feat: Add reset() method, gRPC keep-alive, and transport resilience (#40)

* fix: Use gRPC DnsNameResolver for periodic DNS re-resolution

Arrow Flight's default FlightClient.Builder uses
NettyChannelBuilder.forAddress(SocketAddress), which calls
Location.toSocketAddress() -> new InetSocketAddress(host, port).
This eagerly resolves DNS once at construction time and registers a
DirectAddressNameResolverProvider that never re-resolves.

For long-lived clients connecting to load-balanced endpoints (e.g.
AWS ALBs) where backend IPs can change, this causes the gRPC channel
to get stuck on stale IPs indefinitely. If the old IP is recycled to
a different service, the client sees TLS certificate mismatches and
cannot recover without being fully reconstructed.

This change builds the gRPC ManagedChannel directly using
NettyChannelBuilder.forTarget("dns:///host:port") instead of going
through Arrow's FlightClient.Builder. The "dns:///" target scheme
activates gRPC's DnsNameResolver, which periodically re-resolves the
hostname (default 30s cache TTL) and triggers re-resolution on
transient failures via its refresh() method.

The FlightClient is then created via FlightGrpcUtils.createFlightClient()
with the custom channel.

* feat: Add reset() method, gRPC keep-alive, and transport resilience

- Add public reset() method to SpiceClient for recovering from
  unrecoverable transport failures (SSL cert mismatch, persistent
  UNAVAILABLE errors, stale connections pinned to wrong backend IPs)
- Extract buildFlightClient() for reuse during construction and reset
- Configure HTTP/2 keep-alive (30s interval, 10s timeout) on the
  gRPC channel to detect dead/idle connections behind load balancers
- Add ensureFlightClient() guard in queryInternal() for safety
- Handle null flightClient in close() after reset
- Add ResetTest.java with 20 unit tests covering happy path, edge
  cases, concurrency, construction variants, and integration
- Document transport resilience and reset() usage in README

* fix: Resolve merge conflicts and fix TimeUnit ambiguity

- Resolve merge conflicts from trunk merge (buildFlightClient extraction)
- Fix TimeUnit import ambiguity: fully qualify java.util.concurrent.TimeUnit
  at keepAlive call sites to avoid conflict with Arrow's TimeUnit
- Add closed guard to reset() — throws IllegalStateException after close()
- Make close() idempotent with early return on already-closed client
- Update testResetAfterClose to expect IllegalStateException

* fix: Ensure FlightStream is closed after query in ResetTest

* chore: Add CI quality checks, address PR review comments

- Add SpotBugs, OWASP dependency-check, JaCoCo, Enforcer, Checkstyle plugins
- Add 'quality' CI job running static analysis and dependency scanning
- Add JaCoCo coverage reporting to build_multi_os CI job
- Make 'closed' field volatile for thread-safety
- Synchronize close() to prevent race with reset()/buildFlightClient()
- Add channel cleanup (shutdownNow) on buildFlightClient() failure
- Remove unused VectorSchemaRoot import in ResetTest
- Fix stale/misleading comments in ResetTest

* chore: Add permissions block to quality CI job

Address CodeQL finding: restrict GITHUB_TOKEN to contents:read.

* fix: Add SpotBugs exclusion filter and synchronize queryInternal method

* perf: Use snapshot-under-lock in queryInternal for concurrent query throughput

Instead of synchronizing the entire queryInternal() method (which would
serialize all gRPC RPCs), snapshot flightClient and authCallOptions under
a short synchronized block, then execute RPCs without holding the lock.
This allows concurrent queries to run in parallel while still being safe
against concurrent reset() calls.

* perf: Add HTTP connect timeout and double-checked locking for ADBC init

- Set 10s connect timeout on the static HttpClient used for dataset
  refresh, preventing threads from blocking indefinitely on unreachable
  endpoints.

- Replace synchronized initADBCIfNeeded() with double-checked locking
  using a volatile adbcInitialized flag. After warmup, parameterized
  queries skip the monitor entirely (volatile read only), eliminating
  contention at high concurrency.

* chore: Cap gRPC inbound message size at ~2 GiB and metadata at 16 MiB

Extract named constants MAX_INBOUND_MESSAGE_SIZE (Integer.MAX_VALUE ≈ 2 GiB)
and MAX_INBOUND_METADATA_SIZE (16 MiB) to make the caps explicit and prevent
unbounded metadata from consuming heap on large dataset transfers.

