows/docker-build.yml/runs?head_sha=${HEAD_SHA}&status=success&per_page=1" \
-                --jq '.workflow_runs[0].id // empty' 2>/dev/null || echo "")
-              if [[ -n "${RUN_ID}" ]]; then break; fi
-              echo "⏳ Waiting for workflow run to appear/complete... ($i/3)"
-              sleep 5
-            done
           fi
 
           echo "run_id=${RUN_ID}" >> "$GITHUB_OUTPUT"
 
           # Check if the artifact exists in the workflow run
-          ARTIFACT_ID=$(gh api \
+          ARTIFACTS_JSON=$(gh api \
             -H "Accept: application/vnd.github+json" \
             -H "X-GitHub-Api-Version: 2022-11-28" \
-            "/repos/${{ github.repository }}/actions/runs/${RUN_ID}/artifacts" \
-            --jq ".artifacts[] | select(.name == \"${ARTIFACT_NAME}\") | .id" 2>/dev/null || echo "")
+            "/repos/${{ github.repository }}/actions/runs/${RUN_ID}/artifacts" 2>&1)
+          ARTIFACTS_STATUS=$?
 
-          if [[ -n "${ARTIFACT_ID}" ]]; then
-            echo "artifact_exists=true" >> "$GITHUB_OUTPUT"
-            echo "artifact_id=${ARTIFACT_ID}" >> "$GITHUB_OUTPUT"
-            echo "✅ Found artifact: ${ARTIFACT_NAME} (ID: ${ARTIFACT_ID})"
-          else
-            echo "artifact_exists=false" >> "$GITHUB_OUTPUT"
-            echo "⚠️ Artifact not found: ${ARTIFACT_NAME}"
-            echo "ℹ️ This is expected for non-PR builds or if the image was not uploaded"
+          if [[ ${ARTIFACTS_STATUS} -ne 0 ]]; then
+            echo "❌ reason_category=api_error"
+            echo "reason=Failed to query artifacts for upstream run"
+            echo "upstream_run_id=${RUN_ID}"
+            echo "artifact_name=${ARTIFACT_NAME}"
+            echo "api_output=${ARTIFACTS_JSON}"
+            exit 1
           fi
 
-      - name: Skip if no artifact
-        if: ((steps.pr-info.outputs.pr_number == '' && steps.pr-info.outputs.is_push != 'true') || steps.check-artifact.outputs.artifact_exists != 'true') && github.event_name != 'push' && github.event_name != 'pull_request'
-        run: |
-          echo "ℹ️ Skipping security scan - no PR image artifact available"
-          echo "This is expected for:"
-          echo "  - Pushes to main/release branches"
-          echo "  - PRs where Docker build failed"
-          echo "  - Manual dispatch without PR number"
-          exit 0
+          ARTIFACT_ID=$(printf '%s' "${ARTIFACTS_JSON}" | jq -r --arg name "${ARTIFACT_NAME}" '.artifacts[] | select(.name == $name) | .id' | head -n 1)
+
+          if [[ -z "${ARTIFACT_ID}" ]]; then
+            echo "❌ reason_category=not_found"
+            echo "reason=Required artifact was not found"
+            echo "upstream_run_id=${RUN_ID}"
+            echo "artifact_name=${ARTIFACT_NAME}"
+            exit 1
+          fi
+
+          {
+            echo "artifact_exists=true"
+            echo "artifact_id=${ARTIFACT_ID}"
+            echo "artifact_name=${ARTIFACT_NAME}"
+          } >> "$GITHUB_OUTPUT"
+          echo "✅ Found artifact: ${ARTIFACT_NAME} (ID: ${ARTIFACT_ID})"
 
       - name: Download PR image artifact
-        if: steps.check-artifact.outputs.artifact_exists == 'true'
+        if: github.event_name == 'workflow_run' || github.event_name == 'workflow_dispatch'
         # actions/download-artifact v4.1.8
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
+        uses: actions/download-artifact@484a0b528fb4d7bd804637ccb632e47a0e638317
         with:
-          name: ${{ steps.pr-info.outputs.is_push == 'true' && 'push-image' || format('pr-image-{0}', steps.pr-info.outputs.pr_number) }}
+          name: ${{ steps.check-artifact.outputs.artifact_name }}
           run-id: ${{ steps.check-artifact.outputs.run_id }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Load Docker image
-        if: steps.check-artifact.outputs.artifact_exists == 'true'
+        if: github.event_name == 'workflow_run' || github.event_name == 'workflow_dispatch'
+        id: load-image
         run: |
           echo "📦 Loading Docker image..."
-          docker load < charon-pr-image.tar
-          echo "✅ Docker image loaded"
+
+          if [[ ! -r "charon-pr-image.tar" ]]; then
+            echo "❌ ERROR: Artifact image tar is missing or unreadable"
+            exit 1
+          fi
+
+          MANIFEST_TAGS=""
+          if tar -tf charon-pr-image.tar | grep -qx "manifest.json"; then
+            MANIFEST_TAGS=$(tar -xOf charon-pr-image.tar manifest.json 2>/dev/null | jq -r '.[]?.RepoTags[]?' 2>/dev/null | sed '/^$/d' || true)
+          else
+            echo "⚠️ manifest.json not found in artifact tar; will try docker-load-image-id fallback"
+          fi
+
+          LOAD_OUTPUT=$(docker load < charon-pr-image.tar 2>&1)
+          echo "${LOAD_OUTPUT}"
+
+          SOURCE_IMAGE_REF=""
+          SOURCE_RESOLUTION_MODE=""
+
+          while IFS= read -r tag; do
+            [[ -z "${tag}" ]] && continue
+            if docker image inspect "${tag}" >/dev/null 2>&1; then
+              SOURCE_IMAGE_REF="${tag}"
+              SOURCE_RESOLUTION_MODE="manifest_tag"
+              break
+            fi
+          done <<< "${MANIFEST_TAGS}"
+
+          if [[ -z "${SOURCE_IMAGE_REF}" ]]; then
+            LOAD_IMAGE_ID=$(printf '%s\n' "${LOAD_OUTPUT}" | sed -nE 's/^Loaded image ID: (sha256:[0-9a-f]+)$/\1/p' | head -n1)
+            if [[ -n "${LOAD_IMAGE_ID}" ]] && docker image inspect "${LOAD_IMAGE_ID}" >/dev/null 2>&1; then
+              SOURCE_IMAGE_REF="${LOAD_IMAGE_ID}"
+              SOURCE_RESOLUTION_MODE="load_image_id"
+            fi
+          fi
+
+          if [[ -z "${SOURCE_IMAGE_REF}" ]]; then
+            echo "❌ ERROR: Could not resolve a valid image reference from manifest tags or docker load image ID"
+            exit 1
+          fi
+
+          docker tag "${SOURCE_IMAGE_REF}" "charon:artifact"
+
+          {
+            echo "source_image_ref=${SOURCE_IMAGE_REF}"
+            echo "source_resolution_mode=${SOURCE_RESOLUTION_MODE}"
+            echo "image_ref=charon:artifact"
+          } >> "$GITHUB_OUTPUT"
+
+          echo "✅ Docker image resolved via ${SOURCE_RESOLUTION_MODE} and tagged as charon:artifact"
           docker images | grep charon
 
       - name: Extract charon binary from container
@@ -214,31 +332,10 @@ jobs:
             exit 0
           fi
 
-          # Normalize image name for reference
-          IMAGE_NAME=$(echo "${{ github.repository_owner }}/charon" | tr '[:upper:]' '[:lower:]')
-          if [[ "${{ steps.pr-info.outputs.is_push }}" == "true" ]]; then
-            BRANCH_NAME="${{ github.event.workflow_run.head_branch }}"
-            if [[ -z "${BRANCH_NAME}" ]]; then
-              echo "❌ ERROR: Branch name is empty for push build"
-              exit 1
-            fi
-            # Normalize branch name for Docker tag (replace / and other special chars with -)
-            # This matches docker/metadata-action behavior: type=ref,event=branch
-            TAG_SAFE_BRANCH="${BRANCH_NAME//\//-}"
-            IMAGE_REF="ghcr.io/${IMAGE_NAME}:${TAG_SAFE_BRANCH}"
-          elif [[ -n "${{ steps.pr-info.outputs.pr_number }}" ]]; then
-            IMAGE_REF="ghcr.io/${IMAGE_NAME}:pr-${{ steps.pr-info.outputs.pr_number }}"
-          else
-            echo "❌ ERROR: Cannot determine image reference"
-            echo "  - is_push: ${{ steps.pr-info.outputs.is_push }}"
-            echo "  - pr_number: ${{ steps.pr-info.outputs.pr_number }}"
-            echo "  - branch: ${{ github.event.workflow_run.head_branch }}"
-            exit 1
-          fi
-
-          # Validate the image reference format
-          if [[ ! "${IMAGE_REF}" =~ ^ghcr\.io/[a-z0-9_-]+/[a-z0-9_-]+:[a-zA-Z0-9._-]+$ ]]; then
-            echo "❌ ERROR: Invalid image reference format: ${IMAGE_REF}"
+          # For workflow_run artifact path, always use locally tagged image from loaded artifact.
+          IMAGE_REF="${{ steps.load-image.outputs.image_ref }}"
+          if [[ -z "${IMAGE_REF}" ]]; then
+            echo "❌ ERROR: Loaded artifact image reference is empty"
             exit 1
           fi
 
@@ -267,8 +364,8 @@ jobs:
 
       - name: Run Trivy filesystem scan (SARIF output)
         if: steps.check-artifact.outputs.artifact_exists == 'true' || github.event_name == 'push' || github.event_name == 'pull_request'
-        # aquasecurity/trivy-action v0.33.1
-        uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284
+        # aquasecurity/trivy-action 0.35.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
         with:
           scan-type: 'fs'
           scan-ref: ${{ steps.extract.outputs.binary_path }}
@@ -277,19 +374,30 @@ jobs:
           severity: 'CRITICAL,HIGH,MEDIUM'
         continue-on-error: true
 
+      - name: Check Trivy SARIF output exists
+        if: always() && (steps.check-artifact.outputs.artifact_exists == 'true' || github.event_name == 'push' || github.event_name == 'pull_request')
+        id: trivy-sarif-check
+        run: |
+          if [[ -f trivy-binary-results.sarif ]]; then
+            echo "exists=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "exists=false" >> "$GITHUB_OUTPUT"
+            echo "ℹ️ No Trivy SARIF output found; skipping SARIF/artifact upload steps"
+          fi
+
       - name: Upload Trivy SARIF to GitHub Security
-        if: steps.check-artifact.outputs.artifact_exists == 'true' || github.event_name == 'push' || github.event_name == 'pull_request'
+        if: always() && steps.trivy-sarif-check.outputs.exists == 'true'
         # github/codeql-action v4
-        uses: github/codeql-action/upload-sarif@5e7a52feb2a3dfb87f88be2af33b9e2275f48de6
+        uses: github/codeql-action/upload-sarif@34950e1b113b30df4edee1a6d3a605242df0c40b
         with:
           sarif_file: 'trivy-binary-results.sarif'
-          category: ${{ steps.pr-info.outputs.is_push == 'true' && format('security-scan-{0}', github.event.workflow_run.head_branch) || format('security-scan-pr-{0}', steps.pr-info.outputs.pr_number) }}
+          category: ${{ steps.pr-info.outputs.is_push == 'true' && format('security-scan-{0}', github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.ref_name) || format('security-scan-pr-{0}', steps.pr-info.outputs.pr_number) }}
         continue-on-error: true
 
       - name: Run Trivy filesystem scan (fail on CRITICAL/HIGH)
         if: steps.check-artifact.outputs.artifact_exists == 'true' || github.event_name == 'push' || github.event_name == 'pull_request'
-        # aquasecurity/trivy-action v0.33.1
-        uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284
+        # aquasecurity/trivy-action 0.35.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
         with:
           scan-type: 'fs'
           scan-ref: ${{ steps.extract.outputs.binary_path }}
@@ -298,11 +406,11 @@ jobs:
           exit-code: '1'
 
       - name: Upload scan artifacts
-        if: always() && (steps.check-artifact.outputs.artifact_exists == 'true' || github.event_name == 'push' || github.event_name == 'pull_request')
+        if: always() && steps.trivy-sarif-check.outputs.exists == 'true'
         # actions/upload-artifact v4.4.3
-        uses: actions/upload-artifact@47309c993abb98030a35d55ef7ff34b7fa1074b5
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
         with:
-          name: ${{ steps.pr-info.outputs.is_push == 'true' && format('security-scan-{0}', github.event.workflow_run.head_branch) || format('security-scan-pr-{0}', steps.pr-info.outputs.pr_number) }}
+          name: ${{ steps.pr-info.outputs.is_push == 'true' && format('security-scan-{0}', github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.ref_name) || format('security-scan-pr-{0}', steps.pr-info.outputs.pr_number) }}
           path: |
             trivy-binary-results.sarif
           retention-days: 14
@@ -312,7 +420,7 @@ jobs:
         run: |
           {
             if [[ "${{ steps.pr-info.outputs.is_push }}" == "true" ]]; then
-              echo "## 🔒 Security Scan Results - Branch: ${{ github.event.workflow_run.head_branch }}"
+              echo "## 🔒 Security Scan Results - Branch: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.ref_name }}"
             else
               echo "## 🔒 Security Scan Results - PR #${{ steps.pr-info.outputs.pr_number }}"
             fi

.github/workflows/security-weekly-rebuild.yml

@@ -6,7 +6,7 @@ name: Weekly Security Rebuild
 
 on:
   schedule:
-    - cron: '0 2 * * 0' # Sundays at 02:00 UTC
+    - cron: '0 12 * * 2' # Tuesdays at 12:00 UTC
   workflow_dispatch:
     inputs:
       force_rebuild:
@@ -19,6 +19,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: false
 
+permissions:
+  contents: read
+
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository_owner }}/charon
@@ -36,16 +39,21 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          # Explicitly fetch the current HEAD of the ref at run time, not the
+          # SHA that was frozen when this scheduled job was queued. Without this,
+          # a queued job can run days later with stale code.
+          ref: ${{ github.ref_name }}
 
       - name: Normalize image name
         run: |
           echo "IMAGE_NAME=$(echo "${{ env.IMAGE_NAME }}" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_ENV"
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
       - name: Resolve Debian base image digest
         id: base-image
@@ -56,7 +64,7 @@ jobs:
           echo "Base image digest: $DIGEST"
 
       - name: Log in to Container Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -64,7 +72,7 @@ jobs:
 
       - name: Extract metadata
         id: meta
-        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
@@ -72,7 +80,7 @@ jobs:
 
       - name: Build Docker image (NO CACHE)
         id: build
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
         with:
           context: .
           platforms: linux/amd64
@@ -88,38 +96,41 @@ jobs:
             BASE_IMAGE=${{ steps.base-image.outputs.digest }}
 
       - name: Run Trivy vulnerability scanner (CRITICAL+HIGH)
-        uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # 0.34.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
         with:
           image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
           format: 'table'
           severity: 'CRITICAL,HIGH'
           exit-code: '1' # Fail workflow if vulnerabilities found
+          version: 'v0.70.0'
         continue-on-error: true
 
       - name: Run Trivy vulnerability scanner (SARIF)
         id: trivy-sarif
-        uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # 0.34.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
         with:
           image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
           format: 'sarif'
           output: 'trivy-weekly-results.sarif'
           severity: 'CRITICAL,HIGH,MEDIUM'
+          version: 'v0.70.0'
 
       - name: Upload Trivy results to GitHub Security
-        uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
         with:
           sarif_file: 'trivy-weekly-results.sarif'
 
       - name: Run Trivy vulnerability scanner (JSON for artifact)
-        uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # 0.34.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
         with:
           image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
           format: 'json'
           output: 'trivy-weekly-results.json'
           severity: 'CRITICAL,HIGH,MEDIUM,LOW'
+          version: 'v0.70.0'
 
       - name: Upload Trivy JSON results
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: trivy-weekly-scan-${{ github.run_number }}
           path: trivy-weekly-results.json

.github/workflows/supply-chain-pr.yml

@@ -11,6 +11,8 @@ on:
         type: string
   pull_request:
   push:
+    branches:
+      - main
 
 concurrency:
   group: supply-chain-pr-${{ github.event.workflow_run.event || github.event_name }}-${{ github.event.workflow_run.head_branch || github.ref }}
@@ -264,7 +266,7 @@ jobs:
       # Generate SBOM using official Anchore action (auto-updated by Renovate)
       - name: Generate SBOM
         if: steps.set-target.outputs.image_name != ''
-        uses: anchore/sbom-action@28d71544de8eaf1b958d335707167c5f783590ad # v0.22.2
+        uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
         id: sbom
         with:
           image: ${{ steps.set-target.outputs.image_name }}
@@ -279,19 +281,19 @@ jobs:
           echo "component_count=${COMPONENT_COUNT}" >> "$GITHUB_OUTPUT"
           echo "✅ SBOM generated with ${COMPONENT_COUNT} components"
 
-      # Scan for vulnerabilities using manual Grype installation (pinned to v0.107.1)
+      # Scan for vulnerabilities using manual Grype installation (pinned to v0.110.0)
       - name: Install Grype
         if: steps.set-target.outputs.image_name != ''
         run: |
-          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.107.1
+          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.111.0
 
       - name: Scan for vulnerabilities
         if: steps.set-target.outputs.image_name != ''
         id: grype-scan
         run: |
           echo "🔍 Scanning SBOM for vulnerabilities..."
-          grype sbom:sbom.cyclonedx.json -o json > grype-results.json
-          grype sbom:sbom.cyclonedx.json -o sarif > grype-results.sarif
+          grype sbom:sbom.cyclonedx.json --config .grype.yaml -o json > grype-results.json
+          grype sbom:sbom.cyclonedx.json --config .grype.yaml -o sarif > grype-results.sarif
 
       - name: Debug Output Files
         if: steps.set-target.outputs.image_name != ''
@@ -337,9 +339,30 @@ jobs:
           echo "  Low: ${LOW_COUNT}"
           echo "  Total: ${TOTAL_COUNT}"
 
+      - name: Security severity policy summary
+        if: steps.set-target.outputs.image_name != ''
+        run: |
+          CRITICAL_COUNT="${{ steps.vuln-summary.outputs.critical_count }}"
+          HIGH_COUNT="${{ steps.vuln-summary.outputs.high_count }}"
+          MEDIUM_COUNT="${{ steps.vuln-summary.outputs.medium_count }}"
+
+          {
+            echo "## 🔐 Supply Chain Severity Policy"
+            echo ""
+            echo "- Blocking: Critical, High"
+            echo "- Medium: non-blocking by default (report + triage SLA)"
+            echo "- Policy file: .github/security-severity-policy.yml"
+            echo ""
+            echo "Current scan counts: Critical=${CRITICAL_COUNT}, High=${HIGH_COUNT}, Medium=${MEDIUM_COUNT}"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+          if [[ "${MEDIUM_COUNT}" -gt 0 ]]; then
+            echo "::warning::${MEDIUM_COUNT} medium vulnerabilities found. Non-blocking by policy; create/maintain triage issue with SLA per .github/security-severity-policy.yml"
+          fi
+
       - name: Upload SARIF to GitHub Security
         if: steps.check-artifact.outputs.artifact_found == 'true'
-        uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         continue-on-error: true
         with:
           sarif_file: grype-results.sarif
@@ -348,7 +371,7 @@ jobs:
       - name: Upload supply chain artifacts
         if: steps.set-target.outputs.image_name != ''
         # actions/upload-artifact v4.6.0
-        uses: actions/upload-artifact@47309c993abb98030a35d55ef7ff34b7fa1074b5
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
         with:
           name: ${{ steps.pr-number.outputs.is_push == 'true' && format('supply-chain-{0}', steps.sanitize.outputs.branch) || format('supply-chain-pr-{0}', steps.pr-number.outputs.pr_number) }}
           path: |
@@ -358,9 +381,12 @@ jobs:
 
       - name: Comment on PR
         if: steps.set-target.outputs.image_name != '' && steps.pr-number.outputs.is_push != 'true' && steps.pr-number.outputs.pr_number != ''
+        continue-on-error: true
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
+          set -euo pipefail
+
           PR_NUMBER="${{ steps.pr-number.outputs.pr_number }}"
           COMPONENT_COUNT="${{ steps.sbom-count.outputs.component_count }}"
           CRITICAL_COUNT="${{ steps.vuln-summary.outputs.critical_count }}"
@@ -406,37 +432,47 @@ jobs:
           EOF
           )
 
-          # Find and update existing comment or create new one
-          COMMENT_ID=$(gh api \
+          # Fetch existing comments — skip gracefully on 403 / permission errors
+          COMMENTS_JSON=""
+          if ! COMMENTS_JSON=$(gh api \
             -H "Accept: application/vnd.github+json" \
             -H "X-GitHub-Api-Version: 2022-11-28" \
-            "/repos/${{ github.repository }}/issues/${PR_NUMBER}/comments" \
-            --jq '.[] | select(.body | contains("Supply Chain Verification Results")) | .id' | head -1)
+            "/repos/${{ github.repository }}/issues/${PR_NUMBER}/comments" 2>/dev/null); then
+            echo "⚠️ Cannot access PR comments (likely token permissions / fork / event context). Skipping PR comment."
+            exit 0
+          fi
 
-          if [[ -n "${COMMENT_ID}" ]]; then
+          COMMENT_ID=$(echo "${COMMENTS_JSON}" | jq -r '.[] | select(.body | contains("Supply Chain Verification Results")) | .id' | head -1)
+
+          if [[ -n "${COMMENT_ID:-}" && "${COMMENT_ID}" != "null" ]]; then
             echo "📝 Updating existing comment..."
-            gh api \
-              --method PATCH \
+            if ! gh api --method PATCH \
               -H "Accept: application/vnd.github+json" \
               -H "X-GitHub-Api-Version: 2022-11-28" \
               "/repos/${{ github.repository }}/issues/comments/${COMMENT_ID}" \
-              -f body="${COMMENT_BODY}"
+              -f body="${COMMENT_BODY}"; then
+              echo "⚠️ Failed to update comment (permissions?). Skipping."
+              exit 0
+            fi
           else
             echo "📝 Creating new comment..."
-            gh api \
-              --method POST \
+            if ! gh api --method POST \
               -H "Accept: application/vnd.github+json" \
               -H "X-GitHub-Api-Version: 2022-11-28" \
               "/repos/${{ github.repository }}/issues/${PR_NUMBER}/comments" \
-              -f body="${COMMENT_BODY}"
+              -f body="${COMMENT_BODY}"; then
+              echo "⚠️ Failed to create comment (permissions?). Skipping."
+              exit 0
+            fi
           fi
 
           echo "✅ PR comment posted"
 
-      - name: Fail on critical vulnerabilities
+      - name: Fail on Critical/High vulnerabilities
         if: steps.set-target.outputs.image_name != ''
         run: |
           CRITICAL_COUNT="${{ steps.vuln-summary.outputs.critical_count }}"
+          HIGH_COUNT="${{ steps.vuln-summary.outputs.high_count }}"
 
           if [[ "${CRITICAL_COUNT}" -gt 0 ]]; then
             echo "🚨 Found ${CRITICAL_COUNT} CRITICAL vulnerabilities!"
@@ -444,4 +480,10 @@ jobs:
             exit 1
           fi
 
-          echo "✅ No critical vulnerabilities found"
+          if [[ "${HIGH_COUNT}" -gt 0 ]]; then
+            echo "🚨 Found ${HIGH_COUNT} HIGH vulnerabilities!"
+            echo "Please review the vulnerability report and address high severity issues before merging."
+            exit 1
+          fi
+
+          echo "✅ No Critical/High vulnerabilities found"

