dependabot[bot] opened a new pull request, #3084: URL: https://github.com/apache/cxf/pull/3084
Bumps [org.atmosphere:atmosphere-runtime](https://github.com/Atmosphere/atmosphere) from 3.1.0 to 4.0.42. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/Atmosphere/atmosphere/releases">org.atmosphere:atmosphere-runtime's releases</a>.</em></p> <blockquote> <h2>Atmosphere 4.0.42</h2> <h3>Added</h3> <ul> <li>atmosphere-verifier — plan-and-verify (Meijer "Guardians of the Agents") New module modules/verifier/ + sample samples/spring-boot-guarded-email-agent/ — sealed Workflow AST, ServiceLoader-discovered PlanVerifier chain (Allowlist/WellFormed/Capability/Taint/Automaton/SmtChecker SPI), <a href="https://github.com/Sink"><code>@Sink</code></a> + <a href="https://github.com/RequiresCapability"><code>@RequiresCapability</code></a> scanners, PlanAndVerify orchestrator, WorkflowExecutor with partial-env on failure, verify CLI; sample REST + UI exercises the inbox-exfiltration scenario end-to-end (refused before any tool fires) — 74 unit + 4 boot + 6 Playwright tests, all CI green on the feature branch.</li> </ul> <h3>Fixed</h3> <ul> <li>fail-closed verifier empty-chain, JSON-escape govern. deny, deflake wasync PlanAndVerify.withDefaults + VerifyCli runChain throw / emit chain-empty violations when ServiceLoader yields no providers (P1: silent fail-open under shading / native-image / fat-jar relocation); governance-deny tool result routes every interpolated field through ToolBridgeUtils.escapeJson via a new buildGovernanceDenyJson helper (P2: backslash/newline/control char break); ChatIntegrationTest.socketStatusTransitions polls for status transition rather than asserting in the same instant the OPEN handler fires (release-pipeline timing flake). 
5 new verifier tests + 6 governance-JSON tests.</li> </ul> <h3>Changed</h3> <ul> <li>drop org.json:json — Jackson 3 only (CVE hygiene) RoomProtocolCodec + SimpleRestInterceptor migrated to tools.jackson; brace-balanced reader preserves SwaggerSocket header/body chunk semantics; ALLOW_SINGLE_QUOTES kept for wire compatibility; org.json removed from parent + 3 spring-boot samples.</li> <li>bump version to 4.0.41</li> <li>prepare for next development iteration 4.0.42-SNAPSHOT</li> </ul> <h2>Atmosphere 4.0.41</h2> <h3>Changed — A2A v1.0.0 alignment (wire-breaking)</h3> <ul> <li><strong><code>atmosphere-a2a</code> retracked to A2A v1.0.0</strong> (<code>a2aproject/[email protected]</code>, released 2026-03-12). The pre-1.0 wire surface was the slash-style method names (<code>message/send</code>, <code>tasks/get</code>, …) and a polymorphic <code>Part</code> envelope; both are gone in v1.0.0.</li> <li><strong>JSON-RPC method names switched to PascalCase</strong> per spec §9.4 — <code>SendMessage</code>, <code>SendStreamingMessage</code>, <code>GetTask</code>, <code>ListTasks</code>, <code>CancelTask</code>, <code>SubscribeToTask</code>, the four <code>{Create,Get,List,Delete}TaskPushNotificationConfig</code> operations, and <code>GetExtendedAgentCard</code>. The pre-1.0 slash names and the old <code>tasks/pushNotification/*</code> path are aliased to their v1.0.0 equivalents at handler entry, with a one-time WARN per legacy method seen — existing Atmosphere clients keep working through the transition.</li> <li><strong>HTTP+JSON / REST binding added</strong> — colon-verb endpoints (<code>POST /tasks/{id}:cancel</code>, <code>POST /tasks/{id}:subscribe</code>, <code>POST /message:send</code> / <code>:stream</code>), <code>pushNotificationConfigs</code> CRUD URLs, and <code>GET /extendedAgentCard</code> are recognized by <code>A2aHandler</code>. 
