@booklib/core 2.0.0

package/skills/skill-router/scripts/route.py

@@ -0,0 +1,266 @@
+#!/usr/bin/env python3
+"""
+route.py — CLI for skill-router
+
+Usage:
+    python route.py --task "review my Python class for code quality"
+    python route.py --file path/to/file.py --task "review for correctness"
+    python route.py --task "design a saga for order processing"
+    python route.py --task "decompose my monolith into microservices"
+
+Prints the recommended skill(s) with rationale.
+"""
+
+import argparse
+import os
+
+# Skill routing rules
+SKILL_CATALOG = {
+    "animation-at-work": {
+        "domain": "Web animation, UI motion",
+        "languages": [],  # language-agnostic but frontend
+        "keywords": ["animation", "motion", "transition", "keyframe", "easing", "css animation", "web animation"],
+        "anti_keywords": ["backend", "data processing", "api"],
+    },
+    "clean-code-reviewer": {
+        "domain": "Code quality, readability (any language)",
+        "languages": ["py", "java", "kt", "js", "ts", "go", "rs", "cpp", "cs"],
+        "keywords": ["review", "code quality", "readable", "clean", "refactor", "naming", "smell", "heuristic"],
+        "anti_keywords": ["architecture", "system design"],
+    },
+    "data-intensive-patterns": {
+        "domain": "Storage internals, distributed data",
+        "languages": [],
+        "keywords": ["replication", "partitioning", "consistency", "cap theorem", "storage engine", "lsm", "b-tree", "acid", "base", "linearizability"],
+        "anti_keywords": ["ui", "frontend", "domain model"],
+    },
+    "data-pipelines": {
+        "domain": "ETL, data ingestion, orchestration",
+        "languages": ["py", "sql"],
+        "keywords": ["data pipeline", "etl", "elt", "ingestion", "airflow", "dbt", "spark", "streaming", "batch", "warehouse"],
+        "anti_keywords": ["microservice", "ui"],
+    },
+    "design-patterns": {
+        "domain": "GoF OO design patterns",
+        "languages": ["java", "py", "kt", "cs"],
+        "keywords": ["design pattern", "factory", "singleton", "observer", "strategy", "decorator", "facade", "command", "template method", "composite"],
+        "anti_keywords": ["functional", "microservice decomposition"],
+    },
+    "domain-driven-design": {
+        "domain": "Domain modeling, DDD tactical and strategic patterns",
+        "languages": [],
+        "keywords": ["ddd", "domain model", "aggregate", "value object", "bounded context", "ubiquitous language", "repository", "domain service", "anticorruption", "entity", "anemic"],
+        "anti_keywords": ["simple crud", "ui", "code quality"],
+    },
+    "effective-java": {
+        "domain": "Java best practices",
+        "languages": ["java"],
+        "keywords": ["java", "generics", "enum", "lambda", "stream", "builder pattern", "serialization", "checked exception"],
+        "anti_keywords": [],
+    },
+    "effective-kotlin": {
+        "domain": "Kotlin best practices",
+        "languages": ["kt"],
+        "keywords": ["kotlin", "kotlin best practices", "kotlin safety", "null safety", "kotlin idioms", "effective kotlin", "best practices"],
+        "anti_keywords": ["learning kotlin"],
+    },
+    "effective-python": {
+        "domain": "Python idioms and best practices",
+        "languages": ["py"],
+        "keywords": ["pythonic", "python best practices", "comprehension", "generator", "decorator", "metaclass"],
+        "anti_keywords": ["async", "asyncio", "web scraping"],
+    },
+    "kotlin-in-action": {
+        "domain": "Kotlin language features",
+        "languages": ["kt"],
+        "keywords": ["learn kotlin", "kotlin coroutines", "kotlin lambdas", "kotlin classes", "how does kotlin"],
+        "anti_keywords": ["best practices"],
+    },
+    "lean-startup": {
+        "domain": "Startup strategy, MVP, validated learning",
+        "languages": [],
+        "keywords": ["mvp", "validated learning", "pivot", "build-measure-learn", "lean startup", "hypothesis", "product market fit"],
+        "anti_keywords": ["code", "review", "architecture", "api"],
+    },
+    "microservices-patterns": {
+        "domain": "Service decomposition, sagas, CQRS, event sourcing",
+        "languages": [],
+        "keywords": ["microservice", "services", "saga", "cqrs", "event sourcing", "api gateway", "decompose monolith", "circuit breaker", "distributed transaction", "choreography", "service coordination", "inter-service", "strangle", "strangler"],
+        "anti_keywords": ["monolith only", "simple crud"],
+    },
+    "refactoring-ui": {
+        "domain": "UI design, visual hierarchy, typography",
+        "languages": ["css", "html", "jsx", "tsx", "svelte"],
+        "keywords": ["ui design", "visual hierarchy", "typography", "color", "spacing", "layout", "design system"],
+        "anti_keywords": ["backend", "api", "animation"],
