Fix all review issues: security, determinism, infra, docs, frontend

Security:
- Cypher injection: replace startsWith blocklist with contains-based check,
  add REMOVE/FOREACH/LOAD CSV, no tx.commit() (read-only defense-in-depth)
- POST /api/analyze: add AtomicBoolean concurrency guard (409 Conflict)

Determinism:
- TopicLinker/ModuleContainmentLinker/EntityLinker: HashMap → TreeMap
- GraphBuilder: track droppedEdgeCount, getEdgeCount() excludes dropped edges

Robustness:
- AbstractAntlrDetector + Analyzer: catch Throwable (not just Exception)
  to handle ANTLR StackOverflowError on adversarial input
- Analyzer: executor created once before batch loop, not per-batch

Infrastructure:
- Dockerfile: install curl for HEALTHCHECK
- Helm: PVC for graph data (replaces emptyDir), configurable persistence
- application.yml: enable K8s liveness/readiness health probes

Documentation:
- CLAUDE.md: fix 7 SQLite→H2 refs, detector count 106→97, CLI 12→14,
  NodeKind 31→32, EdgeKind 26→27
- README.md: fix SonarCloud badge project key
- CI workflows: remove deleted java branch from triggers
- pom.xml: SCM URL tree/java → tree/main

Frontend:
- DOMPurify 3.2.7→3.3.3 (fixes 2 XSS vulnerabilities), 0 audit issues
- SpaController: add /dashboard route + catch-all for React Router

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: aksOps

.github/workflows/ci-java.yml

@@ -1,10 +1,10 @@
 name: Java CI
 on:
   push:
-    branches: [main, java]
+    branches: [main]
     paths: ['src/**', 'pom.xml']
   pull_request:
-    branches: [main, java]
+    branches: [main]
 
 jobs:
   build:

.github/workflows/sonarcloud-java.yml

@@ -1,10 +1,10 @@
 name: SonarCloud Java
 on:
   push:
-    branches: [main, java]
+    branches: [main]
     paths: ['src/**', 'pom.xml']
   pull_request:
-    branches: [main, java]
+    branches: [main]
 
 jobs:
   sonar:

CLAUDE.md

@@ -2,13 +2,13 @@
 
 ## What This Project Is
 
-**OSSCodeIQ** -- a CLI tool + server that scans codebases to build a deterministic code knowledge graph. No AI, no external APIs -- pure static analysis. 106 detectors, 35+ languages, Neo4j Embedded graph database, Hazelcast distributed cache, Spring AI MCP server, REST API, web UI.
+**OSSCodeIQ** -- a CLI tool + server that scans codebases to build a deterministic code knowledge graph. No AI, no external APIs -- pure static analysis. 97 detectors, 35+ languages, Neo4j Embedded graph database, Hazelcast distributed cache, Spring AI MCP server, REST API, web UI.
 
 - **Maven coordinates:** `io.github.randomcodespace.iq:code-iq`
 - **CLI command:** `code-iq` (via `java -jar`)
 - **Java package:** `io.github.randomcodespace.iq` (under `src/main/java/`)
 - **GitHub repo:** `RandomCodeSpace/code-iq` (branch: `java`)
-- **Cache directory on disk:** `.code-intelligence` (SQLite analysis cache)
+- **Cache directory on disk:** `.code-intelligence` (H2 analysis cache)
 - **Config file:** `.osscodeiq.yml` (project-level overrides)
 
 ## Tech Stack
@@ -22,7 +22,7 @@
 - ANTLR 4.13.2 (TypeScript/JavaScript, Python, Go, C#, Rust, C++ grammars)
 - Picocli 4.7.7 (CLI framework, integrated with Spring Boot)
 - Thymeleaf + HTMX (web UI)
-- SQLite JDBC (incremental analysis cache)
+- H2 (incremental analysis cache)
 
 ## Architecture
 
@@ -43,7 +43,7 @@ FileDiscovery --> Parsers --> Detectors (virtual threads) --> GraphBuilder (buff
 - **Linkers** -- run after all detectors: `TopicLinker`, `EntityLinker`, `ModuleContainmentLinker`
 - **LayerClassifier** -- sets `layer` property on every node: `frontend | backend | infra | shared | unknown`
 - **GraphStore** -- facade over Neo4j, delegates Cypher operations
-- **AnalysisCache** -- SQLite-backed file hash cache for incremental analysis
+- **AnalysisCache** -- H2-backed file hash cache for incremental analysis
 
