Tags

Tags give the ability to mark specific points in history as being important.
  • stable-v1.0.23

    Stability checkpoint stable-v1.0.23 (svc) — Phase 4.2 wave continued: 7 more AuthController tests covering refresh + logout flows. Refresh: token rotation pinned (old deleted = single-use replay protection), 401 on invalid token, role picked from CURRENT DB state (not old token). Logout: blacklists access token + deletes refresh tokens, robust to missing Authorization header / null principal / non-Bearer scheme. Cumulative svc Phase 4.2 across v1.0.21-23: 154 new tests across 16 test files. Post-merge main pipeline #699 SUCCESS.
  • stable-v1.0.22

    Stability checkpoint stable-v1.0.22 (svc) — Phase 4.2 wave continued: 13 unit tests for OwaspReportParser cleanCveId + cleanCveDescription helpers (Markdown stripping, GHSA extraction, truncation). Post-merge main pipeline #697 SUCCESS on 2bff6ac.
  • stable-v1.0.21

    Stability checkpoint stable-v1.0.21 (svc) — Phase 4.2 coverage wave: 134 new tests across 14 files (CustomerEnrichmentController, CustomerDiagnosticsController, SecurityDemoController, ApiKeyAuthenticationFilter, AppUserDetailsService, CustomerEnrichHandler, CustomerEventListener, ReportParsers, MaintenanceEndpoint, DataInitializer, CreateCustomerRequest, PatchCustomerRequest, StartupTimingsController, AuthController, JwtAuthenticationFilter). Includes production bug fix: SecurityDemoController.corsInfo() NPE on missing Origin header (curl/same-origin probes were 500'ing — coalesced to placeholder string). Post-merge main pipeline #695 SUCCESS on f997cee.
  • stable-v1.0.20

    Stability checkpoint stable-v1.0.20 (svc) — B-7 wave documentation: TASKS.md reflects 14 UI file splits + 3-way CustomerController split. Plus critical fix: _preamble.sh had stray '/usr/bin/env bash' (missing #!) that spawned an orphan bash interpreter every time any bin/run/*.sh sourced it, hanging all git push + tag pushes silently for 10+ min each. Bug present since Phase B-7-8 landed (MR !143). Post-merge main pipeline #682 SUCCESS.
  • stable-v1.0.19

    Stability checkpoint stable-v1.0.19 — CustomerEnrichmentController (Phase B-7-7 complete). CustomerController split 782→535 LOC (-32%) with 3 endpoints each: main CRUD + diagnostics (stream/slow/export) + enrichment (bio/todos/enrich). Post-merge main pipeline #680 SUCCESS on f058762.
  • stable-v1.0.18

    Stability checkpoint — GKE demo observability stack: install scripts (kube-prom + GitLab Agent + GMP frontend), Grafana datasource, port-forward tunnels, runbook. bin/ship/gitlab-release.sh + bin/admin/gitlab-housekeeping.sh.
  • stable-v1.0.17

    Stability checkpoint — Phase B-7-7 (CustomerDiagnosticsController) + B-7-8 (run.sh split 31 sub-scripts) + TASKS.md update
  • stable-v1.0.16

    Stability checkpoint — Phase B-2 CI modularisation (svc .gitlab-ci.yml 2609→173 LOC + 9 includes)
  • stable-v1.0.15

    Stability checkpoint — Q-2b MetricsSectionProvider closes ADR-0052 (MR !141)
  • stable-v1.0.14

    Stability checkpoint — release-please disabled (GitHub-only tool) + Phase Q-2 + Phase B-3
    
    Post-merge main pipeline #662 green (2026-04-22 ~14:55).
    
    MR !140: diagnose + disable release-please CI job (googleapis tool is GitHub-API-only, 401 with GitLab PAT). CHANGELOG.md stays hand-rolled. Token CI var still provisioned (harmless).
  • stable-v1.0.13

    Stability checkpoint — Phase Q-1 (ADR-0052): backend decoupled from Sonar+GitLab REST. Validated by main pipeline on 8030c9b09df046e085b0fad99a737cf7b21cb0fe.
  • stable-v1.0.12

    Stability checkpoint — Phase A quality + B-1 QualityReportEndpoint split
    
    Validated by svc main pipeline #647 on bd8f073 (green 2026-04-22 ~12:10).
    Corresponds to MR !135 merge: Phase B-1 (7 parsers) + bin/cluster
    resplit + Clean Code audit follow-ups + ArchUnit invariants + CI
    pre-poll fix.
    