.github/workflows/supply-chain-verify.yml

@@ -119,7 +119,7 @@ jobs:
       # Generate SBOM using official Anchore action (auto-updated by Renovate)
       - name: Generate and Verify SBOM
         if: steps.image-check.outputs.exists == 'true'
-        uses: anchore/sbom-action@28d71544de8eaf1b958d335707167c5f783590ad # v0.22.2
+        uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
         with:
           image: ghcr.io/${{ github.repository_owner }}/charon:${{ steps.tag.outputs.tag }}
           format: cyclonedx-json
@@ -144,7 +144,7 @@ jobs:
 
       - name: Upload SBOM Artifact
         if: steps.image-check.outputs.exists == 'true' && always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f  # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: sbom-${{ steps.tag.outputs.tag }}
           path: sbom-verify.cyclonedx.json
@@ -233,7 +233,7 @@ jobs:
       # Scan for vulnerabilities using official Anchore action (auto-updated by Renovate)
       - name: Scan for Vulnerabilities
         if: steps.validate-sbom.outputs.valid == 'true'
-        uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
+        uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # v7.4.0
         id: scan
         with:
           sbom: sbom-verify.cyclonedx.json
@@ -324,7 +324,7 @@ jobs:
 
       - name: Upload Vulnerability Scan Artifact
         if: steps.validate-sbom.outputs.valid == 'true' && always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f  # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: vulnerability-scan-${{ steps.tag.outputs.tag }}
           path: |
@@ -362,7 +362,7 @@ jobs:
         if: |
           github.event_name == 'pull_request' ||
           (github.event_name == 'workflow_run' && github.event.workflow_run.event == 'pull_request')
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd  # v8.0.0
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3  # v9.0.0
         with:
           result-encoding: string
           script: |

.github/workflows/update-geolite2.yml

@@ -2,7 +2,7 @@ name: Update GeoLite2 Checksum
 
 on:
   schedule:
-    - cron: '0 2 * * 1'  # Weekly on Mondays at 2 AM UTC
+    - cron: '0 2 * * 0'  # Weekly on Sundays at 2 AM UTC
   workflow_dispatch:
 
 permissions:
@@ -105,7 +105,7 @@ jobs:
 
       - name: Create Pull Request
         if: steps.checksum.outputs.needs_update == 'true'
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
         with:
           title: "chore(docker): update GeoLite2-Country.mmdb checksum"
           body: |
@@ -141,7 +141,8 @@ jobs:
             ---
 
             **Auto-generated by:** `.github/workflows/update-geolite2.yml`
-            **Trigger:** Scheduled weekly check (Mondays 2 AM UTC)
+            - **Trigger:** Scheduled weekly check (Sundays 2 AM UTC)
+          base: development
           branch: bot/update-geolite2-checksum
           delete-branch: true
           commit-message: |
@@ -160,7 +161,7 @@ jobs:
 
       - name: Report failure via GitHub Issue
         if: failure()
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
         with:
           script: |
             const errorType = '${{ steps.checksum.outputs.error }}' || 'unknown';
@@ -182,7 +183,7 @@ jobs:
 
             ### Workflow Details
             - **Run URL:** ${runUrl}
-            - **Triggered:** ${context.eventName === 'schedule' ? 'Scheduled (weekly)' : 'Manual dispatch'}
+            - **Triggered:** ${context.eventName === 'schedule' ? 'Scheduled (weekly, Sundays)' : 'Manual dispatch'}
             - **Timestamp:** ${new Date().toISOString()}
 
             ### Required Actions

.github/workflows/waf-integration.yml

@@ -20,6 +20,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.workflow_run.event || github.event_name }}-${{ github.event.workflow_run.head_branch || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   waf-integration:
     name: Coraza WAF Integration
@@ -31,7 +34,7 @@ jobs:
       - name: Build Docker image (Local)
         run: |
           echo "Building image locally for integration tests..."
-          docker build -t charon:local .
+          docker build -t charon:local --build-arg CI="${CI:-false}" .
           echo "✅ Successfully built charon:local"
 
       - name: Run WAF integration tests

.github/workflows/weekly-nightly-promotion.yml

@@ -5,9 +5,9 @@ name: Weekly Nightly to Main Promotion
 
 on:
   schedule:
-    # Every Monday at 10:30 UTC (5:30am EST / 6:30am EDT)
+    # Every Monday at 12:00 UTC (7:00am EST / 8:00am EDT)
     # Offset from nightly sync (09:00 UTC) to avoid schedule race and allow validation completion.
-    - cron: '30 10 * * 1'
+    - cron: '0 12 * * 1'
   workflow_dispatch:
     inputs:
       reason:
@@ -47,7 +47,7 @@ jobs:
     steps:
       - name: Check Nightly Workflow Status
         id: check
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
         with:
           script: |
             const skipCheck = '${{ inputs.skip_workflow_check }}' === 'true';
@@ -200,8 +200,8 @@ jobs:
     runs-on: ubuntu-latest
     if: needs.check-nightly-health.outputs.is_healthy == 'true'
     outputs:
-      pr_number: ${{ steps.create-pr.outputs.pr_number }}
-      pr_url: ${{ steps.create-pr.outputs.pr_url }}
+      pr_number: ${{ steps.create-pr.outputs.pr_number || steps.existing-pr.outputs.pr_number }}
+      pr_url: ${{ steps.create-pr.outputs.pr_url || steps.existing-pr.outputs.pr_url }}
       skipped: ${{ steps.check-diff.outputs.skipped }}
 
     steps:
@@ -274,7 +274,7 @@ jobs:
       - name: Check for Existing PR
         id: existing-pr
         if: steps.check-diff.outputs.skipped != 'true'
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
         with:
           script: |
             const { data: pulls } = await github.rest.pulls.list({
@@ -297,7 +297,7 @@ jobs:
       - name: Create Promotion PR
         id: create-pr
         if: steps.check-diff.outputs.skipped != 'true' && steps.existing-pr.outputs.exists != 'true'
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
         with:
           script: |
             const fs = require('fs');
@@ -399,7 +399,7 @@ jobs:
 
       - name: Update Existing PR
         if: steps.check-diff.outputs.skipped != 'true' && steps.existing-pr.outputs.exists == 'true'
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
         with:
           script: |
             const prNumber = ${{ steps.existing-pr.outputs.pr_number }};
@@ -425,7 +425,7 @@ jobs:
       contents: read
     steps:
       - name: Dispatch missing required workflows on nightly head
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
         with:
           script: |
             const owner = context.repo.owner;
@@ -483,7 +483,7 @@ jobs:
 
     steps:
       - name: Create Failure Issue
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
         with:
           script: |
             const isHealthy = '${{ needs.check-nightly-health.outputs.is_healthy }}';

.gitignore

@@ -78,6 +78,11 @@ backend/node_modules/
 backend/package.json
 backend/package-lock.json
 
+# Root-level artifact files (non-documentation)
+FIREFOX_E2E_FIXES_SUMMARY.md
+verify-security-state-for-ui-tests
+categories.txt
+
 # -----------------------------------------------------------------------------
 # Databases
 # -----------------------------------------------------------------------------
@@ -297,6 +302,7 @@ docs/plans/current_spec_notes.md
 tests/etc/passwd
 trivy-image-report.json
 trivy-fs-report.json
+trivy-report.json
 backend/# Tools Configuration.md
 docs/plans/requirements.md
 docs/plans/design.md
@@ -306,4 +312,14 @@ frontend/temp**
 playwright-output/**
 validation-evidence/**
 .github/agents/# Tools Configuration.md
-docs/plans/codecove_patch_report.md
+docs/reports/codecove_patch_report.md
+vuln-results.json
+test_output.txt
+coverage_results.txt
+final-results.json
+new-results.json
+scan_output.json
+coverage_output.txt
+frontend/lint_output.txt
+lefthook_out.txt
+backend/test_out.txt

.grype.yaml

@@ -4,60 +4,618 @@
 # Documentation: https://github.com/anchore/grype#specifying-matches-to-ignore
 
 ignore:
-  # CVE-2026-22184: zlib Global Buffer Overflow in untgz utility
-  # Severity: CRITICAL
-  # Package: zlib 1.3.1-r2 (Alpine Linux base image)
-  # Status: No upstream fix available as of 2026-01-16
+  # CVE-2026-2673: OpenSSL TLS 1.3 server key exchange group downgrade
+  # Severity: HIGH (CVSS 7.5)
+  # Packages: libcrypto3 3.5.5-r0 and libssl3 3.5.5-r0 (Alpine apk)
+  # Status: No upstream fix available — Alpine 3.23 still ships libcrypto3/libssl3 3.5.5-r0 as of 2026-03-18
   #
   # Vulnerability Details:
-  # - Global buffer overflow in TGZfname() function
-  # - Unbounded strcpy() allows attacker-controlled archive names
-  # - Can lead to memory corruption, DoS, potential RCE
+  # - When DEFAULT is in the TLS 1.3 group configuration, the OpenSSL server may select
+  #   a weaker key exchange group than preferred, enabling a limited key exchange downgrade.
+  # - Only affects systems acting as a raw TLS 1.3 server using OpenSSL's server-side group negotiation.
   #
-  # Risk Assessment: ACCEPTED (Low exploitability in Charon context)
-  # - Charon does not use untgz utility directly
-  # - No untrusted tar archive processing in application code
-  # - Attack surface limited to OS-level utilities
-  # - Multiple layers of containerization and isolation
+  # Root Cause (No Fix Available):
+  # - Alpine upstream has not published a patched libcrypto3/libssl3 for Alpine 3.23.
+  # - Checked: Alpine 3.23 still ships libcrypto3/libssl3 3.5.5-r0 as of 2026-03-18.
+  # - Fix path: once Alpine publishes a patched libcrypto3/libssl3, rebuild the Docker image
+  #   and remove this suppression.
   #
-  # Mitigation:
-  # - Monitor Alpine Linux security feed daily for zlib patches
-  # - Container runs with minimal privileges (no-new-privileges)
-  # - Read-only filesystem where possible
-  # - Network isolation via Docker networks
+  # Risk Assessment: ACCEPTED (No upstream fix; limited exposure in Charon context)
+  # - Charon terminates TLS at the Caddy layer — the Go backend does not act as a raw TLS 1.3 server.
+  # - The vulnerability requires the affected application to directly configure TLS 1.3 server
+  #   group negotiation via OpenSSL, which Charon does not do.
+  # - Container-level isolation reduces the attack surface further.
+  #
+  # Mitigation (active while suppression is in effect):
+  # - Monitor Alpine security advisories: https://security.alpinelinux.org/vuln/CVE-2026-2673
+  # - Weekly CI security rebuild (security-weekly-rebuild.yml) flags any new CVEs in the full image.
   #
   # Review:
-  # - Daily checks for Alpine security updates
-  # - Automatic re-scan via CI/CD on every commit
-  # - Manual review scheduled for 2026-01-23 (7 days)
+  # - Reviewed 2026-03-18 (initial suppression): no upstream fix available. Set 30-day review.
+  # - Extended 2026-04-04: Alpine 3.23 still ships 3.5.5-r0. No upstream fix available.
+  # - Next review: 2026-05-18. Remove suppression immediately once upstream fixes.
   #
   # Removal Criteria:
-  # - Alpine releases zlib 1.3.1-r3 or higher with CVE fix
-  # - OR upstream zlib project releases patched version
-  # - Remove this suppression immediately after fix available
+  # - Alpine publishes a patched version of libcrypto3 and libssl3
+  # - Rebuild Docker image and verify CVE-2026-2673 no longer appears in grype-results.json
+  # - Remove both these entries and the corresponding .trivyignore entry simultaneously
   #
   # References:
-  # - CVE: https://nvd.nist.gov/vuln/detail/CVE-2026-22184
-  # - Alpine Security: https://security.alpinelinux.org/
-  # - GitHub Issue: https://github.com/Wikid82/Charon/issues/TBD
-  - vulnerability: CVE-2026-22184
+  # - CVE-2026-2673: https://nvd.nist.gov/vuln/detail/CVE-2026-2673
+  # - Alpine security tracker: https://security.alpinelinux.org/vuln/CVE-2026-2673
+  - vulnerability: CVE-2026-2673
     package:
-      name: zlib
-      version: "1.3.1-r2"
-      type: apk  # Alpine package
+      name: libcrypto3
+      version: "3.5.5-r0"
+      type: apk
     reason: |
-      CRITICAL buffer overflow in untgz utility. No fix available from Alpine
-      as of 2026-01-16. Risk accepted: Charon does not directly use untgz or
-      process untrusted tar archives. Attack surface limited to base OS utilities.
-      Monitoring Alpine security feed for upstream patch.
-    expiry: "2026-01-23"  # Re-evaluate in 7 days
+      HIGH — OpenSSL TLS 1.3 server key exchange group downgrade in libcrypto3 3.5.5-r0 (Alpine base image).
+      No upstream fix: Alpine 3.23 still ships libcrypto3 3.5.5-r0 as of 2026-03-18. Charon
+      terminates TLS at the Caddy layer; the Go backend does not act as a raw TLS 1.3 server.
+      Risk accepted pending Alpine upstream patch.
+    expiry: "2026-05-18"  # Extended 2026-04-04: Alpine 3.23 still ships 3.5.5-r0. Next review 2026-05-18.
 