* perf: Fix medium-priority performance issues (#5-#8)

- #5: Eliminate intermediate Object[] and ArrowType[] arrays in parameter
  binding; build schema fields directly in a single pass and read values
  from the original params array during vector population.

- #6: Close AdbcStatement eagerly after executeQuery() returns the reader.
  The ArrowReader holds its own Flight stream and no longer needs the
  statement, freeing server-side resources immediately instead of waiting
  for slow consumers.

- #7: Create auth middleware once per RPC in HeaderAuthMiddlewareFactory
  instead of re-creating it in each callback (onBeforeSendingHeaders,
  onHeadersReceived, onCallCompleted). Eliminates 2 redundant allocations
  per RPC.

- #8: Replace message.contains() string scanning in ADBC retry logic with
  AdbcException.getStatus() switch on AdbcStatusCode enum (IO, UNKNOWN,
  TIMEOUT, INTERNAL). Avoids string allocation and scanning on the
  exception hot path.

* fix: Address PR review comments (round 3)

- Add closed guard to ensureFlightClient() to prevent rebuilding
  transport after client is closed.

- Use local temporaries in initADBCIfNeeded() to avoid leaking
  partially created AdbcDatabase/AdbcConnection on failure.

- Wrap FlightStream and ArrowReader in try-with-resources in
  ResetTest to prevent resource leaks during integration runs.

- Add bounded 30s timeout to CountDownLatch.await() in concurrent
  tests to prevent indefinite hangs on regression.

- Scope SpotBugs exclusions: limit example package exclusion to
  DLS_DEAD_LOCAL_STORE, scope CT_CONSTRUCTOR_THROW to specific
  classes (SpiceClient, SpiceClientBuilder).

- Fix README example to use try-with-resources for FlightStream.

- Add OWASP Dependency-Check data caching and NVD API key support
  in CI to improve reliability and speed.

* fix: Remove outdated commit message template

* fix: Address PR review comments (round 4)

- Close allocator in SpiceClient constructor if buildFlightClient() or
  initRetryers() throws, preventing off-heap memory leaks on failed
  client construction.

- Replace raw Thread usage in concurrent tests with ExecutorService
  and proper shutdownNow() cleanup, preventing thread leaks and JVM
  hangs on test timeout.

- Refactor integration tests to probe server availability in setUp()
  and gate with a boolean flag (matching TpchIntegrationTest pattern)
  instead of brittle exception message substring matching.

- Clarify README example: add comment explaining isTransportFailure()
  is application-defined and suggest which exception types to check.

* fix: Fix CI failures - SpotBugs exclusion, integration test tables, remove stale .commitmsg

- Add CNT_ROUGH_CONSTANT_VALUE SpotBugs exclusion for example code
  (3.14/3.14159265359 are intentional demo values for float params)
- Change ResetTest integration tests to use taxi_trips table (available
  in CI quickstart dataset) instead of tpch.customer (not available)
- Remove .commitmsg that was accidentally re-added

* fix: Address Copilot review comments

- Make server availability probe static/one-time in ResetTest (avoids
  redundant client+query per test method)
- Use CopyOnWriteArrayList in concurrent reset+query test for thread safety
- Add closed guard in queryWithParams() for consistent IllegalStateException
  instead of confusing NPE after close()

---------

Co-authored-by: Phillip LeBlanc <phillip@leblanc.tech>

Author: lukekim

.github/workflows/build.yaml

@@ -97,6 +97,14 @@ jobs:
           path: target/surefire-reports/
           retention-days: 7
 
+      - name: Upload coverage report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-report-${{ matrix.os }}
+          path: target/site/jacoco/
+          retention-days: 7
+
   build:
     runs-on: ubuntu-latest
     timeout-minutes: 20
@@ -178,3 +186,52 @@ jobs:
           name: test-results-jdk${{ matrix.java.version }}-${{ matrix.java.distribution }}
           path: target/surefire-reports/
           retention-days: 7
+
+  quality:
+    name: Code quality checks
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up JDK 17 (Oracle)
+        uses: actions/setup-java@v4
+        with:
+          java-version: 17
+          distribution: oracle
+          cache: maven
+
+      - name: Build
+        run: mvn install -DskipTests=true -Dgpg.skip -B -V
+
+      - name: Maven Enforcer
+        run: mvn validate -B
+
+      - name: SpotBugs
+        run: mvn spotbugs:check -B
+
+      - name: Checkstyle
+        run: mvn checkstyle:check -B
+
+      - name: Cache OWASP Dependency-Check data
+        uses: actions/cache@v4
+        with:
+          path: ~/.m2/repository/org/owasp/dependency-check-data
+          key: dependency-check-data-${{ runner.os }}-${{ hashFiles('**/pom.xml') }}
+          restore-keys: |
+            dependency-check-data-${{ runner.os }}-
+
+      - name: OWASP Dependency-Check
+        env:
+          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+        run: mvn dependency-check:check -B
+
+      - name: Upload dependency-check report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: dependency-check-report
+          path: target/dependency-check-report.html
+          retention-days: 30

