phase a/fixups spotbugs (#43)

* build(spotbugs): add exclude filter for generated parsers and known noise rules

Reduces SpotBugs findings 1,492 -> 51 (96.6%) by excluding:
- ANTLR-generated parser/lexer/listener/visitor classes (regenerated from .g4)
- NM_METHOD_NAMING_CONVENTION (noise from generated code and ANTLR hooks)
- SF_SWITCH_NO_DEFAULT (stylistic; SF_SWITCH_FALLTHROUGH still enforced)
- EI_EXPOSE_REP / EI_EXPOSE_REP2 (internal DTOs, no trust boundary crossed)
- MS_PKGPROTECT / MS_FINAL_PKGPROTECT (no same-package attacker model)

Each exclusion carries a rationale comment in spotbugs-exclude.xml.

* fix(spotbugs): address 4 priority-1 findings in core code

- Analyzer.getGitHead: decode `git rev-parse HEAD` bytes as UTF-8
  instead of platform default (DM_DEFAULT_ENCODING).
- IndexCommand.call: narrow the cache-delete catch from blanket
  `Exception ignored` to `IOException` with a debug log line so
  silent data-loss is traceable (DE_MIGHT_IGNORE).
- PluginsCommand.categoryDescription: remove dead `Set<String>
  frameworks` local that was assigned and never read
  (DLS_DEAD_LOCAL_STORE).
- AntlrParserFactory.parse: replace identity-compare (`==`) of cache
  key with `.equals()`; cache behavior is unchanged because the
  parse tree is a deterministic function of content, so equal
  content yields an equivalent tree (ES_COMPARING_PARAMETER_STRING_WITH_EQ).

Verified `mvn compile` clean on phase-a/fixups-spotbugs.

* fix(spotbugs): concurrency and correctness priority-2 findings

- AnalysisCache.removeFile: guarantee rwLock.writeLock().unlock() on all
  exception paths by wrapping the finally's conn.setAutoCommit(true) in its
  own try-finally. Previously, a non-SQLException thrown by setAutoCommit
  (RuntimeException/Error) would escape the finally block before unlock ran,
  leaking the write lock. (UL_UNRELEASED_LOCK_EXCEPTION_PATH)

  Note: the same setAutoCommit-in-finally-then-unlock pattern appears in two
  other methods in this class; SpotBugs only flagged removeFile, but they
  likely share the same risk. Out of scope for this PR; file a follow-up.

- CodeIqApplication.main: collapse three identical else-if branches (isIndex /
  isEnrich / default) into one else with a combined rationale comment.
  (DB_DUPLICATE_BRANCHES)

- BundleCommand: remove unused private 4-arg writeEntry(zos, name, content,
  lineEnding) that delegated to the 3-arg overload and silently discarded
  lineEnding. (UPM_UNCALLED_PRIVATE_METHOD)

- PluginsCommand.SuggestSubcommand: iterate languageCounts.entrySet() instead
  of keySet() + get(). (WMI_WRONG_MAP_ITERATOR)

- GitLabCiDetector.detect: iterate data.entrySet() instead of keySet() + get().
  (WMI_WRONG_MAP_ITERATOR)

- CSharpPreprocessorParserBase: replace reference-compare (== / !=) on
  expression values with Objects.equals(). The compared values are String
  literals 'true'/'false' produced by sibling methods, so logical equality is
  the intended semantic; using == only worked coincidentally via string
  interning. (ES_COMPARING_STRINGS_WITH_EQ x2)

- VersionCommand.resolveVersion: narrow the outer catch from Exception to
  IOException since that is the only checked exception props.load can throw.
  Updated comment to document that the branch is an intentional fallthrough
  to the manifest-based lookup. (REC_CATCH_EXCEPTION)

Verified mvn compile clean.

* build(spotbugs): narrow-suppress 2 parser-base RCN + 1 BX finding, record triage result

Added narrow exclude rules (class + pattern pair, not global) for:
- RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE in CSharpParserBase and
  GoParserBase — hand-written ANTLR parser support classes carried over
  from antlr/grammars-v4. Defensive null checks are harmless; touching
  them risks divergence if we re-sync upstream.
- BX_UNBOXING_IMMEDIATELY_REBOXED in CSharpPreprocessorParserBase —
  same origin, micro-perf, not correctness.

