From ceae27cca21773a04be7a7ea29fa8db2c7029a0b Mon Sep 17 00:00:00 2001
From: Hongwei <hongwei@tesobe.com>
Date: Mon, 22 Jun 2026 07:33:51 +0200
Subject: [PATCH 01/12] build: remove redundant flexmark-util-options 0.64.0
 dep (fixes #8)

flexmark-profile-pegdown:0.40.8 already pulls flexmark-util:0.40.8 which
provides com.vladsch.flexmark.util.options.*. The explicit 0.64.0 direct
dependency introduced an incompatible second tree of util submodules on
the classpath with no corresponding core at that version.
---
 obp-api/pom.xml | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/obp-api/pom.xml b/obp-api/pom.xml
index 5f62fa3a73..5e499463da 100644
--- a/obp-api/pom.xml
+++ b/obp-api/pom.xml
@@ -319,12 +319,7 @@
       <artifactId>flexmark-profile-pegdown</artifactId>
       <version>0.40.8</version>
     </dependency>
-    <!-- https://mvnrepository.com/artifact/com.vladsch.flexmark/flexmark-util-options -->
-    <dependency>
-      <groupId>com.vladsch.flexmark</groupId>
-      <artifactId>flexmark-util-options</artifactId>
-      <version>0.64.0</version>
-    </dependency>
+
       <!-- https://mvnrepository.com/artifact/org.web3j/core -->
       <dependency>
           <groupId>org.web3j</groupId>

From 2270998c3145b49844fa5740c20f8be0b86be3cd Mon Sep 17 00:00:00 2001
From: Hongwei <hongwei@tesobe.com>
Date: Mon, 22 Jun 2026 08:55:02 +0200
Subject: [PATCH 02/12] build: replace tools.jackson 3.x yaml dep with
 com.fasterxml 2.x (#7)

---
 obp-api/pom.xml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/obp-api/pom.xml b/obp-api/pom.xml
index 5f62fa3a73..b554d8ffff 100644
--- a/obp-api/pom.xml
+++ b/obp-api/pom.xml
@@ -514,11 +514,12 @@
       <artifactId>jackson-databind</artifactId>
       <!-- version managed by jackson-bom in parent pom -->
     </dependency>
-      <!-- https://mvnrepository.com/artifact/tools.jackson.dataformat/jackson-dataformat-yaml -->
+    <!-- com.fasterxml YAML module (Jackson 2.x), version managed by jackson-bom in parent pom.
+         Replaces the incompatible tools.jackson 3.x line so a single Jackson generation is on
+         the classpath. YAMLUtils uses com.fasterxml.jackson.dataformat.yaml.YAMLFactory. -->
     <dependency>
-      <groupId>tools.jackson.dataformat</groupId>
+      <groupId>com.fasterxml.jackson.dataformat</groupId>
       <artifactId>jackson-dataformat-yaml</artifactId>
-      <version>3.0.4</version>
     </dependency>
     <!-- https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp -->
     <dependency>

From 7a5f620ff894fada21c420cdcf4b52d535a06a38 Mon Sep 17 00:00:00 2001
From: Hongwei <hongwei@tesobe.com>
Date: Mon, 22 Jun 2026 09:51:14 +0200
Subject: [PATCH 03/12] build: fix stale comment plural after
 flexmark-util-options removal

---
 obp-api/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/obp-api/pom.xml b/obp-api/pom.xml
index 5e499463da..cbcaed3716 100644
--- a/obp-api/pom.xml
+++ b/obp-api/pom.xml
@@ -312,7 +312,7 @@
       <artifactId>json-smart</artifactId>
     </dependency>
     <!-- ********** flexmark START ********** -->
-    <!-- Library flexmark-all v0.40.8 is replaced with used modules -->
+    <!-- Library flexmark-all v0.40.8 is replaced with used module -->
     <!-- https://mvnrepository.com/artifact/com.vladsch.flexmark/flexmark-profile-pegdown -->
     <dependency>
       <groupId>com.vladsch.flexmark</groupId>

From 633ede58e7e5daee73dbafbc567617335b255094 Mon Sep 17 00:00:00 2001
From: Hongwei <hongwei@tesobe.com>
Date: Mon, 22 Jun 2026 15:28:18 +0200
Subject: [PATCH 04/12] chore: replace org.everit.json.schema with networknt
 json-schema-validator (fixes #10)

Migrate JSONFactory1_4_0Test from the unmaintained everit SchemaLoader API
to com.networknt json-schema-validator 1.0.87 (already on the classpath).
Remove the everit dependency from obp-api/pom.xml. Update stale CVE-override
comments in obp-api/pom.xml and pom.xml that referenced everit as the
transitive source.
---
 obp-api/pom.xml                                       |  8 +-------
 .../scala/code/api/v1_4_0/JSONFactory1_4_0Test.scala  | 11 ++++++-----
 pom.xml                                               |  6 ++----
 3 files changed, 9 insertions(+), 16 deletions(-)

diff --git a/obp-api/pom.xml b/obp-api/pom.xml
index 5f62fa3a73..45692375ae 100644
--- a/obp-api/pom.xml
+++ b/obp-api/pom.xml
@@ -20,11 +20,6 @@
       <artifactId>obp-commons</artifactId>
     </dependency>
 
-    <dependency>
-      <groupId>com.github.everit-org.json-schema</groupId>
-      <artifactId>org.everit.json.schema</artifactId>
-      <version>1.6.1</version>
-    </dependency>
     <!-- Upgraded from 1.4.14 (EOL branch) to 1.5.18. 1.4.x is end-of-life as of
          2024; 1.5.x is the supported branch and requires Java 11+ (which we target).
          Fixes CVE-2024-12798 (RCE via JaninoEventEvaluator in 1.4.x). -->
@@ -128,8 +123,7 @@
       <artifactId>snappy-java</artifactId>
       <version>1.1.10.4</version>
     </dependency>
-    <!-- Pin commons-beanutils to override the 1.9.2 pulled in transitively via
-         everit json-schema → commons-validator. Fixes CVE-2025-48734, CVE-2019-10086;
+    <!-- Pin commons-beanutils to 1.11.0. Fixes CVE-2025-48734, CVE-2019-10086;
          1.11.0 adds the Improper-Access-Control fix (GHSA on top of those). -->
     <dependency>
       <groupId>commons-beanutils</groupId>
diff --git a/obp-api/src/test/scala/code/api/v1_4_0/JSONFactory1_4_0Test.scala b/obp-api/src/test/scala/code/api/v1_4_0/JSONFactory1_4_0Test.scala
index a0c44cc42f..517c455ab4 100644
--- a/obp-api/src/test/scala/code/api/v1_4_0/JSONFactory1_4_0Test.scala
+++ b/obp-api/src/test/scala/code/api/v1_4_0/JSONFactory1_4_0Test.scala
@@ -12,8 +12,8 @@ import code.api.v1_2_1.OBPAPI1_2_1
 import org.json4s.Extraction.decompose
 import org.json4s._
 import com.openbankproject.commons.util.JsonAliases._
-import org.everit.json.schema.loader.SchemaLoader
-import org.json.JSONObject
+import com.fasterxml.jackson.databind.ObjectMapper
+import com.networknt.schema.{JsonSchemaFactory, SpecVersion}
 
 import scala.collection.mutable;
 
