code-iq
<dependency>
<groupId>io.github.randomcodespace.iq</groupId>
<artifactId>code-iq</artifactId>
<version>0.2.2</version>
</dependency>
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>4.0.6</version>
<relativePath/>
</parent>
<groupId>io.github.randomcodespace.iq</groupId>
<artifactId>code-iq</artifactId>
<version>0.2.2</version>
<packaging>jar</packaging>
<name>codeiq</name>
<description>CLI tool and server that scans codebases to build a deterministic code knowledge graph</description>
<url>https://github.com/RandomCodeSpace/codeiq</url>
<properties>
<!-- Toolchain and dependency versions referenced elsewhere in this POM
     through ${...} placeholders. -->
<java.version>25</java.version>
<neo4j.version>2026.04.0</neo4j.version>
<!-- NOTE(review): 2.0.0-M4 is a milestone (pre-release) build. The Spring AI
     BOM imported with this version decides which MCP artifacts end up on the
     classpath, so re-check the mcp-core override in dependencyManagement
     whenever this value changes. -->
<spring-ai.version>2.0.0-M4</spring-ai.version>
<picocli.version>4.7.7</picocli.version>
<jacoco.version>0.8.14</jacoco.version>
<spotbugs.version>4.9.8.3</spotbugs.version>
<checkstyle-plugin.version>3.6.0</checkstyle-plugin.version>
<!--
Toggle for the frontend-maven-plugin. Defaults to false so
`mvn package` still bundles the React SPA. Backend-only
contributors can bypass the npm build with:
mvn test -Dfrontend.skip=true
-->
<frontend.skip>false</frontend.skip>
<!--
Security override: Spring Boot 4.0.5 pulls tomcat-embed-core 11.0.20
and jackson (tools.jackson.core) 3.1.0; both have CVEs fixed in the
next patch release. Bumping these via the Spring-Boot-managed
properties so all starter-managed artifacts pick up the fix
without a full Spring Boot version change. Revert these when
Spring Boot 4.0.6+ ships with the same or newer versions.
  tomcat  11.0.20 -> 11.0.21 (CVE-2026-34483 HIGH,
                              CVE-2026-34487 HIGH,
                              CVE-2026-34500 MODERATE)
  jackson 3.1.0   -> 3.1.1   (GHSA-2m67-wjpj-xhg9 HIGH)

NOTE(review): the parent declared in this POM is already
spring-boot-starter-parent 4.0.6, so the revert condition above is met.
Confirm which Tomcat and Jackson versions 4.0.6 manages. If they are at
or above these pins, remove the properties. If a pin is lower than the
managed version, it holds the dependency back at an older release.
NOTE(review): jackson.version is 3.1.1 here, while dependencyManagement
pins tools.jackson.core jackson-core and jackson-databind to 3.1.2.
Align the two, or drop whichever one has no effect.
-->
<tomcat.version>11.0.21</tomcat.version>
<jackson.version>3.1.1</jackson.version>
</properties>
<dependencyManagement>
<dependencies>
<!-- Imports the Spring AI BOM so Spring AI artifacts, including the MCP
     server starter used below, can be declared without a version. -->
<dependency>
<groupId>org.springframework.ai</groupId>
<artifactId>spring-ai-bom</artifactId>
<version>${spring-ai.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
<!--
Security overrides for transitive CVE-affected dependencies that
Spring Boot's managed-versions machinery does not cover:
  log4j-core 2.25.3 -> 2.25.4 (CVE-2026-34477 MOD,
                               CVE-2026-34478 MOD,
                               CVE-2026-34480 MOD)
  log4j-api 2.25.3 -> 2.25.4 (umbrella-CPE attribution of log4j-core
                              CVEs; bumped to keep the dep tree
                              consistent and to stop the dep-check
                              umbrella match)
  log4j-layout-template-json 2.25.3 -> 2.25.4 (CVE-2026-34481 MOD)
    - all three pulled in transitively by Neo4j 2026.02.3.
  shiro-core 2.0.6 -> 2.1.0 (CVE-2026-23901 LOW)
    - pulled in by neo4j-security.
  mcp-core 1.1.0 -> 1.1.1 (CVE-2026-34237 MOD)
    - hardcoded wildcard CORS; pulled in by Spring AI MCP
      starter. Directly load-bearing for our read-only MCP
      endpoints: fix is non-optional.
