build: Update libraries to latest version

.gitea/workflows/build-and-push.yaml

@@ -10,7 +10,7 @@ on:
   workflow_dispatch:
 
 env:
-  HARBOR_REGISTRY: 192.168.1.72
+  HARBOR_REGISTRY: kcr.kollect.biz
   HARBOR_PROJECT: kollect-tools
 
 jobs:

CLAUDE.md

@@ -13,7 +13,7 @@ This repo holds CI Docker images for KollectAI infrastructure. Each subdirectory
 
 ## Registries
 
-- **Harbor**: `192.168.1.72/kollect-tools/<image-name>` — production image store (project: `kollect-tools`)
+- **Harbor**: `kcr.kollect.biz/kollect-tools/<image-name>` — production image store (project: `kollect-tools`)
 - Images are tagged three ways: `latest`, short commit SHA, and `YYYYMMDD` date
 
 ## CI Workflow
@@ -34,5 +34,5 @@ Required Gitea secrets: `HARBOR_USERNAME`, `HARBOR_PASSWORD`
 ## Building Locally
 
 ```bash
-docker build -t 192.168.1.72/kollect-tools/<image-name>:latest ci/<image-name>/
+docker build -t kcr.kollect.biz/kollect-tools/<image-name>:latest ci/<image-name>/
 ```

ci/frontend-builder/Dockerfile

@@ -7,33 +7,20 @@
 # (chromium browser binary + system deps), ORAS CLI, common build tools.
 #
 # Build:
-#   docker build -t 192.168.1.72/kollect-tools/ci/frontend-builder:latest ci/frontend-builder/
+#   docker build -t kcr.kollect.biz/kollect-tools/ci/frontend-builder:latest ci/frontend-builder/
 #
 # Usage in CI:
 #   container:
-#     image: 192.168.1.72/kollect-tools/ci/frontend-builder:latest
+#     image: kcr.kollect.biz/kollect-tools/ci/frontend-builder:latest
+#
+# RUN order is cache-optimised. Playwright (~170MB chromium download) is
+# the heaviest layer, so it sits high — right after pnpm — to protect it
+# from being invalidated by bumps to ORAS / buf / protoc-gen-es. The
+# cheap, low-volatility layers trail behind.
 
 ARG NODE_MAJOR=24
 FROM node:${NODE_MAJOR}-bookworm-slim
 
-ARG PNPM_VERSION=10.15.0
-ARG BUF_VERSION=1.55.0
-# Pin protoc-gen-es to a known-good version. The KollectAI-ETL CI
-# workflow doesn't actually use this global install (it does
-# `pnpm install` from proto/ to pick up the lockfile-pinned version)
-# but we still bake it for ad-hoc use inside the container.
-ARG PROTOC_GEN_ES_VERSION=2.12.0
-ARG ORAS_VERSION=1.2.2
-# Pin Playwright in lockstep with frontend/svelte/package.json's
-# @playwright/test version. If the project uses a different patch level,
-# Playwright re-downloads the right browser at runtime; matching here
-# means CI hits the prebaked browser cache and skips the download.
-ARG PLAYWRIGHT_VERSION=1.59.1
-
-# Install Playwright browsers under a known global path so they survive
-# across containers and so `pnpm exec playwright install` reuses them.
-ENV PLAYWRIGHT_BROWSERS_PATH=/ms-playwright
-
 # ─────────────────────────────────────────────────────────────────────
 # System dependencies
 #
@@ -76,7 +63,12 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 
 # ─────────────────────────────────────────────────────────────────────
 # pnpm via corepack (ships with Node.js)
+#
+# Needed by Playwright (`pnpm dlx`) and protoc-gen-es (`pnpm add -g`),
+# so it must land before both.
 # ─────────────────────────────────────────────────────────────────────
+ARG PNPM_VERSION=11.0.1
+
 RUN corepack enable \
     && corepack prepare "pnpm@${PNPM_VERSION}" --activate
 
