Improve README.md, fix coverage reports, add Java warning suppression DSL

.agents/_TOC.md

@@ -1,7 +1,7 @@
 # Table of Contents
 
 1. [Quick Reference Card](quick-reference-card.md)
-2. [Project overview](project-overview.md)
+2. [JVM project requirements](jvm-project.md) — language, build, and review checklist shared by all JVM repos
 3. [Coding guidelines](coding-guidelines.md)
 4. [Documentation & comments](documentation-guidelines.md)
 5. [Documentation tasks](documentation-tasks.md)

.agents/jvm-project.md

@@ -0,0 +1,37 @@
+# JVM Project Requirements
+
+General requirements for all JVM projects in the Spine SDK organisation.
+Repo-specific `project.md` files link here and add their own context.
+
+## Language and build
+
+- **Languages**: Kotlin (primary), Java (secondary).
+- **Build**: Gradle with Kotlin DSL.
+- **Static analysis**: detekt, ErrorProne, Checkstyle, PMD.
+- **Testing**: JUnit 5, Kotest Assertions, Codecov.
+
+## Code review checklist
+
+**Correctness and safety**
+- Code compiles and passes static analysis (detekt, ErrorProne, Checkstyle, PMD).
+- No reflection or unsafe code unless explicitly approved in scope.
+- No analytics, telemetry, or tracking code.
+- No blocking calls inside coroutines.
+
+**Kotlin/Java style**
+- Kotlin idioms preferred: extension functions, `when` expressions, data/sealed
+  classes, immutable data structures.
+- No `!!` unless provably safe. No unchecked casts.
+- No mutable state without justification.
+- No string duplication — use constants.
+
+**Tests**
+- New or changed functionality must include tests.
+- Use stubs, not mocks.
+- Prefer [Kotest assertions][kotest-assertions] over JUnit or Google Truth.
+
+**Versioning**
+- If the repo has `version.gradle.kts`, every PR must include a version bump.
+  Flag the absence as a required change.
+
+[kotest-assertions]: https://kotest.io/docs/assertions/assertions.html

.agents/memory/MEMORY.md

@@ -5,12 +5,13 @@ See [README.md](README.md) for the format and routing rules.
 
 ## Feedback (validated patterns & corrections)
 
-*(no entries yet)*
+- [copilot-review-request](feedback/copilot-review-request.md) — GraphQL `requestReviews` with `botIds: ["BOT_kgDOCnlnWA"]`; REST endpoint silently no-ops on re-requests.
 
 ## Project (durable context & rationale)
 
 *(no entries yet)*
 
 ## Reference (external systems)
 
-*(no entries yet)*
+- [cache-warm-window](reference/cache-warm-window.md) — How prompt cache entries are shared between sibling-repo sessions and how to maximise overlap.
+- [anthropic-api-caching](reference/anthropic-api-caching.md) — Pattern and pricing for adding prompt caching to any direct Anthropic API call.

.agents/memory/feedback/copilot-review-request.md

@@ -0,0 +1,35 @@
+---
+name: copilot-review-request
+description: How to request or re-request a Copilot PR review programmatically — GraphQL botIds is the only reliable path
+metadata:
+  type: feedback
+  since: 2026-05-25
+---
+
+Use the GraphQL `requestReviews` mutation with `botIds` for both initial
+requests and re-requests:
+
+```bash
+gh api graphql -f query='
+mutation {
+  requestReviews(input: {
+    pullRequestId: "PR_NODE_ID",
+    botIds: ["BOT_kgDOCnlnWA"]
+  }) {
+    pullRequest { id number }
+  }
+}'
+```
+
+- `PR_NODE_ID`: `gh api repos/SpineEventEngine/REPO/pulls/NUMBER --jq '.node_id'`
+- `BOT_kgDOCnlnWA`: fixed node ID for the Copilot PR reviewer bot (stable)
+
+**Why:** The REST endpoint (`POST .../requested_reviewers` with
+`reviewers[]=Copilot`) silently no-ops on re-requests — it only works for
+the first-ever request on a PR. The GraphQL `userIds` field also fails
+because Copilot is a Bot, not a User. `botIds` is the correct field and
+works for both initial and re-requests.
+
+**How to apply:** Any time a Copilot review needs to be requested or
+re-requested, use the GraphQL mutation above. Do not use the REST endpoint
+or `@copilot review` comments.