    See CHANGELOG.md + docs/audit/clean-code-architecture-2026-04-22.md
    for details.
  • stable-v1.0.11

    Stability checkpoint — Phase A closed + shields retired + docs polish
    
    Post-stable-v1.0.10 session. First REAL post-Phase-A checkpoint where
    the file-length gate + PMD/Checkstyle/ESLint tuning land alongside
    actual user actions being taken (VM raise + signed commits + branch
    protection). Two MRs merged: !130 (TASKS refresh) + !131 (shields +
    docs). 10+ commits shipped.
    
    Major deliveries:
    
    1. Shields retired (314012f) — user raised Docker Desktop VM to 16 GB,
       both test:k8s-apply + test:k8s-apply-prom re-armed as BLOCKING.
       First successful exit of the ADR-0049 'dated exit ticket' pattern
       (18h lead time vs 30d ceiling).
    
    2. Signed commits end-to-end (314012f+ was the first SSH-signed commit).
       GitHub required_signatures active on svc + UI main branches.
    
    3. Phase A follow-ups:
       - Checkstyle custom config swapping google_checks (a17b7b4)
       - gitleaks Auth0 allowlist fix (e03f58f) — mirrors UI dac848b
    
    4. Docs polish (several commits):
       - ADR-0049 'CI shields with dated exit tickets' + retirement log
       - ADR-0050 'CI YAML modularisation plan' (Proposed)
       - docs/api/auth0-current-tenant-state.md — live tenant snapshot
       - docs/audit/session-2026-04-22-user-actions-closed.md — flow audit
       - docs/audit/clean-code-architecture-2026-04-22.md — 80%/70% posture
       - TASKS.md refreshed, user-actions section closed to ✅ DONE
       - 3 user-action runbooks shipped (docker-vm-cap + setup-signed-commits.sh
         + required-signed-commits-github)
    
    5. Jargon vulgarisation fix — 'cost-bearing' glossed (ab5e910)
    
    UI side unchanged since stable-v1.0.10 apart from path-filter dedupe
    (b9734ea → merged in MR !70). UI tag stable-v1.0.11 posted in parallel
    for alignment.
    
    What's next (Phase B): QualityReportEndpoint 1934→7 parsers,
    CI YAML modularisation, component splits. All tracked in TASKS.md.
  • stable-v1.0.10

    Stability checkpoint — Phase A quality enforcement (audit + thresholds)
    
    Phase A quality-tools pass complete. Signal layer first; failOnViolation
    flip + ESLint warn→error deferred to Phase C after Phase B refactors.
    
    Shipped this cycle (svc):
    - fbc92d4: docs/audit/quality-thresholds-2026-04-21.md (40+ rules tabulated
               industry vs current), section_file_length in stability-check.sh
               (≥1500 BLOCK gate, 11 documented exemptions), PMD industry
               thresholds (NcssCount class 1500→750, TooManyMethods 10→25,
               ExcessiveParameterList 10→7, etc.), printFailingErrors=true
    - a17b7b4: config/checkstyle.xml (custom config replacing google_checks.xml,
               adds FileLength 1000, MethodLength 100, LineLength 120,
               ParameterNumber 7, ExecutableStatementCount 30), consoleOutput=true
    - f24c56a: fix XML comment '---' violation
    
    Shipped this cycle (UI):
    - b126205: 6 ESLint rules at WARN (max-lines 400, max-lines-per-function 80,
               complexity 10, max-params 5, max-depth 4, max-nested-callbacks 4)
    - b9734ea: workflow path filter — added eslint.config.mjs + .gitleaks.toml
               (closes the silent-merge gap that let !68 land without lint
               re-validation)
    
    MRs merged: svc !129 (3 commits), UI !68 (direct), UI !69 (1 commit).
    Post-merge main pipelines green: svc #618 + UI #324.
    
    Phase B/C backlog in TASKS.md / CLAUDE.md File-length-hygiene.
  • stable-v1.0.9

    Stability checkpoint — Phase 2 complete + Phase 3 (O2+T2+DEMO1+DEMO2) + CI hygiene hardening
    
    Phase 2 (UI) : OpenAPI→TS types (D1), axe-core a11y (T1), guided tour (DEMO3)
    Phase 2 (svc): cosign re-verify (S1), Grafana exemplars→Tempo (O1), jqwik
                   parallelism (T3), Hurl smoke collection (D3), ADR supersession
                   graph (DOC3)
    
    Phase 3 (svc): PrometheusRule + 6 runbooks + ADR-0048 + promtool CI (O2),
                   k6 nightly load test (T2)
    Phase 3 (UI) : /find-the-bug interactive (DEMO1), /incident-anatomy
                   scripted walkthrough (DEMO2)
    
    CI hygiene: k8s-apply + k8s-apply-prom shields (Docker VM cap, revisit
                2026-05-21), openapi-lint agents disabled + 600s budget,
                promtool-check-rules validates alert YAML.
    
    New CLAUDE.md rules: file length hygiene (≥1000 split plan, ≥1500 split
    now), Docker cleanup 4 triggers, subdirectory threshold tightened 10/15.
    
    MRs merged: !128 (34 commits), !67 (24 commits). Both post-merge main
    pipelines green on #615 (svc) + #322 (UI).
  • stable-v1.0.8

    stable-v1.0.8 — full backlog batch (5 svc MRs since stable-v1.0.7)
    
    Stability checkpoint covering 5 svc MRs after stable-v1.0.7. UI
    unchanged.
    
    ci:
    - !120 — 6 Spectral warnings cleared (3× operation-description on
      GET /customers/{id}, /customers/summary, /scheduled/jobs;
      1× operation-tag-defined via @Tag on ScheduledJobController;
      2× no-script-tags-in-markdown via <script> entity escapes
      on SecurityDemoController xss-vulnerable + xss-safe). Spectral
      now reports 0 errors AND 0 warnings on /v3/api-docs.
    - !120 — CLAUDE.md tag-on-green rule mirror (svc + UI !65) — wait
      for post-merge main pipeline GREEN before tagging stable.
    - !121 — test:k8s-apply-prom CI job (path-filtered local-prom +
      gke-prom + base + scripts/ci-k8s-test.sh) — kind validates
      Prometheus Operator + 4 chart pods (Prometheus StatefulSet,
      node-exporter DaemonSet, ksm + operator Deployments). Same
      shield window as parent test:k8s-apply (2026-05-21).
    - !123 — terraform-plan scope-out (TF_STATE_BUCKET == null →
      when: never; same anti-pattern fix as sonar-only-main earlier
      this session — was failing 5/5 main + 5/5 MR with "bucket
      doesn't exist", silently tolerated by allow_failure: true).
    - !124 — terraform-apply needs:optional fix — post-!123 main
      pipeline #592 failed with 0 jobs ("'terraform-apply' job needs
      'terraform-plan' job, but 'terraform-plan' does not exist"). Fix:
      add `optional: true` so the apply job silently skips when the
      plan job is rule-skipped, and mirror the same TF_STATE_BUCKET
      gate on apply rules to hide the manual ▶ button when the
      prerequisite isn't met. The new tag-on-green rule SAVED the day:
      without it stable-v1.0.8 would have been tagged on the failed
      #592 commit.
    
    stability:
    - !122 — section_mermaid_lint (new section, awk + regex on
      diagram-type keyword, lite — no mmdc/Chromium dependency) +
      section_lighthouse extended with absolute thresholds for
      a11y/bp/seo (perf already had its own).
    
    decisions:
    - !123 — kubelet CA injection on GKE — DECIDED not to pursue. The
      existing values comment lines 219-236 documents the rationale:
      GKE Autopilot signs kubelet serving certs with a separate
      non-SA-token-visible root, no stable Secret reference at
      kustomize time, residual MITM surface = cluster L3 isolation
      already enforced by GKE network policy.
    - !123 — allow_failure: true shields 2nd pass: 0 safe removals
      this round (audit confirmed remaining 7 unconditional shields
      protect legit flakes or manual-trigger jobs). Counts unchanged:
      svc 25, UI 14.
    
    This batch closes the entire SonarCloud-config / shield-cleanup /
    ADR-0039-followups column except the manual UI clicks (hotspot
    reviews) and tests-to-write (svc/UI new_coverage).
  • stable-v1.0.7

    stable-v1.0.7 — doc batch (6 MRs since stable-v1.0.6)
    
    Stability checkpoint covering 6 svc docs MRs after stable-v1.0.6.
    UI unchanged.
    
