@booklib/skills 1.4.0 → 1.5.1

package/CLAUDE.md

@@ -1,6 +1,6 @@
 # booklib-ai/skills
 
-21 AI agent skills grounded in canonical programming books. Each skill packages expert practices from a specific book into reusable instructions that Claude and other AI agents can apply to code generation, code review, and design decisions.
+22 AI agent skills grounded in canonical programming books. Each skill packages expert practices from a specific book into reusable instructions that Claude and other AI agents can apply to code generation, code review, and design decisions.
 
 ## Quick Install
 
@@ -25,6 +25,7 @@ npx skills add booklib-ai/skills --all -g
 | `kotlin-in-action` | Kotlin in Action |
 | `programming-with-rust` | Programming with Rust — Donis Marshall |
 | `rust-in-action` | Rust in Action — Tim McNamara |
+| `spring-boot-in-action` | Spring Boot in Action — Craig Walls |
 | `lean-startup` | The Lean Startup — Eric Ries |
 | `microservices-patterns` | Microservices Patterns — Chris Richardson |
 | `refactoring-ui` | Refactoring UI — Adam Wathan & Steve Schoger |
@@ -54,4 +55,4 @@ See [CONTRIBUTING.md](./CONTRIBUTING.md) for how to add a new skill. Each skill
 npx @booklib/skills check <skill-name>
 ```
 
-All 21 existing skills are at Platinum (13/13 checks).
+All 22 existing skills are at Platinum (13/13 checks).

package/README.md

@@ -134,6 +134,7 @@ This means skills compose: `skill-router` acts as an orchestrator that picks the
 | 🔷 [effective-typescript](./skills/effective-typescript/) | TypeScript best practices from Dan Vanderkam's *Effective TypeScript* — type system, type design, avoiding any, type declarations, and migration |
 | 🦀 [programming-with-rust](./skills/programming-with-rust/) | Rust practices from Donis Marshall's *Programming with Rust* — ownership, borrowing, lifetimes, error handling, traits, and fearless concurrency |
 | ⚙️ [rust-in-action](./skills/rust-in-action/) | Systems programming from Tim McNamara's *Rust in Action* — smart pointers, endianness, memory, file formats, TCP networking, concurrency, and OS fundamentals |
+| 🌱 [spring-boot-in-action](./skills/spring-boot-in-action/) | Spring Boot best practices from Craig Walls' *Spring Boot in Action* — auto-configuration, starters, externalized config, profiles, testing with MockMvc, Actuator, and deployment |
 | ⚡ [kotlin-in-action](./skills/kotlin-in-action/) | Practices from *Kotlin in Action* (2nd Ed) — functions, classes, lambdas, nullability, and coroutines |
 | 🚀 [lean-startup](./skills/lean-startup/) | Practices from Eric Ries' *The Lean Startup* — MVP testing, validated learning, Build-Measure-Learn loop, and pivots |
 | 🔧 [microservices-patterns](./skills/microservices-patterns/) | Expert guidance on microservices patterns from Chris Richardson's *Microservices Patterns* — decomposition, sagas, API gateways, event sourcing, CQRS, and service mesh |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@booklib/skills",
-  "version": "1.4.0",
+  "version": "1.5.1",
   "description": "Book knowledge distilled into structured AI skills for Claude Code and other AI assistants",
   "bin": {
     "skills": "bin/skills.js"

package/skills/effective-typescript/evals/evals.json

@@ -29,6 +29,7 @@
         "Recognize that this code is already applying Effective TypeScript principles correctly",
         "Acknowledge Item 37 (branded OrderId), Item 33 (OrderStatus literal union), Item 28/32 (tagged union OrderResult), Item 17 (readonly fields), Item 42 (unknown from JSON), Item 40 (assertion inside well-typed function), Item 25 (async/await), Item 48 (TSDoc)",
         "Do NOT manufacture issues — the code is well-typed",
+        "At most note: raw as Order on the last line is a narrowly scoped assertion (Item 40) — acceptable inside a well-typed wrapper, but mention that a runtime validator (e.g. zod) would catch malformed API responses that TypeScript cannot",
         "At most offer minor suggestions, clearly marked as optional polish"
       ]
     }

package/skills/effective-typescript/scripts/review.py

@@ -0,0 +1,169 @@
+#!/usr/bin/env python3
+"""
+review.py — Pre-analysis script for Effective TypeScript reviews.