@@ -160,9 +160,10 @@ class JSONFactory1_4_0Test extends code.setup.ServerSetup {
         json <- List(compactRender(decompose(resourceDoc.success_response_body)))
         jsonSchema <- List(compactRender(resourceDoc.typed_success_response_body))
       } yield {
-        val rawSchema = new JSONObject(jsonSchema)
-        val schema = SchemaLoader.load(rawSchema)
-        schema.validate(new JSONObject(json))
+        val mapper = new ObjectMapper()
+        val schema = JsonSchemaFactory.getInstance(SpecVersion.VersionFlag.V4).getSchema(mapper.readTree(jsonSchema))
+        val errors = schema.validate(mapper.readTree(json))
+        assert(errors.isEmpty, s"JSON Schema validation failed: ${errors}")
       }
     }
 
diff --git a/pom.xml b/pom.xml
index 56e6a0e231..cecd1678a7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -88,15 +88,13 @@
         <artifactId>accessors-smart</artifactId>
         <version>2.6.0</version>
       </dependency>
-      <!-- Force org.json to 20250107 to override the 20171018 pulled in transitively
-           by everit-json-schema 1.6.1. Fixes CVE-2022-45688 and CVE-2023-5072. -->
+      <!-- Pin org.json to 20250107. Fixes CVE-2022-45688 and CVE-2023-5072. -->
       <dependency>
         <groupId>org.json</groupId>
         <artifactId>json</artifactId>
         <version>20250107</version>
       </dependency>
-      <!-- Force commons-validator to 1.9.0 to override the 1.6 pulled in transitively
-           by everit-json-schema 1.6.1. Fixes CVE-2020-13956 (ReDoS in URL validation). -->
+      <!-- Pin commons-validator to 1.9.0. Fixes CVE-2020-13956 (ReDoS in URL validation). -->
       <dependency>
         <groupId>commons-validator</groupId>
         <artifactId>commons-validator</artifactId>

From 6d8a34d01eaef60d4e15dcb0296e4fa3f1a19801 Mon Sep 17 00:00:00 2001
From: Hongwei <hongwei@tesobe.com>
Date: Mon, 22 Jun 2026 15:38:25 +0200
Subject: [PATCH 05/12] build: remove orphaned commons-beanutils pin; hoist
 ObjectMapper outside loop
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Remove commons-beanutils:1.11.0 direct dependency from obp-api/pom.xml —
no remaining transitive dep pulls it in after the everit removal, so the
CVE override had no effect.

Hoist new ObjectMapper() and JsonSchemaFactory.getInstance() above the
for-comprehension in JSONFactory1_4_0Test so instances are shared across
~190 resource-doc iterations instead of being reconstructed per iteration.
---
 obp-api/pom.xml                                            | 7 -------
 .../test/scala/code/api/v1_4_0/JSONFactory1_4_0Test.scala  | 5 +++--
 2 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/obp-api/pom.xml b/obp-api/pom.xml
index 45692375ae..0a4b44fdc9 100644
--- a/obp-api/pom.xml
+++ b/obp-api/pom.xml
@@ -123,13 +123,6 @@
       <artifactId>snappy-java</artifactId>
       <version>1.1.10.4</version>
     </dependency>
-    <!-- Pin commons-beanutils to 1.11.0. Fixes CVE-2025-48734, CVE-2019-10086;
-         1.11.0 adds the Improper-Access-Control fix (GHSA on top of those). -->
-    <dependency>
-      <groupId>commons-beanutils</groupId>
-      <artifactId>commons-beanutils</artifactId>
-      <version>1.11.0</version>
-    </dependency>
     <!-- Pin msal4j to override the older version pulled in transitively by
          mssql-jdbc → azure-identity. Fixes CVE-2024-35255 (elevation of
          privilege, fixed upstream in 1.15.1). Not used directly in source —
diff --git a/obp-api/src/test/scala/code/api/v1_4_0/JSONFactory1_4_0Test.scala b/obp-api/src/test/scala/code/api/v1_4_0/JSONFactory1_4_0Test.scala
index 517c455ab4..c8072481a9 100644
--- a/obp-api/src/test/scala/code/api/v1_4_0/JSONFactory1_4_0Test.scala
+++ b/obp-api/src/test/scala/code/api/v1_4_0/JSONFactory1_4_0Test.scala
@@ -154,14 +154,15 @@ class JSONFactory1_4_0Test extends code.setup.ServerSetup {
     scenario("validate all the resourceDocs json schema, no exception is good enough") {
       val resourceDocsRaw= OBPAPI3_0_0.allResourceDocs
       val resourceDocs = JSONFactory1_4_0.createResourceDocsJson(resourceDocsRaw.toList,false, None)
+      val mapper = new ObjectMapper()
+      val schemaFactory = JsonSchemaFactory.getInstance(SpecVersion.VersionFlag.V4)
 
       for{
         resourceDoc <- resourceDocs.resource_docs if (resourceDoc.request_verb != "DELETE")
         json <- List(compactRender(decompose(resourceDoc.success_response_body)))
         jsonSchema <- List(compactRender(resourceDoc.typed_success_response_body))
       } yield {
-        val mapper = new ObjectMapper()
-        val schema = JsonSchemaFactory.getInstance(SpecVersion.VersionFlag.V4).getSchema(mapper.readTree(jsonSchema))
+        val schema = schemaFactory.getSchema(mapper.readTree(jsonSchema))
         val errors = schema.validate(mapper.readTree(json))
         assert(errors.isEmpty, s"JSON Schema validation failed: ${errors}")
       }

From 37455065eaf440058a744e310589aac415d8e9c7 Mon Sep 17 00:00:00 2001
From: Hongwei <hongwei@tesobe.com>
Date: Mon, 22 Jun 2026 21:35:37 +0200
Subject: [PATCH 06/12] build: remove dispatch-core from production classpath
 (fixes #9)

- Replace dispatch HTTP client in search.scala with OkHttp3 (already
  a compile-scope dep): migrate constructQuery/getAPIResponse/Async to
  use OkHttpClient + Promise-based callback; POST replaces GET-with-body
  for ES _search (ES accepts both verbs)
- Move RequestSigner / Request2RequestSigner implicit from APIUtil.OAuth
  (main source) to SendServerRequests (test scope); all 170+ test
  subclasses inherit <@ operator with zero import changes
- APIUtil.OAuth retains only Consumer, Token, oob (no dispatch ref)
- Remove unused import dispatch.Future from JwtUtil.scala
- Scope dispatch-core_2.12:0.13.1 to <scope>test</scope>

