dependabot[bot] opened a new pull request, #3058:
URL: https://github.com/apache/cxf/pull/3058

   Bumps 
[org.atmosphere:atmosphere-runtime](https://github.com/Atmosphere/atmosphere) 
from 3.1.0 to 4.0.39.
   <details>
   <summary>Release notes</summary>
   <p><em>Sourced from <a href="https://github.com/Atmosphere/atmosphere/releases">org.atmosphere:atmosphere-runtime's releases</a>.</em></p>
   <blockquote>
   <h2>Atmosphere 4.0.39</h2>
   <h2>✨ Added</h2>
   <ul>
   <li><strong>serve /favicon.ico from both starters to kill the default 404 
AtmosphereFaviconAutoConfiguration returns the Atmosphere logo PNG on 
/favicon.ico and /favicon.png for every app using the starter; opt out with 
atmosphere.favicon.enabled=false.</strong></li>
   <li><strong>reattach e2e — harness sample + direct-writer replay + CI job 
RunReattachSupport now writes the joined buffer straight to 
response.getWriter() (U+001E between events); broadcaster routing fed the 
payload back into the <code>@Prompt</code> dispatcher. New 
spring-boot-reattach-harness plus a SyntheticRunController give Playwright a 
deterministic HTTP surface — foundation-e2e.yml runs the spec on every push so 
the reattach wire is proven end-to-end, not just in unit tests.</strong></li>
   <li><strong>TokenUsage → CostCeilingGuardrail.addCost bridge + ownership fix 
CostAccountingSession wraps every <code>@Prompt</code> session when a 
CostAccountant is installed; built-in CostCeilingAccountant(guardrail, pricing) 
closes the observability→enforcement loop. Spring Boot auto-configuration 
installs it and a DisposableBean resets the holder on shutdown, which also 
fixes broadcaster listener ownership symmetry on the PII 
installer.</strong></li>
   <li><strong>cpr-core moat — broadcaster PII, tenant drift, cost ceiling, 
reattach test PiiRedactionFilter auto-installs on every broadcaster (present + 
future) so response-path PII is rewritten in-flight — framework owns the 
transport. OutputLengthZScoreGuardrail partitions its rolling window by 
business.tenant.id MDC so one tenant cannot poison another's baseline. New 
CostCeilingGuardrail blocks outbound <code>@Prompt</code> per tenant once 
cumulative cost hits budget (observability→enforcement). writeEnabled resolved 
per-call in both starters for runtime lockdown. RunReattachSupport extracts the 
replay-on-reconnect path with 5 regression tests. Operator docs split Spring + 
Quarkus setup with principal-chain paragraphs.</strong></li>
   <li><strong>wire Flow tab into the admin console — SVG graph over 
/api/admin/flow New tab renders the coordination journal as a circle-layout 
SVG: nodes = agents, edges = dispatch count + success/failure/avg-duration, red 
on failure, arrowheads for direction. Optional coordination-id drilldown and 
lookback-minutes filter. Zero external graph library — plain SVG, adequate for 
fleet sizes Atmosphere runs. Mirrored across spring-boot-starter and 
spring-boot3-starter admin assets.</strong></li>
   <li><strong>observability + guardrails + admin auth + flow viewer 
Observability layer (BusinessMetadata → SLF4J MDC, FactResolver), default 
guardrails (PII redaction, drift z-score), admin-write auth triple-gate 
(feature flag → Principal → ControlAuthorizer), agent-to-agent flow viewer 
(/api/admin/flow), run reattach consumer, gateway admission on handle-based 
paths, framework-scoped resolution for all v0.8 primitives. Samples boot via 
spring-boot:run + actuator health; foundation-e2e gates merges including Docker 
sandbox.</strong></li>
   <li><strong>foundation hardening — primitive wire-in, Sandbox gate, 
PermissionMode</strong></li>
   <li><strong>AI Agent Foundation — 8 primitives, 2 proof samples, strict 
OpenAI-compat tool round-trip</strong></li>
   </ul>
   <h2>🐛 Fixed</h2>
   <ul>
   <li>remove orphan javadoc that broke JDK 26 / native-image builds Stray /** 
