
feat(cross-repo): link Maven library dependencies#442

Open
nvt-pankajsharma wants to merge 6 commits into DeusData:main from nvt-pankajsharma:feat/cross-repo-maven-library-links-v2

Conversation

@nvt-pankajsharma nvt-pankajsharma commented Jun 11, 2026


Summary

Fixes #440

Adds Maven artifact dependency matching to cross-repo-intelligence so independently indexed repos can expose shared-library usage, not only HTTP/async/channel relationships.

This PR adds:

  • src/pipeline/pass_cross_repo_maven.[h] for Maven-specific cross-repo matching
  • CROSS_LIBRARY_DEPENDS_ON edges in the consumer/source project
  • CROSS_LIBRARY_USED_BY edges in the provider/target project
  • cross-repo mode result counts for cross_library_edges
  • architecture summary support for the new CROSS_LIBRARY_* edge types
  • regression coverage for Maven dependency usage, plugin/dependency-management/comment exclusions, generated identity collisions, stale cleanup, allocation-growth failure paths, JSON-safe properties, and test environment isolation

Scope

This is intentionally scoped to direct Maven pom.xml artifact dependency relationships. Gradle, npm, Go modules, Python packages, and source import-to-artifact resolution should be follow-up issues.

Maven plugin classpath dependencies are intentionally not treated as service/library usage. Maven <exclusion> entries are also intentionally ignored because they describe libraries excluded from transitive resolution, not libraries used by the consuming project.

TDD record

  • cross_repo_maven_dependency_creates_library_edges
    • Red reason: no Maven library edges were emitted by cross-repo-intelligence; later tightened to prove Maven exclusions do not count as library usage.
  • cross_repo_maven_dependency_escapes_library_edge_props
    • Red reason: handwritten JSON properties became malformed when Maven values contained quotes.
  • cross_repo_maven_dependency_management_does_not_create_library_edge
    • Red reason: dependency-management declarations were treated as actual usage dependencies.
  • cross_repo_maven_commented_dependency_does_not_create_library_edge
    • Red reason: commented-out Maven dependencies were treated as actual usage dependencies.
  • cross_repo_maven_plugin_dependency_does_not_create_library_edge
    • Red reason: Maven plugin classpath dependencies were treated as service/library usage.
  • cross_repo_maven_cleanup_preserves_unrelated_nodes
    • Red reason: generated library-node cleanup could delete unrelated nodes with reserved-looking qualified names.
  • cross_repo_maven_provider_rerun_preserves_incoming_used_by
    • Red reason: rerunning cross-repo matching for a provider deleted valid incoming CROSS_LIBRARY_USED_BY links.
  • cross_repo_maven_removed_dependency_clears_provider_used_by
    • Red reason: removing a dependency cleared consumer-side links but left stale provider-side CROSS_LIBRARY_USED_BY links.
  • cross_repo_maven_long_coordinates_do_not_collide
    • Red reason: distinct Maven coordinates sharing a long prefix collapsed into one persisted library edge/node.
  • cross_repo_maven_fixture_restores_cache_dir
    • Red/review reason: the Maven fixture changed process-global CBM_CACHE_DIR without restoring it for later tests.
  • cross_repo_maven_long_references_do_not_collide
    • Red reason: long Maven coordinates and POM paths could truncate generated qualified names and merge distinct library nodes.
  • cross_repo_maven_very_long_pom_paths_do_not_truncate
    • Red reason: distinct POM paths sharing the first 512 bytes collapsed into one generated Library node.
  • cross_repo_maven_failed_growth_preserves_capacity
    • Red/review reason: failed dependency-list growth mutated capacity before allocation success.
  • cross_repo_maven_growth_rejects_byte_overflow_before_realloc
    • Red reason: byte-size overflow could reach realloc and record a larger capacity.
  • cross_repo_project_list_initial_alloc_failure_returns_empty
    • Red/review reason: wildcard target-project collection did not handle initial allocation failure before writing to the project array.

Review-fix-loop evidence

Allocation and bounded-growth sweep:

  • Class: bounded representation of open-ended counts and byte-size allocation growth.
  • Similar patterns checked: Maven dependency-list growth, artifact-list growth, POM path-list growth, and cross-repo project-list initial/growth allocation.
  • Fix: capacity and byte-size multiplication are checked before allocation; capacity updates happen only after allocation succeeds; project-list initialization returns an empty result on allocation failure.
  • Boundary tests: failed realloc preserves pointer/capacity, byte-size overflow is rejected before allocator invocation, and project-list initial allocation failure clears the output pointer.

Generated identity and cleanup sweep:

  • Class: generated identity collision and stale/generated-state cleanup.
  • Similar patterns checked: Maven coordinates, POM paths, generated Library and LibraryConsumer node qualified names, source-side cleanup, provider-side reverse cleanup.
  • Fix: generated Maven node identities preserve full inputs; source cleanup removes only generated Library nodes and outgoing CROSS_LIBRARY_DEPENDS_ON; reverse CROSS_LIBRARY_USED_BY cleanup is scoped to the source project that created it.
  • Boundary tests: long common-prefix Maven coordinates, very long common-prefix POM paths, provider rerun preserving incoming usage, dependency removal clearing provider usage, and unrelated reserved-prefix function preservation.

False-positive sweep:

  • Class: unchecked parse scope / false-positive relationship extraction.
  • Similar patterns checked: dependency management, XML comments, Maven plugin dependency blocks, and Maven exclusion metadata.
  • Fix: only direct Maven dependency declarations outside non-usage blocks produce library usage links; plugin classpath dependencies and exclusions are ignored.
  • Boundary tests: dependency-management, commented dependency, plugin dependency, and exclusion-in-dependency cases do not create false usage links.

Verification

  • make -f Makefile.cbm test passed with 5619 passed.
  • Focused Maven/cross-repo regression stream passed the relevant tests, including dependency usage, exclusion ignored as non-usage, JSON escaping, dependency-management exclusion, commented dependency exclusion, and plugin dependency exclusion.
  • make -f Makefile.cbm lint-format CLANG_FORMAT="$(brew --prefix clang-format)/bin/clang-format" passed locally.
  • scripts/check-dco.sh origin/main..HEAD passed locally for all six PR commits.
  • git diff --check origin/main...HEAD passed locally.
  • GitHub DCO, security-static, and license-gate passed on the prior signed head; this push reruns the same gates on the updated head.
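The parse-scope rules from the Scope section (only direct pom.xml dependencies count; dependencyManagement, plugin classpath dependencies, exclusions and commented-out XML do not) and the bounded-growth rule from the review-fix-loop evidence (overflow checked before realloc, capacity updated only on success), as one added example in C. This is not code from this PR or from the DeusData project; C is used because the PR's realloc/capacity notes point at a C code base. It assumes a plain element-path scanner rather than the project's real XML handling. DepList, deplist_grow, parse_pom_dependencies, sample_dependency_count and grow_rejects_overflow are invented names, and SAMPLE_POM is a constructed pom.xml fragment:

```c
/* Added example, not the project's code: a minimal pom.xml scanner that keeps only direct
 * <dependency> coordinates under a project-level <dependencies> block (skipping XML comments,
 * <dependencyManagement>, <plugin> dependencies and <exclusions>) in a list whose growth is
 * overflow-checked before realloc. Every name below is invented for this example. */
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum { MAX_DEPTH = 32, NAME_LEN = 64, COORD_LEN = 256 };
typedef struct { char group[COORD_LEN]; char artifact[COORD_LEN]; } MavenDep;
typedef struct { MavenDep *items; size_t count, capacity; } DepList;

/* Count and byte-size overflow are rejected before the allocator runs; items and capacity
 * change only after realloc succeeds, so a failed grow leaves the list exactly as it was. */
int deplist_grow(DepList *l) {
    size_t want = l->capacity ? l->capacity * 2 : 4;
    if (want <= l->capacity) return 0;                /* element count wrapped */
    if (want > SIZE_MAX / sizeof(MavenDep)) return 0; /* byte size would wrap */
    MavenDep *p = realloc(l->items, want * sizeof(MavenDep));
    if (!p) return 0;
    l->items = p; l->capacity = want;
    return 1;
}

/* Trimmed element text; overlong values are dropped, not truncated, since truncation is
 * what makes two distinct long coordinates collapse into one identity. */
static void copy_text(char *dst, size_t cap, const char *s, const char *e) {
    while (s < e && isspace((unsigned char)*s)) s++;
    while (e > s && isspace((unsigned char)e[-1])) e--;
    size_t n = (size_t)(e - s);
    if (n == 0 || n >= cap) { dst[0] = '\0'; return; }
    memcpy(dst, s, n); dst[n] = '\0';
}

/* Path ends in dependencies/dependency and no ancestor is a non-usage block. */
static int in_scope(char stack[][NAME_LEN], int depth) {
    if (depth < 2 || strcmp(stack[depth - 1], "dependency") || strcmp(stack[depth - 2], "dependencies")) return 0;
    for (int i = 0; i < depth; i++)
        if (!strcmp(stack[i], "dependencyManagement") || !strcmp(stack[i], "plugin")) return 0;
    return 1;
}

/* Appends direct dependencies to out and returns how many were added. */
size_t parse_pom_dependencies(const char *xml, DepList *out) {
    char stack[MAX_DEPTH][NAME_LEN]; int depth = 0;
    MavenDep cur = {{0}, {0}}; size_t start = out->count;
    const char *p = xml, *text_start = xml;
    while ((p = strchr(p, '<')) != NULL) {
        if (!strncmp(p, "<!--", 4)) {                 /* commented-out XML never counts */
            if (!(p = strstr(p + 4, "-->"))) break;
            p = text_start = p + 3;
            continue;
        }
        const char *gt = strchr(p, '>'); if (!gt) break;
        if (p[1] == '/' && depth > 0) {               /* closing tag (stray closes are ignored) */
            const char *top = stack[depth - 1];
            if (in_scope(stack, depth - 1)) {         /* direct child of a counted dependency */
                if (!strcmp(top, "groupId")) copy_text(cur.group, COORD_LEN, text_start, p);
                if (!strcmp(top, "artifactId")) copy_text(cur.artifact, COORD_LEN, text_start, p);
            } else if (!strcmp(top, "dependency") && in_scope(stack, depth)) {
                if (cur.group[0] && cur.artifact[0]) {
                    if (out->count == out->capacity && !deplist_grow(out)) break;
                    out->items[out->count++] = cur;
                }
                memset(&cur, 0, sizeof cur);
            }
            depth--;
        } else if (p[1] != '/' && p[1] != '?' && p[1] != '!' && gt[-1] != '/') { /* opening tag */
            if (depth == MAX_DEPTH) break;            /* refuse absurd nesting */
            size_t n = strcspn(p + 1, " \t\r\n/>"); if (n >= NAME_LEN) n = NAME_LEN - 1;
            memcpy(stack[depth], p + 1, n); stack[depth++][n] = '\0';
        }
        p = text_start = gt + 1;
    }
    return out->count - start;
}

/* Constructed sample: a managed-only, a real (with an exclusion), a commented-out,
 * a second real and a plugin dependency. Only the two real ones should count. */
static const char SAMPLE_POM[] =
    "<project><dependencyManagement><dependencies><dependency><groupId>com.example</groupId>"
    "<artifactId>managed-only</artifactId></dependency></dependencies></dependencyManagement>"
    "<dependencies><dependency><groupId> com.example </groupId><artifactId>shared-lib</artifactId>"
    "<exclusions><exclusion><groupId>com.example</groupId><artifactId>excluded-lib</artifactId>"
    "</exclusion></exclusions></dependency>"
    "<!-- <dependency><groupId>com.example</groupId><artifactId>stale</artifactId></dependency> -->"
    "<dependency><groupId>org.acme</groupId><artifactId>other-lib</artifactId></dependency>"
    "</dependencies><build><plugins><plugin><dependencies><dependency><groupId>com.example"
    "</groupId><artifactId>plugin-dep</artifactId></dependency></dependencies></plugin>"
    "</plugins></build></project>";

/* Returns 2 when SAMPLE_POM yields exactly shared-lib and other-lib, else -1. */
int sample_dependency_count(void) {
    DepList l = {NULL, 0, 0};
    int n = (int)parse_pom_dependencies(SAMPLE_POM, &l);
    int ok = n == 2 && !strcmp(l.items[0].group, "com.example") && !strcmp(l.items[0].artifact, "shared-lib")
                    && !strcmp(l.items[1].group, "org.acme") && !strcmp(l.items[1].artifact, "other-lib");
    free(l.items);
    return ok ? n : -1;
}

/* Returns 1 when byte-size overflow is refused before realloc and the list is untouched. */
int grow_rejects_overflow(void) {
    DepList l = {NULL, 0, SIZE_MAX / sizeof(MavenDep)};
    return !deplist_grow(&l) && !l.items && l.capacity == SIZE_MAX / sizeof(MavenDep);
}
```

Two choices map onto the red tests listed above. A coordinate is recorded only when its element path ends in dependencies/dependency with no dependencyManagement or plugin ancestor, so managed versions, plugin classpaths, exclusion entries and commented-out XML contribute nothing; and deplist_grow checks both the doubled count and the resulting byte size before calling realloc and updates capacity only after it succeeds, so a failed growth cannot leave a capacity larger than the buffer. Overlong coordinates are dropped rather than truncated, the safer failure mode given the prefix-collision tests. One caveat not settled by the PR text: dependencies declared under profiles count as direct usage here, and whether the project treats them the same way is not stated.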

@nvt-pankajsharma nvt-pankajsharma force-pushed the feat/cross-repo-maven-library-links-v2 branch 2 times, most recently from 7dbddb6 to 911c01c on June 11, 2026 10:42
@nvt-pankajsharma nvt-pankajsharma marked this pull request as ready for review June 11, 2026 11:51
@nvt-pankajsharma nvt-pankajsharma marked this pull request as draft June 11, 2026 11:51
@nvt-pankajsharma nvt-pankajsharma force-pushed the feat/cross-repo-maven-library-links-v2 branch 2 times, most recently from c9002a5 to 7abffbb on June 12, 2026 11:52
@DeusData DeusData (Owner) commented
Heads-up: this project now validates every PR automatically — tests, lint, security/license gates, and DCO sign-off (CONTRIBUTING.md). Your branch predates this, so CI will flag the missing Signed-off-by trailers. Fixing it is one command: git rebase --signoff origin/main && git push --force-with-lease. No other action needed — and thanks again for the contribution!

@DeusData DeusData closed this Jun 12, 2026
@DeusData DeusData reopened this Jun 12, 2026
@DeusData DeusData closed this Jun 12, 2026
@DeusData DeusData reopened this Jun 12, 2026
@DeusData DeusData marked this pull request as ready for review June 12, 2026 18:05
Signed-off-by: Pankaj Sharma <192576993+nvt-pankajsharma@users.noreply.github.com>
@nvt-pankajsharma nvt-pankajsharma force-pushed the feat/cross-repo-maven-library-links-v2 branch 2 times, most recently from 31ad309 to 12141b4 on June 13, 2026 17:06
@nvt-pankajsharma nvt-pankajsharma force-pushed the feat/cross-repo-maven-library-links-v2 branch from 12141b4 to a8d6039 on June 14, 2026 09:10
Development

Successfully merging this pull request may close these issues.

Add cross-repo Maven library dependency links

2 participants