From 347eef91e48b35a359ed39014a731ab57671a639 Mon Sep 17 00:00:00 2001
From: HardMax71 <maxymazatyan@gmail.com>
Date: Mon, 2 Mar 2026 20:10:54 +0100
Subject: [PATCH 01/13] feat: sec hardening - passlib -> pwdlib - preciser
 limit enforcements for k8s pods, also psa labels - bumped up dependencies
 (last ones got CVEs inside), also added up passwords

---
 backend/app/core/security.py                  | 15 ++-
 .../app/services/k8s_worker/pod_builder.py    |  2 +
 backend/app/services/k8s_worker/worker.py     | 99 +++++++++++++++++++
 backend/app/settings.py                       |  1 +
 backend/pyproject.toml                        |  2 +-
 backend/scripts/seed_users.py                 |  9 +-
 backend/secrets.example.toml                  |  1 +
 backend/uv.lock                               | 77 ++++++++++++---
 backend/workers/run_k8s_worker.py             |  3 +-
 docker-compose.yaml                           |  8 +-
 frontend/nginx.conf.template                  |  2 +-
 11 files changed, 189 insertions(+), 30 deletions(-)

diff --git a/backend/app/core/security.py b/backend/app/core/security.py
index 93e5c4dc..6a70321d 100644
--- a/backend/app/core/security.py
+++ b/backend/app/core/security.py
@@ -6,7 +6,8 @@
 import jwt
 from fastapi import Request
 from fastapi.security import OAuth2PasswordBearer
-from passlib.context import CryptContext
+from pwdlib import PasswordHash
+from pwdlib.hashers.bcrypt import BcryptHasher
 
 from app.core.metrics import SecurityMetrics
 from app.domain.user import CSRFValidationError, InvalidCredentialsError
@@ -20,17 +21,15 @@ def __init__(self, settings: Settings, security_metrics: SecurityMetrics) -> Non
         self.settings = settings
         self._security_metrics = security_metrics
         # --8<-- [start:password_hashing]
-        self.pwd_context = CryptContext(
-            schemes=["bcrypt"],
-            deprecated="auto",
-            bcrypt__rounds=self.settings.BCRYPT_ROUNDS,
-        )
+        self._password_hash = PasswordHash((
+            BcryptHasher(rounds=self.settings.BCRYPT_ROUNDS),
+        ))
 
     def verify_password(self, plain_password: str, hashed_password: str) -> bool:
-        return self.pwd_context.verify(plain_password, hashed_password)  # type: ignore
+        return self._password_hash.verify(plain_password, hashed_password)
 
     def get_password_hash(self, password: str) -> str:
-        return self.pwd_context.hash(password)  # type: ignore
+        return self._password_hash.hash(password)
     # --8<-- [end:password_hashing]
 
     # --8<-- [start:create_access_token]
diff --git a/backend/app/services/k8s_worker/pod_builder.py b/backend/app/services/k8s_worker/pod_builder.py
index 1579fdee..65e4af2d 100644
--- a/backend/app/services/k8s_worker/pod_builder.py
+++ b/backend/app/services/k8s_worker/pod_builder.py
@@ -106,6 +106,8 @@ def _build_pod_spec(
             containers=[container],
             restart_policy="Never",
             active_deadline_seconds=timeout,
+            runtime_class_name=self._settings.K8S_POD_RUNTIME_CLASS_NAME,
+            host_users=False,  # User namespace isolation — remaps container UIDs to unprivileged host UIDs
             volumes=[
                 k8s_client.V1Volume(
                     name="script-volume",
diff --git a/backend/app/services/k8s_worker/worker.py b/backend/app/services/k8s_worker/worker.py
index 14fbff23..6a471bcc 100644
--- a/backend/app/services/k8s_worker/worker.py
+++ b/backend/app/services/k8s_worker/worker.py
@@ -56,6 +56,7 @@ def __init__(
         # Kubernetes clients created from ApiClient
         self.v1 = k8s_client.CoreV1Api(api_client)
         self.apps_v1 = k8s_client.AppsV1Api(api_client)
+        self.networking_v1 = k8s_client.NetworkingV1Api(api_client)
 
         # Components
         self.pod_builder = PodBuilder(settings=settings)
@@ -252,6 +253,104 @@ async def _publish_pod_creation_failed(self, command: CreatePodCommandEvent, err
         )
         await self.producer.produce(event_to_produce=event, key=command.execution_id)
 
+    async def ensure_namespace_security(self) -> None:
+        """Apply security controls to the executor namespace at startup.
+
+        Creates:
+        - Default-deny NetworkPolicy for executor pods (blocks lateral movement and exfiltration)
+        - ResourceQuota to cap aggregate pod/resource consumption
+        - Pod Security Admission labels (Restricted profile)
+        """
+        namespace = self._settings.K8S_NAMESPACE
+        await self._ensure_executor_network_policy(namespace)
+        await self._ensure_executor_resource_quota(namespace)
+        await self._apply_psa_labels(namespace)
+
+    async def _ensure_executor_network_policy(self, namespace: str) -> None:
+        """Create default-deny NetworkPolicy for executor pods."""
+        policy_name = "executor-deny-all"
+
+        policy = k8s_client.V1NetworkPolicy(
+            api_version="networking.k8s.io/v1",
+            kind="NetworkPolicy",
+            metadata=k8s_client.V1ObjectMeta(
+                name=policy_name,
+                namespace=namespace,
+                labels={"app": "integr8s", "component": "security"},
+            ),
+            spec=k8s_client.V1NetworkPolicySpec(
+                pod_selector=k8s_client.V1LabelSelector(
+                    match_labels={"component": "executor"},
+                ),
+                policy_types=["Ingress", "Egress"],
+                ingress=[],
+                egress=[],
+            ),
+        )
+
+        try:
+            await self.networking_v1.read_namespaced_network_policy(name=policy_name, namespace=namespace)
+            await self.networking_v1.replace_namespaced_network_policy(
+                name=policy_name, namespace=namespace, body=policy,
+            )
+            self.logger.info(f"NetworkPolicy '{policy_name}' updated in namespace {namespace}")
+        except ApiException as e:
+            if e.status == 404:
+                await self.networking_v1.create_namespaced_network_policy(namespace=namespace, body=policy)
+                self.logger.info(f"NetworkPolicy '{policy_name}' created in namespace {namespace}")
+            else:
+                self.logger.error(f"Failed to apply NetworkPolicy '{policy_name}': {e.reason}")
+
+    async def _ensure_executor_resource_quota(self, namespace: str) -> None:
+        """Create ResourceQuota to cap aggregate executor pod consumption."""
+        quota_name = "executor-quota"
+
+        quota = k8s_client.V1ResourceQuota(
+            api_version="v1",
+            kind="ResourceQuota",
+            metadata=k8s_client.V1ObjectMeta(
+                name=quota_name,
+                namespace=namespace,
+                labels={"app": "integr8s", "component": "security"},
+            ),
+            spec=k8s_client.V1ResourceQuotaSpec(
+                hard={
+                    "pods": str(self._settings.K8S_MAX_CONCURRENT_PODS),
+                    "requests.cpu": f"{self._settings.K8S_MAX_CONCURRENT_PODS}",
+                    "requests.memory": f"{self._settings.K8S_MAX_CONCURRENT_PODS * 128}Mi",
+                    "limits.cpu": f"{self._settings.K8S_MAX_CONCURRENT_PODS}",
+                    "limits.memory": f"{self._settings.K8S_MAX_CONCURRENT_PODS * 128}Mi",
+                },
+            ),
+        )
+
+        try:
+            await self.v1.read_namespaced_resource_quota(name=quota_name, namespace=namespace)
+            await self.v1.replace_namespaced_resource_quota(name=quota_name, namespace=namespace, body=quota)
+            self.logger.info(f"ResourceQuota '{quota_name}' updated in namespace {namespace}")
+        except ApiException as e:
+            if e.status == 404:
+                await self.v1.create_namespaced_resource_quota(namespace=namespace, body=quota)
+                self.logger.info(f"ResourceQuota '{quota_name}' created in namespace {namespace}")
+            else:
+                self.logger.error(f"Failed to apply ResourceQuota '{quota_name}': {e.reason}")
+
+    async def _apply_psa_labels(self, namespace: str) -> None:
+        """Apply Pod Security Admission labels to the executor namespace."""
+        psa_labels = {
+            "pod-security.kubernetes.io/enforce": "restricted",
+            "pod-security.kubernetes.io/enforce-version": "latest",
+            "pod-security.kubernetes.io/warn": "restricted",
+            "pod-security.kubernetes.io/audit": "restricted",
+        }
+
+        patch_body = {"metadata": {"labels": psa_labels}}
+        try:
+            await self.v1.patch_namespace(name=namespace, body=patch_body)
+            self.logger.info(f"Pod Security Admission labels applied to namespace {namespace}")
+        except ApiException as e:
+            self.logger.error(f"Failed to apply PSA labels to namespace {namespace}: {e.reason}")
+
     async def ensure_image_pre_puller_daemonset(self) -> None:
         """Ensure the runtime image pre-puller DaemonSet exists."""
         daemonset_name = "runtime-image-pre-puller"
diff --git a/backend/app/settings.py b/backend/app/settings.py
index 61dbcaca..35e9c1f8 100644
--- a/backend/app/settings.py
+++ b/backend/app/settings.py
@@ -78,6 +78,7 @@ def __init__(
     K8S_POD_MEMORY_REQUEST: str = "128Mi"
     K8S_POD_EXECUTION_TIMEOUT: int = 300  # in seconds
     K8S_POD_PRIORITY_CLASS_NAME: str | None = None
+    K8S_POD_RUNTIME_CLASS_NAME: str | None = None  # e.g. "gvisor" for sandboxed execution
 
     SUPPORTED_RUNTIMES: dict[str, LanguageInfoDomain] = Field(default_factory=lambda: RUNTIME_MATRIX)
 
diff --git a/backend/pyproject.toml b/backend/pyproject.toml
index 8b646ab3..8576fed5 100644
--- a/backend/pyproject.toml
+++ b/backend/pyproject.toml
@@ -70,7 +70,7 @@ dependencies = [
     "opentelemetry-util-http==0.60b1",
     "packaging==24.1",
     "beanie==2.0.1",
-    "passlib==1.7.4",
+    "pwdlib[bcrypt]==0.2.1",
     "pathspec==0.12.1",
     "prometheus-fastapi-instrumentator==7.0.0",
     "prometheus_client==0.21.0",
diff --git a/backend/scripts/seed_users.py b/backend/scripts/seed_users.py
index e4f5d6d1..5378e22c 100755
--- a/backend/scripts/seed_users.py
+++ b/backend/scripts/seed_users.py
@@ -18,11 +18,12 @@
 
 from app.settings import Settings
 from bson import ObjectId
-from passlib.context import CryptContext
+from pwdlib import PasswordHash
+from pwdlib.hashers.bcrypt import BcryptHasher
 from pymongo.asynchronous.database import AsyncDatabase
 from pymongo.asynchronous.mongo_client import AsyncMongoClient
 
-pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
+pwd_hasher = PasswordHash((BcryptHasher(rounds=12),))
 
 
 async def upsert_user(
@@ -42,7 +43,7 @@ async def upsert_user(
             {"username": username},
             {
                 "$set": {
-                    "hashed_password": pwd_context.hash(password),
+                    "hashed_password": pwd_hasher.hash(password),
                     "role": role,
                     "is_superuser": is_superuser,
                     "is_active": True,
@@ -58,7 +59,7 @@ async def upsert_user(
                 "user_id": str(ObjectId()),
                 "username": username,
                 "email": email,
-                "hashed_password": pwd_context.hash(password),
+                "hashed_password": pwd_hasher.hash(password),
                 "role": role,
                 "is_active": True,
                 "is_superuser": is_superuser,
diff --git a/backend/secrets.example.toml b/backend/secrets.example.toml
index 0f7b41ef..c12eb784 100644
--- a/backend/secrets.example.toml
+++ b/backend/secrets.example.toml
@@ -15,3 +15,4 @@
 
 SECRET_KEY = "CHANGE_ME_min_32_chars_long_!!!!"
 MONGODB_URL = "mongodb://root:rootpassword@mongo:27017/integr8scode?authSource=admin"
+REDIS_PASSWORD = "redispassword"
diff --git a/backend/uv.lock b/backend/uv.lock
index 6bd53ded..f8c8f62a 100644
--- a/backend/uv.lock
+++ b/backend/uv.lock
@@ -253,6 +253,56 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/df/73/b6e24bd22e6720ca8ee9a85a0c4a2971af8497d8f3193fa05390cbd46e09/backoff-2.2.1-py3-none-any.whl", hash = "sha256:63579f9a0628e06278f7e47b7d7d5b6ce20dc65c5e96a6f3ca99a6adca0396e8", size = 15148, upload-time = "2022-10-05T19:19:30.546Z" },
 ]
 