+    },
+    "storytelling-with-data": {
+        "domain": "Data visualization, charts, narrative",
+        "languages": [],
+        "keywords": ["data visualization", "chart", "graph", "dashboard", "storytelling", "declutter", "bar chart", "scatter plot"],
+        "anti_keywords": ["backend", "api", "code quality"],
+    },
+    "system-design-interview": {
+        "domain": "System scalability, high-level architecture",
+        "languages": [],
+        "keywords": ["system design", "scale", "scalability", "rate limiting", "cdn", "load balancer", "cache", "sharding", "high availability"],
+        "anti_keywords": ["code review", "domain model"],
+    },
+    "using-asyncio-python": {
+        "domain": "Python asyncio, concurrency",
+        "languages": ["py"],
+        "keywords": ["asyncio", "async def", "await", "coroutine", "event loop", "aiohttp", "async python", "concurrent python"],
+        "anti_keywords": [],
+    },
+    "web-scraping-python": {
+        "domain": "Web scraping, crawling",
+        "languages": ["py"],
+        "keywords": ["web scraping", "beautifulsoup", "scrapy", "crawl", "parse html", "selenium scraping"],
+        "anti_keywords": [],
+    },
+}
+
+CONFLICT_RULES = [
+    ("effective-python", "using-asyncio-python", "using-asyncio-python wins for async topics"),
+    ("kotlin-in-action", "effective-kotlin", "effective-kotlin wins for best practice advice"),
+    ("clean-code-reviewer", "effective-java", "effective-java wins for Java-specific items; use both for comprehensive review"),
+]
+
+
+def detect_language(file_path: str | None) -> str | None:
+    """Detect language from file extension."""
+    if not file_path:
+        return None
+    ext = os.path.splitext(file_path)[1].lstrip(".")
+    return ext.lower() if ext else None
+
+
+def score_skill(skill_name: str, skill_info: dict, task: str, language: str | None) -> float:
+    """Score a skill's relevance for a task. Higher = more relevant."""
+    task_lower = task.lower()
+    score = 0.0
+
+    # Keyword matching
+    for keyword in skill_info["keywords"]:
+        if keyword in task_lower:
+            score += 2.0
+
+    # Anti-keyword penalty
+    for anti_keyword in skill_info["anti_keywords"]:
+        if anti_keyword in task_lower:
+            score -= 3.0
+
+    # Language match bonus
+    if language and language in skill_info["languages"]:
+        score += 3.0
+    elif skill_info["languages"] and language and language not in skill_info["languages"]:
+        score -= 5.0  # Strong penalty for language mismatch
+
+    return score
+
+
+def route(task: str, file_path: str | None = None) -> dict:
+    """Route a task to the best skill(s)."""
+    language = detect_language(file_path)
+    task_lower = task.lower()
+
+    scores = {}
+    keyword_hits = {}
+    for skill_name, skill_info in SKILL_CATALOG.items():
+        scores[skill_name] = score_skill(skill_name, skill_info, task, language)
+        keyword_hits[skill_name] = any(kw in task_lower for kw in skill_info["keywords"])
+
+    # Sort by score, descending
+    ranked = sorted(scores.items(), key=lambda x: x[1], reverse=True)
+
+    # Require positive score AND at least one keyword hit to prevent
+    # language-match-only false positives (e.g. data-pipelines for any .py file)
+    candidates = [(name, score) for name, score in ranked if score > 0 and keyword_hits[name]]
+
+    if not candidates:
+        return {
+            "primary": None,
+            "secondary": None,
+            "dont_apply": None,
+            "conflict_note": None,
+            "language_detected": language,
+            "rationale": "No skill matched. Try describing the task with more domain keywords, or browse the skill catalog.",
+        }
+
+    primary_name, _ = candidates[0]
+    secondary = candidates[1] if len(candidates) > 1 else None
+    dont_apply = candidates[2] if len(candidates) > 2 else None
+
+    # Apply conflict resolution
+    conflict_note = None
+    if secondary:
+        for skill_a, skill_b, note in CONFLICT_RULES:
+            if (primary_name == skill_a and secondary[0] == skill_b) or \
+               (primary_name == skill_b and secondary[0] == skill_a):
+                conflict_note = note
+                break
+
+    return {
+        "primary": primary_name,
+        "primary_domain": SKILL_CATALOG[primary_name]["domain"],
+        "secondary": secondary[0] if secondary else None,
+        "secondary_domain": SKILL_CATALOG[secondary[0]]["domain"] if secondary else None,
+        "dont_apply": dont_apply[0] if dont_apply else None,
+        "dont_apply_domain": SKILL_CATALOG[dont_apply[0]]["domain"] if dont_apply else None,
+        "conflict_note": conflict_note,
+        "language_detected": language,
+    }
+
+
+def format_output(result: dict) -> str:
+    """Format routing result for CLI output."""