README.md

@@ -213,6 +213,44 @@ SpiceClient client = SpiceClient.builder()
     .build();
 ```
 
+### Long-lived Clients and Transport Resilience
+
+The `SpiceClient` is designed for long-lived reuse. The underlying gRPC channel uses `dns:///` resolution, which periodically re-resolves hostnames so clients automatically recover from load-balancer IP rotation (e.g. AWS NLB). HTTP/2 keep-alive is enabled by default (30s interval, 10s timeout) to detect dead connections quickly.
+
+For the rare case where the transport becomes permanently stuck (e.g. TLS handshake to a wrong backend, persistent `UNAVAILABLE` after retries), use `reset()` to discard the bad connection and immediately establish a fresh one:
+
+```java
+SpiceClient client = SpiceClient.builder()
+    .withApiKey(API_KEY)
+    .withSpiceCloud()
+    .build();
+
+// Long-lived usage with transport recovery.
+// isTransportFailure() is application-defined; check for
+// io.grpc.StatusRuntimeException with Status.UNAVAILABLE,
+// SSLHandshakeException, or similar transport-level errors.
+try {
+    try (FlightStream stream = client.query(sql)) {
+        // process results...
+    }
+} catch (ExecutionException e) {
+    if (isTransportFailure(e.getCause())) {
+        client.reset();                     // discard bad transport, reconnect immediately
+        try (FlightStream stream = client.query(sql)) {
+            // process results with fresh connection...
+        }
+    } else {
+        throw e;
+    }
+}
+```
+
+**DNS cache TTL:** The gRPC `DnsNameResolver` respects the JVM's DNS cache TTL. For more aggressive DNS refresh (recommended for cloud-deployed clients), set the JVM property:
+
+```bash
+-Dnetworkaddress.cache.ttl=30
+```
+
 ### Iterating Through Results
 
 For more control over query results, you can iterate through rows and access individual field values:

pom.xml

@@ -89,7 +89,8 @@
                 <artifactId>maven-surefire-plugin</artifactId>
                 <version>3.5.4</version>
                 <configuration>
-                    <argLine>--add-opens=java.base/java.nio=ALL-UNNAMED</argLine>
+                    <!-- @{argLine} is set by JaCoCo's prepare-agent goal -->
+                    <argLine>@{argLine} --add-opens=java.base/java.nio=ALL-UNNAMED</argLine>
                 </configuration>
             </plugin>
             <plugin>
@@ -148,6 +149,82 @@
                     <waitUntil>published</waitUntil> -->
                 </configuration>
             </plugin>
+            <!-- P0: Static bug detection — null derefs, concurrency, resource leaks -->
+            <plugin>
+                <groupId>com.github.spotbugs</groupId>
+                <artifactId>spotbugs-maven-plugin</artifactId>
+                <version>4.9.3.0</version>
+                <configuration>
+                    <excludeFilterFile>spotbugs-exclude.xml</excludeFilterFile>
+                </configuration>
+            </plugin>
+            <!-- P0: CVE scanning for transitive dependencies (Netty, gRPC, Arrow) -->
+            <plugin>
+                <groupId>org.owasp</groupId>
+                <artifactId>dependency-check-maven</artifactId>
+                <version>12.1.1</version>
+                <configuration>
+                    <failBuildOnCVSS>7</failBuildOnCVSS>
+                </configuration>
+            </plugin>
+            <!-- P1: Test coverage reporting -->
+            <plugin>
+                <groupId>org.jacoco</groupId>
+                <artifactId>jacoco-maven-plugin</artifactId>
+                <version>0.8.13</version>
+                <executions>
+                    <execution>
+                        <id>prepare-agent</id>
+                        <goals>
+                            <goal>prepare-agent</goal>
+                        </goals>
+                    </execution>
+                    <execution>
+                        <id>report</id>
+                        <phase>test</phase>
+                        <goals>
+                            <goal>report</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            <!-- P2: Build hygiene — enforce Maven/JDK versions, dependency convergence -->
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-enforcer-plugin</artifactId>
+                <version>3.5.0</version>
