- Remove secrets from Dockerfile build args, pass as runtime env vars only
- Add non-root user to Docker container
- Add SKU format validation to prevent S3 key injection
- Sanitize error responses in sanity-lookup route
- Fix zod import to use @medusajs/framework/zod
- Clean up .env.template defaults and .dockerignore
