From d5693a6804aa220339e29512fc74ce4423492da8 Mon Sep 17 00:00:00 2001
From: Julien Bureau <jbureau@aubay.com>
Date: Wed, 20 May 2026 09:55:00 +0200
Subject: [PATCH 1/3] fix: Refactor project guidelines and scripts for
 integration tests

- Updated project structure and checklist in copilot.instructions.md for clarity and consistency.
- Modified review_pr.bat and review_pr.sh to provide clearer instructions for running integration tests.
- Introduced new run_it.bat and run_it.sh scripts to streamline the execution of integration tests with options for rule filtering and build skipping.
- Enhanced error handling and reporting in the new scripts to improve user experience and debugging.

Co-authored-by: Copilot <copilot@github.com>
---
 .../agents/creedengo-java-reviewer.agent.md   | 608 +++++++++++++
 .github/instructions/copilot.instructions.md  |  41 +
 .github/scripts/review_pr.bat                 | 598 +++++++++++++
 .github/scripts/review_pr.sh                  | 840 ++++++++++++++++++
 .github/scripts/run_it.bat                    | 195 ++++
 .github/scripts/run_it.sh                     | 237 +++++
 6 files changed, 2519 insertions(+)
 create mode 100644 .github/agents/creedengo-java-reviewer.agent.md
 create mode 100644 .github/instructions/copilot.instructions.md
 create mode 100644 .github/scripts/review_pr.bat
 create mode 100644 .github/scripts/review_pr.sh
 create mode 100644 .github/scripts/run_it.bat
 create mode 100644 .github/scripts/run_it.sh

