Security (10 findings fixed): sub-agent capability escalation; data_query fail-open;
provider-tools (SSRF, approval-bypass, deny-gate, secret redaction, actor spoofing,
IDOR, FAL webhook signature); graph-RAG access scope; agent-run IDOR; realtime
tool-dispatch deny-bypass; admin scaffold RCE; admin open-by-default gate; engine
SSRF/LFI; driver model-name URL-path injection.

Behavior: goal-agent restored natively under AiNative (no classic routing); use_rag
gate dropped (AiNative/search_knowledge owns the retrieval decision); realtime
identity hardening + LiveKit 422.

Infra: CI now runs Unit+Feature (security tests gated); dead RoutingDecisionAction
constants removed; force_rag cost documented.

NOTE — behavior changes with blast radius (now fail-closed by default; opt-outs in config):
data_query.require_scope, admin_ui access gate (allow_any_authenticated/allow_localhost),
provider-tools owner_resolver, graph.require_access_scope.