@booklib/skills 1.4.0 → 1.5.0

package/CLAUDE.md

@@ -1,6 +1,6 @@
 # booklib-ai/skills
 
-21 AI agent skills grounded in canonical programming books. Each skill packages expert practices from a specific book into reusable instructions that Claude and other AI agents can apply to code generation, code review, and design decisions.
+22 AI agent skills grounded in canonical programming books. Each skill packages expert practices from a specific book into reusable instructions that Claude and other AI agents can apply to code generation, code review, and design decisions.
 
 ## Quick Install
 
@@ -25,6 +25,7 @@ npx skills add booklib-ai/skills --all -g
 | `kotlin-in-action` | Kotlin in Action |
 | `programming-with-rust` | Programming with Rust — Donis Marshall |
 | `rust-in-action` | Rust in Action — Tim McNamara |
+| `spring-boot-in-action` | Spring Boot in Action — Craig Walls |
 | `lean-startup` | The Lean Startup — Eric Ries |
 | `microservices-patterns` | Microservices Patterns — Chris Richardson |
 | `refactoring-ui` | Refactoring UI — Adam Wathan & Steve Schoger |
@@ -54,4 +55,4 @@ See [CONTRIBUTING.md](./CONTRIBUTING.md) for how to add a new skill. Each skill
 npx @booklib/skills check <skill-name>
 ```
 
-All 21 existing skills are at Platinum (13/13 checks).
+All 22 existing skills are at Platinum (13/13 checks).

package/README.md

@@ -134,6 +134,7 @@ This means skills compose: `skill-router` acts as an orchestrator that picks the
 | 🔷 [effective-typescript](./skills/effective-typescript/) | TypeScript best practices from Dan Vanderkam's *Effective TypeScript* — type system, type design, avoiding any, type declarations, and migration |
 | 🦀 [programming-with-rust](./skills/programming-with-rust/) | Rust practices from Donis Marshall's *Programming with Rust* — ownership, borrowing, lifetimes, error handling, traits, and fearless concurrency |
 | ⚙️ [rust-in-action](./skills/rust-in-action/) | Systems programming from Tim McNamara's *Rust in Action* — smart pointers, endianness, memory, file formats, TCP networking, concurrency, and OS fundamentals |
+| 🌱 [spring-boot-in-action](./skills/spring-boot-in-action/) | Spring Boot best practices from Craig Walls' *Spring Boot in Action* — auto-configuration, starters, externalized config, profiles, testing with MockMvc, Actuator, and deployment |
 | ⚡ [kotlin-in-action](./skills/kotlin-in-action/) | Practices from *Kotlin in Action* (2nd Ed) — functions, classes, lambdas, nullability, and coroutines |
 | 🚀 [lean-startup](./skills/lean-startup/) | Practices from Eric Ries' *The Lean Startup* — MVP testing, validated learning, Build-Measure-Learn loop, and pivots |
 | 🔧 [microservices-patterns](./skills/microservices-patterns/) | Expert guidance on microservices patterns from Chris Richardson's *Microservices Patterns* — decomposition, sagas, API gateways, event sourcing, CQRS, and service mesh |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@booklib/skills",
-  "version": "1.4.0",
+  "version": "1.5.0",
   "description": "Book knowledge distilled into structured AI skills for Claude Code and other AI assistants",
   "bin": {
     "skills": "bin/skills.js"

package/skills/spring-boot-in-action/SKILL.md

@@ -0,0 +1,312 @@
+---
+name: spring-boot-in-action
+description: >
+  Write and review Spring Boot applications using practices from "Spring Boot in Action"
+  by Craig Walls. Covers auto-configuration, starter dependencies, externalizing
+  configuration with properties and profiles, Spring Security, testing with MockMvc
+  and @SpringBootTest, Spring Actuator for production observability, and deployment
+  strategies (JAR, WAR, Cloud Foundry). Use when building Spring Boot apps, configuring
+  beans, writing integration tests, setting up health checks, or deploying to production.
+  Trigger on: "Spring Boot", "Spring", "@SpringBootApplication", "auto-configuration",
+  "application.properties", "application.yml", "@RestController", "@Service",
+  "@Repository", "SpringBootTest", "Actuator", "starter", ".java files", "Maven", "Gradle".
+---
+
+# Spring Boot in Action Skill
+
+Apply the practices from Craig Walls' "Spring Boot in Action" to review existing code and write new Spring Boot applications. This skill operates in two modes: **Review Mode** (analyze code for violations of Spring Boot idioms) and **Write Mode** (produce clean, idiomatic Spring Boot from scratch).
+
+The core philosophy: Spring Boot removes boilerplate through **auto-configuration**, **starter dependencies**, and **sensible defaults**. Fight the framework only when necessary — and when you do, prefer `application.properties` over code.
+
+## Reference Files
+
+- `practices-catalog.md` — Before/after examples for auto-configuration, starters, properties, profiles, security, testing, Actuator, and deployment
+
+## How to Use This Skill
+
+**Before responding**, read `practices-catalog.md` for the topic at hand. For configuration issues read the properties/profiles section. For test code read the testing section. For a full review, read all sections.
+
+---
+
+## Mode 1: Code Review
+
+When the user asks you to **review** Spring Boot code, follow this process:
+
+### Step 1: Identify the Layer
+Determine whether the code is a controller, service, repository, configuration class, or test. Review focus shifts by layer.
+
+### Step 2: Analyze the Code
+
+Check these areas in order of severity:
+
+1. **Auto-Configuration** (Ch 2, 3): Is auto-configuration being fought manually? Look for `@Bean` definitions that replicate what Spring Boot already provides (DataSource, Jackson, Security, etc.). Remove manual config where auto-config suffices.
+
+2. **Starter Dependencies** (Ch 2): Are dependencies declared individually instead of using starters? `spring-boot-starter-web`, `spring-boot-starter-data-jpa`, `spring-boot-starter-security` etc. bundle correct transitive dependencies and version-manage them.
+
+3. **Externalized Configuration** (Ch 3): Are values hardcoded that belong in `application.properties`? Ports, URLs, credentials, timeouts should all be externalized. Use `@ConfigurationProperties` for type-safe config objects; use `@Value` only for single values.
+
+4. **Profiles** (Ch 3): Is environment-specific config (dev DB vs prod DB) handled with `if` statements or system properties? Use `@Profile` and `application-{profile}.properties` instead.
+
+5. **Security** (Ch 3): Is `WebSecurityConfigurerAdapter` extended when simple property-based config would suffice? Is HTTP Basic enabled in production? Are actuator endpoints exposed without auth?