... */ block had no declaration attached; compiler -Xdoclint was fine under 
-Pfastinstall but strict under Core / Native Image. Reattaches the doc to 
captureFeedsReattachWithErrorEnvelopeWhenHandlerThrows where it belongs. Also 
explains why I missed it locally — I was running --fast, which skips the 
doclint phase; pattern now flagged in my self-review checklist.</li>
   <li>favicon dual-registration + opt-in admin read-auth gate (P1) Drops the 
<code>@Bean</code> method in AtmosphereFaviconAutoConfiguration — the nested 
<code>@RestController</code> already registers under a stereotype-derived bean 
name and the <code>@Bean</code> factory was producing a second bean mapped to 
the same /favicon.ico route, triggering &quot;Ambiguous mapping&quot; at startup 
for any app pulling the starter. Adds atmosphere.admin.http-read-auth-required 
opt-in flag: when true, Spring's AdminApiAuthFilter and a new Quarkus 
AdminReadAuthFilter (JAX-RS <code>@Provider</code>) reject anonymous 
GET/HEAD/OPTIONS on /api/admin with 401 matching the existing write-side chain 
(X-Atmosphere-Auth + principal attribute sources). Default off so demo consoles 
keep working; multi-tenant operators flip one flag.</li>
   <li>pin Bouncy Castle &gt;= 1.84 — closes transitive 1.82 advisories 
docker-java-core 3.7.0 pulls bcpkix/bcprov/bcutil 1.82 (GHSA LDAP injection + 
risky-crypto). DependencyManagement pin forces 1.84 into the resolved tree so 
Dependabot alerts 187/188 close on next scan. Provided-scope only 
(DockerSandboxProvider path); no runtime fat-jar drift.</li>
   <li>malformed journal timestamp returns 400 (Spring parity) Previously 
returned 200 with an error-item array, masking client errors from caller and 
breaking Spring/Quarkus API parity. Now returns 400 with the error body, 
matching AtmosphereAdminEndpoint and Correctness Invariant <a href="https://redirect.github.com/Atmosphere/atmosphere/issues/4">#4</a>.</li>
   <li>P0 reattach — enforce run ownership + route replay through filter chain 
Replay now refuses when the reconnecting caller's resolved userId does not 
match the run's registered userId (bearer-token cross-user leak); anonymous 
runs keep the open-mode carve-out so demo deployments still work. Every replay 
frame is routed through the broadcaster's BroadcastFilter chain so 
PiiRedactionFilter / ContentSafetyFilter apply identically to replay and live 
frames — a direct writer write previously bypassed them.</li>
   <li>reattach wire fidelity + terminal capture + MDC snapshot Replay now 
emits AiStreamMessage JSON frames matching the live path (frontend parser can 
handle replay and live identically); AiEndpointHandler routes timeout/exception 
terminals through capturingSession so buffered replay ends with an error 
envelope; CostAccountingSession snapshots tenant MDC at construction so 
Reactor-thread usage events don't collapse into <strong>default</strong>. Adds 
handoff-forwarding regression, strengthens Playwright assertions to pin JSON 
schema + error envelope.</li>
   <li>RunEventCapturingSession must forward handoff() to delegate The default 
StreamingSession.handoff throws UnsupportedOperationException, which the 
reattach capturing wrapper inherited — breaking orchestration-primitives 
handoff() calls that previously reached AiStreamingSession's agent-backed 
implementation.</li>
   <li>survive resteasy-reactive UT000048 on servlet proxy resteasy-reactive 
dispatches on Vert.x, so <code>@Context</code> HttpServletRequest throws 
IllegalStateException: UT000048 on the admin write path. Swallow the exception 
(attributes cannot fire on Vert.x anyway) and read X-Atmosphere-Auth via 
<code>@Context</code> HttpHeaders, which works on both transports.</li>
   <li>wire reattach producer — capture <code>@Prompt</code> events into replay 
