(#66) M5-1~M5-3 품질게이트 및 런타임 안전성 강화

* docs: M5 품질 자동화 로드맵과 실행 계획 추가

- Harness roadmap/playbook에 M5 단계 및 task 시퀀스 추가

- M5 active plan 문서 생성 및 검증 계획 기록

- AGENTS/testing runbook/PR 템플릿을 coverage 검증 흐름에 맞게 갱신

* ci: 커버리지 품질 게이트와 배포 헬스체크 강화

- JaCoCo 라인 커버리지 최소 기준(45%) 검증 태스크 추가

- PR용 quality-gate 워크플로우 추가 및 리포트 아티팩트 업로드

- 배포 후 HTTP 200 + status=UP 조건으로 헬스체크를 엄격화

- prod profile actuator 노출 범위를 최소화

* refactor: username 로그를 기본 마스킹하도록 정렬

- LogSanitizer 도입 및 LogContext username/target_username 자동 마스킹 적용

- 주요 plain logger 경로에서 raw username 출력을 마스킹 값으로 교체

- LogContext/LogSanitizer 테스트 추가와 logging contract 문서 동기화

* fix: M5 PR 리뷰 지적사항 반영

- deploy health check를 단일 curl+timeout 방식으로 보강

- prod actuator 노출/보안 정책을 health 중심으로 축소

- 예외 메시지 username은 hash 기반으로 전환

- short username 마스킹 및 로그 테스트 검증 강화

* fix: prod Prometheus 스크레이프 경로를 재노출

- application-prod에서 actuator 노출에 prometheus를 복원

- SecurityConfig에 /actuator/prometheus permit 경로를 추가

- health 강화는 유지하고 info 노출은 계속 비활성화

Author: alexization

.github/ISSUE_TEMPLATE/harness_epic.yml

@@ -13,7 +13,7 @@ body:
     id: phase
     attributes:
       label: Phase
-      description: 예) M1 Legibility / M2 Observability / M3 System of Record / M4 Feedback Loop
+      description: 예) M1 Legibility / M2 Observability / M3 System of Record / M4 Feedback Loop / M5 Quality Automation
       placeholder: "M1 Legibility"
     validations:
       required: true

.github/PULL_REQUEST_TEMPLATE.md

@@ -26,6 +26,7 @@
 | Build | `./gradlew build -x test` | |
 | Unit | `./gradlew test` | |
 | Integration | `./gradlew integrationTest` 또는 `미실행(사유)` | |
+| Quality (Coverage) | `./gradlew test jacocoTestCoverageVerification` 또는 `미실행(사유)` | |
 
 ## 7) 관측성 확인
 - 확인한 로그:

.github/workflows/deploy.yml

@@ -89,15 +89,26 @@ jobs:
           echo "Waiting for application to start..."
           sleep 45
 
+          HEALTH_URL="${{ secrets.BACKEND_HEALTH_URL }}"
+          if [ -z "$HEALTH_URL" ]; then
+            echo "BACKEND_HEALTH_URL secret is required."
+            exit 1
+          fi
+          echo "Health URL: $HEALTH_URL"
+
           for i in {1..5}; do
-            HTTP_STATUS=$(curl -s -o /dev/null -w "%{http_code}" "${{ secrets.BACKEND_URL }}" || echo "000")
-            if [ "$HTTP_STATUS" != "000" ]; then
-              echo "Health check passed! (HTTP $HTTP_STATUS)"
+            RESPONSE=$(curl -sS --connect-timeout 5 --max-time 10 -w $'\n%{http_code}' "$HEALTH_URL" || true)
+            HTTP_STATUS=$(printf '%s' "$RESPONSE" | tail -n1)
+            RESPONSE_BODY=$(printf '%s' "$RESPONSE" | sed '$d')
+
+            if [ "$HTTP_STATUS" = "200" ] && echo "$RESPONSE_BODY" | grep -Eq '"status"[[:space:]]*:[[:space:]]*"UP"'; then
+              echo "Health check passed! (HTTP 200, status=UP)"
               exit 0
             fi
-            echo "Attempt $i/5 failed, retrying in 15s..."
+            echo "Attempt $i/5 failed. HTTP=$HTTP_STATUS, body=$RESPONSE_BODY"
+            echo "Retrying in 15s..."
             sleep 15
           done
 
-          echo "Health check failed! Server not responding."
+          echo "Health check failed! Expected HTTP 200 with status=UP."
           exit 1