diff --git a/.github/agents/creedengo-java-reviewer.agent.md b/.github/agents/creedengo-java-reviewer.agent.md
new file mode 100644
index 00000000..b3778bed
--- /dev/null
+++ b/.github/agents/creedengo-java-reviewer.agent.md
@@ -0,0 +1,608 @@
+---
+description: "Specialized agent for in-depth Pull Request reviews on the creedengo-java repository. Used to analyze the quality, compliance and completeness of PRs adding or modifying SonarQube rules for sustainable software development. Generates a structured Markdown report."
+tools: [read, search, web, agent, todo, execute, edit]
+argument-hint: "GitHub PR URL or description of the changes to analyze"
+---
+
+# Agent creedengo-java PR Reviewer
+
+You are an expert reviewer specialized in Pull Requests for the **creedengo-java** project, a SonarQube plugin of eco-design rules for Java.
+
+## Project context
+
+- Package: `org.greencodeinitiative.creedengo.java.checks`
+- Each rule extends `IssuableSubscriptionVisitor`, annotated with `@Rule(key = "GCI{N}")`
+- Registration: `JavaCheckRegistrar.ANNOTATED_RULE_CLASSES` + `creedengo_way_profile.json`
+- Unit tests: `CheckVerifier` with `// Noncompliant {{message}}` markers
+- Integration tests: `GCIRulesIT.java` (format `"creedengo-java:GCI{N}"`)
+- Test files: `src/it/test-projects/.../checks/GCI{N}/` (NOT `src/test/files/`)
+- Specifications: https://github.com/green-code-initiative/creedengo-rules-specifications/blob/main/RULES.md
+- Definition of done: https://github.com/green-code-initiative/ecoCode-common/blob/main/doc/starter-pack.md#check-definition-of-done-for-new-rule-implementation
+- PR is not necessarily linked to an issue (can be upgrade of documentation, refactoring, rule check improvement...), but if it is, the issue must be mentioned in the description and closed by the PR (e.g. "Closes #123")
+
+## Review methodology
+
+### Phase 0: Preparation
+
+```bash
+git clone https://github.com/green-code-initiative/creedengo-java.git pr-{N}-workdir
+cd pr-{N}-workdir
+git fetch origin pull/{N}/head:pr-{N}
+git checkout pr-{N}
+```
+
+> **Important — git diff**: Always use the three-dot syntax `git diff origin/main...pr-{N}` (or equivalently `git diff $(git merge-base origin/main pr-{N})..pr-{N}`) to compare the PR against its divergence point from `main`. The two-dot syntax `origin/main..pr-{N}` would include changes made on `main` after the branch diverged and surface them as deletions, producing a misleading diff.
+
+> **Important — definition of done**: You MUST read the official and up to date definition of done before reviewing the PR.
+
+### Phase 1: Automated checks (script)
+
+#### Maven invocation strategy (important for performance)
+
+The review process uses two scripts sequentially, with a single Maven build:
+
+1. **`review_pr.{sh|bat}`** — runs `mvnw verify -DskipITs=true`:
+   - Compiles the project
+   - Runs unit tests (Surefire)
+   - Packages the plugin JAR (shade)
+   - Generates JaCoCo coverage report
+   - Skips integration tests (ITs require SonarQube download, ~5min)
+   - Output: `target/` directory with JAR + coverage + test reports
+
+2. **`run_it.{sh|bat} --skip-build`** — runs `mvnw verify -DskipTests=true`:
+   - Detects that classes are already compiled (incremental, ~1s)
+   - Repackages the JAR (shade, ~3s)
+   - Runs integration tests via Failsafe (downloads SonarQube if not cached)
+   - The `--skip-build` flag skips the `clean` phase so target/ is reused
+
+**Why two separate invocations?**
+- Unit tests are fast (~5s) and give quick feedback on compilation + logic errors
+- IT tests are slow (~3-5min) because they download/start SonarQube
+- If unit tests fail, there's no point running ITs
+- The agent can start Phase 2 analysis while ITs run in background
+
+**Why NOT use standalone Maven goals?**
+- `failsafe:integration-test` and `failsafe:verify` as standalone goals do NOT inject the `systemPropertyVariables` from the pom.xml `<execution>` configuration
+- This causes errors like "System property `test-it.orchestrator.artifactory.url` must be defined"
+- Always use the lifecycle (`verify`) to ensure proper property injection
+
+#### Step 1.1: Run the automated review script
+
+**Linux/macOS/WSL:**
+```bash
+bash .github/scripts/review_pr.sh --pr-number {N} --base-branch main
+```
+
+**Windows (CMD — NOT PowerShell directly):**
+```cmd
+cmd /c "cd /d <workdir> && .github\scripts\review_pr.bat --pr-number {N} --base-branch main"
+```
+
+> **IMPORTANT — Windows execution**: All `.bat` scripts MUST be invoked through `cmd /c "..."` when the agent runs in PowerShell. PowerShell does not correctly parse batch `if/else` blocks, `for /f` loops, and delayed expansion (`!var!`). Always wrap in `cmd /c "cd /d <path> && .github\scripts\<script>.bat ..."`.
+
+The script performs automated checks AND the Maven build:
+- GPL v3 license headers
+- CHANGELOG.md modified with correct format (PR links, GCI mention)
+- Registration in `JavaCheckRegistrar` + `creedengo_way_profile.json`
+- Unit and integration tests present
+- Code conventions (no `var`, line ≤120 chars, @Override)
+- ClassCastException risks (explicit casts without instanceof)
+- Error message consistency code ↔ test annotations
+- Correct imports in IT files
+- `@DeprecatedRuleKey` for renamed rules (GCI < 100)
+- Test files in the correct location
+- Rule ID consistency across all files
+- Package and class name in IT files
+- Reference to creedengo-rules-specifications
+- Unused imports
+- Merge conflict markers
+- Branch up to date with main
+- **Maven build (`mvnw verify -DskipITs=true`) + unit test execution**
+
+Results:
+- `pr_review_report.txt`: text report of the checks
+- `build_output.log`: full Maven build output
+- Return code: `0` (OK), `1` (critical), `2` (warnings)
+
+> **Note**: The review script does NOT run integration tests (IT). These are handled separately in Step 1.3 below.
+
+#### Step 1.2: Metrics extraction
+
+After running the script, the agent MUST read the results and extract the following metrics:
+
+1. **Build result**: read `build_output.log` — look for `BUILD SUCCESS` or `BUILD FAILURE`
+2. **Unit tests**: look for `Tests run:` in `build_output.log`
+3. **JaCoCo coverage**: read `target/site/jacoco/jacoco.csv`
+
+Coverage extraction (bash):
+```bash
+if [ -f target/site/jacoco/jacoco.csv ]; then
+  grep -i "GCI{N}\|{ClassName}" target/site/jacoco/jacoco.csv
+fi
+```
+
+On Windows (PowerShell):
+```powershell
+if (Test-Path target/site/jacoco/jacoco.csv) {
+  Import-Csv target/site/jacoco/jacoco.csv |
+    Where-Object { $_.CLASS -match "GCI|{ClassName}" } |
+    Format-Table GROUP, CLASS, INSTRUCTION_MISSED, INSTRUCTION_COVERED, BRANCH_MISSED, BRANCH_COVERED
+}
+```
+
+**Success criteria:**
+- Compilation without error
+- 0 failing tests
+- Coverage ≥ 80% on new classes
+
+#### Fallback: if the script crashed
+
+If the script itself fails (syntax error, crash, interruption) without producing a usable build result, the agent runs the build manually **as a last resort**:
+
+```bash
+./mvnw clean verify -DskipITs=true 2>&1 | tee build_output.log
+```
+
+On Windows (always through cmd /c):
+```powershell
+cmd /c "cd /d <workdir> && mvnw.cmd clean verify -DskipITs=true > build_output.log 2>&1"
+```
+
+#### Step 1.3: Integration tests (SonarQube Orchestrator)
+
+**MANDATORY.** The agent MUST run integration tests to verify that the rule is correctly loaded and behaves as expected within a real SonarQube instance.
+
+The IT runner script uses Maven's `verify` lifecycle phase with `-DskipTests=true`. This is critical because the `maven-failsafe-plugin` configuration in the pom.xml injects required `systemPropertyVariables` (orchestrator URL, SonarQube version, plugin JAR path, etc.) only when invoked through the lifecycle — NOT when using standalone goals like `failsafe:integration-test`.
+
+The script:
+1. Builds/repackages the plugin JAR (skippable with `--skip-build`)
+2. Downloads the configured SonarQube version (cached in `~/.sonar/orchestrator`)
+3. Starts a temporary SonarQube instance with the plugin installed
+4. Analyses the test project (`src/it/test-projects/creedengo-java-plugin-test-project/`)
+5. Asserts that the expected issues are raised at the correct locations
+
+**Execution (from the PR workdir root):**
+
+Linux/macOS/WSL:
+```bash
+bash .github/scripts/run_it.sh --rule GCI{N} --skip-build
+```
+
+Windows (CMD — NOT PowerShell directly):
+```cmd
+cmd /c ".github\scripts\run_it.bat --rule GCI{N} --skip-build"
+```
+
+> **IMPORTANT — Windows execution**: The `.bat` script MUST be invoked through `cmd /c "..."` when running from PowerShell. Running it directly in PowerShell (`& .github\scripts\run_it.bat`) will fail because PowerShell does not correctly interpret batch `if/else` blocks and variable expansion. Always use `cmd /c "cd /d <path> && .github\scripts\run_it.bat ..."`.
+
+> Use `--skip-build` because Step 1.1 already built the JAR (in `target/`). The script skips `clean` and Maven detects classes are up-to-date — only the shade step and IT run execute (~5s overhead). Use `--rule GCI{N}` to run only the tests relevant to the PR's rule. Omit `--rule` to run all IT tests.
+
+> **IMPORTANT — Do NOT use standalone Maven goals**: Never run `mvnw failsafe:integration-test failsafe:verify` directly. This bypasses the pom.xml configuration and will fail with errors like "System property `test-it.orchestrator.artifactory.url` must be defined."
+
+**Results:**
+- `it_report.txt`: structured report with pass/fail per test method
+- `it_build_output.log`: full Maven Failsafe output (includes SonarQube startup logs)
+
+**Reading results:**
+
+After execution, the agent MUST read `it_report.txt` and extract:
+1. **Overall result**: `RESULT=SUCCESS` or `RESULT=FAILURE`
+2. **Per-test detail**: which test methods passed/failed
+3. **Failure messages**: for any failed test, search `it_build_output.log` for `<<< FAILURE` or `AssertionError` to get the assertion details (expected vs actual issues, line numbers)
+
+If a test fails, the agent should:
+- Read the failure details in `it_build_output.log` (search for `<<< FAILURE` or `AssertionError`)
+- Check the failsafe reports in `target/failsafe-reports/*.txt` for the full stack trace
+- Determine whether the issue is in the rule implementation (wrong lines detected, missing detection) or in the IT test itself (wrong expected values in `GCIRulesIT.java`)
+- Report this clearly in the review
+
+**Success criteria:**
+- All IT tests for the PR's rule(s) pass
+- If the PR adds a new rule: a corresponding IT test method exists in `GCIRulesIT.java` AND passes
+- If the PR modifies a rule: existing IT tests still pass (no regression)
+
+**Fallback — if Orchestrator fails to start:**
+
+If the IT script exits with code 2 (infrastructure error — e.g., port conflict, download timeout, insufficient memory):
+1. Note the error in the report as "IT NOT EXECUTABLE" with the reason
+2. Do NOT mark this as a blocking issue for the PR author (it's not their fault)
+3. Recommend manual verification in the review comments
+
+### Phase 2: Intelligent analysis (agent)
+
+The agent performs checks requiring semantic understanding of the code. Each check below must be systematically executed.
+
+#### 2.1 Runtime safety — ClassCastException
+
+**BLOCKING.** A crash in production leads to users uninstalling the plugin.
+
+Verify that:
+- Every downcast is guarded by an `instanceof` check or `.is(Tree.Kind.XXX)` before the cast
+- Calls to `.thenStatement()`, `.elseStatement()`, `.body()` are NEVER directly cast to `BlockTree` — an `if` without braces returns a `ReturnStatementTreeImpl` or `ExpressionStatementTreeImpl`
+- Typical dangerous pattern:
+  ```java
+  BlockTree block = (BlockTree) ifStmt.thenStatement(); // CRASH if return without braces
+  ```
+  Fix: `if (ifStmt.thenStatement().is(Tree.Kind.BLOCK)) { BlockTree block = (BlockTree) ifStmt.thenStatement(); }`
+
+#### 2.2 Runtime safety — NullPointerException
+
+**BLOCKING.** Same impact as a ClassCastException.
+
+Verify that every chained call on a potentially null object is guarded:
+- `tree.parent()` → can be null at the root
+- `Deque.peek()`, `Deque.poll()` → null if empty
+- `symbol.declaration()`, `tree.symbolType()`, `getSymbol()` → can be null
+- Dangerous pattern: `while (tree.parent().is(Kind.MEMBER_SELECT))` → NPE if parent() is null
+- Fix: `while (tree.parent() != null && tree.parent().is(...))`
+
+#### 2.3 False positive detection
+
+Analyze the detection logic and imagine Java code cases that would be incorrectly flagged:
+- Does the rule detect a legitimate pattern as problematic?
+- Are edge cases handled? (lambda, inner classes, generics, annotations, streams, try-with-resources)
+- Are the exclusion conditions sufficient?
+
+#### 2.4 Test quality and diversity
+
+Evaluate that the tests systematically cover:
+- **Noncompliant** cases (must trigger the rule)
+- **Compliant** cases (must NOT trigger)
+- **Edge cases**: expression as a method argument, in an assignment, in a return, in a lambda, with inheritance, in a try/catch
+- If tests cover only one type of case, suggest explicit additional cases
+- IT files must be clean code (no unused variables, complete imports)
+
+#### 2.5 Correspondence with creedengo-rules-specifications
+
+- Verify that the specs PR exists (search in `creedengo-rules-specifications` for open/merged PRs mentioning the same GCI ID)
+- If the specs PR is merged, verify that the ID used in the Java code matches exactly (temporary IDs GCI1000-1500 must be replaced by the definitive ID)
+- Verify that the error message in the code matches the ASCIIDOC description
+
+#### 2.6 Duplicate PRs
+
+Check whether other open PRs on the same repository target the same GCI rule. If so, flag the risk of duplicate work.
+
+#### 2.7 Implementation quality
+
+- The class properly extends `IssuableSubscriptionVisitor`
+- `nodesToVisit()` returns the **minimal** list of `Tree.Kind` needed (performance)
+- The error message is stored as `protected static final String`, clear and in correct English
+- K&R brace style, `CONSTANT_CASE` for constants, `this.field` for fields
+- No duplication of logic with an existing rule
+
+#### 2.8 Coverage Quality Gate
+
+SonarCloud requires > 80% coverage on new code. Verify that all condition branches are tested. Run tests locally to verify coverage.
+
+### Phase 3: Verdict
+
+Summarize the result of the script + build + IT tests + intelligent analysis into a **Definition of Done**:
+- [ ] Implementation with `@Rule(key = "GCI{N}")`
+- [ ] Registration (Registrar + profile.json)
+- [ ] Maven compilation without error
+- [ ] All unit tests passed (0 failures)
+- [ ] Coverage ≥ 80% on added/modified classes
+- [ ] Integration tests passed (`it_report.txt` shows `RESULT=SUCCESS`)
+- [ ] Rule correctly detected in SonarQube (IT verifies issue count + line positions)
+- [ ] CHANGELOG.md updated (format `[#N](url) GCIXXX - description`)
+- [ ] GPL v3 license header
+- [ ] Correspondence with creedengo-rules-specifications
+- [ ] No unguarded ClassCastException or NPE risk
+
+## Verdict constraints
+
+- **REQUEST_CHANGES** mandatory if:
+  - Compilation failure or unit test failures
+  - Integration tests failed (rule not properly detected in SonarQube)
+  - Coverage < 80% on added/modified classes
+  - Uncontrolled ClassCastException or NPE risk
+  - Unit tests absent
+  - IT test method absent for a new rule
+  - CHANGELOG not updated
+  - Rule ID inconsistent with specifications
+
+- **APPROVE** only if:
+  - All DoD items are satisfied
+  - Integration tests passed (or marked NOT EXECUTABLE with infrastructure justification)
+  - No obvious false positive identified
+  - IT file code compiles
+  - Error message is consistent between code and annotations
+
+### Phase 4: GitHub review preparation
+
+After analysis and verdict, the agent prepares a **draft GitHub review** ready to be submitted by the user. The goal is to minimize manual work: the user only needs to validate/complete and submit.
+
+#### 4.1 Review structure
+
+The GitHub review consists of:
+1. **The verdict**: `APPROVE`, `REQUEST_CHANGES`, or `COMMENT`
+2. **The review body**: main comment summarizing key points
+3. **Inline comments**: attached to specific files/lines in the diff
+   - With a **code suggestion** (when a precise fix can be proposed)
+   - Or a **plain comment** (when only a remark is needed)
+
+#### 4.2 Review body
+
+The body must be concise, professional, and actionable. Format:
+
+```markdown
+Thank you for this PR! {Positive summary in 1 sentence.}
+
+{Main remarks as a bullet list}
+
+• {Critical point 1}
+• {Critical point 2}
+• Nice to have: {non-blocking suggestion}
+```
+
+Rules:
+- Always start with a thank-you
+- Critical (blocking) points first
+- Suggestions (non-blocking) prefixed with "Nice to have:"
+- Language: **English** (the project is international)
+- Do NOT include the full technical report — only the requested actions
+
+#### 4.3 Inline comments with code suggestions
+
+When the agent can propose a precise fix, it prepares an inline comment with a GitHub `suggestion` block.
+
+**Output format for each suggestion:**
+
+````markdown
+📍 **File**: `{relative file path}`
+**Line(s)**: {line number(s) in the source file (not the diff)}
+**Comment**: {short explanation}
+
+```suggestion
+{fixed code — only the lines covered by the suggestion block}
+```
+````
+
+**Rules for suggestions:**
+- The `suggestion` block replaces exactly the selected lines (from the start line to the end line of the inline comment)
+- Include only the replacement code, no context beyond the targeted lines
+- If the replacement concerns a single line, the suggestion block contains a single line
+- If the replacement adds lines (e.g. a wildcard import → 5 explicit imports), the block contains all new lines
+- If the replacement removes lines, the suggestion block is empty (deletion)
+
+**Examples of automatically proposable suggestions:**
+
+| Detected issue | Suggestion |
+|----------------|------------|
+| Wildcard import `import org.xxx.*` | Replace with the explicit imports used |
+| Missing blank line between methods | Add `}` + blank line before the next method |
+| `// Noncompliant` without message | Add `// Noncompliant {{message}}` |
+| Formatting (indentation, spaces) | Propose the correctly formatted code |
+| Missing license header | Propose the complete header |
+| Unused import | Remove the line |
+
+#### 4.4 Inline comments without suggestion
+
+When no precise fix can be proposed (the change requires the developer's judgment), the agent prepares a descriptive inline comment.
+
+**Output format:**
+
+````markdown
+📍 **File**: `{relative file path}`
+**Line(s)**: {line number(s)}
+**Comment**:
+{Explanation of the problem and/or question to the developer}
+````
+
+**Examples of comments without suggestion:**
+- Risk of false positive/negative in the business logic
+- Question about an implementation choice
+- Missing test case (the exact code cannot be guessed)
+- NPE/ClassCast risk requiring restructuring
+
+#### 4.5 General (non-inline) comments
+
+For remarks not related to a specific file/line (missing CHANGELOG, branch behind, unrelated issue), include them in the review body.
+
+#### 4.6 Presentation to the user
+
+The agent presents the review draft in a clearly delimited structured block:
+
+````markdown
+---
+
+## 📋 GitHub Review Draft
+
+**Verdict**: `REQUEST_CHANGES` / `APPROVE` / `COMMENT`
+
+### Review body
+
+> {review body text to copy-paste}
+
+### Inline comments
+
+{Numbered list of inline comments, each with file/line/suggestion}
+
+---
+````
+
+**Concrete example (PR #183):**
+
+````markdown
+---
+
+## 📋 GitHub Review Draft
+
+**Verdict**: `REQUEST_CHANGES`
+
+### Review body
+
+> Thank you for this PR! The optimization logic to reduce false positives on GCI94 is sound.
+>
+> • CHANGELOG should be updated, I suggest adding: `#183 GCI94 - reduce false positives by not flagging orElse with already-defined values (literals, constants, identifiers)`
+> • Issue #119 can be automatically closed by adding "Closes #119" in description.
+> • Nice to have: You should add tests about concatenation, ternary, casts and arrays with `// Noncompliant`, to confirm these usecases are non compliant.
+
+### Inline comments
+
+**1.**
+📍 **File**: `src/main/java/org/greencodeinitiative/creedengo/java/checks/UseOptionalOrElseGetVsOrElse.java`
+**Line(s)**: 22
+**Comment**: Wildcard imports should be replaced by explicit imports per project conventions.
+
+```suggestion
+import org.sonar.plugins.java.api.tree.BaseTreeVisitor;
+import org.sonar.plugins.java.api.tree.ExpressionTree;
+import org.sonar.plugins.java.api.tree.MemberSelectExpressionTree;
+import org.sonar.plugins.java.api.tree.MethodInvocationTree;
