refactor(dynamic): replace Spring annotation stubs with real dependencies, integrate MockMvc-based invocation for Spring controllers, and enhance runtime classpath logic

tests/dynamic_fixtures/java/spring_controller/Autowired.java

@@ -1,13 +0,0 @@
-// Phase 14 fixture stub — minimal `@Autowired` annotation.
-// Lives in the default package so the fixture's @Autowired field
-// compiles under plain javac (no Spring Maven dep required).
-
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-
-@Retention(RetentionPolicy.RUNTIME)
-@Target({ElementType.FIELD, ElementType.METHOD, ElementType.CONSTRUCTOR})
-public @interface Autowired {
-}

tests/dynamic_fixtures/java/spring_controller/Benign.java

@@ -1,15 +1,22 @@
-// Phase 14 — Spring `@RestController`, benign.
+// Spring `@RestController`, benign.
 //
 // Same shape as the vuln but the controller runs a fixed echo and
 // drops `payload`.
 
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.RestController;
+
 @RestController
 @RequestMapping("/run")
 public class Benign {
     @Autowired
     private CommandRunner runner;
 
-    public String run(String payload) throws Exception {
+    @GetMapping
+    public String run(@RequestParam("payload") String payload) throws Exception {
         System.out.print("__NYX_SINK_HIT__\n");
         CommandRunner r = (runner != null) ? runner : new CommandRunner();
         String out = r.run("echo hello");

tests/dynamic_fixtures/java/spring_controller/CommandRunner.java

@@ -1,11 +1,4 @@
-// Phase 14 fixture stub — Spring-injected helper service.
-// The fixture's controller declares `@Autowired CommandRunner runner;`
-// so the harness exercises the Phase 09 import-extraction path
-// (`@Autowired` is the marker that flags `org.springframework` as a
-// transitive dep).  At runtime the harness instantiates the controller
-// via reflection's default ctor — the @Autowired field stays null
-// because there is no Spring container; the controller's handler
-// guards against null and constructs a fresh CommandRunner on demand.
+// Spring-injected helper service used by the controller fixtures.
 
 import java.io.BufferedReader;
 import java.io.InputStreamReader;

tests/dynamic_fixtures/java/spring_controller/RequestMapping.java

@@ -1,12 +0,0 @@
-// Phase 14 fixture stub — minimal Spring `@RequestMapping`.
-
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-
-@Retention(RetentionPolicy.RUNTIME)
-@Target({ElementType.METHOD, ElementType.TYPE})
-public @interface RequestMapping {
-    String value() default "";
-}

tests/dynamic_fixtures/java/spring_controller/RestController.java

@@ -1,11 +0,0 @@
-// Phase 14 fixture stub — minimal Spring `@RestController`.
-
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-
-@Retention(RetentionPolicy.RUNTIME)
-@Target(ElementType.TYPE)
-public @interface RestController {
-}

tests/dynamic_fixtures/java/spring_controller/Vuln.java

@@ -1,10 +1,10 @@
-// Phase 14 — Spring `@RestController`, vulnerable.
-//
-// Controller declares an `@Autowired CommandRunner` field so the
-// Phase 09 Java import-extractor sees the Spring annotation surface.
-// The harness instantiates the controller via reflection and invokes
-// `run(payload)`; the field stays null at runtime (no Spring DI), so
-// the handler constructs the helper on demand.
+// Spring `@RestController`, vulnerable.
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.RestController;
 
 @RestController
 @RequestMapping("/run")
@@ -12,7 +12,8 @@ public class Vuln {
     @Autowired
     private CommandRunner runner;
 
-    public String run(String payload) throws Exception {
+    @GetMapping
+    public String run(@RequestParam("payload") String payload) throws Exception {
         System.out.print("__NYX_SINK_HIT__\n");
         CommandRunner r = (runner != null) ? runner : new CommandRunner();
         String out = r.run("echo hello " + payload);

tests/dynamic_fixtures/java/spring_controller/pom.xml

@@ -14,10 +14,26 @@
       <artifactId>spring-web</artifactId>
       <version>6.1.5</version>
     </dependency>
+    <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-webmvc</artifactId>
+      <version>6.1.5</version>
+    </dependency>
     <dependency>
       <groupId>org.springframework</groupId>
       <artifactId>spring-context</artifactId>
       <version>6.1.5</version>
     </dependency>
+    <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-test</artifactId>
+      <version>6.1.5</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>jakarta.servlet</groupId>
+      <artifactId>jakarta.servlet-api</artifactId>
+      <version>6.0.0</version>
+    </dependency>
   </dependencies>
 </project>