fix(auth): update SameSite cookie policy description for clarity

fix(auth): rename isLocalHost to isLocalOrPrivateHost and update related tests
feat(auth): implement Bearer token fallback in fetchSessionUser for private network HTTP connections
2026-03-15 03:23:06 +00:00 · 2026-03-15 03:20:11 +00:00 · 2026-03-15 02:25:07 +00:00 · 2026-03-11 14:05:55 -04:00 · 2026-03-11 13:20:47 -04:00 · 2026-03-11 16:54:54 +00:00
620 changed files with 37404 additions and 8747 deletions
@@ -94,7 +94,7 @@ Configure the application via `docker-compose.yml`:
 | `CHARON_ENV` | `production` | Set to `development` for verbose logging (`CPM_ENV` supported for backward compatibility). |
 | `CHARON_HTTP_PORT` | `8080` | Port for the Web UI (`CPM_HTTP_PORT` supported for backward compatibility). |
 | `CHARON_DB_PATH` | `/app/data/charon.db` | Path to the SQLite database (`CPM_DB_PATH` supported for backward compatibility). |
-| `CHARON_CADDY_ADMIN_API` | `http://localhost:2019` | Internal URL for Caddy API (`CPM_CADDY_ADMIN_API` supported for backward compatibility). |
+| `CHARON_CADDY_ADMIN_API` | `http://localhost:2019` | Internal URL for Caddy API (`CPM_CADDY_ADMIN_API` supported for backward compatibility). Must resolve to an internal allowlisted host on port `2019`. |
 | `CHARON_CADDY_CONFIG_ROOT` | `/config` | Path to Caddy autosave configuration directory. |
 | `CHARON_CADDY_LOG_DIR` | `/var/log/caddy` | Directory for Caddy access logs. |
 | `CHARON_CROWDSEC_LOG_DIR` | `/var/log/crowdsec` | Directory for CrowdSec logs. |
@@ -218,6 +218,8 @@ environment:
  - CPM_CADDY_ADMIN_API=http://your-caddy-host:2019
 ```

+If using a non-localhost internal hostname, add it to `CHARON_SSRF_INTERNAL_HOST_ALLOWLIST`.
+
 **Warning**: Charon will replace Caddy's entire configuration. Backup first!

 ## Performance Tuning
@@ -32,6 +32,8 @@ services:
      #- CPM_SECURITY_RATELIMIT_ENABLED=false
      #- CPM_SECURITY_ACL_ENABLED=false
      - FEATURE_CERBERUS_ENABLED=true
+    # Docker socket group access: copy docker-compose.override.example.yml
+    # to docker-compose.override.yml and set your host's docker GID.
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro # For local container discovery
      - crowdsec_data:/app/data/crowdsec
@@ -27,6 +27,8 @@ services:
      - FEATURE_CERBERUS_ENABLED=true
      # Emergency "break-glass" token for security reset when ACL blocks access
      - CHARON_EMERGENCY_TOKEN=03e4682c1164f0c1cb8e17c99bd1a2d9156b59824dde41af3bb67c513e5c5e92
+    # Docker socket group access: copy docker-compose.override.example.yml
+    # to docker-compose.override.yml and set your host's docker GID.
    extra_hosts:
      - "host.docker.internal:host-gateway"
    cap_add:
@@ -0,0 +1,26 @@
+# Docker Compose override — copy to docker-compose.override.yml to activate.
+#
+# Use case: grant the container access to the host Docker socket so that
+# Charon can discover running containers.
+#
+# 1. cp docker-compose.override.example.yml docker-compose.override.yml
+# 2. Uncomment the service that matches your compose file:
+#      - "charon" for docker-compose.local.yml
+#      - "app"    for docker-compose.dev.yml
+# 3. Replace <GID> with the output of:  stat -c '%g' /var/run/docker.sock
+# 4. docker compose up -d
+
+services:
+  # Uncomment for docker-compose.local.yml
+  charon:
+    group_add:
+      - "<GID>"   # e.g. "988" — run: stat -c '%g' /var/run/docker.sock
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+
+  # Uncomment for docker-compose.dev.yml
+  app:
+    group_add:
+      - "<GID>"   # e.g. "988" — run: stat -c '%g' /var/run/docker.sock
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
@@ -85,6 +85,7 @@ services:
      - playwright_data:/app/data
      - playwright_caddy_data:/data
      - playwright_caddy_config:/config
+      - /var/run/docker.sock:/var/run/docker.sock:ro # For container discovery in tests
    healthcheck:
      test: ["CMD", "curl", "-sf", "http://localhost:8080/api/v1/health"]
      interval: 5s
@@ -111,6 +112,7 @@ services:
    volumes:
      - playwright_crowdsec_data:/var/lib/crowdsec/data
      - playwright_crowdsec_config:/etc/crowdsec
+      - /var/run/docker.sock:/var/run/docker.sock:ro # For container discovery in tests
    healthcheck:
      test: ["CMD", "cscli", "version"]
      interval: 10s
@@ -49,6 +49,8 @@ services:
      # True tmpfs for E2E test data - fresh on every run, in-memory only
      # mode=1777 allows any user to write (container runs as non-root)
      - /app/data:size=100M,mode=1777
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro # For container discovery in tests
    healthcheck:
      test: ["CMD-SHELL", "curl -fsS http://localhost:8080/api/v1/health || exit 1"]
      interval: 5s
@@ -27,30 +27,24 @@ get_group_by_gid() {
 }

 create_group_with_gid() {
-    local gid="$1"
-    local name="$2"
-
    if command -v addgroup >/dev/null 2>&1; then
-        addgroup -g "$gid" "$name" 2>/dev/null || true
+        addgroup -g "$1" "$2" 2>/dev/null || true
        return
    fi

    if command -v groupadd >/dev/null 2>&1; then
-        groupadd -g "$gid" "$name" 2>/dev/null || true
+        groupadd -g "$1" "$2" 2>/dev/null || true
    fi
 }

 add_user_to_group() {
-    local user="$1"
-    local group="$2"
-
    if command -v addgroup >/dev/null 2>&1; then
-        addgroup "$user" "$group" 2>/dev/null || true
+        addgroup "$1" "$2" 2>/dev/null || true
        return
    fi

    if command -v usermod >/dev/null 2>&1; then
-        usermod -aG "$group" "$user" 2>/dev/null || true
+        usermod -aG "$2" "$1" 2>/dev/null || true
    fi
 }

@@ -142,8 +136,15 @@ if [ -S "/var/run/docker.sock" ] && is_root; then
        fi
    fi
 elif [ -S "/var/run/docker.sock" ]; then
-    echo "Note: Docker socket mounted but container is running non-root; skipping docker.sock group setup."
-    echo "      If Docker discovery is needed, run with matching group permissions (e.g., --group-add)"
+    DOCKER_SOCK_GID=$(stat -c '%g' /var/run/docker.sock 2>/dev/null || echo "unknown")
+    echo "Note: Docker socket mounted (GID=$DOCKER_SOCK_GID) but container is running non-root; skipping docker.sock group setup."
+    echo "      If Docker discovery is needed, add 'group_add: [\"$DOCKER_SOCK_GID\"]' to your compose service."
+    if [ "$DOCKER_SOCK_GID" = "0" ]; then
+        if [ "${ALLOW_DOCKER_SOCK_GID_0:-false}" != "true" ]; then
+            echo "⚠️  WARNING: Docker socket GID is 0 (root group). group_add: [\"0\"] grants root-group access."
+            echo "   Set ALLOW_DOCKER_SOCK_GID_0=true to acknowledge this risk."
+        fi
+    fi
 else
    echo "Note: Docker socket not found. Docker container discovery will be unavailable."
 fi
@@ -191,7 +192,7 @@ if command -v cscli >/dev/null; then
        echo "Initializing persistent CrowdSec configuration..."

        # Check if .dist has content
-        if [ -d "/etc/crowdsec.dist" ] && [ -n "$(ls -A /etc/crowdsec.dist 2>/dev/null)" ]; then
+        if [ -d "/etc/crowdsec.dist" ] && find /etc/crowdsec.dist -mindepth 1 -maxdepth 1 -print -quit 2>/dev/null | grep -q .; then
            echo "Copying config from /etc/crowdsec.dist..."
            if ! cp -r /etc/crowdsec.dist/* "$CS_CONFIG_DIR/"; then
                echo "ERROR: Failed to copy config from /etc/crowdsec.dist"
@@ -208,7 +209,7 @@ if command -v cscli >/dev/null; then
                exit 1
            fi
            echo "✓ Successfully initialized config from .dist directory"
-        elif [ -d "/etc/crowdsec" ] && [ ! -L "/etc/crowdsec" ] && [ -n "$(ls -A /etc/crowdsec 2>/dev/null)" ]; then
+        elif [ -d "/etc/crowdsec" ] && [ ! -L "/etc/crowdsec" ] && find /etc/crowdsec -mindepth 1 -maxdepth 1 -print -quit 2>/dev/null | grep -q .; then
            echo "Copying config from /etc/crowdsec (fallback)..."
            if ! cp -r /etc/crowdsec/* "$CS_CONFIG_DIR/"; then
                echo "ERROR: Failed to copy config from /etc/crowdsec (fallback)"
@@ -248,7 +249,7 @@ if command -v cscli >/dev/null; then
        echo "Expected: /etc/crowdsec -> /app/data/crowdsec/config"
        echo "This indicates a critical build-time issue. Symlink must be created at build time as root."
        echo "DEBUG: Directory check:"
-        ls -la /etc/ | grep crowdsec || echo "  (no crowdsec entry found)"
+        find /etc -mindepth 1 -maxdepth 1 -name '*crowdsec*' -exec ls -ld {} \; 2>/dev/null || echo "  (no crowdsec entry found)"
        exit 1
    fi

@@ -9,13 +9,12 @@
 .git/
 .gitignore
 .github/
-.pre-commit-config.yaml
 codecov.yml
 .goreleaser.yaml
 .sourcery.yml

 # -----------------------------------------------------------------------------
-# Python (pre-commit, tooling)
+# Python (tooling)
 # -----------------------------------------------------------------------------
 __pycache__/
 *.py[cod]
@@ -3,9 +3,9 @@ name: 'Management'
 description: 'Engineering Director. Delegates ALL research and execution. DO NOT ask it to debug code directly.'
 argument-hint: 'The high-level goal (e.g., "Build the new Proxy Host Dashboard widget")'

-tools: vscode/extensions, vscode/getProjectSetupInfo, vscode/installExtension, vscode/memory, vscode/openIntegratedBrowser, vscode/runCommand, vscode/askQuestions, vscode/vscodeAPI, execute, read, agent, 'github/*', 'github/*', 'io.github.goreleaser/mcp/*',  edit, search, web, 'github/*', '', 'playwright/*',  todo, vscode.mermaid-chat-features/renderMermaidDiagram, github.vscode-pull-request-github/issue_fetch, github.vscode-pull-request-github/labels_fetch, github.vscode-pull-request-github/notification_fetch, github.vscode-pull-request-github/doSearch, github.vscode-pull-request-github/activePullRequest, github.vscode-pull-request-github/openPullRequest, ms-azuretools.vscode-containers/containerToolsConfig, ms-python.python/getPythonEnvironmentInfo, ms-python.python/getPythonExecutableCommand, ms-python.python/installPythonPackage, ms-python.python/configurePythonEnvironment
+tools: vscode/extensions, vscode/getProjectSetupInfo, vscode/installExtension, vscode/memory, vscode/runCommand, vscode/vscodeAPI, vscode/askQuestions, execute, read, agent, edit, search, web, 'github/*', 'playwright/*', 'github/*', 'github/*', 'io.github.goreleaser/mcp/*', 'mcp-refactor-typescript/*', 'microsoftdocs/mcp/*', browser, vscode.mermaid-chat-features/renderMermaidDiagram, github.vscode-pull-request-github/issue_fetch, github.vscode-pull-request-github/labels_fetch, github.vscode-pull-request-github/notification_fetch, github.vscode-pull-request-github/doSearch, github.vscode-pull-request-github/activePullRequest, github.vscode-pull-request-github/pullRequestStatusChecks, github.vscode-pull-request-github/openPullRequest, ms-azuretools.vscode-containers/containerToolsConfig, ms-python.python/getPythonEnvironmentInfo, ms-python.python/getPythonExecutableCommand, ms-python.python/installPythonPackage, ms-python.python/configurePythonEnvironment, todo
+

-model: GPT-5.3-Codex (copilot)
 target: vscode
 user-invocable: true
 disable-model-invocation: false
@@ -24,16 +24,16 @@ You are "lazy" in the smartest way possible. You never do what a subordinate can
 4. **Team Roster**:
    - `Planning`: The Architect. (Delegate research & planning here).
    - `Supervisor`: The Senior Advisor. (Delegate plan review here).
-    - `Backend_Dev`: The Engineer. (Delegate Go implementation here).
-    - `Frontend_Dev`: The Designer. (Delegate React implementation here).
-    - `QA_Security`: The Auditor. (Delegate verification and testing here).
-    - `Docs_Writer`: The Scribe. (Delegate docs here).
+    - `Backend Dev`: The Engineer. (Delegate Go implementation here).
+    - `Frontend Dev`: The Designer. (Delegate React implementation here).
+    - `QA Security`: The Auditor. (Delegate verification and testing here).
+    - `Docs Writer`: The Scribe. (Delegate docs here).
    - `DevOps`: The Packager. (Delegate CI/CD and infrastructure here).
-    - `Playwright_Dev`: The E2E Specialist. (Delegate Playwright test creation and maintenance here).
+    - `Playwright Dev`: The E2E Specialist. (Delegate Playwright test creation and maintenance here).
 5. **Parallel Execution**:
    - You may delegate to `runSubagent` multiple times in parallel if tasks are independent. The only exception is `QA_Security`, which must run last as this validates the entire codebase after all changes.
 6. **Implementation Choices**:
-    - When faced with multiple implementation options, ALWAYS choose the "Prroper" fix over a "Quick" fix. This ensures long-term maintainability and saves double work. The "Quick" fix will only cause more work later when the "Proper" fix is eventually needed.
+    - When faced with multiple implementation options, ALWAYS choose the "Long Term" fix over a "Quick" fix. This ensures long-term maintainability and saves double work. The "Quick" fix will only cause more work later when the "Long Term" fix is eventually needed.
 </global_context>

 <workflow>
@@ -43,7 +43,7 @@ You are "lazy" in the smartest way possible. You never do what a subordinate can
    -   **Identify Goal**: Understand the user's request.
    -   **STOP**: Do not look at the code. Do not run `list_dir`. No code is to be changed or implemented until there is a fundamentally sound plan of action that has been approved by the user.
    -   **Action**: Immediately call `Planning` subagent.
-        -   *Prompt*: "Research the necessary files for '{user_request}' and write a comprehensive plan detailing as many specifics as possible to `docs/plans/current_spec.md`. Be an artist with directions and discriptions. Include file names, function names, and component names wherever possible. Break the plan into phases based on the least amount of requests. Include a PR Slicing Strategy section that decides whether to split work into multiple PRs and, when split, defines PR-1/PR-2/PR-3 scope, dependencies, and acceptance criteria. Review and suggest updaetes to `.gitignore`, `codecov.yml`, `.dockerignore`, and `Dockerfile` if necessary. Return only when the plan is complete."
+        -   *Prompt*: "Research the necessary files for '{user_request}' and write a comprehensive plan detailing as many specifics as possible to `docs/plans/current_spec.md`. Be an artist with directions and discriptions. Include file names, function names, and component names wherever possible. Break the plan into phases based on the least amount of requests. Include a Commit Slicing Strategy section that decides whether to split work into multiple PRs and, when split, defines PR-1/PR-2/PR-3 scope, dependencies, and acceptance criteria. Review and suggest updaetes to `.gitignore`, `codecov.yml`, `.dockerignore`, and `Dockerfile` if necessary. Return only when the plan is complete."
    - **Task Specifics**:
        - If the task is to just run tests or audits, there is no need for a plan. Directly call `QA_Security` to perform the tests and write the report. If issues are found, return to `Planning` for a remediation plan and delegate the fixes to the corresponding subagents.

@@ -59,7 +59,7 @@ You are "lazy" in the smartest way possible. You never do what a subordinate can
    -   **Ask**: "Plan created. Shall I authorize the construction?"

 4. **Phase 4: Execution (Waterfall)**:
-        - **Single-PR or Multi-PR Decision**: Read the PR Slicing Strategy in `docs/plans/current_spec.md`.
+        - **Single-PR or Multi-PR Decision**: Read the Commit Slicing Strategy in `docs/plans/current_spec.md`.
        - **If single PR**:
            - **Backend**: Call `Backend_Dev` with the plan file.
            - **Frontend**: Call `Frontend_Dev` with the plan file.
@@ -67,12 +67,13 @@ You are "lazy" in the smartest way possible. You never do what a subordinate can
            - Execute in PR slices, one slice at a time, in dependency order.
            - Require each slice to pass review + QA gates before starting the next slice.
            - Keep every slice deployable and independently testable.
+        - **MANDATORY**: Implementation agents must perform linting and type checks locally before declaring their slice "DONE". This is a critical step that must not be skipped to avoid broken commits and security issues.

 5. **Phase 5: Review**:
    - **Supervisor**: Call `Supervisor` to review the implementation against the plan. Provide feedback and ensure alignment with best practices.

 6. **Phase 6: Audit**:
-    - **QA**: Call `QA_Security` to meticulously test current implementation as well as regression test. Run all linting, security tasks, and manual pre-commit checks. Write a report to `docs/reports/qa_report.md`. Start back at Phase 1 if issues are found.
+    - **QA**: Call `QA_Security` to meticulously test current implementation as well as regression test. Run all linting, security tasks, and manual lefthook checks. Write a report to `docs/reports/qa_report.md`. Start back at Phase 1 if issues are found.

 7. **Phase 7: Closure**:
    - **Docs**: Call `Docs_Writer`.
@@ -126,11 +126,11 @@ graph TB
 | **HTTP Framework** | Gin | Latest | Routing, middleware, HTTP handling |
 | **Database** | SQLite | 3.x | Embedded database |
 | **ORM** | GORM | Latest | Database abstraction layer |
-| **Reverse Proxy** | Caddy Server | 2.11.0-beta.2 | Embedded HTTP/HTTPS proxy |
+| **Reverse Proxy** | Caddy Server | 2.11.2 | Embedded HTTP/HTTPS proxy |
 | **WebSocket** | gorilla/websocket | Latest | Real-time log streaming |
 | **Crypto** | golang.org/x/crypto | Latest | Password hashing, encryption |
 | **Metrics** | Prometheus Client | Latest | Application metrics |
-| **Notifications** | Shoutrrr | Latest | Multi-platform alerts |
+| **Notifications** | Notify | Latest | Multi-platform alerts |
 | **Docker Client** | Docker SDK | Latest | Container discovery |
 | **Logging** | Logrus + Lumberjack | Latest | Structured logging with rotation |

@@ -1263,8 +1263,8 @@ docker exec charon /app/scripts/restore-backup.sh \
   - Future: Dynamic plugin loading for custom providers

 2. **Notification Channels:**
-   - Shoutrrr provides 40+ channels (Discord, Slack, Email, etc.)
-   - Custom channels via Shoutrrr service URLs
+   - Notify provides multi-platform channels (Discord, Slack, Gotify, etc.)
+   - Provider-based configuration with per-channel feature flags

 3. **Authentication Providers:**
   - Current: Local database authentication
@@ -67,7 +67,7 @@ Before proposing ANY code change or fix, you must build a mental map of the feat

 - **Run**: `cd backend && go run ./cmd/api`.
 - **Test**: `go test ./...`.
- **Static Analysis (BLOCKING)**: Fast linters run automatically on every commit via pre-commit hooks.
+- **Static Analysis (BLOCKING)**: Fast linters run automatically on every commit via lefthook pre-commit-phase hooks.
  - **Staticcheck errors MUST be fixed** - commits are BLOCKED until resolved
  - Manual run: `make lint-fast` or VS Code task "Lint: Staticcheck (Fast)"
  - Staticcheck-only: `make lint-staticcheck-only`
@@ -79,7 +79,7 @@ Before proposing ANY code change or fix, you must build a mental map of the feat
 - **Security**: Sanitize all file paths using `filepath.Clean`. Use `fmt.Errorf("context: %w", err)` for error wrapping.
 - **Graceful Shutdown**: Long-running work must respect `server.Run(ctx)`.

-### Troubleshooting Pre-Commit Staticcheck Failures
+### Troubleshooting Lefthook Staticcheck Failures

 **Common Issues:**

@@ -175,7 +175,7 @@ Before marking an implementation task as complete, perform the following in orde
    - **Exclusions**: Skip this gate for docs-only (`**/*.md`) or frontend-only (`frontend/**`) changes
    - **Run One Of**:
        - VS Code task: `Lint: GORM Security Scan`
-        - Pre-commit: `pre-commit run --hook-stage manual gorm-security-scan --all-files`
+        - Lefthook: `lefthook run pre-commit` (includes gorm-security-scan)
        - Direct: `./scripts/scan-gorm-security.sh --check`
        - **Gate Enforcement**: DoD is process-blocking until scanner reports zero
            CRITICAL/HIGH findings, even while automation remains in manual stage
@@ -189,15 +189,15 @@ Before marking an implementation task as complete, perform the following in orde
    - **Expected Behavior**: Report may warn (non-blocking rollout), but artifact generation is mandatory.

 3. **Security Scans** (MANDATORY - Zero Tolerance):
-    - **CodeQL Go Scan**: Run VS Code task "Security: CodeQL Go Scan (CI-Aligned)" OR `pre-commit run codeql-go-scan --all-files`
+    - **CodeQL Go Scan**: Run VS Code task "Security: CodeQL Go Scan (CI-Aligned)" OR `lefthook run pre-commit`
        - Must use `security-and-quality` suite (CI-aligned)
        - **Zero high/critical (error-level) findings allowed**
        - Medium/low findings should be documented and triaged
-    - **CodeQL JS Scan**: Run VS Code task "Security: CodeQL JS Scan (CI-Aligned)" OR `pre-commit run codeql-js-scan --all-files`
+    - **CodeQL JS Scan**: Run VS Code task "Security: CodeQL JS Scan (CI-Aligned)" OR `lefthook run pre-commit`
        - Must use `security-and-quality` suite (CI-aligned)
        - **Zero high/critical (error-level) findings allowed**
        - Medium/low findings should be documented and triaged
-    - **Validate Findings**: Run `pre-commit run codeql-check-findings --all-files` to check for HIGH/CRITICAL issues
+    - **Validate Findings**: Run `lefthook run pre-commit` to check for HIGH/CRITICAL issues
    - **Trivy Container Scan**: Run VS Code task "Security: Trivy Scan" for container/dependency vulnerabilities
    - **Results Viewing**:
        - Primary: VS Code SARIF Viewer extension (`MS-SarifVSCode.sarif-viewer`)
@@ -210,7 +210,7 @@ Before marking an implementation task as complete, perform the following in orde
        - Database creation: `--threads=0 --overwrite`
        - Analysis: `--sarif-add-baseline-file-info`

-4. **Pre-Commit Triage**: Run `pre-commit run --all-files`.
+4. **Lefthook Triage**: Run `lefthook run pre-commit`.
    - If errors occur, **fix them immediately**.
    - If logic errors occur, analyze and propose a fix.
    - Do not output code that violates pre-commit standards.
@@ -353,7 +353,7 @@ Follow idiomatic Go practices and community standards when writing Go code. Thes
 ### Development Practices

 - Run tests before committing
- Use pre-commit hooks for formatting and linting
+- Use lefthook pre-commit-phase hooks for formatting and linting
 - Keep commits focused and atomic
 - Write meaningful commit messages
 - Review diffs before committing
@@ -9,7 +9,7 @@ description: 'Repository structure guidelines to maintain organized file placeme

 The repository root should contain ONLY:

- Essential config files (`.gitignore`, `.pre-commit-config.yaml`, `Makefile`, etc.)
+- Essential config files (`.gitignore`, `Makefile`, etc.)
 - Standard project files (`README.md`, `CONTRIBUTING.md`, `LICENSE`, `CHANGELOG.md`)
 - Go workspace files (`go.work`, `go.work.sum`)
 - VS Code workspace (`Chiron.code-workspace`)
@@ -28,7 +28,7 @@ runSubagent({
 - Parallel: run `QA and Security`, `DevOps` and `Doc Writer` in parallel for CI / QA checks and documentation.
 - Return: a JSON summary with `subagent_results`, `overall_status`, and aggregated artifacts.

-2.1) Multi-PR Slicing Protocol
+2.1) Multi-Commit Slicing Protocol

 - If a task is large or high-risk, split into PR slices and execute in order.
 - Each slice must have:
@@ -27,7 +27,10 @@
  "rebaseWhen": "auto",

  "vulnerabilityAlerts": {
-    "enabled": true
+    "enabled": true,
+    "dependencyDashboardApproval": false,
+    "automerge": false,
+    "labels": ["security", "vulnerability"]
  },

  "rangeStrategy": "bump",
@@ -36,6 +39,19 @@
  "platformAutomerge": true,

  "customManagers": [
+    {
+      "customType": "regex",
+      "description": "Track caddy-security plugin version in Dockerfile",
+      "managerFilePatterns": [
+        "/^Dockerfile$/"
+      ],
+      "matchStrings": [
+        "ARG CADDY_SECURITY_VERSION=(?<currentValue>[^\\s]+)"
+      ],
+      "depNameTemplate": "github.com/greenpau/caddy-security",
+      "datasourceTemplate": "go",
+      "versioningTemplate": "semver"
+    },
    {
      "customType": "regex",
      "description": "Track Go dependencies patched in Dockerfile for Caddy CVE fixes",
@@ -53,12 +69,45 @@
      "description": "Track Alpine base image digest in Dockerfile for security updates",
      "managerFilePatterns": ["/^Dockerfile$/"],
      "matchStrings": [
-        "#\\s*renovate:\\s*datasource=docker\\s+depName=alpine.*\\nARG CADDY_IMAGE=alpine:(?<currentValue>[^\\s@]+@sha256:[a-f0-9]+)"
+        "#\\s*renovate:\\s*datasource=docker\\s+depName=alpine.*\\nARG ALPINE_IMAGE=alpine:(?<currentValue>[^@\\s]+)@(?<currentDigest>sha256:[a-f0-9]+)"
      ],
      "depNameTemplate": "alpine",
      "datasourceTemplate": "docker",
      "versioningTemplate": "docker"
    },
+    {
+      "customType": "regex",
+      "description": "Track Go toolchain version ARG in Dockerfile",
+      "managerFilePatterns": ["/^Dockerfile$/"],
+      "matchStrings": [
+        "#\\s*renovate:\\s*datasource=docker\\s+depName=golang.*\\nARG GO_VERSION=(?<currentValue>[^\\s]+)"
+      ],
+      "depNameTemplate": "golang",
+      "datasourceTemplate": "docker",
+      "versioningTemplate": "docker"
+    },
+    {
+      "customType": "regex",
+      "description": "Track expr-lang version ARG in Dockerfile",
+      "managerFilePatterns": ["/^Dockerfile$/"],
+      "matchStrings": [
+        "#\\s*renovate:\\s*datasource=go\\s+depName=github\\.com/expr-lang/expr.*\\nARG EXPR_LANG_VERSION=(?<currentValue>[^\\s]+)"
+      ],
+      "depNameTemplate": "github.com/expr-lang/expr",
+      "datasourceTemplate": "go",
+      "versioningTemplate": "semver"
+    },
+    {
+      "customType": "regex",
+      "description": "Track golang.org/x/net version ARG in Dockerfile",
+      "managerFilePatterns": ["/^Dockerfile$/"],
+      "matchStrings": [
+        "#\\s*renovate:\\s*datasource=go\\s+depName=golang\\.org/x/net.*\\nARG XNET_VERSION=(?<currentValue>[^\\s]+)"
+      ],
+      "depNameTemplate": "golang.org/x/net",
+      "datasourceTemplate": "go",
+      "versioningTemplate": "semver"
+    },
    {
      "customType": "regex",
      "description": "Track Delve version in Dockerfile",
@@ -117,13 +166,45 @@
    {
      "customType": "regex",
      "description": "Track GO_VERSION in Actions workflows",
-      "fileMatch": ["^\\.github/workflows/.*\\.yml$"],
+      "managerFilePatterns": ["/^\\.github/workflows/.*\\.yml$/"],
      "matchStrings": [
        "GO_VERSION: ['\"]?(?<currentValue>[\\d\\.]+)['\"]?"
      ],
      "depNameTemplate": "golang/go",
      "datasourceTemplate": "golang-version",
      "versioningTemplate": "semver"
+    },
+    {
+      "customType": "regex",
+      "description": "Track Syft version in workflows and scripts",
+      "managerFilePatterns": [
+        "/^\\.github/workflows/nightly-build\\.yml$/",
+        "/^\\.github/skills/security-scan-docker-image-scripts/run\\.sh$/"
+      ],
+      "matchStrings": [
+        "SYFT_VERSION=\\\"v(?<currentValue>[^\\\"\\s]+)\\\"",
+        "set_default_env \\\"SYFT_VERSION\\\" \\\"v(?<currentValue>[^\\\"]+)\\\""
+      ],
+      "depNameTemplate": "anchore/syft",
+      "datasourceTemplate": "github-releases",
+      "versioningTemplate": "semver",
+      "extractVersionTemplate": "^v(?<version>.*)$"
+    },
+    {
+      "customType": "regex",
+      "description": "Track Grype version in workflows and scripts",
+      "managerFilePatterns": [
+        "/^\\.github/workflows/supply-chain-pr\\.yml$/",
+        "/^\\.github/skills/security-scan-docker-image-scripts/run\\.sh$/"
+      ],
+      "matchStrings": [
+        "anchore/grype/main/install\\.sh \\| sh -s -- -b /usr/local/bin v(?<currentValue>[0-9]+\\.[0-9]+\\.[0-9]+)",
+        "set_default_env \\\"GRYPE_VERSION\\\" \\\"v(?<currentValue>[^\\\"]+)\\\""
+      ],
+      "depNameTemplate": "anchore/grype",
+      "datasourceTemplate": "github-releases",
+      "versioningTemplate": "semver",
+      "extractVersionTemplate": "^v(?<version>.*)$"
    }
  ],

@@ -0,0 +1,55 @@
+version: 1
+effective_date: 2026-02-25
+scope:
+  - local pre-commit manual security hooks
+  - github actions security workflows
+
+defaults:
+  blocking:
+    - critical
+    - high
+  medium:
+    mode: risk-based
+    default_action: report
+    require_sla: true
+    default_sla_days: 14
+    escalation:
+      trigger: high-signal class or repeated finding
+      action: require issue + owner + due date
+  low:
+    action: report
+
+codeql:
+  severity_mapping:
+    error: high_or_critical
+    warning: medium_or_lower
+    note: informational
+  blocking_levels:
+    - error
+  warning_policy:
+    default_action: report
+    escalation_high_signal_rule_ids:
+      - go/request-forgery
+      - js/missing-rate-limiting
+      - js/insecure-randomness
+
+trivy:
+  blocking_severities:
+    - CRITICAL
+    - HIGH
+  medium_policy:
+    action: report
+    escalation: issue-with-sla
+
+grype:
+  blocking_severities:
+    - Critical
+    - High
+  medium_policy:
+    action: report
+    escalation: issue-with-sla
+
+enforcement_contract:
+  codeql_local_vs_ci: "local and ci block on codeql error-level findings only"
+  supply_chain_medium: "medium vulnerabilities are non-blocking by default and require explicit triage"
+  auth_regression_guard: "state-changing routes must remain protected by auth middleware"
@@ -63,7 +63,7 @@ Agent Skills are self-documenting, AI-discoverable task definitions that combine

 | Skill Name | Category | Description | Status |
 |------------|----------|-------------|--------|
-| [qa-precommit-all](./qa-precommit-all.SKILL.md) | qa | Run all pre-commit hooks on entire codebase | ✅ Active |
+| [qa-lefthook-all](./qa-lefthook-all.SKILL.md) | qa | Run all lefthook pre-commit‑phase hooks on entire codebase | ✅ Active |

 ### Utility Skills

@@ -25,7 +25,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: '1.23'
+          go-version: "1.26.1"

      - name: Run GORM Security Scanner
        id: gorm-scan
@@ -0,0 +1,349 @@
+---
+# agentskills.io specification v1.0
+name: "qa-lefthook-all"
+version: "1.0.0"
+description: "Run all lefthook pre-commit-phase hooks for comprehensive code quality validation"
+author: "Charon Project"
+license: "MIT"
+tags:
+  - "qa"
+  - "quality"
+  - "pre-commit"
+  - "linting"
+  - "validation"
+compatibility:
+  os:
+    - "linux"
+    - "darwin"
+  shells:
+    - "bash"
+requirements:
+  - name: "python3"
+    version: ">=3.8"
+    optional: false
+  - name: "lefthook"
+    version: ">=0.14"
+    optional: false
+environment_variables:
+    - name: "SKIP"
+    description: "Comma-separated list of hook IDs to skip"
+    default: ""
+    required: false
+parameters:
+  - name: "files"
+    type: "string"
+    description: "Specific files to check (default: all staged files)"
+    default: "--all-files"
+    required: false
+outputs:
+  - name: "validation_report"
+    type: "stdout"
+    description: "Results of all pre-commit hook executions"
+  - name: "exit_code"
+    type: "number"
+    description: "0 if all hooks pass, non-zero if any fail"
+metadata:
+  category: "qa"
+  subcategory: "quality"
+  execution_time: "medium"
+  risk_level: "low"
+  ci_cd_safe: true
+  requires_network: false
+  idempotent: true
+---
+
+# QA Pre-commit All
+
+## Overview
+
+Executes all configured lefthook pre-commit-phase hooks to validate code quality, formatting, security, and best practices across the entire codebase. This skill runs checks for Python, Go, JavaScript/TypeScript, Markdown, YAML, and more.
+
+This skill is designed for CI/CD pipelines and local quality validation before committing code.
+
+## Prerequisites
+
+- Python 3.8 or higher installed and in PATH
+- Python virtual environment activated (`.venv`)
+- Pre-commit installed in virtual environment: `pip install pre-commit`
+- Pre-commit hooks installed: `pre-commit install`
+- All language-specific tools installed (Go, Node.js, etc.)
