diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..6420391
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,18 @@
+# Secrets / local overrides — never commit
+config/rbac-builder-job.yaml
+*.values
+*.env
+
+# Python
+__pycache__/
+*.py[cod]
+*.egg-info/
+.venv/
+venv/
+dist/
+build/
+
+# IDE
+.idea/
+.vscode/
+*.iml
diff --git a/builder/Dockerfile b/builder/Dockerfile
index ca86dea..3efac01 100644
--- a/builder/Dockerfile
+++ b/builder/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3.12-slim as builder
+FROM python:3.13-slim AS builder
 ENV LANG=C.UTF-8
 ENV PYTHONDONTWRITEBYTECODE=1
@@ -10,19 +10,17 @@ WORKDIR /app
 COPY requirements.txt requirements.txt
 RUN python -m venv /app/venv
-RUN pip3 install --use-deprecated=legacy-resolver -r requirements.txt
+RUN pip3 install --use-deprecated=legacy-resolver --upgrade "pip>=25.3" \
+ && pip3 install --use-deprecated=legacy-resolver -r requirements.txt
-FROM python:3.12-slim
+FROM gcr.io/distroless/python3-debian13
 WORKDIR /app/
 ENV PYTHONUNBUFFERED=1
-ENV PATH="/venv/bin:$PATH"
-ENV PYTHONPATH=$PYTHONPATH:.
+ENV PYTHONPATH=/app:/venv/lib/python3.13/site-packages
 COPY ./ ./builder/
 COPY --from=builder /app/venv /venv
-ENV PYTHONPATH=$PYTHONPATH:.
-
-CMD [ "python3", "-u", "/app/builder/main.py"]
\ No newline at end of file
+CMD ["-u", "/app/builder/main.py"]
diff --git a/builder/requirements.txt b/builder/requirements.txt
index 7490e33..96195c8 100644
--- a/builder/requirements.txt
+++ b/builder/requirements.txt
@@ -1,4 +1,4 @@
-pydantic==2.7.1
+pydantic>=2.11.7
 supabase==2.28.0
 httpx[http2]
 regex
diff --git a/config/test-definitions.yaml b/config/test-definitions.yaml
new file mode 100644
index 0000000..0b9a11f
--- /dev/null
+++ b/config/test-definitions.yaml
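Review bot: Ignoring `config/rbac-builder-job.yaml`, `*.values` and `*.env` only prevents future commits; it does nothing for copies already in the index or in history, so if any of these were tracked before this change they still need `git rm --cached` and whatever credential they held should be treated as exposed and rotated. I cannot tell from the diff whether they were previously committed, so this may already be handled. A one-line comment on what `*.values` is meant to cover would help the next reader, since that pattern is less self-explanatory than the others.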
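Review bot: The new `ENV PYTHONPATH=/app:/venv/lib/python3.13/site-packages` hardcodes the interpreter minor version, which has to match both the `python:3.13-slim` builder and whatever Python `gcr.io/distroless/python3-debian13` ships; neither is pinned by digest, so a bump of either image silently leaves the venv's site-packages unreachable, and a comment such as `# must match the python3.x of both the builder stage and the distroless runtime tag` would at least make the coupling visible. The `CMD ["-u", "/app/builder/main.py"]` line only works because the distroless python3 image sets `python3` as its ENTRYPOINT, which also deserves a one-line comment. In the builder stage `pip3 install` runs after `python -m venv /app/venv` with no visible activation, so unless lines 5–9 (outside this hunk) prepend `/app/venv/bin` to PATH the packages land in the system interpreter and the copied `/venv` is empty; the second install also keeps `--use-deprecated=legacy-resolver` after upgrading to `pip>=25.3`, and I believe 25.3 drops that resolver, so verify the flag is still accepted. The runtime stage has no `USER`, so `main.py` runs as root; distroless publishes a `:nonroot` tag variant that fixes this without other changes.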
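Review bot: `pydantic>=2.11.7` replaces an exact pin with an open-ended lower bound, so builds are no longer reproducible and a future pydantic 3 release would be picked up silently; keep the `==` pin (`pydantic==2.11.7`) or at least bound the range (`pydantic>=2.11.7,<3`). The neighbouring `httpx[http2]` and `regex` entries are already unpinned, so this moves the file further from a reproducible manifest rather than towards one.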
@@ -0,0 +1,22 @@
+account_id: 6c2cbf41-c7b5-48ab-9777-76d320b985d4
+scopes:
+ - name: test-namespace-scope
+ type: namespace
+ clusters:
+ test-cluster-a: ["default", "kube-system"]
+ test-cluster-b: ["*"]
+ - name: test-cluster-scope
+ type: cluster
+ clusters:
+ test-cluster-c: ["*"]
+groups:
+ - name: test-viewers
+ provider_group_id: 11111111-1111-1111-1111-111111111111
+ type: namespace
+ permissions: ["POD_LOGS", "METRICS_VIEW"]
+ scopes: ["test-namespace-scope"]
+ - name: test-admins
+ provider_group_id: 22222222-2222-2222-2222-222222222222
+ type: cluster
+ permissions: ["CLUSTER_DELETE", "POPEYE_SCAN", "NODE_DRAIN"]
+ scopes: ["test-cluster-scope"]
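Review bot: `account_id: 6c2cbf41-c7b5-48ab-9777-76d320b985d4` looks like a genuine identifier while both `provider_group_id` values are obviously synthetic; if this is a real account id it should not sit in a committed test fixture — use a placeholder of the same shape (e.g. `00000000-0000-0000-0000-000000000000`, constructed) or read it from one of the ignored `*.values`/`*.env` files. The `test-admins` group grants `CLUSTER_DELETE` and `NODE_DRAIN` over a `["*"]` cluster scope, so whatever consumes this file needs a guard against being pointed at a non-test account; a header such as `# Test fixture only — never apply against a real account` would make the intent explicit. The YAML indentation is flattened in this view, so I could not verify that each `clusters:` map nests under its scope entry as intended.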