Bump org.atmosphere:atmosphere-runtime from 3.1.0 to 4.0.39 #3058

Closed
dependabot[bot] wants to merge 1 commit into main from
dependabot/maven/org.atmosphere-atmosphere-runtime-4.0.39

Conversation


@dependabot dependabot Bot commented on behalf of github Apr 27, 2026

Bumps org.atmosphere:atmosphere-runtime from 3.1.0 to 4.0.39.

Release notes

Sourced from org.atmosphere:atmosphere-runtime's releases.

Atmosphere 4.0.39

✨ Added

  • serve /favicon.ico from both starters to kill the default 404
    AtmosphereFaviconAutoConfiguration returns the Atmosphere logo PNG on /favicon.ico and /favicon.png for every app using the starter; opt out with atmosphere.favicon.enabled=false.
  • reattach e2e — harness sample + direct-writer replay + CI job
    RunReattachSupport now writes the joined buffer straight to response.getWriter() (U+001E between events); broadcaster routing fed the payload back into the @Prompt dispatcher. New spring-boot-reattach-harness plus a SyntheticRunController give Playwright a deterministic HTTP surface — foundation-e2e.yml runs the spec on every push so the reattach wire is proven end-to-end, not just in unit tests.
  • TokenUsage → CostCeilingGuardrail.addCost bridge + ownership fix
    CostAccountingSession wraps every @Prompt session when a CostAccountant is installed; built-in CostCeilingAccountant(guardrail, pricing) closes the observability→enforcement loop. Spring Boot auto-configuration installs it and a DisposableBean resets the holder on shutdown, which also fixes broadcaster listener ownership symmetry on the PII installer.
  • cpr-core moat — broadcaster PII, tenant drift, cost ceiling, reattach test
    PiiRedactionFilter auto-installs on every broadcaster (present + future) so response-path PII is rewritten in-flight — framework owns the transport. OutputLengthZScoreGuardrail partitions its rolling window by business.tenant.id MDC so one tenant cannot poison another's baseline. New CostCeilingGuardrail blocks outbound @Prompt per tenant once cumulative cost hits budget (observability→enforcement). writeEnabled resolved per-call in both starters for runtime lockdown. RunReattachSupport extracts the replay-on-reconnect path with 5 regression tests. Operator docs split Spring + Quarkus setup with principal-chain paragraphs.
  • wire Flow tab into the admin console — SVG graph over /api/admin/flow
    New tab renders the coordination journal as a circle-layout SVG: nodes = agents, edges = dispatch count + success/failure/avg-duration, red on failure, arrowheads for direction. Optional coordination-id drilldown and lookback-minutes filter. Zero external graph library — plain SVG, adequate for fleet sizes Atmosphere runs. Mirrored across spring-boot-starter and spring-boot3-starter admin assets.
  • observability + guardrails + admin auth + flow viewer
    Observability layer (BusinessMetadata → SLF4J MDC, FactResolver), default guardrails (PII redaction, drift z-score), admin-write auth triple-gate (feature flag → Principal → ControlAuthorizer), agent-to-agent flow viewer (/api/admin/flow), run reattach consumer, gateway admission on handle-based paths, framework-scoped resolution for all v0.8 primitives. Samples boot via spring-boot:run + actuator health; foundation-e2e gates merges including Docker sandbox.
  • foundation hardening — primitive wire-in, Sandbox gate, PermissionMode
  • AI Agent Foundation — 8 primitives, 2 proof samples, strict OpenAI-compat tool round-trip

🐛 Fixed

  • remove orphan javadoc that broke JDK 26 / native-image builds
    Stray /** ... */ block had no declaration attached; compiler -Xdoclint was fine under -Pfastinstall but strict under Core / Native Image. Reattaches the doc to captureFeedsReattachWithErrorEnvelopeWhenHandlerThrows where it belongs. Also explains why I missed it locally — I was running --fast, which skips the doclint phase; pattern now flagged in my self-review checklist.
  • favicon dual-registration + opt-in admin read-auth gate (P1)
    Drops the @Bean method in AtmosphereFaviconAutoConfiguration — the nested @RestController already registers under a stereotype-derived bean name and the @Bean factory was producing a second bean mapped to the same /favicon.ico route, triggering "Ambiguous mapping" at startup for any app pulling the starter. Adds atmosphere.admin.http-read-auth-required opt-in flag: when true, Spring's AdminApiAuthFilter and a new Quarkus AdminReadAuthFilter (JAX-RS @Provider) reject anonymous GET/HEAD/OPTIONS on /api/admin with 401 matching the existing write-side chain (X-Atmosphere-Auth + principal attribute sources). Default off so demo consoles keep working; multi-tenant operators flip one flag.
  • pin Bouncy Castle >= 1.84 — closes transitive 1.82 advisories
    docker-java-core 3.7.0 pulls bcpkix/bcprov/bcutil 1.82 (GHSA LDAP injection + risky-crypto). DependencyManagement pin forces 1.84 into the resolved tree so Dependabot alerts 187/188 close on next scan. Provided-scope only (DockerSandboxProvider path); no runtime fat-jar drift.
  • malformed journal timestamp returns 400 (Spring parity)
    Previously returned 200 with an error-item array, masking client errors from caller and breaking Spring/Quarkus API parity. Now returns 400 with the error body, matching AtmosphereAdminEndpoint and Correctness Invariant #4.
  • P0 reattach — enforce run ownership + route replay through filter chain
    Replay now refuses when the reconnecting caller's resolved userId does not match the run's registered userId (bearer-token cross-user leak); anonymous runs keep the open-mode carve-out so demo deployments still work. Every replay frame is routed through the broadcaster's BroadcastFilter chain so PiiRedactionFilter / ContentSafetyFilter apply identically to replay and live frames — a direct writer write previously bypassed them.
  • reattach wire fidelity + terminal capture + MDC snapshot
    Replay now emits AiStreamMessage JSON frames matching the live path (frontend parser can handle replay and live identically); AiEndpointHandler routes timeout/exception terminals through capturingSession so buffered replay ends with an error envelope; CostAccountingSession snapshots tenant MDC at construction so Reactor-thread usage events don't collapse into default. Adds handoff-forwarding regression, strengthens Playwright assertions to pin JSON schema + error envelope.
  • RunEventCapturingSession must forward handoff() to delegate
    The default StreamingSession.handoff throws UnsupportedOperationException, which the reattach capturing wrapper inherited — breaking orchestration-primitives handoff() calls that previously reached AiStreamingSession's agent-backed implementation.
  • survive resteasy-reactive UT000048 on servlet proxy
    resteasy-reactive dispatches on Vert.x, so @Context HttpServletRequest throws IllegalStateException: UT000048 on the admin write path. Swallow the exception (attributes cannot fire on Vert.x anyway) and read X-Atmosphere-Auth via @Context HttpHeaders, which works on both transports.
  • wire reattach producer — capture @Prompt events into replay buffer
    RunEventCapturingSession mirrors every session.send / complete / error into the run's RunEventReplayBuffer; AiEndpointHandler installs it after registering the run so X-Atmosphere-Run-Id reconnects actually have events to replay. Closes the half-shipped reattach primitive — producer was missing even though the consumer (RunReattachSupport) was already wired.
  • admin X-Atmosphere-Auth principal path + quarkus-chat fixture
    Fourth principal source validates the header against atmosphere.admin.auth.token via constant-time compare so Quarkus admin writes work without standing up Jakarta Security; sample fixture sets the env vars and Playwright now authenticates matching the Spring spec pattern.
  • review pass 3 — parity delegation, PII hook accuracy, BOM-managed resteasy, ai.userId test
    Parity test pins delegation shape (doExecute → doExecuteWithHandle for SpringAI/LC4j/ADK) so a refactor to independent dispatch fails without restored admit. PII Javadoc points at the real PiiRedactionFilter / AiStreamBroadcastFilter — previously referenced a fictional per-token hook. resteasy-core at test scope drops its pin to inherit the quarkus-bom version. New ai.userId case rounds AdminResourceAuthzTest to 7 — all three principal sources covered. Non-blocking nits: dropped parity-test change-history Javadoc, explicit stubs instead of RETURNS_DEEP_STUBS, /* package */ marker on writeEnabled.
  • v0.9 review second pass — parity-test teeth, quarkus auth chain, PII docs
    Parity test now scans specific method bodies (doExecute / doExecuteWithHandle / execute / executeWithHandle) with brace-balanced extraction, not file-level grep — dead helper references no longer satisfy. Quarkus guardWrite widened to the 3-source principal chain (SecurityContext → Atmosphere AuthInterceptor attribute → ai.userId). AdminProducer looks up a user-supplied ControlAuthorizer via CDI before falling back to REQUIRE_PRINCIPAL. New AdminResourceAuthzTest (6 cases) pins the gate across starters. PII class Javadoc split into Request (redact via Modify) vs Response (early termination via Block). FactRequest.agentId documents that custom @AiEndpoint paths produce null.
  • close v0.9-review findings — auth gap, dead SPI, parity test, javadoc drift
    Quarkus /api/admin/* now enforces the same triple-gate (feature flag → Principal → ControlAuthorizer) as Spring; default DENY_ALL via REQUIRE_PRINCIPAL. FactResolver.cacheHint removed (no consumer). FactRequest.agentId derived from the endpoint path template. RuntimeGatewayAdmissionParityTest verifies all 7 runtimes call admitThroughGateway at source level. FactResolver javadoc corrected (NoopFactResolver → DefaultFactResolver). PII response-path Block documented as early termination, not retroactive redaction.
  • register HtmlEncoder as CodeQL XSS sanitizer
    Resolves 4 false-positive java/xss code-scanning alerts.
  • bump Jetty 12.0.33, Tomcat 11.0.21, Kafka 3.9.2
    Address 13 Dependabot security alerts (1 critical, 5 high, 3 medium).

🔧 Changed

  • fix parallelInterruptsSiblings race on slow CI runners
  • trigger on modules/ai + wasync + add workflow_dispatch
  • CHANGELOG backfill for post-squash work + fix stale versions + read-auth docs
    CHANGELOG adds 11 Added and 3 Fixed subsections covering PII filter, cost-ceiling wire, reattach closure, admin read-auth, Quarkus parity, favicon, Flow tab, correctness coverage, e2e harness, JMH, security bumps. README adds DENY_ALL to PermissionMode. Four module READMEs had wrong third-party dep versions (4.0.38 copy-paste); corrected against root pom. Admin README documents the fourth principal source and the new http-read-auth-required flag.
  • DelegatingStreamingSession base — kills decorator-regression class
    Every StreamingSession decorator now extends the base and overrides only what it intercepts; unknown methods are forwarded automatically. DelegatingStreamingSessionContractTest reflects over the interface and fails the build when a method is added without a forwarder — the handoff() shadow bug that shipped in RunEventCapturingSession cannot recur. Seven decorators migrated (RunEventCapturing, CostAccounting, Memory, Metrics, Guardrail, StructuredOutput, Tracing, Caching).
  • rewrite hero + modules table — capability/module/types grid
    Surfaces stream-level PII rewrite, cost-ceiling enforcement, tenant-partitioned drift; fixes PermissionMode mode count and drops the hardcoded version claim.
  • bump GrpcWasyncTransportTest status-poll to 5s for JDK 26
    wAsync updates Socket.status() on its dispatch thread after the CLOSE callback returns; the 2s polling cap was too tight on JDK 26 where scheduler latency between callback and CAS is observably longer.
  • update reattach spec — producer wire is live after 8156842fd4
    RunEventCapturingSession now populates the replay buffer on every @Prompt session.send / complete / error — cross-reference the commit so a future auditor can verify the "half-shipped" note in earlier reviews is resolved. Spec stays skip-gated pending a dedicated slow-emitter harness sample.
  • CHANGELOG claim tests + two-resolution-pattern guidance
    ChangelogClaimsTest pins AgentState OpenClaw layout + RunEventReplayBuffer bound so doc-to-code drift breaks the build; README documents when to pick framework-scoped property vs process-wide holder so new SPIs don't reinvent the wheel.
  • reattach spec documents the X-Atmosphere-Run-Id replay contract
    Skipped by default until a harness sample with deliberately-slow @Prompt dispatch is wired; the contract (connect → disconnect → reconnect with run id → replayed events) is pinned so future harness work plugs in without re-deriving it. Unit coverage remains in RunReattachSupportTest.
  • exec-level gateway admission tests — LC4j, ADK, Koog, Embabel, SK
    One test per runtime; each installs a counting exporter and drives runtime.execute() so an admission entry with the correct provider label is captured. Closes the exec-level parity gap flagged in the v0.9 review — all 7 runtimes now prove admit, not just source-level grep.
  • exec-level gateway admission test — drive runtime.execute
    Counting exporter replaces AiGatewayHolder and one execute() call lands exactly one entry with provider=spring-ai; closes the parity grep gap the v0.9 review flagged. Template for LC4j/ADK/Koog/Embabel/SK follow-ups.
  • bump org.apache.maven.plugins:maven-resources-plugin (#2610)
  • bump react and react-dom to 19.2.5 in lockstep
    React requires exact version match between react and react-dom packages; bumping only react (as Dependabot PR #2612 proposed) fails all jsdom-backed tests with ensureCorrectIsomorphicReactVersion.
  • bump protobuf to 4.34.1 and pin runtime to protoc version
    grpc-protobuf 1.80.0 still pulls protobuf-java 3.25.8 transitively, so protoc 4.x-generated sources fail to compile; dependencyManagement now pins protobuf-java/protobuf-java-util to ${protobuf.version}.
  • bump protobufjs (#2608)

Full Changelog: Atmosphere/atmosphere@atmosphere-4.0.38...atmosphere-4.0.39

Atmosphere 4.0.38

... (truncated)

Commits
  • 2df3e7a release: Atmosphere 4.0.39
  • 96e6e6b test(coordinator): fix parallelInterruptsSiblings race on slow CI runners
  • cc7d408 ci(native-image): trigger on modules/ai + wasync + add workflow_dispatch
  • def0661 docs: CHANGELOG backfill for post-squash work + fix stale versions + read-aut...
  • 0dc7796 build: remove --fast from pre-push + architectural validation
  • ddc13af fix(ai): remove orphan javadoc that broke JDK 26 / native-image builds
  • bd3da26 refactor(ai): DelegatingStreamingSession base — kills decorator-regression class
  • 2d3ee5a fix: favicon dual-registration + opt-in admin read-auth gate (P1)
  • 98c6ae4 feat(spring-boot): serve /favicon.ico from both starters to kill the default 404
  • 246c29b fix(deps): pin Bouncy Castle >= 1.84 — closes transitive 1.82 advisories
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [org.atmosphere:atmosphere-runtime](https://github.com/Atmosphere/atmosphere) from 3.1.0 to 4.0.39.
- [Release notes](https://github.com/Atmosphere/atmosphere/releases)
- [Changelog](https://github.com/Atmosphere/atmosphere/blob/main/CHANGELOG.md)
- [Commits](Atmosphere/atmosphere@atmosphere-project-3.1.0...atmosphere-4.0.39)

---
updated-dependencies:
- dependency-name: org.atmosphere:atmosphere-runtime
  dependency-version: 4.0.39
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
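The release notes above describe the admin-write chain in two pieces: a triple gate (feature flag, then a resolved Principal, then a ControlAuthorizer with REQUIRE_PRINCIPAL as the default), and a fourth principal source that checks X-Atmosphere-Auth against atmosphere.admin.auth.token with a constant-time compare. The sketch below is an added example of that shape, written for this page; it is not Atmosphere's code. The request and decision records, the attribute keys, the "atmosphere-admin-token" principal name and the status codes chosen for each denial are all assumptions; only X-Atmosphere-Auth, ai.userId and the ordering of the sources come from the notes. It needs Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Optional;
import java.util.function.BiPredicate;

/**
 * Illustrative admin-write gate: feature flag, then principal, then authorizer.
 * Stand-in types only; nothing here is an Atmosphere class.
 */
final class AdminWriteGate {

    /** Request stand-in: container principal, request attributes, HTTP headers. */
    record AdminRequest(String containerPrincipal,
                        Map<String, Object> attributes,
                        Map<String, String> headers) {}

    /** Gate outcome: HTTP status plus the principal that was resolved, if any. */
    record Decision(int status, String principal) {}

    // Attribute and header names are assumptions; only X-Atmosphere-Auth and
    // ai.userId are named in the release notes.
    static final String AUTH_INTERCEPTOR_ATTR = "atmosphere.auth.principal";
    static final String AI_USER_ID_ATTR = "ai.userId";
    static final String AUTH_HEADER = "X-Atmosphere-Auth";
    static final String TOKEN_PRINCIPAL = "atmosphere-admin-token";

    private final boolean writeEnabled;                   // gate 1: feature flag
    private final byte[] configuredToken;                 // atmosphere.admin.auth.token, or null
    private final BiPredicate<String, String> authorizer; // gate 3: ControlAuthorizer stand-in

    AdminWriteGate(boolean writeEnabled, String configuredToken,
                   BiPredicate<String, String> authorizer) {
        this.writeEnabled = writeEnabled;
        this.configuredToken = configuredToken == null
                ? null : configuredToken.getBytes(StandardCharsets.UTF_8);
        this.authorizer = authorizer;
    }

    /** The status code for each denial is this example's choice, not the project's. */
    Decision guardWrite(AdminRequest req, String action) {
        if (!writeEnabled) {
            return new Decision(403, null);            // runtime lockdown: writes are off
        }
        Optional<String> principal = resolvePrincipal(req);
        if (principal.isEmpty()) {
            return new Decision(401, null);            // REQUIRE_PRINCIPAL: anonymous is DENY_ALL
        }
        if (!authorizer.test(principal.get(), action)) {
            return new Decision(403, principal.get()); // authenticated, not authorised
        }
        return new Decision(200, principal.get());
    }

    /** Principal sources in the order the notes list them; the first hit wins. */
    Optional<String> resolvePrincipal(AdminRequest req) {
        if (req.containerPrincipal() != null && !req.containerPrincipal().isBlank()) {
            return Optional.of(req.containerPrincipal());          // 1. SecurityContext
        }
        if (req.attributes().get(AUTH_INTERCEPTOR_ATTR) instanceof String s && !s.isBlank()) {
            return Optional.of(s);                                  // 2. AuthInterceptor attribute
        }
        if (req.attributes().get(AI_USER_ID_ATTR) instanceof String s && !s.isBlank()) {
            return Optional.of(s);                                  // 3. ai.userId
        }
        String presented = req.headers().get(AUTH_HEADER);
        if (presented != null && tokenMatches(presented)) {
            return Optional.of(TOKEN_PRINCIPAL);                    // 4. shared header token
        }
        return Optional.empty();
    }

    /**
     * Constant-time comparison of the presented header against the configured token.
     * presented.equals(configured) would return at the first differing character, so a
     * remote caller could recover the token byte by byte from response timing.
     * MessageDigest.isEqual takes time independent of where the inputs differ; it still
     * short-circuits on a length mismatch, which reveals only the token length.
     */
    boolean tokenMatches(String presented) {
        if (configuredToken == null) {
            return false;                              // no token configured: source disabled
        }
        return MessageDigest.isEqual(configuredToken,
                presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Authorizer stand-in: the shared token may do anything except "purge".
        AdminWriteGate gate = new AdminWriteGate(true, "s3cr3t-admin-token",
                (principal, action) -> !(TOKEN_PRINCIPAL.equals(principal) && "purge".equals(action)));

        AdminRequest anonymous = new AdminRequest(null, Map.of(), Map.of());
        AdminRequest headerOk = new AdminRequest(null, Map.of(), Map.of(AUTH_HEADER, "s3cr3t-admin-token"));
        AdminRequest headerBad = new AdminRequest(null, Map.of(), Map.of(AUTH_HEADER, "s3cr3t-admin-tokeN"));
        AdminRequest container = new AdminRequest("alice", Map.of(), Map.of());

        System.out.println("anonymous write  : " + gate.guardWrite(anonymous, "broadcast"));
        System.out.println("bad header write : " + gate.guardWrite(headerBad, "broadcast"));
        System.out.println("header write     : " + gate.guardWrite(headerOk, "broadcast"));
        System.out.println("header purge     : " + gate.guardWrite(headerOk, "purge"));
        System.out.println("container write  : " + gate.guardWrite(container, "purge"));
    }
}
```

Run it with `java AdminWriteGate.java`. The point to check when reviewing a gate like this is the order of the three checks: the feature flag is evaluated per call (so flipping it locks writes down at runtime), an empty principal is rejected before the authorizer ever sees the request, and the header source only counts when a token is configured, so an unset atmosphere.admin.auth.token cannot be matched by an empty header.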
dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and java (Pull requests that update Java code) on Apr 27, 2026
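The P0 reattach fix in the notes names two separate defects: replay handed a run's buffered events to whoever presented the run id (a cross-user leak via a different bearer token), and the direct response.getWriter() write skipped the broadcaster's BroadcastFilter chain, so PII redaction applied to live frames but not to replayed ones. The example below is added for this page and is not Atmosphere's code; it shows both the "before" shape and the hardened one. The run registry, the OPEN/STRICT mode names and the e-mail regex standing in for PiiRedactionFilter are assumptions; the U+001E separator, the owner-mismatch refusal and the anonymous carve-out are taken from the notes. It needs Java 17 or later.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.UnaryOperator;
import java.util.regex.Pattern;

/**
 * Illustrative reattach guard: ownership check first, then every buffered frame
 * through the broadcaster filter chain, then one write joined with U+001E.
 * Stand-in types only; nothing here is an Atmosphere class.
 */
final class ReplayOwnershipGuard {

    /** Record separator between replayed events, as the release notes describe. */
    static final char RS = '\u001E';

    /** Run registered at dispatch time; ownerUserId is null for an anonymous run. */
    record RunRecord(String runId, String ownerUserId, List<String> replayBuffer) {}

    /** Reattach outcome: HTTP status and the body that would reach response.getWriter(). */
    record ReplayResult(int status, String body) {}

    /** Assumed names: OPEN keeps the anonymous carve-out, STRICT drops it. */
    enum Mode { OPEN, STRICT }

    private final Map<String, RunRecord> runs = new ConcurrentHashMap<>();
    private final List<UnaryOperator<String>> broadcastFilters = new ArrayList<>();
    private final Mode mode;

    ReplayOwnershipGuard(Mode mode) { this.mode = mode; }

    void registerRun(String runId, String ownerUserId, List<String> frames) {
        runs.put(runId, new RunRecord(runId, ownerUserId, List.copyOf(frames)));
    }

    /** The same list the live path applies; replay must go through it too. */
    void addBroadcastFilter(UnaryOperator<String> filter) { broadcastFilters.add(filter); }

    /** The "before" shape the notes describe: direct write, no owner check, no filters. */
    ReplayResult replayDirect(String runId) {
        RunRecord run = runs.get(runId);
        if (run == null) return new ReplayResult(404, "");
        return new ReplayResult(200, String.join(String.valueOf(RS), run.replayBuffer()));
    }

    /** Hardened replay: refuse cross-user reattach, route frames through the chain. */
    ReplayResult reattach(String runId, String callerUserId) {
        RunRecord run = runs.get(runId);
        if (run == null) return new ReplayResult(404, "");

        if (run.ownerUserId() == null) {
            if (mode != Mode.OPEN) return new ReplayResult(403, "");  // anonymous run, strict mode
        } else if (!run.ownerUserId().equals(callerUserId)) {
            return new ReplayResult(403, "");   // a different bearer token presenting this run id
        }

        StringBuilder out = new StringBuilder();
        for (String frame : run.replayBuffer()) {
            String filtered = frame;
            for (UnaryOperator<String> f : broadcastFilters) filtered = f.apply(filtered);
            if (out.length() > 0) out.append(RS);
            out.append(filtered);
        }
        return new ReplayResult(200, out.toString());
    }

    /** Toy stand-in for PiiRedactionFilter: masks e-mail addresses in a frame. */
    static UnaryOperator<String> emailRedactor() {
        Pattern email = Pattern.compile("[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}");
        return frame -> email.matcher(frame).replaceAll("[redacted-email]");
    }

    public static void main(String[] args) {
        ReplayOwnershipGuard guard = new ReplayOwnershipGuard(Mode.OPEN);
        guard.addBroadcastFilter(emailRedactor());

        // Constructed sample frames, shaped like JSON stream messages.
        List<String> frames = List.of(
                "{\"type\":\"delta\",\"text\":\"Contact alice@example.com for the invoice\"}",
                "{\"type\":\"complete\"}");
        guard.registerRun("run-42", "alice", frames);
        guard.registerRun("run-demo", null, frames);

        System.out.println("owner reattach   : " + guard.reattach("run-42", "alice"));
        System.out.println("cross-user       : " + guard.reattach("run-42", "mallory"));
        System.out.println("no token         : " + guard.reattach("run-42", null));
        System.out.println("anonymous (open) : " + guard.reattach("run-demo", "anyone"));
        System.out.println("unknown run      : " + guard.reattach("run-404", "alice"));
        System.out.println("legacy direct    : " + guard.replayDirect("run-42"));
    }
}
```

Run it with `java ReplayOwnershipGuard.java`. The contrast to look at is the last two lines of output: the legacy direct write hands out the unredacted e-mail to any caller that knows the run id, while the hardened path refuses mallory and the token-less caller outright and redacts the address for alice. A run registered with a null owner is the open-mode carve-out the notes mention; when auditing a deployment that serves real users, that is the case to confirm is disabled.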

dependabot Bot commented on behalf of github Apr 30, 2026

Superseded by #3070.

@dependabot dependabot Bot closed this Apr 30, 2026
@dependabot dependabot Bot deleted the dependabot/maven/org.atmosphere-atmosphere-runtime-4.0.39 branch April 30, 2026 02:47