+
+## Usage
+
+### Basic Usage
+
+Run all pre-commit-phase hooks on all files:
+
+```bash
+cd /path/to/charon
+lefthook run pre-commit
+```
+
+### Staged Files Only
+
+Run lefthook on staged files only (faster):
+
+```bash
+lefthook run pre-commit --staged
+```
+
+### Specific Hook
+
+Run only a specific hook by ID:
+
+```bash
+lefthook run pre-commit --hooks=trailing-whitespace
+```
+
+### Skip Specific Hooks
+
+Skip certain hooks during execution:
+
+```bash
+SKIP=prettier,eslint .github/skills/scripts/skill-runner.sh qa-precommit-all
+```
+
+## Parameters
+
+| Parameter | Type | Required | Default | Description |
+|-----------|------|----------|---------|-------------|
+| files     | string | No     | --all-files | File selection mode (--all-files or staged) |
+
+## Environment Variables
+
+| Variable | Required | Default | Description |
+|----------|----------|---------|-------------|
+| SKIP | No | "" | Comma-separated hook IDs to skip |
+| PRE_COMMIT_HOME | No | ~/.cache/pre-commit | Pre-commit cache directory |
+
+## Outputs
+
+- **Success Exit Code**: 0 (all hooks passed)
+- **Error Exit Codes**: Non-zero (one or more hooks failed)
+- **Output**: Detailed results from each hook
+
+## Pre-commit Hooks Included
+
+The following hooks are configured in `.pre-commit-config.yaml`:
+
+### General Hooks
+- **trailing-whitespace**: Remove trailing whitespace
+- **end-of-file-fixer**: Ensure files end with newline
+- **check-yaml**: Validate YAML syntax
+- **check-json**: Validate JSON syntax
+- **check-merge-conflict**: Detect merge conflict markers
+- **check-added-large-files**: Prevent committing large files
+
+### Python Hooks
+- **black**: Code formatting
+- **isort**: Import sorting
+- **flake8**: Linting
+- **mypy**: Type checking
+
+### Go Hooks
+- **gofmt**: Code formatting
+- **go-vet**: Static analysis
+- **golangci-lint**: Comprehensive linting
+
+### JavaScript/TypeScript Hooks
+- **prettier**: Code formatting
+- **eslint**: Linting and code quality
+
+### Markdown Hooks
+- **markdownlint**: Markdown linting and formatting
+
+### Security Hooks
+- **detect-private-key**: Prevent committing private keys
+- **detect-aws-credentials**: Prevent committing AWS credentials
+
+## Examples
+
+### Example 1: Full Quality Check
+
+```bash
+# Run all hooks on all files
+source .venv/bin/activate
+.github/skills/scripts/skill-runner.sh qa-precommit-all
+```
+
+Output:
+```
+Trim Trailing Whitespace.....................................Passed
+Fix End of Files.............................................Passed
+Check Yaml...................................................Passed
+Check JSON...................................................Passed
+Check for merge conflicts....................................Passed
+Check for added large files..................................Passed
+black........................................................Passed
+isort........................................................Passed
+prettier.....................................................Passed
+eslint.......................................................Passed
+markdownlint.................................................Passed
+```
+
+### Example 2: Quick Staged Files Check
+
+```bash
+# Run only on staged files (faster for pre-commit)
+.github/skills/scripts/skill-runner.sh qa-precommit-all staged
+```
+
+### Example 3: Skip Slow Hooks
+
+```bash
+# Skip time-consuming hooks for quick validation
+SKIP=golangci-lint,mypy .github/skills/scripts/skill-runner.sh qa-precommit-all
+```
+
+### Example 4: CI/CD Pipeline Integration
+
+```yaml
+# GitHub Actions example
+- name: Set up Python
+  uses: actions/setup-python@v4
+  with:
+    python-version: '3.11'
+
+- name: Install pre-commit
+  run: pip install pre-commit
+
+- name: Run QA Pre-commit Checks
+  run: .github/skills/scripts/skill-runner.sh qa-precommit-all
+```
+
+### Example 5: Auto-fix Mode
+
+```bash
+# Some hooks can auto-fix issues
+# Run twice: first to fix, second to validate
+.github/skills/scripts/skill-runner.sh qa-precommit-all || \
+.github/skills/scripts/skill-runner.sh qa-precommit-all
+```
+
+## Error Handling
+
+### Common Issues
+
+**Virtual environment not activated**:
+```bash
+Error: pre-commit not found
+Solution: source .venv/bin/activate
+```
+
+**Pre-commit not installed**:
+```bash
+Error: pre-commit command not available
+Solution: pip install pre-commit
+```
+
+**Hooks not installed**:
+```bash
+Error: Run 'pre-commit install'
+Solution: pre-commit install
+```
+
+**Hook execution failed**:
+```bash
+Hook X failed
+Solution: Review error output and fix reported issues
+```
+
+**Language tool missing**:
+```bash
+Error: golangci-lint not found
+Solution: Install required language tools
+```
+
+## Exit Codes
+
+- **0**: All hooks passed
+- **1**: One or more hooks failed
+- **Other**: Hook execution error
+
+## Hook Fixing Strategies
+
+### Auto-fixable Issues
+These hooks automatically fix issues:
+- `trailing-whitespace`
+- `end-of-file-fixer`
+- `black`
+- `isort`
+- `prettier`
+- `gofmt`
+
+**Workflow**: Run pre-commit, review changes, commit fixed files
+
+### Manual Fixes Required
+These hooks only report issues:
+- `check-yaml`
+- `check-json`
+- `flake8`
+- `eslint`
+- `markdownlint`
+- `go-vet`
+- `golangci-lint`
+
+**Workflow**: Review errors, manually fix code, re-run pre-commit
+
+## Related Skills
+
+- [test-backend-coverage](./test-backend-coverage.SKILL.md) - Backend test coverage
+- [test-frontend-coverage](./test-frontend-coverage.SKILL.md) - Frontend test coverage
+- [security-scan-trivy](./security-scan-trivy.SKILL.md) - Security scanning
+
+## Notes
+
+- Pre-commit hooks cache their environments for faster execution
+- First run may be slow while environments are set up
+- Subsequent runs are much faster (seconds vs minutes)
+- Hooks run in parallel where possible
+- Failed hooks stop execution (fail-fast behavior)
+- Use `SKIP` to bypass specific hooks temporarily
+- Recommended to run before every commit
+- Can be integrated into Git pre-commit hook for automatic checks
+- Cache location: `~/.cache/pre-commit` (configurable)
+
+## Performance Tips
+
+- **Initial Setup**: First run takes longer (installing hook environments)
+- **Incremental**: Run on staged files only for faster feedback
+- **Parallel**: Pre-commit runs compatible hooks in parallel
+- **Cache**: Hook environments are cached and reused
+- **Skip**: Use `SKIP` to bypass slow hooks during development
+
+## Integration with Git
+
+To automatically run on every commit:
+
+```bash
+# Install Git pre-commit hook
+pre-commit install
+
+# Now pre-commit runs automatically on git commit
+git commit -m "Your commit message"
+```
+
+To bypass pre-commit hook temporarily:
+
+```bash
+git commit --no-verify -m "Emergency commit"
+```
+
+## Configuration
+
+Pre-commit configuration is in `.pre-commit-config.yaml`. To update hooks:
+
+```bash
+# Update to latest versions
+pre-commit autoupdate
+
+# Clean cache and re-install
+pre-commit clean
+pre-commit install --install-hooks
+```
+
+---
+
+**Last Updated**: 2025-12-20
+**Maintained by**: Charon Project
+**Source**: `pre-commit run --all-files`
@@ -1,8 +1,8 @@
 ---
 # agentskills.io specification v1.0
-name: "qa-precommit-all"
+name: "qa-lefthook-all"
 version: "1.0.0"
-description: "Run all pre-commit hooks for comprehensive code quality validation"
+description: "Run all lefthook pre-commit-phase hooks for comprehensive code quality validation"
 author: "Charon Project"
 license: "MIT"
 tags:
@@ -21,15 +21,11 @@ requirements:
  - name: "python3"
    version: ">=3.8"
    optional: false
-  - name: "pre-commit"
-    version: ">=2.0"
+  - name: "lefthook"
+    version: ">=0.14"
    optional: false
 environment_variables:
-  - name: "PRE_COMMIT_HOME"
-    description: "Pre-commit cache directory"
-    default: "~/.cache/pre-commit"
-    required: false
-  - name: "SKIP"
+    - name: "SKIP"
    description: "Comma-separated list of hook IDs to skip"
    default: ""
    required: false
@@ -60,7 +56,7 @@ metadata:

 ## Overview

-Executes all configured pre-commit hooks to validate code quality, formatting, security, and best practices across the entire codebase. This skill runs checks for Python, Go, JavaScript/TypeScript, Markdown, YAML, and more.
+Executes all configured lefthook pre-commit-phase hooks to validate code quality, formatting, security, and best practices across the entire codebase. This skill runs checks for Python, Go, JavaScript/TypeScript, Markdown, YAML, and more.

 This skill is designed for CI/CD pipelines and local quality validation before committing code.

@@ -76,19 +72,19 @@ This skill is designed for CI/CD pipelines and local quality validation before c

 ### Basic Usage

-Run all hooks on all files:
+Run all pre-commit-phase hooks on all files:

 ```bash
 cd /path/to/charon
-.github/skills/scripts/skill-runner.sh qa-precommit-all
+lefthook run pre-commit
 ```

 ### Staged Files Only

-Run hooks on staged files only (faster):
+Run lefthook on staged files only (faster):

 ```bash
-.github/skills/scripts/skill-runner.sh qa-precommit-all staged
+lefthook run pre-commit --staged
 ```

 ### Specific Hook
@@ -96,7 +92,7 @@ Run hooks on staged files only (faster):
 Run only a specific hook by ID:

 ```bash
-SKIP="" .github/skills/scripts/skill-runner.sh qa-precommit-all trailing-whitespace
+lefthook run pre-commit --hooks=trailing-whitespace
 ```

 ### Skip Specific Hooks
@@ -251,7 +251,7 @@ Solution: Verify source-root points to correct directory

 - [security-scan-trivy](./security-scan-trivy.SKILL.md) - Container/dependency vulnerabilities
 - [security-scan-go-vuln](./security-scan-go-vuln.SKILL.md) - Go-specific CVE checking
- [qa-precommit-all](./qa-precommit-all.SKILL.md) - Pre-commit quality checks
+- [qa-lefthook-all](./qa-lefthook-all.SKILL.md) - Lefthook pre-commit-phase quality checks

 ## CI Alignment

@@ -35,7 +35,7 @@ fi
 # Check Grype
 if ! command -v grype >/dev/null 2>&1; then
    log_error "Grype not found - install from: https://github.com/anchore/grype"
-    log_error "Installation: curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.107.0"
+    log_error "Installation: curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.109.1"
    error_exit "Grype is required for vulnerability scanning" 2
 fi

@@ -50,8 +50,8 @@ SYFT_INSTALLED_VERSION=$(syft version | grep -oP 'Version:\s*\Kv?[0-9]+\.[0-9]+\
 GRYPE_INSTALLED_VERSION=$(grype version | grep -oP 'Version:\s*\Kv?[0-9]+\.[0-9]+\.[0-9]+' | head -1 || echo "unknown")

 # Set defaults matching CI workflow
-set_default_env "SYFT_VERSION" "v1.17.0"
-set_default_env "GRYPE_VERSION" "v0.107.0"
+set_default_env "SYFT_VERSION" "v1.42.2"
+set_default_env "GRYPE_VERSION" "v0.109.1"
 set_default_env "IMAGE_TAG" "charon:local"
 set_default_env "FAIL_ON_SEVERITY" "Critical,High"

@@ -545,7 +545,7 @@ Solution: Add suppression comment: // gorm-scanner:ignore [reason]

 - [security-scan-trivy](./security-scan-trivy.SKILL.md) - Container vulnerability scanning
 - [security-scan-codeql](./security-scan-codeql.SKILL.md) - Static analysis for Go/JS
- [qa-precommit-all](./qa-precommit-all.SKILL.md) - Pre-commit quality checks
+- [qa-lefthook-all](./qa-lefthook-all.SKILL.md) - Lefthook pre-commit-phase quality checks

 ## Best Practices

@@ -227,7 +227,7 @@ Solution: Review and remediate reported vulnerabilities
 ## Related Skills

 - [security-scan-go-vuln](./security-scan-go-vuln.SKILL.md) - Go-specific vulnerability checking
- [qa-precommit-all](./qa-precommit-all.SKILL.md) - Pre-commit quality checks
+- [qa-lefthook-all](./qa-lefthook-all.SKILL.md) - Lefthook pre-commit-phase quality checks

 ## Notes

@@ -32,7 +32,7 @@ cd "${PROJECT_ROOT}"
 validate_project_structure "backend" "scripts/go-test-coverage.sh" || error_exit "Invalid project structure"

 # Set default environment variables
-set_default_env "CHARON_MIN_COVERAGE" "85"
+set_default_env "CHARON_MIN_COVERAGE" "87"
 set_default_env "PERF_MAX_MS_GETSTATUS_P95" "25ms"
 set_default_env "PERF_MAX_MS_GETSTATUS_P95_PARALLEL" "50ms"
 set_default_env "PERF_MAX_MS_LISTDECISIONS_P95" "75ms"
@@ -32,7 +32,7 @@ cd "${PROJECT_ROOT}"
 validate_project_structure "frontend" "scripts/frontend-test-coverage.sh" || error_exit "Invalid project structure"

 # Set default environment variables
-set_default_env "CHARON_MIN_COVERAGE" "85"
+set_default_env "CHARON_MIN_COVERAGE" "87"

 # Execute the legacy script
 log_step "EXECUTION" "Running frontend tests with coverage"
@@ -21,6 +21,6 @@ jobs:
        with:
          ref: ${{ github.event.workflow_run.head_sha || github.sha }}
      - name: Draft Release
-        uses: release-drafter/release-drafter@6db134d15f3909ccc9eefd369f02bd1e9cffdf97 # v6
+        uses: release-drafter/release-drafter@6a93d829887aa2e0748befe2e808c66c0ec6e4c7 # v6
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -3,6 +3,8 @@ name: Go Benchmark
 on:
  pull_request:
  push:
+    branches:
+      - main
  workflow_dispatch:

 concurrency:
@@ -10,7 +12,7 @@ concurrency:
  cancel-in-progress: true

 env:
-  GO_VERSION: '1.26.0'
+  GO_VERSION: '1.26.1'
  GOTOOLCHAIN: auto

 # Minimal permissions at workflow level; write permissions granted at job level for push only
@@ -33,9 +35,10 @@ jobs:
          ref: ${{ github.event.workflow_run.head_sha || github.sha }}

      - name: Set up Go
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
        with:
          go-version: ${{ env.GO_VERSION }}
+
          cache-dependency-path: backend/go.sum

      - name: Run Benchmark
@@ -3,6 +3,8 @@ name: Upload Coverage to Codecov
 on:
  pull_request:
  push:
+    branches:
+      - main
  workflow_dispatch:
    inputs:
      run_backend:
@@ -17,11 +19,11 @@ on:
        type: boolean

 concurrency:
-  group: ${{ github.workflow }}-${{ github.ref_name }}-${{ github.run_id }}
+  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

 env:
-  GO_VERSION: '1.26.0'
+  GO_VERSION: '1.26.1'
  NODE_VERSION: '24.12.0'
  GOTOOLCHAIN: auto

@@ -43,9 +45,10 @@ jobs:
          ref: ${{ github.sha }}

      - name: Set up Go
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
        with:
          go-version: ${{ env.GO_VERSION }}
+
          cache-dependency-path: backend/go.sum

      # SECURITY: Keep pull_request (not pull_request_target) for secret-bearing backend tests.
@@ -152,7 +155,7 @@ jobs:
          ref: ${{ github.sha }}

      - name: Set up Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'
@@ -4,7 +4,7 @@ on:
  pull_request:
    branches: [main, nightly, development]
  push:
-    branches: [main, nightly, development, 'feature/**', 'fix/**']
+    branches: [main]
  workflow_dispatch:
  schedule:
    - cron: '0 3 * * 1' # Mondays 03:00 UTC
@@ -15,6 +15,7 @@ concurrency:

 env:
  GOTOOLCHAIN: auto
+  GO_VERSION: '1.26.1'

 permissions:
  contents: read
@@ -39,14 +40,19 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
-          ref: ${{ github.sha }}
+          # Use github.ref (full ref path) instead of github.ref_name:
+          # - push/schedule: resolves to refs/heads/<branch>, checking out latest HEAD
+          # - pull_request:  resolves to refs/pull/<n>/merge, the correct PR merge ref
+          # github.ref_name fails for PRs because it yields "<n>/merge" which checkout
+          # interprets as a branch name (refs/heads/<n>/merge) that does not exist.
+          ref: ${{ github.ref }}

      - name: Verify CodeQL parity guard
        if: matrix.language == 'go'
        run: bash scripts/ci/check-codeql-parity.sh

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4
+        uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
        with:
          languages: ${{ matrix.language }}
          queries: security-and-quality
@@ -57,9 +63,9 @@ jobs:

      - name: Setup Go
        if: matrix.language == 'go'
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
        with:
-          go-version: 1.26.0
+          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: backend/go.sum

      - name: Verify Go toolchain and build
@@ -86,10 +92,10 @@ jobs:
        run: mkdir -p sarif-results

      - name: Autobuild
-        uses: github/codeql-action/autobuild@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4
+        uses: github/codeql-action/autobuild@0d579ffd059c29b07949a3cce3983f0780820c98 # v4

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4
+        uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
        with:
          category: "/language:${{ matrix.language }}"
          output: sarif-results/${{ matrix.language }}
@@ -122,10 +128,28 @@ jobs:
            exit 1
          fi

+          # shellcheck disable=SC2016
+          EFFECTIVE_LEVELS_JQ='[
+            .runs[] as $run
+            | $run.results[]
+            | . as $result
+            | ($run.tool.driver.rules // []) as $rules
+            | ((
+                $result.level
+                // (if (($result.ruleIndex | type) == "number") then ($rules[$result.ruleIndex].defaultConfiguration.level // empty) else empty end)
+                // ([
+                    $rules[]?
+                    | select((.id // "") == ($result.ruleId // ""))
+                    | (.defaultConfiguration.level // empty)
+                  ][0] // empty)
+                // ""
+              ) | ascii_downcase)
+          ]'
+
          echo "Found SARIF file: $SARIF_FILE"
-          ERROR_COUNT=$(jq '[.runs[].results[] | select(.level == "error")] | length' "$SARIF_FILE")
-          WARNING_COUNT=$(jq '[.runs[].results[] | select(.level == "warning")] | length' "$SARIF_FILE")
-          NOTE_COUNT=$(jq '[.runs[].results[] | select(.level == "note")] | length' "$SARIF_FILE")
+          ERROR_COUNT=$(jq -r "${EFFECTIVE_LEVELS_JQ} | map(select(. == \"error\")) | length" "$SARIF_FILE")
+          WARNING_COUNT=$(jq -r "${EFFECTIVE_LEVELS_JQ} | map(select(. == \"warning\")) | length" "$SARIF_FILE")
+          NOTE_COUNT=$(jq -r "${EFFECTIVE_LEVELS_JQ} | map(select(. == \"note\")) | length" "$SARIF_FILE")

          {
            echo "**Findings:**"
@@ -135,14 +159,32 @@ jobs:
            echo ""

            if [ "$ERROR_COUNT" -gt 0 ]; then
-              echo "❌ **CRITICAL:** High-severity security issues found!"
+              echo "❌ **BLOCKING:** CodeQL error-level security issues found"
              echo ""
              echo "### Top Issues:"
              echo '```'
-              jq -r '.runs[].results[] | select(.level == "error") | "\(.ruleId): \(.message.text)"' "$SARIF_FILE" | head -5
+              # shellcheck disable=SC2016
+              jq -r '
+                .runs[] as $run
+                | $run.results[]
+                | . as $result
+                | ($run.tool.driver.rules // []) as $rules
+                | ((
+                    $result.level
+                    // (if (($result.ruleIndex | type) == "number") then ($rules[$result.ruleIndex].defaultConfiguration.level // empty) else empty end)
+                    // ([
+                        $rules[]?
+                        | select((.id // "") == ($result.ruleId // ""))
+                        | (.defaultConfiguration.level // empty)
+                      ][0] // empty)
+                    // ""
+                  ) | ascii_downcase) as $effectiveLevel
+                | select($effectiveLevel == "error")
+                | "\($effectiveLevel): \($result.ruleId // \"<unknown-rule>\"): \($result.message.text)"
+              ' "$SARIF_FILE" | head -5
              echo '```'
            else
-              echo "✅ No high-severity issues found"
+              echo "✅ No blocking CodeQL issues found"
            fi
          } >> "$GITHUB_STEP_SUMMARY"

@@ -169,9 +211,26 @@ jobs:
            exit 1
          fi

-          ERROR_COUNT=$(jq '[.runs[].results[] | select(.level == "error")] | length' "$SARIF_FILE")
+          # shellcheck disable=SC2016
+          ERROR_COUNT=$(jq -r '[
+            .runs[] as $run
+            | $run.results[]
+            | . as $result
+            | ($run.tool.driver.rules // []) as $rules
+            | ((
+                $result.level
+                // (if (($result.ruleIndex | type) == "number") then ($rules[$result.ruleIndex].defaultConfiguration.level // empty) else empty end)
+                // ([
+                    $rules[]?
+                    | select((.id // "") == ($result.ruleId // ""))
+                    | (.defaultConfiguration.level // empty)
+                  ][0] // empty)
+                // ""
+              ) | ascii_downcase) as $effectiveLevel
+            | select($effectiveLevel == "error")
+          ] | length' "$SARIF_FILE")

          if [ "$ERROR_COUNT" -gt 0 ]; then
-            echo "::error::CodeQL found $ERROR_COUNT high-severity security issues. Fix before merging."
+            echo "::error::CodeQL found $ERROR_COUNT blocking findings (effective-level=error). Fix before merging. Policy: .github/security-severity-policy.yml"
            exit 1
          fi
@@ -5,10 +5,6 @@ on:
    - cron: '0 3 * * 0' # Weekly: Sundays at 03:00 UTC
  workflow_dispatch:
    inputs:
-      registries:
-        description: 'Comma-separated registries to prune (ghcr,dockerhub)'
-        required: false
-        default: 'ghcr,dockerhub'
      keep_days:
        description: 'Number of days to retain images (unprotected)'
        required: false
@@ -27,16 +23,17 @@ permissions:
  contents: read

 jobs:
-  prune:
+  prune-ghcr:
    runs-on: ubuntu-latest
    env:
      OWNER: ${{ github.repository_owner }}
      IMAGE_NAME: charon
-      REGISTRIES: ${{ github.event.inputs.registries || 'ghcr,dockerhub' }}
      KEEP_DAYS: ${{ github.event.inputs.keep_days || '30' }}
      KEEP_LAST_N: ${{ github.event.inputs.keep_last_n || '30' }}
-      DRY_RUN: ${{ github.event.inputs.dry_run || 'false' }}
-      PROTECTED_REGEX: '["^v","^latest$","^main$","^develop$"]'
+      DRY_RUN: ${{ github.event_name == 'pull_request' && 'true' || github.event.inputs.dry_run || 'false' }}
+      PROTECTED_REGEX: '["^v?[0-9]+\\.[0-9]+\\.[0-9]+$","^latest$","^main$","^develop$"]'
+      PRUNE_UNTAGGED: 'true'
+      PRUNE_SBOM_TAGS: 'true'
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
@@ -45,21 +42,19 @@ jobs:
        run: |
          sudo apt-get update && sudo apt-get install -y jq curl

-      - name: Run container prune
+      - name: Run GHCR prune
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
-          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
        run: |
-          chmod +x scripts/prune-container-images.sh
-          ./scripts/prune-container-images.sh 2>&1 | tee prune-${{ github.run_id }}.log
+          chmod +x scripts/prune-ghcr.sh
+          ./scripts/prune-ghcr.sh 2>&1 | tee prune-ghcr-${{ github.run_id }}.log

-      - name: Summarize prune results (space reclaimed)
-        if: ${{ always() }}
+      - name: Summarize GHCR results
+        if: always()
        run: |
          set -euo pipefail
-          SUMMARY_FILE=prune-summary.env
-          LOG_FILE=prune-${{ github.run_id }}.log
+          SUMMARY_FILE=prune-summary-ghcr.env
+          LOG_FILE=prune-ghcr-${{ github.run_id }}.log

          human() {
            local bytes=${1:-0}
@@ -67,7 +62,7 @@ jobs:
              echo "0 B"
              return
            fi
-            awk -v b="$bytes" 'function human(x){ split("B KiB MiB GiB TiB",u," "); i=0; while(x>1024){x/=1024;i++} printf "%0.2f %s", x, u[i+1]} END{human(b)}'
+            awk -v b="$bytes" 'BEGIN { split("B KiB MiB GiB TiB",u," "); i=0; x=b; while(x>1024){x/=1024;i++} printf "%0.2f %s", x, u[i+1] }'
          }

          if [ -f "$SUMMARY_FILE" ]; then
@@ -77,34 +72,155 @@ jobs:
            TOTAL_DELETED_BYTES=$(grep -E '^TOTAL_DELETED_BYTES=' "$SUMMARY_FILE" | cut -d= -f2 || echo 0)

            {
-              echo "## Container prune summary"
+              echo "## GHCR prune summary"
              echo "- candidates: ${TOTAL_CANDIDATES} (≈ $(human "${TOTAL_CANDIDATES_BYTES}"))"
              echo "- deleted: ${TOTAL_DELETED} (≈ $(human "${TOTAL_DELETED_BYTES}"))"
            } >> "$GITHUB_STEP_SUMMARY"
-
-            printf 'PRUNE_SUMMARY: candidates=%s candidates_bytes=%s deleted=%s deleted_bytes=%s\n' \
-              "${TOTAL_CANDIDATES}" "${TOTAL_CANDIDATES_BYTES}" "${TOTAL_DELETED}" "${TOTAL_DELETED_BYTES}"
-            echo "Deleted approximately: $(human "${TOTAL_DELETED_BYTES}")"
-            echo "space_saved=$(human "${TOTAL_DELETED_BYTES}")" >> "$GITHUB_OUTPUT"
          else
            deleted_bytes=$(grep -oE '\( *approx +[0-9]+ bytes\)' "$LOG_FILE" | sed -E 's/.*approx +([0-9]+) bytes.*/\1/' | awk '{s+=$1} END {print s+0}' || true)
            deleted_count=$(grep -cE 'deleting |DRY RUN: would delete' "$LOG_FILE" || true)

            {
-              echo "## Container prune summary"
+              echo "## GHCR prune summary"
              echo "- deleted (approx): ${deleted_count} (≈ $(human "${deleted_bytes}"))"
            } >> "$GITHUB_STEP_SUMMARY"
-
-            printf 'PRUNE_SUMMARY: deleted_approx=%s deleted_bytes=%s\n' "${deleted_count}" "${deleted_bytes}"
-            echo "Deleted approximately: $(human "${deleted_bytes}")"
-            echo "space_saved=$(human "${deleted_bytes}")" >> "$GITHUB_OUTPUT"
          fi

-      - name: Upload prune artifacts
-        if: ${{ always() }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+      - name: Upload GHCR prune artifacts
+        if: always()
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
-          name: prune-log-${{ github.run_id }}
+          name: prune-ghcr-log-${{ github.run_id }}
          path: |
-            prune-${{ github.run_id }}.log
-            prune-summary.env
+            prune-ghcr-${{ github.run_id }}.log
+            prune-summary-ghcr.env
+
+  prune-dockerhub:
+    runs-on: ubuntu-latest
+    env:
+      OWNER: ${{ github.repository_owner }}
+      IMAGE_NAME: charon
+      KEEP_DAYS: ${{ github.event.inputs.keep_days || '30' }}
+      KEEP_LAST_N: ${{ github.event.inputs.keep_last_n || '30' }}
+      DRY_RUN: ${{ github.event_name == 'pull_request' && 'true' || github.event.inputs.dry_run || 'false' }}
+      PROTECTED_REGEX: '["^v?[0-9]+\\.[0-9]+\\.[0-9]+$","^latest$","^main$","^develop$"]'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Install tools
+        run: |
+          sudo apt-get update && sudo apt-get install -y jq curl
+
+      - name: Run Docker Hub prune
+        env:
+          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+        run: |
+          chmod +x scripts/prune-dockerhub.sh
+          ./scripts/prune-dockerhub.sh 2>&1 | tee prune-dockerhub-${{ github.run_id }}.log
+
+      - name: Summarize Docker Hub results
+        if: always()
+        run: |
+          set -euo pipefail
+          SUMMARY_FILE=prune-summary-dockerhub.env
+          LOG_FILE=prune-dockerhub-${{ github.run_id }}.log
+
+          human() {
+            local bytes=${1:-0}
+            if [ -z "$bytes" ] || [ "$bytes" -eq 0 ]; then
+              echo "0 B"
+              return
+            fi
+            awk -v b="$bytes" 'BEGIN { split("B KiB MiB GiB TiB",u," "); i=0; x=b; while(x>1024){x/=1024;i++} printf "%0.2f %s", x, u[i+1] }'
+          }
+
+          if [ -f "$SUMMARY_FILE" ]; then
+            TOTAL_CANDIDATES=$(grep -E '^TOTAL_CANDIDATES=' "$SUMMARY_FILE" | cut -d= -f2 || echo 0)
+            TOTAL_CANDIDATES_BYTES=$(grep -E '^TOTAL_CANDIDATES_BYTES=' "$SUMMARY_FILE" | cut -d= -f2 || echo 0)
+            TOTAL_DELETED=$(grep -E '^TOTAL_DELETED=' "$SUMMARY_FILE" | cut -d= -f2 || echo 0)
+            TOTAL_DELETED_BYTES=$(grep -E '^TOTAL_DELETED_BYTES=' "$SUMMARY_FILE" | cut -d= -f2 || echo 0)
+
+            {
+              echo "## Docker Hub prune summary"
+              echo "- candidates: ${TOTAL_CANDIDATES} (≈ $(human "${TOTAL_CANDIDATES_BYTES}"))"
+              echo "- deleted: ${TOTAL_DELETED} (≈ $(human "${TOTAL_DELETED_BYTES}"))"
+            } >> "$GITHUB_STEP_SUMMARY"
+          else
+            deleted_bytes=$(grep -oE '\( *approx +[0-9]+ bytes\)' "$LOG_FILE" | sed -E 's/.*approx +([0-9]+) bytes.*/\1/' | awk '{s+=$1} END {print s+0}' || true)
+            deleted_count=$(grep -cE 'deleting |DRY RUN: would delete' "$LOG_FILE" || true)
+
+            {
+              echo "## Docker Hub prune summary"
+              echo "- deleted (approx): ${deleted_count} (≈ $(human "${deleted_bytes}"))"
+            } >> "$GITHUB_STEP_SUMMARY"
+          fi
+
+      - name: Upload Docker Hub prune artifacts
+        if: always()
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        with:
+          name: prune-dockerhub-log-${{ github.run_id }}
+          path: |
+            prune-dockerhub-${{ github.run_id }}.log
+            prune-summary-dockerhub.env
+
+  summarize:
+    runs-on: ubuntu-latest
+    needs: [prune-ghcr, prune-dockerhub]
+    if: always()
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        with:
+          pattern: prune-*-log-${{ github.run_id }}
+          merge-multiple: true
+
+      - name: Combined summary
+        run: |
+          set -euo pipefail
+
+          human() {
+            local bytes=${1:-0}
+            if [ -z "$bytes" ] || [ "$bytes" -eq 0 ]; then
+              echo "0 B"
+              return
+            fi
+            awk -v b="$bytes" 'BEGIN { split("B KiB MiB GiB TiB",u," "); i=0; x=b; while(x>1024){x/=1024;i++} printf "%0.2f %s", x, u[i+1] }'
+          }
+
+          GHCR_CANDIDATES=0 GHCR_CANDIDATES_BYTES=0 GHCR_DELETED=0 GHCR_DELETED_BYTES=0
+          if [ -f prune-summary-ghcr.env ]; then
+            GHCR_CANDIDATES=$(grep -E '^TOTAL_CANDIDATES=' prune-summary-ghcr.env | cut -d= -f2 || echo 0)
+            GHCR_CANDIDATES_BYTES=$(grep -E '^TOTAL_CANDIDATES_BYTES=' prune-summary-ghcr.env | cut -d= -f2 || echo 0)
+            GHCR_DELETED=$(grep -E '^TOTAL_DELETED=' prune-summary-ghcr.env | cut -d= -f2 || echo 0)
+            GHCR_DELETED_BYTES=$(grep -E '^TOTAL_DELETED_BYTES=' prune-summary-ghcr.env | cut -d= -f2 || echo 0)
+          fi
+
+          HUB_CANDIDATES=0 HUB_CANDIDATES_BYTES=0 HUB_DELETED=0 HUB_DELETED_BYTES=0
+          if [ -f prune-summary-dockerhub.env ]; then
+            HUB_CANDIDATES=$(grep -E '^TOTAL_CANDIDATES=' prune-summary-dockerhub.env | cut -d= -f2 || echo 0)
+            HUB_CANDIDATES_BYTES=$(grep -E '^TOTAL_CANDIDATES_BYTES=' prune-summary-dockerhub.env | cut -d= -f2 || echo 0)
+            HUB_DELETED=$(grep -E '^TOTAL_DELETED=' prune-summary-dockerhub.env | cut -d= -f2 || echo 0)
+            HUB_DELETED_BYTES=$(grep -E '^TOTAL_DELETED_BYTES=' prune-summary-dockerhub.env | cut -d= -f2 || echo 0)
+          fi
+
+          TOTAL_CANDIDATES=$((GHCR_CANDIDATES + HUB_CANDIDATES))
+          TOTAL_CANDIDATES_BYTES=$((GHCR_CANDIDATES_BYTES + HUB_CANDIDATES_BYTES))
+          TOTAL_DELETED=$((GHCR_DELETED + HUB_DELETED))
+          TOTAL_DELETED_BYTES=$((GHCR_DELETED_BYTES + HUB_DELETED_BYTES))
+
+          {
+            echo "## Combined container prune summary"
+            echo ""
+            echo "| Registry | Candidates | Deleted | Space Reclaimed |"
+            echo "|----------|------------|---------|-----------------|"
+            echo "| GHCR | ${GHCR_CANDIDATES} | ${GHCR_DELETED} | $(human "${GHCR_DELETED_BYTES}") |"
+            echo "| Docker Hub | ${HUB_CANDIDATES} | ${HUB_DELETED} | $(human "${HUB_DELETED_BYTES}") |"
+            echo "| **Total** | **${TOTAL_CANDIDATES}** | **${TOTAL_DELETED}** | **$(human "${TOTAL_DELETED_BYTES}")** |"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+          printf 'PRUNE_SUMMARY: candidates=%s candidates_bytes=%s deleted=%s deleted_bytes=%s\n' \
+            "${TOTAL_CANDIDATES}" "${TOTAL_CANDIDATES_BYTES}" "${TOTAL_DELETED}" "${TOTAL_DELETED_BYTES}"
+          echo "Total space reclaimed: $(human "${TOTAL_DELETED_BYTES}")"
@@ -23,7 +23,11 @@ name: Docker Build, Publish & Test
 on:
  pull_request:
  push:
+    branches: [main]
  workflow_dispatch:
+  workflow_run:
+    workflows: ["Docker Lint"]
+    types: [completed]

 concurrency:
  group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.head_ref || github.ref_name }}
@@ -38,7 +42,7 @@ env:
  TRIGGER_HEAD_SHA: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.sha }}
  TRIGGER_REF: ${{ github.event_name == 'workflow_run' && format('refs/heads/{0}', github.event.workflow_run.head_branch) || github.ref }}
  TRIGGER_HEAD_REF: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.head_ref }}
-  TRIGGER_PR_NUMBER: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.pull_requests[0].number || github.event.pull_request.number }}
+  TRIGGER_PR_NUMBER: ${{ github.event_name == 'workflow_run' && join(github.event.workflow_run.pull_requests.*.number, '') || github.event.pull_request.number }}
  TRIGGER_ACTOR: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.actor.login || github.actor }}

 jobs:
@@ -111,21 +115,22 @@ jobs:

      - name: Set up QEMU
        if: steps.skip.outputs.skip_build != 'true'
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      - name: Set up Docker Buildx
        if: steps.skip.outputs.skip_build != 'true'
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - name: Resolve Alpine base image digest
        if: steps.skip.outputs.skip_build != 'true'
-        id: caddy
+        id: alpine
        run: |
-          docker pull alpine:3.23.3
-          DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' alpine:3.23.3)
+          ALPINE_TAG=$(grep -m1 'ARG ALPINE_IMAGE=' Dockerfile | sed 's/ARG ALPINE_IMAGE=alpine://' | cut -d'@' -f1)
+          docker pull "alpine:${ALPINE_TAG}"
+          DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "alpine:${ALPINE_TAG}")
          echo "image=$DIGEST" >> "$GITHUB_OUTPUT"

      - name: Log in to GitHub Container Registry
        if: steps.skip.outputs.skip_build != 'true'
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          registry: ${{ env.GHCR_REGISTRY }}
          username: ${{ github.actor }}
@@ -133,7 +138,7 @@ jobs:

      - name: Log in to Docker Hub
        if: steps.skip.outputs.skip_build != 'true' && env.HAS_DOCKERHUB_TOKEN == 'true'
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          registry: docker.io
          username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -195,7 +200,7 @@ jobs:

      - name: Generate Docker metadata
        id: meta
-        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
        with:
          images: |
            ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -267,7 +272,7 @@ jobs:
              --build-arg "VERSION=${{ steps.meta.outputs.version }}"
              --build-arg "BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}"
              --build-arg "VCS_REF=${{ env.TRIGGER_HEAD_SHA }}"
-              --build-arg "CADDY_IMAGE=${{ steps.caddy.outputs.image }}"
+              --build-arg "ALPINE_IMAGE=${{ steps.alpine.outputs.image }}"
              --iidfile /tmp/image-digest.txt
              .