+Usage: python review.py <file.ts|file.tsx>
+
+Scans a TypeScript source file for anti-patterns from the book's 62 items:
+any usage, type assertions, object wrapper types, non-null assertions,
+missing strict mode, interface-of-unions, plain string types, and more.
+"""
+
+import re
+import sys
+from pathlib import Path
+
+
+CHECKS = [
+    (
+        r":\s*any\b",
+        "Item 5/38: any type annotation",
+        "replace with a specific type, generic parameter, or unknown for truly unknown values",
+    ),
+    (
+        r"\bas\s+any\b",
+        "Item 38/40: 'as any' assertion",
+        "scope 'as any' as narrowly as possible — hide inside a well-typed wrapper function; prefer 'as unknown as T' for safer double assertion",
+    ),
+    (
+        r"\bString\b|\bNumber\b|\bBoolean\b|\bObject\b|\bSymbol\b",
+        "Item 10: Object wrapper type (String/Number/Boolean)",
+        "use primitive types: string, number, boolean — never the wrapper class types",
+    ),
+    (
+        r"!\.",
+        "Item 28/31: Non-null assertion (!).",
+        "non-null assertions are usually a symptom of an imprecise type — fix the type instead; consider optional chaining (?.) or a type guard",
+    ),
+    (
+        r"@ts-ignore|@ts-nocheck",
+        "Item 38: @ts-ignore suppresses type errors",
+        "fix the underlying type issue; if unavoidable use @ts-expect-error with a comment explaining why",
+    ),
+    (
+        r"function\s+\w+[^{]*\{[^}]{0,20}\}",
+        None,  # skip — too noisy
+        None,
+    ),
+    (
+        r"interface\s+\w+\s*\{[^}]*\?[^}]*\?[^}]*\}",
+        "Item 32: Interface with multiple optional fields",
+        "multiple optional fields that have implicit relationships suggest an interface-of-unions — convert to a tagged discriminated union",
+    ),
+    (
+        r"param(?:eter)?\s*:\s*string(?!\s*[|&])",
+        "Item 33: Plain string parameter",
+        "consider a string literal union if the parameter has a finite set of valid values (e.g. 'asc' | 'desc')",
+    ),
+    (
+        r"\.json\(\)\s*as\s+\w",
+        "Item 9/40: Direct type assertion on .json()",
+        "assign to unknown first, then narrow: 'const raw: unknown = await res.json()' — assertion inside a well-typed wrapper is acceptable (Item 40)",
+    ),
+    (
+        r"Promise<any>",
+        "Item 38: Promise<any> return type",
+        "replace with Promise<unknown> or a concrete type — Promise<any> disables type checking on the resolved value",
+    ),
+]
+
+
+def scan(source: str) -> list[dict]:
+    findings = []
+    lines = source.splitlines()
+    for lineno, line in enumerate(lines, start=1):
+        stripped = line.strip()
+        if stripped.startswith("//") or stripped.startswith("*"):
+            continue
+        for pattern, label, advice in CHECKS:
+            if label is None:
+                continue
+            if re.search(pattern, line):
+                findings.append({
+                    "line": lineno,
+                    "text": line.rstrip(),
+                    "label": label,
+                    "advice": advice,
+                })
+    return findings
+
+
+def check_strict(source: str) -> bool:
+    """Returns True if this looks like a tsconfig with strict mode enabled."""
+    return bool(re.search(r'"strict"\s*:\s*true', source))
+
+
+def sep(char="-", width=70) -> str:
+    return char * width
+
+
+def main() -> None:
+    if len(sys.argv) < 2:
+        print("Usage: python review.py <file.ts|file.tsx>")
+        sys.exit(1)
+
+    path = Path(sys.argv[1])
+    if not path.exists():
+        print(f"Error: file not found: {path}")
+        sys.exit(1)
+
+    if path.suffix.lower() not in (".ts", ".tsx", ".json"):
+        print(f"Warning: expected .ts/.tsx, got '{path.suffix}' — continuing anyway")
+
+    source = path.read_text(encoding="utf-8", errors="replace")
+
+    # Special case: tsconfig.json
+    if path.name == "tsconfig.json":
+        print(sep("="))
+        print("EFFECTIVE TYPESCRIPT — TSCONFIG CHECK")
+        print(sep("="))
+        if check_strict(source):
+            print("  [OK] strict: true is enabled (Item 2)")
+        else:
+            print("  [!] strict: true is NOT enabled — Item 2: always enable strict mode")
+            print("       Add: \"strict\": true to compilerOptions")
+        print()
+        print(sep("="))
+        return
+
+    findings = scan(source)
+    groups: dict[str, list] = {}
+    for f in findings:
+        groups.setdefault(f["label"], []).append(f)
+
+    print(sep("="))
+    print("EFFECTIVE TYPESCRIPT — PRE-REVIEW REPORT")
+    print(sep("="))
+    print(f"File   : {path}")
+    print(f"Lines  : {len(source.splitlines())}")
+    print(f"Issues : {len(findings)} potential violations across {len(groups)} categories")
+    print()
+
+    if not findings:
+        print("  [OK] No common Effective TypeScript anti-patterns detected.")
