- docs/DEPLOY_CHECKLIST.md: the prod-config items that only lived in
session notes are now in the repo — TOKEN_ENCRYPTION_KEY (v2:->e2:
migration), WEBAUTHN_RP_ID/_ORIGIN, simplefin_debug_logging off,
cdn.sheetjs.com egress, Node-version alignment, TS7 deferral
- renovate.json: weekly grouped non-majors, dashboard-approval majors,
xlsx (CDN-pinned) excluded, typescript capped <7 until
typescript-eslint supports it
- .forgejo/workflows/deps-audit.yml: weekly scheduled audit that FAILS
on high+ prod vulns + prints npm outdated — the durable QA-B0-02 fix
that works even before Renovate is enabled on the Forgejo instance
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>