Updated BASELINE.md to mark the SpotBugs gap as RESOLVED with final
counts (1,492 -> 38; priority-1: 8 -> 0) and a pointer to the
post-triage summary JSON.

* fix(cache): extend nested-try-finally lock release to remaining AnalysisCache methods

Follow-up to 798bccf. That commit fixed UL_UNRELEASED_LOCK_EXCEPTION_PATH
in AnalysisCache.removeFile and flagged the same lock-leak pattern in
two other methods that SpotBugs did not surface (likely because they
differ subtly in what's inside the outer try body).

Both methods — storeResults (the INSERT nodes/edges path) and the
replace-with-enriched-data path — had:

    } finally {
        try { conn.setAutoCommit(true); } catch (SQLException ignored) {}
        rwLock.writeLock().unlock();
    }

If conn.setAutoCommit(true) throws anything other than SQLException
(RuntimeException or Error), execution exits the finally before
rwLock.writeLock().unlock() runs, leaving the write lock held and
freezing all subsequent cache writers.

Wrap setAutoCommit in a nested try-finally so unlock is always reached:

    } finally {
        try {
            try { conn.setAutoCommit(true); } catch (SQLException ignored) {}
        } finally {
            rwLock.writeLock().unlock();
        }
    }

All three lock-holding paths (removeFile, storeResults, replace-with-
enriched) now share the same exception-safe pattern. mvn test -Dtest=
AnalysisCacheTest passes.

Author: aksOps

docs/superpowers/baselines/2026-04-17/BASELINE.md

@@ -230,6 +230,7 @@ Ordered by severity. Each item cites the raw artifact it was derived from.
 
 - **SpotBugs: 8 HIGH-priority findings (priority=1) + 1,484 at priority=2.** Total 1,492. HIGH findings must be triaged individually (read `raw/spotbugs.xml`). Noise-dominant rules (`NM_METHOD_NAMING_CONVENTION`=730, `SF_SWITCH_NO_DEFAULT`=448) should be filtered via a SpotBugs exclude file so real signal surfaces; real-concern patterns that deserve review now: `NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE` (26), `BC_UNCONFIRMED_CAST` (55), `UL_UNRELEASED_LOCK_EXCEPTION_PATH` (1), `WMI_WRONG_MAP_ITERATOR` (2), `ES_COMPARING_STRINGS_WITH_EQ` (2), `MT_CORRECTNESS` category (1).
   - Raw: `raw/spotbugs.xml`, `raw/spotbugs-summary.json`.
+  - **RESOLVED (2026-04-17, branch `phase-a/fixups-spotbugs`)**: Added `spotbugs-exclude.xml` covering ANTLR-generated parsers and global noise rules (`NM_METHOD_NAMING_CONVENTION`, `SF_SWITCH_NO_DEFAULT`, `EI_EXPOSE_REP`/`EI_EXPOSE_REP2`, `MS_PKGPROTECT`/`MS_FINAL_PKGPROTECT`), wired via `pom.xml`. Fixed all 8 priority-1 findings in codeiq code (UTF-8 in `Analyzer.getGitHead`, narrowed catch in `IndexCommand`, dead-store removed in `PluginsCommand`, `.equals()` in `AntlrParserFactory` + `CSharpPreprocessorParserBase`, try-finally unlock in `AnalysisCache.removeFile`, merged duplicate branches in `CodeIqApplication`, removed dead `BundleCommand.writeEntry` overload, `entrySet()` iteration in `PluginsCommand` + `GitLabCiDetector`, narrowed `VersionCommand` catch). **Final: 1,492 → 38 (-97.5%); priority-1: 8 → 0.** Remaining 38 are priority-2 STYLE/BAD_PRACTICE; no CORRECTNESS/MT_CORRECTNESS/SECURITY left. Next-pass candidates: 26 `NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE`. Post-triage summary: `raw/spotbugs-summary-after-triage.json`.
 