 ### Spring Profiles
 - **`indexing`** -- active during CLI analyze/stats/graph/query/find/flow/bundle/cache/plugins commands. Starts Neo4j Embedded, runs analysis pipeline.
@@ -57,8 +57,8 @@ io.github.randomcodespace.iq
   |-- analyzer/                    # Pipeline: Analyzer, FileDiscovery, GraphBuilder, LayerClassifier
   |   |-- linker/                  # Cross-file linkers: TopicLinker, EntityLinker, ModuleContainmentLinker
   |-- api/                         # REST controllers: GraphController, FlowController
-  |-- cache/                       # AnalysisCache (SQLite), FileHasher
-  |-- cli/                         # Picocli commands (12 commands + CodeIqCli parent + CliOutput helper)
+  |-- cache/                       # AnalysisCache (H2), FileHasher
+  |-- cli/                         # Picocli commands (14 commands + CodeIqCli parent + CliOutput helper)
   |-- config/                      # Spring config: Neo4jConfig, HazelcastConfig, CodeIqConfig, JacksonConfig
   |-- detector/                    # Detector interface + 97 concrete detectors
   |   |-- auth/                    # LDAP, certificate, session/header auth
@@ -84,7 +84,7 @@ io.github.randomcodespace.iq
   |-- graph/                       # GraphStore (facade), GraphRepository (Spring Data Neo4j)
   |-- health/                      # GraphHealthIndicator (Spring Actuator)
   |-- mcp/                         # McpTools (21 Spring AI @Tool methods)
-  |-- model/                       # CodeNode, CodeEdge, NodeKind (31), EdgeKind (26)
+  |-- model/                       # CodeNode, CodeEdge, NodeKind (32), EdgeKind (27)
   |-- query/                       # QueryService (graph queries), StatsService (categorized stats)
   |-- web/                         # ExplorerController (Thymeleaf web UI)
 ```
@@ -104,7 +104,7 @@ io.github.randomcodespace.iq
 
 ### Virtual Thread Safety
 - All file I/O and Neo4j operations run on virtual threads
-- The SQLite analysis cache uses `synchronized` blocks for thread safety
+- The H2 analysis cache uses `synchronized` blocks for thread safety
 - Hazelcast cache operations are thread-safe by design
 - Detectors MUST be stateless -- Spring `@Component` beans are singletons
 
@@ -239,8 +239,8 @@ mvn checkstyle:check
 | `detector/AbstractRegexDetector.java` | Base class for regex detectors |
 | `detector/AbstractJavaParserDetector.java` | Base class for JavaParser-based detectors |
 | `detector/AbstractAntlrDetector.java` | Base class for ANTLR-based detectors |
-| `model/NodeKind.java` | 31 node types enum |
-| `model/EdgeKind.java` | 26 edge types enum |
+| `model/NodeKind.java` | 32 node types enum |
+| `model/EdgeKind.java` | 27 edge types enum |
 | `model/CodeNode.java` | Graph node entity (Spring Data Neo4j) |
 | `model/CodeEdge.java` | Graph edge entity (Spring Data Neo4j) |
 | `graph/GraphStore.java` | Neo4j facade |
@@ -249,7 +249,7 @@ mvn checkstyle:check
 | `config/HazelcastConfig.java` | Hazelcast cache configuration |
 | `config/CodeIqConfig.java` | Application configuration properties |
 | `config/ProjectConfigLoader.java` | Loads .osscodeiq.yml overrides |
-| `cache/AnalysisCache.java` | SQLite incremental cache |
+| `cache/AnalysisCache.java` | H2 incremental cache |
 | `api/GraphController.java` | REST API endpoints |
 | `api/FlowController.java` | Flow diagram endpoints |
 | `mcp/McpTools.java` | 21 MCP tool definitions (Spring AI @Tool) |
@@ -291,7 +291,7 @@ Placed in the codebase root, loaded by `ProjectConfigLoader` before analysis.
 - **Neo4j deprecation warnings**: `CodeEdge` uses Long IDs (deprecated). Plan to migrate to external IDs.
 - **MCP warnings in CLI mode**: "No tool/resource/prompt/complete methods found" -- expected when not in `serving` profile.
 - **XML DOCTYPE warnings**: Non-fatal stderr from XML parser encountering DOCTYPE declarations.
-- **Virtual thread pinning**: SQLite JDBC operations can pin carrier threads. Use `synchronized` blocks (not `ReentrantLock`) for virtual thread compatibility.
+- **Virtual thread pinning**: H2 JDBC operations can pin carrier threads. Use `synchronized` blocks (not `ReentrantLock`) for virtual thread compatibility.
