Close spec compliance gaps

.editorconfig

@@ -0,0 +1,47 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.java]
+indent_style = space
+indent_size = 4
+max_line_length = 120
+
+[*.xml]
+indent_style = space
+indent_size = 4
+
+[*.{yml,yaml}]
+indent_style = space
+indent_size = 2
+
+[*.json]
+indent_style = space
+indent_size = 2
+
+[*.properties]
+indent_style = space
+indent_size = 4
+
+[*.md]
+trim_trailing_whitespace = false
+
+[*.{sh,bash}]
+indent_style = space
+indent_size = 2
+
+[{mvnw,gradlew}]
+end_of_line = lf
+
+[mvnw.cmd]
+end_of_line = crlf
+
+[gradlew.bat]
+end_of_line = crlf
+
+[Makefile]
+indent_style = tab

.github/dependabot.yml

@@ -0,0 +1,49 @@
+version: 2
+updates:
+  # Maven dependencies
+  - package-ecosystem: maven
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+    open-pull-requests-limit: 10
+    groups:
+      junit:
+        patterns:
+          - "org.junit*"
+          - "org.assertj*"
+          - "org.mockito*"
+      jackson:
+        patterns:
+          - "com.fasterxml.jackson*"
+      maven-plugins:
+        patterns:
+          - "org.apache.maven.plugins*"
+          - "com.puppycrawl.tools*"
+          - "com.github.spotbugs*"
+          - "org.jacoco*"
+      logging:
+        patterns:
+          - "org.slf4j*"
+          - "ch.qos.logback*"
+
+  # Gradle dependencies
+  - package-ecosystem: gradle
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+    open-pull-requests-limit: 5
+    groups:
+      gradle-plugins:
+        patterns:
+          - "com.github.spotbugs*"
+          - "com.github.johnrengelman*"
+
+  # GitHub Actions
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+    open-pull-requests-limit: 5

.github/workflows/cache-cleanup.yml

@@ -0,0 +1,74 @@
+name: Cache Cleanup
+
+on:
+  pull_request:
+    types: [closed]
+  schedule:
+    - cron: '0 3 * * 0' # Sundays at 03:00 UTC
+  workflow_dispatch:
+
+permissions:
+  actions: write
+  contents: read
+
+jobs:
+  cleanup-pr-caches:
+    name: Clean Up PR Caches
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Delete caches for closed PR branch
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BRANCH: refs/pull/${{ github.event.pull_request.number }}/merge
+        run: |
+          echo "Deleting caches for branch: $BRANCH"
+          gh actions-cache list --branch "$BRANCH" --limit 100 | \
+            cut -f1 | \
+            while read -r key; do
+              if [ -n "$key" ]; then
+                echo "Deleting cache: $key"
+                gh actions-cache delete "$key" --branch "$BRANCH" --confirm || true
+              fi
+            done
+
+  cleanup-stale-caches:
+    name: Clean Up Stale Caches
+    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: List and clean stale caches
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          echo "=== Current cache usage ==="
+          gh actions-cache list --limit 100 --sort last-used --order asc
+
+          # Get all open PR branch refs
+          OPEN_BRANCHES=$(gh pr list --state open --json headRefName --jq '.[].headRefName')
+
+          # Delete caches for branches that no longer have open PRs
+          gh actions-cache list --limit 100 --sort last-used --order asc | while IFS=$'\t' read -r key size branch; do
+            # Skip main branch caches
+            if [ "$branch" = "refs/heads/main" ]; then
+              continue
+            fi
+
+            # Extract branch name from ref
+            branch_name="${branch#refs/heads/}"
+
+            # Check if branch has an open PR
+            if ! echo "$OPEN_BRANCHES" | grep -qx "$branch_name"; then
+              echo "Deleting stale cache: $key (branch: $branch)"
+              gh actions-cache delete "$key" --branch "$branch" --confirm || true
+            fi
+          done
+
+          echo "=== Cache usage after cleanup ==="
+          gh actions-cache list --limit 100 --sort last-used --order desc

.github/workflows/ci.yml

@@ -0,0 +1,112 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  checks: write
+
+jobs:
+  maven:
+    name: Build (Maven, Java ${{ matrix.java }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        java: ['21', '23']
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up JDK ${{ matrix.java }}
+        uses: actions/setup-java@v4
+        with:
+          java-version: ${{ matrix.java }}
+          distribution: temurin
+          cache: maven
+
+      - name: Build & verify
+        run: ./mvnw verify -Pcoverage -B --no-transfer-progress
+
+      - name: Upload test reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: maven-test-reports-java-${{ matrix.java }}
+          path: '**/target/surefire-reports/*.xml'
+          retention-days: 14
+
+      - name: Upload coverage reports
+        if: matrix.java == '21'
+        uses: actions/upload-artifact@v4
+        with:
+          name: maven-coverage-reports
+          path: '**/target/site/jacoco/'
+          retention-days: 14
+
+      - name: Publish test results
+        if: always()
+        uses: dorny/test-reporter@v1
+        with:
+          name: Test Results (Maven, Java ${{ matrix.java }})
+          path: '**/target/surefire-reports/*.xml'
+          reporter: java-junit
+
+  gradle:
+    name: Build (Gradle, Java ${{ matrix.java }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        java: ['21', '23']
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up JDK ${{ matrix.java }}
+        uses: actions/setup-java@v4
+        with:
+          java-version: ${{ matrix.java }}
+          distribution: temurin
+          cache: gradle
+
+      - name: Build & verify
+        run: ./gradlew build --no-daemon --warning-mode all
+
+      - name: Upload test reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: gradle-test-reports-java-${{ matrix.java }}
+          path: '**/build/reports/tests/'
+          retention-days: 14
+
+  eval-tests:
+    name: Eval Tests (LLM-backed)
+    needs: maven
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up JDK 21
+        uses: actions/setup-java@v4
+        with:
+          java-version: '21'
+          distribution: temurin
+          cache: maven
+
+      - name: Run eval tests
+        env:
+          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+        run: ./mvnw test -Peval-tests -B --no-transfer-progress

.github/workflows/codeql.yml

@@ -0,0 +1,39 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 6 * * 6' # Saturdays at 06:00 UTC
+
+permissions:
+  security-events: write
+  contents: read
+
+jobs:
+  analyze:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up JDK 21
+        uses: actions/setup-java@v4
+        with:
+          java-version: '21'
+          distribution: temurin
+          cache: maven
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: java-kotlin
+
+      - name: Build
+        run: ./mvnw compile -B --no-transfer-progress -DskipTests
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@v3

.github/workflows/dependency-review.yml

@@ -0,0 +1,23 @@
+name: Dependency Review
+
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  dependency-review:
+    name: Dependency Review
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Dependency review
+        uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: high
+          comment-summary-in-pr: on-failure