Work in the `platform` repo and use the existing Gitea issues as the source of truth.

Repo:
- `yusiboyz/platform`

Primary tracking issue:
- `#1 Production Security and Readiness Remediation`

Verified current state:
- Completed: `#2`, `#3`, `#4`, `#6`, `#7`, `#10`
- Partial: `#5`, `#8`
- Open: `#9`

Important verified notes:
- Repo hygiene is fixed at the git level: live `.env` and `.db` files are no longer tracked, and `.gitignore` blocks them.
- Local untracked env files may still exist on disk and may still contain sensitive values. Treat those as manual ops cleanup and rotation work, not as tracked repo content.
- Inventory and Budget now require service API keys, but the broader gateway trust model still needs documentation and tightening.
- Budget dependency audit is clean, but CI-based automated scanning is still not fully in place.
- Performance hardening work is still open in inventory, budget, and dashboard summary paths.

Your job:
- Read issue `#1` and the remaining issue threads first
- Re-verify the current repo state before changing anything
- Only work on the remaining items: `#5`, `#8`, and `#9`
- Make code and config changes directly
- After each issue-sized change, verify it and post a concise Gitea comment with:
  - what changed
  - files touched
  - verification performed
  - what still remains, if anything
- Close only issues whose acceptance criteria are fully satisfied

Priority order:
1. `#5 Gateway Trust Model: Protect Internal Services and Service-Level Data`
2. `#8 Dependency Security and CI Enforcement`
3. `#9 Performance Hardening: Cache and De-risk Summary Endpoints`

Specific required fixes:
- `#5`
  - Re-check the current gateway trust assumptions before editing
  - Tighten or document remaining service-global trust behavior
  - Remove or protect remaining permissive/debug surfaces, especially in internal services
  - Keep changes minimal and production-oriented
- `#8`
  - Keep the existing dependency state intact
  - Add or finish CI enforcement for dependency/security checks
  - Include secret scanning or equivalent repo-level safety checks if missing
  - Do not close this issue unless the CI path is actually committed and runnable in this repo
- `#9`
  - Address the worst full-scan endpoints first
  - Focus on targeted fixes in inventory, budget, and gateway summary paths
  - Prefer measurable reductions in repeated full-table or full-account scans over broad refactors

Constraints:
- Do not reopen already-completed issues unless verification proves a regression
- Do not revert unrelated user changes
- Keep changes minimal and production-oriented
- Do not claim something is fixed unless code and verification support it
- If a fix requires an ops action outside the repo, note it explicitly in the issue comment and final summary

Manual ops actions that are outside the repo:
- Rotate any secrets that were exposed in chat or local env files
- Clean up local untracked `.env` files that still contain real credentials
- Replace any weak local credentials still present in local-only env files

Final output format:
- `Completed:` issue numbers fully resolved
- `Partial:` issue numbers partially resolved and what remains
- `Blocked:` issue numbers blocked and why
- `Manual ops actions:` exact actions still required outside code
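Added example for issue `#5` (tightening service-global trust in the internal services). This is illustrative code written for this brief, not code from the `platform` repo. It assumes callers identify themselves with an `X-Service-Caller` header and present a shared key in `X-Service-Key`, that keys are provisioned as `SERVICE_KEY_<CALLER>` environment variables, and that a per-target allow list replaces "any valid key reaches any service"; all of those names are assumptions.

```python
"""Service-to-service trust check for an internal service such as inventory or
budget. Illustrative example for issue #5; not the platform repo's own code.
Header names, env-var naming and the allow-list shape are assumptions."""
import hmac

CALLER_HEADER = "x-service-caller"   # assumed header naming the calling service
KEY_HEADER = "x-service-key"         # assumed header carrying the service key
KEY_ENV_PREFIX = "SERVICE_KEY_"      # assumed env-var naming convention


def load_service_keys(env):
    """Build {caller: key} from an environment mapping. Empty values are
    skipped so a blank variable can never become an accepted key."""
    keys = {}
    for name, value in env.items():
        if name.startswith(KEY_ENV_PREFIX) and value:
            keys[name[len(KEY_ENV_PREFIX):].lower()] = value
    return keys


def authorize_service_request(headers, target, service_keys, allowed_callers):
    """Decide whether a request reaching internal service `target` is trusted.

    headers:         request headers (looked up case-insensitively)
    target:          service handling the request, e.g. "inventory"
    service_keys:    {caller: key} from load_service_keys()
    allowed_callers: {target: {caller, ...}} scoping which callers may reach which service

    Returns (allowed, reason). The key comparison is constant-time via
    hmac.compare_digest, and the per-target scope is checked only after the
    key is valid, so scope details are never reported to an unauthenticated caller.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    caller = (lowered.get(CALLER_HEADER) or "").lower()
    presented = lowered.get(KEY_HEADER) or ""
    if not caller or not presented:
        return False, "missing service credentials"
    expected = service_keys.get(caller)
    if expected is None:
        return False, "unknown caller"
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return False, "invalid service key"
    if caller not in allowed_callers.get(target, set()):
        return False, f"caller {caller} not allowed to reach {target}"
    return True, "ok"


def debug_routes_enabled(env):
    """Debug/introspection surfaces stay off unless explicitly enabled AND the
    deployment is not production; a stray DEBUG flag in prod is not enough."""
    return env.get("ENABLE_DEBUG_ROUTES") == "1" and env.get("APP_ENV") != "production"


if __name__ == "__main__":
    # Constructed sample environment and allow list for a local run.
    env = {"SERVICE_KEY_GATEWAY": "gw-key-constructed",
           "SERVICE_KEY_DASHBOARD": "dash-key-constructed",
           "APP_ENV": "production"}
    acl = {"inventory": {"gateway"}, "budget": {"gateway", "dashboard"}}
    keys = load_service_keys(env)
    hdrs = {"X-Service-Caller": "dashboard", "X-Service-Key": "dash-key-constructed"}
    print(authorize_service_request(hdrs, "budget", keys, acl))      # (True, 'ok')
    print(authorize_service_request(hdrs, "inventory", keys, acl))   # scoped out
    print(debug_routes_enabled(env))                                  # False
```

The allow list is the part that turns service-global trust into documented, per-service trust: it can be committed alongside the code as the trust-model documentation the issue asks for, and a caller with a valid key still cannot reach a service it is not listed for.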
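Added example for issue `#8` (repo-level safety checks that CI can enforce). This is an illustrative script written for this brief, not the repo's own CI configuration or tooling. It assumes the check runs from the repo root inside a CI job, that `git ls-files` lists the tracked paths, and that `.env.example`-style templates are legitimate; the file patterns, the credential-looking-line regex and the placeholder list are assumptions and would be tuned to the repo.

```python
"""Repo-level safety check intended as a CI step for issue #8. Fails the job if
tracked files match live-secret patterns (.env, *.db) or if tracked text contains
assignments that look like real credentials. Illustrative example; not the
platform repo's own code. Patterns and placeholder values are assumptions."""
import re
from pathlib import PurePosixPath

FORBIDDEN_GLOBS = ("*.db", "*.sqlite", "*.sqlite3")            # assumed
TEMPLATE_SUFFIXES = (".example", ".sample", ".template")        # assumed
# Matches e.g.  DB_PASSWORD=hunter2hunter2  or  api_key: "..."; value must be 8+ chars.
SECRET_LINE = re.compile(
    r"(?i)([A-Za-z0-9_.-]*(?:api[_-]?key|secret|token|password|passwd)[A-Za-z0-9_.-]*)"
    r"\s*[:=]\s*['\"]?([^\s'\"]{8,})")
PLACEHOLDERS = {"changeme", "<redacted>", "example", "placeholder", "your-key-here"}


def forbidden_tracked_paths(paths):
    """Return tracked paths that should never be committed. `.env` and `.env.local`
    style files are forbidden, but `.env.example` style templates are allowed."""
    hits = []
    for p in paths:
        pp = PurePosixPath(p)
        name = pp.name
        is_env = name == ".env" or (name.startswith(".env.")
                                    and not name.endswith(TEMPLATE_SUFFIXES))
        if is_env or any(pp.match(g) for g in FORBIDDEN_GLOBS):
            hits.append(p)
    return hits


def suspicious_lines(path, text):
    """Return (path, lineno, key) for lines that look like real credentials.
    Template files and obvious placeholders / ${VAR} references are skipped."""
    if PurePosixPath(path).name.endswith(TEMPLATE_SUFFIXES):
        return []
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SECRET_LINE.search(line)
        if not m:
            continue
        value = m.group(2)
        if value.lower() in PLACEHOLDERS or value.startswith("${"):
            continue
        findings.append((path, lineno, m.group(1)))
    return findings


def run_check(tracked_files):
    """tracked_files: {path: text or None for binary/unreadable}.
    Returns a list of problem strings; an empty list means the check passes."""
    problems = [f"forbidden tracked file: {p}" for p in forbidden_tracked_paths(tracked_files)]
    for path, text in tracked_files.items():
        if text is None:
            continue
        for p, lineno, key in suspicious_lines(path, text):
            problems.append(f"possible credential in {p}:{lineno} ({key})")
    return problems


if __name__ == "__main__":
    import subprocess
    import sys
    out = subprocess.run(["git", "ls-files", "-z"], check=True, capture_output=True).stdout
    tracked = {}
    for raw in out.split(b"\0"):
        if not raw:
            continue
        path = raw.decode()
        try:
            with open(path, encoding="utf-8") as fh:
                tracked[path] = fh.read()
        except (UnicodeDecodeError, OSError):
            tracked[path] = None   # binary or unreadable: path check only
    problems = run_check(tracked)
    for problem in problems:
        print(problem)
    sys.exit(1 if problems else 0)
```

Running this as a required CI step (alongside the dependency audit the issue already has locally) gives the repo-level check the issue asks for without depending on an external scanner; it complements rather than replaces a full secret scanner, and the `.env`/`.db` path check guards the `.gitignore` fix from `#1` against a forced add.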
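Added example for issue `#9` (removing repeated full-table and full-account scans from the summary paths). This is illustrative code written for this brief, not the repo's inventory or budget service code. It assumes a single `inventory_items` table with an `account_id` column, a per-account summary of item count, units and stock value, and a 30-second TTL; the schema, the TTL and the cache shape are all assumptions. The "before" function keeps the full-scan pattern on purpose, so the targeted query can be checked against it.

```python
"""Summary-endpoint de-risking for issue #9. Illustrative example; not the
platform repo's own code. Shows the two changes the issue asks for: one indexed,
aggregated query instead of a per-request full scan, and a short per-account
cache that is invalidated on writes. Schema and TTL are assumptions."""
import sqlite3
import time

SUMMARY_TTL_SECONDS = 30  # assumed; short enough for dashboards to stay fresh


def make_db():
    """In-memory database with constructed sample rows for a local run."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE inventory_items "
                 "(account_id TEXT, sku TEXT, qty INTEGER, unit_cost REAL)")
    conn.execute("CREATE INDEX ix_items_account ON inventory_items(account_id)")
    rows = [("acct-a", "sku-1", 10, 1.5), ("acct-a", "sku-2", 4, 10.0),
            ("acct-b", "sku-1", 3, 1.5)]
    conn.executemany("INSERT INTO inventory_items VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def summary_full_scan(conn, account_id):
    """The pattern being removed: every row is pulled on every request and the
    filtering/summing happens in application code."""
    rows = conn.execute("SELECT account_id, qty, unit_cost FROM inventory_items").fetchall()
    mine = [r for r in rows if r[0] == account_id]
    return {"items": len(mine),
            "units": sum(r[1] for r in mine),
            "value": round(sum(r[1] * r[2] for r in mine), 2)}


def summary_targeted(conn, account_id):
    """One aggregated query over the account index; the database does the work
    and only a single row crosses the wire."""
    row = conn.execute(
        "SELECT COUNT(*), COALESCE(SUM(qty), 0), COALESCE(SUM(qty * unit_cost), 0) "
        "FROM inventory_items WHERE account_id = ?", (account_id,)).fetchone()
    return {"items": row[0], "units": row[1], "value": round(row[2], 2)}


class SummaryCache:
    """Per-account TTL cache. Keyed by account so one tenant's refresh never
    evicts another's, and a write invalidates only that account's entry."""

    def __init__(self, ttl=SUMMARY_TTL_SECONDS, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock        # injectable for tests
        self._entries = {}
        self.hits = 0
        self.misses = 0

    def get_or_compute(self, account_id, compute):
        now = self.clock()
        entry = self._entries.get(account_id)
        if entry is not None and now - entry[0] < self.ttl:
            self.hits += 1
            return entry[1]
        self.misses += 1
        value = compute(account_id)
        self._entries[account_id] = (now, value)
        return value

    def invalidate(self, account_id):
        self._entries.pop(account_id, None)


def record_receipt(conn, cache, account_id, sku, qty, unit_cost):
    """Write path: insert, then drop the cached summary for that account only."""
    conn.execute("INSERT INTO inventory_items VALUES (?, ?, ?, ?)",
                 (account_id, sku, qty, unit_cost))
    conn.commit()
    cache.invalidate(account_id)


if __name__ == "__main__":
    conn = make_db()
    cache = SummaryCache()
    print(summary_full_scan(conn, "acct-a"))
    print(cache.get_or_compute("acct-a", lambda a: summary_targeted(conn, a)))
    print(cache.get_or_compute("acct-a", lambda a: summary_targeted(conn, a)))
    print("hits/misses:", cache.hits, cache.misses)
```

The measurable reduction the issue asks for is visible here: the full-scan path reads the whole table per request, the targeted path reads one indexed range and returns one row, and within the TTL a repeated dashboard refresh reads nothing at all. Invalidating on write (rather than waiting out the TTL) keeps the summary correct immediately after a receipt is recorded.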