+[[package]]
+name = "bcrypt"
+version = "4.3.0"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/bb/5d/6d7433e0f3cd46ce0b43cd65e1db465ea024dbb8216fb2404e919c2ad77b/bcrypt-4.3.0.tar.gz", hash = "sha256:3a3fd2204178b6d2adcf09cb4f6426ffef54762577a7c9b54c159008cb288c18", size = 25697, upload-time = "2025-02-28T01:24:09.174Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/bf/2c/3d44e853d1fe969d229bd58d39ae6902b3d924af0e2b5a60d17d4b809ded/bcrypt-4.3.0-cp313-cp313t-macosx_10_12_universal2.whl", hash = "sha256:f01e060f14b6b57bbb72fc5b4a83ac21c443c9a2ee708e04a10e9192f90a6281", size = 483719, upload-time = "2025-02-28T01:22:34.539Z" },
+    { url = "https://files.pythonhosted.org/packages/a1/e2/58ff6e2a22eca2e2cff5370ae56dba29d70b1ea6fc08ee9115c3ae367795/bcrypt-4.3.0-cp313-cp313t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c5eeac541cefd0bb887a371ef73c62c3cd78535e4887b310626036a7c0a817bb", size = 272001, upload-time = "2025-02-28T01:22:38.078Z" },
+    { url = "https://files.pythonhosted.org/packages/37/1f/c55ed8dbe994b1d088309e366749633c9eb90d139af3c0a50c102ba68a1a/bcrypt-4.3.0-cp313-cp313t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:59e1aa0e2cd871b08ca146ed08445038f42ff75968c7ae50d2fdd7860ade2180", size = 277451, upload-time = "2025-02-28T01:22:40.787Z" },
+    { url = "https://files.pythonhosted.org/packages/d7/1c/794feb2ecf22fe73dcfb697ea7057f632061faceb7dcf0f155f3443b4d79/bcrypt-4.3.0-cp313-cp313t-manylinux_2_28_aarch64.whl", hash = "sha256:0042b2e342e9ae3d2ed22727c1262f76cc4f345683b5c1715f0250cf4277294f", size = 272792, upload-time = "2025-02-28T01:22:43.144Z" },
+    { url = "https://files.pythonhosted.org/packages/13/b7/0b289506a3f3598c2ae2bdfa0ea66969812ed200264e3f61df77753eee6d/bcrypt-4.3.0-cp313-cp313t-manylinux_2_28_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:74a8d21a09f5e025a9a23e7c0fd2c7fe8e7503e4d356c0a2c1486ba010619f09", size = 289752, upload-time = "2025-02-28T01:22:45.56Z" },
+    { url = "https://files.pythonhosted.org/packages/dc/24/d0fb023788afe9e83cc118895a9f6c57e1044e7e1672f045e46733421fe6/bcrypt-4.3.0-cp313-cp313t-manylinux_2_28_x86_64.whl", hash = "sha256:0142b2cb84a009f8452c8c5a33ace5e3dfec4159e7735f5afe9a4d50a8ea722d", size = 277762, upload-time = "2025-02-28T01:22:47.023Z" },
+    { url = "https://files.pythonhosted.org/packages/e4/38/cde58089492e55ac4ef6c49fea7027600c84fd23f7520c62118c03b4625e/bcrypt-4.3.0-cp313-cp313t-manylinux_2_34_aarch64.whl", hash = "sha256:12fa6ce40cde3f0b899729dbd7d5e8811cb892d31b6f7d0334a1f37748b789fd", size = 272384, upload-time = "2025-02-28T01:22:49.221Z" },
+    { url = "https://files.pythonhosted.org/packages/de/6a/d5026520843490cfc8135d03012a413e4532a400e471e6188b01b2de853f/bcrypt-4.3.0-cp313-cp313t-manylinux_2_34_x86_64.whl", hash = "sha256:5bd3cca1f2aa5dbcf39e2aa13dd094ea181f48959e1071265de49cc2b82525af", size = 277329, upload-time = "2025-02-28T01:22:51.603Z" },
+    { url = "https://files.pythonhosted.org/packages/b3/a3/4fc5255e60486466c389e28c12579d2829b28a527360e9430b4041df4cf9/bcrypt-4.3.0-cp313-cp313t-musllinux_1_1_aarch64.whl", hash = "sha256:335a420cfd63fc5bc27308e929bee231c15c85cc4c496610ffb17923abf7f231", size = 305241, upload-time = "2025-02-28T01:22:53.283Z" },
+    { url = "https://files.pythonhosted.org/packages/c7/15/2b37bc07d6ce27cc94e5b10fd5058900eb8fb11642300e932c8c82e25c4a/bcrypt-4.3.0-cp313-cp313t-musllinux_1_1_x86_64.whl", hash = "sha256:0e30e5e67aed0187a1764911af023043b4542e70a7461ad20e837e94d23e1d6c", size = 309617, upload-time = "2025-02-28T01:22:55.461Z" },
+    { url = "https://files.pythonhosted.org/packages/5f/1f/99f65edb09e6c935232ba0430c8c13bb98cb3194b6d636e61d93fe60ac59/bcrypt-4.3.0-cp313-cp313t-musllinux_1_2_aarch64.whl", hash = "sha256:3b8d62290ebefd49ee0b3ce7500f5dbdcf13b81402c05f6dafab9a1e1b27212f", size = 335751, upload-time = "2025-02-28T01:22:57.81Z" },
+    { url = "https://files.pythonhosted.org/packages/00/1b/b324030c706711c99769988fcb694b3cb23f247ad39a7823a78e361bdbb8/bcrypt-4.3.0-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:2ef6630e0ec01376f59a006dc72918b1bf436c3b571b80fa1968d775fa02fe7d", size = 355965, upload-time = "2025-02-28T01:22:59.181Z" },
+    { url = "https://files.pythonhosted.org/packages/aa/dd/20372a0579dd915dfc3b1cd4943b3bca431866fcb1dfdfd7518c3caddea6/bcrypt-4.3.0-cp313-cp313t-win32.whl", hash = "sha256:7a4be4cbf241afee43f1c3969b9103a41b40bcb3a3f467ab19f891d9bc4642e4", size = 155316, upload-time = "2025-02-28T01:23:00.763Z" },
+    { url = "https://files.pythonhosted.org/packages/6d/52/45d969fcff6b5577c2bf17098dc36269b4c02197d551371c023130c0f890/bcrypt-4.3.0-cp313-cp313t-win_amd64.whl", hash = "sha256:5c1949bf259a388863ced887c7861da1df681cb2388645766c89fdfd9004c669", size = 147752, upload-time = "2025-02-28T01:23:02.908Z" },
+    { url = "https://files.pythonhosted.org/packages/11/22/5ada0b9af72b60cbc4c9a399fdde4af0feaa609d27eb0adc61607997a3fa/bcrypt-4.3.0-cp38-abi3-macosx_10_12_universal2.whl", hash = "sha256:f81b0ed2639568bf14749112298f9e4e2b28853dab50a8b357e31798686a036d", size = 498019, upload-time = "2025-02-28T01:23:05.838Z" },
+    { url = "https://files.pythonhosted.org/packages/b8/8c/252a1edc598dc1ce57905be173328eda073083826955ee3c97c7ff5ba584/bcrypt-4.3.0-cp38-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:864f8f19adbe13b7de11ba15d85d4a428c7e2f344bac110f667676a0ff84924b", size = 279174, upload-time = "2025-02-28T01:23:07.274Z" },
+    { url = "https://files.pythonhosted.org/packages/29/5b/4547d5c49b85f0337c13929f2ccbe08b7283069eea3550a457914fc078aa/bcrypt-4.3.0-cp38-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3e36506d001e93bffe59754397572f21bb5dc7c83f54454c990c74a468cd589e", size = 283870, upload-time = "2025-02-28T01:23:09.151Z" },
+    { url = "https://files.pythonhosted.org/packages/be/21/7dbaf3fa1745cb63f776bb046e481fbababd7d344c5324eab47f5ca92dd2/bcrypt-4.3.0-cp38-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:842d08d75d9fe9fb94b18b071090220697f9f184d4547179b60734846461ed59", size = 279601, upload-time = "2025-02-28T01:23:11.461Z" },
+    { url = "https://files.pythonhosted.org/packages/6d/64/e042fc8262e971347d9230d9abbe70d68b0a549acd8611c83cebd3eaec67/bcrypt-4.3.0-cp38-abi3-manylinux_2_28_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:7c03296b85cb87db865d91da79bf63d5609284fc0cab9472fdd8367bbd830753", size = 297660, upload-time = "2025-02-28T01:23:12.989Z" },
+    { url = "https://files.pythonhosted.org/packages/50/b8/6294eb84a3fef3b67c69b4470fcdd5326676806bf2519cda79331ab3c3a9/bcrypt-4.3.0-cp38-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:62f26585e8b219cdc909b6a0069efc5e4267e25d4a3770a364ac58024f62a761", size = 284083, upload-time = "2025-02-28T01:23:14.5Z" },
+    { url = "https://files.pythonhosted.org/packages/62/e6/baff635a4f2c42e8788fe1b1633911c38551ecca9a749d1052d296329da6/bcrypt-4.3.0-cp38-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:beeefe437218a65322fbd0069eb437e7c98137e08f22c4660ac2dc795c31f8bb", size = 279237, upload-time = "2025-02-28T01:23:16.686Z" },
+    { url = "https://files.pythonhosted.org/packages/39/48/46f623f1b0c7dc2e5de0b8af5e6f5ac4cc26408ac33f3d424e5ad8da4a90/bcrypt-4.3.0-cp38-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:97eea7408db3a5bcce4a55d13245ab3fa566e23b4c67cd227062bb49e26c585d", size = 283737, upload-time = "2025-02-28T01:23:18.897Z" },
+    { url = "https://files.pythonhosted.org/packages/49/8b/70671c3ce9c0fca4a6cc3cc6ccbaa7e948875a2e62cbd146e04a4011899c/bcrypt-4.3.0-cp38-abi3-musllinux_1_1_aarch64.whl", hash = "sha256:191354ebfe305e84f344c5964c7cd5f924a3bfc5d405c75ad07f232b6dffb49f", size = 312741, upload-time = "2025-02-28T01:23:21.041Z" },
+    { url = "https://files.pythonhosted.org/packages/27/fb/910d3a1caa2d249b6040a5caf9f9866c52114d51523ac2fb47578a27faee/bcrypt-4.3.0-cp38-abi3-musllinux_1_1_x86_64.whl", hash = "sha256:41261d64150858eeb5ff43c753c4b216991e0ae16614a308a15d909503617732", size = 316472, upload-time = "2025-02-28T01:23:23.183Z" },
+    { url = "https://files.pythonhosted.org/packages/dc/cf/7cf3a05b66ce466cfb575dbbda39718d45a609daa78500f57fa9f36fa3c0/bcrypt-4.3.0-cp38-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:33752b1ba962ee793fa2b6321404bf20011fe45b9afd2a842139de3011898fef", size = 343606, upload-time = "2025-02-28T01:23:25.361Z" },
+    { url = "https://files.pythonhosted.org/packages/e3/b8/e970ecc6d7e355c0d892b7f733480f4aa8509f99b33e71550242cf0b7e63/bcrypt-4.3.0-cp38-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:50e6e80a4bfd23a25f5c05b90167c19030cf9f87930f7cb2eacb99f45d1c3304", size = 362867, upload-time = "2025-02-28T01:23:26.875Z" },
+    { url = "https://files.pythonhosted.org/packages/a9/97/8d3118efd8354c555a3422d544163f40d9f236be5b96c714086463f11699/bcrypt-4.3.0-cp38-abi3-win32.whl", hash = "sha256:67a561c4d9fb9465ec866177e7aebcad08fe23aaf6fbd692a6fab69088abfc51", size = 160589, upload-time = "2025-02-28T01:23:28.381Z" },
+    { url = "https://files.pythonhosted.org/packages/29/07/416f0b99f7f3997c69815365babbc2e8754181a4b1899d921b3c7d5b6f12/bcrypt-4.3.0-cp38-abi3-win_amd64.whl", hash = "sha256:584027857bc2843772114717a7490a37f68da563b3620f78a849bcb54dc11e62", size = 152794, upload-time = "2025-02-28T01:23:30.187Z" },
+    { url = "https://files.pythonhosted.org/packages/6e/c1/3fa0e9e4e0bfd3fd77eb8b52ec198fd6e1fd7e9402052e43f23483f956dd/bcrypt-4.3.0-cp39-abi3-macosx_10_12_universal2.whl", hash = "sha256:0d3efb1157edebfd9128e4e46e2ac1a64e0c1fe46fb023158a407c7892b0f8c3", size = 498969, upload-time = "2025-02-28T01:23:31.945Z" },
+    { url = "https://files.pythonhosted.org/packages/ce/d4/755ce19b6743394787fbd7dff6bf271b27ee9b5912a97242e3caf125885b/bcrypt-4.3.0-cp39-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:08bacc884fd302b611226c01014eca277d48f0a05187666bca23aac0dad6fe24", size = 279158, upload-time = "2025-02-28T01:23:34.161Z" },
+    { url = "https://files.pythonhosted.org/packages/9b/5d/805ef1a749c965c46b28285dfb5cd272a7ed9fa971f970435a5133250182/bcrypt-4.3.0-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f6746e6fec103fcd509b96bacdfdaa2fbde9a553245dbada284435173a6f1aef", size = 284285, upload-time = "2025-02-28T01:23:35.765Z" },
+    { url = "https://files.pythonhosted.org/packages/ab/2b/698580547a4a4988e415721b71eb45e80c879f0fb04a62da131f45987b96/bcrypt-4.3.0-cp39-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:afe327968aaf13fc143a56a3360cb27d4ad0345e34da12c7290f1b00b8fe9a8b", size = 279583, upload-time = "2025-02-28T01:23:38.021Z" },
+    { url = "https://files.pythonhosted.org/packages/f2/87/62e1e426418204db520f955ffd06f1efd389feca893dad7095bf35612eec/bcrypt-4.3.0-cp39-abi3-manylinux_2_28_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:d9af79d322e735b1fc33404b5765108ae0ff232d4b54666d46730f8ac1a43676", size = 297896, upload-time = "2025-02-28T01:23:39.575Z" },
+    { url = "https://files.pythonhosted.org/packages/cb/c6/8fedca4c2ada1b6e889c52d2943b2f968d3427e5d65f595620ec4c06fa2f/bcrypt-4.3.0-cp39-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:f1e3ffa1365e8702dc48c8b360fef8d7afeca482809c5e45e653af82ccd088c1", size = 284492, upload-time = "2025-02-28T01:23:40.901Z" },
+    { url = "https://files.pythonhosted.org/packages/4d/4d/c43332dcaaddb7710a8ff5269fcccba97ed3c85987ddaa808db084267b9a/bcrypt-4.3.0-cp39-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:3004df1b323d10021fda07a813fd33e0fd57bef0e9a480bb143877f6cba996fe", size = 279213, upload-time = "2025-02-28T01:23:42.653Z" },
+    { url = "https://files.pythonhosted.org/packages/dc/7f/1e36379e169a7df3a14a1c160a49b7b918600a6008de43ff20d479e6f4b5/bcrypt-4.3.0-cp39-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:531457e5c839d8caea9b589a1bcfe3756b0547d7814e9ce3d437f17da75c32b0", size = 284162, upload-time = "2025-02-28T01:23:43.964Z" },
+    { url = "https://files.pythonhosted.org/packages/1c/0a/644b2731194b0d7646f3210dc4d80c7fee3ecb3a1f791a6e0ae6bb8684e3/bcrypt-4.3.0-cp39-abi3-musllinux_1_1_aarch64.whl", hash = "sha256:17a854d9a7a476a89dcef6c8bd119ad23e0f82557afbd2c442777a16408e614f", size = 312856, upload-time = "2025-02-28T01:23:46.011Z" },
+    { url = "https://files.pythonhosted.org/packages/dc/62/2a871837c0bb6ab0c9a88bf54de0fc021a6a08832d4ea313ed92a669d437/bcrypt-4.3.0-cp39-abi3-musllinux_1_1_x86_64.whl", hash = "sha256:6fb1fd3ab08c0cbc6826a2e0447610c6f09e983a281b919ed721ad32236b8b23", size = 316726, upload-time = "2025-02-28T01:23:47.575Z" },
+    { url = "https://files.pythonhosted.org/packages/0c/a1/9898ea3faac0b156d457fd73a3cb9c2855c6fd063e44b8522925cdd8ce46/bcrypt-4.3.0-cp39-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:e965a9c1e9a393b8005031ff52583cedc15b7884fce7deb8b0346388837d6cfe", size = 343664, upload-time = "2025-02-28T01:23:49.059Z" },
+    { url = "https://files.pythonhosted.org/packages/40/f2/71b4ed65ce38982ecdda0ff20c3ad1b15e71949c78b2c053df53629ce940/bcrypt-4.3.0-cp39-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:79e70b8342a33b52b55d93b3a59223a844962bef479f6a0ea318ebbcadf71505", size = 363128, upload-time = "2025-02-28T01:23:50.399Z" },
+    { url = "https://files.pythonhosted.org/packages/11/99/12f6a58eca6dea4be992d6c681b7ec9410a1d9f5cf368c61437e31daa879/bcrypt-4.3.0-cp39-abi3-win32.whl", hash = "sha256:b4d4e57f0a63fd0b358eb765063ff661328f69a04494427265950c71b992a39a", size = 160598, upload-time = "2025-02-28T01:23:51.775Z" },
+    { url = "https://files.pythonhosted.org/packages/a9/cf/45fb5261ece3e6b9817d3d82b2f343a505fd58674a92577923bc500bd1aa/bcrypt-4.3.0-cp39-abi3-win_amd64.whl", hash = "sha256:e53e074b120f2877a35cc6c736b8eb161377caae8925c17688bd46ba56daaa5b", size = 152799, upload-time = "2025-02-28T01:23:53.139Z" },
+]
+
 [[package]]
 name = "beanie"
 version = "2.0.1"
@@ -1257,13 +1307,13 @@ dependencies = [
     { name = "opentelemetry-semantic-conventions" },
     { name = "opentelemetry-util-http" },
     { name = "packaging" },
-    { name = "passlib" },
     { name = "pathspec" },
     { name = "prometheus-client" },
     { name = "prometheus-fastapi-instrumentator" },
     { name = "propcache" },
     { name = "protobuf" },
     { name = "psutil" },
+    { name = "pwdlib", extra = ["bcrypt"] },
     { name = "pyasn1" },
     { name = "pyasn1-modules" },
     { name = "pydantic" },
@@ -1417,13 +1467,13 @@ requires-dist = [
     { name = "opentelemetry-semantic-conventions", specifier = "==0.60b1" },
     { name = "opentelemetry-util-http", specifier = "==0.60b1" },
     { name = "packaging", specifier = "==24.1" },
-    { name = "passlib", specifier = "==1.7.4" },
     { name = "pathspec", specifier = "==0.12.1" },
     { name = "prometheus-client", specifier = "==0.21.0" },
     { name = "prometheus-fastapi-instrumentator", specifier = "==7.0.0" },
     { name = "propcache", specifier = "==0.4.1" },
     { name = "protobuf", specifier = "==6.33.5" },
     { name = "psutil", specifier = "==7.2.2" },
+    { name = "pwdlib", extras = ["bcrypt"], specifier = "==0.2.1" },
     { name = "pyasn1", specifier = "==0.6.2" },
     { name = "pyasn1-modules", specifier = "==0.4.2" },
     { name = "pydantic", specifier = "==2.9.2" },
@@ -2321,15 +2371,6 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/08/aa/cc0199a5f0ad350994d660967a8efb233fe0416e4639146c089643407ce6/packaging-24.1-py3-none-any.whl", hash = "sha256:5b8f2217dbdbd2f7f384c41c628544e6d52f2d0f53c6d0c3ea61aa5d1d7ff124", size = 53985, upload-time = "2024-06-09T23:19:21.909Z" },
 ]
 
-[[package]]
-name = "passlib"
-version = "1.7.4"
-source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/b6/06/9da9ee59a67fae7761aab3ccc84fa4f3f33f125b370f1ccdb915bf967c11/passlib-1.7.4.tar.gz", hash = "sha256:defd50f72b65c5402ab2c573830a6978e5f202ad0d984793c8dde2c4152ebe04", size = 689844, upload-time = "2020-10-08T19:00:52.121Z" }
-wheels = [
-    { url = "https://files.pythonhosted.org/packages/3b/a4/ab6b7589382ca3df236e03faa71deac88cae040af60c071a78d254a62172/passlib-1.7.4-py2.py3-none-any.whl", hash = "sha256:aa6bca462b8d8bda89c70b382f0c298a20b5560af6cbfa2dce410c0a2fb669f1", size = 525554, upload-time = "2020-10-08T19:00:49.856Z" },
-]
-
 [[package]]
 name = "pathspec"
 version = "0.12.1"
@@ -2588,6 +2629,20 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/8c/c7/7bb2e321574b10df20cbde462a94e2b71d05f9bbda251ef27d104668306a/psutil-7.2.2-cp37-abi3-win_arm64.whl", hash = "sha256:8c233660f575a5a89e6d4cb65d9f938126312bca76d8fe087b947b3a1aaac9ee", size = 134617, upload-time = "2026-01-28T18:15:36.514Z" },
 ]
 
+[[package]]
+name = "pwdlib"
+version = "0.2.1"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/82/a0/9daed437a6226f632a25d98d65d60ba02bdafa920c90dcb6454c611ead6c/pwdlib-0.2.1.tar.gz", hash = "sha256:9a1d8a8fa09a2f7ebf208265e55d7d008103cbdc82b9e4902ffdd1ade91add5e", size = 11699, upload-time = "2024-08-19T06:48:59.58Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/01/f3/0dae5078a486f0fdf4d4a1121e103bc42694a9da9bea7b0f2c63f29cfbd3/pwdlib-0.2.1-py3-none-any.whl", hash = "sha256:1823dc6f22eae472b540e889ecf57fd424051d6a4023ec0bcf7f0de2d9d7ef8c", size = 8082, upload-time = "2024-08-19T06:49:00.997Z" },
+]
+
+[package.optional-dependencies]
+bcrypt = [
+    { name = "bcrypt" },
+]
+
 [[package]]
 name = "pyasn1"
 version = "0.6.2"
diff --git a/backend/workers/run_k8s_worker.py b/backend/workers/run_k8s_worker.py
index b69a84c9..4e47d5b6 100644
--- a/backend/workers/run_k8s_worker.py
+++ b/backend/workers/run_k8s_worker.py
@@ -44,8 +44,9 @@ async def run() -> None:
 
         async def init_k8s_worker() -> None:
             worker = await container.get(KubernetesWorker)
+            await worker.ensure_namespace_security()
             await worker.ensure_image_pre_puller_daemonset()
-            logger.info("KubernetesWorker initialized with pre-puller daemonset")
+            logger.info("KubernetesWorker initialized with namespace security and pre-puller daemonset")
 
         app = FastStream(broker, on_startup=[init_k8s_worker], on_shutdown=[container.close])
         await app.run()
diff --git a/docker-compose.yaml b/docker-compose.yaml
index c89bfe2c..1f017ce5 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -40,7 +40,7 @@ services:
         condition: service_completed_successfully
 
   mongo:
-    image: mongo:8.0
+    image: mongo:8.0.17
     command: ["mongod", "--wiredTigerCacheSizeGB", "0.4"]
     ports:
       - "127.0.0.1:27017:27017"
@@ -67,11 +67,11 @@ services:
       start_period: 5s
 
   redis:
-    image: redis:7-alpine
+    image: redis:7.4.6-alpine
     container_name: redis
     ports:
       - "127.0.0.1:6379:6379"
-    command: redis-server --maxmemory 256mb --maxmemory-policy allkeys-lru --save ""
+    command: redis-server --maxmemory 256mb --maxmemory-policy allkeys-lru --save "" --requirepass ${REDIS_PASSWORD:-redispassword}
     volumes:
       - redis_data:/data
     networks:
@@ -79,7 +79,7 @@ services:
     mem_limit: 300m
     restart: unless-stopped
     healthcheck:
-      test: ["CMD", "redis-cli", "ping"]
+      test: ["CMD", "redis-cli", "-a", "${REDIS_PASSWORD:-redispassword}", "--no-auth-warning", "ping"]
       interval: 2s
       timeout: 3s
       retries: 10
diff --git a/frontend/nginx.conf.template b/frontend/nginx.conf.template
index a0284f90..143630a0 100644
--- a/frontend/nginx.conf.template
+++ b/frontend/nginx.conf.template
@@ -14,7 +14,7 @@ server {
 # --8<-- [end:server_block]
 
     # --8<-- [start:security_headers]
-    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; connect-src 'self';";
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'sha256-Pkom4KvU0VljnDtiOAuXdz1y9CQQFryJJLwdtlZ9fZg='; style-src 'self' 'sha256-sWLv0aySm7JTFhODjborN/q7xArZ+wUwhzTHzamJ2+4=' 'sha256-QpmcrFOkZac1E5hPaOFYcWTG9FtSYScZl4hAh4XuqZU=' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; connect-src 'self';";
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
     add_header X-Frame-Options "DENY";
     add_header X-Content-Type-Options "nosniff";

From d46ae062e756b95385d6b52ecfc27ab7fbc6ec04 Mon Sep 17 00:00:00 2001
From: HardMax71 <maxymazatyan@gmail.com>
Date: Mon, 2 Mar 2026 21:33:01 +0100
Subject: [PATCH 02/13] feat: csp nonce + replaced ansi-to-html with ansi_up -
 better class application