Revert overrides once the upstream BOMs ship matching versions.

NOTE(review): this table has drifted from the entries below. mcp-core is
managed at 1.1.2, not 1.1.1, and neo4j.version is 2026.04.0, not
2026.02.3. Re-run the dependency scan against the current tree. An
override that is older than what the upstream BOM now resolves pins the
artifact backwards, and one that is no longer needed hides the real
resolved version from reviewers.
-->
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.25.4</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.25.4</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-layout-template-json</artifactId>
<version>2.25.4</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>2.1.0</version>
</dependency>
<dependency>
<groupId>io.modelcontextprotocol.sdk</groupId>
<artifactId>mcp-core</artifactId>
<version>1.1.2</version>
</dependency>
<!--
Explicit override for Jackson 3.x (tools.jackson.core). Spring
Boot 4.0.5's managed-versions machinery pins these to 3.1.0 via
its own BOM and the `<jackson.version>` property does not
propagate to the new-API artifacts. Pin to 3.1.1 until Spring
Boot 4.0.6+ ships with the fix (GHSA-2m67-wjpj-xhg9 HIGH,
document length bypass in blocking/async/DataInput parsers).

NOTE(review): the pins below are 3.1.2 for jackson-core and
jackson-databind and 3.1.1 for jackson-annotations, so "Pin to 3.1.1"
no longer describes them. The parent in this POM is Spring Boot 4.0.6,
so check whether these entries are still required.
NOTE(review): confirm that tools.jackson.core:jackson-annotations:3.1.1
resolves. As far as I know Jackson 3 continues to use the
com.fasterxml.jackson.core annotations artifact; verify against the
resolved tree. A managed entry for a coordinate that nothing requests
has no effect, so a wrong coordinate here would go unnoticed.
-->
<dependency>
<groupId>tools.jackson.core</groupId>
<artifactId>jackson-core</artifactId>
<version>3.1.2</version>
</dependency>
<dependency>
<groupId>tools.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>3.1.2</version>
</dependency>
<dependency>
<groupId>tools.jackson.core</groupId>
<artifactId>jackson-annotations</artifactId>
<version>3.1.1</version>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<!-- Spring Boot Starters -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-neo4j</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-cache</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<!-- Bucket4j: in-process token-bucket rate limiter (Apache-2.0).
Used by RateLimitFilter to throttle /api and /mcp on a per-token /
per-IP key. Single-replica serving = single bucket per key, so no
cluster coordination needed. ~80 KB; pure Java, no native deps. -->
<dependency>
<groupId>com.bucket4j</groupId>
<artifactId>bucket4j_jdk17-core</artifactId>
<version>8.18.0</version>
</dependency>
<!-- Caffeine: bounded in-process cache (Apache-2.0). Required because
CodeIqApplication enables @EnableCaching but Spring Boot defaults
to ConcurrentMapCacheManager (unbounded, no TTL, no eviction) when
no provider is on the classpath. Caffeine + the cache.type=caffeine
configuration in application.yml gives every @Cacheable region a
max-size + write-expiry, capping lifetime-of-process growth on
unique-key caches like node-detail and file-tree. Spring Boot
manages the version via its parent BOM. -->
<dependency>
<groupId>com.github.ben-manes.caffeine</groupId>
<artifactId>caffeine</artifactId>
</dependency>
<!-- Logstash JSON encoder (MIT). Drops a structured JSON line per log
event with timestamp, level, logger, thread, message, MDC entries
(request_id, etc.), and optional stack trace. Used in the serving
profile only — the indexing/CLI profiles keep the human-readable
%msg%n encoder. ~250 KB. -->
<dependency>
<groupId>net.logstash.logback</groupId>
<artifactId>logstash-logback-encoder</artifactId>
<version>9.0</version>
</dependency>
