Work in the `platform` repo and continue from the current remediation state.

Use Gitea issues as the source of truth:
- `#1` umbrella
- `#5` Gateway Trust Model
- `#7` Transport Security
- `#8` Dependency Security
- `#9` Performance Hardening

First, re-verify the repo state before changing anything. Do not trust prior summaries blindly.

Current known remaining work:

1. `#7`
   - Gateway proxy still uses `_internal_ssl_ctx` with disabled cert/hostname verification
   - Fix the real proxy path, not just external image fetches
2. `#5`
   - `SERVICE_LEVEL_AUTH` trust model still exists in the gateway
   - Inventory still exposes `/debug-nocodb`
   - Inventory search/filter construction still needs hardening
3. `#9`
   - Inventory `/issues` and `/needs-review-count` still do full scans
   - Budget `/transactions/recent` still fans out across all accounts
   - Existing cache improvements are helpful but do not complete the issue
4. `#8`
   - `.gitea/workflows/security.yml` exists
   - The remaining work is operational: verify/document exactly what still requires a Gitea runner and avoid overstating completion

Instructions:
- Make minimal, production-oriented fixes
- After each issue-sized change, verify it
- Comment on the relevant Gitea issue with:
  - what changed
  - files touched
  - verification performed
  - what remains
- Do not close `#5`, `#7`, or `#9` unless the actual code and behavior support it
- Do not mark `#8` completed unless the repo-side work is fully done and the remaining runner dependency is clearly documented
- Do not reopen already completed issues unless you find a real regression
- Do not revert unrelated user changes

Final output format:
- `Completed:`
- `Partial:`
- `Blocked:`
- `Manual ops actions:`