Bump org.atmosphere:atmosphere-runtime from 3.1.0 to 4.0.42

[dependabot]

Bumps org.atmosphere:atmosphere-runtime from 3.1.0 to 4.0.42.

Release notes

Sourced from org.atmosphere:atmosphere-runtime's releases.

Atmosphere 4.0.42

Added

• atmosphere-verifier — plan-and-verify (Meijer "Guardians of the Agents") New module modules/verifier/ + sample samples/spring-boot-guarded-email-agent/ — sealed Workflow AST, ServiceLoader-discovered PlanVerifier chain (Allowlist/WellFormed/Capability/Taint/Automaton/SmtChecker SPI), @​Sink + @​RequiresCapability scanners, PlanAndVerify orchestrator, WorkflowExecutor with partial-env on failure, verify CLI; sample REST + UI exercises the inbox-exfiltration scenario end-to-end (refused before any tool fires) — 74 unit + 4 boot + 6 Playwright tests, all CI green on the feature branch.

Fixed

• fail-closed verifier empty-chain, JSON-escape govern. deny, deflake wasync PlanAndVerify.withDefaults + VerifyCli runChain throw / emit chain-empty violations when ServiceLoader yields no providers (P1: silent fail-open under shading / native-image / fat-jar relocation); governance-deny tool result routes every interpolated field through ToolBridgeUtils.escapeJson via a new buildGovernanceDenyJson helper (P2: backslash/newline/control char break); ChatIntegrationTest.socketStatusTransitions polls for status transition rather than asserting in the same instant the OPEN handler fires (release-pipeline timing flake). 5 new verifier tests + 6 governance-JSON tests.

Changed

• drop org.json:json — Jackson 3 only (CVE hygiene) RoomProtocolCodec + SimpleRestInterceptor migrated to tools.jackson; brace-balanced reader preserves SwaggerSocket header/body chunk semantics; ALLOW_SINGLE_QUOTES kept for wire compatibility; org.json removed from parent + 3 spring-boot samples.
• bump version to 4.0.41
• prepare for next development iteration 4.0.42-SNAPSHOT

Atmosphere 4.0.41

Changed — A2A v1.0.0 alignment (wire-breaking)

• atmosphere-a2a retracked to A2A v1.0.0 (a2aproject/A2A@v1.0.0, released 2026-03-12). The pre-1.0 wire surface was the slash-style method names (message/send, tasks/get, …) and a polymorphic Part envelope; both are gone in v1.0.0.
• JSON-RPC method names switched to PascalCase per spec §9.4 — SendMessage, SendStreamingMessage, GetTask, ListTasks, CancelTask, SubscribeToTask, the four {Create,Get,List,Delete}TaskPushNotificationConfig operations, and GetExtendedAgentCard. The pre-1.0 slash names and the old tasks/pushNotification/* path are aliased to their v1.0.0 equivalents at handler entry, with a one-time WARN per legacy method seen — existing Atmosphere clients keep working through the transition.
• HTTP+JSON / REST binding added — colon-verb endpoints (POST /tasks/{id}:cancel, POST /tasks/{id}:subscribe, POST /message:send / :stream), pushNotificationConfigs CRUD URLs, and GET /extendedAgentCard are recognized by A2aHandler. REST requests are translated to JSON-RPC envelopes and dispatched through the same handler so the two bindings agree by construction (Mode Parity invariant #7).
• Type schema rewrite under org.atmosphere.a2a.types:
  • Part collapses three legacy subtypes (TextPart / FilePart / DataPart) into a single record carrying a text | raw | url | data oneof plus shared metadata, filename, mediaType. The deserializer continues to accept the pre-1.0 {"type":"text",…} / {"kind":"text",…} envelopes for migration.
  • Message.role is now the Role enum (ROLE_USER / ROLE_AGENT per ADR-001 ProtoJSON). Lower-case legacy forms parse for back-compat.

... (truncated)

Changelog

Sourced from org.atmosphere:atmosphere-runtime's changelog.