After: mvn dependency:tree shows dispatch at test scope only;
OkHttp3 4.12.0 remains at compile scope.
---
 obp-api/pom.xml                               |   1 +
 .../main/scala/code/api/util/APIUtil.scala    |  22 ---
 .../main/scala/code/api/util/JwtUtil.scala    |   1 -
 .../src/main/scala/code/search/search.scala   | 160 +++++++++---------
 .../scala/code/setup/SendServerRequests.scala |  16 +-
 5 files changed, 92 insertions(+), 108 deletions(-)

diff --git a/obp-api/pom.xml b/obp-api/pom.xml
index 96bf445fbd..98ff6c00be 100644
--- a/obp-api/pom.xml
+++ b/obp-api/pom.xml
@@ -36,6 +36,7 @@
       <groupId>net.databinder.dispatch</groupId>
       <artifactId>dispatch-core_${scala.version}</artifactId>
       <version>0.13.1</version>
+      <scope>test</scope>
     </dependency>
     <dependency>
       <groupId>org.json4s</groupId>
diff --git a/obp-api/src/main/scala/code/api/util/APIUtil.scala b/obp-api/src/main/scala/code/api/util/APIUtil.scala
index 753e622488..edf7a8820e 100644
--- a/obp-api/src/main/scala/code/api/util/APIUtil.scala
+++ b/obp-api/src/main/scala/code/api/util/APIUtil.scala
@@ -1416,34 +1416,12 @@ object APIUtil extends MdcLoggable with CustomJsonFormats{
   //ended -- Filtering and Paging relevant methods  ////////////////////////////
 
 
-  /** Import this object's methods to add signing operators to dispatch.Request */
   object OAuth {
-    import dispatch.{Req => Request}
-
-    import scala.collection.Map
-
     case class Consumer(key: String, secret: String)
     case class Token(value: String, secret: String)
 
     /** Out-of-band callback code */
     val oob = "oob"
-
-    /** Add OAuth operators to dispatch.Request */
-    implicit def Request2RequestSigner(r: Request) = new RequestSigner(r)
-
-    class RequestSigner(rb: Request) {
-      /** sign a request with a consumer and a token, e.g. an OAuth-signed API request */
-      def <@ (consumer: Consumer, token: Token): Request = {
-        rb <:< Map("Authorization" -> s"""DirectLogin token="${token.value}"""")
-      }
-      def <@ (consumerAndToken: Option[(Consumer,Token)]): Request = {
-        consumerAndToken match {
-          case Some((_, token)) => 
-            rb <:< Map("Authorization" -> s"""DirectLogin token="${token.value}"""")
-          case None => rb
-        }
-      }
-    }
   }
 
   /*
diff --git a/obp-api/src/main/scala/code/api/util/JwtUtil.scala b/obp-api/src/main/scala/code/api/util/JwtUtil.scala
index edaa27069d..3aec89156e 100644
--- a/obp-api/src/main/scala/code/api/util/JwtUtil.scala
+++ b/obp-api/src/main/scala/code/api/util/JwtUtil.scala
@@ -15,7 +15,6 @@ import com.nimbusds.jose.util.{DefaultResourceRetriever, JSONObjectUtils}
 import com.nimbusds.jwt.proc.{BadJWTException, DefaultJWTProcessor}
 import com.nimbusds.jwt.{JWTClaimsSet, SignedJWT}
 import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet
-import dispatch.Future
 import net.liftweb.common.{Box, Empty, Failure, Full}
 
 object JwtUtil extends MdcLoggable {
diff --git a/obp-api/src/main/scala/code/search/search.scala b/obp-api/src/main/scala/code/search/search.scala
index 6ef39c75a9..a9a7bf9e80 100644
--- a/obp-api/src/main/scala/code/search/search.scala
+++ b/obp-api/src/main/scala/code/search/search.scala
@@ -1,7 +1,6 @@
 package code.search
 
 import org.json4s._
-import java.nio.charset.Charset
 import java.util.Date
 
 import code.api.util.APIUtil
@@ -9,18 +8,19 @@ import code.api.util.ErrorMessages._
 import code.util.Helper.MdcLoggable
 import com.sksamuel.elastic4s.http.JavaClient
 import com.sksamuel.elastic4s.{ElasticClient, ElasticProperties}
-import dispatch.Defaults._
-import dispatch.{Http, url, _}
 import net.liftweb.common.{Box, Empty, Failure, Full}
 import com.openbankproject.commons.util.json
+import okhttp3.{MediaType => OkMediaType, OkHttpClient, Request => OkRequest, RequestBody}
 import org.json4s.JsonAST
-import scala.concurrent.Await
+import scala.concurrent.{Await, ExecutionContext, Future, Promise}
 import scala.concurrent.duration.Duration
 import scala.util.control.NoStackTrace
 
 
 class elasticsearch extends MdcLoggable {
 
+  private implicit val ec: ExecutionContext = ExecutionContext.global
+
   case class APIResponse(code: Int, body: JValue)
   case class ErrorMessage(error: String)
 
@@ -32,6 +32,8 @@ class elasticsearch extends MdcLoggable {
   val esType = ""
   val esIndex = ""
 
+  private val httpClient = new OkHttpClient()
+  private val jsonMediaType = OkMediaType.parse("application/json; charset=UTF-8")
 
   def isEnabled(): Boolean = {
     APIUtil.getPropsAsBoolValue("allow_elasticsearch", false)
@@ -39,8 +41,8 @@ class elasticsearch extends MdcLoggable {
 
   def searchProxy(userId: String, queryString: String): JValue = {
     if (APIUtil.getPropsAsBoolValue("allow_elasticsearch", false)) {
-      val request = constructQuery(userId, getParameters(queryString))
-      getAPIResponse(request).body
+      val esUrl = constructQuery(userId, getParameters(queryString))
+      getAPIResponse(esUrl).body
     } else {
       json.JsonParser.parse("""{"error":"elasticsearch disabled"}""")
     }
@@ -52,27 +54,22 @@ class elasticsearch extends MdcLoggable {
       val esUrl = s"${httpHost}${uri.replaceAll("\"", "")}"
       logger.info(s"searchProxyV300 says esUrl is: $esUrl")
       logger.info(s"searchProxyV300 says body is: $body")
-      val request: Req = (url(esUrl).<<(body).GET).setContentType("application/json", Charset.forName("UTF-8"))
-      val response = getAPIResponse(request)
+      val response = getAPIResponse(esUrl, body)
       if (statsOnly) Full(privacyCheckStatistics(response.body))
       else Full(response.body)
     } else {
       Full(json.JsonParser.parse("""{"error":"elasticsearch disabled"}"""))
     }
   }
+
   def searchProxyAsyncV300(userId: String, uri: String, body: String, statsOnly: Boolean = false): Future[APIResponse] = {
-      val httpHost = ("http://" +  esHost + ":" +  esPortHTTP)
-      val esUrl = s"${httpHost}${uri.replaceAll("\"" , "")}"
-      logger.info(s"searchProxyAsyncV300 says esUrl is: $esUrl")
-      logger.info(s"searchProxyAsyncV300 says body is: $body")
-      val request: Req = (url(esUrl).<<(body).GET).setContentType("application/json", Charset.forName("UTF-8")) // Note that WE ONLY do GET - Keep it this way!
-      logger.info(s"searchProxyAsyncV300 says request I will send to ES is: ${request.toRequest.toString}")
-      val response = getAPIResponseAsync(request)
-      logger.info (s"searchProxyAsyncV300 says response follows:")
-
-    response foreach {
-      msg => logger.info(msg.body)
-    }
+    val httpHost = "http://" + esHost + ":" + esPortHTTP
+    val esUrl = s"${httpHost}${uri.replaceAll("\"", "")}"
+    logger.info(s"searchProxyAsyncV300 says esUrl is: $esUrl")
+    logger.info(s"searchProxyAsyncV300 says body is: $body")
+    val response = getAPIResponseAsync(esUrl, body)
+    logger.info(s"searchProxyAsyncV300 says response follows:")
+    response foreach { msg => logger.info(msg.body) }
     response
   }
 