            )
@@ -339,7 +344,7 @@ jobs:

      - name: Upload Image Artifact
        if: success() && steps.skip.outputs.skip_build != 'true' && env.TRIGGER_EVENT == 'pull_request'
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: ${{ env.TRIGGER_EVENT == 'pull_request' && format('pr-image-{0}', env.TRIGGER_PR_NUMBER) || 'push-image' }}
          path: /tmp/charon-pr-image.tar
@@ -527,23 +532,25 @@ jobs:

      - name: Run Trivy scan (table output)
        if: env.TRIGGER_EVENT != 'pull_request' && steps.skip.outputs.skip_build != 'true' && steps.skip.outputs.is_feature_push != 'true'
-        uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # 0.34.1
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
        with:
          image-ref: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
          format: 'table'
          severity: 'CRITICAL,HIGH'
          exit-code: '0'
+          version: 'v0.69.3'
        continue-on-error: true

      - name: Run Trivy vulnerability scanner (SARIF)
        if: env.TRIGGER_EVENT != 'pull_request' && steps.skip.outputs.skip_build != 'true' && steps.skip.outputs.is_feature_push != 'true'
        id: trivy
-        uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # 0.34.1
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
        with:
          image-ref: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
+          version: 'v0.69.3'
        continue-on-error: true

      - name: Check Trivy SARIF exists
@@ -558,15 +565,16 @@ jobs:

      - name: Upload Trivy results
        if: env.TRIGGER_EVENT != 'pull_request' && steps.skip.outputs.skip_build != 'true' && steps.trivy-check.outputs.exists == 'true'
-        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
        with:
          sarif_file: 'trivy-results.sarif'
+          category: '.github/workflows/docker-build.yml:build-and-push'
          token: ${{ secrets.GITHUB_TOKEN }}

      # Generate SBOM (Software Bill of Materials) for supply chain security
      # Only for production builds (main/development) - feature branches use downstream supply-chain-pr.yml
      - name: Generate SBOM
-        uses: anchore/sbom-action@28d71544de8eaf1b958d335707167c5f783590ad # v0.22.2
+        uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1
        if: env.TRIGGER_EVENT != 'pull_request' && steps.skip.outputs.skip_build != 'true' && steps.skip.outputs.is_feature_push != 'true'
        with:
          image: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
@@ -575,7 +583,7 @@ jobs:

      # Create verifiable attestation for the SBOM
      - name: Attest SBOM
-        uses: actions/attest-sbom@4651f806c01d8637787e274ac3bdf724ef169f34 # v3.0.0
+        uses: actions/attest-sbom@07e74fc4e78d1aad915e867f9a094073a9f71527 # v4.0.0
        if: env.TRIGGER_EVENT != 'pull_request' && steps.skip.outputs.skip_build != 'true' && steps.skip.outputs.is_feature_push != 'true'
        with:
          subject-name: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -586,7 +594,7 @@ jobs:
      # Install Cosign for keyless signing
      - name: Install Cosign
        if: env.TRIGGER_EVENT != 'pull_request' && steps.skip.outputs.skip_build != 'true' && steps.skip.outputs.is_feature_push != 'true'
-        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+        uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0

      # Sign GHCR image with keyless signing (Sigstore/Fulcio)
      - name: Sign GHCR Image
@@ -652,7 +660,7 @@ jobs:
          echo "image_ref=${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:${PR_TAG}" >> "$GITHUB_OUTPUT"

      - name: Log in to GitHub Container Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          registry: ${{ env.GHCR_REGISTRY }}
          username: ${{ github.actor }}
@@ -684,31 +692,67 @@ jobs:
          echo "✅ Image freshness validated"

      - name: Run Trivy scan on PR image (table output)
-        uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # 0.34.1
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
        with:
          image-ref: ${{ steps.pr-image.outputs.image_ref }}
          format: 'table'
          severity: 'CRITICAL,HIGH'
          exit-code: '0'
+          version: 'v0.69.3'

      - name: Run Trivy scan on PR image (SARIF - blocking)
        id: trivy-scan
-        uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # 0.34.1
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
        with:
          image-ref: ${{ steps.pr-image.outputs.image_ref }}
          format: 'sarif'
          output: 'trivy-pr-results.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'  # Intended to block, but continued on error for now
+          version: 'v0.69.3'
        continue-on-error: true

-      - name: Upload Trivy scan results
+      - name: Check Trivy PR SARIF exists
        if: always()
-        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        id: trivy-pr-check
+        run: |
+          if [ -f trivy-pr-results.sarif ]; then
+            echo "exists=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "exists=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Upload Trivy scan results
+        if: always() && steps.trivy-pr-check.outputs.exists == 'true'
+        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
        with:
          sarif_file: 'trivy-pr-results.sarif'
          category: 'docker-pr-image'

+      - name: Upload Trivy compatibility results (docker-build category)
+        if: always() && steps.trivy-pr-check.outputs.exists == 'true'
+        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        with:
+          sarif_file: 'trivy-pr-results.sarif'
+          category: '.github/workflows/docker-build.yml:build-and-push'
+        continue-on-error: true
+
+      - name: Upload Trivy compatibility results (docker-publish alias)
+        if: always() && steps.trivy-pr-check.outputs.exists == 'true'
+        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        with:
+          sarif_file: 'trivy-pr-results.sarif'
+          category: '.github/workflows/docker-publish.yml:build-and-push'
+        continue-on-error: true
+
+      - name: Upload Trivy compatibility results (nightly alias)
+        if: always() && steps.trivy-pr-check.outputs.exists == 'true'
+        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        with:
+          sarif_file: 'trivy-pr-results.sarif'
+          category: 'trivy-nightly'
+        continue-on-error: true
+
      - name: Create scan summary
        if: always()
        run: |
@@ -44,7 +44,7 @@ jobs:
          ref: ${{ github.event.workflow_run.head_sha || github.sha }}

      - name: Set up Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: ${{ env.NODE_VERSION }}

@@ -38,7 +38,7 @@ jobs:

      # Step 2: Set up Node.js (for building any JS-based doc tools)
      - name: 🔧 Set up Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: ${{ env.NODE_VERSION }}

@@ -80,11 +80,10 @@ on:
        default: false
        type: boolean
  pull_request:
-  push:

 env:
  NODE_VERSION: '20'
-  GO_VERSION: '1.26.0'
+  GO_VERSION: '1.26.1'
  GOTOOLCHAIN: auto
  DOCKERHUB_REGISTRY: docker.io
  IMAGE_NAME: ${{ github.repository_owner }}/charon
@@ -96,7 +95,7 @@ env:
  CI_LOG_LEVEL: 'verbose'

 concurrency:
-  group: e2e-split-${{ github.workflow }}-${{ github.ref }}-${{ github.event.pull_request.head.sha || github.sha }}
+  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

 jobs:
@@ -143,15 +142,16 @@ jobs:

      - name: Set up Go
        if: steps.resolve-image.outputs.image_source == 'build'
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
        with:
          go-version: ${{ env.GO_VERSION }}
+
          cache: true
          cache-dependency-path: backend/go.sum

      - name: Set up Node.js
        if: steps.resolve-image.outputs.image_source == 'build'
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'
@@ -170,12 +170,12 @@ jobs:

      - name: Set up Docker Buildx
        if: steps.resolve-image.outputs.image_source == 'build'
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4

      - name: Build Docker image
        id: build-image
        if: steps.resolve-image.outputs.image_source == 'build'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
        with:
          context: .
          file: ./Dockerfile
@@ -191,7 +191,7 @@ jobs:

      - name: Upload Docker image artifact
        if: steps.resolve-image.outputs.image_source == 'build'
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: docker-image
          path: charon-e2e-image.tar
@@ -225,14 +225,15 @@ jobs:
          ref: ${{ github.sha }}

      - name: Set up Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'

+
      - name: Log in to Docker Hub
        if: needs.build.outputs.image_source == 'registry'
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          registry: ${{ env.DOCKERHUB_REGISTRY }}
          username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -247,7 +248,7 @@ jobs:

      - name: Download Docker image artifact
        if: needs.build.outputs.image_source == 'build'
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: docker-image

@@ -347,7 +348,7 @@ jobs:

      - name: Upload HTML report (Chromium Security)
        if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: playwright-report-chromium-security
          path: playwright-report/
@@ -355,7 +356,7 @@ jobs:

      - name: Upload Chromium Security coverage (if enabled)
        if: always() && (inputs.playwright_coverage == 'true' || vars.PLAYWRIGHT_COVERAGE == '1')
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: e2e-coverage-chromium-security
          path: coverage/e2e/
@@ -363,7 +364,7 @@ jobs:

      - name: Upload test traces on failure
        if: failure()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: traces-chromium-security
          path: test-results/**/*.zip
@@ -382,7 +383,7 @@ jobs:

      - name: Upload diagnostics
        if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: e2e-diagnostics-chromium-security
          path: diagnostics/
@@ -395,7 +396,7 @@ jobs:

      - name: Upload Docker logs on failure
        if: failure()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: docker-logs-chromium-security
          path: docker-logs-chromium-security.txt
@@ -426,14 +427,15 @@ jobs:
          ref: ${{ github.sha }}

      - name: Set up Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'

+
      - name: Log in to Docker Hub
        if: needs.build.outputs.image_source == 'registry'
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          registry: ${{ env.DOCKERHUB_REGISTRY }}
          username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -448,7 +450,7 @@ jobs:

      - name: Download Docker image artifact
        if: needs.build.outputs.image_source == 'build'
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: docker-image

@@ -556,7 +558,7 @@ jobs:

      - name: Upload HTML report (Firefox Security)
        if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: playwright-report-firefox-security
          path: playwright-report/
@@ -564,7 +566,7 @@ jobs:

      - name: Upload Firefox Security coverage (if enabled)
        if: always() && (inputs.playwright_coverage == 'true' || vars.PLAYWRIGHT_COVERAGE == '1')
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: e2e-coverage-firefox-security
          path: coverage/e2e/
@@ -572,7 +574,7 @@ jobs:

      - name: Upload test traces on failure
        if: failure()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: traces-firefox-security
          path: test-results/**/*.zip
@@ -591,7 +593,7 @@ jobs:

      - name: Upload diagnostics
        if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: e2e-diagnostics-firefox-security
          path: diagnostics/
@@ -604,7 +606,7 @@ jobs:

      - name: Upload Docker logs on failure
        if: failure()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: docker-logs-firefox-security
          path: docker-logs-firefox-security.txt
@@ -635,14 +637,15 @@ jobs:
          ref: ${{ github.sha }}

      - name: Set up Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'

+
      - name: Log in to Docker Hub
        if: needs.build.outputs.image_source == 'registry'
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          registry: ${{ env.DOCKERHUB_REGISTRY }}
          username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -657,7 +660,7 @@ jobs:

      - name: Download Docker image artifact
        if: needs.build.outputs.image_source == 'build'
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: docker-image

@@ -765,7 +768,7 @@ jobs:

      - name: Upload HTML report (WebKit Security)
        if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: playwright-report-webkit-security
          path: playwright-report/
@@ -773,7 +776,7 @@ jobs:

      - name: Upload WebKit Security coverage (if enabled)
        if: always() && (inputs.playwright_coverage == 'true' || vars.PLAYWRIGHT_COVERAGE == '1')
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: e2e-coverage-webkit-security
          path: coverage/e2e/
@@ -781,7 +784,7 @@ jobs:

      - name: Upload test traces on failure
        if: failure()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: traces-webkit-security
          path: test-results/**/*.zip
@@ -800,7 +803,7 @@ jobs:

      - name: Upload diagnostics
        if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: e2e-diagnostics-webkit-security
          path: diagnostics/
@@ -813,7 +816,7 @@ jobs:

      - name: Upload Docker logs on failure
        if: failure()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: docker-logs-webkit-security
          path: docker-logs-webkit-security.txt
@@ -856,14 +859,47 @@ jobs:
          ref: ${{ github.sha }}

      - name: Set up Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'

+      - name: Preflight disk diagnostics (before cleanup)
+        run: |
+          echo "Disk usage before cleanup"
+          df -h
+          docker system df || true
+
+      - name: Preflight cleanup (best effort)
+        run: |
+          echo "Best-effort cleanup for CI runner"
+          docker system prune -af || true
+          rm -rf playwright-report playwright-output coverage/e2e test-results diagnostics || true
+          rm -f docker-logs-*.txt charon-e2e-image.tar || true
+
+      - name: Preflight disk diagnostics and threshold gate
+        run: |
+          set -euo pipefail
+          MIN_FREE_BYTES=$((5 * 1024 * 1024 * 1024))
+          echo "Disk usage after cleanup"
+          df -h
+          docker system df || true
+
+          WORKSPACE_PATH="${GITHUB_WORKSPACE:-$PWD}"
+          FREE_ROOT_BYTES=$(df -PB1 / | awk 'NR==2 {print $4}')
+          FREE_WORKSPACE_BYTES=$(df -PB1 "$WORKSPACE_PATH" | awk 'NR==2 {print $4}')
+
+          echo "Free bytes on /: $FREE_ROOT_BYTES"
+          echo "Free bytes on workspace ($WORKSPACE_PATH): $FREE_WORKSPACE_BYTES"
+
+          if [ "$FREE_ROOT_BYTES" -lt "$MIN_FREE_BYTES" ] || [ "$FREE_WORKSPACE_BYTES" -lt "$MIN_FREE_BYTES" ]; then
+            echo "::error::[CI_DISK_PRESSURE] Insufficient free disk after cleanup. Required >= 5GiB on both / and workspace. root=${FREE_ROOT_BYTES}B workspace=${FREE_WORKSPACE_BYTES}B"
+            exit 42
+          fi
+
      - name: Log in to Docker Hub
        if: needs.build.outputs.image_source == 'registry'
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          registry: ${{ env.DOCKERHUB_REGISTRY }}
          username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -878,7 +914,7 @@ jobs:

      - name: Download Docker image artifact
        if: needs.build.outputs.image_source == 'build'
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: docker-image

@@ -968,7 +1004,7 @@ jobs:

      - name: Upload HTML report (Chromium shard ${{ matrix.shard }})
        if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: playwright-report-chromium-shard-${{ matrix.shard }}
          path: playwright-report/
@@ -976,7 +1012,7 @@ jobs:

      - name: Upload Playwright output (Chromium shard ${{ matrix.shard }})
        if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: playwright-output-chromium-shard-${{ matrix.shard }}
          path: playwright-output/chromium-shard-${{ matrix.shard }}/
@@ -984,7 +1020,7 @@ jobs:

      - name: Upload Chromium coverage (if enabled)
        if: always() && (inputs.playwright_coverage == 'true' || vars.PLAYWRIGHT_COVERAGE == '1')
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: e2e-coverage-chromium-shard-${{ matrix.shard }}
          path: coverage/e2e/
@@ -992,7 +1028,7 @@ jobs:

      - name: Upload test traces on failure
        if: failure()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: traces-chromium-shard-${{ matrix.shard }}
          path: test-results/**/*.zip
@@ -1011,7 +1047,7 @@ jobs:

      - name: Upload diagnostics
        if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: e2e-diagnostics-chromium-shard-${{ matrix.shard }}
          path: diagnostics/
@@ -1024,7 +1060,7 @@ jobs:

      - name: Upload Docker logs on failure
        if: failure()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: docker-logs-chromium-shard-${{ matrix.shard }}
          path: docker-logs-chromium-shard-${{ matrix.shard }}.txt
@@ -1060,14 +1096,47 @@ jobs:
          ref: ${{ github.sha }}

      - name: Set up Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'

+      - name: Preflight disk diagnostics (before cleanup)
+        run: |
+          echo "Disk usage before cleanup"
+          df -h
+          docker system df || true
+
+      - name: Preflight cleanup (best effort)
+        run: |
+          echo "Best-effort cleanup for CI runner"
+          docker system prune -af || true
+          rm -rf playwright-report playwright-output coverage/e2e test-results diagnostics || true
+          rm -f docker-logs-*.txt charon-e2e-image.tar || true
+
+      - name: Preflight disk diagnostics and threshold gate
+        run: |
+          set -euo pipefail
+          MIN_FREE_BYTES=$((5 * 1024 * 1024 * 1024))
+          echo "Disk usage after cleanup"
+          df -h
+          docker system df || true
+
+          WORKSPACE_PATH="${GITHUB_WORKSPACE:-$PWD}"
+          FREE_ROOT_BYTES=$(df -PB1 / | awk 'NR==2 {print $4}')
+          FREE_WORKSPACE_BYTES=$(df -PB1 "$WORKSPACE_PATH" | awk 'NR==2 {print $4}')
+
+          echo "Free bytes on /: $FREE_ROOT_BYTES"
+          echo "Free bytes on workspace ($WORKSPACE_PATH): $FREE_WORKSPACE_BYTES"
+
+          if [ "$FREE_ROOT_BYTES" -lt "$MIN_FREE_BYTES" ] || [ "$FREE_WORKSPACE_BYTES" -lt "$MIN_FREE_BYTES" ]; then
+            echo "::error::[CI_DISK_PRESSURE] Insufficient free disk after cleanup. Required >= 5GiB on both / and workspace. root=${FREE_ROOT_BYTES}B workspace=${FREE_WORKSPACE_BYTES}B"
+            exit 42
+          fi
+
      - name: Log in to Docker Hub
        if: needs.build.outputs.image_source == 'registry'
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          registry: ${{ env.DOCKERHUB_REGISTRY }}
          username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -1082,7 +1151,7 @@ jobs:

      - name: Download Docker image artifact
        if: needs.build.outputs.image_source == 'build'
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: docker-image

@@ -1180,7 +1249,7 @@ jobs:

      - name: Upload HTML report (Firefox shard ${{ matrix.shard }})
        if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: playwright-report-firefox-shard-${{ matrix.shard }}
          path: playwright-report/
@@ -1188,7 +1257,7 @@ jobs:

      - name: Upload Playwright output (Firefox shard ${{ matrix.shard }})
        if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: playwright-output-firefox-shard-${{ matrix.shard }}
          path: playwright-output/firefox-shard-${{ matrix.shard }}/
@@ -1196,7 +1265,7 @@ jobs:

      - name: Upload Firefox coverage (if enabled)
        if: always() && (inputs.playwright_coverage == 'true' || vars.PLAYWRIGHT_COVERAGE == '1')
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: e2e-coverage-firefox-shard-${{ matrix.shard }}
          path: coverage/e2e/
@@ -1204,7 +1273,7 @@ jobs:

      - name: Upload test traces on failure
        if: failure()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: traces-firefox-shard-${{ matrix.shard }}
          path: test-results/**/*.zip
@@ -1223,7 +1292,7 @@ jobs:

      - name: Upload diagnostics
        if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: e2e-diagnostics-firefox-shard-${{ matrix.shard }}
          path: diagnostics/
@@ -1236,7 +1305,7 @@ jobs:

      - name: Upload Docker logs on failure
        if: failure()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: docker-logs-firefox-shard-${{ matrix.shard }}
          path: docker-logs-firefox-shard-${{ matrix.shard }}.txt
@@ -1272,14 +1341,47 @@ jobs:
          ref: ${{ github.sha }}

      - name: Set up Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'

+      - name: Preflight disk diagnostics (before cleanup)
+        run: |
+          echo "Disk usage before cleanup"
+          df -h
+          docker system df || true
+
+      - name: Preflight cleanup (best effort)
+        run: |
+          echo "Best-effort cleanup for CI runner"
+          docker system prune -af || true
+          rm -rf playwright-report playwright-output coverage/e2e test-results diagnostics || true
+          rm -f docker-logs-*.txt charon-e2e-image.tar || true
+
+      - name: Preflight disk diagnostics and threshold gate
+        run: |
+          set -euo pipefail
+          MIN_FREE_BYTES=$((5 * 1024 * 1024 * 1024))
+          echo "Disk usage after cleanup"
+          df -h
+          docker system df || true
+
+          WORKSPACE_PATH="${GITHUB_WORKSPACE:-$PWD}"
+          FREE_ROOT_BYTES=$(df -PB1 / | awk 'NR==2 {print $4}')
+          FREE_WORKSPACE_BYTES=$(df -PB1 "$WORKSPACE_PATH" | awk 'NR==2 {print $4}')
+
+          echo "Free bytes on /: $FREE_ROOT_BYTES"
+          echo "Free bytes on workspace ($WORKSPACE_PATH): $FREE_WORKSPACE_BYTES"
+
+          if [ "$FREE_ROOT_BYTES" -lt "$MIN_FREE_BYTES" ] || [ "$FREE_WORKSPACE_BYTES" -lt "$MIN_FREE_BYTES" ]; then
+            echo "::error::[CI_DISK_PRESSURE] Insufficient free disk after cleanup. Required >= 5GiB on both / and workspace. root=${FREE_ROOT_BYTES}B workspace=${FREE_WORKSPACE_BYTES}B"
+            exit 42
+          fi
+
      - name: Log in to Docker Hub
        if: needs.build.outputs.image_source == 'registry'
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          registry: ${{ env.DOCKERHUB_REGISTRY }}
          username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -1294,7 +1396,7 @@ jobs:

      - name: Download Docker image artifact
        if: needs.build.outputs.image_source == 'build'
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: docker-image

@@ -1392,7 +1494,7 @@ jobs:

      - name: Upload HTML report (WebKit shard ${{ matrix.shard }})
        if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: playwright-report-webkit-shard-${{ matrix.shard }}
          path: playwright-report/
@@ -1400,7 +1502,7 @@ jobs:

      - name: Upload Playwright output (WebKit shard ${{ matrix.shard }})
        if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: playwright-output-webkit-shard-${{ matrix.shard }}
          path: playwright-output/webkit-shard-${{ matrix.shard }}/
@@ -1408,7 +1510,7 @@ jobs:

      - name: Upload WebKit coverage (if enabled)
        if: always() && (inputs.playwright_coverage == 'true' || vars.PLAYWRIGHT_COVERAGE == '1')
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: e2e-coverage-webkit-shard-${{ matrix.shard }}
          path: coverage/e2e/
@@ -1416,7 +1518,7 @@ jobs:

      - name: Upload test traces on failure
        if: failure()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: traces-webkit-shard-${{ matrix.shard }}
          path: test-results/**/*.zip
@@ -1435,7 +1537,7 @@ jobs:

      - name: Upload diagnostics
        if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: e2e-diagnostics-webkit-shard-${{ matrix.shard }}
          path: diagnostics/
@@ -1448,7 +1550,7 @@ jobs:

      - name: Upload Docker logs on failure
        if: failure()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: docker-logs-webkit-shard-${{ matrix.shard }}
          path: docker-logs-webkit-shard-${{ matrix.shard }}.txt
@@ -15,7 +15,7 @@ on:
      default: "false"

 env:
-  GO_VERSION: '1.26.0'
+  GO_VERSION: '1.26.1'
  NODE_VERSION: '24.12.0'
  GOTOOLCHAIN: auto
  GHCR_REGISTRY: ghcr.io
@@ -103,11 +103,12 @@ jobs:
            const workflows = [
              { id: 'e2e-tests-split.yml' },
              { id: 'codecov-upload.yml', inputs: { run_backend: 'true', run_frontend: 'true' } },
-              { id: 'security-pr.yml' },
              { id: 'supply-chain-verify.yml' },
              { id: 'codeql.yml' },
            ];

+            core.info('Skipping security-pr.yml: PR-only workflow intentionally excluded from nightly non-PR dispatch');
+
            for (const workflow of workflows) {
              const { data: workflowRuns } = await github.rest.actions.listWorkflowRuns({
                owner,
@@ -147,27 +148,37 @@ jobs:
      id-token: write
    outputs:
      version: ${{ steps.meta.outputs.version }}
-      tags: ${{ steps.meta.outputs.tags }}
-      digest: ${{ steps.build.outputs.digest }}
+      digest: ${{ steps.resolve_digest.outputs.digest }}

    steps:
      - name: Checkout nightly branch
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
-          ref: nightly
+          ref: ${{ github.event_name == 'workflow_dispatch' && github.ref || 'nightly' }}
          fetch-depth: 0

      - name: Set lowercase image name
        run: echo "IMAGE_NAME_LC=${IMAGE_NAME,,}" >> "$GITHUB_ENV"

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130  # v3.7.0
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a  # v4.0.0

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f  # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd  # v4.0.0
+
+      - name: Resolve Alpine base image digest
+        id: alpine
+        run: |
+          ALPINE_IMAGE_REF=$(grep -m1 'ARG ALPINE_IMAGE=' Dockerfile | cut -d'=' -f2-)
+          if [[ -z "$ALPINE_IMAGE_REF" ]]; then
+            echo "::error::Failed to parse ALPINE_IMAGE from Dockerfile"
+            exit 1
+          fi
+          echo "Resolved Alpine image: ${ALPINE_IMAGE_REF}"
+          echo "image=${ALPINE_IMAGE_REF}" >> "$GITHUB_OUTPUT"

      - name: Log in to GitHub Container Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
        with:
          registry: ${{ env.GHCR_REGISTRY }}
          username: ${{ github.actor }}
@@ -175,7 +186,7 @@ jobs:

      - name: Log in to Docker Hub
        if: env.HAS_DOCKERHUB_TOKEN == 'true'
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
        with:
          registry: docker.io
          username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -183,7 +194,7 @@ jobs:

      - name: Extract metadata
        id: meta
-        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051  # v5.10.0
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf  # v6.0.0
        with:
          images: |
            ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -198,7 +209,7 @@ jobs:

      - name: Build and push Docker image
        id: build
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8  # v6.19.2
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294  # v7.0.0
        with:
          context: .
          platforms: linux/amd64,linux/arm64
@@ -209,25 +220,112 @@ jobs:
            VERSION=nightly-${{ github.sha }}
            VCS_REF=${{ github.sha }}
            BUILD_DATE=${{ github.event.repository.pushed_at }}
+            ALPINE_IMAGE=${{ steps.alpine.outputs.image }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          provenance: true
          sbom: true

+      - name: Resolve and export image digest
+        id: resolve_digest
+        run: |
+          set -euo pipefail
+          DIGEST="${{ steps.build.outputs.digest }}"
+
+          if [[ -z "$DIGEST" ]]; then
+            echo "Build action digest empty; querying GHCR registry API..."
+            GHCR_TOKEN=$(curl -sf \
+              -u "${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}" \
+              "https://ghcr.io/token?scope=repository:${{ env.IMAGE_NAME }}:pull&service=ghcr.io" \
+              | jq -r '.token')
+            DIGEST=$(curl -sfI \
+              -H "Authorization: Bearer ${GHCR_TOKEN}" \
+              -H "Accept: application/vnd.oci.image.index.v1+json,application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.oci.image.manifest.v1+json" \
+              "https://ghcr.io/v2/${{ env.IMAGE_NAME }}/manifests/nightly" \
+              | grep -i '^docker-content-digest:' | awk '{print $2}' | tr -d '\r' || true)
+            [[ -n "$DIGEST" ]] && echo "Resolved from GHCR API: ${DIGEST}"
+          fi
+
+          if [[ -z "$DIGEST" ]]; then
+            echo "::error::Could not determine image digest from step output or GHCR registry API"
+            exit 1
+          fi
+
+          echo "RESOLVED_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
+          echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
+          echo "Exported digest: ${DIGEST}"
+
      - name: Record nightly image digest
        run: |
          echo "## 🧾 Nightly Image Digest" >> "$GITHUB_STEP_SUMMARY"
-          echo "- ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:nightly@${{ steps.build.outputs.digest }}" >> "$GITHUB_STEP_SUMMARY"
+          echo "- ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:nightly@${{ steps.resolve_digest.outputs.digest }}" >> "$GITHUB_STEP_SUMMARY"

      - name: Generate SBOM
-        uses: anchore/sbom-action@28d71544de8eaf1b958d335707167c5f783590ad  # v0.22.2
+        id: sbom_primary
+        continue-on-error: true
+        uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d  # v0.23.1
        with:
-          image: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:nightly@${{ steps.build.outputs.digest }}
+          image: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.resolve_digest.outputs.digest }}
          format: cyclonedx-json
          output-file: sbom-nightly.json
+          syft-version: v1.42.1
+
+      - name: Generate SBOM fallback with pinned Syft
+        if: always()
+        run: |
+          set -euo pipefail
+
+          if [[ "${{ steps.sbom_primary.outcome }}" == "success" ]] && [[ -s sbom-nightly.json ]] && jq -e . sbom-nightly.json >/dev/null 2>&1; then
+            echo "Primary SBOM generation succeeded with valid JSON; skipping fallback"
+            exit 0
+          fi
+
+          echo "Primary SBOM generation failed or produced missing/invalid output; using deterministic Syft fallback"
+
+          SYFT_VERSION="v1.42.2"
+          OS="$(uname -s | tr '[:upper:]' '[:lower:]')"
+          ARCH="$(uname -m)"
+          case "$ARCH" in
+            x86_64) ARCH="amd64" ;;
+            aarch64|arm64) ARCH="arm64" ;;
+            *) echo "Unsupported architecture: $ARCH"; exit 1 ;;
+          esac
+
+          TARBALL="syft_${SYFT_VERSION#v}_${OS}_${ARCH}.tar.gz"
+          BASE_URL="https://github.com/anchore/syft/releases/download/${SYFT_VERSION}"
+
+          curl -fsSLo "$TARBALL" "${BASE_URL}/${TARBALL}"
+          curl -fsSLo checksums.txt "${BASE_URL}/syft_${SYFT_VERSION#v}_checksums.txt"
+
+          grep "  ${TARBALL}$" checksums.txt > checksum_line.txt
+          sha256sum -c checksum_line.txt
+
+          tar -xzf "$TARBALL" syft
+          chmod +x syft
+
+          DIGEST="${{ steps.resolve_digest.outputs.digest }}"
+          if [[ -z "$DIGEST" ]]; then
+            echo "::error::Digest from resolve_digest step is empty; the digest-resolution step did not complete successfully"
+            exit 1
+          fi
+          ./syft "${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${DIGEST}" -o cyclonedx-json=sbom-nightly.json
+
+      - name: Verify SBOM artifact
+        if: always()
+        run: |
+          set -euo pipefail
+          test -s sbom-nightly.json
+          jq -e . sbom-nightly.json >/dev/null
+          jq -e '
+            .bomFormat == "CycloneDX"
+            and (.specVersion | type == "string" and length > 0)
+            and has("version")
+            and has("metadata")
+            and (.components | type == "array")
+          ' sbom-nightly.json >/dev/null

      - name: Upload SBOM artifact
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f  # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
        with:
          name: sbom-nightly
          path: sbom-nightly.json
@@ -235,13 +333,13 @@ jobs:

      # Install Cosign for keyless signing
      - name: Install Cosign
-        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad  # v4.0.0
+        uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22  # v4.1.0

      # Sign GHCR image with keyless signing (Sigstore/Fulcio)
      - name: Sign GHCR Image
        run: |
          echo "Signing GHCR nightly image with keyless signing..."
-          cosign sign --yes "${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}"
+          cosign sign --yes "${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.resolve_digest.outputs.digest }}"
          echo "✅ GHCR nightly image signed successfully"

      # Sign Docker Hub image with keyless signing (Sigstore/Fulcio)
@@ -249,7 +347,7 @@ jobs:
        if: env.HAS_DOCKERHUB_TOKEN == 'true'
        run: |
          echo "Signing Docker Hub nightly image with keyless signing..."
-          cosign sign --yes "${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}"
+          cosign sign --yes "${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.resolve_digest.outputs.digest }}"
          echo "✅ Docker Hub nightly image signed successfully"

      # Attach SBOM to Docker Hub image
@@ -257,7 +355,7 @@ jobs:
        if: env.HAS_DOCKERHUB_TOKEN == 'true'
        run: |
          echo "Attaching SBOM to Docker Hub nightly image..."
-          cosign attach sbom --sbom sbom-nightly.json "${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}"
+          cosign attach sbom --sbom sbom-nightly.json "${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.resolve_digest.outputs.digest }}"
          echo "✅ SBOM attached to Docker Hub nightly image"

  test-nightly-image:
@@ -271,13 +369,13 @@ jobs:
      - name: Checkout nightly branch
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
-          ref: nightly
+          ref: ${{ github.event_name == 'workflow_dispatch' && github.ref || 'nightly' }}

      - name: Set lowercase image name
        run: echo "IMAGE_NAME_LC=${IMAGE_NAME,,}" >> "$GITHUB_ENV"

      - name: Log in to GitHub Container Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
        with:
          registry: ${{ env.GHCR_REGISTRY }}
          username: ${{ github.actor }}
@@ -288,9 +386,10 @@ jobs:

      - name: Run container smoke test
        run: |
+          IMAGE_REF="${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:nightly@${{ needs.build-and-push-nightly.outputs.digest }}"
          docker run --name charon-nightly -d \
            -p 8080:8080 \
-            "${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:nightly@${{ needs.build-and-push-nightly.outputs.digest }}"
+            "${IMAGE_REF}"

          # Wait for container to start
          sleep 10
@@ -325,13 +424,13 @@ jobs:
      - name: Checkout nightly branch
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
-          ref: nightly
+          ref: ${{ github.event_name == 'workflow_dispatch' && github.ref || 'nightly' }}

      - name: Set lowercase image name
        run: echo "IMAGE_NAME_LC=${IMAGE_NAME,,}" >> "$GITHUB_ENV"

      - name: Download SBOM
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131  # v7.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
        with:
          name: sbom-nightly

@@ -343,22 +442,193 @@ jobs:
          severity-cutoff: high

      - name: Scan with Trivy
-        uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518  # 0.34.1
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1  # 0.35.0
        with:
-          image-ref: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build-and-push-nightly.outputs.digest }}
+          image-ref: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:nightly@${{ needs.build-and-push-nightly.outputs.digest }}
          format: 'sarif'
          output: 'trivy-nightly.sarif'
+          version: 'v0.69.3'
+          trivyignores: '.trivyignore'

      - name: Upload Trivy results
-        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e  # v4.32.4
+        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98  # v4.32.6
        with:
          sarif_file: 'trivy-nightly.sarif'
          category: 'trivy-nightly'

-      - name: Check for critical CVEs
+      - name: Security severity policy summary
        run: |
-          if grep -q "CRITICAL" trivy-nightly.sarif; then
-            echo "❌ Critical vulnerabilities found in nightly build"
+          {
+            echo "## 🔐 Nightly Supply Chain Severity Policy"
+            echo ""
+            echo "- Blocking: Critical, High"
+            echo "- Medium: non-blocking by default (report + triage SLA)"
+            echo "- Policy file: .github/security-severity-policy.yml"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Check for Critical/High CVEs
+        run: |
+          set -euo pipefail
+
+          jq -e . trivy-nightly.sarif >/dev/null
+
+          CRITICAL_COUNT=$(jq -r '
+            [
+              .runs[] as $run
+              | ($run.tool.driver.rules // []) as $rules
+              | $run.results[]?
+              | . as $result
+              | (
+                  (
+                    if (($result.ruleIndex | type) == "number") then
+                      ($rules[$result.ruleIndex].properties["security-severity"] // empty)
+                    else
+                      empty
+                    end
+                  )
+                  // ([
+                      $rules[]?
+                      | select((.id // "") == ($result.ruleId // ""))
+                      | .properties["security-severity"]
+                    ][0] // empty)
+                  // empty
+                ) as $securitySeverity
+              | (try ($securitySeverity | tonumber) catch empty) as $score
+              | select($score != null and $score >= 9.0)
+            ] | length
+          ' trivy-nightly.sarif)
+
+          HIGH_COUNT=$(jq -r '
+            [
+              .runs[] as $run
+              | ($run.tool.driver.rules // []) as $rules
+              | $run.results[]?
+              | . as $result
+              | (
+                  (
+                    if (($result.ruleIndex | type) == "number") then
+                      ($rules[$result.ruleIndex].properties["security-severity"] // empty)
+                    else
+                      empty
+                    end
+                  )
+                  // ([
+                      $rules[]?
+                      | select((.id // "") == ($result.ruleId // ""))
+                      | .properties["security-severity"]
+                    ][0] // empty)
+                  // empty
+                ) as $securitySeverity
+              | (try ($securitySeverity | tonumber) catch empty) as $score
+              | select($score != null and $score >= 7.0 and $score < 9.0)
+            ] | length
+          ' trivy-nightly.sarif)
+
+          MEDIUM_COUNT=$(jq -r '
+            [
+              .runs[] as $run
+              | ($run.tool.driver.rules // []) as $rules
+              | $run.results[]?
+              | . as $result
+              | (
+                  (
+                    if (($result.ruleIndex | type) == "number") then
+                      ($rules[$result.ruleIndex].properties["security-severity"] // empty)
+                    else
+                      empty
+                    end
+                  )
+                  // ([
+                      $rules[]?
