diff --git a/.github/workflows/agentops-fleet.yml b/.github/workflows/agentops-fleet.yml
new file mode 100644
index 0000000..3088da4
--- /dev/null
+++ b/.github/workflows/agentops-fleet.yml
@@ -0,0 +1,22 @@
+name: AgentOps Fleet Gate
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+  schedule:
+    - cron: '31 8 * * 1'
+
+permissions:
+  contents: read
+  actions: read
+  security-events: write
+  pull-requests: read
+
+jobs:
+  agentops:
+    uses: donny-devops/github-actions-templates/.github/workflows/reusable-agentops.yml@main
+    with:
+      python-version: '3.12'
+      node-version: '22'
+      run-security-audit: true
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7be5d57..5325c25 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,17 +9,15 @@ on:
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint (ruff)
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
     steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ github.head_ref }}
-          token: ${{ secrets.GITHUB_TOKEN }}
+      - uses: actions/checkout@v7
 
       - uses: actions/setup-python@v5
         with:
@@ -31,18 +29,13 @@ jobs:
       - name: Lint with ruff
         run: ruff check . --output-format=github
 
-      - name: Format with ruff
-        run: |
-          ruff format .
-          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git config user.name "github-actions[bot]"
-          git diff --quiet || git commit -am "style: auto-format with ruff" && git push
+      - name: Format check with ruff
+        run: ruff format --check .
 
   test:
     name: Test (pytest + PostgreSQL)
     runs-on: ubuntu-latest
     needs: lint
-
     services:
       postgres:
         image: postgres:16-alpine
@@ -57,13 +50,12 @@ jobs:
           --health-retries 5
         ports:
           - 5432:5432
-
     env:
       DATABASE_URL: postgresql://testuser:testpass@localhost:5432/testdb
       SECRET_KEY: test-secret
-
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
+
       - uses: actions/setup-python@v5
         with:
           python-version: "3.12"
@@ -75,38 +67,37 @@ jobs:
           pip install -r requirements.txt
 
       - name: Run migrations
-        run: |
-          flask db upgrade
+        run: flask db upgrade
         env:
           FLASK_APP: "app:create_app()"
 
       - name: Run pytest
-        run: |
-          pytest --cov=app --cov-report=xml --cov-fail-under=85 -v
+        run: pytest --cov=app --cov-report=xml --cov-fail-under=85 -v
 
       - name: Upload coverage
         uses: actions/upload-artifact@v4
         with:
           name: coverage-report
           path: coverage.xml
+          retention-days: 7
 
   docker:
     name: Build & Push Docker Image
     runs-on: ubuntu-latest
     needs: test
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
     permissions:
       contents: read
       packages: write
-
+      security-events: write
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@v3
 
       - name: Log in to GHCR
-        uses: docker/login-action@v4
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -114,7 +105,7 @@ jobs:
 
       - name: Extract metadata
         id: meta
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@v5
         with:
           images: ghcr.io/${{ github.repository }}
           tags: |
@@ -122,10 +113,27 @@ jobs:
             type=raw,value=latest
 
       - name: Build and push
-        uses: docker/build-push-action@v5
+        id: build
+        uses: docker/build-push-action@v6
         with:
           context: .
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          provenance: true
+          sbom: true
+
+      - name: Trivy image scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ghcr.io/${{ github.repository }}:latest
+          format: sarif
+          output: trivy.sarif
+          severity: HIGH,CRITICAL
+          exit-code: '0'
+
+      - name: Upload Trivy results
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy.sarif
diff --git a/.github/workflows/security-hygiene.yml b/.github/workflows/security-hygiene.yml
new file mode 100644
index 0000000..0f873a1
--- /dev/null
+++ b/.github/workflows/security-hygiene.yml
@@ -0,0 +1,35 @@
+name: Security Hygiene
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  hygiene:
+    name: Secret hygiene
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Block obvious private keys and tokens
+        shell: bash
+        run: |
+          SECRET_PATTERN='BEGIN (RSA |OPENSSH |EC |DSA )?PRIVATE KEY|ghp_[A-Za-z0-9_]{20,}|github_pat_[A-Za-z0-9_]{20,}|AKIA[0-9A-Z]{16}|AIza[0-9A-Za-z_-]{20,}|sk-[A-Za-z0-9]{20,}'
+          if grep -RInE "$SECRET_PATTERN" . \
+            --exclude-dir=.git \
+            --exclude=.github/workflows/security-hygiene.yml; then
+            echo "Potential secret material found. Remove it and rotate the credential."
+            exit 1
+          fi