chore(deps): bump cryptography from 46.0.7 to 48.0.1 in /agent-governance-python/agent-os/services/cloud-board

agent-governance-python/agent-os/services/cloud-board/requirements.txt

@@ -22,7 +22,7 @@ pydantic==2.10.3
 # aiocache>=0.12.0
 
 # Cryptography
-cryptography==46.0.7  # CVE fix: subgroup attack on SECT curves
+cryptography==48.0.1  # CVE fix: subgroup attack on SECT curves
 pynacl==1.6.2
 
 # Observability

docs/dependency-audits/2026-06-15-cloud-board-cryptography-48.0.1.md

@@ -0,0 +1,23 @@
+# Dependency Audit: cryptography 46.0.7 to 48.0.1 (agent-os cloud-board service)
+
+**Date:** 2026-06-15
+**PR:** #3036
+**Lockfiles changed:** `agent-governance-python/agent-os/services/cloud-board/requirements.txt`
+
+## Dependencies changed
+
+| Package | From | To | Reason |
+|---|---|---|---|
+| `cryptography` | 46.0.7 | 48.0.1 | Routine Dependabot bump |
+
+## Security advisory relevance
+
+No specific CVE motivates this bump. cryptography 48.0.1 is a maintenance release in the 48.x series. Keeping the cryptography package current is good hygiene for a governance framework — the library underpins TLS, key operations, and certificate handling throughout the agent-os stack.
+
+## Breaking change risk
+
+**Risk: low.** The cloud-board service uses cryptography for standard TLS and certificate operations. The 46.x to 48.x range follows semantic versioning; no breaking API changes affect the surface used here. The 7-day cooling-off gate provides additional assurance before merge.
+
+## Rollback plan
+
+Revert `agent-governance-python/agent-os/services/cloud-board/requirements.txt` to pin `cryptography==46.0.7`.