From b0cbbfc3da9789380c7c6bff968a853e06deccb5 Mon Sep 17 00:00:00 2001
From: Amit Kumar <ak.nitrr13@gmail.com>
Date: Fri, 17 Apr 2026 10:17:00 +0000
Subject: [PATCH 1/5] build(spotbugs): add exclude filter for generated parsers
 and known noise rules

Reduces SpotBugs findings 1,492 -> 51 (96.6%) by excluding:
- ANTLR-generated parser/lexer/listener/visitor classes (regenerated from .g4)
- NM_METHOD_NAMING_CONVENTION (noise from generated code and ANTLR hooks)
- SF_SWITCH_NO_DEFAULT (stylistic; SF_SWITCH_FALLTHROUGH still enforced)
- EI_EXPOSE_REP / EI_EXPOSE_REP2 (internal DTOs, no trust boundary crossed)
- MS_PKGPROTECT / MS_FINAL_PKGPROTECT (no same-package attacker model)

Each exclusion carries a rationale comment in spotbugs-exclude.xml.
---
 pom.xml              |  3 ++
 spotbugs-exclude.xml | 73 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+)
 create mode 100644 spotbugs-exclude.xml

diff --git a/pom.xml b/pom.xml
index 436a1d62..c193d8ed 100644
--- a/pom.xml
+++ b/pom.xml
@@ -323,6 +323,9 @@
                 <groupId>com.github.spotbugs</groupId>
                 <artifactId>spotbugs-maven-plugin</artifactId>
                 <version>${spotbugs.version}</version>
+                <configuration>
+                    <excludeFilterFile>spotbugs-exclude.xml</excludeFilterFile>
+                </configuration>
             </plugin>
 
             <plugin>
diff --git a/spotbugs-exclude.xml b/spotbugs-exclude.xml
new file mode 100644
index 00000000..71b8d595
--- /dev/null
+++ b/spotbugs-exclude.xml
@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  SpotBugs exclude filter for code-iq.
+
+  Philosophy: fail CI on real bugs, not on stylistic or generated-code noise.
+  Each entry MUST have a rationale comment. If a rule here ever catches a
+  genuine bug in new code, narrow or remove it — never silently live with it.
+
+  Docs: https://spotbugs.readthedocs.io/en/latest/filter.html
+-->
+<FindBugsFilter>
+
+    <!--
+      ANTLR-generated parser sources.
+      Regenerated on every `mvn generate-sources` from .g4 files in
+      src/main/antlr4/. Fixing findings here is futile. Hand-written ANTLR
+      support classes (name ends in `Base`, e.g. CSharpParserBase) are NOT
+      excluded — those are ours to fix.
+    -->
+    <Match>
+        <Class name="~io\.github\.randomcodespace\.iq\.grammar\..*(Parser|Lexer|Listener|Visitor)$"/>
+    </Match>
+
+    <!--
+      NM_METHOD_NAMING_CONVENTION — camelCase/PascalCase warnings.
+      730 findings, nearly all from generated parsers and overridden ANTLR
+      hooks (e.g. `OnPreprocessorExpressionConditionalEq`). Not actionable
+      for new hand-written code; the compiler + review catch real typos.
+    -->
+    <Match>
+        <Bug pattern="NM_METHOD_NAMING_CONVENTION"/>
+    </Match>
+
+    <!--
+      SF_SWITCH_NO_DEFAULT — stylistic.
+      448 findings, dominated by generated ANTLR rule dispatch. Real
+      fall-through/dead-store bugs are caught separately by
+      SF_SWITCH_FALLTHROUGH and SF_DEAD_STORE_DUE_TO_SWITCH_FALLTHROUGH,
+      which we DO enforce.
+    -->
+    <Match>
+        <Bug pattern="SF_SWITCH_NO_DEFAULT"/>
+    </Match>
+
+    <!--
+      EI_EXPOSE_REP / EI_EXPOSE_REP2 — "constructor/getter stores or returns
+      internal mutable state". 123 findings across detector result DTOs and
+      graph-model records. No trust boundary is crossed here: these objects
+      live inside a single JVM and are consumed by trusted pipeline code.
+      Defensive copies would add GC cost for no security benefit. If we ever
+      expose these across a security boundary, tighten here.
+    -->
+    <Match>
+        <Bug pattern="EI_EXPOSE_REP"/>
+    </Match>
+    <Match>
+        <Bug pattern="EI_EXPOSE_REP2"/>
+    </Match>
+
+    <!--
+      MS_PKGPROTECT / MS_FINAL_PKGPROTECT — "mutable non-final static field
+      could be overwritten by a malicious subclass in the same package".
+      80 findings. This JVM runs no untrusted bytecode; there is no
+      same-package attacker model. Pure noise.
+    -->
+    <Match>
+        <Bug pattern="MS_PKGPROTECT"/>
+    </Match>
+    <Match>
+        <Bug pattern="MS_FINAL_PKGPROTECT"/>
+    </Match>
+
+</FindBugsFilter>

