stable-v1.0.8 — full backlog batch (5 svc MRs since stable-v1.0.7)
Stability checkpoint covering 5 svc MRs after stable-v1.0.7. UI
unchanged.
ci:
- !120 — 6 Spectral warnings cleared (3× operation-description on
GET /customers/{id}, /customers/summary, /scheduled/jobs;
1× operation-tag-defined via @Tag on ScheduledJobController;
2× no-script-tags-in-markdown via <script> entity escapes
on SecurityDemoController xss-vulnerable + xss-safe). Spectral
now reports 0 errors AND 0 warnings on /v3/api-docs.
- !120 — CLAUDE.md tag-on-green rule mirror (svc + UI !65) — wait
for post-merge main pipeline GREEN before tagging stable.
- !121 — test:k8s-apply-prom CI job (path-filtered local-prom +
gke-prom + base + scripts/ci-k8s-test.sh) — kind validates
Prometheus Operator + 4 chart pods (Prometheus StatefulSet,
node-exporter DaemonSet, ksm + operator Deployments). Same
shield window as parent test:k8s-apply (2026-05-21).
- !123 — terraform-plan scope-out (TF_STATE_BUCKET == null →
when: never; same anti-pattern fix as sonar-only-main earlier
this session — was failing 5/5 main + 5/5 MR with "bucket
doesn't exist", silently tolerated by allow_failure: true).
- !124 — terraform-apply needs:optional fix — post-!123 main
pipeline #592 failed with 0 jobs ("'terraform-apply' job needs
'terraform-plan' job, but 'terraform-plan' does not exist"). Fix:
add `optional: true` so the apply job silently skips when the
plan job is rule-skipped, and mirror the same TF_STATE_BUCKET
gate on apply rules to hide the manual ▶ button when the
prerequisite isn't met. The new tag-on-green rule SAVED the day:
without it stable-v1.0.8 would have been tagged on the failed
#592 commit.
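The !123/!124 pattern as a GitLab CI fragment, added here as an illustration and not copied from the repo's own .gitlab-ci.yml; the stage names, the terraform commands, the artifact name and the branch/MR conditions are assumptions, only TF_STATE_BUCKET, the `== null` gate and `optional: true` come from the notes above. The hidden `.terraform-plan-before` job shows the anti-pattern that allow_failure: true was masking.

```yaml
# Anti-pattern (pre-!123): job always runs, fails on "bucket doesn't
# exist", and allow_failure turns the red X into a warning nobody reads.
# Dot-prefixed, so GitLab treats it as a hidden template and never runs it.
.terraform-plan-before:
  stage: plan
  script:
    - terraform init -backend-config="bucket=${TF_STATE_BUCKET}"
    - terraform plan -out=tfplan
  allow_failure: true

# !123: scope the job out entirely when the prerequisite is missing.
# `$VAR == null` is true only when the variable is not defined at all.
terraform-plan:
  stage: plan
  rules:
    - if: '$TF_STATE_BUCKET == null'
      when: never
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
  script:
    - terraform init -backend-config="bucket=${TF_STATE_BUCKET}"
    - terraform plan -out=tfplan
  artifacts:
    paths:
      - tfplan

# !124: the apply job must tolerate the plan job being rule-skipped,
# otherwise the pipeline is rejected at creation with 0 jobs ("job needs
# 'terraform-plan' job, but 'terraform-plan' does not exist").
terraform-apply:
  stage: apply
  needs:
    - job: terraform-plan
      optional: true
  rules:
    # Same gate as plan, so the manual play button is hidden rather than
    # offered on a pipeline that can never satisfy it.
    - if: '$TF_STATE_BUCKET == null'
      when: never
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
      when: manual
  script:
    - terraform apply -input=false tfplan
```

Note that a job with allow_failure: true still reports the pipeline as passed, which is exactly why a tag-on-green rule that only checks the pipeline status would not have caught the original 5/5 plan failures; the rules gate makes the skip explicit and visible instead.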
stability:
- !122 — section_mermaid_lint (new section, awk + regex on
diagram-type keyword, lite — no mmdc/Chromium dependency) +
section_lighthouse extended with absolute thresholds for
a11y/bp/seo (perf already had its own).
decisions:
- !123 — kubelet CA injection on GKE — DECIDED not to pursue. The
existing comment in the values file (lines 219-236) documents the rationale:
GKE Autopilot signs kubelet serving certs with a separate
non-SA-token-visible root, no stable Secret reference at
kustomize time, residual MITM surface = cluster L3 isolation
already enforced by GKE network policy.
- !123 — allow_failure: true shields 2nd pass: 0 safe removals
this round (audit confirmed remaining 7 unconditional shields
protect legit flakes or manual-trigger jobs). Counts unchanged:
svc 25, UI 14.
This batch closes the entire SonarCloud-config / shield-cleanup /
ADR-0039-followups column except the manual UI clicks (hotspot
reviews) and tests-to-write (svc/UI new_coverage).