Fix repository resolution order, add plugin diagnostics, and clean up dependencies (2026-06 audit)

[alexander-yevsyukov]

What this PR does

This PR began as the 2026-06 repository audit and its follow-up plan, and has
grown to execute the highest-leverage findings the repository owns. The audit
documents are included for traceability, but the substance of the PR is the fixes
below. Finding IDs (S2, Q2, A1, …) refer to docs/audit-2026-06.md.

Improvements

Correctness & hygiene (audit Milestone 1):

• Repository resolution order (S2). Reordered both pluginManagement and
  dependencyResolutionManagement in settings.gradle.kts so gradlePluginPortal()
  is first and mavenLocal() is no longer the first repository, aligning with
  core-jvm-compiler. Removes the footgun of a stale mavenLocal artifact shadowing
  a released one during resolution, while keeping the sibling-repo -SNAPSHOT
  workflow intact (verified via :params:dependencies).
• Actionable plugin diagnostics (Q2). Replaced the bare protobufExtension!!
  dereferences in the Gradle plugin with a shared Project.protobufExtensionOrFail()
  helper (gradle-plugin/.../plugin/Plugin.kt, Paths.kt). A missing
  com.google.protobuf plugin now fails with a message that names the missing plugin
  id and the offending project path and tells the user how to fix it, instead of an
  opaque NullPointerException.

Pre-GA API surface (audit Milestone 2):

• :jvm → :backend api edge documented (A1). The api(project(":backend"))
  edge in jvm/build.gradle.kts is intentional — downstream consumers program against
  the engine's Pipeline and CodeGenerationContext. Rather than narrow it to
  implementation, the edge now carries a because(...) rationale, closing A1 via the
  audit's sanctioned "record why it must" path and answering audit open question 3.

Cleanup:

• Removed an outdated backend test (CodeGenerationContextSpec) that no longer
  matched current CompilerEvents behavior, along with the imports it left dead.
• Removed the outdated ProtoData dependency declaration and refreshed the local
  Spine dependency versions.

Audit & plan (origin)

• docs/audit-2026-06.md — read-only audit of this repository and core-jvm-compiler
  (architecture, code quality, security, testing, performance, dependencies, DevEx,
  docs), every finding cited as file:line and labeled FACT vs JUDGMENT.
  Health grade: B+, no Critical findings. The snapshot describes master
  @ 3fe9dcb (2026-06-10).
• .agents/tasks/improvement-plan.md — tracks which findings are done (S2, Q2, A1),
  delegated to config (config#691:
  S1 scrambled PAT, Q3 silent npm-audit catch, coverage policy, workflow
  concurrency + SHA-pinned actions), and still open (T1 params specs, P1 engine
  perf smoke, Doc1 getting-started, A4 process-exit contract).

Open questions for a human before the remaining items start — PAT ownership, GA
timeline, perf budget — are listed in audit §6.

[Copilot]

Pull request overview

Adds a repository audit report and a follow-up improvement plan, while bumping the compiler snapshot version and updating the generated dependency-report self-version labels accordingly.

Changes:

• Bump compiler snapshot version 2.0.0-SNAPSHOT.046 → 2.0.0-SNAPSHOT.047.
• Update dependency report artifacts/headers to reflect the new snapshot version.
• Add a technical audit report (docs/audit-2026-06.md) and a draft improvement plan (.agents/tasks/improvement-plan.md) to track follow-up work.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
version.gradle.kts	Snapshot version bump for the build/publishing version.
docs/dependencies/pom.xml	Updates the dependency report POM’s self <version> to the new snapshot.
docs/dependencies/dependencies.md	Updates dependency report headers to the new snapshot version.
docs/audit-2026-06.md	Adds the audit report documenting findings and rationale.
.agents/tasks/improvement-plan.md	Adds a draft plan for addressing the audit findings (tracking/tasks).

[codecov]

Codecov Report

❌ Patch coverage is 20.00000% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 75.55%. Comparing base (6235d20) to head (79d7cf2).

Additional details and impacted files

@@             Coverage Diff              @@
##             master      #69      +/-   ##
============================================
+ Coverage     75.34%   75.55%   +0.20%     
- Complexity      672      677       +5     
============================================
  Files           202      202              
  Lines          3947     3943       -4     
  Branches        393      390       -3     
============================================
+ Hits           2974     2979       +5     
+ Misses          855      846       -9     
  Partials        118      118              

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 35 out of 36 changed files in this pull request and generated 1 comment.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c437fa21bd

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[armiol]

@claude @alexander-yevsyukov please see my comment.

[Copilot]

Pull request overview

Copilot reviewed 35 out of 36 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 37 out of 38 changed files in this pull request and generated 1 comment.