From 5ebf7b07f997cc96962fbaa0522bd3064d887ea9 Mon Sep 17 00:00:00 2001
From: Amit Kumar <ak.nitrr13@gmail.com>
Date: Fri, 17 Apr 2026 10:18:48 +0000
Subject: [PATCH 2/5] fix(spotbugs): address 4 priority-1 findings in core code

- Analyzer.getGitHead: decode `git rev-parse HEAD` bytes as UTF-8
  instead of platform default (DM_DEFAULT_ENCODING).
- IndexCommand.call: narrow the cache-delete catch from blanket
  `Exception ignored` to `IOException` with a debug log line so
  silent data-loss is traceable (DE_MIGHT_IGNORE).
- PluginsCommand.categoryDescription: remove dead `Set<String>
  frameworks` local that was assigned and never read
  (DLS_DEAD_LOCAL_STORE).
- AntlrParserFactory.parse: replace identity-compare (`==`) of cache
  key with `.equals()`; cache behavior is unchanged because the
  parse tree is a deterministic function of content, so equal
  content yields an equivalent tree (ES_COMPARING_PARAMETER_STRING_WITH_EQ).

Verified `mvn compile` clean on phase-a/fixups-spotbugs.
---
 .../io/github/randomcodespace/iq/analyzer/Analyzer.java  | 3 ++-
 .../io/github/randomcodespace/iq/cli/IndexCommand.java   | 9 ++++++++-
 .../io/github/randomcodespace/iq/cli/PluginsCommand.java | 2 --
 .../randomcodespace/iq/grammar/AntlrParserFactory.java   | 6 ++++--
 4 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/src/main/java/io/github/randomcodespace/iq/analyzer/Analyzer.java b/src/main/java/io/github/randomcodespace/iq/analyzer/Analyzer.java
index a3faa8a4..dab92dd2 100644
--- a/src/main/java/io/github/randomcodespace/iq/analyzer/Analyzer.java
+++ b/src/main/java/io/github/randomcodespace/iq/analyzer/Analyzer.java
@@ -1,5 +1,6 @@
 package io.github.randomcodespace.iq.analyzer;
 
