Chainguard Repository for Java (#3316)

[ ] Check if this is a typo or other quick fix and ignore the rest :)

## Type of change
Update existing docs for Chainguard Repository support for Java
libraries

### What should this PR do?
Add content about Java to Chainguard Repository content:
- Move general fallback/policy content into the Libraries overview and
link to it from other pages
- Update the chainguard-repository/overview page to include Java
- Mention Chainguard Repository in the Java overview and in Build Config
- Reframe the Java Global Config page to say Chainguard Repository is
the recommended config

### Why are we making this change?
Product update to support Chainguard Repository for Java

### What are the acceptance criteria? 
Java should be mentioned in content about Chainguard Repository, content
should be clear and accurate

### How should this PR be tested?
Review the deploy preview to ensure that content appears as expected

---------

Signed-off-by: s-stumbo <sally.stumbo@chainguard.dev>
Signed-off-by: s-stumbo <100295939+s-stumbo@users.noreply.github.com>

Author: s-stumbo

content/chainguard/chainguard-repository/overview.md

@@ -21,14 +21,16 @@ As of this writing, the Chainguard Repository contains the following artifact ty
 | Artifact type | Description |
 | ----- | ----- |
 | [Chainguard Libraries for JavaScript](/chainguard/libraries/javascript/overview/) | Open source language dependencies rebuilt from source for JavaScript (npm). |
+| [Chainguard Libraries for Java](/chainguard/libraries/java/overview/) | Open source language dependencies rebuilt from source for Java (Maven). |
 
 ## Endpoints
 
 Each artifact type is accessible via its own endpoint:
 
 | Artifact type | Endpoint |
 | ----- | ----- |
-| Libraries for JavaScript | `libraries.cgr.dev/javascript` |
+| Libraries for [JavaScript](/chainguard/libraries/javascript/overview/) | `https://libraries.cgr.dev/javascript/` |
+| Libraries for [Java](/chainguard/libraries/java/overview/) | `https://libraries.cgr.dev/java/` |
 
 See each artifact type's documentation for authentication and configuration details.
 
@@ -74,5 +76,6 @@ Access the Console at [console.chainguard.dev](https://console.chainguard.dev).
 
 ## Learn more
 
-* [Chainguard Repository for JavaScript Libraries](/chainguard/libraries/chainguard-repository/)  
+* [Chainguard Libraries for JavaScript](/chainguard/libraries/javascript/overview/)  
+* [Chainguard Libraries for Java](/chainguard/libraries/java/overview/)
 

content/chainguard/libraries/access.md

@@ -24,9 +24,7 @@ system. This guide explains how to access (download) Chainguard library artifact
 
 - Ensure you have access to Chainguard Libraries. 
     - If you are not a Chainguard user yet, a new Chainguard account must be
-created and configured for access to Chainguard Libraries.
-    - If you are already a Chainguard user, the Chainguard account owner in your
-organization can grant access to Chainguard Libraries.
+created and you must [add an entitlement to Chainguard Libraries](/chainguard/libraries/access/#manage-library-entitlements).
 - Confirm the name of your organization so you can use it with the `--parent`
 parameter to specify your organization when running commands with `chainctl`.
 

content/chainguard/libraries/browse.md

@@ -50,7 +50,9 @@ The list includes the following columns:
 
 At the bottom of the page, see a total count of available libraries.
 
-As a part of Chainguard Repository, [upstream fallback and policy controls](/chainguard/libraries/javascript/overview/#upstream-fallback-policy-and-controls) are available for Chainguard Libraries for JavaScript. When fallback is configured for your organization, you will see all packages including those built by Chainguard and those that are mirrored from upstream npm. For a given package, you can see whether it is being served from Chainguard's rebuilt artifacts or proxied from upstream npm.
+As a part of Chainguard Repository, [upstream fallback and policy controls](/chainguard/libraries/overview/#upstream-fallback-and-controls) are available for Chainguard Libraries and can be enabled via `chainctl` commands. For JavaScript, you can also enable upstream fallback in the Chainguard Console. 
+
+When fallback is configured for your organization, you will see all JavaScript packages -- including those built by Chainguard and those that are mirrored from upstream npm -- in the Console. For a given package, you can see whether it is being served from Chainguard's rebuilt artifacts or proxied from upstream npm. For Java and Python, you cannot currently view upstream vs. Chainguard-built packages via the Chainguard Console.
 
 <a id="search"></a>
 

content/chainguard/libraries/java/build-configuration.md

@@ -35,6 +35,8 @@ other engineers running relevant application builds. They must also be performed
 on any build server such as Jenkins, TeamCity, GitHub or other infrastructure
 that builds the applications or otherwise downloads and uses relevant libraries.
 
+The `https://libraries.cgr.dev/java/` endpoint is also the [Chainguard Repository](/chainguard/chainguard-repository/overview/) endpoint for Java. By default, it serves only Chainguard-built artifacts. When [upstream fallback](/chainguard/libraries/overview/#upstream-fallback-and-controls) is enabled for your organization, the same endpoint can also serve requested versions from Maven Central under Chainguard security controls.
+
 ## Library access approaches 
 
 ### Repo manager
@@ -284,25 +286,27 @@ Java.
 #### Configure direct access
 
 If you are not using a repository manager at your organization, you can
-configure access to the Chainguard Libraries for Java repository directly.
-Ensure that the Chainguard repository is located above the necessary override
-for the built-in `central` repository and any other repositories. If you are participating in the beta for CVE remediation, include the `https://libraries.cgr.dev/java-remediated/` repository first.
+configure access to the Chainguard Libraries for Java repository directly. If [upstream fallback](/chainguard/libraries/overview/#upstream-fallback-and-controls) is enabled for your organization, the `https://libraries.cgr.dev/java/` repository can serve both Chainguard-built artifacts and eligible upstream Maven Central artifacts through the same endpoint. If upstream fallback is not enabled, continue to configure Maven Central or your Maven Central proxy after the Chainguard repository, as shown in the following example.
+
+If you are participating in the beta for CVE remediation, include the `https://libraries.cgr.dev/java-remediated/` repository first.
+
+If you are using direct access with the Chainguard Repository and you want Chainguard policy controls to apply consistently, configure Chainguard as a global Maven mirror. Without a global mirror, Maven can fall back to its built-in Maven Central definition when Chainguard reports a dependency as unavailable, bypassing the policy and malware scanning controls provided by Chainguard.
 