+    lines = []
+
+    if result.get("language_detected"):
+        lines.append(f"Detected language: .{result['language_detected']}")
+        lines.append("")
+
+    if not result["primary"]:
+        lines.append("No matching skill found.")
+        lines.append(result.get("rationale", ""))
+        return "\n".join(lines)
+
+    lines.append(f"**Primary skill:** `{result['primary']}`")
+    lines.append(f"**Why:** {result['primary_domain']}")
+
+    if result["secondary"]:
+        lines.append(f"**Secondary (optional):** `{result['secondary']}` — {result['secondary_domain']}")
+    else:
+        lines.append("**Secondary (optional):** none")
+
+    if result.get("dont_apply"):
+        lines.append(f"**Don't apply:** `{result['dont_apply']}` — {result['dont_apply_domain']} (lower relevance for this task)")
+
+    if result.get("conflict_note"):
+        lines.append(f"**Conflict resolution:** {result['conflict_note']}")
+
+    return "\n".join(lines)
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="Route a task to the best @booklib/skills skill",
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+        epilog="""examples:
+  python route.py --task "review my Python class for code quality"
+  python route.py --file app/orders.py --task "review for correctness"
+  python route.py --task "design a saga for order processing"
+  python route.py --task "decompose my monolith into microservices"
+  python route.py --task "my bar chart is too cluttered"
+        """,
+    )
+    parser.add_argument("--file", help="Path to the file being reviewed (used for language detection)")
+    parser.add_argument("--task", required=True, help="Description of the task or question")
+    args = parser.parse_args()
+
+    result = route(task=args.task, file_path=args.file)
+    print(format_output(result))
+
+
+if __name__ == "__main__":
+    main()

package/skills/spring-boot-in-action/SKILL.md

@@ -0,0 +1,340 @@
+---
+name: spring-boot-in-action
+version: "1.0"
+license: MIT
+tags: [java, spring, backend]
+description: >
+  Write and review Spring Boot applications using practices from "Spring Boot in Action"
+  by Craig Walls. Covers auto-configuration, starter dependencies, externalizing
+  configuration with properties and profiles, Spring Security, testing with MockMvc
+  and @SpringBootTest, Spring Actuator for production observability, and deployment
+  strategies (JAR, WAR, Cloud Foundry). Use when building Spring Boot apps, configuring
+  beans, writing integration tests, setting up health checks, or deploying to production.
+  Trigger on: "Spring Boot", "Spring", "@SpringBootApplication", "auto-configuration",
+  "application.properties", "application.yml", "@RestController", "@Service",
+  "@Repository", "SpringBootTest", "Actuator", "starter", ".java files", "Maven", "Gradle".
+---
+
+# Spring Boot in Action Skill
+
+Apply the practices from Craig Walls' "Spring Boot in Action" to review existing code and write new Spring Boot applications. This skill operates in two modes: **Review Mode** (analyze code for violations of Spring Boot idioms) and **Write Mode** (produce clean, idiomatic Spring Boot from scratch).
+
+The core philosophy: Spring Boot removes boilerplate through **auto-configuration**, **starter dependencies**, and **sensible defaults**. Fight the framework only when necessary — and when you do, prefer `application.properties` over code.
+
+## Reference Files
+
+- `practices-catalog.md` — Before/after examples for auto-configuration, starters, properties, profiles, security, testing, Actuator, and deployment
+
+## How to Use This Skill
+
+**Before responding**, read `practices-catalog.md` for the topic at hand. For configuration issues read the properties/profiles section. For test code read the testing section. For a full review, read all sections.
+
+---
+
+## Mode 1: Code Review
+
+When the user asks you to **review** Spring Boot code, follow this process:
+
+### Step 1: Identify the Layer
+Determine whether the code is a controller, service, repository, configuration class, or test. Review focus shifts by layer.
