chore(deps): lock file maintenance

[renovate]

This PR contains the following updates:

Update	Change
lockFileMaintenance	All locks refreshed

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

🔧 This Pull Request updates lock files to use the latest dependency versions.

---

Configuration

📅 Schedule: Branch creation - "before 4am on monday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Caution

[High Risk] New API server will be directly exposed from a public subnet with broad internal and customer reachability

The change creates github.com/overmindtech/terraform-example.aws_instance.module.api_access[0].aws_instance.api_server as a production-tagged EC2 instance in subnet-07b5b1fb2ba02f964, which is a public subnet routed to internet gateway igw-0beefc4b4a0653a6e. Its user data starts a Python HTTP server bound to 0.0.0.0:9090, and the instance is attached to sg-089e5107637083db5, which permits tcp/9090 from all 10.0.0.0/8, plus sg-03cf38efd953aa056, which permits tcp/443 from many customer CIDRs.

This creates a new directly reachable EC2 endpoint outside the managed front-door pattern required by our security guidance. The same module also includes an Elastic IP resource and a live ec2-address query shows an existing production-api-eip, so this instance is likely to become publicly addressable even though the subnet does not auto-assign public IPs. The result is a production API/health host exposed from a public subnet with broad internal and customer network reachability, increasing attack surface and violating segmentation controls; if the instance is assigned the EIP as intended, it becomes a direct internet-reachable endpoint rather than being reachable only through the ALB/WAF path.
_{View reasoning tree here.}

Warning

[Medium Risk] New production EC2 instance is being launched without a demonstrated IAM role and with conflicting environment tags

A new production API instance is being created as t4g.nano in subnet-07b5b1fb2ba02f964, but the plan does not show any IAM instance profile being attached and the closest existing instance pattern in this environment already runs with IamInstanceProfile: null. Under our compute standards, launching EC2 without an instance profile is a policy violation because any monitoring, backup, SSM, or bootstrap logic that expects instance-role credentials will fail once the instance comes up.

The same instance is also tagged Environment=production while both the target subnet and VPC are tagged Environment=development. That mismatch will cause environment-scoped automation, governance, and incident handling to classify the host inconsistently from the network it actually resides in. Even if the ARM bootstrap script itself is fine, this change introduces a real production compute/governance risk through a role-less instance in development-tagged network boundaries.
_{View reasoning tree here.}

Signals

Routine → Multiple compute, access, and monitoring resources showing unusual infrequent update patterns at 1-2 events/week for the last 3 months, with one monitoring resource at 1 event/week for the last 2 months, which is infrequent compared to typical patterns.
Policies → Multiple policy checks show unusual security and compliance issues that may need review: the S3 bucket does not have server-side encryption configured and is missing required tags, while the security group allows SSH (port 22) access from anywhere (0.0.0.0/0).

_{Additional Change Details:} Items 115 Edges 223 model|risks_v6 ✨Encryption Key State Risk ✨KMS Key Creation

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Auto-blocked: Routine score (-5) is below minimum (-1)

---

📊 Signals Summary

Routine 🔴 -5

---

🔥 Risks Summary

High 0 · Medium 0 · Low 0

---

💥 Blast Radius

Items 7 · Edges 23

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Found 2 high risks requiring review

---

📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3

---

🔥 Risks Summary

High 2 · Medium 0 · Low 0

---

💥 Blast Radius

Items 83 · Edges 189

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Found 1 high risk requiring review

---

📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3

---

🔥 Risks Summary

High 1 · Medium 1 · Low 0

---

💥 Blast Radius

Items 92 · Edges 260

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Found 2 high risks requiring review

---

📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3

---

🔥 Risks Summary

High 2 · Medium 0 · Low 0

---

💥 Blast Radius

Items 57 · Edges 126

---

View full analysis in Overmind ↗