New

  • security: add gitleaks CI guard and SECURITY.md policy #421
  • monitoring: expose Prometheus scrape annotations on euromail-worker pod

Fixed

  • api: add WWW-Authenticate header to metrics 401 and harden tests
  • api: require METRICS_BEARER_TOKEN in production and constant-time compare
  • ci: allowlist k8s/secrets/ SealedSecret manifests in gitleaks
  • ci: preserve original tarball filename for gitleaks sha256sum verification
  • config: move METRICS_BEARER_TOKEN production validation from AppConfig to ApiConfig
  • security: harden worker/monitor metrics auth and fix Prometheus scraping
  • security: narrow gitleaks allowlist and remove misleading IngressRoute annotation
  • security: raise IngressRoute priority to 100 so IPAllowList beats catch-all Ingress
  • tests: add missing AppState/AppConfig fields to metrics_auth test
  • tests: correct misleading subtle::ct_eq comment in metrics_rejects_token_prefix
  • llms: remove hardcoded [email protected] from skill description
  • openapi: correct batch response schema and domain update docs
  • ci: pin shared docker-build-targets to multi-arch commit
  • landing: add llms.txt discovery to robots.txt and nginx aliases
  • smtp: add accepted_domains to RouterReceiveConfig test helpers
  • smtp: rename local_part to strip_angle_brackets and update stale liveness doc
  • smtp: replace manual splitn with split_once for clippy
  • smtp: validate RCPT TO domain at connect time, reject unknown domains
  • ci: update shared workflow to multi-arch build commit #490
  • security: disable k8s API token automount in all pods + seal secrets