fix: address code review issues across frontend, backend, and tests

Fix security, correctness, and robustness issues identified by deep code
review, plus expand test coverage and fix OSGi test version mismatch.

Frontend: track rAF IDs with disconnect cleanup, fix collaboration listener
leak, replace isApiChange boolean with counter, sanitize editorId/CSS values,
convert O(n*m) plugin filter to Set-based O(n), normalize URL check.

Backend: sync ContentManager on setHtmlSanitizer, remove duplicate
ValueChangeEvent, fix mixed CJK word count, add defensive copies for
ToolbarStyle/StyleDefinition/toolbar array, allow relative upload URLs,
add builder build-once guard, reject null MentionFeed, block full 127.x
loopback range, remove dead code in PremiumPlugin.

Tests: fix wrong default expectations, fix flaky upload test with
CountDownLatch, add ~35 new tests for config round-trips, premium
dependencies, autosave boundaries, word count, and build-once guard.
Use dynamic project.version in OSGi test to prevent version mismatch.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: jet-pang

src/main/java/com/wontlost/ckeditor/CKEditorConfig.java

@@ -436,8 +436,9 @@ private void validateUploadUrl(String uploadUrl) {
             URI uri = new URI(uploadUrl);
             String scheme = uri.getScheme();
 
+            // Allow relative URLs (no scheme) - common in Vaadin apps (e.g. "/api/upload")
             if (scheme == null) {
-                throw new IllegalArgumentException("Upload URL must have a protocol scheme");
+                return;
             }
 
             String protocol = scheme.toLowerCase(Locale.ROOT);
@@ -474,7 +475,7 @@ private boolean isPrivateNetworkAddress(String host) {
         String lowerHost = host.toLowerCase(Locale.ROOT);
 
         // IPv4 localhost and private addresses
-        if (lowerHost.equals("localhost") || lowerHost.equals("127.0.0.1") ||
+        if (lowerHost.equals("localhost") || lowerHost.startsWith("127.") ||
             lowerHost.startsWith("192.168.") || lowerHost.startsWith("10.") ||
             isPrivateClassBAddress(lowerHost) ||
             lowerHost.endsWith(".local") || lowerHost.endsWith(".internal")) {
@@ -588,7 +589,7 @@ private boolean isSIITIPv6PrivateAddress(String host) {
      * Extracts common logic to avoid duplication.
      */
     private boolean isPrivateIPv4String(String ipv4) {
-        return ipv4.equals("127.0.0.1") ||
+        return ipv4.startsWith("127.") ||
                ipv4.startsWith("192.168.") ||
                ipv4.startsWith("10.") ||
                isPrivateClassBAddress(ipv4) ||
@@ -1337,7 +1338,7 @@ public static class MentionFeed {
 
         public MentionFeed(String marker, String[] feed, int minimumCharacters) {
             this.marker = marker;
-            this.feed = feed;
+            this.feed = java.util.Objects.requireNonNull(feed, "Mention feed items must not be null");
             this.minimumCharacters = minimumCharacters;
         }
 
@@ -1448,7 +1449,7 @@ public String getElement() {
          * Get the CSS classes
          */
         public String[] getClasses() {
-            return classes;
+            return classes != null ? classes.clone() : null;
         }
 
         /**
@@ -1575,7 +1576,9 @@ private ToolbarStyle(Builder builder) {
             this.buttonOnBackground = builder.buttonOnBackground;
             this.buttonOnColor = builder.buttonOnColor;
             this.iconColor = builder.iconColor;
-            this.buttonStyles = builder.buttonStyles;
+            this.buttonStyles = builder.buttonStyles != null
+                ? java.util.Collections.unmodifiableMap(new java.util.LinkedHashMap<>(builder.buttonStyles))
+                : null;
         }
 
         public static Builder builder() {
@@ -1619,7 +1622,7 @@ public String getIconColor() {
         }
 
         public Map<String, ButtonStyle> getButtonStyles() {
-            return buttonStyles;
+            return buttonStyles != null ? buttonStyles : java.util.Collections.emptyMap();
         }
 
         /**

src/main/java/com/wontlost/ckeditor/VaadinCKEditor.java

@@ -307,13 +307,14 @@ public void setValue(String value) {
     protected void setModelValue(String value, boolean fromClient) {
         String oldValue = this.editorData;
         String newValue = value != null ? value : "";
-        // Only fire event when value actually changes
+        // Only update when value actually changes
         if (java.util.Objects.equals(oldValue, newValue)) {
             return;
         }
+        // super.setModelValue already fires ValueChangeEvent via Vaadin's AbstractField,
+        // so we must not call fireEvent again to avoid duplicate events
         super.setModelValue(newValue, fromClient);
         this.editorData = newValue;
-        fireEvent(new ComponentValueChangeEvent<>(this, this, oldValue, fromClient));
     }
 