<!-- Micrometer Prometheus registry. Exposed at /actuator/prometheus
behind bearer auth. Spring Boot manages the version via its BOM. -->
<dependency>
<groupId>io.micrometer</groupId>
<artifactId>micrometer-registry-prometheus</artifactId>
</dependency>
<!-- Neo4j Embedded (Community Edition) -->
<dependency>
<groupId>org.neo4j</groupId>
<artifactId>neo4j</artifactId>
<version>${neo4j.version}</version>
<exclusions>
<!-- Exclude neo4j's SLF4J provider to avoid "multiple SLF4J providers" warning -->
<exclusion>
<groupId>org.neo4j</groupId>
<artifactId>neo4j-slf4j-provider</artifactId>
</exclusion>
</exclusions>
</dependency>
<!-- Spring AI MCP Server (WebMVC, stateless streamable HTTP) -->
<dependency>
<groupId>org.springframework.ai</groupId>
<artifactId>spring-ai-starter-mcp-server-webmvc</artifactId>
</dependency>
<!-- Picocli CLI framework -->
<dependency>
<groupId>info.picocli</groupId>
<artifactId>picocli-spring-boot-starter</artifactId>
<version>${picocli.version}</version>
</dependency>
<dependency>
<groupId>info.picocli</groupId>
<artifactId>picocli</artifactId>
<version>${picocli.version}</version>
</dependency>
<!-- JavaParser for AST-based Java detection -->
<dependency>
<groupId>com.github.javaparser</groupId>
<artifactId>javaparser-core</artifactId>
<version>3.28.0</version>
</dependency>
<!-- JavaParser symbol solver — JavaSymbolSolver + ReflectionTypeSolver
for the resolver SPI Java backend. Same release train as core. -->
<dependency>
<groupId>com.github.javaparser</groupId>
<artifactId>javaparser-symbol-solver-core</artifactId>
<version>3.28.0</version>
</dependency>
<!-- ANTLR Runtime -->
<dependency>
<groupId>org.antlr</groupId>
<artifactId>antlr4-runtime</artifactId>
<version>4.13.2</version>
</dependency>
<!-- H2 Database for incremental analysis cache (pure Java — no JNI, virtual-thread friendly) -->
<dependency>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
</dependency>
<!-- OpenAPI / Swagger UI. The starter serves the generated API description
     and the Swagger UI over HTTP from the same application.
     NOTE(review): confirm that the security configuration covers the
     springdoc paths in the serving profile, as the comment on the
     Prometheus registry states for /actuator/prometheus. The version is
     pinned here directly and is not managed by the Spring Boot parent. -->
<dependency>
<groupId>org.springdoc</groupId>
<artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
<version>3.0.3</version>
</dependency>
<!-- Testing -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<licenses>
<license>
<name>MIT License</name>
<url>https://opensource.org/licenses/MIT</url>
</license>
</licenses>
<developers>
<developer>
<name>RandomCodeSpace</name>
<url>https://github.com/RandomCodeSpace</url>
</developer>
</developers>
<scm>
<connection>scm:git:git://github.com/RandomCodeSpace/codeiq.git</connection>
<developerConnection>scm:git:ssh://github.com:RandomCodeSpace/codeiq.git</developerConnection>
<url>https://github.com/RandomCodeSpace/codeiq/tree/main</url>
</scm>
<build>
<plugins>
<!-- Frontend build (React + Vite). Installs the pinned Node toolchain, then
     runs `npm install` and `npm run build` inside src/main/frontend. The
     plugin's skip setting is driven by the frontend.skip property. -->
<plugin>
<groupId>com.github.eirslett</groupId>
<artifactId>frontend-maven-plugin</artifactId>
<version>2.0.0</version>
<configuration>
<workingDirectory>src/main/frontend</workingDirectory>
<!--
Node 22 LTS. Vite 8 (PR #86 brought it in via the vite
group) raised its minimum engine to ^20.19.0 || >=22.12.0,
and v20.11.0 fails immediately at frontend-maven-plugin's
`npm run build` step (`SyntaxError: ... 'styleText'` from
rolldown's use of node:util.styleText, which only lands
in Node 20.18+/22.x). Pinning to v22.12.0 — the minimum
v22 release that satisfies Vite 8 — keeps us on a
currently-supported LTS line.

