WW-5622 docs: add spec and implementation plan

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: lukaszlenart

docs/superpowers/plans/2026-04-04-ww5622-proxyutil-hibernate-presence-cache.md

@@ -0,0 +1,113 @@
+# WW-5622: Cache Hibernate Class Presence in ProxyUtil
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Eliminate repeated `NoClassDefFoundError` exceptions in `ProxyUtil` when Hibernate is absent from the classpath, fixing severe performance degradation.
+
+**Architecture:** Add a one-time `Class.forName()` check at class-load time stored in a static `boolean HIBERNATE_AVAILABLE`. Guard all three Hibernate-touching methods with this flag to short-circuit immediately when Hibernate is absent.
+
+**Tech Stack:** Java, JUnit 4
+
+**JIRA:** [WW-5622](https://issues.apache.org/jira/browse/WW-5622)
+**Spec:** `docs/superpowers/specs/2026-04-02-proxyutil-hibernate-presence-cache-design.md`
+
+---
+
+### File Map
+
+- **Modify:** `core/src/main/java/com/opensymphony/xwork2/util/ProxyUtil.java` — add `HIBERNATE_AVAILABLE` field, `detectHibernate()` method, and guard checks in 3 methods
+
+---
+
+### Task 1: Add HIBERNATE_AVAILABLE detection and guard all Hibernate methods
+
+**Files:**
+- Modify: `core/src/main/java/com/opensymphony/xwork2/util/ProxyUtil.java:46-53` (add field after constants)
+- Modify: `core/src/main/java/com/opensymphony/xwork2/util/ProxyUtil.java:155-161` (guard `isHibernateProxy`)
+- Modify: `core/src/main/java/com/opensymphony/xwork2/util/ProxyUtil.java:168-176` (guard `isHibernateProxyMember`)
+- Modify: `core/src/main/java/com/opensymphony/xwork2/util/ProxyUtil.java:305-311` (guard `getHibernateProxyTarget`)
+
+- [ ] **Step 1: Add the static detection field and method**
+
+After line 52 (`private static final int CACHE_INITIAL_CAPACITY = 256;`), add:
+
+```java
+private static final boolean HIBERNATE_AVAILABLE = detectHibernate();
+
+private static boolean detectHibernate() {
+    try {
+        Class.forName("org.hibernate.proxy.HibernateProxy");
+        return true;
+    } catch (ClassNotFoundException e) {
+        return false;
+    }
+}
+```
+
+- [ ] **Step 2: Guard `isHibernateProxy`**
+
+In `isHibernateProxy(Object object)` (line 155), add guard before the try block. The method becomes:
+
+```java
+public static boolean isHibernateProxy(Object object) {
+    if (!HIBERNATE_AVAILABLE) return false;
+    try {
+        return object != null && HibernateProxy.class.isAssignableFrom(object.getClass());
+    } catch (NoClassDefFoundError ignored) {
+        return false;
+    }
+}
+```
+
+- [ ] **Step 3: Guard `isHibernateProxyMember`**
+
+In `isHibernateProxyMember(Member member)` (line 168), add guard before the try block. The method becomes:
+
+```java
+public static boolean isHibernateProxyMember(Member member) {
+    if (!HIBERNATE_AVAILABLE) return false;
+    try {
+        Class<?> clazz = ClassLoaderUtil.loadClass(HIBERNATE_HIBERNATEPROXY_CLASS_NAME, ProxyUtil.class);
+        return hasMember(clazz, member);
+    } catch (ClassNotFoundException ignored) {
+    }
+
+    return false;
+}
+```
+
+- [ ] **Step 4: Guard `getHibernateProxyTarget`**
+
+In `getHibernateProxyTarget(Object object)` (line 305), add guard before the try block. The method becomes:
+
+```java
+public static Object getHibernateProxyTarget(Object object) {
+    if (!HIBERNATE_AVAILABLE) return object;
+    try {
+        return Hibernate.unproxy(object);
+    } catch (NoClassDefFoundError ignored) {
+        return object;
+    }
+}
+```
+
+- [ ] **Step 5: Run existing tests to verify no regression**
+
+Run: `./mvnw -pl core clean test -Dtest=com.opensymphony.xwork2.util.** -DfailIfNoTests=false`
+Expected: All tests PASS. Since Hibernate IS on the test classpath, `HIBERNATE_AVAILABLE` will be `true` and all code paths execute as before.
+
+Run: `./mvnw -pl plugins/spring clean test -Dtest=com.opensymphony.xwork2.spring.SpringProxyUtilTest`
+Expected: All 3 test methods PASS.
+
+- [ ] **Step 6: Commit**
+
+```bash
+git add core/src/main/java/com/opensymphony/xwork2/util/ProxyUtil.java
+git commit -m "WW-5622 perf(core): cache Hibernate class presence to avoid repeated NoClassDefFoundError
+
+Detect Hibernate availability once at class-load time via Class.forName()
+and short-circuit all Hibernate-related methods immediately when absent.
+This eliminates repeated NoClassDefFoundError exceptions that cause
+significant performance degradation in applications without Hibernate
+on the classpath."
+```