+                      | select((.id // "") == ($result.ruleId // ""))
+                      | .properties["security-severity"]
+                    ][0] // empty)
+                  // empty
+                ) as $securitySeverity
+              | (try ($securitySeverity | tonumber) catch empty) as $score
+              | select($score != null and $score >= 4.0 and $score < 7.0)
+            ] | length
+          ' trivy-nightly.sarif)
+
+          {
+            echo "- Structured SARIF counts: CRITICAL=${CRITICAL_COUNT}, HIGH=${HIGH_COUNT}, MEDIUM=${MEDIUM_COUNT}"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+          # List all Critical/High/Medium findings with details for triage
+          # shellcheck disable=SC2016
+          LIST_FINDINGS='
+            .runs[] as $run
+            | ($run.tool.driver.rules // []) as $rules
+            | $run.results[]?
+            | . as $result
+            | (
+                (
+                  if (($result.ruleIndex | type) == "number") then
+                    ($rules[$result.ruleIndex] // {})
+                  else
+                    {}
+                  end
+                ) as $ruleByIndex
+                | (
+                    [$rules[]? | select((.id // "") == ($result.ruleId // ""))][0] // {}
+                  ) as $ruleById
+                | ($ruleByIndex // $ruleById) as $rule
+                | ($rule.properties["security-severity"] // null) as $sev
+                | (try ($sev | tonumber) catch null) as $score
+                | select($score != null and $score >= 4.0)
+                | {
+                    id: ($result.ruleId // "unknown"),
+                    score: $score,
+                    severity: (
+                      if $score >= 9.0 then "CRITICAL"
+                      elif $score >= 7.0 then "HIGH"
+                      else "MEDIUM"
+                      end
+                    ),
+                    message: ($result.message.text // $rule.shortDescription.text // "no description")[0:120]
+                  }
+              )
+          '
+
+          echo ""
+          echo "=== Vulnerability Details ==="
+          jq -r "[ ${LIST_FINDINGS} ] | sort_by(-.score) | .[] | \"\\(.severity) (\\(.score)): \\(.id) — \\(.message)\"" trivy-nightly.sarif || true
+          echo "============================="
+          echo ""
+
+          if [ "$CRITICAL_COUNT" -gt 0 ]; then
+            echo "❌ Critical vulnerabilities found in nightly build (${CRITICAL_COUNT})"
+            {
+              echo ""
+              echo "### ❌ Critical CVEs blocking nightly"
+              echo '```'
+              jq -r "[ ${LIST_FINDINGS} | select(.severity == \"CRITICAL\") ] | sort_by(-.score) | .[] | \"\\(.id) (score: \\(.score)): \\(.message)\"" trivy-nightly.sarif || true
+              echo '```'
+            } >> "$GITHUB_STEP_SUMMARY"
            exit 1
          fi
-          echo "✅ No critical vulnerabilities found"
+
+          if [ "$HIGH_COUNT" -gt 0 ]; then
+            echo "❌ High vulnerabilities found in nightly build (${HIGH_COUNT})"
+            {
+              echo ""
+              echo "### ❌ High CVEs blocking nightly"
+              echo '```'
+              jq -r "[ ${LIST_FINDINGS} | select(.severity == \"HIGH\") ] | sort_by(-.score) | .[] | \"\\(.id) (score: \\(.score)): \\(.message)\"" trivy-nightly.sarif || true
+              echo '```'
+            } >> "$GITHUB_STEP_SUMMARY"
+            exit 1
+          fi
+
+          if [ "$MEDIUM_COUNT" -gt 0 ]; then
+            echo "::warning::Medium vulnerabilities found in nightly build (${MEDIUM_COUNT}). Non-blocking by policy; triage with SLA per .github/security-severity-policy.yml"
+            {
+              echo ""
+              echo "### ⚠️ Medium CVEs (non-blocking)"
+              echo '```'
+              jq -r "[ ${LIST_FINDINGS} | select(.severity == \"MEDIUM\") ] | sort_by(-.score) | .[] | \"\\(.id) (score: \\(.score)): \\(.message)\"" trivy-nightly.sarif || true
+              echo '```'
+            } >> "$GITHUB_STEP_SUMMARY"
+          fi
+
+          echo "✅ No Critical/High vulnerabilities found"
@@ -28,7 +28,7 @@ jobs:
      (github.event.workflow_run.head_branch == 'main' || github.event.workflow_run.head_branch == 'development')
    steps:
      - name: Set up Node (for github-script)
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: ${{ env.NODE_VERSION }}

@@ -3,6 +3,9 @@ name: Quality Checks
 on:
  pull_request:
  push:
+    branches:
+      - nightly
+      - main

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -13,11 +16,33 @@ permissions:
  checks: write

 env:
-  GO_VERSION: '1.26.0'
+  GO_VERSION: '1.26.1'
  NODE_VERSION: '24.12.0'
  GOTOOLCHAIN: auto

 jobs:
+  auth-route-protection-contract:
+    name: Auth Route Protection Contract
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          fetch-depth: 0
+          ref: ${{ github.sha }}
+
+      - name: Set up Go
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+          cache-dependency-path: backend/go.sum
+
+      - name: Run auth protection contract tests
+        run: |
+          set -euo pipefail
+          cd backend
+          go test ./internal/api/routes -run 'TestRegister_StateChangingRoutesRequireAuthentication|TestRegister_StateChangingRoutesDenyByDefaultWithExplicitAllowlist|TestRegister_AuthenticatedRoutes' -count=1 -v
+
  codecov-trigger-parity-guard:
    name: Codecov Trigger/Comment Parity Guard
    runs-on: ubuntu-latest
@@ -113,9 +138,10 @@ jobs:
          } >> "$GITHUB_ENV"

      - name: Set up Go
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version: ${{ env.GO_VERSION }}
+
          cache-dependency-path: backend/go.sum

      - name: Repo health check
@@ -225,7 +251,7 @@ jobs:
          bash "scripts/repo_health_check.sh"

      - name: Set up Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: false

 env:
-  GO_VERSION: '1.26.0'
+  GO_VERSION: '1.26.1'
  NODE_VERSION: '24.12.0'
  GOTOOLCHAIN: auto

@@ -20,6 +20,7 @@ permissions:

 jobs:
  goreleaser:
+    if: ${{ !contains(github.ref_name, '-candidate') && !contains(github.ref_name, '-rc') }}
    runs-on: ubuntu-latest
    env:
      # Use the built-in GITHUB_TOKEN by default for GitHub API operations.
@@ -32,13 +33,26 @@ jobs:
        with:
          fetch-depth: 0

+      - name: Enforce PR-2 release promotion guard
+        env:
+          REPO_VARS_JSON: ${{ toJSON(vars) }}
+        run: |
+          PR2_GATE_STATUS="$(printf '%s' "$REPO_VARS_JSON" | jq -r '.CHARON_PR2_GATES_PASSED // "false"')"
+          if [[ "$PR2_GATE_STATUS" != "true" ]]; then
+            echo "::error::Releasable tag promotion is blocked until PR-2 security/retirement gates pass."
+            echo "::error::Set repository variable CHARON_PR2_GATES_PASSED=true only after PR-2 approval."
+            exit 1
+          fi
+
      - name: Set up Go
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
        with:
          go-version: ${{ env.GO_VERSION }}

+          cache-dependency-path: backend/go.sum
+
      - name: Set up Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: ${{ env.NODE_VERSION }}

@@ -25,7 +25,7 @@ jobs:
          fetch-depth: 1

      - name: Run Renovate
-        uses: renovatebot/github-action@d65ef9e20512193cc070238b49c3873a361cd50c # v46.1.1
+        uses: renovatebot/github-action@0b17c4eb901eca44d018fb25744a50a74b2042df # v46.1.4
        with:
          configurationFile: .github/renovate.json
          token: ${{ secrets.RENOVATE_TOKEN || secrets.GITHUB_TOKEN }}
@@ -34,7 +34,7 @@ jobs:

      - name: Upload health output
        if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: repo-health-output
          path: |
@@ -4,18 +4,22 @@
 name: Security Scan (PR)

 on:
+  workflow_run:
+    workflows: ["Docker Build, Publish & Test"]
+    types: [completed]
  workflow_dispatch:
    inputs:
      pr_number:
-        description: 'PR number to scan (optional)'
-        required: false
+        description: 'PR number to scan'
+        required: true
        type: string
  pull_request:
  push:
+    branches: [main]


 concurrency:
-  group: security-pr-${{ github.event.workflow_run.event || github.event_name }}-${{ github.event.workflow_run.head_branch || github.ref }}
+  group: security-pr-${{ github.event_name == 'workflow_run' && github.event.workflow_run.event || github.event_name }}-${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.ref }}
  cancel-in-progress: true

 jobs:
@@ -23,16 +27,18 @@ jobs:
    name: Trivy Binary Scan
    runs-on: ubuntu-latest
    timeout-minutes: 10
-    # Run for: manual dispatch, PR builds, or any push builds from docker-build
+    # Run for manual dispatch, direct PR/push, or successful upstream workflow_run
    if: >-
      github.event_name == 'workflow_dispatch' ||
      github.event_name == 'pull_request' ||
-      ((github.event.workflow_run.event == 'push' || github.event.workflow_run.pull_requests[0].number != null) &&
-       (github.event.workflow_run.status != 'completed' || github.event.workflow_run.conclusion == 'success'))
+      github.event_name == 'push' ||
+      (github.event_name == 'workflow_run' &&
+       github.event.workflow_run.event == 'pull_request' &&
+       github.event.workflow_run.status == 'completed' &&
+       github.event.workflow_run.conclusion == 'success')

    permissions:
      contents: read
-      pull-requests: write
      security-events: write
      actions: read

@@ -41,27 +47,65 @@ jobs:
        # actions/checkout v4.2.2
        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98
        with:
-          ref: ${{ github.event.workflow_run.head_sha || github.sha }}
+          ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.sha }}

      - name: Extract PR number from workflow_run
        id: pr-info
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
-          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
-            # Manual dispatch - use input or fail gracefully
-            if [[ -n "${{ inputs.pr_number }}" ]]; then
-              echo "pr_number=${{ inputs.pr_number }}" >> "$GITHUB_OUTPUT"
-              echo "✅ Using manually provided PR number: ${{ inputs.pr_number }}"
-            else
-              echo "⚠️ No PR number provided for manual dispatch"
-              echo "pr_number=" >> "$GITHUB_OUTPUT"
-            fi
+          if [[ "${{ github.event_name }}" == "push" ]]; then
+            echo "pr_number=" >> "$GITHUB_OUTPUT"
+            echo "is_push=true" >> "$GITHUB_OUTPUT"
+            echo "✅ Push event detected; using local image path"
            exit 0
          fi

+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            echo "pr_number=${{ github.event.pull_request.number }}" >> "$GITHUB_OUTPUT"
+            echo "is_push=false" >> "$GITHUB_OUTPUT"
+            echo "✅ Pull request event detected: PR #${{ github.event.pull_request.number }}"
+            exit 0
+          fi
+
+          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            INPUT_PR_NUMBER="${{ inputs.pr_number }}"
+            if [[ -z "${INPUT_PR_NUMBER}" ]]; then
+              echo "❌ workflow_dispatch requires inputs.pr_number"
+              exit 1
+            fi
+
+            if [[ ! "${INPUT_PR_NUMBER}" =~ ^[0-9]+$ ]]; then
+              echo "❌ reason_category=invalid_input"
+              echo "reason=workflow_dispatch pr_number must be digits-only"
+              exit 1
+            fi
+
+            PR_NUMBER="${INPUT_PR_NUMBER}"
+            echo "pr_number=${PR_NUMBER}" >> "$GITHUB_OUTPUT"
+            echo "is_push=false" >> "$GITHUB_OUTPUT"
+            echo "✅ Using manually provided PR number: ${PR_NUMBER}"
+            exit 0
+          fi
+
+          if [[ "${{ github.event_name }}" == "workflow_run" ]]; then
+            if [[ "${{ github.event.workflow_run.event }}" != "pull_request" ]]; then
+              # Explicit contract validation happens in the dedicated guard step.
+              echo "pr_number=" >> "$GITHUB_OUTPUT"
+              echo "is_push=false" >> "$GITHUB_OUTPUT"
+              exit 0
+            fi
+
+            if [[ -n "${{ github.event.workflow_run.pull_requests[0].number || '' }}" ]]; then
+              echo "pr_number=${{ github.event.workflow_run.pull_requests[0].number }}" >> "$GITHUB_OUTPUT"
+              echo "is_push=false" >> "$GITHUB_OUTPUT"
+              echo "✅ Found PR number from workflow_run payload: ${{ github.event.workflow_run.pull_requests[0].number }}"
+              exit 0
+            fi
+          fi
+
          # Extract PR number from context
-          HEAD_SHA="${{ github.event.workflow_run.head_sha || github.event.pull_request.head.sha || github.sha }}"
+          HEAD_SHA="${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.event.pull_request.head.sha || github.sha }}"
          echo "🔍 Looking for PR with head SHA: ${HEAD_SHA}"

          # Query GitHub API for PR associated with this commit
@@ -73,21 +117,38 @@ jobs:

          if [[ -n "${PR_NUMBER}" ]]; then
            echo "pr_number=${PR_NUMBER}" >> "$GITHUB_OUTPUT"
+            echo "is_push=false" >> "$GITHUB_OUTPUT"
            echo "✅ Found PR number: ${PR_NUMBER}"
          else
-            echo "⚠️ Could not find PR number for SHA: ${HEAD_SHA}"
-            echo "pr_number=" >> "$GITHUB_OUTPUT"
+            echo "❌ Could not determine PR number for workflow_run SHA: ${HEAD_SHA}"
+            exit 1
          fi

-          # Check if this is a push event (not a PR)
-          if [[ "${{ github.event_name }}" == "push" || "${{ github.event.workflow_run.event }}" == "push" || -z "${PR_NUMBER}" ]]; then
-            HEAD_BRANCH="${{ github.event.workflow_run.head_branch || github.ref_name }}"
-            echo "is_push=true" >> "$GITHUB_OUTPUT"
-            echo "✅ Detected push build from branch: ${HEAD_BRANCH}"
-          else
-            echo "is_push=false" >> "$GITHUB_OUTPUT"
+      - name: Validate workflow_run trust boundary and event contract
+        if: github.event_name == 'workflow_run'
+        run: |
+          if [[ "${{ github.event.workflow_run.name }}" != "Docker Build, Publish & Test" ]]; then
+            echo "❌ reason_category=unexpected_upstream_workflow"
+            echo "workflow_name=${{ github.event.workflow_run.name }}"
+            exit 1
          fi

+          if [[ "${{ github.event.workflow_run.event }}" != "pull_request" ]]; then
+            echo "❌ reason_category=unsupported_upstream_event"
+            echo "upstream_event=${{ github.event.workflow_run.event }}"
+            echo "run_id=${{ github.event.workflow_run.id }}"
+            exit 1
+          fi
+
+          if [[ "${{ github.event.workflow_run.head_repository.full_name }}" != "${{ github.repository }}" ]]; then
+            echo "❌ reason_category=untrusted_upstream_repository"
+            echo "upstream_head_repository=${{ github.event.workflow_run.head_repository.full_name }}"
+            echo "expected_repository=${{ github.repository }}"
+            exit 1
+          fi
+
+          echo "✅ workflow_run trust boundary and event contract validated"
+
      - name: Build Docker image (Local)
        if: github.event_name == 'push' || github.event_name == 'pull_request'
        run: |
@@ -97,95 +158,149 @@ jobs:

      - name: Check for PR image artifact
        id: check-artifact
-        if: (steps.pr-info.outputs.pr_number != '' || steps.pr-info.outputs.is_push == 'true') && github.event_name != 'push' && github.event_name != 'pull_request'
+        if: github.event_name == 'workflow_run' || github.event_name == 'workflow_dispatch'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
-          # Determine artifact name based on event type
-          if [[ "${{ steps.pr-info.outputs.is_push }}" == "true" ]]; then
-            ARTIFACT_NAME="push-image"
-          else
-            PR_NUMBER="${{ steps.pr-info.outputs.pr_number }}"
-            ARTIFACT_NAME="pr-image-${PR_NUMBER}"
+          PR_NUMBER="${{ steps.pr-info.outputs.pr_number }}"
+          if [[ ! "${PR_NUMBER}" =~ ^[0-9]+$ ]]; then
+            echo "❌ reason_category=invalid_input"
+            echo "reason=Resolved PR number must be digits-only"
+            exit 1
          fi
-          RUN_ID="${{ github.event.workflow_run.id }}"
+
+          ARTIFACT_NAME="pr-image-${PR_NUMBER}"
+          RUN_ID="${{ github.event_name == 'workflow_run' && github.event.workflow_run.id || '' }}"

          echo "🔍 Checking for artifact: ${ARTIFACT_NAME}"

          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
-            # For manual dispatch, find the most recent workflow run with this artifact
-            RUN_ID=$(gh api \
+            # Manual replay path: find latest successful docker-build pull_request run for this PR.
+            RUNS_JSON=$(gh api \
              -H "Accept: application/vnd.github+json" \
              -H "X-GitHub-Api-Version: 2022-11-28" \
-              "/repos/${{ github.repository }}/actions/workflows/docker-build.yml/runs?status=success&per_page=10" \
-              --jq '.workflow_runs[0].id // empty' 2>/dev/null || echo "")
+              "/repos/${{ github.repository }}/actions/workflows/docker-build.yml/runs?event=pull_request&status=success&per_page=100" 2>&1)
+            RUNS_STATUS=$?
+
+            if [[ ${RUNS_STATUS} -ne 0 ]]; then
+              echo "❌ reason_category=api_error"
+              echo "reason=Failed to query workflow runs for PR lookup"
+              echo "upstream_run_id=unknown"
+              echo "artifact_name=${ARTIFACT_NAME}"
+              echo "api_output=${RUNS_JSON}"
+              exit 1
+            fi
+
+            RUN_ID=$(printf '%s' "${RUNS_JSON}" | jq -r --argjson pr "${PR_NUMBER}" '.workflow_runs[] | select((.pull_requests // []) | any(.number == $pr)) | .id' | head -n 1)

            if [[ -z "${RUN_ID}" ]]; then
-              echo "⚠️ No successful workflow runs found"
-              echo "artifact_exists=false" >> "$GITHUB_OUTPUT"
-              exit 0
+              echo "❌ reason_category=not_found"
+              echo "reason=No successful docker-build pull_request run found for PR #${PR_NUMBER}"
+              echo "upstream_run_id=unknown"
+              echo "artifact_name=${ARTIFACT_NAME}"
+              exit 1
            fi
-          elif [[ -z "${RUN_ID}" ]]; then
-            # If triggered by push/pull_request, RUN_ID is empty. Find recent run for this commit.
-            HEAD_SHA="${{ github.event.workflow_run.head_sha || github.event.pull_request.head.sha || github.sha }}"
-            echo "🔍 Searching for workflow run for SHA: ${HEAD_SHA}"
-            # Retry a few times as the run might be just starting or finishing
-            for i in {1..3}; do
-              RUN_ID=$(gh api \
-                -H "Accept: application/vnd.github+json" \
-                -H "X-GitHub-Api-Version: 2022-11-28" \
-                "/repos/${{ github.repository }}/actions/workflows/docker-build.yml/runs?head_sha=${HEAD_SHA}&status=success&per_page=1" \
-                --jq '.workflow_runs[0].id // empty' 2>/dev/null || echo "")
-              if [[ -n "${RUN_ID}" ]]; then break; fi
-              echo "⏳ Waiting for workflow run to appear/complete... ($i/3)"
-              sleep 5
-            done
          fi

          echo "run_id=${RUN_ID}" >> "$GITHUB_OUTPUT"

          # Check if the artifact exists in the workflow run
-          ARTIFACT_ID=$(gh api \
+          ARTIFACTS_JSON=$(gh api \
            -H "Accept: application/vnd.github+json" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
-            "/repos/${{ github.repository }}/actions/runs/${RUN_ID}/artifacts" \
-            --jq ".artifacts[] | select(.name == \"${ARTIFACT_NAME}\") | .id" 2>/dev/null || echo "")
+            "/repos/${{ github.repository }}/actions/runs/${RUN_ID}/artifacts" 2>&1)
+          ARTIFACTS_STATUS=$?

-          if [[ -n "${ARTIFACT_ID}" ]]; then
-            echo "artifact_exists=true" >> "$GITHUB_OUTPUT"
-            echo "artifact_id=${ARTIFACT_ID}" >> "$GITHUB_OUTPUT"
-            echo "✅ Found artifact: ${ARTIFACT_NAME} (ID: ${ARTIFACT_ID})"
-          else
-            echo "artifact_exists=false" >> "$GITHUB_OUTPUT"
-            echo "⚠️ Artifact not found: ${ARTIFACT_NAME}"
-            echo "ℹ️ This is expected for non-PR builds or if the image was not uploaded"
+          if [[ ${ARTIFACTS_STATUS} -ne 0 ]]; then
+            echo "❌ reason_category=api_error"
+            echo "reason=Failed to query artifacts for upstream run"
+            echo "upstream_run_id=${RUN_ID}"
+            echo "artifact_name=${ARTIFACT_NAME}"
+            echo "api_output=${ARTIFACTS_JSON}"
+            exit 1
          fi

-      - name: Skip if no artifact
-        if: ((steps.pr-info.outputs.pr_number == '' && steps.pr-info.outputs.is_push != 'true') || steps.check-artifact.outputs.artifact_exists != 'true') && github.event_name != 'push' && github.event_name != 'pull_request'
-        run: |
-          echo "ℹ️ Skipping security scan - no PR image artifact available"
-          echo "This is expected for:"
-          echo "  - Pushes to main/release branches"
-          echo "  - PRs where Docker build failed"
-          echo "  - Manual dispatch without PR number"
-          exit 0
+          ARTIFACT_ID=$(printf '%s' "${ARTIFACTS_JSON}" | jq -r --arg name "${ARTIFACT_NAME}" '.artifacts[] | select(.name == $name) | .id' | head -n 1)
+
+          if [[ -z "${ARTIFACT_ID}" ]]; then
+            echo "❌ reason_category=not_found"
+            echo "reason=Required artifact was not found"
+            echo "upstream_run_id=${RUN_ID}"
+            echo "artifact_name=${ARTIFACT_NAME}"
+            exit 1
+          fi
+
+          {
+            echo "artifact_exists=true"
+            echo "artifact_id=${ARTIFACT_ID}"
+            echo "artifact_name=${ARTIFACT_NAME}"
+          } >> "$GITHUB_OUTPUT"
+          echo "✅ Found artifact: ${ARTIFACT_NAME} (ID: ${ARTIFACT_ID})"

      - name: Download PR image artifact
-        if: steps.check-artifact.outputs.artifact_exists == 'true'
+        if: github.event_name == 'workflow_run' || github.event_name == 'workflow_dispatch'
        # actions/download-artifact v4.1.8
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
        with:
-          name: ${{ steps.pr-info.outputs.is_push == 'true' && 'push-image' || format('pr-image-{0}', steps.pr-info.outputs.pr_number) }}
+          name: ${{ steps.check-artifact.outputs.artifact_name }}
          run-id: ${{ steps.check-artifact.outputs.run_id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Load Docker image
-        if: steps.check-artifact.outputs.artifact_exists == 'true'
+        if: github.event_name == 'workflow_run' || github.event_name == 'workflow_dispatch'
+        id: load-image
        run: |
          echo "📦 Loading Docker image..."
-          docker load < charon-pr-image.tar
-          echo "✅ Docker image loaded"
+
+          if [[ ! -r "charon-pr-image.tar" ]]; then
+            echo "❌ ERROR: Artifact image tar is missing or unreadable"
+            exit 1
+          fi
+
+          MANIFEST_TAGS=""
+          if tar -tf charon-pr-image.tar | grep -qx "manifest.json"; then
+            MANIFEST_TAGS=$(tar -xOf charon-pr-image.tar manifest.json 2>/dev/null | jq -r '.[]?.RepoTags[]?' 2>/dev/null | sed '/^$/d' || true)
+          else
+            echo "⚠️ manifest.json not found in artifact tar; will try docker-load-image-id fallback"
+          fi
+
+          LOAD_OUTPUT=$(docker load < charon-pr-image.tar 2>&1)
+          echo "${LOAD_OUTPUT}"
+
+          SOURCE_IMAGE_REF=""
+          SOURCE_RESOLUTION_MODE=""
+
+          while IFS= read -r tag; do
+            [[ -z "${tag}" ]] && continue
+            if docker image inspect "${tag}" >/dev/null 2>&1; then
+              SOURCE_IMAGE_REF="${tag}"
+              SOURCE_RESOLUTION_MODE="manifest_tag"
+              break
+            fi
+          done <<< "${MANIFEST_TAGS}"
+
+          if [[ -z "${SOURCE_IMAGE_REF}" ]]; then
+            LOAD_IMAGE_ID=$(printf '%s\n' "${LOAD_OUTPUT}" | sed -nE 's/^Loaded image ID: (sha256:[0-9a-f]+)$/\1/p' | head -n1)
+            if [[ -n "${LOAD_IMAGE_ID}" ]] && docker image inspect "${LOAD_IMAGE_ID}" >/dev/null 2>&1; then
+              SOURCE_IMAGE_REF="${LOAD_IMAGE_ID}"
+              SOURCE_RESOLUTION_MODE="load_image_id"
+            fi
+          fi
+
+          if [[ -z "${SOURCE_IMAGE_REF}" ]]; then
+            echo "❌ ERROR: Could not resolve a valid image reference from manifest tags or docker load image ID"
+            exit 1
+          fi
+
+          docker tag "${SOURCE_IMAGE_REF}" "charon:artifact"
+
+          {
+            echo "source_image_ref=${SOURCE_IMAGE_REF}"
+            echo "source_resolution_mode=${SOURCE_RESOLUTION_MODE}"
+            echo "image_ref=charon:artifact"
+          } >> "$GITHUB_OUTPUT"
+
+          echo "✅ Docker image resolved via ${SOURCE_RESOLUTION_MODE} and tagged as charon:artifact"
          docker images | grep charon

      - name: Extract charon binary from container
@@ -214,31 +329,10 @@ jobs:
            exit 0
          fi

-          # Normalize image name for reference
-          IMAGE_NAME=$(echo "${{ github.repository_owner }}/charon" | tr '[:upper:]' '[:lower:]')
-          if [[ "${{ steps.pr-info.outputs.is_push }}" == "true" ]]; then
-            BRANCH_NAME="${{ github.event.workflow_run.head_branch }}"
-            if [[ -z "${BRANCH_NAME}" ]]; then
-              echo "❌ ERROR: Branch name is empty for push build"
-              exit 1
-            fi
-            # Normalize branch name for Docker tag (replace / and other special chars with -)
-            # This matches docker/metadata-action behavior: type=ref,event=branch
-            TAG_SAFE_BRANCH="${BRANCH_NAME//\//-}"
-            IMAGE_REF="ghcr.io/${IMAGE_NAME}:${TAG_SAFE_BRANCH}"
-          elif [[ -n "${{ steps.pr-info.outputs.pr_number }}" ]]; then
-            IMAGE_REF="ghcr.io/${IMAGE_NAME}:pr-${{ steps.pr-info.outputs.pr_number }}"
-          else
-            echo "❌ ERROR: Cannot determine image reference"
-            echo "  - is_push: ${{ steps.pr-info.outputs.is_push }}"
-            echo "  - pr_number: ${{ steps.pr-info.outputs.pr_number }}"
-            echo "  - branch: ${{ github.event.workflow_run.head_branch }}"
-            exit 1
-          fi
-
-          # Validate the image reference format
-          if [[ ! "${IMAGE_REF}" =~ ^ghcr\.io/[a-z0-9_-]+/[a-z0-9_-]+:[a-zA-Z0-9._-]+$ ]]; then
-            echo "❌ ERROR: Invalid image reference format: ${IMAGE_REF}"
+          # For workflow_run artifact path, always use locally tagged image from loaded artifact.
+          IMAGE_REF="${{ steps.load-image.outputs.image_ref }}"
+          if [[ -z "${IMAGE_REF}" ]]; then
+            echo "❌ ERROR: Loaded artifact image reference is empty"
            exit 1
          fi

@@ -268,7 +362,7 @@ jobs:
      - name: Run Trivy filesystem scan (SARIF output)
        if: steps.check-artifact.outputs.artifact_exists == 'true' || github.event_name == 'push' || github.event_name == 'pull_request'
        # aquasecurity/trivy-action v0.33.1
-        uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
        with:
          scan-type: 'fs'
          scan-ref: ${{ steps.extract.outputs.binary_path }}
@@ -277,19 +371,30 @@ jobs:
          severity: 'CRITICAL,HIGH,MEDIUM'
        continue-on-error: true

+      - name: Check Trivy SARIF output exists
+        if: always() && (steps.check-artifact.outputs.artifact_exists == 'true' || github.event_name == 'push' || github.event_name == 'pull_request')
+        id: trivy-sarif-check
+        run: |
+          if [[ -f trivy-binary-results.sarif ]]; then
+            echo "exists=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "exists=false" >> "$GITHUB_OUTPUT"
+            echo "ℹ️ No Trivy SARIF output found; skipping SARIF/artifact upload steps"
+          fi
+
      - name: Upload Trivy SARIF to GitHub Security
-        if: steps.check-artifact.outputs.artifact_exists == 'true' || github.event_name == 'push' || github.event_name == 'pull_request'
+        if: always() && steps.trivy-sarif-check.outputs.exists == 'true'
        # github/codeql-action v4
-        uses: github/codeql-action/upload-sarif@710e2945787622b429f8982cacb154faa182de18
+        uses: github/codeql-action/upload-sarif@1a97b0f94ec9297d6f58aefe5a6b5441c045bed4
        with:
          sarif_file: 'trivy-binary-results.sarif'
-          category: ${{ steps.pr-info.outputs.is_push == 'true' && format('security-scan-{0}', github.event.workflow_run.head_branch) || format('security-scan-pr-{0}', steps.pr-info.outputs.pr_number) }}
+          category: ${{ steps.pr-info.outputs.is_push == 'true' && format('security-scan-{0}', github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.ref_name) || format('security-scan-pr-{0}', steps.pr-info.outputs.pr_number) }}
        continue-on-error: true

      - name: Run Trivy filesystem scan (fail on CRITICAL/HIGH)
        if: steps.check-artifact.outputs.artifact_exists == 'true' || github.event_name == 'push' || github.event_name == 'pull_request'
        # aquasecurity/trivy-action v0.33.1
-        uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
        with:
          scan-type: 'fs'
          scan-ref: ${{ steps.extract.outputs.binary_path }}
@@ -298,11 +403,11 @@ jobs:
          exit-code: '1'

      - name: Upload scan artifacts
-        if: always() && (steps.check-artifact.outputs.artifact_exists == 'true' || github.event_name == 'push' || github.event_name == 'pull_request')
+        if: always() && steps.trivy-sarif-check.outputs.exists == 'true'
        # actions/upload-artifact v4.4.3
-        uses: actions/upload-artifact@47309c993abb98030a35d55ef7ff34b7fa1074b5
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
        with:
-          name: ${{ steps.pr-info.outputs.is_push == 'true' && format('security-scan-{0}', github.event.workflow_run.head_branch) || format('security-scan-pr-{0}', steps.pr-info.outputs.pr_number) }}
+          name: ${{ steps.pr-info.outputs.is_push == 'true' && format('security-scan-{0}', github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.ref_name) || format('security-scan-pr-{0}', steps.pr-info.outputs.pr_number) }}
          path: |
            trivy-binary-results.sarif
          retention-days: 14
@@ -312,7 +417,7 @@ jobs:
        run: |
          {
            if [[ "${{ steps.pr-info.outputs.is_push }}" == "true" ]]; then
-              echo "## 🔒 Security Scan Results - Branch: ${{ github.event.workflow_run.head_branch }}"
+              echo "## 🔒 Security Scan Results - Branch: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.ref_name }}"
            else
              echo "## 🔒 Security Scan Results - PR #${{ steps.pr-info.outputs.pr_number }}"
            fi
@@ -6,7 +6,7 @@ name: Weekly Security Rebuild

 on:
  schedule:
-    - cron: '0 2 * * 0' # Sundays at 02:00 UTC
+    - cron: '0 12 * * 2' # Tuesdays at 12:00 UTC
  workflow_dispatch:
    inputs:
      force_rebuild:
@@ -36,16 +36,21 @@ jobs:
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          # Explicitly fetch the current HEAD of the ref at run time, not the
+          # SHA that was frozen when this scheduled job was queued. Without this,
+          # a queued job can run days later with stale code.
+          ref: ${{ github.ref_name }}

      - name: Normalize image name
        run: |
          echo "IMAGE_NAME=$(echo "${{ env.IMAGE_NAME }}" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_ENV"

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

      - name: Resolve Debian base image digest
        id: base-image
@@ -56,7 +61,7 @@ jobs:
          echo "Base image digest: $DIGEST"

      - name: Log in to Container Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
@@ -64,7 +69,7 @@ jobs:

      - name: Extract metadata
        id: meta
-        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
@@ -72,7 +77,7 @@ jobs:

      - name: Build Docker image (NO CACHE)
        id: build
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
        with:
          context: .
          platforms: linux/amd64
@@ -88,38 +93,41 @@ jobs:
            BASE_IMAGE=${{ steps.base-image.outputs.digest }}

      - name: Run Trivy vulnerability scanner (CRITICAL+HIGH)
-        uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # 0.34.1
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
        with:
          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
          format: 'table'
          severity: 'CRITICAL,HIGH'
          exit-code: '1' # Fail workflow if vulnerabilities found
+          version: 'v0.69.3'
        continue-on-error: true

      - name: Run Trivy vulnerability scanner (SARIF)
        id: trivy-sarif
-        uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # 0.34.1
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
        with:
          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
          format: 'sarif'
          output: 'trivy-weekly-results.sarif'
          severity: 'CRITICAL,HIGH,MEDIUM'
+          version: 'v0.69.3'

      - name: Upload Trivy results to GitHub Security
-        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
        with:
          sarif_file: 'trivy-weekly-results.sarif'

      - name: Run Trivy vulnerability scanner (JSON for artifact)
-        uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # 0.34.1
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
        with:
          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
          format: 'json'
          output: 'trivy-weekly-results.json'
          severity: 'CRITICAL,HIGH,MEDIUM,LOW'
+          version: 'v0.69.3'

      - name: Upload Trivy JSON results
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: trivy-weekly-scan-${{ github.run_number }}
          path: trivy-weekly-results.json
@@ -11,6 +11,8 @@ on:
        type: string
  pull_request:
  push:
+    branches:
+      - main

 concurrency:
  group: supply-chain-pr-${{ github.event.workflow_run.event || github.event_name }}-${{ github.event.workflow_run.head_branch || github.ref }}
@@ -264,7 +266,7 @@ jobs:
      # Generate SBOM using official Anchore action (auto-updated by Renovate)
      - name: Generate SBOM
        if: steps.set-target.outputs.image_name != ''
-        uses: anchore/sbom-action@28d71544de8eaf1b958d335707167c5f783590ad # v0.22.2
+        uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1
        id: sbom
        with:
          image: ${{ steps.set-target.outputs.image_name }}
@@ -283,7 +285,7 @@ jobs:
      - name: Install Grype
        if: steps.set-target.outputs.image_name != ''
        run: |
-          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.107.1
+          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.109.1

      - name: Scan for vulnerabilities
        if: steps.set-target.outputs.image_name != ''
@@ -337,9 +339,30 @@ jobs:
          echo "  Low: ${LOW_COUNT}"
          echo "  Total: ${TOTAL_COUNT}"

+      - name: Security severity policy summary
+        if: steps.set-target.outputs.image_name != ''
+        run: |
+          CRITICAL_COUNT="${{ steps.vuln-summary.outputs.critical_count }}"
+          HIGH_COUNT="${{ steps.vuln-summary.outputs.high_count }}"
+          MEDIUM_COUNT="${{ steps.vuln-summary.outputs.medium_count }}"
+
+          {
+            echo "## 🔐 Supply Chain Severity Policy"
+            echo ""
+            echo "- Blocking: Critical, High"
+            echo "- Medium: non-blocking by default (report + triage SLA)"
+            echo "- Policy file: .github/security-severity-policy.yml"
+            echo ""
+            echo "Current scan counts: Critical=${CRITICAL_COUNT}, High=${HIGH_COUNT}, Medium=${MEDIUM_COUNT}"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+          if [[ "${MEDIUM_COUNT}" -gt 0 ]]; then
+            echo "::warning::${MEDIUM_COUNT} medium vulnerabilities found. Non-blocking by policy; create/maintain triage issue with SLA per .github/security-severity-policy.yml"
+          fi
+
      - name: Upload SARIF to GitHub Security
        if: steps.check-artifact.outputs.artifact_found == 'true'
-        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4
+        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
        continue-on-error: true
        with:
          sarif_file: grype-results.sarif
@@ -348,7 +371,7 @@ jobs:
      - name: Upload supply chain artifacts
        if: steps.set-target.outputs.image_name != ''
        # actions/upload-artifact v4.6.0
-        uses: actions/upload-artifact@47309c993abb98030a35d55ef7ff34b7fa1074b5
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
        with:
          name: ${{ steps.pr-number.outputs.is_push == 'true' && format('supply-chain-{0}', steps.sanitize.outputs.branch) || format('supply-chain-pr-{0}', steps.pr-number.outputs.pr_number) }}
          path: |
@@ -433,10 +456,11 @@ jobs:

          echo "✅ PR comment posted"

-      - name: Fail on critical vulnerabilities
+      - name: Fail on Critical/High vulnerabilities
        if: steps.set-target.outputs.image_name != ''
        run: |
          CRITICAL_COUNT="${{ steps.vuln-summary.outputs.critical_count }}"
+          HIGH_COUNT="${{ steps.vuln-summary.outputs.high_count }}"

          if [[ "${CRITICAL_COUNT}" -gt 0 ]]; then
            echo "🚨 Found ${CRITICAL_COUNT} CRITICAL vulnerabilities!"