.github/workflows/quality-gate.yml

@@ -0,0 +1,45 @@
+name: Quality Gate
+
+on:
+  pull_request:
+    branches:
+      - main
+      - develop
+
+jobs:
+  coverage:
+    name: Coverage Verification
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Java 21
+        uses: actions/setup-java@v4
+        with:
+          java-version: '21'
+          distribution: 'temurin'
+          cache: 'gradle'
+
+      - name: Grant execute permission for gradlew
+        run: chmod +x gradlew
+
+      - name: Run unit tests with coverage verification
+        run: ./gradlew test jacocoTestReport jacocoTestCoverageVerification
+
+      - name: Upload JaCoCo HTML report
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: jacoco-html-report
+          path: build/reports/jacoco/test/html/
+          retention-days: 7
+
+      - name: Upload JaCoCo XML report
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: jacoco-xml-report
+          path: build/reports/jacoco/test/jacocoTestReport.xml
+          retention-days: 7

AGENTS.md

@@ -39,6 +39,7 @@ Operating guide for humans and AI agents in `git-ranker`.
 - Build: `./gradlew build -x test`
 - Unit test: `./gradlew test`
 - Integration test: `./gradlew integrationTest`
+- Coverage verify: `./gradlew test jacocoTestCoverageVerification`
 - Single unit class: `./gradlew test --tests "com.gitranker.api.domain.user.service.UserRegistrationServiceTest"`
 - Single integration class: `./gradlew integrationTest --tests "com.gitranker.api.domain.user.UserRepositoryIT"`
 - Local run: `./gradlew bootRun`

build.gradle

@@ -2,6 +2,7 @@ plugins {
 	id 'java'
 	id 'org.springframework.boot' version '3.4.0'
 	id 'io.spring.dependency-management' version '1.1.6'
+	id 'jacoco'
 }
 
 group = 'com.gitranker'
@@ -75,3 +76,30 @@ tasks.register('integrationTest', Test) {
 	// Docker 29+는 최소 API 1.44를 요구하지만 docker-java 3.4.0은 기본값 1.32로 요청함
 	systemProperty 'api.version', '1.44'
 }
+
+jacoco {
+	toolVersion = '0.8.12'
+}
+
+tasks.named('jacocoTestReport') {
+	dependsOn tasks.named('test')
+	reports {
+		xml.required = true
+		html.required = true
+		csv.required = false
+	}
+}
+
+tasks.named('jacocoTestCoverageVerification') {
+	dependsOn tasks.named('test')
+	violationRules {
+		rule {
+			element = 'BUNDLE'
+			limit {
+				counter = 'LINE'
+				value = 'COVEREDRATIO'
+				minimum = 0.45
+			}
+		}
+	}
+}

docs/harness/issue-pr-playbook.md

@@ -15,6 +15,9 @@ Use this playbook to execute harness phases with consistent granularity.
 - `harness/m4-1-pr-guardrail`
 - `harness/m4-2-archunit-guardrail`
 - `harness/m4-3-weekly-scorecard`
+- `harness/m5-1-coverage-quality-gate`
+- `harness/m5-2-deploy-health-hardening`
+- `harness/m5-3-pii-safe-logging-defaults`
 
 ## Commit Rule
 1. One commit = one intent.
@@ -41,6 +44,7 @@ Use this playbook to execute harness phases with consistent granularity.
 2. M2-1 -> M2-2 -> M2-3
 3. M3-1 -> M3-2 -> M3-3
 4. M4-1 -> M4-2 -> M4-3
+5. M5-1 -> M5-2 -> M5-3
 
 ## Ready-to-Create Issue Titles
 1. `[Harness Epic]: M1 Increase Application Legibility`
@@ -59,3 +63,7 @@ Use this playbook to execute harness phases with consistent granularity.
 14. `[Harness Task]: M4-1 Enforce PR contract in CI`
 15. `[Harness Task]: M4-2 Add architecture guardrail tests`
 16. `[Harness Task]: M4-3 Add weekly scorecard and drift review`
+17. `[Harness Epic]: M5 Raise Verification Confidence`
+18. `[Harness Task]: M5-1 Add coverage quality gate`
+19. `[Harness Task]: M5-2 Harden deployment health checks`
+20. `[Harness Task]: M5-3 Enforce PII-safe logging defaults`

docs/harness/roadmap.md

@@ -97,6 +97,31 @@ Execution unit is always small, reviewable PRs with explicit intent and evidence
 - Suggested commits:
   - `docs(scorecard): add measurement template`
 