 ### Medium
 

pom.xml

@@ -323,6 +323,9 @@
                 <groupId>com.github.spotbugs</groupId>
                 <artifactId>spotbugs-maven-plugin</artifactId>
                 <version>${spotbugs.version}</version>
+                <configuration>
+                    <excludeFilterFile>spotbugs-exclude.xml</excludeFilterFile>
+                </configuration>
             </plugin>
 
             <plugin>

spotbugs-exclude.xml

@@ -0,0 +1,93 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  SpotBugs exclude filter for code-iq.
+
+  Philosophy: fail CI on real bugs, not on stylistic or generated-code noise.
+  Each entry MUST have a rationale comment. If a rule here ever catches a
+  genuine bug in new code, narrow or remove it — never silently live with it.
+
+  Docs: https://spotbugs.readthedocs.io/en/latest/filter.html
+-->
+<FindBugsFilter>
+
+    <!--
+      ANTLR-generated parser sources.
+      Regenerated on every `mvn generate-sources` from .g4 files in
+      src/main/antlr4/. Fixing findings here is futile. Hand-written ANTLR
+      support classes (name ends in `Base`, e.g. CSharpParserBase) are NOT
+      excluded — those are ours to fix.
+    -->
+    <Match>
+        <Class name="~io\.github\.randomcodespace\.iq\.grammar\..*(Parser|Lexer|Listener|Visitor)$"/>
+    </Match>
+
+    <!--
+      NM_METHOD_NAMING_CONVENTION — camelCase/PascalCase warnings.
+      730 findings, nearly all from generated parsers and overridden ANTLR
+      hooks (e.g. `OnPreprocessorExpressionConditionalEq`). Not actionable
+      for new hand-written code; the compiler + review catch real typos.
+    -->
+    <Match>
+        <Bug pattern="NM_METHOD_NAMING_CONVENTION"/>
+    </Match>
+
+    <!--
+      SF_SWITCH_NO_DEFAULT — stylistic.
+      448 findings, dominated by generated ANTLR rule dispatch. Real
+      fall-through/dead-store bugs are caught separately by
+      SF_SWITCH_FALLTHROUGH and SF_DEAD_STORE_DUE_TO_SWITCH_FALLTHROUGH,
+      which we DO enforce.
+    -->
+    <Match>
+        <Bug pattern="SF_SWITCH_NO_DEFAULT"/>
+    </Match>
+
+    <!--
+      EI_EXPOSE_REP / EI_EXPOSE_REP2 — "constructor/getter stores or returns
+      internal mutable state". 123 findings across detector result DTOs and
+      graph-model records. No trust boundary is crossed here: these objects
+      live inside a single JVM and are consumed by trusted pipeline code.
+      Defensive copies would add GC cost for no security benefit. If we ever
+      expose these across a security boundary, tighten here.
+    -->
+    <Match>
+        <Bug pattern="EI_EXPOSE_REP"/>
+    </Match>
+    <Match>
+        <Bug pattern="EI_EXPOSE_REP2"/>
+    </Match>
+
+    <!--
+      MS_PKGPROTECT / MS_FINAL_PKGPROTECT — "mutable non-final static field
+      could be overwritten by a malicious subclass in the same package".
+      80 findings. This JVM runs no untrusted bytecode; there is no
+      same-package attacker model. Pure noise.
+    -->
+    <Match>
+        <Bug pattern="MS_PKGPROTECT"/>
+    </Match>
+    <Match>
+        <Bug pattern="MS_FINAL_PKGPROTECT"/>
+    </Match>
+
+    <!--
+      RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE in hand-written ANTLR parser
+      support classes (CSharpParserBase, GoParserBase). Defensive null checks
+      carried over verbatim from antlr/grammars-v4 grammar action files. Harmless;
+      divergence risk if we "fix" them because upstream may re-sync.
+    -->
+    <Match>
+        <Class name="~io\.github\.randomcodespace\.iq\.grammar\.(csharp\.CSharpParserBase|golang\.GoParserBase)"/>
+        <Bug pattern="RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE"/>
+    </Match>
+
+    <!--
+      BX_UNBOXING_IMMEDIATELY_REBOXED in CSharpPreprocessorParserBase: grammar
+      action code adapted from upstream. Micro-perf, not a correctness issue.
+    -->
+    <Match>
+        <Class name="io.github.randomcodespace.iq.grammar.csharp.CSharpPreprocessorParserBase"/>
+        <Bug pattern="BX_UNBOXING_IMMEDIATELY_REBOXED"/>
+    </Match>
+
+</FindBugsFilter>

