feat: Stabilisation (#9)

* Add OPA permission calls to all applicable coprocessor hooks with test coverage for most of them

* add claude.md to gitignore and reduce log level to trace for high frequency calls

* bump to hbase 2.6.4

* check default namespace permissions on namespace actions

* added reflection test to confirm coverage

* renamed ctx variable consistently and refactored requirePermission

* introduce OpType to add granularity

* implement Filter-based preCheckAndPut/preCheckAndDelete overloads

* add mutation checks

* pass families to permission checker

* pass map of key + families to permission checker

* check pass-throughs and no-ops

* fix 2 warnings

* Add OPA policy testing layer design doc

Describes a fast intermediate test layer that captures unit-test WireMock
payloads, remaps usernames to Rego-compatible principals, and validates the
Rego policy logic using the opa test CLI — without integration test overhead.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Add OPA policy testing implementation plan

Five tasks: OpaFixtureWriter class, test wiring, Rego files,
Maven plugins (download-maven-plugin + exec-maven-plugin), and
end-to-end verification.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Add OpaFixtureWriter for capturing WireMock OPA fixtures

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Fix OpaFixtureWriter concurrency: single monitor, plain int counters

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Wire OpaFixtureWriter into test teardown and WireMock listener

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Filter system-user fixtures; fix listener registration in Variants test

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Use @before for listener registration; document fixture filter

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Add Rego policy file and OPA test suite

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Add download-maven-plugin and exec-maven-plugin for OPA policy testing

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Move OPA fixtures to target/, add print counts, untrack plan docs

- OpaFixtureWriter writes to target/test-rego/fixtures.json (was
  src/test/rego/fixtures.json) so test runs no longer dirty the working tree
- pom.xml opa-policy-test execution updated to match new path
- hbase_test.rego: add print() calls so --explain notes reports fixture counts
- .gitignore: add /docs/plans/ (plan docs are local-only, not committed)
- Remove stale design doc and completed implementation plan from git

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Add unit tests for bulk load and lock hooks

prePrepareBulkLoad, preCleanupBulkLoad, preBulkLoadHFile (region-level),
preLockHeartbeat, and preRequestLock (table, namespace, and region-scope
branches) were implemented but had no unit tests. Brings coverage from
83 to 90 passing tests.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* add final

* clarified comment

* updated interface check test

* make casing consistent with rego rules in integration tests

* added readonly tests to match integration test coverage

* replace lambda with a more readable loop

* bind exec to skip tests so it only runs when the prerequisite files are created

* bump maven plugins

* google-format, error-prone etc. plugins

* bumped opa to 1.12.3

* bump caffeine

* consolidate private method with public one

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: adwk67

.gitignore

@@ -1,2 +1,6 @@
 /target/
-/dependency-reduced-pom.xml
+/dependency-reduced-pom.xml
+/CLAUDE.md
+.claude/
+/target/opa
+/docs/plans/

pom.xml

@@ -37,24 +37,25 @@
     <maven.compiler.release>${java.version}</maven.compiler.release>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 
-    <cleanthat.version>2.17</cleanthat.version>
-    <error-prone.version>2.27.1</error-prone.version>
-    <google-java-format.version>1.19.2</google-java-format.version>
+    <cleanthat.version>2.25</cleanthat.version>
+    <error-prone.version>2.31.0</error-prone.version>
+    <google-java-format.version>1.24.0</google-java-format.version>
 
-    <maven-clean-plugin.version>3.3.2</maven-clean-plugin.version>
-    <maven-compiler-plugin.version>3.13.0</maven-compiler-plugin.version>
-    <maven-deploy-plugin.version>3.1.2</maven-deploy-plugin.version>
-    <maven-enforcer-plugin.version>3.4.1</maven-enforcer-plugin.version>
-    <maven-install-plugin.version>3.1.2</maven-install-plugin.version>
-    <maven-jar-plugin.version>3.4.1</maven-jar-plugin.version>
-    <maven-resources-plugin.version>3.3.1</maven-resources-plugin.version>
-    <maven-site-plugin.version>3.12.1</maven-site-plugin.version>
-    <maven-surefire-plugin.version>3.2.5</maven-surefire-plugin.version>
-    <spotless-maven-plugin.version>2.43.0</spotless-maven-plugin.version>
+    <maven-clean-plugin.version>3.5.0</maven-clean-plugin.version>
+    <maven-compiler-plugin.version>3.15.0</maven-compiler-plugin.version>
+    <maven-deploy-plugin.version>3.1.4</maven-deploy-plugin.version>
+    <maven-enforcer-plugin.version>3.6.2</maven-enforcer-plugin.version>
+    <maven-install-plugin.version>3.1.4</maven-install-plugin.version>
+    <maven-jar-plugin.version>3.5.0</maven-jar-plugin.version>
+    <maven-resources-plugin.version>3.5.0</maven-resources-plugin.version>
+    <maven-site-plugin.version>3.21.0</maven-site-plugin.version>
+    <maven-surefire-plugin.version>3.5.5</maven-surefire-plugin.version>
+    <spotless-maven-plugin.version>2.44.5</spotless-maven-plugin.version>
 
