review(#1318): address PR feedback (findings 1, 2, 3, 4, 6, 8)

Finding 1 — Kotlin Multiplatform fixture: bump
`org.jetbrains.kotlin.multiplatform` from 1.9.25 (officially supports
Gradle 6.8.3-8.6) to 2.1.0 (supports Gradle 9.x). CI installs Gradle
9.2.1 so the old plugin version would fail. Smoke-tested locally.

Finding 2 — `handle-create-new-scan.mts`: rename
`filterToCdxSpdxAndFactsFiles` → `filterToCdxSpdxOnly`. The
"AndFactsFiles" branch in the function was dead at the only call site
because the caller had already stripped `.socket.facts.json` from the
input. Dropped the basename check from the function body; semantics
unchanged.

Finding 3 — Aggregator's `node.children` read now happens under
`synchronized(nodes)` to mirror the writers in each
`socketFactsCollect` doLast. Task dependencies via
`aggregator.dependsOn(collector)` already establish a happens-before
edge, but explicit synchronization makes the contract local and
removes any implicit reliance on Gradle's task-graph memory
visibility semantics. The aggregator snapshots into plain List/Map
values first, then builds the JSON outside the critical section.

Finding 4 — `convert-gradle-to-facts.mts`: replace
`output.stdout.replace(regex, callback)`-for-side-effects pattern
with `Array.from(stdout.matchAll(regex), m => m[1])`. Reads more
directly.

Finding 6 — Cross-reference comments at both
`ext.SOCKET_FACTS_FILENAME` (Groovy) and `DOT_SOCKET_DOT_FACTS_JSON`
(TS) noting that the two values are intentionally duplicated (Groovy
can't import a TS constant) and must be kept in sync.

Finding 8 — When the Gradle script's `components.isEmpty()` branch
fires (no resolvable dependencies in the build), the TS wrapper no
longer prints a bare "Reported exports:" header followed by nothing.
It now suppresses the header when `matchAll` returns zero exports,
and surfaces the `[socket-facts] no resolvable dependencies` skip
message from Gradle stdout if present so the user understands why
the file wasn't written.

Not changed (replies posted separately):
- Finding 5: `.toLowerCase()` IS load-bearing on case-insensitive
  filesystems (macOS HFS+, Windows). The constant is lowercase; the
  input might not be. Keeping the normalization.
- Finding 7: function ordering left to match the existing
  `convert_gradle_to_maven.mts` pattern — consistency with precedent
  wins over the literal CLAUDE.md rule here.

Author: jfblaa

src/commands/manifest/convert-gradle-to-facts.mts

@@ -74,14 +74,27 @@ export async function convertGradleToFacts({
       )
       return
     }
-    logger.log('Reported exports:')
-    output.stdout.replace(
-      /^Socket facts file written to: (.*)/gm,
-      (_all: string, fn: string) => {
-        logger.log('- ', fn)
-        return fn
-      },
+    const exports = Array.from(
+      output.stdout.matchAll(/^Socket facts file written to: (.*)/gm),
+      m => m[1],
     )
+    if (exports.length) {
+      logger.log('Reported exports:')
+      for (const fn of exports) {
+        logger.log('- ', fn)
+      }
+    } else {
+      // Gradle script may have skipped emission when no resolvable
+      // dependencies were found (see the `components.isEmpty()` branch in
+      // socket-facts.init.gradle). Surface the skip reason if present so
+      // the user understands why nothing was written.
+      const skipMatch = output.stdout.match(
+        /^\[socket-facts\] no resolvable dependencies.*/m,
+      )
+      if (skipMatch) {
+        logger.warn(skipMatch[0])
+      }
+    }
     logger.log('')
     logger.log(
       'Next step is to generate a Scan by running the `socket scan create` command on the same directory.',

src/commands/manifest/socket-facts.init.gradle

@@ -33,6 +33,10 @@
 import java.util.Collections
 import groovy.json.JsonOutput
 
+// Must stay in sync with `DOT_SOCKET_DOT_FACTS_JSON` in
+// src/constants.mts (TS side). Groovy can't import the TS constant, so
+// the two strings are intentionally duplicated; if you change one,
+// change the other.
 ext.SOCKET_FACTS_FILENAME = '.socket.facts.json'
 
 // Shared accumulators across all subprojects' contributions. Synchronized
@@ -266,8 +270,23 @@ rootProject {
       def nodes = state.nodes
       def directIds = state.directIds
 
