chore: replace unmaintained unix-maven-plugin with jdeb, upgrade Maven to 3.9.14 (#8487)

* Initial plan

* chore: replace unix-maven-plugin with jdeb for .deb packaging

Replace the unmaintained com.stratio.mojo.unix:unix-maven-plugin with
org.vafer:jdeb v1.14 for Debian package creation. This removes the
dependency on Maven 3.9.9 and enables upgrading to Maven 3.9.14.

- Change packaging from 'deb' to 'pom' (jdeb attaches .deb artifact)
- Use maven-dependency-plugin to unpack jetty-home and WAR
- Use maven-antrun-plugin to prepare staging directory
- Use jdeb to assemble the .deb package
- Create src/deb/control/ with control file and maintainer scripts
- Remove unix-maven-plugin from parent-pom plugin management
- Update Maven version from 3.9.9 to 3.9.14 across all workflows,
  devcontainer, and documentation

Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Hack23/cia/sessions/cfec7da8-214e-4e03-8dc5-beff1135cf9d

* chore: update release-drafter Maven version and add overwrite comment

Update .deb filename to match release workflow naming convention.
Add explanatory comment for overwrite attribute on cia.xml copy.
Update release-drafter.yml Maven version reference to 3.9.14.

Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Hack23/cia/sessions/cfec7da8-214e-4e03-8dc5-beff1135cf9d

* fix: move dependency-plugin unpack to process-classes phase to fix javadoc:aggregate

The unpack executions at compile phase caused MDEP-98 error during
javadoc:aggregate because the WAR reactor artifact wasn't packaged yet.
Moving to process-classes prevents this since javadoc:aggregate only
forks lifecycle up to compile, while still running before the antrun
staging at prepare-package phase.

Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Hack23/cia/sessions/9a4ef88b-e273-4e4c-8fd1-06b9eaa27784

* fix: apply review comments - idempotent control scripts, fix MDEP-98 in mvn test

- Make preinst idempotent: check if cia user exists before creating
- Make postinst idempotent: use ln -sf, check file existence, track
  setup_ok for all operations, idempotent properties update
- Make prerm idempotent: use -f flags, check existence before stop
- Replace maven-dependency-plugin unpack with Ant unzip tasks to fix
  MDEP-98 during both javadoc:aggregate AND mvn test reactor builds
  (process-classes phase was still reached by mvn test)

Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Hack23/cia/sessions/19ad2014-94dc-48ba-befc-353f23b94af8

* fix: apply review feedback — fix shebangs, guard postrm purge, clean staging dir

- Fix shebangs in all 4 control scripts: '#! /bin/bash' → '#!/bin/bash'
- Guard postrm destructive cleanup with '$1 = purge' to preserve
  logs/javamelody on upgrade/remove
- Add staging directory cleanup at start of antrun target to prevent
  stale files from prior builds without 'clean'

Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Hack23/cia/sessions/d2c69690-09e1-4709-8b70-4ea468d88ad0

* chore: initial plan for review feedback

Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Hack23/cia/sessions/bc588156-5dfa-401f-acdb-bb07c1116e16

* fix: make cacerts tolerant and use reactor WAR path

- postinst: Missing cacerts is now tolerant (warns but doesn't fail
  setup_ok), allowing installs on systems without ca-certificates-java
- pom.xml: WAR now referenced from reactor build output
  (../citizen-intelligence-agency/target/) instead of local repository,
  so 'mvn clean package' from repo root works without prior 'install'

Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Hack23/cia/sessions/bc588156-5dfa-401f-acdb-bb07c1116e16

* fix: apply review - root:root ownership, nologin shell, jre-headless suggest

- jdeb perm mapper: cia:cia → root:root to prevent privilege escalation
  (postinst still sets cia:cia on runtime dirs via chown)
- preinst: use /usr/sbin/nologin instead of /bin/sh for service account
- control: suggest openjdk-21-jre-headless instead of jdk-headless

Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Hack23/cia/sessions/14b48673-6d83-470f-87ee-950f9069e0c9

* fix: set filemode 644 for general files, 600 for keystore.p12; only remove managed cacerts symlink in prerm

Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Hack23/cia/sessions/a4f86eb6-c74c-40a6-a9f1-025e0b8b38b4

* fix: use readlink without -f in prerm to check immediate symlink target

Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Hack23/cia/sessions/a4f86eb6-c74c-40a6-a9f1-025e0b8b38b4

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>

Author: Copilot

.devcontainer/Dockerfile

@@ -69,7 +69,7 @@ RUN chmod +x /usr/local/bin/init-postgresql.sh \
     && dpkg-reconfigure -f noninteractive tzdata
 
 # Use the built-in MAVEN_VERSION argument from the base image
-ARG MAVEN_VERSION=3.9.9
+ARG MAVEN_VERSION=3.9.14
 ENV MAVEN_HOME=/usr/share/maven
 ENV PATH=${PATH}:${MAVEN_HOME}/bin
 ENV MAVEN_OPTS="-Xmx8192m -Xms2048m -XX:+UseG1GC"