@@ -444,4 +468,10 @@ jobs:
            exit 1
          fi

-          echo "✅ No critical vulnerabilities found"
+          if [[ "${HIGH_COUNT}" -gt 0 ]]; then
+            echo "🚨 Found ${HIGH_COUNT} HIGH vulnerabilities!"
+            echo "Please review the vulnerability report and address high severity issues before merging."
+            exit 1
+          fi
+
+          echo "✅ No Critical/High vulnerabilities found"
@@ -119,7 +119,7 @@ jobs:
      # Generate SBOM using official Anchore action (auto-updated by Renovate)
      - name: Generate and Verify SBOM
        if: steps.image-check.outputs.exists == 'true'
-        uses: anchore/sbom-action@28d71544de8eaf1b958d335707167c5f783590ad # v0.22.2
+        uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1
        with:
          image: ghcr.io/${{ github.repository_owner }}/charon:${{ steps.tag.outputs.tag }}
          format: cyclonedx-json
@@ -144,7 +144,7 @@ jobs:

      - name: Upload SBOM Artifact
        if: steps.image-check.outputs.exists == 'true' && always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f  # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
        with:
          name: sbom-${{ steps.tag.outputs.tag }}
          path: sbom-verify.cyclonedx.json
@@ -324,7 +324,7 @@ jobs:

      - name: Upload Vulnerability Scan Artifact
        if: steps.validate-sbom.outputs.valid == 'true' && always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f  # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
        with:
          name: vulnerability-scan-${{ steps.tag.outputs.tag }}
          path: |
@@ -5,9 +5,9 @@ name: Weekly Nightly to Main Promotion

 on:
  schedule:
-    # Every Monday at 10:30 UTC (5:30am EST / 6:30am EDT)
+    # Every Monday at 12:00 UTC (7:00am EST / 8:00am EDT)
    # Offset from nightly sync (09:00 UTC) to avoid schedule race and allow validation completion.
-    - cron: '30 10 * * 1'
+    - cron: '0 12 * * 1'
  workflow_dispatch:
    inputs:
      reason:
@@ -78,6 +78,11 @@ backend/node_modules/
 backend/package.json
 backend/package-lock.json

+# Root-level artifact files (non-documentation)
+FIREFOX_E2E_FIXES_SUMMARY.md
+verify-security-state-for-ui-tests
+categories.txt
+
 # -----------------------------------------------------------------------------
 # Databases
 # -----------------------------------------------------------------------------
@@ -297,6 +302,7 @@ docs/plans/current_spec_notes.md
 tests/etc/passwd
 trivy-image-report.json
 trivy-fs-report.json
+trivy-report.json
 backend/# Tools Configuration.md
 docs/plans/requirements.md
 docs/plans/design.md
@@ -50,7 +50,7 @@ ignore:
      as of 2026-01-16. Risk accepted: Charon does not directly use untgz or
      process untrusted tar archives. Attack surface limited to base OS utilities.
      Monitoring Alpine security feed for upstream patch.
-    expiry: "2026-01-23"  # Re-evaluate in 7 days
+    expiry: "2026-03-14"  # Re-evaluate in 7 days

    # Action items when this suppression expires:
    # 1. Check Alpine security feed: https://security.alpinelinux.org/
@@ -1,211 +0,0 @@
-# NOTE: golangci-lint-fast now includes test files (_test.go) to catch security
-# issues earlier. The fast config uses gosec with critical-only checks (G101,
-# G110, G305, G401, G501, G502, G503) for acceptable performance.
-# Last updated: 2026-02-02
-
-repos:
-  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v6.0.0
-    hooks:
-      - id: end-of-file-fixer
-        exclude: '^(frontend/(coverage|dist|node_modules|\.vite)/|.*\.tsbuildinfo$)'
-      - id: trailing-whitespace
-        exclude: '^(frontend/(coverage|dist|node_modules|\.vite)/|.*\.tsbuildinfo$)'
-      - id: check-yaml
-      - id: check-added-large-files
-        args: ['--maxkb=2500']
-  - repo: https://github.com/shellcheck-py/shellcheck-py
-    rev: v0.10.0.1
-    hooks:
-      - id: shellcheck
-        name: shellcheck
-        exclude: '^(frontend/(coverage|dist|node_modules|\.vite)/|test-results|codeql-agent-results)/'
-        args: ['--severity=error']
-  - repo: https://github.com/rhysd/actionlint
-    rev: v1.7.10
-    hooks:
-      - id: actionlint
-        name: actionlint (GitHub Actions)
-        files: '^\.github/workflows/.*\.ya?ml$'
-  - repo: local
-    hooks:
-      - id: dockerfile-check
-        name: dockerfile validation
-        entry: tools/dockerfile_check.sh
-        language: script
-        files: "Dockerfile.*"
-        pass_filenames: true
-      - id: go-test-coverage
-        name: Go Test Coverage (Manual)
-        entry: scripts/go-test-coverage.sh
-        language: script
-        files: '\.go$'
-        pass_filenames: false
-        verbose: true
-        stages: [manual]  # Only runs when explicitly called
-      - id: go-vet
-        name: Go Vet
-        entry: bash -c 'cd backend && go vet ./...'
-        language: system
-        files: '\.go$'
-        pass_filenames: false
-      - id: golangci-lint-fast
-        name: golangci-lint (Fast Linters - BLOCKING)
-        entry: scripts/pre-commit-hooks/golangci-lint-fast.sh
-        language: script
-        files: '\.go$'
-        # Test files are now included to catch security issues (gosec critical checks)
-        pass_filenames: false
-        description: "Runs fast, essential linters (staticcheck, govet, errcheck, ineffassign, unused, gosec critical) - BLOCKS commits on failure"
-      - id: check-version-match
-        name: Check .version matches latest Git tag
-        entry: bash -c 'scripts/check-version-match-tag.sh'
-        language: system
-        files: '\.version$'
-        pass_filenames: false
-      - id: check-lfs-large-files
-        name: Prevent large files that are not tracked by LFS
-        entry: bash scripts/pre-commit-hooks/check-lfs-for-large-files.sh
-        language: system
-        pass_filenames: false
-        verbose: true
-        always_run: true
-      - id: block-codeql-db-commits
-        name: Prevent committing CodeQL DB artifacts
-        entry: bash scripts/pre-commit-hooks/block-codeql-db-commits.sh
-        language: system
-        pass_filenames: false
-        verbose: true
-        always_run: true
-      - id: block-data-backups-commit
-        name: Prevent committing data/backups files
-        entry: bash scripts/pre-commit-hooks/block-data-backups-commit.sh
-        language: system
-        pass_filenames: false
-        verbose: true
-        always_run: true
-
-      # === MANUAL/CI-ONLY HOOKS ===
-      # These are slow and should only run on-demand or in CI
-      # Run manually with: pre-commit run golangci-lint-full --all-files
-      - id: go-test-race
-        name: Go Test Race (Manual)
-        entry: bash -c 'cd backend && go test -race ./...'
-        language: system
-        files: '\.go$'
-        pass_filenames: false
-        stages: [manual]  # Only runs when explicitly called
-
-      - id: golangci-lint-full
-        name: golangci-lint (Full - Manual)
-        entry: scripts/pre-commit-hooks/golangci-lint-full.sh
-        language: script
-        files: '\.go$'
-        pass_filenames: false
-        stages: [manual]  # Only runs when explicitly called
-
-      - id: hadolint
-        name: Hadolint Dockerfile Check (Manual)
-        entry: bash -c 'docker run --rm -i hadolint/hadolint < Dockerfile'
-        language: system
-        files: 'Dockerfile'
-        pass_filenames: false
-        stages: [manual]  # Only runs when explicitly called
-      - id: frontend-type-check
-        name: Frontend TypeScript Check
-        entry: bash -c 'cd frontend && npm run type-check'
-        language: system
-        files: '^frontend/.*\.(ts|tsx)$'
-        pass_filenames: false
-      - id: frontend-lint
-        name: Frontend Lint (Fix)
-        entry: bash -c 'cd frontend && npm run lint -- --fix'
-        language: system
-        files: '^frontend/.*\.(ts|tsx|js|jsx)$'
-        pass_filenames: false
-
-      - id: frontend-test-coverage
-        name: Frontend Test Coverage (Manual)
-        entry: scripts/frontend-test-coverage.sh
-        language: script
-        files: '^frontend/.*\\.(ts|tsx|js|jsx)$'
-        pass_filenames: false
-        verbose: true
-        stages: [manual]
-
-      - id: security-scan
-        name: Security Vulnerability Scan (Manual)
-        entry: scripts/security-scan.sh
-        language: script
-        files: '(\.go$|go\.mod$|go\.sum$)'
-        pass_filenames: false
-        verbose: true
-        stages: [manual]  # Only runs when explicitly called
-
-      - id: codeql-go-scan
-        name: CodeQL Go Security Scan (Manual - Slow)
-        entry: scripts/pre-commit-hooks/codeql-go-scan.sh
-        language: script
-        files: '\.go$'
-        pass_filenames: false
-        verbose: true
-        stages: [manual]  # Performance: 30-60s, only run on-demand
-
-      - id: codeql-js-scan
-        name: CodeQL JavaScript/TypeScript Security Scan (Manual - Slow)
-        entry: scripts/pre-commit-hooks/codeql-js-scan.sh
-        language: script
-        files: '^frontend/.*\.(ts|tsx|js|jsx)$'
-        pass_filenames: false
-        verbose: true
-        stages: [manual]  # Performance: 30-60s, only run on-demand
-
-      - id: codeql-check-findings
-        name: Block HIGH/CRITICAL CodeQL Findings
-        entry: scripts/pre-commit-hooks/codeql-check-findings.sh
-        language: script
-        pass_filenames: false
-        verbose: true
-        stages: [manual]  # Only runs after CodeQL scans
-
-      - id: codeql-parity-check
-        name: CodeQL Suite/Trigger Parity Guard (Manual)
-        entry: scripts/ci/check-codeql-parity.sh
-        language: script
-        pass_filenames: false
-        verbose: true
-        stages: [manual]
-
-      - id: gorm-security-scan
-        name: GORM Security Scanner (Manual)
-        entry: scripts/pre-commit-hooks/gorm-security-check.sh
-        language: script
-        files: '\.go$'
-        pass_filenames: false
-        stages: [manual]  # Manual stage initially (soft launch)
-        verbose: true
-        description: "Detects GORM ID leaks and common GORM security mistakes"
-
-      - id: semgrep-scan
-        name: Semgrep Security Scan (Manual)
-        entry: scripts/pre-commit-hooks/semgrep-scan.sh
-        language: script
-        pass_filenames: false
-        verbose: true
-        stages: [manual]  # Manual stage initially (reversible rollout)
-
-      - id: gitleaks-tuned-scan
-        name: Gitleaks Security Scan (Tuned, Manual)
-        entry: scripts/pre-commit-hooks/gitleaks-tuned-scan.sh
-        language: script
-        pass_filenames: false
-        verbose: true
-        stages: [manual]  # Manual stage initially (reversible rollout)
-
-  - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.47.0
-    hooks:
-      - id: markdownlint
-        args: ["--fix"]
-        exclude: '^(node_modules|\.venv|test-results|codeql-db|codeql-agent-results)/'
-        stages: [manual]
@@ -7,3 +7,10 @@ playwright/.auth/
 # Charon does not use Nebula VPN PKI by default. Review by: 2026-03-05
 # See also: .grype.yaml for full justification
 CVE-2026-25793
+
+# CVE-2026-22184: zlib Global Buffer Overflow in untgz utility
+# Severity: CRITICAL (CVSS 9.8) — Package: zlib 1.3.1-r2 in Alpine base image
+# No upstream fix available: Alpine 3.23 (including edge) still ships zlib 1.3.1-r2.
+# Charon does not use untgz or process untrusted tar archives. Review by: 2026-03-14
+# See also: .grype.yaml for full justification
+CVE-2026-22184
@@ -1 +1 @@
-v0.19.0
+v0.21.0
@@ -371,9 +371,9 @@
            }
        },
        {
-            "label": "Lint: Pre-commit (All Files)",
+            "label": "Lint: Lefthook Pre-commit (All Files)",
            "type": "shell",
-            "command": ".github/skills/scripts/skill-runner.sh qa-precommit-all",
+            "command": "lefthook run pre-commit",
            "group": "test",
            "problemMatcher": []
        },
@@ -466,9 +466,9 @@
            "problemMatcher": []
        },
        {
-            "label": "Security: Semgrep Scan (Manual Hook)",
+            "label": "Security: Semgrep Scan (Lefthook Pre-push)",
            "type": "shell",
-            "command": "pre-commit run --hook-stage manual semgrep-scan --all-files",
+            "command": "lefthook run pre-push",
            "group": "test",
            "problemMatcher": []
        },
@@ -480,9 +480,9 @@
            "problemMatcher": []
        },
        {
-            "label": "Security: Gitleaks Scan (Tuned Manual Hook)",
+            "label": "Security: Gitleaks Scan (Lefthook Pre-push)",
            "type": "shell",
-            "command": "pre-commit run --hook-stage manual gitleaks-tuned-scan --all-files",
+            "command": "lefthook run pre-push",
            "group": "test",
            "problemMatcher": []
        },
@@ -724,6 +724,13 @@
            "group": "test",
            "problemMatcher": []
        },
+        {
+            "label": "Security: Caddy PR-1 Compatibility Matrix",
+            "type": "shell",
+            "command": "cd /projects/Charon && bash scripts/caddy-compat-matrix.sh --candidate-version 2.11.2 --patch-scenarios A,B,C --platforms linux/amd64,linux/arm64 --smoke-set boot_caddy,plugin_modules,config_validate,admin_api_health --output-dir test-results/caddy-compat --docs-report docs/reports/caddy-compatibility-matrix.md",
+            "group": "test",
+            "problemMatcher": []
+        },
        {
            "label": "Test: E2E Playwright (Skill)",
            "type": "shell",
@@ -808,6 +815,162 @@
                "close": false
            }
        },
+        {
+            "label": "Test: E2E Playwright (Chromium) - Non-Security Shards 1/4-4/4",
+            "type": "shell",
+            "command": "cd /projects/Charon && if [ -f .env ]; then set -a; . ./.env; set +a; fi && : \"${CHARON_EMERGENCY_TOKEN:?CHARON_EMERGENCY_TOKEN is required (set it in /projects/Charon/.env)}\" && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=1 npx playwright test --project=chromium --shard=1/4 --output=playwright-output/chromium-shard-1 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks && cd /projects/Charon && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=2 npx playwright test --project=chromium --shard=2/4 --output=playwright-output/chromium-shard-2 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks && cd /projects/Charon && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=3 npx playwright test --project=chromium --shard=3/4 --output=playwright-output/chromium-shard-3 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks && cd /projects/Charon && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=4 npx playwright test --project=chromium --shard=4/4 --output=playwright-output/chromium-shard-4 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks",
+            "group": "test",
+            "problemMatcher": [],
+            "presentation": {
+                "reveal": "always",
+                "panel": "dedicated",
+                "close": false
+            }
+        },
+        {
+            "label": "Test: E2E Playwright (Chromium) - Non-Security Shard 1/4",
+            "type": "shell",
+            "command": "cd /projects/Charon && if [ -f .env ]; then set -a; . ./.env; set +a; fi && : \"${CHARON_EMERGENCY_TOKEN:?CHARON_EMERGENCY_TOKEN is required (set it in /projects/Charon/.env)}\" && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=1 npx playwright test --project=chromium --shard=1/4 --output=playwright-output/chromium-shard-1 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks",
+            "group": "test",
+            "problemMatcher": [],
+            "presentation": {
+                "reveal": "always",
+                "panel": "dedicated",
+                "close": false
+            }
+        },
+        {
+            "label": "Test: E2E Playwright (Chromium) - Non-Security Shard 2/4",
+            "type": "shell",
+            "command": "cd /projects/Charon && if [ -f .env ]; then set -a; . ./.env; set +a; fi && : \"${CHARON_EMERGENCY_TOKEN:?CHARON_EMERGENCY_TOKEN is required (set it in /projects/Charon/.env)}\" && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=2 npx playwright test --project=chromium --shard=2/4 --output=playwright-output/chromium-shard-2 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks",
+            "group": "test",
+            "problemMatcher": [],
+            "presentation": {
+                "reveal": "always",
+                "panel": "dedicated",
+                "close": false
+            }
+        },
+        {
+            "label": "Test: E2E Playwright (Chromium) - Non-Security Shard 3/4",
+            "type": "shell",
+            "command": "cd /projects/Charon && if [ -f .env ]; then set -a; . ./.env; set +a; fi && : \"${CHARON_EMERGENCY_TOKEN:?CHARON_EMERGENCY_TOKEN is required (set it in /projects/Charon/.env)}\" && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=3 npx playwright test --project=chromium --shard=3/4 --output=playwright-output/chromium-shard-3 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks",
+            "group": "test",
+            "problemMatcher": [],
+            "presentation": {
+                "reveal": "always",
+                "panel": "dedicated",
+                "close": false
+            }
+        },
+        {
+            "label": "Test: E2E Playwright (Chromium) - Non-Security Shard 4/4",
+            "type": "shell",
+            "command": "cd /projects/Charon && if [ -f .env ]; then set -a; . ./.env; set +a; fi && : \"${CHARON_EMERGENCY_TOKEN:?CHARON_EMERGENCY_TOKEN is required (set it in /projects/Charon/.env)}\" && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=4 npx playwright test --project=chromium --shard=4/4 --output=playwright-output/chromium-shard-4 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks",
+            "group": "test",
+            "problemMatcher": [],
+            "presentation": {
+                "reveal": "always",
+                "panel": "dedicated",
+                "close": false
+            }
+        },
+        {
+            "label": "Test: E2E Playwright (WebKit) - Non-Security Shards 1/4-4/4",
+            "type": "shell",
+            "command": "cd /projects/Charon && if [ -f .env ]; then set -a; . ./.env; set +a; fi && : \"${CHARON_EMERGENCY_TOKEN:?CHARON_EMERGENCY_TOKEN is required (set it in /projects/Charon/.env)}\" && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=1 npx playwright test --project=webkit --shard=1/4 --output=playwright-output/webkit-shard-1 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks && cd /projects/Charon && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=2 npx playwright test --project=webkit --shard=2/4 --output=playwright-output/webkit-shard-2 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks && cd /projects/Charon && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=3 npx playwright test --project=webkit --shard=3/4 --output=playwright-output/webkit-shard-3 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks && cd /projects/Charon && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=4 npx playwright test --project=webkit --shard=4/4 --output=playwright-output/webkit-shard-4 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks",
+            "group": "test",
+            "problemMatcher": [],
+            "presentation": {
+                "reveal": "always",
+                "panel": "dedicated",
+                "close": false
+            }
+        },
+        {
+            "label": "Test: E2E Playwright (WebKit) - Non-Security Shard 1/4",
+            "type": "shell",
+            "command": "cd /projects/Charon && if [ -f .env ]; then set -a; . ./.env; set +a; fi && : \"${CHARON_EMERGENCY_TOKEN:?CHARON_EMERGENCY_TOKEN is required (set it in /projects/Charon/.env)}\" && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=1 npx playwright test --project=webkit --shard=1/4 --output=playwright-output/webkit-shard-1 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks",
+            "group": "test",
+            "problemMatcher": [],
+            "presentation": {
+                "reveal": "always",
+                "panel": "dedicated",
+                "close": false
+            }
+        },
+        {
+            "label": "Test: E2E Playwright (WebKit) - Non-Security Shard 2/4",
+            "type": "shell",
+            "command": "cd /projects/Charon && if [ -f .env ]; then set -a; . ./.env; set +a; fi && : \"${CHARON_EMERGENCY_TOKEN:?CHARON_EMERGENCY_TOKEN is required (set it in /projects/Charon/.env)}\" && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=2 npx playwright test --project=webkit --shard=2/4 --output=playwright-output/webkit-shard-2 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks",
+            "group": "test",
+            "problemMatcher": [],
+            "presentation": {
+                "reveal": "always",
+                "panel": "dedicated",
+                "close": false
+            }
+        },
+        {
+            "label": "Test: E2E Playwright (WebKit) - Non-Security Shard 3/4",
+            "type": "shell",
+            "command": "cd /projects/Charon && if [ -f .env ]; then set -a; . ./.env; set +a; fi && : \"${CHARON_EMERGENCY_TOKEN:?CHARON_EMERGENCY_TOKEN is required (set it in /projects/Charon/.env)}\" && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=3 npx playwright test --project=webkit --shard=3/4 --output=playwright-output/webkit-shard-3 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks",
+            "group": "test",
+            "problemMatcher": [],
+            "presentation": {
+                "reveal": "always",
+                "panel": "dedicated",
+                "close": false
+            }
+        },
+        {
+            "label": "Test: E2E Playwright (WebKit) - Non-Security Shard 4/4",
+            "type": "shell",
+            "command": "cd /projects/Charon && if [ -f .env ]; then set -a; . ./.env; set +a; fi && : \"${CHARON_EMERGENCY_TOKEN:?CHARON_EMERGENCY_TOKEN is required (set it in /projects/Charon/.env)}\" && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=false PLAYWRIGHT_SKIP_SECURITY_DEPS=1 TEST_WORKER_INDEX=4 npx playwright test --project=webkit --shard=4/4 --output=playwright-output/webkit-shard-4 tests/core tests/dns-provider-crud.spec.ts tests/dns-provider-types.spec.ts tests/integration tests/manual-dns-provider.spec.ts tests/monitoring tests/settings tests/tasks",
+            "group": "test",
+            "problemMatcher": [],
+            "presentation": {
+                "reveal": "always",
+                "panel": "dedicated",
+                "close": false
+            }
+        },
+        {
+            "label": "Test: E2E Playwright (Chromium) - Security Suite",
+            "type": "shell",
+            "command": "cd /projects/Charon && if [ -f .env ]; then set -a; . ./.env; set +a; fi && : \"${CHARON_EMERGENCY_TOKEN:?CHARON_EMERGENCY_TOKEN is required (set it in /projects/Charon/.env)}\" && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=true PLAYWRIGHT_SKIP_SECURITY_DEPS=0 npx playwright test --project=security-tests --output=playwright-output/chromium-security tests/security",
+            "group": "test",
+            "problemMatcher": [],
+            "presentation": {
+                "reveal": "always",
+                "panel": "dedicated",
+                "close": false
+            }
+        },
+        {
+            "label": "Test: E2E Playwright (FireFox) - Security Suite",
+            "type": "shell",
+            "command": "cd /projects/Charon && if [ -f .env ]; then set -a; . ./.env; set +a; fi && : \"${CHARON_EMERGENCY_TOKEN:?CHARON_EMERGENCY_TOKEN is required (set it in /projects/Charon/.env)}\" && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=true PLAYWRIGHT_SKIP_SECURITY_DEPS=0 npx playwright test --project=firefox --output=playwright-output/firefox-security tests/security",
+            "group": "test",
+            "problemMatcher": [],
+            "presentation": {
+                "reveal": "always",
+                "panel": "dedicated",
+                "close": false
+            }
+        },
+        {
+            "label": "Test: E2E Playwright (WebKit) - Security Suite",
+            "type": "shell",
+            "command": "cd /projects/Charon && if [ -f .env ]; then set -a; . ./.env; set +a; fi && : \"${CHARON_EMERGENCY_TOKEN:?CHARON_EMERGENCY_TOKEN is required (set it in /projects/Charon/.env)}\" && CI=true PLAYWRIGHT_BASE_URL=http://127.0.0.1:8080 CHARON_SECURITY_TESTS_ENABLED=true PLAYWRIGHT_SKIP_SECURITY_DEPS=0 npx playwright test --project=webkit --output=playwright-output/webkit-security tests/security",
+            "group": "test",
+            "problemMatcher": [],
+            "presentation": {
+                "reveal": "always",
+                "panel": "dedicated",
+                "close": false
+            }
+        },
        {
            "label": "Test: E2E Playwright with Coverage",
            "type": "shell",
@@ -126,7 +126,7 @@ graph TB
 | **HTTP Framework** | Gin | Latest | Routing, middleware, HTTP handling |
 | **Database** | SQLite | 3.x | Embedded database |
 | **ORM** | GORM | Latest | Database abstraction layer |
-| **Reverse Proxy** | Caddy Server | 2.11.0-beta.2 | Embedded HTTP/HTTPS proxy |
+| **Reverse Proxy** | Caddy Server | 2.11.2 | Embedded HTTP/HTTPS proxy |
 | **WebSocket** | gorilla/websocket | Latest | Real-time log streaming |
 | **Crypto** | golang.org/x/crypto | Latest | Password hashing, encryption |
 | **Metrics** | Prometheus Client | Latest | Application metrics |
@@ -1259,6 +1259,14 @@ go test ./integration/...
 9. **Release Notes:** Generate changelog from commits
 10. **Notify:** Send release notification (Discord, email)

+**Mandatory rollout gates (sign-off block):**
+
+1. Digest freshness and index digest parity across GHCR and Docker Hub
+2. Per-arch digest parity across GHCR and Docker Hub
+3. SBOM and vulnerability scans against immutable refs (`image@sha256:...`)
+4. Artifact freshness timestamps after push
+5. Evidence block with required rollout verification fields
+
 ### Supply Chain Security

 **Components:**
@@ -1292,10 +1300,10 @@ cosign verify \
  wikid82/charon:latest

 # Inspect SBOM
-syft wikid82/charon:latest -o json
+syft ghcr.io/wikid82/charon@sha256:<index-digest> -o json

 # Scan for vulnerabilities
-grype wikid82/charon:latest
+grype ghcr.io/wikid82/charon@sha256:<index-digest>
 ```

 ### Rollback Strategy
@@ -31,6 +31,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 - Fixed: Added robust validation and debug logging for Docker image tags to prevent invalid reference errors.
 - Fixed: Removed log masking for image references and added manifest validation to debug CI failures.
+- **Proxy Hosts**: Fixed ACL and Security Headers dropdown selections so create/edit saves now keep the selected values (including clearing to none) after submit and reload.
 - **CI**: Fixed Docker image reference output so integration jobs never pull an empty image ref
 - **E2E Test Reliability**: Resolved test timeout issues affecting CI/CD pipeline stability
  - Fixed config reload overlay blocking test interactions
@@ -33,7 +33,19 @@ This project follows a Code of Conduct that all contributors are expected to adh

 ### Development Tools

-Install golangci-lint for pre-commit hooks (required for Go development):
+Install golangci-lint for lefthook pre-commit-phase hooks (required for Go development):
+
+Also install lefthook itself so the git hooks work:
+
+```bash
+# Option 1: Homebrew (macOS/Linux)
+brew install lefthook
+
+# Option 2: Go install
+go install github.com/evilmartians/lefthook@latest
+```
+
+

 ```bash
 # Option 1: Homebrew (macOS/Linux)
@@ -59,7 +71,7 @@ golangci-lint --version
 # Should output: golangci-lint has version 1.xx.x ...
 ```

-**Note:** Pre-commit hooks will **BLOCK commits** if golangci-lint finds issues. This is intentional - fix the issues before committing.
+**Note:** Lefthook pre-commit-phase hooks will **BLOCK commits** if golangci-lint finds issues. This is intentional - fix the issues before committing.

 ### CI/CD Go Version Management

@@ -84,7 +96,7 @@ When the project's Go version is updated (usually by Renovate):

 3. **Rebuild your development tools**
   ```bash
-   # This fixes pre-commit hook errors and IDE issues
+   # This fixes lefthook hook errors and IDE issues
   ./scripts/rebuild-go-tools.sh
   ```

@@ -104,7 +116,7 @@ Rebuilding tools with `./scripts/rebuild-go-tools.sh` fixes this by compiling th

 **What if I forget?**

-Don't worry! The pre-commit hook will detect the version mismatch and automatically rebuild tools for you. You'll see:
+Don't worry! The lefthook pre-commit hook will detect the version mismatch and automatically rebuild tools for you. You'll see:

 ```
 ⚠️  golangci-lint Go version mismatch:
@@ -8,21 +8,45 @@ ARG VCS_REF
 # Set BUILD_DEBUG=1 to build with debug symbols (required for Delve debugging)
 ARG BUILD_DEBUG=0

+# ---- Pinned Toolchain Versions ----
+# renovate: datasource=docker depName=golang versioning=docker
+ARG GO_VERSION=1.26.1
+
+# renovate: datasource=docker depName=alpine versioning=docker
+ARG ALPINE_IMAGE=alpine:3.23.3@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659
+
+# ---- Shared CrowdSec Version ----
+# renovate: datasource=github-releases depName=crowdsecurity/crowdsec
+ARG CROWDSEC_VERSION=1.7.6
+# CrowdSec fallback tarball checksum (v${CROWDSEC_VERSION})
+ARG CROWDSEC_RELEASE_SHA256=704e37121e7ac215991441cef0d8732e33fa3b1a2b2b88b53a0bfe5e38f863bd
+
+# ---- Shared Go Security Patches ----
+# renovate: datasource=go depName=github.com/expr-lang/expr
+ARG EXPR_LANG_VERSION=1.17.7
+# renovate: datasource=go depName=golang.org/x/net
+ARG XNET_VERSION=0.51.0
+
 # Allow pinning Caddy version - Renovate will update this
 # Build the most recent Caddy 2.x release (keeps major pinned under v3).
 # Setting this to '2' tells xcaddy to resolve the latest v2.x tag so we
 # avoid accidentally pulling a v3 major release. Renovate can still update
 # this ARG to a specific v2.x tag when desired.
 ## Try to build the requested Caddy v2.x tag (Renovate can update this ARG).
-## If the requested tag isn't available, fall back to a known-good v2.11.0-beta.2 build.
-ARG CADDY_VERSION=2.11.0-beta.2
+## If the requested tag isn't available, fall back to a known-good v2.11.2 build.
+ARG CADDY_VERSION=2.11.2
+ARG CADDY_CANDIDATE_VERSION=2.11.2
+ARG CADDY_USE_CANDIDATE=0
+ARG CADDY_PATCH_SCENARIO=B
+# renovate: datasource=go depName=github.com/greenpau/caddy-security
+ARG CADDY_SECURITY_VERSION=1.1.45
+# renovate: datasource=go depName=github.com/corazawaf/coraza-caddy
+ARG CORAZA_CADDY_VERSION=2.2.0
 ## When an official caddy image tag isn't available on the host, use a
 ## plain Alpine base image and overwrite its caddy binary with our
 ## xcaddy-built binary in the later COPY step. This avoids relying on
 ## upstream caddy image tags while still shipping a pinned caddy binary.
 ## Alpine 3.23 base to reduce glibc CVE exposure and image size.
-# renovate: datasource=docker depName=alpine versioning=docker
-ARG CADDY_IMAGE=alpine:3.23.3

 # ---- Cross-Compilation Helpers ----
 # renovate: datasource=docker depName=tonistiigi/xx
@@ -33,8 +57,7 @@ FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.9.0@sha256:c64defb9ed5a91eacb37f9
 # This fixes 22 HIGH/CRITICAL CVEs in stdlib embedded in Debian's gosu package
 # CVEs fixed: CVE-2023-24531, CVE-2023-24540, CVE-2023-29402, CVE-2023-29404,
 #             CVE-2023-29405, CVE-2024-24790, CVE-2025-22871, and 15 more
-# renovate: datasource=docker depName=golang
-FROM --platform=$BUILDPLATFORM golang:1.26-alpine AS gosu-builder
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS gosu-builder
 COPY --from=xx / /

 WORKDIR /tmp/gosu
@@ -65,7 +88,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
 # ---- Frontend Builder ----
 # Build the frontend using the BUILDPLATFORM to avoid arm64 musl Rollup native issues
 # renovate: datasource=docker depName=node
-FROM --platform=$BUILDPLATFORM node:24.13.1-alpine AS frontend-builder
+FROM --platform=$BUILDPLATFORM node:24.14.0-alpine@sha256:7fddd9ddeae8196abf4a3ef2de34e11f7b1a722119f91f28ddf1e99dcafdf114 AS frontend-builder
 WORKDIR /app/frontend

 # Copy frontend package files
@@ -88,8 +111,7 @@ RUN --mount=type=cache,target=/app/frontend/node_modules/.cache \
    npm run build

 # ---- Backend Builder ----
-# renovate: datasource=docker depName=golang
-FROM --platform=$BUILDPLATFORM golang:1.26-alpine AS backend-builder
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS backend-builder
 # Copy xx helpers for cross-compilation
 COPY --from=xx / /

@@ -131,7 +153,7 @@ RUN set -eux; \
 # Note: xx-go install puts binaries in /go/bin/TARGETOS_TARGETARCH/dlv if cross-compiling.
 # We find it and move it to /go/bin/dlv so it's in a consistent location for the next stage.
 # renovate: datasource=go depName=github.com/go-delve/delve
-ARG DLV_VERSION=1.26.0
+ARG DLV_VERSION=1.26.1
 # hadolint ignore=DL3059,DL4006
 RUN CGO_ENABLED=0 xx-go install github.com/go-delve/delve/cmd/dlv@v${DLV_VERSION} && \
    DLV_PATH=$(find /go/bin -name dlv -type f | head -n 1) && \
@@ -191,16 +213,22 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
 # ---- Caddy Builder ----
 # Build Caddy from source to ensure we use the latest Go version and dependencies
 # This fixes vulnerabilities found in the pre-built Caddy images (e.g. CVE-2025-59530, stdlib issues)
-# renovate: datasource=docker depName=golang
-FROM --platform=$BUILDPLATFORM golang:1.26-alpine AS caddy-builder
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS caddy-builder
 ARG TARGETOS
 ARG TARGETARCH
 ARG CADDY_VERSION
+ARG CADDY_CANDIDATE_VERSION
+ARG CADDY_USE_CANDIDATE
+ARG CADDY_PATCH_SCENARIO
+ARG CADDY_SECURITY_VERSION
+ARG CORAZA_CADDY_VERSION
 # renovate: datasource=go depName=github.com/caddyserver/xcaddy
 ARG XCADDY_VERSION=0.4.5
+ARG EXPR_LANG_VERSION
+ARG XNET_VERSION

 # hadolint ignore=DL3018
-RUN apk add --no-cache git
+RUN apk add --no-cache bash git
 # hadolint ignore=DL3062
 RUN --mount=type=cache,target=/go/pkg/mod \
    go install github.com/caddyserver/xcaddy/cmd/xcaddy@v${XCADDY_VERSION}
@@ -212,13 +240,20 @@ RUN --mount=type=cache,target=/go/pkg/mod \
 # hadolint ignore=SC2016
 RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
-    sh -c 'set -e; \
+    bash -c 'set -e; \
+        CADDY_TARGET_VERSION="${CADDY_VERSION}"; \
+        if [ "${CADDY_USE_CANDIDATE}" = "1" ]; then \
+            CADDY_TARGET_VERSION="${CADDY_CANDIDATE_VERSION}"; \
+        fi; \
+        echo "Using Caddy target version: v${CADDY_TARGET_VERSION}"; \
+        echo "Using Caddy patch scenario: ${CADDY_PATCH_SCENARIO}"; \
        export XCADDY_SKIP_CLEANUP=1; \
        echo "Stage 1: Generate go.mod with xcaddy..."; \
        # Run xcaddy to generate the build directory and go.mod
-        GOOS=$TARGETOS GOARCH=$TARGETARCH xcaddy build v${CADDY_VERSION} \
-            --with github.com/greenpau/caddy-security \
-            --with github.com/corazawaf/coraza-caddy/v2 \
+        GOOS=$TARGETOS GOARCH=$TARGETARCH xcaddy build v${CADDY_TARGET_VERSION} \
+            --with github.com/caddyserver/caddy/v2@v${CADDY_TARGET_VERSION} \
+            --with github.com/greenpau/caddy-security@v${CADDY_SECURITY_VERSION} \
+            --with github.com/corazawaf/coraza-caddy/v2@v${CORAZA_CADDY_VERSION} \
            --with github.com/hslatman/caddy-crowdsec-bouncer@v0.10.0 \
            --with github.com/zhangjiayin/caddy-geoip2 \
            --with github.com/mholt/caddy-ratelimit \
@@ -235,16 +270,25 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
        # Patch ALL dependencies BEFORE building the final binary
        # These patches fix CVEs in transitive dependencies
        # Renovate tracks these via regex manager in renovate.json
-        # renovate: datasource=go depName=github.com/expr-lang/expr
-        go get github.com/expr-lang/expr@v1.17.7; \
+        go get github.com/expr-lang/expr@v${EXPR_LANG_VERSION}; \
        # renovate: datasource=go depName=github.com/hslatman/ipstore
        go get github.com/hslatman/ipstore@v0.4.0; \
-        # NOTE: smallstep/certificates (pulled by caddy-security stack) currently
-        # uses legacy nebula APIs removed in nebula v1.10+, which causes compile
-        # failures in authority/provisioner. Keep this pinned to a known-compatible
-        # v1.9.x release until upstream stack supports nebula v1.10+.
