Stability checkpoint — 4 surgical compat-matrix fixes (MR !189)

All 4 regressions from COMPATIBILITY_MATRIX.md addressed surgically
per CLAUDE.md 'Surgical fixes, not allow_failure bypasses':

1. SB3+J21 unnamed _ variables (29 sites, 10 files) → ignored.
2. Maven java17 profile reordered to LAST in <profiles> so its
   java.version=17 override wins over compat's 21 (effective-pom
   verified: <release>17</release> with -Dcompat -Djava17).
3. ArchTest kafka_listeners_should_reside_in_messaging_package:
   switched from class-level annotation check (matched 0 classes)
   to method-level check (real listeners use @KafkaListener on
   methods).
4. ArchTest controllers-must-not-return-jpa-entities: excluded
   *DemoController via .haveSimpleNameNotEndingWith() — security
   demo controllers legitimately bypass service layer to demo SQL
   injection / OWASP A03 vulnerabilities.

Local: 535/535 tests pass on J25 (ArchUnit suite skipped per
@DisabledIfSystemProperty for J25+ until ArchUnit 1.5+).
Compat jobs re-triggered on this pipeline (#802) to validate fixes
work in real J17/J21 envs; results tracked in COMPATIBILITY_MATRIX.md
follow-up.