---
 .github/workflows/release-deploy.yml          |   8 +-
 docs/SECURITY.md                              |  49 +++-
 docs/operations/nginx-configuration.md        | 210 ++++++++++--------
 docs/security/policies.md                     |  81 +++++--
 frontend/nginx.conf.template                  |   8 +-
 frontend/package-lock.json                    |  25 +--
 frontend/package.json                         |   2 +-
 frontend/public/index.html                    |  24 +-
 frontend/src/app.css                          |  41 ++++
 .../components/editor/CodeMirrorEditor.svelte |   5 +
 .../src/components/editor/OutputPanel.svelte  |  18 +-
 .../editor/__tests__/CodeMirrorEditor.test.ts |   1 +
 12 files changed, 320 insertions(+), 152 deletions(-)

diff --git a/.github/workflows/release-deploy.yml b/.github/workflows/release-deploy.yml
index a72a3e07..a1d213ba 100644
--- a/.github/workflows/release-deploy.yml
+++ b/.github/workflows/release-deploy.yml
@@ -129,11 +129,14 @@ jobs:
           MAILJET_FROM_ADDRESS: ${{ secrets.MAILJET_FROM_ADDRESS }}
           MAILJET_HOST: ${{ secrets.MAILJET_HOST }}
           GRAFANA_ALERT_RECIPIENTS: ${{ secrets.GRAFANA_ALERT_RECIPIENTS }}
+          REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD }}
+          MONGO_ROOT_USER: ${{ secrets.MONGO_ROOT_USER }}
+          MONGO_ROOT_PASSWORD: ${{ secrets.MONGO_ROOT_PASSWORD }}
         with:
           host: ${{ secrets.DEPLOY_HOST }}
           username: ${{ secrets.DEPLOY_USER }}
           key: ${{ secrets.DEPLOY_SSH_KEY }}
-          envs: GHCR_TOKEN,GHCR_USER,IMAGE_TAG,GRAFANA_ADMIN_USER,GRAFANA_ADMIN_PASSWORD,MAILJET_API_KEY,MAILJET_SECRET_KEY,MAILJET_FROM_ADDRESS,MAILJET_HOST,GRAFANA_ALERT_RECIPIENTS
+          envs: GHCR_TOKEN,GHCR_USER,IMAGE_TAG,GRAFANA_ADMIN_USER,GRAFANA_ADMIN_PASSWORD,MAILJET_API_KEY,MAILJET_SECRET_KEY,MAILJET_FROM_ADDRESS,MAILJET_HOST,GRAFANA_ALERT_RECIPIENTS,REDIS_PASSWORD,MONGO_ROOT_USER,MONGO_ROOT_PASSWORD
           command_timeout: 10m
           script: |
             set -e
@@ -153,6 +156,9 @@ jobs:
             export MAILJET_FROM_ADDRESS="$MAILJET_FROM_ADDRESS"
             export GF_SMTP_HOST="$MAILJET_HOST"
             export GRAFANA_ALERT_RECIPIENTS="$GRAFANA_ALERT_RECIPIENTS"
+            export REDIS_PASSWORD="$REDIS_PASSWORD"
+            export MONGO_ROOT_USER="$MONGO_ROOT_USER"
+            export MONGO_ROOT_PASSWORD="$MONGO_ROOT_PASSWORD"
             docker compose pull
             docker compose up -d --remove-orphans --no-build --wait --wait-timeout 180
 
diff --git a/docs/SECURITY.md b/docs/SECURITY.md
index 410e73a1..1bdf51dc 100644
--- a/docs/SECURITY.md
+++ b/docs/SECURITY.md
@@ -4,16 +4,55 @@ Security patches go into `main` and the latest release. If you're running someth
 
 ## Reporting vulnerabilities
 
-Found a security issue? Don't open a public GitHub issue - email [max.azatian@gmail.com](mailto:max.azatian@gmail.com) instead.
+Found a security issue? Don't open a public GitHub issue - email [max.azatian@gmail.com](mailto:max.azatian@gmail.com)
+instead.
 
-Include what you can: vulnerability type, where it occurs, reproduction steps, PoC if you have one. You'll get an acknowledgment within 48 hours. If confirmed, we'll patch it and credit you in the disclosure (unless you prefer to stay anonymous).
+Include what you can: vulnerability type, where it occurs, reproduction steps, PoC if you have one. You'll get an
+acknowledgment within 48 hours. If confirmed, we'll patch it and credit you in the disclosure (unless you prefer to stay
+anonymous).
 
 ## Automated scanning
 
-The CI pipeline runs [Bandit](https://bandit.readthedocs.io/) on the Python backend for static analysis, and [Dependabot](https://docs.github.com/en/code-security/dependabot) keeps dependencies patched across Python, npm, and Docker. For SBOM generation and vulnerability scanning, see [Supply Chain Security](security/supply-chain.md).
+The CI pipeline runs [Bandit](https://bandit.readthedocs.io/) on the Python backend for static analysis,
+and [Dependabot](https://docs.github.com/en/code-security/dependabot) keeps dependencies patched across Python, npm, and
+Docker. For SBOM generation and vulnerability scanning, see [Supply Chain Security](security/supply-chain.md).
+
+## Frontend hardening
+
+The frontend uses a nonce-based Content Security Policy:
+
+- **`script-src 'nonce-...'`** — blocks injected `<script>` tags (XSS). Nonce is per-request, generated by nginx.
+- **`style-src-elem 'nonce-...'`** — blocks injected `<style>` tags.
+- **`style-src-attr 'unsafe-inline'`** — allows `style=""` attributes (required by Svelte transitions and CodeMirror).
+
+Nonce injection is handled by nginx's `sub_filter` directive.
+See [Nginx Configuration](operations/nginx-configuration.md#nonce-injection) for the full mechanism.
 
 ## Runtime hardening
 
-Executor pods run user code with non-root users, read-only filesystems, dropped capabilities, and no service account tokens. Network policies deny all traffic by default. Details in [Network Isolation](security/policies.md).
+Executor pods run user code with non-root users, read-only filesystems, dropped capabilities, user namespace isolation (
+`host_users: false`), and no service account tokens. An optional sandboxed runtime (e.g., gVisor) can be configured via
+`K8S_POD_RUNTIME_CLASS_NAME`.
+
+At the namespace level, the k8s_worker automatically applies:
+
+- **NetworkPolicy** — default-deny ingress + egress for executor pods (blocks lateral movement and exfiltration)
+- **ResourceQuota** — caps aggregate pod, CPU, and memory consumption
+- **Pod Security Admission** — `restricted` profile enforced via namespace labels
+
+Details in [Pod & Namespace Security](security/policies.md).
+
+## Authentication
+
+Password hashing uses `pwdlib` with `BcryptHasher` (configurable rounds). Authentication is cookie-based JWT with CSRF
+protection via the double-submit pattern. See [Authentication](architecture/authentication.md).
+
+## Infrastructure
+
+- Redis is password-protected (`--requirepass`)
+- MongoDB uses authentication (`authSource=admin`)
+- All database ports bound to `127.0.0.1` (not exposed to host network)
+- Docker image versions are pinned to specific patches
+- TLS everywhere (self-signed for development, generated by `cert-generator` container)
 
-Secrets stay out of the repo - `.env` files and credentials are your responsibility to manage in deployment.
+Secrets stay out of the repo — `.env` files and credentials are your responsibility to manage in deployment.
diff --git a/docs/operations/nginx-configuration.md b/docs/operations/nginx-configuration.md
index 55db200a..f2b5ac43 100644
--- a/docs/operations/nginx-configuration.md
+++ b/docs/operations/nginx-configuration.md
@@ -24,11 +24,11 @@ backend, and reverse proxy for Grafana (when the `observability` Docker Compose
 --8<-- "frontend/nginx.conf.template:server_block"
 ```
 
-| Directive       | Purpose                                          |
-|-----------------|--------------------------------------------------|
+| Directive       | Purpose                                             |
+|-----------------|-----------------------------------------------------|
 | `listen 5001`   | Internal container port (mapped via Docker Compose) |
-| `server_name _` | Catch-all server name                            |
-| `root`          | Static files from Svelte build                   |
+| `server_name _` | Catch-all server name                               |
+| `root`          | Static files from Svelte build                      |
 
 ### Compression
 
@@ -39,13 +39,13 @@ backend, and reverse proxy for Grafana (when the `observability` Docker Compose
 Gzip compression reduces bandwidth for text-based assets. Binary files (images, fonts) are excluded as they're already
 compressed.
 
-| Directive        | Value                     | Purpose                                                           |
-|------------------|---------------------------|-------------------------------------------------------------------|
-| `gzip on`        |                           | Enable gzip compression globally                                  |
-| `gzip_vary`      | `on`                      | Add `Vary: Accept-Encoding` header so caches store both versions  |
-| `gzip_min_length` | `1024`                   | Skip compression for responses under 1 KB (overhead not worth it) |
-| `gzip_types`     | text/css, application/json, ... | MIME types to compress (text-based only, not images/video) |
-| `gzip_disable`   | `"msie6"`                 | Disable for IE6 which mishandles gzipped responses                |
+| Directive         | Value                           | Purpose                                                           |
+|-------------------|---------------------------------|-------------------------------------------------------------------|
+| `gzip on`         |                                 | Enable gzip compression globally                                  |
+| `gzip_vary`       | `on`                            | Add `Vary: Accept-Encoding` header so caches store both versions  |
+| `gzip_min_length` | `1024`                          | Skip compression for responses under 1 KB (overhead not worth it) |
+| `gzip_types`      | text/css, application/json, ... | MIME types to compress (text-based only, not images/video)        |
+| `gzip_disable`    | `"msie6"`                       | Disable for IE6 which mishandles gzipped responses                |
 
 ### API proxy
 
@@ -53,16 +53,16 @@ compressed.
 --8<-- "frontend/nginx.conf.template:api_proxy"
 ```
 
-| Directive                      | Purpose                                                                      |
-|--------------------------------|------------------------------------------------------------------------------|
-| `proxy_pass ${BACKEND_URL}`    | Forward requests to the backend; the variable is replaced by `envsubst` at container start |
-| `proxy_ssl_verify off`         | Skip TLS certificate verification — safe because this is container-to-container traffic on an internal Docker network. **Never use this when proxying to external or untrusted backends** — it disables certificate validation entirely, making the connection vulnerable to MITM attacks |
-| `proxy_set_header Host $host`  | Forward the original `Host` header so the backend sees the client's requested hostname |
-| `proxy_set_header X-Real-IP`   | Pass the client's real IP address for rate limiting and audit logging         |
-| `proxy_set_header X-Forwarded-For` | Append client IP to the proxy chain header (standard for multi-layer proxies) |
-| `proxy_set_header X-Forwarded-Proto` | Preserve the original protocol (`http`/`https`) so the backend can build correct redirect URLs |
-| `proxy_pass_request_headers on` | Forward all client request headers to the backend (default, made explicit for clarity) |
-| `proxy_set_header Cookie`      | Forward authentication cookies (`access_token`, `csrf_token`) to the backend |
+| Directive                            | Purpose                                                                                                                                                                                                                                                                                   |
+|--------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `proxy_pass ${BACKEND_URL}`          | Forward requests to the backend; the variable is replaced by `envsubst` at container start                                                                                                                                                                                                |
+| `proxy_ssl_verify off`               | Skip TLS certificate verification — safe because this is container-to-container traffic on an internal Docker network. **Never use this when proxying to external or untrusted backends** — it disables certificate validation entirely, making the connection vulnerable to MITM attacks |
+| `proxy_set_header Host $host`        | Forward the original `Host` header so the backend sees the client's requested hostname                                                                                                                                                                                                    |
+| `proxy_set_header X-Real-IP`         | Pass the client's real IP address for rate limiting and audit logging                                                                                                                                                                                                                     |
+| `proxy_set_header X-Forwarded-For`   | Append client IP to the proxy chain header (standard for multi-layer proxies)                                                                                                                                                                                                             |
+| `proxy_set_header X-Forwarded-Proto` | Preserve the original protocol (`http`/`https`) so the backend can build correct redirect URLs                                                                                                                                                                                            |
+| `proxy_pass_request_headers on`      | Forward all client request headers to the backend (default, made explicit for clarity)                                                                                                                                                                                                    |
+| `proxy_set_header Cookie`            | Forward authentication cookies (`access_token`, `csrf_token`) to the backend                                                                                                                                                                                                              |
 
 ### SSE (Server-Sent Events)
 
@@ -72,15 +72,15 @@ SSE endpoints require special handling to prevent buffering:
 --8<-- "frontend/nginx.conf.template:sse_proxy"
 ```
 
-| Directive                            | Purpose                                                                                   |
-|--------------------------------------|-------------------------------------------------------------------------------------------|
-| `proxy_set_header Connection ''`     | Clear the `Connection` header so nginx doesn't inject `close` — required for HTTP/1.1 keep-alive streaming |
-| `proxy_http_version 1.1`            | Use HTTP/1.1 between nginx and the backend, which supports chunked transfer encoding needed by SSE |
-| `proxy_buffering off`               | Disable response buffering — pass each chunk from the backend to the client immediately    |
-| `proxy_cache off`                   | Disable response caching — SSE streams must never be served from cache                      |
-| `proxy_read_timeout 86400s`         | 24-hour read timeout — SSE connections are long-lived; the default 60s would close them     |
-| `proxy_send_timeout 86400s`         | 24-hour send timeout — matches read timeout to prevent asymmetric timeout disconnects       |
-| `proxy_set_header X-Accel-Buffering no` | Tell nginx's upstream module to disable buffering (belt-and-suspenders with `proxy_buffering off`) |
+| Directive                               | Purpose                                                                                                    |
+|-----------------------------------------|------------------------------------------------------------------------------------------------------------|
+| `proxy_set_header Connection ''`        | Clear the `Connection` header so nginx doesn't inject `close` — required for HTTP/1.1 keep-alive streaming |
+| `proxy_http_version 1.1`                | Use HTTP/1.1 between nginx and the backend, which supports chunked transfer encoding needed by SSE         |
+| `proxy_buffering off`                   | Disable response buffering — pass each chunk from the backend to the client immediately                    |
+| `proxy_cache off`                       | Disable response caching — SSE streams must never be served from cache                                     |
+| `proxy_read_timeout 86400s`             | 24-hour read timeout — SSE connections are long-lived; the default 60s would close them                    |
+| `proxy_send_timeout 86400s`             | 24-hour send timeout — matches read timeout to prevent asymmetric timeout disconnects                      |
+| `proxy_set_header X-Accel-Buffering no` | Tell nginx's upstream module to disable buffering (belt-and-suspenders with `proxy_buffering off`)         |
 
 Without these settings, SSE events would be buffered and delivered in batches instead of real-time.
 
@@ -100,18 +100,19 @@ Grafana is only available when the `observability` Docker Compose profile is act
 return 502 (expected).
 
 The `resolver` + `set $upstream` pattern is used here so nginx resolves `grafana` at request time instead of at startup.
-Without this, nginx would fail to start when the Grafana container is not running (e.g., when the `observability` profile
+Without this, nginx would fail to start when the Grafana container is not running (e.g., when the `observability`
+profile
 is not active). Docker's embedded DNS resolver (`127.0.0.11`) handles container name resolution on the internal network.
 
-| Directive                                                     | Purpose                                                                      |
-|---------------------------------------------------------------|------------------------------------------------------------------------------|
-| `resolver 127.0.0.11 valid=30s ipv6=off`                     | Use Docker's embedded DNS; cache results for 30s; skip IPv6 (Docker bridge is IPv4) |
-| `set $grafana_upstream http://grafana:3000`                   | Store upstream in a variable so nginx resolves it at request time, not startup |
-| `proxy_pass $grafana_upstream`                                | Forward requests to the Grafana container on the internal Docker network     |
-| `proxy_set_header Host $host`                                 | Forward the original `Host` header so Grafana sees the client's hostname     |
-| `proxy_set_header X-Real-IP $remote_addr`                     | Pass the client's real IP address                                            |
-| `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for` | Append client IP to the proxy chain header                                   |
-| `proxy_set_header X-Forwarded-Proto $scheme`                  | Preserve the original protocol so Grafana can build correct redirect URLs    |
+| Directive                                                     | Purpose                                                                             |
+|---------------------------------------------------------------|-------------------------------------------------------------------------------------|
+| `resolver 127.0.0.11 valid=30s ipv6=off`                      | Use Docker's embedded DNS; cache results for 30s; skip IPv6 (Docker bridge is IPv4) |
+| `set $grafana_upstream http://grafana:3000`                   | Store upstream in a variable so nginx resolves it at request time, not startup      |
+| `proxy_pass $grafana_upstream`                                | Forward requests to the Grafana container on the internal Docker network            |
+| `proxy_set_header Host $host`                                 | Forward the original `Host` header so Grafana sees the client's hostname            |
+| `proxy_set_header X-Real-IP $remote_addr`                     | Pass the client's real IP address                                                   |
+| `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for` | Append client IP to the proxy chain header                                          |
+| `proxy_set_header X-Forwarded-Proto $scheme`                  | Preserve the original protocol so Grafana can build correct redirect URLs           |
 
 Grafana must also be configured to serve from a subpath. This is done in `backend/grafana/grafana.ini`:
 
@@ -127,17 +128,41 @@ serve_from_sub_path = true
 --8<-- "frontend/nginx.conf.template:static_caching"
 ```
 
-| Location pattern                   | `expires` value | Effect                                                                |
-|------------------------------------|-----------------|-----------------------------------------------------------------------|
-| `~* \.(js\|css\|png\|...)`         | `1y`            | Sets `Cache-Control: max-age=31536000` — browser caches for one year  |
-| `/build/`                          | `1y`            | Same treatment for the Svelte build output directory                  |
-| `~* \.html$`                       | `-1`            | Sets `Cache-Control: no-cache` — browser must revalidate every time   |
+| Location pattern           | `expires` value | Effect                                                               |
+|----------------------------|-----------------|----------------------------------------------------------------------|
+| `~* \.(js\|css\|png\|...)` | `1y`            | Sets `Cache-Control: max-age=31536000` — browser caches for one year |
+| `/build/`                  | `1y`            | Same treatment for the Svelte build output directory                 |
+| `~* \.html$`               | `-1`            | Sets `Cache-Control: no-cache` — browser must revalidate every time  |
 
 Svelte build outputs hashed filenames (`app.abc123.js`), making them safe to cache indefinitely. HTML files must never
 be cached to ensure users get the latest asset references.
 
 The `~*` modifier makes the regex case-insensitive (matches `.JS`, `.Css`, etc.).
 
