| Finding | Fix here |
|---|---|
| CRITICAL: registryBaseUrl+version rejected by ValidateOCI | canonical untagged identifier + publish-time tag stamping |
| CRITICAL: release-please jsonpath targets forbidden field | extra-file entry removed |
| HIGH: first GHCR push is born private, so publish fails | image pre-seeded multi-arch (8.36.2+latest) + preflight anonymous-pull check with actionable error |
| MED: jsonpath silent no-op risk | tests/manifests/test-server-json.sh (pre-merge invariants) |
| MED: amd64-only image | buildx linux/amd64+arm64 in release job |
| MED: /api-policy.md missing from SERVED_EXACT | added + filesystem drift-guard test |
| LOW: :latest can move backwards | sort -V guard, :latest only on highest tag |
| LOW: repo-sized build context | .dockerignore (src/mcp-server only) |
| LOW: tag-time Dockerfile discovery | docker-smoke.yml on PR (build + label check) |
| LOW: relative link + generated header in api-policy.md | both fixed |
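The `sort -V` guard from the `:latest` row, as an added example rather than the project's own release script: `latest_allowed` and the tag values are constructed for illustration, and it also treats prerelease tags (anything with a hyphen) as never eligible for `:latest`, which the table does not spell out.

```shell
#!/bin/sh
# Added example, not the project's own code. Decide whether ":latest" may be
# moved to NEW_TAG: only when NEW_TAG is the highest stable tag under
# `sort -V`, so a backport release (8.36.3 published after 8.37.0) cannot
# move :latest backwards. Tag values below are constructed.

# latest_allowed NEW_TAG EXISTING_TAGS...
# Returns 0 when NEW_TAG should own :latest, 1 otherwise.
latest_allowed() {
  new="$1"; shift
  # Prerelease tags (8.38.0-rc1) never own :latest; they are also dropped
  # from the comparison so that an rc does not "shadow" its final release,
  # since GNU sort -V orders 8.37.0-rc1 after 8.37.0.
  case "$new" in *-*) return 1 ;; esac
  highest=$(printf '%s\n' "$new" "$@" | grep -v -- - | sort -V | tail -n 1)
  [ "$highest" = "$new" ]
}

# Example driver: tags already present in the registry (constructed).
EXISTING_TAGS="8.36.2 8.37.0"
for candidate in 8.37.1 8.36.3; do
  # shellcheck disable=SC2086
  if latest_allowed "$candidate" $EXISTING_TAGS; then
    echo "$candidate: move :latest"
  else
    echo "$candidate: keep :latest where it is"
  fi
done
```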