fix: complete remaining remediation (#5, #8, #9)

#5 Gateway Trust Model:
- Token validation now uses protected endpoints, not health checks
- Unknown services rejected (no fallback to unprotected endpoint)
- Trust model documented in docs/trust-model.md

#8 CI Enforcement:
- Added .gitea/workflows/security.yml with:
  - Dependency audit (npm audit --audit-level=high for budget)
  - Secret scanning (checks for tracked .env/.db, hardcoded secrets)
  - Dockerfile lint (non-root USER, HEALTHCHECK presence)

#9 Performance Hardening:
- Budget /summary: 1-minute in-memory cache (avoids repeated account fan-out)
- Gateway /api/dashboard: 30-second per-user cache (50x faster on repeat)
- Inventory health endpoint added before auth middleware

Closes #5, #8, #9
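Added illustration of the #5 trust-model rule (validate against a protected endpoint, reject unknown services with no fallback) and the #9 per-user dashboard cache; this is example code, not code from this repository. The service registry, the injected synchronous `request` function, the fake upstream and the `now` clock are assumptions made so it runs offline.

```javascript
// Added example (not the project's code). Assumed: a registry naming each
// service's protected endpoint, and an injected synchronous `request`
// function so the check runs offline against a constructed fake upstream.
const SERVICE_REGISTRY = {
  budget: { protectedPath: "/summary" },
  inventory: { protectedPath: "/items" },
};

class UnknownServiceError extends Error {}

// Validate a bearer token by calling the target service's protected endpoint.
// A health check answers 200 for anyone, so it proves nothing about the token;
// an unregistered service is rejected outright rather than falling back to an
// unprotected path.
function validateToken(service, token, request) {
  const entry = SERVICE_REGISTRY[service];
  if (!entry) throw new UnknownServiceError(`unknown service: ${service}`);
  const res = request(entry.protectedPath, {
    headers: { Authorization: `Bearer ${token}` },
  });
  return res.status >= 200 && res.status < 300; // 401/403 => token rejected
}

// Constructed fake upstream: /health is always 200 (unauthenticated),
// protected paths require the exact valid token.
function fakeUpstream(validToken) {
  return (path, opts = {}) => {
    if (path === "/health") return { status: 200 };
    const auth = (opts.headers || {}).Authorization;
    return { status: auth === `Bearer ${validToken}` ? 200 : 401 };
  };
}

// Per-user TTL cache for the dashboard: keyed by user id so one user's cached
// response is never served to another; `now` is injectable for testing.
function makePerUserCache(ttlMs, now = Date.now) {
  const store = new Map();
  return (userId, compute) => {
    const hit = store.get(userId);
    if (hit && now() - hit.at < ttlMs) return hit.value;
    const value = compute();
    store.set(userId, { value, at: now() });
    return value;
  };
}
```

Calling `validateToken` with a service name absent from the registry throws rather than probing `/health`, which is the behaviour the "no fallback" item describes.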