diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 056ed4a..3fa0c3d 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -11,7 +11,7 @@ jobs:
           fetch-depth: 1024
       - uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4
         with:
-          python-version: '3.8'
+          python-version: '3.9'
       - name: pre-commit
         env:
           BASE_SHA: ${{ github.event.pull_request.base.sha}}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index cfa733e..af10b07 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -23,3 +23,8 @@ repos:
     rev: 5.12.0
     hooks:
       - id: isort
+  - repo: https://github.com/renovatebot/pre-commit-hooks
+    rev: 43.150.0
+    hooks:
+      - id: renovate-config-validator
+        args: [--strict, --no-global]
diff --git a/renovate.json b/renovate.json
deleted file mode 100644
index 02871ff..0000000
--- a/renovate.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "config:recommended"
-  ],
-  "packageRules": [
-    {
-      "description": "Security hardening for GitHub Actions (FIS-17871): pin to SHA digests, delay updates 3 days",
-      "matchManagers": [
-        "github-actions"
-      ],
-      "groupName": "GitHub Actions",
-      "minimumReleaseAge": "3 days",
-      "pinDigests": true
-    }
-  ]
-}
diff --git a/renovate.json5 b/renovate.json5
new file mode 100644
index 0000000..b82e81c
--- /dev/null
+++ b/renovate.json5
@@ -0,0 +1,95 @@
+{
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+
+  // Renovate baseline: SHA-pinned GHA, 3-day release-age soak, OSV
+  // vulnerability alerts, per-ecosystem grouping, major-update isolation.
+  // Python (poetry + pep621) + GHA only — this repo has no Docker / npm /
+  // terraform / datastore deps.
+  extends: [
+    "config:best-practices",
+    // Don't widen semver ranges (`^1.2.3` stays `^1.2.3`).
+    ":preserveSemverRanges",
+  ],
+
+  labels: ["dependencies"],
+
+  // ---- Volume controls ----
+  // Renovate has no `prWeeklyLimit`; the effective weekly cap is achieved by
+  // combining a weekly schedule with prConcurrentLimit + prHourlyLimit. Net
+  // effect: at most 4 PRs created per Monday and at most 4 open at any time.
+  prConcurrentLimit: 4,
+  prHourlyLimit: 4,
+  schedule: ["before 5am on monday"],
+  lockFileMaintenance: { enabled: true, schedule: ["before 5am on monday"] },
+  // Suppress PRs for deps that fail Renovate's internal status checks
+  // (upstream CI red, deprecation flagged, etc.). Reduces autoclose noise.
+  internalChecksFilter: "strict",
+
+  // ---- Security baseline ----
+  osvVulnerabilityAlerts: true,
+  vulnerabilityAlerts: {
+    enabled: true,
+    labels: ["security"],
+    // groupName:null is INTENTIONAL: security/CVE PRs must NEVER be batched
+    // with manager-grouping rules.
+    groupName: null,
+  },
+
+  packageRules: [
+    // Bundle lock file maintenance across all managers into ONE PR per cycle
+    // so a multi-lockfile repo doesn't exhaust prConcurrentLimit.
+    {
+      description: "Bundle lock file maintenance across all managers into one PR",
+      matchUpdateTypes: ["lockFileMaintenance"],
+      groupName: "lockfile-maintenance",
+    },
+
+    // ---- GHA SHA-pin + 3-day soak ----
+    // SHA pin protects against tag-mutation supply-chain attacks; the soak
+    // window gives the community time to surface CVEs before they hit our
+    // workflows.
+    {
+      description: "GitHub Actions: pin to SHA digests + enforce 3-day release soak",
+      matchManagers: ["github-actions"],
+      pinDigests: true,
+      minimumReleaseAge: "3 days",
+    },
+
+    // ---- Backend Python grouping ----
+    // `pep621` covers pyproject.toml [project] (uv / hatch / pdm); `poetry`
+    // covers [tool.poetry.dependencies]. List both so the rule is robust if
+    // the build backend ever migrates.
+    {
+      description: "Backend non-major (minor + patch) -> backend-non-major",
+      matchManagers: ["poetry", "pep621"],
+      matchUpdateTypes: ["minor", "patch"],
+      groupName: "backend-non-major",
+      minimumReleaseAge: "3 days",
+    },
+    {
+      // groupName:null is INTENTIONAL. Majors must never be batched — one
+      // stuck major blocks every other major in the group.
+      description: "Backend major -> isolated PR per dep (no group)",
+      matchManagers: ["poetry", "pep621"],
+      matchUpdateTypes: ["major"],
+      groupName: null,
+      minimumReleaseAge: "3 days",
+    },
+
+    // ---- GHA grouping ----
+    {
+      // 'digest' + 'pin' types included so that pinDigests:true SHA refreshes
+      // land in this group, not ungrouped.
+      description: "GHA non-major (minor, patch, digest, pin refreshes) -> gha-non-major",
+      matchManagers: ["github-actions"],
+      matchUpdateTypes: ["minor", "patch", "digest", "pin"],
+      groupName: "gha-non-major",
+    },
+    {
+      description: "GHA major -> isolated PR per action (no group)",
+      matchManagers: ["github-actions"],
+      matchUpdateTypes: ["major"],
+      groupName: null,
+    },
+  ],
+}