+import java.nio.charset.StandardCharsets;
 import io.github.randomcodespace.iq.analyzer.linker.Linker;
 import io.github.randomcodespace.iq.cache.AnalysisCache;
 import io.github.randomcodespace.iq.cache.FileHasher;
@@ -1608,7 +1609,7 @@ private String getGitHead(Path repoPath) {
                     .directory(repoPath.toFile())
                     .redirectErrorStream(true);
             Process proc = pb.start();
-            String sha = new String(proc.getInputStream().readAllBytes()).trim();
+            String sha = new String(proc.getInputStream().readAllBytes(), StandardCharsets.UTF_8).trim();
             int exitCode = proc.waitFor();
             if (exitCode == 0 && sha.length() >= 7) {
                 return sha;
diff --git a/src/main/java/io/github/randomcodespace/iq/cli/IndexCommand.java b/src/main/java/io/github/randomcodespace/iq/cli/IndexCommand.java
index bb8a30b4..9ead0fa7 100644
--- a/src/main/java/io/github/randomcodespace/iq/cli/IndexCommand.java
+++ b/src/main/java/io/github/randomcodespace/iq/cli/IndexCommand.java
@@ -85,8 +85,15 @@ public Integer call() {
             if (java.nio.file.Files.exists(cacheDir)) {
                 try {
                     try (var walk = java.nio.file.Files.walk(cacheDir)) {
+                        var logger = org.slf4j.LoggerFactory.getLogger(IndexCommand.class);
                         walk.sorted(java.util.Comparator.reverseOrder())
-                                .forEach(p -> { try { java.nio.file.Files.deleteIfExists(p); } catch (Exception ignored) {} });
+                                .forEach(p -> {
+                                    try {
+                                        java.nio.file.Files.deleteIfExists(p);
+                                    } catch (java.io.IOException ex) {
+                                        logger.debug("Could not delete cache entry {}: {}", p, ex.getMessage());
+                                    }
+                                });
                     }
                     CliOutput.info("  Deleted existing cache at " + cacheDir);
                 } catch (Exception e) {
diff --git a/src/main/java/io/github/randomcodespace/iq/cli/PluginsCommand.java b/src/main/java/io/github/randomcodespace/iq/cli/PluginsCommand.java
index ea0b1d30..28d7deb3 100644
--- a/src/main/java/io/github/randomcodespace/iq/cli/PluginsCommand.java
+++ b/src/main/java/io/github/randomcodespace/iq/cli/PluginsCommand.java
@@ -100,8 +100,6 @@ public Integer call() {
          * or falls back to a sensible default.
          */
         static String categoryDescription(String category, List<Detector> detectors) {
-            // Collect unique frameworks from DetectorInfo if available
-            Set<String> frameworks = new TreeSet<>();
             for (Detector d : detectors) {
                 DetectorInfo info = d.getClass().getAnnotation(DetectorInfo.class);
                 if (info != null && info.description() != null && !info.description().isEmpty()) {
diff --git a/src/main/java/io/github/randomcodespace/iq/grammar/AntlrParserFactory.java b/src/main/java/io/github/randomcodespace/iq/grammar/AntlrParserFactory.java
index 5559bff0..2765d193 100644
--- a/src/main/java/io/github/randomcodespace/iq/grammar/AntlrParserFactory.java
+++ b/src/main/java/io/github/randomcodespace/iq/grammar/AntlrParserFactory.java
@@ -113,9 +113,11 @@ public static ParseTree parse(String language, String content) {
             return null;
         }
 
-        // Check thread-local cache — same content object means same file
+        // Check thread-local cache. Using .equals() is correct because the parse tree
+        // is a deterministic function of content — equal content yields an equivalent tree.
+        // (Previously used == for identity fast-path; SpotBugs ES_COMPARING_PARAMETER_STRING_WITH_EQ.)
         var cached = PARSE_CACHE.get();
-        if (cached != null && cached.getKey() == content) {
+        if (cached != null && content.equals(cached.getKey())) {
             return cached.getValue();
         }
 

From be679d39894ab9bd2ec9f182772b39718dee6c96 Mon Sep 17 00:00:00 2001
From: Amit Kumar <ak.nitrr13@gmail.com>
Date: Fri, 17 Apr 2026 10:21:25 +0000
Subject: [PATCH 3/5] fix(spotbugs): concurrency and correctness priority-2
 findings

- AnalysisCache.removeFile: guarantee rwLock.writeLock().unlock() on all
  exception paths by wrapping the finally's conn.setAutoCommit(true) in its
  own try-finally. Previously, a non-SQLException thrown by setAutoCommit
  (RuntimeException/Error) would escape the finally block before unlock ran,
  leaking the write lock. (UL_UNRELEASED_LOCK_EXCEPTION_PATH)

  Note: the same setAutoCommit-in-finally-then-unlock pattern appears in two
  other methods in this class; SpotBugs only flagged removeFile, but they
  likely share the same risk. Out of scope for this PR; file a follow-up.