     # Action items when this suppression expires:
-    # 1. Check Alpine security feed: https://security.alpinelinux.org/
-    # 2. Check zlib releases: https://github.com/madler/zlib/releases
-    # 3. If fix available: Update Dockerfile, rebuild, remove suppression
-    # 4. If no fix: Extend expiry by 7 days, document justification
-    # 5. If extended 3+ times: Escalate to security team for review
+    # 1. Check Alpine security tracker: https://security.alpinelinux.org/vuln/CVE-2026-2673
+    # 2. If a patched Alpine package is now available:
+    #    a. Rebuild Docker image without suppression
+    #    b. Run local security-scan-docker-image and confirm CVE is resolved
+    #    c. Remove this suppression entry, the libssl3 entry below, and the .trivyignore entry
+    # 3. If no fix yet: Extend expiry by 14–30 days and update the review comment above
+    # 4. If extended 3+ times: Open an issue to track the upstream status formally
+
+  # CVE-2026-2673 (libssl3) — see full justification in the libcrypto3 entry above
+  - vulnerability: CVE-2026-2673
+    package:
+      name: libssl3
+      version: "3.5.5-r0"
+      type: apk
+    reason: |
+      HIGH — OpenSSL TLS 1.3 server key exchange group downgrade in libssl3 3.5.5-r0 (Alpine base image).
+      No upstream fix: Alpine 3.23 still ships libssl3 3.5.5-r0 as of 2026-03-18. Charon
+      terminates TLS at the Caddy layer; the Go backend does not act as a raw TLS 1.3 server.
+      Risk accepted pending Alpine upstream patch.
+    expiry: "2026-05-18"  # Extended 2026-04-04: see libcrypto3 entry above for action items.
+
+  # CVE-2026-31790: OpenSSL vulnerability in Alpine base image packages
+  # Severity: HIGH
+  # Packages: libcrypto3 3.5.5-r0 and libssl3 3.5.5-r0 (Alpine apk)
+  # Status: No upstream fix available — Alpine 3.23 still ships libcrypto3/libssl3 3.5.5-r0 as of 2026-04-09
+  #
+  # Root Cause (No Fix Available):
+  # - Alpine upstream has not published a patched libcrypto3/libssl3 for Alpine 3.23.
+  # - Checked: Alpine 3.23 still ships libcrypto3/libssl3 3.5.5-r0 as of 2026-04-09.
+  # - Fix path: once Alpine publishes a patched libcrypto3/libssl3, rebuild the Docker image
+  #   and remove this suppression.
+  #
+  # Risk Assessment: ACCEPTED (No upstream fix; documented in SECURITY.md)
+  # - Charon terminates TLS at the Caddy layer — the Go backend does not act as a raw TLS server.
+  # - Container-level isolation reduces the attack surface further.
+  #
+  # Mitigation (active while suppression is in effect):
+  # - Monitor Alpine security advisories: https://security.alpinelinux.org/vuln/CVE-2026-31790
+  # - Weekly CI security rebuild (security-weekly-rebuild.yml) flags any new CVEs in the full image.
+  #
+  # Review:
+  # - Reviewed 2026-04-09 (initial suppression): no upstream fix available. Set 30-day review.
+  # - Next review: 2026-05-09. Remove suppression immediately once upstream fixes.
+  #
+  # Removal Criteria:
+  # - Alpine publishes a patched version of libcrypto3 and libssl3
+  # - Rebuild Docker image and verify CVE-2026-31790 no longer appears in grype-results.json
+  # - Remove both these entries and the corresponding .trivyignore entry simultaneously
+  #
+  # References:
+  # - CVE-2026-31790: https://nvd.nist.gov/vuln/detail/CVE-2026-31790
+  # - Alpine security tracker: https://security.alpinelinux.org/vuln/CVE-2026-31790
+  - vulnerability: CVE-2026-31790
+    package:
+      name: libcrypto3
+      version: "3.5.5-r0"
+      type: apk
+    reason: |
+      HIGH — OpenSSL vulnerability in libcrypto3 3.5.5-r0 (Alpine base image).
+      No upstream fix: Alpine 3.23 still ships libcrypto3 3.5.5-r0 as of 2026-04-09. Charon
+      terminates TLS at the Caddy layer; the Go backend does not act as a raw TLS server.
+      Risk accepted pending Alpine upstream patch. Documented in SECURITY.md.
+    expiry: "2026-05-09"  # Reviewed 2026-04-09: no upstream fix available. Next review 2026-05-09.
+
+    # Action items when this suppression expires:
+    # 1. Check Alpine security tracker: https://security.alpinelinux.org/vuln/CVE-2026-31790
+    # 2. If a patched Alpine package is now available:
+    #    a. Rebuild Docker image without suppression
+    #    b. Run local security-scan-docker-image and confirm CVE is resolved
+    #    c. Remove this suppression entry, the libssl3 entry below, and the .trivyignore entry
+    # 3. If no fix yet: Extend expiry by 14–30 days and update the review comment above
+    # 4. If extended 3+ times: Open an issue to track the upstream status formally
+
+  # CVE-2026-31790 (libssl3) — see full justification in the libcrypto3 entry above
+  - vulnerability: CVE-2026-31790
+    package:
+      name: libssl3
+      version: "3.5.5-r0"
+      type: apk
+    reason: |
+      HIGH — OpenSSL vulnerability in libssl3 3.5.5-r0 (Alpine base image).
+      No upstream fix: Alpine 3.23 still ships libssl3 3.5.5-r0 as of 2026-04-09. Charon
+      terminates TLS at the Caddy layer; the Go backend does not act as a raw TLS server.
+      Risk accepted pending Alpine upstream patch. Documented in SECURITY.md.
+    expiry: "2026-05-09"  # Reviewed 2026-04-09: see libcrypto3 entry above for action items.
+
+  # GHSA-69x3-g4r3-p962 / CVE-2026-25793: Nebula ECDSA Signature Malleability
+  # Severity: HIGH (CVSS 8.1)
+  # Package: github.com/slackhq/nebula v1.9.7 (embedded in /usr/bin/caddy via smallstep/certificates)
+  # Status: Fix exists in nebula v1.10.3 — smallstep/certificates cannot compile against v1.10+ APIs
+  #
+  # Vulnerability Details:
+  # - ECDSA signature malleability in nebula allows potential authentication bypass via
+  #   crafted certificate signatures (CWE-347).
+  # - CVSSv3: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N (CVSS 8.1)
+  #
+  # Root Cause (Third-Party Binary + Upstream API Incompatibility):
+  # - Charon does not use nebula directly. The library is compiled into the Caddy binary
+  #   via the caddy-security plugin → smallstep/certificates dependency chain.
+  # - Nebula v1.10.3 patches the vulnerability but removes legacy APIs that
+  #   smallstep/certificates (through v0.30.2) depends on, causing compile failures.
+  # - Fix path: once smallstep/certificates releases a version compatible with nebula >= v1.10.3,
+  #   update the Dockerfile and remove this suppression.
+  #
+  # Risk Assessment: ACCEPTED (No direct use + upstream API incompatibility blocks fix)
+  # - Charon does not use Nebula VPN PKI by default. The vulnerable code path is only
+  #   reachable if Nebula-based certificate provisioning is explicitly configured.
+  # - The attack requires network access and a crafted certificate, which is not part of
+  #   standard Charon deployment.
+  #
+  # Mitigation (active while suppression is in effect):
+  # - Monitor smallstep/certificates releases: https://github.com/smallstep/certificates/releases
+  # - Monitor nebula releases: https://github.com/slackhq/nebula/releases
+  # - Weekly CI security rebuild flags the moment a compatible upstream ships.
+  #
+  # Review:
+  # - Reviewed 2026-02-19 (initial suppression in .trivyignore): certificates v0.27.5 pins nebula v1.9.x.
+  # - Re-evaluated 2026-04-10: nebula v1.10.3 has the fix but certificates (through v0.30.2)
+  #   uses legacy APIs removed in v1.10+. Still blocked. Set 30-day review.
+  # - Next review: 2026-05-10. Remove suppression once certificates ships with nebula >= v1.10.3.
+  #
+  # Removal Criteria:
+  # - smallstep/certificates releases a version compatible with nebula >= v1.10.3
+  # - Update Dockerfile nebula pin, rebuild, run security-scan-docker-image, confirm resolved
+  # - Remove this entry and the corresponding .trivyignore entry simultaneously
+  #
+  # References:
+  # - GHSA-69x3-g4r3-p962: https://github.com/advisories/GHSA-69x3-g4r3-p962
+  # - CVE-2026-25793: https://nvd.nist.gov/vuln/detail/CVE-2026-25793
+  # - Nebula releases: https://github.com/slackhq/nebula/releases
+  # - smallstep/certificates releases: https://github.com/smallstep/certificates/releases
+  - vulnerability: CVE-2026-25793
+    package:
+      name: github.com/slackhq/nebula
+      version: "v1.9.7"
+      type: go-module
+    reason: |
+      HIGH — ECDSA signature malleability in nebula v1.9.7 embedded in /usr/bin/caddy.
+      Fix exists in nebula v1.10.3 but smallstep/certificates (through v0.30.2) uses legacy APIs
+      removed in v1.10+, causing compile failures. Charon does not use Nebula VPN PKI by default.
+      Risk accepted; no remediation until smallstep/certificates ships with nebula >= v1.10.3.
+      Re-evaluated 2026-04-10: still blocked by upstream API incompatibility.
+    expiry: "2026-05-10"  # Re-evaluated 2026-04-10: certificates through v0.30.2 incompatible with nebula v1.10+.
+
+  # GHSA-6g7g-w4f8-9c9x: buger/jsonparser Delete panic on malformed JSON (DoS)
+  # Severity: HIGH (CVSS 7.5)
+  # Package: github.com/buger/jsonparser v1.1.1 (embedded in /usr/local/bin/crowdsec and /usr/local/bin/cscli)
+  # Status: UPSTREAM FIX EXISTS (v1.1.2 released 2026-03-20) — awaiting CrowdSec to update dependency
+  # NOTE: As of 2026-04-20, grype v0.111.0 with fresh DB no longer flags this finding in the image.
+  #       This suppression is retained as a safety net in case future DB updates re-surface it.
+  #
+  # Vulnerability Details:
+  # - The Delete function fails to validate offsets on malformed JSON input, producing a
+  #   negative slice index and a runtime panic — denial of service (CWE-125).
+  # - CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+  #
+  # Root Cause (Third-Party Binary — Fix Exists Upstream, Not Yet in CrowdSec):
+  # - Charon does not use buger/jsonparser directly. It is compiled into CrowdSec binaries.
+  # - buger/jsonparser released v1.1.2 on 2026-03-20 fixing issue #275.
+  # - CrowdSec has not yet released a version built with buger/jsonparser v1.1.2.
+  # - Fix path: once CrowdSec updates their dependency and rebuilds, rebuild the Docker image
+  #   and remove this suppression.
+  #
+  # Risk Assessment: ACCEPTED (Limited exploitability; fix exists upstream but not yet in CrowdSec)
+  # - The DoS vector requires passing malformed JSON to the vulnerable Delete function within
+  #   CrowdSec's internal processing pipeline; this is not a direct attack surface in Charon.
+  # - CrowdSec's exposed surface is its HTTP API (not raw JSON stream parsing via this path).
+  #
+  # Mitigation (active while suppression is in effect):
+  # - Monitor CrowdSec releases for a build using buger/jsonparser >= v1.1.2.
+  # - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
+  # - Weekly CI security rebuild flags the moment a fixed image ships.
+  #
+  # Review:
+  # - Reviewed 2026-03-19 (initial suppression): no upstream fix. Set 30-day review.
+  # - Extended 2026-04-04: no upstream fix. buger/jsonparser issue #275 still open.
+  # - Updated 2026-04-20: buger/jsonparser v1.1.2 released 2026-03-20. CrowdSec not yet updated.
+  #   Grype v0.111.0 with fresh DB (2026-04-20) no longer flags this finding. Suppression retained
+  #   as a safety net. Next review: 2026-05-19 — remove if CrowdSec ships with v1.1.2+.
+  #
+  # Removal Criteria:
+  # - CrowdSec releases a version built with buger/jsonparser >= v1.1.2
+  # - Rebuild Docker image, run security-scan-docker-image, confirm finding is resolved
+  # - Remove this entry and the corresponding .trivyignore entry simultaneously
+  #
+  # References:
+  # - GHSA-6g7g-w4f8-9c9x: https://github.com/advisories/GHSA-6g7g-w4f8-9c9x
+  # - Upstream fix: https://github.com/buger/jsonparser/releases/tag/v1.1.2
+  # - golang/vulndb: https://github.com/golang/vulndb/issues/4514
+  # - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
+  - vulnerability: GHSA-6g7g-w4f8-9c9x
+    package:
+      name: github.com/buger/jsonparser
+      version: "v1.1.1"
+      type: go-module
+    reason: |
+      HIGH — DoS panic via malformed JSON in buger/jsonparser v1.1.1 embedded in CrowdSec binaries.
+      Upstream fix: buger/jsonparser v1.1.2 released 2026-03-20; CrowdSec has not yet updated their
+      dependency. Grype no longer flags this as of 2026-04-20 (fresh DB). Suppression retained as
+      safety net pending CrowdSec update. Charon does not use this package directly.
+      Updated 2026-04-20: fix v1.1.2 exists upstream; awaiting CrowdSec dependency update.
+    expiry: "2026-05-19"  # Review 2026-05-19: remove if CrowdSec ships with buger/jsonparser >= v1.1.2.
+
+    # Action items when this suppression expires:
+    # 1. Check if CrowdSec has released a version with buger/jsonparser >= v1.1.2:
+    #    https://github.com/crowdsecurity/crowdsec/releases
+    # 2. If CrowdSec has updated: rebuild Docker image, run security-scan-docker-image,
+    #    and remove this suppression entry and the corresponding .trivyignore entry
+    # 3. If grype still does not flag it with fresh DB: consider removing the suppression as
+    #    it may no longer be necessary
+    # 4. If no CrowdSec update yet: Extend expiry by 30 days
+
+  # GHSA-jqcq-xjh3-6g23: pgproto3/v2 DataRow.Decode panic on negative field length (DoS)
+  # Severity: HIGH (CVSS 7.5)
+  # Package: github.com/jackc/pgproto3/v2 v2.3.3 (embedded in /usr/local/bin/crowdsec and /usr/local/bin/cscli)
+  # Status: NO fix in pgproto3/v2 (archived/EOL) — fix path requires CrowdSec to migrate to pgx/v5
+  #
+  # Vulnerability Details:
+  # - DataRow.Decode does not validate field lengths; a malicious or compromised PostgreSQL server
+  #   can send a negative field length causing a slice-bounds panic — denial of service (CWE-129).
+  # - CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+  #
+  # Root Cause (EOL Module + Third-Party Binary):
+  # - Charon does not use pgproto3/v2 directly nor communicate with PostgreSQL. The package
+  #   is compiled into CrowdSec binaries for their internal database communication.
+  # - The pgproto3/v2 module is archived and EOL; no fix will be released. The fix path
+  #   is migration to pgx/v5, which embeds an updated pgproto3/v3.
+  # - Fix path: once CrowdSec migrates to pgx/v5 and releases an updated binary, rebuild
+  #   the Docker image and remove this suppression.
+  #
+  # Risk Assessment: ACCEPTED (Non-exploitable in Charon context + no upstream fix path)
+  # - The vulnerability requires a malicious PostgreSQL server response. Charon uses SQLite
+  #   internally and does not run PostgreSQL. CrowdSec's database path is not exposed to
+  #   external traffic in a standard Charon deployment.
+  # - The attack requires a compromised database server, which would imply full host compromise.
+  #
+  # Mitigation (active while suppression is in effect):
+  # - Monitor CrowdSec releases for pgx/v5 migration:
+  #   https://github.com/crowdsecurity/crowdsec/releases
+  # - Weekly CI security rebuild flags the moment a fixed image ships.
+  #
+  # Review:
+  # - Reviewed 2026-03-19 (initial suppression): pgproto3/v2 is EOL; no fix exists or will exist.
+  #   Waiting on CrowdSec to migrate to pgx/v5. Set 30-day review.
+  # - Extended 2026-04-04: CrowdSec has not migrated to pgx/v5 yet.
+  # - Next review: 2026-05-19. Remove suppression once CrowdSec ships with pgx/v5.
+  #
+  # Removal Criteria:
+  # - CrowdSec releases a version with pgx/v5 (pgproto3/v3) replacing pgproto3/v2
+  # - Rebuild Docker image, run security-scan-docker-image, confirm finding is resolved
+  # - Remove this entry and the corresponding .trivyignore entry simultaneously
+  #
+  # References:
+  # - GHSA-jqcq-xjh3-6g23: https://github.com/advisories/GHSA-jqcq-xjh3-6g23
+  # - pgproto3/v2 archive notice: https://github.com/jackc/pgproto3
+  # - pgx/v5 (replacement): https://github.com/jackc/pgx
+  # - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
+  - vulnerability: GHSA-jqcq-xjh3-6g23
+    package:
+      name: github.com/jackc/pgproto3/v2
+      version: "v2.3.3"
+      type: go-module
+    reason: |
+      HIGH — DoS panic via negative field length in pgproto3/v2 v2.3.3 embedded in CrowdSec binaries.
+      pgproto3/v2 is archived/EOL with no fix planned; fix path requires CrowdSec to migrate to pgx/v5.
+      Charon uses SQLite, not PostgreSQL; this code path is not reachable in a standard deployment.
+      Risk accepted; no remediation until CrowdSec ships with pgx/v5.
+      Reviewed 2026-03-19: pgproto3/v2 EOL confirmed; CrowdSec has not migrated to pgx/v5 yet.
+    expiry: "2026-05-19"  # Extended 2026-04-04: no fix path until CrowdSec migrates to pgx/v5.
+
+    # Action items when this suppression expires:
+    # 1. Check CrowdSec releases for pgx/v5 migration:
+    #    https://github.com/crowdsecurity/crowdsec/releases
+    # 2. Verify with: `go version -m /path/to/crowdsec | grep pgproto3`
+    #    Expected: pgproto3/v3 (or no pgproto3 reference if fully replaced)
+    # 3. If CrowdSec has migrated:
+    #    a. Rebuild Docker image and run local security-scan-docker-image
+    #    b. Remove this suppression entry and the corresponding .trivyignore entry
+    # 4. If not yet migrated: Extend expiry by 30 days and update the review comment above
+    # 5. If extended 3+ times: Open an upstream issue on crowdsecurity/crowdsec requesting pgx/v5 migration
+
+  # GHSA-x6gf-mpr2-68h6 / CVE-2026-4427: pgproto3/v2 DataRow.Decode panic on negative field length (DoS)
+  # Severity: HIGH (CVSS 7.5)
+  # Package: github.com/jackc/pgproto3/v2 v2.3.3 (embedded in /usr/local/bin/crowdsec and /usr/local/bin/cscli)
+  # Status: NO fix in pgproto3/v2 (archived/EOL) — fix path requires CrowdSec to migrate to pgx/v5
+  # Note: This is the NVD/Red Hat advisory alias for the same underlying vulnerability as GHSA-jqcq-xjh3-6g23
+  #
+  # Vulnerability Details:
+  # - DataRow.Decode does not validate field lengths; a malicious or compromised PostgreSQL server
+  #   can send a negative field length causing a slice-bounds panic — denial of service (CWE-129).
+  # - CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (CVSS 7.5)
+  #
+  # Root Cause (EOL Module + Third-Party Binary):
+  # - Same underlying vulnerability as GHSA-jqcq-xjh3-6g23; tracked separately by NVD/Red Hat as CVE-2026-4427.
+  # - Charon does not use pgproto3/v2 directly nor communicate with PostgreSQL. The package
+  #   is compiled into CrowdSec binaries for their internal database communication.
+  # - The pgproto3/v2 module is archived and EOL; no fix will be released. The fix path
+  #   is migration to pgx/v5, which embeds an updated pgproto3/v3.
+  # - Fix path: once CrowdSec migrates to pgx/v5 and releases an updated binary, rebuild
+  #   the Docker image and remove this suppression.
+  #
+  # Risk Assessment: ACCEPTED (Non-exploitable in Charon context + no upstream fix path)
+  # - The vulnerability requires a malicious PostgreSQL server response. Charon uses SQLite
+  #   internally and does not run PostgreSQL. CrowdSec's database path is not exposed to
+  #   external traffic in a standard Charon deployment.
+  # - The attack requires a compromised database server, which would imply full host compromise.
+  #
+  # Mitigation (active while suppression is in effect):
+  # - Monitor CrowdSec releases for pgx/v5 migration:
+  #   https://github.com/crowdsecurity/crowdsec/releases
+  # - Weekly CI security rebuild flags the moment a fixed image ships.
+  #
+  # Review:
+  # - Reviewed 2026-03-21 (initial suppression): pgproto3/v2 is EOL; no fix exists or will exist.
+  #   Waiting on CrowdSec to migrate to pgx/v5. Set 30-day review. Sibling GHSA-jqcq-xjh3-6g23
+  #   was already suppressed; this alias surfaced as a separate Grype match via NVD/Red Hat tracking.
+  # - Extended 2026-04-04: CrowdSec has not migrated to pgx/v5 yet.
+  # - Next review: 2026-05-21. Remove suppression once CrowdSec ships with pgx/v5.
+  #
+  # Removal Criteria:
+  # - Same as GHSA-jqcq-xjh3-6g23: CrowdSec releases a version with pgx/v5 replacing pgproto3/v2
+  # - Rebuild Docker image, run security-scan-docker-image, confirm both advisories are resolved
+  # - Remove this entry, GHSA-jqcq-xjh3-6g23 entry, and both .trivyignore entries simultaneously
+  #
+  # References:
+  # - GHSA-x6gf-mpr2-68h6: https://github.com/advisories/GHSA-x6gf-mpr2-68h6
+  # - CVE-2026-4427: https://nvd.nist.gov/vuln/detail/CVE-2026-4427
+  # - Red Hat: https://access.redhat.com/security/cve/CVE-2026-4427
+  # - pgproto3/v2 archive notice: https://github.com/jackc/pgproto3
+  # - pgx/v5 (replacement): https://github.com/jackc/pgx
+  # - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
+  - vulnerability: GHSA-x6gf-mpr2-68h6
+    package:
+      name: github.com/jackc/pgproto3/v2
+      version: "v2.3.3"
+      type: go-module
+    reason: |
+      HIGH — DoS panic via negative field length in pgproto3/v2 v2.3.3 embedded in CrowdSec binaries.
+      NVD/Red Hat alias (CVE-2026-4427) for the same underlying bug as GHSA-jqcq-xjh3-6g23.
+      pgproto3/v2 is archived/EOL with no fix planned; fix path requires CrowdSec to migrate to pgx/v5.
+      Charon uses SQLite, not PostgreSQL; this code path is not reachable in a standard deployment.
+      Risk accepted; no remediation until CrowdSec ships with pgx/v5.
+      Reviewed 2026-03-21: pgproto3/v2 EOL confirmed; CrowdSec has not migrated to pgx/v5 yet.
+    expiry: "2026-05-21"  # Extended 2026-04-04: no fix path until CrowdSec migrates to pgx/v5.
+
+    # Action items when this suppression expires:
+    # 1. Check CrowdSec releases for pgx/v5 migration:
+    #    https://github.com/crowdsecurity/crowdsec/releases
+    # 2. Verify with: `go version -m /path/to/crowdsec | grep pgproto3`
+    #    Expected: pgproto3/v3 (or no pgproto3 reference if fully replaced)
+    # 3. If CrowdSec has migrated:
+    #    a. Rebuild Docker image and run local security-scan-docker-image
+    #    b. Remove this entry, GHSA-jqcq-xjh3-6g23 entry, and both .trivyignore entries
+    # 4. If not yet migrated: Extend expiry by 30 days and update the review comment above
+    # 5. If extended 3+ times: Open an upstream issue on crowdsecurity/crowdsec requesting pgx/v5 migration
+
+  # CVE-2026-32286: pgproto3/v2 buffer overflow in DataRow handling (DoS)
+  # Severity: HIGH (CVSS 7.5)
+  # Package: github.com/jackc/pgproto3/v2 v2.3.3 (embedded in /usr/local/bin/crowdsec and /usr/local/bin/cscli)
+  # Status: NO fix in pgproto3/v2 (archived/EOL) — fix path requires CrowdSec to migrate to pgx/v5
+  #
+  # Vulnerability Details:
+  # - Buffer overflow in pgproto3/v2 DataRow handling allows a malicious or compromised PostgreSQL
+  #   server to trigger a denial of service via crafted protocol messages (CWE-120).
+  # - CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (CVSS 7.5)
+  #
+  # Root Cause (EOL Module + Third-Party Binary):
+  # - Same affected module as GHSA-jqcq-xjh3-6g23 and GHSA-x6gf-mpr2-68h6 — pgproto3/v2 v2.3.3
+  #   is the final release (repository archived Jul 12, 2025). No fix will be released.
+  # - Charon does not use pgproto3/v2 directly nor communicate with PostgreSQL. The package
+  #   is compiled into CrowdSec binaries for their internal database communication.
+  # - Fix exists only in pgproto3/v3 (used by pgx/v5). CrowdSec v1.7.7 (latest) still depends
+  #   on pgx/v4 → pgproto3/v2. Dockerfile already applies best-effort mitigation (pgx/v4@v4.18.3).
+  # - Fix path: once CrowdSec migrates to pgx/v5, rebuild the Docker image and remove this suppression.
+  #
+  # Risk Assessment: ACCEPTED (Non-exploitable in Charon context + no upstream fix path)
+  # - The vulnerability requires a malicious PostgreSQL server response. Charon uses SQLite
+  #   internally and does not run PostgreSQL. CrowdSec's database path is not exposed to
+  #   external traffic in a standard Charon deployment.
+  # - CrowdSec's PostgreSQL code path is not directly exposed to untrusted network input in
+  #   Charon's deployment.
+  #
+  # Mitigation (active while suppression is in effect):
+  # - Monitor CrowdSec releases for pgx/v5 migration:
+  #   https://github.com/crowdsecurity/crowdsec/releases
+  # - Weekly CI security rebuild flags the moment a fixed image ships.
+  #
+  # Review:
+  # - Reviewed 2026-04-10 (initial suppression): pgproto3/v2 is EOL; no fix exists or will exist.
+  #   Waiting on CrowdSec to migrate to pgx/v5. Set 90-day review.
+  # - Next review: 2026-07-09. Remove suppression once CrowdSec ships with pgx/v5.
+  #
+  # Removal Criteria:
+  # - Same as GHSA-jqcq-xjh3-6g23: CrowdSec releases a version with pgx/v5 replacing pgproto3/v2
+  # - Rebuild Docker image, run security-scan-docker-image, confirm all pgproto3/v2 advisories are resolved
+  # - Remove this entry, GHSA-jqcq-xjh3-6g23 entry, GHSA-x6gf-mpr2-68h6 entry, and all .trivyignore entries simultaneously
+  #
+  # References:
+  # - CVE-2026-32286: https://nvd.nist.gov/vuln/detail/CVE-2026-32286
+  # - pgproto3/v2 archive notice: https://github.com/jackc/pgproto3
+  # - pgx/v5 (replacement): https://github.com/jackc/pgx
+  # - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
+  - vulnerability: CVE-2026-32286
+    package:
+      name: github.com/jackc/pgproto3/v2
+      version: "v2.3.3"
+      type: go-module
+    reason: |
+      HIGH — Buffer overflow in pgproto3/v2 v2.3.3 DataRow handling, embedded in CrowdSec binaries.
+      pgproto3/v2 v2.3.3 is the final release (archived Jul 2025); no fix will be released.
+      Fix exists only in pgproto3/v3 (pgx/v5). CrowdSec v1.7.7 still depends on pgx/v4 → pgproto3/v2.
+      Charon uses SQLite, not PostgreSQL; this code path is not reachable in a standard deployment.
+      Risk accepted; no remediation until CrowdSec ships with pgx/v5.
+      Reviewed 2026-04-10: pgproto3/v2 EOL confirmed; CrowdSec has not migrated to pgx/v5 yet.
+    expiry: "2026-07-09"  # Reviewed 2026-04-10: no fix path until CrowdSec migrates to pgx/v5. 90-day expiry.
+
+    # Action items when this suppression expires:
+    # 1. Check CrowdSec releases for pgx/v5 migration:
+    #    https://github.com/crowdsecurity/crowdsec/releases
+    # 2. Verify with: `go version -m /path/to/crowdsec | grep pgproto3`
+    #    Expected: pgproto3/v3 (or no pgproto3 reference if fully replaced)
+    # 3. If CrowdSec has migrated:
+    #    a. Rebuild Docker image and run local security-scan-docker-image
+    #    b. Remove this entry, GHSA-jqcq-xjh3-6g23 entry, GHSA-x6gf-mpr2-68h6 entry, and all .trivyignore entries
+    # 4. If not yet migrated: Extend expiry by 30 days and update the review comment above
+    # 5. If extended 3+ times: Open an upstream issue on crowdsecurity/crowdsec requesting pgx/v5 migration
+
+  # GHSA-pxq6-2prw-chj9 / CVE-2026-33997: Moby off-by-one error in plugin privilege validation
+  # Severity: MEDIUM (CVSS 6.8)
+  # Package: github.com/docker/docker v28.5.2+incompatible (go-module)
+  # Status: Fixed in moby/moby v29.3.1 — NO fix available for docker/docker import path
+  #
+  # Vulnerability Details:
+  # - Off-by-one error in Moby's plugin privilege validation allows potential privilege escalation
+  #   via crafted plugin configurations.
+  #
+  # Root Cause (No Fix Available for Import Path):
+  # - Same import path issue as CVE-2026-34040. The fix exists in moby/moby v29.3.1 but not
+  #   for the docker/docker import path that Charon uses.
+  # - Fix path: same dependency migration pattern as CVE-2026-34040 (if needed) or upstream fix.
+  #
+  # Risk Assessment: ACCEPTED (Not exploitable in Charon context)
+  # - Charon uses the Docker client SDK only (list containers). The vulnerability is in Docker's
+  #   plugin privilege validation, which is server-side functionality.
+  # - Charon does not run a Docker daemon, install Docker plugins, or interact with plugin privileges.
+  #
+  # Mitigation (active while suppression is in effect):
+  # - Monitor docker/docker releases: https://github.com/moby/moby/releases
+  # - Weekly CI security rebuild flags the moment a fixed version ships.
+  #
+  # Review:
+  # - Reviewed 2026-03-30 (initial suppression): no fix for docker/docker import path. Set 30-day review.
+  # - Next review: 2026-04-30. Remove suppression once a fix is available for the docker/docker import path.
+  #
+  # Removal Criteria:
+  # - docker/docker publishes a patched version OR moby/moby/v2 stabilizes
+  # - Update dependency, rebuild, run security-scan-docker-image, confirm finding is resolved
+  # - Remove this entry and all corresponding .trivyignore entries simultaneously
+  #
+  # References:
+  # - GHSA-pxq6-2prw-chj9: https://github.com/advisories/GHSA-pxq6-2prw-chj9
+  # - CVE-2026-33997: https://nvd.nist.gov/vuln/detail/CVE-2026-33997
+  # - moby/moby releases: https://github.com/moby/moby/releases
+  - vulnerability: GHSA-pxq6-2prw-chj9
+    package:
+      name: github.com/docker/docker
+      version: "v28.5.2+incompatible"
+      type: go-module
+    reason: |
+      MEDIUM — Off-by-one error in Moby plugin privilege validation in docker/docker v28.5.2+incompatible.
+      Fixed in moby/moby v29.3.1 but no fix for docker/docker import path.
+      Charon uses Docker client SDK only (list containers); the vulnerability is in Docker's server-side
+      plugin privilege validation. Charon does not run a Docker daemon or install Docker plugins.
+      Risk accepted; no remediation path until docker/docker publishes a fix or moby/moby/v2 stabilizes.
+      Reviewed 2026-03-30: no patched release available for docker/docker import path.
+    expiry: "2026-04-30"  # 30-day review: no fix for docker/docker import path. Extend in 30-day increments with documented justification.
+
+    # Action items when this suppression expires:
+    # 1. Check docker/docker and moby/moby releases: https://github.com/moby/moby/releases
+    # 2. Check if moby/moby/v2 has stabilized: https://github.com/moby/moby
+    # 3. If a fix has shipped for docker/docker import path OR moby/moby/v2 is stable:
+    #    a. Update the dependency and rebuild Docker image
+    #    b. Run local security-scan-docker-image and confirm finding is resolved
+    #    c. Remove this entry and all corresponding .trivyignore entries
+    # 4. If no fix yet: Extend expiry by 30 days and update the review comment above
+    # 5. If extended 3+ times: Open an issue to track moby/moby/v2 migration feasibility
+
+  # GHSA-78h2-9frx-2jm8: go-jose JWE decryption panic (DoS)
+  # Severity: HIGH
+  # Packages: github.com/go-jose/go-jose/v3 v3.0.4 and github.com/go-jose/go-jose/v4 v4.1.3
+  #           (embedded in /usr/bin/caddy)
+  # Status: Fix available in go-jose/v3 v3.0.5 and go-jose/v4 v4.1.4 — requires upstream Caddy rebuild
+  #
+  # Vulnerability Details:
+  # - JWE decryption can trigger a panic due to improper input validation, causing
+  #   a denial-of-service condition (runtime crash).
+  #
+  # Root Cause (Third-Party Binary):
+  # - Charon does not use go-jose directly. The library is compiled into the Caddy binary
+  #   shipped in the Docker image.
+  # - Fixes are available upstream (v3.0.5 and v4.1.4) but require a Caddy rebuild to pick up.
+  # - Fix path: once the upstream Caddy release includes the patched go-jose versions,
+  #   rebuild the Docker image and remove these suppressions.
+  #
+  # Risk Assessment: ACCEPTED (No direct use + fix requires upstream rebuild)
+  # - Charon does not import or call go-jose functions; the library is only present as a
+  #   transitive dependency inside the Caddy binary.
+  # - The attack vector requires crafted JWE input reaching Caddy's internal JWT handling,
+  #   which is limited to authenticated admin-API paths not exposed in Charon deployments.
+  #
+  # Mitigation (active while suppression is in effect):
+  # - Monitor Caddy releases: https://github.com/caddyserver/caddy/releases
+  # - Weekly CI security rebuild flags the moment a fixed image ships.
+  #
+  # Review:
+  # - Reviewed 2026-04-05 (initial suppression): fix available upstream but not yet in Caddy release.
+  #   Set 30-day review.
+  # - Next review: 2026-05-05. Remove suppression once Caddy ships with patched go-jose.
+  #
+  # Removal Criteria:
+  # - Caddy releases a version built with go-jose/v3 >= v3.0.5 and go-jose/v4 >= v4.1.4
+  # - Rebuild Docker image, run security-scan-docker-image, confirm finding is resolved
+  # - Remove both entries (v3 and v4) and any corresponding .trivyignore entries simultaneously
+  #
+  # References:
+  # - GHSA-78h2-9frx-2jm8: https://github.com/advisories/GHSA-78h2-9frx-2jm8
+  # - go-jose releases: https://github.com/go-jose/go-jose/releases
+  # - Caddy releases: https://github.com/caddyserver/caddy/releases
+  - vulnerability: GHSA-78h2-9frx-2jm8
+    package:
+      name: github.com/go-jose/go-jose/v3
+      version: "v3.0.4"
+      type: go-module
+    reason: |
+      HIGH — JWE decryption panic in go-jose v3.0.4 embedded in /usr/bin/caddy.
+      Fix available in v3.0.5 but requires upstream Caddy rebuild. Charon does not use go-jose
+      directly. Deferring to next Caddy release.
+    expiry: "2026-05-05"  # 30-day review: remove once Caddy ships with go-jose/v3 >= v3.0.5.
+
+    # Action items when this suppression expires:
+    # 1. Check Caddy releases: https://github.com/caddyserver/caddy/releases
+    # 2. Verify with: `go version -m /usr/bin/caddy | grep go-jose`
+    #    Expected: go-jose/v3 >= v3.0.5
+    # 3. If Caddy has updated:
+    #    a. Rebuild Docker image and run local security-scan-docker-image
+    #    b. Remove this entry, the v4 entry below, and any corresponding .trivyignore entries
+    # 4. If not yet updated: Extend expiry by 30 days and update the review comment above
+    # 5. If extended 3+ times: Open an upstream issue on caddyserver/caddy requesting go-jose update
+
+  # GHSA-78h2-9frx-2jm8 (go-jose/v4) — see full justification in the go-jose/v3 entry above
+  - vulnerability: GHSA-78h2-9frx-2jm8
+    package:
+      name: github.com/go-jose/go-jose/v4
+      version: "v4.1.3"
+      type: go-module
+    reason: |
+      HIGH — JWE decryption panic in go-jose v4.1.3 embedded in /usr/bin/caddy.
+      Fix available in v4.1.4 but requires upstream Caddy rebuild. Charon does not use go-jose
+      directly. Deferring to next Caddy release.
+    expiry: "2026-05-05"  # 30-day review: see go-jose/v3 entry above for action items.
 