@@ -87,30 +79,15 @@ RUN corepack enable \
 ENV PNPM_HOME=/root/.local/share/pnpm
 ENV PATH="${PNPM_HOME}:${PATH}"
 
-# ─────────────────────────────────────────────────────────────────────
-# buf CLI - single static binary, used for `buf lint` and `buf generate`
-# ─────────────────────────────────────────────────────────────────────
-RUN curl -fsSL "https://github.com/bufbuild/buf/releases/download/v${BUF_VERSION}/buf-Linux-x86_64" \
-        -o /usr/local/bin/buf \
-    && chmod +x /usr/local/bin/buf
-
-# ─────────────────────────────────────────────────────────────────────
-# protoc-gen-es - TypeScript codegen plugin for buf 'local:' references.
-# Installed via pnpm into $PNPM_HOME so the binary lands on PATH; buf v2
-# resolves `local: protoc-gen-es` via PATH lookup.
-# ─────────────────────────────────────────────────────────────────────
-RUN pnpm add -g "@bufbuild/protoc-gen-es@${PROTOC_GEN_ES_VERSION}"
-
-# ─────────────────────────────────────────────────────────────────────
-# ORAS CLI - for uploading artifacts (test reports, audit logs) to Harbor
-# ─────────────────────────────────────────────────────────────────────
-RUN curl -fsSL "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz" \
-    | tar -xz -C /usr/local/bin oras
-
 # ─────────────────────────────────────────────────────────────────────
 # Playwright + chromium browser binary
 #
-# Browsers go to /ms-playwright (PLAYWRIGHT_BROWSERS_PATH set above) so
+# Pin Playwright in lockstep with frontend/svelte/package.json's
+# @playwright/test version. If the project uses a different patch level,
+# Playwright re-downloads the right browser at runtime; matching here
+# means CI hits the prebaked browser cache and skips the download.
+#
+# Browsers go to /ms-playwright (PLAYWRIGHT_BROWSERS_PATH set below) so
 # CI's `pnpm exec playwright install chromium` finds the prebaked binary
 # and skips the ~170MB download. System libs are already installed at
 # the top of the file, so we use bare `playwright install chromium`
@@ -120,9 +97,48 @@ RUN curl -fsSL "https://github.com/oras-project/oras/releases/download/v${ORAS_V
 # executes the install command, and cleans up. The browser binary
 # itself persists at PLAYWRIGHT_BROWSERS_PATH, which is the only piece
 # we actually need at runtime.
+#
+# Placed high (right after pnpm) so a bump to any cheap downstream pin
+# (oras, buf, protoc-gen-es) doesn't force a chromium re-download.
 # ─────────────────────────────────────────────────────────────────────
+ARG PLAYWRIGHT_VERSION=1.59.1
+ENV PLAYWRIGHT_BROWSERS_PATH=/ms-playwright
+
 RUN pnpm dlx "playwright@${PLAYWRIGHT_VERSION}" install chromium
 
+# ─────────────────────────────────────────────────────────────────────
+# ORAS CLI - for uploading artifacts (test reports, audit logs) to Harbor.
+# Low-volatility static binary; ahead of buf/protoc-gen-es so a bump
+# here (rare) doesn't cascade into them.
+# ─────────────────────────────────────────────────────────────────────
+ARG ORAS_VERSION=1.3.2
+
+RUN curl -fsSL "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz" \
+    | tar -xz -C /usr/local/bin oras
+
+# ─────────────────────────────────────────────────────────────────────
+# buf CLI - single static binary, used for `buf lint` and `buf generate`
+# ─────────────────────────────────────────────────────────────────────
+ARG BUF_VERSION=1.69.0
+
+RUN curl -fsSL "https://github.com/bufbuild/buf/releases/download/v${BUF_VERSION}/buf-Linux-x86_64" \
+        -o /usr/local/bin/buf \
+    && chmod +x /usr/local/bin/buf
+
+# ─────────────────────────────────────────────────────────────────────
+# protoc-gen-es - TypeScript codegen plugin for buf 'local:' references.
+# Installed via pnpm into $PNPM_HOME so the binary lands on PATH; buf v2
+# resolves `local: protoc-gen-es` via PATH lookup.
+#
+# Last because the KollectAI-ETL CI workflow doesn't actually use this
+# global install (it does `pnpm install` from proto/ to pick up the
+# lockfile-pinned version) — we only bake it for ad-hoc use inside the
+# container, so its volatility doesn't matter for downstream cache.
+# ─────────────────────────────────────────────────────────────────────
+ARG PROTOC_GEN_ES_VERSION=2.12.0
+
+RUN pnpm add -g "@bufbuild/protoc-gen-es@${PROTOC_GEN_ES_VERSION}"
+
 WORKDIR /workspace
 