NOTE(review): because the pin is the lowest 22.x that satisfies
Vite 8, later 22.x patch releases, including security releases,
are not picked up until this value is raised. Presumably Node runs
only during the build here; confirm, and bump the pin on a schedule.
-->
<nodeVersion>v22.12.0</nodeVersion>
<skip>${frontend.skip}</skip>
</configuration>
<executions>
<execution>
<id>install-node-npm</id>
<goals><goal>install-node-and-npm</goal></goals>
</execution>
<!-- NOTE(review): `npm install` may re-resolve version ranges and rewrite
     the lockfile, so two builds of the same commit can bundle different
     packages. If src/main/frontend commits a package-lock.json, `ci`
     installs exactly what the lockfile records and fails on a mismatch,
     which is the safer choice for the artifact that gets released. -->
<execution>
<id>npm-install</id>
<goals><goal>npm</goal></goals>
<configuration>
<arguments>install</arguments>
</configuration>
</execution>
<execution>
<id>npm-build</id>
<goals><goal>npm</goal></goals>
<configuration>
<arguments>run build</arguments>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<configuration>
<classifier>cli</classifier>
</configuration>
<executions>
<execution>
<goals>
<goal>build-info</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<release>${java.version}</release>
</configuration>
</plugin>
<plugin>
<groupId>org.antlr</groupId>
<artifactId>antlr4-maven-plugin</artifactId>
<version>4.13.2</version>
<executions>
<execution>
<goals><goal>antlr4</goal></goals>
</execution>
</executions>
<configuration>
<visitor>true</visitor>
<listener>true</listener>
<treatWarningsAsErrors>false</treatWarningsAsErrors>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-enforcer-plugin</artifactId>
<executions>
<execution>
<id>enforce-java</id>
<goals>
<goal>enforce</goal>
</goals>
<configuration>
<rules>
<requireJavaVersion>
<version>[25,)</version>
<message>Java 25 or later is required.</message>
</requireJavaVersion>
</rules>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<configuration>
<argLine>-XX:+EnableDynamicAgentLoading @{argLine}</argLine>
<excludes>
<exclude>**/benchmark/**</exclude>
</excludes>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-failsafe-plugin</artifactId>
<configuration>
<argLine>-XX:+EnableDynamicAgentLoading @{argLine}</argLine>
</configuration>
<executions>
<execution>
<goals>
<goal>integration-test</goal>
<goal>verify</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.jacoco</groupId>
<artifactId>jacoco-maven-plugin</artifactId>
<version>${jacoco.version}</version>
<configuration>
<!-- Exclude ANTLR-generated grammar parsers from coverage -->
<excludes>
<exclude>io/github/randomcodespace/iq/grammar/**</exclude>
</excludes>
</configuration>
<executions>
<execution>
<id>prepare-agent</id>
<goals>
<goal>prepare-agent</goal>
</goals>
</execution>
<execution>
<id>report</id>
<phase>test</phase>
<goals>
<goal>report</goal>
</goals>
</execution>
<execution>
<id>check</id>
<phase>verify</phase>
<goals>
<goal>check</goal>
</goals>
<configuration>
<rules>
<rule>
<element>BUNDLE</element>
<limits>
<limit>
<counter>LINE</counter>
<value>COVEREDRATIO</value>
<minimum>0.85</minimum>
</limit>
</limits>
</rule>
</rules>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>com.github.spotbugs</groupId>
<artifactId>spotbugs-maven-plugin</artifactId>
<version>${spotbugs.version}</version>
<configuration>
<excludeFilterFile>spotbugs-exclude.xml</excludeFilterFile>
<!-- Hard gate semantics per engineering-standards.md §1:
"Zero High/Critical findings". Threshold High filters
out Medium/Low findings (so the gate doesn't trip on
non-blocking findings); failOnError is the
spotbugs-maven-plugin default for `check`, made
explicit so a future config edit doesn't silently
relax the gate. -->
<threshold>High</threshold>
<failOnError>true</failOnError>
</configuration>
<executions>
<!-- Reviewer finding fd559a54 (RAN-47, R5-4):
spotbugs-maven-plugin was declared but had no
lifecycle binding, so `mvn verify` (and therefore
CI on every PR) did not actually run SpotBugs.
