@booklib/skills 1.3.2 → 1.5.0

package/skills/spring-boot-in-action/SKILL.md

@@ -0,0 +1,312 @@
+---
+name: spring-boot-in-action
+description: >
+  Write and review Spring Boot applications using practices from "Spring Boot in Action"
+  by Craig Walls. Covers auto-configuration, starter dependencies, externalizing
+  configuration with properties and profiles, Spring Security, testing with MockMvc
+  and @SpringBootTest, Spring Actuator for production observability, and deployment
+  strategies (JAR, WAR, Cloud Foundry). Use when building Spring Boot apps, configuring
+  beans, writing integration tests, setting up health checks, or deploying to production.
+  Trigger on: "Spring Boot", "Spring", "@SpringBootApplication", "auto-configuration",
+  "application.properties", "application.yml", "@RestController", "@Service",
+  "@Repository", "SpringBootTest", "Actuator", "starter", ".java files", "Maven", "Gradle".
+---
+
+# Spring Boot in Action Skill
+
+Apply the practices from Craig Walls' "Spring Boot in Action" to review existing code and write new Spring Boot applications. This skill operates in two modes: **Review Mode** (analyze code for violations of Spring Boot idioms) and **Write Mode** (produce clean, idiomatic Spring Boot from scratch).
+
+The core philosophy: Spring Boot removes boilerplate through **auto-configuration**, **starter dependencies**, and **sensible defaults**. Fight the framework only when necessary — and when you do, prefer `application.properties` over code.
+
+## Reference Files
+
+- `practices-catalog.md` — Before/after examples for auto-configuration, starters, properties, profiles, security, testing, Actuator, and deployment
+
+## How to Use This Skill
+
+**Before responding**, read `practices-catalog.md` for the topic at hand. For configuration issues read the properties/profiles section. For test code read the testing section. For a full review, read all sections.
+
+---
+
+## Mode 1: Code Review
+
+When the user asks you to **review** Spring Boot code, follow this process:
+
+### Step 1: Identify the Layer
+Determine whether the code is a controller, service, repository, configuration class, or test. Review focus shifts by layer.
+
+### Step 2: Analyze the Code
+
+Check these areas in order of severity:
+
+1. **Auto-Configuration** (Ch 2, 3): Is auto-configuration being fought manually? Look for `@Bean` definitions that replicate what Spring Boot already provides (DataSource, Jackson, Security, etc.). Remove manual config where auto-config suffices.
+
+2. **Starter Dependencies** (Ch 2): Are dependencies declared individually instead of using starters? `spring-boot-starter-web`, `spring-boot-starter-data-jpa`, `spring-boot-starter-security` etc. bundle correct transitive dependencies and version-manage them.
+
+3. **Externalized Configuration** (Ch 3): Are values hardcoded that belong in `application.properties`? Ports, URLs, credentials, timeouts should all be externalized. Use `@ConfigurationProperties` for type-safe config objects; use `@Value` only for single values.
+
+4. **Profiles** (Ch 3): Is environment-specific config (dev DB vs prod DB) handled with `if` statements or system properties? Use `@Profile` and `application-{profile}.properties` instead.
+
+5. **Security** (Ch 3): Is `WebSecurityConfigurerAdapter` extended when simple property-based config would suffice? Is HTTP Basic enabled in production? Are actuator endpoints exposed without auth?
+
+6. **Testing** (Ch 4):
+   - Use `@SpringBootTest` for full integration tests, not raw `new MyService()`
+   - Use `@WebMvcTest` for controller-only tests (no full context)
+   - Use `@DataJpaTest` for repository tests (in-memory DB, no web layer)
+   - Use `MockMvc` for controller assertions without starting a server
+   - Use `@MockBean` to replace real beans with mocks in slice tests
+   - Avoid `@SpringBootTest(webEnvironment = RANDOM_PORT)` unless testing the full HTTP stack
+
+7. **Actuator** (Ch 7): Is the application missing health/metrics endpoints? Is `/actuator` fully exposed without security? Are custom health indicators implemented for critical dependencies?