src/main/java/io/github/randomcodespace/iq/CodeIqApplication.java

@@ -96,17 +96,12 @@ public static void main(String[] args) {
             // Point Neo4j config to the graph path (enriched or new empty db).
             // GraphBootstrapper will auto-load from H2 cache if no enriched graph exists.
             System.setProperty("codeiq.graph.path", graphDbPath.toString());
-        } else if (isIndex) {
-            app.setAdditionalProfiles("indexing");
-            // Index command: no web server, no Neo4j
-            app.setWebApplicationType(org.springframework.boot.WebApplicationType.NONE);
-        } else if (isEnrich) {
-            // Enrich command: no web server, Neo4j started programmatically
-            app.setAdditionalProfiles("indexing");
-            app.setWebApplicationType(org.springframework.boot.WebApplicationType.NONE);
         } else {
+            // All non-serve commands (index, enrich, analyze, stats, ...) share the same
+            // Spring setup: "indexing" profile, no web server. index/enrich open Neo4j
+            // programmatically when needed. Previously split into three identical
+            // branches — SpotBugs DB_DUPLICATE_BRANCHES.
             app.setAdditionalProfiles("indexing");
-            // Disable web server for non-serve commands
             app.setWebApplicationType(org.springframework.boot.WebApplicationType.NONE);
         }
 

src/main/java/io/github/randomcodespace/iq/analyzer/Analyzer.java

@@ -1,5 +1,6 @@
 package io.github.randomcodespace.iq.analyzer;
 
+import java.nio.charset.StandardCharsets;
 import io.github.randomcodespace.iq.analyzer.linker.Linker;
 import io.github.randomcodespace.iq.cache.AnalysisCache;
 import io.github.randomcodespace.iq.cache.FileHasher;
@@ -1608,7 +1609,7 @@ private String getGitHead(Path repoPath) {
                     .directory(repoPath.toFile())
                     .redirectErrorStream(true);
             Process proc = pb.start();
-            String sha = new String(proc.getInputStream().readAllBytes()).trim();
+            String sha = new String(proc.getInputStream().readAllBytes(), StandardCharsets.UTF_8).trim();
             int exitCode = proc.waitFor();
             if (exitCode == 0 && sha.length() >= 7) {
                 return sha;

src/main/java/io/github/randomcodespace/iq/cache/AnalysisCache.java

@@ -372,10 +372,16 @@ public void storeResults(String contentHash, String filePath, String language,
             log.warn("Failed to store cached results for hash {}", contentHash, e);
         } finally {
             try {
-                conn.setAutoCommit(true);
-            } catch (SQLException ignored) {
+                try {
+                    conn.setAutoCommit(true);
+                } catch (SQLException ignored) {
+                    // best-effort restore; the INSERTs have already been committed or rolled back.
+                }
+            } finally {
+                // Guarantee unlock even if conn.setAutoCommit throws a non-SQLException
+                // (RuntimeException / Error). Fixes SpotBugs UL_UNRELEASED_LOCK_EXCEPTION_PATH.
+                rwLock.writeLock().unlock();
             }
-            rwLock.writeLock().unlock();
         }
     }
 
@@ -453,10 +459,16 @@ public void removeFile(String contentHash) {
             log.warn("Failed to remove cached file {}", contentHash, e);
         } finally {
             try {
-                conn.setAutoCommit(true);
-            } catch (SQLException ignored) {
+                try {
+                    conn.setAutoCommit(true);
+                } catch (SQLException ignored) {
+                    // best-effort restore; the DELETEs have already been committed or rolled back.
+                }
+            } finally {
+                // Guarantee unlock even if conn.setAutoCommit throws a non-SQLException
+                // (RuntimeException / Error). Fixes SpotBugs UL_UNRELEASED_LOCK_EXCEPTION_PATH.
+                rwLock.writeLock().unlock();
             }
-            rwLock.writeLock().unlock();
         }
     }
 
