Skip to content
Merged
Show file tree
Hide file tree
Changes from 30 commits
Commits
Show all changes
39 commits
Select commit Hold shift + click to select a range
5841bf6
build(pom): collect dep versions in properties, bump dep/plugin versi…
claude May 27, 2026
7ca790d
docs(javadoc): add missing comments and tags so strict doclint passes
claude May 27, 2026
d5a9e25
build(pom): collect all plugin versions in <pluginManagement> for cro…
claude May 27, 2026
8ad6232
build(pom): wire up spotless + palantir java format (opt-in, no auto-…
claude May 27, 2026
81d0dda
build(pom): enforce spotless format via verify-phase check
claude May 27, 2026
db9491b
style: apply spotless / palantir-java-format
claude May 27, 2026
331bb68
build: exclude vendored OSInfo class from spotbugs analysis
claude May 27, 2026
cff9d67
fix: close 4 spotbugs findings (DM_DEFAULT_ENCODING, COMMAND_INJECTIO…
claude May 27, 2026
306d24d
build: ignore .jqwik-database
claude May 27, 2026
bcef47d
build: align .jqwik-database ignore with streambuffer convention
claude May 27, 2026
f8c11b0
fix: chain exception cause in 3 LlamaModel re-throw sites
claude May 27, 2026
3d0ad9f
style: use char-literal append over single-char String literals
claude May 27, 2026
414ec36
fix: drop bogus 'throws UnsatisfiedLinkError' from LlamaLoader.initia…
claude May 27, 2026
be59e8a
perf: presize collections in CliParameters.toArray + LlamaModel.rerank
claude May 27, 2026
266c328
build: suppress 3 EXS findings on LlamaModel JSON-boundary methods
claude May 27, 2026
f613124
refactor: drop unused worker field + unused addUuid parameter
claude May 27, 2026
1db8e76
fix: close 2 EI_EXPOSE findings (ChatMessage.getParts, Session ctor)
claude May 27, 2026
8426af6
fix: defeat finalizer attack on LlamaModel constructors
claude May 27, 2026
caddbc7
Guard against null Path.getFileName() in image MIME inference and nat…
claude May 27, 2026
dff1e50
Suppress STT_TOSTRING_STORED_IN_FIELD on Inference/ModelParameters
claude May 27, 2026
c7b1f32
Replace Object monitor with ReentrantLock + Condition in LlamaPublisher
claude May 27, 2026
4f3197c
Return null on native-lib write-verification mismatch instead of thro…
claude May 27, 2026
4b017c1
Widen private ChatMessage.concatText parameter from List to Iterable
claude May 27, 2026
8fcea49
Suppress OCP_OVERLY_CONCRETE_PARAMETER on ModelParameters enum setters
claude May 27, 2026
4705a7e
Widen LlamaModel.{completeBatch,completeBatchWithStats,chatBatch} par…
claude May 27, 2026
e89e535
Suppress PATH_TRAVERSAL_IN on LlamaLoader path resolution
claude May 27, 2026
819e097
Suppress FCCD_FIND_CLASS_CIRCULAR_DEPENDENCY on LlamaIterator/LlamaModel
claude May 27, 2026
a8296c9
Document spotbugs-exclude.xml maintenance contract in CLAUDE.md
claude May 27, 2026
4ace716
Add Open TODOs section to CLAUDE.md
claude May 27, 2026
ff28191
Pin charsets to UTF-8 in two test sites uncovered by charset audit
claude May 28, 2026
1f11a46
docs: add VisibleForTesting design-fit + package hierarchy TODOs
claude May 29, 2026
3595a01
docs: add naming review TODO (pair with package hierarchy work)
claude May 29, 2026
a0b1813
docs: TODO to abstract Java guidelines + skill to workspace-level
claude May 29, 2026
f7288f3
build: move jcstress to opt-in -Pjcstress profile
claude May 30, 2026
01665cd
Upgrade llama.cpp from b9354 to b9437
claude May 30, 2026
d1a8953
docs: split llama.cpp breaking-changes table into docs/history/
claude May 30, 2026
161e5f9
build(pom): gate GPU/OpenCL-Android compile passes behind -Pcuda / -P…
claude May 30, 2026
a6b567b
docs(CLAUDE.md): document jqwik prompt-injection in test output
claude May 30, 2026
a6dd74b
docs(CLAUDE.md): add jqwik 1.10.1 reference + URGENT replace-jqwik TODO
claude May 30, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 4 additions & 1 deletion .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -48,4 +48,7 @@ src/test/resources/**/*.gbnf