+### Nonce injection
+
+```nginx
+--8<-- "frontend/nginx.conf.template:nonce_injection"
+```
+
+Nginx replaces every occurrence of the literal string `**CSP_NONCE**` in HTML responses with `$request_id` — a unique
+value generated per request. This same `$request_id` is interpolated into the CSP header's `nonce-` directive, so the
+browser sees matching nonces and allows those `<script>` and `<style>` tags.
+
+| Directive                                  | Purpose                                         |
+|--------------------------------------------|-------------------------------------------------|
+| `sub_filter_once off`                      | Replace all occurrences, not just the first     |
+| `sub_filter '**CSP_NONCE**' '$request_id'` | Inject the per-request nonce into HTML          |
+| `sub_filter_types text/html`               | Only process HTML responses (not JS, CSS, JSON) |
+
+**Nonce consumers in `index.html`:**
+
+- `<meta name="csp-nonce" content="**CSP_NONCE**">` — read at runtime by CodeMirror's `getCspNonce()` so dynamically
+  injected `<style>` tags carry the nonce
+- `<style nonce="**CSP_NONCE**">` — initial page styles
+- `<script nonce="**CSP_NONCE**" type="module">` — main app bundle
+- `<script nonce="**CSP_NONCE**">` — loading spinner cleanup
+
 ### Security headers
 
 ```nginx
@@ -149,33 +174,38 @@ All security headers are defined at the `server` level so they apply to every re
 
 #### Content Security Policy
 
-| Directive         | Value                    | Purpose                             |
-|-------------------|--------------------------|-------------------------------------|
-| `default-src`     | `'self'`                 | Fallback for unspecified directives |
-| `script-src`      | `'self' 'unsafe-inline'` | Allow inline scripts (Svelte)       |
-| `style-src`       | `'self' 'unsafe-inline'` | Allow inline styles (Svelte)        |
-| `img-src`         | `'self' data: blob:`     | Allow data: URLs for SVG icons      |
-| `font-src`        | `'self' data:`           | Allow embedded fonts                |
-| `object-src`      | `'none'`                 | Block plugins (Flash, Java)         |
-| `frame-ancestors` | `'none'`                 | Prevent clickjacking                |
-| `connect-src`     | `'self'`                 | XHR/fetch/WebSocket same-origin     |
-
-The `data:` source is required for the Monaco editor's inline SVG icons.
-
-`'unsafe-inline'` for `script-src` and `style-src` weakens CSP protection against XSS attacks, since it allows any
-inline `<script>` or `<style>` tag to execute. This is a trade-off for Svelte compatibility — the framework injects
-inline styles at runtime, and the build output includes inline scripts. Migrating to nonce-based CSP
-(`'nonce-<random>'`) would eliminate this trade-off but requires coordinating nonce generation between nginx and the
-backend.
+| Directive         | Value                        | Purpose                                                                 |
+|-------------------|------------------------------|-------------------------------------------------------------------------|
+| `default-src`     | `'self'`                     | Fallback for unspecified directives                                     |
+| `script-src`      | `'self' 'nonce-$request_id'` | Nonce-locked — only `<script>` tags with the matching nonce can execute |
+| `style-src-elem`  | `'self' 'nonce-$request_id'` | Nonce-locked — blocks injected `<style>` tags without the nonce         |
+| `style-src-attr`  | `'unsafe-inline'`            | Allows `style=""` attributes (Svelte transitions, CodeMirror)           |
+| `img-src`         | `'self' data: blob:`         | Allow data: URLs for inline SVG icons                                   |
+| `font-src`        | `'self' data:`               | Allow embedded fonts                                                    |
+| `object-src`      | `'none'`                     | Block plugins (Flash, Java)                                             |
+| `base-uri`        | `'self'`                     | Prevent `<base>` tag hijacking of relative URLs                         |
+| `form-action`     | `'self'`                     | Restrict form submission targets                                        |
+| `frame-ancestors` | `'none'`                     | Prevent clickjacking                                                    |
+| `connect-src`     | `'self'`                     | XHR/fetch/WebSocket/SSE same-origin only                                |
+
+**Why nonce-based `script-src`?** This is the critical XSS control. Without it, any injected `<script>` tag would
+execute. With the nonce, only scripts carrying the per-request nonce are allowed. An attacker cannot predict the nonce
+value (it changes on every request), so injected scripts are blocked.
+
+**Why `style-src-elem` + `style-src-attr` split instead of blanket `style-src`?** The `elem`/`attr` split is strictly
+tighter. `style-src-elem 'nonce-...'` blocks injected `<style>` tags (the more dangerous CSS vector for `@font-face` +
+attribute-selector exfiltration). `style-src-attr 'unsafe-inline'` allows `style=""` attributes, which Svelte
+transitions, CodeMirror, and inline style bindings require. CSS attribute injection can only exfiltrate data if
+`img-src`/`connect-src` allow attacker URLs — `default-src 'self'` blocks that channel entirely.
 
 #### Other security headers
 
-| Header                   | Value                             | Purpose                        |
-|--------------------------|-----------------------------------|--------------------------------|
+| Header                   | Value                             | Purpose                                                                   |
+|--------------------------|-----------------------------------|---------------------------------------------------------------------------|
 | `X-Frame-Options`        | `DENY`                            | Legacy clickjacking protection (aligns with CSP `frame-ancestors 'none'`) |
-| `X-Content-Type-Options` | `nosniff`                         | Prevent MIME sniffing          |
-| `Referrer-Policy`        | `strict-origin-when-cross-origin` | Limit referrer leakage         |
-| `Permissions-Policy`     | Deny geolocation, mic, camera     | Disable unused APIs            |
+| `X-Content-Type-Options` | `nosniff`                         | Prevent MIME sniffing                                                     |
+| `Referrer-Policy`        | `strict-origin-when-cross-origin` | Limit referrer leakage                                                    |
+| `Permissions-Policy`     | Deny geolocation, mic, camera     | Disable unused APIs                                                       |
 
 ### SPA routing
 
@@ -215,30 +245,30 @@ server {
 This config intentionally avoids `add_header` in every `location` block so that the five security headers defined at
 the `server` level apply uniformly to all responses:
 
-| Location                       | Has `add_header`? | Security headers inherited? |
-|--------------------------------|-------------------|-----------------------------|
-| `location /api/`               | No                | Yes                         |
+| Location                      | Has `add_header`? | Security headers inherited? |
+|-------------------------------|-------------------|-----------------------------|
+| `location /api/`              | No                | Yes                         |
 | `location ~ ^/api/v1/events/` | No                | Yes                         |
-| `location /grafana/`           | No                | Yes                         |
+| `location /grafana/`          | No                | Yes                         |
 | `location ~* \.(js\|css\|…)`  | No                | Yes                         |
-| `location /build/`             | No                | Yes                         |
+| `location /build/`            | No                | Yes                         |
 | `location ~* \.html$`         | No                | Yes                         |
-| `location /`                   | No                | Yes                         |
+| `location /`                  | No                | Yes                         |
 
 !!! warning "Adding `add_header` to a location"
-    If you need to add a response header in a specific location, you must **repeat all five security headers** in that
-    same block, or use the `always` parameter with an `include` file. Prefer solving the problem without `add_header`
-    when possible (e.g., use `proxy_set_header` for upstream-facing headers, or let the backend set its own response
-    headers).
+If you need to add a response header in a specific location, you must **repeat all five security headers** in that
+same block, or use the `always` parameter with an `include` file. Prefer solving the problem without `add_header`
+when possible (e.g., use `proxy_set_header` for upstream-facing headers, or let the backend set its own response
+headers).
 
 ### `proxy_set_header` vs `add_header`
 
 These two directives are often confused but serve different purposes:
 
-| Directive          | Direction         | Affects                            |
-|--------------------|-------------------|------------------------------------|
-| `proxy_set_header` | nginx → backend   | Modifies request headers sent to the upstream server |
-| `add_header`       | nginx → client    | Adds response headers sent to the browser            |
+| Directive          | Direction       | Affects                                              |
+|--------------------|-----------------|------------------------------------------------------|
+| `proxy_set_header` | nginx → backend | Modifies request headers sent to the upstream server |
+| `add_header`       | nginx → client  | Adds response headers sent to the browser            |
 
 `proxy_set_header` has its own inheritance rules (also all-or-nothing per block), but it does not interact with
 `add_header` inheritance. The SSE block uses `proxy_set_header X-Accel-Buffering no` to tell nginx's upstream module
@@ -275,11 +305,11 @@ docker compose restart frontend
 
 ## Troubleshooting
 
-| Issue                           | Cause                            | Solution                                                                 |
-|---------------------------------|----------------------------------|--------------------------------------------------------------------------|
-| SSE connections dropping        | Default 60s `proxy_read_timeout` | Verify 86400s timeout is set                                             |
-| CSP blocking resources          | Missing source in directive      | Check browser console, add blocked source                                |
-| 502 Bad Gateway                 | Backend unreachable              | `docker compose logs backend`                                            |
-| Assets not updating             | Browser cache                    | Clear cache or verify `no-cache` on HTML                                 |
-| Security headers missing on SSE | `add_header` in location block   | Remove `add_header` from the location; see [`add_header` inheritance](#add_header-inheritance) |
-| Security headers missing on some routes | Same inheritance issue  | Verify no location block has `add_header`; use `curl -I` to check        |
+| Issue                                   | Cause                            | Solution                                                                                       |
+|-----------------------------------------|----------------------------------|------------------------------------------------------------------------------------------------|
+| SSE connections dropping                | Default 60s `proxy_read_timeout` | Verify 86400s timeout is set                                                                   |
+| CSP blocking resources                  | Missing source in directive      | Check browser console, add blocked source                                                      |
+| 502 Bad Gateway                         | Backend unreachable              | `docker compose logs backend`                                                                  |
+| Assets not updating                     | Browser cache                    | Clear cache or verify `no-cache` on HTML                                                       |
+| Security headers missing on SSE         | `add_header` in location block   | Remove `add_header` from the location; see [`add_header` inheritance](#add_header-inheritance) |
+| Security headers missing on some routes | Same inheritance issue           | Verify no location block has `add_header`; use `curl -I` to check                              |
diff --git a/docs/security/policies.md b/docs/security/policies.md
index 8010dfa0..7850213d 100644
--- a/docs/security/policies.md
+++ b/docs/security/policies.md
@@ -1,6 +1,7 @@
-# Network Isolation
+# Pod & Namespace Security
 
-Executor pods run user code in a hardened environment with strict security controls. The pod builder in `backend/app/services/k8s_worker/pod_builder.py` enforces these at pod creation time.
+Executor pods run user code in a hardened environment with strict security controls. Defenses are layered across three
+levels: container, pod, and namespace.
 
 ## Container Security Context
 
@@ -12,11 +13,30 @@ Each executor container runs with:
 - All Linux capabilities dropped
 - RuntimeDefault seccomp profile
 
-The pod spec also sets `automount_service_account_token: false`, preventing containers from accessing the Kubernetes API.
+The pod spec also sets `automount_service_account_token: false`, preventing containers from accessing the Kubernetes
+API.
 
-## Network Policy
+These are enforced by the pod builder in `backend/app/services/k8s_worker/pod_builder.py`.
 
-Network isolation uses a standard Kubernetes NetworkPolicy that denies all ingress and egress traffic from executor pods. The policy is applied during cluster setup.
+## Pod-Level Isolation
+
+| Control                  | Setting                                              | Purpose                                                                                                              |
+|--------------------------|------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------|
+| User namespace isolation | `host_users: false`                                  | Remaps container UIDs to unprivileged host UIDs — even if a process escapes the container, it has no host privileges |
+| Runtime class            | `runtime_class_name` (configurable, e.g. `"gvisor"`) | Sandboxed execution via an alternative OCI runtime. Set via `K8S_POD_RUNTIME_CLASS_NAME` in settings                 |
+| Active deadline          | `active_deadline_seconds`                            | Hard timeout at the K8s level — the kubelet kills the pod regardless of what the process is doing                    |
+| Restart policy           | `Never`                                              | Pods are one-shot executors; no restart loops                                                                        |
+| Script injection         | ConfigMap volume mount                               | Script content is mounted read-only via a ConfigMap, not written to the container filesystem                         |
+
+## Namespace-Level Controls
+
+Applied automatically at k8s_worker startup via `ensure_namespace_security()` in
+`backend/app/services/k8s_worker/worker.py`. These are idempotent (create-or-update).
+
+### Network Policy
+
+A default-deny NetworkPolicy blocks all ingress and egress traffic from executor pods — preventing lateral movement
+within the cluster and data exfiltration to external hosts.
 
 ```yaml
 apiVersion: networking.k8s.io/v1
@@ -24,30 +44,57 @@ kind: NetworkPolicy
 metadata:
   name: executor-deny-all
   namespace: integr8scode
+  labels:
+    app: integr8s
+    component: security
 spec:
   podSelector:
     matchLabels:
-      app: integr8s
       component: executor
   policyTypes:
-  - Ingress
-  - Egress
+    - Ingress
+    - Egress
+  ingress: [ ]
+  egress: [ ]
 ```
 
-This policy matches pods with labels `app=integr8s` and `component=executor`, which the pod builder applies to all executor pods.
+This policy matches pods with the `component: executor` label, which the pod builder applies to all executor pods.
+
+### Resource Quota
 
-## Setup
+A ResourceQuota caps aggregate resource consumption in the executor namespace:
 
-The network policy and RBAC resources are created by the setup script during initial deployment:
+| Resource          | Limit                             | Derivation                       |
+|-------------------|-----------------------------------|----------------------------------|
+| `pods`            | `K8S_MAX_CONCURRENT_PODS`         | Maximum concurrent executor pods |
+| `requests.cpu`    | `K8S_MAX_CONCURRENT_PODS` cores   | 1 core per pod                   |
+| `requests.memory` | `K8S_MAX_CONCURRENT_PODS × 128Mi` | 128Mi per pod                    |
+| `limits.cpu`      | Same as requests                  | Prevents burst beyond quota      |
+| `limits.memory`   | Same as requests                  | Prevents OOM beyond quota        |
 
-```bash
-./cert-generator/setup-k8s.sh
+This prevents a burst of executions from starving other workloads in the cluster.
+
+### Pod Security Admission (PSA)
+
+The executor namespace is labeled with the **restricted** Pod Security Standard:
+
+```yaml
+metadata:
+  labels:
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/enforce-version: latest
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/audit: restricted
 ```
 
-This script creates the `integr8scode` namespace, a ServiceAccount with appropriate permissions, and the deny-all NetworkPolicy.
+This is a Kubernetes-native admission control (no webhook required). Pods that violate the restricted profile (e.g.,
+requesting privileged mode, host networking, or writable root filesystem) are rejected at admission time.
 
-## Notes
+## CNI Requirements
 
-The NetworkPolicy requires a CNI plugin that supports network policies (Calico, Cilium, Weave Net, etc). K3s includes Flannel by default, which does not enforce policies. For production, install a policy-capable CNI or use K3s with the `--flannel-backend=none` flag and a separate CNI.
+The NetworkPolicy requires a CNI plugin that supports network policies (Calico, Cilium, Weave Net, etc). K3s includes
+Flannel by default, which does not enforce policies. For production, install a policy-capable CNI or use K3s with the
+`--flannel-backend=none` flag and a separate CNI.
 
-To allow specific egress traffic (for example, to internal services), create an additional NetworkPolicy with explicit egress rules rather than modifying the deny-all policy.
+To allow specific egress traffic (for example, to internal services), create an additional NetworkPolicy with explicit
+egress rules rather than modifying the deny-all policy.
diff --git a/frontend/nginx.conf.template b/frontend/nginx.conf.template
index 143630a0..f77e5760 100644
--- a/frontend/nginx.conf.template
+++ b/frontend/nginx.conf.template
@@ -13,8 +13,14 @@ server {
     index index.html;
 # --8<-- [end:server_block]
 
+    # --8<-- [start:nonce_injection]
+    sub_filter_once off;
+    sub_filter '**CSP_NONCE**' '$request_id';
+    sub_filter_types text/html;
+    # --8<-- [end:nonce_injection]
+
     # --8<-- [start:security_headers]
-    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'sha256-Pkom4KvU0VljnDtiOAuXdz1y9CQQFryJJLwdtlZ9fZg='; style-src 'self' 'sha256-sWLv0aySm7JTFhODjborN/q7xArZ+wUwhzTHzamJ2+4=' 'sha256-QpmcrFOkZac1E5hPaOFYcWTG9FtSYScZl4hAh4XuqZU=' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; connect-src 'self';";
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'nonce-$request_id'; style-src-elem 'self' 'nonce-$request_id'; style-src-attr 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; connect-src 'self';";
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
     add_header X-Frame-Options "DENY";
     add_header X-Content-Type-Options "nosniff";
diff --git a/frontend/package-lock.json b/frontend/package-lock.json
index c752f107..891dd724 100644
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
@@ -25,7 +25,7 @@
         "@uiw/codemirror-theme-github": "^4.25.5",
         "@uiw/codemirror-theme-monokai": "^4.24.2",
         "@uiw/codemirror-theme-vscode": "^4.24.2",
-        "ansi-to-html": "^0.7.2",
+        "ansi_up": "^6.0.2",
         "codemirror": "^6.0.1",
         "consola": "^3.4.2",
         "date-fns": "^4.1.0",
@@ -3063,6 +3063,14 @@
         "url": "https://github.com/sponsors/epoberezkin"
       }
     },
+    "node_modules/ansi_up": {
+      "version": "6.0.6",
+      "resolved": "https://registry.npmjs.org/ansi_up/-/ansi_up-6.0.6.tgz",
+      "integrity": "sha512-yIa1x3Ecf8jWP4UWEunNjqNX6gzE4vg2gGz+xqRGY+TBSucnYp6RRdPV4brmtg6bQ1ljD48mZ5iGSEj7QEpRKA==",
+      "engines": {
+        "node": "*"
+      }
+    },
     "node_modules/ansi-colors": {
       "version": "4.1.3",
       "resolved": "https://registry.npmjs.org/ansi-colors/-/ansi-colors-4.1.3.tgz",
@@ -3096,20 +3104,6 @@
         "url": "https://github.com/chalk/ansi-styles?sponsor=1"
       }
     },
-    "node_modules/ansi-to-html": {
-      "version": "0.7.2",
-      "resolved": "https://registry.npmjs.org/ansi-to-html/-/ansi-to-html-0.7.2.tgz",
-      "integrity": "sha512-v6MqmEpNlxF+POuyhKkidusCHWWkaLcGRURzivcU3I9tv7k4JVhFcnukrM5Rlk2rUywdZuzYAZ+kbZqWCnfN3g==",
-      "dependencies": {
-        "entities": "^2.2.0"
-      },
-      "bin": {
-        "ansi-to-html": "bin/ansi-to-html"
-      },
-      "engines": {
-        "node": ">=8.0.0"
-      }
-    },
     "node_modules/anymatch": {
       "version": "3.1.3",
       "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-3.1.3.tgz",
@@ -4285,6 +4279,7 @@
       "version": "2.2.0",
       "resolved": "https://registry.npmjs.org/entities/-/entities-2.2.0.tgz",
       "integrity": "sha512-p92if5Nz619I0w+akJrLZH0MX0Pb5DX39XOwQTtXSdQQOaYH03S1uIQp4mhOZtAXrxq4ViO67YTiLBo2638o9A==",
+      "dev": true,
       "funding": {
         "url": "https://github.com/fb55/entities?sponsor=1"
       }
diff --git a/frontend/package.json b/frontend/package.json
index 36bf5798..49cfd7ee 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -35,7 +35,7 @@
     "@uiw/codemirror-theme-github": "^4.25.5",
     "@uiw/codemirror-theme-monokai": "^4.24.2",
     "@uiw/codemirror-theme-vscode": "^4.24.2",
-    "ansi-to-html": "^0.7.2",
+    "ansi_up": "^6.0.2",
     "codemirror": "^6.0.1",
     "consola": "^3.4.2",
     "date-fns": "^4.1.0",
diff --git a/frontend/public/index.html b/frontend/public/index.html
index da0c9786..0d5868ad 100644
--- a/frontend/public/index.html
+++ b/frontend/public/index.html
@@ -3,42 +3,44 @@
 <head>
     <meta charset='utf-8'>
     <meta name='viewport' content='width=device-width,initial-scale=1'>
+    <meta name="csp-nonce" content="**CSP_NONCE**">
 
     <title>Integr8sCode</title>
     <meta name="description" content="Integr8sCode - Write, compile, and manage code directly in your browser with our powerful online development environment">
 
