v3.0.0.M2

✨ Highlights

This milestone focuses on usability improvements and code cleanup, preparing the framework for broader adoption.

Usability Improvements

• Shell completion for Bash and Zsh (#551) - New shell-completion command generates tab-completion scripts with type-aware completions for files, URLs, and enum values. Run metaschema-cli shell-completion bash to get started.
• Better validation error messages (#597, #593) - Error messages now include file location (line/column), document path, and format-appropriate terminology (XML attributes vs JSON properties).
• Experimental parallel validation (#560) - New --threads N option enables concurrent validation on multi-core systems for improved performance on large documents.

Code Cleanup

• Major dependency removal (#607, #566, #567) - Removed Saxon-HE, JDOM2, jaxen, and XMLBeans dependencies—reducing the dependency footprint by ~30% and eliminating automodule warnings.
• Java 21+ compatibility (#611) - Migrated from Jansi to JLine, eliminating native access warnings on modern JDKs.
• Warning cleanup (#634, #605) - Removed 142 obsolete PMD suppressions and addressed Eclipse warnings across the codebase.

⚠️ Breaking Changes

Java Package Rename

All Java packages have been renamed from gov.nist.secauto.metaschema.* to dev.metaschema.* to align with the Maven groupId.

Migration: Update all imports in downstream projects from gov.nist.secauto.metaschema to dev.metaschema.

(#618) by @david-waltermire

✨ New Features

• Shell completion command - Generate Bash/Zsh tab-completion scripts (#551) by @david-waltermire
• Improved validation error messages - Location info, format-appropriate names, and path context (#597) by @david-waltermire
• Parser validation for required fields - Validation during parsing for required fields and collection types (#593) by @david-waltermire
• Parallel constraint validation - Experimental --threads N CLI option for concurrent validation (#560) by @david-waltermire
• Metapath context functions - Complete fn:position(), fn:last(), fn:default-language() per XPath 3.1 spec (#559) by @david-waltermire
• XPath and JSON Pointer formatters - New path formatters for document locations (#550) by @david-waltermire
• Typed collection support for choice groups - List<? extends CommonInterface> instead of List<Object> (#589, #586) by @david-waltermire
• Collection class override in binding configuration - Configure collection types via binding XML (#584) by @david-waltermire
• TargetedReportConstraint support - Constraint processing for targeted report constraints (#598) by @david-waltermire
• JLine migration - Replace Jansi with JLine to resolve Java 21+ native access warnings (#611) by @david-waltermire
• SARIF security scan summaries - Detailed findings in security scan output (#631) by @david-waltermire
• Enhanced code generator Javadoc - Improved documentation and null-safety annotations (#577, #601) by @david-waltermire

🐛 Bug Fixes

• Fix isRequired() returning false for choice block properties (#608) by @david-waltermire
• Make CommandService.getCommands() thread-safe (#632) by @david-waltermire
• Resolve document cache race condition and add cache configuration (#590) by @david-waltermire
• Escape ampersands in generated Javadoc formal names (#621) by @david-waltermire
• Fix YAML/JSON module loading with missing typeAdapter and discriminatorValue (#557) by @david-waltermire
• Exclude submodules from Trivy and CodeQL security scans (#630) by @david-waltermire
• Add test scope to junit-jupiter dependency (#612) by @david-waltermire
• Skip container build for fork PRs (#585) by @david-waltermire

📚 Documentation

• Expand website documentation with guides and architecture (#633) by @david-waltermire
• Add Metaschema authoring skills and Metapath reference (#576) by @david-waltermire

🔧 Build & CI

• Remove Saxon-HE, JDOM2, and jaxen dependencies from schemagen (#607) by @david-waltermire
• Remove XMLBeans dependency from databind and metaschema-testing modules (#566, #567) by @david-waltermire
• Remove 142 unnecessary PMD warning suppressions (#634) by @david-waltermire
• Add Trivy security scanning and Docker dependabot (#606) by @david-waltermire
• Address Eclipse warnings and improve null safety (#605) by @david-waltermire
• Publish OCI image (#562) by @aj-stein
• GHA workflow for image cleanup (#578) by @aj-stein
• Rename databind-metaschema module to databind-modules (#617) by @david-waltermire
• Extract scheduled build into separate workflow (#620) by @david-waltermire
• Expand Trivy scanners to include secret and misconfig detection (#623) by @david-waltermire
• Exclude generated binding classes from PMD and CPD checks (#622) by @david-waltermire

🧪 Test Coverage

• Add regression test for choice validation (#614) by @david-waltermire

📦 Dependency Updates

Java Libraries

• org.eclipse.persistence:org.eclipse.persistence.moxy: 4.0.8 → 4.0.9 (#615)
• com.xmlcalabash:xmlcalabash: 3.0.31 → 3.0.34 (#602, #554)
• org.json:json: 20250517 → 20251224 (#574)
• org.apache.logging.log4j:log4j-bom: 2.25.2 → 2.25.3 (#556)
• org.assertj:assertj-core: 3.27.3 → 3.27.6 (#553)
• org.apache.commons:commons-text: 1.13.1 → 1.15.0 (#552)

Maven Plugins

• org.sonatype.central:central-publishing-maven-plugin: 0.9.0 → 0.10.0 (#627)
• org.codehaus.mojo:license-maven-plugin: 2.7.0 → 2.7.1 (#619)

GitHub Actions

• docker/build-push-action: Various updates (#628, #580)
• docker/login-action: Various updates (#625, #587)
• docker/setup-buildx-action: 3.6.1 → 3.12.0 (#581)
• docker/setup-qemu-action: 3.2.0 → 3.7.0 (#582)
• docker/metadata-action: 5.5.1 → 5.10.0 (#579)
• aquasecurity/trivy-action: 0.28.0 → 0.33.1 (#610)
• actions/attest-build-provenance: 1.4.3 → 3.1.0 (#583)
• github/codeql-action: 4.31.8 → 4.31.9 (#555)