stable-v1.0.6 — clickable URLs rule, security/quality cleanup, CI hardening Stability checkpoint covering 5 svc MRs and 2 UI MRs. svc batch: - !112 — clickable URLs rule + bearerAuth `.name(...)` removal + openapi-lint allow_failure shield drop. Spectral errors 0/0 on rendered /v3/api-docs. - !113 — scorecard.yml `permissions: read-all` narrowed to `contents: read` (Sonar `githubactions:S8234` cleared) + workflow allowlist widened (`bin/**`, `.github/**`, `.spectral.yaml`, README.fr.md, CLAUDE.md) + 4 stable allow_failure shields removed (sonar-analysis, code-quality, trivy:scan, dockle, release-please) + sonar-analysis scoped to main only (free-tier has no PR analysis, the previous shield was hiding 4 consecutive MR failures) + 2 new stability-check sections (ADR Proposed status, Helm-lint). UI batch: - !63 — clickable URLs rule mirrored to UI CLAUDE.md. - !64 — npm overrides forcing @compodoc/compodoc's pinned @angular-devkit subtree to 21.2.7 (matches workspace). Closes 5 npm audit CVEs (1 HIGH picomatch ReDoS + 4 moderate). 0 vulns. Documentation: - ~/.claude/CLAUDE.md got a new "Reference pipelines, MRs and config files as clickable URLs" rule, mirrored to both project CLAUDE.md.