+
+6. **Testing** (Ch 4):
+   - Use `@SpringBootTest` for full integration tests, not raw `new MyService()`
+   - Use `@WebMvcTest` for controller-only tests (no full context)
+   - Use `@DataJpaTest` for repository tests (in-memory DB, no web layer)
+   - Use `MockMvc` for controller assertions without starting a server
+   - Use `@MockBean` to replace real beans with mocks in slice tests
+   - Avoid `@SpringBootTest(webEnvironment = RANDOM_PORT)` unless testing the full HTTP stack
+
+7. **Actuator** (Ch 7): Is the application missing health/metrics endpoints? Is `/actuator` fully exposed without security? Are custom health indicators implemented for critical dependencies?
+
+8. **Deployment** (Ch 8): Is `spring.profiles.active` set for production? Is database migration (Flyway/Liquibase) configured? Is the app packaged as a self-contained JAR (preferred) or WAR?
+
+9. **General Idioms**:
+   - Constructor injection over field injection (`@Autowired` on fields)
+   - `@RestController` = `@Controller` + `@ResponseBody` — use it for REST APIs
+   - Return `ResponseEntity<T>` from controllers when status codes matter
+   - `Optional<T>` from repository methods, never `null`
+
+### Step 3: Report Findings
+For each issue, report:
+- **Chapter reference** (e.g., "Ch 3: Externalized Configuration")
+- **Location** in the code
+- **What's wrong** (the anti-pattern)
+- **How to fix it** (the Spring Boot idiomatic way)
+- **Priority**: Critical (security/bugs), Important (maintainability), Suggestion (polish)
+
+### Step 4: Provide Fixed Code
+Offer a corrected version with comments explaining each change.
+
+---
+
+## Mode 2: Writing New Code
+
+When the user asks you to **write** new Spring Boot code, apply these core principles:
+
+### Project Bootstrap (Ch 1, 2)
+
+1. **Start with Spring Initializr** (Ch 1). Use `start.spring.io` or `spring init` CLI. Select starters upfront — don't add raw dependencies manually.
+
+2. **Use starters, not individual dependencies** (Ch 2). `spring-boot-starter-web` includes Tomcat, Spring MVC, Jackson, and logging at compatible versions. Never declare `spring-webmvc` + `jackson-databind` + `tomcat-embed-core` separately.
+
+3. **The main class is the only required boilerplate** (Ch 2):
+   ```java
+   @SpringBootApplication
+   public class MyApp {
+       public static void main(String[] args) {
+           SpringApplication.run(MyApp.class, args);
+       }
+   }
+   ```
+   `@SpringBootApplication` = `@Configuration` + `@EnableAutoConfiguration` + `@ComponentScan`.
+
+### Configuration (Ch 3)
+
+4. **Externalize all environment-specific values** (Ch 3). Nothing deployment-specific belongs in code. Use `application.properties` / `application.yml` for defaults.
+
+5. **Use `@ConfigurationProperties` for grouped config** (Ch 3). Bind a prefix to a POJO — type-safe, IDE-friendly, testable:
+   ```java
+   @ConfigurationProperties(prefix = "app.mail")
+   @Component
+   public class MailProperties {
+       private String host;
+       private int port = 25;
+       // getters + setters
+   }
+   ```
+
+6. **Use profiles for environment differences** (Ch 3). `application-dev.properties` overrides `application.properties` when `spring.profiles.active=dev`. Never use `if (env.equals("production"))` in code.
+
+7. **Override auto-configuration surgically** (Ch 3). Use `spring.*` properties first. Only define a `@Bean` when properties are insufficient. Annotate with `@ConditionalOnMissingBean` if providing a fallback.
+
+8. **Customize error pages declaratively** (Ch 3). Place `error/404.html`, `error/500.html` in `src/main/resources/templates/error/`. No custom `ErrorController` needed for basic cases.
+
+### Security (Ch 3)
+
+9. **Extend `WebSecurityConfigurerAdapter` only for custom rules** (Ch 3). For simple HTTP Basic with custom users, `spring.security.user.name` / `spring.security.user.password` properties suffice.
+
+10. **Always secure Actuator endpoints in production** (Ch 7). Expose only `health` and `info` publicly; require authentication for `env`, `beans`, `mappings`, `shutdown`.
+
+### REST Controllers (Ch 2)
+
+11. **Use `@RestController` for API endpoints** (Ch 2). Eliminates `@ResponseBody` on every method.
+
+12. **Return `ResponseEntity<T>` when HTTP status matters** (Ch 2). `ResponseEntity.ok(body)`, `ResponseEntity.notFound().build()`, `ResponseEntity.status(201).body(created)`.
+
+13. **Use constructor injection, not field injection** (Ch 2). Constructor injection makes dependencies explicit and enables testing without Spring context:
+    ```java
+    // Prefer this:
+    @RestController
+    public class BookController {
+        private final BookRepository repo;
+        public BookController(BookRepository repo) { this.repo = repo; }
+    }
+    ```
+
+14. **Use `Optional` from repository queries** (Ch 2). `repo.findById(id).orElseThrow(() -> new ResponseStatusException(NOT_FOUND))`.
+
+### Testing (Ch 4)
+
+15. **Match test slice to the layer being tested** (Ch 4):
+    - Web layer only → `@WebMvcTest(MyController.class)` + `MockMvc`
+    - Repository only → `@DataJpaTest`
+    - Full app → `@SpringBootTest`
+    - External service → `@MockBean` to replace
+
+16. **Use `MockMvc` for controller assertions without starting a server** (Ch 4):
+    ```java
+    mockMvc.perform(get("/books/1"))
+           .andExpect(status().isOk())
+           .andExpect(jsonPath("$.title").value("Spring Boot in Action"));
+    ```
+
+17. **Use `@MockBean` to isolate the unit under test** (Ch 4). Replaces the real bean in the Spring context with a Mockito mock — cleaner than manual wiring.
+
+18. **Test security explicitly** (Ch 4). Use `.with(user("admin").roles("ADMIN"))` or `@WithMockUser` to assert secured endpoints reject unauthenticated requests.
+
+### Actuator (Ch 7)
+
+19. **Enable Actuator in every production app** (Ch 7). Add `spring-boot-starter-actuator`. At minimum expose `health` and `info`.
+
+20. **Write custom `HealthIndicator` for critical dependencies** (Ch 7):
+    ```java
+    @Component
+    public class DatabaseHealthIndicator implements HealthIndicator {
+        @Override
+        public Health health() {
+            return canConnect() ? Health.up().build()
+                                : Health.down().withDetail("reason", "timeout").build();
+        }
+    }
+    ```
+
+21. **Add custom metrics via `MeterRegistry`** (Ch 7). Counter, gauge, timer — gives Prometheus/Grafana visibility into business events.
