From 603477c5f11b6db98e6c115983862a466030e469 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Jun 2026 20:30:31 +0000 Subject: [PATCH 1/2] chore(deps): bump cryptography Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.7 to 48.0.1. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/46.0.7...48.0.1) --- updated-dependencies: - dependency-name: cryptography dependency-version: 48.0.1 dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- .../agent-os/services/cloud-board/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/agent-governance-python/agent-os/services/cloud-board/requirements.txt b/agent-governance-python/agent-os/services/cloud-board/requirements.txt index ba852518e..06e92a869 100644 --- a/agent-governance-python/agent-os/services/cloud-board/requirements.txt +++ b/agent-governance-python/agent-os/services/cloud-board/requirements.txt @@ -22,7 +22,7 @@ pydantic==2.10.3 # aiocache>=0.12.0 # Cryptography -cryptography==46.0.7 # CVE fix: subgroup attack on SECT curves +cryptography==48.0.1 # CVE fix: subgroup attack on SECT curves pynacl==1.6.2 # Observability From c73773c8031892013b80aec1fa3e933ee91fe8e9 Mon Sep 17 00:00:00 2001 From: Imran Siddique Date: Tue, 16 Jun 2026 21:29:02 -0700 Subject: [PATCH 2/2] docs(audit): add dependency audit for cryptography 48.0.1 in cloud-board --- ...6-06-15-cloud-board-cryptography-48.0.1.md | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 docs/dependency-audits/2026-06-15-cloud-board-cryptography-48.0.1.md diff --git a/docs/dependency-audits/2026-06-15-cloud-board-cryptography-48.0.1.md b/docs/dependency-audits/2026-06-15-cloud-board-cryptography-48.0.1.md new file mode 100644 index 000000000..0ed88d72d --- /dev/null 
+++ b/docs/dependency-audits/2026-06-15-cloud-board-cryptography-48.0.1.md @@ -0,0 +1,23 @@ +# Dependency Audit: cryptography 46.0.7 to 48.0.1 (agent-os cloud-board service) + +**Date:** 2026-06-15 +**PR:** #3036 +**Lockfiles changed:** `agent-governance-python/agent-os/services/cloud-board/requirements.txt` + +## Dependencies changed + +| Package | From | To | Reason | +|---|---|---|---| +| `cryptography` | 46.0.7 | 48.0.1 | Routine Dependabot bump | + +## Security advisory relevance + +No specific CVE motivates this bump. cryptography 48.0.1 is a maintenance release in the 48.x series. Keeping the cryptography package current is good hygiene for a governance framework — the library underpins TLS, key operations, and certificate handling throughout the agent-os stack. + +## Breaking change risk + +**Risk: low.** The cloud-board service uses cryptography for standard TLS and certificate operations. The 46.x to 48.x range follows semantic versioning; no breaking API changes affect the surface used here. The 7-day cooling-off gate provides additional assurance before merge. + +## Rollback plan + +Revert `agent-governance-python/agent-os/services/cloud-board/requirements.txt` to pin `cryptography==46.0.7`.
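Review bot: In the requirements.txt hunk (patch 1/2), the trailing comment on the changed pin still reads "# CVE fix: subgroup attack on SECT curves", carried over unchanged from the 46.0.7 line, while the audit file added in patch 2/2 says "No specific CVE motivates this bump." A reader of requirements.txt alone will take 48.0.1 to be the version that carries the fix and may treat a rollback to 46.0.7 as reopening it. Suggest rewording the comment to name the minimum version that contains the fix, or replacing it with a pointer to the audit file under docs/dependency-audits/, so the pin and the audit agree on why this version was chosen.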
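Review bot: In the "Breaking change risk" section of the new audit file (patch 2/2), the low rating rests on "The 46.x to 48.x range follows semantic versioning", but under semantic versioning a move from 46 to 48 crosses two major versions, which is where incompatible changes are permitted, so the sentence argues against the rating it is meant to support. The audit also describes only 48.0.1 ("a maintenance release in the 48.x series") although the pin skips every release between 46.0.7 and 48.0.1, and "no breaking API changes affect the surface used here" is asserted without saying what that surface is. Suggest listing the cryptography modules the cloud-board service imports and the changelog entries for the intermediate releases that were checked against them. A smaller point in the same file: the file name and the Date field say 2026-06-15, but both commits in this series are dated 16 Jun 2026, so the audit is dated before the change it reviews.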