+
+8. **Deployment** (Ch 8): Is `spring.profiles.active` set for production? Is database migration (Flyway/Liquibase) configured? Is the app packaged as a self-contained JAR (preferred) or WAR?
+
+9. **General Idioms**:
+   - Constructor injection over field injection (`@Autowired` on fields)
+   - `@RestController` = `@Controller` + `@ResponseBody` — use it for REST APIs
+   - Return `ResponseEntity<T>` from controllers when status codes matter
+   - `Optional<T>` from repository methods, never `null`
+
+### Step 3: Report Findings
+For each issue, report:
+- **Chapter reference** (e.g., "Ch 3: Externalized Configuration")
+- **Location** in the code
+- **What's wrong** (the anti-pattern)
+- **How to fix it** (the Spring Boot idiomatic way)
+- **Priority**: Critical (security/bugs), Important (maintainability), Suggestion (polish)
+
+### Step 4: Provide Fixed Code
+Offer a corrected version with comments explaining each change.
+
+---
+
+## Mode 2: Writing New Code
+
+When the user asks you to **write** new Spring Boot code, apply these core principles:
+
+### Project Bootstrap (Ch 1, 2)
+
+1. **Start with Spring Initializr** (Ch 1). Use `start.spring.io` or `spring init` CLI. Select starters upfront — don't add raw dependencies manually.
+
+2. **Use starters, not individual dependencies** (Ch 2). `spring-boot-starter-web` includes Tomcat, Spring MVC, Jackson, and logging at compatible versions. Never declare `spring-webmvc` + `jackson-databind` + `tomcat-embed-core` separately.
+
+3. **The main class is the only required boilerplate** (Ch 2):
+   ```java
+   @SpringBootApplication
+   public class MyApp {
+       public static void main(String[] args) {
+           SpringApplication.run(MyApp.class, args);
+       }
+   }
+   ```
+   `@SpringBootApplication` = `@Configuration` + `@EnableAutoConfiguration` + `@ComponentScan`.
+
+### Configuration (Ch 3)
+
+4. **Externalize all environment-specific values** (Ch 3). Nothing deployment-specific belongs in code. Use `application.properties` / `application.yml` for defaults.
+
+5. **Use `@ConfigurationProperties` for grouped config** (Ch 3). Bind a prefix to a POJO — type-safe, IDE-friendly, testable:
+   ```java
+   @ConfigurationProperties(prefix = "app.mail")
+   @Component
+   public class MailProperties {
+       private String host;
+       private int port = 25;
+       // getters + setters
+   }
+   ```
+
+6. **Use profiles for environment differences** (Ch 3). `application-dev.properties` overrides `application.properties` when `spring.profiles.active=dev`. Never use `if (env.equals("production"))` in code.
+
+7. **Override auto-configuration surgically** (Ch 3). Use `spring.*` properties first. Only define a `@Bean` when properties are insufficient. Annotate with `@ConditionalOnMissingBean` if providing a fallback.
+
+8. **Customize error pages declaratively** (Ch 3). Place `error/404.html`, `error/500.html` in `src/main/resources/templates/error/`. No custom `ErrorController` needed for basic cases.
+
+### Security (Ch 3)
+
+9. **Extend `WebSecurityConfigurerAdapter` only for custom rules** (Ch 3). For simple HTTP Basic with custom users, `spring.security.user.name` / `spring.security.user.password` properties suffice.
+
+10. **Always secure Actuator endpoints in production** (Ch 7). Expose only `health` and `info` publicly; require authentication for `env`, `beans`, `mappings`, `shutdown`.
+
+### REST Controllers (Ch 2)
+
+11. **Use `@RestController` for API endpoints** (Ch 2). Eliminates `@ResponseBody` on every method.
+
+12. **Return `ResponseEntity<T>` when HTTP status matters** (Ch 2). `ResponseEntity.ok(body)`, `ResponseEntity.notFound().build()`, `ResponseEntity.status(201).body(created)`.