+
+22. **Restrict Actuator exposure in production** (Ch 7):
+    ```properties
+    management.endpoints.web.exposure.include=health,info
+    management.endpoint.health.show-details=when-authorized
+    ```
+
+### Deployment (Ch 8)
+
+23. **Package as an executable JAR by default** (Ch 8). `mvn package` produces a fat JAR with embedded Tomcat. Run with `java -jar app.jar`. No application server needed.
+
+24. **Create a production profile** (Ch 8). `application-production.properties` sets `spring.datasource.url`, disables dev tools, sets log levels to WARN.
+
+25. **Use Flyway or Liquibase for database migrations** (Ch 8). Add `spring-boot-starter-flyway`; place scripts in `classpath:db/migration/V1__init.sql`. Never use `spring.jpa.hibernate.ddl-auto=create` in production.
+
+---
+
+## Starter Cheat Sheet (Ch 2, Appendix B)
+
+| Need | Starter |
+|------|---------|
+| REST API | `spring-boot-starter-web` |
+| JPA / Hibernate | `spring-boot-starter-data-jpa` |
+| Security | `spring-boot-starter-security` |
+| Observability | `spring-boot-starter-actuator` |
+| Testing | `spring-boot-starter-test` |
+| Thymeleaf views | `spring-boot-starter-thymeleaf` |
+| Redis cache | `spring-boot-starter-data-redis` |
+| Messaging | `spring-boot-starter-amqp` |
+| DB migration | `flyway-core` |
+
+---
+
+## Code Structure Template
+
+```java
+// Main class (Ch 2)
+@SpringBootApplication
+public class LibraryApp {
+    public static void main(String[] args) {
+        SpringApplication.run(LibraryApp.class, args);
+    }
+}
+
+// Entity (Ch 2)
+@Entity
+public class Book {
+    @Id @GeneratedValue(strategy = GenerationType.IDENTITY)
+    private Long id;
+    private String title;
+    private String isbn;
+    // constructors, getters, setters
+}
+
+// Repository (Ch 2)
+public interface BookRepository extends JpaRepository<Book, Long> {
+    List<Book> findByTitleContainingIgnoreCase(String title);
+}
+
+// Service (Ch 2) — constructor injection
+@Service
+public class BookService {
+    private final BookRepository repo;
+    public BookService(BookRepository repo) { this.repo = repo; }
+
+    public Book findById(Long id) {
+        return repo.findById(id)
+                   .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));
+    }
+}
+
+// Controller (Ch 2)
+@RestController
+@RequestMapping("/api/books")
+public class BookController {
+    private final BookService service;
+    public BookController(BookService service) { this.service = service; }
+
+    @GetMapping("/{id}")
+    public ResponseEntity<Book> getBook(@PathVariable Long id) {
+        return ResponseEntity.ok(service.findById(id));
+    }
+
+    @PostMapping
+    public ResponseEntity<Book> createBook(@RequestBody Book book) {
+        Book saved = service.save(book);
+        URI location = URI.create("/api/books/" + saved.getId());
+        return ResponseEntity.created(location).body(saved);
+    }
+}
+
+// application.properties (Ch 3)
+// spring.datasource.url=jdbc:postgresql://localhost/library
+// spring.datasource.username=${DB_USER}
+// spring.datasource.password=${DB_PASS}
+// spring.jpa.hibernate.ddl-auto=validate
+// management.endpoints.web.exposure.include=health,info
+
+// application-dev.properties (Ch 3)
+// spring.datasource.url=jdbc:h2:mem:library
+// spring.jpa.hibernate.ddl-auto=create-drop
+// logging.level.org.springframework=DEBUG
+```
+
+---
+
+## Priority of Practices by Impact
+
+### Critical (Security & Correctness)
+- Ch 3: Never hardcode credentials — use `${ENV_VAR}` in properties
+- Ch 3: Secure Actuator endpoints — `env`, `beans`, `shutdown` must require auth
+- Ch 4: Test secured endpoints explicitly — assert 401/403 on unauthenticated requests
+- Ch 8: Never use `ddl-auto=create` in production — use Flyway/Liquibase
+
+### Important (Idiom & Maintainability)
+- Ch 2: Constructor injection over `@Autowired` field injection
+- Ch 2: `@RestController` over `@Controller` + `@ResponseBody` for APIs
+- Ch 2: `Optional` from repository, never `null`
+- Ch 3: `@ConfigurationProperties` over scattered `@Value` for grouped config
+- Ch 3: Profiles for environment differences — not `if` statements
+- Ch 4: `@WebMvcTest` for controller tests — not full `@SpringBootTest`
+- Ch 7: Custom `HealthIndicator` for each critical dependency
+
+### Suggestions (Polish)
+- Ch 3: Custom error pages in `templates/error/` — no code needed
+- Ch 7: Custom metrics via `MeterRegistry` for business events
+- Ch 8: Production profile disables dev tools, sets WARN log level
+- Ch 2: Use `spring-boot-devtools` in dev for live reload

package/skills/spring-boot-in-action/evals/evals.json

@@ -0,0 +1,39 @@
+{
+  "evals": [
+    {
+      "id": "eval-01-autoconfig-injection-hardcoding",
+      "prompt": "Review this Spring Boot code:\n\n```java\n@Configuration\npublic class AppConfig {\n    @Bean\n    public DataSource dataSource() {\n        DriverManagerDataSource ds = new DriverManagerDataSource();\n        ds.setUrl(\"jdbc:postgresql://prod-db.internal/orders\");\n        ds.setUsername(\"orders_user\");\n        ds.setPassword(\"S3cr3tP@ss\");\n        return ds;\n    }\n\n    @Bean\n    public ObjectMapper objectMapper() {\n        return new ObjectMapper();\n    }\n}\n\n@RestController\npublic class OrderController {\n    @Autowired\n    private OrderRepository orderRepository;\n\n    @Autowired\n    private OrderService orderService;\n\n    @GetMapping(\"/orders/{id}\")\n    public Order getOrder(@PathVariable Long id) {\n        return orderRepository.findById(id).orElse(null);\n    }\n\n    @PostMapping(\"/orders\")\n    public Order createOrder(@RequestBody Order order) {\n        return orderService.place(order);\n    }\n}\n```",
+      "expectations": [
+        "Flag Ch 2/3: Manual DataSource @Bean fights Spring Boot auto-configuration — delete AppConfig.dataSource() and move connection details to application.properties using spring.datasource.url/username/password",