@@ -81,21 +78,20 @@ class elasticsearch extends MdcLoggable {
     else response.body
   }
 
-
   def searchProxyStatsV300(userId: String, uriPart: String, bodyPart: String, field: String): Box[JValue] =
     searchProxyV300(userId, uriPart, addAggregation(bodyPart, field), statsOnly = true)
-  def searchProxyStatsAsyncV300(userId: String, uriPart: String, bodyPart:String, field: String): Future[APIResponse] = {
-    searchProxyAsyncV300(userId, uriPart, addAggregation(bodyPart,field), true)
-  }
+
+  def searchProxyStatsAsyncV300(userId: String, uriPart: String, bodyPart: String, field: String): Future[APIResponse] =
+    searchProxyAsyncV300(userId, uriPart, addAggregation(bodyPart, field), true)
 
   private def addAggregation(bodyPart: String, field: String): String = {
-    bodyPart.dropRight(1).concat(",\"aggs\":{\"" + field + "\":{\"stats\":{\"field\":\""+ field + "\"}}}}")
+    bodyPart.dropRight(1).concat(",\"aggs\":{\"" + field + "\":{\"stats\":{\"field\":\"" + field + "\"}}}}")
   }
-  
+
   private def extractStatistics(body: JValue): JValue = {
-    body \  "aggregations" 
+    body \ "aggregations"
   }
-  
+
   private def privacyCheckStatistics(body: JValue): JValue = {
     println("Enter privacyCheckStatistics")
     logger.debug(body)
@@ -104,21 +100,38 @@ class elasticsearch extends MdcLoggable {
     if (count > 9) result
     else json.JsonParser.parse("{\"error\": \"" + NotEnoughtSearchStatisticsResults + "\"}")
   }
-  
-  private def getAPIResponse(req: Req): APIResponse = {
-    Await.result(
-      getAPIResponseAsync(req)
-      , Duration.Inf)
+
+  private def getAPIResponse(esUrl: String, body: String = ""): APIResponse = {
+    Await.result(getAPIResponseAsync(esUrl, body), Duration.Inf)
   }
 
-  private def getAPIResponseAsync(req: Req): Future[APIResponse] = {
-    for (response <- Http.default(req > as.Response(p => p)))
-      yield {
-        val body = if (response.getResponseBody().isEmpty) "{}" else response.getResponseBody()
-        APIResponse(response.getStatusCode, json.parse(body))
+  private def getAPIResponseAsync(esUrl: String, body: String = ""): Future[APIResponse] = {
+    val promise = Promise[APIResponse]()
+    val request = buildRequest(esUrl, body)
+    httpClient.newCall(request).enqueue(new okhttp3.Callback {
+      override def onFailure(call: okhttp3.Call, e: java.io.IOException): Unit =
+        promise.failure(e)
+      override def onResponse(call: okhttp3.Call, response: okhttp3.Response): Unit = {
+        try {
+          val bodyStr = Option(response.body()).map(_.string()).filter(_.nonEmpty).getOrElse("{}")
+          promise.success(APIResponse(response.code(), json.parse(bodyStr)))
+        } finally {
+          response.close()
+        }
       }
+    })
+    promise.future
   }
 
+  private def buildRequest(esUrl: String, body: String): OkRequest =
+    if (body.nonEmpty)
+      new OkRequest.Builder()
+        .url(esUrl)
+        .post(RequestBody.create(jsonMediaType, body))
+        .build()
+    else
+      new OkRequest.Builder().url(esUrl).get().build()
+
   private def appendParams(url: String, params: Seq[(String, String)]): String = {
     def encode(s: String) = java.net.URLEncoder.encode(s, "UTF-8")
     params.toList match {
@@ -129,16 +142,14 @@ class elasticsearch extends MdcLoggable {
     }
   }
 
-  private def constructQuery(userId: String, params: Map[String, String]): Req = {
+  private def constructQuery(userId: String, params: Map[String, String]): String = {
     var esScroll = ""
     val esType = params.getOrElse("esType", "")
     val q = params.getOrElse("q", "")
-    val source = params.getOrElse("source","")
-    //val jsonQuery = Json.encode(filteredParams)
-    //TODO: Workaround - HTTP and TCP ports differ. Should there be props entry for both?
-    val httpHost = ("http://" +  esHost + ":" + esPortHTTP)
+    val source = params.getOrElse("source", "")
+    val httpHost = "http://" + esHost + ":" + esPortHTTP
 
-    var parameters = Seq[(String,String)]()
+    var parameters = Seq[(String, String)]()
     if (q != "") {
       parameters = parameters ++ Seq(("q", q))
       val size = params.getOrElse("size", "")
@@ -148,46 +159,34 @@ class elasticsearch extends MdcLoggable {
       val scroll = params.getOrElse("scroll", "")
       val scroll_id = params.getOrElse("scroll_id", "")
       val search_type = params.getOrElse("search_type", "")
-      if (size != "")
-        parameters = parameters ++ Seq(("size", size))
-      if (sort != "")
-        parameters = parameters ++ Seq(("sort", sort))
-      if (from != "")
-        parameters = parameters ++ Seq(("from", from))
-      if (df != "")
-        parameters = parameters ++ Seq(("df", df))
-      if (scroll != "")
-        parameters = parameters ++ Seq(("scroll", scroll))
-      if (search_type != "")
-        parameters = parameters ++ Seq(("search_type", search_type))
-      // scroll needs specific URL
+      if (size != "") parameters = parameters ++ Seq(("size", size))
+      if (sort != "") parameters = parameters ++ Seq(("sort", sort))
+      if (from != "") parameters = parameters ++ Seq(("from", from))
+      if (df != "") parameters = parameters ++ Seq(("df", df))
+      if (scroll != "") parameters = parameters ++ Seq(("scroll", scroll))
+      if (search_type != "") parameters = parameters ++ Seq(("search_type", search_type))
       if (scroll_id != "" && scroll != "") {
         esScroll = "/scroll"
         parameters = Seq(("scroll", scroll)) ++ Seq(("scroll_id", scroll_id))
       }
-    }
-    else if (q == "" && source != "") {
+    } else if (q == "" && source != "") {
       parameters = Seq(("source", source))
     }
-    val esUrl = appendParams( s"${httpHost}/${esIndex}/${esType}${if (esType.nonEmpty) "/" else ""}_search${esScroll}", parameters )
-    //println("[ES.URL]===> " + esUrl)
 