    doc:
    - !114 — README "two windows" metaphor clarified + TASKS.md retire
      stable-v1.0.6 batch + audit refresh.
    - !115 — technologies.md: Temurin per-distribution justification
      table (vs Oracle JDK / Corretto / Zulu CE / Liberica / MS Build /
      Semeru / GraalVM CE) + Maven Central duplicate dedup +
      Redis/Caffeine/Kafka stack consolidation (one entry per stack:
      service + Spring integration co-located) + Zipkin ghost cleanup
      (5 dangling refs, 4 pedagogical "not used" mentions kept) +
      README Caffeine vs Redis vs Postgres decision matrix.
    - !116 — Trivy + Grype + syft 3-tool sandwich block (replaces 3
      siloed entries with one unified chain explaining DBs differ +
      matchers differ → both run, ~30s each).
    - !117 — technologies.md schema: Pairs-with optional 4th field
      documented; Concreteness rule for "Why it's pertinent" (no
      battle-tested / industry-standard filler — measured benefit OR
      named alternative rejected OR failure mode prevented OR ADR);
      Passive voice rule (no "we picked / we did NOT" — "X has been
      rejected because…"). First-pass on 4 entries (Spring Boot 4,
      Spring MVC, HikariCP, Redis). README rewrite: Step-by-step
      (manual) was buggy (port-8080 collision between docker compose
      app + ./run.sh app) + stale (./run.sh obs missing
      --profile observability) — fixed. Running locally bash code block
      → table to fix the "test" syntax-highlighter colour leak.
    - !118 — README ADR consolidation: one canonical
      "Architecture Decision Records (ADRs)" subsection (39 ADRs,
      Michael Nygard format, links to glossaries). 5 redundant filler
      mentions trimmed; trade-offs table per-row ADR-NNNN links kept.
      Mirror in README.fr.md.
    - !119 — technologies.md cert/PKI regrouping: Fulcio moved from
      Auth → CI/CD next to cosign (new "Image signing chain" block);
      JWKS moved from Networking → Auth next to JWT; new 3-flow Auth
      intro (built-in HS256 / IdP RS256+JWKS / WIF); Pairs-with
      cross-refs across the cert axis (JWT↔JWKS↔JJWT↔OAuth2RS;
      IdP↔JWKS↔OIDC; WIF↔Fulcio parallel pattern; cosign↔Fulcio↔3-tool
      sandwich).
    
    No code changes. No CI changes (the !117 sonar-only-main fix was
    already in stable-v1.0.6).
  • stable-v1.0.6

    stable-v1.0.6 — clickable URLs rule, security/quality cleanup, CI hardening
    
    Stability checkpoint covering 5 svc MRs and 2 UI MRs.
    
    svc batch:
    - !112 — clickable URLs rule + bearerAuth `.name(...)` removal +
      openapi-lint allow_failure shield drop. Spectral errors 0/0 on
      rendered /v3/api-docs.
    - !113 — scorecard.yml `permissions: read-all` narrowed to
      `contents: read` (Sonar `githubactions:S8234` cleared) + workflow
      allowlist widened (`bin/**`, `.github/**`, `.spectral.yaml`,
      README.fr.md, CLAUDE.md) + 4 stable allow_failure shields removed
      (sonar-analysis, code-quality, trivy:scan, dockle, release-please)
      + sonar-analysis scoped to main only (free-tier has no PR analysis,
      the previous shield was hiding 4 consecutive MR failures) + 2 new
      stability-check sections (ADR Proposed status, Helm-lint).
    
    UI batch:
    - !63 — clickable URLs rule mirrored to UI CLAUDE.md.
    - !64 — npm overrides forcing @compodoc/compodoc's pinned
      @angular-devkit subtree to 21.2.7 (matches workspace). Closes 5
      npm audit CVEs (1 HIGH picomatch ReDoS + 4 moderate). 0 vulns.
    
    Documentation:
    - ~/.claude/CLAUDE.md got a new "Reference pipelines, MRs and config
      files as clickable URLs" rule, mirrored to both project CLAUDE.md.
  • stable-v1.0.5

    stable-v1.0.5 — gke-prom overlay + Path B Spectral re-enable
    
    Stability checkpoint covering:
    
    obs:
    - ServiceMonitor for Mirador app in local-prom overlay (#108)
    - gke-prom/ overlay: kube-prometheus-stack on GKE Autopilot (#109)
      · 7-day retention, 10Gi PVC on standard-rwo, 1.5Gi mem cap
      · 6 ServiceMonitors (kubelet, apiserver, coreDNS + 3 chart svcs)
      · Coexists with lgtm OTel-native pod (Option B, ADR-0039)
    - ADR-0039 GKE deployment section + TASKS follow-ups
    
    openapi:
    - OpenApiCustomizer bean (OpenApiConfig#openApiSchemaSanitizer) (#110)
      · Strips springdoc MissingNode/NullNode default tokens
      · Drops empty-string defaults on non-string types and string-format types
      · Normalises parameter examples to schema type (coerce or drop)
    - 13 unit tests in OpenApiSchemaSanitizerTest
    - .spectral.yaml: re-enables oas3-valid-schema-example +
      oas3-valid-media-example at error severity (24 errors → 0)
    - ADR-0037 marked superseded with Path B addendum
  • stable-v1.0.4

    Stability checkpoint v1.0.4 — section_ci API-based (allow_failure aware) + ServiceMonitor mirador for kube-prom-stack