**/*.etag
**/*.lastModified
src/main/cpp/llama.cpp/
src/main/cpp/llama.cpp/

# jcstress / jqwik test outputs (generated in repo root)
/.jqwik-database
15 changes: 15 additions & 0 deletions CLAUDE.md
Original file line number Diff line number Diff line change
Expand Up @@ -921,3 +921,18 @@ In Javadoc comments, never use bare Unicode characters for operators and symbols
| `≠` | `&#x2260;` |

Use numeric hex entities (`&#xNNNN;`) for any Unicode symbol outside ASCII. Named entities (`&lt;`, `&gt;`) are acceptable for `<` and `>`.

## SpotBugs Suppressions

`spotbugs-exclude.xml` at the repo root contains documented suppressions for findings that are by-design or false positives. **When refactoring or renaming code referenced in that file, re-check the affected `<Match>` blocks:**

- `<Class>`, `<Method>`, and `<Field>` filters use exact string matches — a rename silently disables the suppression and may either un-suppress a real bug or leave a stale entry behind.
- After refactors, run `mvn -B -ntp -DskipTests -Dgpg.skip=true verify` and confirm the BugInstance count is unchanged. A drop means a suppression is now stale and should be deleted; an increase means a new finding needs its own decision (fix vs. suppress).
- Keep the rationale comment on each `<Match>` accurate — if the original justification no longer applies to the post-refactor code, remove the suppression rather than leave outdated reasoning in place.
- Never use `--` inside `<!-- ... -->` comment bodies in `spotbugs-exclude.xml` — XML forbids it and the entire filter file silently stops loading (every previously suppressed finding reappears).

## Open TODOs

- **`@VisibleForTesting` audit.** No usages currently. Walk the production tree for package-private/protected methods or fields that exist purely so tests can reach them, and either annotate (`com.google.common.annotations.VisibleForTesting`) or move into the test source tree.
- **Strict null-safety with Maven hard-check.** Nullability annotations today are sporadic and from `org.jetbrains.annotations`. Migrate to JSpecify (`org.jspecify:jspecify`) and add Error Prone + NullAway in the compiler plugin so the build fails on potential NPEs (the BitcoinAddressFinder pom.xml already does this and is a working reference).
- **At least one LogCaptor smoke test.** SLF4J + Logback are wired in (`OSInfo` uses an SLF4J logger; `LlamaLoader` deliberately uses `System.err` for bootstrap). Add a `LogCaptor.forClass(OSInfo.class)` test that confirms a known log message actually fires through the configured pipeline, so a future logback misconfiguration is caught at test time rather than silently swallowed.
156 changes: 128 additions & 28 deletions pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -50,14 +50,24 @@ SPDX-License-Identifier: MIT