+
+13. **Use constructor injection, not field injection** (Ch 2). Constructor injection makes dependencies explicit and enables testing without Spring context:
+    ```java
+    // Prefer this:
+    @RestController
+    public class BookController {
+        private final BookRepository repo;
+        public BookController(BookRepository repo) { this.repo = repo; }
+    }
+    ```
+
+14. **Use `Optional` from repository queries** (Ch 2). `repo.findById(id).orElseThrow(() -> new ResponseStatusException(NOT_FOUND))`.
+
+### Testing (Ch 4)
+
+15. **Match test slice to the layer being tested** (Ch 4):
+    - Web layer only → `@WebMvcTest(MyController.class)` + `MockMvc`
+    - Repository only → `@DataJpaTest`
+    - Full app → `@SpringBootTest`
+    - External service → `@MockBean` to replace
+
+16. **Use `MockMvc` for controller assertions without starting a server** (Ch 4):
+    ```java
+    mockMvc.perform(get("/books/1"))
+           .andExpect(status().isOk())
+           .andExpect(jsonPath("$.title").value("Spring Boot in Action"));
+    ```
+
+17. **Use `@MockBean` to isolate the unit under test** (Ch 4). Replaces the real bean in the Spring context with a Mockito mock — cleaner than manual wiring.
+
+18. **Test security explicitly** (Ch 4). Use `.with(user("admin").roles("ADMIN"))` or `@WithMockUser` to assert secured endpoints reject unauthenticated requests.
+
+### Actuator (Ch 7)
+
+19. **Enable Actuator in every production app** (Ch 7). Add `spring-boot-starter-actuator`. At minimum expose `health` and `info`.
+
+20. **Write custom `HealthIndicator` for critical dependencies** (Ch 7):
+    ```java
+    @Component
+    public class DatabaseHealthIndicator implements HealthIndicator {
+        @Override
+        public Health health() {
+            return canConnect() ? Health.up().build()
+                                : Health.down().withDetail("reason", "timeout").build();
+        }
+    }
+    ```
+
+21. **Add custom metrics via `MeterRegistry`** (Ch 7). Counter, gauge, timer — gives Prometheus/Grafana visibility into business events.
+
+22. **Restrict Actuator exposure in production** (Ch 7):
+    ```properties
+    management.endpoints.web.exposure.include=health,info
+    management.endpoint.health.show-details=when-authorized
+    ```
+
+### Deployment (Ch 8)
+
+23. **Package as an executable JAR by default** (Ch 8). `mvn package` produces a fat JAR with embedded Tomcat. Run with `java -jar app.jar`. No application server needed.
+
+24. **Create a production profile** (Ch 8). `application-production.properties` sets `spring.datasource.url`, disables dev tools, sets log levels to WARN.
+
+25. **Use Flyway or Liquibase for database migrations** (Ch 8). Add `spring-boot-starter-flyway`; place scripts in `classpath:db/migration/V1__init.sql`. Never use `spring.jpa.hibernate.ddl-auto=create` in production.
