Track the not-yet-wired items from docs/plans/PRODUCTION_HARDENING_PLAN.md (git history): dynamic/container scanning (OWASP ZAP, Snyk, Trivy) as CI-wired controls + annual pen-test. Much hardening is already shipped; this tracks the gaps noted in the thesis 5.7/5.10.
Track the not-yet-wired items from docs/plans/PRODUCTION_HARDENING_PLAN.md (git history): dynamic/container scanning (OWASP ZAP, Snyk, Trivy) as CI-wired controls + annual pen-test. Much hardening is already shipped; this tracks the gaps noted in the thesis 5.7/5.10.