All checks were successful
CI / Unit & Component Tests (pull_request) Successful in 4m28s
CI / OCR Service Tests (pull_request) Successful in 24s
CI / Backend Unit Tests (pull_request) Successful in 5m12s
CI / fail2ban Regex (pull_request) Successful in 48s
CI / Semgrep Security Scan (pull_request) Successful in 22s
CI / Compose Bucket Idempotency (pull_request) Successful in 1m9s
Adds §Renovate + Nightly Audit — Token Model covering:

- Two-token model: RENOVATE_TOKEN vs NIGHTLY_AUDIT_TOKEN (issues-only), blast radius rationale, PAT rotation cadence (annual + on-compromise)
- OSV vs platform alerts on Gitea — osvVulnerabilityAlerts is the load-bearing detector; Gitea exposes no vulnerability graph for vulnerabilityAlerts
- Nightly vs PR gate divergence table (dev deps in/out)
- Runbook: triage severity → pin/upgrade/override → close issue

Refs #818. See ADR-041 for full rationale.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>