 # Verify installation. Font count guards against silently shipping an image

ci/frontend-builder/README.md

@@ -5,7 +5,7 @@ Pre-baked build environment for KollectAI-ETL frontend (SvelteKit) CI jobs and p
 ## What's included
 
 - Node.js 24 (`node:24-bookworm-slim`)
-- pnpm 10 (via corepack)
+- pnpm 11 (via corepack)
 - [buf](https://buf.build) CLI — for `buf lint` and `buf generate`
 - [`@bufbuild/protoc-gen-es`](https://www.npmjs.com/package/@bufbuild/protoc-gen-es) — installed globally so `buf` v2 `local: protoc-gen-es` resolves via PATH (no BSR remote-plugin calls)
 - Playwright chromium runtime libraries pre-installed (`libnss3`, `libgbm1`, `libasound2`, etc.)
@@ -16,8 +16,8 @@ Pre-baked build environment for KollectAI-ETL frontend (SvelteKit) CI jobs and p
 ## Build
 
 ```bash
-docker build -t 192.168.1.72/kollect-tools/ci/frontend-builder:latest ci/frontend-builder/
+docker build -t kcr.kollect.biz/kollect-tools/ci/frontend-builder:latest ci/frontend-builder/
-docker push 192.168.1.72/kollect-tools/ci/frontend-builder:latest
+docker push kcr.kollect.biz/kollect-tools/ci/frontend-builder:latest
 ```
 
 ### Build args
@@ -25,11 +25,11 @@ docker push 192.168.1.72/kollect-tools/ci/frontend-builder:latest
 | Arg | Default | Description |
 |-----|---------|-------------|
 | `NODE_MAJOR` | `24` | Node.js major version (matches Node base image) |
-| `PNPM_VERSION` | `10.15.0` | pnpm version (corepack-activated) |
+| `PNPM_VERSION` | `11.0.1` | pnpm version (corepack-activated) |
-| `BUF_VERSION` | `1.55.0` | buf CLI version |
+| `BUF_VERSION` | `1.69.0` | buf CLI version |
 | `PROTOC_GEN_ES_VERSION` | `2.12.0` | `@bufbuild/protoc-gen-es` version (ad-hoc use only — KollectAI-ETL CI uses the version pinned in `proto/pnpm-lock.yaml`) |
 | `PLAYWRIGHT_VERSION` | `1.59.1` | Playwright version. Must match `frontend/svelte/package.json` `@playwright/test`; mismatch causes runtime browser re-download |
-| `ORAS_VERSION` | `1.2.2` | ORAS CLI version |
+| `ORAS_VERSION` | `1.3.2` | ORAS CLI version |
 