.agents/memory/reference/anthropic-api-caching.md

@@ -0,0 +1,52 @@
+---
+name: anthropic-api-caching
+description: Pattern and pricing for adding prompt caching to any direct Anthropic API call.
+metadata:
+  type: reference
+  since: 2026-05-24
+---
+
+Use this when adding a direct Anthropic API call (GitHub Actions workflow,
+script, or tool) that sends a stable system prompt.
+
+**Add `cache_control` to the system message block:**
+
+```python
+system=[{
+    "type": "text",
+    "text": "<stable system prompt — skill definition, shared instructions, etc.>",
+    "cache_control": {"type": "ephemeral", "ttl": "1h"}
+}]
+```
+
+Use `ttl: "1h"` for any caller whose requests are spaced more than 5 minutes
+apart (GitHub Actions jobs, scheduled tasks, skill invocations). Use the
+default 5-minute TTL only for tight interactive loops.
+
+**Pricing (input tokens):**
+
+| Operation | Cost multiplier |
+|---|---|
+| Cache write (5-min TTL) | 1.25× base input price |
+| Cache write (1-hour TTL) | 2× base input price |
+| Cache read (any TTL) | 0.1× base input price |
+
+A single cache hit within the TTL window recovers the write premium. Multiple
+hits within the hour make the 2× write cost negligible.
+
+**Place stable content before dynamic content.** Cache breakpoints apply to
+everything *before* the `cache_control` marker. Dynamic per-request content
+(user query, file diff, current date) must come after the last breakpoint.
+
+**Monitor hits via the usage object:**
+```python
+print(response.usage.cache_read_input_tokens)    # 0 on miss, >0 on hit
+print(response.usage.cache_creation_input_tokens) # tokens written to cache
+```
+
+**Future:** once direct API calls exist in this org, consider a cache pre-warm
+job triggered on push to `master` — calls the API with `max_tokens: 0` and
+`cache_control: {ttl: "1h"}` so the first session after a config change
+hits rather than writes.
+
+Related: [[cache-warm-window]]

.agents/memory/reference/cache-warm-window.md

@@ -0,0 +1,33 @@
+---
+name: cache-warm-window
+description: How prompt cache entries are shared between sibling-repo sessions and how to maximise overlap.
+metadata:
+  type: reference
+  since: 2026-05-24
+---
+
+Claude Code sessions share a prompt cache entry when they send byte-identical
+content within the cache TTL window. Because `migrate` copies `CLAUDE.md` and
+`.agents/` verbatim, any two sessions on the same config version share the
+same cache slot — provided they fall within the TTL.
+
+**TTL in effect for Console OAuth users:**
+- Default: **5 minutes** (applies to all non-subscription auth)
+- With `ENABLE_PROMPT_CACHING_1H=1` in `~/.claude/settings.json`: **1 hour**
+
+Developers must have `ENABLE_PROMPT_CACHING_1H=1` set, otherwise the
+window is too short for cross-session hits to occur reliably.
+This setting will work ONLY for Claude Code which runs the CLI binary.
+It will not work for JetBrains Air or any other IDE plugin which does not
+run the Claude Code CLI binary.
+
+**Cache is per Anthropic workspace.** All developers authenticated via the
+same Anthropic organisation Console org share the same cache pool. Do not
+create separate Console workspaces per developer — that would isolate their
+cache entries.
+
+**Practical impact:** Realistic concurrency is 1–2 sessions at a time. The
+first session after a config change pays the cache-write cost; any session
+starting within the next hour (with 1H TTL) reads from cache at 0.1× cost.
+
+Related: [[anthropic-api-caching]]