+import org.sonar.plugins.java.api.tree.Tree;
+```
+
+**2.**
+📍 **File**: `src/main/java/org/greencodeinitiative/creedengo/java/checks/UseOptionalOrElseGetVsOrElse.java`
+**Line(s)**: 64
+**Comment**: Missing blank line between methods (code style convention).
+
+```suggestion
+        }
+
+```
+
+---
+````
+
+After presenting, the agent asks the user via `askQuestions`:
+- "Would you like me to apply the fixes locally (on the PR branch)?" → Phase 5
+- "Would you like to edit the review draft?"
+- "Would you like me to submit it directly?" (if a GitHub tool is available)
+
+#### 4.7 Determining line numbers
+
+To identify the correct lines:
+1. Use `git diff origin/main...pr-{N}` (three dots) to view the diff — this shows only the changes introduced by the PR relative to its divergence point from `main`, not changes that occurred on `main` in the meantime
+2. Line numbers in suggestions correspond to lines **in the source file on the PR branch** (not the diff line numbers)
+3. Read the source file to confirm the exact lines before preparing the suggestion
+4. For multi-line suggestions, specify the exact line range to replace
+
+## Review report format
+
+```markdown
+# 🔍 PR Review Report - creedengo-java
+
+## General information
+
+| Field | Value |
+|-------|-------|
+| PR | #{number} - {title} |
+| Author | @{author} |
+| Type | {New rule / Improvement / Refactoring / Dependencies / Doc} |
+| Rule(s) | GCI{N} - {description} |
+| Date | {date} |
+
+## Summary
+
+{2-3 sentences summarizing the PR}
+
+---
+
+## Phase 1: Automated checks
+
+- **Script**: `.github/scripts/review_pr.{sh|bat}`
+- **Return code**: {0/1/2}
+
+{Full content of pr_review_report.txt}
+
+### Build and Tests
+
+| Metric | Result |
+|--------|--------|
+| Compilation | ✅ Success / ❌ Failure |
+| Unit tests | {N} run, {N} passed, {N} failed, {N} skipped |
+| Overall coverage (instructions) | {X}% |
+| Overall coverage (branches) | {X}% |
+| Modified class coverage | {X}% instructions, {X}% branches |
+| Integration tests | ✅ {N} passed / ❌ {N} failed / ⚠️ Not executable |
+
+### Integration tests detail
+
+| Test method | Result | Detail |
+|-------------|--------|--------|
+| testGCI{N} | ✅ PASS / ❌ FAIL | {failure message if applicable} |
+| testGCI{N}_{variant} | ✅ PASS / ❌ FAIL | {failure message if applicable} |
+
+> Source: `it_report.txt` — generated by `.github/scripts/run_it.{sh|bat}`
+
+### PR class coverage detail
+
+| Class | Instructions | Branches | Lines |
+|-------|-------------|----------|-------|
+| {ClassName} | {covered}/{total} ({X}%) | {covered}/{total} ({X}%) | {covered}/{total} |
+
+---
+
+## Phase 2: Intelligent analysis
+
+### Definition of Done
+
+| Criterion | Status | Comment |
+|-----------|--------|---------|
+| @Rule implementation | ✅/❌/⚠️ | {detail} |
+| Registration | ✅/❌/⚠️ | {detail} |
+| Unit tests | ✅/❌/⚠️ | {detail} |
+| Integration tests | ✅/❌/⚠️ | {detail} |
+| CHANGELOG | ✅/❌/⚠️ | {detail} |
+| License header | ✅/❌/⚠️ | {detail} |
+| Specs correspondence | ✅/❌/⚠️ | {detail} |
+| Runtime safety | ✅/❌/⚠️ | {detail} |
+
+### Critical issues 🚨
+{Blocking issues, with fix suggestion}
+
+### Important issues ⚠️
+{Require a change}
+
+### Suggestions 💡
+{Non-blocking}
+
+### Test analysis
+
+| Case type | Present | Comment |
+|-----------|---------|-------- |
+| Compliant | ✅/❌ | |
+| Noncompliant | ✅/❌ | |
+| Edge cases | ✅/❌ | |
+| False positives covered | ✅/❌ | |
+
+---
+
+## Verdict
+
+Create a structured `review_report.md` report with the following content.
+
+| Verdict | {APPROVE / REQUEST_CHANGES / COMMENT} |
+|---------|----------------------------------------|
+| Reason | {justification} |
+
+### Required actions
+1. {blocking action}
+
+### Recommendations
+1. {non-blocking suggestion}
+```
+
+> **Important**: After presenting this report, always proceed to **Phase 4** (GitHub review draft) then propose **Phase 5** (optional local fixes).
+
+## References
+
+- Organisation: `green-code-initiative`
+- Plugin key: `creedengo-java`
+- Package: `org.greencodeinitiative.creedengo.java`
+- API: `IssuableSubscriptionVisitor`, `BaseTreeVisitor`, `CheckVerifier`
+- Quality profile: `creedengo way`
+- Specs repo: `creedengo-rules-specifications`
+
+## Phase 5: Local fixes (optional)
+
+If the user wants to apply fixes directly on the PR branch (rather than leaving them to the contributor), the agent proposes automatic corrections.
+
+### Constraints
+
+- NEVER apply a fix without explicit user validation
+- After applying, re-run impacted checks if possible (e.g. recompile)
+- Fixes do NOT modify the business logic of the rule (formatting, metadata only)
+- Clean up all temporary files created during the review; keep the script execution report and the final report.
diff --git a/.github/instructions/copilot.instructions.md b/.github/instructions/copilot.instructions.md
new file mode 100644
index 00000000..ed15e2a0
--- /dev/null
+++ b/.github/instructions/copilot.instructions.md
@@ -0,0 +1,41 @@
+# creedengo-java — Conventions and key guidelines
+
+## Project structure
+
+- Main package: `org.greencodeinitiative.creedengo.java.checks`
+- Each rule extends `IssuableSubscriptionVisitor`, annotated with `@Rule(key = "GCI{N}")`
+- Test files: `src/it/test-projects/.../checks/GCI{N}/` (never `src/test/files/`)
+- Rule specifications: separate repository `creedengo-rules-specifications`
+
+## Checklist for any change
+
+1. **CHANGELOG.md** — Always add an entry under `[Unreleased]` → `### Changed` with format: `- [#PR](url) GCIXXX - description`
+2. **Registration** — Any new rule must be added to `JavaCheckRegistrar.ANNOTATED_RULE_CLASSES` AND `creedengo_way_profile.json`
+3. **License header** — GPL v3 required on all `.java` files
+4. **Unit tests** — `CheckVerifier` with `// Noncompliant {{exact message}}` markers; cover compliant, noncompliant and edge cases
+5. **Integration tests** — IT file in `src/it/test-projects/.../GCI{N}/` + entry in `GCIRulesIT.java`
+6. **Coverage** — ≥ 80% on added/modified classes (instructions + branches)
+
+## Code style
+
+- Explicit imports (no wildcard `import org.xxx.*`)
+- Blank line between each method
+- No `var` (explicit typed declarations)
+- Lines ≤ 120 characters
+- K&R brace style, constants in `CONSTANT_CASE`
+- `@Override` on every overridden method
+- Error message as `protected static final String`, in correct English
+
+## Runtime safety (blocking)
+
+- **ClassCastException** — Every downcast must be guarded by `instanceof` or `.is(Tree.Kind.XXX)` before the cast
+- **NullPointerException** — Guard chained calls on `tree.parent()`, `symbol.declaration()`, `Deque.peek()` etc.
+- Never cast `.thenStatement()` / `.elseStatement()` directly to `BlockTree` without a check
+
+## Best practices
+
+- Avoid at all costs patterns that cause false positives.
+- `nodesToVisit()` must return the **minimal** list of `Tree.Kind` needed
+- Do not duplicate logic from an existing rule
+- IT files must compile cleanly (full imports, no unused variables)
+- Consistency between the error message in the code and the `// Noncompliant {{...}}` annotations in tests
\ No newline at end of file
diff --git a/.github/scripts/review_pr.bat b/.github/scripts/review_pr.bat
new file mode 100644
index 00000000..39a44d2c
--- /dev/null
+++ b/.github/scripts/review_pr.bat
@@ -0,0 +1,598 @@
+@echo off
+REM =============================================================================
+REM creedengo-java PR Review - Automated Checks Script (Windows)
+REM =============================================================================
+REM This script performs deterministic checks on a creedengo-java PR branch.
+REM It expects to be run from the root of the creedengo-java repository,
+REM on the branch of the PR to review.
+REM
+REM Usage: review_pr.bat [--skip-build] [--pr-number N] [--base-branch branch]
+REM
+REM Options:
+REM   --skip-build      [DEBUG ONLY] Skip Maven build and tests (for script debugging)
+REM   --pr-number N     PR number (for report metadata)
+REM   --base-branch b   Base branch to diff against (default: main)
+REM
+REM Exit codes:
+REM   0 = All checks passed
+REM   1 = Critical issues found
+REM   2 = Warnings found (non-blocking)
+REM =============================================================================
+
+setlocal enabledelayedexpansion
+
+REM --- Configuration ---
+set "REPORT_FILE=pr_review_report.txt"
+set "BASE_BRANCH=main"
+set "SKIP_BUILD=false"
+set "PR_NUMBER="
+set "CRITICAL_COUNT=0"
+set "WARNING_COUNT=0"
+set "INFO_COUNT=0"
+
+REM --- Parse arguments ---
+:parse_args
+if "%~1"=="" goto :end_parse
+if "%~1"=="--skip-build" (set "SKIP_BUILD=true" & shift & goto :parse_args)
+if "%~1"=="--pr-number" (set "PR_NUMBER=%~2" & shift & shift & goto :parse_args)
+if "%~1"=="--base-branch" (set "BASE_BRANCH=%~2" & shift & shift & goto :parse_args)
+shift
+goto :parse_args
+:end_parse
+
+REM --- Initialize report ---
+echo. > "%REPORT_FILE%"
+echo ============================================================>> "%REPORT_FILE%"
+echo   CREEDENGO-JAVA PR AUTOMATED REVIEW REPORT>> "%REPORT_FILE%"
+echo   Date: %date% %time%>> "%REPORT_FILE%"
+echo   PR: %PR_NUMBER%>> "%REPORT_FILE%"
+echo   Base branch: %BASE_BRANCH%>> "%REPORT_FILE%"
+echo ============================================================>> "%REPORT_FILE%"
+echo.>> "%REPORT_FILE%"
+
+REM --- Verify we're in the right repository ---
+if not exist "pom.xml" (
+    echo [CRITICAL] Not in creedengo-java root directory ^(pom.xml not found^)
+    echo [CRITICAL] Not in creedengo-java root directory>> "%REPORT_FILE%"
+    set /a CRITICAL_COUNT+=1
+    goto :summary
+)
+
+findstr /c:"creedengo-java-plugin" pom.xml >nul 2>&1
+if errorlevel 1 (
+    echo [CRITICAL] pom.xml does not appear to be creedengo-java
+    echo [CRITICAL] pom.xml does not appear to be creedengo-java>> "%REPORT_FILE%"
+    set /a CRITICAL_COUNT+=1
+    goto :summary
+)
+
+REM =============================================================================
+REM CHANGED FILES DETECTION
+REM =============================================================================
+echo.
+echo === CHANGED FILES DETECTION ===
+echo.>> "%REPORT_FILE%"
+echo === CHANGED FILES DETECTION ===>> "%REPORT_FILE%"
+
+git diff --name-only "%BASE_BRANCH%"...HEAD > changed_files.tmp 2>nul
+if errorlevel 1 (
+    git diff --name-only "origin/%BASE_BRANCH%"...HEAD > changed_files.tmp 2>nul
+)
+
+REM --- Sanitize line endings in changed_files.tmp (git may output LF-only) ---
+if exist changed_files.tmp (
+    move /y changed_files.tmp changed_files_raw.tmp >nul 2>&1
+    for /f "tokens=*" %%L in (changed_files_raw.tmp) do (
+        echo %%L>> changed_files.tmp
+    )
+    del changed_files_raw.tmp >nul 2>&1
+)
+
+REM --- Identify changed Java source files and rule IDs ---
+set "RULE_IDS="
+set "NEW_CHECK_FILES="
+set "HAS_CHANGELOG=false"
+
+for /f "tokens=*" %%f in (changed_files.tmp) do (
+    echo   - %%f>> "%REPORT_FILE%"
+    
+    REM Check if CHANGELOG is modified
+    echo %%f | findstr /c:"CHANGELOG.md" >nul 2>&1 && set "HAS_CHANGELOG=true"
+    
+    REM Check if it's a source Java file
+    echo %%f | findstr /b /c:"src/main/java/" | findstr /c:".java" >nul 2>&1
+    if not errorlevel 1 (
+        if exist "%%f" (
+            findstr /c:"@Rule" "%%f" >nul 2>&1
+            if not errorlevel 1 (
+                set "NEW_CHECK_FILES=!NEW_CHECK_FILES! %%f"
+                for /f "tokens=2 delims==" %%r in ('findstr /r /c:"@Rule(key.*GCI" "%%f" 2^>nul') do (
+                    for /f "tokens=1 delims=^)" %%i in ("%%r") do (
+                        set "RULE_ID=%%i"
+                        set "RULE_ID=!RULE_ID:"=!"
+                        set "RULE_IDS=!RULE_IDS! !RULE_ID!"
+                    )
+                )
+            )
+        )
+    )
+)
+
+echo Detected rules: %RULE_IDS%
+echo Detected rules: %RULE_IDS%>> "%REPORT_FILE%"
+
+REM =============================================================================
+REM CHECK 1: LICENSE HEADER
+REM =============================================================================
+echo.
+echo === CHECK 1: LICENSE HEADERS ===
+echo.>> "%REPORT_FILE%"
+echo === CHECK 1: LICENSE HEADERS ===>> "%REPORT_FILE%"
+
+set "LICENSE_ISSUES=0"
+for /f "tokens=*" %%f in ('findstr /b /c:"src/main/java/" changed_files.tmp 2^>nul') do (
+    REM Convert forward slashes to backslashes (type command requires backslashes)
+    set "LFILE=%%f"
+    set "LFILE=!LFILE:/=\!"
+    if exist "!LFILE!" (
+        type "!LFILE!" 2>nul | findstr /c:"creedengo - Java language" >nul 2>&1
+        if errorlevel 1 (
+            echo [CRITICAL] Missing license header: %%f
+            echo [CRITICAL] Missing license header: %%f>> "%REPORT_FILE%"
+            set /a CRITICAL_COUNT+=1
+            set /a LICENSE_ISSUES+=1
+        )
+    )
+)
+if %LICENSE_ISSUES% equ 0 (
+    echo [OK] All source files have correct license headers
+    echo [OK] All source files have correct license headers>> "%REPORT_FILE%"
+    set /a INFO_COUNT+=1
+)
+
+REM =============================================================================
+REM CHECK 2: CHANGELOG.md UPDATED
+REM =============================================================================
+echo.
+echo === CHECK 2: CHANGELOG.md ===
+echo.>> "%REPORT_FILE%"
+echo === CHECK 2: CHANGELOG.md ===>> "%REPORT_FILE%"
+
+if "%HAS_CHANGELOG%"=="true" (
+    echo [OK] CHANGELOG.md has been modified
+    echo [OK] CHANGELOG.md has been modified>> "%REPORT_FILE%"
+    set /a INFO_COUNT+=1
+) else (
+    echo [CRITICAL] CHANGELOG.md has NOT been modified
+    echo [CRITICAL] CHANGELOG.md has NOT been modified>> "%REPORT_FILE%"
+    set /a CRITICAL_COUNT+=1
+)
+
+REM =============================================================================
+REM CHECK 3: RULE REGISTRATION (JavaCheckRegistrar)
+REM =============================================================================
+echo.
+echo === CHECK 3: RULE REGISTRATION ===
+echo.>> "%REPORT_FILE%"
+echo === CHECK 3: RULE REGISTRATION ===>> "%REPORT_FILE%"
+
+set "REGISTRAR_FILE=src\main\java\org\greencodeinitiative\creedengo\java\JavaCheckRegistrar.java"
+
+if defined NEW_CHECK_FILES (
+    for %%f in (%NEW_CHECK_FILES%) do (
+        for %%n in (%%~nf) do (
+            findstr /c:"%%n" "%REGISTRAR_FILE%" >nul 2>&1
+            if errorlevel 1 (
+                echo [CRITICAL] Rule class '%%n' is NOT registered in JavaCheckRegistrar
+                echo [CRITICAL] Rule class '%%n' is NOT registered in JavaCheckRegistrar>> "%REPORT_FILE%"
+                set /a CRITICAL_COUNT+=1
+            ) else (
+                echo [OK] Rule class '%%n' is registered in JavaCheckRegistrar
+                echo [OK] Rule class '%%n' is registered in JavaCheckRegistrar>> "%REPORT_FILE%"
+                set /a INFO_COUNT+=1
+            )
+        )
+    )
+) else (
+    echo [OK] No new rule classes detected ^(registration check skipped^)
+    echo [OK] No new rule classes detected>> "%REPORT_FILE%"
+    set /a INFO_COUNT+=1
+)
+
+REM =============================================================================
+REM CHECK 4: QUALITY PROFILE (creedengo_way_profile.json)
+REM =============================================================================
+echo.
+echo === CHECK 4: QUALITY PROFILE ===
+echo.>> "%REPORT_FILE%"
+echo === CHECK 4: QUALITY PROFILE ===>> "%REPORT_FILE%"
+
+set "PROFILE_FILE="
+for /f "tokens=*" %%p in ('dir /b /s src\main\resources\*creedengo_way_profile.json 2^>nul') do set "PROFILE_FILE=%%p"
+
+if defined PROFILE_FILE (
+    for %%r in (%RULE_IDS%) do (
+        findstr /c:"\"%%r\"" "%PROFILE_FILE%" >nul 2>&1
+        if errorlevel 1 (
+            echo [CRITICAL] Rule '%%r' is NOT in creedengo_way_profile.json
+            echo [CRITICAL] Rule '%%r' is NOT in creedengo_way_profile.json>> "%REPORT_FILE%"
+            set /a CRITICAL_COUNT+=1
+        ) else (
+            echo [OK] Rule '%%r' is listed in creedengo_way_profile.json
+            echo [OK] Rule '%%r' is listed in creedengo_way_profile.json>> "%REPORT_FILE%"
+            set /a INFO_COUNT+=1
+        )
+    )
+)
+
+REM =============================================================================
+REM CHECK 5: UNIT TESTS PRESENT
+REM =============================================================================
+echo.
+echo === CHECK 5: UNIT TESTS ===
+echo.>> "%REPORT_FILE%"
+echo === CHECK 5: UNIT TESTS ===>> "%REPORT_FILE%"
+
+for %%r in (%RULE_IDS%) do (
+    set "TEST_FOUND=false"
+    for /f "tokens=*" %%t in ('dir /b /s "src\test\java\*%%r*" 2^>nul') do set "TEST_FOUND=true"
+    if "!TEST_FOUND!"=="true" (
+        echo [OK] Unit test directory/file found for %%r
+        echo [OK] Unit test found for %%r>> "%REPORT_FILE%"
+        set /a INFO_COUNT+=1
+    ) else (
+        echo [CRITICAL] No unit test found for rule %%r
+        echo [CRITICAL] No unit test found for %%r>> "%REPORT_FILE%"
+        set /a CRITICAL_COUNT+=1
+    )
+)
+
+REM =============================================================================
+REM CHECK 6: INTEGRATION TEST (GCIRulesIT)
+REM =============================================================================
+echo.
+echo === CHECK 6: INTEGRATION TEST ===
+echo.>> "%REPORT_FILE%"
+echo === CHECK 6: INTEGRATION TEST ===>> "%REPORT_FILE%"
+
+set "IT_FILE="
+for /f "tokens=*" %%p in ('dir /b /s "src\it\*GCIRulesIT.java" 2^>nul') do set "IT_FILE=%%p"
+
+if defined IT_FILE (
+    for %%r in (%RULE_IDS%) do (
+        findstr /c:"creedengo-java:%%r" "%IT_FILE%" >nul 2>&1
+        if errorlevel 1 (
+            echo [CRITICAL] No integration test for %%r in GCIRulesIT.java
+            echo [CRITICAL] No integration test for %%r in GCIRulesIT.java>> "%REPORT_FILE%"
+            set /a CRITICAL_COUNT+=1
+        ) else (
+            echo [OK] Integration test found for %%r
+            echo [OK] Integration test found for %%r>> "%REPORT_FILE%"
+            set /a INFO_COUNT+=1
+        )
+    )
+) else (
+    if defined RULE_IDS (
+        echo [WARNING] GCIRulesIT.java not found
+        echo [WARNING] GCIRulesIT.java not found>> "%REPORT_FILE%"
+        set /a WARNING_COUNT+=1
+    )
+)
+
+REM =============================================================================
+REM CHECK 7: CODE STYLE - var usage
+REM =============================================================================
+echo.
+echo === CHECK 7: CODE STYLE ===
+echo.>> "%REPORT_FILE%"
+echo === CHECK 7: CODE STYLE ===>> "%REPORT_FILE%"
+
+set "STYLE_ISSUES=0"
+for /f "tokens=*" %%f in ('findstr /b /c:"src/main/java/" changed_files.tmp 2^>nul') do (
+    if exist "%%f" (
+        REM Check for 'var' usage
+        findstr /n /r "^\s*var " "%%f" >nul 2>&1
+        if not errorlevel 1 (
+            echo [WARNING] Usage of 'var' detected in %%f ^(forbidden by CODE_STYLE^)
+            echo [WARNING] var usage in %%f>> "%REPORT_FILE%"
+            set /a WARNING_COUNT+=1
+            set /a STYLE_ISSUES+=1
+        )
+
+        REM Check extends IssuableSubscriptionVisitor for @Rule files
+        findstr /c:"@Rule" "%%f" >nul 2>&1
+        if not errorlevel 1 (
+            findstr /c:"extends IssuableSubscriptionVisitor" "%%f" >nul 2>&1
+            if errorlevel 1 (
+                echo [WARNING] %%f does not extend IssuableSubscriptionVisitor
+                echo [WARNING] %%f does not extend IssuableSubscriptionVisitor>> "%REPORT_FILE%"
+                set /a WARNING_COUNT+=1
+                set /a STYLE_ISSUES+=1
+            )
+        )
+    )
+)
+
+if %STYLE_ISSUES% equ 0 (
+    echo [OK] No code style violations detected
+    echo [OK] No code style violations detected>> "%REPORT_FILE%"
+    set /a INFO_COUNT+=1
+)
+
+REM =============================================================================
+REM CHECK 8: TEST FILES IN CORRECT LOCATION (not old src/test/files/)
+REM =============================================================================
+echo.
+echo === CHECK 8: TEST FILES LOCATION ===
+echo.>> "%REPORT_FILE%"
+echo === CHECK 8: TEST FILES LOCATION ===>> "%REPORT_FILE%"
+
+REM Real reviewer feedback (PR #103, #106): test files should be in the NEW location
+set "OLD_LOCATION_ISSUES=0"
+findstr /b /c:"src/test/files/" changed_files.tmp >nul 2>&1
+if not errorlevel 1 (
+    echo [CRITICAL] Test files added in DEPRECATED location 'src/test/files/'
+    echo [CRITICAL] Test files in deprecated src/test/files/ location>> "%REPORT_FILE%"
+    echo   Move to src/it/test-projects/.../checks/GCI{N}/ instead>> "%REPORT_FILE%"
+    set /a CRITICAL_COUNT+=1
+    set /a OLD_LOCATION_ISSUES+=1
+)
+if %OLD_LOCATION_ISSUES% equ 0 (
+    echo [OK] No test files in deprecated location
+    echo [OK] No test files in deprecated location>> "%REPORT_FILE%"
+    set /a INFO_COUNT+=1