+        print()
+    else:
+        for label, items in groups.items():
+            print(sep())
+            print(f"  {label}  ({len(items)} occurrence{'s' if len(items) != 1 else ''})")
+            print(sep())
+            print(f"  Advice: {items[0]['advice']}")
+            print()
+            for item in items[:5]:
+                print(f"  line {item['line']:>4}:  {item['text'][:100]}")
+            if len(items) > 5:
+                print(f"  ... and {len(items) - 5} more")
+            print()
+
+    severity = (
+        "HIGH" if len(findings) >= 5
+        else "MEDIUM" if len(findings) >= 2
+        else "LOW" if findings
+        else "NONE"
+    )
+    print(sep("="))
+    print(f"SEVERITY: {severity}  |  Key items: Item 2 (strict), Item 5/38 (any/unknown), Item 9 (assertions), Item 28/32 (tagged unions), Item 33 (literal types)")
+    print(sep("="))
+
+
+if __name__ == "__main__":
+    main()

package/skills/programming-with-rust/scripts/review.py

@@ -0,0 +1,142 @@
+#!/usr/bin/env python3
+"""
+review.py — Pre-analysis script for Programming with Rust reviews.
+Usage: python review.py <file.rs>
+
+Scans a Rust source file for anti-patterns from the book:
+unwrap misuse, unnecessary cloning, unsafe shared state, manual index loops,
+missing Result return types, static mut, and more.
+"""
+
+import re
+import sys
+from pathlib import Path
+
+
+CHECKS = [
+    (
+        r"\.unwrap\(\)",
+        "Ch 12: .unwrap()",
+        "panics on failure in production paths — use ?, .expect(\"reason\"), or match",
+    ),
+    (
+        r"\.clone\(\)",
+        "Ch 8: .clone()",
+        "verify cloning is necessary — prefer borrowing (&T or &mut T) to avoid heap allocation",
+    ),
+    (
+        r"static\s+mut\s+\w+",
+        "Ch 19: static mut",
+        "data race risk — replace with Arc<Mutex<T>> or std::sync::atomic types",
+    ),
+    (
+        r"unsafe\s*\{",
+        "Ch 20: unsafe block",
+        "minimize unsafe scope; add a // SAFETY: comment explaining the invariant being upheld",
+    ),
+    (
+        r"for\s+\w+\s+in\s+0\s*\.\.\s*\w+\.len\(\)",
+        "Ch 6: Manual index loop",
+        "use iterator adapters: for item in &collection, or .iter().enumerate() if index is needed",
+    ),
+    (
+        r"\bpanic!\s*\(",
+        "Ch 12: panic!()",
+        "panics should be reserved for unrecoverable programmer errors — use Result<T, E> for recoverable failures",
+    ),
+    (
+        r"Box<dyn\s+\w+>",
+        "Ch 17: dyn Trait (dynamic dispatch)",
+        "prefer impl Trait for static dispatch (zero-cost) unless you need a heterogeneous collection",
+    ),
+    (
+        r"Rc\s*::\s*(new|clone)\b",
+        "Ch 19: Rc usage",
+        "Rc is not Send — if shared across threads, use Arc instead",
+    ),
+    (
+        r"\.expect\s*\(\s*\)",
+        "Ch 12: .expect() with empty string",
+        "add a meaningful reason: .expect(\"invariant: config is always loaded before this point\")",
+    ),
+]
+
+
+def scan(source: str) -> list[dict]:
+    findings = []
+    lines = source.splitlines()
+    for lineno, line in enumerate(lines, start=1):
+        stripped = line.strip()
+        if stripped.startswith("//"):
+            continue
+        for pattern, label, advice in CHECKS:
+            if re.search(pattern, line):
+                findings.append({
+                    "line": lineno,
+                    "text": line.rstrip(),
+                    "label": label,
+                    "advice": advice,
+                })
+    return findings
+
+
+def sep(char="-", width=70) -> str:
+    return char * width
+
+
+def main() -> None:
+    if len(sys.argv) < 2:
