v0.4.0

Added

• MIME-focused detectBytes, detectPath, and detectStream APIs returning
  DetectedContentType.
• Allowlist verification APIs via ExpectedContentTypes, VerificationResult, and
  VerificationReason.
• Optional dev.jcputney:magika-java-tika artifact with an embedded-ONNX Apache Tika
  Detector adapter and service-loader registration.
• GitHub CodeQL static analysis workflow (.github/workflows/codeql.yml) running on
  push, pull request, and weekly cron with the security-and-quality query suite.
• OWASP Dependency-Check SCA scan (.github/workflows/dependency-check.yml) running
  on push to main, weekly cron, and workflow_dispatch. Uses the
  dependency-check/Dependency-Check_Action Docker wrapper (pre-warmed NVD dataset),
  scans only the consumer-facing runtime closure assembled via
  dependency:copy-dependencies, and fails the build on CVSS ≥ 7. SARIF uploaded to
  the GitHub Security tab.
• PR-time dependency review via actions/dependency-review-action
  (.github/workflows/dependency-review.yml) — fast GHSA-backed check on every pull
  request, complements the deeper scheduled OWASP scan.
• Dependabot auto-merge workflow (.github/workflows/dependabot-auto-merge.yml) that
  queues patch and minor Dependabot bumps for --auto --squash once required checks
  pass.
• Release workflow now attaches per-module CycloneDX SBOMs (JSON + XML) to the GitHub
  Release and generates Sigstore-backed actions/attest-build-provenance attestations
  for the published JARs plus actions/attest-sbom attestations linking each SBOM to
  its JAR.

Changed

• Project converted to a Maven reactor while preserving the core artifact coordinates
  dev.jcputney:magika-java.
• Runtime dependency bumps: jackson-databind 2.21.2 → 2.21.3, slf4j-api 2.0.17 →
  2.0.18, onnxruntime 1.25.0 → 1.26.0.

---

Commit-level Changes

New Features

• feat(perf): add JMH benchmarks under perf profile
• feat: add Tika-compatible detection APIs

Bug Fixes

• fix: harden lifecycle and stream handling per dg/codex review
• fix(build): sync child pom parent refs to 0.4.0-SNAPSHOT

Dependency Updates

• deps(maven): bump com.microsoft.onnxruntime:onnxruntime (#9)
• deps(maven): bump com.fasterxml.jackson.core:jackson-databind (#5)
• deps(maven): bump com.diffplug.spotless:spotless-maven-plugin (#11)
• deps(maven): bump version.slf4j from 2.0.17 to 2.0.18 (#10)
• deps(maven): bump org.apache.maven.plugins:maven-invoker-plugin (#8)

Other Changes

• ci(release): rewrite SSH URL to HTTPS for release:prepare push (#16)
• ci(release): push via RELEASE_TOKEN PAT instead of deploy-key SSH (#15)
• docs: prep CHANGELOG + README for v0.4.0 release (#14)
• ci(depcheck): narrow scan to runtime closure, drop plugin-transitive noise (#13)
• ci(depcheck): switch to Dependency-Check_Action wrapper (#12)
• ci: add CodeQL + OWASP Dependency-Check, attach SBOM and attestations to releases (#7)
• Add tip for code audits in README
• Adding personal CTA
• Delete CLAUDE.md
• ci: version bump
• docs(changelog): backfill 0.3.0 publish date (2026-04-27)

v0.3.0

Added

• First artifact published to Maven Central as dev.jcputney:magika-java:0.3.0.
• GPG-signed jar / sources / javadoc artifacts (REL-10).
• CycloneDX SBOM attached to the published bundle in JSON + XML format, schema 1.6 (REL-13).
• Sonatype Central Portal publishing pipeline via central-publishing-maven-plugin 0.10.0 (REL-11).
• maven-release-plugin 3.3.1 tag + version-bump flow, triggered manually via the release.yml
  GitHub Actions workflow (workflow_dispatch) gated by a 3-OS verify matrix (REL-12).
• Snapshot publishing to GitHub Packages on every push to main, GPG-signed for signature
  continuity with the Central artifacts.
• README.md Maven Central badge + Maven/Gradle install snippet (REL-16).