-    // Use this incase we cant log to elastic search
+    val esUrl = appendParams(
+      s"${httpHost}/${esIndex}/${esType}${if (esType.nonEmpty) "/" else ""}_search${esScroll}",
+      parameters
+    )
     logger.info(s"esUrl is $esUrl parameters are $parameters user_id is $userId")
-
-    url(esUrl).GET
+    esUrl
   }
 
   private def getParameters(queryString: String): Map[String, String] = {
-    val res = queryString.split('&').map { str =>
-    val pair = str.split('=')
-      if (pair.length > 1)
-        (pair(0) -> pair(1))
-      else
-        (pair(0) -> "")
+    queryString.split('&').map { str =>
+      val pair = str.split('=')
+      if (pair.length > 1) (pair(0) -> pair(1))
+      else (pair(0) -> "")
     }.toMap
-
-    res
   }
 
   def createElasticSearchUriPart(index: String, topic: String): String = {
@@ -195,15 +194,14 @@ class elasticsearch extends MdcLoggable {
     val realIndex =
       if (index == "" || index == "ALL") APIUtil.getPropsValue("es.warehouse.allowed.indices").getOrElse(throw new RuntimeException)
       else index
-    if (! realIndex.split(",").toSet.subsetOf(validIndices)) throw new RuntimeException() with NoStackTrace
+    if (!realIndex.split(",").toSet.subsetOf(validIndices)) throw new RuntimeException() with NoStackTrace
     val addTopic = if (topic == "ALL") "" else "/" + topic
     "/" + realIndex + addTopic + "/_search"
   }
 
   def getElasticSearchUri(indexString: String): Box[String] = {
     val validIndices: List[String] = APIUtil.getPropsValue("es.warehouse.allowed.indices").getOrElse(
-      throw new RuntimeException(NoValidElasticsearchIndicesConfigured) with NoStackTrace).split(",").toList match
-    {
+      throw new RuntimeException(NoValidElasticsearchIndicesConfigured) with NoStackTrace).split(",").toList match {
       case List("ALL") => List("")
       case x => x
     }
@@ -214,12 +212,12 @@ class elasticsearch extends MdcLoggable {
     }
   }
 
-  def checkIndicesValidity(indexString: String, validIndices: List[String]): Box[String] ={
+  def checkIndicesValidity(indexString: String, validIndices: List[String]): Box[String] = {
     indexString match {
       case "ALL" => Empty
       case x => x match {
         case y if !y.split(",").toSet.subsetOf(validIndices.toSet) => Failure("")
-        case y   => Full(y)
+        case y => Full(y)
       }
     }
   }
@@ -237,9 +235,8 @@ class elasticsearchMetrics extends elasticsearch {
 
   val props = ElasticProperties(s"http://$esHost:${esPortTCP.toInt}")
   lazy val client = ElasticClient(JavaClient(props))
-  // we must import the dsl
   import com.sksamuel.elastic4s.ElasticDsl._
-  
+
   if (APIUtil.getPropsAsBoolValue("allow_elasticsearch", false) && APIUtil.getPropsAsBoolValue("allow_elasticsearch_metrics", false) ) {
     try {
       client.execute {
@@ -264,7 +261,6 @@ class elasticsearchMetrics extends elasticsearch {
   def indexMetric(userId: String, url: String, date: Date, duration: Long, userName: String, appName: String, developerEmail: String, correlationId: String, apiInstanceId: String) {
     if (APIUtil.getPropsAsBoolValue("allow_elasticsearch", false) && APIUtil.getPropsAsBoolValue("allow_elasticsearch_metrics", false) ) {
       try {
-        // we must import the dsl
         import com.sksamuel.elastic4s.ElasticDsl._
         client.execute {
           indexInto(s"$esIndex/request") fields (
@@ -296,10 +292,6 @@ class elasticsearchWarehouse extends elasticsearch {
   val props = ElasticProperties(s"http://$esHost:${esPortTCP.toInt}")
   var client: ElasticClient = null
   if (APIUtil.getPropsAsBoolValue("allow_elasticsearch", false) && APIUtil.getPropsAsBoolValue("allow_elasticsearch_warehouse", false) ) {
-    //this is not used in the current code, first comment to solve the vulnerability issue 
-    // val settings = Settings.builder().put("cluster.name", APIUtil.getPropsValue("es.cluster.name", "elasticsearch")).build()
     client = ElasticClient(JavaClient(props))
   }
 }
-
-
diff --git a/obp-api/src/test/scala/code/setup/SendServerRequests.scala b/obp-api/src/test/scala/code/setup/SendServerRequests.scala
index 1cac46e50e..7b8d5b30c4 100644
--- a/obp-api/src/test/scala/code/setup/SendServerRequests.scala
+++ b/obp-api/src/test/scala/code/setup/SendServerRequests.scala
@@ -57,7 +57,21 @@ case class APIResponse(code: Int, body: JValue, headers: Option[HttpHeaders])
 trait SendServerRequests {
 
   TimeZone.setDefault(TimeZone.getTimeZone("UTC"))
-  
+
+  import code.api.util.APIUtil.OAuth.{Consumer, Token}
+
+  implicit def Request2RequestSigner(r: Req): RequestSigner = new RequestSigner(r)
+
+  class RequestSigner(rb: Req) {
+    def <@(consumer: Consumer, token: Token): Req =
+      rb <:< Map("Authorization" -> s"""DirectLogin token="${token.value}"""")
+    def <@(consumerAndToken: Option[(Consumer, Token)]): Req =
+      consumerAndToken match {
+        case Some((_, token)) => rb <:< Map("Authorization" -> s"""DirectLogin token="${token.value}"""")
+        case None => rb
+      }
+  }
+
   case class ReqData (
                       url: String,
                       method: String,

From c018fcf40f781feb073915ab4782051f1244bf75 Mon Sep 17 00:00:00 2001
From: Hongwei <hongwei@tesobe.com>
Date: Mon, 22 Jun 2026 21:43:38 +0200
Subject: [PATCH 07/12] fix: handle parse exceptions in OkHttp onResponse to
 prevent Promise leak

---
 obp-api/src/main/scala/code/search/search.scala | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/obp-api/src/main/scala/code/search/search.scala b/obp-api/src/main/scala/code/search/search.scala
index a9a7bf9e80..6849ac71ae 100644
--- a/obp-api/src/main/scala/code/search/search.scala
+++ b/obp-api/src/main/scala/code/search/search.scala
@@ -115,6 +115,8 @@ class elasticsearch extends MdcLoggable {
         try {
           val bodyStr = Option(response.body()).map(_.string()).filter(_.nonEmpty).getOrElse("{}")
           promise.success(APIResponse(response.code(), json.parse(bodyStr)))
+        } catch {
+          case e: Throwable => promise.failure(e)
         } finally {
           response.close()
         }

From 463a100bc8da2f5b4a9a5405cb65e821d3315059 Mon Sep 17 00:00:00 2001
From: Hongwei <hongwei@tesobe.com>
Date: Tue, 23 Jun 2026 11:42:19 +0200
Subject: [PATCH 08/12] build: upgrade avro4s to 4.1.2 and pin avro to 1.11.4
 (fixes #17)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CVE-2024-47561 (CVSS 9.8 RCE) in Apache Avro < 1.11.4 allows arbitrary
code execution via crafted schema payloads during deserialization.

