The template targets the OWASP top-10 surface for a small Python+React service plus the LLM-specific risks that come with hosting an agent. Each layer below is independent — defence in depth, not a single chokepoint.

LLM coder edits  ──►  PreToolUse hook (forbidden flags + secret scan + audit log)
                  │
                  ▼
Local commit     ──►  pre-commit (ruff, gitleaks, commitizen, mypy, hygiene)
                  │
                  ▼
git push         ──►  CI:
                       • Lint & Format (ruff)
                       • Type Check (mypy --strict)
                       • Architecture (import-linter)
                       • Unit tests + Coverage ≥ 75 %
                       • Pre-commit (re-run, no-bypass)
                       • Frontend Build + Frontend Quality
                       • Branch-protection contexts sync
                       • Commit-type sync
                       • Lint PR title (conventional commits)
                       • Secret scan (gitleaks)
                       • Python deps (pip-audit --strict)
                       • Frontend deps (npm audit --audit-level=high)
                       • Container image scan (trivy)
                  │
                  ▼
PR review        ──►  Code owner approval (CODEOWNERS)
                  │
                  ▼
Merge to develop ──►  develop branch protection (15 required contexts, strict: false)
                  │
                  ▼
Release PR       ──►  develop → main; main branch protection (15 required, strict: true)
                  │
                  ▼
Tag v*.*.*       ──►  release.yml: build image, push to ghcr.io, generate SBOM, publish Release

Dockerfile ships a multi-stage build:

• Builder — runs uv sync --frozen --no-dev. Has uv, pip cache, build tools.
• Runtime — python:3.14-slim, copies only .venv + src/ from the builder, runs as non-root user app. No uv, no pip cache, no build tools, no dev deps.

Runtime stage env: PYTHONDONTWRITEBYTECODE=1 (no .pyc writes — would EROFS-fail under the read-only root FS) and PYTHONUNBUFFERED=1 (uvicorn stdout flushed immediately).

docker-compose.yml's app service runs with read_only: true and a tmpfs: /tmp:size=64m,mode=1777 mount. The kernel rejects writes to every path except the 64 MB tmpfs, so a post-exploit shell under the app user cannot modify /app, persist binaries, or fill the host's disk under app's ownership. Verified locally: touch /app/foo → Read-only file system; touch /tmp/foo succeeds; healthcheck reports healthy.

Healthcheck uses stdlib urllib.request so curl isn't in the image.

gcr.io/distroless/python3-debian12 ships Python at /usr/bin/python3 while the current builder stage materialises a venv whose pyvenv.cfg and interpreter symlinks reference /usr/local/bin/python3.14 (Dockerfile comment makes this constraint explicit). Migrating requires either matching Python paths between stages (no distroless variant matches slim's /usr/local) or rebuilding the venv inside the runtime stage (distroless has no pip / uv). Either route adds engineering risk and operational friction (no docker exec ... sh) that outweighs the marginal attack-surface reduction now that read-only-FS + non-root + no-build-tools + trivy-scanning are all in place. Revisit when distroless ships a /usr/local variant or when the venv-in-runtime cost shrinks.

• WAF / DDoS — deployment-environment concerns, not template concerns.
• Authentication — the scaffold ships no auth; the right layer (OIDC, mTLS, API keys, sessions) is project-specific.
• Secret manager integration — Settings reads from env / .env. A real deployment should fetch LLM_API_KEY from a vault and inject it as env, but the wiring is environment-specific.
• Rate limiting — same — depends on infrastructure.

Each of these is a slot to fill once your domain is decided. The harness doesn't try to pretend any of them exist out of the box.