v0.10.0 — cross-service, scheduled and transactional sources
The last block of the robustness roadmap: untrusted data that does not arrive on the immediate HTTP request. 30/30 vulnerable benchmark cases, 0 false positives.
@FeignClient results (cross-service)
A value returned by a Feign client comes from a downstream service and is untrusted at the caller. Modelling it as a source catches injection that crosses a service boundary, which tools that treat Feign results as clean data miss.
@Scheduled entry points
Scheduled jobs take no request parameters, so handler-only analyzers never look at them. They are now analysis entry points, so external/persisted data they read internally (e.g. a @Repository read) can be followed to a sink.
@Transactional write-then-read
Input persisted and read back within one transaction is covered by the @Repository-read source model.
All three are String-only to stay precise (no false positives on the benchmark's safe cases). Propagating taint through entity/DTO getters would broaden recall at the cost of precision and is intentionally left out.
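As an added example (not the project's own code or one of its benchmark cases), the three source patterns above written as one Spring service, with a bound-parameter variant as the safe counterpart. It assumes Spring Boot with Spring Cloud OpenFeign and JdbcTemplate; LookupClient, NoteRepository, ReportService and the table names are hypothetical.

```java
// Assumed stack: Spring Boot, Spring Cloud OpenFeign, JdbcTemplate. All names below are hypothetical.
import org.springframework.cloud.openfeign.FeignClient;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.stereotype.*;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.bind.annotation.*;

@FeignClient(name = "lookup-service")
interface LookupClient {
    @GetMapping("/alias/{id}")
    String alias(@PathVariable("id") String id); // source: produced by another service, untrusted here
}

@Repository
class NoteRepository {
    private final JdbcTemplate jdbc;
    NoteRepository(JdbcTemplate jdbc) { this.jdbc = jdbc; }
    void save(long id, String body) { jdbc.update("insert into note(id, body) values (?, ?)", id, body); }
    // @Repository read returning a String: the persisted value re-enters the program as untrusted data
    String bodyOf(long id) { return jdbc.queryForObject("select body from note where id = ?", String.class, id); }
}

@Service
class ReportService {
    private final LookupClient lookup;
    private final NoteRepository notes;
    private final JdbcTemplate jdbc;
    ReportService(LookupClient l, NoteRepository n, JdbcTemplate j) { lookup = l; notes = n; jdbc = j; }

    // 1. Cross-service: the Feign result is concatenated into SQL text.
    int countByAlias(String id) {
        String alias = lookup.alias(id);
        return jdbc.queryForObject("select count(*) from report where alias = '" + alias + "'", Integer.class);
    }

    // 2. Scheduled entry point: no request parameter, but a persisted String reaches the same sink.
    @Scheduled(fixedDelay = 60_000)
    void purgeStale() {
        jdbc.update("delete from report where tag = '" + notes.bodyOf(1L) + "'");
    }

    // 3. Write-then-read in one transaction: caller input is persisted, read back, and used in SQL text.
    @Transactional
    void store(long id, String body) {
        notes.save(id, body);
        jdbc.update("insert into audit(msg) values ('" + notes.bodyOf(id) + "')");
    }

    // Safe counterpart: the same untrusted value is passed as a bound parameter, never as SQL text.
    int countByAliasSafe(String id) {
        return jdbc.queryForObject("select count(*) from report where alias = ?", Integer.class, lookup.alias(id));
    }
}
```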
The taint analysis runs on JDK 17 (Tai-e 0.5.1 does not read JDK 21 bytecode).