Bind `check` to the verify phase so the gate
claimed in engineering-standards.md §1 is
actually enforced on every build. -->
<execution>
<id>spotbugs-check-on-verify</id>
<phase>verify</phase>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
<version>${checkstyle-plugin.version}</version>
<configuration>
<configLocation>google_checks.xml</configLocation>
</configuration>
</plugin>
<!-- Source bundle: full project source tree as a distributable ZIP -->
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-assembly-plugin</artifactId>
<configuration>
<descriptors>
<descriptor>src/assembly/source-bundle.xml</descriptor>
</descriptors>
<finalName>${project.artifactId}-${project.version}</finalName>
<appendAssemblyId>true</appendAssemblyId>
</configuration>
<executions>
<execution>
<id>create-source-bundle</id>
<phase>package</phase>
<goals>
<goal>single</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
<profiles>
<!--
Mutation testing profile — Phase 7 Layer 9 (non-gating).
Run: mvn -P mutation org.pitest:pitest-maven:mutationCoverage
-Dfrontend.skip=true -Ddependency-check.skip=true
Targets the resolver SPI surface and Confidence model. Reports under
target/pit-reports/. Apache-2.0 licensed (preferred-license tier).
-->
<profile>
<id>mutation</id>
<build>
<plugins>
<plugin>
<groupId>org.pitest</groupId>
<artifactId>pitest-maven</artifactId>
<version>1.18.0</version>
<configuration>
<targetClasses>
<param>io.github.randomcodespace.iq.intelligence.resolver.*</param>
<param>io.github.randomcodespace.iq.intelligence.resolver.java.*</param>
<param>io.github.randomcodespace.iq.model.Confidence</param>
</targetClasses>
<targetTests>
<param>io.github.randomcodespace.iq.intelligence.resolver.*</param>
<param>io.github.randomcodespace.iq.intelligence.resolver.java.*</param>
<param>io.github.randomcodespace.iq.model.ConfidenceTest</param>
</targetTests>
<outputFormats>
<outputFormat>HTML</outputFormat>
<outputFormat>XML</outputFormat>
</outputFormats>
<timestampedReports>false</timestampedReports>
</configuration>
</plugin>
</plugins>
</build>
</profile>
<!-- Release profile: attaches the sources and javadoc jars, signs the
     artifacts with GPG during verify, and publishes to Maven Central
     through the Central Publishing plugin. Active only when selected
     with -P release. -->
<profile>
<id>release</id>
<build>
<plugins>
<!-- Central Publishing Plugin — only for releases, NOT snapshots -->
<!-- NOTE(review): with autoPublish set to true there is no manual review
     step between upload and release. A version published to Central
     cannot be replaced, so the pipeline that activates this profile is
     the only gate: confirm that it runs solely from protected tags or
     branches, and that the credentials for the `central` server id come
     from CI secrets rather than a committed settings file. -->
<plugin>
<groupId>org.sonatype.central</groupId>
<artifactId>central-publishing-maven-plugin</artifactId>
<version>0.10.0</version>
<extensions>true</extensions>
<configuration>
<publishingServerId>central</publishingServerId>
<autoPublish>true</autoPublish>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-source-plugin</artifactId>
<executions>
<execution>
<id>attach-sources</id>
<goals>
<goal>jar-no-fork</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<configuration>
<!-- doclint is disabled, so javadoc markup errors do not fail the release build. -->
<doclint>none</doclint>
</configuration>
<executions>
<execution>
<id>attach-javadocs</id>
<goals>
<goal>jar</goal>
</goals>
</execution>
</executions>
</plugin>
<!-- Signs every attached artifact in the verify phase. No key id or
     passphrase is configured in this POM.
     NOTE(review): presumably both are supplied by the release environment;
     confirm they are injected from CI secrets and never written to the
     build log. -->
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-gpg-plugin</artifactId>
<version>3.2.8</version>
<executions>
<execution>
<id>sign-artifacts</id>
<phase>verify</phase>
<goals>
<goal>sign</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
</profiles>
</project>