 ## Usage in CI
 
@@ -38,7 +38,7 @@ jobs:
   test-unit:
     runs-on: ubuntu-latest
     container:
-      image: 192.168.1.72/kollect-tools/ci/frontend-builder:latest
+      image: kcr.kollect.biz/kollect-tools/ci/frontend-builder:latest
     steps:
       - uses: actions/checkout@v6
       - run: pnpm install --frozen-lockfile

ci/java-builder/Dockerfile

@@ -1,24 +1,27 @@
 # KollectAI CI — Java Builder Image
 #
 # Pre-baked build environment for backend + plugin CI jobs.
-# Contains: Java 21, Maven 3.9.9, Node.js + pnpm, buf CLI, OWASP NVD
+# Contains: Java 25, Maven 3.9.x, Node.js 24 + pnpm 11, buf CLI, OWASP NVD
 # database, ORAS CLI, common dependencies.
 #
 # Build:
-#   docker build -t 192.168.1.72/kollect-tools/ci/java-builder:latest ci/java-builder/
+#   docker build -t kcr.kollect.biz/kollect-tools/ci/java-builder:latest ci/java-builder/
 #
 # Usage in CI:
 #   container:
-#     image: 192.168.1.72/kollect-tools/ci/java-builder:latest
+#     image: kcr.kollect.biz/kollect-tools/ci/java-builder:latest
+#
+# RUN order is cache-optimised: most stable / most expensive layers come
+# first, most volatile / cheapest layers come last. Bumping a version
+# only invalidates that layer and everything below it, so volatile pins
+# (pnpm, buf) live near the bottom to avoid forcing OWASP NVD or Maven
+# downloads to re-run.
 
 ARG JAVA_VERSION=25
 FROM eclipse-temurin:${JAVA_VERSION}-jdk-jammy
 
-ARG MAVEN_VERSION=3.9.14
-ARG OWASP_DC_VERSION=12.1.1
-ARG NVD_API_KEY=""
 # ─────────────────────────────────────────────────────────────────────
-# System dependencies
+# System dependencies + Node.js
 # ─────────────────────────────────────────────────────────────────────
 ARG NODE_MAJOR=24
 
@@ -40,6 +43,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 # ─────────────────────────────────────────────────────────────────────
 # Maven
 # ─────────────────────────────────────────────────────────────────────
+ARG MAVEN_VERSION=3.9.15
 ENV MAVEN_HOME=/opt/maven
 ENV PATH="${MAVEN_HOME}/bin:${PATH}"
 
@@ -56,6 +60,8 @@ RUN curl -fsSL "https://dlcdn.apache.org/maven/maven-3/${MAVEN_VERSION}/binaries
 #
 # Rebuild this image weekly to keep the NVD database fresh.
 # ─────────────────────────────────────────────────────────────────────
+ARG OWASP_DC_VERSION=12.2.1
+ARG NVD_API_KEY=""
 ENV OWASP_DATA_DIR=/opt/owasp/dependency-check-data
 
 RUN mkdir -p "${OWASP_DATA_DIR}" \
@@ -65,17 +71,11 @@ RUN mkdir -p "${OWASP_DATA_DIR}" \
         -q || true
 
 # ─────────────────────────────────────────────────────────────────────
-# pnpm — via corepack (ships with Node.js)
+# ORAS CLI — for uploading artifacts to Harbor.
+# Low-volatility static binary; placed before buf/pnpm so a bump here
+# (rare) doesn't invalidate them.
 # ─────────────────────────────────────────────────────────────────────
-ARG PNPM_VERSION=10.15.0
+ARG ORAS_VERSION=1.3.2
-
-RUN corepack enable \
-    && corepack prepare "pnpm@${PNPM_VERSION}" --activate
-
-# ─────────────────────────────────────────────────────────────────────
-# ORAS CLI — for uploading artifacts to Harbor
-# ─────────────────────────────────────────────────────────────────────
-ARG ORAS_VERSION=1.2.2
 
 RUN curl -fsSL "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz" \
     | tar -xz -C /usr/local/bin oras
@@ -85,12 +85,22 @@ RUN curl -fsSL "https://github.com/oras-project/oras/releases/download/v${ORAS_V
 # parity. Backend Java codegen lives in the Maven build (protobuf-maven-
 # plugin), not buf, so no protoc plugins are needed in this image.
 # ─────────────────────────────────────────────────────────────────────
-ARG BUF_VERSION=1.55.0
+ARG BUF_VERSION=1.69.0
 