+
+### Step 2: Analyze the Code
+
+Check these areas in order of severity:
+
+1. **Auto-Configuration** (Ch 2, 3): Is auto-configuration being fought manually? Look for `@Bean` definitions that replicate what Spring Boot already provides (DataSource, Jackson, Security, etc.). Remove manual config where auto-config suffices.
+
+2. **Starter Dependencies** (Ch 2): Are dependencies declared individually instead of using starters? `spring-boot-starter-web`, `spring-boot-starter-data-jpa`, `spring-boot-starter-security` etc. bundle correct transitive dependencies and version-manage them.
+
+3. **Externalized Configuration** (Ch 3): Are values hardcoded that belong in `application.properties`? Ports, URLs, credentials, timeouts should all be externalized. Use `@ConfigurationProperties` for type-safe config objects; use `@Value` only for single values.
+
+4. **Profiles** (Ch 3): Is environment-specific config (dev DB vs prod DB) handled with `if` statements or system properties? Use `@Profile` and `application-{profile}.properties` instead.
+
+5. **Security** (Ch 3): Is `WebSecurityConfigurerAdapter` extended when simple property-based config would suffice? Is HTTP Basic enabled in production? Are actuator endpoints exposed without auth?
+
+6. **Testing** (Ch 4):
+   - Use `@SpringBootTest` for full integration tests, not raw `new MyService()`
+   - Use `@WebMvcTest` for controller-only tests (no full context)
+   - Use `@DataJpaTest` for repository tests (in-memory DB, no web layer)
+   - Use `MockMvc` for controller assertions without starting a server
+   - Use `@MockBean` to replace real beans with mocks in slice tests
+   - Avoid `@SpringBootTest(webEnvironment = RANDOM_PORT)` unless testing the full HTTP stack
+   - Flag missing negative test cases: if there is no test for "not found" (expecting 404), or no test verifying a POST returns 201 with a Location header, call these out explicitly as missing coverage
+
+7. **Actuator** (Ch 7): Is the application missing health/metrics endpoints? Is `/actuator` fully exposed without security? Are custom health indicators implemented for critical dependencies?
+
+8. **Deployment** (Ch 8): Is `spring.profiles.active` set for production? Is database migration (Flyway/Liquibase) configured? Is the app packaged as a self-contained JAR (preferred) or WAR?
+
+9. **General Idioms**:
+   - Constructor injection over field injection (`@Autowired` on fields)
+   - `@RestController` = `@Controller` + `@ResponseBody` — use it for REST APIs
+   - Return `ResponseEntity<T>` from controllers when status codes matter
+   - `Optional<T>` from repository methods, never `null`
+
+### Step 3: Calibrate Before Reporting
+
+**Do NOT manufacture issues.** If the code already follows idiomatic Spring Boot practices, say so explicitly and acknowledge what is correct. Do not invent problems to fill a review.
+
+**Rule: Only flag what is actually wrong in the code shown. Do not raise issues about code or configuration files that are NOT present in the review.**
+- Missing test files are not an issue in a review of production code unless the prompt asks about test coverage.
+- Missing Flyway/Liquibase is not an issue unless `spring.jpa.hibernate.ddl-auto=create` is used in a production context.
+- `spring.jpa.hibernate.ddl-auto=validate` combined with H2 or any datasource is NOT a conflict — validate is a safe, correct choice.
+- Missing `spring.application.name` is NOT an issue unless service discovery is involved.
+
+These patterns are **correct** and must NOT be flagged as issues:
+- `@SpringBootApplication` on the main class — correct (Ch 1)
+- Constructor injection without `@Autowired` — correct; Spring auto-wires single-constructor beans (Ch 2)
+- `ResponseEntity.created(URI.create("/api/resource/" + id)).body(saved)` — correct; relative URIs are standard practice here (Ch 2)
+- `repo.findById(id).orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND))` — correct pattern (Ch 2); at most suggest adding a descriptive message string, do NOT recommend replacing it with a domain exception + `@RestControllerAdvice`
+- `SLF4J` logger via `LoggerFactory.getLogger(...)` — correct (Ch 3)
+- `${ENV_VAR:default}` syntax in `application.properties` — correct externalization (Ch 3)
+- `management.endpoints.web.exposure.include=health,info` — correct Actuator lockdown (Ch 7)
+
+**When the code is idiomatic, the only acceptable suggestions are:**
+1. Add a descriptive message to `ResponseStatusException` if one is missing (minor suggestion only)
+2. Add `spring-boot-starter-actuator` dependency if the `management.*` properties are present but the starter might not be (minor suggestion only)
+Do not suggest Flyway, `@Valid`, test classes, or `@RestControllerAdvice` unless the code has a concrete problem that requires them.