-        # renovate: datasource=go depName=github.com/slackhq/nebula
-        go get github.com/slackhq/nebula@v1.9.7; \
+        go get golang.org/x/net@v${XNET_VERSION}; \
+        if [ "${CADDY_PATCH_SCENARIO}" = "A" ]; then \
+            # Rollback scenario: keep explicit nebula pin if upstream compatibility regresses.
+            # NOTE: smallstep/certificates (pulled by caddy-security stack) currently
+            # uses legacy nebula APIs removed in nebula v1.10+, which causes compile
+            # failures in authority/provisioner. Keep this pinned to a known-compatible
+            # v1.9.x release until upstream stack supports nebula v1.10+.
+            # renovate: datasource=go depName=github.com/slackhq/nebula
+            go get github.com/slackhq/nebula@v1.9.7; \
+        elif [ "${CADDY_PATCH_SCENARIO}" = "B" ] || [ "${CADDY_PATCH_SCENARIO}" = "C" ]; then \
+            # Default PR-2 posture: retire explicit nebula pin and use upstream resolution.
+            echo "Skipping nebula pin for scenario ${CADDY_PATCH_SCENARIO}"; \
+        else \
+            echo "Unsupported CADDY_PATCH_SCENARIO=${CADDY_PATCH_SCENARIO}"; \
+            exit 1; \
+        fi; \
        # Clean up go.mod and ensure all dependencies are resolved
        go mod tidy; \
        echo "Dependencies patched successfully"; \
@@ -263,10 +307,9 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
        rm -rf /tmp/buildenv_* /tmp/caddy-initial'

 # ---- CrowdSec Builder ----
-# Build CrowdSec from source to ensure we use Go 1.26.0+ and avoid stdlib vulnerabilities
+# Build CrowdSec from source to ensure we use Go 1.26.1+ and avoid stdlib vulnerabilities
 # (CVE-2025-58183, CVE-2025-58186, CVE-2025-58187, CVE-2025-61729)
-# renovate: datasource=docker depName=golang versioning=docker
-FROM --platform=$BUILDPLATFORM golang:1.26.0-alpine AS crowdsec-builder
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS crowdsec-builder
 COPY --from=xx / /

 WORKDIR /tmp/crowdsec
@@ -274,11 +317,10 @@ WORKDIR /tmp/crowdsec
 ARG TARGETPLATFORM
 ARG TARGETOS
 ARG TARGETARCH
-# CrowdSec version - Renovate can update this
-# renovate: datasource=github-releases depName=crowdsecurity/crowdsec
-ARG CROWDSEC_VERSION=1.7.6
-# CrowdSec fallback tarball checksum (v${CROWDSEC_VERSION})
-ARG CROWDSEC_RELEASE_SHA256=704e37121e7ac215991441cef0d8732e33fa3b1a2b2b88b53a0bfe5e38f863bd
+ARG CROWDSEC_VERSION
+ARG CROWDSEC_RELEASE_SHA256
+ARG EXPR_LANG_VERSION
+ARG XNET_VERSION

 # hadolint ignore=DL3018
 RUN apk add --no-cache git clang lld
@@ -292,10 +334,10 @@ RUN git clone --depth 1 --branch "v${CROWDSEC_VERSION}" https://github.com/crowd

 # Patch dependencies to fix CVEs in transitive dependencies
 # This follows the same pattern as Caddy's dependency patches
-# renovate: datasource=go depName=github.com/expr-lang/expr
 # renovate: datasource=go depName=golang.org/x/crypto
-RUN go get github.com/expr-lang/expr@v1.17.7 && \
+RUN go get github.com/expr-lang/expr@v${EXPR_LANG_VERSION} && \
    go get golang.org/x/crypto@v0.46.0 && \
+    go get golang.org/x/net@v${XNET_VERSION} && \
    go mod tidy

 # Fix compatibility issues with expr-lang v1.17.7
@@ -325,18 +367,15 @@ RUN mkdir -p /crowdsec-out/config && \
    cp -r config/* /crowdsec-out/config/ || true

 # ---- CrowdSec Fallback (for architectures where build fails) ----
-# renovate: datasource=docker depName=alpine versioning=docker
-FROM alpine:3.23.3 AS crowdsec-fallback
+FROM ${ALPINE_IMAGE} AS crowdsec-fallback

 SHELL ["/bin/ash", "-o", "pipefail", "-c"]

 WORKDIR /tmp/crowdsec

 ARG TARGETARCH
-# CrowdSec version - Renovate can update this
-# renovate: datasource=github-releases depName=crowdsecurity/crowdsec
-ARG CROWDSEC_VERSION=1.7.6
-ARG CROWDSEC_RELEASE_SHA256=704e37121e7ac215991441cef0d8732e33fa3b1a2b2b88b53a0bfe5e38f863bd
+ARG CROWDSEC_VERSION
+ARG CROWDSEC_RELEASE_SHA256

 # hadolint ignore=DL3018
 RUN apk add --no-cache curl ca-certificates
@@ -365,7 +404,7 @@ RUN set -eux; \
    fi

 # ---- Final Runtime with Caddy ----
-FROM ${CADDY_IMAGE}
+FROM ${ALPINE_IMAGE}
 WORKDIR /app

 # Install runtime dependencies for Charon, including bash for maintenance scripts
@@ -392,7 +431,7 @@ SHELL ["/bin/ash", "-o", "pipefail", "-c"]
 # Note: In production, users should provide their own MaxMind license key
 # This uses the publicly available GeoLite2 database
 # In CI, timeout quickly rather than retrying to save build time
-ARG GEOLITE2_COUNTRY_SHA256=86fe00e0272865b8bec79defca2e9fb19ad0cf4458697992e1a37ba89077c13a
+ARG GEOLITE2_COUNTRY_SHA256=b79afc28a0a52f89c15e8d92b05c173f314dd4f687719f96cf921012d900fcce
 RUN mkdir -p /app/data/geoip && \
        if [ -n "$CI" ]; then \
            echo "⏱️  CI detected - quick download (10s timeout, no retries)"; \
@@ -425,7 +464,7 @@ COPY --from=caddy-builder /usr/bin/caddy /usr/bin/caddy
 # Allow non-root to bind privileged ports (80/443) securely
 RUN setcap 'cap_net_bind_service=+ep' /usr/bin/caddy

-# Copy CrowdSec binaries from the crowdsec-builder stage (built with Go 1.26.0+)
+# Copy CrowdSec binaries from the crowdsec-builder stage (built with Go 1.26.1+)
 # This ensures we don't have stdlib vulnerabilities from older Go versions
 COPY --from=crowdsec-builder /crowdsec-out/crowdsec /usr/local/bin/crowdsec
 COPY --from=crowdsec-builder /crowdsec-out/cscli /usr/local/bin/cscli
@@ -1,4 +1,4 @@
-.PHONY: help install test build run clean docker-build docker-run release go-check gopls-logs lint-fast lint-staticcheck-only
+.PHONY: help install test build run clean docker-build docker-run release go-check gopls-logs lint-fast lint-staticcheck-only security-local

 # Default target
 help:
@@ -22,6 +22,7 @@ help:
 	@echo ""
 	@echo "Security targets:"
 	@echo "  security-scan          - Quick security scan (govulncheck on Go deps)"
+	@echo "  security-local         - Run govulncheck + semgrep (p/golang) locally before push"
 	@echo "  security-scan-full     - Full container scan with Trivy"
 	@echo "  security-scan-deps     - Check for outdated Go dependencies"

@@ -145,6 +146,12 @@ security-scan:
 	@echo "Running security scan (govulncheck)..."
 	@./scripts/security-scan.sh

+security-local: ## Run govulncheck + semgrep (p/golang) before push — fast local gate
+	@echo "[1/2] Running govulncheck..."
+	@./scripts/security-scan.sh
+	@echo "[2/2] Running Semgrep (p/golang, ERROR+WARNING)..."
+	@SEMGREP_CONFIG=p/golang ./scripts/pre-commit-hooks/semgrep-scan.sh
+
 security-scan-full:
 	@echo "Building local Docker image for security scan..."
 	docker build --build-arg VCS_REF=$(shell git rev-parse HEAD) -t charon:local .
@@ -94,6 +94,19 @@ services:
      retries: 3
      start_period: 40s
 ```
+> **Docker Socket Access:** Charon runs as a non-root user. If you mount the Docker socket for container discovery, the container needs permission to read it. Find your socket's group ID and add it to the compose file:
+>
+> ```bash
+> stat -c '%g' /var/run/docker.sock
+> ```
+>
+> Then add `group_add: ["<gid>"]` under your service (replace `<gid>` with the number from the command above). For example, if the result is `998`:
+>
+> ```yaml
+>     group_add:
+>       - "998"
+> ```
+
 ### 2️⃣ Generate encryption key:
 ```bash
 openssl rand -base64 32
@@ -25,11 +25,10 @@ We take security seriously. If you discover a security vulnerability in Charon,
   - Impact assessment
   - Suggested fix (if applicable)

-**Alternative Method**: Email
+**Alternative Method**: GitHub Issues (Public)

- Send to: `security@charon.dev` (if configured)
- Use PGP encryption (key available below, if applicable)
- Include same information as GitHub advisory
+1. Go to <https://github.com/Wikid82/Charon/issues>
+2. Create a new issue with the same information as above

 ### What to Include

@@ -125,6 +124,7 @@ For complete technical details, see:

 ### Infrastructure Security

+- **Non-root by default**: Charon runs as an unprivileged user (`charon`, uid 1000) inside the container. Docker socket access is granted via a minimal supplemental group matching the host socket's GID—never by running as root. If the socket GID is `0` (root group), Charon requires explicit opt-in before granting access.
 - **Container isolation**: Docker-based deployment
 - **Minimal attack surface**: Alpine Linux base image
 - **Dependency scanning**: Regular Trivy and govulncheck scans
@@ -19,36 +19,76 @@ Example: `0.1.0-alpha`, `1.0.0-beta.1`, `2.0.0-rc.2`

 ## Creating a Release

-### Automated Release Process
+### Canonical Release Process (Tag-Derived CI)

-1. **Update version** in `.version` file:
+1. **Create and push a release tag**:

   ```bash
-   echo "1.0.0" > .version
+  git tag -a v1.0.0 -m "Release v1.0.0"
+  git push origin v1.0.0
   ```

-2. **Commit version bump**:
+2. **GitHub Actions automatically**:
+  - Runs release workflow from the pushed tag (`.github/workflows/release-goreleaser.yml`)
+  - Builds and publishes release artifacts/images through CI (`.github/workflows/docker-build.yml`)
+  - Creates/updates GitHub Release metadata
+
+3. **Container tags are published**:
+  - `v1.0.0` (exact version)
+  - `1.0` (minor version)
+  - `1` (major version)
+  - `latest` (for non-prerelease on main branch)
+
+### Legacy/Optional `.version` Path
+
+The `.version` file is optional and not the canonical release trigger.
+
+Use it only when you need local/version-file parity checks:
+
+1. **Set `.version` locally (optional)**:

   ```bash
-   git add .version
-   git commit -m "chore: bump version to 1.0.0"
+  echo "1.0.0" > .version
   ```

-3. **Create and push tag**:
+2. **Validate `.version` matches the latest tag**:

   ```bash
-   git tag -a v1.0.0 -m "Release v1.0.0"
-   git push origin v1.0.0
+  bash scripts/check-version-match-tag.sh
   ```

-4. **GitHub Actions automatically**:
-   - Creates GitHub Release with changelog
-   - Builds multi-arch Docker images (amd64, arm64)
-   - Publishes to GitHub Container Registry with tags:
-     - `v1.0.0` (exact version)
-     - `1.0` (minor version)
-     - `1` (major version)
-     - `latest` (for non-prerelease on main branch)
+### Deterministic Rollout Verification Gates (Mandatory)
+
+Release sign-off is blocked until all items below pass in the same validation
+run.
+
+Enforcement points:
+
+- Release sign-off checklist/process (mandatory): All gates below remain required for release sign-off.
+- CI-supported checks (current): `.github/workflows/docker-build.yml` and `.github/workflows/supply-chain-verify.yml` enforce the subset currently implemented in workflows.
+- Manual validation required until CI parity: Validate any not-yet-implemented workflow gates via VS Code tasks `Security: Full Supply Chain Audit`, `Security: Verify SBOM`, `Security: Generate SLSA Provenance`, and `Security: Sign with Cosign`.
+- Optional version-file parity check: `Utility: Check Version Match Tag` (script: `scripts/check-version-match-tag.sh`).
+
+- [ ] **Digest freshness/parity:** Capture pre-push and post-push index digests
+  for the target tag in GHCR and Docker Hub, confirm expected freshness,
+  and confirm cross-registry index digest parity.
+- [ ] **Per-arch parity:** Confirm per-platform (`linux/amd64`, `linux/arm64`,
+  and any published platform) digest parity between GHCR and Docker Hub.
+- [ ] **Immutable digest scanning:** Run SBOM and vulnerability scans against
+  immutable refs only, using `image@sha256:<index-digest>`.
+- [ ] **Artifact freshness:** Confirm scan artifacts are generated after the
+  push timestamp and in the same validation run.
+- [ ] **Evidence block present:** Include the mandatory evidence block fields
+  listed below.
+
+#### Mandatory Evidence Block Fields
+
+- Tag name
+- Index digest (`sha256:...`)
+- Per-arch digests (platform -> digest)
+- Scan tool versions
+- Push timestamp and scan timestamp(s)
+- Artifact file names generated in this run

 ## Container Image Tags

@@ -12,7 +12,7 @@ linters:
    - ineffassign  # Ineffectual assignments
    - unused       # Unused code detection
    - gosec        # Security checks (critical issues only)
-  linters-settings:
+  settings:
    govet:
      enable:
        - shadow
@@ -1,5 +1,5 @@
 # golangci-lint configuration
-version: 2
+version: "2"
 run:
  timeout: 5m
  tests: true
@@ -14,7 +14,7 @@ linters:
    - staticcheck
    - unused
    - errcheck
-  linters-settings:
+  settings:
    gocritic:
      enabled-tags:
        - diagnostic
@@ -260,7 +260,7 @@ func main() {
 	}

 	// Register import handler with config dependencies
-	routes.RegisterImportHandler(router, db, cfg.CaddyBinary, cfg.ImportDir, cfg.ImportCaddyfile)
+	routes.RegisterImportHandler(router, db, cfg, cfg.CaddyBinary, cfg.ImportDir, cfg.ImportCaddyfile)

 	// Check for mounted Caddyfile on startup
 	if err := handlers.CheckMountedImport(db, cfg.ImportCaddyfile, cfg.CaddyBinary, cfg.ImportDir); err != nil {
@@ -40,7 +40,7 @@ func TestResetPasswordCommand_Succeeds(t *testing.T) {
 	}

 	email := "user@example.com"
-	user := models.User{UUID: "u-1", Email: email, Name: "User", Role: "admin", Enabled: true}
+	user := models.User{UUID: "u-1", Email: email, Name: "User", Role: models.RoleAdmin, Enabled: true}
 	user.PasswordHash = "$2a$10$example_hashed_password"
 	if err = db.Create(&user).Error; err != nil {
 		t.Fatalf("seed user: %v", err)
@@ -257,7 +257,7 @@ func TestMain_ResetPasswordCommand_InProcess(t *testing.T) {
 	}

 	email := "user@example.com"
-	user := models.User{UUID: "u-1", Email: email, Name: "User", Role: "admin", Enabled: true}
+	user := models.User{UUID: "u-1", Email: email, Name: "User", Role: models.RoleAdmin, Enabled: true}
 	user.PasswordHash = "$2a$10$example_hashed_password"
 	user.FailedLoginAttempts = 3
 	if err = db.Create(&user).Error; err != nil {
@@ -311,7 +311,8 @@ func TestMain_DefaultStartupGracefulShutdown_Subprocess(t *testing.T) {
 	if err != nil {
 		t.Fatalf("find free http port: %v", err)
 	}
-	if err := os.MkdirAll(filepath.Dir(dbPath), 0o750); err != nil {
+	err = os.MkdirAll(filepath.Dir(dbPath), 0o750)
+	if err != nil {
 		t.Fatalf("mkdir db dir: %v", err)
 	}

@@ -64,11 +64,13 @@ func main() {
 	jsonOutPath := resolvePath(repoRoot, *jsonOutFlag)
 	mdOutPath := resolvePath(repoRoot, *mdOutFlag)

-	if err := assertFileExists(backendCoveragePath, "backend coverage file"); err != nil {
+	err = assertFileExists(backendCoveragePath, "backend coverage file")
+	if err != nil {
 		fmt.Fprintln(os.Stderr, err)
 		os.Exit(1)
 	}
-	if err := assertFileExists(frontendCoveragePath, "frontend coverage file"); err != nil {
+	err = assertFileExists(frontendCoveragePath, "frontend coverage file")
+	if err != nil {
 		fmt.Fprintln(os.Stderr, err)
 		os.Exit(1)
 	}
@@ -235,7 +235,8 @@ func TestGitDiffAndWriters(t *testing.T) {
 		t.Fatalf("expected empty diff for HEAD...HEAD, got: %q", diffContent)
 	}

-	if _, err := gitDiff(repoRoot, "bad-baseline"); err == nil {
+	_, err = gitDiff(repoRoot, "bad-baseline")
+	if err == nil {
 		t.Fatal("expected gitDiff failure for invalid baseline")
 	}

@@ -263,7 +264,8 @@ func TestGitDiffAndWriters(t *testing.T) {
 	}

 	jsonPath := filepath.Join(t.TempDir(), "report.json")
-	if err := writeJSON(jsonPath, report); err != nil {
+	err = writeJSON(jsonPath, report)
+	if err != nil {
 		t.Fatalf("writeJSON should succeed: %v", err)
 	}
 	// #nosec G304 -- Test reads artifact path created by this test.
@@ -276,7 +278,8 @@ func TestGitDiffAndWriters(t *testing.T) {
 	}

 	markdownPath := filepath.Join(t.TempDir(), "report.md")
-	if err := writeMarkdown(markdownPath, report, "backend/coverage.txt", "frontend/coverage/lcov.info"); err != nil {
+	err = writeMarkdown(markdownPath, report, "backend/coverage.txt", "frontend/coverage/lcov.info")
+	if err != nil {
 		t.Fatalf("writeMarkdown should succeed: %v", err)
 	}
 	// #nosec G304 -- Test reads artifact path created by this test.
@@ -72,7 +72,7 @@ func TestSeedMain_ForceAdminUpdatesExistingUserPassword(t *testing.T) {
 		UUID:         "existing-user",
 		Email:        "admin@localhost",
 		Name:         "Old Name",
-		Role:         "viewer",
+		Role:         models.RolePassthrough,
 		Enabled:      false,
 		PasswordHash: "$2a$10$example_hashed_password",
 	}
@@ -134,7 +134,7 @@ func TestSeedMain_ForceAdminWithoutPasswordUpdatesMetadata(t *testing.T) {
 		UUID:         "existing-user-no-pass",
 		Email:        "admin@localhost",
 		Name:         "Old Name",
-		Role:         "viewer",
+		Role:         models.RolePassthrough,
 		Enabled:      false,
 		PasswordHash: "$2a$10$example_hashed_password",
 	}
@@ -1,11 +1,11 @@
 module github.com/Wikid82/charon/backend

-go 1.26
+go 1.26.1

 require (
 	github.com/docker/docker v28.5.2+incompatible
 	github.com/gin-contrib/gzip v1.2.5
-	github.com/gin-gonic/gin v1.11.0
+	github.com/gin-gonic/gin v1.12.0
 	github.com/glebarez/sqlite v1.11.0
 	github.com/golang-jwt/jwt/v5 v5.3.1
 	github.com/google/uuid v1.6.0
@@ -17,9 +17,9 @@ require (
 	github.com/sirupsen/logrus v1.9.4
 	github.com/stretchr/testify v1.11.1
 	golang.org/x/crypto v0.48.0
-	golang.org/x/net v0.50.0
-	golang.org/x/text v0.34.0
-	golang.org/x/time v0.14.0
+	golang.org/x/net v0.51.0
+	golang.org/x/text v0.35.0
+	golang.org/x/time v0.15.0
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
 	gorm.io/driver/sqlite v1.6.0
 	gorm.io/gorm v1.31.1
@@ -29,8 +29,8 @@ require (
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bytedance/gopkg v0.1.3 // indirect
-	github.com/bytedance/sonic v1.14.1 // indirect
-	github.com/bytedance/sonic/loader v0.3.0 // indirect
+	github.com/bytedance/sonic v1.15.0 // indirect
+	github.com/bytedance/sonic/loader v0.5.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cloudwego/base64x v0.1.6 // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect
@@ -42,16 +42,16 @@ require (
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.12 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.13 // indirect
 	github.com/gin-contrib/sse v1.1.0 // indirect
-	github.com/glebarez/go-sqlite v1.21.2 // indirect
+	github.com/glebarez/go-sqlite v1.22.0 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-playground/validator/v10 v10.30.1 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
-	github.com/goccy/go-yaml v1.18.0 // indirect
+	github.com/goccy/go-yaml v1.19.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
@@ -66,6 +66,7 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/ncruces/go-strftime v1.0.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/oschwald/maxminddb-golang/v2 v2.1.1 // indirect
@@ -73,28 +74,29 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
-	github.com/prometheus/common v0.66.1 // indirect
-	github.com/prometheus/procfs v0.16.1 // indirect
+	github.com/prometheus/common v0.67.5 // indirect
+	github.com/prometheus/procfs v0.20.1 // indirect
 	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/quic-go/quic-go v0.59.0 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
-	github.com/ugorji/go/codec v1.3.0 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect
-	go.opentelemetry.io/otel v1.38.0 // indirect
+	github.com/ugorji/go/codec v1.3.1 // indirect
+	go.mongodb.org/mongo-driver/v2 v2.5.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0 // indirect
+	go.opentelemetry.io/otel v1.42.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 // indirect
-	go.opentelemetry.io/otel/metric v1.38.0 // indirect
-	go.opentelemetry.io/otel/trace v1.38.0 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
-	golang.org/x/arch v0.22.0 // indirect
-	golang.org/x/sys v0.41.0 // indirect
+	go.opentelemetry.io/otel/metric v1.42.0 // indirect
+	go.opentelemetry.io/otel/trace v1.42.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.4 // indirect
+	golang.org/x/arch v0.25.0 // indirect
+	golang.org/x/sys v0.42.0 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	gotest.tools/v3 v3.5.2 // indirect
-	modernc.org/libc v1.22.5 // indirect
-	modernc.org/mathutil v1.5.0 // indirect
-	modernc.org/memory v1.5.0 // indirect
-	modernc.org/sqlite v1.23.1 // indirect
+	modernc.org/libc v1.70.0 // indirect
+	modernc.org/mathutil v1.7.1 // indirect
+	modernc.org/memory v1.11.0 // indirect
+	modernc.org/sqlite v1.46.1 // indirect
 )
@@ -6,10 +6,10 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bytedance/gopkg v0.1.3 h1:TPBSwH8RsouGCBcMBktLt1AymVo2TVsBVCY4b6TnZ/M=
 github.com/bytedance/gopkg v0.1.3/go.mod h1:576VvJ+eJgyCzdjS+c4+77QF3p7ubbtiKARP3TxducM=
-github.com/bytedance/sonic v1.14.1 h1:FBMC0zVz5XUmE4z9wF4Jey0An5FueFvOsTKKKtwIl7w=
-github.com/bytedance/sonic v1.14.1/go.mod h1:gi6uhQLMbTdeP0muCnrjHLeCUPyb70ujhnNlhOylAFc=
-github.com/bytedance/sonic/loader v0.3.0 h1:dskwH8edlzNMctoruo8FPTJDF3vLtDT0sXZwvZJyqeA=
-github.com/bytedance/sonic/loader v0.3.0/go.mod h1:N8A3vUdtUebEY2/VQC0MyhYeKUFosQU6FxH2JmUe6VI=
+github.com/bytedance/sonic v1.15.0 h1:/PXeWFaR5ElNcVE84U0dOHjiMHQOwNIx3K4ymzh/uSE=
+github.com/bytedance/sonic v1.15.0/go.mod h1:tFkWrPz0/CUCLEF4ri4UkHekCIcdnkqXw9VduqpJh0k=
+github.com/bytedance/sonic/loader v0.5.0 h1:gXH3KVnatgY7loH5/TkeVyXPfESoqSBSBEiDd5VjlgE=
+github.com/bytedance/sonic/loader v0.5.0/go.mod h1:AR4NYCk5DdzZizZ5djGqQ92eEhCCcdf5x77udYiSJRo=
 github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
 github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
@@ -37,16 +37,16 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/gabriel-vasile/mimetype v1.4.12 h1:e9hWvmLYvtp846tLHam2o++qitpguFiYCKbn0w9jyqw=
-github.com/gabriel-vasile/mimetype v1.4.12/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
+github.com/gabriel-vasile/mimetype v1.4.13 h1:46nXokslUBsAJE/wMsp5gtO500a4F3Nkz9Ufpk2AcUM=
+github.com/gabriel-vasile/mimetype v1.4.13/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
 github.com/gin-contrib/gzip v1.2.5 h1:fIZs0S+l17pIu1P5XRJOo/YNqfIuPCrZZ3TWB7pjckI=
 github.com/gin-contrib/gzip v1.2.5/go.mod h1:aomRgR7ftdZV3uWY0gW/m8rChfxau0n8YVvwlOHONzw=
 github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
 github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
-github.com/gin-gonic/gin v1.11.0 h1:OW/6PLjyusp2PPXtyxKHU0RbX6I/l28FTdDlae5ueWk=
-github.com/gin-gonic/gin v1.11.0/go.mod h1:+iq/FyxlGzII0KHiBGjuNn4UNENUlKbGlNmc+W50Dls=
-github.com/glebarez/go-sqlite v1.21.2 h1:3a6LFC4sKahUunAmynQKLZceZCOzUthkRkEAl9gAXWo=
-github.com/glebarez/go-sqlite v1.21.2/go.mod h1:sfxdZyhQjTM2Wry3gVYWaW072Ri1WMdWJi0k6+3382k=
+github.com/gin-gonic/gin v1.12.0 h1:b3YAbrZtnf8N//yjKeU2+MQsh2mY5htkZidOM7O0wG8=
+github.com/gin-gonic/gin v1.12.0/go.mod h1:VxccKfsSllpKshkBWgVgRniFFAzFb9csfngsqANjnLc=
+github.com/glebarez/go-sqlite v1.22.0 h1:uAcMJhaA6r3LHMTFgP0SifzgXg46yJkgxqyuyec+ruQ=
+github.com/glebarez/go-sqlite v1.22.0/go.mod h1:PlBIdHe0+aUEFn+r2/uthrWq4FxbzugL0L8Li6yQJbc=
 github.com/glebarez/sqlite v1.11.0 h1:wSG0irqzP6VurnMEpFGer5Li19RpIRi2qvQz++w0GMw=
 github.com/glebarez/sqlite v1.11.0/go.mod h1:h8/o8j5wiAsqSPoWELDUdJXhjAhsVliSn7bWZjOhrgQ=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
@@ -64,21 +64,23 @@ github.com/go-playground/validator/v10 v10.30.1 h1:f3zDSN/zOma+w6+1Wswgd9fLkdwy0
 github.com/go-playground/validator/v10 v10.30.1/go.mod h1:oSuBIQzuJxL//3MelwSLD5hc2Tu889bF0Idm9Dg26cM=
 github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
 github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
-github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
-github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
+github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM=
+github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY=
 github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26 h1:Xim43kblpZXfIBQsbuBVKCudVG457BR2GZFIz3uw3hQ=
-github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26/go.mod h1:dDKJzRmX4S37WGHujM7tX//fmj1uioxKzKxz3lo4HJo=
+github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e h1:ijClszYn+mADRFY17kjQEVQ1XRhq2/JR1M3sGqeJoxs=
+github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 h1:8Tjv8EJ+pM1xP8mK6egEbD1OgnVTyacbefKhmbLhIhU=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2/go.mod h1:pkJQ2tZHJ0aFOVEEot6oZmaVEZcRme73eIFmhiVuRWs=
+github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
+github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
 github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
@@ -118,6 +120,8 @@ github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOFAw7w=
+github.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
@@ -136,21 +140,20 @@ github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h
 github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
 github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
 github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
-github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
-github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
-github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
-github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
+github.com/prometheus/common v0.67.5 h1:pIgK94WWlQt1WLwAC5j2ynLaBRDiinoAb86HZHTUGI4=
+github.com/prometheus/common v0.67.5/go.mod h1:SjE/0MzDEEAyrdr5Gqc6G+sXI67maCxzaT3A2+HqjUw=
+github.com/prometheus/procfs v0.20.1 h1:XwbrGOIplXW/AU3YhIhLODXMJYyC1isLFfYCsTEycfc=
+github.com/prometheus/procfs v0.20.1/go.mod h1:o9EMBZGRyvDrSPH1RqdxhojkuXstoe4UlK79eF5TGGo=
 github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8=
 github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII=
 github.com/quic-go/quic-go v0.59.0 h1:OLJkp1Mlm/aS7dpKgTc6cnpynnD2Xg7C1pwL6vy/SAw=
 github.com/quic-go/quic-go v0.59.0/go.mod h1:upnsH4Ju1YkqpLXC305eW3yDZ4NfnNbmQRCMWS58IKU=
-github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w=
 github.com/sirupsen/logrus v1.9.4/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -161,52 +164,61 @@ github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
-github.com/ugorji/go/codec v1.3.0 h1:Qd2W2sQawAfG8XSvzwhBeoGq71zXOC/Q1E9y/wUcsUA=
-github.com/ugorji/go/codec v1.3.0/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 h1:RbKq8BG0FI8OiXhBfcRtqqHcZcka+gU3cskNuf05R18=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0/go.mod h1:h06DGIukJOevXaj/xrNjhi/2098RZzcLTbc0jDAUbsg=
-go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
-go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM=
+github.com/ugorji/go/codec v1.3.1 h1:waO7eEiFDwidsBN6agj1vJQ4AG7lh2yqXyOXqhgQuyY=
+github.com/ugorji/go/codec v1.3.1/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
+go.mongodb.org/mongo-driver/v2 v2.5.0 h1:yXUhImUjjAInNcpTcAlPHiT7bIXhshCTL3jVBkF3xaE=
+go.mongodb.org/mongo-driver/v2 v2.5.0/go.mod h1:yOI9kBsufol30iFsl1slpdq1I0eHPzybRWdyYUs8K/0=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0 h1:OyrsyzuttWTSur2qN/Lm0m2a8yqyIjUVBZcxFPuXq2o=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0/go.mod h1:C2NGBr+kAB4bk3xtMXfZ94gqFDtg/GkI7e9zqGh5Beg=
+go.opentelemetry.io/otel v1.42.0 h1:lSQGzTgVR3+sgJDAU/7/ZMjN9Z+vUip7leaqBKy4sho=
+go.opentelemetry.io/otel v1.42.0/go.mod h1:lJNsdRMxCUIWuMlVJWzecSMuNjE7dOYyWlqOXWkdqCc=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 h1:GqRJVj7UmLjCVyVJ3ZFLdPRmhDUp2zFmQe3RHIOsw24=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0/go.mod h1:ri3aaHSmCTVYu2AWv44YMauwAQc0aqI9gHKIcSbI1pU=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 h1:aTL7F04bJHUlztTsNGJ2l+6he8c+y/b//eR0jjjemT4=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0/go.mod h1:kldtb7jDTeol0l3ewcmd8SDvx3EmIE7lyvqbasU3QC4=
-go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA=
-go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI=
-go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
-go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
-go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM=
-go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
-go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
-go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
+go.opentelemetry.io/otel/metric v1.42.0 h1:2jXG+3oZLNXEPfNmnpxKDeZsFI5o4J+nz6xUlaFdF/4=
+go.opentelemetry.io/otel/metric v1.42.0/go.mod h1:RlUN/7vTU7Ao/diDkEpQpnz3/92J9ko05BIwxYa2SSI=
+go.opentelemetry.io/otel/sdk v1.42.0 h1:LyC8+jqk6UJwdrI/8VydAq/hvkFKNHZVIWuslJXYsDo=
+go.opentelemetry.io/otel/sdk v1.42.0/go.mod h1:rGHCAxd9DAph0joO4W6OPwxjNTYWghRWmkHuGbayMts=
+go.opentelemetry.io/otel/sdk/metric v1.42.0 h1:D/1QR46Clz6ajyZ3G8SgNlTJKBdGp84q9RKCAZ3YGuA=
+go.opentelemetry.io/otel/sdk/metric v1.42.0/go.mod h1:Ua6AAlDKdZ7tdvaQKfSmnFTdHx37+J4ba8MwVCYM5hc=
+go.opentelemetry.io/otel/trace v1.42.0 h1:OUCgIPt+mzOnaUTpOQcBiM/PLQ/Op7oq6g4LenLmOYY=