     @ClientCallable
@@ -657,6 +658,8 @@ public ErrorHandler getErrorHandler() {
      */
     public void setHtmlSanitizer(HtmlSanitizer sanitizer) {
         this.htmlSanitizer = sanitizer;
+        // Update ContentManager so getSanitizedValue() uses the new sanitizer
+        this.contentManager = new com.wontlost.ckeditor.internal.ContentManager(sanitizer);
     }
 
     /**
@@ -850,7 +853,7 @@ private void cancelUploadFromClient(String uploadId) {
     void setEditorDataInternal(String data) { this.editorData = data != null ? data : ""; }
     void setReadOnlyInternal(boolean readOnly) { this.readOnly = readOnly; }
     void setLicenseKeyInternal(String licenseKey) { this.licenseKey = licenseKey; }
-    void setToolbarInternal(String[] toolbar) { this.toolbar = toolbar; }
+    void setToolbarInternal(String[] toolbar) { this.toolbar = toolbar != null ? toolbar.clone() : null; }
     void setConfigInternal(CKEditorConfig config) { this.config = config; }
     CKEditorConfig getConfigInternal() { return this.config; }
 

src/main/java/com/wontlost/ckeditor/VaadinCKEditorBuilder.java

@@ -97,6 +97,7 @@ public class VaadinCKEditorBuilder {
     private static final String TOOLBAR_SEPARATOR = "|";
 
     private final VaadinCKEditor editor;
+    private boolean built = false;
     private CKEditorPreset preset;
     private final Set<CKEditorPlugin> additionalPlugins = new LinkedHashSet<>();
     private final Set<CKEditorPlugin> removedPlugins = new HashSet<>();
@@ -539,6 +540,11 @@ public VaadinCKEditorBuilder withLicenseKey(String licenseKey) {
      *         and plugin dependencies are not satisfied
      */
     public VaadinCKEditor build() {
+        if (built) {
+            throw new IllegalStateException("Builder has already been used. Create a new builder for additional editors.");
+        }
+        built = true;
+
         // Collect initial plugins
         Set<CKEditorPlugin> initialPlugins = new LinkedHashSet<>();
         if (preset != null && !editor.hasPlugins()) {

src/main/java/com/wontlost/ckeditor/VaadinCKEditorPremium.java

@@ -249,7 +249,7 @@ public enum PremiumPlugin {
 
         PremiumPlugin(String pluginName, String... toolbarItems) {
             this.pluginName = pluginName;
-            this.toolbarItems = toolbarItems != null ? toolbarItems : new String[0];
+            this.toolbarItems = toolbarItems;
         }
 
         /**

src/main/java/com/wontlost/ckeditor/internal/ContentManager.java

@@ -143,7 +143,13 @@ public int getWordCount(String html) {
                         cjkChars++;
                     }
                 }
-                count += cjkChars > 0 ? cjkChars : 1;
+                if (cjkChars > 0) {
+                    // CJK chars each count as 1 word, plus 1 for any non-CJK portion
+                    boolean hasNonCjk = word.length() > cjkChars;
+                    count += cjkChars + (hasNonCjk ? 1 : 0);
+                } else {
+                    count += 1;
+                }
             }
         }
         return count;

src/main/resources/META-INF/frontend/vaadin-ckeditor/plugin-resolver.ts

@@ -531,15 +531,16 @@ export class PluginResolver {
             this.logger.debug(`Removed ${removed.length} conflicting/unavailable plugins:`, removed);
         }
 
-        // Separate plugins by type
+        // Separate plugins by type (use Set for O(1) lookup)
+        const filteredSet = new Set(filtered);
         const standardPluginsToLoad = pluginConfigs.filter(
-            p => filtered.includes(p.name) && !p.premium && !p.importPath
+            p => filteredSet.has(p.name) && !p.premium && !p.importPath
         );
         const premiumPluginsToLoad = pluginConfigs.filter(
-            p => filtered.includes(p.name) && p.premium && !p.importPath
+            p => filteredSet.has(p.name) && p.premium && !p.importPath
         );
         const customPluginsToLoad = pluginConfigs.filter(
-            p => filtered.includes(p.name) && p.importPath
+            p => filteredSet.has(p.name) && p.importPath
         );
 
         // Load standard plugins from registry