 # Match exclusions (patterns to ignore during scanning)
 # Use sparingly - prefer specific CVE suppressions above

.pre-commit-config.yaml

@@ -1,211 +0,0 @@
-# NOTE: golangci-lint-fast now includes test files (_test.go) to catch security
-# issues earlier. The fast config uses gosec with critical-only checks (G101,
-# G110, G305, G401, G501, G502, G503) for acceptable performance.
-# Last updated: 2026-02-02
-
-repos:
-  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v6.0.0
-    hooks:
-      - id: end-of-file-fixer
-        exclude: '^(frontend/(coverage|dist|node_modules|\.vite)/|.*\.tsbuildinfo$)'
-      - id: trailing-whitespace
-        exclude: '^(frontend/(coverage|dist|node_modules|\.vite)/|.*\.tsbuildinfo$)'
-      - id: check-yaml
-      - id: check-added-large-files
-        args: ['--maxkb=2500']
-  - repo: https://github.com/shellcheck-py/shellcheck-py
-    rev: v0.10.0.1
-    hooks:
-      - id: shellcheck
-        name: shellcheck
-        exclude: '^(frontend/(coverage|dist|node_modules|\.vite)/|test-results|codeql-agent-results)/'
-        args: ['--severity=error']
-  - repo: https://github.com/rhysd/actionlint
-    rev: v1.7.10
-    hooks:
-      - id: actionlint
-        name: actionlint (GitHub Actions)
-        files: '^\.github/workflows/.*\.ya?ml$'
-  - repo: local
-    hooks:
-      - id: dockerfile-check
-        name: dockerfile validation
-        entry: tools/dockerfile_check.sh
-        language: script
-        files: "Dockerfile.*"
-        pass_filenames: true
-      - id: go-test-coverage
-        name: Go Test Coverage (Manual)
-        entry: scripts/go-test-coverage.sh
-        language: script
-        files: '\.go$'
-        pass_filenames: false
-        verbose: true
-        stages: [manual]  # Only runs when explicitly called
-      - id: go-vet
-        name: Go Vet
-        entry: bash -c 'cd backend && go vet ./...'
-        language: system
-        files: '\.go$'
-        pass_filenames: false
-      - id: golangci-lint-fast
-        name: golangci-lint (Fast Linters - BLOCKING)
-        entry: scripts/pre-commit-hooks/golangci-lint-fast.sh
-        language: script
-        files: '\.go$'
-        # Test files are now included to catch security issues (gosec critical checks)
-        pass_filenames: false
-        description: "Runs fast, essential linters (staticcheck, govet, errcheck, ineffassign, unused, gosec critical) - BLOCKS commits on failure"
-      - id: check-version-match
-        name: Check .version matches latest Git tag
-        entry: bash -c 'scripts/check-version-match-tag.sh'
-        language: system
-        files: '\.version$'
-        pass_filenames: false
-      - id: check-lfs-large-files
-        name: Prevent large files that are not tracked by LFS
-        entry: bash scripts/pre-commit-hooks/check-lfs-for-large-files.sh
-        language: system
-        pass_filenames: false
-        verbose: true
-        always_run: true
-      - id: block-codeql-db-commits
-        name: Prevent committing CodeQL DB artifacts
-        entry: bash scripts/pre-commit-hooks/block-codeql-db-commits.sh
-        language: system
-        pass_filenames: false
-        verbose: true
-        always_run: true
-      - id: block-data-backups-commit
-        name: Prevent committing data/backups files
-        entry: bash scripts/pre-commit-hooks/block-data-backups-commit.sh
-        language: system
-        pass_filenames: false
-        verbose: true
-        always_run: true
-
-      # === MANUAL/CI-ONLY HOOKS ===
-      # These are slow and should only run on-demand or in CI
-      # Run manually with: pre-commit run golangci-lint-full --all-files
-      - id: go-test-race
-        name: Go Test Race (Manual)
-        entry: bash -c 'cd backend && go test -race ./...'
-        language: system
-        files: '\.go$'
-        pass_filenames: false
-        stages: [manual]  # Only runs when explicitly called
-
-      - id: golangci-lint-full
-        name: golangci-lint (Full - Manual)
-        entry: scripts/pre-commit-hooks/golangci-lint-full.sh
-        language: script
-        files: '\.go$'
-        pass_filenames: false
-        stages: [manual]  # Only runs when explicitly called
-
-      - id: hadolint
-        name: Hadolint Dockerfile Check (Manual)
-        entry: bash -c 'docker run --rm -i hadolint/hadolint < Dockerfile'
-        language: system
-        files: 'Dockerfile'
-        pass_filenames: false
-        stages: [manual]  # Only runs when explicitly called
-      - id: frontend-type-check
-        name: Frontend TypeScript Check
-        entry: bash -c 'cd frontend && npm run type-check'
-        language: system
-        files: '^frontend/.*\.(ts|tsx)$'
-        pass_filenames: false
-      - id: frontend-lint
-        name: Frontend Lint (Fix)
-        entry: bash -c 'cd frontend && npm run lint -- --fix'
-        language: system
-        files: '^frontend/.*\.(ts|tsx|js|jsx)$'
-        pass_filenames: false
-
-      - id: frontend-test-coverage
-        name: Frontend Test Coverage (Manual)
-        entry: scripts/frontend-test-coverage.sh
-        language: script
-        files: '^frontend/.*\\.(ts|tsx|js|jsx)$'
-        pass_filenames: false
-        verbose: true
-        stages: [manual]
-
-      - id: security-scan
-        name: Security Vulnerability Scan (Manual)
-        entry: scripts/security-scan.sh
-        language: script
-        files: '(\.go$|go\.mod$|go\.sum$)'
-        pass_filenames: false
-        verbose: true
-        stages: [manual]  # Only runs when explicitly called
-
-      - id: codeql-go-scan
-        name: CodeQL Go Security Scan (Manual - Slow)
-        entry: scripts/pre-commit-hooks/codeql-go-scan.sh
-        language: script
-        files: '\.go$'
-        pass_filenames: false
-        verbose: true
-        stages: [manual]  # Performance: 30-60s, only run on-demand
-
-      - id: codeql-js-scan
-        name: CodeQL JavaScript/TypeScript Security Scan (Manual - Slow)
-        entry: scripts/pre-commit-hooks/codeql-js-scan.sh
-        language: script
-        files: '^frontend/.*\.(ts|tsx|js|jsx)$'
-        pass_filenames: false
-        verbose: true
-        stages: [manual]  # Performance: 30-60s, only run on-demand
-
-      - id: codeql-check-findings
-        name: Block HIGH/CRITICAL CodeQL Findings
-        entry: scripts/pre-commit-hooks/codeql-check-findings.sh
-        language: script
-        pass_filenames: false
-        verbose: true
-        stages: [manual]  # Only runs after CodeQL scans
-
-      - id: codeql-parity-check
-        name: CodeQL Suite/Trigger Parity Guard (Manual)
-        entry: scripts/ci/check-codeql-parity.sh
-        language: script
-        pass_filenames: false
-        verbose: true
-        stages: [manual]
-
-      - id: gorm-security-scan
-        name: GORM Security Scanner (Manual)
-        entry: scripts/pre-commit-hooks/gorm-security-check.sh
-        language: script
-        files: '\.go$'
-        pass_filenames: false
-        stages: [manual]  # Manual stage initially (soft launch)
-        verbose: true
-        description: "Detects GORM ID leaks and common GORM security mistakes"
-
-      - id: semgrep-scan
-        name: Semgrep Security Scan (Manual)
-        entry: scripts/pre-commit-hooks/semgrep-scan.sh
-        language: script
-        pass_filenames: false
-        verbose: true
-        stages: [manual]  # Manual stage initially (reversible rollout)
-
-      - id: gitleaks-tuned-scan
-        name: Gitleaks Security Scan (Tuned, Manual)
-        entry: scripts/pre-commit-hooks/gitleaks-tuned-scan.sh
-        language: script
-        pass_filenames: false
-        verbose: true
-        stages: [manual]  # Manual stage initially (reversible rollout)
-
-  - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.47.0
-    hooks:
-      - id: markdownlint
-        args: ["--fix"]
-        exclude: '^(node_modules|\.venv|test-results|codeql-db|codeql-agent-results)/'
-        stages: [manual]

.trivyignore

@@ -1,2 +1,105 @@
 .cache/
 playwright/.auth/
+
+# GHSA-69x3-g4r3-p962 / CVE-2026-25793: Nebula ECDSA Signature Malleability
+# Severity: HIGH (CVSS 8.1) — Package: github.com/slackhq/nebula v1.9.7 in /usr/bin/caddy
+# Fix exists in nebula v1.10.3, but smallstep/certificates (through v0.30.2) uses legacy nebula
+# APIs removed in v1.10+, causing compile failures. Waiting on certificates upstream update.
+# Charon does not use Nebula VPN PKI by default. Review by: 2026-05-10
+# See also: .grype.yaml for full justification
+# exp: 2026-05-10
+CVE-2026-25793
+
+# CVE-2026-27171: zlib CPU spin via crc32_combine64 infinite loop (DoS)
+# Severity: MEDIUM (CVSS 5.5 NVD / 2.9 MITRE) — Package: zlib 1.3.1-r2 in Alpine base image
+# Fix requires zlib >= 1.3.2. No upstream fix available: Alpine 3.23 still ships zlib 1.3.1-r2.
+# Attack requires local access (AV:L); the vulnerable code path is not reachable via Charon's
+# network-facing surface. Non-blocking by CI policy (MEDIUM). Review by: 2026-05-21
+# exp: 2026-05-21
+CVE-2026-27171
+
+# CVE-2026-2673: OpenSSL TLS 1.3 server key exchange group downgrade (libcrypto3/libssl3)
+# Severity: HIGH (CVSS 7.5) — Packages: libcrypto3 3.5.5-r0 and libssl3 3.5.5-r0 in Alpine base image
+# No upstream fix available: Alpine 3.23 still ships libcrypto3/libssl3 3.5.5-r0 as of 2026-03-18.
+# When DEFAULT is in TLS 1.3 group config, server may select a weaker key exchange group.
+# Charon terminates TLS at the Caddy layer — the Go backend does not act as a raw TLS 1.3 server.
+# Review by: 2026-05-18
+# See also: .grype.yaml for full justification
+# exp: 2026-05-18
+CVE-2026-2673
+
+# CVE-2026-33186 / GHSA-p77j-4mvh-x3m3: gRPC-Go authorization bypass via missing leading slash
+# Severity: CRITICAL (CVSS 9.1) — Package: google.golang.org/grpc, embedded in CrowdSec (v1.74.2) and Caddy (v1.79.1)
+# Fix exists at v1.79.3 — Charon's own dep is patched. Waiting on CrowdSec and Caddy upstream releases.
+# CrowdSec's and Caddy's grpc servers are not exposed externally in a standard Charon deployment.
+# Suppressed for CrowdSec/Caddy embedded binaries only — Charon's direct deps are fixed (v1.79.3).
+# Review by: 2026-05-04
+# See also: .grype.yaml for full justification
+# exp: 2026-05-04
+CVE-2026-33186
+
+# GHSA-479m-364c-43vc: goxmldsig XML signature validation bypass (loop variable capture)
+# Severity: HIGH (CVSS 7.5) — Package: github.com/russellhaering/goxmldsig v1.5.0, embedded in /usr/bin/caddy
+# Fix exists at v1.6.0 — waiting on Caddy upstream (or caddy-security plugin) to release with patched goxmldsig.
+# Charon does not configure SAML-based SSO by default; the vulnerable path is not reachable in a standard deployment.
+# Awaiting Caddy upstream update to include goxmldsig v1.6.0.
+# Review by: 2026-05-04
+# See also: .grype.yaml for full justification
+# exp: 2026-05-04
+GHSA-479m-364c-43vc
+
+# GHSA-6g7g-w4f8-9c9x: buger/jsonparser Delete panic on malformed JSON (DoS)
+# Severity: HIGH (CVSS 7.5) — Package: github.com/buger/jsonparser v1.1.1, embedded in CrowdSec binaries
+# No upstream fix available as of 2026-03-19 (issue #275 open, golang/vulndb #4514 open).
+# Charon does not use this package; the vector requires reaching CrowdSec's internal processing pipeline.
+# Review by: 2026-05-19
+# See also: .grype.yaml for full justification
+# exp: 2026-05-19
+GHSA-6g7g-w4f8-9c9x
+
+# GHSA-jqcq-xjh3-6g23: pgproto3/v2 DataRow.Decode panic on negative field length (DoS)
+# Severity: HIGH (CVSS 7.5) — Package: github.com/jackc/pgproto3/v2 v2.3.3, embedded in CrowdSec binaries
+# pgproto3/v2 is archived/EOL — no fix will be released. Fix path requires CrowdSec to migrate to pgx/v5.
+# Charon uses SQLite; the PostgreSQL code path is not reachable in a standard deployment.
+# Review by: 2026-05-19
+# See also: .grype.yaml for full justification
+# exp: 2026-05-19
+GHSA-jqcq-xjh3-6g23
+
+# GHSA-x6gf-mpr2-68h6 / CVE-2026-4427: pgproto3/v2 DataRow.Decode panic on negative field length (DoS)
+# Severity: HIGH (CVSS 7.5) — Package: github.com/jackc/pgproto3/v2 v2.3.3, embedded in CrowdSec binaries
+# NVD/Red Hat alias (CVE-2026-4427) for the same underlying bug as GHSA-jqcq-xjh3-6g23.
+# pgproto3/v2 is archived/EOL — no fix will be released. Fix path requires CrowdSec to migrate to pgx/v5.
+# Charon uses SQLite; the PostgreSQL code path is not reachable in a standard deployment.
+# Review by: 2026-05-21
+# See also: .grype.yaml for full justification
+# exp: 2026-05-21
+GHSA-x6gf-mpr2-68h6
+
+# CVE-2026-32286: pgproto3/v2 buffer overflow in DataRow handling (DoS)
+# Severity: HIGH (CVSS 7.5) — Package: github.com/jackc/pgproto3/v2 v2.3.3, embedded in CrowdSec binaries
+# pgproto3/v2 v2.3.3 is the final release — repository archived Jul 12, 2025. No fix will be released.
+# Fix exists only in pgproto3/v3 (used by pgx/v5). CrowdSec v1.7.7 (latest) still depends on pgx/v4 → pgproto3/v2.
+# Dockerfile already applies best-effort mitigation (pgx/v4@v4.18.3).
+# Charon uses SQLite; the PostgreSQL code path is not reachable in a standard deployment.
+# Review by: 2026-07-09
+# See also: .grype.yaml for full justification
+# exp: 2026-07-09
+CVE-2026-32286
+
+# CVE-2026-33997 / GHSA-pxq6-2prw-chj9: Moby off-by-one error in plugin privilege validation
+# Severity: MEDIUM (CVSS 6.8) — Package: github.com/docker/docker v28.5.2+incompatible
+# Fixed in moby/moby v29.3.1 but no fix for docker/docker import path.
+# Charon uses Docker client SDK only (list containers); plugin privilege validation is server-side.
+# Review by: 2026-04-30
+# See also: .grype.yaml for full justification
+# exp: 2026-04-30
+CVE-2026-33997
+
+# GHSA-pxq6-2prw-chj9: Moby off-by-one error in plugin privilege validation (GHSA alias)
+# Severity: MEDIUM (CVSS 6.8) — Package: github.com/docker/docker v28.5.2+incompatible
+# GHSA alias for CVE-2026-33997. See CVE-2026-33997 entry above for full details.
+# Review by: 2026-04-30
+# See also: .grype.yaml for full justification
+# exp: 2026-04-30
+GHSA-pxq6-2prw-chj9

.version

@@ -1 +1 @@
-v0.18.13
+v0.27.0

.vscode/mcp.json

@@ -1,4 +1,5 @@
 {
+	"inputs": [],
 	"servers": {
 		"microsoft/playwright-mcp": {
 			"type": "stdio",
@@ -8,11 +9,6 @@
 			],
 			"gallery": "https://api.mcp.github.com",
 			"version": "0.0.1-seed"
-		},
-		"gopls": {
-			"url": "http://localhost:8092",
-			"type": "sse"
 		}
-	},
-	"inputs": []
+	}
 }