- Upgrade avro4s-core 1.8.2 → 4.1.2 in parent pom
- Pin org.apache.avro:avro to 1.11.4 explicitly (avro4s 4.1.2 only
  brings avro 1.9.2 transitively, which is still vulnerable)
- Migrate AvroSerializer to avro4s 4.x API:
    ToRecord → Encoder, FromRecord → Decoder,
    AvroOutputStream.json[T](baos) → AvroOutputStream.json[T].to(baos).build(),
    AvroInputStream.json[T](stream).singleEntity →
      AvroInputStream.json[T].from(stream).build(schema).tryIterator
- Remove avro4s SchemaFor[T] usage from AkkaConnector_vDec2018
  (documentation-only fields; avro4s 4.x Magnolia derivation cannot
  auto-derive SchemaFor for complex OBP DTO type hierarchies)
---
 obp-api/pom.xml                               |  9 +++++-
 .../code/bankconnectors/AvroSerializer.scala  | 29 +++++++++----------
 .../akka/AkkaConnector_vDec2018.scala         | 13 ++++-----
 pom.xml                                       |  2 +-
 4 files changed, 28 insertions(+), 25 deletions(-)

diff --git a/obp-api/pom.xml b/obp-api/pom.xml
index 98ff6c00be..0c52835986 100644
--- a/obp-api/pom.xml
+++ b/obp-api/pom.xml
@@ -117,7 +117,14 @@
       <artifactId>protobuf-java</artifactId>
       <version>3.25.5</version>
     </dependency>
-    <!-- Pin snappy-java to override the 1.1.1.3 pulled in transitively by avro 1.8.2.
+    <!-- Pin org.apache.avro:avro to 1.11.4 to override the 1.9.2 pulled in transitively
+         by avro4s 4.1.2. Fixes CVE-2024-47561 (CVSS 9.8 — RCE via schema parsing). -->
+    <dependency>
+      <groupId>org.apache.avro</groupId>
+      <artifactId>avro</artifactId>
+      <version>1.11.4</version>
+    </dependency>
+    <!-- Pin snappy-java to override older versions pulled in transitively by avro.
          Fixes CVE-2023-34453, CVE-2023-34454, CVE-2023-34455, CVE-2023-43642. -->
     <dependency>
       <groupId>org.xerial.snappy</groupId>
diff --git a/obp-api/src/main/scala/code/bankconnectors/AvroSerializer.scala b/obp-api/src/main/scala/code/bankconnectors/AvroSerializer.scala
index 8dec75f379..d6406bb793 100644
--- a/obp-api/src/main/scala/code/bankconnectors/AvroSerializer.scala
+++ b/obp-api/src/main/scala/code/bankconnectors/AvroSerializer.scala
@@ -5,33 +5,30 @@ import java.io.{ByteArrayOutputStream, InputStream}
 import com.sksamuel.avro4s._
 
 import scala.concurrent.{ExecutionContext, Future}
-import scala.util.Try
+import scala.util.Success
 
-/**
-  * Provides generic serialization/deserialization
-  */
 trait AvroSerializer {
 
-  def serialize[T: SchemaFor : ToRecord](event: T)(implicit executionContext: ExecutionContext): String = {
+  def serialize[T: Encoder](event: T)(implicit executionContext: ExecutionContext): String = {
     val baos = new ByteArrayOutputStream()
-    val output = AvroOutputStream.json[T](baos)
+    val output = AvroOutputStream.json[T].to(baos).build()
     output.write(event)
     output.close()
-    val r = baos.toString("UTF-8")
-    r
+    baos.toString("UTF-8")
   }
 
-  def serializeFuture[T: SchemaFor : ToRecord](event: T)(implicit executionContext: ExecutionContext): Future[String] =
+  def serializeFuture[T: Encoder](event: T)(implicit executionContext: ExecutionContext): Future[String] =
     Future(serialize(event))
 
-  def deserializeFuture[T >: Null : SchemaFor : FromRecord](data: String)(implicit executionContext: ExecutionContext): Future[Option[T]] =
+  def deserializeFuture[T >: Null : Decoder](data: String)(implicit executionContext: ExecutionContext): Future[Option[T]] =
     Future(deserialize[T](data))
 
-  def deserialize[T >: Null : SchemaFor : FromRecord](data: String)(implicit executionContext: ExecutionContext): Option[T] = {
-
-    val input = AvroInputStream.json[T](new StringInputStream(data))
-    val result: Try[T] = input.singleEntity
-    result.toOption
+  def deserialize[T >: Null : Decoder](data: String)(implicit executionContext: ExecutionContext): Option[T] = {
+    val schema = implicitly[Decoder[T]].schema
+    val input = AvroInputStream.json[T].from(new StringInputStream(data)).build(schema)
+    val result = input.tryIterator.collectFirst { case Success(v) => v }
+    input.close()
+    result
   }
 
   class StringInputStream(s: String) extends InputStream {
@@ -47,4 +44,4 @@ trait AvroSerializer {
       r.toInt
     }
   }
-}
\ No newline at end of file
+}
diff --git a/obp-api/src/main/scala/code/bankconnectors/akka/AkkaConnector_vDec2018.scala b/obp-api/src/main/scala/code/bankconnectors/akka/AkkaConnector_vDec2018.scala
index 0443a26d75..89c163e8c1 100644
--- a/obp-api/src/main/scala/code/bankconnectors/akka/AkkaConnector_vDec2018.scala
+++ b/obp-api/src/main/scala/code/bankconnectors/akka/AkkaConnector_vDec2018.scala
@@ -18,7 +18,6 @@ import com.openbankproject.commons.dto._
 import com.openbankproject.commons.model._
 import com.openbankproject.commons.model.enums.StrongCustomerAuthenticationStatus.SCAStatus
 import com.openbankproject.commons.model.enums.{AccountAttributeType, CardAttributeType, ChallengeType, CustomerAttributeType, ProductAttributeType, StrongCustomerAuthentication, TransactionAttributeType, TransactionRequestStatus}
-import com.sksamuel.avro4s.SchemaFor
 import net.liftweb.common.{Box, Full}
 import com.openbankproject.commons.util.JsonAliases.parse
 
@@ -55,8 +54,8 @@ object AkkaConnector_vDec2018 extends Connector with AkkaConnectorActorInit {
         inboundStatus,
         inboundAdapterInfoInternal)
       ),
-    outboundAvroSchema = Some(parse(SchemaFor[OutBoundGetAdapterInfo]().toString(true))),
-    inboundAvroSchema = Some(parse(SchemaFor[InBoundGetAdapterInfo]().toString(true))),
+    outboundAvroSchema = None,
+    inboundAvroSchema = None,
     adapterImplementation = Some(AdapterImplementation("- Core", 1))
   )
   override def getAdapterInfo(callContext: Option[CallContext]): Future[Box[(InboundAdapterInfoInternal, Option[CallContext])]] = {
@@ -81,8 +80,8 @@ object AkkaConnector_vDec2018 extends Connector with AkkaConnectorActorInit {
         List(bankCommons)
       )
       ),
-    outboundAvroSchema = Some(parse(SchemaFor[OutBoundGetBanks]().toString(true))),
-    inboundAvroSchema =  Some(parse(SchemaFor[InBoundGetBanks]().toString(true))),
+    outboundAvroSchema = None,
+    inboundAvroSchema = None,
     adapterImplementation = Some(AdapterImplementation("- Core", 2))
   )
 
@@ -110,8 +109,8 @@ object AkkaConnector_vDec2018 extends Connector with AkkaConnectorActorInit {
         bankCommons
       )
       ),
-    outboundAvroSchema = Some(parse(SchemaFor[OutBoundGetBank]().toString(true))),
-    inboundAvroSchema = Some(parse(SchemaFor[InBoundGetBank]().toString(true))),
+    outboundAvroSchema = None,
+    inboundAvroSchema = None,
     adapterImplementation = Some(AdapterImplementation("- Core", 5))
   )
   override def getBank(bankId : BankId, callContext: Option[CallContext]): Future[Box[(Bank, Option[CallContext])]] = {
diff --git a/pom.xml b/pom.xml
index cecd1678a7..92993c243d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -14,7 +14,7 @@
     <scala.compiler>2.12.20</scala.compiler>
     <pekko.version>1.1.5</pekko.version>
     <pekko-http.version>1.1.0</pekko-http.version>
-    <avro.version>1.8.2</avro.version>
+    <avro.version>4.1.2</avro.version>
     <lift.version>v1.0.4</lift.version>
     <http4s.version>0.23.30</http4s.version>
     <!-- Common plugin settings -->

From abe0f663a23e83f77bc389862d79c68c99f77fd7 Mon Sep 17 00:00:00 2001
From: Hongwei <hongwei@tesobe.com>
Date: Tue, 23 Jun 2026 11:57:41 +0200
Subject: [PATCH 09/12] fix: correct byte sign-extension in StringInputStream
 and clarify avro property names

- Fix StringInputStream.read(): r.toInt & 0xFF to zero-extend bytes 0x80-0xFF
  instead of sign-extending; signed Byte.toInt returns -1 for 0xFF which JSON
  parser interprets as EOF, silently truncating any non-ASCII Avro payload
- Fix StringInputStream.getBytes: explicit UTF-8 charset to match the UTF-8
  used in baos.toString("UTF-8") on the serialize side
- Rename <avro.version> to <avro4s.version> and introduce <apache.avro.version>
  in parent pom so both versions are visible and independently bumpable
---
 obp-api/pom.xml                                               | 4 ++--
 .../src/main/scala/code/bankconnectors/AvroSerializer.scala   | 4 ++--
 pom.xml                                                       | 3 ++-
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/obp-api/pom.xml b/obp-api/pom.xml
index 0c52835986..7a789094c9 100644
--- a/obp-api/pom.xml
+++ b/obp-api/pom.xml
@@ -122,7 +122,7 @@
     <dependency>
       <groupId>org.apache.avro</groupId>
       <artifactId>avro</artifactId>
-      <version>1.11.4</version>
+      <version>${apache.avro.version}</version>
     </dependency>
     <!-- Pin snappy-java to override older versions pulled in transitively by avro.
          Fixes CVE-2023-34453, CVE-2023-34454, CVE-2023-34455, CVE-2023-43642. -->
@@ -236,7 +236,7 @@
     <dependency>
       <groupId>com.sksamuel.avro4s</groupId>
       <artifactId>avro4s-core_${scala.version}</artifactId>
-      <version>${avro.version}</version>
+      <version>${avro4s.version}</version>
     </dependency>
     <dependency>
       <groupId>org.apache.commons</groupId>
diff --git a/obp-api/src/main/scala/code/bankconnectors/AvroSerializer.scala b/obp-api/src/main/scala/code/bankconnectors/AvroSerializer.scala
index d6406bb793..9d75703790 100644
--- a/obp-api/src/main/scala/code/bankconnectors/AvroSerializer.scala
+++ b/obp-api/src/main/scala/code/bankconnectors/AvroSerializer.scala
@@ -32,7 +32,7 @@ trait AvroSerializer {
   }
 
   class StringInputStream(s: String) extends InputStream {
-    private val bytes = s.getBytes
+    private val bytes = s.getBytes("UTF-8")
 
     private var pos = 0
 
@@ -41,7 +41,7 @@ trait AvroSerializer {
     } else {
       val r = bytes(pos)
       pos += 1
-      r.toInt
+      r.toInt & 0xFF
     }
   }
 }
diff --git a/pom.xml b/pom.xml
index 92993c243d..6ecae876c8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -14,7 +14,8 @@
     <scala.compiler>2.12.20</scala.compiler>
     <pekko.version>1.1.5</pekko.version>
     <pekko-http.version>1.1.0</pekko-http.version>
-    <avro.version>4.1.2</avro.version>
+    <avro4s.version>4.1.2</avro4s.version>
+    <apache.avro.version>1.11.4</apache.avro.version>
     <lift.version>v1.0.4</lift.version>
     <http4s.version>0.23.30</http4s.version>
     <!-- Common plugin settings -->

From df13d40b822fe290fef42ddc9ae30b09590478b9 Mon Sep 17 00:00:00 2001
From: Hongwei <hongwei@tesobe.com>
Date: Tue, 23 Jun 2026 12:59:57 +0200
Subject: [PATCH 10/12] chore: remove httpclient direct dep and scope AHC to
 test (fixes #18)

- Remove explicit org.apache.httpcomponents:httpclient:4.5.14 declaration;
  the artifact was only referenced by an unused import in OBPAPIDynamicEndpoint
  (import only appeared in a comment). It remains available transitively via
  elasticsearch-rest-client for Elasticsearch's internal use.
- Drop unused import org.apache.http.HttpStatus from OBPAPIDynamicEndpoint
  (the one call site using it was already commented out).
- Move org.asynchttpclient:async-http-client to <scope>test</scope>; the sole
  direct usage is OPTIONSTest.scala (test class), not production code.
---
 obp-api/pom.xml                                             | 6 +-----
 .../code/api/dynamic/endpoint/OBPAPIDynamicEndpoint.scala   | 1 -
 2 files changed, 1 insertion(+), 6 deletions(-)

diff --git a/obp-api/pom.xml b/obp-api/pom.xml
index 7a789094c9..66bf746e62 100644
--- a/obp-api/pom.xml
+++ b/obp-api/pom.xml
@@ -172,11 +172,6 @@
       <artifactId>cglib</artifactId>
       <version>3.3.0</version>
     </dependency>
-    <dependency>
-      <groupId>org.apache.httpcomponents</groupId>
-      <artifactId>httpclient</artifactId>
-      <version>4.5.14</version>
-    </dependency>
     <dependency>
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-pool2</artifactId>
@@ -412,6 +407,7 @@
       <groupId>org.asynchttpclient</groupId>
       <artifactId>async-http-client</artifactId>
       <version>2.15.0</version>
+      <scope>test</scope>
         <exclusions>
             <exclusion>
                 <artifactId>javax.activation</artifactId>
diff --git a/obp-api/src/main/scala/code/api/dynamic/endpoint/OBPAPIDynamicEndpoint.scala b/obp-api/src/main/scala/code/api/dynamic/endpoint/OBPAPIDynamicEndpoint.scala
index d3dd7b4700..9713e4cff4 100644
--- a/obp-api/src/main/scala/code/api/dynamic/endpoint/OBPAPIDynamicEndpoint.scala
+++ b/obp-api/src/main/scala/code/api/dynamic/endpoint/OBPAPIDynamicEndpoint.scala
@@ -33,7 +33,6 @@ import code.api.util.{APIUtil, VersionedOBPApis}
 import code.util.Helper.MdcLoggable
 import com.openbankproject.commons.util.{ApiVersion,ApiVersionStatus}
 import net.liftweb.common.{Box, Full}
-import org.apache.http.HttpStatus
 
 /*
 This file defines which endpoints from all the versions are available in v4.0.0

From 4f5a85a36c1cdb01387b0930f3fea6f15d5a3298 Mon Sep 17 00:00:00 2001
From: Hongwei <hongwei@tesobe.com>
Date: Tue, 23 Jun 2026 13:24:15 +0200
Subject: [PATCH 11/12] chore: remove dead imports from OBPAPIDynamicEndpoint

Remove imports that were only used in the commented-out Lift CORS block:
- net.liftweb.common.{Box, Full}
- code.api.dynamic.endpoint.helper.DynamicEndpoints (unused entirely)
- code.api.util.APIUtil (no live usages; keep VersionedOBPApis for extends clause)
---
 .../code/api/dynamic/endpoint/OBPAPIDynamicEndpoint.scala     | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/obp-api/src/main/scala/code/api/dynamic/endpoint/OBPAPIDynamicEndpoint.scala b/obp-api/src/main/scala/code/api/dynamic/endpoint/OBPAPIDynamicEndpoint.scala
index 9713e4cff4..cf2ce89f8e 100644
--- a/obp-api/src/main/scala/code/api/dynamic/endpoint/OBPAPIDynamicEndpoint.scala
+++ b/obp-api/src/main/scala/code/api/dynamic/endpoint/OBPAPIDynamicEndpoint.scala
@@ -28,11 +28,9 @@ package code.api.dynamic.endpoint
 
 import APIMethodsDynamicEndpoint.ImplementationsDynamicEndpoint
 import code.api.OBPRestHelper
-import code.api.dynamic.endpoint.helper.DynamicEndpoints
-import code.api.util.{APIUtil, VersionedOBPApis}
+import code.api.util.VersionedOBPApis
 import code.util.Helper.MdcLoggable
 import com.openbankproject.commons.util.{ApiVersion,ApiVersionStatus}
-import net.liftweb.common.{Box, Full}
 
 /*
 This file defines which endpoints from all the versions are available in v4.0.0

From ea098f43d0aed17b5ce89ee64702c28d9258e694 Mon Sep 17 00:00:00 2001
From: Hongwei <hongwei@tesobe.com>
Date: Wed, 24 Jun 2026 21:13:37 +0200
Subject: [PATCH 12/12] fix: use runUpdate in ProjectionDualWrite so projection
 rows commit

Dynamic-entity POST handlers run without withBusinessDBTransaction, so
the TTL-based request-scope proxy is never set. DoobieUtil.runQuery uses
Strategy.void on its fallback transactor, which means INSERT runs on a
HikariCP connection (autoCommit=false) and is silently rolled back when
the connection returns to the pool.

Switch to DoobieUtil.runUpdate, which commits via fallbackUpdateTransactor
(Strategy.default) when no proxy is present, and still reuses the request
transaction via transactorFromConnection when a proxy is available.

This makes obp_exists[parcel_on_chain] and obp_not_exists[parcel_on_chain]
return correct results for the OGCR parcel/parcel_on_chain join queries.
---
 .../entity/projection/ProjectionDualWrite.scala     | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/obp-api/src/main/scala/code/api/dynamic/entity/projection/ProjectionDualWrite.scala b/obp-api/src/main/scala/code/api/dynamic/entity/projection/ProjectionDualWrite.scala
index d59fb43ab9..b9420802ed 100644
--- a/obp-api/src/main/scala/code/api/dynamic/entity/projection/ProjectionDualWrite.scala
+++ b/obp-api/src/main/scala/code/api/dynamic/entity/projection/ProjectionDualWrite.scala
@@ -9,13 +9,13 @@ import org.json4s.JsonAST.JObject
 /**
  * Keeps a record's projection row in sync on the write path (DE_indexing, Phase 3). Guarded by
  * `projectionEnabled` and a no-op unless the entity has a `ready` projection — so it changes nothing
- * by default. Uses `DoobieUtil.runQuery`, which reuses Lift's request connection, so the projection
- * upsert/delete participates in the SAME transaction as the canonical blob write (commit/rollback
- * together). Scalar fields only (spatial dual-write is Phase 4).
+ * by default. Uses `DoobieUtil.runUpdate` so the INSERT is committed even when called outside an
+ * explicit request-scope transaction (e.g. dynamic-entity POST handlers that don't wrap in
+ * `withBusinessDBTransaction`). When a request-scope proxy IS present, `runUpdate` still reuses it
+ * via `transactorFromConnection`. Scalar fields only (spatial dual-write is Phase 4).
  */
 object ProjectionDualWrite extends MdcLoggable {
 
-  /** Upsert the record's ready indexed scalar columns into the projection (called after the blob save). */
   def onSave(bankId: Option[String], entityName: String, dataId: String, body: JObject): Unit =
     withReadyScalarFields(bankId, entityName) { (safeTable, fields) =>
       val cols = fields.map { case (f, spec) =>
@@ -24,13 +24,12 @@ object ProjectionDualWrite extends MdcLoggable {
           ProjectionDDL.sqlColumnType(spec.fieldType.toString),
           ProjectionCoerce.toColumnValue(body \ f, spec.fieldType))
       }
-      DoobieUtil.runQuery(ProjectionStore.upsert(safeTable, dataId, cols))
+      DoobieUtil.runUpdate(ProjectionStore.upsert(safeTable, dataId, cols))
     }
 
-  /** Delete the record's projection row (called after the blob delete; FK cascade is a backstop). */
   def onDelete(bankId: Option[String], entityName: String, dataId: String): Unit =
     withReadyScalarFields(bankId, entityName) { (safeTable, _) =>
-      DoobieUtil.runQuery(ProjectionStore.delete(safeTable, dataId))
+      DoobieUtil.runUpdate(ProjectionStore.delete(safeTable, dataId))
     }
 
   private def withReadyScalarFields(bankId: Option[String], entityName: String)