graphql-java
diff --git a/‎.claude/commands/jspecify-annotate.md‎
Lines changed: 0 additions & 126 deletions b/‎.claude/commands/jspecify-annotate.md‎
Lines changed: 0 additions & 126 deletions
diff --git a/‎.gitattributes‎
Lines changed: 1 addition & 0 deletions b/‎.gitattributes‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.githooks/pre-commit‎
Lines changed: 43 additions & 1 deletion b/‎.githooks/pre-commit‎
Lines changed: 43 additions & 1 deletion
diff --git a/‎.github/aw/actions-lock.json‎
Lines changed: 14 additions & 0 deletions b/‎.github/aw/actions-lock.json‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎.github/dependabot.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/dependabot.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/scripts/parse-jacoco.js‎
Lines changed: 103 additions & 0 deletions b/‎.github/scripts/parse-jacoco.js‎
Lines changed: 103 additions & 0 deletions
@@ -0,0 +1 @@
+.github/workflows/*.lock.yml linguist-generated=true merge=ours
@@ -1,11 +1,14 @@
 #!/bin/bash
 
-# Pre-commit hook to enforce Windows compatibility and file size limits
+# Pre-commit hook to enforce Windows compatibility, file size limits,
+# and dangerous Unicode character detection.
 #
 # 1. Windows filenames: prevents characters that are reserved on Windows (< > : " | ? * \)
 #    so the repo can be cloned on Windows systems.
 # 2. File size: rejects files larger than 10 MB. Many enterprise users mirror graphql-java
 #    into internal repositories that enforce file size limits.
+# 3. Dangerous Unicode: detects invisible/control characters that can be used for
+#    "Trojan Source" (BiDi override), homoglyph, or glassworm-style attacks.
 
 # ANSI color codes for better output readability
 RED='\033[0;31m'
@@ -75,6 +78,45 @@ if [ -n "$LARGE_FILES" ]; then
     ERRORS_FOUND=1
 fi
 
+# Check 3: Dangerous Unicode characters (Trojan Source / glassworm attacks)
+# Detects: C0/C1 control chars (except TAB, LF, CR), zero-width characters,
+# BiDi override/embedding/isolate chars.
+# Uses perl for macOS compatibility (grep -P is not available on macOS).
+echo "  Checking for dangerous Unicode characters..."
+
+UNICODE_FILES=""
+if [ -n "$STAGED_FILES" ]; then
+    while IFS= read -r file; do
+        if [ ! -f "$file" ]; then
+            continue
+        fi
+        # Skip binary files
+        if file --mime-type "$file" 2>/dev/null | grep -qv 'text/'; then
+            continue
+        fi
+        MATCHES=$(perl -CSD -ne '
+            if (/[\x{0000}-\x{0008}\x{000B}\x{000C}\x{000E}-\x{001F}\x{007F}-\x{009F}\x{200B}-\x{200D}\x{FEFF}\x{202A}-\x{202E}\x{2066}-\x{2069}]/) {
+                print "    line $.: $_";
+            }
+        ' "$file" 2>/dev/null || true)
+        if [ -n "$MATCHES" ]; then
+            UNICODE_FILES="${UNICODE_FILES}  - ${file}\n${MATCHES}\n"
+        fi
+    done <<< "$STAGED_FILES"
+fi
+
+if [ -n "$UNICODE_FILES" ]; then
+    echo -e "${RED}Error: The following files contain dangerous Unicode characters:${NC}"
+    echo -e "$UNICODE_FILES"
+    echo -e "${YELLOW}These characters are invisible or alter text rendering and can be used for${NC}"
+    echo -e "${YELLOW}Trojan Source or glassworm-style attacks. Detected character categories:${NC}"
+    echo -e "${YELLOW}  - C0/C1 control characters (U+0000-001F, U+007F-009F, except TAB/LF/CR)${NC}"
+    echo -e "${YELLOW}  - Zero-width characters (U+200B-200D, U+FEFF)${NC}"
+    echo -e "${YELLOW}  - BiDi override/isolate (U+202A-202E, U+2066-2069)${NC}"
+    echo -e "${YELLOW}Please remove these characters from the affected files.${NC}"
+    ERRORS_FOUND=1
+fi
+
 # Exit with error if any checks failed
 if [ "$ERRORS_FOUND" -eq 1 ]; then
     echo -e "${RED}Pre-commit checks failed. Please fix the issues above and try again.${NC}"
 