- CodeIqApplication.main: collapse three identical else-if branches (isIndex /
  isEnrich / default) into one else with a combined rationale comment.
  (DB_DUPLICATE_BRANCHES)

- BundleCommand: remove unused private 4-arg writeEntry(zos, name, content,
  lineEnding) that delegated to the 3-arg overload and silently discarded
  lineEnding. (UPM_UNCALLED_PRIVATE_METHOD)

- PluginsCommand.SuggestSubcommand: iterate languageCounts.entrySet() instead
  of keySet() + get(). (WMI_WRONG_MAP_ITERATOR)

- GitLabCiDetector.detect: iterate data.entrySet() instead of keySet() + get().
  (WMI_WRONG_MAP_ITERATOR)

- CSharpPreprocessorParserBase: replace reference-compare (== / !=) on
  expression values with Objects.equals(). The compared values are String
  literals 'true'/'false' produced by sibling methods, so logical equality is
  the intended semantic; using == only worked coincidentally via string
  interning. (ES_COMPARING_STRINGS_WITH_EQ x2)

- VersionCommand.resolveVersion: narrow the outer catch from Exception to
  IOException since that is the only checked exception props.load can throw.
  Updated comment to document that the branch is an intentional fallthrough
  to the manifest-based lookup. (REC_CATCH_EXCEPTION)

Verified mvn compile clean.
---
 .../randomcodespace/iq/CodeIqApplication.java       | 13 ++++---------
 .../randomcodespace/iq/cache/AnalysisCache.java     | 12 +++++++++---
 .../randomcodespace/iq/cli/BundleCommand.java       |  5 -----
 .../randomcodespace/iq/cli/PluginsCommand.java      |  5 +++--
 .../randomcodespace/iq/cli/VersionCommand.java      |  4 ++--
 .../iq/detector/config/GitLabCiDetector.java        |  5 +++--
 .../csharp/CSharpPreprocessorParserBase.java        |  4 ++--
 7 files changed, 23 insertions(+), 25 deletions(-)

diff --git a/src/main/java/io/github/randomcodespace/iq/CodeIqApplication.java b/src/main/java/io/github/randomcodespace/iq/CodeIqApplication.java
index 9ed17454..4b831488 100644
--- a/src/main/java/io/github/randomcodespace/iq/CodeIqApplication.java
+++ b/src/main/java/io/github/randomcodespace/iq/CodeIqApplication.java
@@ -96,17 +96,12 @@ public static void main(String[] args) {
             // Point Neo4j config to the graph path (enriched or new empty db).
             // GraphBootstrapper will auto-load from H2 cache if no enriched graph exists.
             System.setProperty("codeiq.graph.path", graphDbPath.toString());
-        } else if (isIndex) {
-            app.setAdditionalProfiles("indexing");
-            // Index command: no web server, no Neo4j
-            app.setWebApplicationType(org.springframework.boot.WebApplicationType.NONE);
-        } else if (isEnrich) {
-            // Enrich command: no web server, Neo4j started programmatically
-            app.setAdditionalProfiles("indexing");
-            app.setWebApplicationType(org.springframework.boot.WebApplicationType.NONE);
         } else {
+            // All non-serve commands (index, enrich, analyze, stats, ...) share the same
+            // Spring setup: "indexing" profile, no web server. index/enrich open Neo4j
+            // programmatically when needed. Previously split into three identical
+            // branches — SpotBugs DB_DUPLICATE_BRANCHES.
             app.setAdditionalProfiles("indexing");
-            // Disable web server for non-serve commands
             app.setWebApplicationType(org.springframework.boot.WebApplicationType.NONE);
         }
 