 - **ANTLR generated sources**: Generated during `mvn generate-sources` from `.g4` files. Do not edit generated code in `grammar/` subdirectories.
 - **Graph builder determinism**: Uses indexed result slots (not append order) to ensure virtual thread completion order does not affect output.
 

Dockerfile

@@ -12,6 +12,8 @@ WORKDIR /app
 
 RUN groupadd -r appuser && useradd -r -g appuser -d /app appuser
 
+RUN apt-get update && apt-get install -y --no-install-recommends curl && rm -rf /var/lib/apt/lists/*
+
 COPY --from=builder /build/target/code-iq-*.jar app.jar
 
 # Training run for AOT cache — fail loudly so broken images are not published

README.md

@@ -10,8 +10,8 @@
   <a href="https://github.com/RandomCodeSpace/code-iq/actions/workflows/ci-java.yml"><img src="https://img.shields.io/github/actions/workflow/status/RandomCodeSpace/code-iq/ci-java.yml?branch=main&style=flat-square&logo=github&label=CI" alt="CI"></a>
   <a href="https://www.oracle.com/java/technologies/downloads/"><img src="https://img.shields.io/badge/Java-25-orange?style=flat-square&logo=openjdk&logoColor=white" alt="Java 25"></a>
   <a href="https://github.com/RandomCodeSpace/code-iq/blob/main/LICENSE"><img src="https://img.shields.io/github/license/RandomCodeSpace/code-iq?style=flat-square&label=License" alt="MIT License"></a>
-  <a href="https://sonarcloud.io/summary/overall?id=RandomCodeSpace_code-iq"><img src="https://sonarcloud.io/api/project_badges/measure?project=RandomCodeSpace_code-iq&metric=security_rating" alt="Security"></a>
-  <a href="https://sonarcloud.io/summary/overall?id=RandomCodeSpace_code-iq"><img src="https://sonarcloud.io/api/project_badges/measure?project=RandomCodeSpace_code-iq&metric=reliability_rating" alt="Reliability"></a>
+  <a href="https://sonarcloud.io/summary/overall?id=RandomCodeSpace_code-iq-java"><img src="https://sonarcloud.io/api/project_badges/measure?project=RandomCodeSpace_code-iq-java&metric=security_rating" alt="Security"></a>
+  <a href="https://sonarcloud.io/summary/overall?id=RandomCodeSpace_code-iq-java"><img src="https://sonarcloud.io/api/project_badges/measure?project=RandomCodeSpace_code-iq-java&metric=reliability_rating" alt="Reliability"></a>
   <a href="https://github.com/RandomCodeSpace/code-iq"><img src="https://img.shields.io/badge/detectors-97-brightgreen?style=flat-square&logo=codefactor&logoColor=white" alt="97 Detectors"></a>
   <a href="https://github.com/RandomCodeSpace/code-iq"><img src="https://img.shields.io/badge/languages-35%2B-blue?style=flat-square&logo=stackblitz&logoColor=white" alt="35+ Languages"></a>
 </p>

helm/code-iq/templates/deployment.yaml

@@ -52,4 +52,9 @@ spec:
               mountPath: /app/data
       volumes:
         - name: data
+          {{- if .Values.persistence.enabled }}
+          persistentVolumeClaim:
+            claimName: {{ .Release.Name }}-code-iq-data
+          {{- else }}
           emptyDir: {}
+          {{- end }}

helm/code-iq/templates/pvc.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.persistence.enabled }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ .Release.Name }}-code-iq-data
+  labels:
+    app: {{ .Release.Name }}-code-iq
+spec:
+  accessModes:
+    - {{ .Values.persistence.accessMode | default "ReadWriteOnce" }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.size | default "10Gi" }}
+  {{- if .Values.persistence.storageClass }}
+  storageClassName: {{ .Values.persistence.storageClass }}
+  {{- end }}
+{{- end }}

helm/code-iq/values.yaml

@@ -37,6 +37,12 @@ probes:
     initialDelaySeconds: 30
     periodSeconds: 15
 
+persistence:
+  enabled: true
+  size: 10Gi
+  accessMode: ReadWriteOnce
+  # storageClass: ""
+
 env:
   SPRING_PROFILES_ACTIVE: serving
   CODEIQ_GRAPH_PATH: /app/data/graph.db

pom.xml

@@ -151,7 +151,7 @@
     <scm>
         <connection>scm:git:git://github.com/RandomCodeSpace/code-iq.git</connection>
         <developerConnection>scm:git:ssh://github.com:RandomCodeSpace/code-iq.git</developerConnection>
-        <url>https://github.com/RandomCodeSpace/code-iq/tree/java</url>
+        <url>https://github.com/RandomCodeSpace/code-iq/tree/main</url>
     </scm>
 
     <build>