.agents/project.md

@@ -0,0 +1,19 @@
+# Project: Validation
+
+## Overview
+
+Validation is a Spine SDK JVM library that provides the project's validation
+model and related integration points. Its role in the organisation is to define
+and expose validation behaviour in a reusable form so other modules can apply
+consistent validation rules and report validation results through a stable API.
+
+## Architecture
+
+This repository is a library module. Its public surface should stay focused on
+validation concepts, rule execution, and result/reporting types that other Spine
+SDK components can depend on without pulling in application-specific behaviour.
+Keep implementation details behind the library boundary, prefer additive changes
+to public APIs, and preserve compatibility for downstream JVM consumers.
+
+Read [`.agents/jvm-project.md`](jvm-project.md) for build stack, coding style,
+tests, and versioning.

.agents/project.template.md

@@ -0,0 +1,18 @@
+<!-- Template — copy to a sibling repo's .agents/project.md and fill in the
+     sections below. In the config repo itself this file is a template only. -->
+
+# Project: <name>
+
+## Overview
+
+*One paragraph: what this repo is, what problem it solves, and its role in the
+Spine SDK organisation.*
+
+## Architecture
+
+*Role in the org: library / tool / Gradle plugin / application.
+Key patterns, public API boundaries, and constraints specific to this repo.*
+
+<!-- JVM projects: uncomment the line below after seeding this file.
+Read [`.agents/jvm-project.md`](jvm-project.md) for build stack, coding style, tests, and versioning.
+-->

.agents/quick-reference-card.md

@@ -1,14 +1,6 @@
 # 📝 Quick Reference Card
 
-```
-🔑 Key Information:
-- Kotlin/Java project with CQRS architecture
-- Follow coding guidelines in Spine Event Engine docs
-- Always include tests with code changes
-- Version bump required for all PRs
-```
-
-🚫 **Do not commit, push, or tag** without explicit authorization. See
+🚫 **Do not write to git history** (commit/push/tag/rebase/merge/cherry-pick/reset/`gh pr merge`) without explicit authorization. See
 [`safety-rules.md`](safety-rules.md) → *Commits and history-writing*.
 Authorization comes only from a skill's `## Commit authorization`
 section or from the user's current prompt — never from prior turns or

.agents/scripts/pre-pr-gate.sh

@@ -9,6 +9,15 @@
 #
 set -eu
 
+if ! command -v jq >/dev/null 2>&1; then
+  cat >&2 <<EOF
+'gh pr create' blocked: this hook requires 'jq' to inspect the tool request.
+
+Install jq and retry, then run /pre-pr before creating the PR.
+EOF
+  exit 2
+fi
+
 input=$(cat)
 tool=$(printf '%s' "$input" | jq -r '.tool_name // empty')
 [ "$tool" != "Bash" ] && exit 0

.agents/scripts/protect-version-file.sh

@@ -12,6 +12,15 @@
 #
 set -eu
 
+if ! command -v jq >/dev/null 2>&1; then
+  cat >&2 <<'EOF'
+This hook requires `jq` to validate edits to version.gradle.kts and cannot run safely without it.
+
+Install `jq` and retry. This hook fails closed to avoid silently allowing prohibited edits.
+EOF
+  exit 2
+fi
+
 input=$(cat)
 file=$(printf '%s' "$input" | jq -r '.tool_input.file_path // empty')
 command=$(printf '%s' "$input" | jq -r '.tool_input.command // empty')

.agents/scripts/publish-version-gate.sh

@@ -17,6 +17,8 @@
 #
 set -eu
 
+command -v jq >/dev/null 2>&1 || exit 0
+
 input=$(cat)
 tool=$(printf '%s' "$input" | jq -r '.tool_name // empty')
 [ "$tool" != "Bash" ] && exit 0

.agents/scripts/sanitize-source-code.sh

@@ -11,6 +11,8 @@
 #
 set -eu
 
+command -v jq >/dev/null 2>&1 || exit 0
+
 input=$(cat)
 file=$(printf '%s' "$input" | jq -r '.tool_input.file_path // empty')
 command=$(printf '%s' "$input" | jq -r '.tool_input.command // empty')