+
+---
+
+## Starter Cheat Sheet (Ch 2, Appendix B)
+
+| Need | Starter |
+|------|---------|
+| REST API | `spring-boot-starter-web` |
+| JPA / Hibernate | `spring-boot-starter-data-jpa` |
+| Security | `spring-boot-starter-security` |
+| Observability | `spring-boot-starter-actuator` |
+| Testing | `spring-boot-starter-test` |
+| Thymeleaf views | `spring-boot-starter-thymeleaf` |
+| Redis cache | `spring-boot-starter-data-redis` |
+| Messaging | `spring-boot-starter-amqp` |
+| DB migration | `flyway-core` |
+
+---
+
+## Code Structure Template
+
+```java
+// Main class (Ch 2)
+@SpringBootApplication
+public class LibraryApp {
+    public static void main(String[] args) {
+        SpringApplication.run(LibraryApp.class, args);
+    }
+}
+
+// Entity (Ch 2)
+@Entity
+public class Book {
+    @Id @GeneratedValue(strategy = GenerationType.IDENTITY)
+    private Long id;
+    private String title;
+    private String isbn;
+    // constructors, getters, setters
+}
+
+// Repository (Ch 2)
+public interface BookRepository extends JpaRepository<Book, Long> {
+    List<Book> findByTitleContainingIgnoreCase(String title);
+}
+
+// Service (Ch 2) — constructor injection
+@Service
+public class BookService {
+    private final BookRepository repo;
+    public BookService(BookRepository repo) { this.repo = repo; }
+
+    public Book findById(Long id) {
+        return repo.findById(id)
+                   .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));
+    }
+}
+
+// Controller (Ch 2)
+@RestController
+@RequestMapping("/api/books")
+public class BookController {
+    private final BookService service;
+    public BookController(BookService service) { this.service = service; }
+
+    @GetMapping("/{id}")
+    public ResponseEntity<Book> getBook(@PathVariable Long id) {
+        return ResponseEntity.ok(service.findById(id));
+    }
+
+    @PostMapping
+    public ResponseEntity<Book> createBook(@RequestBody Book book) {
+        Book saved = service.save(book);
+        URI location = URI.create("/api/books/" + saved.getId());
+        return ResponseEntity.created(location).body(saved);
+    }
+}
+
+// application.properties (Ch 3)
+// spring.datasource.url=jdbc:postgresql://localhost/library
+// spring.datasource.username=${DB_USER}
+// spring.datasource.password=${DB_PASS}
+// spring.jpa.hibernate.ddl-auto=validate
+// management.endpoints.web.exposure.include=health,info
+
+// application-dev.properties (Ch 3)
+// spring.datasource.url=jdbc:h2:mem:library
+// spring.jpa.hibernate.ddl-auto=create-drop
+// logging.level.org.springframework=DEBUG
+```
+
+---
+
+## Priority of Practices by Impact
+
+### Critical (Security & Correctness)
+- Ch 3: Never hardcode credentials — use `${ENV_VAR}` in properties
+- Ch 3: Secure Actuator endpoints — `env`, `beans`, `shutdown` must require auth
+- Ch 4: Test secured endpoints explicitly — assert 401/403 on unauthenticated requests
+- Ch 8: Never use `ddl-auto=create` in production — use Flyway/Liquibase
+
+### Important (Idiom & Maintainability)
+- Ch 2: Constructor injection over `@Autowired` field injection
+- Ch 2: `@RestController` over `@Controller` + `@ResponseBody` for APIs
+- Ch 2: `Optional` from repository, never `null`
+- Ch 3: `@ConfigurationProperties` over scattered `@Value` for grouped config
+- Ch 3: Profiles for environment differences — not `if` statements
+- Ch 4: `@WebMvcTest` for controller tests — not full `@SpringBootTest`
+- Ch 7: Custom `HealthIndicator` for each critical dependency
+
+### Suggestions (Polish)
+- Ch 3: Custom error pages in `templates/error/` — no code needed
+- Ch 7: Custom metrics via `MeterRegistry` for business events
+- Ch 8: Production profile disables dev tools, sets WARN log level
+- Ch 2: Use `spring-boot-devtools` in dev for live reload

package/skills/spring-boot-in-action/evals/evals.json

@@ -0,0 +1,39 @@
+{
+  "evals": [
+    {
+      "id": "eval-01-autoconfig-injection-hardcoding",
