Security defaults focus on safe-by-default routing, hardened cookies/sessions, and defensive validation in API routes.
Observability is environment-gated: Sentry/OTEL/RUM wiring is safe when keys are not set and becomes active when configured.
This keeps local development simple while allowing production rollouts with proper telemetry and rate limiting.
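
One way to implement the environment gating described above, as an added example that is not this project's own code. The variable names `SENTRY_DSN` and `OTEL_EXPORTER_OTLP_ENDPOINT` follow those tools' usual conventions, `RUM_CLIENT_TOKEN` and both function names are hypothetical, and rejecting plain-HTTP endpoints in production is an assumed policy.

```javascript
// Added example, not the project's code. SENTRY_DSN and OTEL_EXPORTER_OTLP_ENDPOINT
// follow those tools' conventions; RUM_CLIENT_TOKEN is a hypothetical name.

// Return a parsed URL only for a well-formed http(s) value, else null.
function parseEndpoint(value, requireHttps) {
  let url;
  try {
    url = new URL(String(value).trim());
  } catch {
    return null; // malformed value: stay disabled instead of throwing at boot
  }
  if (url.protocol === "https:") return url;
  return url.protocol === "http:" && !requireHttps ? url : null;
}

// Decide which telemetry integrations may start. Never throws; every
// integration is disabled unless its key is present and valid.
function resolveTelemetry(env) {
  const production = env.NODE_ENV === "production";
  const gate = (name, raw) => {
    if (raw === undefined || String(raw).trim() === "") {
      return { name, enabled: false, reason: "not configured" };
    }
    const url = parseEndpoint(raw, production); // assumed policy: https only in production
    if (!url) return { name, enabled: false, reason: "invalid or insecure endpoint" };
    // Report only the host so the key embedded in a DSN never reaches startup logs.
    return { name, enabled: true, reason: "configured", host: url.host };
  };
  const token = String(env.RUM_CLIENT_TOKEN || "").trim();
  return {
    sentry: gate("sentry", env.SENTRY_DSN),
    otel: gate("otel", env.OTEL_EXPORTER_OTLP_ENDPOINT),
    rum: { name: "rum", enabled: token !== "", reason: token ? "configured" : "not configured" },
  };
}

// Constructed sample environments (not real keys or hosts).
const localDev = { NODE_ENV: "development" };
const prod = {
  NODE_ENV: "production",
  SENTRY_DSN: "https://examplePublicKey@o0.ingest.example.invalid/1",
  OTEL_EXPORTER_OTLP_ENDPOINT: "http://collector.example.invalid:4318",
};
console.log(JSON.stringify([resolveTelemetry(localDev), resolveTelemetry(prod)], null, 2));
```

Logging the `reason` field at startup makes a silently disabled integration visible in production without exposing the configured secret.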