buffer RunEventCapturingSession mirrors every session.send / complete / error 
into the run's RunEventReplayBuffer; AiEndpointHandler installs it after 
registering the run so X-Atmosphere-Run-Id reconnects actually have events to 
replay. Closes the half-shipped reattach primitive — producer was missing even 
though the consumer (RunReattachSupport) was already wired.</li>
   <li>admin X-Atmosphere-Auth principal path + quarkus-chat fixture Fourth 
principal source validates the header against atmosphere.admin.auth.token via 
constant-time compare so Quarkus admin writes work without standing up Jakarta 
Security; sample fixture sets the env vars and Playwright now authenticates 
matching the Spring spec pattern.</li>
   <li>review pass 3 — parity delegation, PII hook accuracy, BOM-managed 
resteasy, ai.userId test Parity test pins delegation shape (doExecute → 
doExecuteWithHandle for SpringAI/LC4j/ADK) so a refactor to independent 
dispatch fails without restored admit. PII Javadoc points at the real 
PiiRedactionFilter / AiStreamBroadcastFilter — previously referenced a 
fictional per-token hook. resteasy-core at test scope drops its pin to inherit 
the quarkus-bom version. New ai.userId case rounds AdminResourceAuthzTest to 7 
— all three principal sources covered. Non-blocking nits: dropped parity-test 
change-history Javadoc, explicit stubs instead of RETURNS_DEEP_STUBS, /* 
package */ marker on writeEnabled.</li>
   <li>v0.9 review second pass — parity-test teeth, quarkus auth chain, PII 
docs Parity test now scans specific method bodies (doExecute / 
doExecuteWithHandle / execute / executeWithHandle) with brace-balanced 
extraction, not file-level grep — dead helper references no longer satisfy. 
Quarkus guardWrite widened to the 3-source principal chain (SecurityContext → 
Atmosphere AuthInterceptor attribute → ai.userId). AdminProducer looks up a 
user-supplied ControlAuthorizer via CDI before falling back to 
REQUIRE_PRINCIPAL. New AdminResourceAuthzTest (6 cases) pins the gate across 
starters. PII class Javadoc split into Request (redact via Modify) vs Response 
(early termination via Block). FactRequest.agentId documents that custom 
<code>@AiEndpoint</code> paths produce null.</li>
   <li>close v0.9-review findings — auth gap, dead SPI, parity test, javadoc 
drift Quarkus /api/admin/* now enforces the same triple-gate (feature flag → 
Principal → ControlAuthorizer) as Spring; default DENY_ALL via 
REQUIRE_PRINCIPAL. FactResolver.cacheHint removed (no consumer). 
FactRequest.agentId derived from the endpoint path template. 
RuntimeGatewayAdmissionParityTest verifies all 7 runtimes call 
admitThroughGateway at source level. FactResolver javadoc corrected 
(NoopFactResolver → DefaultFactResolver). PII response-path Block documented as 
early termination, not retroactive redaction.</li>
   <li>register HtmlEncoder as CodeQL XSS sanitizer Resolves 4 false-positive 
java/xss code-scanning alerts.</li>
   <li>bump Jetty 12.0.33, Tomcat 11.0.21, Kafka 3.9.2 Address 13 Dependabot 
security alerts (1 critical, 5 high, 3 medium).</li>
   </ul>
   <h2>🔧 Changed</h2>
   <ul>
   <li>fix parallelInterruptsSiblings race on slow CI runners</li>
   <li>trigger on modules/ai + wasync + add workflow_dispatch</li>
   <li>CHANGELOG backfill for post-squash work + fix stale versions + read-auth 
docs CHANGELOG adds 11 Added and 3 Fixed subsections covering PII filter, 
cost-ceiling wire, reattach closure, admin read-auth, Quarkus parity, favicon, 
Flow tab, correctness coverage, e2e harness, JMH, security bumps. README adds 
DENY_ALL to PermissionMode. Four module READMEs had wrong third-party dep 
versions (4.0.38 copy-paste); corrected against root pom. Admin README 
documents the fourth principal source and the new http-read-auth-required 
flag.</li>
   <li>DelegatingStreamingSession base — kills decorator-regression class Every 