+      "prompt": "Review this Spring Boot code:\n\n```java\n@Configuration\npublic class AppConfig {\n    @Bean\n    public DataSource dataSource() {\n        DriverManagerDataSource ds = new DriverManagerDataSource();\n        ds.setUrl(\"jdbc:postgresql://prod-db.internal/orders\");\n        ds.setUsername(\"orders_user\");\n        ds.setPassword(\"S3cr3tP@ss\");\n        return ds;\n    }\n\n    @Bean\n    public ObjectMapper objectMapper() {\n        return new ObjectMapper();\n    }\n}\n\n@RestController\npublic class OrderController {\n    @Autowired\n    private OrderRepository orderRepository;\n\n    @Autowired\n    private OrderService orderService;\n\n    @GetMapping(\"/orders/{id}\")\n    public Order getOrder(@PathVariable Long id) {\n        return orderRepository.findById(id).orElse(null);\n    }\n\n    @PostMapping(\"/orders\")\n    public Order createOrder(@RequestBody Order order) {\n        return orderService.place(order);\n    }\n}\n```",
+      "expectations": [
+        "Flag Ch 2/3: Manual DataSource @Bean fights Spring Boot auto-configuration — delete AppConfig.dataSource() and move connection details to application.properties using spring.datasource.url/username/password",
+        "Flag Ch 3: Credentials hardcoded in source code — must be externalized to environment variables: spring.datasource.password=${DB_PASS}",
+        "Flag Ch 2: ObjectMapper @Bean is unnecessary — Spring Boot auto-configures Jackson; only define a custom ObjectMapper when you need to change behavior",
+        "Flag Ch 2: @Autowired field injection on OrderRepository and OrderService — replace with constructor injection for testability",
+        "Flag Ch 2: getOrder returns null (200 with null body) when not found — use Optional.map(ResponseEntity::ok).orElse(ResponseEntity.notFound().build()) or throw ResponseStatusException(NOT_FOUND)",
+        "Flag Ch 2: createOrder returns 200 — POST that creates a resource should return 201 Created with a Location header; use ResponseEntity.created(uri).body(saved)"
+      ]
+    },
+    {
+      "id": "eval-02-testing-antipatterns",
+      "prompt": "Review this Spring Boot test code:\n\n```java\n@SpringBootTest\npublic class ProductControllerTest {\n    @Autowired\n    private ProductController controller;\n\n    @Autowired\n    private ProductRepository repo;\n\n    @Test\n    public void testGetProduct() {\n        Product p = new Product(null, \"Widget\", 9.99);\n        repo.save(p);\n        Product result = controller.getProduct(p.getId());\n        assertNotNull(result);\n        assertEquals(\"Widget\", result.getName());\n    }\n\n    @Test\n    public void testCreateProduct() {\n        Product p = new Product(null, \"Gadget\", 19.99);\n        Product result = controller.createProduct(p);\n        assertNotNull(result.getId());\n    }\n\n    @Test\n    public void testAdminEndpoint() {\n        // No auth setup — just calls controller directly\n        String result = controller.adminDashboard();\n        assertNotNull(result);\n    }\n}\n```",
+      "expectations": [
+        "Flag Ch 4: @SpringBootTest loads the full application context for what are simple controller tests — use @WebMvcTest(ProductController.class) with MockMvc for fast, isolated controller tests",
+        "Flag Ch 4: Directly calling controller.getProduct() bypasses HTTP layer — no status code, content-type, or header assertions are possible; use MockMvc.perform(get(...)).andExpect(status().isOk())",
+        "Flag Ch 4: testAdminEndpoint calls controller directly with no authentication context — use @WithMockUser(roles='ADMIN') and MockMvc to assert 403 for unauthorized and 200 for authorized access",
+        "Flag Ch 4: Tests use a real ProductRepository writing to the database — in a @WebMvcTest test, use @MockBean ProductService to isolate the controller from persistence",
+        "Flag Ch 4: No negative test cases — missing test for product not found (expect 404), and no test verifying createProduct returns 201 with a Location header",
+        "Provide corrected test class using @WebMvcTest, MockMvc, @MockBean, @WithMockUser, and assertions on HTTP status codes and response JSON"
+      ]
+    },
+    {
+      "id": "eval-03-idiomatic-spring-boot",
