stable-v1.0.6 — CLAUDE.md clickable URLs rule + compodoc CVE fix Stability checkpoint covering 2 UI MRs. quality: - !63 — mirror new CLAUDE.md "reference as clickable URLs" rule added to ~/.claude/CLAUDE.md so any session opening this repo follows it (markdown links for MR/pipeline/tag/file refs). - !64 — npm overrides forcing @compodoc/compodoc's pinned @angular-devkit subtree to 21.2.7 (matches workspace). Closes 5 npm audit CVEs (1 HIGH picomatch ReDoS via extglob quantifiers + 1 MODERATE picomatch + 1 MODERATE ajv ReDoS via $data + 2 transitive devkit). `npm audit`: 5 → 0 vulnerabilities. Production build still passes (3.838s). Aligned with svc stable-v1.0.6 (scorecard perms + 5 shields dropped + sonar-analysis scoped to main + workflow allowlist widening + 2 new stability-check sections + bearerAuth fix + openapi-lint shield drop).