+        "Flag Ch 3: Credentials hardcoded in source code — must be externalized to environment variables: spring.datasource.password=${DB_PASS}",
+        "Flag Ch 2: ObjectMapper @Bean is unnecessary — Spring Boot auto-configures Jackson; only define a custom ObjectMapper when you need to change behavior",
+        "Flag Ch 2: @Autowired field injection on OrderRepository and OrderService — replace with constructor injection for testability",
+        "Flag Ch 2: getOrder returns null (200 with null body) when not found — use Optional.map(ResponseEntity::ok).orElse(ResponseEntity.notFound().build()) or throw ResponseStatusException(NOT_FOUND)",
+        "Flag Ch 2: createOrder returns 200 — POST that creates a resource should return 201 Created with a Location header; use ResponseEntity.created(uri).body(saved)"
+      ]
+    },
+    {
+      "id": "eval-02-testing-antipatterns",
+      "prompt": "Review this Spring Boot test code:\n\n```java\n@SpringBootTest\npublic class ProductControllerTest {\n    @Autowired\n    private ProductController controller;\n\n    @Autowired\n    private ProductRepository repo;\n\n    @Test\n    public void testGetProduct() {\n        Product p = new Product(null, \"Widget\", 9.99);\n        repo.save(p);\n        Product result = controller.getProduct(p.getId());\n        assertNotNull(result);\n        assertEquals(\"Widget\", result.getName());\n    }\n\n    @Test\n    public void testCreateProduct() {\n        Product p = new Product(null, \"Gadget\", 19.99);\n        Product result = controller.createProduct(p);\n        assertNotNull(result.getId());\n    }\n\n    @Test\n    public void testAdminEndpoint() {\n        // No auth setup — just calls controller directly\n        String result = controller.adminDashboard();\n        assertNotNull(result);\n    }\n}\n```",
+      "expectations": [
+        "Flag Ch 4: @SpringBootTest loads the full application context for what are simple controller tests — use @WebMvcTest(ProductController.class) with MockMvc for fast, isolated controller tests",
+        "Flag Ch 4: Directly calling controller.getProduct() bypasses HTTP layer — no status code, content-type, or header assertions are possible; use MockMvc.perform(get(...)).andExpect(status().isOk())",
+        "Flag Ch 4: testAdminEndpoint calls controller directly with no authentication context — use @WithMockUser(roles='ADMIN') and MockMvc to assert 403 for unauthorized and 200 for authorized access",
+        "Flag Ch 4: Tests use a real ProductRepository writing to the database — in a @WebMvcTest test, use @MockBean ProductService to isolate the controller from persistence",
+        "Flag Ch 4: No negative test cases — missing test for product not found (expect 404), and no test verifying createProduct returns 201 with a Location header",
+        "Provide corrected test class using @WebMvcTest, MockMvc, @MockBean, @WithMockUser, and assertions on HTTP status codes and response JSON"
+      ]
+    },
+    {
+      "id": "eval-03-idiomatic-spring-boot",
+      "prompt": "Review this Spring Boot code:\n\n```java\n@SpringBootApplication\npublic class LibraryApp {\n    public static void main(String[] args) {\n        SpringApplication.run(LibraryApp.class, args);\n    }\n}\n\n@RestController\n@RequestMapping(\"/api/books\")\npublic class BookController {\n    private final BookService service;\n\n    public BookController(BookService service) {\n        this.service = service;\n    }\n\n    @GetMapping(\"/{id}\")\n    public ResponseEntity<Book> getBook(@PathVariable Long id) {\n        return ResponseEntity.ok(service.findById(id));\n    }\n\n    @PostMapping\n    public ResponseEntity<Book> createBook(@RequestBody Book book) {\n        Book saved = service.save(book);\n        URI location = URI.create(\"/api/books/\" + saved.getId());\n        return ResponseEntity.created(location).body(saved);\n    }\n}\n\n@Service\npublic class BookService {\n    private static final Logger log = LoggerFactory.getLogger(BookService.class);\n    private final BookRepository repo;\n\n    public BookService(BookRepository repo) { this.repo = repo; }\n\n    public Book findById(Long id) {\n        return repo.findById(id)\n                   .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));\n    }\n\n    public Book save(Book book) { return repo.save(book); }\n}\n```\n\n```properties\nspring.datasource.url=${DB_URL:jdbc:h2:mem:library}\nspring.datasource.username=${DB_USER:sa}\nspring.datasource.password=${DB_PASS:}\nspring.jpa.hibernate.ddl-auto=validate\nmanagement.endpoints.web.exposure.include=health,info\n```",
+      "expectations": [
+        "Recognize this code is idiomatic Spring Boot — do NOT manufacture issues",
+        "Acknowledge correct patterns: @SpringBootApplication (Ch 1), constructor injection in both controller and service (Ch 2), ResponseEntity with correct 200/201 status codes and Location header (Ch 2), Optional.orElseThrow with ResponseStatusException for clean 404 (Ch 2), SLF4J logger (Ch 3), externalized config with env-var defaults (Ch 3), Actuator locked to health+info (Ch 7)",
+        "At most note: ResponseStatusException could include a descriptive message like 'Book ' + id + ' not found' for better client error messages",
+        "At most suggest: adding spring-boot-starter-actuator dependency if not already present to enable the management.endpoints config",
+        "Do NOT flag the absence of @Autowired — constructor injection is the preferred style and Spring auto-wires single constructors without any annotation"
+      ]
+    }
+  ]
+}

package/skills/spring-boot-in-action/examples/after.md

@@ -0,0 +1,185 @@
+# After: Spring Boot in Action
+
+The same library API rewritten with idiomatic Spring Boot — auto-configuration, constructor injection, externalized config, profiles, proper testing, and Actuator.