+      "prompt": "Review this Spring Boot code:\n\n```java\n@SpringBootApplication\npublic class LibraryApp {\n    public static void main(String[] args) {\n        SpringApplication.run(LibraryApp.class, args);\n    }\n}\n\n@RestController\n@RequestMapping(\"/api/books\")\npublic class BookController {\n    private final BookService service;\n\n    public BookController(BookService service) {\n        this.service = service;\n    }\n\n    @GetMapping(\"/{id}\")\n    public ResponseEntity<Book> getBook(@PathVariable Long id) {\n        return ResponseEntity.ok(service.findById(id));\n    }\n\n    @PostMapping\n    public ResponseEntity<Book> createBook(@RequestBody Book book) {\n        Book saved = service.save(book);\n        URI location = URI.create(\"/api/books/\" + saved.getId());\n        return ResponseEntity.created(location).body(saved);\n    }\n}\n\n@Service\npublic class BookService {\n    private static final Logger log = LoggerFactory.getLogger(BookService.class);\n    private final BookRepository repo;\n\n    public BookService(BookRepository repo) { this.repo = repo; }\n\n    public Book findById(Long id) {\n        return repo.findById(id)\n                   .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));\n    }\n\n    public Book save(Book book) { return repo.save(book); }\n}\n```\n\n```properties\nspring.datasource.url=${DB_URL:jdbc:h2:mem:library}\nspring.datasource.username=${DB_USER:sa}\nspring.datasource.password=${DB_PASS:}\nspring.jpa.hibernate.ddl-auto=validate\nmanagement.endpoints.web.exposure.include=health,info\n```",
+      "expectations": [
+        "Recognize this code is idiomatic Spring Boot — do NOT manufacture issues",
+        "Acknowledge correct patterns: @SpringBootApplication (Ch 1), constructor injection in both controller and service (Ch 2), ResponseEntity with correct 200/201 status codes and Location header (Ch 2), Optional.orElseThrow with ResponseStatusException for clean 404 (Ch 2), SLF4J logger (Ch 3), externalized config with env-var defaults (Ch 3), Actuator locked to health+info (Ch 7)",
+        "At most note: ResponseStatusException could include a descriptive message like 'Book ' + id + ' not found' for better client error messages",
+        "At most suggest: adding spring-boot-starter-actuator dependency if not already present to enable the management.endpoints config",
+        "Do NOT flag the absence of @Autowired — constructor injection is the preferred style and Spring auto-wires single constructors without any annotation"
+      ]
+    }
+  ]
+}

package/skills/spring-boot-in-action/examples/after.md

@@ -0,0 +1,185 @@
+# After: Spring Boot in Action
+
+The same library API rewritten with idiomatic Spring Boot — auto-configuration, constructor injection, externalized config, profiles, proper testing, and Actuator.
+
+```java
+// @SpringBootApplication enables auto-config, component scan, config (Ch 1, 2)
+@SpringBootApplication
+public class LibraryApp {
+    public static void main(String[] args) {
+        SpringApplication.run(LibraryApp.class, args);
+    }
+}
+
+// No DatabaseConfig class needed — auto-configuration handles DataSource (Ch 2, 3)
+// Credentials externalized to application.properties via environment variables
+
+// Constructor injection — testable without Spring context (Ch 2)
+@RestController
+@RequestMapping("/api/books")
+public class BookController {
+    private final BookService service;
+
+    public BookController(BookService service) {
+        this.service = service;
+    }
+
+    // Returns 404 when not found, not null (Ch 2)
+    @GetMapping("/{id}")
+    public ResponseEntity<Book> getBook(@PathVariable Long id) {
+        return ResponseEntity.ok(service.findById(id));
+    }
+
+    // Returns 201 Created with Location header (Ch 2)
+    @PostMapping
+    public ResponseEntity<Book> createBook(@RequestBody Book book) {
+        Book saved = service.save(book);
+        URI location = URI.create("/api/books/" + saved.getId());
+        return ResponseEntity.created(location).body(saved);
+    }
+
+    @GetMapping
