feat(lint): centralize clippy::collapsible_if allowance in Cargo.toml and remove redundant file-level declarations

tests/fixtures/real_world/java/taint/cmdi_ternary_const_safe.expect.json

@@ -0,0 +1,19 @@
+{
+  "description": "Constant-condition ternary (OWASP Benchmark cmdi non-vulnerable shape). `(7*18) + num > 200` with num=106 is 232 > 200 — always true — so `bar` is the constant string and the `: param` arm is statically dead. Extending the ternary-RHS diamond split to Java (src/cfg/mod.rs) routes `bar = cond ? const : param` through a real branch+phi CFG; build_ternary_diamond stamps the CondArith tree so fold_constant_branches prunes the dead tainted arm and neutralises its block, exactly as the if-form does. Result: `r.exec(cmd + bar)` carries no taint. Asserts NO taint finding fires.",
+  "tags": [
+    "taint",
+    "cmdi",
+    "servlet",
+    "runtime",
+    "ternary",
+    "const-fold",
+    "precision"
+  ],
+  "modes": [
+    "full"
+  ],
+  "strict_unexpected": [
+    "taint-unsanitised-flow"
+  ],
+  "expected": []
+}

tests/fixtures/real_world/java/taint/cmdi_ternary_const_safe.java

@@ -0,0 +1,21 @@
+import java.io.*;
+import javax.servlet.http.*;
+
+// Constant-condition ternary (OWASP Benchmark cmdi non-vulnerable shape).
+// `(7*18) + num` is `126 + 106 = 232 > 200` — ALWAYS true — so `bar` is the
+// constant string and the `: param` arm is statically dead. Routing the Java
+// ternary through the branch+phi diamond lets `fold_constant_branches` prune
+// the dead tainted arm exactly as it does for the if-form — NO finding.
+public class TernaryConstSafe extends HttpServlet {
+    protected void doPost(HttpServletRequest request, HttpServletResponse response)
+            throws IOException {
+        String param = request.getHeader("vector");
+
+        int num = 106;
+        String bar = (7 * 18) + num > 200 ? "This_should_always_happen" : param;
+
+        String cmd = "echo ";
+        Runtime r = Runtime.getRuntime();
+        Process p = r.exec(cmd + bar);
+    }
+}

tests/fixtures/real_world/java/taint/cmdi_ternary_param_vuln.expect.json

@@ -0,0 +1,32 @@
+{
+  "description": "Constant-condition ternary with VULNERABLE polarity. `(500/42) + num > 200` is `11 + 196 = 207 > 200` (integer division) — always true — and the TRUE arm assigns the tainted `param`, so the reachable arm carries taint and only the `: \"...\"` const arm is dead. The Java ternary diamond split + fold must prune the DEAD const arm while keeping the live `bar = param`, so the command-injection finding at `r.exec(cmd + bar)` MUST still fire. Zero-false-negative guard: proves the diamond/fold never prunes the reachable tainted arm.",
+  "tags": [
+    "taint",
+    "cmdi",
+    "servlet",
+    "runtime",
+    "ternary",
+    "const-fold",
+    "no-false-negative"
+  ],
+  "modes": [
+    "full"
+  ],
+  "strict_unexpected": [
+    "taint-unsanitised-flow"
+  ],
+  "expected": [
+    {
+      "rule_id": "taint-unsanitised-flow",
+      "severity": "HIGH",
+      "must_match": true,
+      "line_range": [
+        19,
+        19
+      ],
+      "evidence_contains": [],
+      "notes": "request.getHeader (line 12) flows into bar on the always-taken true arm (line 15), then into r.exec at line 19. Exactly one finding survives.",
+      "max_count": 1
+    }
+  ]
+}

tests/fixtures/real_world/java/taint/cmdi_ternary_param_vuln.java

@@ -0,0 +1,21 @@
+import java.io.*;
+import javax.servlet.http.*;
+
+// Constant-condition ternary, VULNERABLE polarity. `(500/42) + num` is
+// `11 + 196 = 207 > 200` (integer division) — ALWAYS true — and the TRUE arm
+// selects the tainted `param`, so the reachable arm carries taint and only the
+// `: "..."` const arm is dead. The fold must prune the dead const arm while
+// keeping the live `param`, so the cmdi finding at `r.exec` MUST still fire.
+public class TernaryParamVuln extends HttpServlet {
+    protected void doPost(HttpServletRequest request, HttpServletResponse response)
+            throws IOException {
+        String param = request.getHeader("vector");
+
+        int num = 196;
+        String bar = (500 / 42) + num > 200 ? param : "This_should_never_happen";
+
+        String cmd = "echo ";
+        Runtime r = Runtime.getRuntime();
+        Process p = r.exec(cmd + bar);
+    }
+}