-      def components = nodes.collect { id, node ->
-        def coord = node.coord
+      // Snapshot the accumulators under the same monitor used by writers in
+      // each subproject's socketFactsCollect doLast. Task dependencies
+      // (`aggregator.dependsOn(collector)`) already guarantee a
+      // happens-before edge between writes and this read, but we
+      // synchronize on `nodes` here so the read path is symmetric with the
+      // write path — no implicit reliance on Gradle's task-graph ordering
+      // semantics for memory visibility of plain HashMap/HashSet fields.
+      def components
+      synchronized (nodes) {
+        components = nodes.collect { id, node ->
+          [id: id, coord: node.coord, prod: node.prod, nonTooling: node.nonTooling, children: (node.children as List).sort()]
+        }
+      }
+
+      components = components.collect { snapshot ->
+        def id = snapshot.id
+        def coord = snapshot.coord
         def component = [
           type     : 'maven',
           namespace: coord.groupId,
@@ -290,14 +309,14 @@ rootProject {
         if (directIds.contains(id)) {
           component.direct = true
         }
-        if (!node.prod) {
+        if (!snapshot.prod) {
           component.dev = true
         }
-        if (!node.nonTooling) {
+        if (!snapshot.nonTooling) {
           component.tooling = true
         }
-        if (!node.children.isEmpty()) {
-          component.dependencies = (node.children as List).sort()
+        if (!snapshot.children.isEmpty()) {
+          component.dependencies = snapshot.children
         }
         component
       }

src/commands/scan/handle-create-new-scan.mts

@@ -47,20 +47,14 @@ function getCdxSpdxPatterns(
   return patterns
 }
 
-function filterToCdxSpdxAndFactsFiles(
+function filterToCdxSpdxOnly(
   filepaths: string[],
   supportedFiles: SocketSdkSuccessResult<'getReportSupportedFiles'>['data'],
 ): string[] {
   const patterns = getCdxSpdxPatterns(supportedFiles)
-  return filepaths.filter(filepath => {
-    const basename = path.basename(filepath).toLowerCase()
-    // Include .socket.facts.json files.
-    if (basename === constants.DOT_SOCKET_DOT_FACTS_JSON) {
-      return true
-    }
-    // Include CDX and SPDX files.
-    return micromatch.some(filepath, patterns, { nocase: true })
-  })
+  return filepaths.filter(filepath =>
+    micromatch.some(filepath, patterns, { nocase: true }),
+  )
 }
 
 export type HandleCreateNewScanConfig = {
@@ -270,7 +264,7 @@ export async function handleCreateNewScan({
 
     // When using pregenerated SBOMs only, filter to CDX/SPDX files.
     const pathsForScan = reach.reachUseOnlyPregeneratedSboms
-      ? filterToCdxSpdxAndFactsFiles(filteredPackagePaths, supportedFiles)
+      ? filterToCdxSpdxOnly(filteredPackagePaths, supportedFiles)
       : filteredPackagePaths
 
     scanPaths = [

src/constants.mts

@@ -199,6 +199,10 @@ const CONFIG_KEY_API_TOKEN = 'apiToken'
 const CONFIG_KEY_DEFAULT_ORG = 'defaultOrg'
 const CONFIG_KEY_ENFORCED_ORGS = 'enforcedOrgs'
 const CONFIG_KEY_ORG = 'org'
+// Must stay in sync with `ext.SOCKET_FACTS_FILENAME` in
+// src/commands/manifest/socket-facts.init.gradle (Groovy side).
+// Groovy can't import a TS constant, so the two values are intentionally
+// duplicated; change them together.
 const DOT_SOCKET_DOT_FACTS_JSON = `${DOT_SOCKET_DIR}.facts.json`
 const DLX_BINARY_CACHE_TTL = 7 * 24 * 60 * 60 * 1_000 // 7 days in milliseconds.
 const DRY_RUN_LABEL = '[DryRun]'

test/fixtures/commands/manifest/gradle-facts/kotlin-multiplatform/build.gradle

@@ -3,8 +3,10 @@
 // jsTestRuntimeClasspath, etc.) that the Java SourceSetContainer doesn't
 // surface, but which our name-pattern selection (`*CompileClasspath` /
 // `*RuntimeClasspath`) still picks up.
+// Kotlin 2.1.x is required for Gradle 9.x compatibility. KGP 1.9.x
+// officially supports Gradle 6.8.3-8.6 only; CI runs Gradle 9.2.1.
 plugins {
-    id 'org.jetbrains.kotlin.multiplatform' version '1.9.25'
+    id 'org.jetbrains.kotlin.multiplatform' version '2.1.0'
 }
 
 group = 'com.example.socket.kmp'