From 5d401b6f31d4530bccd60ac0c9d82d20d80068c7 Mon Sep 17 00:00:00 2001
From: Duncan Murchison
Date: Tue, 20 Jan 2026 13:15:47 -0500
Subject: [PATCH 1/4] feat: update default email sender to use notifications domain

---
 TODO.md | 2 +-
 backend/config.py | 2 +-
 backend/utils/email.py | 6 +++---
 docs/security/SECURITY.md | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/TODO.md b/TODO.md
index 8e5ab15..67812fb 100644
--- a/TODO.md
+++ b/TODO.md
@@ -158,7 +158,7 @@ JWT_ACCESS_TOKEN_EXPIRES=14400
 RESEND_API_KEY=
- MAIL_DEFAULT_SENDER=noreply@computeranything.dev
+ MAIL_DEFAULT_SENDER=noreply@notifications.computeranything.dev
 CONTACT_FORM_RECIPIENTS=contact@computeranything.dev
 ADMIN_EMAIL=admin@computeranything.dev
diff --git a/backend/config.py b/backend/config.py
index 51bd1e9..b061054 100755
--- a/backend/config.py
+++ b/backend/config.py
@@ -25,7 +25,7 @@ class Config:
 # Email Configuration (Resend API)
 RESEND_API_KEY = os.environ.get('RESEND_API_KEY')
- MAIL_DEFAULT_SENDER = os.environ.get('MAIL_DEFAULT_SENDER', 'noreply@computeranything.dev')
+ MAIL_DEFAULT_SENDER = os.environ.get('MAIL_DEFAULT_SENDER', 'noreply@notifications.computeranything.dev')
 # Admin Email (for security alerts)
 ADMIN_EMAIL = os.environ.get('ADMIN_EMAIL')
diff --git a/backend/utils/email.py b/backend/utils/email.py
index 7d5ec18..776cca4 100644
--- a/backend/utils/email.py
+++ b/backend/utils/email.py
@@ -16,7 +16,7 @@ def send_email(to: str | list[str], subject: str, html: str, from_email: str | N
 to: Email address or list of email addresses
 subject: Email subject
 html: HTML content of the email
- from_email: Sender email (defaults to noreply@computeranything.dev)
+ from_email: Sender email (defaults to noreply@notifications.computeranything.dev)
 reply_to: Reply-to email address (optional)
 Returns:
@@ -48,7 +48,7 @@ def send_email(to: str | list[str], subject: str, html: str, from_email: str | N
 f"[DEVELOPMENT MODE] Email NOT sent - logged instead:\n"
 f" To: {to}\n"
 f" Subject: {subject}\n"
- f" From: {from_email or 'noreply@computeranything.dev'}\n"
+ f" From: {from_email or 'noreply@notifications.computeranything.dev'}\n"
 f" Reply-To: {reply_to or 'N/A'}\n"
 )
@@ -80,7 +80,7 @@ def send_email(to: str | list[str], subject: str, html: str, from_email: str | N
 # Get from email
 if from_email is None:
- from_email = 'noreply@computeranything.dev'
+ from_email = 'noreply@notifications.computeranything.dev'
 # Ensure to is a list
 if isinstance(to, str):
diff --git a/docs/security/SECURITY.md b/docs/security/SECURITY.md
index ebc67cb..09ee6ee 100644
--- a/docs/security/SECURITY.md
+++ b/docs/security/SECURITY.md
@@ -777,7 +777,7 @@ FRONTEND_URL=https://blog.computeranything.dev
 # backend/utils/email.py:85-118
 def send_email(to: str, subject: str, html: str):
 params = {
- "from": "Computer Anything Blog ",
+ "from": "Computer Anything Blog ",
 "to": [to],
 "subject": subject,
 "html": html,

From ba947de84c42ee63a4288b45c7fc297ef8c752cf Mon Sep 17 00:00:00 2001
From: Duncan Murchison
Date: Tue, 20 Jan 2026 13:24:18 -0500
Subject: [PATCH 2/4] feat: add jaraco.context as a security override for transitive dependencies

---
 backend/requirements.txt | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/backend/requirements.txt b/backend/requirements.txt
index f68cd88..b767708 100755
--- a/backend/requirements.txt
+++ b/backend/requirements.txt
@@ -35,3 +35,6 @@ gunicorn==22.0.0
 pytest==7.4.3
 pytest-cov==4.1.0
 ruff
+
+# Security overrides (transitive dependencies)
+jaraco.context>=6.1.0

From a536ab579fe31ec21158309fb9e8951acc4aa947 Mon Sep 17 00:00:00 2001
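Review bot: The fallback at the `@@ -80` hunk, `from_email = 'noreply@notifications.computeranything.dev'`, is a second hard-coded copy of a default that `backend/config.py` already reads from the `MAIL_DEFAULT_SENDER` environment variable, and the development-mode log line in the `@@ -48` hunk is a third; an operator who overrides the variable will still see `send_email` fall back to the literal unless every caller passes `from_email` explicitly, which I cannot see from here, and this commit itself had to edit all three copies in step. Keep one module-level constant — `DEFAULT_SENDER = Config.MAIL_DEFAULT_SENDER` if email.py can import the config (its imports are outside the hunks), otherwise a single literal — and use it in both places, `if from_email is None: from_email = DEFAULT_SENDER` and `f" From: {from_email or DEFAULT_SENDER}\n"`. A comment next to that constant should say the address has to be on the domain verified with Resend (SPF/DKIM), since a sender on an unverified domain is the usual reason outbound mail is rejected or fails DMARC alignment, presumably the motivation for the subdomain move. The body of `send_email` starts and ends outside these hunks.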
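Review bot: The new `# Security overrides (transitive dependencies)` comment does not record which direct dependency pulls in jaraco.context or which advisory the 6.1.0 floor addresses, so a later maintainer cannot tell when the line is obsolete or whether the resolver actually honoured it. Replace it with something like `# jaraco.context: transitive via <direct dependency>; floor for <advisory id> — drop once <direct dependency> requires >=6.1.0 itself`, with the placeholders filled in from the scanner finding that prompted this. The same comment is rewritten again in PATCH 4/4, so the provenance should land there too.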
From: Duncan Murchison
Date: Tue, 20 Jan 2026 13:27:35 -0500
Subject: [PATCH 3/4] fix: pin jaraco.context version to 6.1.0 for consistency in dependencies

---
 backend/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/requirements.txt b/backend/requirements.txt
index b767708..26423ed 100755
--- a/backend/requirements.txt
+++ b/backend/requirements.txt
@@ -37,4 +37,4 @@ pytest-cov==4.1.0
 ruff
 # Security overrides (transitive dependencies)
-jaraco.context>=6.1.0
+jaraco.context==6.1.0

From ec91b1b709ca9301e5ab3aa5f8d682b2b0cdfa79 Mon Sep 17 00:00:00 2001
From: Duncan Murchison
Date: Tue, 20 Jan 2026 13:38:56 -0500
Subject: [PATCH 4/4] feat: add no-cache option for Docker image builds in security workflow

---
 .github/workflows/security.yml | 2 ++
 backend/requirements.txt | 6 +++---
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 355e668..dffdcec 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -93,6 +93,7 @@ jobs:
 push: false
 load: true
 tags: blog-backend:scan
+ no-cache: true
 - name: Build frontend image for scanning
 uses: docker/build-push-action@v5
@@ -102,6 +103,7 @@ jobs:
 push: false
 load: true
 tags: blog-frontend:scan
+ no-cache: true
 # Scan application libraries - BLOCKS pipeline on vulnerabilities
 - name: Run Trivy scanner on backend - Application Libraries
diff --git a/backend/requirements.txt b/backend/requirements.txt
index 26423ed..994ada6 100755
--- a/backend/requirements.txt
+++ b/backend/requirements.txt
@@ -1,3 +1,6 @@
+# Security overrides - MUST be first to take precedence
+jaraco.context==6.1.0
+
 # Core Flask
 Flask==2.3.3
 Flask-SQLAlchemy==3.0.5
@@ -35,6 +38,3 @@ gunicorn==22.0.0
 pytest==7.4.3
 pytest-cov==4.1.0
 ruff
-
-# Security overrides (transitive dependencies)
-jaraco.context==6.1.0
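Review bot: `no-cache: true` in the two build steps (`@@ -93` and `@@ -102`) discards the layer cache but does not by itself refresh the base image: if the `FROM` tag is already present locally, BuildKit builds from that copy and the scan still reports the old OS packages. Add `pull: true` next to it in both steps — an input docker/build-push-action supports — so the scan image is assembled from the current base tag rather than whatever the runner has. On ephemeral GitHub-hosted runners the difference is usually nil, but the job's `runs-on` and any earlier pulls are outside the hunks, so I cannot confirm that here. Both `with:` blocks begin outside the hunks.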
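Review bot: The comment `# Security overrides - MUST be first to take precedence` in the `@@ -1,3 +1,6` hunk states something pip does not do: a requirements file has no positional precedence, every line is handed to the resolver together, so `jaraco.context==6.1.0` binds wherever it sits and the move from the end of the file (the `@@ -35,6 +38,3` hunk) changes nothing. Reword it to say why the pin exists, e.g. `# jaraco.context: transitive via <direct dependency>; pinned for <advisory id>`, with the placeholders filled from the finding that prompted PATCH 2/4. If the intent is only to force a transitive version without promoting it to a direct dependency, a constraints file (`pip install -c constraints.txt -r requirements.txt`) is pip's mechanism for that. Note also that an exact `==` pin on a security override freezes the fix at one release, so later fixes in that package will not flow in unless the pin is revisited; the `>=` floor from PATCH 2/4 is the usual shape for a minimum-safe-version override, unless the rest of the file is being treated as a lockfile.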