[4.0.42] - 2026-05-01

Added

• atmosphere-verifier — plan-and-verify (Meijer "Guardians of the Agents") New module modules/verifier/ + sample samples/spring-boot-guarded-email-agent/ — sealed Workflow AST, ServiceLoader-discovered PlanVerifier chain (Allowlist/WellFormed/Capability/Taint/Automaton/SmtChecker SPI), @​Sink + @​RequiresCapability scanners, PlanAndVerify orchestrator, WorkflowExecutor with partial-env on failure, verify CLI; sample REST + UI exercises the inbox-exfiltration scenario end-to-end (refused before any tool fires) — 74 unit + 4 boot + 6 Playwright tests, all CI green on the feature branch.

Fixed

• fail-closed verifier empty-chain, JSON-escape govern. deny, deflake wasync PlanAndVerify.withDefaults + VerifyCli runChain throw / emit chain-empty violations when ServiceLoader yields no providers (P1: silent fail-open under shading / native-image / fat-jar relocation); governance-deny tool result routes every interpolated field through ToolBridgeUtils.escapeJson via a new buildGovernanceDenyJson helper (P2: backslash/newline/control char break); ChatIntegrationTest.socketStatusTransitions polls for status transition rather than asserting in the same instant the OPEN handler fires (release-pipeline timing flake). 5 new verifier tests + 6 governance-JSON tests.

Changed

• drop org.json:json — Jackson 3 only (CVE hygiene) RoomProtocolCodec + SimpleRestInterceptor migrated to tools.jackson; brace-balanced reader preserves SwaggerSocket header/body chunk semantics; ALLOW_SINGLE_QUOTES kept for wire compatibility; org.json removed from parent + 3 spring-boot samples.
• bump version to 4.0.41
• prepare for next development iteration 4.0.42-SNAPSHOT

[4.0.41] - 2026-04-29

Changed — A2A v1.0.0 alignment (wire-breaking)

• atmosphere-a2a retracked to A2A v1.0.0 (a2aproject/A2A@v1.0.0, released 2026-03-12). The pre-1.0 wire surface was the slash-style method names (message/send, tasks/get, …) and a polymorphic Part envelope; both are gone in v1.0.0.
• JSON-RPC method names switched to PascalCase per spec §9.4 — SendMessage, SendStreamingMessage, GetTask, ListTasks, CancelTask, SubscribeToTask, the four {Create,Get,List,Delete}TaskPushNotificationConfig operations, and GetExtendedAgentCard. The pre-1.0 slash names and the old tasks/pushNotification/* path are aliased to their v1.0.0 equivalents at handler entry, with a one-time WARN per legacy method seen — existing Atmosphere clients keep working through the transition.
• HTTP+JSON / REST binding added — colon-verb endpoints (POST /tasks/{id}:cancel, POST /tasks/{id}:subscribe, POST /message:send / :stream), pushNotificationConfigs CRUD URLs, and GET /extendedAgentCard are recognized by A2aHandler. REST requests are translated to JSON-RPC envelopes and dispatched through the same handler so the two bindings agree by construction (Mode Parity invariant #7).
• Type schema rewrite under org.atmosphere.a2a.types:
  • Part collapses three legacy subtypes (TextPart / FilePart / DataPart) into a single record carrying a text | raw | url | data oneof plus shared metadata, filename, mediaType. The deserializer continues to accept the pre-1.0 {"type":"text",…} / {"kind":"text",…} envelopes for migration.
  • Message.role is now the Role enum (ROLE_USER / ROLE_AGENT per ADR-001 ProtoJSON). Lower-case legacy forms parse for back-compat.

... (truncated)

Commits

• 0c1878d release: Atmosphere 4.0.42
• 4f40968 chore(cpr): drop org.json:json — Jackson 3 only (CVE hygiene)
• d1d971c fix: fail-closed verifier empty-chain, JSON-escape govern. deny, deflake wasync
• db2312d feat(verifier): atmosphere-verifier — plan-and-verify (Meijer "Guardians of t...
• a680d3f chore(cli): bump version to 4.0.41
• b19beeb chore: prepare for next development iteration 4.0.42-SNAPSHOT
• 1cd8fa6 release: Atmosphere 4.0.41
• f4f81d6 ci(cli): rename overlay-e2e step to "(7 runtimes)" — matrix is now complete
• 1e8bac1 test(cli): boot all 7 runtimes via overlay e2e (was 4 of 7)
• f5ee2eb test(cli): add semantic-kernel to overlay e2e matrix
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Superseded by #3103.