.vscode/tasks.json

@@ -371,9 +371,9 @@
             }
         },
         {
-            "label": "Lint: Pre-commit (All Files)",
+            "label": "Lint: Lefthook Pre-commit (All Files)",
             "type": "shell",
-            "command": ".github/skills/scripts/skill-runner.sh qa-precommit-all",
+            "command": "lefthook run pre-commit",
             "group": "test",
             "problemMatcher": []
         },
@@ -454,7 +454,7 @@
         {
             "label": "Security: Trivy Scan",
             "type": "shell",
-            "command": ".github/skills/scripts/skill-runner.sh security-scan-trivy",
+            "command": "TRIVY_DOCKER_RM=false .github/skills/scripts/skill-runner.sh security-scan-trivy",
             "group": "test",
             "problemMatcher": []
         },
@@ -466,9 +466,9 @@
             "problemMatcher": []
         },
         {
-            "label": "Security: Semgrep Scan (Manual Hook)",
+            "label": "Security: Semgrep Scan (Lefthook Pre-push)",
             "type": "shell",
-            "command": "pre-commit run --hook-stage manual semgrep-scan --all-files",
+            "command": "lefthook run pre-push",
             "group": "test",
             "problemMatcher": []
         },
@@ -480,9 +480,9 @@
             "problemMatcher": []
         },
         {
-            "label": "Security: Gitleaks Scan (Tuned Manual Hook)",
+            "label": "Security: Gitleaks Scan (Lefthook Pre-push)",
             "type": "shell",
-            "command": "pre-commit run --hook-stage manual gitleaks-tuned-scan --all-files",
+            "command": "lefthook run pre-push",
             "group": "test",
             "problemMatcher": []
         },
@@ -501,14 +501,14 @@
         {
             "label": "Security: CodeQL Go Scan (DEPRECATED)",
             "type": "shell",
-            "command": "codeql database create codeql-db-go --language=go --source-root=backend --overwrite && codeql database analyze codeql-db-go /projects/codeql/codeql/go/ql/src/codeql-suites/go-security-extended.qls --format=sarif-latest --output=codeql-results-go.sarif",
+            "command": "bash scripts/pre-commit-hooks/codeql-go-scan.sh",
             "group": "test",
             "problemMatcher": []
         },
         {
             "label": "Security: CodeQL JS Scan (DEPRECATED)",
             "type": "shell",
-            "command": "codeql database create codeql-db-js --language=javascript --source-root=frontend --overwrite && codeql database analyze codeql-db-js /projects/codeql/codeql/javascript/ql/src/codeql-suites/javascript-security-extended.qls --format=sarif-latest --output=codeql-results-js.sarif",
+            "command": "bash scripts/pre-commit-hooks/codeql-js-scan.sh",
             "group": "test",
             "problemMatcher": []
         },
@@ -724,6 +724,13 @@
             "group": "test",
             "problemMatcher": []
         },
+        {
+            "label": "Security: Caddy PR-1 Compatibility Matrix",
+            "type": "shell",
+            "command": "cd /projects/Charon && bash scripts/caddy-compat-matrix.sh --candidate-version 2.11.2 --patch-scenarios A,B,C --platforms linux/amd64,linux/arm64 --smoke-set boot_caddy,plugin_modules,config_validate,admin_api_health --output-dir test-results/caddy-compat --docs-report docs/reports/caddy-compatibility-matrix.md",
+            "group": "test",
+            "problemMatcher": []
+        },
         {
             "label": "Test: E2E Playwright (Skill)",
             "type": "shell",
@@ -808,6 +815,162 @@
                 "close": false
             }
         },
+        {
+            "label": "Test: E2E Playwright (Chromium) - Non-Security Shards 1/4-4/4",
+            "type": "shell",
+            "command": "cd /projects/Charon && if [ -f .env ]; then set -a; . ./.env; set +a; fi && : \"${CHARON_EMERGENCY_TOKEN:?CHARON_EMERGENCY_TOKEN is required (set it in /projects/Charon/.env)}\" && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=1 npx playwright test --project=chromium --shard=1/4 --output=playwright-output/chromium-shard-1 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks && cd /projects/Charon && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=2 npx playwright test --project=chromium --shard=2/4 --output=playwright-output/chromium-shard-2 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks && cd /projects/Charon && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=3 npx playwright test --project=chromium --shard=3/4 --output=playwright-output/chromium-shard-3 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks && cd /projects/Charon && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=4 npx playwright test --project=chromium --shard=4/4 --output=playwright-output/chromium-shard-4 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks",
+            "group": "test",
+            "problemMatcher": [],
+            "presentation": {
+                "reveal": "always",
+                "panel": "dedicated",
+                "close": false
+            }
+        },
+        {
+            "label": "Test: E2E Playwright (Chromium) - Non-Security Shard 1/4",
+            "type": "shell",
+            "command": "cd /projects/Charon && if [ -f .env ]; then set -a; . ./.env; set +a; fi && : \"${CHARON_EMERGENCY_TOKEN:?CHARON_EMERGENCY_TOKEN is required (set it in /projects/Charon/.env)}\" && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=1 npx playwright test --project=chromium --shard=1/4 --output=playwright-output/chromium-shard-1 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks",
+            "group": "test",
+            "problemMatcher": [],
+            "presentation": {
+                "reveal": "always",
+                "panel": "dedicated",
+                "close": false
+            }
+        },
+        {
+            "label": "Test: E2E Playwright (Chromium) - Non-Security Shard 2/4",
+            "type": "shell",
+            "command": "cd /projects/Charon && if [ -f .env ]; then set -a; . ./.env; set +a; fi && : \"${CHARON_EMERGENCY_TOKEN:?CHARON_EMERGENCY_TOKEN is required (set it in /projects/Charon/.env)}\" && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=2 npx playwright test --project=chromium --shard=2/4 --output=playwright-output/chromium-shard-2 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks",
+            "group": "test",
+            "problemMatcher": [],
+            "presentation": {
+                "reveal": "always",
+                "panel": "dedicated",
+                "close": false
+            }
+        },
+        {
+            "label": "Test: E2E Playwright (Chromium) - Non-Security Shard 3/4",
+            "type": "shell",
+            "command": "cd /projects/Charon && if [ -f .env ]; then set -a; . ./.env; set +a; fi && : \"${CHARON_EMERGENCY_TOKEN:?CHARON_EMERGENCY_TOKEN is required (set it in /projects/Charon/.env)}\" && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=3 npx playwright test --project=chromium --shard=3/4 --output=playwright-output/chromium-shard-3 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks",
+            "group": "test",
+            "problemMatcher": [],
+            "presentation": {
+                "reveal": "always",
+                "panel": "dedicated",
+                "close": false
+            }
+        },
+        {
+            "label": "Test: E2E Playwright (Chromium) - Non-Security Shard 4/4",
+            "type": "shell",
+            "command": "cd /projects/Charon && if [ -f .env ]; then set -a; . ./.env; set +a; fi && : \"${CHARON_EMERGENCY_TOKEN:?CHARON_EMERGENCY_TOKEN is required (set it in /projects/Charon/.env)}\" && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=4 npx playwright test --project=chromium --shard=4/4 --output=playwright-output/chromium-shard-4 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks",
+            "group": "test",
+            "problemMatcher": [],
+            "presentation": {
+                "reveal": "always",
+                "panel": "dedicated",
+                "close": false
+            }
+        },
+        {
+            "label": "Test: E2E Playwright (WebKit) - Non-Security Shards 1/4-4/4",
+            "type": "shell",
+            "command": "cd /projects/Charon && if [ -f .env ]; then set -a; . ./.env; set +a; fi && : \"${CHARON_EMERGENCY_TOKEN:?CHARON_EMERGENCY_TOKEN is required (set it in /projects/Charon/.env)}\" && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=1 npx playwright test --project=webkit --shard=1/4 --output=playwright-output/webkit-shard-1 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks && cd /projects/Charon && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=2 npx playwright test --project=webkit --shard=2/4 --output=playwright-output/webkit-shard-2 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks && cd /projects/Charon && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=3 npx playwright test --project=webkit --shard=3/4 --output=playwright-output/webkit-shard-3 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks && cd /projects/Charon && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=4 npx playwright test --project=webkit --shard=4/4 --output=playwright-output/webkit-shard-4 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks",
+            "group": "test",
+            "problemMatcher": [],
+            "presentation": {
+                "reveal": "always",
+                "panel": "dedicated",
+                "close": false
+            }
+        },
+        {
+            "label": "Test: E2E Playwright (WebKit) - Non-Security Shard 1/4",
+            "type": "shell",
+            "command": "cd /projects/Charon && if [ -f .env ]; then set -a; . ./.env; set +a; fi && : \"${CHARON_EMERGENCY_TOKEN:?CHARON_EMERGENCY_TOKEN is required (set it in /projects/Charon/.env)}\" && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=1 npx playwright test --project=webkit --shard=1/4 --output=playwright-output/webkit-shard-1 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks",
+            "group": "test",
+            "problemMatcher": [],
+            "presentation": {
+                "reveal": "always",
+                "panel": "dedicated",
+                "close": false
+            }
+        },
+        {
+            "label": "Test: E2E Playwright (WebKit) - Non-Security Shard 2/4",
+            "type": "shell",
+            "command": "cd /projects/Charon && if [ -f .env ]; then set -a; . ./.env; set +a; fi && : \"${CHARON_EMERGENCY_TOKEN:?CHARON_EMERGENCY_TOKEN is required (set it in /projects/Charon/.env)}\" && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=2 npx playwright test --project=webkit --shard=2/4 --output=playwright-output/webkit-shard-2 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks",
+            "group": "test",
+            "problemMatcher": [],
+            "presentation": {
+                "reveal": "always",
+                "panel": "dedicated",
+                "close": false
+            }
+        },
+        {
+            "label": "Test: E2E Playwright (WebKit) - Non-Security Shard 3/4",
+            "type": "shell",
+            "command": "cd /projects/Charon && if [ -f .env ]; then set -a; . ./.env; set +a; fi && : \"${CHARON_EMERGENCY_TOKEN:?CHARON_EMERGENCY_TOKEN is required (set it in /projects/Charon/.env)}\" && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=3 npx playwright test --project=webkit --shard=3/4 --output=playwright-output/webkit-shard-3 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks",
+            "group": "test",
+            "problemMatcher": [],
+            "presentation": {
+                "reveal": "always",
+                "panel": "dedicated",
+                "close": false
+            }
+        },
+        {
+            "label": "Test: E2E Playwright (WebKit) - Non-Security Shard 4/4",
+            "type": "shell",
+            "command": "cd /projects/Charon && if [ -f .env ]; then set -a; . ./.env; set +a; fi && : \"${CHARON_EMERGENCY_TOKEN:?CHARON_EMERGENCY_TOKEN is required (set it in /projects/Charon/.env)}\" && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=4 npx playwright test --project=webkit --shard=4/4 --output=playwright-output/webkit-shard-4 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks",
+            "group": "test",
+            "problemMatcher": [],
+            "presentation": {
+                "reveal": "always",
+                "panel": "dedicated",
+                "close": false
+            }
+        },
+        {
+            "label": "Test: E2E Playwright (Chromium) - Security Suite",
+            "type": "shell",
+            "command": "cd /projects/Charon && if [ -f .env ]; then set -a; . ./.env; set +a; fi && : \"${CHARON_EMERGENCY_TOKEN:?CHARON_EMERGENCY_TOKEN is required (set it in /projects/Charon/.env)}\" && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=true PLAYWRIGHT_SKIP_SECURITY_DEPS=0 npx playwright test --project=security-tests --output=playwright-output/chromium-security tests/security",
+            "group": "test",
+            "problemMatcher": [],
+            "presentation": {
+                "reveal": "always",
+                "panel": "dedicated",
+                "close": false
+            }
+        },
+        {
+            "label": "Test: E2E Playwright (FireFox) - Security Suite",
+            "type": "shell",
+            "command": "cd /projects/Charon && if [ -f .env ]; then set -a; . ./.env; set +a; fi && : \"${CHARON_EMERGENCY_TOKEN:?CHARON_EMERGENCY_TOKEN is required (set it in /projects/Charon/.env)}\" && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=true PLAYWRIGHT_SKIP_SECURITY_DEPS=0 npx playwright test --project=firefox --output=playwright-output/firefox-security tests/security",
+            "group": "test",
+            "problemMatcher": [],
+            "presentation": {
+                "reveal": "always",
+                "panel": "dedicated",
+                "close": false
+            }
+        },
+        {
+            "label": "Test: E2E Playwright (WebKit) - Security Suite",
+            "type": "shell",
+            "command": "cd /projects/Charon && if [ -f .env ]; then set -a; . ./.env; set +a; fi && : \"${CHARON_EMERGENCY_TOKEN:?CHARON_EMERGENCY_TOKEN is required (set it in /projects/Charon/.env)}\" && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=true PLAYWRIGHT_SKIP_SECURITY_DEPS=0 npx playwright test --project=webkit --output=playwright-output/webkit-security tests/security",
+            "group": "test",
+            "problemMatcher": [],
+            "presentation": {
+                "reveal": "always",
+                "panel": "dedicated",
+                "close": false
+            }
+        },
         {
             "label": "Test: E2E Playwright with Coverage",
             "type": "shell",

ARCHITECTURE.md

@@ -126,11 +126,11 @@ graph TB
 | **HTTP Framework** | Gin | Latest | Routing, middleware, HTTP handling |
 | **Database** | SQLite | 3.x | Embedded database |
 | **ORM** | GORM | Latest | Database abstraction layer |
-| **Reverse Proxy** | Caddy Server | 2.11.0-beta.2 | Embedded HTTP/HTTPS proxy |
+| **Reverse Proxy** | Caddy Server | 2.11.2 | Embedded HTTP/HTTPS proxy |
 | **WebSocket** | gorilla/websocket | Latest | Real-time log streaming |
 | **Crypto** | golang.org/x/crypto | Latest | Password hashing, encryption |
 | **Metrics** | Prometheus Client | Latest | Application metrics |
-| **Notifications** | Shoutrrr | Latest | Multi-platform alerts |
+| **Notifications** | Notify (Discord-first) | Current | Discord notifications now; additional services in phased rollout |
 | **Docker Client** | Docker SDK | Latest | Container discovery |
 | **Logging** | Logrus + Lumberjack | Latest | Structured logging with rotation |
 
@@ -139,15 +139,15 @@ graph TB
 | Component | Technology | Version | Purpose |
 |-----------|-----------|---------|---------|
 | **Framework** | React | 19.2.3 | UI framework |
-| **Language** | TypeScript | 5.x | Type-safe JavaScript |
-| **Build Tool** | Vite | 6.1.9 | Fast bundler and dev server |
-| **CSS Framework** | Tailwind CSS | 3.x | Utility-first CSS |
+| **Language** | TypeScript | 6.x | Type-safe JavaScript |
+| **Build Tool** | Vite | 8.0.0-beta.18 | Fast bundler and dev server |
+| **CSS Framework** | Tailwind CSS | 4.2.1 | Utility-first CSS |
 | **Routing** | React Router | 7.x | Client-side routing |
 | **HTTP Client** | Fetch API | Native | API communication |
 | **State Management** | React Hooks + Context | Native | Global state |
 | **Internationalization** | i18next | Latest | 5 language support |
-| **Unit Testing** | Vitest | 2.x | Fast unit test runner |
-| **E2E Testing** | Playwright | 1.50.x | Browser automation |
+| **Unit Testing** | Vitest | 4.1.0-beta.6 | Fast unit test runner |
+| **E2E Testing** | Playwright | 1.58.2 | Browser automation |
 
 ### Infrastructure
 
@@ -218,7 +218,7 @@ graph TB
 │   │   └── main.tsx            # Application entry point
 │   ├── public/                 # Static assets
 │   ├── package.json            # NPM dependencies
-│   └── vite.config.js          # Vite configuration
+│   └── vite.config.ts          # Vite configuration
 │
 ├── .docker/                    # Docker configuration
 │   ├── compose/                # Docker Compose files
@@ -306,11 +306,13 @@ graph TB
 **Key Modules:**
 
 #### API Layer (`internal/api/`)
+
 - **Handlers:** Process HTTP requests, validate input, return responses
 - **Middleware:** CORS, GZIP, authentication, logging, metrics, panic recovery
 - **Routes:** Route registration and grouping (public vs authenticated)
 
 **Example Endpoints:**
+
 - `GET /api/v1/proxy-hosts` - List all proxy hosts
 - `POST /api/v1/proxy-hosts` - Create new proxy host
 - `PUT /api/v1/proxy-hosts/:id` - Update proxy host
@@ -318,6 +320,7 @@ graph TB
 - `WS /api/v1/logs` - WebSocket for real-time logs
 
 #### Service Layer (`internal/services/`)
+
 - **ProxyService:** CRUD operations for proxy hosts, validation logic
 - **CertificateService:** ACME certificate provisioning and renewal
 - **DockerService:** Container discovery and monitoring
@@ -327,12 +330,14 @@ graph TB
 **Design Pattern:** Services contain business logic and call multiple repositories/managers
 
 #### Caddy Manager (`internal/caddy/`)
+
 - **Manager:** Orchestrates Caddy configuration updates
 - **Config Builder:** Generates Caddy JSON from database models
 - **Reload Logic:** Atomic config application with rollback on failure
 - **Security Integration:** Injects Cerberus middleware into Caddy pipelines
 
 **Responsibilities:**
+
 1. Generate Caddy JSON configuration from database state
 2. Validate configuration before applying
 3. Trigger Caddy reload via JSON API
@@ -340,22 +345,26 @@ graph TB
 5. Integrate security layers (WAF, ACL, Rate Limiting)
 
 #### Security Suite (`internal/cerberus/`)
+
 - **ACL (Access Control Lists):** IP-based allow/deny rules, GeoIP blocking
 - **WAF (Web Application Firewall):** Coraza engine with OWASP CRS
 - **CrowdSec:** Behavior-based threat detection with global intelligence
 - **Rate Limiter:** Per-IP request throttling
 
 **Integration Points:**
+
 - Middleware injection into Caddy request pipeline
 - Database-driven rule configuration
 - Metrics collection for security events
 
 #### Database Layer (`internal/database/`)
+
 - **Migrations:** Automatic schema versioning with GORM AutoMigrate
 - **Seeding:** Default settings and admin user creation
 - **Connection Management:** SQLite with WAL mode and connection pooling
 
 **Schema Overview:**
+
 - **ProxyHost:** Domain, upstream target, SSL config
 - **RemoteServer:** Upstream server definitions
 - **CaddyConfig:** Generated Caddy configuration (audit trail)
@@ -372,6 +381,7 @@ graph TB
 **Component Architecture:**
 
 #### Pages (`src/pages/`)
+
 - **Dashboard:** System overview, recent activity, quick actions
 - **ProxyHosts:** List, create, edit, delete proxy configurations
 - **Certificates:** Manage SSL/TLS certificates, view expiry
@@ -380,17 +390,20 @@ graph TB
 - **Users:** User management (admin only)
 
 #### Components (`src/components/`)
+
 - **Forms:** Reusable form inputs with validation
 - **Modals:** Dialog components for CRUD operations
 - **Tables:** Data tables with sorting, filtering, pagination
 - **Layout:** Header, sidebar, navigation
 
 #### API Client (`src/api/`)
+
 - Centralized API calls with error handling
 - Request/response type definitions
 - Authentication token management
 
 **Example:**
+
 ```typescript
 export const getProxyHosts = async (): Promise<ProxyHost[]> => {
   const response = await fetch('/api/v1/proxy-hosts', {
@@ -402,11 +415,13 @@ export const getProxyHosts = async (): Promise<ProxyHost[]> => {
 ```
 
 #### State Management
+
 - **React Context:** Global state for auth, theme, language
 - **Local State:** Component-specific state with `useState`
 - **Custom Hooks:** Encapsulate API calls and side effects
 
 **Example Hook:**
+
 ```typescript
 export const useProxyHosts = () => {
   const [hosts, setHosts] = useState<ProxyHost[]>([]);
@@ -425,11 +440,13 @@ export const useProxyHosts = () => {
 **Purpose:** High-performance reverse proxy with automatic HTTPS
 
 **Integration:**
+
 - Embedded as a library in the Go backend
 - Configured via JSON API (not Caddyfile)
 - Listens on ports 80 (HTTP) and 443 (HTTPS)
 
 **Features Used:**
+
 - Dynamic configuration updates without restarts
 - Automatic HTTPS with Let's Encrypt and ZeroSSL
 - DNS challenge support for wildcard certificates
@@ -437,6 +454,7 @@ export const useProxyHosts = () => {
 - Request logging and metrics
 
 **Configuration Flow:**
+
 1. User creates proxy host via frontend
 2. Backend validates and saves to database
 3. Caddy Manager generates JSON configuration
@@ -461,12 +479,14 @@ For each proxy host, Charon generates **two routes** with the same domain:
    - Handlers: Full Cerberus security suite
 
 This pattern is **intentional and valid**:
+
 - Emergency route provides break-glass access to security controls
 - Main route protects application with enterprise security features
 - Caddy processes routes in order (emergency matches first)
 - Validator allows duplicate hosts when one has paths and one doesn't
 
 **Example:**
+
 ```json
 // Emergency Route (evaluated first)
 {
@@ -488,6 +508,7 @@ This pattern is **intentional and valid**:
 **Purpose:** Persistent data storage
 
 **Why SQLite:**
+
 - Embedded (no external database server)
 - Serverless (perfect for single-user/small team)
 - ACID compliant with WAL mode
@@ -495,16 +516,19 @@ This pattern is **intentional and valid**:
 - Backup-friendly (single file)
 
 **Configuration:**
+
 - **WAL Mode:** Allows concurrent reads during writes
 - **Foreign Keys:** Enforced referential integrity
 - **Pragma Settings:** Performance optimizations
 
 **Backup Strategy:**
+
 - Automated daily backups to `data/backups/`
 - Retention: 7 daily, 4 weekly, 12 monthly backups
 - Backup during low-traffic periods
 
 **Migrations:**
+
 - GORM AutoMigrate for schema changes
 - Manual migrations for complex data transformations
 - Rollback support via backup restoration
@@ -537,6 +561,7 @@ graph LR
 **Purpose:** Prevent brute-force attacks and API abuse
 
 **Implementation:**
+
 - Per-IP request counters with sliding window
 - Configurable thresholds (e.g., 100 req/min, 1000 req/hour)
 - HTTP 429 response when limit exceeded
@@ -547,12 +572,15 @@ graph LR
 **Purpose:** Behavior-based threat detection
 
 **Features:**
+
 - Local log analysis (brute-force, port scans, exploits)
 - Global threat intelligence (crowd-sourced IP reputation)
 - Automatic IP banning with configurable duration
 - Decision management API (view, create, delete bans)
+- IP whitelist management: operators add/remove IPs and CIDRs via the management UI; entries are persisted in SQLite and regenerated into a `crowdsecurity/whitelists` parser YAML on every mutating operation and at startup
 
 **Modes:**
+
 - **Local Only:** No external API calls
 - **API Mode:** Sync with CrowdSec cloud for global intelligence
 
@@ -561,12 +589,14 @@ graph LR
 **Purpose:** IP-based access control
 
 **Features:**
+
 - Per-proxy-host allow/deny rules
 - CIDR range support (e.g., `192.168.1.0/24`)
 - Geographic blocking via GeoIP2 (MaxMind)
 - Admin whitelist (emergency access)
 
 **Evaluation Order:**
+
 1. Check admin whitelist (always allow)
 2. Check deny list (explicit block)
 3. Check allow list (explicit allow)
@@ -579,6 +609,7 @@ graph LR
 **Engine:** Coraza with OWASP Core Rule Set (CRS)
 
 **Detection Categories:**
+
 - SQL Injection (SQLi)
 - Cross-Site Scripting (XSS)
 - Remote Code Execution (RCE)
@@ -587,12 +618,14 @@ graph LR
 - Command Injection
 
 **Modes:**
+
 - **Monitor:** Log but don't block (testing)
 - **Block:** Return HTTP 403 for violations
 
 ### Layer 5: Application Security
 
 **Additional Protections:**
+
 - **SSRF Prevention:** Block requests to private IP ranges in webhooks/URL validation
 - **HTTP Security Headers:** CSP, HSTS, X-Frame-Options, X-Content-Type-Options
 - **Input Validation:** Server-side validation for all user inputs
@@ -610,6 +643,7 @@ graph LR
 3. **Direct Database Access:** Manual SQLite update as last resort
 
 **Emergency Token:**
+
 - 64-character hex token set via `CHARON_EMERGENCY_TOKEN`
 - Grants temporary admin access
 - Rotated after each use
@@ -635,6 +669,7 @@ Charon operates with **two distinct traffic flows** on separate ports, each with
 - **Testing:** Playwright E2E tests verify UI/UX functionality on this port
 
 **Why No Middleware?**
+
 - Management interface must remain accessible even when security modules are misconfigured
 - Emergency endpoints (`/api/v1/emergency/*`) require unrestricted access for system recovery
 - Separation of concerns: admin access control is handled by JWT, not proxy-level security
@@ -797,6 +832,7 @@ sequenceDiagram
 **Rationale:** Simplicity over scalability - target audience is home users and small teams
 
 **Container Contents:**
+
 - Frontend static files (Vite build output)
 - Go backend binary
 - Embedded Caddy server
@@ -911,11 +947,13 @@ services:
 ### High Availability Considerations
 
 **Current Limitations:**
+
 - SQLite does not support clustering
 - Single point of failure (one container)
 - Not designed for horizontal scaling
 
 **Future Options:**
+
 - PostgreSQL backend for HA deployments
 - Read replicas for load balancing
 - Container orchestration (Kubernetes, Docker Swarm)
@@ -927,6 +965,7 @@ services:
 ### Local Development Setup
 
 1. **Prerequisites:**
+
    ```bash
    - Go 1.26+ (backend development)
    - Node.js 23+ and npm (frontend development)
@@ -935,12 +974,14 @@ services:
    ```
 
 2. **Clone Repository:**
+
    ```bash
    git clone https://github.com/Wikid82/Charon.git
    cd Charon
    ```
 
 3. **Backend Development:**
+
    ```bash
    cd backend
    go mod download
@@ -949,6 +990,7 @@ services:
    ```
 
 4. **Frontend Development:**
+
    ```bash
    cd frontend
    npm install
@@ -957,6 +999,7 @@ services:
    ```
 
 5. **Full-Stack Development (Docker):**
+
    ```bash
    docker-compose -f .docker/compose/docker-compose.dev.yml up
    # Frontend + Backend + Caddy in one container
@@ -965,12 +1008,14 @@ services:
 ### Git Workflow
 
 **Branch Strategy:**
+
 - `main`: Stable production branch
 - `feature/*`: New feature development
 - `fix/*`: Bug fixes
 - `chore/*`: Maintenance tasks
 
 **Commit Convention:**
+
 - `feat:` New user-facing feature
 - `fix:` Bug fix in application code
 - `chore:` Infrastructure, CI/CD, dependencies
@@ -979,6 +1024,7 @@ services:
 - `test:` Adding or updating tests
 
 **Example:**
+
 ```
 feat: add DNS-01 challenge support for Cloudflare
 
@@ -1031,6 +1077,7 @@ Closes #123
 **Purpose:** Validate critical user flows in a real browser
 
 **Scope:**
+
 - User authentication
 - Proxy host CRUD operations
 - Certificate provisioning
@@ -1038,6 +1085,7 @@ Closes #123
 - Real-time log streaming
 
 **Execution:**
+
 ```bash
 # Run against Docker container
 npx playwright test --project=chromium
@@ -1050,10 +1098,12 @@ npx playwright test --debug
 ```
 
 **Coverage Modes:**
+
 - **Docker Mode:** Integration testing, no coverage (0% reported)
 - **Vite Dev Mode:** Coverage collection with V8 inspector
 
 **Why Two Modes?**
+
 - Playwright coverage requires source maps and raw source files
 - Docker serves pre-built production files (no source maps)
 - Vite dev server exposes source files for coverage instrumentation
@@ -1067,6 +1117,7 @@ npx playwright test --debug
 **Coverage Target:** 85% minimum
 
 **Execution:**
+
 ```bash
 # Run all tests
 go test ./...
@@ -1079,11 +1130,13 @@ go test -cover ./...
 ```
 
 **Test Organization:**
+
 - `*_test.go` files alongside source code
 - Table-driven tests for comprehensive coverage
 - Mocks for external dependencies (database, HTTP clients)
 