+
+```java
+// @SpringBootApplication enables auto-config, component scan, config (Ch 1, 2)
+@SpringBootApplication
+public class LibraryApp {
+    public static void main(String[] args) {
+        SpringApplication.run(LibraryApp.class, args);
+    }
+}
+
+// No DatabaseConfig class needed — auto-configuration handles DataSource (Ch 2, 3)
+// Credentials externalized to application.properties via environment variables
+
+// Constructor injection — testable without Spring context (Ch 2)
+@RestController
+@RequestMapping("/api/books")
+public class BookController {
+    private final BookService service;
+
+    public BookController(BookService service) {
+        this.service = service;
+    }
+
+    // Returns 404 when not found, not null (Ch 2)
+    @GetMapping("/{id}")
+    public ResponseEntity<Book> getBook(@PathVariable Long id) {
+        return ResponseEntity.ok(service.findById(id));
+    }
+
+    // Returns 201 Created with Location header (Ch 2)
+    @PostMapping
+    public ResponseEntity<Book> createBook(@RequestBody Book book) {
+        Book saved = service.save(book);
+        URI location = URI.create("/api/books/" + saved.getId());
+        return ResponseEntity.created(location).body(saved);
+    }
+
+    @GetMapping
+    public List<Book> search(@RequestParam(required = false, defaultValue = "") String q) {
+        return service.search(q);
+    }
+}
+
+// Service with constructor injection and proper logging (Ch 2)
+@Service
+public class BookService {
+    private static final Logger log = LoggerFactory.getLogger(BookService.class);
+    private final BookRepository repo;
+
+    public BookService(BookRepository repo) {
+        this.repo = repo;
+    }
+
+    public Book findById(Long id) {
+        // Optional — 404 automatically surfaced (Ch 2)
+        return repo.findById(id)
+                   .orElseThrow(() -> new ResponseStatusException(
+                       HttpStatus.NOT_FOUND, "Book " + id + " not found"));
+    }
+
+    public Book save(Book book) {
+        return repo.save(book);
+    }
+
+    public List<Book> search(String query) {
+        log.debug("Searching for: {}", query);  // proper logger, not println (Ch 3)
+        return query.isBlank()
+                ? repo.findAll()
+                : repo.findByTitleContainingIgnoreCase(query);
+    }
+}
+
+// Repository — Spring Data does the rest (Ch 2)
+public interface BookRepository extends JpaRepository<Book, Long> {
+    List<Book> findByTitleContainingIgnoreCase(String title);
+}
+
+// Type-safe configuration object (Ch 3)
+@ConfigurationProperties(prefix = "app.library")
+@Component
+public class LibraryProperties {
+    private int maxSearchResults = 50;
+    private String defaultSortField = "title";
+    // getters + setters
+}
+
+// Custom health indicator for critical dependency (Ch 7)
+@Component
+public class StorageHealthIndicator implements HealthIndicator {
+    private final BookRepository repo;
+    public StorageHealthIndicator(BookRepository repo) { this.repo = repo; }
+
+    @Override
+    public Health health() {
+        try {
+            long count = repo.count();
+            return Health.up().withDetail("books", count).build();
+        } catch (Exception e) {
+            return Health.down().withDetail("error", e.getMessage()).build();
+        }
+    }
+}
+
+// Controller slice test — no full context, fast (Ch 4)
+@WebMvcTest(BookController.class)
+public class BookControllerTest {
+    @Autowired
+    private MockMvc mockMvc;
+
+    @MockBean
+    private BookService service;  // real service replaced with mock (Ch 4)
+
+    @Test
+    void getBook_returnsOk() throws Exception {
+        Book book = new Book(1L, "Spring Boot in Action", "9781617292545");
+        given(service.findById(1L)).willReturn(book);
+
+        mockMvc.perform(get("/api/books/1"))
+               .andExpect(status().isOk())
+               .andExpect(jsonPath("$.title").value("Spring Boot in Action"));
+    }
+
+    @Test
+    void getBook_returns404WhenNotFound() throws Exception {
+        given(service.findById(99L))
+            .willThrow(new ResponseStatusException(HttpStatus.NOT_FOUND));
+
+        mockMvc.perform(get("/api/books/99"))
+               .andExpect(status().isNotFound());
+    }
+
+    @Test
+    @WithMockUser(roles = "USER")
+    void createBook_returns201() throws Exception {
+        Book book = new Book(null, "New Book", "1234567890");
+        Book saved = new Book(1L, "New Book", "1234567890");
+        given(service.save(any())).willReturn(saved);
+
+        mockMvc.perform(post("/api/books")
+                   .contentType(MediaType.APPLICATION_JSON)
+                   .content("{\"title\":\"New Book\",\"isbn\":\"1234567890\"}"))
+               .andExpect(status().isCreated())
+               .andExpect(header().string("Location", "/api/books/1"));
+    }
+}
+```
+
+```properties
+# application.properties — base config, all env-specific values externalized (Ch 3)
+spring.datasource.url=${DB_URL:jdbc:h2:mem:library}
+spring.datasource.username=${DB_USER:sa}
+spring.datasource.password=${DB_PASS:}
+spring.jpa.hibernate.ddl-auto=validate
+
+# Actuator — health and info only exposed publicly (Ch 7)
+management.endpoints.web.exposure.include=health,info
+management.endpoint.health.show-details=when-authorized
+
+# application-dev.properties — dev overrides (Ch 3)
+# spring.datasource.url=jdbc:h2:mem:library
+# spring.jpa.hibernate.ddl-auto=create-drop
+# logging.level.com.example=DEBUG
+# management.endpoints.web.exposure.include=*
+
+# application-production.properties — production hardening (Ch 8)
+# spring.jpa.hibernate.ddl-auto=validate
+# logging.level.root=WARN
+# management.endpoints.web.exposure.include=health,info
+```
+
+**Key improvements:**
+- `@SpringBootApplication` enables auto-configuration — no manual `DataSource` bean (Ch 2)
+- Credentials externalized to env vars via `${DB_URL}` — never hardcoded (Ch 3)
+- Constructor injection throughout — testable without Spring context (Ch 2)
+- `ResponseEntity` with correct status codes: 200, 201, 404 (Ch 2)
+- `Optional` → `orElseThrow` → `ResponseStatusException` — clean 404 (Ch 2)
+- `@ConfigurationProperties` for grouped app config (Ch 3)
+- `@WebMvcTest` + `@MockBean` — fast, isolated controller tests (Ch 4)
+- `@WithMockUser` — security tested explicitly (Ch 4)
+- Custom `HealthIndicator` — DB health visible in Actuator (Ch 7)
+- Actuator locked down — only `health` and `info` public (Ch 7)
+- Profile-based properties — no env checks in code (Ch 3, 8)

package/skills/spring-boot-in-action/examples/before.md

@@ -0,0 +1,84 @@
+# Before: Spring Boot in Action
+
+A book library REST API with common Spring Boot anti-patterns — manual configuration fighting auto-config, field injection, hardcoded values, missing tests, and no Actuator.
+
+```java
+// Main class missing @SpringBootApplication — won't auto-configure anything
+@Configuration
+@ComponentScan
+public class LibraryApp {
+    public static void main(String[] args) {
+        SpringApplication.run(LibraryApp.class, args);
+    }
+}
+
+// Manual DataSource bean — fights auto-configuration (Ch 2, 3)
+@Configuration
+public class DatabaseConfig {
+    @Bean
+    public DataSource dataSource() {
+        DriverManagerDataSource ds = new DriverManagerDataSource();
+        ds.setDriverClassName("org.postgresql.Driver");
+        ds.setUrl("jdbc:postgresql://localhost/library");  // hardcoded (Ch 3)
+        ds.setUsername("admin");                           // hardcoded credential!
+        ds.setPassword("secret123");                       // hardcoded credential!
