
Bump org.atmosphere:atmosphere-runtime from 3.1.0 to 4.0.13 #2977

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/maven/org.atmosphere-atmosphere-runtime-4.0.13
dependabot bot commented on behalf of github Mar 18, 2026

Bumps org.atmosphere:atmosphere-runtime from 3.1.0 to 4.0.13.

Release notes

Sourced from org.atmosphere:atmosphere-runtime's releases.

Atmosphere 4.0.13

🐛 Fixed

  • stash unstaged changes before rebase in release workflow
  • use recursive docs/ path in release commit step
  • adapt GrpcProcessor to Action record API
  • sync version constant with package.json and eliminate hardcoded version
  • fix contract violations in Response, Request, and diagnostics

🔧 Changed

  • fix doc version drift and automate version updates in release pipeline
  • extract shared hook lifecycle and expose manual controls
  • extract NoOpsRequest and stream adapters from AtmosphereRequestImpl
  • isolate container patching into ContainerPatcher with opt-out
  • centralize reflective type registry for Spring AOT and Quarkus native
  • use Duration for time-based configuration properties
  • decompose AtmosphereResponseImpl into ResponseWriter and metadata
  • replace boolean soup with LifecycleState in AtmosphereResourceImpl
  • extract lifecycle and membership from DefaultBroadcaster
  • extract init pipeline into FrameworkBootstrap
  • centralize annotation metadata into AtmosphereAnnotations registry
  • use Duration for time-based configuration properties
  • convert Body to sealed interface with StringBody, BytesBody, EmptyBody records
  • remove redundant method re-declarations from Request/Response interfaces
  • convert configureTransport to switch expression

Full Changelog: Atmosphere/atmosphere@atmosphere-4.0.11...atmosphere-4.0.13

Atmosphere 4.0.11

Fixed

  • WebSocket XSS sanitization bypass. Disabled HTML sanitization for WebSocket transport — HTML-encoding JSON in WebSocket frames broke the AI streaming wire protocol.
  • XSS and insecure cookie hardening. Sanitize HTML output in write methods and set the Secure flag on cookies over HTTPS.

Changed

  • Token → Streaming Text rename. All AI module APIs, javadoc, and the atmosphere.js client now use "streaming text" instead of "token" to describe LLM output chunks. This affects method names (onToken → onStreamingText, totalTokens → totalStreamingTexts), field names, and the wire protocol message type ("token" → "streaming-text"). This is a breaking change for atmosphere.js consumers and custom AiStreamBroadcastFilter implementations.
  • Javadoc published to GitHub Pages. API docs for atmosphere-runtime are now deployed automatically to async-io.org/apidocs.

... (truncated)

Commits
  • 5e4093a release: Atmosphere 4.0.13
  • e4796fd fix(ci): stash unstaged changes before rebase in release workflow
  • 3b499e9 fix(ci): use recursive docs/ path in release commit step
  • 993cd5c chore: fix doc version drift and automate version updates in release pipeline
  • 2c06edb fix(grpc): adapt GrpcProcessor to Action record API
  • ff562d6 refactor(js): extract shared hook lifecycle and expose manual controls
  • 61fae08 fix(js): sync version constant with package.json and eliminate hardcoded version
  • b5d1cbb refactor(cpr): extract NoOpsRequest and stream adapters from AtmosphereReques...
  • b8fdd8a refactor(cpr): isolate container patching into ContainerPatcher with opt-out
  • f34e61e refactor(cpr): centralize reflective type registry for Spring AOT and Quarkus...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.



Bumps [org.atmosphere:atmosphere-runtime](https://github.com/Atmosphere/atmosphere) from 3.1.0 to 4.0.13.
- [Release notes](https://github.com/Atmosphere/atmosphere/releases)
- [Changelog](https://github.com/Atmosphere/atmosphere/blob/main/CHANGELOG.md)
- [Commits](Atmosphere/atmosphere@atmosphere-project-3.1.0...atmosphere-4.0.13)

---
updated-dependencies:
- dependency-name: org.atmosphere:atmosphere-runtime
  dependency-version: 4.0.13
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the dependencies (Pull requests that update a dependency file) and java (Pull requests that update Java code) labels Mar 18, 2026

dependabot bot commented on behalf of github Mar 20, 2026

Superseded by #2981.

dependabot bot closed this Mar 20, 2026
dependabot bot deleted the dependabot/maven/org.atmosphere-atmosphere-runtime-4.0.13 branch March 20, 2026 02:51