+
+### Step 4: Report Findings
+For each genuine issue, report:
+- **Chapter reference** (e.g., "Ch 3: Externalized Configuration")
+- **Location** in the code
+- **What's wrong** (the anti-pattern)
+- **How to fix it** (the Spring Boot idiomatic way)
+- **Priority**: Critical (security/bugs), Important (maintainability), Suggestion (polish)
+
+### Step 5: Provide Fixed Code
+Offer a corrected version with comments explaining each change.
+
+---
+
+## Mode 2: Writing New Code
+
+When the user asks you to **write** new Spring Boot code, apply these core principles:
+
+### Project Bootstrap (Ch 1, 2)
+
+1. **Start with Spring Initializr** (Ch 1). Use `start.spring.io` or `spring init` CLI. Select starters upfront — don't add raw dependencies manually.
+
+2. **Use starters, not individual dependencies** (Ch 2). `spring-boot-starter-web` includes Tomcat, Spring MVC, Jackson, and logging at compatible versions. Never declare `spring-webmvc` + `jackson-databind` + `tomcat-embed-core` separately.
+
+3. **The main class is the only required boilerplate** (Ch 2):
+   ```java
+   @SpringBootApplication
+   public class MyApp {
+       public static void main(String[] args) {
+           SpringApplication.run(MyApp.class, args);
+       }
+   }
+   ```
+   `@SpringBootApplication` = `@Configuration` + `@EnableAutoConfiguration` + `@ComponentScan`.
+
+### Configuration (Ch 3)
+
+4. **Externalize all environment-specific values** (Ch 3). Nothing deployment-specific belongs in code. Use `application.properties` / `application.yml` for defaults.
+
+5. **Use `@ConfigurationProperties` for grouped config** (Ch 3). Bind a prefix to a POJO — type-safe, IDE-friendly, testable:
+   ```java
+   @ConfigurationProperties(prefix = "app.mail")
+   @Component
+   public class MailProperties {
+       private String host;
+       private int port = 25;
+       // getters + setters
+   }
+   ```
+
+6. **Use profiles for environment differences** (Ch 3). `application-dev.properties` overrides `application.properties` when `spring.profiles.active=dev`. Never use `if (env.equals("production"))` in code.
+
+7. **Override auto-configuration surgically** (Ch 3). Use `spring.*` properties first. Only define a `@Bean` when properties are insufficient. Annotate with `@ConditionalOnMissingBean` if providing a fallback.
+
+8. **Customize error pages declaratively** (Ch 3). Place `error/404.html`, `error/500.html` in `src/main/resources/templates/error/`. No custom `ErrorController` needed for basic cases.
+
+### Security (Ch 3)
+
+9. **Extend `WebSecurityConfigurerAdapter` only for custom rules** (Ch 3). For simple HTTP Basic with custom users, `spring.security.user.name` / `spring.security.user.password` properties suffice.
+
+10. **Always secure Actuator endpoints in production** (Ch 7). Expose only `health` and `info` publicly; require authentication for `env`, `beans`, `mappings`, `shutdown`.
+
+### REST Controllers (Ch 2)
+
+11. **Use `@RestController` for API endpoints** (Ch 2). Eliminates `@ResponseBody` on every method.
+
+12. **Return `ResponseEntity<T>` when HTTP status matters** (Ch 2). `ResponseEntity.ok(body)`, `ResponseEntity.notFound().build()`, `ResponseEntity.status(201).body(created)`.
+
+13. **Use constructor injection, not field injection** (Ch 2). Constructor injection makes dependencies explicit and enables testing without Spring context:
+    ```java
+    // Prefer this:
+    @RestController
+    public class BookController {
+        private final BookRepository repo;
+        public BookController(BookRepository repo) { this.repo = repo; }
+    }
+    ```
+
+14. **Use `Optional` from repository queries** (Ch 2). `repo.findById(id).orElseThrow(() -> new ResponseStatusException(NOT_FOUND))`.
+
+### Testing (Ch 4)
+
+15. **Match test slice to the layer being tested** (Ch 4):
+    - Web layer only → `@WebMvcTest(MyController.class)` + `MockMvc`
+    - Repository only → `@DataJpaTest`
+    - Full app → `@SpringBootTest`
+    - External service → `@MockBean` to replace
+
+16. **Use `MockMvc` for controller assertions without starting a server** (Ch 4):
+    ```java
+    mockMvc.perform(get("/books/1"))
+           .andExpect(status().isOk())
+           .andExpect(jsonPath("$.title").value("Spring Boot in Action"));
+    ```
+
+17. **Use `@MockBean` to isolate the unit under test** (Ch 4). Replaces the real bean in the Spring context with a Mockito mock — cleaner than manual wiring.