+)
+
+REM =============================================================================
+REM CHECK 9: RULE ID CONSISTENCY ACROSS FILES
+REM =============================================================================
+echo.
+echo === CHECK 9: RULE ID CONSISTENCY ===
+echo.>> "%REPORT_FILE%"
+echo === CHECK 9: RULE ID CONSISTENCY ===>> "%REPORT_FILE%"
+
+REM Real reviewer feedback (PR #106): Rule ID must be consistent everywhere
+for %%r in (%RULE_IDS%) do (
+    REM Check CHANGELOG mentions the rule
+    if "%HAS_CHANGELOG%"=="true" (
+        findstr /c:"%%r" CHANGELOG.md >nul 2>&1
+        if errorlevel 1 (
+            echo [WARNING] CHANGELOG.md does not mention rule %%r
+            echo [WARNING] CHANGELOG.md does not mention rule %%r>> "%REPORT_FILE%"
+            set /a WARNING_COUNT+=1
+        ) else (
+            echo [OK] Rule %%r mentioned in CHANGELOG.md
+            echo [OK] Rule %%r mentioned in CHANGELOG.md>> "%REPORT_FILE%"
+            set /a INFO_COUNT+=1
+        )
+    )
+)
+
+REM =============================================================================
+REM CHECK 10: TEST FILE PACKAGES
+REM =============================================================================
+echo.
+echo === CHECK 10: TEST FILE PACKAGES ===
+echo.>> "%REPORT_FILE%"
+echo === CHECK 10: TEST FILE PACKAGES ===>> "%REPORT_FILE%"
+
+REM Real reviewer feedback (PR #103): compile errors due to wrong/missing packages
+REM Note: IT test files intentionally may use a parent package (omitting GCI{N} subdir)
+set "PKG_ISSUES=0"
+for /f "tokens=*" %%f in ('findstr /b /c:"src/it/test-projects/" changed_files.tmp 2^>nul ^| findstr /c:".java"') do (
+    set "ITFILE=%%f"
+    set "ITFILE=!ITFILE:/=\!"
+    if exist "!ITFILE!" (
+        type "!ITFILE!" 2>nul | findstr /b /c:"package " >nul 2>&1
+        if errorlevel 1 (
+            echo [WARNING] Missing package declaration in %%f
+            echo [WARNING] Missing package declaration in %%f>> "%REPORT_FILE%"
+            set /a WARNING_COUNT+=1
+            set /a PKG_ISSUES+=1
+        )
+        REM Check class name matches filename using a flag
+        set "CLASS_FOUND=0"
+        for %%n in (%%~nf) do (
+            type "!ITFILE!" 2>nul | findstr /c:"class %%n" >nul 2>&1
+            if not errorlevel 1 set "CLASS_FOUND=1"
+            if "!CLASS_FOUND!"=="0" (
+                type "!ITFILE!" 2>nul | findstr /c:"interface %%n" >nul 2>&1
+                if not errorlevel 1 set "CLASS_FOUND=1"
+            )
+            if "!CLASS_FOUND!"=="0" (
+                type "!ITFILE!" 2>nul | findstr /c:"enum %%n" >nul 2>&1
+                if not errorlevel 1 set "CLASS_FOUND=1"
+            )
+            if "!CLASS_FOUND!"=="0" (
+                echo [WARNING] Class name does not match filename in %%f
+                echo [WARNING] Class/filename mismatch in %%f>> "%REPORT_FILE%"
+                set /a WARNING_COUNT+=1
+                set /a PKG_ISSUES+=1
+            )
+        )
+    )
+)
+if %PKG_ISSUES% equ 0 (
+    echo [OK] All test file packages and class names correct
+    echo [OK] All test file packages and class names correct>> "%REPORT_FILE%"
+    set /a INFO_COUNT+=1
+)
+
+REM =============================================================================
+REM CHECK 11: RULES-SPECIFICATIONS REFERENCE
+REM =============================================================================
+echo.
+echo === CHECK 11: RULES-SPECS REFERENCE ===
+echo.>> "%REPORT_FILE%"
+echo === CHECK 11: RULES-SPECS REFERENCE ===>> "%REPORT_FILE%"
+
+REM Real reviewer feedback (PR #103, #106): always reference rules-specifications
+if defined RULE_IDS (
+    git log "%BASE_BRANCH%"..HEAD --oneline 2>nul | findstr /i "rules-spec creedengo-rules-spec" >nul 2>&1
+    if errorlevel 1 (
+        echo [WARNING] No reference to creedengo-rules-specifications in commits
+        echo [WARNING] No creedengo-rules-specifications reference in commits>> "%REPORT_FILE%"
+        set /a WARNING_COUNT+=1
+    ) else (
+        echo [OK] Reference to creedengo-rules-specifications found
+        echo [OK] creedengo-rules-specifications reference found>> "%REPORT_FILE%"
+        set /a INFO_COUNT+=1
+    )
+)
+
+REM =============================================================================
+REM CHECK 12: MERGE CONFLICT MARKERS
+REM =============================================================================
+echo.
+echo === CHECK 12: MERGE CONFLICT MARKERS ===
+echo.>> "%REPORT_FILE%"
+echo === CHECK 12: MERGE CONFLICT MARKERS ===>> "%REPORT_FILE%"
+
+REM Real reviewer feedback (PR #105): utarwyn asked "Can you correct the conflict in the CHANGELOG file?"
+set "CONFLICT_ISSUES=0"
+for /f "tokens=*" %%f in (changed_files.tmp) do (
+    if exist "%%f" (
+        findstr /b /c:"<<<<<<< " "%%f" >nul 2>&1
+        if not errorlevel 1 (
+            echo [CRITICAL] Merge conflict markers found in %%f
+            echo [CRITICAL] Merge conflict markers found in %%f>> "%REPORT_FILE%"
+            set /a CRITICAL_COUNT+=1
+            set /a CONFLICT_ISSUES+=1
+        )
+    )
+)
+if %CONFLICT_ISSUES% equ 0 (
+    echo [OK] No merge conflict markers found
+    echo [OK] No merge conflict markers found>> "%REPORT_FILE%"
+    set /a INFO_COUNT+=1
+)
+
+REM =============================================================================
+REM CHECK 13: BRANCH UP-TO-DATE
+REM =============================================================================
+echo.
+echo === CHECK 13: BRANCH UP-TO-DATE ===
+echo.>> "%REPORT_FILE%"
+echo === CHECK 13: BRANCH UP-TO-DATE ===>> "%REPORT_FILE%"
+
+REM Real reviewer feedback (PR #44): utarwyn asked "Can you rebase your branch on the main branch?"
+set "BEHIND_COUNT=0"
+for /f %%c in ('git rev-list --count "HEAD..%BASE_BRANCH%" 2^>nul') do set "BEHIND_COUNT=%%c"
+if %BEHIND_COUNT% equ 0 (
+    for /f %%c in ('git rev-list --count "HEAD..origin/%BASE_BRANCH%" 2^>nul') do set "BEHIND_COUNT=%%c"
+)
+if %BEHIND_COUNT% gtr 0 (
+    echo [WARNING] Branch is %BEHIND_COUNT% commit^(s^) behind %BASE_BRANCH% ^(rebase may be needed^)
+    echo [WARNING] Branch is %BEHIND_COUNT% commit^(s^) behind %BASE_BRANCH%>> "%REPORT_FILE%"
+    set /a WARNING_COUNT+=1
+) else (
+    echo [OK] Branch is up-to-date with %BASE_BRANCH%
+    echo [OK] Branch is up-to-date with %BASE_BRANCH%>> "%REPORT_FILE%"
+    set /a INFO_COUNT+=1
+)
+
+REM =============================================================================
+REM CHECK 14: @DeprecatedRuleKey FOR RENAMES
+REM =============================================================================
+echo.
+echo === CHECK 14: @DeprecatedRuleKey ===
+echo.>> "%REPORT_FILE%"
+echo === CHECK 14: @DeprecatedRuleKey ===>> "%REPORT_FILE%"
+
+REM Real reviewer feedback (PR #75): @DeprecatedRuleKey mandatory when renaming ECXXX to GCIXXX
+for %%f in (%NEW_CHECK_FILES%) do (
+    if exist "%%f" (
+        for /f "tokens=*" %%k in ('findstr /r "Rule.*key.*GCI" "%%f" 2^>nul') do (
+            findstr /c:"@DeprecatedRuleKey" "%%f" >nul 2>&1
+            if errorlevel 1 (
+                echo [WARNING] %%f has @Rule with GCI key but no @DeprecatedRuleKey ^(check if EC predecessor existed^)
+                echo [WARNING] %%f missing @DeprecatedRuleKey>> "%REPORT_FILE%"
+                set /a WARNING_COUNT+=1
+            ) else (
+                echo [OK] %%f has @DeprecatedRuleKey for backward compatibility
+                echo [OK] %%f has @DeprecatedRuleKey>> "%REPORT_FILE%"
+                set /a INFO_COUNT+=1
+            )
+        )
+    )
+)
+
+REM =============================================================================
+REM CHECK 15: BUILD AND TESTS
+REM =============================================================================
+echo.
+echo === CHECK 15: BUILD AND TESTS ===
+echo.>> "%REPORT_FILE%"
+echo === CHECK 15: BUILD AND TESTS ===>> "%REPORT_FILE%"
+
+if "%SKIP_BUILD%"=="true" (
+    echo [WARNING] Build skipped ^(--skip-build flag^)
+    echo [WARNING] Build skipped>> "%REPORT_FILE%"
+    set /a WARNING_COUNT+=1
+    goto :summary
+)
+
+echo Running Maven build (this may take a few minutes)...
+call mvnw.cmd -e -B verify -DskipITs=true > build_output.log 2>&1
+set "BUILD_RESULT=!errorlevel!"
+
+if !BUILD_RESULT! neq 0 (
+    echo [CRITICAL] Maven build FAILED
+    echo [CRITICAL] Maven build FAILED>> "%REPORT_FILE%"
+    set /a CRITICAL_COUNT+=1
+    echo   See build_output.log for details>> "%REPORT_FILE%"
+    REM Extract error lines for the report
+    findstr /c:"[ERROR]" build_output.log >> "%REPORT_FILE%" 2>nul
+) else (
+    echo [OK] Maven build SUCCESS ^(unit tests passed^)
+    echo [OK] Maven build SUCCESS>> "%REPORT_FILE%"
+    set /a INFO_COUNT+=1
+    REM Extract test summary
+    for /f "tokens=*" %%s in ('findstr /c:"Tests run:" build_output.log 2^>nul') do (
+        echo   %%s
+        echo   %%s>> "%REPORT_FILE%"
+    )
+)
+
+REM --- Integration tests (skip if unit build failed) ---
+if !BUILD_RESULT! neq 0 goto :summary
+echo.
+echo NOTE: Integration tests are NOT run by this script ^(require SonarQube Orchestrator^).
+echo NOTE: IT tests skipped ^(require SonarQube env^)>> "%REPORT_FILE%"
+echo To run IT tests: .github\scripts\run_it.bat --skip-build [--rule GCIXXX]>> "%REPORT_FILE%"
+
+REM =============================================================================
+REM SUMMARY
+REM =============================================================================
+:summary
+echo.
+echo.>> "%REPORT_FILE%"
+echo === SUMMARY ===>> "%REPORT_FILE%"
+echo Critical issues: %CRITICAL_COUNT%>> "%REPORT_FILE%"
+echo Warnings: %WARNING_COUNT%>> "%REPORT_FILE%"
+echo Passed checks: %INFO_COUNT%>> "%REPORT_FILE%"
+
+echo.
+echo =====================================
+echo   Review complete.
+echo   Critical: %CRITICAL_COUNT%
+echo   Warnings: %WARNING_COUNT%
+echo   Passed:   %INFO_COUNT%
+echo =====================================
+echo.
+echo Full report saved to: %REPORT_FILE%
+
+REM --- Cleanup ---
+if exist changed_files.tmp del changed_files.tmp
+
+REM --- Exit code ---
+if %CRITICAL_COUNT% gtr 0 (
+    echo RESULT: CRITICAL ISSUES FOUND - PR should NOT be merged>> "%REPORT_FILE%"
+    exit /b 1
+)
+if %WARNING_COUNT% gtr 0 (
+    echo RESULT: WARNINGS FOUND - Review needed>> "%REPORT_FILE%"
+    exit /b 2
+)
+echo RESULT: ALL AUTOMATED CHECKS PASSED>> "%REPORT_FILE%"
+exit /b 0
diff --git a/.github/scripts/review_pr.sh b/.github/scripts/review_pr.sh
new file mode 100644
index 00000000..28909286
--- /dev/null
+++ b/.github/scripts/review_pr.sh
@@ -0,0 +1,840 @@
+#!/bin/bash
+# =============================================================================
+# creedengo-java PR Review - Automated Checks Script
+# =============================================================================
+# This script performs deterministic checks on a creedengo-java PR branch.
+# It expects to be run from the root of the creedengo-java repository,
+# on the branch of the PR to review.
+#
+# Usage: ./review_pr.sh [--skip-build] [--pr-number <N>] [--base-branch <branch>]
+#
+# Options:
+#   --skip-build      [DEBUG ONLY] Skip Maven build (for script debugging only)
+#   --pr-number <N>   PR number (for report metadata)
+#   --base-branch <b> Base branch to diff against (default: main)
+#
+# Exit codes:
+#   0 = All checks passed
+#   1 = Critical issues found
+#   2 = Warnings found (non-blocking)
+# =============================================================================
+
+set -euo pipefail
+
+# --- Configuration ---
+REPORT_FILE="pr_review_report.txt"
+BASE_BRANCH="main"
+SKIP_BUILD=false
+PR_NUMBER=""
+CRITICAL_COUNT=0
+WARNING_COUNT=0
+INFO_COUNT=0
+
+# --- Colors (for terminal output) ---
+RED='\033[0;31m'
+YELLOW='\033[0;33m'
+GREEN='\033[0;32m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+# --- Parse arguments ---
+while [[ $# -gt 0 ]]; do
+    case "$1" in
+        --skip-build) SKIP_BUILD=true; shift ;;
+        --pr-number) PR_NUMBER="$2"; shift 2 ;;
+        --base-branch) BASE_BRANCH="$2"; shift 2 ;;
+        *) echo "Unknown option: $1"; exit 1 ;;
+    esac
+done
+
+# --- Helper functions ---
+report() {
+    echo "$1" >> "$REPORT_FILE"
+}
+
+critical() {
+    echo -e "${RED}[CRITICAL]${NC} $1"
+    report "[CRITICAL] $1"
+    CRITICAL_COUNT=$((CRITICAL_COUNT + 1))
+}
+
+warning() {
+    echo -e "${YELLOW}[WARNING]${NC} $1"
+    report "[WARNING] $1"
+    WARNING_COUNT=$((WARNING_COUNT + 1))
+}
+
+info() {
+    echo -e "${GREEN}[OK]${NC} $1"
+    report "[OK] $1"
+    INFO_COUNT=$((INFO_COUNT + 1))
+}
+
+section() {
+    echo ""
+    echo -e "${BLUE}=== $1 ===${NC}"
+    echo ""
+    report ""
+    report "=== $1 ==="
+    report ""
+}
+
+# --- Initialize report ---
+echo "" > "$REPORT_FILE"
+report "============================================================"
+report "  CREEDENGO-JAVA PR AUTOMATED REVIEW REPORT"
+report "  Date: $(date '+%Y-%m-%d %H:%M:%S')"
+report "  PR: ${PR_NUMBER:-N/A}"
+report "  Base branch: $BASE_BRANCH"
+report "============================================================"
+report ""
+
+# --- Verify we're in the right repository ---
+if [[ ! -f "pom.xml" ]]; then
+    critical "Not in creedengo-java root directory (pom.xml not found)"
+    exit 1
+fi
+
+if ! grep -q "creedengo-java-plugin" pom.xml 2>/dev/null; then
+    critical "pom.xml does not appear to be creedengo-java (artifactId mismatch)"
+    exit 1
+fi
+
+# --- Get list of changed files ---
+section "CHANGED FILES DETECTION"
+
+if git rev-parse --verify "$BASE_BRANCH" >/dev/null 2>&1; then
+    CHANGED_FILES=$(git diff --name-only "$BASE_BRANCH"...HEAD 2>/dev/null || git diff --name-only "$BASE_BRANCH" HEAD 2>/dev/null || echo "")
+else
+    # If base branch doesn't exist locally, try origin
+    CHANGED_FILES=$(git diff --name-only "origin/$BASE_BRANCH"...HEAD 2>/dev/null || echo "")
+fi
+
+if [[ -z "$CHANGED_FILES" ]]; then
+    warning "Could not determine changed files. Will analyze all source files."
+    CHANGED_FILES=$(find src -name "*.java" -type f 2>/dev/null || echo "")
+fi
+
+report "Changed files:"
+echo "$CHANGED_FILES" | while read -r f; do report "  - $f"; done
+
+# --- Extract rule IDs from changed files ---
+RULE_IDS=""
+NEW_CHECK_FILES=""
+CHANGED_JAVA_SRC=$(echo "$CHANGED_FILES" | grep "^src/main/java/.*\.java$" || true)
+CHANGED_TEST_FILES=$(echo "$CHANGED_FILES" | grep "^src/test/\|^src/it/" || true)
+
+# Find @Rule annotations in changed files
+for f in $CHANGED_JAVA_SRC; do
+    if [[ -f "$f" ]] && grep -q '@Rule' "$f" 2>/dev/null; then
+        NEW_CHECK_FILES="$NEW_CHECK_FILES $f"
+        RULE_ID=$(grep -oP '@Rule\(key\s*=\s*"(GCI\d+)"' "$f" | grep -oP 'GCI\d+' || true)
+        if [[ -n "$RULE_ID" ]]; then
+            RULE_IDS="$RULE_IDS $RULE_ID"
+        fi
+    fi
+done
+
+RULE_IDS=$(echo "$RULE_IDS" | tr ' ' '\n' | sort -u | tr '\n' ' ' | xargs)
+report "Detected rule IDs: ${RULE_IDS:-none}"
+report "New/modified check files: ${NEW_CHECK_FILES:-none}"
+
+# =============================================================================
+# CHECK 1: LICENSE HEADER
+# =============================================================================
+section "CHECK 1: LICENSE HEADERS"
+
+LICENSE_PATTERN="creedengo - Java language"
+LICENSE_ISSUES=0
+
+for f in $CHANGED_JAVA_SRC; do
+    if [[ -f "$f" ]]; then
+        # Only check src/main/java files (not test-projects)
+        if [[ "$f" == src/main/java/* ]]; then
+            if ! head -20 "$f" | grep -q "$LICENSE_PATTERN" 2>/dev/null; then
+                critical "Missing license header: $f"
+                LICENSE_ISSUES=$((LICENSE_ISSUES + 1))
+            fi
+        fi
+    fi
+done
+
+if [[ $LICENSE_ISSUES -eq 0 ]]; then
+    info "All source files have correct license headers"
+fi
+
+# =============================================================================
+# CHECK 2: CHANGELOG.md UPDATED
+# =============================================================================
+section "CHECK 2: CHANGELOG.md"
+
+if echo "$CHANGED_FILES" | grep -q "^CHANGELOG.md$"; then
+    # Check if it's in the Unreleased section
+    if grep -q "\[Unreleased\]" CHANGELOG.md 2>/dev/null; then
+        # Check for PR link
+        if [[ -n "$PR_NUMBER" ]]; then
+            if grep -q "#$PR_NUMBER\|pull/$PR_NUMBER" CHANGELOG.md 2>/dev/null; then
+                info "CHANGELOG.md updated with PR link (#$PR_NUMBER)"
+            else
+                warning "CHANGELOG.md updated but PR link #$PR_NUMBER not found"
+            fi
+        else
+            info "CHANGELOG.md has been modified"
+        fi
+    else
+        warning "CHANGELOG.md modified but no [Unreleased] section found"
+    fi
+else
+    critical "CHANGELOG.md has NOT been modified"
+fi
+
+# =============================================================================
+# CHECK 3: RULE REGISTRATION (JavaCheckRegistrar)
+# =============================================================================
+section "CHECK 3: RULE REGISTRATION"
+
+REGISTRAR_FILE="src/main/java/org/greencodeinitiative/creedengo/java/JavaCheckRegistrar.java"
+
+if [[ -n "$NEW_CHECK_FILES" ]]; then
+    for f in $NEW_CHECK_FILES; do
+        CLASS_NAME=$(basename "$f" .java)
+        if [[ -f "$REGISTRAR_FILE" ]]; then
+            if grep -q "$CLASS_NAME" "$REGISTRAR_FILE" 2>/dev/null; then
+                info "Rule class '$CLASS_NAME' is registered in JavaCheckRegistrar"
+            else
+                critical "Rule class '$CLASS_NAME' is NOT registered in JavaCheckRegistrar"
+            fi
+        fi
+    done
+else
+    info "No new rule classes detected (registration check skipped)"
+fi
+
+# =============================================================================
+# CHECK 4: QUALITY PROFILE (creedengo_way_profile.json)
+# =============================================================================
+section "CHECK 4: QUALITY PROFILE"
+
+PROFILE_FILE=$(find src/main/resources -name "creedengo_way_profile.json" 2>/dev/null | head -1)
+
+if [[ -n "$PROFILE_FILE" && -f "$PROFILE_FILE" ]]; then
+    for rule_id in $RULE_IDS; do
+        if grep -q "\"$rule_id\"" "$PROFILE_FILE" 2>/dev/null; then
+            info "Rule '$rule_id' is listed in creedengo_way_profile.json"
+        else
+            critical "Rule '$rule_id' is NOT listed in creedengo_way_profile.json"
+        fi
+    done
+else
+    if [[ -n "$RULE_IDS" ]]; then
+        warning "Could not find creedengo_way_profile.json"
+    fi
+fi
+
+# =============================================================================
+# CHECK 5: UNIT TESTS PRESENT
+# =============================================================================
+section "CHECK 5: UNIT TESTS"
+
+TEST_DIR="src/test/java"
+IT_TEST_PROJECT_DIR="src/it/test-projects"
+
+for rule_id in $RULE_IDS; do
+    # Check for test class
+    TEST_FOUND=$(find "$TEST_DIR" -path "*/$rule_id/*" -name "*Test*.java" 2>/dev/null | head -1)
+    if [[ -n "$TEST_FOUND" ]]; then
+        info "Unit test found for $rule_id: $TEST_FOUND"
+    else
+        # Search more broadly
+        TEST_FOUND=$(find "$TEST_DIR" -name "*Test*.java" -exec grep -l "$rule_id\|$(echo "$NEW_CHECK_FILES" | xargs -n1 basename 2>/dev/null | sed 's/\.java//')" {} \; 2>/dev/null | head -1)
+        if [[ -n "$TEST_FOUND" ]]; then
+            info "Unit test found for $rule_id: $TEST_FOUND"
+        else
+            critical "No unit test found for rule $rule_id"
+        fi
+    fi
+
+    # Check for test resource files (compliant and noncompliant)
+    TEST_RESOURCES=$(find "$IT_TEST_PROJECT_DIR" -path "*/$rule_id/*" -name "*.java" 2>/dev/null || true)
+    if [[ -n "$TEST_RESOURCES" ]]; then
+        NONCOMPLIANT_FOUND=false
+        COMPLIANT_POSSIBLE=false
+        while IFS= read -r res_file; do
+            if grep -q "// Noncompliant" "$res_file" 2>/dev/null; then
+                NONCOMPLIANT_FOUND=true
+            fi
+            # A file without Noncompliant markers is likely a compliant test
+            if ! grep -q "// Noncompliant" "$res_file" 2>/dev/null; then
+                COMPLIANT_POSSIBLE=true
+            fi
+        done <<< "$TEST_RESOURCES"
+
+        if $NONCOMPLIANT_FOUND; then
+            info "Noncompliant test cases found for $rule_id"
+        else
+            warning "No '// Noncompliant' markers found in test files for $rule_id"
+        fi
+    else
+        warning "No test resource files found in $IT_TEST_PROJECT_DIR for $rule_id"
+    fi
+done
+
+# =============================================================================
+# CHECK 6: INTEGRATION TEST (GCIRulesIT)
+# =============================================================================
+section "CHECK 6: INTEGRATION TEST"
+
+IT_FILE=$(find src/it -name "GCIRulesIT.java" 2>/dev/null | head -1)
+
+if [[ -n "$IT_FILE" && -f "$IT_FILE" ]]; then
