P0 Ship-Blockers Exposed in 7-Agent Audit: Docker Auth Bypass, Neo4j OOM, Pinned CVEs

A proactive 7-agent security audit has flagged eight critical P0 ship-blockers that must be resolved before the next baseline run. The findings, detailed in the first of a four-part PR sequence, reveal severe vulnerabilities across authentication, production readiness, and dependency management. The most alarming is a Red Team discovery where a Docker Compose configuration using `--host 0.0.0.0` bypassed the A6 authorization check, causing both REST and GraphQL services to boot without any authentication.

Additional high-severity issues from the Prod Readiness and Dependency agents compound the risk. The Neo4j health check was found to be a simple port check, passing even when the database was in a disk-full, read-only state. A fresh clone of the system faces an immediate out-of-memory crash due to a default `NEO4J_CONTAINER_MEMORY_LIMIT` of 4GB, contradicting documentation stating 32GB. Dependency management is also critically flawed, with `src/requirements.txt` still pinning a vulnerable Airflow 2.x version containing over 18 CVEs, and GitHub Actions pinned to floating tags like `@v4` and `@v5`, a vector proven exploitable by a March 2025 attack on `tj-actions/changed-files`.

These independent but critical fixes, ranging from one-line changes to SHA pinning, represent foundational security and stability failures. The audit, employing specialized agents like Bug Hunter, Cross-Checker, and Devil's Advocate, signals deep systemic gaps in the project's security posture and operational resilience. Failure to land these fixes blocks all further baseline testing and exposes the deployment to immediate, high-risk exploitation and failure scenarios.