# Changelog All notable changes to this project. Generated from Conventional Commits by git-cliff. ## v2026.07.0 — 2026-07-14 ### Architecture - ADR-0005 adopt Stryker.NET for mutation testing (refs #47) - ADR-0006 — provision the ACL integration test against the compose stack (refs #46) - ADR-0007 + runbooks for the OZ→NRC notification wiring (refs #56) - ADR-0009 external-task job-worker pattern (refs #6, #60) - ADR-0010 BFF OIDC validation + downstream boundaries (refs #8, #63) ### Bug Fixes - Pin OpenZaak/NRC image tags; add smoke log capture on failure (refs #30) - Harden oz-db healthcheck and raise compose-up timeout (refs #30) - Bake config into images so compose-smoke passes on CI (refs #30) - Nrc-init runs migrations only, not setup_configuration (refs #30) - Smoke waits on durable services, not the whole project (refs #30) - Portable health poll instead of compose --wait (refs #30) - Pin upload-artifact to @v3 — @v4 refuses to run on Gitea (refs #47) - Buffer the zaak POST body so OpenZaak accepts it (refs #46) - Keep dotnet format green under the shared .editorconfig (refs #65) - Re-export the full Utrecht package from libs/ui (refs #67) - Run checkAuth() at startup to end the login redirect loop (refs #67) - Health-check nginx over IPv4 (127.0.0.1) (refs #68) - Treat the http portal origin as secure so DigiD PKCE login works (refs #68) - Attach the DigiD token to relative BFF calls (refs #68) ### Build - Pin Stryker.NET as a local dotnet tool (refs #47) ### CI - Gitea Actions pipeline + runner runbook (refs #30) (#37) - ACL Dockerfile + full compose stack for smoke test (refs #30) - Switch runner label to ubuntu-latest (refs #30) - Run the mutation ratchet as a parallel CI job (refs #47) - Publish the Stryker HTML report as a CI artifact (refs #47) - Run the ACL integration test as a Gitea Actions job (refs #46) - Keep the integration lane local-only; document the runner gap (refs #46) - Run the ACL integration test in CI inside the compose network (closes #55) (refs #46) - Run the Event Subscriber + projection-api in compose and verify end-to-end (refs #7) - Containerize, wire into compose, and verify end-to-end (refs #6) - Make Stryker report upload best-effort (refs #62) - Retrigger after runner cleanup (refs #6) - Retrigger CI (refs #6) - Retrigger CI after gitea restart (refs #6) - Compose wiring, verify-bff live check, mutation baseline (refs #8) - Nx frontend lane (lint/test/build) (refs #65) - Serve the self-service app in compose (refs #68) - Run Vitest ahead of the production build to stop worker-start timeout (refs #68) - Cache the NuGet package store across the .NET jobs (refs #73) - Run Playwright from the prebuilt image instead of downloading browsers (refs #73) ### Chores - Add idempotent Gitea backlog seeder - Remove bootstrap scripts from main (#35) - Contributor workflow — templates, git-cliff, gitea-workflow doc (closes #31) (#38) ### Documentation - Split S-00 into sub-slices (refs #1) (#33) - MkDocs scaffold + ADR-0001 + README quickstart (closes #32) (#39) - Tighten gitea-actions-gotchas, add local compose (refs #30) - ADR-0008 read projection store + demo note for the event path (refs #7) - Demo note for submitting a registration (S-05) (refs #6) - Demo note for the BFF front door (S-07) (refs #8) - Split S-08 into S-08a-d (refs #65) - Frontend-decisions + demo note for S-08a (refs #65) - Record the orval generator choice (refs #66) - Record NL DS + DigiD decisions and demo note (refs #67) - Serving/e2e decisions + walking-skeleton demo note (refs #68) ### Features - Placeholder BFF + /health endpoint (closes #28) (#34) - Containerize BFF + compose-up smoke (closes #29) (#36) - OpenZaak + Postgres + Redis up in compose (refs #10) (#40) - Seed BIG catalogus + JWT client for OpenZaak (refs #2) (#41) - Open Notificaties up + shared network (closes #2) (#42) - Keycloak with four mock realms (closes #3) (#43) - Flowable + registratie.bpmn external task (closes #4) (#44) - ACL skeleton — OpenZaak default-fill (refs #5) (#45) - Add bind-mount local compose for no-make/Windows dev (refs #30) - Publish the BIG zaaktype on demand via OZ_PUBLISH (refs #46) - Wire OpenZaak → Open Notificaties notifications (refs #56) - Project zaak-created notifications into the read projection (refs #7) - Persist the read projection and expose webhook + read APIs (refs #7) - Enforce the callback bearer before reading the body (refs #7) - Implement the Registration aggregate invariants (refs #6) - Implement SubmitRegistration and OpenZaakWorker (refs #6) - Implement the Flowable Workflow Client and ACL client (refs #6) - Expose POST /registrations and the read endpoint (refs #6) - Implement self-service submit and openbaar lookup (refs #8) - Committed OpenAPI contract + drift guard (refs #8) - Self-service portal placeholder page (refs #65) - Expose the generated BFF client + repeatable generate target (refs #66) - Implement the DigiD registration submit page (refs #67) - Runtime config + nginx serve/proxy image (refs #68) - Surface submit failures with a retryable alert (refs #68) - One citizen reference across self-service and the openbaar register (#79) ### Other - Openbaar Register portal — public lookup (#76) - Approval flow — temp admin endpoint + status transition to projection (#77) ### Refactor - Bake config via dockerfile_inline, drop Dockerfile files (refs #30) - Use upstream images verbatim, seed config via docker cp (refs #30) - One verify-stack stage for all live-stack checks (closes #58) (refs #46 #56) ### Tests - BDD acceptance scenario for opening a zaak (closes #5) (#49) - Kill surviving mutants — assert CRS headers, guards, error paths, JWT claims (refs #47) - Add Stryker config + mutation make target recording the 95% baseline (refs #47) - Integration test opens a real zaak against OpenZaak (refs #46) - Verify-notifications smoke + CI job for the OZ→NRC path (refs #56) - Project zaak-created notifications into the read projection (refs #7) - Ratchet projector mutation baseline to 100% (refs #7) - Registration aggregate invariants (refs #6) - SubmitRegistration + OpenZaakWorker use cases (refs #6) - Workflow Client, ACL client, store and job processor (refs #6) - Acceptance scenario for submitting a registration (refs #6) - Mutation baseline 90 (achieved 97.7%) + CI/Makefile wiring (refs #6) - Endpoints, JWT auth and public-safe projection (refs #8) - Acceptance scenario for BFF access (valid/invalid tokens) (refs #8) - Self-service portal placeholder renders (refs #65) - Generated BFF client is exposed and calls the endpoints (refs #66) - DigiD-guarded registration submit page (refs #67) - Walking-skeleton Playwright happy path + verify-e2e lane (refs #68) - Submit surfaces BFF failures instead of swallowing them (refs #68) - Guard that the DigiD token attaches to relative BFF calls (refs #68)