+
+18. **Test security explicitly** (Ch 4). Use `.with(user("admin").roles("ADMIN"))` or `@WithMockUser` to assert secured endpoints reject unauthenticated requests.
+
+### Actuator (Ch 7)
+
+19. **Enable Actuator in every production app** (Ch 7). Add `spring-boot-starter-actuator`. At minimum expose `health` and `info`.
+
+20. **Write custom `HealthIndicator` for critical dependencies** (Ch 7):
+    ```java
+    @Component
+    public class DatabaseHealthIndicator implements HealthIndicator {
+        @Override
+        public Health health() {
+            return canConnect() ? Health.up().build()
+                                : Health.down().withDetail("reason", "timeout").build();
+        }
+    }
+    ```
+
+21. **Add custom metrics via `MeterRegistry`** (Ch 7). Counter, gauge, timer — gives Prometheus/Grafana visibility into business events.
+
+22. **Restrict Actuator exposure in production** (Ch 7):
+    ```properties
+    management.endpoints.web.exposure.include=health,info
+    management.endpoint.health.show-details=when-authorized
+    ```
+
+### Deployment (Ch 8)
+
+23. **Package as an executable JAR by default** (Ch 8). `mvn package` produces a fat JAR with embedded Tomcat. Run with `java -jar app.jar`. No application server needed.
+
+24. **Create a production profile** (Ch 8). `application-production.properties` sets `spring.datasource.url`, disables dev tools, sets log levels to WARN.
+
+25. **Use Flyway or Liquibase for database migrations** (Ch 8). Add `spring-boot-starter-flyway`; place scripts in `classpath:db/migration/V1__init.sql`. Never use `spring.jpa.hibernate.ddl-auto=create` in production.
+
+---
+
+## Starter Cheat Sheet (Ch 2, Appendix B)
+
+| Need | Starter |
+|------|---------|
+| REST API | `spring-boot-starter-web` |
+| JPA / Hibernate | `spring-boot-starter-data-jpa` |
+| Security | `spring-boot-starter-security` |
+| Observability | `spring-boot-starter-actuator` |
+| Testing | `spring-boot-starter-test` |
+| Thymeleaf views | `spring-boot-starter-thymeleaf` |
+| Redis cache | `spring-boot-starter-data-redis` |
+| Messaging | `spring-boot-starter-amqp` |
+| DB migration | `flyway-core` |
+
+---
+
+## Code Structure Template
+
+```java
+// Main class (Ch 2)
+@SpringBootApplication
+public class LibraryApp {
+    public static void main(String[] args) {
+        SpringApplication.run(LibraryApp.class, args);
+    }
+}
+
+// Entity (Ch 2)
+@Entity
+public class Book {
+    @Id @GeneratedValue(strategy = GenerationType.IDENTITY)
+    private Long id;
+    private String title;
+    private String isbn;
+    // constructors, getters, setters
+}
+
+// Repository (Ch 2)
+public interface BookRepository extends JpaRepository<Book, Long> {
+    List<Book> findByTitleContainingIgnoreCase(String title);
+}
+
+// Service (Ch 2) — constructor injection
+@Service
+public class BookService {
+    private final BookRepository repo;
+    public BookService(BookRepository repo) { this.repo = repo; }
+
+    public Book findById(Long id) {
+        return repo.findById(id)
+                   .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));
+    }
+}
+
+// Controller (Ch 2)
+@RestController
+@RequestMapping("/api/books")
+public class BookController {
+    private final BookService service;
+    public BookController(BookService service) { this.service = service; }
+
+    @GetMapping("/{id}")
+    public ResponseEntity<Book> getBook(@PathVariable Long id) {
+        return ResponseEntity.ok(service.findById(id));
+    }
+
+    @PostMapping
+    public ResponseEntity<Book> createBook(@RequestBody Book book) {
+        Book saved = service.save(book);
+        URI location = URI.create("/api/books/" + saved.getId());
+        return ResponseEntity.created(location).body(saved);
+    }
+}
+
+// application.properties (Ch 3)
+// spring.datasource.url=jdbc:postgresql://localhost/library
+// spring.datasource.username=${DB_USER}
+// spring.datasource.password=${DB_PASS}
+// spring.jpa.hibernate.ddl-auto=validate
+// management.endpoints.web.exposure.include=health,info
+
+// application-dev.properties (Ch 3)
+// spring.datasource.url=jdbc:h2:mem:library
+// spring.jpa.hibernate.ddl-auto=create-drop
+// logging.level.org.springframework=DEBUG
+```
+
+---