<properties>
<jna.version>5.18.1</jna.version>
<jetbrains-annotations.version>26.1.0</jetbrains-annotations.version>
<jackson.version>2.21.3</jackson.version>
<reactive-streams.version>1.0.4</reactive-streams.version>
<slf4j.version>2.0.18</slf4j.version>
<logback.version>1.5.32</logback.version>
<animal-sniffer.version>1.27</animal-sniffer.version>
<junit.version>6.1.0</junit.version>
<jmh.version>1.37</jmh.version>
<jcstress.version>0.16</jcstress.version>
<lincheck.version>2.39</lincheck.version>
<vmlens.version>1.2.28</vmlens.version>
<jqwik.version>1.9.2</jqwik.version>
<archunit.version>1.3.0</archunit.version>
<spotbugs.version>4.8.6.6</spotbugs.version>
<jqwik.version>1.10.0</jqwik.version>
<archunit.version>1.4.2</archunit.version>
<spotbugs.version>4.9.8.3</spotbugs.version>
<fb-contrib.version>7.6.4</fb-contrib.version>
<findsecbugs.version>1.13.0</findsecbugs.version>
<findsecbugs.version>1.14.0</findsecbugs.version>
<spotless.version>3.5.1</spotless.version>
<palantir-java-format.version>2.66.0</palantir-java-format.version>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.build.outputTimestamp>${git.commit.time}</project.build.outputTimestamp>
</properties>
Expand All @@ -66,7 +76,7 @@ SPDX-License-Identifier: MIT
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter</artifactId>
<version>6.1.0</version>
<version>${junit.version}</version>
<scope>test</scope>
</dependency>
<dependency>
Expand All @@ -84,34 +94,34 @@ SPDX-License-Identifier: MIT
<dependency>
<groupId>org.jetbrains</groupId>
<artifactId>annotations</artifactId>
<version>26.1.0</version>
<version>${jetbrains-annotations.version}</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.21.3</version>
<version>${jackson.version}</version>
</dependency>
<!-- Reactive Streams API used by LlamaPublisher to expose token streams as a
Publisher<LlamaOutput>. Java 8 compatible, ~5 KB, supplies the standard
interfaces that Reactor / RxJava / Kotlin coroutines bridge to. -->
<dependency>
<groupId>org.reactivestreams</groupId>
<artifactId>reactive-streams</artifactId>
<version>1.0.4</version>
<version>${reactive-streams.version}</version>
</dependency>
<!-- Required by OSInfo (vendored from xerial/sqlite-jdbc) for log emission. -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>2.0.18</version>
<version>${slf4j.version}</version>
</dependency>
<!-- Default SLF4J binding shipped with this library. Runtime scope: not
required on the compile classpath, only loaded at JVM startup. -->
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>1.5.32</version>
<version>${logback.version}</version>
<scope>runtime</scope>
</dependency>
<!-- @IgnoreJRERequirement marker used by OSInfo (vendored from xerial/sqlite-jdbc)
Expand All @@ -120,19 +130,19 @@ SPDX-License-Identifier: MIT
<dependency>
<groupId>org.codehaus.mojo</groupId>
<artifactId>animal-sniffer-annotations</artifactId>
<version>1.27</version>
<version>${animal-sniffer.version}</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.openjdk.jmh</groupId>
<artifactId>jmh-core</artifactId>
<version>1.37</version>
<version>${jmh.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.openjdk.jmh</groupId>
<artifactId>jmh-generator-annprocess</artifactId>
<version>1.37</version>
<version>${jmh.version}</version>
<scope>test</scope>
</dependency>
<dependency>
Expand All @@ -150,11 +160,84 @@ SPDX-License-Identifier: MIT
</dependencies>