 **Example:**
+
 ```go
 func TestCreateProxyHost(t *testing.T) {
     tests := []struct {
@@ -1123,6 +1176,7 @@ func TestCreateProxyHost(t *testing.T) {
 **Coverage Target:** 85% minimum
 
 **Execution:**
+
 ```bash
 # Run all tests
 npm test
@@ -1135,6 +1189,7 @@ npm run test:coverage
 ```
 
 **Test Organization:**
+
 - `*.test.tsx` files alongside components
 - Mock API calls with MSW (Mock Service Worker)
 - Snapshot tests for UI consistency
@@ -1146,12 +1201,14 @@ npm run test:coverage
 **Location:** `backend/integration/`
 
 **Scope:**
+
 - API endpoint end-to-end flows
 - Database migrations
 - Caddy manager integration
 - CrowdSec API calls
 
 **Execution:**
+
 ```bash
 go test ./integration/...
 ```
@@ -1161,6 +1218,7 @@ go test ./integration/...
 **Automated Hooks (via `.pre-commit-config.yaml`):**
 
 **Fast Stage (< 5 seconds):**
+
 - Trailing whitespace removal
 - EOF fixer
 - YAML syntax check
@@ -1168,11 +1226,13 @@ go test ./integration/...
 - Markdown link validation
 
 **Manual Stage (run explicitly):**
+
 - Backend coverage tests (60-90s)
 - Frontend coverage tests (30-60s)
 - TypeScript type checking (10-20s)
 
 **Why Manual?**
+
 - Coverage tests are slow and would block commits
 - Developers run them on-demand before pushing
 - CI enforces coverage on pull requests
@@ -1180,10 +1240,12 @@ go test ./integration/...
 ### Continuous Integration (GitHub Actions)
 
 **Workflow Triggers:**
+
 - `push` to `main`, `feature/*`, `fix/*`
 - `pull_request` to `main`
 
 **CI Jobs:**
+
 1. **Lint:** golangci-lint, ESLint, markdownlint, hadolint
 2. **Test:** Go tests, Vitest, Playwright
 3. **Security:** Trivy, CodeQL, Grype, Govulncheck
@@ -1205,6 +1267,7 @@ go test ./integration/...
 - **PRERELEASE:** `-beta.1`, `-rc.1`, etc.
 
 **Examples:**
+
 - `1.0.0` - Stable release
 - `1.1.0` - New feature (DNS provider support)
 - `1.1.1` - Bug fix (GORM query fix)
@@ -1215,12 +1278,14 @@ go test ./integration/...
 ### Build Pipeline (Multi-Platform)
 
 **Platforms Supported:**
+
 - `linux/amd64`
 - `linux/arm64`
 
 **Build Process:**
 
 1. **Frontend Build:**
+
    ```bash
    cd frontend
    npm ci --only=production
@@ -1229,6 +1294,7 @@ go test ./integration/...
    ```
 
 2. **Backend Build:**
+
    ```bash
    cd backend
    go build -o charon cmd/api/main.go
@@ -1236,6 +1302,7 @@ go test ./integration/...
    ```
 
 3. **Docker Image Build:**
+
    ```bash
    docker buildx build \
      --platform linux/amd64,linux/arm64 \
@@ -1259,6 +1326,14 @@ go test ./integration/...
 9. **Release Notes:** Generate changelog from commits
 10. **Notify:** Send release notification (Discord, email)
 
+**Mandatory rollout gates (sign-off block):**
+
+1. Digest freshness and index digest parity across GHCR and Docker Hub
+2. Per-arch digest parity across GHCR and Docker Hub
+3. SBOM and vulnerability scans against immutable refs (`image@sha256:...`)
+4. Artifact freshness timestamps after push
+5. Evidence block with required rollout verification fields
+
 ### Supply Chain Security
 
 **Components:**
@@ -1284,6 +1359,7 @@ go test ./integration/...
    - Level: SLSA Build L3 (hermetic builds)
 
 **Verification Example:**
+
 ```bash
 # Verify image signature
 cosign verify \
@@ -1292,15 +1368,16 @@ cosign verify \
   wikid82/charon:latest
 
 # Inspect SBOM
-syft wikid82/charon:latest -o json
+syft ghcr.io/wikid82/charon@sha256:<index-digest> -o json
 
 # Scan for vulnerabilities
-grype wikid82/charon:latest
+grype ghcr.io/wikid82/charon@sha256:<index-digest>
 ```
 
 ### Rollback Strategy
 
 **Container Rollback:**
+
 ```bash
 # List available versions
 docker images wikid82/charon
@@ -1311,6 +1388,7 @@ docker-compose up -d --pull always wikid82/charon:1.1.1
 ```
 
 **Database Rollback:**
+
 ```bash
 # Restore from backup
 docker exec charon /app/scripts/restore-backup.sh \
@@ -1333,8 +1411,8 @@ docker exec charon /app/scripts/restore-backup.sh \
    - Future: Dynamic plugin loading for custom providers
 
 2. **Notification Channels:**
-   - Shoutrrr provides 40+ channels (Discord, Slack, Email, etc.)
-   - Custom channels via Shoutrrr service URLs
+    - Current rollout is Discord-only for notifications
+    - Additional services are enabled later in validated phases
 
 3. **Authentication Providers:**
    - Current: Local database authentication
@@ -1347,11 +1425,13 @@ docker exec charon /app/scripts/restore-backup.sh \
 ### API Extensibility
 
 **REST API Design:**
+
 - Version prefix: `/api/v1/`
 - Future versions: `/api/v2/` (backward-compatible)
 - Deprecation policy: 2 major versions supported
 
 **WebHooks (Future):**
+
 - Event notifications for external systems
 - Triggers: Proxy host created, certificate renewed, security event
 - Payload: JSON with event type and data
@@ -1361,6 +1441,7 @@ docker exec charon /app/scripts/restore-backup.sh \
 **Current:** Cerberus security middleware injected into Caddy pipeline
 
 **Future:**
+
 - User-defined middleware (rate limiting rules, custom headers)
 - JavaScript/Lua scripting for request transformation
 - Plugin marketplace for community contributions
@@ -1444,6 +1525,7 @@ docker exec charon /app/scripts/restore-backup.sh \
 **GitHub Copilot Instructions:**
 
 All agents (`Planning`, `Backend_Dev`, `Frontend_Dev`, `DevOps`) must reference `ARCHITECTURE.md` when:
+
 - Creating new components
 - Modifying core systems
 - Changing integration points

CHANGELOG.md

@@ -7,17 +7,55 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- **CrowdSec Dashboard**: Visual analytics for CrowdSec security data within the Security section
+  - Summary cards showing total bans, active bans, unique IPs, and top scenario
+  - Interactive charts: ban timeline (area), top attacking IPs (bar), scenario breakdown (pie)
+  - Configurable time range selector (1h, 6h, 24h, 7d, 30d)
+  - Active decisions table with IP, scenario, duration, type, and time remaining
+  - Alerts feed with pagination sourced from CrowdSec LAPI
+  - CSV and JSON export for decisions data
+  - Server-side caching (30–60s TTL) for fast dashboard loads
+  - Full i18n support across all 5 locales (en, de, fr, es, zh)
+  - Keyboard navigable, screen-reader compatible (WCAG 2.2 AA)
+
+- **Notifications:** Added Ntfy notification provider with support for self-hosted and cloud instances, optional Bearer token authentication, and JSON template customization
+
+- **Certificate Deletion**: Clean up expired and unused certificates directly from the Certificates page
+  - Expired Let's Encrypt certificates not attached to any proxy host can now be deleted
+  - Custom and staging certificates remain deletable when not in use
+  - In-use certificates show a disabled delete button with a tooltip explaining why
+  - Native browser confirmation replaced with an accessible, themed confirmation dialog
+
+- **Pushover Notification Provider**: Send push notifications to your devices via the Pushover app
+  - Supports JSON templates (minimal, detailed, custom)
+  - Application API Token stored securely — never exposed in API responses
+  - User Key stored in the URL field, following the same pattern as Telegram
+  - Feature flag: `feature.notifications.service.pushover.enabled` (on by default)
+  - Emergency priority (2) is intentionally unsupported — deferred to a future release
+
+- **Slack Notification Provider**: Send alerts to Slack channels via Incoming Webhooks
+  - Supports JSON templates (minimal, detailed, custom) with Slack's native `text` format
+  - Webhook URL stored securely — never exposed in API responses
+  - Optional channel display name for easy identification in provider list
+  - Feature flag: `feature.notifications.service.slack.enabled` (on by default)
+  - See [Notification Guide](docs/features/notifications.md) for setup instructions
+
 ### CI/CD
+
 - **Supply Chain**: Optimized verification workflow to prevent redundant builds
   - Change: Removed direct Push/PR triggers; now waits for 'Docker Build' via `workflow_run`
 
 ### Security
+
 - **Supply Chain**: Enhanced PR verification workflow stability and accuracy
   - **Vulnerability Reporting**: Eliminated false negatives ("0 vulnerabilities") by enforcing strict failure conditions
   - **Tooling**: Switched to manual Grype installation ensuring usage of latest stable binary
   - **Observability**: Improved debugging visibility for vulnerability scans and SARIF generation
 
 ### Performance
+
 - **E2E Tests**: Reduced feature flag API calls by 90% through conditional polling optimization (Phase 2)
   - Conditional skip: Exits immediately if flags already in expected state (~50% of cases)
   - Request coalescing: Shares in-flight API requests between parallel test workers
@@ -29,8 +67,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - Prevents timeout errors in Firefox/WebKit caused by strict label matching
 
 ### Fixed
+
+- **Notifications:** Fixed Pushover token-clearing bug where tokens were silently stripped on provider create/update
+- **TCP Monitor Creation**: Fixed misleading form UX that caused silent HTTP 500 errors when creating TCP monitors
+  - Corrected URL placeholder to show `host:port` format instead of the incorrect `tcp://host:port` prefix
+  - Added dynamic per-type placeholder and helper text (HTTP monitors show a full URL example; TCP monitors show `host:port`)
+  - Added client-side validation that blocks form submission when a scheme prefix (e.g. `tcp://`) is detected, with an inline error message
+  - Reordered form fields so the monitor type selector appears above the URL input, making the dynamic helper text immediately relevant
+  - i18n: Added 5 new translation keys across en, de, fr, es, and zh locales
+- **CI: Rate Limit Integration Tests**: Hardened test script reliability — login now validates HTTP status, Caddy admin API readiness gated on `/config/` poll, security config failures are fatal with full diagnostics, and poll interval increased to 5s
+- **CI: Rate Limit Integration Tests**: Removed stale GeoIP database SHA256 checksum from Dockerfile non-CI path (hash was perpetually stale due to weekly upstream updates)
+- **CI: Rate Limit Integration Tests**: Fixed Caddy admin API debug dump URL to use canonical trailing slash in workflow
 - Fixed: Added robust validation and debug logging for Docker image tags to prevent invalid reference errors.
 - Fixed: Removed log masking for image references and added manifest validation to debug CI failures.
+- **Proxy Hosts**: Fixed ACL and Security Headers dropdown selections so create/edit saves now keep the selected values (including clearing to none) after submit and reload.
 - **CI**: Fixed Docker image reference output so integration jobs never pull an empty image ref
 - **E2E Test Reliability**: Resolved test timeout issues affecting CI/CD pipeline stability
   - Fixed config reload overlay blocking test interactions
@@ -40,6 +90,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **Test Performance**: Reduced system settings test execution time by 31% (from 23 minutes to 16 minutes)
 
 ### Changed
+
 - **Testing Infrastructure**: Enhanced E2E test helpers with better synchronization and error handling
 - **CI**: Optimized E2E workflow shards [Reduced from 4 to 3]
 

CONTRIBUTING.md

@@ -33,7 +33,17 @@ This project follows a Code of Conduct that all contributors are expected to adh
 
 ### Development Tools
 
-Install golangci-lint for pre-commit hooks (required for Go development):
+Install golangci-lint for lefthook pre-commit-phase hooks (required for Go development):
+
+Also install lefthook itself so the git hooks work:
+
+```bash
+# Option 1: Homebrew (macOS/Linux)
+brew install lefthook
+
+# Option 2: Go install
+go install github.com/evilmartians/lefthook@latest
+```
 
 ```bash
 # Option 1: Homebrew (macOS/Linux)
@@ -59,7 +69,7 @@ golangci-lint --version
 # Should output: golangci-lint has version 1.xx.x ...
 ```
 
-**Note:** Pre-commit hooks will **BLOCK commits** if golangci-lint finds issues. This is intentional - fix the issues before committing.
+**Note:** Lefthook pre-commit-phase hooks will **BLOCK commits** if golangci-lint finds issues. This is intentional - fix the issues before committing.
 
 ### CI/CD Go Version Management
 
@@ -72,19 +82,22 @@ For local development, install go 1.26.0+ from [go.dev/dl](https://go.dev/dl/).
 When the project's Go version is updated (usually by Renovate):
 
 1. **Pull the latest changes**
+
    ```bash
    git pull
    ```
 
 2. **Update your local Go installation**
+
    ```bash
    # Run the Go update skill (downloads and installs the new version)
    .github/skills/scripts/skill-runner.sh utility-update-go-version
    ```
 
 3. **Rebuild your development tools**
+
    ```bash
-   # This fixes pre-commit hook errors and IDE issues
+   # This fixes lefthook hook errors and IDE issues
    ./scripts/rebuild-go-tools.sh
    ```
 
@@ -104,7 +117,7 @@ Rebuilding tools with `./scripts/rebuild-go-tools.sh` fixes this by compiling th
 