+go.opentelemetry.io/otel/trace v1.42.0/go.mod h1:f3K9S+IFqnumBkKhRJMeaZeNk9epyhnCmQh/EysQCdc=
 go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4=
 go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
 go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
-golang.org/x/arch v0.22.0 h1:c/Zle32i5ttqRXjdLyyHZESLD/bB90DCU1g9l/0YBDI=
-golang.org/x/arch v0.22.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
+go.yaml.in/yaml/v2 v2.4.4 h1:tuyd0P+2Ont/d6e2rl3be67goVK4R6deVxCUX5vyPaQ=
+go.yaml.in/yaml/v2 v2.4.4/go.mod h1:gMZqIpDtDqOfM0uNfy0SkpRhvUryYH0Z6wdMYcacYXQ=
+golang.org/x/arch v0.25.0 h1:qnk6Ksugpi5Bz32947rkUgDt9/s5qvqDPl/gBKdMJLE=
+golang.org/x/arch v0.25.0/go.mod h1:0X+GdSIP+kL5wPmpK7sdkEVTt2XoYP0cSjQSbZBwOi8=
 golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
 golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
-golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
-golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
+golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
+golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
+golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
+golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
-golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
-golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
-golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
-golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
+golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
+golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=
+golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno=
+golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
+golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
 google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 h1:BIRfGDEjiHRrk0QKZe3Xv2ieMhtgRGeLcZQ0mIVn4EY=
 google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5/go.mod h1:j3QtIyytwqGr1JUDtYXwtMXWPKsEa5LtzIFN1Wn5WvE=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 h1:eaY8u2EuxbRv7c3NiGK0/NedzVsCcV6hDuU5qPX5EGE=
@@ -229,11 +241,31 @@ gorm.io/gorm v1.31.1 h1:7CA8FTFz/gRfgqgpeKIBcervUn3xSyPUmr6B2WXJ7kg=
 gorm.io/gorm v1.31.1/go.mod h1:XyQVbO2k6YkOis7C2437jSit3SsDK72s7n7rsSHd+Gs=
 gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
 gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
-modernc.org/libc v1.22.5 h1:91BNch/e5B0uPbJFgqbxXuOnxBQjlS//icfQEGmvyjE=
-modernc.org/libc v1.22.5/go.mod h1:jj+Z7dTNX8fBScMVNRAYZ/jF91K8fdT2hYMThc3YjBY=
-modernc.org/mathutil v1.5.0 h1:rV0Ko/6SfM+8G+yKiyI830l3Wuz1zRutdslNoQ0kfiQ=
-modernc.org/mathutil v1.5.0/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E=
-modernc.org/memory v1.5.0 h1:N+/8c5rE6EqugZwHii4IFsaJ7MUhoWX07J5tC/iI5Ds=
-modernc.org/memory v1.5.0/go.mod h1:PkUhL0Mugw21sHPeskwZW4D6VscE/GQJOnIpCnW6pSU=
-modernc.org/sqlite v1.23.1 h1:nrSBg4aRQQwq59JpvGEQ15tNxoO5pX/kUjcRNwSAGQM=
-modernc.org/sqlite v1.23.1/go.mod h1:OrDj17Mggn6MhE+iPbBNf7RGKODDE9NFT0f3EwDzJqk=
+modernc.org/cc/v4 v4.27.1 h1:9W30zRlYrefrDV2JE2O8VDtJ1yPGownxciz5rrbQZis=
+modernc.org/cc/v4 v4.27.1/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
+modernc.org/ccgo/v4 v4.32.0 h1:hjG66bI/kqIPX1b2yT6fr/jt+QedtP2fqojG2VrFuVw=
+modernc.org/ccgo/v4 v4.32.0/go.mod h1:6F08EBCx5uQc38kMGl+0Nm0oWczoo1c7cgpzEry7Uc0=
+modernc.org/fileutil v1.4.0 h1:j6ZzNTftVS054gi281TyLjHPp6CPHr2KCxEXjEbD6SM=
+modernc.org/fileutil v1.4.0/go.mod h1:EqdKFDxiByqxLk8ozOxObDSfcVOv/54xDs/DUHdvCUU=
+modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
+modernc.org/gc/v2 v2.6.5/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito=
+modernc.org/gc/v3 v3.1.2 h1:ZtDCnhonXSZexk/AYsegNRV1lJGgaNZJuKjJSWKyEqo=
+modernc.org/gc/v3 v3.1.2/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
+modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
+modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
+modernc.org/libc v1.70.0 h1:U58NawXqXbgpZ/dcdS9kMshu08aiA6b7gusEusqzNkw=
+modernc.org/libc v1.70.0/go.mod h1:OVmxFGP1CI/Z4L3E0Q3Mf1PDE0BucwMkcXjjLntvHJo=
+modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
+modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
+modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
+modernc.org/memory v1.11.0/go.mod h1:/JP4VbVC+K5sU2wZi9bHoq2MAkCnrt2r98UGeSK7Mjw=
+modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
+modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
+modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
+modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
+modernc.org/sqlite v1.46.1 h1:eFJ2ShBLIEnUWlLy12raN0Z1plqmFX9Qe3rjQTKt6sU=
+modernc.org/sqlite v1.46.1/go.mod h1:CzbrU2lSB1DKUusvwGz7rqEKIq+NUd8GWuBBZDs9/nA=
+modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
+modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
+modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
+modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
@@ -0,0 +1,124 @@
+//go:build integration
+// +build integration
+
+package integration
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"sync/atomic"
+	"testing"
+
+	"github.com/Wikid82/charon/backend/internal/notifications"
+)
+
+func TestNotificationHTTPWrapperIntegration_RetriesOn429AndSucceeds(t *testing.T) {
+	t.Parallel()
+
+	var calls int32
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		current := atomic.AddInt32(&calls, 1)
+		if current == 1 {
+			w.WriteHeader(http.StatusTooManyRequests)
+			return
+		}
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write([]byte(`{"ok":true}`))
+	}))
+	defer server.Close()
+
+	wrapper := notifications.NewNotifyHTTPWrapper()
+	result, err := wrapper.Send(context.Background(), notifications.HTTPWrapperRequest{
+		URL:  server.URL,
+		Body: []byte(`{"message":"hello"}`),
+	})
+	if err != nil {
+		t.Fatalf("expected retry success, got error: %v", err)
+	}
+	if result.Attempts != 2 {
+		t.Fatalf("expected 2 attempts, got %d", result.Attempts)
+	}
+}
+
+func TestNotificationHTTPWrapperIntegration_DoesNotRetryOn400(t *testing.T) {
+	t.Parallel()
+
+	var calls int32
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		atomic.AddInt32(&calls, 1)
+		w.WriteHeader(http.StatusBadRequest)
+	}))
+	defer server.Close()
+
+	wrapper := notifications.NewNotifyHTTPWrapper()
+	_, err := wrapper.Send(context.Background(), notifications.HTTPWrapperRequest{
+		URL:  server.URL,
+		Body: []byte(`{"message":"hello"}`),
+	})
+	if err == nil {
+		t.Fatalf("expected non-retryable 400 error")
+	}
+	if atomic.LoadInt32(&calls) != 1 {
+		t.Fatalf("expected one request attempt, got %d", calls)
+	}
+}
+
+func TestNotificationHTTPWrapperIntegration_RejectsTokenizedQueryWithoutEcho(t *testing.T) {
+	t.Parallel()
+
+	wrapper := notifications.NewNotifyHTTPWrapper()
+	secret := "pr1-secret-token-value"
+	_, err := wrapper.Send(context.Background(), notifications.HTTPWrapperRequest{
+		URL:  "http://example.com/hook?token=" + secret,
+		Body: []byte(`{"message":"hello"}`),
+	})
+	if err == nil {
+		t.Fatalf("expected tokenized query rejection")
+	}
+	if !strings.Contains(err.Error(), "query authentication is not allowed") {
+		t.Fatalf("expected sanitized query-auth rejection, got: %v", err)
+	}
+	if strings.Contains(err.Error(), secret) {
+		t.Fatalf("error must not echo secret token")
+	}
+}
+
+func TestNotificationHTTPWrapperIntegration_HeaderAllowlistSafety(t *testing.T) {
+	t.Parallel()
+
+	var seenAuthHeader string
+	var seenCookieHeader string
+	var seenGotifyKey string
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		seenAuthHeader = r.Header.Get("Authorization")
+		seenCookieHeader = r.Header.Get("Cookie")
+		seenGotifyKey = r.Header.Get("X-Gotify-Key")
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer server.Close()
+
+	wrapper := notifications.NewNotifyHTTPWrapper()
+	_, err := wrapper.Send(context.Background(), notifications.HTTPWrapperRequest{
+		URL: server.URL,
+		Headers: map[string]string{
+			"Authorization": "Bearer should-not-leak",
+			"Cookie":        "session=should-not-leak",
+			"X-Gotify-Key":  "allowed-token",
+		},
+		Body: []byte(`{"message":"hello"}`),
+	})
+	if err != nil {
+		t.Fatalf("expected success, got error: %v", err)
+	}
+	if seenAuthHeader != "" {
+		t.Fatalf("authorization header must be stripped")
+	}
+	if seenCookieHeader != "" {
+		t.Fatalf("cookie header must be stripped")
+	}
+	if seenGotifyKey != "allowed-token" {
+		t.Fatalf("expected X-Gotify-Key to pass through")
+	}
+}
@@ -170,6 +170,7 @@ func TestSecurityHandler_UpdateConfig_ApplyCaddyError(t *testing.T) {

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
+	setAdminContext(c)
 	c.Request = httptest.NewRequest("PUT", "/security/config", bytes.NewBuffer(body))
 	c.Request.Header.Set("Content-Type", "application/json")

@@ -190,6 +191,7 @@ func TestSecurityHandler_GenerateBreakGlass_Error(t *testing.T) {

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
+	setAdminContext(c)
 	c.Request = httptest.NewRequest("POST", "/security/breakglass", http.NoBody)

 	h.GenerateBreakGlass(c)
@@ -252,6 +254,7 @@ func TestSecurityHandler_UpsertRuleSet_Error(t *testing.T) {

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
+	setAdminContext(c)
 	c.Request = httptest.NewRequest("POST", "/security/rulesets", bytes.NewBuffer(body))
 	c.Request.Header.Set("Content-Type", "application/json")

@@ -277,6 +280,7 @@ func TestSecurityHandler_CreateDecision_LogError(t *testing.T) {

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
+	setAdminContext(c)
 	c.Request = httptest.NewRequest("POST", "/security/decisions", bytes.NewBuffer(body))
 	c.Request.Header.Set("Content-Type", "application/json")

@@ -297,6 +301,7 @@ func TestSecurityHandler_DeleteRuleSet_Error(t *testing.T) {

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
+	setAdminContext(c)
 	c.Params = gin.Params{{Key: "id", Value: "999"}}

 	h.DeleteRuleSet(c)
@@ -63,7 +63,10 @@ func (h *AuditLogHandler) List(c *gin.Context) {
 	}

 	// Calculate pagination metadata
-	totalPages := (int(total) + limit - 1) / limit
+	var totalPages int
+	if limit > 0 {
+		totalPages = (int(total) + limit - 1) / limit
+	}

 	c.JSON(http.StatusOK, gin.H{
 		"audit_logs": audits,
@@ -127,7 +130,10 @@ func (h *AuditLogHandler) ListByProvider(c *gin.Context) {
 	}

 	// Calculate pagination metadata
-	totalPages := (int(total) + limit - 1) / limit
+	var totalPages int
+	if limit > 0 {
+		totalPages = (int(total) + limit - 1) / limit
+	}

 	c.JSON(http.StatusOK, gin.H{
 		"audit_logs": audits,
@@ -77,12 +77,12 @@ func originHost(rawURL string) string {
 	return normalizeHost(parsedURL.Host)
 }

-func isLocalHost(host string) bool {
+func isLocalOrPrivateHost(host string) bool {
 	if strings.EqualFold(host, "localhost") {
 		return true
 	}

-	if ip := net.ParseIP(host); ip != nil && ip.IsLoopback() {
+	if ip := net.ParseIP(host); ip != nil && (ip.IsLoopback() || ip.IsPrivate()) {
 		return true
 	}

@@ -117,7 +117,7 @@ func isLocalRequest(c *gin.Context) bool {
 			continue
 		}

-		if isLocalHost(host) {
+		if isLocalOrPrivateHost(host) {
 			return true
 		}
 	}
@@ -127,18 +127,21 @@ func isLocalRequest(c *gin.Context) bool {

 // setSecureCookie sets an auth cookie with security best practices
 // - HttpOnly: prevents JavaScript access (XSS protection)
-// - Secure: derived from request scheme to allow HTTP/IP logins when needed
-// - SameSite: Strict for HTTPS, Lax for HTTP/IP to allow forward-auth redirects
+// - Secure: true for HTTPS; false for local/private network HTTP requests
+// - SameSite: Lax for any local/private-network request (regardless of scheme),
+//   Strict otherwise (public HTTPS only)
 func setSecureCookie(c *gin.Context, name, value string, maxAge int) {
 	scheme := requestScheme(c)
-	secure := scheme == "https"
+	secure := true
 	sameSite := http.SameSiteStrictMode
 	if scheme != "https" {
 		sameSite = http.SameSiteLaxMode
+		if isLocalRequest(c) {
+			secure = false
+		}
 	}

 	if isLocalRequest(c) {
-		secure = false
 		sameSite = http.SameSiteLaxMode
 	}

@@ -146,13 +149,14 @@ func setSecureCookie(c *gin.Context, name, value string, maxAge int) {
 	domain := ""

 	c.SetSameSite(sameSite)
-	c.SetCookie(
+	// secure is intentionally false for local/private network HTTP requests; always true for external or HTTPS requests.
+	c.SetCookie( // codeql[go/cookie-secure-not-set]
 		name,   // name
 		value,  // value
 		maxAge, // maxAge in seconds
 		"/",    // path
 		domain, // domain (empty = current host)
-		secure, // secure (HTTPS only in production)
+		secure, // secure
 		true,   // httpOnly (no JS access)
 	)
 }
@@ -379,7 +383,7 @@ func (h *AuthHandler) Verify(c *gin.Context) {

 	// Set headers for downstream services
 	c.Header("X-Forwarded-User", user.Email)
-	c.Header("X-Forwarded-Groups", user.Role)
+	c.Header("X-Forwarded-Groups", string(user.Role))
 	c.Header("X-Forwarded-Name", user.Name)

 	// Return 200 OK - access granted
@@ -94,10 +94,28 @@ func TestSetSecureCookie_HTTP_Lax(t *testing.T) {
 	cookies := recorder.Result().Cookies()
 	require.Len(t, cookies, 1)
 	c := cookies[0]
-	assert.False(t, c.Secure)
+	assert.True(t, c.Secure)
 	assert.Equal(t, http.SameSiteLaxMode, c.SameSite)
 }

+func TestSetSecureCookie_HTTP_Loopback_Insecure(t *testing.T) {
+	t.Parallel()
+	gin.SetMode(gin.TestMode)
+	recorder := httptest.NewRecorder()
+	ctx, _ := gin.CreateTestContext(recorder)
+	req := httptest.NewRequest("POST", "http://127.0.0.1:8080/login", http.NoBody)
+	req.Host = "127.0.0.1:8080"
+	req.Header.Set("X-Forwarded-Proto", "http")
+	ctx.Request = req
+
+	setSecureCookie(ctx, "auth_token", "abc", 60)
+	cookies := recorder.Result().Cookies()
+	require.Len(t, cookies, 1)
+	cookie := cookies[0]
+	assert.False(t, cookie.Secure)
+	assert.Equal(t, http.SameSiteLaxMode, cookie.SameSite)
+}
+
 func TestSetSecureCookie_ForwardedHTTPS_LocalhostForcesInsecure(t *testing.T) {
 	t.Parallel()
 	gin.SetMode(gin.TestMode)
@@ -115,7 +133,7 @@ func TestSetSecureCookie_ForwardedHTTPS_LocalhostForcesInsecure(t *testing.T) {
 	cookies := recorder.Result().Cookies()
 	require.Len(t, cookies, 1)
 	cookie := cookies[0]
-	assert.False(t, cookie.Secure)
+	assert.True(t, cookie.Secure)
 	assert.Equal(t, http.SameSiteLaxMode, cookie.SameSite)
 }

@@ -136,7 +154,7 @@ func TestSetSecureCookie_ForwardedHTTPS_LoopbackForcesInsecure(t *testing.T) {
 	cookies := recorder.Result().Cookies()
 	require.Len(t, cookies, 1)
 	cookie := cookies[0]
-	assert.False(t, cookie.Secure)
+	assert.True(t, cookie.Secure)
 	assert.Equal(t, http.SameSiteLaxMode, cookie.SameSite)
 }

@@ -158,7 +176,7 @@ func TestSetSecureCookie_ForwardedHostLocalhostForcesInsecure(t *testing.T) {
 	cookies := recorder.Result().Cookies()
 	require.Len(t, cookies, 1)
 	cookie := cookies[0]
-	assert.False(t, cookie.Secure)
+	assert.True(t, cookie.Secure)
 	assert.Equal(t, http.SameSiteLaxMode, cookie.SameSite)
 }

@@ -176,6 +194,24 @@ func TestSetSecureCookie_OriginLoopbackForcesInsecure(t *testing.T) {
 	req.Header.Set("Origin", "http://127.0.0.1:8080")
 	ctx.Request = req

+	setSecureCookie(ctx, "auth_token", "abc", 60)
+	cookies := recorder.Result().Cookies()
+	require.Len(t, cookies, 1)
+	cookie := cookies[0]
+	assert.True(t, cookie.Secure)
+	assert.Equal(t, http.SameSiteLaxMode, cookie.SameSite)
+}
+
+func TestSetSecureCookie_HTTP_PrivateIP_Insecure(t *testing.T) {
+	t.Parallel()
+	gin.SetMode(gin.TestMode)
+	recorder := httptest.NewRecorder()
+	ctx, _ := gin.CreateTestContext(recorder)
+	req := httptest.NewRequest("POST", "http://192.168.1.50:8080/login", http.NoBody)
+	req.Host = "192.168.1.50:8080"
+	req.Header.Set("X-Forwarded-Proto", "http")
+	ctx.Request = req
+
 	setSecureCookie(ctx, "auth_token", "abc", 60)
 	cookies := recorder.Result().Cookies()
 	require.Len(t, cookies, 1)
@@ -184,6 +220,96 @@ func TestSetSecureCookie_OriginLoopbackForcesInsecure(t *testing.T) {
 	assert.Equal(t, http.SameSiteLaxMode, cookie.SameSite)
 }

+func TestSetSecureCookie_HTTP_10Network_Insecure(t *testing.T) {
+	t.Parallel()
+	gin.SetMode(gin.TestMode)
+	recorder := httptest.NewRecorder()
+	ctx, _ := gin.CreateTestContext(recorder)
+	req := httptest.NewRequest("POST", "http://10.0.0.5:8080/login", http.NoBody)
+	req.Host = "10.0.0.5:8080"
+	req.Header.Set("X-Forwarded-Proto", "http")
+	ctx.Request = req
+
+	setSecureCookie(ctx, "auth_token", "abc", 60)
+	cookies := recorder.Result().Cookies()
+	require.Len(t, cookies, 1)
+	cookie := cookies[0]
+	assert.False(t, cookie.Secure)
+	assert.Equal(t, http.SameSiteLaxMode, cookie.SameSite)
+}
+
+func TestSetSecureCookie_HTTP_172Network_Insecure(t *testing.T) {
+	t.Parallel()
+	gin.SetMode(gin.TestMode)
+	recorder := httptest.NewRecorder()
+	ctx, _ := gin.CreateTestContext(recorder)
+	req := httptest.NewRequest("POST", "http://172.16.0.1:8080/login", http.NoBody)
+	req.Host = "172.16.0.1:8080"
+	req.Header.Set("X-Forwarded-Proto", "http")
+	ctx.Request = req
+
+	setSecureCookie(ctx, "auth_token", "abc", 60)
+	cookies := recorder.Result().Cookies()
+	require.Len(t, cookies, 1)
+	cookie := cookies[0]
+	assert.False(t, cookie.Secure)
+	assert.Equal(t, http.SameSiteLaxMode, cookie.SameSite)
+}
+
+func TestSetSecureCookie_HTTPS_PrivateIP_Secure(t *testing.T) {
+	t.Parallel()
+	gin.SetMode(gin.TestMode)
+	recorder := httptest.NewRecorder()
+	ctx, _ := gin.CreateTestContext(recorder)
+	req := httptest.NewRequest("POST", "https://192.168.1.50:8080/login", http.NoBody)
+	req.Host = "192.168.1.50:8080"
+	req.Header.Set("X-Forwarded-Proto", "https")
+	ctx.Request = req
+
+	setSecureCookie(ctx, "auth_token", "abc", 60)
+	cookies := recorder.Result().Cookies()
+	require.Len(t, cookies, 1)
+	cookie := cookies[0]
+	assert.True(t, cookie.Secure)
+	assert.Equal(t, http.SameSiteLaxMode, cookie.SameSite)
+}
+
+func TestSetSecureCookie_HTTP_IPv6ULA_Insecure(t *testing.T) {
+	t.Parallel()
+	gin.SetMode(gin.TestMode)
+	recorder := httptest.NewRecorder()
+	ctx, _ := gin.CreateTestContext(recorder)
+	req := httptest.NewRequest("POST", "http://[fd12::1]:8080/login", http.NoBody)
+	req.Host = "[fd12::1]:8080"
+	req.Header.Set("X-Forwarded-Proto", "http")
+	ctx.Request = req
+
+	setSecureCookie(ctx, "auth_token", "abc", 60)
+	cookies := recorder.Result().Cookies()
+	require.Len(t, cookies, 1)
+	cookie := cookies[0]
+	assert.False(t, cookie.Secure)
+	assert.Equal(t, http.SameSiteLaxMode, cookie.SameSite)
+}
+
+func TestSetSecureCookie_HTTP_PublicIP_Secure(t *testing.T) {
+	t.Parallel()
+	gin.SetMode(gin.TestMode)
+	recorder := httptest.NewRecorder()
+	ctx, _ := gin.CreateTestContext(recorder)
+	req := httptest.NewRequest("POST", "http://203.0.113.5:8080/login", http.NoBody)
+	req.Host = "203.0.113.5:8080"
+	req.Header.Set("X-Forwarded-Proto", "http")
+	ctx.Request = req
+
+	setSecureCookie(ctx, "auth_token", "abc", 60)
+	cookies := recorder.Result().Cookies()
+	require.Len(t, cookies, 1)
+	cookie := cookies[0]
+	assert.True(t, cookie.Secure)
+	assert.Equal(t, http.SameSiteLaxMode, cookie.SameSite)
+}
+
 func TestIsProduction(t *testing.T) {
 	t.Setenv("CHARON_ENV", "production")
 	assert.True(t, isProduction())
@@ -253,11 +379,16 @@ func TestHostHelpers(t *testing.T) {
 		assert.Equal(t, "localhost", originHost("http://localhost:8080/path"))
 	})

-	t.Run("isLocalHost", func(t *testing.T) {
-		assert.True(t, isLocalHost("localhost"))
-		assert.True(t, isLocalHost("127.0.0.1"))
-		assert.True(t, isLocalHost("::1"))
-		assert.False(t, isLocalHost("example.com"))
+	t.Run("isLocalOrPrivateHost", func(t *testing.T) {
+		assert.True(t, isLocalOrPrivateHost("localhost"))
+		assert.True(t, isLocalOrPrivateHost("127.0.0.1"))
+		assert.True(t, isLocalOrPrivateHost("::1"))
+		assert.True(t, isLocalOrPrivateHost("192.168.1.50"))
+		assert.True(t, isLocalOrPrivateHost("10.0.0.1"))
+		assert.True(t, isLocalOrPrivateHost("172.16.0.1"))
+		assert.True(t, isLocalOrPrivateHost("fd12::1"))
+		assert.False(t, isLocalOrPrivateHost("203.0.113.5"))
+		assert.False(t, isLocalOrPrivateHost("example.com"))
 	})
 }

@@ -412,7 +543,7 @@ func TestAuthHandler_Me(t *testing.T) {
 		UUID:  uuid.NewString(),
 		Email: "me@example.com",
 		Name:  "Me User",
-		Role:  "admin",
+		Role:  models.RoleAdmin,
 	}
 	db.Create(user)

@@ -612,7 +743,7 @@ func TestAuthHandler_Verify_ValidToken(t *testing.T) {
 		UUID:    uuid.NewString(),
 		Email:   "test@example.com",
 		Name:    "Test User",
-		Role:    "user",
+		Role:    models.RoleUser,
 		Enabled: true,
 	}
 	_ = user.SetPassword("password123")
@@ -643,7 +774,7 @@ func TestAuthHandler_Verify_BearerToken(t *testing.T) {
 		UUID:    uuid.NewString(),
 		Email:   "bearer@example.com",
 		Name:    "Bearer User",
-		Role:    "admin",
+		Role:    models.RoleAdmin,
 		Enabled: true,
 	}
 	_ = user.SetPassword("password123")
@@ -672,7 +803,7 @@ func TestAuthHandler_Verify_DisabledUser(t *testing.T) {
 		UUID:  uuid.NewString(),
 		Email: "disabled@example.com",
 		Name:  "Disabled User",
-		Role:  "user",
+		Role:  models.RoleUser,
 	}
 	_ = user.SetPassword("password123")
 	db.Create(user)
@@ -712,7 +843,7 @@ func TestAuthHandler_Verify_ForwardAuthDenied(t *testing.T) {
 		UUID:           uuid.NewString(),
 		Email:          "denied@example.com",
 		Name:           "Denied User",
-		Role:           "user",
+		Role:           models.RoleUser,
 		Enabled:        true,
 		PermissionMode: models.PermissionModeDenyAll,
 	}
@@ -777,7 +908,7 @@ func TestAuthHandler_VerifyStatus_Authenticated(t *testing.T) {
 		UUID:    uuid.NewString(),
 		Email:   "status@example.com",
 		Name:    "Status User",
-		Role:    "user",
+		Role:    models.RoleUser,
 		Enabled: true,
 	}
 	_ = user.SetPassword("password123")
@@ -810,7 +941,7 @@ func TestAuthHandler_VerifyStatus_DisabledUser(t *testing.T) {
 		UUID:  uuid.NewString(),
 		Email: "disabled2@example.com",
 		Name:  "Disabled User 2",
-		Role:  "user",
+		Role:  models.RoleUser,
 	}
 	_ = user.SetPassword("password123")
 	db.Create(user)
@@ -862,7 +993,7 @@ func TestAuthHandler_GetAccessibleHosts_AllowAll(t *testing.T) {
 		UUID:           uuid.NewString(),
 		Email:          "allowall@example.com",
 		Name:           "Allow All User",
-		Role:           "user",
+		Role:           models.RoleUser,
 		Enabled:        true,
 		PermissionMode: models.PermissionModeAllowAll,
 	}
@@ -899,7 +1030,7 @@ func TestAuthHandler_GetAccessibleHosts_DenyAll(t *testing.T) {
 		UUID:           uuid.NewString(),
 		Email:          "denyall@example.com",
 		Name:           "Deny All User",
-		Role:           "user",
+		Role:           models.RoleUser,
 		Enabled:        true,
 		PermissionMode: models.PermissionModeDenyAll,
 	}
@@ -938,7 +1069,7 @@ func TestAuthHandler_GetAccessibleHosts_PermittedHosts(t *testing.T) {
 		UUID:           uuid.NewString(),
 		Email:          "permitted@example.com",
 		Name:           "Permitted User",
-		Role:           "user",
+		Role:           models.RoleUser,
 		Enabled:        true,
 		PermissionMode: models.PermissionModeDenyAll,
 		PermittedHosts: []models.ProxyHost{*host1}, // Only host1
@@ -1093,7 +1224,7 @@ func TestAuthHandler_Logout_InvalidatesBearerSession(t *testing.T) {
 		UUID:    uuid.NewString(),
 		Email:   "logout-session@example.com",
 		Name:    "Logout Session",
-		Role:    "admin",
+		Role:    models.RoleAdmin,
 		Enabled: true,
 	}
 	_ = user.SetPassword("password123")
@@ -1204,10 +1335,10 @@ func TestAuthHandler_HelperFunctions(t *testing.T) {
 		assert.Equal(t, "example.com", originHost("https://example.com/path"))
 	})

-	t.Run("isLocalHost and isLocalRequest", func(t *testing.T) {
-		assert.True(t, isLocalHost("localhost"))
-		assert.True(t, isLocalHost("127.0.0.1"))
-		assert.False(t, isLocalHost("example.com"))
+	t.Run("isLocalOrPrivateHost and isLocalRequest", func(t *testing.T) {
+		assert.True(t, isLocalOrPrivateHost("localhost"))
+		assert.True(t, isLocalOrPrivateHost("127.0.0.1"))
+		assert.False(t, isLocalOrPrivateHost("example.com"))

 		recorder := httptest.NewRecorder()
 		ctx, _ := gin.CreateTestContext(recorder)
@@ -1224,7 +1355,7 @@ func TestAuthHandler_Refresh(t *testing.T) {

 	handler, db := setupAuthHandler(t)

-	user := &models.User{UUID: uuid.NewString(), Email: "refresh@example.com", Name: "Refresh User", Role: "user", Enabled: true}
+	user := &models.User{UUID: uuid.NewString(), Email: "refresh@example.com", Name: "Refresh User", Role: models.RoleUser, Enabled: true}
 	require.NoError(t, user.SetPassword("password123"))
 	require.NoError(t, db.Create(user).Error)

@@ -1314,7 +1445,7 @@ func TestAuthHandler_Verify_UsesOriginalHostFallback(t *testing.T) {
 		UUID:           uuid.NewString(),
 		Email:          "originalhost@example.com",
 		Name:           "Original Host User",
-		Role:           "user",
+		Role:           models.RoleUser,
 		Enabled:        true,
 		PermissionMode: models.PermissionModeAllowAll,
 	}
@@ -41,7 +41,8 @@ func (h *CerberusLogsHandler) LiveLogs(c *gin.Context) {
 	logger.Log().Info("Cerberus logs WebSocket connection attempt")

 	// Upgrade HTTP connection to WebSocket
-	conn, err := upgrader.Upgrade(c.Writer, c.Request, nil)
+	// CheckOrigin is enforced on the shared upgrader in logs_ws.go (same package).
+	conn, err := upgrader.Upgrade(c.Writer, c.Request, nil) // nosemgrep: go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check
 	if err != nil {
 		logger.Log().WithError(err).Error("Failed to upgrade Cerberus logs WebSocket")
 		return
@@ -125,7 +125,7 @@ func (h *CertificateHandler) Upload(c *gin.Context) {
 		h.notificationService.SendExternal(c.Request.Context(),
 			"cert",
 			"Certificate Uploaded",
-			fmt.Sprintf("Certificate %s uploaded", util.SanitizeForLog(cert.Name)),
+			"A new custom certificate was successfully uploaded.",
 			map[string]any{
 				"Name":    util.SanitizeForLog(cert.Name),
 				"Domains": util.SanitizeForLog(cert.Domains),
@@ -17,6 +17,8 @@ import (
 	"time"

 	"github.com/gin-gonic/gin"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"gorm.io/driver/sqlite"
 	"gorm.io/gorm"

@@ -516,6 +518,42 @@ func generateSelfSignedCertPEM() (certPEM, keyPEM string, err error) {

 // Note: mockCertificateService removed — helper tests now use real service instances or testify mocks inlined where required.

+// TestCertificateHandler_Upload_WithNotificationService verifies that the notification
+// path is exercised when a non-nil NotificationService is provided.
+func TestCertificateHandler_Upload_WithNotificationService(t *testing.T) {
+	db, err := gorm.Open(sqlite.Open(fmt.Sprintf("file:%s?mode=memory&cache=shared", t.Name())), &gorm.Config{})
+	require.NoError(t, err)
+	require.NoError(t, db.AutoMigrate(&models.SSLCertificate{}, &models.ProxyHost{}, &models.Setting{}, &models.NotificationProvider{}))
+
+	gin.SetMode(gin.TestMode)
+	r := gin.New()
+	r.Use(mockAuthMiddleware())
+
+	tmpDir := t.TempDir()
+	svc := services.NewCertificateService(tmpDir, db)
+	ns := services.NewNotificationService(db, nil)
+	h := NewCertificateHandler(svc, nil, ns)
+	r.POST("/api/certificates", h.Upload)
+
+	var body bytes.Buffer
+	writer := multipart.NewWriter(&body)
+	_ = writer.WriteField("name", "cert-with-ns")
+	certPEM, keyPEM, err := generateSelfSignedCertPEM()
+	require.NoError(t, err)
+	part, _ := writer.CreateFormFile("certificate_file", "cert.pem")
+	_, _ = part.Write([]byte(certPEM))
+	part2, _ := writer.CreateFormFile("key_file", "key.pem")
+	_, _ = part2.Write([]byte(keyPEM))
+	_ = writer.Close()
+
+	req := httptest.NewRequest(http.MethodPost, "/api/certificates", &body)
+	req.Header.Set("Content-Type", writer.FormDataContentType())
+	w := httptest.NewRecorder()
+	r.ServeHTTP(w, req)
+
+	assert.Equal(t, http.StatusCreated, w.Code)
+}
+
 // Test Delete with invalid ID format
 func TestDeleteCertificate_InvalidID(t *testing.T) {
 	db, err := gorm.Open(sqlite.Open(fmt.Sprintf("file:%s?mode=memory&cache=shared", t.Name())), &gorm.Config{})
@@ -721,7 +759,7 @@ func TestDeleteCertificate_NotificationRateLimit(t *testing.T) {
 	r := gin.New()
 	r.Use(mockAuthMiddleware())
 	svc := services.NewCertificateService("/tmp", db)
-	ns := services.NewNotificationService(db)
+	ns := services.NewNotificationService(db, nil)

 	mockBackupService := &mockBackupService{
 		createFunc: func() (string, error) {
@@ -71,10 +71,14 @@ func (h *DockerHandler) ListContainers(c *gin.Context) {
 	if err != nil {
 		var unavailableErr *services.DockerUnavailableError
 		if errors.As(err, &unavailableErr) {
+			details := unavailableErr.Details()
+			if details == "" {
+				details = "Cannot connect to Docker. Please ensure Docker is running and the socket is accessible (e.g., /var/run/docker.sock is mounted)."