+## Phase 5: Quality Automation and Runtime Safety
+
+### Epic Issue
+- Title: `Harness M5 - Raise Verification Confidence`
+- Goal: turn quality assumptions into automated checks for coverage, runtime safety, and PII-safe logging.
+
+### Child Issues and PR Plan
+1. Issue: `M5-1 Add coverage quality gate`
+- PR: `ci(quality): enforce baseline unit-test coverage with report artifacts`
+- Suggested commits:
+  - `build(quality): add jacoco coverage verification tasks`
+  - `ci(quality): add pull-request quality gate workflow`
+
+2. Issue: `M5-2 Harden deployment health checks`
+- PR: `ci(deploy): require strict health status after deployment`
+- Suggested commits:
+  - `ci(deploy): require HTTP 200 and UP status for health checks`
+  - `config(prod): reduce actuator endpoint exposure`
+
+3. Issue: `M5-3 Enforce PII-safe logging defaults`
+- PR: `refactor(logging): mask username fields by default in log context`
+- Suggested commits:
+  - `refactor(logging): add username masking sanitizer`
+  - `test(logging): add masking behavior tests`
+
 ## Operating Rules
 1. Every child issue must map to one primary PR.
 2. PRs should target one outcome and avoid mixed concerns.

docs/observability/logging-contract.md

@@ -7,6 +7,7 @@
 ## 2) Scope
 - Applies to structured logs emitted through `LogContext.event(...)`.
 - Plain `log.debug(...)` calls should be migrated to `LogContext` incrementally.
+- `username` and `target_username` fields are masked by default through `LogSanitizer`.
 
 ## 3) Required Fields
 
@@ -29,8 +30,8 @@
 | `username` | PII. Masking or anonymization is required (see Section 6.3). Prefer `maskUsername` or `hashUsername` before logging. |
 
 Example (recommended):
-- `log_username_masked = maskUsername(username)` -> `te****r`
-- `log_username_hash = hashUsername(username)` -> `7f0c...`
+- `log_username_masked = maskUsername(username)` -> `te****`
+- `log_username_hash = hashUsername(username)` -> `9bba5c53a054`
 
 Verification checklist:
 1. If `username` appears in a log field, confirm `maskUsername` or `hashUsername` is applied.

docs/plans/active/2026-02-25-m5-1-quality-gates-and-runtime-safety.md

@@ -0,0 +1,51 @@
+# Plan: 2026-02-25-m5-1-quality-gates-and-runtime-safety
+
+## 1) Purpose
+- Problem: workflow/process guardrails exist, but code-level quality confidence is still weak.
+- Intended outcome: add automated coverage verification, stricter deployment health checks, and PII-safe logging defaults.
+- Non-goals: redesign business domain flows or replace deployment architecture.
+
+## 2) Scope
+- In scope:
+  - add JaCoCo verification tasks and PR quality workflow
+  - harden deployment health check condition
+  - reduce production actuator exposure defaults
+  - enforce username masking defaults in logging context and high-risk raw logs
+- Out of scope:
+  - full migration of every plain logger call to structured logging
+  - introducing external quality SaaS (Sonar, Codecov)
+
+## 3) Progress
+- [x] add M5 roadmap/playbook entries
+- [x] add coverage gate in Gradle and CI workflow
+- [x] harden deploy health check and production actuator scope
+- [x] apply username masking defaults and add tests
+- [x] run validation commands and record outcomes
+
+## 4) Design Notes
+- Constraints: keep the existing `build/test/integrationTest` split intact.
+- Tradeoffs: start with a realistic baseline coverage threshold to avoid blocking all PRs.
+- Open questions: final target coverage threshold after two to three weekly scorecards.
+
+## 5) Decision Log
+- 2026-02-25: M5 focuses on automated quality confidence, not process expansion.
+- 2026-02-25: set initial line coverage gate at 45% to enforce a meaningful floor while staying below current baseline.
+
+## 6) Validation Plan
+- Required commands:
+  - `./gradlew test`
+  - `./gradlew test jacocoTestCoverageVerification`
+- Observability checks:
+  - verify logging contract and runtime behavior align for username masking
+
+## 7) Risks and Rollback
+- Risks: baseline threshold may be too strict or too lenient for current suite.
+- Rollback strategy:
+  - lower only the numeric coverage threshold in `build.gradle`
+  - disable strict deploy health check condition in `deploy.yml` if false positives occur
+
+## 8) Result Snapshot
+- `./gradlew build -x test` passed
+- `./gradlew test` passed
+- `./gradlew test jacocoTestReport jacocoTestCoverageVerification` passed
+- `./gradlew integrationTest` is environment-dependent (Docker/Testcontainers required)