.devcontainer/devcontainer.json

@@ -58,7 +58,7 @@
       "version": "21",
       "distribution": "open",
       "installMaven": true,
-      "mavenVersion": "3.9.9",
+      "mavenVersion": "3.9.14",
       "installAnt": true
     },
     "ghcr.io/devcontainers/features/node:1": {

.github/MAVEN_CACHING_STRATEGY.md

@@ -18,10 +18,10 @@ We use GitHub Actions `actions/cache@v5` to cache Maven artifacts across workflo
       ~/.m2/repository
       ~/.m2/wrapper
       ~/.sonar/cache
-    key: ${{ runner.os }}-maven-3.9.9-${{ hashFiles('**/pom.xml', '.mvn/**') }}
+    key: ${{ runner.os }}-maven-3.9.14-${{ hashFiles('**/pom.xml', '.mvn/**') }}
     restore-keys: |
-      ${{ runner.os }}-maven-3.9.9-${{ hashFiles('**/pom.xml') }}
-      ${{ runner.os }}-maven-3.9.9-
+      ${{ runner.os }}-maven-3.9.14-${{ hashFiles('**/pom.xml') }}
+      ${{ runner.os }}-maven-3.9.14-
       ${{ runner.os }}-maven-
 ```
 
@@ -36,12 +36,12 @@ We use GitHub Actions `actions/cache@v5` to cache Maven artifacts across workflo
 ### Primary Cache Key
 
