GT AI OS Community Edition v2.0.33

Security hardening release addressing CodeQL and Dependabot alerts:

- Fix stack trace exposure in error responses
- Add SSRF protection with DNS resolution checking
- Implement proper URL hostname validation (replaces substring matching)
- Add centralized path sanitization to prevent path traversal
- Fix ReDoS vulnerability in email validation regex
- Improve HTML sanitization in validation utilities
- Fix capability wildcard matching in auth utilities
- Update glob dependency to address CVE
- Add CodeQL suppression comments for verified false positives

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

docker-compose.x86-gpu.yml

@@ -0,0 +1,24 @@
+# Docker Compose x86_64 GPU Overlay
+# Auto-applied by installer when NVIDIA GPU + Container Toolkit detected
+# This overlay enables GPU passthrough for the vLLM embeddings container
+
+services:
+  vllm-embeddings:
+    deploy:
+      resources:
+        # GPU mode: model loads into VRAM (~2.5GB), minimal system RAM needed
+        limits:
+          memory: 4G
+        reservations:
+          memory: 2G
+          devices:
+            - driver: nvidia
+              count: 1
+              capabilities: [gpu]
+    environment:
+      # GPU-specific settings
+      - CUDA_VISIBLE_DEVICES=0
+      - PYTORCH_CUDA_ALLOC_CONF=expandable_segments:True
+    labels:
+      - "gt2.gpu=enabled"
+      - "gt2.gpu.vendor=nvidia"