mc#1570 RFC#563 ws-server binary strip (-trimpath, -s, -w). Build-time only, no behavioral change. Strips debug symbols + build-host paths (privacy improvement). GitSHA via -X preserved. Security APPROVE.
docs#56 next.config.mjs Cache-Control addition for HTML pages only. Negative lookahead excludes _next internals + /api/ routes (auth-bearing). No secrets/auth-state cached. Security APPROVE.
core-security re-approve at new head f2161bda (main-merge to clear unrelated shellcheck red; no security-relevant change). Original 5-axis pass stands (id=4809). APPROVE.
core-security re-approve at new head 23506ab7 (empty re-trigger commit only, no security-relevant change). Original 5-axis pass stands (id=4809): APPROVE.
core-security 5-axis review — APPROVE.
Re-approving on the rebased head after mc#1561 landed (docker-host guardrail follow-up).
Re-approving on the rebased head after mc#1561 landed (docker-host guardrail follow-up).
core-security 5-axis review (head a3cd84cb)
core-security 5-axis review (head 32121207)
aabf933a5c
feat(security): RFC#523 3-layer forbidden-env guardrail for tenant workspaces (task #146)
5-axis (code-review-and-quality):
5-axis review (code-review-and-quality):
/sop-n/a security-review
[core-security-agent] N/A — non-security-touching
Python test file for ci-required-drift.py + script comment update + status list limit bump. No auth/db/handler changes.
[core-security-agent] N/A — non-security-touching
aria-live regions added to loading/empty-state elements. All content is static hardcoded text — no user-controlled content rendered in…
[core-security-agent] N/A — non-security-touching
CI workflow changes only: cancel-in-progress on scheduled workflows. No auth/db/handler/code changes.
[core-security-agent] N/A — non-security-touching
CI workflow changes only: cancel-in-progress on gate-check-v3. No auth/db/handler/code changes.