REST requests are translated to JSON-RPC envelopes and dispatched through the same handler so the two bindings agree by construction (Mode Parity invariant <a href="https://redirect.github.com/Atmosphere/atmosphere/issues/7">#7</a>).</li> <li><strong>Type schema rewrite under <code>org.atmosphere.a2a.types</code></strong>: <ul> <li><code>Part</code> collapses three legacy subtypes (<code>TextPart</code> / <code>FilePart</code> / <code>DataPart</code>) into a single record carrying a <code>text | raw | url | data</code> oneof plus shared <code>metadata</code>, <code>filename</code>, <code>mediaType</code>. The deserializer continues to accept the pre-1.0 <code>{"type":"text",…}</code> / <code>{"kind":"text",…}</code> envelopes for migration.</li> <li><code>Message.role</code> is now the <code>Role</code> enum (<code>ROLE_USER</code> / <code>ROLE_AGENT</code> per ADR-001 ProtoJSON). Lower-case legacy forms parse for back-compat.</li> </ul> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/Atmosphere/atmosphere/blob/main/CHANGELOG.md">org.atmosphere:atmosphere-runtime's changelog</a>.</em></p> <blockquote> <h2>[4.0.42] - 2026-05-01</h2> <h3>Added</h3> <ul> <li>atmosphere-verifier — plan-and-verify (Meijer "Guardians of the Agents") New module modules/verifier/ + sample samples/spring-boot-guarded-email-agent/ — sealed Workflow AST, ServiceLoader-discovered PlanVerifier chain (Allowlist/WellFormed/Capability/Taint/Automaton/SmtChecker SPI), <a href="https://github.com/Sink"><code>@Sink</code></a> + <a href="https://github.com/RequiresCapability"><code>@RequiresCapability</code></a> scanners, PlanAndVerify orchestrator, WorkflowExecutor with partial-env on failure, verify CLI; sample REST + UI exercises the inbox-exfiltration scenario end-to-end (refused before any tool fires) — 74 unit + 4 boot + 6 Playwright tests, all CI green on the feature branch.</li> </ul> <h3>Fixed</h3> <ul> <li>fail-closed verifier empty-chain, JSON-escape govern. deny, deflake wasync PlanAndVerify.withDefaults + VerifyCli runChain throw / emit chain-empty violations when ServiceLoader yields no providers (P1: silent fail-open under shading / native-image / fat-jar relocation); governance-deny tool result routes every interpolated field through ToolBridgeUtils.escapeJson via a new buildGovernanceDenyJson helper (P2: backslash/newline/control char break); ChatIntegrationTest.socketStatusTransitions polls for status transition rather than asserting in the same instant the OPEN handler fires (release-pipeline timing flake). 
5 new verifier tests + 6 governance-JSON tests.</li> </ul> <h3>Changed</h3> <ul> <li>drop org.json:json — Jackson 3 only (CVE hygiene) RoomProtocolCodec + SimpleRestInterceptor migrated to tools.jackson; brace-balanced reader preserves SwaggerSocket header/body chunk semantics; ALLOW_SINGLE_QUOTES kept for wire compatibility; org.json removed from parent + 3 spring-boot samples.</li> <li>bump version to 4.0.41</li> <li>prepare for next development iteration 4.0.42-SNAPSHOT</li> </ul> <h2>[4.0.41] - 2026-04-29</h2> <h3>Changed — A2A v1.0.0 alignment (wire-breaking)</h3> <ul> <li><strong><code>atmosphere-a2a</code> retracked to A2A v1.0.0</strong> (<code>a2aproject/[email protected]</code>, released 2026-03-12). The pre-1.0 wire surface was the slash-style method names (<code>message/send</code>, <code>tasks/get</code>, …) and a polymorphic <code>Part</code> envelope; both are gone in v1.0.0.</li> <li><strong>JSON-RPC method names switched to PascalCase</strong> per spec §9.4 — <code>SendMessage</code>, <code>SendStreamingMessage</code>, <code>GetTask</code>, <code>ListTasks</code>, <code>CancelTask</code>, <code>SubscribeToTask</code>, the four <code>{Create,Get,List,Delete}TaskPushNotificationConfig</code> operations, and <code>GetExtendedAgentCard</code>. The pre-1.0 slash names and the old <code>tasks/pushNotification/*</code> path are aliased to their v1.0.0 equivalents at handler entry, with a one-time WARN per legacy method seen — existing Atmosphere clients keep working through the transition.</li> <li><strong>HTTP+JSON / REST binding added</strong> — colon-verb endpoints (<code>POST /tasks/{id}:cancel</code>, <code>POST /tasks/{id}:subscribe</code>, <code>POST /message:send</code> / <code>:stream</code>), <code>pushNotificationConfigs</code> CRUD URLs, and <code>GET /extendedAgentCard</code> are recognized by <code>A2aHandler</code>. 