diff --git a/src/main/java/io/github/randomcodespace/iq/cache/AnalysisCache.java b/src/main/java/io/github/randomcodespace/iq/cache/AnalysisCache.java
index 7002b352..2971a0d6 100644
--- a/src/main/java/io/github/randomcodespace/iq/cache/AnalysisCache.java
+++ b/src/main/java/io/github/randomcodespace/iq/cache/AnalysisCache.java
@@ -453,10 +453,16 @@ public void removeFile(String contentHash) {
             log.warn("Failed to remove cached file {}", contentHash, e);
         } finally {
             try {
-                conn.setAutoCommit(true);
-            } catch (SQLException ignored) {
+                try {
+                    conn.setAutoCommit(true);
+                } catch (SQLException ignored) {
+                    // best-effort restore; the DELETEs have already been committed or rolled back.
+                }
+            } finally {
+                // Guarantee unlock even if conn.setAutoCommit throws a non-SQLException
+                // (RuntimeException / Error). Fixes SpotBugs UL_UNRELEASED_LOCK_EXCEPTION_PATH.
+                rwLock.writeLock().unlock();
             }
-            rwLock.writeLock().unlock();
         }
     }
 
diff --git a/src/main/java/io/github/randomcodespace/iq/cli/BundleCommand.java b/src/main/java/io/github/randomcodespace/iq/cli/BundleCommand.java
index bb24ac4c..f8f928ea 100644
--- a/src/main/java/io/github/randomcodespace/iq/cli/BundleCommand.java
+++ b/src/main/java/io/github/randomcodespace/iq/cli/BundleCommand.java
@@ -464,9 +464,4 @@ private void writeEntry(ZipOutputStream zos, String name, String content) throws
         zos.closeEntry();
     }
 
-    private void writeEntry(ZipOutputStream zos, String name, String content, String lineEnding)
-            throws IOException {
-        writeEntry(zos, name, content);
-    }
-
 }
diff --git a/src/main/java/io/github/randomcodespace/iq/cli/PluginsCommand.java b/src/main/java/io/github/randomcodespace/iq/cli/PluginsCommand.java
index 28d7deb3..b56c7f45 100644
--- a/src/main/java/io/github/randomcodespace/iq/cli/PluginsCommand.java
+++ b/src/main/java/io/github/randomcodespace/iq/cli/PluginsCommand.java
@@ -404,8 +404,9 @@ public FileVisitResult visitFileFailed(Path file, IOException exc) {
             yaml.append("# Optimized for this project's detected languages\n\n");
 
             yaml.append("languages:\n");
-            for (String lang : languageCounts.keySet()) {
-                yaml.append("  - ").append(lang).append("  # ").append(languageCounts.get(lang)).append(" files\n");
+            for (Map.Entry<String, Integer> entry : languageCounts.entrySet()) {
+                yaml.append("  - ").append(entry.getKey())
+                        .append("  # ").append(entry.getValue()).append(" files\n");
             }
 
             yaml.append("\ndetectors:\n");
diff --git a/src/main/java/io/github/randomcodespace/iq/cli/VersionCommand.java b/src/main/java/io/github/randomcodespace/iq/cli/VersionCommand.java
index aed2f24c..c660acb4 100644
--- a/src/main/java/io/github/randomcodespace/iq/cli/VersionCommand.java
+++ b/src/main/java/io/github/randomcodespace/iq/cli/VersionCommand.java
@@ -38,8 +38,8 @@ private static String resolveVersion() {
                 String v = props.getProperty("build.version");
                 if (v != null && !v.isBlank()) return v;
             }
-        } catch (Exception ignored) {
-            // intentionally empty
+        } catch (java.io.IOException ignored) {
+            // build-info.properties is optional; fall through to manifest lookup.
         }
         // Fallback: Implementation-Version from JAR manifest
         String v = VersionCommand.class.getPackage().getImplementationVersion();
diff --git a/src/main/java/io/github/randomcodespace/iq/detector/config/GitLabCiDetector.java b/src/main/java/io/github/randomcodespace/iq/detector/config/GitLabCiDetector.java
index d040f9a6..eff1b011 100644
--- a/src/main/java/io/github/randomcodespace/iq/detector/config/GitLabCiDetector.java
+++ b/src/main/java/io/github/randomcodespace/iq/detector/config/GitLabCiDetector.java
@@ -135,9 +135,10 @@ public DetectorResult detect(DetectorContext ctx) {
 