 RUN curl -fsSL "https://github.com/bufbuild/buf/releases/download/v${BUF_VERSION}/buf-Linux-x86_64" \
     -o /usr/local/bin/buf \
     && chmod +x /usr/local/bin/buf
 
+# ─────────────────────────────────────────────────────────────────────
+# pnpm — via corepack (ships with Node.js).
+# Last because it's the most volatile pin and corepack prepare is the
+# cheapest layer; bumping pnpm shouldn't force any other layer to rebuild.
+# ─────────────────────────────────────────────────────────────────────
+ARG PNPM_VERSION=11.0.1
+
+RUN corepack enable \
+    && corepack prepare "pnpm@${PNPM_VERSION}" --activate
+
 WORKDIR /workspace
 
 # Verify installation

ci/java-builder/README.md

@@ -4,12 +4,12 @@ Pre-baked build environment for KollectAI-ETL backend and plugin CI jobs.
 
 ## What's included
 
-- Java 21 (Eclipse Temurin)
+- Java 25 (Eclipse Temurin)
-- Maven 3.9.9
+- Maven 3.9.15
 - Pre-cached Maven dependencies (Spring Boot, Flink, MyBatis, etc.)
 - Pre-installed `plugin-api` in local Maven repo
 - OWASP NVD database snapshot
-- Node.js + pnpm (via corepack)
+- Node.js 24 + pnpm 11 (via corepack)
 - [buf](https://buf.build) CLI — for `buf lint` parity with pre-push
 - ORAS CLI (Harbor artifact uploads)
 - git, jq, curl
@@ -22,8 +22,8 @@ Pre-baked build environment for KollectAI-ETL backend and plugin CI jobs.
 ## Build
 
 ```bash
-docker build -t 192.168.1.72/kollect-tools/ci/java-builder:latest ci/java-builder/
+docker build -t kcr.kollect.biz/kollect-tools/ci/java-builder:latest ci/java-builder/
-docker push 192.168.1.72/kollect-tools/ci/java-builder:latest
+docker push kcr.kollect.biz/kollect-tools/ci/java-builder:latest
 ```
 
 ### Build args
@@ -31,12 +31,12 @@ docker push 192.168.1.72/kollect-tools/ci/java-builder:latest
 | Arg | Default | Description |
 |-----|---------|-------------|
 | `JAVA_VERSION` | `25` | Eclipse Temurin JDK version |
-| `MAVEN_VERSION` | `3.9.14` | Maven version |
+| `MAVEN_VERSION` | `3.9.15` | Maven version |
-| `OWASP_DC_VERSION` | `12.1.1` | OWASP Dependency-Check version |
+| `OWASP_DC_VERSION` | `12.2.1` | OWASP Dependency-Check version |
 | `NODE_MAJOR` | `24` | Node.js major version |
-| `PNPM_VERSION` | `10.15.0` | pnpm version (corepack-activated) |
+| `PNPM_VERSION` | `11.0.1` | pnpm version (corepack-activated) |
-| `BUF_VERSION` | `1.55.0` | buf CLI version |
+| `BUF_VERSION` | `1.69.0` | buf CLI version |
-| `ORAS_VERSION` | `1.2.2` | ORAS CLI version |
+| `ORAS_VERSION` | `1.3.2` | ORAS CLI version |
 | `NVD_API_KEY` | (empty) | Optional NVD API key — speeds up the OWASP database update during image build |
 
 ## Usage in CI
@@ -46,7 +46,7 @@ jobs:
   test:
     runs-on: ubuntu-latest
     container:
-      image: 192.168.1.72/kollect-tools/ci/java-builder:latest
+      image: kcr.kollect.biz/kollect-tools/ci/java-builder:latest
     steps:
       - uses: actions/checkout@v6
       - run: ./mvnw -f backend/etl/pom.xml test -Dgroups=unit -q
@@ -57,8 +57,8 @@ jobs:
 Rebuild weekly to keep the OWASP NVD database fresh:
 
 ```bash
-docker build --no-cache -t 192.168.1.72/kollect-tools/ci/java-builder:latest ci/java-builder/
+docker build --no-cache -t kcr.kollect.biz/kollect-tools/ci/java-builder:latest ci/java-builder/
-docker push 192.168.1.72/kollect-tools/ci/java-builder:latest
+docker push kcr.kollect.biz/kollect-tools/ci/java-builder:latest
 ```
 