+    for rule_id in $RULE_IDS; do
+        RULE_NUM=$(echo "$rule_id" | grep -oP '\d+')
+        if grep -q "testGCI${RULE_NUM}\|test${rule_id}\|\"creedengo-java:${rule_id}\"" "$IT_FILE" 2>/dev/null; then
+            info "Integration test found for $rule_id in GCIRulesIT.java"
+        else
+            critical "No integration test found for $rule_id in GCIRulesIT.java"
+        fi
+    done
+else
+    if [[ -n "$RULE_IDS" ]]; then
+        warning "GCIRulesIT.java not found"
+    fi
+fi
+
+# =============================================================================
+# CHECK 7: CODE STYLE VIOLATIONS
+# =============================================================================
+section "CHECK 7: CODE STYLE"
+
+STYLE_ISSUES=0
+
+for f in $CHANGED_JAVA_SRC; do
+    if [[ ! -f "$f" ]]; then continue; fi
+
+    # Check for 'var' usage (local variable type inference forbidden)
+    VAR_LINES=$(grep -n '^\s*var\s\|[\s(]var\s' "$f" 2>/dev/null | grep -v '//\|/\*\|\*' || true)
+    if [[ -n "$VAR_LINES" ]]; then
+        warning "Usage of 'var' detected in $f (forbidden by CODE_STYLE):"
+        echo "$VAR_LINES" | while read -r line; do report "    $line"; done
+        STYLE_ISSUES=$((STYLE_ISSUES + 1))
+    fi
+
+    # Check for lines > 120 characters
+    LONG_LINES=$(awk 'length > 120 {print NR": "$0}' "$f" 2>/dev/null | grep -v '^\s*//' | head -5 || true)
+    if [[ -n "$LONG_LINES" ]]; then
+        warning "Lines exceeding 120 chars in $f:"
+        echo "$LONG_LINES" | while read -r line; do report "    $line"; done
+        STYLE_ISSUES=$((STYLE_ISSUES + 1))
+    fi
+
+    # Check for single-character variable names (excluding loop counters i, j, k)
+    SINGLE_CHAR=$(grep -nP '(^|\s)(int|long|String|Object|boolean|double|float|char|byte|short)\s+[a-hlo-zA-Z]\s*[=;,)]' "$f" 2>/dev/null | grep -v '//\|/\*' || true)
+    if [[ -n "$SINGLE_CHAR" ]]; then
+        warning "Single-character variable names in $f (discouraged):"
+        echo "$SINGLE_CHAR" | head -3 | while read -r line; do report "    $line"; done
+        STYLE_ISSUES=$((STYLE_ISSUES + 1))
+    fi
+done
+
+# Check @Rule annotated files for specific patterns
+for f in $NEW_CHECK_FILES; do
+    if [[ ! -f "$f" ]]; then continue; fi
+
+    # Check for @Override on visitNode/leaveNode
+    if grep -q "public void visitNode\|public List.*nodesToVisit\|public void leaveNode" "$f" 2>/dev/null; then
+        METHODS_WITHOUT_OVERRIDE=$(grep -B1 "public void visitNode\|public List.*nodesToVisit\|public void leaveNode" "$f" 2>/dev/null | grep -v "@Override" | grep "public" || true)
+        if [[ -n "$METHODS_WITHOUT_OVERRIDE" ]]; then
+            warning "Missing @Override annotation in $f:"
+            echo "$METHODS_WITHOUT_OVERRIDE" | while read -r line; do report "    $line"; done
+            STYLE_ISSUES=$((STYLE_ISSUES + 1))
+        fi
+    fi
+
+    # Check extends IssuableSubscriptionVisitor
+    if ! grep -q "extends IssuableSubscriptionVisitor" "$f" 2>/dev/null; then
+        warning "$f does not extend IssuableSubscriptionVisitor (unusual for a rule class)"
+        STYLE_ISSUES=$((STYLE_ISSUES + 1))
+    fi
+
+    # Check for protected static final String message constant
+    if ! grep -qP 'protected static final String\s+(MESSAGERULE|RULE_MESSAGE|MESSAGE)' "$f" 2>/dev/null; then
+        if ! grep -q 'protected static final String' "$f" 2>/dev/null; then
+            warning "$f has no 'protected static final String' message constant"
+            STYLE_ISSUES=$((STYLE_ISSUES + 1))
+        fi
+    fi
+done
+
+if [[ $STYLE_ISSUES -eq 0 ]]; then
+    info "No code style violations detected"
+fi
+
+# =============================================================================
+# CHECK 8: POTENTIAL ClassCastException RISKS
+# =============================================================================
+section "CHECK 8: ClassCastException RISKS"
+
+CAST_RISKS=0
+
+for f in $CHANGED_JAVA_SRC; do
+    if [[ ! -f "$f" ]]; then continue; fi
+
+    # Look for unchecked casts without instanceof
+    CASTS=$(grep -nP '\(\s*([\w.]+Tree|[\w.]+Expression|[\w.]+Statement)\s*\)' "$f" 2>/dev/null || true)
+    if [[ -n "$CASTS" ]]; then
+        while IFS= read -r cast_line; do
+            LINE_NUM=$(echo "$cast_line" | cut -d: -f1)
+            # Check if there's an instanceof check nearby (within 5 lines before)
+            START_LINE=$((LINE_NUM > 5 ? LINE_NUM - 5 : 1))
+            CONTEXT=$(sed -n "${START_LINE},${LINE_NUM}p" "$f" 2>/dev/null)
+            CAST_TYPE=$(echo "$cast_line" | grep -oP '\(\s*([\w.]+)\s*\)' | head -1 | tr -d '() ')
+            if [[ -n "$CAST_TYPE" ]] && ! echo "$CONTEXT" | grep -q "instanceof.*$CAST_TYPE\|\.is(\|\.isKind(" 2>/dev/null; then
+                warning "Potential unchecked cast at $f:$LINE_NUM - verify instanceof guard exists"
+                report "    $cast_line"
+                CAST_RISKS=$((CAST_RISKS + 1))
+            fi
+        done <<< "$CASTS"
+    fi
+done
+
+if [[ $CAST_RISKS -eq 0 ]]; then
+    info "No obvious ClassCastException risks detected"
+else
+    warning "$CAST_RISKS potential cast risk(s) found - requires manual verification"
+fi
+
+# =============================================================================
+# CHECK 9: NONCOMPLIANT MESSAGE CONSISTENCY
+# =============================================================================
+section "CHECK 9: MESSAGE CONSISTENCY"
+
+for f in $NEW_CHECK_FILES; do
+    if [[ ! -f "$f" ]]; then continue; fi
+
+    # Extract the error message from the rule class
+    RULE_MSG=$(grep -oP 'protected static final String\s+\w+\s*=\s*"([^"]+)"' "$f" 2>/dev/null | grep -oP '"[^"]+"' | tr -d '"' | head -1)
+
+    if [[ -n "$RULE_MSG" ]]; then
+        report "  Rule message in $(basename "$f"): \"$RULE_MSG\""
+
+        # Find corresponding test files
+        RULE_ID=$(grep -oP '@Rule\(key\s*=\s*"(GCI\d+)"' "$f" | grep -oP 'GCI\d+' || true)
+        if [[ -n "$RULE_ID" ]]; then
+            TEST_RESOURCES=$(find "$IT_TEST_PROJECT_DIR" -path "*/$RULE_ID/*" -name "*.java" 2>/dev/null || true)
+            if [[ -n "$TEST_RESOURCES" ]]; then
+                while IFS= read -r test_file; do
+                    NONCOMPLIANT_MSGS=$(grep -oP '// Noncompliant \{\{([^}]+)\}\}' "$test_file" 2>/dev/null | grep -oP '\{\{[^}]+\}\}' | tr -d '{}' || true)
+                    if [[ -n "$NONCOMPLIANT_MSGS" ]]; then
+                        while IFS= read -r msg; do
+                            if [[ "$msg" != "$RULE_MSG" ]]; then
+                                warning "Message mismatch in $test_file:"
+                                report "    Expected: \"$RULE_MSG\""
+                                report "    Found:    \"$msg\""
+                            fi
+                        done <<< "$NONCOMPLIANT_MSGS"
+                    fi
+                done <<< "$TEST_RESOURCES"
+            fi
+        fi
+    fi
+done
+
+# =============================================================================
+# CHECK 10: TEST FILES COMPILATION (basic import check)
+# =============================================================================
+section "CHECK 10: TEST FILES IMPORT CHECK"
+
+IMPORT_ISSUES=0
+CHANGED_IT_FILES=$(echo "$CHANGED_FILES" | grep "^src/it/test-projects/.*\.java$" || true)
+
+for f in $CHANGED_IT_FILES; do
+    if [[ ! -f "$f" ]]; then continue; fi
+
+    # Check if file uses classes without imports
+    USED_TYPES=$(grep -oP '(?<!\w)(List|Map|Set|ArrayList|HashMap|HashSet|Optional|Stream|Arrays|Collections)\s*[<(]' "$f" 2>/dev/null | grep -oP '^\w+' | sort -u || true)
+    IMPORTS=$(grep "^import " "$f" 2>/dev/null || true)
+
+    for type in $USED_TYPES; do
+        if ! echo "$IMPORTS" | grep -q "$type" 2>/dev/null; then
+            # Check if it's not in java.lang (implicit import)
+            if [[ "$type" != "String" && "$type" != "Object" && "$type" != "System" && "$type" != "Integer" ]]; then
+                warning "Potentially missing import for '$type' in $f"
+                IMPORT_ISSUES=$((IMPORT_ISSUES + 1))
+            fi
+        fi
+    done
+done
+
+if [[ $IMPORT_ISSUES -eq 0 ]]; then
+    info "No obvious import issues in test files"
+fi
+
+# =============================================================================
+# CHECK 11: @DeprecatedRuleKey usage
+# =============================================================================
+section "CHECK 11: @DeprecatedRuleKey USAGE"
+
+for f in $NEW_CHECK_FILES; do
+    if [[ ! -f "$f" ]]; then continue; fi
+    if grep -q "@DeprecatedRuleKey" "$f" 2>/dev/null; then
+        # Check if this is actually a new file (not existing)
+        IS_NEW=$(git diff --name-only --diff-filter=A "$BASE_BRANCH"...HEAD 2>/dev/null | grep "$(basename "$f")" || \
+                 git diff --name-only --diff-filter=A "origin/$BASE_BRANCH"...HEAD 2>/dev/null | grep "$(basename "$f")" || true)
+        if [[ -n "$IS_NEW" ]]; then
+            warning "@DeprecatedRuleKey found on new file $f - verify this is intentional"
+        else
+            info "@DeprecatedRuleKey in $f (existing file modification - OK)"
+        fi
+    fi
+done
+
+# =============================================================================
+# CHECK 12: TEST FILES IN CORRECT LOCATION (not old src/test/files/)
+# =============================================================================
+section "CHECK 12: TEST FILES LOCATION"
+
+# Real reviewer feedback (PR #103, #106): test files should be in the NEW location
+# src/it/test-projects/.../checks/GCI{N}/ and NOT in the old src/test/files/
+OLD_TEST_LOCATION="src/test/files"
+NEW_FILES_IN_OLD_LOCATION=$(echo "$CHANGED_FILES" | grep "^${OLD_TEST_LOCATION}/" || true)
+
+if [[ -n "$NEW_FILES_IN_OLD_LOCATION" ]]; then
+    critical "Test files added in DEPRECATED location '$OLD_TEST_LOCATION/':"
+    echo "$NEW_FILES_IN_OLD_LOCATION" | while read -r f; do
+        report "    $f"
+        critical "  -> Move to src/it/test-projects/.../checks/GCI{N}/ instead"
+    done
+
+    # Check for duplication (same file in both old and new location) - PR #110 pattern
+    while IFS= read -r old_file; do
+        OLD_BASENAME=$(basename "$old_file")
+        DUPLICATE=$(echo "$CHANGED_FILES" | grep "^src/it/test-projects/.*${OLD_BASENAME}$" || true)
+        if [[ -n "$DUPLICATE" ]]; then
+            warning "Test file '$OLD_BASENAME' exists in BOTH old and new locations (remove from src/test/files/)"
+        fi
+    done <<< "$NEW_FILES_IN_OLD_LOCATION"
+else
+    info "No test files in deprecated location (src/test/files/)"
+fi
+
+# Check for missing trailing newline (PR #110 pattern)
+NEWLINE_ISSUES=0
+for f in $CHANGED_JAVA_SRC $CHANGED_IT_FILES; do
+    if [[ -f "$f" ]]; then
+        if [[ -n "$(tail -c 1 "$f" 2>/dev/null)" ]]; then
+            warning "Missing trailing newline in $f"
+            NEWLINE_ISSUES=$((NEWLINE_ISSUES + 1))
+        fi
+    fi
+done
+
+if [[ $NEWLINE_ISSUES -eq 0 ]]; then
+    info "All changed files have proper trailing newline"
+fi
+
+# =============================================================================
+# CHECK 13: RULE ID CONSISTENCY ACROSS FILES
+# =============================================================================
+section "CHECK 13: RULE ID CONSISTENCY"
+
+# Real reviewer feedback (PR #106): Rule ID must be consistent across ALL files
+# (CHANGELOG, registrar, profile, test, IT, rule class)
+for rule_id in $RULE_IDS; do
+    INCONSISTENCIES=0
+
+    # Check CHANGELOG mentions the same rule ID
+    if echo "$CHANGED_FILES" | grep -q "^CHANGELOG.md$"; then
+        if ! grep -q "$rule_id" CHANGELOG.md 2>/dev/null; then
+            warning "CHANGELOG.md does not mention rule $rule_id"
+            INCONSISTENCIES=$((INCONSISTENCIES + 1))
+        fi
+    fi
+
+    # Check IT test uses the correct rule ID format "creedengo-java:{RULE_ID}"
+    IT_FILE=$(find src/it -name "GCIRulesIT.java" 2>/dev/null | head -1)
+    if [[ -n "$IT_FILE" && -f "$IT_FILE" ]]; then
+        if echo "$CHANGED_FILES" | grep -q "GCIRulesIT"; then
+            RULE_ID_IN_IT=$(grep -oP '"creedengo-java:(GCI\d+)"' "$IT_FILE" 2>/dev/null | grep "$rule_id" || true)
+            if [[ -z "$RULE_ID_IN_IT" ]]; then
+                warning "GCIRulesIT.java does not reference \"creedengo-java:$rule_id\""
+                INCONSISTENCIES=$((INCONSISTENCIES + 1))
+            fi
+        fi
+    fi
+
+    # Check that the rule ID in the @Rule annotation matches everywhere
+    for f in $NEW_CHECK_FILES; do
+        FILE_RULE_ID=$(grep -oP '@Rule\(key\s*=\s*"(GCI\d+)"' "$f" 2>/dev/null | grep -oP 'GCI\d+' || true)
+        if [[ -n "$FILE_RULE_ID" && "$FILE_RULE_ID" != "$rule_id" ]]; then
+            critical "Rule ID mismatch: $f has @Rule(key=\"$FILE_RULE_ID\") but expected $rule_id"
+            INCONSISTENCIES=$((INCONSISTENCIES + 1))
+        fi
+    done
+
+    if [[ $INCONSISTENCIES -eq 0 ]]; then
+        info "Rule ID $rule_id is consistent across all files"
+    fi
+done
+
+# =============================================================================
+# CHECK 14: TEST FILE PACKAGE DECLARATION
+# =============================================================================
+section "CHECK 14: TEST FILE PACKAGES"
+
+# Real reviewer feedback (PR #103): compile errors due to wrong/missing packages
+PACKAGE_ISSUES=0
+ALL_IT_TEST_FILES=$(echo "$CHANGED_FILES" | grep "^src/it/test-projects/.*\.java$" || true)
+
+for f in $ALL_IT_TEST_FILES; do
+    if [[ ! -f "$f" ]]; then continue; fi
+
+    # Check package declaration exists
+    PACKAGE_DECL=$(grep "^package " "$f" 2>/dev/null || true)
+    if [[ -z "$PACKAGE_DECL" ]]; then
+        warning "Missing package declaration in $f"
+        PACKAGE_ISSUES=$((PACKAGE_ISSUES + 1))
+    else
+        # Verify package matches directory structure
+        # Note: IT test files are in GCI{N}/ subdirectories but intentionally
+        # use the parent package (without GCI{N}) for CheckVerifier compatibility.
+        # We check that the declared package is a valid prefix of the dir structure.
+        EXPECTED_PKG=$(echo "$f" | sed 's|src/it/test-projects/[^/]*/src/main/java/||' | sed 's|/[^/]*\.java$||' | tr '/' '.')
+        ACTUAL_PKG=$(echo "$PACKAGE_DECL" | grep -oP 'package\s+([^;]+)' | sed 's/package\s*//' || true)
+        # Allow the actual package to be a prefix of expected (e.g., omitting GCI{N} subdir)
+        if [[ -n "$EXPECTED_PKG" && -n "$ACTUAL_PKG" && "$EXPECTED_PKG" != "$ACTUAL_PKG" ]]; then
+            # Check if actual is a valid prefix of expected (IT files in GCI{N}/ subdir)
+            if [[ "$EXPECTED_PKG" != "$ACTUAL_PKG."* ]]; then
+                warning "Package mismatch in $f:"
+                report "    Expected: $EXPECTED_PKG"
+                report "    Found:    $ACTUAL_PKG"
+                PACKAGE_ISSUES=$((PACKAGE_ISSUES + 1))
+            fi
+        fi
+    fi
+
+    # Check for class declaration matching filename
+    CLASS_NAME=$(basename "$f" .java)
+    if ! grep -q "class $CLASS_NAME\|interface $CLASS_NAME\|enum $CLASS_NAME" "$f" 2>/dev/null; then
+        warning "Class name does not match filename in $f (expected 'class $CLASS_NAME')"
+        PACKAGE_ISSUES=$((PACKAGE_ISSUES + 1))
+    fi
+done
+
+if [[ $PACKAGE_ISSUES -eq 0 ]]; then
+    info "All test file packages and class names are correct"
+fi
+
+# =============================================================================
+# CHECK 15: RULES-SPECIFICATIONS REFERENCE
+# =============================================================================
+section "CHECK 15: RULES-SPECIFICATIONS REFERENCE"
+
+# Real reviewer feedback (PR #103, #106): always link to creedengo-rules-specifications PR
+if [[ -n "$RULE_IDS" ]]; then
+    # Check if PR description or commits mention creedengo-rules-specifications
+    SPECS_REF=$(git log "$BASE_BRANCH"..HEAD --oneline 2>/dev/null | grep -i "rules-spec\|creedengo-rules-spec" || \
+                git log "origin/$BASE_BRANCH"..HEAD --oneline 2>/dev/null | grep -i "rules-spec\|creedengo-rules-spec" || true)
+    if [[ -n "$SPECS_REF" ]]; then
+        info "Reference to creedengo-rules-specifications found in commits"
+    else
+        warning "No reference to creedengo-rules-specifications PR in commits (reviewer will ask for it)"
+    fi
+fi
+
+# =============================================================================
+# CHECK 16: UNUSED IMPORTS IN SOURCE FILES
+# =============================================================================
+section "CHECK 16: UNUSED IMPORTS"
+
+# Real reviewer feedback (PR #175): github-code-quality detects unused code
+UNUSED_IMPORT_ISSUES=0
+
+for f in $CHANGED_JAVA_SRC; do
+    if [[ ! -f "$f" ]]; then continue; fi
+
+    # Get all imports
+    IMPORTS=$(grep "^import " "$f" 2>/dev/null | grep -v "^import static" | sed 's/import //; s/;//' || true)
+
+    for imp in $IMPORTS; do
+        # Get the simple class name (last part after .)
+        SIMPLE_NAME=$(echo "$imp" | grep -oP '[^.]+$')
+        # Skip wildcard imports
+        if [[ "$SIMPLE_NAME" == "*" ]]; then continue; fi
+        # Check if the class name is used anywhere else in the file (excluding the import line itself)
+        USAGE=$(grep -c "\b$SIMPLE_NAME\b" "$f" 2>/dev/null || echo "0")
+        # It should appear at least twice (import + usage)
+        if [[ "$USAGE" -lt 2 ]]; then
+            warning "Potentially unused import '$imp' in $f"
+            UNUSED_IMPORT_ISSUES=$((UNUSED_IMPORT_ISSUES + 1))
+        fi
+    done
+done
+
+if [[ $UNUSED_IMPORT_ISSUES -eq 0 ]]; then
+    info "No obviously unused imports detected"
+fi
+
+# =============================================================================
+# CHECK 17: MERGE CONFLICT MARKERS
+# =============================================================================
+section "CHECK 17: MERGE CONFLICT MARKERS"
+
+# Real reviewer feedback (PR #105): utarwyn asked "Can you correct the conflict in the CHANGELOG file?"
+CONFLICT_ISSUES=0
+for f in $CHANGED_FILES; do
+    if [[ -f "$f" ]]; then
+        CONFLICTS=$(grep -n "^<<<<<<< \|^=======$\|^>>>>>>> " "$f" 2>/dev/null || true)
+        if [[ -n "$CONFLICTS" ]]; then
+            critical "Merge conflict markers found in $f:"
+            echo "$CONFLICTS" | head -5 | while read -r line; do report "    $line"; done
+            CONFLICT_ISSUES=$((CONFLICT_ISSUES + 1))
+        fi
+    fi
+done
+
+if [[ $CONFLICT_ISSUES -eq 0 ]]; then
+    info "No merge conflict markers found"
+fi
+
+# =============================================================================
+# CHECK 18: BRANCH UP-TO-DATE WITH BASE
+# =============================================================================
+section "CHECK 18: BRANCH UP-TO-DATE"
+
+# Real reviewer feedback (PR #44): utarwyn asked "Can you rebase your branch on the main branch?"
+BEHIND_COUNT=$(git rev-list --count HEAD.."$BASE_BRANCH" 2>/dev/null || git rev-list --count HEAD.."origin/$BASE_BRANCH" 2>/dev/null || echo "0")
+if [[ "$BEHIND_COUNT" -gt 0 ]]; then
+    warning "Branch is $BEHIND_COUNT commit(s) behind $BASE_BRANCH (rebase may be needed)"
+else
+    info "Branch is up-to-date with $BASE_BRANCH"
+fi
+
+# =============================================================================
+# CHECK 19: CHANGELOG FORMAT VALIDATION
+# =============================================================================
+section "CHECK 19: CHANGELOG FORMAT"
+
+# Real reviewer feedback (PR #42, #105, #110): CHANGELOG format is very specific
+if echo "$CHANGED_FILES" | grep -q "^CHANGELOG.md$"; then
+    CHANGELOG_ISSUES=0
+
+    # Check entry format: - [#N](url) GCIXXX - description
+    UNRELEASED_SECTION=$(sed -n '/## \[Unreleased\]/,/## \[/p' CHANGELOG.md 2>/dev/null | head -30)
+
+    # Check for entries without PR link format [#N](url)
+    ENTRIES_WITHOUT_LINK=$(echo "$UNRELEASED_SECTION" | grep "^- " | grep -v "\[#[0-9]" || true)
+    if [[ -n "$ENTRIES_WITHOUT_LINK" ]]; then
+        warning "CHANGELOG entries without PR link format '[#N](url)':"
+        echo "$ENTRIES_WITHOUT_LINK" | head -3 | while read -r line; do report "    $line"; done
+        CHANGELOG_ISSUES=$((CHANGELOG_ISSUES + 1))
+    fi
+
+    # Check for entries without rule ID (GCI) for rule-related PRs
+    if [[ -n "$RULE_IDS" ]]; then
+        for rule_id in $RULE_IDS; do
+            if ! echo "$UNRELEASED_SECTION" | grep -q "$rule_id" 2>/dev/null; then
+                warning "CHANGELOG [Unreleased] section does not mention $rule_id"
+                CHANGELOG_ISSUES=$((CHANGELOG_ISSUES + 1))
+            fi
+        done
+    fi
+
+    if [[ $CHANGELOG_ISSUES -eq 0 ]]; then
+        info "CHANGELOG format looks correct"
+    fi
+fi
+
+# =============================================================================
