fix: Address review feedback from jongyoul, tbonelee, and voidmatcha

Critical fixes:
- Revert all unrelated tsconfig changes (noImplicitAny, skipLibCheck, as-any casts)
- Fix deleteNoteIndex prefix collision (2A123 vs 2A1234)
- Debounced saveIndex with 5s flush interval instead of writing on every mutation
- Bootstrap index when embedding_index.bin is missing
- Preserve Lucene <B> keyword highlighting (convert to <mark> tags)

Security fixes:
- Restrict index directory (0700) and file (0600) permissions
- Warn when index path is under /tmp
- Add SHA256 verification to install-search-model.sh
- Add runtime SHA256 verification of model.onnx at startup
- Add sanity bound (10M) to loadIndex deserialization
- Serialize index to buffer under lock, write to disk outside lock

Other fixes:
- Fix OnnxTensor leak on partial allocation failure
- Fix detectInterpreter: check %prefix first, fall back to heuristics
- Replace emoji delimiter with structured [TABLES] prefix
- Update LICENSE file for ONNX Runtime (MIT) and DJL (Apache 2.0)
- Improve test assertions for semantic search behavior

JIRA: https://issues.apache.org/jira/browse/ZEPPELIN-6411

Author: Kalyan Kanuri

LICENSE

@@ -277,3 +277,21 @@ Eclipse Public License - v 1.0
 The following components are provided under the Eclipse Public License, version 1.0.  See file headers and project links for details.
 
   (Eclipse Public License) pty4j - http://www.eclipse.org/legal/epl-v10.html
+
+========================================================================
+MIT License
+========================================================================
+The following components are provided under the MIT License.  See file headers and project links for details.
+
+  (MIT License) ONNX Runtime (https://github.com/microsoft/onnxruntime)
+    Licensed under the MIT License.
+    https://github.com/microsoft/onnxruntime/blob/main/LICENSE
+
+========================================================================
+Apache License 2.0 (bundled dependencies)
+========================================================================
+The following components are provided under the Apache License 2.0.  See file headers and project links for details.
+
+  (Apache License 2.0) DJL - Deep Java Library Tokenizers (https://github.com/deepjavalibrary/djl)
+    Licensed under the Apache License, Version 2.0.
+    https://github.com/deepjavalibrary/djl/blob/master/LICENSE

bin/install-search-model.sh

@@ -26,24 +26,53 @@ MODEL_NAME="all-MiniLM-L6-v2"
 MODEL_REVISION="c9745ed1d9f207416be6d2e6f8de32d1f16199bf"
 BASE_URL="https://huggingface.co/sentence-transformers/${MODEL_NAME}/resolve/${MODEL_REVISION}"
 
+# Expected SHA256 checksums for integrity verification
+MODEL_SHA256="6fd5d72fe4589f189f8ebc006442dbb529bb7ce38f8082112682524616046452"
+TOKENIZER_SHA256="be50c3628f2bf5bb5e3a7f17b1f74611b2561a3a27eeab05e5aa30f411572037"
+
 INDEX_PATH="${1:-/tmp/zeppelin-index}"
 MODEL_DIR="${INDEX_PATH}/models/${MODEL_NAME}"
 
 mkdir -p "${MODEL_DIR}"
 
+verify_sha256() {
+  local file="$1" expected="$2"
+  local actual
+  if command -v sha256sum >/dev/null 2>&1; then
+    actual=$(sha256sum "${file}" | cut -d' ' -f1)
+  elif command -v shasum >/dev/null 2>&1; then
+    actual=$(shasum -a 256 "${file}" | cut -d' ' -f1)
+  else
+    echo "WARNING: Neither sha256sum nor shasum found, skipping integrity check for ${file}"
+    return 0
+  fi
+  if [ "${actual}" != "${expected}" ]; then
+    echo "ERROR: SHA256 mismatch for ${file}"
+    echo "  Expected: ${expected}"
+    echo "  Actual:   ${actual}"
+    rm -f "${file}"
+    return 1
+  fi
+  echo "SHA256 verified: ${file}"
+}
+
 download() {
-  local url="$1" dest="$2"
+  local url="$1" dest="$2" expected_sha="$3"
   if [ -f "${dest}" ]; then
-    echo "Already exists: ${dest}"
-    return
+    if verify_sha256 "${dest}" "${expected_sha}"; then
+      echo "Already exists and verified: ${dest}"
+      return
+    fi
+    echo "Existing file failed verification, re-downloading..."
   fi
   echo "Downloading ${url} ..."
   curl -fSL --connect-timeout 30 --max-time 300 -o "${dest}.tmp" "${url}"
   mv "${dest}.tmp" "${dest}"
+  verify_sha256 "${dest}" "${expected_sha}"
   echo "Saved: ${dest}"
 }
 
-download "${BASE_URL}/onnx/model.onnx" "${MODEL_DIR}/model.onnx"
-download "${BASE_URL}/tokenizer.json" "${MODEL_DIR}/tokenizer.json"
+download "${BASE_URL}/onnx/model.onnx" "${MODEL_DIR}/model.onnx" "${MODEL_SHA256}"
+download "${BASE_URL}/tokenizer.json" "${MODEL_DIR}/tokenizer.json" "${TOKENIZER_SHA256}"
 
 echo "Model installed to ${MODEL_DIR}"

zeppelin-web-angular/projects/zeppelin-sdk/tsconfig.json

@@ -5,8 +5,6 @@
     "target": "es2015",
     "declaration": true,
     "inlineSources": true,
-    "skipLibCheck": true,
-    "noImplicitAny": false,
     "types": [],
     "lib": ["dom", "es2018"]
   },

zeppelin-web-angular/src/app/pages/workspace/credential/credential.component.ts

@@ -146,7 +146,7 @@ export class CredentialComponent {
     this.credentialService.getCredentials().subscribe(data => {
       const controls = [...Object.entries(data.userCredentials)].map(e => {
         const entity = e[0];
-        const { username, password } = e[1] as any;
+        const { username, password } = e[1];
         return this.fb.group({
           entity: [entity, [Validators.required]],
           username: [username, [Validators.required]],

zeppelin-web-angular/src/app/pages/workspace/notebook-search/result-item/result-item.component.html