+        return ds;
+    }
+}
+
+// Field injection — untestable without Spring context (Ch 2)
+@RestController
+public class BookController {
+    @Autowired
+    private BookRepository bookRepository;
+
+    @Autowired
+    private BookService bookService;
+
+    // Returns null instead of 404 when book not found (Ch 2)
+    @GetMapping("/books/{id}")
+    public Book getBook(@PathVariable Long id) {
+        return bookRepository.findById(id).orElse(null);  // null slips to client
+    }
+
+    // No status code — always returns 200 even on create (Ch 2)
+    @PostMapping("/books")
+    @ResponseBody
+    public Book createBook(@RequestBody Book book) {
+        return bookRepository.save(book);
+    }
+}
+
+// Service with field injection and no error handling
+@Service
+public class BookService {
+    @Autowired
+    private BookRepository bookRepository;
+
+    public List<Book> search(String query) {
+        // Environment check in code instead of using profiles (Ch 3)
+        if (System.getProperty("env").equals("dev")) {
+            System.out.println("Searching for: " + query);  // println not logger
+        }
+        return bookRepository.findAll();  // returns everything, ignores query
+    }
+}
+
+// Test that boots full context just to test one controller method (Ch 4)
+@SpringBootTest
+public class BookControllerTest {
+    @Autowired
+    private BookController controller;
+
+    @Test
+    public void testGetBook() {
+        // Direct controller call — no HTTP semantics, no status code testing
+        Book result = controller.getBook(1L);
+        assertNotNull(result);
+    }
+}
+
+// application.properties — missing externalized config
+// (no datasource url, credentials baked into Java code above)
+// spring.jpa.hibernate.ddl-auto=create  // destroys data on restart!
+```

package/skills/spring-boot-in-action/references/practices-catalog.md

@@ -0,0 +1,403 @@
+# Spring Boot in Action — Practices Catalog
+
+Before/after examples from each chapter group.
+
+---
+
+## Auto-Configuration: Let Boot Do Its Job (Ch 2, 3)
+
+**Before — manual DataSource fighting auto-config:**
+```java
+@Configuration
+public class DatabaseConfig {
+    @Bean
+    public DataSource dataSource() {
+        DriverManagerDataSource ds = new DriverManagerDataSource();
+        ds.setUrl("jdbc:postgresql://localhost/mydb");
+        ds.setUsername("user");
+        ds.setPassword("pass");
+        return ds;
+    }
+}
+```
+**After — delete the class; use properties:**
+```properties
+spring.datasource.url=jdbc:postgresql://localhost/mydb
+spring.datasource.username=${DB_USER}
+spring.datasource.password=${DB_PASS}
+```
+Spring Boot auto-configures a connection pool (HikariCP) from these properties automatically.
+
+---
+
+## Overriding Auto-Configuration Surgically (Ch 3)
+
+**When auto-config is not enough — extend, don't replace:**
+```java
+// Wrong: replaces all security auto-config
+@Configuration
+public class SecurityConfig extends WebSecurityConfigurerAdapter {
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http.authorizeRequests().anyRequest().permitAll();  // disables everything
+    }
+}
+
+// Right: override only what differs (Ch 3)
+@Configuration
+public class SecurityConfig extends WebSecurityConfigurerAdapter {
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http
+            .authorizeRequests()
+                .antMatchers("/api/public/**").permitAll()
+                .anyRequest().authenticated()
+            .and()
+            .httpBasic();
+    }
+}
+```
+
+---
+
+## Externalized Configuration (Ch 3)
+
+**Before — hardcoded values:**
+```java
+@Service
+public class MailService {
+    private String host = "smtp.gmail.com";   // hardcoded
+    private int port = 587;                    // hardcoded
+    private int timeout = 5000;               // hardcoded
+}
+```
+**After — `@ConfigurationProperties` (type-safe, testable):**
+```java
+@ConfigurationProperties(prefix = "app.mail")
+@Component
+public class MailProperties {
+    private String host;
+    private int port = 587;
+    private int timeoutMs = 5000;
+    // getters + setters
+}
+```
+```properties
+# application.properties
+app.mail.host=smtp.gmail.com
+app.mail.port=587
+app.mail.timeout-ms=5000
+```
+
+---
+
+## Profiles for Environment Differences (Ch 3)
+
+**Before — environment check in code:**
+```java
+@Bean
+public DataSource dataSource() {
+    if (System.getProperty("env").equals("dev")) {
+        return new EmbeddedDatabaseBuilder().setType(H2).build();
+    }
+    return productionDataSource();  // messy
+}
+```
+**After — profile-specific properties files:**
+```properties
+# application.properties (defaults)
+spring.datasource.url=jdbc:postgresql://${DB_HOST:localhost}/myapp
+
+# application-dev.properties (activated by: spring.profiles.active=dev)
+spring.datasource.url=jdbc:h2:mem:myapp
+spring.jpa.hibernate.ddl-auto=create-drop
+logging.level.org.springframework=DEBUG
+
+# application-production.properties
+spring.jpa.hibernate.ddl-auto=validate
+logging.level.root=WARN
+```
+```java
+// Profile-specific beans (Ch 3)
+@Bean
+@Profile("dev")
+public DataSource devDataSource() { ... }
+
+@Bean
+@Profile("production")
+public DataSource prodDataSource() { ... }
+```
+
+---
+
+## Constructor Injection (Ch 2)
+
+**Before — field injection, untestable:**
+```java
+@Service
+public class OrderService {
+    @Autowired
+    private OrderRepository repo;  // can't test without Spring context
+
+    @Autowired
+    private PaymentGateway gateway;
+}
+```
+**After — constructor injection:**
+```java
+@Service
+public class OrderService {
+    private final OrderRepository repo;
+    private final PaymentGateway gateway;
+
+    public OrderService(OrderRepository repo, PaymentGateway gateway) {
+        this.repo = repo;
+        this.gateway = gateway;
+    }
+    // Now testable: new OrderService(mockRepo, mockGateway)
+}
+```
+
+---
+
+## REST Controllers: Status Codes & ResponseEntity (Ch 2)
+
+**Before — always 200, null on missing:**
+```java
+@GetMapping("/users/{id}")
+public User getUser(@PathVariable Long id) {
+    return repo.findById(id).orElse(null);  // 200 with null body
+}
+
+@PostMapping("/users")
+public User createUser(@RequestBody User user) {
+    return repo.save(user);  // 200, should be 201
+}
+```
+**After — correct HTTP semantics:**
+```java
+@GetMapping("/users/{id}")
+public ResponseEntity<User> getUser(@PathVariable Long id) {
+    return repo.findById(id)
+               .map(ResponseEntity::ok)
+               .orElse(ResponseEntity.notFound().build());  // 404
