Security & correctness hardening + zero-regression roadmap sweep (22/23 review items)

[aksOps]

Summary

Security/correctness hardening + a zero-regression sweep of the architecture-review roadmap. 22 of 23 review items addressed across 20 commits. Every change is either purely additive or guarded by a before/after equivalence test.

No regression: the test suite went 358 → 404 (+46) with 0 failures on every gate; a plain mvn verify is behaviorally unchanged; no new runtime dependencies were added (only build/CI plugins).

What's in here (by area)

Security / supply chain

• Bootstrap wrappers SHA-256-verify the dist bundle AND the JDK before extract, fail-closed (SONAR_DIST_SHA256 / SONAR_JDK_SHA256 / SONAR_ALLOW_UNVERIFIED); releases now publish SHA256SUMS + GPG .asc signatures. (refactor(plugin): install via marketplace; skill bundle fetched lazily from Maven Central #1, #14)
• Daemon verifies plugin jars against the manifest (SHA-256) before loading — refuses to start on a tampered/unaccounted jar. (chore(release): prepare v0.1.3 #5)
• git option-injection closed in --diff (reject --prefixed refs + --); XXE + tar-slip guard tests; atomic offline-bundle extraction (stage→verify→move) + owner-only execute clamp. (#17, #18)
• CI dependency CVE gate (osv-scanner, fails High/Critical, offline DB), CycloneDX SBOM, Dependabot, Actions pinned to commit SHAs. (build: enable JaCoCo coverage report generation across all modules #4, #16)

Correctness

• Version-keyed daemon socket — a post-upgrade CLI never adopts a stale daemon (no silently-stale results). (feat(plugin): externalize Maven proxy + JRE source + version pin to config.env #2)
• Correct version reporting in --version, the version subcommand, and SARIF driver.version/informationUri (were 0.1.0 / stale repo URL). (#15, #23)
• EngineLog leak fixed (reset per scan; was unbounded across the daemon's life). (feat(protocol): expose analyzer quick fixes in scan output #9)

Performance / observability

• Rule catalog serialized once and cached (output-identical, less per-scan CPU). (feat: migrate to SonarQube 2026.1 LTA #8)
• --timings flag (stderr-only round-trip timing) + CI warm-scan benchmark. (chore: bump pom to 0.3.1-SNAPSHOT after v0.3.1 release #11)
• Byte-reproducible build (project.build.outputTimestamp, verified identical dist-zip SHA) + hermetic offline-build CI job. (Security & correctness hardening + zero-regression roadmap sweep (22/23 review items) #13)

Reliability / DX

• Daemon-startup failures now surface the child error (tail of daemon.log) instead of an opaque exit code; SONAR_DEBUG. (feat(daemon): classify test vs production files per SonarQube convention #3)
• Real 0.80 line-coverage gate (was documentation-only). (#19)
• Test/job timeouts so a hung daemon test fails fast. (refactor!: collapse to single Maven module; drop skill+plugin concept (0.2.0-SNAPSHOT) #6)
• README/NOTICE reconciled with shipped behavior; Java 21+ floor corrected. (#21, #22)

Maintainability

• Single LanguageMap (was 4 lockstep tables); analyzeLocked split; BaseDirGuard lifted + independently tested; PluginsDir.forEachJar dedup; dead migration code removed; cli↛daemon boundary + manifest-drift + engine-API guard tests. (feat(agents): Copilot scanner agent using the Nexus-bootstrap wrapper #12, #20, #23, refactor!: repackage dev.sonarcli -> io.github.randomcodespace.sonarpredict #7, feat: Nexus-bootstrap CLI wrapper + LTA 2026.1 manifest refresh #10-partial)

Operator heads-up (release notes)

The bootstrap install now fails closed if no checksum is available — air-gapped installs must serve SHA256SUMS/.sha256.txt, set SONAR_DIST_SHA256/SONAR_JDK_SHA256, or opt out with SONAR_ALLOW_UNVERIFIED=1. (#1)

Intentionally deferred (out of zero-regression scope)

• feat: migrate to SonarQube 2026.1 LTA #8 full by-keys RULE_METADATA protocol redesign — a wire-contract change; the output-identical cache stopgap shipped instead.
• feat: Nexus-bootstrap CLI wrapper + LTA 2026.1 manifest refresh #10 forced-sensor-crash test — hard to trigger a real swallowed-sensor crash deterministically offline (and PluginVerifier blocks stub plugins); the engine-API arity guard shipped.

Verify on first CI run

• osv-scanner v2.3.8 --sbom / max_severity field (fails open, so it can't wrongly block).

Test plan

• mvn verify green at 404 tests, 0 failures
• dist-zip byte-reproducibility confirmed (two clean builds → identical SHA-256)
• -Psbom package produces a CycloneDX BOM
• CI: CVE gate, reproducible job, offline-build job behave as expected on the runner

[sonarqubecloud]

Quality Gate passed

Issues
5 New issues
0 Accepted issues

Measures
0 Security Hotspots
87.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud