feat: lock/digest integrity verification (aesh + resolver SPI)

[maxandersen]

This PR adds lock-based integrity + reproducibility checks for JBang refs, ported to the aesh CLI framework and wired into the Maven Resolver trusted-checksums SPI.

Supersedes #2410 (which was picocli-based and predates the aesh migration).

p.s. The IKEA table from last time is holding up great.

What's included

• New command: jbang lock <ref>
• Default lock file behavior:
  • local file refs (app.java) → app.java.lock
  • alias/GAV/URL refs → .jbang.lock
  • override via --lock-file=...
• Run policy flag: --locked=<none|lenient|strict>
  • none: ignore lock checks
  • lenient (default): if lock data exists, enforce it; if lock missing, run normally
  • strict: require lock entry when lock file exists and enforce strict matching
• Lock structure per ref:
  • ref=sha256:... (main resource digest)
  • ref.sources=... (resolved source manifest)
  • ref.deps=... (resolved transitive dependency coordinates)
  • ref.dep.<gav>=sha256:... (per-artifact dependency digests)

Verification behavior

When lock data exists, JBang validates:

1. Main resource digest
2. Source manifest (.sources) consistency
3. Dependency graph (.deps) consistency
4. Per-artifact dependency digests (.dep.<gav>)

Mismatch → fail with explicit error including resolved file path and fix guidance.

Maven Resolver integration

Per discussion with @cstamas, this implements the resolver's TrustedChecksumsSource SPI:

• JBangTrustedChecksumsSource implements TrustedChecksumsSource + Writer backed by .jbang.lock
• Lock command uses the Writer interface to record per-artifact checksums
• DigestUtil delegates to ChecksumAlgorithmHelper.calculate() from maven-resolver-spi instead of custom MessageDigest code
• Algorithm name mapping between lock-file format (sha256) and resolver format (SHA-256)

Today the TC source is used standalone by Lock and Run. When MIMA gains an extension point for custom trusted-checksums sources (no such API exists through 2.4.45 or 3.0.0-alpha-3), the same implementation can be injected directly into the resolver pipeline — at which point the manual dep-digest verification loop in Run can be deleted.

Why this design

• Keeps "just run it" workflow intact when no lock is present.
• Provides stronger guarantees as soon as lock data exists.
• Separates mutation (jbang lock) from execution (jbang run ...).
• Reuses resolver's own checksum infrastructure instead of rolling custom crypto.
• Shared DigestUtil eliminates code duplication between Lock and Run.

Feedback requested

1. Are --locked mode semantics (none|lenient|strict) right?
2. Is <script>.lock the right default for local file refs?
3. Is properties-based lock format acceptable for v1 with these keys?
4. Should strict mode require complete per-artifact digests for every locked dep (current behavior)?
5. Is the TrustedChecksumsSource SPI the right abstraction to build on for the MIMA integration path?

Related issues

Relates to:

• Support script/alias SHA verification #1989 (script/alias SHA verification)
• Support version pinning for aliases/scripts #1979 (pinning behavior for aliases/scripts)

Supersedes / consolidates discussion from:

• lock sha/digest POC #2410 (original picocli-based lock PR)
• Add script checksums to catalogs #938 (catalog checksums)
• check checksum are being verified to avoid inocmplete/invalid data #687 (older checksum/integrity thread)

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🏷️ Required labels (at least one) (1)

• ai-review

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: a6f2d2c0-a5c2-4da7-8f44-5ab4afc24e93

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cstamas]

compileOnly: as both are included into standalone-static fat jar below, plus, SPI is already transitive dep of context (it pull api, spi and util, the public APIs).