+# CHECK 20: @DeprecatedRuleKey FOR RENAMED RULES
+# =============================================================================
+section "CHECK 20: @DeprecatedRuleKey FOR RENAMES"
+
+# Real reviewer feedback (PR #75): when renaming ECXXX to GCIXXX, @DeprecatedRuleKey is mandatory
+for f in $NEW_CHECK_FILES; do
+    if [[ ! -f "$f" ]]; then continue; fi
+
+    # Check if the file has a @Rule annotation with GCI ID
+    RULE_KEY=$(grep -oP '@Rule\(key\s*=\s*"(GCI\d+)"' "$f" 2>/dev/null | grep -oP 'GCI\d+' || true)
+    if [[ -n "$RULE_KEY" ]]; then
+        # Extract the numeric part
+        RULE_NUM=$(echo "$RULE_KEY" | grep -oP '\d+')
+
+        # Rules below GCI100 had an ECXXX predecessor - they SHOULD have @DeprecatedRuleKey
+        if [[ "$RULE_NUM" -lt 100 ]]; then
+            if ! grep -q "@DeprecatedRuleKey" "$f" 2>/dev/null; then
+                warning "$f has $RULE_KEY (< GCI100) but no @DeprecatedRuleKey for backward compatibility (EC$RULE_NUM)"
+            else
+                info "$f has @DeprecatedRuleKey for backward compatibility"
+            fi
+        fi
+    fi
+done
+
+# =============================================================================
+# CHECK 21: BUILD AND TESTS
+# =============================================================================
+section "CHECK 21: BUILD AND TESTS"
+
+if [[ "$SKIP_BUILD" == "true" ]]; then
+    warning "Build skipped (--skip-build flag)"
+else
+    report "Running Maven build..."
+    echo -e "${BLUE}Running Maven build (this may take a few minutes)...${NC}"
+
+    BUILD_OUTPUT_FILE="build_output.log"
+
+    if ./mvnw -e -B verify -DskipITs=true > "$BUILD_OUTPUT_FILE" 2>&1; then
+        info "Maven build SUCCESS (unit tests passed)"
+        # Extract test summary
+        TEST_SUMMARY=$(grep "Tests run:" "$BUILD_OUTPUT_FILE" | grep -v "Time elapsed" | tail -1 || true)
+        if [[ -n "$TEST_SUMMARY" ]]; then
+            report "  Test summary: $TEST_SUMMARY"
+        fi
+        # Extract total test count
+        TOTAL_TESTS=$(grep -oP 'Tests run: \d+' "$BUILD_OUTPUT_FILE" | tail -1 || true)
+        report "  $TOTAL_TESTS"
+    else
+        critical "Maven build FAILED"
+        # Extract error info
+        ERRORS=$(grep -A5 "\[ERROR\]" "$BUILD_OUTPUT_FILE" | head -30 || true)
+        report "  Build errors (first 30 lines):"
+        echo "$ERRORS" | while read -r line; do report "    $line"; done
+    fi
+
+    # Note: Integration tests require SonarQube Orchestrator and are NOT run by this script
+    report ""
+    report "NOTE: Integration tests (IT) require a SonarQube Orchestrator environment."
+    report "They are NOT run by this script. To run IT tests:"
+    report "  .github/scripts/run_it.sh --skip-build [--rule GCIXXX]"
+fi
+
+# =============================================================================
+# SUMMARY
+# =============================================================================
+section "SUMMARY"
+
+report "Critical issues: $CRITICAL_COUNT"
+report "Warnings: $WARNING_COUNT"
+report "Passed checks: $INFO_COUNT"
+report ""
+
+echo ""
+echo -e "${BLUE}=====================================${NC}"
+echo -e "  Review complete."
+echo -e "  ${RED}Critical: $CRITICAL_COUNT${NC}"
+echo -e "  ${YELLOW}Warnings: $WARNING_COUNT${NC}"
+echo -e "  ${GREEN}Passed:   $INFO_COUNT${NC}"
+echo -e "${BLUE}=====================================${NC}"
+echo ""
+echo "Full report saved to: $REPORT_FILE"
+
+if [[ $CRITICAL_COUNT -gt 0 ]]; then
+    report "RESULT: CRITICAL ISSUES FOUND - PR should NOT be merged"
+    exit 1
+elif [[ $WARNING_COUNT -gt 0 ]]; then
+    report "RESULT: WARNINGS FOUND - Review needed"
+    exit 2
+else
+    report "RESULT: ALL AUTOMATED CHECKS PASSED"
+    exit 0
+fi
diff --git a/.github/scripts/run_it.bat b/.github/scripts/run_it.bat
new file mode 100644
index 00000000..2c1ba94d
--- /dev/null
+++ b/.github/scripts/run_it.bat
@@ -0,0 +1,195 @@
+@echo off
+REM =============================================================================
+REM creedengo-java Integration Tests Runner (Windows)
+REM =============================================================================
+REM This script runs the SonarQube integration tests using the Maven Failsafe
+REM plugin and the SonarQube Orchestrator. It downloads SonarQube automatically,
+REM installs the built plugin, analyses a test project, and verifies detected issues.
+REM
+REM Prerequisites:
+REM   - JDK 17+ (JDK 21 required for SonarQube >= 26.x)
+REM   - Maven wrapper (mvnw.cmd) available at project root
+REM   - Internet access (to download SonarQube on first run; cached in ~/.sonar/orchestrator)
+REM
+REM Usage: run_it.bat [--rule GCIXXX] [--keep-running] [--skip-build]
+REM
+REM Options:
+REM   --rule GCIXXX     Run only IT tests matching the given rule ID (e.g. GCI27)
+REM   --keep-running    Keep SonarQube running after tests (for manual inspection on port 33333)
+REM   --skip-build      Skip the clean+compile step (reuse existing target/ from a previous build)
+REM
+REM How it works:
+REM   This script uses the Maven lifecycle phase "verify" with -DskipTests=true.
+REM   This ensures that all systemPropertyVariables defined in the pom.xml for
+REM   the maven-failsafe-plugin are correctly injected (orchestrator URL,
+REM   SonarQube version, plugin paths, etc.). Using standalone goals like
+REM   "failsafe:integration-test" would NOT inject those properties.
+REM
+REM   - Without --skip-build: runs "mvnw clean verify -DskipTests=true"
+REM     (full clean build + IT)
+REM   - With --skip-build: runs "mvnw verify -DskipTests=true" (no clean;
+REM     Maven detects compiled classes are up-to-date, repackages quickly, runs IT)
+REM
+REM   If review_pr.bat was already run, the target/ directory contains the JAR.
+REM   Using --skip-build avoids a full recompile (only shade+IT run, ~5s overhead).
+REM
+REM Outputs:
+REM   - it_report.txt          Structured text report with pass/fail per test
+REM   - it_build_output.log    Full Maven output of the IT run
+REM
+REM Exit codes:
+REM   0 = All IT tests passed
+REM   1 = One or more IT tests failed
+REM   2 = Build/infrastructure error (could not run tests)
+REM =============================================================================
+
+setlocal enabledelayedexpansion
+
+REM --- Configuration ---
+set "REPORT_FILE=it_report.txt"
+set "LOG_FILE=it_build_output.log"
+set "RULE_FILTER="
+set "KEEP_RUNNING=false"
+set "SKIP_BUILD=false"
+set "FAILSAFE_REPORTS_DIR=target\failsafe-reports"
+
+REM --- Parse arguments ---
+:parse_args
+if "%~1"=="" goto :end_parse
+if "%~1"=="--rule" (set "RULE_FILTER=%~2" & shift & shift & goto :parse_args)
+if "%~1"=="--keep-running" (set "KEEP_RUNNING=true" & shift & goto :parse_args)
+if "%~1"=="--skip-build" (set "SKIP_BUILD=true" & shift & goto :parse_args)
+shift
+goto :parse_args
+:end_parse
+
+REM --- Validate environment ---
+where java >nul 2>&1
+if errorlevel 1 (
+    echo [IT-Runner] ERROR: Java not found. JDK 17+ is required.
+    exit /b 2
+)
+
+if not exist "mvnw.cmd" (
+    echo [IT-Runner] ERROR: Maven wrapper not found. Run from project root.
+    exit /b 2
+)
+
+REM --- Check for existing JAR when --skip-build ---
+if "%SKIP_BUILD%"=="true" (
+    dir /b target\creedengo-*.jar >nul 2>&1
+    if errorlevel 1 (
+        echo [IT-Runner] ERROR: No plugin JAR found in target\. Run without --skip-build first.
+        exit /b 2
+    )
+    echo [IT-Runner] Reusing existing JAR from target\.
+)
+
+REM --- Compose Maven command ---
+REM Use the Maven lifecycle "verify" so that all pom.xml systemPropertyVariables
+REM are correctly injected into the failsafe plugin execution.
+set "MVN_CMD=verify -DskipTests=true"
+
+if "%SKIP_BUILD%"=="false" set "MVN_CMD=clean %MVN_CMD%"
+
+if "%KEEP_RUNNING%"=="true" (
+    set "MVN_CMD=!MVN_CMD! -Dtest-it.sonarqube.keepRunning=true"
+    echo [IT-Runner] SonarQube will remain running after tests.
+)
+
+if not "%RULE_FILTER%"=="" (
+    set "MVN_CMD=!MVN_CMD! -Dit.test=GCIRulesIT#test%RULE_FILTER%*"
+    echo [IT-Runner] Filtering tests for rule: %RULE_FILTER%
+)
+
+REM --- Run integration tests ---
+echo [IT-Runner] Running integration tests...
+echo [IT-Runner] Command: mvnw.cmd %MVN_CMD%
+
+call mvnw.cmd %MVN_CMD% > "%LOG_FILE%" 2>&1
+set "MVN_EXIT=%errorlevel%"
+
+REM --- Parse results ---
+echo [IT-Runner] Parsing test results...
+
+REM Initialize report
+echo ============================================================> "%REPORT_FILE%"
+echo   CREEDENGO-JAVA INTEGRATION TESTS REPORT>> "%REPORT_FILE%"
+echo   Date: %date% %time%>> "%REPORT_FILE%"
+echo   Rule filter: %RULE_FILTER%>> "%REPORT_FILE%"
+echo   Maven exit code: !MVN_EXIT!>> "%REPORT_FILE%"
+echo ============================================================>> "%REPORT_FILE%"
+echo.>> "%REPORT_FILE%"
+
+REM Parse Failsafe summary from Maven output
+set "TOTAL_TESTS=0"
+set "TOTAL_FAILURES=0"
+set "TOTAL_ERRORS=0"
+set "TOTAL_SKIPPED=0"
+
+REM Parse from failsafe-summary.xml if it exists (most reliable source)
+if exist "%FAILSAFE_REPORTS_DIR%\failsafe-summary.xml" (
+    for /f "tokens=2 delims=<>" %%a in ('findstr "completed" "%FAILSAFE_REPORTS_DIR%\failsafe-summary.xml"') do set /a "TOTAL_TESTS=%%a"
+    for /f "tokens=2 delims=<>" %%a in ('findstr "failures" "%FAILSAFE_REPORTS_DIR%\failsafe-summary.xml"') do set /a "TOTAL_FAILURES=%%a"
+    for /f "tokens=2 delims=<>" %%a in ('findstr "errors" "%FAILSAFE_REPORTS_DIR%\failsafe-summary.xml"') do set /a "TOTAL_ERRORS=%%a"
+    for /f "tokens=2 delims=<>" %%a in ('findstr "skipped" "%FAILSAFE_REPORTS_DIR%\failsafe-summary.xml"') do set /a "TOTAL_SKIPPED=%%a"
+)
+
+set /a "TOTAL_PASSED=TOTAL_TESTS - TOTAL_FAILURES - TOTAL_ERRORS - TOTAL_SKIPPED"
+
+echo --- SUMMARY --->> "%REPORT_FILE%"
+echo Total tests:   !TOTAL_TESTS!>> "%REPORT_FILE%"
+echo Passed:        !TOTAL_PASSED!>> "%REPORT_FILE%"
+echo Failed:        !TOTAL_FAILURES!>> "%REPORT_FILE%"
+echo Errors:        !TOTAL_ERRORS!>> "%REPORT_FILE%"
+echo Skipped:       !TOTAL_SKIPPED!>> "%REPORT_FILE%"
+echo.>> "%REPORT_FILE%"
+
+REM --- Extract individual test results from text reports ---
+echo --- DETAIL PER TEST --->> "%REPORT_FILE%"
+if exist "%FAILSAFE_REPORTS_DIR%" (
+    for %%f in (%FAILSAFE_REPORTS_DIR%\*.txt) do (
+        findstr /c:"FAILED" "%%f" >nul 2>&1
+        if not errorlevel 1 (
+            echo   FAIL  %%~nf>> "%REPORT_FILE%"
+            findstr /c:"FAILED" "%%f" >> "%REPORT_FILE%"
+        ) else (
+            findstr /c:"Tests run:" "%%f" >nul 2>&1
+            if not errorlevel 1 (
+                echo   PASS  %%~nf>> "%REPORT_FILE%"
+            )
+        )
+    )
+)
+
+REM --- Final verdict ---
+echo.>> "%REPORT_FILE%"
+echo --- VERDICT --->> "%REPORT_FILE%"
+
+if !MVN_EXIT! equ 0 if !TOTAL_FAILURES! equ 0 if !TOTAL_ERRORS! equ 0 (
+    echo RESULT=SUCCESS>> "%REPORT_FILE%"
+    echo All integration tests passed.>> "%REPORT_FILE%"
+    goto :display
+)
+
+echo RESULT=FAILURE>> "%REPORT_FILE%"
+if !MVN_EXIT! neq 0 echo Maven exited with code !MVN_EXIT!.>> "%REPORT_FILE%"
+if !TOTAL_FAILURES! gtr 0 echo !TOTAL_FAILURES! test failure^(s^) detected.>> "%REPORT_FILE%"
+if !TOTAL_ERRORS! gtr 0 echo !TOTAL_ERRORS! error^(s^) detected.>> "%REPORT_FILE%"
+echo One or more rules did not behave as expected in SonarQube.>> "%REPORT_FILE%"
+
+:display
+REM --- Output summary to stdout ---
+echo.
+echo ========================================
+type "%REPORT_FILE%"
+echo ========================================
+echo.
+echo [IT-Runner] Full Maven output: %LOG_FILE%
+echo [IT-Runner] Report: %REPORT_FILE%
+
+REM --- Exit ---
+if !TOTAL_FAILURES! gtr 0 exit /b 1
+if !TOTAL_ERRORS! gtr 0 exit /b 1
+if !MVN_EXIT! neq 0 exit /b 1
+exit /b 0
diff --git a/.github/scripts/run_it.sh b/.github/scripts/run_it.sh
new file mode 100644
index 00000000..5d3e69ad
--- /dev/null
+++ b/.github/scripts/run_it.sh
@@ -0,0 +1,237 @@
+#!/bin/bash
+# =============================================================================
+# creedengo-java Integration Tests Runner
+# =============================================================================
+# This script runs the SonarQube integration tests using the Maven Failsafe
+# plugin and the SonarQube Orchestrator. It downloads SonarQube automatically,
+# installs the built plugin, analyses a test project, and verifies detected issues.
+#
+# Prerequisites:
+#   - JDK 17+ (JDK 21 required for SonarQube >= 26.x)
+#   - Maven wrapper (mvnw) available at project root
+#   - Internet access (to download SonarQube on first run; cached in ~/.sonar/orchestrator)
+#
+# Usage: ./run_it.sh [--rule GCIXXX] [--keep-running] [--skip-build]
+#
+# Options:
+#   --rule GCIXXX     Run only IT tests matching the given rule ID (e.g. GCI27)
+#   --keep-running    Keep SonarQube running after tests (for manual inspection on port 33333)
+#   --skip-build      Skip the clean+compile step (reuse existing target/ from a previous build)
+#
+# How it works:
+#   This script uses the Maven lifecycle phase "verify" with -DskipTests=true.
+#   This ensures that all systemPropertyVariables defined in the pom.xml for
+#   the maven-failsafe-plugin are correctly injected (orchestrator URL,
+#   SonarQube version, plugin paths, etc.). Using standalone goals like
+#   "failsafe:integration-test" would NOT inject those properties.
+#
+#   - Without --skip-build: runs "mvnw clean verify -DskipTests=true"
+#     (full clean build + IT)
+#   - With --skip-build: runs "mvnw verify -DskipTests=true" (no clean;
+#     Maven detects compiled classes are up-to-date, repackages quickly, runs IT)
+#
+#   If review_pr.sh was already run, the target/ directory contains the JAR.
+#   Using --skip-build avoids a full recompile (only shade+IT run, ~5s overhead).
+#
+# Outputs:
+#   - it_report.txt          Structured text report with pass/fail per test
+#   - it_build_output.log    Full Maven output of the IT run
+#
+# Exit codes:
+#   0 = All IT tests passed
+#   1 = One or more IT tests failed
+#   2 = Build/infrastructure error (could not run tests)
+# =============================================================================
+
+set -uo pipefail
+
+# --- Configuration ---
+REPORT_FILE="it_report.txt"
+LOG_FILE="it_build_output.log"
+RULE_FILTER=""
+KEEP_RUNNING=false
+SKIP_BUILD=false
+FAILSAFE_REPORTS_DIR="target/failsafe-reports"
+
+# --- Parse arguments ---
+while [[ $# -gt 0 ]]; do
+    case "$1" in
+        --rule) RULE_FILTER="$2"; shift 2 ;;
+        --keep-running) KEEP_RUNNING=true; shift ;;
+        --skip-build) SKIP_BUILD=true; shift ;;
+        *) echo "Unknown option: $1"; exit 2 ;;
+    esac
+done
+
+# --- Helper functions ---
+log() { echo "[IT-Runner] $*"; }
+error() { echo "[IT-Runner] ERROR: $*" >&2; }
+
+# --- Validate environment ---
+if ! command -v java &> /dev/null; then
+    error "Java not found. JDK 17+ is required."
+    exit 2
+fi
+
+JAVA_VERSION=$(java -version 2>&1 | head -1 | sed 's/.*"\([0-9]*\).*/\1/')
+if [[ "$JAVA_VERSION" -lt 17 ]]; then
+    error "JDK 17+ required, found JDK $JAVA_VERSION"
+    exit 2
+fi
+
+if [[ ! -f "./mvnw" ]]; then
+    error "Maven wrapper (mvnw) not found. Run from project root."
+    exit 2
+fi
+
+# --- Check for existing JAR when --skip-build ---
+if [[ "$SKIP_BUILD" == "true" ]]; then
+    if ! ls target/creedengo-*.jar &> /dev/null; then
+        error "No plugin JAR found in target/. Run without --skip-build first."
+        exit 2
+    fi
+    log "Reusing existing JAR from target/."
+fi
+
+# --- Compose Maven command ---
+# Use the Maven lifecycle "verify" so that all pom.xml systemPropertyVariables
+# are correctly injected into the failsafe plugin execution.
+MVN_CMD="verify -DskipTests=true"
+
+if [[ "$SKIP_BUILD" == "false" ]]; then
+    MVN_CMD="clean $MVN_CMD"
+fi
+
+if [[ "$KEEP_RUNNING" == "true" ]]; then
+    MVN_CMD="$MVN_CMD -Dtest-it.sonarqube.keepRunning=true"
+    log "SonarQube will remain running after tests."
+fi
+
+if [[ -n "$RULE_FILTER" ]]; then
+    MVN_CMD="$MVN_CMD -Dit.test=GCIRulesIT#test${RULE_FILTER}*"
+    log "Filtering tests for rule: $RULE_FILTER"
+fi
+
+# --- Run integration tests ---
+log "Running integration tests..."
+log "Command: ./mvnw $MVN_CMD"
+
+./mvnw $MVN_CMD 2>&1 | tee "$LOG_FILE"
+MVN_EXIT=${PIPESTATUS[0]}
+
+# --- Step 4: Parse results ---
+log "Parsing test results..."
+
+# Initialize report
+{
+    echo "============================================================"
+    echo "  CREEDENGO-JAVA INTEGRATION TESTS REPORT"
+    echo "  Date: $(date '+%Y-%m-%d %H:%M:%S')"
+    echo "  Rule filter: ${RULE_FILTER:-none (all rules)}"
+    echo "  SonarQube version: $(grep -m1 'test-it.sonarqube.version' pom.xml | grep -v '<!--' | sed 's/.*>\(.*\)<.*/\1/' || echo 'unknown')"
+    echo "============================================================"
+    echo ""
+} > "$REPORT_FILE"
+
+# Parse Failsafe XML reports
+TOTAL_TESTS=0
+TOTAL_FAILURES=0
+TOTAL_ERRORS=0
+TOTAL_SKIPPED=0
+
+if [[ -d "$FAILSAFE_REPORTS_DIR" ]]; then
+    # Find all XML test result files
+    for xml_file in "$FAILSAFE_REPORTS_DIR"/TEST-*.xml; do
+        [[ -f "$xml_file" ]] || continue
+
+        # Extract summary from XML attributes
+        tests=$(grep -oP 'tests="\K[0-9]+' "$xml_file" | head -1 || echo 0)
+        failures=$(grep -oP 'failures="\K[0-9]+' "$xml_file" | head -1 || echo 0)
+        errors=$(grep -oP 'errors="\K[0-9]+' "$xml_file" | head -1 || echo 0)
+        skipped=$(grep -oP 'skipped="\K[0-9]+' "$xml_file" | head -1 || echo 0)
+
+        TOTAL_TESTS=$((TOTAL_TESTS + tests))
+        TOTAL_FAILURES=$((TOTAL_FAILURES + failures))
+        TOTAL_ERRORS=$((TOTAL_ERRORS + errors))
+        TOTAL_SKIPPED=$((TOTAL_SKIPPED + skipped))
+    done
+
+    # Extract individual test results
+    {
+        echo "--- SUMMARY ---"
+        echo "Total tests:   $TOTAL_TESTS"
+        echo "Passed:        $((TOTAL_TESTS - TOTAL_FAILURES - TOTAL_ERRORS - TOTAL_SKIPPED))"
+        echo "Failed:        $TOTAL_FAILURES"
+        echo "Errors:        $TOTAL_ERRORS"
+        echo "Skipped:       $TOTAL_SKIPPED"
+        echo ""
+        echo "--- DETAIL PER TEST ---"
+    } >> "$REPORT_FILE"
+
+    # Parse individual testcase results from XML
+    for xml_file in "$FAILSAFE_REPORTS_DIR"/TEST-*.xml; do
+        [[ -f "$xml_file" ]] || continue
+
+        # Extract test method names and their status
+        while IFS= read -r line; do
+            if echo "$line" | grep -q '<testcase '; then
+                test_name=$(echo "$line" | grep -oP 'name="\K[^"]+')
+                test_class=$(echo "$line" | grep -oP 'classname="\K[^"]+')
+                # Check if this testcase has a failure/error child
+                if echo "$line" | grep -q '/>'; then
+                    # Self-closing = passed
+                    echo "  PASS  ${test_class}#${test_name}" >> "$REPORT_FILE"
+                fi
+            elif echo "$line" | grep -q '</testcase>'; then
+                # Has children — check what came before
+                :
+            elif echo "$line" | grep -q '<failure'; then
+                failure_msg=$(echo "$line" | grep -oP 'message="\K[^"]*' | head -1)
+                echo "  FAIL  ${test_class}#${test_name} — ${failure_msg}" >> "$REPORT_FILE"
+            elif echo "$line" | grep -q '<error'; then
+                error_msg=$(echo "$line" | grep -oP 'message="\K[^"]*' | head -1)
+                echo "  ERROR ${test_class}#${test_name} — ${error_msg}" >> "$REPORT_FILE"
+            fi
+        done < "$xml_file"
+    done
+else
+    {
+        echo "--- SUMMARY ---"
+        echo "ERROR: No failsafe reports found in $FAILSAFE_REPORTS_DIR"
+        echo "The integration tests may not have run at all."
+    } >> "$REPORT_FILE"
+fi
+
+# --- Step 5: Final verdict ---
+{
+    echo ""
+    echo "--- VERDICT ---"
+    if [[ $MVN_EXIT -eq 0 && $TOTAL_FAILURES -eq 0 && $TOTAL_ERRORS -eq 0 ]]; then
+        echo "RESULT=SUCCESS"
+        echo "All integration tests passed. The rule(s) are correctly integrated in SonarQube."
+    else
+        echo "RESULT=FAILURE"
+        if [[ $MVN_EXIT -ne 0 ]]; then
+            echo "Maven exited with code $MVN_EXIT."
+        fi
+        if [[ $TOTAL_FAILURES -gt 0 || $TOTAL_ERRORS -gt 0 ]]; then
+            echo "$TOTAL_FAILURES failure(s), $TOTAL_ERRORS error(s) detected."
+            echo "One or more rules did not behave as expected in SonarQube."
+        fi
+    fi
+} >> "$REPORT_FILE"
+
+# --- Output summary to stdout ---
+echo ""
+echo "========================================"
+cat "$REPORT_FILE"
+echo "========================================"
+echo ""
+log "Full Maven output: $LOG_FILE"
+log "Report: $REPORT_FILE"
+
+# --- Exit ---
+if [[ $TOTAL_FAILURES -gt 0 || $TOTAL_ERRORS -gt 0 || $MVN_EXIT -ne 0 ]]; then
+    exit 1
+fi
+exit 0

