feat(manifest): generate JVM Socket facts natively + single-run reachability sidecar (1.1.132, Coana 15.6.3)

[Jeppe Fredsgaard Blaabjerg (jfblaa)]

Summary

Moves JVM build-tool resolution (Gradle, sbt, Maven) into socket-cli, so socket manifest and --auto-manifest generate Socket facts natively. On socket scan create --reach --auto-manifest, the build tool runs once and produces both the SBOM and a resolved-paths sidecar for coana's reachability — instead of coana re-resolving the build at reach time, which diverged for dynamically-versioned projects (git versions, CI build numbers, timestamps) and surfaced as spurious "failed to install" / stale-manifest failures.

Related

• https://linear.app/socketdev/issue/REA-613
• https://linear.app/socketdev/issue/REA-607 — original reported issue
• https://github.com/coana-tech/coana-package-manager/pull/2292 — coana side

Release gating

⚠️ Draft — do not merge yet. Gated on the coana release that ships coana run --compute-artifacts-sidecar. Before merge: bump @coana-tech/cli to that version and fill the CHANGELOG.md placeholder (coana version + date).

Test plan

• pnpm check (lint + tsc) and unit tests green.
• Validated on Gradle (including a dynamic git-version build) and a multi-module Maven project; full --reach --auto-manifest end-to-end is pending the coana release.

---

Note

Medium Risk
Large new surface area (build-tool scripts, graph assembly, publish-time Maven jar) affects manifest and reachability correctness; behavior changes for all Gradle/sbt/Maven users but is covered by unit tests and on-demand compat matrices.

Overview
Gradle, sbt, and Maven Socket facts are generated inside socket-cli instead of delegating to coana manifest. Bundled Gradle init script, sbt plugin, and a Maven core extension emit tab-separated records; TypeScript (runManifestScript → assembleFacts) assembles .socket.facts.json and handles resolution failure reporting per ecosystem.

For --auto-manifest / reachability, the same build run can use --with-files to collect resolved jar paths and module source/output dirs into a ResolvedPathsSidecar (merged across JVM roots), so reachability reuses one resolution instead of Coana re-running the build (fixes dynamic-version / install-error mismatches).

Defaults: resolveBuildToolBin prefers ./gradlew / ./mvnw when present, else gradle / mvn on PATH (manifest commands and auto-manifest updated).

Shipping & CI: Dist build copies manifest assets into dist/manifest-scripts; Maven extension jar is built via build:maven-extension (provenance publish step). Label-gated manifest-gradle / manifest-sbt / manifest-maven workflows run version-matrix smoke tests. Release 1.1.132, @coana-tech/cli 15.6.3.

^{Reviewed by Cursor Bugbot for commit 5054196. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​coana-tech/​cli@​15.6.3

View full report

[socket-security]

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

[socket-security-staging]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​coana-tech/​cli@​15.6.3

View full report

[socket-security-staging]

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

[cursor]

Cursor Bugbot has reviewed your changes using high effort and found 2 potential issues.

Bugbot Autofix prepared a fix for the issue found in the latest run.

• ✅ Fixed: Empty components skip valid facts
  • Updated the early-return guard to skip only when both components and projects are absent, preserving project-only facts and sidecar accumulation.

Or push these changes by commenting:

@cursor push 6d99852be8

Preview (6d99852be8)

diff --git a/src/commands/manifest/run-manifest-facts.mts b/src/commands/manifest/run-manifest-facts.mts
--- a/src/commands/manifest/run-manifest-facts.mts
+++ b/src/commands/manifest/run-manifest-facts.mts
@@ -78,10 +78,10 @@
     logger.log(rendered.details)
   }
 
-  // No resolvable dependencies → nothing to upload.
-  if (!facts.components.length) {
+  // No resolvable dependencies or projects; nothing to upload.
+  if (!facts.components.length && !facts.projects?.length) {
     logger.warn(
-      `No resolvable ${ecosystem} dependencies found; nothing to upload.`,
+      `No resolvable ${ecosystem} dependencies or projects found; nothing to upload.`,
     )
     return
   }

_{You can send follow-ups to the cloud agent here.}

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit 5054196. Configure here.}

[Martin Torp (mtorp)]

Approving. Reviewed the full TypeScript assembly/sidecar layer plus the three producers (Gradle init script, sbt plugin, Maven core extension); the records contract — field escaping, coordId keying, and field ordering — is consistent across all four, and the typecheck and new unit tests pass. The single-run sidecar approach is a clean way to kill the re-resolution divergence.

Two higher-severity, silent-failure items left as inline comments to address before this leaves draft / merges (not blockers for the approval itself, given merge is already gated on the Coana release):

• Ignored build-tool exit code → a catastrophic build failure can degrade to a silent empty SBOM rather than failing closed.
• Gradle records file is written in the JVM default charset instead of UTF-8 (the Maven and sbt producers already write UTF-8).