StreamingSession decorator now extends the base and overrides only what it 
intercepts; unknown methods are forwarded automatically. 
DelegatingStreamingSessionContractTest reflects over the interface and fails 
the build when a method is added without a forwarder — the handoff() shadow bug 
that shipped in RunEventCapturingSession cannot recur. Seven decorators 
migrated (RunEventCapturing, CostAccounting, Memory, Metrics, Guardrail, 
StructuredOutput, Tracing, Caching).</li>
   <li>rewrite hero + modules table — capability/module/types grid Surfaces 
stream-level PII rewrite, cost-ceiling enforcement, tenant-partitioned drift; 
fixes PermissionMode mode count and drops the hardcoded version claim.</li>
   <li>bump GrpcWasyncTransportTest status-poll to 5s for JDK 26 wAsync updates 
Socket.status() on its dispatch thread after the CLOSE callback returns; the 2s 
polling cap was too tight on JDK 26 where scheduler latency between callback 
and CAS is observably longer.</li>
   <li>update reattach spec — producer wire is live after 8156842fd4 
RunEventCapturingSession now populates the replay buffer on every 
<code>@Prompt</code> session.send / 
complete / error — cross-reference the commit so a future auditor can verify 
the &quot;half-shipped&quot; note in earlier reviews is resolved. Spec stays 
skip-gated pending a dedicated slow-emitter harness sample.</li>
   <li>CHANGELOG claim tests + two-resolution-pattern guidance 
ChangelogClaimsTest pins AgentState OpenClaw layout + RunEventReplayBuffer 
bound so doc-to-code drift breaks the build; README documents when to pick 
framework-scoped property vs process-wide holder so new SPIs don't reinvent the 
wheel.</li>
   <li>reattach spec documents the X-Atmosphere-Run-Id replay contract Skipped 
by default until a harness sample with deliberately-slow <code>@Prompt</code> dispatch is wired; 
the contract (connect → disconnect → reconnect with run id → replayed events) 
is pinned so future harness work plugs in without re-deriving it. Unit coverage 
remains in RunReattachSupportTest.</li>
   <li>exec-level gateway admission tests — LC4j, ADK, Koog, Embabel, SK One 
test per runtime; each installs a counting exporter and drives 
runtime.execute() so an admission entry with the correct provider label is 
captured. Closes the exec-level parity gap flagged in the v0.9 review — all 7 
runtimes now prove admit, not just source-level grep.</li>
   <li>exec-level gateway admission test — drive runtime.execute Counting 
exporter replaces AiGatewayHolder and one execute() call lands exactly one 
entry with provider=spring-ai; closes the parity grep gap the v0.9 review 
flagged. Template for LC4j/ADK/Koog/Embabel/SK follow-ups.</li>
   <li>bump org.apache.maven.plugins:maven-resources-plugin (<a href="https://redirect.github.com/Atmosphere/atmosphere/issues/2610">#2610</a>)</li>
   <li>bump react and react-dom to 19.2.5 in lockstep React requires exact 
version match between react and react-dom packages; bumping only react (as 
Dependabot PR <a href="https://redirect.github.com/Atmosphere/atmosphere/issues/2612">#2612</a> 
proposed) fails all jsdom-backed tests with 
ensureCorrectIsomorphicReactVersion.</li>
   <li>bump protobuf to 4.34.1 and pin runtime to protoc version grpc-protobuf 
1.80.0 still pulls protobuf-java 3.25.8 transitively, so protoc 4.x-generated 
sources fail to compile; dependencyManagement now pins 
protobuf-java/protobuf-java-util to ${protobuf.version}.</li>
   <li>bump protobufjs (<a href="https://redirect.github.com/Atmosphere/atmosphere/issues/2608">#2608</a>)</li>
   </ul>
   <p><strong>Full Changelog</strong>: <a href="https://github.com/Atmosphere/atmosphere/compare/atmosphere-4.0.38...atmosphere-4.0.39">https://github.com/Atmosphere/atmosphere/compare/atmosphere-4.0.38...atmosphere-4.0.39</a></p>
   <h2>Atmosphere 4.0.38</h2>