     <link rel='icon' type='image/png' href='/favicon.png'>
 
-    <style>
+    <style nonce="**CSP_NONCE**">
         body { margin: 0; font-family: system-ui, -apple-system, sans-serif; }
         .app-container { max-width: 1280px; margin: 0 auto; padding: 0 1rem; }
         header { position: fixed; top: 0; left: 0; right: 0; z-index: 50; }
         main { padding-top: 1rem; }
-        /* Prevent layout shift */
         img { max-width: 100%; height: auto; }
         @media (prefers-color-scheme: dark) {
             body { background-color: #0f172a; color: #e2e8f0; }
         }
+        .app-loading { min-height: 100vh; display: flex; align-items: center; justify-content: center; }
+        .app-loading-inner { text-align: center; }
+        .app-loading-spinner { width: 40px; height: 40px; border: 3px solid #f3f4f6; border-top-color: #3b82f6; border-radius: 50%; animation: spin 1s linear infinite; margin: 0 auto; }
+        .app-loading-hidden { display: none; }
+        @keyframes spin { to { transform: rotate(360deg); } }
     </style>
 
     <link rel="stylesheet" href="/build/bundle.css">
-    <script type="module" src='/build/main.js'></script>
+    <script nonce="**CSP_NONCE**" type="module" src='/build/main.js'></script>
 </head>
 
 <body>
-    <div id="app-loading" style="min-height: 100vh; display: flex; align-items: center; justify-content: center;">
-        <div style="text-align: center;">
-            <div style="width: 40px; height: 40px; border: 3px solid #f3f4f6; border-top-color: #3b82f6; border-radius: 50%; animation: spin 1s linear infinite; margin: 0 auto;"></div>
-            <style>
-                @keyframes spin { to { transform: rotate(360deg); } }
-            </style>
+    <div id="app-loading" class="app-loading">
+        <div class="app-loading-inner">
+            <div class="app-loading-spinner"></div>
         </div>
     </div>
-    <script>
+    <script nonce="**CSP_NONCE**">
         window.addEventListener('DOMContentLoaded', () => {
             setTimeout(() => {
                 const loader = document.getElementById('app-loading');
-                if (loader) loader.style.display = 'none';
+                if (loader) loader.classList.add('app-loading-hidden');
             }, 100);
         });
     </script>
diff --git a/frontend/src/app.css b/frontend/src/app.css
index cacacc20..98a0b3df 100644
--- a/frontend/src/app.css
+++ b/frontend/src/app.css
@@ -579,4 +579,45 @@
     @apply px-2 py-1 text-sm border border-border-input dark:border-dark-border-input
            rounded bg-surface-overlay dark:bg-dark-surface-overlay text-fg-default dark:text-dark-fg-default;
   }
+
+  /* ANSI color classes for ansi_up (class-based mode) */
+  .ansi-black-fg { color: #000; }
+  .ansi-red-fg { color: #C00; }
+  .ansi-green-fg { color: #0C0; }
+  .ansi-yellow-fg { color: #C50; }
+  .ansi-blue-fg { color: #00C; }
+  .ansi-magenta-fg { color: #C0C; }
+  .ansi-cyan-fg { color: #0CC; }
+  .ansi-white-fg { color: #CCC; }
+  .ansi-bright-black-fg { color: #555; }
+  .ansi-bright-red-fg { color: #F55; }
+  .ansi-bright-green-fg { color: #5F5; }
+  .ansi-bright-yellow-fg { color: #FF5; }
+  .ansi-bright-blue-fg { color: #55F; }
+  .ansi-bright-magenta-fg { color: #F5F; }
+  .ansi-bright-cyan-fg { color: #5FF; }
+  .ansi-bright-white-fg { color: #FFF; }
+  .ansi-black-bg { background-color: #000; }
+  .ansi-red-bg { background-color: #C00; }
+  .ansi-green-bg { background-color: #0C0; }
+  .ansi-yellow-bg { background-color: #C50; }
+  .ansi-blue-bg { background-color: #00C; }
+  .ansi-magenta-bg { background-color: #C0C; }
+  .ansi-cyan-bg { background-color: #0CC; }
+  .ansi-white-bg { background-color: #CCC; }
+  .ansi-bright-black-bg { background-color: #555; }
+  .ansi-bright-red-bg { background-color: #F55; }
+  .ansi-bright-green-bg { background-color: #5F5; }
+  .ansi-bright-yellow-bg { background-color: #FF5; }
+  .ansi-bright-blue-bg { background-color: #55F; }
+  .ansi-bright-magenta-bg { background-color: #F5F; }
+  .ansi-bright-cyan-bg { background-color: #5FF; }
+  .ansi-bright-white-bg { background-color: #FFF; }
+  .ansi-bold { font-weight: bold; }
+  .ansi-italic { font-style: italic; }
+  .ansi-underline { text-decoration: underline; }
+
+  :is(.dark) .ansi-black-fg { color: #555; }
+  :is(.dark) .ansi-white-fg { color: #e2e8f0; }
+  :is(.dark) .ansi-bright-white-fg { color: #FFF; }
 }
diff --git a/frontend/src/components/editor/CodeMirrorEditor.svelte b/frontend/src/components/editor/CodeMirrorEditor.svelte
index 41c2538d..53f8421e 100644
--- a/frontend/src/components/editor/CodeMirrorEditor.svelte
+++ b/frontend/src/components/editor/CodeMirrorEditor.svelte
@@ -23,6 +23,10 @@
     let container: HTMLElement;
     let view: EditorView | null = null;
 
+    function getCspNonce(): string {
+        return document.querySelector('meta[name="csp-nonce"]')?.getAttribute('content') ?? '';
+    }
+
     const themeCompartment = new Compartment();
     const fontSizeCompartment = new Compartment();
     const tabSizeCompartment = new Compartment();
@@ -36,6 +40,7 @@
 
     function getStaticExtensions() {
         return [
+            EditorView.cspNonce.of(getCspNonce()),
             lineNumbersCompartment.of(settings.show_line_numbers ? lineNumbers() : []),
             highlightActiveLineGutter(),
             highlightActiveLine(),
diff --git a/frontend/src/components/editor/OutputPanel.svelte b/frontend/src/components/editor/OutputPanel.svelte
index b8fe9794..c89ab718 100644
--- a/frontend/src/components/editor/OutputPanel.svelte
+++ b/frontend/src/components/editor/OutputPanel.svelte
@@ -3,7 +3,7 @@
     import type { ExecutionPhase } from '$lib/editor';
     import Spinner from '$components/Spinner.svelte';
     import { AlertTriangle, FileText, Copy } from '@lucide/svelte';
-    import AnsiToHtml from 'ansi-to-html';
+    import { AnsiUp } from 'ansi_up';
     import DOMPurify from 'dompurify';
     import { toast } from 'svelte-sonner';
 
@@ -13,18 +13,14 @@
         error: string | null;
     } = $props();
 
-    const ansiConverter = new AnsiToHtml({
-        fg: '#000', bg: '#FFF', newline: true, escapeXML: true, stream: false,
-        colors: {
-            0: '#000', 1: '#C00', 2: '#0C0', 3: '#C50', 4: '#00C', 5: '#C0C', 6: '#0CC', 7: '#CCC',
-            8: '#555', 9: '#F55', 10: '#5F5', 11: '#FF5', 12: '#55F', 13: '#F5F', 14: '#5FF', 15: '#FFF'
-        }
-    });
+    const ansiConverter = new AnsiUp();
+    ansiConverter.use_classes = true;
+    ansiConverter.escape_html = true;
 
     function sanitize(html: string): string {
         return DOMPurify.sanitize(html, {
             ALLOWED_TAGS: ['span', 'br', 'div'],
-            ALLOWED_ATTR: ['class', 'style']
+            ALLOWED_ATTR: ['class']
         });
     }
 
@@ -99,7 +95,7 @@
                     <div class="output-section">
                         <h4 class="text-xs font-medium text-fg-muted dark:text-dark-fg-muted mb-1 uppercase tracking-wider">Output:</h4>
                         <div class="relative">
-                            <pre class="output-pre custom-scrollbar" data-testid="output-pre">{@html sanitize(ansiConverter.toHtml(result.stdout || ''))}</pre>
+                            <pre class="output-pre custom-scrollbar" data-testid="output-pre">{@html sanitize(ansiConverter.ansi_to_html(result.stdout))}</pre>
                             <div class="absolute bottom-2 right-2 group">
                                 <button type="button" class="inline-flex items-center p-1.5 rounded-lg text-fg-muted dark:text-dark-fg-muted hover:text-fg-default dark:hover:text-dark-fg-default hover:bg-neutral-100 dark:hover:bg-neutral-700 transition-colors duration-150 cursor-pointer opacity-70 hover:opacity-100"
                                         aria-label="Copy output to clipboard"
@@ -119,7 +115,7 @@
                         <h4 class="text-xs font-medium text-red-700 dark:text-red-300 mb-1 uppercase tracking-wider">Errors:</h4>
                         <div class="relative">
                             <div class="p-3 rounded-lg bg-red-50 dark:bg-red-950 border border-red-200 dark:border-red-800">
-                                <pre class="text-xs text-red-600 dark:text-red-300 whitespace-pre-wrap break-words font-mono bg-transparent p-0 pr-8">{@html sanitize(ansiConverter.toHtml(result.stderr || ''))}</pre>
+                                <pre class="text-xs text-red-600 dark:text-red-300 whitespace-pre-wrap break-words font-mono bg-transparent p-0 pr-8">{@html sanitize(ansiConverter.ansi_to_html(result.stderr))}</pre>
                             </div>
                             <div class="absolute bottom-2 right-2 group">
                                 <button type="button" class="inline-flex items-center p-1.5 rounded-lg text-red-600 dark:text-red-400 hover:text-red-800 dark:hover:text-red-200 hover:bg-red-100 dark:hover:bg-red-900 transition-colors duration-150 cursor-pointer opacity-70 hover:opacity-100"
diff --git a/frontend/src/components/editor/__tests__/CodeMirrorEditor.test.ts b/frontend/src/components/editor/__tests__/CodeMirrorEditor.test.ts
index 74e1453c..f6ef7e64 100644
--- a/frontend/src/components/editor/__tests__/CodeMirrorEditor.test.ts
+++ b/frontend/src/components/editor/__tests__/CodeMirrorEditor.test.ts
@@ -36,6 +36,7 @@ Object.assign(mocks.editorViewConstructor, {
   lineWrapping: 'lineWrapping-ext',
   theme: mocks.themeFn,
   updateListener: { of: vi.fn((fn: unknown) => ({ updateListener: fn })) },
+  cspNonce: { of: vi.fn((v: string) => ({ cspNonce: v })) },
 });
 
 vi.mock('@codemirror/state', () => {

From 9c774fc39e106621cd074076e2c5bc77378be29c Mon Sep 17 00:00:00 2001
From: HardMax71 <maxymazatyan@gmail.com>
Date: Mon, 2 Mar 2026 23:14:48 +0100
Subject: [PATCH 03/13] fix: detected issues - index.html: aria labels for
 loading wheel - worker: well-typed objs for k8s-client internal stuff - seed
 user: moved pwd hasher creation to main, taking num of rounds from settings
 obj - docs: update on diff between style-src-elem vs. style-src-attr - docs:
 fix of identation in nginx-config doc

---
 backend/app/services/k8s_worker/worker.py | 139 +++++++++-------------
 backend/scripts/seed_users.py             |   6 +-
 docs/operations/nginx-configuration.md    |  27 +++--
 frontend/public/index.html                |   6 +-
 4 files changed, 82 insertions(+), 96 deletions(-)

diff --git a/backend/app/services/k8s_worker/worker.py b/backend/app/services/k8s_worker/worker.py
index 6a471bcc..5335c2be 100644
--- a/backend/app/services/k8s_worker/worker.py
+++ b/backend/app/services/k8s_worker/worker.py
@@ -1,7 +1,6 @@
 import asyncio
 import time
 from pathlib import Path
-from typing import Any
 
 import structlog
 from kubernetes_asyncio import client as k8s_client
@@ -267,7 +266,7 @@ async def ensure_namespace_security(self) -> None:
         await self._apply_psa_labels(namespace)
 
     async def _ensure_executor_network_policy(self, namespace: str) -> None:
-        """Create default-deny NetworkPolicy for executor pods."""
+        """Create or update default-deny NetworkPolicy for executor pods."""
         policy_name = "executor-deny-all"
 
         policy = k8s_client.V1NetworkPolicy(
@@ -279,31 +278,24 @@ async def _ensure_executor_network_policy(self, namespace: str) -> None:
                 labels={"app": "integr8s", "component": "security"},
             ),
             spec=k8s_client.V1NetworkPolicySpec(
-                pod_selector=k8s_client.V1LabelSelector(
-                    match_labels={"component": "executor"},
-                ),
+                pod_selector=k8s_client.V1LabelSelector(match_labels={"component": "executor"}),
                 policy_types=["Ingress", "Egress"],
                 ingress=[],
                 egress=[],
             ),
         )
 
-        try:
-            await self.networking_v1.read_namespaced_network_policy(name=policy_name, namespace=namespace)
-            await self.networking_v1.replace_namespaced_network_policy(
-                name=policy_name, namespace=namespace, body=policy,
-            )
-            self.logger.info(f"NetworkPolicy '{policy_name}' updated in namespace {namespace}")
-        except ApiException as e:
-            if e.status == 404:
-                await self.networking_v1.create_namespaced_network_policy(namespace=namespace, body=policy)
-                self.logger.info(f"NetworkPolicy '{policy_name}' created in namespace {namespace}")
-            else:
-                self.logger.error(f"Failed to apply NetworkPolicy '{policy_name}': {e.reason}")
+        await self.networking_v1.patch_namespaced_network_policy(  # type: ignore[call-arg]
+            name=policy_name, namespace=namespace, body=policy,
+            field_manager="integr8s", force=True,
+            _content_type="application/apply-patch+yaml",
+        )
+        self.logger.info(f"NetworkPolicy '{policy_name}' applied in namespace {namespace}")
 
     async def _ensure_executor_resource_quota(self, namespace: str) -> None:
-        """Create ResourceQuota to cap aggregate executor pod consumption."""
+        """Create or update ResourceQuota to cap aggregate executor pod consumption."""
         quota_name = "executor-quota"
+        n = self._settings.K8S_MAX_CONCURRENT_PODS
 
         quota = k8s_client.V1ResourceQuota(
             api_version="v1",
@@ -315,25 +307,21 @@ async def _ensure_executor_resource_quota(self, namespace: str) -> None:
             ),
             spec=k8s_client.V1ResourceQuotaSpec(
                 hard={
-                    "pods": str(self._settings.K8S_MAX_CONCURRENT_PODS),
-                    "requests.cpu": f"{self._settings.K8S_MAX_CONCURRENT_PODS}",
-                    "requests.memory": f"{self._settings.K8S_MAX_CONCURRENT_PODS * 128}Mi",
-                    "limits.cpu": f"{self._settings.K8S_MAX_CONCURRENT_PODS}",
-                    "limits.memory": f"{self._settings.K8S_MAX_CONCURRENT_PODS * 128}Mi",
+                    "pods": str(n),
+                    "requests.cpu": f"{int(self._settings.K8S_POD_CPU_REQUEST.removesuffix('m')) * n}m",
+                    "requests.memory": f"{int(self._settings.K8S_POD_MEMORY_REQUEST.removesuffix('Mi')) * n}Mi",
+                    "limits.cpu": f"{int(self._settings.K8S_POD_CPU_LIMIT.removesuffix('m')) * n}m",
+                    "limits.memory": f"{int(self._settings.K8S_POD_MEMORY_LIMIT.removesuffix('Mi')) * n}Mi",
                 },
             ),
         )
 
-        try:
-            await self.v1.read_namespaced_resource_quota(name=quota_name, namespace=namespace)
-            await self.v1.replace_namespaced_resource_quota(name=quota_name, namespace=namespace, body=quota)
-            self.logger.info(f"ResourceQuota '{quota_name}' updated in namespace {namespace}")
-        except ApiException as e:
-            if e.status == 404:
-                await self.v1.create_namespaced_resource_quota(namespace=namespace, body=quota)
-                self.logger.info(f"ResourceQuota '{quota_name}' created in namespace {namespace}")
-            else:
-                self.logger.error(f"Failed to apply ResourceQuota '{quota_name}': {e.reason}")
+        await self.v1.patch_namespaced_resource_quota(  # type: ignore[call-arg]
+            name=quota_name, namespace=namespace, body=quota,
+            field_manager="integr8s", force=True,
+            _content_type="application/apply-patch+yaml",
+        )
+        self.logger.info(f"ResourceQuota '{quota_name}' applied in namespace {namespace}")
 
     async def _apply_psa_labels(self, namespace: str) -> None:
         """Apply Pod Security Admission labels to the executor namespace."""
@@ -344,12 +332,8 @@ async def _apply_psa_labels(self, namespace: str) -> None:
             "pod-security.kubernetes.io/audit": "restricted",
         }
 
-        patch_body = {"metadata": {"labels": psa_labels}}
-        try:
-            await self.v1.patch_namespace(name=namespace, body=patch_body)
-            self.logger.info(f"Pod Security Admission labels applied to namespace {namespace}")
-        except ApiException as e:
-            self.logger.error(f"Failed to apply PSA labels to namespace {namespace}: {e.reason}")
+        await self.v1.patch_namespace(name=namespace, body={"metadata": {"labels": psa_labels}})
+        self.logger.info(f"Pod Security Admission labels applied to namespace {namespace}")
 
     async def ensure_image_pre_puller_daemonset(self) -> None:
         """Ensure the runtime image pre-puller DaemonSet exists."""
@@ -357,56 +341,45 @@ async def ensure_image_pre_puller_daemonset(self) -> None:
         namespace = self._settings.K8S_NAMESPACE
 
         try:
-            init_containers = []
+            init_containers: list[k8s_client.V1Container] = []
             all_images = {config.image for lang in RUNTIME_REGISTRY.values() for config in lang.values()}
 
             for i, image_ref in enumerate(sorted(all_images)):
                 sanitized_image_ref = image_ref.split("/")[-1].replace(":", "-").replace(".", "-").replace("_", "-")
                 self.logger.info(f"DAEMONSET: before: {image_ref} -> {sanitized_image_ref}")
-                container_name = f"pull-{i}-{sanitized_image_ref}"
-                init_containers.append(
-                    {
-                        "name": container_name,
-                        "image": image_ref,
-                        "command": ["/bin/sh", "-c", f'echo "Image {image_ref} pulled."'],
-                        "imagePullPolicy": "Always",
-                    }
-                )
-
-            manifest: dict[str, Any] = {
-                "apiVersion": "apps/v1",
-                "kind": "DaemonSet",
-                "metadata": {"name": daemonset_name, "namespace": namespace},
-                "spec": {
-                    "selector": {"matchLabels": {"name": daemonset_name}},
-                    "template": {
-                        "metadata": {"labels": {"name": daemonset_name}},
-                        "spec": {
-                            "initContainers": init_containers,
-                            "containers": [{"name": "pause", "image": "registry.k8s.io/pause:3.9"}],
-                            "tolerations": [{"operator": "Exists"}],
-                        },
-                    },
-                    "updateStrategy": {"type": "RollingUpdate"},
-                },
-            }
+                init_containers.append(k8s_client.V1Container(
+                    name=f"pull-{i}-{sanitized_image_ref}",
+                    image=image_ref,
+                    command=["/bin/sh", "-c", f'echo "Image {image_ref} pulled."'],
+                    image_pull_policy="Always",
+                ))
+
+            daemonset = k8s_client.V1DaemonSet(
+                api_version="apps/v1",
+                kind="DaemonSet",
+                metadata=k8s_client.V1ObjectMeta(name=daemonset_name, namespace=namespace),
+                spec=k8s_client.V1DaemonSetSpec(
+                    selector=k8s_client.V1LabelSelector(match_labels={"name": daemonset_name}),
+                    template=k8s_client.V1PodTemplateSpec(
+                        metadata=k8s_client.V1ObjectMeta(labels={"name": daemonset_name}),
+                        spec=k8s_client.V1PodSpec(
+                            init_containers=init_containers,
+                            containers=[k8s_client.V1Container(
+                                name="pause", image="registry.k8s.io/pause:3.9",
+                            )],
+                            tolerations=[k8s_client.V1Toleration(operator="Exists")],
+                        ),
+                    ),
+                    update_strategy=k8s_client.V1DaemonSetUpdateStrategy(type="RollingUpdate"),
+                ),
+            )
 
-            try:
-                await self.apps_v1.read_namespaced_daemon_set(name=daemonset_name, namespace=namespace)
-                self.logger.info(f"DaemonSet '{daemonset_name}' exists. Replacing to ensure it is up-to-date.")
-                await self.apps_v1.replace_namespaced_daemon_set(
-                    name=daemonset_name, namespace=namespace, body=manifest  # type: ignore[arg-type]
-                )
-                self.logger.info(f"DaemonSet '{daemonset_name}' replaced successfully.")
-            except ApiException as e:
-                if e.status == 404:
-                    self.logger.info(f"DaemonSet '{daemonset_name}' not found. Creating...")
-                    await self.apps_v1.create_namespaced_daemon_set(
-                        namespace=namespace, body=manifest  # type: ignore[arg-type]
-                    )
-                    self.logger.info(f"DaemonSet '{daemonset_name}' created successfully.")
-                else:
-                    raise
+            await self.apps_v1.patch_namespaced_daemon_set(  # type: ignore[call-arg]
+                name=daemonset_name, namespace=namespace, body=daemonset,
+                field_manager="integr8s", force=True,
+                _content_type="application/apply-patch+yaml",
+            )
+            self.logger.info(f"DaemonSet '{daemonset_name}' applied successfully")
 
         except ApiException as e:
             self.logger.error(f"K8s API error applying DaemonSet '{daemonset_name}': {e.reason}", exc_info=True)
diff --git a/backend/scripts/seed_users.py b/backend/scripts/seed_users.py
index 5378e22c..f3e9349d 100755
--- a/backend/scripts/seed_users.py
+++ b/backend/scripts/seed_users.py
@@ -23,11 +23,10 @@
 from pymongo.asynchronous.database import AsyncDatabase
 from pymongo.asynchronous.mongo_client import AsyncMongoClient
 
-pwd_hasher = PasswordHash((BcryptHasher(rounds=12),))
-
 
 async def upsert_user(
     db: AsyncDatabase[dict[str, Any]],
+    pwd_hasher: PasswordHash,
     username: str,
     email: str,
     password: str,
@@ -71,6 +70,7 @@ async def upsert_user(
 
 async def seed_users(settings: Settings) -> None:
     """Seed default users using provided settings for MongoDB connection."""
+    pwd_hasher = PasswordHash((BcryptHasher(rounds=settings.BCRYPT_ROUNDS),))
     default_password = os.environ.get("DEFAULT_USER_PASSWORD", "user123")
     admin_password = os.environ.get("ADMIN_USER_PASSWORD", "admin123")
 
@@ -81,6 +81,7 @@ async def seed_users(settings: Settings) -> None:
     # Default user
     await upsert_user(
         db,
+        pwd_hasher,
         username="user",
         email="user@integr8scode.com",
         password=default_password,
@@ -91,6 +92,7 @@ async def seed_users(settings: Settings) -> None:
     # Admin user
     await upsert_user(
         db,
+        pwd_hasher,
         username="admin",
         email="admin@integr8scode.com",
         password=admin_password,
diff --git a/docs/operations/nginx-configuration.md b/docs/operations/nginx-configuration.md
index f2b5ac43..3b86b092 100644
--- a/docs/operations/nginx-configuration.md
+++ b/docs/operations/nginx-configuration.md
@@ -192,11 +192,20 @@ All security headers are defined at the `server` level so they apply to every re
 execute. With the nonce, only scripts carrying the per-request nonce are allowed. An attacker cannot predict the nonce
 value (it changes on every request), so injected scripts are blocked.
 
-**Why `style-src-elem` + `style-src-attr` split instead of blanket `style-src`?** The `elem`/`attr` split is strictly
-tighter. `style-src-elem 'nonce-...'` blocks injected `<style>` tags (the more dangerous CSS vector for `@font-face` +
-attribute-selector exfiltration). `style-src-attr 'unsafe-inline'` allows `style=""` attributes, which Svelte
-transitions, CodeMirror, and inline style bindings require. CSS attribute injection can only exfiltrate data if
-`img-src`/`connect-src` allow attacker URLs — `default-src 'self'` blocks that channel entirely.
+**Why `style-src-elem` + `style-src-attr` split instead of blanket `style-src`?** CSP Level 3 splits the old
+`style-src` into two directives. `style-src-elem` governs `<style>` tags and `<link rel="stylesheet">` — the dangerous
+vector where an injected `<style>` tag can use `@font-face` + attribute selectors to exfiltrate secrets
+character-by-character. We lock this down with nonces. `style-src-attr` governs `style=""` attributes on elements —
+much lower risk because exfiltration (e.g., `background-image: url(...)`) requires `img-src`/`connect-src` to allow
+attacker domains, and our `default-src 'self'` blocks that channel entirely. We allow `'unsafe-inline'` only on
+`style-src-attr` because Svelte transitions, CodeMirror, and inline style bindings inject `style=""` attributes at
+runtime, where nonces/hashes are impossible (CSP has no mechanism for per-attribute nonces).
+
+!!! note "Scanner false positives"
+    Security scanners that only understand CSP Level 2 (`style-src`) will flag `'unsafe-inline'` without recognizing
+    the Level 3 `style-src-elem` / `style-src-attr` split. Since `style-src-elem` is nonce-locked, the
+    `'unsafe-inline'` on `style-src-attr` does not weaken the policy — the dangerous CSS vector (`<style>` tag
+    injection) is already blocked.
 
 #### Other security headers
 
@@ -256,10 +265,10 @@ the `server` level apply uniformly to all responses:
 | `location /`                  | No                | Yes                         |
 
 !!! warning "Adding `add_header` to a location"
-If you need to add a response header in a specific location, you must **repeat all five security headers** in that
-same block, or use the `always` parameter with an `include` file. Prefer solving the problem without `add_header`
-when possible (e.g., use `proxy_set_header` for upstream-facing headers, or let the backend set its own response
-headers).
+    If you need to add a response header in a specific location, you must **repeat all five security headers** in that
+    same block, or use the `always` parameter with an `include` file. Prefer solving the problem without `add_header`
+    when possible (e.g., use `proxy_set_header` for upstream-facing headers, or let the backend set its own response
+    headers).
 
 ### `proxy_set_header` vs `add_header`
 
diff --git a/frontend/public/index.html b/frontend/public/index.html
index 0d5868ad..7859f44b 100644
--- a/frontend/public/index.html
+++ b/frontend/public/index.html
@@ -23,6 +23,7 @@
         .app-loading-inner { text-align: center; }
         .app-loading-spinner { width: 40px; height: 40px; border: 3px solid #f3f4f6; border-top-color: #3b82f6; border-radius: 50%; animation: spin 1s linear infinite; margin: 0 auto; }
         .app-loading-hidden { display: none; }
+        .sr-only { position: absolute; width: 1px; height: 1px; padding: 0; margin: -1px; overflow: hidden; clip: rect(0,0,0,0); white-space: nowrap; border: 0; }
         @keyframes spin { to { transform: rotate(360deg); } }
     </style>
 
@@ -31,9 +32,10 @@
 </head>
 
 <body>
-    <div id="app-loading" class="app-loading">
+    <div id="app-loading" class="app-loading" role="status" aria-live="polite" aria-busy="true">
         <div class="app-loading-inner">
-            <div class="app-loading-spinner"></div>
+            <div class="app-loading-spinner" aria-hidden="true"></div>
+            <span class="sr-only">Loading…</span>
         </div>
     </div>
     <script nonce="**CSP_NONCE**">

From f9d32c25c12831b8433aaf7418927b59cbaf3dc7 Mon Sep 17 00:00:00 2001
From: HardMax71 <maxymazatyan@gmail.com>
Date: Mon, 2 Mar 2026 23:29:16 +0100
Subject: [PATCH 04/13] fix: missing permissions for created k8s role - added

---
 cert-generator/setup-k8s.sh | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/cert-generator/setup-k8s.sh b/cert-generator/setup-k8s.sh
index cee3dcb0..591cbf46 100644
--- a/cert-generator/setup-k8s.sh
+++ b/cert-generator/setup-k8s.sh
@@ -107,7 +107,7 @@ metadata:
 rules:
 - apiGroups: [""]
   resources: ["namespaces"]
-  verbs: ["get", "list"]
+  verbs: ["get", "list", "patch"]
 EOF
 
 # Create ClusterRoleBinding
@@ -139,10 +139,13 @@ rules:
   verbs: ["create", "get", "list", "watch", "delete", "patch", "update"]
 - apiGroups: ["apps"]
   resources: ["daemonsets"]
-  verbs: ["get", "list", "watch", "create", "delete", "replace", "update"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 - apiGroups: ["networking.k8s.io"]
   resources: ["networkpolicies"]
-  verbs: ["get", "list", "watch", "create", "delete"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: [""]
+  resources: ["resourcequotas"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 EOF
 
 # Create RoleBinding

From de03298344afd22990d02a8cbffc1a4d159a2e43 Mon Sep 17 00:00:00 2001
From: HardMax71 <maxymazatyan@gmail.com>
Date: Mon, 2 Mar 2026 23:46:10 +0100
Subject: [PATCH 05/13] fix: deleting pods after any end (e.g.
 success/fail/timeout) in monitor

---
 backend/app/services/pod_monitor/monitor.py | 30 +++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/backend/app/services/pod_monitor/monitor.py b/backend/app/services/pod_monitor/monitor.py
index 2542b92c..06dd4a65 100644
--- a/backend/app/services/pod_monitor/monitor.py
+++ b/backend/app/services/pod_monitor/monitor.py
@@ -6,14 +6,22 @@
 import structlog
 from kubernetes_asyncio import client as k8s_client
 from kubernetes_asyncio import watch as k8s_watch
+from kubernetes_asyncio.client.rest import ApiException
 
 from app.core.metrics import KubernetesMetrics
 from app.core.utils import StringEnum
+from app.domain.enums import EventType
 from app.domain.events import DomainEvent
 from app.services.kafka_event_service import KafkaEventService
 from app.services.pod_monitor.config import PodMonitorConfig
 from app.services.pod_monitor.event_mapper import PodEventMapper, WatchEventType
 
+_TERMINAL_EVENT_TYPES: frozenset[str] = frozenset({
+    EventType.EXECUTION_COMPLETED,
+    EventType.EXECUTION_FAILED,
+    EventType.EXECUTION_TIMEOUT,
+})
+
 # Type aliases
 type ResourceVersion = str
 type KubeEvent = dict[str, Any]
@@ -179,6 +187,10 @@ async def _process_pod_event(self, event: PodEvent) -> None:
             for app_event in app_events:
                 await self._publish_event(app_event, event.pod)
 
+            # Delete pod once all data has been extracted and terminal events published
+            if any(e.event_type in _TERMINAL_EVENT_TYPES for e in app_events):
+                await self._delete_pod(event.pod)
+
             if app_events:
                 self.logger.info(
                     f"Processed {event.event_type} event for pod {pod_name} "
@@ -206,3 +218,21 @@ async def _publish_event(self, event: DomainEvent, pod: k8s_client.V1Pod) -> Non
 
         except Exception as e:
             self.logger.error(f"Error publishing event: {e}", exc_info=True)
+
+    async def _delete_pod(self, pod: k8s_client.V1Pod) -> None:
+        """Delete a pod after its data has been fully extracted.
+
+        Frees the ResourceQuota slot so new executor pods can be scheduled.
+        The ConfigMap is garbage-collected automatically via ownerReference.
+        """
+        pod_name = pod.metadata.name
+        try:
+            await self._v1.delete_namespaced_pod(
+                name=pod_name, namespace=pod.metadata.namespace, grace_period_seconds=0,
+            )
+            self.logger.info(f"Deleted completed pod {pod_name}")
+        except ApiException as e:
+            if e.status == 404:
+                self.logger.debug(f"Pod {pod_name} already deleted")
+            else:
+                self.logger.warning(f"Failed to delete pod {pod_name}: {e.reason}")

From 7c27762d3a830ccc3dbc106e04ac6d39d7a10213 Mon Sep 17 00:00:00 2001
From: HardMax71 <maxymazatyan@gmail.com>
Date: Mon, 2 Mar 2026 23:57:25 +0100
Subject: [PATCH 06/13] fix: cleaning up stale pods

---
 cert-generator/setup-k8s.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/cert-generator/setup-k8s.sh b/cert-generator/setup-k8s.sh
index 591cbf46..9e906dd6 100644
--- a/cert-generator/setup-k8s.sh
+++ b/cert-generator/setup-k8s.sh
@@ -89,6 +89,9 @@ echo "Connected to Kubernetes"
 # Create namespace
 kubectl create namespace integr8scode --dry-run=client -o yaml | kubectl apply -f -
 
+# Clean up stale executor pods from previous runs so they don't consume ResourceQuota
+kubectl delete pods -n integr8scode -l component=executor --field-selector=status.phase!=Running --ignore-not-found 2>/dev/null || true
+
 # Create ServiceAccount
 kubectl apply -f - <<EOF
 apiVersion: v1

From 0626661aae589ae9ff0abcbf7f2932ad7213ddca Mon Sep 17 00:00:00 2001
From: HardMax71 <maxymazatyan@gmail.com>
Date: Tue, 3 Mar 2026 00:13:36 +0100
Subject: [PATCH 07/13] fix: adding security context

---
 backend/app/services/k8s_worker/worker.py  | 15 +++++++++++++++
 backend/app/services/pod_monitor/config.py |  2 +-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/backend/app/services/k8s_worker/worker.py b/backend/app/services/k8s_worker/worker.py
index 5335c2be..84a4cd31 100644
--- a/backend/app/services/k8s_worker/worker.py
+++ b/backend/app/services/k8s_worker/worker.py
@@ -344,6 +344,14 @@ async def ensure_image_pre_puller_daemonset(self) -> None:
             init_containers: list[k8s_client.V1Container] = []
             all_images = {config.image for lang in RUNTIME_REGISTRY.values() for config in lang.values()}
 
+            psa_security_context = k8s_client.V1SecurityContext(
+                allow_privilege_escalation=False,
+                capabilities=k8s_client.V1Capabilities(drop=["ALL"]),
+                run_as_non_root=True,
+                run_as_user=65534,
+                seccomp_profile=k8s_client.V1SeccompProfile(type="RuntimeDefault"),
+            )
+
             for i, image_ref in enumerate(sorted(all_images)):
                 sanitized_image_ref = image_ref.split("/")[-1].replace(":", "-").replace(".", "-").replace("_", "-")
                 self.logger.info(f"DAEMONSET: before: {image_ref} -> {sanitized_image_ref}")
@@ -352,6 +360,7 @@ async def ensure_image_pre_puller_daemonset(self) -> None:
                     image=image_ref,
                     command=["/bin/sh", "-c", f'echo "Image {image_ref} pulled."'],
                     image_pull_policy="Always",
+                    security_context=psa_security_context,
                 ))
 
             daemonset = k8s_client.V1DaemonSet(
@@ -366,8 +375,14 @@ async def ensure_image_pre_puller_daemonset(self) -> None:
                             init_containers=init_containers,
                             containers=[k8s_client.V1Container(
                                 name="pause", image="registry.k8s.io/pause:3.9",
+                                security_context=psa_security_context,
                             )],
                             tolerations=[k8s_client.V1Toleration(operator="Exists")],
+                            security_context=k8s_client.V1PodSecurityContext(
+                                run_as_non_root=True,
+                                run_as_user=65534,
+                                seccomp_profile=k8s_client.V1SeccompProfile(type="RuntimeDefault"),
+                            ),
                         ),
                     ),
                     update_strategy=k8s_client.V1DaemonSetUpdateStrategy(type="RollingUpdate"),
diff --git a/backend/app/services/pod_monitor/config.py b/backend/app/services/pod_monitor/config.py
index 33c7d497..25a900b9 100644
--- a/backend/app/services/pod_monitor/config.py
+++ b/backend/app/services/pod_monitor/config.py
@@ -15,7 +15,7 @@ class PodMonitorConfig:
     # Watch settings
     label_selector: str = "app=integr8s,component=executor"
     field_selector: str | None = None
-    watch_timeout_seconds: int = 300  # 5 minutes
+    watch_timeout_seconds: int = 30  # 30 seconds — short enough for APScheduler 5s interval
 
     # Monitoring settings
     enable_metrics: bool = True

From a0d2e9161cdb4d0721b4ff7cfed6459835ae8dd1 Mon Sep 17 00:00:00 2001
From: HardMax71 <maxymazatyan@gmail.com>
Date: Tue, 3 Mar 2026 00:23:09 +0100
Subject: [PATCH 08/13] fix: limit to pre-pull containers added

---
 backend/app/services/k8s_worker/worker.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/backend/app/services/k8s_worker/worker.py b/backend/app/services/k8s_worker/worker.py
index 84a4cd31..3505f2d7 100644
--- a/backend/app/services/k8s_worker/worker.py
+++ b/backend/app/services/k8s_worker/worker.py
@@ -352,6 +352,11 @@ async def ensure_image_pre_puller_daemonset(self) -> None:
                 seccomp_profile=k8s_client.V1SeccompProfile(type="RuntimeDefault"),
             )
 
+            minimal_resources = k8s_client.V1ResourceRequirements(
+                requests={"cpu": "10m", "memory": "8Mi"},
+                limits={"cpu": "100m", "memory": "32Mi"},
+            )
+
             for i, image_ref in enumerate(sorted(all_images)):
                 sanitized_image_ref = image_ref.split("/")[-1].replace(":", "-").replace(".", "-").replace("_", "-")
                 self.logger.info(f"DAEMONSET: before: {image_ref} -> {sanitized_image_ref}")
@@ -361,6 +366,7 @@ async def ensure_image_pre_puller_daemonset(self) -> None:
                     command=["/bin/sh", "-c", f'echo "Image {image_ref} pulled."'],
                     image_pull_policy="Always",
                     security_context=psa_security_context,
+                    resources=minimal_resources,
                 ))
 
             daemonset = k8s_client.V1DaemonSet(
@@ -376,6 +382,7 @@ async def ensure_image_pre_puller_daemonset(self) -> None:
                             containers=[k8s_client.V1Container(
                                 name="pause", image="registry.k8s.io/pause:3.9",
                                 security_context=psa_security_context,
+                                resources=minimal_resources,
                             )],
                             tolerations=[k8s_client.V1Toleration(operator="Exists")],
                             security_context=k8s_client.V1PodSecurityContext(

