fix: security problems, outdated deps versions

backend/pyproject.toml

@@ -20,7 +20,7 @@ dependencies = [
     "cachetools==6.2.4",
     "certifi==2024.8.30",
     "charset-normalizer==3.4.0",
-    "click==8.1.7",
+    "click==8.3.1",
     "ConfigArgParse==1.7.1",
     "aiokafka==0.12.0",
     "contourpy==1.3.3",
@@ -54,7 +54,7 @@ dependencies = [
     "MarkupSafe==3.0.2",
     "mdurl==0.1.2",
     "msgpack==1.1.0",
-    "multidict==6.7.0",
+    "multidict==6.7.1",
     "oauthlib==3.3.1",
     "opentelemetry-api==1.39.1",
     "opentelemetry-exporter-otlp==1.39.1",
@@ -80,7 +80,7 @@ dependencies = [
     "pathspec==0.12.1",
     "prometheus-fastapi-instrumentator==7.0.0",
     "prometheus_client==0.21.0",
-    "propcache==0.3.2",
+    "propcache==0.4.1",
     "protobuf==6.33.5",
     "psutil==6.1.0",
     "pyasn1==0.6.2",
@@ -106,7 +106,7 @@ dependencies = [
     "slowapi==0.1.9",
     "sniffio==1.3.1",
     "sortedcontainers==2.4.0",
-    "sse-starlette==2.2.1",
+    "sse-starlette==3.2.0",
     "starlette==0.49.1",
     "tiktoken==0.11.0",
     "tomli==2.0.2",
@@ -136,7 +136,7 @@ dev = [
     "async-asgi-testclient>=1.4.11",
     "coverage==7.13.0",
     "hypothesis==6.103.4",
-    "iniconfig==2.0.0",
+    "iniconfig==2.3.0",
     "matplotlib==3.10.8",
     "mypy==1.19.1",
     "mypy_extensions==1.1.0",

cert-generator/Dockerfile

@@ -1,28 +1,23 @@
 FROM alpine:3.23
 
 # Pin versions for reproducible builds
-# kubectl: Use supported version (N-2 policy: 1.35, 1.34, 1.33 as of Dec 2025)
-# mkcert: Latest stable release
-ARG KUBECTL_VERSION=v1.33.6
-ARG MKCERT_VERSION=v1.4.4
+# kubectl: Use supported version (N-2 policy: 1.35, 1.34, 1.33 as of Feb 2026)
+ARG KUBECTL_VERSION=v1.35.0
 
 # Install required packages and tools for all architectures
-RUN apk add --no-cache wget ca-certificates openssl curl dos2unix netcat-openbsd iproute2 && \
+RUN apk add --no-cache ca-certificates openssl curl dos2unix netcat-openbsd iproute2 && \
     update-ca-certificates && \
     # Detect architecture and install appropriate binaries
     ARCH=$(uname -m); \
     case $ARCH in \
-        x86_64) KUBECTL_ARCH=amd64; MKCERT_ARCH=amd64 ;; \
-        aarch64) KUBECTL_ARCH=arm64; MKCERT_ARCH=arm64 ;; \
-        armv7l) KUBECTL_ARCH=arm; MKCERT_ARCH=arm ;; \
+        x86_64) KUBECTL_ARCH=amd64 ;; \
+        aarch64) KUBECTL_ARCH=arm64 ;; \
+        armv7l) KUBECTL_ARCH=arm ;; \
         *) echo "Unsupported architecture: $ARCH" && exit 1 ;; \
     esac && \
     # Install kubectl (pinned version for reproducibility)
     curl -fsSL "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${KUBECTL_ARCH}/kubectl" -o /usr/local/bin/kubectl && \
-    chmod +x /usr/local/bin/kubectl && \
-    # Install mkcert
-    wget -q "https://github.com/FiloSottile/mkcert/releases/download/${MKCERT_VERSION}/mkcert-${MKCERT_VERSION}-linux-${MKCERT_ARCH}" -O /usr/local/bin/mkcert && \
-    chmod +x /usr/local/bin/mkcert
+    chmod +x /usr/local/bin/kubectl
 
 # Create shared directory for root CA
 RUN mkdir -p /shared_ca
@@ -37,4 +32,4 @@ RUN echo '#!/bin/sh\necho "Cert Generator Health Check: OK"\n' > /health.sh && \
     chmod +x /health.sh
 
 # Run both setup scripts
-ENTRYPOINT ["/bin/sh", "-c", "/setup-k8s.sh && /setup-certs.sh"]
+ENTRYPOINT ["/bin/sh", "-c", "/setup-k8s.sh && /setup-certs.sh"]

cert-generator/setup-certs.sh

@@ -28,7 +28,7 @@ echo "Copied cert/key to frontend directory"
 
