Summary

• harden auth boundaries for workspace selection, webhook management routes, internal HMAC/bearer auth, CLI OAuth callbacks, and persistent-agent internal routes
• strengthen SSRF protections, outbound webhook/Slack redirect handling, and untrusted response body caps
• upgrade vulnerable dependencies and modernize affected OpenTelemetry/Fastify compatibility code
• harden Kubernetes workload/sidecar security contexts and enable production network policies/cache defaults
• remove tracked local run token and ignore local production values/secrets files

Verification

• pnpm audit --audit-level low
• pnpm format:check
• pnpm lint
• pnpm typecheck
• pnpm exec turbo test --force
• helm lint helm/optio -f helm/optio/values.production.yaml --set api.secretKey=test --set api.cookieSecret=test --set postgresql.auth.password=test --set redis.auth.password=test
• helm template optio helm/optio -f helm/optio/values.production.yaml --set api.secretKey=test --set api.cookieSecret=test --set postgresql.auth.password=test --set redis.auth.password=test
• git diff --check

Known Follow-ups

• lint currently passes with existing warnings; the warning count should still be reduced before treating lint as enterprise-grade signal
• tests still emit Redis ECONNREFUSED noise in paths that run without Redis and duplicate-key warnings in shared reconcile tests
• production deployments should pin immutable image tags/digests instead of relying on mutable defaults
• any real secret previously placed in ignored local production values files should be rotated and moved to a secret manager workflow