Summary
This patch release promotes the runtime and deployment hardening work to production.
Included
- deterministic release promotion with a pinned Railway CLI version
- fail-fast validation for token duration configuration
- safer production defaults for /metrics, with optional bearer protection via METRICS_AUTH_TOKEN
- bounded in-memory rate-limit fallback behaviour under Redis degradation
- explicit bearer header parsing that resolves the CodeQL regex finding
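
To illustrate the /metrics bearer protection and explicit bearer parsing items above, here is an added example that is not taken from the project's code: it parses the Authorization header with plain string operations instead of a regular expression, then compares the token in constant time against the value configured in METRICS_AUTH_TOKEN. The function names, the 4096-character bound and the token values are assumptions made for the example.

```python
import hmac

# Assumed bound (not from the release notes): reject oversized headers up front.
MAX_HEADER_LEN = 4096


def parse_bearer(header):
    """Return the token from a 'Bearer <token>' header value, or None if malformed.

    Uses only partition/strip and a single linear scan, so there is no regex
    and no backtracking on attacker-controlled input.
    """
    if not isinstance(header, str) or len(header) > MAX_HEADER_LEN:
        return None
    scheme, sep, rest = header.partition(" ")
    # The auth scheme is case-insensitive; anything other than Bearer is rejected.
    if not sep or scheme.lower() != "bearer":
        return None
    token = rest.strip(" ")
    if not token:
        return None
    # Embedded whitespace or control characters mean the value is malformed.
    for ch in token:
        if ch.isspace() or ord(ch) < 0x21 or ord(ch) == 0x7F:
            return None
    return token


def metrics_authorized(header, expected_token):
    """True only when the presented bearer token equals expected_token.

    expected_token stands for the configured METRICS_AUTH_TOKEN value. An empty
    value is refused so a blank setting can never match a blank credential.
    """
    if not expected_token:
        raise ValueError("expected_token must be non-empty")
    presented = parse_bearer(header)
    if presented is None:
        return False
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(
        presented.encode("utf-8"), expected_token.encode("utf-8")
    )
```
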
Operational impact
Production promotion stays release-driven and fully verified, and the default runtime posture is safer under both configuration drift and dependency degradation.