@@ -17,13 +17,11 @@
       <span *ngIf="interpreter" class="badge" [ngClass]="interpreter">{{ interpreter }}</span>
     </div>
   </ng-template>
-  <div *ngIf="codeText" class="code-block">
-    <pre>{{ codeText }}</pre>
+  <div *ngIf="codeHtml" class="code-block">
+    <pre [innerHTML]="codeHtml"></pre>
   </div>
   <div *ngIf="outputText" class="output-block">
     <pre>{{ outputText }}</pre>
   </div>
-  <div *ngIf="tablesText" class="tables-block">
-    📊 {{ tablesText }}
-  </div>
+  <div *ngIf="tablesText" class="tables-block">Tables: {{ tablesText }}</div>
 </nz-card>

zeppelin-web-angular/src/app/pages/workspace/notebook-search/result-item/result-item.component.less

@@ -91,3 +91,9 @@
   color: #22863a;
   padding: 4px 0;
 }
+
+mark {
+  background-color: #fff3bf;
+  padding: 0 1px;
+  border-radius: 2px;
+}

zeppelin-web-angular/src/app/pages/workspace/notebook-search/result-item/result-item.component.ts

@@ -26,6 +26,7 @@ export class NotebookSearchResultItemComponent implements OnChanges {
   displayName = '';
   routerLink: string[] = [];
   codeText = '';
+  codeHtml = '';
   outputText = '';
   tablesText = '';
   interpreter = '';
@@ -52,17 +53,20 @@ export class NotebookSearchResultItemComponent implements OnChanges {
     this.displayName = this.result.name ? this.result.name : `Note ${noteId}`;
 
     // snippet = SQL/code, header = tables + output
-    this.codeText = (this.result.snippet || '').replace(/<\/?B>/gi, '');
+    const snippet = this.result.snippet || '';
+    // Preserve Lucene <B> highlighting by converting to <mark>
+    this.codeHtml = snippet.replace(/<B>/gi, '<mark>').replace(/<\/B>/gi, '</mark>');
+    this.codeText = snippet.replace(/<\/?B>/gi, '');
     this.interpreter = this.detectInterpreter(this.codeText);
 
-    // Parse header: lines with 📊 are tables, rest is output
+    // Parse header: lines with [TABLES] prefix are tables, rest is output
     const header = (this.result.header || '').replace(/<\/?B>/gi, '');
     const lines = header.split('\n');
     const tableParts: string[] = [];
     const outputParts: string[] = [];
     for (const line of lines) {
-      if (line.startsWith('📊')) {
-        tableParts.push(line.substring(2).trim());
+      if (line.startsWith('[TABLES]')) {
+        tableParts.push(line.substring(8).trim());
       } else if (line.trim()) {
         outputParts.push(line);
       }
@@ -75,7 +79,8 @@ export class NotebookSearchResultItemComponent implements OnChanges {
     if (!text) {
       return '';
     }
-    if (/select|insert|create|from|where/i.test(text)) {
+    // Check interpreter prefix first — this is reliable
+    if (/^%(\w*\.)?sql/i.test(text)) {
       return 'sql';
     }
     if (/^%(\w*\.)?py/i.test(text)) {
@@ -87,8 +92,14 @@ export class NotebookSearchResultItemComponent implements OnChanges {
     if (/^%sh/i.test(text)) {
       return 'sh';
     }
-    if (/import |def |class /i.test(text)) {
-      return 'python';
+    // Fall back to keyword heuristic only if no prefix
+    if (!text.startsWith('%')) {
+      if (/\b(?:SELECT|INSERT|CREATE|FROM|WHERE)\b/i.test(text) && /\b(?:SELECT|FROM)\b/i.test(text)) {
+        return 'sql';
+      }
+      if (/import |def |class /i.test(text)) {
+        return 'python';
+      }
     }
     return '';
   }

zeppelin-web-angular/src/app/pages/workspace/notebook/notebook.component.ts

@@ -321,7 +321,7 @@ export class NotebookComponent extends MessageListenersManager implements OnInit
     this.securityService.getPermissions(note.id).subscribe(data => {
       this.permissions = data;
       this.isOwner = !(
-        this.permissions?.owners?.length && this.permissions.owners.indexOf(this.ticketService.ticket.principal) < 0
+        this.permissions.owners.length && this.permissions.owners.indexOf(this.ticketService.ticket.principal) < 0
       );
       this.cdr.markForCheck();
     });

zeppelin-web-angular/src/app/pages/workspace/notebook/paragraph/code-editor/code-editor.component.ts

@@ -360,7 +360,7 @@ export class NotebookParagraphCodeEditorComponent
       return;
     }
     const text = model.getValue();
-    const newDecorations: any[] = [];
+    const newDecorations = [];
     let startIndex = 0;
     while (term && text) {
       const idx = text.indexOf(term, startIndex);

zeppelin-web-angular/src/app/services/save-as.service.ts

@@ -19,7 +19,7 @@ export class SaveAsService {
   saveAs(content: string, filename: string, extension: string) {
     const BOM = '\uFEFF';
     const fileName = `${filename}.${extension}`;
-    const binaryData: string[] = [];
+    const binaryData = [];
     binaryData.push(BOM);
     binaryData.push(content);
     const blob = new Blob(binaryData, { type: 'octet/stream' });