Stability checkpoint — security (4 CVEs fixed) + scope-out integration-tests + iris-common SHA bump + CI templates rolled out - fix(deps): bump gitpython 3.1.47→3.1.50, mako 1.3.11→1.3.12, python-multipart 0.0.26→0.0.27 (4 CVEs) - fix(ci): switch bitnami/kafka → bitnamilegacy/* (Bitnami archived non-paying images early 2026) - fix(ml): train_churn parents[2] → parents[3] + onnxscript dep - fix(format): apply ruff format on test_tools_churn (1 file) - ci(scope-out): integration-tests skipped until runner dind migration (TODO 2026-05-16) - ci: include shellcheck + adr-drift + conv-commits universal templates from iris-common - ci(test): wire mutmut as manual GitLab CI job (auth slice) - chore(submodule): bump iris-common SHA → 8e8eabd (gcc shellcheck format, conv-commits 100-char limit, skip merge commits) CI : - ✅ Main pipeline #309 green (post-promote dev → main) - ✅ Main pipeline #308 green - ✅ shellcheck job (with --format=gcc fix) - ✅ adr-drift / conventional-commits jobs - ✅ unit-tests, ruff:lint, mypy, import-linter, pip-audit, docs:check Local test pass : - ✅ uv run pip-audit → No known vulnerabilities found - ✅ uv lock --upgrade-package gitpython mako python-multipart resolved cleanly - ⏭ integration-tests — N/A (scope-out per docs/audit/runner-dind-migration-2026-05-09.md) Regression check vs previous tag : - ✅ pip-audit clean (no CVEs); previous tag had 4 unflagged CVEs in transitive deps - 🆕 integration-tests scope-out documented (was already broken with no audit doc) - ⏭ N/A — no AI/ML code change in this rev (existing churn ML stays) - 4 CVEs resolved : gitpython 3.1.49+/3.1.50 (CVE-2026-44244, GHSA-mv93-w799-cj2w), mako 1.3.12+ (CVE-2026-44307), python-multipart 0.0.27+ (CVE-2026-42561) - pip-audit job in CI (validate stage) — green - Renovate continues to track upstream - ⏭ N/A — no new domain feature in this rev (CI/security focus) - ⏭ N/A — no infra change in this rev - ⏭ N/A — no observability change in this rev - ruff:lint + ruff format gates : green - mypy strict : green - import-linter : green - docs:check : green - pip-audit : 0 CVEs - bitnami/kafka 404 fix : switch to bitnamilegacy/* - conv-commits 72 → 100 char limit (multi-package bump messages no longer rejected) - conv-commits skip merge commits (parent count > 1) — GitLab default subjects no longer fail check - shellcheck --format=gcc bypasses v0.10.0 UTF-8 encoding bug - Templates from iris-common : shellcheck, adr-drift, conv-commits (auto-update on bump) - iris-common SHA bump → 8e8eabd (3 fixes propagated via flat α submodule pattern, ADR-0060) - 5 iris-7 repos now uniformly use dev → main workflow - ⏭ N/A — backend repo - Auto-merge dev → main template available in iris-common (`ci-templates/auto-merge-dev-to-main.yml`) — requires AUTOMERGE_TOKEN setup - 110 stale local branches cleaned across 5 iris repos - **Docker image alpine** : 412 MB → ~280 MB possible. Blocked: pydantic_core / cryptography / bcrypt have no musl wheels. - **integration-tests scope-out** until runner dind migration. TODO exit ticket 2026-05-16. Tracked in docs/audit/runner-dind-migration-2026-05-09.md. - runner dind migration → re-enable integration-tests gate - AUTOMERGE_TOKEN setup → activate auto-merge dev→main on the 4 consumers