From f992ffe318a3c6790c0c8fa2be5209a3a6bc7957 Mon Sep 17 00:00:00 2001
From: Julien Bureau <jbureau@aubay.com>
Date: Wed, 20 May 2026 15:56:40 +0200
Subject: [PATCH 2/3] fix: Update review phases and clean up process in
 reviewer agent documentation

---
 .../agents/creedengo-java-reviewer.agent.md   | 24 +++++++------------
 1 file changed, 9 insertions(+), 15 deletions(-)

diff --git a/.github/agents/creedengo-java-reviewer.agent.md b/.github/agents/creedengo-java-reviewer.agent.md
index b3778bed..fb5907f3 100644
--- a/.github/agents/creedengo-java-reviewer.agent.md
+++ b/.github/agents/creedengo-java-reviewer.agent.md
@@ -152,8 +152,6 @@ cmd /c "cd /d <workdir> && mvnw.cmd clean verify -DskipITs=true > build_output.l
 
 **MANDATORY.** The agent MUST run integration tests to verify that the rule is correctly loaded and behaves as expected within a real SonarQube instance.
 
-The IT runner script uses Maven's `verify` lifecycle phase with `-DskipTests=true`. This is critical because the `maven-failsafe-plugin` configuration in the pom.xml injects required `systemPropertyVariables` (orchestrator URL, SonarQube version, plugin JAR path, etc.) only when invoked through the lifecycle — NOT when using standalone goals like `failsafe:integration-test`.
-
 The script:
 1. Builds/repackages the plugin JAR (skippable with `--skip-build`)
 2. Downloads the configured SonarQube version (cached in `~/.sonar/orchestrator`)
@@ -568,9 +566,16 @@ To identify the correct lines:
 | Edge cases | ✅/❌ | |
 | False positives covered | ✅/❌ | |
 
