Fully automatic review from Claude Code

Thanks for the contribution — the use case (auto-detecting x86_64-linux-musl-gcc for GraalVM native images) is real and well-motivated. However, I have significant concerns about the current approach, primarily around build reproducibility.

Core concern: environment-dependent profile activation in published POMs

The executable() function makes profile activation depend on the runtime PATH, which is inherently non-reproducible. When a POM containing <condition>executable('x86_64-linux-musl-gcc')</condition> is published to a repository and consumed by other projects, the effective model silently changes depending on what's installed on each consumer's machine.

Today, Maven does not strip <condition> expressions from consumer POMs — they survive as-is into published artifacts (verified by reading DefaultConsumerPomBuilder). This means:

• Two developers building the same project get different dependency trees depending on what's on their PATH
• CI and local builds silently diverge
• There's no audit trail — no logging tells you "profile X activated because executable Y was found at Z"

While existing activation mechanisms (<os>, <jdk>, <property>) are also environment-dependent, they operate on a small set of well-defined, relatively stable values that flow through ProfileActivationContext. executable() is qualitatively different — PATH is per-session, per-user, per-shell, and varies wildly across machines.

Additional technical issues

1. System.getenv("PATH") fallback bypasses the activation context

In ExecutableFinder.getPathValue() (line 130), there's a System.getenv("PATH") fallback when env.PATH isn't in the context. This is the only place in the profile activation code that reaches directly into the OS environment, breaking the abstraction that all other activators respect. Every other activator uses context.getSystemProperty() exclusively.

2. System.getProperty("os.name") bypasses the context for OS detection

ExecutableFinder.isWindows() (line 161) calls System.getProperty("os.name") directly, while the existing OperatingSystemProfileActivator reads os.name through context.getSystemProperty(). This means in test or remote-build scenarios where the context simulates a different OS, the executable finder would still use the real OS.

3. java.io.File usage instead of NIO2

The code uses File.separator, File.pathSeparator, and Paths.get() — the codebase has been migrating to NIO2 Path APIs (see PR #11364). Should use Path.of() and java.nio.file equivalents.

4. Dead code

candidateNames() (lines 134–145) is package-private, exposed for tests, but never used by isExecutableInPath(). The candidate logic is duplicated inline in the main method.

5. Test issues

• returnsFalseWhenFileIsNotExecutable() conditionally skips on Windows via System.getProperty("os.name") instead of @DisabledOnOs(WINDOWS)
• getPathValueFallsBackToSystemEnv() tests System.getenv("PATH") == System.getenv("PATH") — always passes, doesn't prove correctness
• testExecutableWithAbsolutePath() does .replace('\\', '/') which changes path semantics on Windows

Possible ways forward

1. Restrict to build-time only: ensure executable() conditions are stripped from consumer POMs during DefaultConsumerPomBuilder processing, similar to how <build> is stripped from profiles. This would make the function usable for local build decisions without polluting published POMs.

2. Require explicit opt-in: only allow executable() in profiles that are marked as non-publishable or build-local, so users must consciously decide whether the condition should survive into the consumer POM.

3. Add a model validator warning: emit a warning during mvn install/mvn deploy when a consumer POM contains executable() conditions, alerting users that the published POM depends on the consumer's environment.

4. Document as build-local only: if the function is accepted, document clearly that it should only be used in local profiles and not in POMs intended for publication. Though documentation alone doesn't prevent misuse.

Any of options 1–3 (or a combination) would address the reproducibility concern while preserving the useful functionality.

Fully automatic review from Claude Code

Thanks for the quick turnaround. Most of the technical issues from the first review are properly addressed:

• ✅ Removed System.getenv("PATH") fallback
• ✅ OS detection now uses ProfileActivationContext
• ✅ Paths.get() → Path.of()
• ✅ Dead code (candidateNames()) removed
• ✅ @DisabledOnOs(OS.WINDOWS) used correctly
• ✅ Removed trivial fallback test
• ✅ Model validator warning added
• ✅ Javadoc documentation added

A few items remain.

Accidental file: your-database.db

There's a zero-byte your-database.db file committed at the repo root. This is clearly not intended — please remove it from the branch.

.replace('\\', '/') still present in integration test

In ConditionProfileActivatorTest.testExecutableWithAbsolutePath(), the .replace('\\', '/') that was flagged in the first review is still there. It was correctly removed from ExecutableFinderTest.findsExecutableByAbsolutePath(), but the integration test still has it.

Windows code paths have zero test coverage

The contextWithPath() test stub never sets os.name, so isWindows() always returns false in tests. This means the Windows extension probing logic (.exe, .cmd, .bat, .com) is completely untested. Consider adding at least one test that simulates a Windows environment by including os.name set to Windows 10 in the context properties and verifying that e.g. my-tool.exe is found when searching for my-tool.

isExecutableFile() comment is misleading for direct paths

The comment on isExecutableFile() says "we are already filtering by extension in the caller" — but this is only true for the PATH-search branch. When the user provides a direct path (containing a separator), there is no extension filtering. This means executable('C:/path/to/readme.txt') would return true on Windows for any regular file. The comment should be corrected, and you may want to consider whether direct paths on Windows should also require an executable extension.

Regarding reproducibility (Options 3+4)

The warning in DefaultModelValidator and the Javadoc are reasonable first steps. One gap worth noting: the warning fires at build time of the POM that contains the executable() condition, but when a consumer pulls that POM from a repository and builds with it, the condition silently activates (or not) based on the consumer's PATH — with no warning on the consumer side. Stripping executable() conditions from consumer POMs (Option 1 from the first review) would close this gap, but that's a larger change that could come as a follow-up.