   <!-- raw HTML omitted -->
   </blockquote>
   <p>... (truncated)</p>
   </details>
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a href="https://github.com/Atmosphere/atmosphere/commit/2df3e7ab84e45f369b88c93c418b5451f5949852"><code>2df3e7a</code></a> release: Atmosphere 4.0.39</li>
   <li><a href="https://github.com/Atmosphere/atmosphere/commit/96e6e6b55b5f5e5950f48dfbe4f09b0b6517e409"><code>96e6e6b</code></a> test(coordinator): fix parallelInterruptsSiblings race on slow CI runners</li>
   <li><a href="https://github.com/Atmosphere/atmosphere/commit/cc7d4083c1954840dc02589becf15d0c764cca44"><code>cc7d408</code></a> ci(native-image): trigger on modules/ai + wasync + add workflow_dispatch</li>
   <li><a href="https://github.com/Atmosphere/atmosphere/commit/def0661789a95409235c83582c84b9501f030b93"><code>def0661</code></a> docs: CHANGELOG backfill for post-squash work + fix stale versions + read-aut...</li>
   <li><a href="https://github.com/Atmosphere/atmosphere/commit/0dc77965d6e07566d1ef7ca0691309028891bd8a"><code>0dc7796</code></a> build: remove --fast from pre-push + architectural validation</li>
   <li><a href="https://github.com/Atmosphere/atmosphere/commit/ddc13af49af44b0c1b9367b2be87d255db9aa4c3"><code>ddc13af</code></a> fix(ai): remove orphan javadoc that broke JDK 26 / native-image builds</li>
   <li><a href="https://github.com/Atmosphere/atmosphere/commit/bd3da2649f0d087deb5385a0e0e7b0cd622e82f2"><code>bd3da26</code></a> refactor(ai): DelegatingStreamingSession base — kills decorator-regression class</li>
   <li><a href="https://github.com/Atmosphere/atmosphere/commit/2d3ee5afc3dffd60886134d427f9c54ae19849d2"><code>2d3ee5a</code></a> fix: favicon dual-registration + opt-in admin read-auth gate (P1)</li>
   <li><a href="https://github.com/Atmosphere/atmosphere/commit/98c6ae408b749a6ce4422dc55a9dbc6477c14a2b"><code>98c6ae4</code></a> feat(spring-boot): serve /favicon.ico from both starters to kill the default 404</li>
   <li><a href="https://github.com/Atmosphere/atmosphere/commit/246c29bc752fc70da11e8b331cf309e60b19b4d5"><code>246c29b</code></a> fix(deps): pin Bouncy Castle &gt;= 1.84 — closes transitive 1.82 advisories</li>
   <li>Additional commits viewable in <a href="https://github.com/Atmosphere/atmosphere/compare/atmosphere-project-3.1.0...atmosphere-4.0.39">compare view</a></li>
   </ul>
   </details>
   <br />
   
   
   [![Dependabot compatibility 
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.atmosphere:atmosphere-runtime&package-manager=maven&previous-version=3.1.0&new-version=4.0.39)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
   
   Dependabot will resolve any conflicts with this PR as long as you don't 
alter it yourself. You can also trigger a rebase manually by commenting 
`@dependabot rebase`.
   
   [//]: # (dependabot-automerge-start)
   [//]: # (dependabot-automerge-end)
   
   ---
   
   <details>
   <summary>Dependabot commands and options</summary>
   <br />
   
   You can trigger Dependabot actions by commenting on this PR:
   - `@dependabot rebase` will rebase this PR
   - `@dependabot recreate` will recreate this PR, overwriting any edits that 
have been made to it
   - `@dependabot show <dependency name> ignore conditions` will show all of 
the ignore conditions of the specified dependency
   - `@dependabot ignore this major version` will close this PR and stop 
Dependabot creating any more for this major version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this minor version` will close this PR and stop 
Dependabot creating any more for this minor version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this dependency` will close this PR and stop 
Dependabot creating any more for this dependency (unless you reopen the PR or 
upgrade to it yourself)
   
   
   </details>


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