docs/superpowers/specs/2026-04-02-proxyutil-hibernate-presence-cache-design.md

@@ -0,0 +1,69 @@
+# ProxyUtil: Cache Hibernate Class Presence to Avoid NoClassDefFoundError Performance Penalty
+
+**Date:** 2026-04-02
+**JIRA:** [WW-5622](https://issues.apache.org/jira/browse/WW-5622)
+**Issue:** CVE-2026-0603 (hibernate-core 5.x), performance degradation from repeated NoClassDefFoundError
+**Scope:** `core/src/main/java/com/opensymphony/xwork2/util/ProxyUtil.java`
+
+## Problem
+
+`ProxyUtil` has compile-time imports of `org.hibernate.proxy.HibernateProxy` and `org.hibernate.Hibernate`. Since `hibernate-core` is an `<optional>` dependency of `struts-core`, most applications don't have it on the classpath.
+
+When Hibernate is absent, every call to `isHibernateProxy()` throws and catches a `NoClassDefFoundError`. Since `isProxy()` and `isProxyMember()` are invoked on every OGNL evaluation, this produces hundreds of thousands of caught errors per request cycle, severely degrading performance.
+
+Note: `isProxy()` results are cached per class, but `isProxyMember()` at line 135 calls `isHibernateProxy()` directly (outside the cache check), so the error is thrown on every unique `(member, object)` pair.
+
+## Solution
+
+Add a static `boolean hibernateAvailable` field to `ProxyUtil`, resolved once at class-load time. All Hibernate-touching methods check this flag first and short-circuit immediately when Hibernate is absent.
+
+### Implementation
+
+Add to `ProxyUtil`:
+
+```java
+private static final boolean HIBERNATE_AVAILABLE = detectHibernate();
+
+private static boolean detectHibernate() {
+    try {
+        Class.forName("org.hibernate.proxy.HibernateProxy");
+        return true;
+    } catch (ClassNotFoundException e) {
+        return false;
+    }
+}
+```
+
+Guard each Hibernate method with the flag:
+
+1. **`isHibernateProxy(Object object)`** (line 155) — add `if (!HIBERNATE_AVAILABLE) return false;` before the try block.
+2. **`isHibernateProxyMember(Member member)`** (line 168) — add `if (!HIBERNATE_AVAILABLE) return false;` before the try block.
+3. **`getHibernateProxyTarget(Object object)`** (line 305) — add `if (!HIBERNATE_AVAILABLE) return object;` before the try block.
+
+### What stays the same
+
+- Compile-time imports of `HibernateProxy` and `Hibernate` remain (JVM won't resolve them unless the guarded code paths execute).
+- Existing `isProxyCache` and `isProxyMemberCache` caching remains.
+- The `catch (NoClassDefFoundError)` blocks remain as defensive safety nets (they just won't fire anymore).
+- Behavior when Hibernate IS present is completely unchanged.
+
+### Difference from Struts 7 PR (#1649)
+
+The Struts 7 PR catches `LinkageError` (broader). We intentionally keep catching only `NoClassDefFoundError` (narrower). If Hibernate jars are on the classpath but have missing transitive dependencies, that's a real deployment problem — the resulting `LinkageError` should propagate to the user rather than being silently swallowed.
+
+## Testing
+
+- Existing `ProxyUtil` tests pass unchanged (Hibernate is on the test classpath via the optional dependency).
+- The class-load-time check is inherently validated by any environment without Hibernate on the classpath.
+
+## User-Facing Advice (for CVE-2026-0603 reporters)
+
+Upgrading `hibernate-core` from 5.6.15 to any later 5.6.x or 5.7.x release is safe with Struts 6.8.0. Struts only uses:
+- `org.hibernate.proxy.HibernateProxy` (interface assignability check)
+- `Hibernate.unproxy()` (static utility method)
+
+Both are stable across Hibernate 5.x. Do NOT upgrade to Hibernate 6.x — the package namespace changed from `org.hibernate` to `org.hibernate.orm`.
+
+## Files Modified
+
+- `core/src/main/java/com/opensymphony/xwork2/util/ProxyUtil.java` — add static initializer and guard checks