From 76b9efee32542beb177fe3d1d2d033a33c9a66d1 Mon Sep 17 00:00:00 2001
From: HardMax71 <maxymazatyan@gmail.com>
Date: Tue, 3 Mar 2026 01:20:45 +0100
Subject: [PATCH 09/13] fix: remove backend-wide k8s_max_concurrent_pods,
 replaced with dedicated limits for system-wide k8s quota on cpu and memory

---
 backend/app/services/k8s_worker/worker.py     | 84 +++++++++----------
 backend/app/services/runtime_settings.py      |  1 -
 backend/app/settings.py                       |  7 +-
 .../tests/e2e/test_admin_settings_routes.py   |  1 -
 .../unit/services/test_runtime_settings.py    |  3 +-
 docs/security/policies.md                     | 18 ++--
 6 files changed, 54 insertions(+), 60 deletions(-)

diff --git a/backend/app/services/k8s_worker/worker.py b/backend/app/services/k8s_worker/worker.py
index 3505f2d7..67a699c0 100644
--- a/backend/app/services/k8s_worker/worker.py
+++ b/backend/app/services/k8s_worker/worker.py
@@ -63,7 +63,6 @@ def __init__(
 
         # State tracking
         self._active_creations: set[str] = set()
-        self._creation_semaphore = asyncio.Semaphore(self._settings.K8S_MAX_CONCURRENT_PODS)
 
         self.logger.info(f"KubernetesWorker initialized for namespace {self._settings.K8S_NAMESPACE}")
 
@@ -104,52 +103,51 @@ async def handle_delete_pod_command(self, command: DeletePodCommandEvent) -> Non
 
     async def _create_pod_for_execution(self, command: CreatePodCommandEvent) -> None:
         """Create pod for execution"""
-        async with self._creation_semaphore:
-            execution_id = command.execution_id
-            self._active_creations.add(execution_id)
-            self.metrics.update_active_pod_creations(len(self._active_creations))
+        execution_id = command.execution_id
+        self._active_creations.add(execution_id)
+        self.metrics.update_active_pod_creations(len(self._active_creations))
 
-            start_time = time.time()
+        start_time = time.time()
 
-            try:
-                script_content = command.script
-                entrypoint_content = await self._get_entrypoint_script()
+        try:
+            script_content = command.script
+            entrypoint_content = await self._get_entrypoint_script()
 
-                # Create ConfigMap
-                config_map = self.pod_builder.build_config_map(
-                    command=command, script_content=script_content, entrypoint_content=entrypoint_content
-                )
+            # Create ConfigMap
+            config_map = self.pod_builder.build_config_map(
+                command=command, script_content=script_content, entrypoint_content=entrypoint_content
+            )
 
-                await self._create_config_map(config_map)
+            await self._create_config_map(config_map)
 
-                pod = self.pod_builder.build_pod_manifest(command=command)
-                created_pod = await self._create_pod(pod)
+            pod = self.pod_builder.build_pod_manifest(command=command)
+            created_pod = await self._create_pod(pod)
 
-                # Set ownerReference so K8s garbage-collects the ConfigMap when the pod is deleted
-                if created_pod and created_pod.metadata and created_pod.metadata.uid:
-                    await self._set_configmap_owner(config_map, created_pod)
+            # Set ownerReference so K8s garbage-collects the ConfigMap when the pod is deleted
+            if created_pod and created_pod.metadata and created_pod.metadata.uid:
+                await self._set_configmap_owner(config_map, created_pod)
 
-                # Publish PodCreated event
-                await self._publish_pod_created(command, pod)
+            # Publish PodCreated event
+            await self._publish_pod_created(command, pod)
 
-                # Update metrics
-                duration = time.time() - start_time
-                self.metrics.record_k8s_pod_creation_duration(duration, command.language)
-                self.metrics.record_k8s_pod_created("success", command.language)
+            # Update metrics
+            duration = time.time() - start_time
+            self.metrics.record_k8s_pod_creation_duration(duration, command.language)
+            self.metrics.record_k8s_pod_created("success", command.language)
 
-                self.logger.info(
-                    f"Successfully created pod {pod.metadata.name} for execution {execution_id}. "
-                    f"Duration: {duration:.2f}s"
-                )
+            self.logger.info(
+                f"Successfully created pod {pod.metadata.name} for execution {execution_id}. "
+                f"Duration: {duration:.2f}s"
+            )
 
-            except Exception as e:
-                self.logger.error(f"Failed to create pod for execution {execution_id}: {e}", exc_info=True)
-                self.metrics.record_k8s_pod_created("failed", "unknown")
-                await self._publish_pod_creation_failed(command, str(e))
+        except Exception as e:
+            self.logger.error(f"Failed to create pod for execution {execution_id}: {e}", exc_info=True)
+            self.metrics.record_k8s_pod_created("failed", "unknown")
+            await self._publish_pod_creation_failed(command, str(e))
 
-            finally:
-                self._active_creations.discard(execution_id)
-                self.metrics.update_active_pod_creations(len(self._active_creations))
+        finally:
+            self._active_creations.discard(execution_id)
+            self.metrics.update_active_pod_creations(len(self._active_creations))
 
     async def _get_entrypoint_script(self) -> str:
         """Get entrypoint script content"""
@@ -257,7 +255,7 @@ async def ensure_namespace_security(self) -> None:
 
         Creates:
         - Default-deny NetworkPolicy for executor pods (blocks lateral movement and exfiltration)
-        - ResourceQuota to cap aggregate pod/resource consumption
+        - ResourceQuota to cap aggregate CPU/memory consumption (no pod count limit)
         - Pod Security Admission labels (Restricted profile)
         """
         namespace = self._settings.K8S_NAMESPACE
@@ -293,9 +291,8 @@ async def _ensure_executor_network_policy(self, namespace: str) -> None:
         self.logger.info(f"NetworkPolicy '{policy_name}' applied in namespace {namespace}")
 
     async def _ensure_executor_resource_quota(self, namespace: str) -> None:
-        """Create or update ResourceQuota to cap aggregate executor pod consumption."""
+        """Create or update ResourceQuota to cap aggregate CPU/memory in the executor namespace."""
         quota_name = "executor-quota"
-        n = self._settings.K8S_MAX_CONCURRENT_PODS
 
         quota = k8s_client.V1ResourceQuota(
             api_version="v1",
@@ -307,11 +304,10 @@ async def _ensure_executor_resource_quota(self, namespace: str) -> None:
             ),
             spec=k8s_client.V1ResourceQuotaSpec(
                 hard={
-                    "pods": str(n),
-                    "requests.cpu": f"{int(self._settings.K8S_POD_CPU_REQUEST.removesuffix('m')) * n}m",
-                    "requests.memory": f"{int(self._settings.K8S_POD_MEMORY_REQUEST.removesuffix('Mi')) * n}Mi",
-                    "limits.cpu": f"{int(self._settings.K8S_POD_CPU_LIMIT.removesuffix('m')) * n}m",
-                    "limits.memory": f"{int(self._settings.K8S_POD_MEMORY_LIMIT.removesuffix('Mi')) * n}Mi",
+                    "requests.cpu": self._settings.K8S_QUOTA_CPU,
+                    "requests.memory": self._settings.K8S_QUOTA_MEMORY,
+                    "limits.cpu": self._settings.K8S_QUOTA_CPU,
+                    "limits.memory": self._settings.K8S_QUOTA_MEMORY,
                 },
             ),
         )
diff --git a/backend/app/services/runtime_settings.py b/backend/app/services/runtime_settings.py
index eb342389..7d577b5d 100644
--- a/backend/app/services/runtime_settings.py
+++ b/backend/app/services/runtime_settings.py
@@ -51,6 +51,5 @@ def _build_toml_defaults(self) -> SystemSettings:
             max_timeout_seconds=s.K8S_POD_EXECUTION_TIMEOUT,
             memory_limit=s.K8S_POD_MEMORY_LIMIT,
             cpu_limit=s.K8S_POD_CPU_LIMIT,
-            max_concurrent_executions=s.K8S_MAX_CONCURRENT_PODS,
             session_timeout_minutes=s.ACCESS_TOKEN_EXPIRE_MINUTES,
         )
diff --git a/backend/app/settings.py b/backend/app/settings.py
index 35e9c1f8..077972a3 100644
--- a/backend/app/settings.py
+++ b/backend/app/settings.py
@@ -68,9 +68,6 @@ def __init__(
     # Kubernetes namespace for execution pods
     K8S_NAMESPACE: str = "integr8scode"
 
-    # Maximum concurrent pod creations allowed by k8s worker
-    K8S_MAX_CONCURRENT_PODS: int = 10
-
     # Settings for Kubernetes resource limits and requests
     K8S_POD_CPU_LIMIT: str = "1000m"
     K8S_POD_MEMORY_LIMIT: str = "128Mi"
@@ -80,6 +77,10 @@ def __init__(
     K8S_POD_PRIORITY_CLASS_NAME: str | None = None
     K8S_POD_RUNTIME_CLASS_NAME: str | None = None  # e.g. "gvisor" for sandboxed execution
 
+    # Namespace-level ResourceQuota caps (total budget, not per-pod)
+    K8S_QUOTA_CPU: str = "10000m"
+    K8S_QUOTA_MEMORY: str = "1280Mi"
+
     SUPPORTED_RUNTIMES: dict[str, LanguageInfoDomain] = Field(default_factory=lambda: RUNTIME_MATRIX)
 
     EXAMPLE_SCRIPTS: dict[str, str] = Field(default_factory=lambda: EXEC_EXAMPLE_SCRIPTS)
diff --git a/backend/tests/e2e/test_admin_settings_routes.py b/backend/tests/e2e/test_admin_settings_routes.py
index b5d19295..f4114bdb 100644
--- a/backend/tests/e2e/test_admin_settings_routes.py
+++ b/backend/tests/e2e/test_admin_settings_routes.py
@@ -172,7 +172,6 @@ async def test_reset_system_settings(
             max_timeout_seconds=test_settings.K8S_POD_EXECUTION_TIMEOUT,
             memory_limit=test_settings.K8S_POD_MEMORY_LIMIT,
             cpu_limit=test_settings.K8S_POD_CPU_LIMIT,
-            max_concurrent_executions=test_settings.K8S_MAX_CONCURRENT_PODS,
             session_timeout_minutes=test_settings.ACCESS_TOKEN_EXPIRE_MINUTES,
         )
         assert settings == expected
diff --git a/backend/tests/unit/services/test_runtime_settings.py b/backend/tests/unit/services/test_runtime_settings.py
index 62b3bcb6..fcf78b5d 100644
--- a/backend/tests/unit/services/test_runtime_settings.py
+++ b/backend/tests/unit/services/test_runtime_settings.py
@@ -19,7 +19,6 @@ def _make_settings() -> Settings:
         "K8S_POD_EXECUTION_TIMEOUT": 30,
         "K8S_POD_MEMORY_LIMIT": "128Mi",
         "K8S_POD_CPU_LIMIT": "1000m",
-        "K8S_MAX_CONCURRENT_PODS": 5,
         "ACCESS_TOKEN_EXPIRE_MINUTES": 60,
     })
 
@@ -58,7 +57,7 @@ async def test_passes_toml_defaults_to_repo() -> None:
     assert defaults.max_timeout_seconds == 30
     assert defaults.memory_limit == "128Mi"
     assert defaults.cpu_limit == "1000m"
-    assert defaults.max_concurrent_executions == 5
+    assert defaults.max_concurrent_executions == 10
     assert defaults.session_timeout_minutes == 60
 
 
diff --git a/docs/security/policies.md b/docs/security/policies.md
index 7850213d..27df494c 100644
--- a/docs/security/policies.md
+++ b/docs/security/policies.md
@@ -62,17 +62,17 @@ This policy matches pods with the `component: executor` label, which the pod bui
 
 ### Resource Quota
 
-A ResourceQuota caps aggregate resource consumption in the executor namespace:
+A ResourceQuota caps aggregate CPU and memory in the executor namespace. If the execution queue allows more pods than
+the namespace has resources for, Kubernetes keeps excess pods in Pending state rather than failing.
 
-| Resource          | Limit                             | Derivation                       |
-|-------------------|-----------------------------------|----------------------------------|
-| `pods`            | `K8S_MAX_CONCURRENT_PODS`         | Maximum concurrent executor pods |
-| `requests.cpu`    | `K8S_MAX_CONCURRENT_PODS` cores   | 1 core per pod                   |
-| `requests.memory` | `K8S_MAX_CONCURRENT_PODS × 128Mi` | 128Mi per pod                    |
-| `limits.cpu`      | Same as requests                  | Prevents burst beyond quota      |
-| `limits.memory`   | Same as requests                  | Prevents OOM beyond quota        |
+| Resource          | Limit              | Source setting     |
+|-------------------|--------------------|--------------------|
+| `requests.cpu`    | `K8S_QUOTA_CPU`    | Namespace CPU cap  |
+| `requests.memory` | `K8S_QUOTA_MEMORY` | Namespace memory cap |
+| `limits.cpu`      | `K8S_QUOTA_CPU`    | Same as requests   |
+| `limits.memory`   | `K8S_QUOTA_MEMORY` | Same as requests   |
 
-This prevents a burst of executions from starving other workloads in the cluster.
+No `pods` count in the quota — concurrency is controlled by the execution queue (`max_concurrent_executions`).
 
 ### Pod Security Admission (PSA)
 

From 922715097ef5c4245c095b9e4bce3b6cf392a7bc Mon Sep 17 00:00:00 2001
From: HardMax71 <maxymazatyan@gmail.com>
Date: Tue, 3 Mar 2026 09:25:34 +0100
Subject: [PATCH 10/13] fix: higher limits

---
 backend/app/settings.py  | 4 ++--
 backend/config.test.toml | 2 ++
 backend/config.toml      | 2 ++
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/backend/app/settings.py b/backend/app/settings.py
index 077972a3..c39cf019 100644
--- a/backend/app/settings.py
+++ b/backend/app/settings.py
@@ -78,8 +78,8 @@ def __init__(
     K8S_POD_RUNTIME_CLASS_NAME: str | None = None  # e.g. "gvisor" for sandboxed execution
 
     # Namespace-level ResourceQuota caps (total budget, not per-pod)
-    K8S_QUOTA_CPU: str = "10000m"
-    K8S_QUOTA_MEMORY: str = "1280Mi"
+    K8S_QUOTA_CPU: str = "32000m"
+    K8S_QUOTA_MEMORY: str = "4096Mi"
 
     SUPPORTED_RUNTIMES: dict[str, LanguageInfoDomain] = Field(default_factory=lambda: RUNTIME_MATRIX)
 
diff --git a/backend/config.test.toml b/backend/config.test.toml
index 4aa46cdd..f052fe14 100644
--- a/backend/config.test.toml
+++ b/backend/config.test.toml
@@ -16,6 +16,8 @@ K8S_POD_CPU_REQUEST = "200m"
 K8S_POD_MEMORY_REQUEST = "128Mi"
 K8S_POD_EXECUTION_TIMEOUT = 5
 K8S_NAMESPACE = "integr8scode"
+K8S_QUOTA_CPU = "32000m"
+K8S_QUOTA_MEMORY = "4096Mi"
 
 RATE_LIMITS = "99999/second"
 RATE_LIMIT_ENABLED = false
diff --git a/backend/config.toml b/backend/config.toml
index 37416975..e5d63b7a 100644
--- a/backend/config.toml
+++ b/backend/config.toml
@@ -21,6 +21,8 @@ K8S_POD_CPU_REQUEST = "200m"
 K8S_POD_MEMORY_REQUEST = "128Mi"
 K8S_POD_EXECUTION_TIMEOUT = 5
 K8S_NAMESPACE = "integr8scode"
+K8S_QUOTA_CPU = "32000m"
+K8S_QUOTA_MEMORY = "4096Mi"
 
 RATE_LIMITS = "100/minute"
 

From 6c3db529ec661c5b568e68eb4ed71b593ef5c2f1 Mon Sep 17 00:00:00 2001
From: HardMax71 <maxymazatyan@gmail.com>
Date: Tue, 3 Mar 2026 09:51:16 +0100
Subject: [PATCH 11/13] fix: replaced hard enforced local limits with kueue

---
 .github/actions/e2e-ready/action.yml          | 38 ++++++++++++++++
 .github/workflows/stack-tests.yml             |  1 +
 .../app/services/k8s_worker/pod_builder.py    |  1 +
 backend/app/services/k8s_worker/worker.py     | 31 -------------
 backend/app/settings.py                       |  4 --
 backend/config.test.toml                      |  2 -
 backend/config.toml                           |  2 -
 cert-generator/setup-k8s.sh                   | 44 ++++++++++++++++---
 docs/security/policies.md                     | 28 +++++++-----
 9 files changed, 97 insertions(+), 54 deletions(-)

diff --git a/.github/actions/e2e-ready/action.yml b/.github/actions/e2e-ready/action.yml
index 502e561c..8f91f4b9 100644
--- a/.github/actions/e2e-ready/action.yml
+++ b/.github/actions/e2e-ready/action.yml
@@ -26,6 +26,44 @@ runs:
           /home/runner/.kube/config > backend/kubeconfig.yaml
         chmod 644 backend/kubeconfig.yaml
 
+    - name: Install Kueue
+      shell: bash
+      run: |
+        KUEUE_VERSION="${KUEUE_VERSION:-v0.16.1}"
+        kubectl apply --server-side -f "https://github.com/kubernetes-sigs/kueue/releases/download/${KUEUE_VERSION}/manifests.yaml"
+        kubectl wait --for=condition=Available --timeout=120s \
+          deployment/kueue-controller-manager -n kueue-system
+        kubectl apply --server-side -f - <<'EOF'
+        apiVersion: kueue.x-k8s.io/v1beta1
+        kind: ResourceFlavor
+        metadata:
+          name: default-flavor
+        ---
+        apiVersion: kueue.x-k8s.io/v1beta1
+        kind: ClusterQueue
+        metadata:
+          name: executor-queue
+        spec:
+          namespaceSelector: {}
+          resourceGroups:
+          - coveredResources: ["cpu", "memory"]
+            flavors:
+            - name: default-flavor
+              resources:
+              - name: cpu
+                nominalQuota: "32"
+              - name: memory
+                nominalQuota: "4Gi"
+        ---
+        apiVersion: kueue.x-k8s.io/v1beta1
+        kind: LocalQueue
+        metadata:
+          name: executor-queue
+          namespace: integr8scode
+        spec:
+          clusterQueue: executor-queue
+        EOF
+
     - name: Use test environment config
       shell: bash
       run: |
diff --git a/.github/workflows/stack-tests.yml b/.github/workflows/stack-tests.yml
index e2e2c713..5c3011eb 100644
--- a/.github/workflows/stack-tests.yml
+++ b/.github/workflows/stack-tests.yml
@@ -31,6 +31,7 @@ env:
   KAFKA_IMAGE: confluentinc/cp-kafka:7.8.2
   K3S_VERSION: v1.32.11+k3s1
   K3S_INSTALL_SHA256: d75e014f2d2ab5d30a318efa5c326f3b0b7596f194afcff90fa7a7a91166d5f7
+  KUEUE_VERSION: v0.16.1
 
 jobs:
   # Fast unit tests (no infrastructure needed)
diff --git a/backend/app/services/k8s_worker/pod_builder.py b/backend/app/services/k8s_worker/pod_builder.py
index 65e4af2d..5c0ee4ea 100644
--- a/backend/app/services/k8s_worker/pod_builder.py
+++ b/backend/app/services/k8s_worker/pod_builder.py
@@ -157,6 +157,7 @@ def _build_pod_metadata(
     ) -> k8s_client.V1ObjectMeta:
         """Build pod metadata with saga tracking"""
         labels = {"app": "integr8s", "component": "executor", "execution-id": execution_id, "language": language}
+        labels["kueue.x-k8s.io/queue-name"] = "executor-queue"
 
         labels["user-id"] = user_id[:63]  # K8s label value limit
 
diff --git a/backend/app/services/k8s_worker/worker.py b/backend/app/services/k8s_worker/worker.py
index 67a699c0..8b56ab56 100644
--- a/backend/app/services/k8s_worker/worker.py
+++ b/backend/app/services/k8s_worker/worker.py
@@ -255,12 +255,10 @@ async def ensure_namespace_security(self) -> None:
 