 The following `~/.m2/settings.xml` configures direct access with Chainguard's remediated Java repository as
-the primary repository, falling back to the standard Chainguard Libraries repository when a remediated version is not available, and then to Maven Central as a fallback for transitive
-dependencies not available from Chainguard. It uses placeholder values
-`CG_PULLTOKEN_USERNAME` and `CG_PULLTOKEN_PASSWORD` or [environment
+the primary repository, falling back to the standard Chainguard Libraries repository when a remediated version is not available. If a library is not yet built by Chainguard and you have enabled upstream fallback, then upstream packages will be subject to malware scanning and any cooldown policies you have configured. This settings file uses [environment
 variables](/chainguard/libraries/access/#env) for the pull token detailed in
-[Chainguard Libraries access](/chainguard/libraries/access/):
+[Chainguard Libraries access](/chainguard/libraries/access/). 
 
 ```xml
 <settings>
   <activeProfiles>
-    <activeProfile>no-repo-manager</activeProfile>
+    <activeProfile>chainguard</activeProfile>
   </activeProfiles>
+
   <profiles>
     <profile>
-      <id>no-repo-manager</id>
+      <id>chainguard</id>
+
       <repositories>
         <repository>
           <id>chainguard-remediated</id>
@@ -311,7 +315,7 @@ variables](/chainguard/libraries/access/#env) for the pull token detailed in
           <snapshots><enabled>false</enabled></snapshots>
         </repository>
         <repository>
-          <id>chainguard</id>
+          <id>chainguard-java</id>
           <url>https://libraries.cgr.dev/java/</url>
           <releases>
             <enabled>true</enabled>
@@ -322,39 +326,45 @@ variables](/chainguard/libraries/access/#env) for the pull token detailed in
         </repository>
         <repository>
           <id>central</id>
-          <url>https://repo1.maven.org/maven2/</url>
-          <releases>
-            <enabled>true</enabled>
-          </releases>
-          <snapshots>
-            <enabled>false</enabled>
-          </snapshots>
+          <url>invalid</url>
+          <releases><enabled>true</enabled></releases>
+          <snapshots><enabled>false</enabled></snapshots>
         </repository>
       </repositories>
+
       <pluginRepositories>
         <pluginRepository>
-          <id>chainguard</id>
+          <id>chainguard-java-remediated</id>
+          <url>https://libraries.cgr.dev/java-remediated/</url>
+          <releases><enabled>true</enabled></releases>
+          <snapshots><enabled>false</enabled></snapshots>
+        </pluginRepository>
+        <pluginRepository>
+          <id>chainguard-java</id>
           <url>https://libraries.cgr.dev/java/</url>
-          <releases>
-            <enabled>true</enabled>
-          </releases>
-          <snapshots>
-            <enabled>false</enabled>
-          </snapshots>
+          <releases><enabled>true</enabled></releases>
+          <snapshots><enabled>false</enabled></snapshots>
         </pluginRepository>
         <pluginRepository>
           <id>central</id>
-          <url>https://repo1.maven.org/maven2/</url>
-          <releases>
-            <enabled>true</enabled>
-          </releases>
-          <snapshots>
-            <enabled>false</enabled>
-          </snapshots>
+          <url>invalid</url>
+          <releases><enabled>true</enabled></releases>
+          <snapshots><enabled>false</enabled></snapshots>
         </pluginRepository>
+
       </pluginRepositories>
     </profile>
   </profiles>
+
+    <mirrors>
+    <mirror>
+      <id>chainguard</id>
+      <name>Chainguard Mirror</name>
+      <url>https://libraries.cgr.dev/java/</url>
+      <mirrorOf>*</mirrorOf>
+    </mirror>
+  </mirrors>
+
   <servers>
     <server>
       <id>chainguard-remediated</id>
@@ -364,7 +374,7 @@ variables](/chainguard/libraries/access/#env) for the pull token detailed in
       <!-- <username>YOUR_IDENTITY_ID</username> -->
       <!-- <password>YOUR_TOKEN</password> -->
     </server>
-      <id>chainguard</id>
+      <id>chainguard-java</id>
       <!-- Use environment variables -->
       <username>${env.CHAINGUARD_JAVA_IDENTITY_ID}</username>
       <password>${env.CHAINGUARD_JAVA_TOKEN}</password>
@@ -380,6 +390,8 @@ is configured. Alternatively you can add the `repositories` and
 `pluginRepositories` to individual project `pom.xml` files. Authentication
 details must remain within the settings file.
 
+If your `settings.xml` is using credentials set as environment variables, ensure the variables are exported.
+
 ### Minimal example project
 
 Use the following steps to create a minimal example project for Maven with Chainguard Libraries for Java. For testing purposes, you can use direct access and environment variables as

content/chainguard/libraries/java/global-configuration.md

@@ -445,3 +445,4 @@ Use the URL of the repository group, such as
 configuration](/chainguard/libraries/java/build-configuration/) and build a 
 first test project. In a working setup the `java-chainguard` proxy repository contains
 all libraries retrieved from Chainguard.
+