Summary

First of ~5 PRs that close the v1.0.0 audit blockers/highs/mediums. This one is mechanical: dep bumps, ArchUnit fix, LICENSE, pom metadata, version bump. No behaviour change in production code.

Closes audit BLOCKERs B1, B2, B3, B4 and HIGH H4.

Why this matters

ArchUnit 1.3.0 + JDK 25 class-file v69 = ArchUnit drops every production class at import time and the no-delete invariant is unenforced. I confirmed this by running mvn test -Dtest=ArchitectureTest locally: 117 Couldn't import class from ... warnings, all 5 rules trivially pass against an empty set. The headline safety guarantee of the project was a no-op for the entire v0.3.x line. Bump fixes it.

Plus: Logback 1.5.12 has CVE-2024-12798 (HIGH). LICENSE was missing → all-rights-reserved by default. pom said 0.1.0-SNAPSHOT while latest tag is v0.3.3. Etc.

Changes

Build / packaging

• Bump archunit 1.3.0 → 1.4.1 (Java 25 support).
• Bump logback 1.5.12 → 1.5.13 (CVE-2024-12798).
• Bump javalin 6.4.0 → 6.7.0 (latest 6.x — Javalin 7 / Jetty 12 unreleased; staying on Jetty 11.0.25, its latest patch).

ArchUnit hardening

• New sanity assert archUnitImportedProductionClasses fails the build if fewer than 50 classes were imported — catches future bytecode-vs-archunit drift before rules silently no-op again.
• Whitelist FileSidecarStore (sparse pre-allocation via setLength, never shrinks; would now fail B2 since B1 unblocked the import).
• New rule: ban FileChannel.truncate outside the whitelist (NIO twin of RandomAccessFile.setLength).
• New rule: ban access to StandardOpenOption.TRUNCATE_EXISTING outside the whitelist.

License / metadata

• LICENSE (Apache-2.0) and NOTICE listing bundled third-party deps at repo root.
• pom.xml gains <licenses>, <scm>, <url>, <developers>, <inceptionYear>; description drops the "Debian" remnant.
• Container image labels: licenses="NOASSERTION" → "Apache-2.0" (Dockerfile + release.yml).

Version + misc

• pom.xml version 0.1.0-SNAPSHOT → 0.4.0-SNAPSHOT.
• .dockerignore so local docker build doesn't ship the entire worktree (.git, target/, .worktrees/, src/, …).
• ci.yml: concurrency group cancels superseded runs on the same ref.
• README.md: full ArchUnit whitelist (now 4 classes, not "one path"); list new banned APIs.
• CHANGELOG.md seeded with the v0.4.0 entry.

Test plan

• Local mvn test -Dtest=ArchitectureTest → 8 tests pass (5 original + sanity + 2 new bans). Pre-bump: silent no-op.
• Local mvn test → 361 tests, 0 failures, 56 errors — all in the known Windows-env Jetty-loopback category, none new.
• CI green on Linux (the only env where Jetty server-tier tests run).
• Manual: ./mvnw verify produces target/netcopy.jar whose --version prints netcopy 0.4.0-SNAPSHOT.

Follow-ups (separate PRs in this v0.4.0 train)

• PR-B: security hardening (NOFOLLOW_LINKS, manifest/register validation, acknowledgeOverwrite, hashHex rename, token scope, browse-stats fix)
• PR-C: resource limits (ManifestRegistry cleanup, SO_TIMEOUT, conn caps, WS sub cap, body size, posix perms, shared HttpClient)
• PR-D: state schema + Docker (schemaVersion, HEALTHCHECK, multi-arch, :latest conditional, SHA-pin, gosu checksum)
• PR-E: docs alignment (README endpoint table, XXH3/SHA-256, data-formats.md proto v2)

🤖 Generated with Claude Code