Changed

• GitHub Actions workflow versions bumped to actions/checkout@v6 and actions/setup-java@v5
  to match the release pipeline and align with the Node 24 runner runtime.

Notes

• This is the first artifact published to Maven Central. Pre-v0.3 versions (v0.1, v0.2)
  shipped as local-install only and are captured in git tag annotations (v0.1, v0.2)
  and in the .planning/milestones/ archives. No ## [0.1.0] / ## [0.2.0] sections
  appear here by design — see README.md ## Breaking changes in v0.2 for the v0.1→v0.2
  source-break that landed in pre-Central history.

---

Commit-level Changes

New Features

• refactor(api): rename MagikaPrediction.label to type; drop pre-release breaking-changes note
• Increase builder build time limit to 100ms
• Add Dependabot config for Maven and Actions
• ci(release): add pre-flight job — fast bash checks before 3-OS verify matrix
• docs(readme): expand Quickstart into a full Getting started section
• test(05-03): add CentralPublishVerificationTest — Layer (d) post-publish probe
• test(05-03): add ReleasePreFlightTest — Layer (b) v0.3.0 publish gate
• ci(05-01): add snapshot.yml — workflow_call verify + signed deploy on push to main
• ci(05-01): add release.yml — workflow_dispatch + 3-OS verify gate + Central deploy
• ci(05-01): refactor ci.yml to workflow_call shape, bump action versions
• feat(05-01): add release profiles + pluginManagement to pom.xml
• test(04-02): add DocConsistencyLintTest with 12 inline @tempdir + canary tests (PROC-01)
• test(04-02): add DocConsistencyLint scanner (PROC-01)
• test(04-02): add SummaryFrontmatter typed Jackson record (PROC-01)
• test(03-03): add negative JPMS consumer IT — must-fail compile on internal-class reference (REF-03 D-22)
• test(03-03): wire maven-invoker-plugin + add positive JPMS consumer IT (REF-03 D-22)
• feat(03-03): add module-info.java with single export dev.jcputney.magika (REF-03 / D-03 / D-21)
• test(03-02): add ConcurrentLazyInitIT for SC-6 (REF-02 + REF-04 paired contract)
• test(03-02): add BatchIdentifyIT for SC-2 (REF-02)
• test(03-02): add BuilderLazyInitTest for SC-4 + SC-5 (REF-04)
• feat(03-02): defer OrtSession.create() to first identify* via synchronized lazy-init (REF-04)
• feat(03-01): introduce Status enum + extend MagikaResult to 4-component record (REF-01)
• test(02-02): add 5 oracle-pinned fixtures for TEST-11/12/13
• test(02-02): wire UpstreamParityIT for three prediction modes (TEST-11/12/13 harness)
• test(02-01): scaffold Wave-0 RED tests for DEBT-01/02/03 + 7th ArchUnit rule
• feat(01-05): add Magika facade + MagikaBuilder + MagikaResult/MagikaPrediction records
• feat(1-04): OnnxInferenceEngine + OnnxModelLoader + loader unit test
• feat(1-03): LabelResolver + FallbackLogic + ByteWindowExtractor + TEST-10 smoke
• feat(1-03): Jackson config parsing — ThresholdConfig + ContentTypeRegistry + loader (CFG-01..05)
• feat(1-03): enums + InferenceEngine seam + Utf8Validator + ArchUnit rules
• feat(1-02): exception hierarchy + sealed InputSource + ByteStrip (API-09, IO-01, IO-03)

Bug Fixes

• fix(ci): add .gitattributes to prevent CRLF mangling on Windows checkouts
• fix(jpms): promote ContentTypeLabel + OverwriteReason; open config to Jackson
• fix(release): peer-review fixes — branch guard, GH Packages auth, README accuracy
• fix(01-07): drop silent long->int narrowing in identifyPath (WR-03)
• fix(01-07): throw on argmax out of label space (WR-02)
• fix(01-07): restore D-11 three-event log contract (WR-01)
• fix(01-07): add post-token "stripped content too short" branch (CR-02)
• fix