 When `pom.xml` files change (new dependencies), rebuild to update the cached deps layer.

ci/sonar-runner/Dockerfile

@@ -9,7 +9,7 @@
 # workflow, so we don't bake it into the shared java-builder.
 #
 # Build:
-#   docker build -t 192.168.1.72/kollect-tools/ci/sonar-runner:latest ci/sonar-runner/
+#   docker build -t kcr.kollect.biz/kollect-tools/ci/sonar-runner:latest ci/sonar-runner/
 #
 # Build prerequisite: java-builder:latest must exist in the registry
 # (this image FROMs it). Run `build-and-push.ps1 -Image ci/java-builder`
@@ -17,15 +17,15 @@
 #
 # Usage in CI:
 #   container:
-#     image: 192.168.1.72/kollect-tools/ci/sonar-runner:latest
+#     image: kcr.kollect.biz/kollect-tools/ci/sonar-runner:latest
 
-ARG REGISTRY=192.168.1.72
+ARG REGISTRY=kcr.kollect.biz
 ARG JAVA_BUILDER_TAG=latest
 FROM ${REGISTRY}/kollect-tools/ci/java-builder:${JAVA_BUILDER_TAG}
 
 # Sonar-scanner version. Bump in lockstep with KollectAI-ETL's
 # .gitea/workflows/sonar.yml SONAR_SCANNER_VERSION env.
-ARG SONAR_SCANNER_VERSION=6.2.1.4610
+ARG SONAR_SCANNER_VERSION=8.1.0.6389
 
 # ─────────────────────────────────────────────────────────────────────
 # sonar-scanner CLI

ci/sonar-runner/README.md

@@ -12,17 +12,17 @@ Everything from [`java-builder`](../java-builder/) (Java 25, Maven 3.9.x, Node +
 
 ```bash
 # Prerequisite: java-builder must already exist in the registry.
-docker build -t 192.168.1.72/kollect-tools/ci/sonar-runner:latest ci/sonar-runner/
+docker build -t kcr.kollect.biz/kollect-tools/ci/sonar-runner:latest ci/sonar-runner/
-docker push 192.168.1.72/kollect-tools/ci/sonar-runner:latest
+docker push kcr.kollect.biz/kollect-tools/ci/sonar-runner:latest
 ```
 
 ### Build args
 
 | Arg | Default | Description |
 |-----|---------|-------------|
-| `REGISTRY` | `192.168.1.72` | Registry hostname for the parent `java-builder` pull |
+| `REGISTRY` | `kcr.kollect.biz` | Registry hostname for the parent `java-builder` pull |
 | `JAVA_BUILDER_TAG` | `latest` | Tag of `java-builder` to extend |
-| `SONAR_SCANNER_VERSION` | `6.2.1.4610` | Bump in lockstep with `KollectAI-ETL/.gitea/workflows/sonar.yml`'s `SONAR_SCANNER_VERSION` |
+| `SONAR_SCANNER_VERSION` | `8.1.0.6389` | Bump in lockstep with `KollectAI-ETL/.gitea/workflows/sonar.yml`'s `SONAR_SCANNER_VERSION` |
 
 ## Usage in CI
 
@@ -31,7 +31,7 @@ jobs:
   scan:
     runs-on: ubuntu-latest
     container:
-      image: 192.168.1.72/kollect-tools/ci/sonar-runner:latest
+      image: kcr.kollect.biz/kollect-tools/ci/sonar-runner:latest
     steps:
       - uses: actions/checkout@v6
         with: