build: add frontend-builder image and bake buf into java-builder

ci/frontend-builder (new): Node 24 + pnpm 10 + buf 1.55 + global
@bufbuild/protoc-gen-es 2.4 + Playwright chromium runtime libs +
ORAS. Used by KollectAI-ETL frontend CI to run TS proto codegen
locally (buf.gen.yaml uses `local: protoc-gen-es`) instead of the
rate-limited BSR remote-plugin path.

ci/java-builder: added the standalone buf binary so `buf lint` runs
in CI without an inline curl install. Backend Java codegen stays in
the Maven build (protobuf-maven-plugin), so no protoc plugins are
added to this image.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

ci/java-builder/Dockerfile

@@ -1,7 +1,8 @@
 # KollectAI CI — Java Builder Image
 #
 # Pre-baked build environment for backend + plugin CI jobs.
-# Contains: Java 21, Maven 3.9.9, common dependencies, OWASP NVD database.
+# Contains: Java 21, Maven 3.9.9, Node.js + pnpm, buf CLI, OWASP NVD
+# database, ORAS CLI, common dependencies.
 #
 # Build:
 #   docker build -t 192.168.1.72/kollect-tools/ci/java-builder:latest ci/java-builder/
@@ -79,7 +80,24 @@ ARG ORAS_VERSION=1.2.2
 RUN curl -fsSL "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz" \
     | tar -xz -C /usr/local/bin oras
 
+# ─────────────────────────────────────────────────────────────────────
+# buf CLI — single static binary used for `buf lint` in CI and pre-push
+# parity. Backend Java codegen lives in the Maven build (protobuf-maven-
+# plugin), not buf, so no protoc plugins are needed in this image.
+# ─────────────────────────────────────────────────────────────────────
+ARG BUF_VERSION=1.55.0
+
+RUN curl -fsSL "https://github.com/bufbuild/buf/releases/download/v${BUF_VERSION}/buf-Linux-x86_64" \
+    -o /usr/local/bin/buf \
+    && chmod +x /usr/local/bin/buf
+
 WORKDIR /workspace
 
 # Verify installation
-RUN java -version && mvn -version && node --version && pnpm --version && oras version && jq --version
+RUN java -version \
+    && mvn -version \
+    && node --version \
+    && pnpm --version \
+    && buf --version \
+    && oras version \
+    && jq --version

ci/java-builder/README.md

@@ -9,9 +9,16 @@ Pre-baked build environment for KollectAI-ETL backend and plugin CI jobs.
 - Pre-cached Maven dependencies (Spring Boot, Flink, MyBatis, etc.)
 - Pre-installed `plugin-api` in local Maven repo
 - OWASP NVD database snapshot
+- Node.js + pnpm (via corepack)
+- [buf](https://buf.build) CLI — for `buf lint` parity with pre-push
 - ORAS CLI (Harbor artifact uploads)
 - git, jq, curl
 
+> **Note**: Backend Java protobuf codegen lives in the Maven build via
+> `protobuf-maven-plugin`, not buf — so this image deliberately omits
+> protoc plugins. For TypeScript proto codegen and frontend CI jobs use
+> the [`frontend-builder`](../frontend-builder/) image.
+
 ## Build
 
 ```bash
@@ -23,10 +30,14 @@ docker push 192.168.1.72/kollect-tools/ci/java-builder:latest
 
 | Arg | Default | Description |
 |-----|---------|-------------|
-| `MAVEN_VERSION` | `3.9.9` | Maven version |
+| `JAVA_VERSION` | `25` | Eclipse Temurin JDK version |
+| `MAVEN_VERSION` | `3.9.14` | Maven version |
 | `OWASP_DC_VERSION` | `12.1.1` | OWASP Dependency-Check version |
-| `ETL_BRANCH` | `001-ai-etl-platform` | Branch to fetch pom.xml files from |
+| `NODE_MAJOR` | `24` | Node.js major version |
+| `PNPM_VERSION` | `10.15.0` | pnpm version (corepack-activated) |
+| `BUF_VERSION` | `1.55.0` | buf CLI version |
 | `ORAS_VERSION` | `1.2.2` | ORAS CLI version |
+| `NVD_API_KEY` | (empty) | Optional NVD API key — speeds up the OWASP database update during image build |
 
 ## Usage in CI