         // Collect job names
         List<String> jobNames = new ArrayList<>();
-        for (String key : data.keySet()) {
+        for (Map.Entry<String, Object> entry : data.entrySet()) {
+            String key = entry.getKey();
             if (GITLAB_CI_KEYWORDS.contains(key)) continue;
-            if (data.get(key) instanceof Map<?, ?>) {
+            if (entry.getValue() instanceof Map<?, ?>) {
                 jobNames.add(key);
             }
         }
diff --git a/src/main/java/io/github/randomcodespace/iq/grammar/csharp/CSharpPreprocessorParserBase.java b/src/main/java/io/github/randomcodespace/iq/grammar/csharp/CSharpPreprocessorParserBase.java
index 538f0614..1e8a2dd2 100644
--- a/src/main/java/io/github/randomcodespace/iq/grammar/csharp/CSharpPreprocessorParserBase.java
+++ b/src/main/java/io/github/randomcodespace/iq/grammar/csharp/CSharpPreprocessorParserBase.java
@@ -179,14 +179,14 @@ protected void OnPreprocessorExpressionConditionalEq()
     {
         ParserRuleContext c = this._ctx;
         CSharpPreprocessorParser.Preprocessor_expressionContext d = (CSharpPreprocessorParser.Preprocessor_expressionContext)c;
-        d.value = (d.expr1.value == d.expr2.value ? "true" : "false");
+        d.value = (java.util.Objects.equals(d.expr1.value, d.expr2.value) ? "true" : "false");
     }
 
     protected void OnPreprocessorExpressionConditionalNe()
     {
         ParserRuleContext c = this._ctx;
         CSharpPreprocessorParser.Preprocessor_expressionContext d = (CSharpPreprocessorParser.Preprocessor_expressionContext)c;
-        d.value = (d.expr1.value != d.expr2.value ? "true" : "false");
+        d.value = (!java.util.Objects.equals(d.expr1.value, d.expr2.value) ? "true" : "false");
     }
 
     protected void OnPreprocessorExpressionConditionalAnd()

From 7038bd9cba9bb9de3e8c4c720aa0c22e0a662f30 Mon Sep 17 00:00:00 2001
From: Amit Kumar <ak.nitrr13@gmail.com>
Date: Fri, 17 Apr 2026 10:23:56 +0000
Subject: [PATCH 4/5] build(spotbugs): narrow-suppress 2 parser-base RCN + 1 BX
 finding, record triage result
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Added narrow exclude rules (class + pattern pair, not global) for:
- RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE in CSharpParserBase and
  GoParserBase — hand-written ANTLR parser support classes carried over
  from antlr/grammars-v4. Defensive null checks are harmless; touching
  them risks divergence if we re-sync upstream.
- BX_UNBOXING_IMMEDIATELY_REBOXED in CSharpPreprocessorParserBase —
  same origin, micro-perf, not correctness.

