chore: easy-issue sweep 2026-05-11

[mvillmow]

Bundled implementation of EASY audit-finding issues from the 2026-04-28 audit (#504), per the 2026-05-11 ecosystem-wide sweep.

Closes — implemented

• Closes [MINOR] §12: Helm values.yaml uses 'latest' as default image tag #530 — helm/projectkeystone/values.yaml: change image.tag default from "latest" to "" so the existing _helpers.tpl default .Chart.AppVersion fallback wins; deployments are now reproducible by default.
• Closes [MINOR] §13: setup-env.sh required for Docker but its contents are undocumented #529 — README.md: document what ./scripts/setup-env.sh writes (GIT_COMMIT, BUILD_UID, BUILD_GID) and that its only side effect is creating ./.env.
• Closes [MINOR] §15: CPack CONTACT set to placeholder email address #528 — CMakeLists.txt:904: replace placeholder projectkeystone@example.com with ProjectKeystone Maintainers <noreply@homericintelligence.dev> and update the homepage URL to the canonical HomericIntelligence/ProjectKeystone repo.
• Closes [MINOR] §9: NATSListener.stop() does not drain or close subscription #527 — src/keystone/nats_listener.py: stop() now drains the JetStream subscription (or unsubscribes if drain is unsupported) instead of only logging.
• Closes [MINOR] §8: Production container missing allowPrivilegeEscalation and readOnlyRootFilesystem #526 — k8s/deployment.yaml + helm/projectkeystone/values.yaml: container securityContext now sets allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, and drops all capabilities.
• Closes [MINOR] §7: requirements.txt and pyproject.toml are redundant Python dep manifests #523 — delete requirements.txt; the same two test deps (pytest, pytest-asyncio) are already declared in pyproject.toml's dev extras, so the file was redundant.
• Closes [MINOR] §4: NATSListener.start() subscribes but does not wire message callback #521 — src/keystone/nats_listener.py: start() now passes cb=self._dispatch_message to js.subscribe, wiring the previously dead _on_task_event handler. Added _dispatch_message to parse the subject and invoke the existing validated handler.
• Closes [MINOR] §11: CLAUDE.md C++20 mandate contradicts presence of Python modules #520 — CLAUDE.md: clarify the C++20-only mandate. The transport runtime stays C++20-only; the small Python orchestration layer in src/keystone/ is documented as a maintained-but-frozen exception (no new responsibilities — those go to ProjectAgamemnon).

Closes — verified ALREADY-DONE

• Closes [MINOR] §6: Benchmark failures suppressed in CI with '|| true' #525 — .github/workflows/extras.yml:69 is now run: make benchmark.native (no || true). Removed in chore: remove silent-failure workarounds; add forbid-suppressions guard #549 (refactor || true workarounds) and reinforced by the forbid-suppressions pre-commit + CI guard introduced in the same PR plus Forbid ::warning:: advisory pattern; pip-audit + benchmark fail-fast #550.

Skipped — out of 50-LoC sweep scope

• [MINOR] §7: FetchContent C++ deps not covered by Dependabot vulnerability scanning #524 (Dependabot for FetchContent C++ deps): Dependabot has no native CMake FetchContent ecosystem; a real fix needs Renovate config or a custom CVE workflow. Defer to a dedicated PR.
• [MINOR] §4: getenv() called during NatsConfig constructor initialization #522 (getenv() in NatsConfig constructor): the env-var reads in NatsTlsConfig::validate() are intentional today (validate cert/key parity using the effective path, env-overridden). Removing them moves env-aware validation from construction to apply-time and risks changing observable behavior for env-only deployments. Needs a small design discussion + cert/key parity tests at apply-time before flipping. Out of sweep scope.

Notes

• Pre-commit was attempted but the local sandbox lacks python3.12 (pre-commit env pinned in .pre-commit-config.yaml). Local YAML / Python AST sanity checks pass; relying on CI for full validation.
• All commits anchored on origin/main (0c83068); no unrelated diff.
• Per-issue commits, one logical change each, to make Closes-list verification trivial.