 ```
-${{ runner.os }}-maven-3.9.9-${{ hashFiles('**/pom.xml', '.mvn/**') }}
+${{ runner.os }}-maven-3.9.14-${{ hashFiles('**/pom.xml', '.mvn/**') }}
 ```
 
 **Components:**
 - `${{ runner.os }}` - Platform-specific (Linux, macOS, Windows)
-- `maven-3.9.9` - Maven version for isolation
+- `maven-3.9.14` - Maven version for isolation
 - `${{ hashFiles('**/pom.xml', '.mvn/**') }}` - Hash of all POM files and Maven config
 
 **Benefits:**
@@ -55,13 +55,13 @@ Cache restoration follows a hierarchical fallback strategy:
 
 1. **Level 1: Exact POM match**
    ```
-   ${{ runner.os }}-maven-3.9.9-${{ hashFiles('**/pom.xml') }}
+   ${{ runner.os }}-maven-3.9.14-${{ hashFiles('**/pom.xml') }}
    ```
    Restores cache when most POM files match (excludes .mvn changes)
 
 2. **Level 2: Maven version match**
    ```
-   ${{ runner.os }}-maven-3.9.9-
+   ${{ runner.os }}-maven-3.9.14-
    ```
    Restores any cache from same Maven version (allows POM differences)
 

.github/WORKFLOWS.md

@@ -51,7 +51,7 @@ mvn -B test --file pom.xml -Prelease-site,all-modules \
 
 **Environment**:
 - Java 26 (Temurin)
-- Maven 3.9.9
+- Maven 3.9.14
 - PostgreSQL 18 with pgaudit, pgvector extensions
 - Google Chrome for UI testing
 - Xvfb for headless browser testing

.github/copilot-instructions.md

@@ -32,7 +32,7 @@ The Citizen Intelligence Agency (CIA) is a volunteer-driven, open-source intelli
 
 ### Prerequisites
 - Java 26 JDK
-- Maven 3.9.9 or later
+- Maven 3.9.14 or later
 - PostgreSQL (for full integration testing, review ../service.data.impl/README-SCHEMA-MAINTENANCE.md for task related to any database changes)
 
 ### Build Commands

.github/release-drafter.yml

@@ -121,7 +121,7 @@ template: |
 
   ## 💻 Technology Stack
 
-  **Runtime:** Java 26 (Feature Release) • **Source:** Java 21 (LTS) • **Build:** Maven 3.9.9 • **Database:** PostgreSQL 18
+  **Runtime:** Java 26 (Feature Release) • **Source:** Java 21 (LTS) • **Build:** Maven 3.9.14 • **Database:** PostgreSQL 18
 
   ## 🙏 Contributors
   Thanks to $CONTRIBUTORS for their contributions to this release!

.github/workflows/codeql-analysis.yml

@@ -131,10 +131,10 @@ jobs:
             ~/.m2/wrapper
             ~/.sonar/cache
           # Include Maven version in key for isolation
-          key: ${{ runner.os }}-maven-3.9.9-${{ hashFiles('**/pom.xml', '.mvn/**') }}
+          key: ${{ runner.os }}-maven-3.9.14-${{ hashFiles('**/pom.xml', '.mvn/**') }}
           restore-keys: |
-            ${{ runner.os }}-maven-3.9.9-${{ hashFiles('**/pom.xml') }}
-            ${{ runner.os }}-maven-3.9.9-
+            ${{ runner.os }}-maven-3.9.14-${{ hashFiles('**/pom.xml') }}
+            ${{ runner.os }}-maven-3.9.14-
             ${{ runner.os }}-maven-
 
       - name: Cache APT packages
@@ -301,7 +301,7 @@ jobs:
       - name: Set up Maven
         uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
         with:
-          maven-version: 3.9.9
+          maven-version: 3.9.14
 
       - name: Build with Maven
         run: mvn -B clean install --file pom.xml -Prelease-site,all-modules -DskipTests -DfailIfNoTests=false -Dsurefire.failIfNoSpecifiedTests=false -Dspdx.skip=true -Dmaven.wagon.http.retryHandler.count=3 -Dmaven.wagon.httpconnectionManager.ttlSeconds=120 -Dmaven.wagon.http.pool=true

.github/workflows/copilot-setup-steps.yml

@@ -166,10 +166,10 @@ jobs:
             ~/.m2/wrapper
             ~/.sonar/cache
           # Include Maven version in key for isolation
-          key: ${{ runner.os }}-maven-3.9.9-${{ hashFiles('**/pom.xml', '.mvn/**') }}
+          key: ${{ runner.os }}-maven-3.9.14-${{ hashFiles('**/pom.xml', '.mvn/**') }}
           restore-keys: |
-            ${{ runner.os }}-maven-3.9.9-${{ hashFiles('**/pom.xml') }}
-            ${{ runner.os }}-maven-3.9.9-
+            ${{ runner.os }}-maven-3.9.14-${{ hashFiles('**/pom.xml') }}
+            ${{ runner.os }}-maven-3.9.14-
             ${{ runner.os }}-maven-
       - name: Cache APT packages
         uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
@@ -402,7 +402,7 @@ jobs:
       - name: Set up Maven
         uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
         with:
-          maven-version: 3.9.9
+          maven-version: 3.9.14
 
       - name: Build with Maven
         run: mvn -B clean install --file pom.xml -Prelease-site,all-modules -DskipTests -DfailIfNoTests=false -Dsurefire.failIfNoSpecifiedTests=false -Dspdx.skip=true -Dmaven.wagon.http.retryHandler.count=3 -Dmaven.wagon.httpconnectionManager.ttlSeconds=120 -Dmaven.wagon.http.pool=true

.github/workflows/javadoc-generation.yml

@@ -97,10 +97,10 @@ jobs:
             ~/.m2/wrapper
             ~/.sonar/cache
           # Include Maven version in key for isolation
-          key: ${{ runner.os }}-maven-3.9.9-${{ hashFiles('**/pom.xml', '.mvn/**') }}
+          key: ${{ runner.os }}-maven-3.9.14-${{ hashFiles('**/pom.xml', '.mvn/**') }}
           restore-keys: |
-            ${{ runner.os }}-maven-3.9.9-${{ hashFiles('**/pom.xml') }}
-            ${{ runner.os }}-maven-3.9.9-
+            ${{ runner.os }}-maven-3.9.14-${{ hashFiles('**/pom.xml') }}
+            ${{ runner.os }}-maven-3.9.14-
             ${{ runner.os }}-maven-
 
       - name: Cache APT packages
@@ -120,7 +120,7 @@ jobs:
       - name: Set up Maven
         uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
         with:
-          maven-version: 3.9.9
+          maven-version: 3.9.14
 
       - name: Build project (skip tests for faster javadoc generation)
         run: mvn -B clean install -DskipTests -Prelease-site,all-modules -DfailIfNoTests=false -Dspdx.skip=true -Dmaven.wagon.http.retryHandler.count=3 -Dmaven.wagon.httpconnectionManager.ttlSeconds=120 -Dmaven.wagon.http.pool=true

.github/workflows/release.yml

@@ -106,10 +106,10 @@ jobs:
           ~/.m2/wrapper
           ~/.sonar/cache
         # Include Maven version in key for isolation
-        key: ${{ runner.os }}-maven-3.9.9-${{ hashFiles('**/pom.xml', '.mvn/**') }}
+        key: ${{ runner.os }}-maven-3.9.14-${{ hashFiles('**/pom.xml', '.mvn/**') }}
         restore-keys: |
-          ${{ runner.os }}-maven-3.9.9-${{ hashFiles('**/pom.xml') }}
-          ${{ runner.os }}-maven-3.9.9-
+          ${{ runner.os }}-maven-3.9.14-${{ hashFiles('**/pom.xml') }}
+          ${{ runner.os }}-maven-3.9.14-
           ${{ runner.os }}-maven-
 
     - name: Add PostgreSQL PGDG repository
@@ -248,7 +248,7 @@ jobs:
     - name: Set up Maven
       uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
       with:
-        maven-version: 3.9.9
+        maven-version: 3.9.14
 
     - name: Set Version for release
       run: mvn -B --file parent-pom/pom.xml versions:set -DnewVersion="${{ github.event.inputs.release }}" -Pall-modules versions:commit -Dmaven.wagon.http.retryHandler.count=3 -Dmaven.wagon.httpconnectionManager.ttlSeconds=120 -Dmaven.wagon.http.pool=true