@@ -599,10 +611,16 @@ public void replaceAll(List<CodeNode> nodes, List<CodeEdge> edges) {
             log.warn("Failed to replace cache with enriched data", e);
         } finally {
             try {
-                conn.setAutoCommit(true);
-            } catch (SQLException ignored) {
+                try {
+                    conn.setAutoCommit(true);
+                } catch (SQLException ignored) {
+                    // best-effort restore; the INSERTs have already been committed or rolled back.
+                }
+            } finally {
+                // Guarantee unlock even if conn.setAutoCommit throws a non-SQLException
+                // (RuntimeException / Error). Fixes SpotBugs UL_UNRELEASED_LOCK_EXCEPTION_PATH.
+                rwLock.writeLock().unlock();
             }
-            rwLock.writeLock().unlock();
         }
     }
 

src/main/java/io/github/randomcodespace/iq/cli/BundleCommand.java

@@ -464,9 +464,4 @@ private void writeEntry(ZipOutputStream zos, String name, String content) throws
         zos.closeEntry();
     }
 
-    private void writeEntry(ZipOutputStream zos, String name, String content, String lineEnding)
-            throws IOException {
-        writeEntry(zos, name, content);
-    }
-
 }

src/main/java/io/github/randomcodespace/iq/cli/IndexCommand.java

@@ -85,8 +85,15 @@ public Integer call() {
             if (java.nio.file.Files.exists(cacheDir)) {
                 try {
                     try (var walk = java.nio.file.Files.walk(cacheDir)) {
+                        var logger = org.slf4j.LoggerFactory.getLogger(IndexCommand.class);
                         walk.sorted(java.util.Comparator.reverseOrder())
-                                .forEach(p -> { try { java.nio.file.Files.deleteIfExists(p); } catch (Exception ignored) {} });
+                                .forEach(p -> {
+                                    try {
+                                        java.nio.file.Files.deleteIfExists(p);
+                                    } catch (java.io.IOException ex) {
+                                        logger.debug("Could not delete cache entry {}: {}", p, ex.getMessage());
+                                    }
+                                });
                     }
                     CliOutput.info("  Deleted existing cache at " + cacheDir);
                 } catch (Exception e) {

src/main/java/io/github/randomcodespace/iq/cli/PluginsCommand.java

@@ -100,8 +100,6 @@ public Integer call() {
          * or falls back to a sensible default.
          */
         static String categoryDescription(String category, List<Detector> detectors) {
-            // Collect unique frameworks from DetectorInfo if available
-            Set<String> frameworks = new TreeSet<>();
             for (Detector d : detectors) {
                 DetectorInfo info = d.getClass().getAnnotation(DetectorInfo.class);
                 if (info != null && info.description() != null && !info.description().isEmpty()) {
@@ -406,8 +404,9 @@ public FileVisitResult visitFileFailed(Path file, IOException exc) {
             yaml.append("# Optimized for this project's detected languages\n\n");
 
             yaml.append("languages:\n");
-            for (String lang : languageCounts.keySet()) {
-                yaml.append("  - ").append(lang).append("  # ").append(languageCounts.get(lang)).append(" files\n");
+            for (Map.Entry<String, Integer> entry : languageCounts.entrySet()) {
+                yaml.append("  - ").append(entry.getKey())
+                        .append("  # ").append(entry.getValue()).append(" files\n");
             }
 
             yaml.append("\ndetectors:\n");

src/main/java/io/github/randomcodespace/iq/cli/VersionCommand.java

@@ -38,8 +38,8 @@ private static String resolveVersion() {
                 String v = props.getProperty("build.version");
                 if (v != null && !v.isBlank()) return v;
             }
-        } catch (Exception ignored) {
-            // intentionally empty
+        } catch (java.io.IOException ignored) {
+            // build-info.properties is optional; fall through to manifest lookup.
         }
         // Fallback: Implementation-Version from JAR manifest
         String v = VersionCommand.class.getPackage().getImplementationVersion();