 **What if I forget?**
 
-Don't worry! The pre-commit hook will detect the version mismatch and automatically rebuild tools for you. You'll see:
+Don't worry! The lefthook pre-commit hook will detect the version mismatch and automatically rebuild tools for you. You'll see:
 
 ```
 ⚠️  golangci-lint Go version mismatch:

Dockerfile

@@ -8,21 +8,49 @@ ARG VCS_REF
 # Set BUILD_DEBUG=1 to build with debug symbols (required for Delve debugging)
 ARG BUILD_DEBUG=0
 
+# ---- Pinned Toolchain Versions ----
+# renovate: datasource=docker depName=golang versioning=docker
+ARG GO_VERSION=1.26.2
+
+# renovate: datasource=docker depName=alpine versioning=docker
+ARG ALPINE_IMAGE=alpine:3.23.4@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11
+
+# ---- Shared CrowdSec Version ----
+# renovate: datasource=github-releases depName=crowdsecurity/crowdsec
+ARG CROWDSEC_VERSION=1.7.7
+# CrowdSec fallback tarball checksum (v${CROWDSEC_VERSION})
+ARG CROWDSEC_RELEASE_SHA256=704e37121e7ac215991441cef0d8732e33fa3b1a2b2b88b53a0bfe5e38f863bd
+
+# ---- Shared Go Security Patches ----
+# renovate: datasource=go depName=github.com/expr-lang/expr
+ARG EXPR_LANG_VERSION=1.17.8
+# renovate: datasource=go depName=golang.org/x/net
+ARG XNET_VERSION=0.53.0
+# renovate: datasource=go depName=github.com/smallstep/certificates
+ARG SMALLSTEP_CERTIFICATES_VERSION=0.30.0
+# renovate: datasource=npm depName=npm
+ARG NPM_VERSION=11.11.1
+
 # Allow pinning Caddy version - Renovate will update this
 # Build the most recent Caddy 2.x release (keeps major pinned under v3).
 # Setting this to '2' tells xcaddy to resolve the latest v2.x tag so we
 # avoid accidentally pulling a v3 major release. Renovate can still update
 # this ARG to a specific v2.x tag when desired.
 ## Try to build the requested Caddy v2.x tag (Renovate can update this ARG).
-## If the requested tag isn't available, fall back to a known-good v2.11.0-beta.2 build.
-ARG CADDY_VERSION=2.11.0-beta.2
+## If the requested tag isn't available, fall back to a known-good v2.11.2 build.
+ARG CADDY_VERSION=2.11.2
+ARG CADDY_CANDIDATE_VERSION=2.11.2
+ARG CADDY_USE_CANDIDATE=0
+ARG CADDY_PATCH_SCENARIO=B
+# renovate: datasource=go depName=github.com/greenpau/caddy-security
+ARG CADDY_SECURITY_VERSION=1.1.62
+# renovate: datasource=go depName=github.com/corazawaf/coraza-caddy
+ARG CORAZA_CADDY_VERSION=2.5.0
 ## When an official caddy image tag isn't available on the host, use a
 ## plain Alpine base image and overwrite its caddy binary with our
 ## xcaddy-built binary in the later COPY step. This avoids relying on
 ## upstream caddy image tags while still shipping a pinned caddy binary.
 ## Alpine 3.23 base to reduce glibc CVE exposure and image size.
-# renovate: datasource=docker depName=alpine versioning=docker
-ARG CADDY_IMAGE=alpine:3.23.3
 
 # ---- Cross-Compilation Helpers ----
 # renovate: datasource=docker depName=tonistiigi/xx
@@ -33,8 +61,7 @@ FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.9.0@sha256:c64defb9ed5a91eacb37f9
 # This fixes 22 HIGH/CRITICAL CVEs in stdlib embedded in Debian's gosu package
 # CVEs fixed: CVE-2023-24531, CVE-2023-24540, CVE-2023-29402, CVE-2023-29404,
 #             CVE-2023-29405, CVE-2024-24790, CVE-2025-22871, and 15 more
-# renovate: datasource=docker depName=golang
-FROM --platform=$BUILDPLATFORM golang:1.26-alpine AS gosu-builder
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS gosu-builder
 COPY --from=xx / /
 
 WORKDIR /tmp/gosu
@@ -65,7 +92,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
 # ---- Frontend Builder ----
 # Build the frontend using the BUILDPLATFORM to avoid arm64 musl Rollup native issues
 # renovate: datasource=docker depName=node
-FROM --platform=$BUILDPLATFORM node:24.13.1-alpine AS frontend-builder
+FROM --platform=$BUILDPLATFORM node:24.15.0-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f AS frontend-builder
 WORKDIR /app/frontend
 
 # Copy frontend package files
@@ -76,9 +103,12 @@ ARG VERSION=dev
 # Make version available to Vite as VITE_APP_VERSION during the frontend build
 ENV VITE_APP_VERSION=${VERSION}
 
-# Set environment to bypass native binary requirement for cross-arch builds
-ENV npm_config_rollup_skip_nodejs_native=1 \
-    ROLLUP_SKIP_NODEJS_NATIVE=1
+# Vite 8: Rolldown native bindings auto-resolved per platform via optionalDependencies
+ARG NPM_VERSION
+# hadolint ignore=DL3017
+RUN apk upgrade --no-cache && \
+    npm install -g npm@${NPM_VERSION} --no-fund --no-audit && \
+    npm cache clean --force
 
 RUN npm ci
 
@@ -88,8 +118,7 @@ RUN --mount=type=cache,target=/app/frontend/node_modules/.cache \
     npm run build
 
 # ---- Backend Builder ----
-# renovate: datasource=docker depName=golang
-FROM --platform=$BUILDPLATFORM golang:1.26-alpine AS backend-builder
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS backend-builder
 # Copy xx helpers for cross-compilation
 COPY --from=xx / /
 
@@ -102,7 +131,7 @@ SHELL ["/bin/ash", "-o", "pipefail", "-c"]
 ARG TARGETPLATFORM
 ARG TARGETARCH
 # hadolint ignore=DL3018
-RUN apk add --no-cache clang lld
+RUN apk add --no-cache git clang lld
 # hadolint ignore=DL3059
 # hadolint ignore=DL3018
 # Install musl (headers + runtime) and gcc for cross-compilation linker
@@ -131,7 +160,7 @@ RUN set -eux; \
 # Note: xx-go install puts binaries in /go/bin/TARGETOS_TARGETARCH/dlv if cross-compiling.
 # We find it and move it to /go/bin/dlv so it's in a consistent location for the next stage.
 # renovate: datasource=go depName=github.com/go-delve/delve
-ARG DLV_VERSION=1.26.0
+ARG DLV_VERSION=1.26.2
 # hadolint ignore=DL3059,DL4006
 RUN CGO_ENABLED=0 xx-go install github.com/go-delve/delve/cmd/dlv@v${DLV_VERSION} && \
     DLV_PATH=$(find /go/bin -name dlv -type f | head -n 1) && \
@@ -191,16 +220,23 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
 # ---- Caddy Builder ----
 # Build Caddy from source to ensure we use the latest Go version and dependencies
 # This fixes vulnerabilities found in the pre-built Caddy images (e.g. CVE-2025-59530, stdlib issues)
-# renovate: datasource=docker depName=golang
-FROM --platform=$BUILDPLATFORM golang:1.26-alpine AS caddy-builder
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS caddy-builder
 ARG TARGETOS
 ARG TARGETARCH
 ARG CADDY_VERSION
+ARG CADDY_CANDIDATE_VERSION
+ARG CADDY_USE_CANDIDATE
+ARG CADDY_PATCH_SCENARIO
+ARG CADDY_SECURITY_VERSION
+ARG CORAZA_CADDY_VERSION
 # renovate: datasource=go depName=github.com/caddyserver/xcaddy
 ARG XCADDY_VERSION=0.4.5
+ARG EXPR_LANG_VERSION
+ARG XNET_VERSION
+ARG SMALLSTEP_CERTIFICATES_VERSION
 
 # hadolint ignore=DL3018
-RUN apk add --no-cache git
+RUN apk add --no-cache bash git
 # hadolint ignore=DL3062
 RUN --mount=type=cache,target=/go/pkg/mod \
     go install github.com/caddyserver/xcaddy/cmd/xcaddy@v${XCADDY_VERSION}
@@ -212,13 +248,20 @@ RUN --mount=type=cache,target=/go/pkg/mod \
 # hadolint ignore=SC2016
 RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg/mod \
-    sh -c 'set -e; \
+    bash -c 'set -e; \
+        CADDY_TARGET_VERSION="${CADDY_VERSION}"; \
+        if [ "${CADDY_USE_CANDIDATE}" = "1" ]; then \
+            CADDY_TARGET_VERSION="${CADDY_CANDIDATE_VERSION}"; \
+        fi; \
+        echo "Using Caddy target version: v${CADDY_TARGET_VERSION}"; \
+        echo "Using Caddy patch scenario: ${CADDY_PATCH_SCENARIO}"; \
         export XCADDY_SKIP_CLEANUP=1; \
         echo "Stage 1: Generate go.mod with xcaddy..."; \
         # Run xcaddy to generate the build directory and go.mod
-        GOOS=$TARGETOS GOARCH=$TARGETARCH xcaddy build v${CADDY_VERSION} \
-            --with github.com/greenpau/caddy-security \
-            --with github.com/corazawaf/coraza-caddy/v2 \
+        GOOS=$TARGETOS GOARCH=$TARGETARCH xcaddy build v${CADDY_TARGET_VERSION} \
+            --with github.com/caddyserver/caddy/v2@v${CADDY_TARGET_VERSION} \
+            --with github.com/greenpau/caddy-security@v${CADDY_SECURITY_VERSION} \
+            --with github.com/corazawaf/coraza-caddy/v2@v${CORAZA_CADDY_VERSION} \
             --with github.com/hslatman/caddy-crowdsec-bouncer@v0.10.0 \
             --with github.com/zhangjiayin/caddy-geoip2 \
             --with github.com/mholt/caddy-ratelimit \
@@ -235,16 +278,55 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
         # Patch ALL dependencies BEFORE building the final binary
         # These patches fix CVEs in transitive dependencies
         # Renovate tracks these via regex manager in renovate.json
-        # renovate: datasource=go depName=github.com/expr-lang/expr
-        go get github.com/expr-lang/expr@v1.17.7; \
+        go get github.com/expr-lang/expr@v${EXPR_LANG_VERSION}; \
         # renovate: datasource=go depName=github.com/hslatman/ipstore
         go get github.com/hslatman/ipstore@v0.4.0; \
-        # NOTE: smallstep/certificates (pulled by caddy-security stack) currently
-        # uses legacy nebula APIs removed in nebula v1.10+, which causes compile
-        # failures in authority/provisioner. Keep this pinned to a known-compatible
-        # v1.9.x release until upstream stack supports nebula v1.10+.
-        # renovate: datasource=go depName=github.com/slackhq/nebula
-        go get github.com/slackhq/nebula@v1.9.7; \
+        go get golang.org/x/net@v${XNET_VERSION}; \
+        # CVE-2026-33186: gRPC-Go auth bypass (fixed in v1.79.3)
+        # CVE-2026-34986: go-jose/v4 transitive fix (requires grpc >= v1.80.0)
+        # Pin here so the Caddy binary is patched immediately;
+        # remove once Caddy ships a release built with grpc >= v1.80.0.
+        # renovate: datasource=go depName=google.golang.org/grpc
+        go get google.golang.org/grpc@v1.80.0; \
+        # CVE-2026-34986: go-jose JOSE/JWT validation bypass
+        # renovate: datasource=go depName=github.com/go-jose/go-jose/v3
+        go get github.com/go-jose/go-jose/v3@v3.0.5; \
+        # renovate: datasource=go depName=github.com/go-jose/go-jose/v4
+        go get github.com/go-jose/go-jose/v4@v4.1.4; \
+        # CVE-2026-39883: OTel SDK resource leak
+        # renovate: datasource=go depName=go.opentelemetry.io/otel/sdk
+        go get go.opentelemetry.io/otel/sdk@v1.43.0; \
+        # CVE-2026-39882: OTel HTTP exporter request smuggling
+        # renovate: datasource=go depName=go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp
+        go get go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp@v0.19.0; \
+        # renovate: datasource=go depName=go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp
+        go get go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v1.43.0; \
+        # renovate: datasource=go depName=go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
+        go get go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v1.43.0; \
+        # GHSA-479m-364c-43vc: goxmldsig XML signature validation bypass (loop variable capture)
+        # Fix available at v1.6.0. Pin here so the Caddy binary is patched immediately;
+        # remove once caddy-security ships a release built with goxmldsig >= v1.6.0.
+        # renovate: datasource=go depName=github.com/russellhaering/goxmldsig
+        go get github.com/russellhaering/goxmldsig@v1.6.0; \
+        # CVE-2026-30836: smallstep/certificates 0.30.0-rc3 vulnerability
+        # Fix available at v0.30.0. Pin here so the Caddy binary is patched immediately;
+        # remove once caddy-security ships a release built with smallstep/certificates >= v0.30.0.
+        go get github.com/smallstep/certificates@v${SMALLSTEP_CERTIFICATES_VERSION}; \
+        if [ "${CADDY_PATCH_SCENARIO}" = "A" ]; then \
+            # Rollback scenario: keep explicit nebula pin if upstream compatibility regresses.
+            # NOTE: smallstep/certificates (pulled by caddy-security stack) currently
+            # uses legacy nebula APIs removed in nebula v1.10+, which causes compile
+            # failures in authority/provisioner. Keep this pinned to a known-compatible
+            # v1.9.x release until upstream stack supports nebula v1.10+.
+            # renovate: datasource=go depName=github.com/slackhq/nebula
+            go get github.com/slackhq/nebula@v1.9.7; \
+        elif [ "${CADDY_PATCH_SCENARIO}" = "B" ] || [ "${CADDY_PATCH_SCENARIO}" = "C" ]; then \
+            # Default PR-2 posture: retire explicit nebula pin and use upstream resolution.
+            echo "Skipping nebula pin for scenario ${CADDY_PATCH_SCENARIO}"; \
+        else \
+            echo "Unsupported CADDY_PATCH_SCENARIO=${CADDY_PATCH_SCENARIO}"; \
+            exit 1; \
+        fi; \
         # Clean up go.mod and ensure all dependencies are resolved
         go mod tidy; \
         echo "Dependencies patched successfully"; \
@@ -263,10 +345,9 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
         rm -rf /tmp/buildenv_* /tmp/caddy-initial'
 
 # ---- CrowdSec Builder ----
-# Build CrowdSec from source to ensure we use Go 1.26.0+ and avoid stdlib vulnerabilities
+# Build CrowdSec from source to ensure we use Go 1.26.2+ and avoid stdlib vulnerabilities
 # (CVE-2025-58183, CVE-2025-58186, CVE-2025-58187, CVE-2025-61729)
-# renovate: datasource=docker depName=golang versioning=docker
-FROM --platform=$BUILDPLATFORM golang:1.26.0-alpine AS crowdsec-builder
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS crowdsec-builder
 COPY --from=xx / /
 
 WORKDIR /tmp/crowdsec
@@ -274,11 +355,10 @@ WORKDIR /tmp/crowdsec
 ARG TARGETPLATFORM
 ARG TARGETOS
 ARG TARGETARCH
-# CrowdSec version - Renovate can update this
-# renovate: datasource=github-releases depName=crowdsecurity/crowdsec
-ARG CROWDSEC_VERSION=1.7.6
-# CrowdSec fallback tarball checksum (v${CROWDSEC_VERSION})
-ARG CROWDSEC_RELEASE_SHA256=704e37121e7ac215991441cef0d8732e33fa3b1a2b2b88b53a0bfe5e38f863bd
+ARG CROWDSEC_VERSION
+ARG CROWDSEC_RELEASE_SHA256
+ARG EXPR_LANG_VERSION
+ARG XNET_VERSION
 
 # hadolint ignore=DL3018
 RUN apk add --no-cache git clang lld
@@ -292,10 +372,27 @@ RUN git clone --depth 1 --branch "v${CROWDSEC_VERSION}" https://github.com/crowd
 
 # Patch dependencies to fix CVEs in transitive dependencies
 # This follows the same pattern as Caddy's dependency patches
-# renovate: datasource=go depName=github.com/expr-lang/expr
 # renovate: datasource=go depName=golang.org/x/crypto
-RUN go get github.com/expr-lang/expr@v1.17.7 && \
+RUN go get github.com/expr-lang/expr@v${EXPR_LANG_VERSION} && \
     go get golang.org/x/crypto@v0.46.0 && \
+    go get golang.org/x/net@v${XNET_VERSION} && \
+    # CVE-2026-33186 (GHSA-p77j-4mvh-x3m3): gRPC-Go auth bypass via missing leading slash
+    # Fix available at v1.79.3. Pin here so the CrowdSec binary is patched immediately;
+    # remove once CrowdSec ships a release built with grpc >= v1.79.3.
+    # renovate: datasource=go depName=google.golang.org/grpc
+    go get google.golang.org/grpc@v1.80.0 && \
+    # CVE-2026-32286: pgproto3/v2 buffer overflow (no v2 fix exists; bump pgx/v4 to latest patch)
+    # renovate: datasource=go depName=github.com/jackc/pgx/v4
+    go get github.com/jackc/pgx/v4@v4.18.3 && \
+    # GHSA-xmrv-pmrh-hhx2: AWS SDK v2 event stream injection
+    # renovate: datasource=go depName=github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream
+    go get github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream@v1.7.9 && \
+    # renovate: datasource=go depName=github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs
+    go get github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs@v1.69.1 && \
+    # renovate: datasource=go depName=github.com/aws/aws-sdk-go-v2/service/kinesis
+    go get github.com/aws/aws-sdk-go-v2/service/kinesis@v1.43.6 && \
+    # renovate: datasource=go depName=github.com/aws/aws-sdk-go-v2/service/s3
+    go get github.com/aws/aws-sdk-go-v2/service/s3@v1.99.1 && \
     go mod tidy
 
 # Fix compatibility issues with expr-lang v1.17.7
@@ -325,18 +422,15 @@ RUN mkdir -p /crowdsec-out/config && \
     cp -r config/* /crowdsec-out/config/ || true
 
 # ---- CrowdSec Fallback (for architectures where build fails) ----
-# renovate: datasource=docker depName=alpine versioning=docker
-FROM alpine:3.23.3 AS crowdsec-fallback
+FROM ${ALPINE_IMAGE} AS crowdsec-fallback
 
 SHELL ["/bin/ash", "-o", "pipefail", "-c"]
 
 WORKDIR /tmp/crowdsec
 
 ARG TARGETARCH
-# CrowdSec version - Renovate can update this
-# renovate: datasource=github-releases depName=crowdsecurity/crowdsec
-ARG CROWDSEC_VERSION=1.7.6
-ARG CROWDSEC_RELEASE_SHA256=704e37121e7ac215991441cef0d8732e33fa3b1a2b2b88b53a0bfe5e38f863bd
+ARG CROWDSEC_VERSION
+ARG CROWDSEC_RELEASE_SHA256
 
 # hadolint ignore=DL3018
 RUN apk add --no-cache curl ca-certificates
@@ -365,17 +459,17 @@ RUN set -eux; \
     fi
 
 # ---- Final Runtime with Caddy ----
-FROM ${CADDY_IMAGE}
+FROM ${ALPINE_IMAGE}
 WORKDIR /app
 
 # Install runtime dependencies for Charon, including bash for maintenance scripts
 # Note: gosu is now built from source (see gosu-builder stage) to avoid CVEs from Debian's pre-compiled version
 # Explicitly upgrade packages to fix security vulnerabilities
-# binutils provides objdump for debug symbol detection in docker-entrypoint.sh
 # hadolint ignore=DL3018
 RUN apk add --no-cache \
-    bash ca-certificates sqlite-libs sqlite tzdata curl gettext libcap libcap-utils \
-    c-ares binutils libc-utils busybox-extras
+    bash ca-certificates sqlite-libs sqlite tzdata gettext libcap libcap-utils \
+    c-ares busybox-extras \
+    && apk upgrade --no-cache zlib libcrypto3 libssl3 musl musl-utils
 
 # Copy gosu binary from gosu-builder (built with Go 1.26+ to avoid stdlib CVEs)
 COPY --from=gosu-builder /gosu-out/gosu /usr/sbin/gosu
@@ -392,12 +486,13 @@ SHELL ["/bin/ash", "-o", "pipefail", "-c"]
 # Note: In production, users should provide their own MaxMind license key
 # This uses the publicly available GeoLite2 database
 # In CI, timeout quickly rather than retrying to save build time
-ARG GEOLITE2_COUNTRY_SHA256=86fe00e0272865b8bec79defca2e9fb19ad0cf4458697992e1a37ba89077c13a
+ARG GEOLITE2_COUNTRY_SHA256=62049119bd084e19fff4689bebe258f18a5f27a386e6d26ba5180941b613fc2b
 RUN mkdir -p /app/data/geoip && \
-        if [ -n "$CI" ]; then \
+        if [ "$CI" = "true" ] || [ "$CI" = "1" ]; then \
             echo "⏱️  CI detected - quick download (10s timeout, no retries)"; \
-            if curl -fSL -m 10 "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" \
-                -o /app/data/geoip/GeoLite2-Country.mmdb 2>/dev/null; then \
+            if wget -qO /app/data/geoip/GeoLite2-Country.mmdb \
+                -T 10 "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" 2>/dev/null \
+                && [ -s /app/data/geoip/GeoLite2-Country.mmdb ]; then \
                 echo "✅ GeoIP downloaded"; \
             else \
                 echo "⚠️  GeoIP skipped"; \
@@ -405,16 +500,12 @@ RUN mkdir -p /app/data/geoip && \
             fi; \
         else \
             echo "Local - full download (30s timeout, 3 retries)"; \
-            if curl -fSL -m 30 --retry 3 "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" \
-                -o /app/data/geoip/GeoLite2-Country.mmdb; then \
-                if echo "${GEOLITE2_COUNTRY_SHA256}  /app/data/geoip/GeoLite2-Country.mmdb" | sha256sum -c -; then \
-                    echo "✅ GeoIP checksum verified"; \
-                else \
-                    echo "⚠️  Checksum failed"; \
-                    touch /app/data/geoip/GeoLite2-Country.mmdb.placeholder; \
-                fi; \
+            if wget -qO /app/data/geoip/GeoLite2-Country.mmdb \
+                -T 30 -t 4 "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" \
+                && [ -s /app/data/geoip/GeoLite2-Country.mmdb ]; then \
+                echo "✅ GeoIP downloaded"; \
             else \
-                echo "⚠️  Download failed"; \
+                echo "⚠️  GeoIP download failed or empty — skipping"; \
                 touch /app/data/geoip/GeoLite2-Country.mmdb.placeholder; \
             fi; \
         fi
@@ -425,7 +516,7 @@ COPY --from=caddy-builder /usr/bin/caddy /usr/bin/caddy
 # Allow non-root to bind privileged ports (80/443) securely
 RUN setcap 'cap_net_bind_service=+ep' /usr/bin/caddy
 
-# Copy CrowdSec binaries from the crowdsec-builder stage (built with Go 1.26.0+)
+# Copy CrowdSec binaries from the crowdsec-builder stage (built with Go 1.26.2+)
 # This ensures we don't have stdlib vulnerabilities from older Go versions
 COPY --from=crowdsec-builder /crowdsec-out/crowdsec /usr/local/bin/crowdsec
 COPY --from=crowdsec-builder /crowdsec-out/cscli /usr/local/bin/cscli
@@ -540,21 +631,16 @@ EXPOSE 80 443 443/udp 2019 8080
 
 # Security: Add healthcheck to monitor container health
 # Verifies the Charon API is responding correctly
-HEALTHCHECK --interval=30s --timeout=3s --start-period=40s --retries=3 \
-    CMD curl -f http://localhost:8080/api/v1/health || exit 1
+HEALTHCHECK --interval=30s --timeout=10s --start-period=15s --retries=3 \
+    CMD wget -q -O /dev/null http://localhost:8080/api/v1/health || exit 1
 
 # Create CrowdSec symlink as root before switching to non-root user
 # This symlink allows CrowdSec to use persistent storage at /app/data/crowdsec/config
 # while maintaining the expected /etc/crowdsec path for compatibility
 RUN ln -sf /app/data/crowdsec/config /etc/crowdsec
 
-# Security: Container starts as root to handle Docker socket group permissions,
-# then the entrypoint script drops privileges to the charon user before starting
-# applications. This approach:
-#   1. Maintains CIS Docker Benchmark compliance (non-root execution)
-#   2. Enables Docker integration by dynamically adding charon to docker group
-#   3. Ensures proper ownership of mounted volumes
-# The entrypoint script uses gosu to securely drop privileges after setup.
+# Security: Run the container as non-root by default.
+USER charon
 
 # Use custom entrypoint to start both Caddy and Charon
 ENTRYPOINT ["/docker-entrypoint.sh"]

Makefile

@@ -1,4 +1,4 @@
-.PHONY: help install test build run clean docker-build docker-run release go-check gopls-logs lint-fast lint-staticcheck-only
+.PHONY: help install test build run clean docker-build docker-run release go-check gopls-logs lint-fast lint-staticcheck-only security-local
 
 # Default target
 help:
@@ -22,6 +22,7 @@ help:
 	@echo ""
 	@echo "Security targets:"
 	@echo "  security-scan          - Quick security scan (govulncheck on Go deps)"
+	@echo "  security-local         - Run govulncheck + semgrep (p/golang) locally before push"
 	@echo "  security-scan-full     - Full container scan with Trivy"
 	@echo "  security-scan-deps     - Check for outdated Go dependencies"
 
@@ -145,6 +146,12 @@ security-scan:
 	@echo "Running security scan (govulncheck)..."
 	@./scripts/security-scan.sh
 
+security-local: ## Run govulncheck + semgrep (p/golang) before push — fast local gate
+	@echo "[1/2] Running govulncheck..."
+	@./scripts/security-scan.sh
+	@echo "[2/2] Running Semgrep (p/golang, ERROR+WARNING)..."
+	@SEMGREP_CONFIG=p/golang ./scripts/pre-commit-hooks/semgrep-scan.sh
+
 security-scan-full:
 	@echo "Building local Docker image for security scan..."
 	docker build --build-arg VCS_REF=$(shell git rev-parse HEAD) -t charon:local .

README.md

@@ -1,72 +1,138 @@
 <p align="center">
-  <img src="frontend/public/banner.png" alt="Charon" width="600">
+  <img src="https://raw.githubusercontent.com/Wikid82/Charon/refs/heads/main/frontend/public/banner.webp" alt="Charon" width="350">
 </p>
 
 <h1 align="center">Charon</h1>
 
-<br>
-
 <p align="center">
-  <a href="https://www.repostatus.org/#active"><img src="https://www.repostatus.org/badges/latest/active.svg" alt="Project Status: Active – The project is being actively developed." /></a>
- <a href="https://hub.docker.com/r/wikid82/charon"><img src="https://img.shields.io/docker/pulls/wikid82/charon.svg" alt="Docker Pulls"></a>
-  <a href="https://github.com/users/Wikid82/packages/container/package/charon"><img src="https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/Wikid82/Charon/main/.github/badges/ghcr-downloads.json" alt="GHCR Pulls"></a>
-  <a href="https://github.com/Wikid82/charon/releases"><img src="https://img.shields.io/github/v/release/Wikid82/charon?include_prereleases" alt="Release"></a>
-  <br>
-  <a href="https://codecov.io/gh/Wikid82/Charon" ><img src="https://codecov.io/gh/Wikid82/Charon/branch/main/graph/badge.svg?token=RXSINLQTGE" alt="Code Coverage"/></a>
- <a href="LICENSE"><img src="https://img.shields.io/badge/License-MIT-blue.svg" alt="License: MIT"></a>
-  <a href="SECURITY.md"><img src="https://img.shields.io/badge/Security-Audited-brightgreen.svg" alt="Security: Audited"></a>
-  <br>
-  <a href="https://github.com/Wikid82/Charon/actions/workflows/e2e-tests-split.yml"><img src="https://github.com/Wikid82/Charon/actions/workflows/e2e-tests-split.yml/badge.svg" alt="E2E Tests"></a>
-  <a href="https://github.com/Wikid82/Charon/actions/workflows/cerberus-integration.yml"><img src="https://github.com/Wikid82/Charon/actions/workflows/cerberus-integration.yml/badge.svg" alt="Cerberus Integration"></a><br>
-  <a href="https://github.com/Wikid82/Charon/actions/workflows/crowdsec-integration.yml"><img src="https://github.com/Wikid82/Charon/actions/workflows/crowdsec-integration.yml/badge.svg" alt="CrowdSec Integration"></a>
-  <a href="https://github.com/Wikid82/Charon/actions/workflows/waf-integration.yml"><img src="https://github.com/Wikid82/Charon/actions/workflows/waf-integration.yml/badge.svg" alt="WAF Integration"></a>
-  <a href="https://github.com/Wikid82/Charon/actions/workflows/rate-limit-integration.yml"><img src="https://github.com/Wikid82/Charon/actions/workflows/rate-limit-integration.yml/badge.svg" alt="Rate Limit Integration"></a>
+  <strong>Your server, your rules—without the headaches.</strong>
 </p>
-<br>
-<p align="center"><strong>Your server, your rules—without the headaches.</strong></p>
 
 <p align="center">
-Simply manage multiple websites and self-hosted applications. Click, save, done. No code, no config files, no PhD required.
+  Manage reverse proxies with a clean web interface.<br>
+  No config files. No cryptic syntax. No networking degree required.
+</p>
+
+<p align="center">
+  <a href="https://hub.docker.com/r/wikid82/charon">
+    <img src="https://img.shields.io/docker/pulls/wikid82/charon.svg" alt="Docker Pulls">
+  </a>
+  <a href="https://github.com/Wikid82/charon/releases">
+    <img src="https://img.shields.io/github/v/release/Wikid82/charon?include_prereleases" alt="Latest Release">
+  </a>
+  <a href="LICENSE">
+    <img src="https://img.shields.io/badge/License-MIT-blue.svg" alt="MIT License">
+  </a>
+  <a href="https://discord.gg/Tvzg6BQx">
+    <img src="https://img.shields.io/badge/Community-Discord-5865F2?logo=discord&logoColor=white">
+  </a>
 </p>
 
 ---
 
-## Why Charon?
+## 🚀 Why Charon?
 
-You want your apps accessible online. You don't want to become a networking expert first.
+You want your apps online.
 
-**The problem:** Managing reverse proxies usually means editing config files, memorizing cryptic syntax, and hoping you didn't break everything.
+You don’t want to edit config files or memorize reverse proxy syntax.
 
-**Charon's answer:** A web interface where you click boxes and type domain names. That's it.
+Charon gives you:
 
-- ✅ **Your blog** gets a green lock (HTTPS) automatically
-- ✅ **Your chat server** works without weird port numbers
-- ✅ **Your admin panel** blocks everyone except you
-- ✅ **Everything stays up** even when you make changes
+- ✅ Automatic HTTPS certificates
+- ✅ Clean domain routing
+- ✅ Built-in security protection
+- ✅ One-click Docker app discovery
+- ✅ Live updates without restarts
+- ✅ Zero external dependencies
+
+If you can use a website, you can run Charon.
 
 ---
 
-## 🐕 Cerberus Security Suite
+## 🛡 Built-In Security
 
-### 🕵️‍♂️ **CrowdSec Integration**
+Charon includes security features that normally require multiple tools:
 
-- Protects your applications from attacks using behavior-based detection and automated remediation.
+- Web Application Firewall (WAF)
+- CrowdSec intrusion detection with analytics dashboard
+- Access Control Lists (ACLs)
+- Rate limiting
+- Emergency recovery tools
 
-### 🔐 **Access Control Lists (ACLs)**
+Secure by default. No extra containers required.
 
-- Define fine-grained access rules for your applications, controlling who can access what and under which conditions.
-
-### 🧱 **Web Application Firewall (WAF)**
-
-- Protects your applications from common web vulnerabilities such as SQL injection, XSS, and more using Coraza.
-
-### ⏱️ **Rate Limiting**
-
-- Protect your applications from abuse by limiting the number of requests a user or IP can make within a certain timeframe.
+📖 [Learn more about security →](https://wikid82.github.io/charon/security)
 
 ---
 
-## ✨ Top 10 Features
+## ⚡ Quick Start (5 Minutes)
+
+### 1️⃣ Create `docker-compose.yml`
+
+```yaml
+services:
+  charon:
+    image: wikid82/charon:latest
+    container_name: charon
+    restart: unless-stopped
+    ports:
+      - "80:80"
+      - "443:443"
+      - "443:443/udp"
+      - "8080:8080"
+    volumes:
+      - ./charon-data:/app/data
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    environment:
+      - TZ=America/New_York
+      # Generate with: openssl rand -base64 32
+      - CHARON_ENCRYPTION_KEY=your-32-byte-base64-key
+    healthcheck:
+      test: ["CMD-SHELL", "curl -fsS http://localhost:8080/api/v1/health || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+```
+
+> **Docker Socket Access:** Charon runs as a non-root user. If you mount the Docker socket for container discovery, the container needs permission to read it. Find your socket's group ID and add it to the compose file:
+>
+> ```bash
+> stat -c '%g' /var/run/docker.sock
+> ```
+>
+> Then add `group_add: ["<gid>"]` under your service (replace `<gid>` with the number from the command above). For example, if the result is `998`:
+>
+> ```yaml
+>     group_add:
+>       - "998"
+> ```
+
+### 2️⃣ Generate encryption key
+
+```bash
+openssl rand -base64 32
+```
+
+### 3️⃣ Start Charon
+
+```bash
+docker-compose up -d
+```
+
+### 4️⃣ Access the dashboard
+
+Open your browser and navigate to `http://localhost:8080` to access the dashboard and create your admin account.
+
+```code
+http://localhost:8080
+```
+
+### Getting Started
+
+Full setup instructions and documentation are available at [https://wikid82.github.io/Charon/docs/getting-started.html](https://wikid82.github.io/Charon/docs/getting-started.html).
+
+--- ## ✨ Top 10 Features
 
 ### 🎯 **Point & Click Management**
 
@@ -78,11 +144,11 @@ Free SSL certificates that request, install, and renew themselves. Your sites ge
 
 ### 🌐 **DNS Challenge for Wildcard Certificates**
 
-Secure all your subdomains with a single `*.example.com` certificate. Supports 15+ DNS providers including Cloudflare, Route53, DigitalOcean, and Google Cloud DNS. Credentials are encrypted and automatically rotated.
+Secure all your subdomains with a single *.example.com certificate. Supports 15+ DNS providers including Cloudflare, Route53, DigitalOcean, and Google Cloud DNS. Credentials are encrypted and automatically rotated.
 
 ### 🛡️ **Enterprise-Grade Security Built In**
 
-Web Application Firewall, rate limiting, geographic blocking, access control lists, and intrusion detection via CrowdSec. Protection that "just works."
+Web Application Firewall, rate limiting, geographic blocking, access control lists, and intrusion detection via CrowdSec—with a built-in analytics dashboard showing attack trends, top offenders, and ban history. Protection that "just works."
 
 ### 🔐 **Supply Chain Security**
 
@@ -102,15 +168,14 @@ See exactly what's happening with live request logs, uptime monitoring, and inst
 
 ### 📥 **Migration Made Easy**
 
-Import your existing configurations with one click:
+Already invested in another reverse proxy? Bring your work with you by importing your existing configurations with one click:
+
 - **Caddyfile** — Migrate from other Caddy setups
 - **Nginx** — Import from Nginx based configurations (Coming Soon)
 - **Traefik** - Import from Traefik based configurations (Coming Soon)
-- **CrowdSec** - Import from CrowdSec configurations (WIP)
+- **CrowdSec** - Import from CrowdSec configurations
 - **JSON Import** — Restore from Charon backups or generic JSON configs
 
-Already invested in another reverse proxy? Bring your work with you.
-
 ### ⚡ **Live Configuration Changes**
 
 Update domains, add security rules, or modify settings instantly—no container restarts needed.* Your sites stay up while you make changes.
@@ -125,498 +190,22 @@ One Docker container. No databases to install. No external services required. No
 
 ### 💯 **100% Free & Open Source**
 
-No premium tiers. No feature paywalls. No usage limits. Everything you see is yours to use, forever, backed by the MIT license.
+No premium tiers. No feature paywalls. No usage limits. Everything you see is yours to use, forever, backed by the MIT license. <sup>* Note: Initial security engine setup (CrowdSec) requires a one-time container restart to initialize the protection layer. All subsequent changes happen live.</sup> **
 
-<sup>* Note: Initial security engine setup (CrowdSec) requires a one-time container restart to initialize the protection layer. All subsequent changes happen live.</sup>
+[Explore All Features →](https://github.com/Wikid82/Charon/blob/main/docs/features.md)**
 
-**[Explore All Features →](https://wikid82.github.io/charon/features)**
+---
+💬 Support
+<p align="center">   <a href="https://github.com/Wikid82/Charon/issues">
+    <img alt="GitHub issues"
+         src="https://img.shields.io/github/issues/Wikid82/Charon"><a href="https://github.com/Wikid82/Charon/issues/new/choose"> <img src="https://img.shields.io/badge/Support-Open%20Issue-blue?logo=github"> </a> <a href="https://discord.gg/Tvzg6BQx"> <img src="https://img.shields.io/badge/Community-Discord-5865F2?logo=discord&logoColor=white"> </a> </p>
 
 ---
 
-## Quick Start
+❤️ Free & Open Source
 
-### Container Registries
+Charon is 100% free and open source under the MIT License.
 
-Charon is available from two container registries:
+No premium tiers. No locked features. No usage limits.
 
-**Docker Hub (Recommended):**
-
-```bash
-docker pull wikid82/charon:latest
-```
-
-**GitHub Container Registry:**
-
-```bash
-docker pull ghcr.io/wikid82/charon:latest
-```
-
-### Docker Compose (Recommended)
-
-Save this as `docker-compose.yml`:
-
-```yaml
-services:
-  charon:
-    # Docker Hub (recommended)
-    image: wikid82/charon:latest
-    # Alternative: GitHub Container Registry
-    # image: ghcr.io/wikid82/charon:latest
-    container_name: charon
-    restart: unless-stopped
-    ports:
-      - "80:80"
-      - "443:443"
-      - "443:443/udp"
-      - "8080:8080"
-    volumes:
-      - ./charon-data:/app/data
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-    environment:
-      - CHARON_ENV=production
-      # Generate with: openssl rand -base64 32
-      - CHARON_ENCRYPTION_KEY=your-32-byte-base64-key-here
-
-```
-
-**Using Nightly Builds:**
-
-To test the latest nightly build (automated daily at 02:00 UTC):
-
-```yaml
-services:
-  charon:
-    # Docker Hub
-    image: wikid82/charon:nightly
-    # Alternative: GitHub Container Registry
-    # image: ghcr.io/wikid82/charon:nightly
-    # ... rest of configuration
-```
-
-> **Note:** Nightly builds are for testing and may contain experimental features. Use `latest` for production.
-
-Then run:
-
-```bash
-docker-compose up -d
-```
-
-### Docker Run (One-Liner)
-
-**Stable Release (Docker Hub):**
-
-```bash
-docker run -d \
-  --name charon \
-  -p 80:80 \
-  -p 443:443 \
-  -p 443:443/udp \
-  -p 8080:8080 \
-  -v ./charon-data:/app/data \
-  -v /var/run/docker.sock:/var/run/docker.sock:ro \
-  -e CHARON_ENV=production \
-  -e CHARON_ENCRYPTION_KEY=your-32-byte-base64-key-here \
-  wikid82/charon:latest
-```
-
-**Stable Release (GitHub Container Registry):**
-
-```bash
-docker run -d \
-  --name charon \
-  -p 80:80 \
-  -p 443:443 \
-  -p 443:443/udp \
-  -p 8080:8080 \
-  -v ./charon-data:/app/data \
-  -v /var/run/docker.sock:/var/run/docker.sock:ro \
-  -e CHARON_ENV=production \
-  -e CHARON_ENCRYPTION_KEY=your-32-byte-base64-key-here \
-  ghcr.io/wikid82/charon:latest
-```
-
-**Nightly Build (Testing - Docker Hub):**
-
-```bash
-docker run -d \
-  --name charon \
-  -p 80:80 \
-  -p 443:443 \
-  -p 443:443/udp \
-  -p 8080:8080 \
-  -v ./charon-data:/app/data \
-  -v /var/run/docker.sock:/var/run/docker.sock:ro \
-  -e CHARON_ENV=production \
-  -e CHARON_ENCRYPTION_KEY=your-32-byte-base64-key-here \
-  wikid82/charon:nightly
-```
-
-> **Note:** Nightly builds include the latest development features and are rebuilt daily at 02:00 UTC. Use for testing only. Also available via GHCR: `ghcr.io/wikid82/charon:nightly`
-
-### What Just Happened?
-
-1. Charon downloaded and started
-2. The web interface opened on port 8080
-3. Your websites will use ports 80 (HTTP) and 443 (HTTPS)
-
-**Open <http://localhost:8080>** and start adding your websites!
-
-### Requirements
-
-**Server:**
-
-- Docker 20.10+ or Docker Compose V2
-- Linux, macOS, or Windows with WSL2
-
-**Browser:**
-
-- Tested with React 19.2.3
-- Compatible with modern browsers:
-  - Chrome/Edge 90+
-  - Firefox 88+
-  - Safari 14+
-  - Opera 76+
-
-> **Note:** If you encounter errors after upgrading, try a hard refresh (`Ctrl+Shift+R`) or clearing your browser cache. See [Troubleshooting Guide](docs/troubleshooting/react-production-errors.md) for details.
-
-### Development Setup
-
-**Requirements:**
-
-- **go 1.26.0+** — Download from [go.dev/dl](https://go.dev/dl/)
-- **Node.js 20+** and npm
-- Docker 20.10+
-
-**Install golangci-lint** (for contributors): `go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest`
-
-**GORM Security Scanner:** Charon includes an automated security scanner that detects GORM vulnerabilities (ID leaks, exposed secrets, DTO embedding issues). Runs automatically in CI on all PRs. Run locally via:
-
-```bash
-# VS Code: Command Palette → "Lint: GORM Security Scan"
-# Or via pre-commit:
-pre-commit run --hook-stage manual gorm-security-scan --all-files
-# Or directly:
-./scripts/scan-gorm-security.sh --report
-```
-
-See [GORM Security Scanner Documentation](docs/implementation/gorm_security_scanner_complete.md) for details.
-
-See [CONTRIBUTING.md](CONTRIBUTING.md) for complete development environment setup.
-
-**Note:** GitHub Actions CI uses `GOTOOLCHAIN: auto` to automatically download and use go 1.26.0, even if your system has an older version installed. For local development, ensure you have go 1.26.0+ installed.
-
-#### Keeping Go Tools Up-to-Date
-
-After pulling a Go version update:
-
-```bash
-# Rebuild all Go development tools
-./scripts/rebuild-go-tools.sh
-```
-
-**Why?** Tools like golangci-lint are compiled programs. When Go upgrades, they need to be recompiled to work with the new version. This one command rebuilds all your tools automatically.
-
-See [Go Version Upgrades Guide](docs/development/go_version_upgrades.md) for details.
-
-### Environment Configuration
-
-Before running Charon or E2E tests, configure required environment variables:
-
-1. **Copy the example environment file:**
-   ```bash
-   cp .env.example .env
-   ```
-
-2. **Configure required secrets:**
-   ```bash
-   # Generate encryption key (32 bytes, base64-encoded)
-   openssl rand -base64 32
-
-   # Generate emergency token (64 characters hex)
-   openssl rand -hex 32
-   ```
-
-3. **Add to `.env` file:**
-   ```bash
-   CHARON_ENCRYPTION_KEY=<paste_encryption_key_here>
-   CHARON_EMERGENCY_TOKEN=<paste_emergency_token_here>
-   ```
-
-4. **Verify configuration:**
-   ```bash
-   # Encryption key should be ~44 chars (base64)
-   grep CHARON_ENCRYPTION_KEY .env | cut -d= -f2 | wc -c
-
-   # Emergency token should be 64 chars (hex)
-   grep CHARON_EMERGENCY_TOKEN .env | cut -d= -f2 | wc -c
-   ```
-
-⚠️ **Security:** Never commit actual secret values to the repository. The `.env` file is gitignored.
-
-📖 **More Info:** See [Getting Started Guide](docs/getting-started.md) for detailed setup instructions.
-
-### Upgrading? Run Migrations
-
-If you're upgrading from a previous version with persistent data:
-
-```bash
-docker exec charon /app/charon migrate
-docker restart charon
-```
-
-This ensures security features (especially CrowdSec) work correctly.
-
-**Important:** If you had CrowdSec enabled before the upgrade, it will **automatically restart** after migration. You don't need to manually re-enable it via the GUI. See [Migration Guide](https://wikid82.github.io/charon/migration-guide) for details.
-
----
-
-## 🔔 Smart Notifications
-
-Stay informed about your infrastructure with flexible notification support.
-
-### Supported Services
-
-Charon integrates with popular notification platforms using JSON templates for rich formatting:
-
-- **Discord** — Rich embeds with colors, fields, and custom formatting
-- **Slack** — Block Kit messages with interactive elements
-- **Gotify** — Self-hosted push notifications with priority levels
-- **Telegram** — Instant messaging with Markdown support
-- **Generic Webhooks** — Connect to any service with custom JSON payloads
-
-### JSON Template Examples
-
-**Discord Rich Embed:**
-
-```json
-{
-  "embeds": [{
-    "title": "🚨 {{.Title}}",
-    "description": "{{.Message}}",
-    "color": 15158332,
-    "timestamp": "{{.Timestamp}}",
-    "fields": [
-      {"name": "Host", "value": "{{.HostName}}", "inline": true},
-      {"name": "Event", "value": "{{.EventType}}", "inline": true}
-    ]
-  }]
-}
-```
-
-**Slack Block Kit:**
-
-```json
-{
-  "blocks": [
-    {
-      "type": "header",
-      "text": {"type": "plain_text", "text": "🔔 {{.Title}}"}
-    },
-    {
-      "type": "section",
-      "text": {"type": "mrkdwn", "text": "*Event:* {{.EventType}}\n*Message:* {{.Message}}"}
-    }
-  ]
-}
-```
-
-### Available Template Variables
-
-All JSON templates support these variables:
-
-| Variable | Description | Example |
-|----------|-------------|---------|
-| `{{.Title}}` | Event title | "SSL Certificate Renewed" |
-| `{{.Message}}` | Event details | "Certificate for example.com renewed" |
-| `{{.EventType}}` | Type of event | "ssl_renewal", "uptime_down" |
-| `{{.Severity}}` | Severity level | "info", "warning", "error" |
-| `{{.HostName}}` | Affected host | "example.com" |
-| `{{.Timestamp}}` | ISO 8601 timestamp | "2025-12-24T10:30:00Z" |
-
-**[📖 Complete Notification Guide →](docs/features/notifications.md)**
-
----
-
-## 🚨 Emergency Break Glass Access
-
-Charon provides a **3-Tier Break Glass Protocol** for emergency lockout recovery when security modules (ACL, WAF, CrowdSec) block access to the admin interface.
-
-### Emergency Recovery Quick Reference
-
-**Tier 1 (Preferred):** Use emergency token via main endpoint
-
-```bash
-curl -X POST https://charon.example.com/api/v1/emergency/security-reset \
-  -H "X-Emergency-Token: $CHARON_EMERGENCY_TOKEN"
-```
-
-**Tier 2 (If Tier 1 blocked):** Use emergency server via SSH tunnel
-
-```bash
-ssh -L 2019:localhost:2019 admin@server
-curl -X POST http://localhost:2019/emergency/security-reset \
-  -H "X-Emergency-Token: $CHARON_EMERGENCY_TOKEN" \
-  -u admin:password
-```
-
-**Tier 3 (Catastrophic):** Direct SSH access - see [Emergency Runbook](docs/runbooks/emergency-lockout-recovery.md)
-
-### Tier 1: Emergency Token (Layer 7 Bypass)
-
-**Use when:** The application is accessible but security middleware is blocking you.
-
-```bash
-# Set emergency token (generate with: openssl rand -hex 32)
-export CHARON_EMERGENCY_TOKEN=your-64-char-hex-token
-
-# Use token to disable security
-curl -X POST https://charon.example.com/api/v1/emergency/security-reset \
-  -H "X-Emergency-Token: $CHARON_EMERGENCY_TOKEN"
-```
-
-**Response:**
-
-```json
-{
-  "success": true,
-  "message": "All security modules have been disabled",
-  "disabled_modules": [
-    "feature.cerberus.enabled",
-    "security.acl.enabled",
-    "security.waf.enabled",
-    "security.rate_limit.enabled",
-    "security.crowdsec.enabled"
-  ]
-}
-```
-
-### Tier 2: Emergency Server (Sidecar Port)
-
-**Use when:** Caddy/CrowdSec is blocking at the reverse proxy level, or you need a separate entry point.
-
-**Prerequisites:**
-
-- Emergency server enabled in configuration
-- SSH access to Docker host
-- Knowledge of Basic Auth credentials (if configured)
-
-**Setup:**
-
-```yaml
-# docker-compose.yml
-environment:
-  - CHARON_EMERGENCY_SERVER_ENABLED=true
-  - CHARON_EMERGENCY_BIND=127.0.0.1:2019  # Localhost only
-  - CHARON_EMERGENCY_USERNAME=admin
-  - CHARON_EMERGENCY_PASSWORD=your-strong-password
-```
-
-**Usage:**
-
-```bash
-# 1. SSH to server and create tunnel
-ssh -L 2019:localhost:2019 admin@server.example.com
-
-# 2. Access emergency endpoint (from local machine)
-curl -X POST http://localhost:2019/emergency/security-reset \
-  -H "X-Emergency-Token: $CHARON_EMERGENCY_TOKEN" \
-  -u admin:your-strong-password
-```
-
-### Tier 3: Direct System Access (Physical Key)
-
-**Use when:** All application-level recovery methods have failed.
-
-**Prerequisites:**
-
-- SSH or console access to Docker host
-- Root or sudo privileges
-- Knowledge of container name
-
-**Emergency Procedures:**
-
-```bash
-# SSH to host
-ssh admin@docker-host.example.com
-
-# Clear CrowdSec bans
-docker exec charon cscli decisions delete --all
-
-# Disable security via database
-docker exec charon sqlite3 /app/data/charon.db \
-  "UPDATE settings SET value='false' WHERE key LIKE 'security.%.enabled';"
-
-# Restart container
-docker restart charon
-```
-
-### When to Use Each Tier
-
-| Scenario | Tier | Solution |
-|----------|------|----------|
-| ACL blocked your IP | Tier 1 | Emergency token via main port |
-| Caddy/CrowdSec blocking at Layer 7 | Tier 2 | Emergency server on separate port |
-| Complete system failure | Tier 3 | Direct SSH + database access |
-
-### Security Considerations
-
-**⚠️ Emergency Server Security:**
-
-- The emergency server should **NEVER** be exposed to the public internet
-- Always bind to localhost (127.0.0.1) only
-- Use SSH tunneling or VPN access to reach the port
-- Optional Basic Auth provides defense in depth
-- Port 2019 should be blocked by firewall rules from public access
-
-**🔐 Emergency Token Security:**
-
-- Store token in secrets manager (Vault, AWS Secrets Manager, Azure Key Vault)
-- Rotate token every 90 days or after use
-- Never commit token to version control
-- Use HTTPS when calling emergency endpoint (HTTP leaks token)
-- Monitor audit logs for emergency token usage
-
-**<2A> API Key & Credential Management:**
-
-- **Never log sensitive credentials**: Charon automatically masks API keys in logs (e.g., `abcd...xyz9`)
-- **Secure storage**: CrowdSec API keys stored with 0600 permissions (owner read/write only)
-- **No HTTP exposure**: API keys never returned in API responses
-- **No cookie storage**: Keys never stored in browser cookies
-- **Regular rotation**: Rotate CrowdSec bouncer keys every 90 days (recommended)
-- **Environment variables**: Use `CHARON_SECURITY_CROWDSEC_API_KEY` for production deployments
-- **Compliance**: Implementation addresses CWE-312, CWE-315, CWE-359 (GDPR, PCI-DSS, SOC 2)
-
-For detailed security practices, see:
-- 📘 [API Key Handling Guide](docs/security/api-key-handling.md)
-- 🛡️ [Security Best Practices](docs/SECURITY_PRACTICES.md)
-
-**<2A>📍 Management Network Configuration:**
-
-```yaml
-# Restrict emergency access to trusted networks only
-environment:
-  - CHARON_MANAGEMENT_CIDRS=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
-```
-
-Default: RFC1918 private networks + localhost
-
-### Complete Documentation
-
-📖 **[Emergency Lockout Recovery Runbook](docs/runbooks/emergency-lockout-recovery.md)** — Complete procedures for all 3 tiers
-🔄 **[Emergency Token Rotation Guide](docs/runbooks/emergency-token-rotation.md)** — Token rotation procedures
-⚙️ **[Configuration Examples](docs/configuration/emergency-setup.md)** — Docker Compose and secrets manager integration
-🛡️ **[Security Documentation](docs/security.md)** — Break glass protocol architecture
-
----
-
-## Getting Help
-
-**[📖 Full Documentation](https://wikid82.github.io/charon/)** — Everything explained simply
-**[🚀 5-Minute Guide](https://wikid82.github.io/charon/getting-started)** — Your first website up and running
-**[🔐 Supply Chain Security](docs/guides/supply-chain-security-user-guide.md)** — Verify signatures and build provenance
-**[<EFBFBD> Maintenance](docs/maintenance/)** — Keeping Charon running smoothly
-**[<EFBFBD>🛠️ Troubleshooting](docs/troubleshooting/)** — Common issues and solutions
-**[💬 Ask Questions](https://github.com/Wikid82/charon/discussions)** — Friendly community help
-**[🐛 Report Problems](https://github.com/Wikid82/charon/issues)** — Something broken? Let us know
-
----
+Built for the self-hosting community.

VERSION.md

@@ -19,36 +19,80 @@ Example: `0.1.0-alpha`, `1.0.0-beta.1`, `2.0.0-rc.2`
 
 ## Creating a Release
 
-### Automated Release Process
+### Canonical Release Process (Tag-Derived CI)
 
-1. **Update version** in `.version` file:
+1. **Create and push a release tag**:
 
    ```bash
-   echo "1.0.0" > .version
+
+  git tag -a v1.0.0 -m "Release v1.0.0"
+  git push origin v1.0.0
+
    ```
 