-    <hbase.version>2.6.0</hbase.version>
+    <hbase.version>2.6.4</hbase.version>
     <hbase.protobuf.version>2.5.0</hbase.protobuf.version>
-    <caffeine.version>2.8.1</caffeine.version>
+    <caffeine.version>3.2.0</caffeine.version>
+    <opa.version>1.12.3</opa.version>
   </properties>
 
   <dependencies>
@@ -106,6 +107,12 @@
       <artifactId>hbase-testing-util</artifactId>
       <version>${hbase.version}</version>
       <scope>test</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>org.apache.directory.jdbm</groupId>
+          <artifactId>apacheds-jdbm1</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>org.slf4j</groupId>
@@ -133,6 +140,30 @@
     </dependency>
   </dependencies>
 
+  <profiles>
+    <profile>
+      <id>opa-linux-amd64</id>
+      <activation>
+        <os><name>Linux</name><arch>amd64</arch></os>
+      </activation>
+      <properties><opa.classifier>linux_amd64_static</opa.classifier></properties>
+    </profile>
+    <profile>
+      <id>opa-mac-amd64</id>
+      <activation>
+        <os><name>Mac OS X</name><arch>x86_64</arch></os>
+      </activation>
+      <properties><opa.classifier>darwin_amd64</opa.classifier></properties>
+    </profile>
+    <profile>
+      <id>opa-mac-arm64</id>
+      <activation>
+        <os><name>Mac OS X</name><arch>aarch64</arch></os>
+      </activation>
+      <properties><opa.classifier>darwin_arm64</opa.classifier></properties>
+    </profile>
+  </profiles>
+
   <build>
     <plugins>
       <plugin>
@@ -234,6 +265,62 @@
         <artifactId>maven-surefire-plugin</artifactId>
         <version>${maven-surefire-plugin.version}</version>
       </plugin>
+      <plugin>
+        <groupId>com.googlecode.maven-download-plugin</groupId>
+        <artifactId>download-maven-plugin</artifactId>
+        <version>1.8.1</version>
+        <executions>
+          <execution>
+            <id>download-opa</id>
+            <phase>process-test-resources</phase>
+            <goals><goal>wget</goal></goals>
+            <configuration>
+              <url>https://github.com/open-policy-agent/opa/releases/download/v${opa.version}/opa_${opa.classifier}</url>
+              <outputDirectory>${project.build.directory}</outputDirectory>
+              <outputFileName>opa</outputFileName>
+              <skipCache>false</skipCache>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <groupId>org.codehaus.mojo</groupId>
+        <artifactId>exec-maven-plugin</artifactId>
+        <version>3.1.0</version>
+        <executions>
+          <execution>
+            <id>chmod-opa</id>
+            <phase>process-test-resources</phase>
+            <goals><goal>exec</goal></goals>
+            <configuration>
+              <executable>chmod</executable>
+              <arguments>
+                <argument>+x</argument>
+                <argument>${project.build.directory}/opa</argument>
+              </arguments>
+            </configuration>
+          </execution>
+          <execution>
+            <id>opa-policy-test</id>
+            <phase>verify</phase>
+            <goals><goal>exec</goal></goals>
+            <configuration>
+              <executable>${project.build.directory}/opa</executable>
+              <workingDirectory>${project.basedir}</workingDirectory>
+              <arguments>
+                <argument>test</argument>
+                <argument>src/test/rego/hbase.rego</argument>
+                <argument>src/test/rego/hbase_test.rego</argument>
+                <argument>target/test-rego/fixtures.json</argument>
+                <argument>--explain</argument>
+                <argument>notes</argument>
+                <argument>-v</argument>
+              </arguments>
+              <skip>${skipTests}</skip>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
       <plugin>
         <groupId>com.diffplug.spotless</groupId>
         <artifactId>spotless-maven-plugin</artifactId>