REST requests are translated to JSON-RPC envelopes and dispatched through the same handler so the two bindings agree by construction (Mode Parity invariant <a href="https://redirect.github.com/Atmosphere/atmosphere/issues/7">#7</a>).</li> <li><strong>Type schema rewrite under <code>org.atmosphere.a2a.types</code></strong>: <ul> <li><code>Part</code> collapses three legacy subtypes (<code>TextPart</code> / <code>FilePart</code> / <code>DataPart</code>) into a single record carrying a <code>text | raw | url | data</code> oneof plus shared <code>metadata</code>, <code>filename</code>, <code>mediaType</code>. The deserializer continues to accept the pre-1.0 <code>{"type":"text",…}</code> / <code>{"kind":"text",…}</code> envelopes for migration.</li> <li><code>Message.role</code> is now the <code>Role</code> enum (<code>ROLE_USER</code> / <code>ROLE_AGENT</code> per ADR-001 ProtoJSON). Lower-case legacy forms parse for back-compat.</li> </ul> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/Atmosphere/atmosphere/commit/0c1878d5471c688ff2d0b1a6c5a2b4ba945626a7"><code>0c1878d</code></a> release: Atmosphere 4.0.42</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/4f40968d4d6aa7fee66fbc31f0ad44a303621394"><code>4f40968</code></a> chore(cpr): drop org.json:json — Jackson 3 only (CVE hygiene)</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/d1d971cdd5a8f5015b869737c0cc638696755e9a"><code>d1d971c</code></a> fix: fail-closed verifier empty-chain, JSON-escape govern. 
deny, deflake wasync</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/db2312d7ddfacccff198cddc4d2273c518865330"><code>db2312d</code></a> feat(verifier): atmosphere-verifier — plan-and-verify (Meijer "Guardians of t...</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/a680d3fe6d7947b807b3ea03fe8b812b0c260a34"><code>a680d3f</code></a> chore(cli): bump version to 4.0.41</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/b19beebf799580ba890c08c681d8e707c9f2c7b2"><code>b19beeb</code></a> chore: prepare for next development iteration 4.0.42-SNAPSHOT</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/1cd8fa65cec3de3a6e39be202193f961a1ccfab8"><code>1cd8fa6</code></a> release: Atmosphere 4.0.41</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/f4f81d6d1c5c5d0b6fd15e678fa25f5779ef8ee8"><code>f4f81d6</code></a> ci(cli): rename overlay-e2e step to "(7 runtimes)" — matrix is now complete</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/1e8bac16df930a3065dd954c7dc5707408148f62"><code>1e8bac1</code></a> test(cli): boot all 7 runtimes via overlay e2e (was 4 of 7)</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/f5ee2eb7d5777974ebfcaced19d2ee5c1a1ed09c"><code>f5ee2eb</code></a> test(cli): add semantic-kernel to overlay e2e matrix</li> <li>Additional commits viewable in <a href="https://github.com/Atmosphere/atmosphere/compare/atmosphere-project-3.1.0...atmosphere-4.0.42">compare view</a></li> </ul> </details>