+
+## Priority of Practices by Impact
+
+### Critical (Security & Correctness)
+- Ch 3: Never hardcode credentials — use `${ENV_VAR}` in properties
+- Ch 3: Secure Actuator endpoints — `env`, `beans`, `shutdown` must require auth
+- Ch 4: Test secured endpoints explicitly — assert 401/403 on unauthenticated requests
+- Ch 8: Never use `ddl-auto=create` in production — use Flyway/Liquibase
+
+### Important (Idiom & Maintainability)
+- Ch 2: Constructor injection over `@Autowired` field injection
+- Ch 2: `@RestController` over `@Controller` + `@ResponseBody` for APIs
+- Ch 2: `Optional` from repository, never `null`
+- Ch 3: `@ConfigurationProperties` over scattered `@Value` for grouped config
+- Ch 3: Profiles for environment differences — not `if` statements
+- Ch 4: `@WebMvcTest` for controller tests — not full `@SpringBootTest`
+- Ch 7: Custom `HealthIndicator` for each critical dependency
+
+### Suggestions (Polish)
+- Ch 3: Custom error pages in `templates/error/` — no code needed
+- Ch 7: Custom metrics via `MeterRegistry` for business events
+- Ch 8: Production profile disables dev tools, sets WARN log level
+- Ch 2: Use `spring-boot-devtools` in dev for live reload

package/skills/spring-boot-in-action/evals/evals.json

@@ -0,0 +1,39 @@
+{
+  "evals": [
+    {
+      "id": "eval-01-autoconfig-injection-hardcoding",
+      "prompt": "Review this Spring Boot code:\n\n```java\n@Configuration\npublic class AppConfig {\n    @Bean\n    public DataSource dataSource() {\n        DriverManagerDataSource ds = new DriverManagerDataSource();\n        ds.setUrl(\"jdbc:postgresql://prod-db.internal/orders\");\n        ds.setUsername(\"orders_user\");\n        ds.setPassword(\"S3cr3tP@ss\");\n        return ds;\n    }\n\n    @Bean\n    public ObjectMapper objectMapper() {\n        return new ObjectMapper();\n    }\n}\n\n@RestController\npublic class OrderController {\n    @Autowired\n    private OrderRepository orderRepository;\n\n    @Autowired\n    private OrderService orderService;\n\n    @GetMapping(\"/orders/{id}\")\n    public Order getOrder(@PathVariable Long id) {\n        return orderRepository.findById(id).orElse(null);\n    }\n\n    @PostMapping(\"/orders\")\n    public Order createOrder(@RequestBody Order order) {\n        return orderService.place(order);\n    }\n}\n```",
+      "expectations": [
+        "Flag Ch 2/3: Manual DataSource @Bean fights Spring Boot auto-configuration — delete AppConfig.dataSource() and move connection details to application.properties using spring.datasource.url/username/password",
+        "Flag Ch 3: Credentials hardcoded in source code — must be externalized to environment variables: spring.datasource.password=${DB_PASS}",
+        "Flag Ch 2: ObjectMapper @Bean is unnecessary — Spring Boot auto-configures Jackson; only define a custom ObjectMapper when you need to change behavior",
+        "Flag Ch 2: @Autowired field injection on OrderRepository and OrderService — replace with constructor injection for testability",
+        "Flag Ch 2: getOrder returns null (200 with null body) when not found — use Optional.map(ResponseEntity::ok).orElse(ResponseEntity.notFound().build()) or throw ResponseStatusException(NOT_FOUND)",
+        "Flag Ch 2: createOrder returns 200 — POST that creates a resource should return 201 Created with a Location header; use ResponseEntity.created(uri).body(saved)"
+      ]
+    },
+    {
+      "id": "eval-02-testing-antipatterns",
+      "prompt": "Review this Spring Boot test code:\n\n```java\n@SpringBootTest\npublic class ProductControllerTest {\n    @Autowired\n    private ProductController controller;\n\n    @Autowired\n    private ProductRepository repo;\n\n    @Test\n    public void testGetProduct() {\n        Product p = new Product(null, \"Widget\", 9.99);\n        repo.save(p);\n        Product result = controller.getProduct(p.getId());\n        assertNotNull(result);\n        assertEquals(\"Widget\", result.getName());\n    }\n\n    @Test\n    public void testCreateProduct() {\n        Product p = new Product(null, \"Gadget\", 19.99);\n        Product result = controller.createProduct(p);\n        assertNotNull(result.getId());\n    }\n\n    @Test\n    public void testAdminEndpoint() {\n        // No auth setup — just calls controller directly\n        String result = controller.adminDashboard();\n        assertNotNull(result);\n    }\n}\n```",