+        print("Usage: python review.py <file.rs>")
+        sys.exit(1)
+
+    path = Path(sys.argv[1])
+    if not path.exists():
+        print(f"Error: file not found: {path}")
+        sys.exit(1)
+
+    if path.suffix.lower() != ".rs":
+        print(f"Warning: expected a .rs file, got '{path.suffix}' — continuing anyway")
+
+    source = path.read_text(encoding="utf-8", errors="replace")
+    findings = scan(source)
+    groups: dict[str, list] = {}
+    for f in findings:
+        groups.setdefault(f["label"], []).append(f)
+
+    print(sep("="))
+    print("PROGRAMMING WITH RUST — PRE-REVIEW REPORT")
+    print(sep("="))
+    print(f"File   : {path}")
+    print(f"Lines  : {len(source.splitlines())}")
+    print(f"Issues : {len(findings)} potential anti-patterns across {len(groups)} categories")
+    print()
+
+    if not findings:
+        print("  [OK] No common Rust anti-patterns detected.")
+        print()
+    else:
+        for label, items in groups.items():
+            print(sep())
+            print(f"  {label}  ({len(items)} occurrence{'s' if len(items) != 1 else ''})")
+            print(sep())
+            print(f"  Advice: {items[0]['advice']}")
+            print()
+            for item in items[:5]:
+                print(f"  line {item['line']:>4}:  {item['text'][:100]}")
+            if len(items) > 5:
+                print(f"  ... and {len(items) - 5} more")
+            print()
+
+    severity = (
+        "HIGH" if len(findings) >= 5
+        else "MEDIUM" if len(findings) >= 2
+        else "LOW" if findings
+        else "NONE"
+    )
+    print(sep("="))
+    print(f"SEVERITY: {severity}  |  Key chapters: Ch 8 (ownership), Ch 12 (errors), Ch 17 (traits), Ch 19 (concurrency), Ch 20 (memory)")
+    print(sep("="))
+
+
+if __name__ == "__main__":
+    main()

package/skills/spring-boot-in-action/SKILL.md

@@ -0,0 +1,312 @@
+---
+name: spring-boot-in-action
+description: >
+  Write and review Spring Boot applications using practices from "Spring Boot in Action"
+  by Craig Walls. Covers auto-configuration, starter dependencies, externalizing
+  configuration with properties and profiles, Spring Security, testing with MockMvc
+  and @SpringBootTest, Spring Actuator for production observability, and deployment
+  strategies (JAR, WAR, Cloud Foundry). Use when building Spring Boot apps, configuring
+  beans, writing integration tests, setting up health checks, or deploying to production.
+  Trigger on: "Spring Boot", "Spring", "@SpringBootApplication", "auto-configuration",
+  "application.properties", "application.yml", "@RestController", "@Service",
+  "@Repository", "SpringBootTest", "Actuator", "starter", ".java files", "Maven", "Gradle".
+---
+
+# Spring Boot in Action Skill
+
+Apply the practices from Craig Walls' "Spring Boot in Action" to review existing code and write new Spring Boot applications. This skill operates in two modes: **Review Mode** (analyze code for violations of Spring Boot idioms) and **Write Mode** (produce clean, idiomatic Spring Boot from scratch).
+
+The core philosophy: Spring Boot removes boilerplate through **auto-configuration**, **starter dependencies**, and **sensible defaults**. Fight the framework only when necessary — and when you do, prefer `application.properties` over code.
+
+## Reference Files
+
+- `practices-catalog.md` — Before/after examples for auto-configuration, starters, properties, profiles, security, testing, Actuator, and deployment
+
+## How to Use This Skill
+
+**Before responding**, read `practices-catalog.md` for the topic at hand. For configuration issues read the properties/profiles section. For test code read the testing section. For a full review, read all sections.