+                <executions>
+                    <execution>
+                        <id>enforce</id>
+                        <goals>
+                            <goal>enforce</goal>
+                        </goals>
+                        <configuration>
+                            <rules>
+                                <requireMavenVersion>
+                                    <version>[3.6.0,)</version>
+                                </requireMavenVersion>
+                                <requireJavaVersion>
+                                    <version>[11,)</version>
+                                </requireJavaVersion>
+                                <banDuplicatePomDependencyVersions/>
+                            </rules>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+            <!-- P3: Code style consistency (Google Java Style) -->
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-checkstyle-plugin</artifactId>
+                <version>3.6.0</version>
+                <configuration>
+                    <configLocation>google_checks.xml</configLocation>
+                    <consoleOutput>true</consoleOutput>
+                    <violationSeverity>warning</violationSeverity>
+                    <failOnViolation>false</failOnViolation>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
 </project>

spotbugs-exclude.xml

@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  SpotBugs exclusion filter for pre-existing findings.
+  These are findings in code that predates the introduction of SpotBugs.
+  They should be addressed in follow-up PRs.
+-->
+<FindBugsFilter>
+    <!-- Example code: dead stores are intentional (demonstrating all param types) -->
+    <Match>
+        <Package name="ai.spice.example"/>
+        <Bug pattern="DLS_DEAD_LOCAL_STORE"/>
+    </Match>
+
+    <!-- Example code: rough constants like 3.14 are intentional demo values for float params -->
+    <Match>
+        <Package name="ai.spice.example"/>
+        <Bug pattern="CNT_ROUGH_CONSTANT_VALUE"/>
+    </Match>
+
+    <!-- Config: dead store in getUserAgent() -->
+    <Match>
+        <Class name="ai.spice.Config"/>
+        <Bug pattern="DLS_DEAD_LOCAL_STORE"/>
+    </Match>
+
+    <!-- HeaderAuthMiddlewareFactory: internal representation exposure (by design, internal class) -->
+    <Match>
+        <Class name="ai.spice.HeaderAuthMiddlewareFactory"/>
+        <Bug pattern="EI_EXPOSE_REP2"/>
+    </Match>
+
+    <!-- RefreshOptions: public fields are part of the public API -->
+    <Match>
+        <Class name="ai.spice.RefreshOptions"/>
+        <Bug pattern="PA_PUBLIC_PRIMITIVE_ATTRIBUTE"/>
+    </Match>
+
+    <!-- Constructor-throw warnings: these constructors intentionally validate/fail early -->
+    <Match>
+        <Class name="ai.spice.SpiceClient"/>
+        <Bug pattern="CT_CONSTRUCTOR_THROW"/>
+    </Match>
+    <Match>
+        <Class name="ai.spice.SpiceClientBuilder"/>
+        <Bug pattern="CT_CONSTRUCTOR_THROW"/>
+    </Match>
+</FindBugsFilter>

src/main/java/ai/spice/HeaderAuthMiddlewareFactory.java

@@ -21,21 +21,23 @@ public HeaderAuthMiddlewareFactory(ClientIncomingAuthHeaderMiddleware.Factory au
 
     @Override
     public FlightClientMiddleware onCallStarted(CallInfo callInfo) {
+        // Create the auth middleware once per RPC, not once per callback
+        final FlightClientMiddleware authMiddleware = authFactory.onCallStarted(callInfo);
         return new FlightClientMiddleware() {
             @Override
             public void onBeforeSendingHeaders(CallHeaders callHeaders) {
-                authFactory.onCallStarted(callInfo).onBeforeSendingHeaders(callHeaders);
+                authMiddleware.onBeforeSendingHeaders(callHeaders);
                 headers.forEach(callHeaders::insert);
             }
 
             @Override
             public void onHeadersReceived(CallHeaders callHeaders) {
-                authFactory.onCallStarted(callInfo).onHeadersReceived(callHeaders);
+                authMiddleware.onHeadersReceived(callHeaders);
             }
 
             @Override
             public void onCallCompleted(CallStatus callStatus) {
-                authFactory.onCallStarted(callInfo).onCallCompleted(callStatus);
+                authMiddleware.onCallCompleted(callStatus);
             }
         };
     }