+      "expectations": [
+        "Flag Ch 4: @SpringBootTest loads the full application context for what are simple controller tests — use @WebMvcTest(ProductController.class) with MockMvc for fast, isolated controller tests",
+        "Flag Ch 4: Directly calling controller.getProduct() bypasses HTTP layer — no status code, content-type, or header assertions are possible; use MockMvc.perform(get(...)).andExpect(status().isOk())",
+        "Flag Ch 4: testAdminEndpoint calls controller directly with no authentication context — use @WithMockUser(roles='ADMIN') and MockMvc to assert 403 for unauthorized and 200 for authorized access",
+        "Flag Ch 4: Tests use a real ProductRepository writing to the database — in a @WebMvcTest test, use @MockBean ProductService to isolate the controller from persistence",
+        "Flag Ch 4: No negative test cases — missing test for product not found (expect 404), and no test verifying createProduct returns 201 with a Location header",
+        "Provide corrected test class using @WebMvcTest, MockMvc, @MockBean, @WithMockUser, and assertions on HTTP status codes and response JSON"
+      ]
+    },
+    {
+      "id": "eval-03-idiomatic-spring-boot",
+      "prompt": "Review this Spring Boot code:\n\n```java\n@SpringBootApplication\npublic class LibraryApp {\n    public static void main(String[] args) {\n        SpringApplication.run(LibraryApp.class, args);\n    }\n}\n\n@RestController\n@RequestMapping(\"/api/books\")\npublic class BookController {\n    private final BookService service;\n\n    public BookController(BookService service) {\n        this.service = service;\n    }\n\n    @GetMapping(\"/{id}\")\n    public ResponseEntity<Book> getBook(@PathVariable Long id) {\n        return ResponseEntity.ok(service.findById(id));\n    }\n\n    @PostMapping\n    public ResponseEntity<Book> createBook(@RequestBody Book book) {\n        Book saved = service.save(book);\n        URI location = URI.create(\"/api/books/\" + saved.getId());\n        return ResponseEntity.created(location).body(saved);\n    }\n}\n\n@Service\npublic class BookService {\n    private static final Logger log = LoggerFactory.getLogger(BookService.class);\n    private final BookRepository repo;\n\n    public BookService(BookRepository repo) { this.repo = repo; }\n\n    public Book findById(Long id) {\n        return repo.findById(id)\n                   .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));\n    }\n\n    public Book save(Book book) { return repo.save(book); }\n}\n```\n\n```properties\nspring.datasource.url=${DB_URL:jdbc:h2:mem:library}\nspring.datasource.username=${DB_USER:sa}\nspring.datasource.password=${DB_PASS:}\nspring.jpa.hibernate.ddl-auto=validate\nmanagement.endpoints.web.exposure.include=health,info\n```",
+      "expectations": [
+        "Recognize this code is idiomatic Spring Boot — do NOT manufacture issues",
+        "Acknowledge correct patterns: @SpringBootApplication (Ch 1), constructor injection in both controller and service (Ch 2), ResponseEntity with correct 200/201 status codes and Location header (Ch 2), Optional.orElseThrow with ResponseStatusException for clean 404 (Ch 2), SLF4J logger (Ch 3), externalized config with env-var defaults (Ch 3), Actuator locked to health+info (Ch 7)",
+        "At most note: ResponseStatusException could include a descriptive message like 'Book ' + id + ' not found' for better client error messages",
+        "At most suggest: adding spring-boot-starter-actuator dependency if not already present to enable the management.endpoints config",
+        "Do NOT flag the absence of @Autowired — constructor injection is the preferred style and Spring auto-wires single constructors without any annotation"
+      ]
+    }
+  ]
+}

package/skills/spring-boot-in-action/evals/results.json

@@ -0,0 +1,13 @@
+{
+  "pass_rate": 1,
+  "passed": 17,
+  "total": 17,
+  "baseline_pass_rate": 0.647,
+  "baseline_passed": 11,
+  "baseline_total": 17,
+  "delta": 0.353,
+  "model": "default",
+  "evals_run": 3,
+  "date": "2026-03-28",
+  "non_standard_provider": true
+}