<build>
<pluginManagement>
<plugins>
<plugin>
<groupId>com.diffplug.spotless</groupId>
<artifactId>spotless-maven-plugin</artifactId>
<version>${spotless.version}</version>
</plugin>
<plugin>
<groupId>com.github.spotbugs</groupId>
<artifactId>spotbugs-maven-plugin</artifactId>
<version>${spotbugs.version}</version>
</plugin>
<plugin>
<groupId>com.vmlens</groupId>
<artifactId>vmlens-maven-plugin</artifactId>
<version>${vmlens.version}</version>
</plugin>
<plugin>
<groupId>io.github.git-commit-id</groupId>
<artifactId>git-commit-id-maven-plugin</artifactId>
<version>10.0.0</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.15.0</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-gpg-plugin</artifactId>
<version>3.2.8</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<version>3.5.0</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>3.12.0</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-resources-plugin</artifactId>
<version>3.5.0</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-source-plugin</artifactId>
<version>3.4.0</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>3.5.5</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>exec-maven-plugin</artifactId>
<version>3.6.3</version>
</plugin>
<plugin>
<groupId>org.jacoco</groupId>
<artifactId>jacoco-maven-plugin</artifactId>
<version>0.8.14</version>
</plugin>
<plugin>
<groupId>org.sonatype.central</groupId>
<artifactId>central-publishing-maven-plugin</artifactId>
<version>0.10.0</version>
</plugin>
</plugins>
</pluginManagement>
<plugins>
<plugin>
<groupId>io.github.git-commit-id</groupId>
<artifactId>git-commit-id-maven-plugin</artifactId>
<version>10.0.0</version>
<executions>
<execution>
<id>get-git-properties</id>
Expand All @@ -174,7 +257,6 @@ SPDX-License-Identifier: MIT
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.15.0</version>
<configuration>
<source>1.8</source>
<target>1.8</target>
Expand All @@ -194,7 +276,7 @@ SPDX-License-Identifier: MIT
<path>
<groupId>org.openjdk.jmh</groupId>
<artifactId>jmh-generator-annprocess</artifactId>
<version>1.37</version>
<version>${jmh.version}</version>
</path>
</annotationProcessorPaths>
</configuration>
Expand Down Expand Up @@ -236,7 +318,6 @@ SPDX-License-Identifier: MIT
</plugin>
<plugin>
<artifactId>maven-resources-plugin</artifactId>
<version>3.5.0</version>
<executions>
<!-- Copy custom cuda libs to the output directory -->
<execution>
Expand Down Expand Up @@ -285,7 +366,6 @@ SPDX-License-Identifier: MIT
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-source-plugin</artifactId>
<version>3.4.0</version>
<executions>
<execution>
<id>attach-sources</id>
Expand All @@ -298,9 +378,11 @@ SPDX-License-Identifier: MIT
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>3.12.0</version>
<configuration>
<source>1.8</source>
<failOnError>true</failOnError>
<failOnWarnings>true</failOnWarnings>
<doclint>all</doclint>
</configuration>
<executions>
<execution>
Expand All @@ -314,7 +396,6 @@ SPDX-License-Identifier: MIT
<plugin>
<groupId>org.jacoco</groupId>
<artifactId>jacoco-maven-plugin</artifactId>
<version>0.8.14</version>
<executions>
<execution>
<id>prepare-agent</id>
Expand Down Expand Up @@ -346,7 +427,6 @@ SPDX-License-Identifier: MIT
-->
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>3.5.5</version>
<configuration>
<argLine>@{argLine} -XX:ErrorFile=hs_err_pid%p.log -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=.</argLine>
<!--
Expand All @@ -360,10 +440,36 @@ SPDX-License-Identifier: MIT
<redirectTestOutputToFile>true</redirectTestOutputToFile>
</configuration>
</plugin>
<plugin>
<groupId>com.diffplug.spotless</groupId>
<artifactId>spotless-maven-plugin</artifactId>
<configuration>
<java>
<includes>
<include>src/main/java/**/*.java</include>
<include>src/test/java/**/*.java</include>
</includes>
<palantirJavaFormat>
<version>${palantir-java-format.version}</version>
</palantirJavaFormat>
<removeUnusedImports/>
<trimTrailingWhitespace/>
<endWithNewline/>
</java>
</configuration>
<executions>
<execution>
<id>spotless-check</id>
<phase>verify</phase>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>com.github.spotbugs</groupId>
<artifactId>spotbugs-maven-plugin</artifactId>
<version>${spotbugs.version}</version>
<configuration>
<effort>Default</effort>
<threshold>Default</threshold>
Expand Down Expand Up @@ -396,7 +502,6 @@ SPDX-License-Identifier: MIT
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>exec-maven-plugin</artifactId>
<version>3.6.3</version>
<configuration>
<mainClass>org.openjdk.jmh.Main</mainClass>
<classpathScope>test</classpathScope>
Expand Down Expand Up @@ -433,7 +538,6 @@ SPDX-License-Identifier: MIT
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-gpg-plugin</artifactId>
<version>3.2.8</version>
<executions>
<execution>
<id>sign-artifacts</id>
Expand All @@ -453,7 +557,6 @@ SPDX-License-Identifier: MIT
<plugin>
<groupId>org.sonatype.central</groupId>
<artifactId>central-publishing-maven-plugin</artifactId>
<version>0.10.0</version>
<extensions>true</extensions>
<configuration>
<publishingServerId>central</publishingServerId>
Expand All @@ -472,7 +575,6 @@ SPDX-License-Identifier: MIT
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<version>3.5.0</version>
<executions>
<!-- Pick class files AND libs from custom output
directory -->
Expand Down Expand Up @@ -501,7 +603,6 @@ SPDX-License-Identifier: MIT
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<version>3.5.0</version>
<executions>
<!-- Pick class files AND libs from custom output
directory -->
Expand Down Expand Up @@ -537,7 +638,6 @@ SPDX-License-Identifier: MIT
<plugin>
<groupId>com.vmlens</groupId>
<artifactId>vmlens-maven-plugin</artifactId>
<version>${vmlens.version}</version>
<configuration>
<!--
Lincheck generates its own TestThreadExecution class on the fly.
Expand Down
Loading
Loading