----
+## Phase 3: Clean up
 
-## Verdict
+Clean up all temporary files created during the review :
+- build_output.log
+- it_build_output.log
+- it_output.log
+- it_report.txt
+- pr_review_output.log
+
+## Phase 4: Verdict
 
 Create a structured `review_report.md` report with the following content.
 
@@ -595,14 +600,3 @@ Create a structured `review_report.md` report with the following content.
 - API: `IssuableSubscriptionVisitor`, `BaseTreeVisitor`, `CheckVerifier`
 - Quality profile: `creedengo way`
 - Specs repo: `creedengo-rules-specifications`
-
-## Phase 5: Local fixes (optional)
-
-If the user wants to apply fixes directly on the PR branch (rather than leaving them to the contributor), the agent proposes automatic corrections.
-
-### Constraints
-
-- NEVER apply a fix without explicit user validation
-- After applying, re-run impacted checks if possible (e.g. recompile)
-- Fixes do NOT modify the business logic of the rule (formatting, metadata only)
-- Clean up all temporary files created during the review; keep the script execution report and the final report.

From 00cc7d6c68d0550a2575717d436a0ccf03e7ac39 Mon Sep 17 00:00:00 2001
From: Julien Bureau <jbureau@aubay.com>
Date: Wed, 20 May 2026 16:35:33 +0200
Subject: [PATCH 3/3] fix: Update integration test scripts

Co-authored-by: Copilot <copilot@github.com>
---
 .../agents/creedengo-java-reviewer.agent.md   |  3 +-
 .github/scripts/run_it.bat                    | 42 ++++++++++++-------
 .github/scripts/run_it.sh                     | 19 ++++++---
 3 files changed, 43 insertions(+), 21 deletions(-)

diff --git a/.github/agents/creedengo-java-reviewer.agent.md b/.github/agents/creedengo-java-reviewer.agent.md
index fb5907f3..25859d81 100644
--- a/.github/agents/creedengo-java-reviewer.agent.md
+++ b/.github/agents/creedengo-java-reviewer.agent.md
@@ -49,11 +49,12 @@ The review process uses two scripts sequentially, with a single Maven build:
    - Skips integration tests (ITs require SonarQube download, ~5min)
    - Output: `target/` directory with JAR + coverage + test reports
 
-2. **`run_it.{sh|bat} --skip-build`** — runs `mvnw verify -DskipTests=true`:
+2. **`run_it.{sh|bat} --skip-build`** — runs `mvnw verify -Dskip.unit.tests=true`:
    - Detects that classes are already compiled (incremental, ~1s)
    - Repackages the JAR (shade, ~3s)
    - Runs integration tests via Failsafe (downloads SonarQube if not cached)
    - The `--skip-build` flag skips the `clean` phase so target/ is reused
+   - Uses `-Dskip.unit.tests=true` (NOT `-DskipTests=true` which also skips Failsafe since 3.x)
 
 **Why two separate invocations?**
 - Unit tests are fast (~5s) and give quick feedback on compilation + logic errors
diff --git a/.github/scripts/run_it.bat b/.github/scripts/run_it.bat
index 2c1ba94d..39865283 100644
--- a/.github/scripts/run_it.bat
+++ b/.github/scripts/run_it.bat
@@ -19,15 +19,21 @@ REM   --keep-running    Keep SonarQube running after tests (for manual inspectio
 REM   --skip-build      Skip the clean+compile step (reuse existing target/ from a previous build)
 REM
 REM How it works:
-REM   This script uses the Maven lifecycle phase "verify" with -DskipTests=true.
-REM   This ensures that all systemPropertyVariables defined in the pom.xml for
-REM   the maven-failsafe-plugin are correctly injected (orchestrator URL,
+REM   This script uses the Maven lifecycle phase "verify" with -Dskip.unit.tests=true.
+REM   This property is defined in pom.xml and wired only to maven-surefire-plugin's
+REM   <skip> configuration, so unit tests (Surefire) are skipped while integration
+REM   tests (Failsafe) still run. All systemPropertyVariables defined in the pom.xml
+REM   for the maven-failsafe-plugin are correctly injected (orchestrator URL,
 REM   SonarQube version, plugin paths, etc.). Using standalone goals like
 REM   "failsafe:integration-test" would NOT inject those properties.
 REM
-REM   - Without --skip-build: runs "mvnw clean verify -DskipTests=true"
+REM   IMPORTANT: Do NOT use -DskipTests=true here. Since Maven Failsafe 3.x,
+REM   -DskipTests=true also skips integration tests, producing 0 tests run.
+REM   Use -Dskip.unit.tests=true instead (custom property wired to surefire only).
+REM
+REM   - Without --skip-build: runs "mvnw clean verify -Dskip.unit.tests=true"
 REM     (full clean build + IT)
-REM   - With --skip-build: runs "mvnw verify -DskipTests=true" (no clean;
+REM   - With --skip-build: runs "mvnw verify -Dskip.unit.tests=true" (no clean;
 REM     Maven detects compiled classes are up-to-date, repackages quickly, runs IT)
 REM
 REM   If review_pr.bat was already run, the target/ directory contains the JAR.
@@ -88,7 +94,8 @@ if "%SKIP_BUILD%"=="true" (
 REM --- Compose Maven command ---
 REM Use the Maven lifecycle "verify" so that all pom.xml systemPropertyVariables
 REM are correctly injected into the failsafe plugin execution.
-set "MVN_CMD=verify -DskipTests=true"
+REM IMPORTANT: Do NOT use -DskipTests=true (skips failsafe too since 3.x).
+set "MVN_CMD=verify -Dskip.unit.tests=true"
 
 if "%SKIP_BUILD%"=="false" set "MVN_CMD=clean %MVN_CMD%"
 
@@ -128,11 +135,12 @@ set "TOTAL_ERRORS=0"
 set "TOTAL_SKIPPED=0"
 
 REM Parse from failsafe-summary.xml if it exists (most reliable source)
+REM XML format: <completed>N</completed> -- with delims=<>, value is at token 3
 if exist "%FAILSAFE_REPORTS_DIR%\failsafe-summary.xml" (
-    for /f "tokens=2 delims=<>" %%a in ('findstr "completed" "%FAILSAFE_REPORTS_DIR%\failsafe-summary.xml"') do set /a "TOTAL_TESTS=%%a"
-    for /f "tokens=2 delims=<>" %%a in ('findstr "failures" "%FAILSAFE_REPORTS_DIR%\failsafe-summary.xml"') do set /a "TOTAL_FAILURES=%%a"
-    for /f "tokens=2 delims=<>" %%a in ('findstr "errors" "%FAILSAFE_REPORTS_DIR%\failsafe-summary.xml"') do set /a "TOTAL_ERRORS=%%a"
-    for /f "tokens=2 delims=<>" %%a in ('findstr "skipped" "%FAILSAFE_REPORTS_DIR%\failsafe-summary.xml"') do set /a "TOTAL_SKIPPED=%%a"
+    for /f "tokens=3 delims=<>" %%a in ('findstr "completed" "%FAILSAFE_REPORTS_DIR%\failsafe-summary.xml"') do set /a "TOTAL_TESTS=%%a"
+    for /f "tokens=3 delims=<>" %%a in ('findstr /c:"<failures>" "%FAILSAFE_REPORTS_DIR%\failsafe-summary.xml"') do set /a "TOTAL_FAILURES=%%a"
+    for /f "tokens=3 delims=<>" %%a in ('findstr /c:"<errors>" "%FAILSAFE_REPORTS_DIR%\failsafe-summary.xml"') do set /a "TOTAL_ERRORS=%%a"
+    for /f "tokens=3 delims=<>" %%a in ('findstr /c:"<skipped>" "%FAILSAFE_REPORTS_DIR%\failsafe-summary.xml"') do set /a "TOTAL_SKIPPED=%%a"
 )
 
 set /a "TOTAL_PASSED=TOTAL_TESTS - TOTAL_FAILURES - TOTAL_ERRORS - TOTAL_SKIPPED"
@@ -149,14 +157,20 @@ REM --- Extract individual test results from text reports ---
 echo --- DETAIL PER TEST --->> "%REPORT_FILE%"
 if exist "%FAILSAFE_REPORTS_DIR%" (
     for %%f in (%FAILSAFE_REPORTS_DIR%\*.txt) do (
-        findstr /c:"FAILED" "%%f" >nul 2>&1
+        findstr /c:"<<< FAILURE" "%%f" >nul 2>&1
         if not errorlevel 1 (
             echo   FAIL  %%~nf>> "%REPORT_FILE%"
-            findstr /c:"FAILED" "%%f" >> "%REPORT_FILE%"
+            findstr /c:"<<< FAILURE" "%%f" >> "%REPORT_FILE%"
         ) else (
-            findstr /c:"Tests run:" "%%f" >nul 2>&1
+            findstr /c:"<<< ERROR" "%%f" >nul 2>&1
             if not errorlevel 1 (
-                echo   PASS  %%~nf>> "%REPORT_FILE%"
+                echo   ERROR %%~nf>> "%REPORT_FILE%"
+                findstr /c:"<<< ERROR" "%%f" >> "%REPORT_FILE%"
+            ) else (
+                findstr /c:"Tests run:" "%%f" >nul 2>&1
+                if not errorlevel 1 (
+                    echo   PASS  %%~nf>> "%REPORT_FILE%"
+                )
             )
         )
     )
diff --git a/.github/scripts/run_it.sh b/.github/scripts/run_it.sh
index 5d3e69ad..711dcafe 100644
--- a/.github/scripts/run_it.sh
+++ b/.github/scripts/run_it.sh
@@ -19,15 +19,21 @@
 #   --skip-build      Skip the clean+compile step (reuse existing target/ from a previous build)
 #
 # How it works:
-#   This script uses the Maven lifecycle phase "verify" with -DskipTests=true.
-#   This ensures that all systemPropertyVariables defined in the pom.xml for
-#   the maven-failsafe-plugin are correctly injected (orchestrator URL,
+#   This script uses the Maven lifecycle phase "verify" with -Dskip.unit.tests=true.
+#   This property is defined in pom.xml and wired only to maven-surefire-plugin's
+#   <skip> configuration, so unit tests (Surefire) are skipped while integration
+#   tests (Failsafe) still run. All systemPropertyVariables defined in the pom.xml
+#   for the maven-failsafe-plugin are correctly injected (orchestrator URL,
 #   SonarQube version, plugin paths, etc.). Using standalone goals like
 #   "failsafe:integration-test" would NOT inject those properties.
 #
-#   - Without --skip-build: runs "mvnw clean verify -DskipTests=true"
+#   IMPORTANT: Do NOT use -DskipTests=true here. Since Maven Failsafe 3.x,
+#   -DskipTests=true also skips integration tests, producing 0 tests run.
+#   Use -Dskip.unit.tests=true instead (custom property wired to surefire only).
+#
+#   - Without --skip-build: runs "mvnw clean verify -Dskip.unit.tests=true"
 #     (full clean build + IT)
-#   - With --skip-build: runs "mvnw verify -DskipTests=true" (no clean;
+#   - With --skip-build: runs "mvnw verify -Dskip.unit.tests=true" (no clean;
 #     Maven detects compiled classes are up-to-date, repackages quickly, runs IT)
 #
 #   If review_pr.sh was already run, the target/ directory contains the JAR.
@@ -96,7 +102,8 @@ fi
 # --- Compose Maven command ---
 # Use the Maven lifecycle "verify" so that all pom.xml systemPropertyVariables
 # are correctly injected into the failsafe plugin execution.
-MVN_CMD="verify -DskipTests=true"
+# IMPORTANT: Do NOT use -DskipTests=true (skips failsafe too since 3.x).
+MVN_CMD="verify -Dskip.unit.tests=true"
 
 if [[ "$SKIP_BUILD" == "false" ]]; then
     MVN_CMD="clean $MVN_CMD"