+    public List<Book> search(@RequestParam(required = false, defaultValue = "") String q) {
+        return service.search(q);
+    }
+}
+
+// Service with constructor injection and proper logging (Ch 2)
+@Service
+public class BookService {
+    private static final Logger log = LoggerFactory.getLogger(BookService.class);
+    private final BookRepository repo;
+
+    public BookService(BookRepository repo) {
+        this.repo = repo;
+    }
+
+    public Book findById(Long id) {
+        // Optional — 404 automatically surfaced (Ch 2)
+        return repo.findById(id)
+                   .orElseThrow(() -> new ResponseStatusException(
+                       HttpStatus.NOT_FOUND, "Book " + id + " not found"));
+    }
+
+    public Book save(Book book) {
+        return repo.save(book);
+    }
+
+    public List<Book> search(String query) {
+        log.debug("Searching for: {}", query);  // proper logger, not println (Ch 3)
+        return query.isBlank()
+                ? repo.findAll()
+                : repo.findByTitleContainingIgnoreCase(query);
+    }
+}
+
+// Repository — Spring Data does the rest (Ch 2)
+public interface BookRepository extends JpaRepository<Book, Long> {
+    List<Book> findByTitleContainingIgnoreCase(String title);
+}
+
+// Type-safe configuration object (Ch 3)
+@ConfigurationProperties(prefix = "app.library")
+@Component
+public class LibraryProperties {
+    private int maxSearchResults = 50;
+    private String defaultSortField = "title";
+    // getters + setters
+}
+
+// Custom health indicator for critical dependency (Ch 7)
+@Component
+public class StorageHealthIndicator implements HealthIndicator {
+    private final BookRepository repo;
+    public StorageHealthIndicator(BookRepository repo) { this.repo = repo; }
+
+    @Override
+    public Health health() {
+        try {
+            long count = repo.count();
+            return Health.up().withDetail("books", count).build();
+        } catch (Exception e) {
+            return Health.down().withDetail("error", e.getMessage()).build();
+        }
+    }
+}
+
+// Controller slice test — no full context, fast (Ch 4)
+@WebMvcTest(BookController.class)
+public class BookControllerTest {
+    @Autowired
+    private MockMvc mockMvc;
+
+    @MockBean
+    private BookService service;  // real service replaced with mock (Ch 4)
+
+    @Test
+    void getBook_returnsOk() throws Exception {
+        Book book = new Book(1L, "Spring Boot in Action", "9781617292545");
+        given(service.findById(1L)).willReturn(book);
+
+        mockMvc.perform(get("/api/books/1"))
+               .andExpect(status().isOk())
+               .andExpect(jsonPath("$.title").value("Spring Boot in Action"));
+    }
+
+    @Test
+    void getBook_returns404WhenNotFound() throws Exception {
+        given(service.findById(99L))
+            .willThrow(new ResponseStatusException(HttpStatus.NOT_FOUND));
+
+        mockMvc.perform(get("/api/books/99"))
+               .andExpect(status().isNotFound());
+    }
+
+    @Test
+    @WithMockUser(roles = "USER")
+    void createBook_returns201() throws Exception {
+        Book book = new Book(null, "New Book", "1234567890");
+        Book saved = new Book(1L, "New Book", "1234567890");
+        given(service.save(any())).willReturn(saved);
+
+        mockMvc.perform(post("/api/books")
+                   .contentType(MediaType.APPLICATION_JSON)
+                   .content("{\"title\":\"New Book\",\"isbn\":\"1234567890\"}"))
+               .andExpect(status().isCreated())
+               .andExpect(header().string("Location", "/api/books/1"));
+    }
+}
+```
+
+```properties
+# application.properties — base config, all env-specific values externalized (Ch 3)
+spring.datasource.url=${DB_URL:jdbc:h2:mem:library}
+spring.datasource.username=${DB_USER:sa}
+spring.datasource.password=${DB_PASS:}
+spring.jpa.hibernate.ddl-auto=validate
+
+# Actuator — health and info only exposed publicly (Ch 7)
+management.endpoints.web.exposure.include=health,info
+management.endpoint.health.show-details=when-authorized
+
+# application-dev.properties — dev overrides (Ch 3)