+			}
 			log.WithFields(map[string]any{"server_id": util.SanitizeForLog(serverID), "host": util.SanitizeForLog(host), "error": util.SanitizeForLog(err.Error())}).Warn("docker unavailable")
 			c.JSON(http.StatusServiceUnavailable, gin.H{
 				"error":   "Docker daemon unavailable",
-				"details": "Cannot connect to Docker. Please ensure Docker is running and the socket is accessible (e.g., /var/run/docker.sock is mounted).",
+				"details": details,
 			})
 			return
 		}
@@ -63,7 +63,7 @@ func TestDockerHandler_ListContainers_DockerUnavailableMappedTo503(t *testing.T)
 	gin.SetMode(gin.TestMode)
 	router := gin.New()

-	dockerSvc := &fakeDockerService{err: services.NewDockerUnavailableError(errors.New("no docker socket"))}
+	dockerSvc := &fakeDockerService{err: services.NewDockerUnavailableError(errors.New("no docker socket"), "Local Docker socket is mounted but not accessible by current process")}
 	remoteSvc := &fakeRemoteServerService{}
 	h := NewDockerHandler(dockerSvc, remoteSvc)

@@ -78,7 +78,7 @@ func TestDockerHandler_ListContainers_DockerUnavailableMappedTo503(t *testing.T)
 	assert.Contains(t, w.Body.String(), "Docker daemon unavailable")
 	// Verify the new details field is included in the response
 	assert.Contains(t, w.Body.String(), "details")
-	assert.Contains(t, w.Body.String(), "Docker is running")
+	assert.Contains(t, w.Body.String(), "not accessible by current process")
 }

 func TestDockerHandler_ListContainers_ServerIDResolvesToTCPHost(t *testing.T) {
@@ -360,3 +360,47 @@ func TestDockerHandler_ListContainers_GenericError(t *testing.T) {
 		})
 	}
 }
+
+func TestDockerHandler_ListContainers_503FallbackDetailsWhenEmpty(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	router := gin.New()
+
+	dockerSvc := &fakeDockerService{err: services.NewDockerUnavailableError(errors.New("socket error"))}
+	remoteSvc := &fakeRemoteServerService{}
+	h := NewDockerHandler(dockerSvc, remoteSvc)
+
+	api := router.Group("/api/v1")
+	h.RegisterRoutes(api)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/docker/containers", http.NoBody)
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+
+	assert.Equal(t, http.StatusServiceUnavailable, w.Code)
+	assert.Contains(t, w.Body.String(), "Docker daemon unavailable")
+	assert.Contains(t, w.Body.String(), "docker.sock is mounted")
+}
+
+func TestDockerHandler_ListContainers_503DetailsWithGroupGuidance(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	router := gin.New()
+
+	groupDetails := `Local Docker socket is mounted but not accessible by current process (uid=1000 gid=1000). Process groups (1000) do not include socket gid 988; run container with matching supplemental group (e.g., --group-add 988 or compose group_add: ["988"]).`
+	dockerSvc := &fakeDockerService{
+		err: services.NewDockerUnavailableError(errors.New("EACCES"), groupDetails),
+	}
+	remoteSvc := &fakeRemoteServerService{}
+	h := NewDockerHandler(dockerSvc, remoteSvc)
+
+	api := router.Group("/api/v1")
+	h.RegisterRoutes(api)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/docker/containers?host=local", http.NoBody)
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+
+	assert.Equal(t, http.StatusServiceUnavailable, w.Code)
+	assert.Contains(t, w.Body.String(), "Docker daemon unavailable")
+	assert.Contains(t, w.Body.String(), "--group-add 988")
+	assert.Contains(t, w.Body.String(), "group_add")
+}
@@ -1,7 +1,6 @@
 package handlers

 import (
-	"fmt"
 	"net/http"

 	"github.com/Wikid82/charon/backend/internal/models"
@@ -56,7 +55,7 @@ func (h *DomainHandler) Create(c *gin.Context) {
 		h.notificationService.SendExternal(c.Request.Context(),
 			"domain",
 			"Domain Added",
-			fmt.Sprintf("Domain %s added", util.SanitizeForLog(domain.Name)),
+			"A new domain was successfully added.",
 			map[string]any{
 				"Name":   util.SanitizeForLog(domain.Name),
 				"Action": "created",
@@ -76,7 +75,7 @@ func (h *DomainHandler) Delete(c *gin.Context) {
 			h.notificationService.SendExternal(c.Request.Context(),
 				"domain",
 				"Domain Deleted",
-				fmt.Sprintf("Domain %s deleted", util.SanitizeForLog(domain.Name)),
+				"A domain was successfully deleted.",
 				map[string]any{
 					"Name":   util.SanitizeForLog(domain.Name),
 					"Action": "deleted",
@@ -24,7 +24,7 @@ func setupDomainTestRouter(t *testing.T) (*gin.Engine, *gorm.DB) {
 	require.NoError(t, err)
 	require.NoError(t, db.AutoMigrate(&models.Domain{}, &models.Notification{}, &models.NotificationProvider{}))

-	ns := services.NewNotificationService(db)
+	ns := services.NewNotificationService(db, nil)
 	h := NewDomainHandler(db, ns)
 	r := gin.New()

@@ -384,10 +384,7 @@ func (h *EmergencyHandler) syncSecurityState(ctx context.Context) {
 // POST /api/v1/emergency/token/generate
 // Requires admin authentication
 func (h *EmergencyHandler) GenerateToken(c *gin.Context) {
-	// Check admin role
-	role, exists := c.Get("role")
-	if !exists || role != "admin" {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Admin access required"})
+	if !requireAdmin(c) {
 		return
 	}

@@ -437,10 +434,7 @@ func (h *EmergencyHandler) GenerateToken(c *gin.Context) {
 // GET /api/v1/emergency/token/status
 // Requires admin authentication
 func (h *EmergencyHandler) GetTokenStatus(c *gin.Context) {
-	// Check admin role
-	role, exists := c.Get("role")
-	if !exists || role != "admin" {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Admin access required"})
+	if !requireAdmin(c) {
 		return
 	}

@@ -458,10 +452,7 @@ func (h *EmergencyHandler) GetTokenStatus(c *gin.Context) {
 // DELETE /api/v1/emergency/token
 // Requires admin authentication
 func (h *EmergencyHandler) RevokeToken(c *gin.Context) {
-	// Check admin role
-	role, exists := c.Get("role")
-	if !exists || role != "admin" {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Admin access required"})
+	if !requireAdmin(c) {
 		return
 	}

@@ -485,10 +476,7 @@ func (h *EmergencyHandler) RevokeToken(c *gin.Context) {
 // PATCH /api/v1/emergency/token/expiration
 // Requires admin authentication
 func (h *EmergencyHandler) UpdateTokenExpiration(c *gin.Context) {
-	// Check admin role
-	role, exists := c.Get("role")
-	if !exists || role != "admin" {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Admin access required"})
+	if !requireAdmin(c) {
 		return
 	}

@@ -1,7 +1,6 @@
 package handlers

 import (
-	"bytes"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
@@ -127,179 +126,3 @@ func TestBlocker3_SecurityProviderEventsFlagCanBeEnabled(t *testing.T) {
 	assert.True(t, response["feature.notifications.security_provider_events.enabled"],
 		"security_provider_events flag should be true when enabled in DB")
 }
-
-// TestLegacyFallbackRemoved_UpdateFlagsRejectsTrue tests that attempting to set legacy fallback to true returns error code LEGACY_FALLBACK_REMOVED.
-func TestLegacyFallbackRemoved_UpdateFlagsRejectsTrue(t *testing.T) {
-	gin.SetMode(gin.TestMode)
-
-	db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
-	assert.NoError(t, err)
-	assert.NoError(t, db.AutoMigrate(&models.Setting{}))
-
-	handler := NewFeatureFlagsHandler(db)
-
-	// Attempt to set legacy fallback to true
-	payload := map[string]bool{
-		"feature.notifications.legacy.fallback_enabled": true,
-	}
-	jsonPayload, err := json.Marshal(payload)
-	assert.NoError(t, err)
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Request, _ = http.NewRequest("PUT", "/api/v1/feature-flags", bytes.NewBuffer(jsonPayload))
-	c.Request.Header.Set("Content-Type", "application/json")
-
-	handler.UpdateFlags(c)
-
-	// Must return 400 with code LEGACY_FALLBACK_REMOVED
-	assert.Equal(t, http.StatusBadRequest, w.Code)
-
-	var response map[string]interface{}
-	err = json.Unmarshal(w.Body.Bytes(), &response)
-	assert.NoError(t, err)
-	assert.Contains(t, response["error"], "retired")
-	assert.Equal(t, "LEGACY_FALLBACK_REMOVED", response["code"])
-}
-
-// TestLegacyFallbackRemoved_UpdateFlagsAcceptsFalse tests that setting legacy fallback to false is allowed (forced false).
-func TestLegacyFallbackRemoved_UpdateFlagsAcceptsFalse(t *testing.T) {
-	gin.SetMode(gin.TestMode)
-
-	db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
-	assert.NoError(t, err)
-	assert.NoError(t, db.AutoMigrate(&models.Setting{}))
-
-	handler := NewFeatureFlagsHandler(db)
-
-	// Set legacy fallback to false (should be accepted and forced)
-	payload := map[string]bool{
-		"feature.notifications.legacy.fallback_enabled": false,
-	}
-	jsonPayload, err := json.Marshal(payload)
-	assert.NoError(t, err)
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Request, _ = http.NewRequest("PUT", "/api/v1/feature-flags", bytes.NewBuffer(jsonPayload))
-	c.Request.Header.Set("Content-Type", "application/json")
-
-	handler.UpdateFlags(c)
-
-	assert.Equal(t, http.StatusOK, w.Code)
-
-	// Verify in DB that it's false
-	var setting models.Setting
-	db.Where("key = ?", "feature.notifications.legacy.fallback_enabled").First(&setting)
-	assert.Equal(t, "false", setting.Value)
-}
-
-// TestLegacyFallbackRemoved_GetFlagsReturnsHardFalse tests that GET always returns false for legacy fallback.
-func TestLegacyFallbackRemoved_GetFlagsReturnsHardFalse(t *testing.T) {
-	gin.SetMode(gin.TestMode)
-
-	db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
-	assert.NoError(t, err)
-	assert.NoError(t, db.AutoMigrate(&models.Setting{}))
-
-	handler := NewFeatureFlagsHandler(db)
-
-	// Scenario 1: No DB entry
-	t.Run("no_db_entry", func(t *testing.T) {
-		w := httptest.NewRecorder()
-		c, _ := gin.CreateTestContext(w)
-		c.Request, _ = http.NewRequest("GET", "/api/v1/feature-flags", nil)
-
-		handler.GetFlags(c)
-
-		assert.Equal(t, http.StatusOK, w.Code)
-
-		var response map[string]bool
-		err = json.Unmarshal(w.Body.Bytes(), &response)
-		assert.NoError(t, err)
-		assert.False(t, response["feature.notifications.legacy.fallback_enabled"], "Must return hard-false when no DB entry")
-	})
-
-	// Scenario 2: DB entry says true (invalid, forced false)
-	t.Run("db_entry_true", func(t *testing.T) {
-		// Force a true value in DB (simulating legacy state)
-		setting := models.Setting{
-			Key:      "feature.notifications.legacy.fallback_enabled",
-			Value:    "true",
-			Type:     "bool",
-			Category: "feature",
-		}
-		db.Create(&setting)
-
-		w := httptest.NewRecorder()
-		c, _ := gin.CreateTestContext(w)
-		c.Request, _ = http.NewRequest("GET", "/api/v1/feature-flags", nil)
-
-		handler.GetFlags(c)
-
-		assert.Equal(t, http.StatusOK, w.Code)
-
-		var response map[string]bool
-		err = json.Unmarshal(w.Body.Bytes(), &response)
-		assert.NoError(t, err)
-		assert.False(t, response["feature.notifications.legacy.fallback_enabled"], "Must return hard-false even when DB says true")
-
-		// Clean up
-		db.Unscoped().Delete(&setting)
-	})
-
-	// Scenario 3: DB entry says false
-	t.Run("db_entry_false", func(t *testing.T) {
-		setting := models.Setting{
-			Key:      "feature.notifications.legacy.fallback_enabled",
-			Value:    "false",
-			Type:     "bool",
-			Category: "feature",
-		}
-		db.Create(&setting)
-
-		w := httptest.NewRecorder()
-		c, _ := gin.CreateTestContext(w)
-		c.Request, _ = http.NewRequest("GET", "/api/v1/feature-flags", nil)
-
-		handler.GetFlags(c)
-
-		assert.Equal(t, http.StatusOK, w.Code)
-
-		var response map[string]bool
-		err = json.Unmarshal(w.Body.Bytes(), &response)
-		assert.NoError(t, err)
-		assert.False(t, response["feature.notifications.legacy.fallback_enabled"], "Must return hard-false when DB says false")
-
-		// Clean up
-		db.Unscoped().Delete(&setting)
-	})
-}
-
-// TestLegacyFallbackRemoved_InvalidEnvValue tests that invalid environment variable values are handled (lines 157-158)
-func TestLegacyFallbackRemoved_InvalidEnvValue(t *testing.T) {
-	gin.SetMode(gin.TestMode)
-
-	db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
-	assert.NoError(t, err)
-	assert.NoError(t, db.AutoMigrate(&models.Setting{}))
-
-	// Set invalid environment variable value
-	t.Setenv("CHARON_NOTIFICATIONS_LEGACY_FALLBACK", "invalid-value")
-
-	handler := NewFeatureFlagsHandler(db)
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Request, _ = http.NewRequest("GET", "/api/v1/feature-flags", nil)
-
-	// Lines 157-158: Should log warning for invalid env value and return hard-false
-	handler.GetFlags(c)
-
-	assert.Equal(t, http.StatusOK, w.Code)
-
-	var response map[string]bool
-	err = json.Unmarshal(w.Body.Bytes(), &response)
-	assert.NoError(t, err)
-	assert.False(t, response["feature.notifications.legacy.fallback_enabled"], "Must return hard-false even with invalid env value")
-}
@@ -1,105 +0,0 @@
-package handlers
-
-import (
-	"encoding/json"
-	"net/http"
-	"net/http/httptest"
-	"testing"
-
-	"github.com/Wikid82/charon/backend/internal/models"
-	"github.com/gin-gonic/gin"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"gorm.io/driver/sqlite"
-	"gorm.io/gorm"
-)
-
-// TestResolveRetiredLegacyFallback_InvalidPersistedValue covers lines 139-140
-func TestResolveRetiredLegacyFallback_InvalidPersistedValue(t *testing.T) {
-	gin.SetMode(gin.TestMode)
-	db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
-	require.NoError(t, err)
-
-	require.NoError(t, db.AutoMigrate(&models.Setting{}))
-
-	// Create setting with invalid value for retired fallback flag
-	db.Create(&models.Setting{
-		Key:      "feature.notifications.legacy.fallback_enabled",
-		Value:    "invalid_value_not_bool",
-		Type:     "bool",
-		Category: "feature",
-	})
-
-	h := NewFeatureFlagsHandler(db)
-	r := gin.New()
-	r.GET("/api/v1/feature-flags", h.GetFlags)
-
-	req := httptest.NewRequest(http.MethodGet, "/api/v1/feature-flags", http.NoBody)
-	w := httptest.NewRecorder()
-	r.ServeHTTP(w, req)
-
-	require.Equal(t, http.StatusOK, w.Code)
-
-	// Should log warning and return false (lines 139-140)
-	var flags map[string]bool
-	err = json.Unmarshal(w.Body.Bytes(), &flags)
-	require.NoError(t, err)
-
-	assert.False(t, flags["feature.notifications.legacy.fallback_enabled"])
-}
-
-// TestResolveRetiredLegacyFallback_InvalidEnvValue covers lines 149-150
-func TestResolveRetiredLegacyFallback_InvalidEnvValue(t *testing.T) {
-	gin.SetMode(gin.TestMode)
-	db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
-	require.NoError(t, err)
-
-	require.NoError(t, db.AutoMigrate(&models.Setting{}))
-
-	// Set invalid env var for retired fallback flag
-	t.Setenv("CHARON_LEGACY_FALLBACK_ENABLED", "not_a_boolean")
-
-	h := NewFeatureFlagsHandler(db)
-	r := gin.New()
-	r.GET("/api/v1/feature-flags", h.GetFlags)
-
-	req := httptest.NewRequest(http.MethodGet, "/api/v1/feature-flags", http.NoBody)
-	w := httptest.NewRecorder()
-	r.ServeHTTP(w, req)
-
-	require.Equal(t, http.StatusOK, w.Code)
-
-	// Should log warning and return false (lines 149-150)
-	var flags map[string]bool
-	err = json.Unmarshal(w.Body.Bytes(), &flags)
-	require.NoError(t, err)
-
-	assert.False(t, flags["feature.notifications.legacy.fallback_enabled"])
-}
-
-// TestResolveRetiredLegacyFallback_DefaultFalse covers lines 157-158
-func TestResolveRetiredLegacyFallback_DefaultFalse(t *testing.T) {
-	gin.SetMode(gin.TestMode)
-	db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
-	require.NoError(t, err)
-
-	require.NoError(t, db.AutoMigrate(&models.Setting{}))
-
-	// No DB value, no env vars - should default to false
-	h := NewFeatureFlagsHandler(db)
-	r := gin.New()
-	r.GET("/api/v1/feature-flags", h.GetFlags)
-
-	req := httptest.NewRequest(http.MethodGet, "/api/v1/feature-flags", http.NoBody)
-	w := httptest.NewRecorder()
-	r.ServeHTTP(w, req)
-
-	require.Equal(t, http.StatusOK, w.Code)
-
-	// Should return false (lines 157-158)
-	var flags map[string]bool
-	err = json.Unmarshal(w.Body.Bytes(), &flags)
-	require.NoError(t, err)
-
-	assert.False(t, flags["feature.notifications.legacy.fallback_enabled"])
-}
@@ -30,8 +30,10 @@ var defaultFlags = []string{
 	"feature.crowdsec.console_enrollment",
 	"feature.notifications.engine.notify_v1.enabled",
 	"feature.notifications.service.discord.enabled",
+	"feature.notifications.service.email.enabled",
 	"feature.notifications.service.gotify.enabled",
-	"feature.notifications.legacy.fallback_enabled",
+	"feature.notifications.service.webhook.enabled",
+	"feature.notifications.service.telegram.enabled",
 	"feature.notifications.security_provider_events.enabled", // Blocker 3: Add security_provider_events gate
 }

@@ -41,16 +43,13 @@ var defaultFlagValues = map[string]bool{
 	"feature.crowdsec.console_enrollment":                    false,
 	"feature.notifications.engine.notify_v1.enabled":         false,
 	"feature.notifications.service.discord.enabled":          false,
+	"feature.notifications.service.email.enabled":            false,
 	"feature.notifications.service.gotify.enabled":           false,
-	"feature.notifications.legacy.fallback_enabled":          false,
+	"feature.notifications.service.webhook.enabled":          false,
+	"feature.notifications.service.telegram.enabled":         false,
 	"feature.notifications.security_provider_events.enabled": false, // Blocker 3: Default disabled for this stage
 }

-var retiredLegacyFallbackEnvAliases = []string{
-	"FEATURE_NOTIFICATIONS_LEGACY_FALLBACK_ENABLED",
-	"NOTIFICATIONS_LEGACY_FALLBACK_ENABLED",
-}
-
 // GetFlags returns a map of feature flag -> bool. DB setting takes precedence
 // and falls back to environment variables if present.
 func (h *FeatureFlagsHandler) GetFlags(c *gin.Context) {
@@ -84,11 +83,6 @@ func (h *FeatureFlagsHandler) GetFlags(c *gin.Context) {
 			defaultVal = v
 		}

-		if key == "feature.notifications.legacy.fallback_enabled" {
-			result[key] = h.resolveRetiredLegacyFallback(settingsMap)
-			continue
-		}
-
 		// Check if flag exists in DB
 		if s, exists := settingsMap[key]; exists {
 			v := strings.ToLower(strings.TrimSpace(s.Value))
@@ -129,40 +123,6 @@ func (h *FeatureFlagsHandler) GetFlags(c *gin.Context) {
 	c.JSON(http.StatusOK, result)
 }

-func parseFlagBool(raw string) (bool, bool) {
-	v := strings.ToLower(strings.TrimSpace(raw))
-	switch v {
-	case "1", "true", "yes":
-		return true, true
-	case "0", "false", "no":
-		return false, true
-	default:
-		return false, false
-	}
-}
-
-func (h *FeatureFlagsHandler) resolveRetiredLegacyFallback(settingsMap map[string]models.Setting) bool {
-	const retiredKey = "feature.notifications.legacy.fallback_enabled"
-
-	if s, exists := settingsMap[retiredKey]; exists {
-		if _, ok := parseFlagBool(s.Value); !ok {
-			log.Printf("[WARN] Invalid persisted retired fallback flag value, forcing disabled: key=%s value=%q", retiredKey, s.Value)
-		}
-		return false
-	}
-
-	for _, alias := range retiredLegacyFallbackEnvAliases {
-		if ev, ok := os.LookupEnv(alias); ok {
-			if _, parsed := parseFlagBool(ev); !parsed {
-				log.Printf("[WARN] Invalid environment retired fallback flag value, forcing disabled: key=%s value=%q", alias, ev)
-			}
-			return false
-		}
-	}
-
-	return false
-}
-
 // UpdateFlags accepts a JSON object map[string]bool and upserts settings.
 func (h *FeatureFlagsHandler) UpdateFlags(c *gin.Context) {
 	// Phase 0: Performance instrumentation
@@ -178,14 +138,6 @@ func (h *FeatureFlagsHandler) UpdateFlags(c *gin.Context) {
 		return
 	}

-	if v, exists := payload["feature.notifications.legacy.fallback_enabled"]; exists && v {
-		c.JSON(http.StatusBadRequest, gin.H{
-			"error": "feature.notifications.legacy.fallback_enabled is retired and can only be false",
-			"code":  "LEGACY_FALLBACK_REMOVED",
-		})
-		return
-	}
-
 	// Phase 1: Transaction wrapping - all updates in single atomic transaction
 	if err := h.DB.Transaction(func(tx *gorm.DB) error {
 		for k, v := range payload {
@@ -201,10 +153,6 @@ func (h *FeatureFlagsHandler) UpdateFlags(c *gin.Context) {
 				continue
 			}

-			if k == "feature.notifications.legacy.fallback_enabled" {
-				v = false
-			}
-
 			s := models.Setting{Key: k, Value: strconv.FormatBool(v), Type: "bool", Category: "feature"}
 			if err := tx.Where(models.Setting{Key: k}).Assign(s).FirstOrCreate(&s).Error; err != nil {
 				return err // Rollback on error
@@ -460,3 +460,24 @@ func TestFeatureFlagsHandler_NewFeatureFlagsHandler(t *testing.T) {
 	assert.NotNil(t, h.DB)
 	assert.Equal(t, db, h.DB)
 }
+
+func TestFeatureFlagsHandler_GetFlags_EmailFlagDefaultFalse(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	db := setupFlagsDB(t)
+
+	h := NewFeatureFlagsHandler(db)
+	r := gin.New()
+	r.GET("/api/v1/feature-flags", h.GetFlags)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/feature-flags", http.NoBody)
+	w := httptest.NewRecorder()
+	r.ServeHTTP(w, req)
+
+	require.Equal(t, http.StatusOK, w.Code)
+
+	var flags map[string]bool
+	err := json.Unmarshal(w.Body.Bytes(), &flags)
+	require.NoError(t, err)
+
+	assert.False(t, flags["feature.notifications.service.email.enabled"])
+}
@@ -100,147 +100,6 @@ func TestFeatureFlags_EnvFallback(t *testing.T) {
 	}
 }

-func TestFeatureFlags_RetiredFallback_DenyByDefault(t *testing.T) {
-	db := setupFlagsDB(t)
-	h := NewFeatureFlagsHandler(db)
-
-	gin.SetMode(gin.TestMode)
-	r := gin.New()
-	r.GET("/api/v1/feature-flags", h.GetFlags)
-
-	req := httptest.NewRequest(http.MethodGet, "/api/v1/feature-flags", http.NoBody)
-	w := httptest.NewRecorder()
-	r.ServeHTTP(w, req)
-	if w.Code != http.StatusOK {
-		t.Fatalf("expected 200 got %d body=%s", w.Code, w.Body.String())
-	}
-
-	var flags map[string]bool
-	if err := json.Unmarshal(w.Body.Bytes(), &flags); err != nil {
-		t.Fatalf("invalid json: %v", err)
-	}
-
-	if flags["feature.notifications.legacy.fallback_enabled"] {
-		t.Fatalf("expected retired fallback flag to be false by default")
-	}
-}
-
-func TestFeatureFlags_RetiredFallback_PersistedAndEnvStillResolveFalse(t *testing.T) {
-	db := setupFlagsDB(t)
-
-	if err := db.Create(&models.Setting{
-		Key:      "feature.notifications.legacy.fallback_enabled",
-		Value:    "true",
-		Type:     "bool",
-		Category: "feature",
-	}).Error; err != nil {
-		t.Fatalf("failed to seed setting: %v", err)
-	}
-
-	t.Setenv("FEATURE_NOTIFICATIONS_LEGACY_FALLBACK_ENABLED", "true")
-
-	h := NewFeatureFlagsHandler(db)
-	gin.SetMode(gin.TestMode)
-	r := gin.New()
-	r.GET("/api/v1/feature-flags", h.GetFlags)
-
-	req := httptest.NewRequest(http.MethodGet, "/api/v1/feature-flags", http.NoBody)
-	w := httptest.NewRecorder()
-	r.ServeHTTP(w, req)
-	if w.Code != http.StatusOK {
-		t.Fatalf("expected 200 got %d body=%s", w.Code, w.Body.String())
-	}
-
-	var flags map[string]bool
-	if err := json.Unmarshal(w.Body.Bytes(), &flags); err != nil {
-		t.Fatalf("invalid json: %v", err)
-	}
-
-	if flags["feature.notifications.legacy.fallback_enabled"] {
-		t.Fatalf("expected retired fallback flag to remain false even when persisted/env are true")
-	}
-}
-
-func TestFeatureFlags_RetiredFallback_EnvAliasResolvesFalse(t *testing.T) {
-	db := setupFlagsDB(t)
-	t.Setenv("NOTIFICATIONS_LEGACY_FALLBACK_ENABLED", "true")
-
-	h := NewFeatureFlagsHandler(db)
-	gin.SetMode(gin.TestMode)
-	r := gin.New()
-	r.GET("/api/v1/feature-flags", h.GetFlags)
-
-	req := httptest.NewRequest(http.MethodGet, "/api/v1/feature-flags", http.NoBody)
-	w := httptest.NewRecorder()
-	r.ServeHTTP(w, req)
-	if w.Code != http.StatusOK {
-		t.Fatalf("expected 200 got %d body=%s", w.Code, w.Body.String())
-	}
-
-	var flags map[string]bool
-	if err := json.Unmarshal(w.Body.Bytes(), &flags); err != nil {
-		t.Fatalf("invalid json: %v", err)
-	}
-
-	if flags["feature.notifications.legacy.fallback_enabled"] {
-		t.Fatalf("expected retired fallback flag to remain false for env alias")
-	}
-}
-
-func TestFeatureFlags_UpdateRejectsLegacyFallbackTrue(t *testing.T) {
-	db := setupFlagsDB(t)
-	h := NewFeatureFlagsHandler(db)
-
-	gin.SetMode(gin.TestMode)
-	r := gin.New()
-	r.PUT("/api/v1/feature-flags", h.UpdateFlags)
-
-	payload := map[string]bool{
-		"feature.notifications.legacy.fallback_enabled": true,
-	}
-	b, _ := json.Marshal(payload)
-
-	req := httptest.NewRequest(http.MethodPut, "/api/v1/feature-flags", bytes.NewReader(b))
-	req.Header.Set("Content-Type", "application/json")
-	w := httptest.NewRecorder()
-	r.ServeHTTP(w, req)
-
-	if w.Code != http.StatusBadRequest {
-		t.Fatalf("expected 400 got %d body=%s", w.Code, w.Body.String())
-	}
-}
-
-func TestFeatureFlags_UpdatePersistsLegacyFallbackFalse(t *testing.T) {
-	db := setupFlagsDB(t)
-	h := NewFeatureFlagsHandler(db)
-
-	gin.SetMode(gin.TestMode)
-	r := gin.New()
-	r.PUT("/api/v1/feature-flags", h.UpdateFlags)
-
-	payload := map[string]bool{
-		"feature.notifications.legacy.fallback_enabled": false,
-	}
-	b, _ := json.Marshal(payload)
-
-	req := httptest.NewRequest(http.MethodPut, "/api/v1/feature-flags", bytes.NewReader(b))
-	req.Header.Set("Content-Type", "application/json")
-	w := httptest.NewRecorder()
-	r.ServeHTTP(w, req)
-
-	if w.Code != http.StatusOK {
-		t.Fatalf("expected 200 got %d body=%s", w.Code, w.Body.String())
-	}
-
-	var s models.Setting
-	if err := db.Where("key = ?", "feature.notifications.legacy.fallback_enabled").First(&s).Error; err != nil {
-		t.Fatalf("expected setting persisted: %v", err)
-	}
-	if s.Value != "false" {
-		t.Fatalf("expected persisted fallback value false, got %s", s.Value)
-	}
-}
-
 // setupBenchmarkFlagsDB creates an in-memory SQLite database for feature flags benchmarks
 func setupBenchmarkFlagsDB(b *testing.B) *gorm.DB {
 	b.Helper()
@@ -428,32 +287,3 @@ func TestUpdateFlags_TransactionAtomic(t *testing.T) {
 		t.Errorf("expected crowdsec.console_enrollment to be true, got %s", s3.Value)
 	}
 }
-
-// TestFeatureFlags_InvalidRetiredEnvAlias covers lines 157-158 (invalid env var warning)
-func TestFeatureFlags_InvalidRetiredEnvAlias(t *testing.T) {
-	db := setupFlagsDB(t)
-	t.Setenv("NOTIFICATIONS_LEGACY_FALLBACK_ENABLED", "invalid-value")
-
-	h := NewFeatureFlagsHandler(db)
-	gin.SetMode(gin.TestMode)
-	r := gin.New()
-	r.GET("/api/v1/feature-flags", h.GetFlags)
-
-	req := httptest.NewRequest(http.MethodGet, "/api/v1/feature-flags", http.NoBody)
-	w := httptest.NewRecorder()
-	r.ServeHTTP(w, req)
-
-	if w.Code != http.StatusOK {
-		t.Fatalf("expected 200 got %d body=%s", w.Code, w.Body.String())
-	}
-
-	var flags map[string]bool
-	if err := json.Unmarshal(w.Body.Bytes(), &flags); err != nil {
-		t.Fatalf("invalid json: %v", err)
-	}
-
-	// Should force disabled due to invalid value (lines 157-158)
-	if flags["feature.notifications.legacy.fallback_enabled"] {
-		t.Fatalf("expected retired fallback flag to be false for invalid env value")
-	}
-}
@@ -50,7 +50,7 @@ func TestRemoteServerHandler_List(t *testing.T) {
 	}
 	db.Create(server)

-	ns := services.NewNotificationService(db)
+	ns := services.NewNotificationService(db, nil)
 	handler := handlers.NewRemoteServerHandler(services.NewRemoteServerService(db), ns)
 	router := gin.New()
 	handler.RegisterRoutes(router.Group("/api/v1"))
@@ -74,7 +74,7 @@ func TestRemoteServerHandler_Create(t *testing.T) {
 	gin.SetMode(gin.TestMode)
 	db := setupTestDB(t)

-	ns := services.NewNotificationService(db)
+	ns := services.NewNotificationService(db, nil)
 	handler := handlers.NewRemoteServerHandler(services.NewRemoteServerService(db), ns)
 	router := gin.New()
 	handler.RegisterRoutes(router.Group("/api/v1"))
@@ -119,7 +119,7 @@ func TestRemoteServerHandler_TestConnection(t *testing.T) {
 	}
 	db.Create(server)

-	ns := services.NewNotificationService(db)
+	ns := services.NewNotificationService(db, nil)
 	handler := handlers.NewRemoteServerHandler(services.NewRemoteServerService(db), ns)
 	router := gin.New()
 	handler.RegisterRoutes(router.Group("/api/v1"))
@@ -154,7 +154,7 @@ func TestRemoteServerHandler_Get(t *testing.T) {
 	}
 	db.Create(server)

-	ns := services.NewNotificationService(db)
+	ns := services.NewNotificationService(db, nil)
 	handler := handlers.NewRemoteServerHandler(services.NewRemoteServerService(db), ns)
 	router := gin.New()
 	handler.RegisterRoutes(router.Group("/api/v1"))
@@ -188,7 +188,7 @@ func TestRemoteServerHandler_Update(t *testing.T) {
 	}
 	db.Create(server)

-	ns := services.NewNotificationService(db)
+	ns := services.NewNotificationService(db, nil)
 	handler := handlers.NewRemoteServerHandler(services.NewRemoteServerService(db), ns)
 	router := gin.New()
 	handler.RegisterRoutes(router.Group("/api/v1"))
@@ -234,7 +234,7 @@ func TestRemoteServerHandler_Delete(t *testing.T) {
 	}
 	db.Create(server)

-	ns := services.NewNotificationService(db)
+	ns := services.NewNotificationService(db, nil)
 	handler := handlers.NewRemoteServerHandler(services.NewRemoteServerService(db), ns)
 	router := gin.New()
 	handler.RegisterRoutes(router.Group("/api/v1"))
@@ -271,7 +271,7 @@ func TestProxyHostHandler_List(t *testing.T) {
 	}
 	db.Create(host)

-	ns := services.NewNotificationService(db)
+	ns := services.NewNotificationService(db, nil)
 	handler := handlers.NewProxyHostHandler(db, nil, ns, nil)
 	router := gin.New()
 	handler.RegisterRoutes(router.Group("/api/v1"))
@@ -295,7 +295,7 @@ func TestProxyHostHandler_Create(t *testing.T) {
 	gin.SetMode(gin.TestMode)
 	db := setupTestDB(t)

-	ns := services.NewNotificationService(db)
+	ns := services.NewNotificationService(db, nil)
 	handler := handlers.NewProxyHostHandler(db, nil, ns, nil)
 	router := gin.New()
 	handler.RegisterRoutes(router.Group("/api/v1"))
@@ -343,7 +343,7 @@ func TestProxyHostHandler_PartialUpdate_DoesNotWipeFields(t *testing.T) {
 	}
 	db.Create(original)

-	ns := services.NewNotificationService(db)
+	ns := services.NewNotificationService(db, nil)
 	handler := handlers.NewProxyHostHandler(db, nil, ns, nil)
 	router := gin.New()
 	handler.RegisterRoutes(router.Group("/api/v1"))
@@ -408,7 +408,7 @@ func TestRemoteServerHandler_Errors(t *testing.T) {
 	gin.SetMode(gin.TestMode)
 	db := setupTestDB(t)

-	ns := services.NewNotificationService(db)
+	ns := services.NewNotificationService(db, nil)
 	handler := handlers.NewRemoteServerHandler(services.NewRemoteServerService(db), ns)
 	router := gin.New()
 	handler.RegisterRoutes(router.Group("/api/v1"))
@@ -93,6 +93,10 @@ func (h *ImportHandler) RegisterRoutes(router *gin.RouterGroup) {

 // GetStatus returns current import session status.
 func (h *ImportHandler) GetStatus(c *gin.Context) {
+	if !requireAuthenticatedAdmin(c) {
+		return
+	}
+
 	var session models.ImportSession
 	err := h.db.Where("status IN ?", []string{"pending", "reviewing"}).
 		Order("created_at DESC").
@@ -155,6 +159,10 @@ func (h *ImportHandler) GetStatus(c *gin.Context) {

 // GetPreview returns parsed hosts and conflicts for review.
 func (h *ImportHandler) GetPreview(c *gin.Context) {
+	if !requireAuthenticatedAdmin(c) {
+		return
+	}
+
 	var session models.ImportSession
 	err := h.db.Where("status IN ?", []string{"pending", "reviewing"}).
 		Order("created_at DESC").
@@ -340,6 +340,11 @@ func TestCommitAndCancel_InvalidSessionUUID(t *testing.T) {
 	r.ServeHTTP(wCommit, reqCommit)
 	assert.Equal(t, http.StatusBadRequest, wCommit.Code)

+	wCancelMissing := httptest.NewRecorder()
+	reqCancelMissing, _ := http.NewRequest(http.MethodDelete, "/api/v1/import/cancel", http.NoBody)
+	r.ServeHTTP(wCancelMissing, reqCancelMissing)
+	assert.Equal(t, http.StatusBadRequest, wCancelMissing.Code)
+
 	wCancel := httptest.NewRecorder()
 	reqCancel, _ := http.NewRequest(http.MethodDelete, "/api/v1/import/cancel?session_uuid=.", http.NoBody)
 	r.ServeHTTP(wCancel, reqCancel)
@@ -310,6 +310,11 @@ func (h *JSONImportHandler) Cancel(c *gin.Context) {
 		return
 	}

+	if strings.TrimSpace(req.SessionUUID) == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "session_uuid required"})
+		return
+	}
+
 	// Clean up session if it exists
 	jsonImportSessionsMu.Lock()
 	delete(jsonImportSessions, req.SessionUUID)
@@ -497,6 +497,62 @@ func TestJSONImportHandler_ConflictDetection(t *testing.T) {
 	assert.Contains(t, conflictDetails, "conflict.com")
 }

+func TestJSONImportHandler_Cancel_RequiresValidJSONBody(t *testing.T) {
+	db := setupJSONTestDB(t)
+	handler := NewJSONImportHandler(db)
+
+	gin.SetMode(gin.TestMode)
+	router := gin.New()
+	api := router.Group("/api/v1")
+	handler.RegisterRoutes(api)
+
+	t.Run("missing body", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodPost, "/api/v1/import/json/cancel", http.NoBody)
+		req.Header.Set("Content-Type", "application/json")
+		w := httptest.NewRecorder()
+
+		router.ServeHTTP(w, req)
+		assert.Equal(t, http.StatusBadRequest, w.Code)
+	})
+
+	t.Run("invalid json", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodPost, "/api/v1/import/json/cancel", bytes.NewBufferString("{"))
+		req.Header.Set("Content-Type", "application/json")
+		w := httptest.NewRecorder()
+
+		router.ServeHTTP(w, req)
+		assert.Equal(t, http.StatusBadRequest, w.Code)
+	})
+
+	t.Run("empty object payload", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodPost, "/api/v1/import/json/cancel", bytes.NewBufferString("{}"))
+		req.Header.Set("Content-Type", "application/json")
+		w := httptest.NewRecorder()
+
+		router.ServeHTTP(w, req)
+		assert.Equal(t, http.StatusBadRequest, w.Code)
+
+		var resp map[string]string
+		err := json.Unmarshal(w.Body.Bytes(), &resp)
+		require.NoError(t, err)
+		assert.Equal(t, "session_uuid required", resp["error"])
+	})
+
+	t.Run("missing session_uuid payload", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodPost, "/api/v1/import/json/cancel", bytes.NewBufferString(`{"foo":"bar"}`))
+		req.Header.Set("Content-Type", "application/json")
+		w := httptest.NewRecorder()
+
+		router.ServeHTTP(w, req)
+		assert.Equal(t, http.StatusBadRequest, w.Code)
+
+		var resp map[string]string
+		err := json.Unmarshal(w.Body.Bytes(), &resp)
+		require.NoError(t, err)
+		assert.Equal(t, "session_uuid required", resp["error"])
+	})
+}
+
 func TestJSONImportHandler_IsCharonFormat(t *testing.T) {
 	db := setupJSONTestDB(t)
 	handler := NewJSONImportHandler(db)
--- a/Show More
+++ b/Show More