Security and deployment notes
This scaffold is aligned to the PDF’s MVP guidance: verify GitHub HMAC signatures, use delivery IDs for idempotency, keep heavy work out of the request path, and prefer short-lived credentials or secret storage over hard-coded tokens.
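The first two points, sketched as an added example (not code from this scaffold): the class `WebhookGate` and its method names are hypothetical, the secret, payload and delivery ID are constructed sample values, and .NET 6 or later is assumed. GitHub sends the signature in the `X-Hub-Signature-256` header as `sha256=<hex>` and the delivery ID in `X-GitHub-Delivery`.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper for illustration; not part of the scaffold.
public static class WebhookGate
{
    // In-memory dedupe set: forgotten on restart, so production needs a durable store.
    private static readonly ConcurrentDictionary<string, byte> Seen = new();

    // rawBody must be the exact bytes received, not re-serialized JSON.
    public static bool VerifySignature(byte[] rawBody, string? header, byte[] secret)
    {
        const string prefix = "sha256=";
        if (header is null || !header.StartsWith(prefix, StringComparison.Ordinal)) return false;
        byte[] claimed;
        try { claimed = Convert.FromHexString(header.AsSpan(prefix.Length)); }
        catch (FormatException) { return false; } // malformed hex is a rejection, not a 500
        byte[] expected = HMACSHA256.HashData(secret, rawBody);
        // Constant-time comparison; also returns false when the lengths differ.
        return CryptographicOperations.FixedTimeEquals(expected, claimed);
    }

    // True only the first time a delivery ID is seen.
    public static bool TryClaimDelivery(string? deliveryId) =>
        !string.IsNullOrEmpty(deliveryId) && Seen.TryAdd(deliveryId, 0);

    // Verify first: claiming IDs from unauthenticated requests would let them block real deliveries.
    public static bool Accept(byte[] rawBody, string? sig, string? deliveryId, byte[] secret) =>
        VerifySignature(rawBody, sig, secret) && TryClaimDelivery(deliveryId);

    public static void Main()
    {
        byte[] secret = Encoding.UTF8.GetBytes("constructed-test-secret");
        byte[] body = Encoding.UTF8.GetBytes("{\"action\":\"opened\"}");
        byte[] tampered = Encoding.UTF8.GetBytes("{\"action\":\"closed\"}");
        string sig = "sha256=" + Convert.ToHexString(HMACSHA256.HashData(secret, body)).ToLowerInvariant();
        string id1 = "00000000-0000-0000-0000-000000000001"; // constructed delivery IDs
        string id2 = "00000000-0000-0000-0000-000000000002";

        Console.WriteLine($"valid, first delivery: {Accept(body, sig, id1, secret)}");
        Console.WriteLine($"valid, redelivery:     {Accept(body, sig, id1, secret)}");
        Console.WriteLine($"tampered body:         {Accept(tampered, sig, id2, secret)}");
        Console.WriteLine($"malformed header:      {Accept(body, "sha256=zz", id2, secret)}");
    }
}
```

Only requests that pass `Accept` should be handed to the background queue, which keeps the request path limited to one HMAC and one set lookup.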
Recommended next steps
- Move secrets into user secrets, environment variables, or a vault before deploying.
- Replace the MVP GitHub access token with GitHub App installation auth for production.
- Swap the heuristic summarizer for a hosted or local LLM provider behind the existing `IChangeSummarizer` interface.
- Upgrade from the in-memory channel to a durable queue if you need retry resilience across restarts.
- For production, point the SQL Server connection string at your real SQL Server or Azure SQL instance.