Updated BASELINE.md to mark the SpotBugs gap as RESOLVED with final
counts (1,492 -> 38; priority-1: 8 -> 0) and a pointer to the
post-triage summary JSON.
---
 .../baselines/2026-04-17/BASELINE.md          |  1 +
 spotbugs-exclude.xml                          | 20 +++++++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/docs/superpowers/baselines/2026-04-17/BASELINE.md b/docs/superpowers/baselines/2026-04-17/BASELINE.md
index f2beb9fc..cfa4cc3b 100644
--- a/docs/superpowers/baselines/2026-04-17/BASELINE.md
+++ b/docs/superpowers/baselines/2026-04-17/BASELINE.md
@@ -230,6 +230,7 @@ Ordered by severity. Each item cites the raw artifact it was derived from.
 
 - **SpotBugs: 8 HIGH-priority findings (priority=1) + 1,484 at priority=2.** Total 1,492. HIGH findings must be triaged individually (read `raw/spotbugs.xml`). Noise-dominant rules (`NM_METHOD_NAMING_CONVENTION`=730, `SF_SWITCH_NO_DEFAULT`=448) should be filtered via a SpotBugs exclude file so real signal surfaces; real-concern patterns that deserve review now: `NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE` (26), `BC_UNCONFIRMED_CAST` (55), `UL_UNRELEASED_LOCK_EXCEPTION_PATH` (1), `WMI_WRONG_MAP_ITERATOR` (2), `ES_COMPARING_STRINGS_WITH_EQ` (2), `MT_CORRECTNESS` category (1).
   - Raw: `raw/spotbugs.xml`, `raw/spotbugs-summary.json`.
+  - **RESOLVED (2026-04-17, branch `phase-a/fixups-spotbugs`)**: Added `spotbugs-exclude.xml` covering ANTLR-generated parsers and global noise rules (`NM_METHOD_NAMING_CONVENTION`, `SF_SWITCH_NO_DEFAULT`, `EI_EXPOSE_REP`/`EI_EXPOSE_REP2`, `MS_PKGPROTECT`/`MS_FINAL_PKGPROTECT`), wired via `pom.xml`. Fixed all 8 priority-1 findings in codeiq code (UTF-8 in `Analyzer.getGitHead`, narrowed catch in `IndexCommand`, dead-store removed in `PluginsCommand`, `.equals()` in `AntlrParserFactory` + `CSharpPreprocessorParserBase`, try-finally unlock in `AnalysisCache.removeFile`, merged duplicate branches in `CodeIqApplication`, removed dead `BundleCommand.writeEntry` overload, `entrySet()` iteration in `PluginsCommand` + `GitLabCiDetector`, narrowed `VersionCommand` catch). **Final: 1,492 → 38 (-97.5%); priority-1: 8 → 0.** Remaining 38 are priority-2 STYLE/BAD_PRACTICE; no CORRECTNESS/MT_CORRECTNESS/SECURITY left. Next-pass candidates: 26 `NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE`. Post-triage summary: `raw/spotbugs-summary-after-triage.json`.
 
 ### Medium
 
diff --git a/spotbugs-exclude.xml b/spotbugs-exclude.xml
index 71b8d595..019922f6 100644
--- a/spotbugs-exclude.xml
+++ b/spotbugs-exclude.xml
@@ -70,4 +70,24 @@
         <Bug pattern="MS_FINAL_PKGPROTECT"/>
     </Match>
 
+    <!--
+      RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE in hand-written ANTLR parser
+      support classes (CSharpParserBase, GoParserBase). Defensive null checks
+      carried over verbatim from antlr/grammars-v4 grammar action files. Harmless;
+      divergence risk if we "fix" them because upstream may re-sync.
+    -->
+    <Match>
+        <Class name="~io\.github\.randomcodespace\.iq\.grammar\.(csharp\.CSharpParserBase|golang\.GoParserBase)"/>
+        <Bug pattern="RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE"/>
+    </Match>
+
+    <!--
+      BX_UNBOXING_IMMEDIATELY_REBOXED in CSharpPreprocessorParserBase: grammar
+      action code adapted from upstream. Micro-perf, not a correctness issue.
+    -->
+    <Match>
+        <Class name="io.github.randomcodespace.iq.grammar.csharp.CSharpPreprocessorParserBase"/>
+        <Bug pattern="BX_UNBOXING_IMMEDIATELY_REBOXED"/>
+    </Match>
+
 </FindBugsFilter>