@@ -0,0 +1,14 @@
+{
+  "entries": {
+    "actions/github-script@v8": {
+      "repo": "actions/github-script",
+      "version": "v8",
+      "sha": "ed597411d8f924073f98dfc5c65a23a2325f34cd"
+    },
+    "github/gh-aw/actions/setup@v0.49.0": {
+      "repo": "github/gh-aw/actions/setup",
+      "version": "v0.49.0",
+      "sha": "0eb518a648ba8178f4f42559a4c250d3e513acd1"
+    }
+  }
+}
@@ -3,8 +3,8 @@ updates:
   - package-ecosystem: "gradle"
     directory: "/"
     schedule:
-      interval: "weekly"
+      interval: "monthly"
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "weekly"
+      interval: "monthly"
@@ -0,0 +1,103 @@
+// Shared JaCoCo XML parser used by CI workflows.
+// Extracts overall and per-class coverage counters from a JaCoCo XML report.
+
+const fs = require('fs');
+
+const zeroCov = { covered: 0, missed: 0 };
+
+function parseJacocoXml(jacocoFile) {
+  const result = { overall: {}, classes: {} };
+
+  if (!fs.existsSync(jacocoFile)) {
+    return null;
+  }
+
+  const xml = fs.readFileSync(jacocoFile, 'utf8');
+
+  // Overall counters (outside <package> tags)
+  const stripped = xml.replace(/<package[\s\S]*?<\/package>/g, '');
+  const re = /<counter type="(\w+)" missed="(\d+)" covered="(\d+)"\/>/g;
+  let m;
+  while ((m = re.exec(stripped)) !== null) {
+    const entry = { covered: parseInt(m[3]), missed: parseInt(m[2]) };
+    if (m[1] === 'LINE') result.overall.line = entry;
+    else if (m[1] === 'BRANCH') result.overall.branch = entry;
+    else if (m[1] === 'METHOD') result.overall.method = entry;
+  }
+
+  // Per-class counters from <package>/<class> elements.
+  // The negative lookbehind (?<!\/) prevents matching self-closing <class .../> tags
+  // (interfaces, annotations) which have no body and would otherwise steal the next
+  // class's counters.
+  const pkgRe = /<package\s+name="([^"]+)">([\s\S]*?)<\/package>/g;
+  let pkgMatch;
+  while ((pkgMatch = pkgRe.exec(xml)) !== null) {
+    const pkgBody = pkgMatch[2];
+    const classRe = /<class\s+name="([^"]+)"[^>]*(?<!\/)>([\s\S]*?)<\/class>/g;
+    let classMatch;
+    while ((classMatch = classRe.exec(pkgBody)) !== null) {
+      const className = classMatch[1].replace(/\//g, '.');
+      const classBody = classMatch[2];
+      const counters = { line: { ...zeroCov }, branch: { ...zeroCov }, method: { ...zeroCov } };
+      const cntRe = /<counter type="(\w+)" missed="(\d+)" covered="(\d+)"\/>/g;
+      let cntMatch;
+      while ((cntMatch = cntRe.exec(classBody)) !== null) {
+        const entry = { covered: parseInt(cntMatch[3]), missed: parseInt(cntMatch[2]) };
+        if (cntMatch[1] === 'LINE') counters.line = entry;
+        else if (cntMatch[1] === 'BRANCH') counters.branch = entry;
+        else if (cntMatch[1] === 'METHOD') counters.method = entry;
+      }
+      // Extract per-method counters within this class.
+      // JaCoCo XML contains <method name="..." desc="..." line="..."> elements
+      // each with their own <counter> children.
+      const methods = [];
+      const methodRe = /<method\s+name="([^"]+)"\s+desc="([^"]+)"(?:\s+line="(\d+)")?[^>]*>([\s\S]*?)<\/method>/g;
+      let methodMatch;
+      while ((methodMatch = methodRe.exec(classBody)) !== null) {
+        const mCounters = { line: { ...zeroCov }, branch: { ...zeroCov }, method: { ...zeroCov } };
+        const mCntRe = /<counter type="(\w+)" missed="(\d+)" covered="(\d+)"\/>/g;
+        let mCntMatch;
+        while ((mCntMatch = mCntRe.exec(methodMatch[4])) !== null) {
+          const entry = { covered: parseInt(mCntMatch[3]), missed: parseInt(mCntMatch[2]) };
+          if (mCntMatch[1] === 'LINE') mCounters.line = entry;
+          else if (mCntMatch[1] === 'BRANCH') mCounters.branch = entry;
+          else if (mCntMatch[1] === 'METHOD') mCounters.method = entry;
+        }
+        const totalLines = mCounters.line.covered + mCounters.line.missed;
+        if (totalLines > 0) {
+          methods.push({
+            name: methodMatch[1],
+            desc: methodMatch[2],
+            line: methodMatch[3] ? parseInt(methodMatch[3]) : null,
+            counters: mCounters,
+          });
+        }
+      }
+
+      // Skip classes with 0 total lines (empty interfaces, annotations)
+      if (counters.line.covered + counters.line.missed > 0) {
+        result.classes[className] = counters;
+        if (methods.length > 0) {
+          result.classes[className].methods = methods;
+        }
+      }
+    }
+  }
+
+  return result;
+}
+
+function pct(covered, missed) {
+  const total = covered + missed;
+  return total === 0 ? 0 : (covered / total * 100);
+}
+
+// A coverage metric is a "real regression" when BOTH the percentage drops
+// beyond the tolerance AND the absolute number of missed items increases.
+// This avoids false positives when well-covered code is extracted/moved out
+// of a class (which lowers the percentage without actually losing coverage).
+function isRegression(currPct, basePct, currMissed, baseMissed, tolerance = 0.05) {
+  return currPct < basePct - tolerance && currMissed > baseMissed;
+}
+
+module.exports = { parseJacocoXml, pct, zeroCov, isRegression };
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+.github/workflows/*.lock.yml linguist-generated=true merge=ours`