+# spring.datasource.url=jdbc:h2:mem:library
+# spring.jpa.hibernate.ddl-auto=create-drop
+# logging.level.com.example=DEBUG
+# management.endpoints.web.exposure.include=*
+
+# application-production.properties — production hardening (Ch 8)
+# spring.jpa.hibernate.ddl-auto=validate
+# logging.level.root=WARN
+# management.endpoints.web.exposure.include=health,info
+```
+
+**Key improvements:**
+- `@SpringBootApplication` enables auto-configuration — no manual `DataSource` bean (Ch 2)
+- Credentials externalized to env vars via `${DB_URL}` — never hardcoded (Ch 3)
+- Constructor injection throughout — testable without Spring context (Ch 2)
+- `ResponseEntity` with correct status codes: 200, 201, 404 (Ch 2)
+- `Optional` → `orElseThrow` → `ResponseStatusException` — clean 404 (Ch 2)
+- `@ConfigurationProperties` for grouped app config (Ch 3)
+- `@WebMvcTest` + `@MockBean` — fast, isolated controller tests (Ch 4)
+- `@WithMockUser` — security tested explicitly (Ch 4)
+- Custom `HealthIndicator` — DB health visible in Actuator (Ch 7)
+- Actuator locked down — only `health` and `info` public (Ch 7)
+- Profile-based properties — no env checks in code (Ch 3, 8)

package/skills/spring-boot-in-action/examples/before.md

@@ -0,0 +1,84 @@
+# Before: Spring Boot in Action
+
+A book library REST API with common Spring Boot anti-patterns — manual configuration fighting auto-config, field injection, hardcoded values, missing tests, and no Actuator.
+
+```java
+// Main class missing @SpringBootApplication — won't auto-configure anything
+@Configuration
+@ComponentScan
+public class LibraryApp {
+    public static void main(String[] args) {
+        SpringApplication.run(LibraryApp.class, args);
+    }
+}
+
+// Manual DataSource bean — fights auto-configuration (Ch 2, 3)
+@Configuration
+public class DatabaseConfig {
+    @Bean
+    public DataSource dataSource() {
+        DriverManagerDataSource ds = new DriverManagerDataSource();
+        ds.setDriverClassName("org.postgresql.Driver");
+        ds.setUrl("jdbc:postgresql://localhost/library");  // hardcoded (Ch 3)
+        ds.setUsername("admin");                           // hardcoded credential!
+        ds.setPassword("secret123");                       // hardcoded credential!
+        return ds;
+    }
+}
+
+// Field injection — untestable without Spring context (Ch 2)
+@RestController
+public class BookController {
+    @Autowired
+    private BookRepository bookRepository;
+
+    @Autowired
+    private BookService bookService;
+
+    // Returns null instead of 404 when book not found (Ch 2)
+    @GetMapping("/books/{id}")
+    public Book getBook(@PathVariable Long id) {
+        return bookRepository.findById(id).orElse(null);  // null slips to client
+    }
+
+    // No status code — always returns 200 even on create (Ch 2)
+    @PostMapping("/books")
+    @ResponseBody
+    public Book createBook(@RequestBody Book book) {
+        return bookRepository.save(book);
+    }
+}
+
+// Service with field injection and no error handling
+@Service
+public class BookService {
+    @Autowired
+    private BookRepository bookRepository;
+
+    public List<Book> search(String query) {
+        // Environment check in code instead of using profiles (Ch 3)
+        if (System.getProperty("env").equals("dev")) {
+            System.out.println("Searching for: " + query);  // println not logger
+        }
+        return bookRepository.findAll();  // returns everything, ignores query
+    }
+}
+
+// Test that boots full context just to test one controller method (Ch 4)
+@SpringBootTest
+public class BookControllerTest {
+    @Autowired
+    private BookController controller;
+
+    @Test
+    public void testGetBook() {
+        // Direct controller call — no HTTP semantics, no status code testing
+        Book result = controller.getBook(1L);
+        assertNotNull(result);
+    }
+}
+
+// application.properties — missing externalized config
+// (no datasource url, credentials baked into Java code above)
+// spring.jpa.hibernate.ddl-auto=create  // destroys data on restart!
+```