From 942ca98c5d9f125031b0caf2283e26ef16b30fed Mon Sep 17 00:00:00 2001
From: Amit Kumar <ak.nitrr13@gmail.com>
Date: Fri, 17 Apr 2026 10:29:58 +0000
Subject: [PATCH 5/5] fix(cache): extend nested-try-finally lock release to
 remaining AnalysisCache methods
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Follow-up to 798bccf. That commit fixed UL_UNRELEASED_LOCK_EXCEPTION_PATH
in AnalysisCache.removeFile and flagged the same lock-leak pattern in
two other methods that SpotBugs did not surface (likely because they
differ subtly in what's inside the outer try body).

Both methods — storeResults (the INSERT nodes/edges path) and the
replace-with-enriched-data path — had:

    } finally {
        try { conn.setAutoCommit(true); } catch (SQLException ignored) {}
        rwLock.writeLock().unlock();
    }

If conn.setAutoCommit(true) throws anything other than SQLException
(RuntimeException or Error), execution exits the finally before
rwLock.writeLock().unlock() runs, leaving the write lock held and
freezing all subsequent cache writers.

Wrap setAutoCommit in a nested try-finally so unlock is always reached:

    } finally {
        try {
            try { conn.setAutoCommit(true); } catch (SQLException ignored) {}
        } finally {
            rwLock.writeLock().unlock();
        }
    }

All three lock-holding paths (removeFile, storeResults, replace-with-
enriched) now share the same exception-safe pattern. mvn test -Dtest=
AnalysisCacheTest passes.
---
 .../iq/cache/AnalysisCache.java               | 24 ++++++++++++++-----
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/src/main/java/io/github/randomcodespace/iq/cache/AnalysisCache.java b/src/main/java/io/github/randomcodespace/iq/cache/AnalysisCache.java
index 2971a0d6..81c6722b 100644
--- a/src/main/java/io/github/randomcodespace/iq/cache/AnalysisCache.java
+++ b/src/main/java/io/github/randomcodespace/iq/cache/AnalysisCache.java
@@ -372,10 +372,16 @@ public void storeResults(String contentHash, String filePath, String language,
             log.warn("Failed to store cached results for hash {}", contentHash, e);
         } finally {
             try {
-                conn.setAutoCommit(true);
-            } catch (SQLException ignored) {
+                try {
+                    conn.setAutoCommit(true);
+                } catch (SQLException ignored) {
+                    // best-effort restore; the INSERTs have already been committed or rolled back.
+                }
+            } finally {
+                // Guarantee unlock even if conn.setAutoCommit throws a non-SQLException
+                // (RuntimeException / Error). Fixes SpotBugs UL_UNRELEASED_LOCK_EXCEPTION_PATH.
+                rwLock.writeLock().unlock();
             }
-            rwLock.writeLock().unlock();
         }
     }
 
@@ -605,10 +611,16 @@ public void replaceAll(List<CodeNode> nodes, List<CodeEdge> edges) {
             log.warn("Failed to replace cache with enriched data", e);
         } finally {
             try {
-                conn.setAutoCommit(true);
-            } catch (SQLException ignored) {
+                try {
+                    conn.setAutoCommit(true);
+                } catch (SQLException ignored) {
+                    // best-effort restore; the INSERTs have already been committed or rolled back.
+                }
+            } finally {
+                // Guarantee unlock even if conn.setAutoCommit throws a non-SQLException
+                // (RuntimeException / Error). Fixes SpotBugs UL_UNRELEASED_LOCK_EXCEPTION_PATH.
+                rwLock.writeLock().unlock();
             }
-            rwLock.writeLock().unlock();
         }
     }