Stability checkpoint — security (8 CVEs fixed) + iris-common SHA bumps + CI templates + dev workflow uniformised

- fix(deps): bump spring-boot 4.0.5 → 4.0.6 (Critical GHSA-8v8j-3hxp-93wr + High GHSA-wwpq-f5c3-7hvx + spring-security 7.0.4 → 7.0.5 via BOM cascade with 2x High)
- fix(deps): pin netty 4.2.13.Final + postgresql 42.7.11 (6 High CVEs across netty/codec, /codec-dns, /codec-http, /codec-http2 + GHSA-98qh-xjc8-98pq pgsql)
- ci: include shellcheck + adr-drift universal templates from iris-common
- chore(banner): per-repo banner with 7 ROYGBIV axes specific to repo content
- chore(submodule): bump iris-common SHA → 8e8eabd (gcc shellcheck format, conv-commits skip merge commits, conv-commits 100-char limit)
- build(pom): dedup maven-antrun-plugin + record PIT 91% on e-commerce
- workflow:rules : add `infra/common` (gitlink) + `infra/shared` (gitlink) for submodule SHA bumps to trigger pipelines

CI :
- ✅ Main pipeline #2513437880 green (post-CVE-fix promote dev → main)
- ✅ grype:scan : 0 CVEs (was 8 High/Critical pre-fix)
- ✅ shellcheck (--format=gcc), adr-drift, conv-commits, code-quality, sonar-analysis, integration-test, unit-test, docker-build, build-jar
- ✅ owasp-dependency-check + secret-scan

Local test pass :
- ⏭ ./mvnw verify -q : not re-validated this rev (CI gate confirms)
- ⏭ ./mvnw verify -Dcompat -Djava21 : not run this rev (compat matrix manual)
- ⏭ bin/dev/api-smoke.sh : not re-run

Regression check vs previous tag :
- ✅ All previous CVE-suppressions still valid in .grype.yaml (no false positive cascade from BOM bumps)
- 🆕 SB 4.0.6 BOM brings spring-security 7.0.5 transitively — confirmed in dependency tree
- ⏭ N/A — no AI/ML code change in this rev (existing Spring AI 1.1.4 + Ollama + 14 in-process MCP tools stay)
- 8 CVEs resolved (was main-RED for 11+ days) :
  - spring-boot Critical GHSA-8v8j-3hxp-93wr
  - spring-boot High GHSA-wwpq-f5c3-7hvx
  - spring-security-config 2x High
  - netty 5x High (codec/dns/http/http2)
  - postgresql JDBC High GHSA-98qh-xjc8-98pq
- grype:scan job : green
- owasp-dependency-check : green
- secret-scan : green
- ⏭ N/A — no domain feature in this rev (CI/security focus)
- ⏭ N/A — no infra delta in this rev
- ⏭ N/A — no observability change in this rev (existing OTel + 3 SLOs + multi-burn-rate alerting stay)
- JaCoCo gate : green
- PIT mutations 91% e-commerce : passed
- SonarCloud quality gate : green
- ESLint flat config : green
- Spectral OpenAPI lint : green
- shellcheck + adr-drift + conv-commits universal templates from iris-common (auto-update on bump)
- workflow:rules now matches `infra/common` + `infra/shared` gitlink (bump-only MRs trigger pipelines)
- conv-commits 100-char limit (multi-package bump messages no longer rejected)
- conv-commits skip merge commits (parent count > 1)
- Compat matrix SB3/SB4 × Java17/21/25 : manual jobs available
- iris-common SHA bumped → 8e8eabd (flat α submodule per ADR-0060)
- 5 iris-7 repos uniformly use dev → main workflow
- Hexagonal Lite (ADR-0044) + Feature-slicing (ADR-0008) preserved
- ⏭ N/A — backend repo
- 47 stale local branches deleted post-merge (cleanup across 5 iris repos session-wide)
- Auto-merge dev → main template available in iris-common (ci-templates/auto-merge-dev-to-main.yml) — pending AUTOMERGE_TOKEN setup
- 110 merged branches cleaned across the 5 iris repos session-wide
- netty 4.2.13.Final + postgresql 42.7.11 pinned via <properties> override — revert to BOM defaults once SB 4.0.7+ catches up
- Compat matrix manual (SB3+J17/21/25) — not run this rev
- AUTOMERGE_TOKEN setup → activate auto-merge dev → main on java
- runner dind migration → re-enable python integration-tests gate