
feat(manifest): generate JVM Socket facts natively + single-run reachability sidecar (1.1.132, Coana 15.6.3)#1385

Merged
Jeppe Fredsgaard Blaabjerg (jfblaa) merged 1 commit into
v1.xfrom
jfblaa/rea-613-producer
Jun 30, 2026

Conversation

@jfblaa

@jfblaa Jeppe Fredsgaard Blaabjerg (jfblaa) commented Jun 30, 2026

Contributor

Summary

Moves JVM build-tool resolution (Gradle, sbt, Maven) into socket-cli, so socket manifest and --auto-manifest generate Socket facts natively. On socket scan create --reach --auto-manifest, the build tool runs once and produces both the SBOM and a resolved-paths sidecar for coana's reachability — instead of coana re-resolving the build at reach time, which diverged for dynamically-versioned projects (git versions, CI build numbers, timestamps) and surfaced as spurious "failed to install" / stale-manifest failures.

Related

Release gating

⚠️ Draft — do not merge yet. Gated on the coana release that ships coana run --compute-artifacts-sidecar. Before merge: bump @coana-tech/cli to that version and fill the CHANGELOG.md placeholder (coana version + date).

Test plan

  • pnpm check (lint + tsc) and unit tests green.
  • Validated on Gradle (including a dynamic git-version build) and a multi-module Maven project; full --reach --auto-manifest end-to-end is pending the coana release.

Note

Medium Risk
Large new surface area (build-tool scripts, graph assembly, publish-time Maven jar) affects manifest and reachability correctness; behavior changes for all Gradle/sbt/Maven users but is covered by unit tests and on-demand compat matrices.

Overview
Gradle, sbt, and Maven Socket facts are generated inside socket-cli instead of delegating to coana manifest. Bundled Gradle init script, sbt plugin, and a Maven core extension emit tab-separated records; TypeScript (runManifestScript / assembleFacts) assembles .socket.facts.json and handles resolution failure reporting per ecosystem.

For --auto-manifest / reachability, the same build run can use --with-files to collect resolved jar paths and module source/output dirs into a ResolvedPathsSidecar (merged across JVM roots), so reachability reuses one resolution instead of Coana re-running the build (fixes dynamic-version / install-error mismatches).

Defaults: resolveBuildToolBin prefers ./gradlew / ./mvnw when present, else gradle / mvn on PATH (manifest commands and auto-manifest updated).

Shipping & CI: Dist build copies manifest assets into dist/manifest-scripts; Maven extension jar is built via build:maven-extension (provenance publish step). Label-gated manifest-gradle / manifest-sbt / manifest-maven workflows run version-matrix smoke tests. Release 1.1.132, @coana-tech/cli 15.6.3.

Reviewed by Cursor Bugbot for commit 5054196.
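An added example, not socket-cli's own code, of the assembly step the description outlines: it parses the tab-separated records a build-tool producer emits (the record layout, field escaping and record kinds below are assumptions, since the PR does not spell them out), keys components and projects by coordId, accumulates the resolved paths of several JVM roots into one shared ResolvedPathsSidecar, and applies the upload guard so that project-only facts are not discarded.

```typescript
// Added example, not socket-cli's code. Assumed record layout: one record per line,
// tab-separated fields; tab/newline/backslash inside a field escaped as \t \n \\.
// Assumed kinds: "P" = project module (coordId, srcDir, outDir); "C" = component (coordId, jar).
type Component = { coordId: string; jar: string }
type Project = { coordId: string; srcDir: string; outDir: string }
type Facts = { components: Component[]; projects: Project[] }
type ResolvedPathsSidecar = { jars: Set<string>; sourceDirs: Set<string>; outputDirs: Set<string> }
// Split one record on unescaped tabs, decoding escapes inside fields as we go.
function splitRecord(line: string): string[] {
  const fields: string[] = []
  let cur = ''
  for (let i = 0; i < line.length; i++) {
    const ch = line.charAt(i)
    if (ch === '\\' && i + 1 < line.length) {
      const n = line.charAt(++i)
      cur += n === 't' ? '\t' : n === 'n' ? '\n' : n
    } else if (ch === '\t') { fields.push(cur); cur = '' }
    else cur += ch
  }
  fields.push(cur)
  return fields
}

// Assemble facts for one JVM root; the sidecar is shared so several roots merge into it.
function assembleFacts(recordsText: string, sidecar: ResolvedPathsSidecar): Facts {
  const components = new Map<string, Component>() // keyed by coordId: repeats collapse
  const projects = new Map<string, Project>()
  for (const line of recordsText.split('\n')) {
    if (!line) continue
    const [kind, coordId, a, b] = splitRecord(line)
    if (kind === 'C') { components.set(coordId, { coordId, jar: a }); sidecar.jars.add(a) }
    else if (kind === 'P') {
      projects.set(coordId, { coordId, srcDir: a, outDir: b })
      sidecar.sourceDirs.add(a); sidecar.outputDirs.add(b)
    }
  }
  return { components: [...components.values()], projects: [...projects.values()] }
}

// Upload guard: skip only when neither components nor projects were resolved.
const hasUploadableFacts = (f: Facts): boolean => f.components.length > 0 || f.projects.length > 0
const newSidecar = (): ResolvedPathsSidecar => ({ jars: new Set(), sourceDirs: new Set(), outputDirs: new Set() })
// Constructed records from two JVM roots (one component coordinate contains an escaped tab).
const GRADLE_RECORDS = 'P\tcom.example:app:1.0-abc123\t/repo/app/src/main/java\t/repo/app/build/classes\n' +
  'C\tcom.fasterxml.jackson.core:jackson-databind:2.17.0\t/home/u/.gradle/caches/jackson-databind-2.17.0.jar\n' +
  'C\tcom.fasterxml.jackson.core:jackson-databind:2.17.0\t/home/u/.gradle/caches/jackson-databind-2.17.0.jar'
const MAVEN_RECORDS = 'P\tcom.example:lib:1.0\t/repo/lib/src/main/java\t/repo/lib/target/classes\n' +
  'C\torg.example:odd\\tname:1.0\t/home/u/.m2/repository/odd.jar'
```

Calling assembleFacts once per root with the same sidecar object is what merges the resolved paths across roots; the guard is then evaluated per root.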

@jfblaa Jeppe Fredsgaard Blaabjerg (jfblaa) changed the title feat(manifest): generate JVM Socket facts natively + single-run reachability sidecar (REA-613) feat(manifest): generate JVM Socket facts natively + single-run reachability sidecar (1.1.130) Jun 30, 2026
@jfblaa Jeppe Fredsgaard Blaabjerg (jfblaa) changed the title feat(manifest): generate JVM Socket facts natively + single-run reachability sidecar (1.1.130) feat(manifest): generate JVM Socket facts natively + single-run reachability sidecar (1.1.132) Jun 30, 2026
@socket-security

socket-security Bot commented Jun 30, 2026


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff   Package                     Supply Chain Security  Vulnerability  Quality  Maintenance  License
Added  npm/@coana-tech/cli@15.6.3  96                     100            80       98           100


@socket-security

socket-security Bot commented Jun 30, 2026


All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.


@socket-security-staging

socket-security-staging Bot commented Jun 30, 2026


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff   Package                     Supply Chain Security  Vulnerability  Quality  Maintenance  License
Added  npm/@coana-tech/cli@15.6.3  97                     100            80       98           100


@socket-security-staging

socket-security-staging Bot commented Jun 30, 2026


All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.


@jfblaa Jeppe Fredsgaard Blaabjerg (jfblaa) force-pushed the jfblaa/rea-613-producer branch 3 times, most recently from 7d25c59 to 5054196 on June 30, 2026 15:17
@jfblaa Jeppe Fredsgaard Blaabjerg (jfblaa) changed the title feat(manifest): generate JVM Socket facts natively + single-run reachability sidecar (1.1.132) feat(manifest): generate JVM Socket facts natively + single-run reachability sidecar (1.1.132, Coana 15.6.3) Jun 30, 2026
@jfblaa Jeppe Fredsgaard Blaabjerg (jfblaa) marked this pull request as ready for review June 30, 2026 15:17

@cursor cursor Bot left a comment



Cursor Bugbot has reviewed your changes using high effort and found 2 potential issues.


Bugbot Autofix prepared a fix for the issue found in the latest run.

  • ✅ Fixed: Empty components skip valid facts
    • Updated the early-return guard to skip only when both components and projects are absent, preserving project-only facts and sidecar accumulation.


Preview (6d99852be8)
diff --git a/src/commands/manifest/run-manifest-facts.mts b/src/commands/manifest/run-manifest-facts.mts
--- a/src/commands/manifest/run-manifest-facts.mts
+++ b/src/commands/manifest/run-manifest-facts.mts
@@ -78,10 +78,10 @@
     logger.log(rendered.details)
   }
 
-  // No resolvable dependencies → nothing to upload.
-  if (!facts.components.length) {
+  // No resolvable dependencies or projects; nothing to upload.
+  if (!facts.components.length && !facts.projects?.length) {
     logger.warn(
-      `No resolvable ${ecosystem} dependencies found; nothing to upload.`,
+      `No resolvable ${ecosystem} dependencies or projects found; nothing to upload.`,
     )
     return
   }
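Review bot: the new guard is inconsistent about optionality: `facts.projects?.length` treats `projects` as possibly absent while `facts.components.length` assumes `components` is always present, so either document that `projects` is the only optional field or optional-chain both, and make the facts type agree. Worth flagging alongside this change: with the build tool's exit code still ignored (raised in the other review on this PR), a failed build that emitted project records but no component records now passes this guard and uploads a facts file with an empty component list instead of warning; failing closed on a non-zero exit code is the place to catch that, not this guard.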





@mtorp Martin Torp (mtorp) left a comment

Contributor


Approving. Reviewed the full TypeScript assembly/sidecar layer plus the three producers (Gradle init script, sbt plugin, Maven core extension); the records contract — field escaping, coordId keying, and field ordering — is consistent across all four, and the typecheck and new unit tests pass. The single-run sidecar approach is a clean way to kill the re-resolution divergence.

Two higher-severity, silent-failure items left as inline comments to address before this leaves draft / merges (not blockers for the approval itself, given merge is already gated on the Coana release):

  • Ignored build-tool exit code → a catastrophic build failure can degrade to a silent empty SBOM rather than failing closed.
  • Gradle records file is written in the JVM default charset instead of UTF-8 (the Maven and sbt producers already write UTF-8).

…ability sidecar (1.1.132, Coana 15.6.3)

Move the JVM build-tool resolution scripts (Gradle init script, sbt plugin, Maven
core extension) and the TypeScript SBOM assembler into socket-cli, so `socket
manifest` and `--auto-manifest` generate `.socket.facts.json` natively instead of
delegating to the Coana CLI's `manifest` command.

On `socket scan create --reach --auto-manifest` the build tool now runs exactly
once and emits both the SBOM and a resolved-paths sidecar, passed to
`coana run --compute-artifacts-sidecar`. Coana no longer re-resolves the build at
reach time, eliminating the divergence that broke dynamically-versioned projects
(git-derived versions, CI build numbers, timestamps).

Build-tool binary selection prefers the project's wrapper (./gradlew, ./mvnw) and
falls back to gradle/mvn on PATH.

Bumps @coana-tech/cli to 15.6.3, which ships `--compute-artifacts-sidecar`.
@jfblaa Jeppe Fredsgaard Blaabjerg (jfblaa) merged commit 68d109f into v1.x Jun 30, 2026
13 checks passed
@jfblaa Jeppe Fredsgaard Blaabjerg (jfblaa) deleted the jfblaa/rea-613-producer branch June 30, 2026 19:41