 # Copy to shared CA directory
 if [ -n "$SHARED_CA_DIR" ]; then
-    cp "$BACKEND_CERT_DIR/server.crt" "$SHARED_CA_DIR/mkcert-ca.pem"
+    cp "$BACKEND_CERT_DIR/server.crt" "$SHARED_CA_DIR/ca.pem"
     echo "Certificate copied to shared CA directory"
 fi
 

docker-compose.yaml

@@ -148,7 +148,7 @@ services:
       - app-network
     environment:
       - VITE_BACKEND_URL=https://backend:443
-      - NODE_EXTRA_CA_CERTS=/shared_ca/mkcert-ca.pem
+      - NODE_EXTRA_CA_CERTS=/shared_ca/ca.pem
     healthcheck:
       test: ["CMD-SHELL", "curl -k -f -s https://localhost:5001 >/dev/null || exit 1"]
       interval: 2s

docs/architecture/frontend-build.md

@@ -55,7 +55,7 @@ Rollup splits the bundle into chunks to improve load performance. The `manualChu
 
 The plugin pipeline processes files in order: **replace** substitutes `process.env.VITE_BACKEND_URL` with an empty string for relative API paths; **svelte** compiles `.svelte` files with TypeScript preprocessing and `runes: true` for Svelte 5; **postcss** processes CSS and extracts styles to `bundle.css`; **typescript** compiles TypeScript with source maps; **json** allows importing JSON files; **resolve** handles `node_modules` imports preferring ES modules; **commonjs** converts CommonJS to ES modules; and **terser** (production only) minifies JavaScript, removes console logs, and runs two compression passes.
 
-In development mode (`npm run dev`), Rollup watches for changes and a custom HTTPS server starts automatically. The server serves files from `public/` with SPA fallback to `index.html`, and proxies `/api/*` requests to the backend container over HTTPS. The proxy uses a custom `https.Agent` that trusts the local CA certificate at `/shared_ca/mkcert-ca.pem`, allowing secure communication with the backend during development on port 5001.
+In development mode (`npm run dev`), Rollup watches for changes and a custom HTTPS server starts automatically. The server serves files from `public/` with SPA fallback to `index.html`, and proxies `/api/*` requests to the backend container over HTTPS. The proxy uses a custom `https.Agent` that trusts the local CA certificate at `/shared_ca/ca.pem`, allowing secure communication with the backend during development on port 5001.
 
 ## TypeScript configuration
 
@@ -193,6 +193,6 @@ If you see TypeScript errors after SDK regeneration, check `types.gen.ts` for th
 
 For styles not applying, ensure the class exists in Tailwind's default utilities or is defined in `app.css`, and check for typos in semantic token names (e.g., `bg-default` vs `bg-bg-default`). 
 
-Dev server certificate errors mean the certificates at `./certs/server.key` and `./certs/server.crt` are missing, or the CA at `/shared_ca/mkcert-ca.pem` isn't available — run the cert-generator container first via Docker Compose. 
+Dev server certificate errors mean the certificates at `./certs/server.key` and `./certs/server.crt` are missing, or the CA at `/shared_ca/ca.pem` isn't available — run the cert-generator container first via Docker Compose. 
 
 If API calls fail in development, verify the backend is running and healthy; the dev server proxies to `https://backend:443`, so check Docker networking if the container can't resolve the hostname.

frontend/package.json

@@ -25,10 +25,10 @@
     "@codemirror/lang-python": "^6.1.6",
     "@codemirror/language": "^6.12.1",
     "@codemirror/legacy-modes": "^6.5.2",
-    "@codemirror/state": "^6.5.3",
+    "@codemirror/state": "^6.5.4",
     "@codemirror/theme-one-dark": "^6.1.2",
-    "@codemirror/view": "^6.39.8",
-    "@lucide/svelte": "^0.562.0",
+    "@codemirror/view": "^6.39.11",
+    "@lucide/svelte": "^0.563.1",
     "@mateothegreat/svelte5-router": "^2.16.19",
     "@rollup/plugin-commonjs": "^29.0.0",
     "@rollup/plugin-json": "^6.1.0",
@@ -59,7 +59,7 @@
   "devDependencies": {
     "@babel/runtime": "^7.28.6",
     "@eslint/js": "^9.39.2",
-    "@hey-api/openapi-ts": "0.90.4",
+    "@hey-api/openapi-ts": "^0.90.10",
     "@playwright/test": "^1.52.0",
     "@rollup/plugin-alias": "^6.0.0",
     "@rollup/plugin-typescript": "^12.1.2",
@@ -70,7 +70,7 @@
     "@testing-library/svelte": "^5.3.1",
     "@testing-library/user-event": "^14.6.1",
     "@typescript-eslint/eslint-plugin": "^8.53.0",
-    "@typescript-eslint/parser": "^8.53.0",
+    "@typescript-eslint/parser": "^8.53.1",
     "@vitest/coverage-v8": "^4.0.17",
     "eslint": "^9.39.2",
     "eslint-plugin-svelte": "^3.14.0",