         Creates:
         - Default-deny NetworkPolicy for executor pods (blocks lateral movement and exfiltration)
-        - ResourceQuota to cap aggregate CPU/memory consumption (no pod count limit)
         - Pod Security Admission labels (Restricted profile)
         """
         namespace = self._settings.K8S_NAMESPACE
         await self._ensure_executor_network_policy(namespace)
-        await self._ensure_executor_resource_quota(namespace)
         await self._apply_psa_labels(namespace)
 
     async def _ensure_executor_network_policy(self, namespace: str) -> None:
@@ -290,35 +288,6 @@ async def _ensure_executor_network_policy(self, namespace: str) -> None:
         )
         self.logger.info(f"NetworkPolicy '{policy_name}' applied in namespace {namespace}")
 
-    async def _ensure_executor_resource_quota(self, namespace: str) -> None:
-        """Create or update ResourceQuota to cap aggregate CPU/memory in the executor namespace."""
-        quota_name = "executor-quota"
-
-        quota = k8s_client.V1ResourceQuota(
-            api_version="v1",
-            kind="ResourceQuota",
-            metadata=k8s_client.V1ObjectMeta(
-                name=quota_name,
-                namespace=namespace,
-                labels={"app": "integr8s", "component": "security"},
-            ),
-            spec=k8s_client.V1ResourceQuotaSpec(
-                hard={
-                    "requests.cpu": self._settings.K8S_QUOTA_CPU,
-                    "requests.memory": self._settings.K8S_QUOTA_MEMORY,
-                    "limits.cpu": self._settings.K8S_QUOTA_CPU,
-                    "limits.memory": self._settings.K8S_QUOTA_MEMORY,
-                },
-            ),
-        )
-
-        await self.v1.patch_namespaced_resource_quota(  # type: ignore[call-arg]
-            name=quota_name, namespace=namespace, body=quota,
-            field_manager="integr8s", force=True,
-            _content_type="application/apply-patch+yaml",
-        )
-        self.logger.info(f"ResourceQuota '{quota_name}' applied in namespace {namespace}")
-
     async def _apply_psa_labels(self, namespace: str) -> None:
         """Apply Pod Security Admission labels to the executor namespace."""
         psa_labels = {
diff --git a/backend/app/settings.py b/backend/app/settings.py
index c39cf019..abdc1846 100644
--- a/backend/app/settings.py
+++ b/backend/app/settings.py
@@ -77,10 +77,6 @@ def __init__(
     K8S_POD_PRIORITY_CLASS_NAME: str | None = None
     K8S_POD_RUNTIME_CLASS_NAME: str | None = None  # e.g. "gvisor" for sandboxed execution
 
-    # Namespace-level ResourceQuota caps (total budget, not per-pod)
-    K8S_QUOTA_CPU: str = "32000m"
-    K8S_QUOTA_MEMORY: str = "4096Mi"
-
     SUPPORTED_RUNTIMES: dict[str, LanguageInfoDomain] = Field(default_factory=lambda: RUNTIME_MATRIX)
 
     EXAMPLE_SCRIPTS: dict[str, str] = Field(default_factory=lambda: EXEC_EXAMPLE_SCRIPTS)
diff --git a/backend/config.test.toml b/backend/config.test.toml
index f052fe14..4aa46cdd 100644
--- a/backend/config.test.toml
+++ b/backend/config.test.toml
@@ -16,8 +16,6 @@ K8S_POD_CPU_REQUEST = "200m"
 K8S_POD_MEMORY_REQUEST = "128Mi"
 K8S_POD_EXECUTION_TIMEOUT = 5
 K8S_NAMESPACE = "integr8scode"
-K8S_QUOTA_CPU = "32000m"
-K8S_QUOTA_MEMORY = "4096Mi"
 
 RATE_LIMITS = "99999/second"
 RATE_LIMIT_ENABLED = false
diff --git a/backend/config.toml b/backend/config.toml
index e5d63b7a..37416975 100644
--- a/backend/config.toml
+++ b/backend/config.toml
@@ -21,8 +21,6 @@ K8S_POD_CPU_REQUEST = "200m"
 K8S_POD_MEMORY_REQUEST = "128Mi"
 K8S_POD_EXECUTION_TIMEOUT = 5
 K8S_NAMESPACE = "integr8scode"
-K8S_QUOTA_CPU = "32000m"
-K8S_QUOTA_MEMORY = "4096Mi"
 
 RATE_LIMITS = "100/minute"
 
diff --git a/cert-generator/setup-k8s.sh b/cert-generator/setup-k8s.sh
index 9e906dd6..00dbb632 100644
--- a/cert-generator/setup-k8s.sh
+++ b/cert-generator/setup-k8s.sh
@@ -89,8 +89,45 @@ echo "Connected to Kubernetes"
 # Create namespace
 kubectl create namespace integr8scode --dry-run=client -o yaml | kubectl apply -f -
 
-# Clean up stale executor pods from previous runs so they don't consume ResourceQuota
-kubectl delete pods -n integr8scode -l component=executor --field-selector=status.phase!=Running --ignore-not-found 2>/dev/null || true
+# Install Kueue (scheduling-gate based quota management)
+KUEUE_VERSION="${KUEUE_VERSION:-v0.16.1}"
+echo "Installing Kueue ${KUEUE_VERSION}..."
+kubectl apply --server-side -f "https://github.com/kubernetes-sigs/kueue/releases/download/${KUEUE_VERSION}/manifests.yaml"
+kubectl wait --for=condition=Available --timeout=120s \
+  deployment/kueue-controller-manager -n kueue-system
+
+# Kueue resources: ResourceFlavor + ClusterQueue + LocalQueue
+kubectl apply --server-side -f - <<'KUEUE_EOF'
+apiVersion: kueue.x-k8s.io/v1beta1
+kind: ResourceFlavor
+metadata:
+  name: default-flavor
+---
+apiVersion: kueue.x-k8s.io/v1beta1
+kind: ClusterQueue
+metadata:
+  name: executor-queue
+spec:
+  namespaceSelector: {}
+  resourceGroups:
+  - coveredResources: ["cpu", "memory"]
+    flavors:
+    - name: default-flavor
+      resources:
+      - name: cpu
+        nominalQuota: "32"
+      - name: memory
+        nominalQuota: "4Gi"
+---
+apiVersion: kueue.x-k8s.io/v1beta1
+kind: LocalQueue
+metadata:
+  name: executor-queue
+  namespace: integr8scode
+spec:
+  clusterQueue: executor-queue
+KUEUE_EOF
+echo "Kueue installed and configured"
 
 # Create ServiceAccount
 kubectl apply -f - <<EOF
@@ -146,9 +183,6 @@ rules:
 - apiGroups: ["networking.k8s.io"]
   resources: ["networkpolicies"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-- apiGroups: [""]
-  resources: ["resourcequotas"]
-  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 EOF
 
 # Create RoleBinding
diff --git a/docs/security/policies.md b/docs/security/policies.md
index 27df494c..1262a9e9 100644
--- a/docs/security/policies.md
+++ b/docs/security/policies.md
@@ -60,19 +60,27 @@ spec:
 
 This policy matches pods with the `component: executor` label, which the pod builder applies to all executor pods.
 
-### Resource Quota
+### Kueue (Resource Quota with Queuing)
 
-A ResourceQuota caps aggregate CPU and memory in the executor namespace. If the execution queue allows more pods than
-the namespace has resources for, Kubernetes keeps excess pods in Pending state rather than failing.
+[Kueue](https://kueue.sigs.k8s.io/) manages CPU/memory quota for executor pods. Unlike ResourceQuota (which rejects pod
+creation with 403 Forbidden when quota is full), Kueue adds a **scheduling gate** to pods — they exist in the API server
+but the scheduler ignores them (status: `SchedulingGated`). When quota frees up, the gate is removed and the pod is
+scheduled normally.
 
-| Resource          | Limit              | Source setting     |
-|-------------------|--------------------|--------------------|
-| `requests.cpu`    | `K8S_QUOTA_CPU`    | Namespace CPU cap  |
-| `requests.memory` | `K8S_QUOTA_MEMORY` | Namespace memory cap |
-| `limits.cpu`      | `K8S_QUOTA_CPU`    | Same as requests   |
-| `limits.memory`   | `K8S_QUOTA_MEMORY` | Same as requests   |
+Kueue resources (created by `setup-k8s.sh`):
 
-No `pods` count in the quota — concurrency is controlled by the execution queue (`max_concurrent_executions`).
+| Resource        | Name             | Purpose                                                      |
+|-----------------|------------------|--------------------------------------------------------------|
+| ResourceFlavor  | `default-flavor` | Represents the cluster's default resource pool               |
+| ClusterQueue    | `executor-queue` | Defines CPU/memory quota (32 CPU, 4Gi memory)               |
+| LocalQueue      | `executor-queue` | Namespace-scoped queue in `integr8scode`, bound to ClusterQueue |
+
+Executor pods carry the label `kueue.x-k8s.io/queue-name: executor-queue` (set by the pod builder). Kueue only manages
+pods with this label — DaemonSet pods (e.g., the image pre-puller) are invisible to Kueue.
+
+Key behavior:
+- `active_deadline_seconds` only counts from when the pod is scheduled, so gated time does not consume execution timeout
+- Concurrency is still controlled by the execution queue; Kueue acts as a safety net for aggregate resource consumption
 
 ### Pod Security Admission (PSA)
 

From 4b45347da453439c843d16b38d8dcabd90936645 Mon Sep 17 00:00:00 2001
From: HardMax71 <maxymazatyan@gmail.com>
Date: Tue, 3 Mar 2026 12:41:05 +0100
Subject: [PATCH 12/13] fix: detected issues

---
 .github/actions/e2e-ready/action.yml           |  7 ++++++-
 .github/workflows/stack-tests.yml              |  1 +
 backend/app/services/pod_monitor/monitor.py    | 18 ++++++------------
 .../unit/services/pod_monitor/test_monitor.py  |  5 +++--
 cert-generator/setup-k8s.sh                    |  7 ++++++-
 5 files changed, 22 insertions(+), 16 deletions(-)

diff --git a/.github/actions/e2e-ready/action.yml b/.github/actions/e2e-ready/action.yml
index 8f91f4b9..3c75f388 100644
--- a/.github/actions/e2e-ready/action.yml
+++ b/.github/actions/e2e-ready/action.yml
@@ -30,7 +30,12 @@ runs:
       shell: bash
       run: |
         KUEUE_VERSION="${KUEUE_VERSION:-v0.16.1}"
-        kubectl apply --server-side -f "https://github.com/kubernetes-sigs/kueue/releases/download/${KUEUE_VERSION}/manifests.yaml"
+        KUEUE_MANIFEST_SHA256="${KUEUE_MANIFEST_SHA256:-3201a66ff731be440ecfcf3c0fa5979d001b834f68389208fe7ee18017fbcfe8}"
+        KUEUE_MANIFEST="/tmp/kueue-manifests.yaml"
+        curl -fsSL -o "$KUEUE_MANIFEST" "https://github.com/kubernetes-sigs/kueue/releases/download/${KUEUE_VERSION}/manifests.yaml"
+        echo "${KUEUE_MANIFEST_SHA256}  ${KUEUE_MANIFEST}" | sha256sum -c -
+        kubectl apply --server-side -f "$KUEUE_MANIFEST"
+        rm -f "$KUEUE_MANIFEST"
         kubectl wait --for=condition=Available --timeout=120s \
           deployment/kueue-controller-manager -n kueue-system
         kubectl apply --server-side -f - <<'EOF'
diff --git a/.github/workflows/stack-tests.yml b/.github/workflows/stack-tests.yml
index 5c3011eb..d023820b 100644
--- a/.github/workflows/stack-tests.yml
+++ b/.github/workflows/stack-tests.yml
@@ -32,6 +32,7 @@ env:
   K3S_VERSION: v1.32.11+k3s1
   K3S_INSTALL_SHA256: d75e014f2d2ab5d30a318efa5c326f3b0b7596f194afcff90fa7a7a91166d5f7
   KUEUE_VERSION: v0.16.1
+  KUEUE_MANIFEST_SHA256: 3201a66ff731be440ecfcf3c0fa5979d001b834f68389208fe7ee18017fbcfe8
 
 jobs:
   # Fast unit tests (no infrastructure needed)
diff --git a/backend/app/services/pod_monitor/monitor.py b/backend/app/services/pod_monitor/monitor.py
index 06dd4a65..93881d7b 100644
--- a/backend/app/services/pod_monitor/monitor.py
+++ b/backend/app/services/pod_monitor/monitor.py
@@ -183,11 +183,9 @@ async def _process_pod_event(self, event: PodEvent) -> None:
             # Map to application events
             app_events = await self._event_mapper.map_pod_event(event.pod, event.event_type)
 
-            # Publish events
             for app_event in app_events:
                 await self._publish_event(app_event, event.pod)
 
-            # Delete pod once all data has been extracted and terminal events published
             if any(e.event_type in _TERMINAL_EVENT_TYPES for e in app_events):
                 await self._delete_pod(event.pod)
 
@@ -207,22 +205,18 @@ async def _process_pod_event(self, event: PodEvent) -> None:
 
     async def _publish_event(self, event: DomainEvent, pod: k8s_client.V1Pod) -> None:
         """Publish event to Kafka and store in events collection."""
-        try:
-            execution_id = getattr(event, "execution_id", None) or event.aggregate_id
-            key = str(execution_id or (pod.metadata.name if pod.metadata else "unknown"))
-
-            await self._kafka_event_service.publish_event(event=event, key=key)
+        execution_id = getattr(event, "execution_id", None) or event.aggregate_id
+        key = str(execution_id or (pod.metadata.name if pod.metadata else "unknown"))
 
-            phase = pod.status.phase if pod.status else "Unknown"
-            self._metrics.record_pod_monitor_event_published(event.event_type, phase)
+        await self._kafka_event_service.publish_event(event=event, key=key)
 
-        except Exception as e:
-            self.logger.error(f"Error publishing event: {e}", exc_info=True)
+        phase = pod.status.phase if pod.status else "Unknown"
+        self._metrics.record_pod_monitor_event_published(event.event_type, phase)
 
     async def _delete_pod(self, pod: k8s_client.V1Pod) -> None:
         """Delete a pod after its data has been fully extracted.
 
-        Frees the ResourceQuota slot so new executor pods can be scheduled.
+        Frees the Kueue quota slot so gated executor pods can be admitted.
         The ConfigMap is garbage-collected automatically via ownerReference.
         """
         pod_name = pod.metadata.name
diff --git a/backend/tests/unit/services/pod_monitor/test_monitor.py b/backend/tests/unit/services/pod_monitor/test_monitor.py
index 06d950a3..583fb8a5 100644
--- a/backend/tests/unit/services/pod_monitor/test_monitor.py
+++ b/backend/tests/unit/services/pod_monitor/test_monitor.py
@@ -403,5 +403,6 @@ async def produce(
     pod = make_pod(name="no-meta-pod", phase="Pending")
     pod.metadata = None  # type: ignore[assignment]
 
-    # Should not raise - errors are caught and logged
-    await pm._publish_event(event, pod)
+    # Exception propagates — _process_pod_event's broad except handles it
+    with pytest.raises(RuntimeError, match="Publish failed"):
+        await pm._publish_event(event, pod)
diff --git a/cert-generator/setup-k8s.sh b/cert-generator/setup-k8s.sh
index 00dbb632..c14915ee 100644
--- a/cert-generator/setup-k8s.sh
+++ b/cert-generator/setup-k8s.sh
@@ -91,8 +91,13 @@ kubectl create namespace integr8scode --dry-run=client -o yaml | kubectl apply -
 
 # Install Kueue (scheduling-gate based quota management)
 KUEUE_VERSION="${KUEUE_VERSION:-v0.16.1}"
+KUEUE_MANIFEST_SHA256="${KUEUE_MANIFEST_SHA256:-3201a66ff731be440ecfcf3c0fa5979d001b834f68389208fe7ee18017fbcfe8}"
 echo "Installing Kueue ${KUEUE_VERSION}..."
-kubectl apply --server-side -f "https://github.com/kubernetes-sigs/kueue/releases/download/${KUEUE_VERSION}/manifests.yaml"
+KUEUE_MANIFEST="/tmp/kueue-manifests.yaml"
+curl -fsSL -o "$KUEUE_MANIFEST" "https://github.com/kubernetes-sigs/kueue/releases/download/${KUEUE_VERSION}/manifests.yaml"
+echo "${KUEUE_MANIFEST_SHA256}  ${KUEUE_MANIFEST}" | sha256sum -c -
+kubectl apply --server-side -f "$KUEUE_MANIFEST"
+rm -f "$KUEUE_MANIFEST"
 kubectl wait --for=condition=Available --timeout=120s \
   deployment/kueue-controller-manager -n kueue-system
 

From 43da70d4778dc59cc57c27ade0778dc7f251d4e4 Mon Sep 17 00:00:00 2001
From: HardMax71 <maxymazatyan@gmail.com>
Date: Tue, 3 Mar 2026 12:57:46 +0100
Subject: [PATCH 13/13] fix: detected issues

---
 cert-generator/setup-k8s.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cert-generator/setup-k8s.sh b/cert-generator/setup-k8s.sh
index c14915ee..19dbe9fd 100644
--- a/cert-generator/setup-k8s.sh
+++ b/cert-generator/setup-k8s.sh
@@ -93,7 +93,7 @@ kubectl create namespace integr8scode --dry-run=client -o yaml | kubectl apply -
 KUEUE_VERSION="${KUEUE_VERSION:-v0.16.1}"
 KUEUE_MANIFEST_SHA256="${KUEUE_MANIFEST_SHA256:-3201a66ff731be440ecfcf3c0fa5979d001b834f68389208fe7ee18017fbcfe8}"
 echo "Installing Kueue ${KUEUE_VERSION}..."
-KUEUE_MANIFEST="/tmp/kueue-manifests.yaml"
+KUEUE_MANIFEST="$(mktemp /tmp/kueue-manifests.XXXXXXXXXX)"
 curl -fsSL -o "$KUEUE_MANIFEST" "https://github.com/kubernetes-sigs/kueue/releases/download/${KUEUE_VERSION}/manifests.yaml"
 echo "${KUEUE_MANIFEST_SHA256}  ${KUEUE_MANIFEST}" | sha256sum -c -
 kubectl apply --server-side -f "$KUEUE_MANIFEST"