+}
+
+@PostMapping("/users")
+public ResponseEntity<User> createUser(@RequestBody User user) {
+    User saved = repo.save(user);
+    URI location = URI.create("/users/" + saved.getId());
+    return ResponseEntity.created(location).body(saved);  // 201 + Location
+}
+```
+
+---
+
+## Testing: Match Slice to Layer (Ch 4)
+
+**Before — full context for every test (slow):**
+```java
+@SpringBootTest  // loads ALL beans — overkill for a controller test
+public class ProductControllerTest {
+    @Autowired
+    private ProductController controller;
+
+    @Test
+    public void testGet() {
+        // No HTTP semantics, no status code, no content-type testing
+        assertNotNull(controller.getProduct(1L));
+    }
+}
+```
+**After — slice tests by layer:**
+```java
+// Controller slice — only web layer, MockMvc, no DB (Ch 4)
+@WebMvcTest(ProductController.class)
+public class ProductControllerTest {
+    @Autowired
+    private MockMvc mockMvc;
+
+    @MockBean
+    private ProductService service;
+
+    @Test
+    void getProduct_found() throws Exception {
+        given(service.findById(1L)).willReturn(new Product(1L, "Widget", 9.99));
+
+        mockMvc.perform(get("/api/products/1").accept(MediaType.APPLICATION_JSON))
+               .andExpect(status().isOk())
+               .andExpect(jsonPath("$.name").value("Widget"))
+               .andExpect(jsonPath("$.price").value(9.99));
+    }
+
+    @Test
+    void getProduct_notFound() throws Exception {
+        given(service.findById(99L))
+            .willThrow(new ResponseStatusException(HttpStatus.NOT_FOUND));
+
+        mockMvc.perform(get("/api/products/99"))
+               .andExpect(status().isNotFound());
+    }
+}
+
+// Repository slice — real DB (H2 in-memory), no web layer (Ch 4)
+@DataJpaTest
+public class ProductRepositoryTest {
+    @Autowired
+    private ProductRepository repo;
+
+    @Test
+    void findByName_returnsMatches() {
+        repo.save(new Product(null, "Blue Widget", 9.99));
+        List<Product> found = repo.findByNameContaining("Widget");
+        assertThat(found).hasSize(1);
+    }
+}
+
+// Full stack test — only when testing HTTP ↔ DB integration (Ch 4)
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
+public class ProductIntegrationTest {
+    @Autowired
+    private TestRestTemplate restTemplate;
+
+    @Test
+    void createAndFetch() {
+        ResponseEntity<Product> created = restTemplate
+            .postForEntity("/api/products", new Product(null, "Gadget", 19.99), Product.class);
+        assertThat(created.getStatusCode()).isEqualTo(HttpStatus.CREATED);
+    }
+}
+```
+
+---
+
+## Testing Security (Ch 4)
+
+```java
+@WebMvcTest(AdminController.class)
+public class AdminControllerTest {
+
+    @Autowired
+    private MockMvc mockMvc;
+
+    @Test
+    void adminEndpoint_rejectsAnonymous() throws Exception {
+        mockMvc.perform(get("/admin/dashboard"))
+               .andExpect(status().isUnauthorized());  // or 403 depending on config
+    }
+
+    @Test
+    @WithMockUser(roles = "ADMIN")
+    void adminEndpoint_allowsAdmin() throws Exception {
+        mockMvc.perform(get("/admin/dashboard"))
+               .andExpect(status().isOk());
+    }
+
+    @Test
+    @WithMockUser(roles = "USER")
+    void adminEndpoint_rejectsUser() throws Exception {
+        mockMvc.perform(get("/admin/dashboard"))
+               .andExpect(status().isForbidden());
+    }
+}
+```
+
+---
+
+## Actuator: Health, Metrics, Custom Indicators (Ch 7)
+
+```java
+// Custom HealthIndicator (Ch 7)
+@Component
+public class ExternalApiHealthIndicator implements HealthIndicator {
+    private final RestTemplate restTemplate;
+
+    public ExternalApiHealthIndicator(RestTemplate restTemplate) {
+        this.restTemplate = restTemplate;
+    }
+
+    @Override
+    public Health health() {
+        try {
+            ResponseEntity<String> resp = restTemplate.getForEntity(
+                "https://api.partner.com/health", String.class);
+            if (resp.getStatusCode().is2xxSuccessful()) {
+                return Health.up().withDetail("partner-api", "reachable").build();
+            }
+            return Health.down().withDetail("status", resp.getStatusCode()).build();
+        } catch (Exception e) {
+            return Health.down(e).build();
+        }
+    }
+}
+
+// Custom counter metric (Ch 7)
+@Service
+public class OrderService {
+    private final Counter ordersCreated;
+
+    public OrderService(MeterRegistry registry) {
+        this.ordersCreated = Counter.builder("orders.created")
+            .description("Total orders placed")
+            .register(registry);
+    }
+
+    public Order place(Order order) {
+        Order saved = repo.save(order);
+        ordersCreated.increment();  // visible in /actuator/metrics
+        return saved;
+    }
+}
+```
+
+```properties
+# Secure Actuator — expose only what's needed (Ch 7)
+management.endpoints.web.exposure.include=health,info,metrics
+management.endpoint.health.show-details=when-authorized
+management.endpoint.shutdown.enabled=false
+```
+
+---
+
+## Deployment: JAR, Profiles, Flyway (Ch 8)
+
+```xml
+<!-- pom.xml: flyway for production migrations (Ch 8) -->
+<dependency>
+    <groupId>org.flywaydb</groupId>
+    <artifactId>flyway-core</artifactId>
+</dependency>
+```
+
+```sql
+-- src/main/resources/db/migration/V1__create_books.sql
+CREATE TABLE book (
+    id BIGSERIAL PRIMARY KEY,
+    title VARCHAR(255) NOT NULL,
+    isbn VARCHAR(20) UNIQUE NOT NULL
+);
+```
+
+```properties
+# application-production.properties (Ch 8)
+# Never use create or create-drop in production
+spring.jpa.hibernate.ddl-auto=validate
+spring.flyway.enabled=true
+
+# Disable dev tools
+spring.devtools.restart.enabled=false
+
+# Tighten logging
+logging.level.root=WARN
+logging.level.com.example=INFO
+
+# Actuator: health only
+management.endpoints.web.exposure.include=health
+management.endpoint.health.show-details=never
+```
+
+```bash
+# Build and run (Ch 8)
+mvn clean package -DskipTests
+java -jar target/library-1.0.0.jar --spring.profiles.active=production
+```

package/skills/spring-boot-in-action/scripts/review.py

@@ -0,0 +1,184 @@
+#!/usr/bin/env python3
+"""
+review.py — Pre-analysis script for Spring Boot in Action reviews.
+Usage: python review.py <file.java|application.properties|application.yml>
+
+Scans Spring Boot source files for anti-patterns from the book:
+field injection, hardcoded credentials, missing ResponseEntity, auto-config
+fighting, wrong test annotations, missing Actuator security, and ddl-auto=create.
