diff --git a/.env.example b/.env.example
index 0eb60228..43db7e8c 100644
--- a/.env.example
+++ b/.env.example
@@ -58,6 +58,13 @@ PLUGIN_INSTALL_BODY_MAX_BYTES=65536        # max request body size (default: 64
 PLUGIN_INSTALL_FETCH_TIMEOUT=5m            # duration string; whole fetch+copy deadline
 PLUGIN_INSTALL_MAX_DIR_BYTES=104857600     # max staged-tree size (default: 100 MiB)
 
+# ---- Plugin supply chain hardening (issue #768, PR #775) ----
+# Set to 'true' to allow unpinned plugin refs (no #tag/#sha). Local dev only.
+# When unset or 'false' (default), installing a plugin from a source without
+# an explicit ref is rejected — prevents supply chain attacks via floating HEAD.
+# NEVER set in production. Pending: PR #775 must merge before this takes effect.
+PLUGIN_ALLOW_UNPINNED=
+
 # Phase 30.7 — remote-agent liveness threshold. Workspaces with
 # runtime='external' are marked offline if their last_heartbeat_at is
 # older than this many seconds. Slightly larger than the 60s Redis TTL
@@ -65,6 +72,16 @@ PLUGIN_INSTALL_MAX_DIR_BYTES=104857600     # max staged-tree size (default: 100
 # the built-in default (90s).
 REMOTE_LIVENESS_STALE_AFTER=90
 
+# ---- Workspace hibernation (issue #724, PR #724) ----
+# Workspaces with no active tasks hibernate after this many minutes.
+# Leave empty to disable. Per-workspace override via the hibernation_idle_minutes
+# column (set via PATCH /workspaces/:id or org.yaml). This env var sets the
+# platform-wide default applied to workspaces that have no per-workspace setting.
+# Note: the global-default behaviour (reading this env var) is pending — currently
+# only the per-workspace DB column is active. Setting this has no effect until that
+# code lands.
+HIBERNATION_IDLE_MINUTES=60
+
 # Canvas
 NEXT_PUBLIC_PLATFORM_URL=http://localhost:8080
 NEXT_PUBLIC_WS_URL=ws://localhost:8080/ws
diff --git a/docker-compose.yml b/docker-compose.yml
index 408050a9..83a95a8b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -144,6 +144,12 @@ services:
       # Generate: openssl rand -base64 32
       # Store in fly secrets / deployment env — NEVER commit the actual value.
       ADMIN_TOKEN: "${ADMIN_TOKEN:-}"
+      # Workspace hibernation default (issue #724 / PR #724). Sets platform-wide idle
+      # threshold (minutes); per-workspace column takes precedence. Leave empty to
+      # rely on per-workspace config only (current behaviour — global-default code pending).
+      HIBERNATION_IDLE_MINUTES: "${HIBERNATION_IDLE_MINUTES:-}"
+      # Plugin supply chain hardening (issue #768 / PR #775). Never set in production.
+      PLUGIN_ALLOW_UNPINNED: "${PLUGIN_ALLOW_UNPINNED:-}"
     volumes:
       - ./workspace-configs-templates:/configs
       - ./org-templates:/org-templates:ro