-2. **Commit version bump**:
+2. **GitHub Actions automatically**:
+  - Runs release workflow from the pushed tag (`.github/workflows/release-goreleaser.yml`)
+  - Builds and publishes release artifacts/images through CI (`.github/workflows/docker-build.yml`)
+  - Creates/updates GitHub Release metadata
+
+3. **Container tags are published**:
+  - `v1.0.0` (exact version)
+  - `1.0` (minor version)
+  - `1` (major version)
+  - `latest` (for non-prerelease on main branch)
+
+### Legacy/Optional `.version` Path
+
+The `.version` file is optional and not the canonical release trigger.
+
+Use it only when you need local/version-file parity checks:
+
+1. **Set `.version` locally (optional)**:
 
    ```bash
-   git add .version
-   git commit -m "chore: bump version to 1.0.0"
+  echo "1.0.0" > .version
    ```
 
-3. **Create and push tag**:
+1. **Validate `.version` matches the latest tag**:
 
    ```bash
-   git tag -a v1.0.0 -m "Release v1.0.0"
-   git push origin v1.0.0
+
+  bash scripts/check-version-match-tag.sh
+
    ```
 
-4. **GitHub Actions automatically**:
-   - Creates GitHub Release with changelog
-   - Builds multi-arch Docker images (amd64, arm64)
-   - Publishes to GitHub Container Registry with tags:
-     - `v1.0.0` (exact version)
-     - `1.0` (minor version)
-     - `1` (major version)
-     - `latest` (for non-prerelease on main branch)
+### Deterministic Rollout Verification Gates (Mandatory)
+
+Release sign-off is blocked until all items below pass in the same validation
+run.
+
+Enforcement points:
+
+- Release sign-off checklist/process (mandatory): All gates below remain required for release sign-off.
+- CI-supported checks (current): `.github/workflows/docker-build.yml` and `.github/workflows/supply-chain-verify.yml` enforce the subset currently implemented in workflows.
+- Manual validation required until CI parity: Validate any not-yet-implemented workflow gates via VS Code tasks `Security: Full Supply Chain Audit`, `Security: Verify SBOM`, `Security: Generate SLSA Provenance`, and `Security: Sign with Cosign`.
+- Optional version-file parity check: `Utility: Check Version Match Tag` (script: `scripts/check-version-match-tag.sh`).
+
+- [ ] **Digest freshness/parity:** Capture pre-push and post-push index digests
+  for the target tag in GHCR and Docker Hub, confirm expected freshness,
+  and confirm cross-registry index digest parity.
+- [ ] **Per-arch parity:** Confirm per-platform (`linux/amd64`, `linux/arm64`,
+  and any published platform) digest parity between GHCR and Docker Hub.
+- [ ] **Immutable digest scanning:** Run SBOM and vulnerability scans against
+  immutable refs only, using `image@sha256:<index-digest>`.
+- [ ] **Artifact freshness:** Confirm scan artifacts are generated after the
+  push timestamp and in the same validation run.
+- [ ] **Evidence block present:** Include the mandatory evidence block fields
+  listed below.
+
+#### Mandatory Evidence Block Fields
+
+- Tag name
+- Index digest (`sha256:...`)
+- Per-arch digests (platform -> digest)
+- Scan tool versions
+- Push timestamp and scan timestamp(s)
+- Artifact file names generated in this run
 
 ## Container Image Tags