+"""
+
+import re
+import sys
+from pathlib import Path
+
+
+JAVA_CHECKS = [
+    (
+        r"@Autowired\s*\n\s*(private|protected)",
+        "Ch 2: Field injection (@Autowired on field)",
+        "use constructor injection — fields with @Autowired are not testable without Spring context",
+    ),
+    (
+        r"DriverManagerDataSource|BasicDataSource|HikariDataSource",
+        "Ch 2/3: Manual DataSource bean",
+        "delete this bean and set spring.datasource.* in application.properties — Boot auto-configures HikariCP",
+    ),
+    (
+        r"orElse\(null\)",
+        "Ch 2: orElse(null) returns null to client",
+        "use .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND)) or .map(ResponseEntity::ok).orElse(ResponseEntity.notFound().build())",
+    ),
+    (
+        r'setPassword\s*\(\s*"[^"$][^"]*"',
+        "Ch 3: Hardcoded password",
+        "externalize to environment variable: spring.datasource.password=${DB_PASS}",
+    ),
+    (
+        r'setUsername\s*\(\s*"[^"$][^"]*"',
+        "Ch 3: Hardcoded username",
+        "externalize to environment variable: spring.datasource.username=${DB_USER}",
+    ),
+    (
+        r"new ObjectMapper\(\)",
+        "Ch 2: Manual ObjectMapper construction",
+        "Spring Boot auto-configures Jackson — inject ObjectMapper bean or configure via spring.jackson.* properties",
+    ),
+    (
+        r"@SpringBootTest\b(?!.*WebEnvironment)",
+        "Ch 4: @SpringBootTest without WebEnvironment",
+        "for controller tests use @WebMvcTest; for repository tests use @DataJpaTest; full @SpringBootTest only for integration tests",
+    ),
+    (
+        r"System\.out\.println",
+        "Ch 3: System.out.println instead of logger",
+        "use SLF4J: private static final Logger log = LoggerFactory.getLogger(MyClass.class)",
+    ),
+    (
+        r'@Value\s*\(\s*"\$\{[^}]+\}"\s*\)(?:[\s\S]{0,200}@Value\s*\(\s*"\$\{){2}',
+        "Ch 3: Multiple @Value annotations",
+        "group related config values in a @ConfigurationProperties class with a prefix",
+    ),
+]
+
+PROPERTIES_CHECKS = [
+    (
+        r"ddl-auto\s*=\s*(create|create-drop)(?!\s*#.*test)",
+        "Ch 8: ddl-auto=create or create-drop",
+        "destroys data on restart — use 'validate' in production; use Flyway/Liquibase for migrations",
+    ),
+    (
+        r"management\.endpoints\.web\.exposure\.include\s*=\s*\*",
+        "Ch 7: Actuator exposes all endpoints",
+        "restrict to: management.endpoints.web.exposure.include=health,info — never expose env, beans, or shutdown publicly",
+    ),
+    (
+        r"spring\.security\.user\.password\s*=\s*(?!(\$\{|\s*$))",
+        "Ch 3: Hardcoded security password in properties",
+        "use environment variable: spring.security.user.password=${ADMIN_PASS}",
+    ),
+    (
+        r"datasource\.password\s*=\s*(?!\$\{)(\S+)",
+        "Ch 3: Hardcoded datasource password",
+        "use environment variable: spring.datasource.password=${DB_PASS}",
+    ),
+    (
+        r"datasource\.url\s*=\s*jdbc:[a-z]+://(?!(\$\{|localhost|127\.0\.0\.1))\S+",
+        "Ch 3: Hardcoded production datasource URL",
+        "use environment variable: spring.datasource.url=${DB_URL}",
+    ),
+]
+
+
+def scan_java(source: str) -> list[dict]:
+    findings = []
+    lines = source.splitlines()
+    for lineno, line in enumerate(lines, start=1):
+        if line.strip().startswith("//"):
+            continue
+        for pattern, label, advice in JAVA_CHECKS:
+            if re.search(pattern, line):
+                findings.append({"line": lineno, "text": line.rstrip(), "label": label, "advice": advice})
+    return findings
+
+
+def scan_properties(source: str) -> list[dict]:
+    findings = []
+    lines = source.splitlines()
+    for lineno, line in enumerate(lines, start=1):
+        if line.strip().startswith("#"):
+            continue
+        for pattern, label, advice in PROPERTIES_CHECKS:
+            if re.search(pattern, line):
+                findings.append({"line": lineno, "text": line.rstrip(), "label": label, "advice": advice})
+    return findings
+
+
+def sep(char="-", width=70) -> str:
+    return char * width
+
+
+def main() -> None:
+    if len(sys.argv) < 2:
+        print("Usage: python review.py <file.java|application.properties|application.yml>")
+        sys.exit(1)
+
+    path = Path(sys.argv[1])
+    if not path.exists():
+        print(f"Error: file not found: {path}")
+        sys.exit(1)
+
+    source = path.read_text(encoding="utf-8", errors="replace")
+
+    if path.suffix == ".java":
+        findings = scan_java(source)
+        file_type = "Java"
+    elif path.suffix in (".properties", ".yml", ".yaml"):
+        findings = scan_properties(source)
+        file_type = "Properties/YAML"
+    else:
+        print(f"Warning: unsupported extension '{path.suffix}' — scanning as Java")
+        findings = scan_java(source)
+        file_type = "Unknown"
+
+    groups: dict[str, list] = {}
+    for f in findings:
+        groups.setdefault(f["label"], []).append(f)
+
+    print(sep("="))
+    print("SPRING BOOT IN ACTION — PRE-REVIEW REPORT")
+    print(sep("="))
+    print(f"File   : {path}  ({file_type})")
+    print(f"Lines  : {len(source.splitlines())}")
+    print(f"Issues : {len(findings)} potential anti-patterns across {len(groups)} categories")
+    print()
+
+    if not findings:
+        print("  [OK] No common Spring Boot anti-patterns detected.")
+        print()
+    else:
+        for label, items in groups.items():
+            print(sep())
+            print(f"  {label}  ({len(items)} occurrence{'s' if len(items) != 1 else ''})")
+            print(sep())
+            print(f"  Advice: {items[0]['advice']}")
+            print()
+            for item in items[:5]:
+                print(f"  line {item['line']:>4}:  {item['text'][:100]}")
+            if len(items) > 5:
+                print(f"  ... and {len(items) - 5} more")
+            print()
+
+    severity = (
+        "HIGH" if len(findings) >= 5
+        else "MEDIUM" if len(findings) >= 2
+        else "LOW" if findings
+        else "NONE"
+    )
+    print(sep("="))
+    print(f"SEVERITY: {severity}  |  Key chapters: Ch 2 (injection/REST), Ch 3 (config/profiles), Ch 4 (testing), Ch 7 (Actuator), Ch 8 (deployment)")
+    print(sep("="))
+
+
+if __name__ == "__main__":
+    main()