+
+---
+
+## Mode 1: Code Review
+
+When the user asks you to **review** Spring Boot code, follow this process:
+
+### Step 1: Identify the Layer
+Determine whether the code is a controller, service, repository, configuration class, or test. Review focus shifts by layer.
+
+### Step 2: Analyze the Code
+
+Check these areas in order of severity:
+
+1. **Auto-Configuration** (Ch 2, 3): Is auto-configuration being fought manually? Look for `@Bean` definitions that replicate what Spring Boot already provides (DataSource, Jackson, Security, etc.). Remove manual config where auto-config suffices.
+
+2. **Starter Dependencies** (Ch 2): Are dependencies declared individually instead of using starters? `spring-boot-starter-web`, `spring-boot-starter-data-jpa`, `spring-boot-starter-security` etc. bundle correct transitive dependencies and version-manage them.
+
+3. **Externalized Configuration** (Ch 3): Are values hardcoded that belong in `application.properties`? Ports, URLs, credentials, timeouts should all be externalized. Use `@ConfigurationProperties` for type-safe config objects; use `@Value` only for single values.
+
+4. **Profiles** (Ch 3): Is environment-specific config (dev DB vs prod DB) handled with `if` statements or system properties? Use `@Profile` and `application-{profile}.properties` instead.
+
+5. **Security** (Ch 3): Is `WebSecurityConfigurerAdapter` extended when simple property-based config would suffice? Is HTTP Basic enabled in production? Are actuator endpoints exposed without auth?
+
+6. **Testing** (Ch 4):
+   - Use `@SpringBootTest` for full integration tests, not raw `new MyService()`
+   - Use `@WebMvcTest` for controller-only tests (no full context)
+   - Use `@DataJpaTest` for repository tests (in-memory DB, no web layer)
+   - Use `MockMvc` for controller assertions without starting a server
+   - Use `@MockBean` to replace real beans with mocks in slice tests
+   - Avoid `@SpringBootTest(webEnvironment = RANDOM_PORT)` unless testing the full HTTP stack
+
+7. **Actuator** (Ch 7): Is the application missing health/metrics endpoints? Is `/actuator` fully exposed without security? Are custom health indicators implemented for critical dependencies?
+
+8. **Deployment** (Ch 8): Is `spring.profiles.active` set for production? Is database migration (Flyway/Liquibase) configured? Is the app packaged as a self-contained JAR (preferred) or WAR?
+
+9. **General Idioms**:
+   - Constructor injection over field injection (`@Autowired` on fields)
+   - `@RestController` = `@Controller` + `@ResponseBody` — use it for REST APIs
+   - Return `ResponseEntity<T>` from controllers when status codes matter
+   - `Optional<T>` from repository methods, never `null`
+
+### Step 3: Report Findings
+For each issue, report:
+- **Chapter reference** (e.g., "Ch 3: Externalized Configuration")
+- **Location** in the code
+- **What's wrong** (the anti-pattern)
+- **How to fix it** (the Spring Boot idiomatic way)
+- **Priority**: Critical (security/bugs), Important (maintainability), Suggestion (polish)
+
+### Step 4: Provide Fixed Code
+Offer a corrected version with comments explaining each change.
+
+---
+
+## Mode 2: Writing New Code
+
+When the user asks you to **write** new Spring Boot code, apply these core principles:
+
+### Project Bootstrap (Ch 1, 2)
+
+1. **Start with Spring Initializr** (Ch 1). Use `start.spring.io` or `spring init` CLI. Select starters upfront — don't add raw dependencies manually.
+
+2. **Use starters, not individual dependencies** (Ch 2). `spring-boot-starter-web` includes Tomcat, Spring MVC, Jackson, and logging at compatible versions. Never declare `spring-webmvc` + `jackson-databind` + `tomcat-embed-core` separately.
+
+3. **The main class is the only required boilerplate** (Ch 2):
+   ```java
+   @SpringBootApplication
+   public class MyApp {
+       public static void main(String[] args) {
+           SpringApplication.run(MyApp.class, args);
+       }
+   }
+   ```
+   `@SpringBootApplication` = `@Configuration` + `@EnableAutoConfiguration` + `@ComponentScan`.
+
+### Configuration (Ch 3)
+
+4. **Externalize all environment-specific values** (Ch 3). Nothing deployment-specific belongs in code. Use `application.properties` / `application.yml` for defaults.
+
+5. **Use `@ConfigurationProperties` for grouped config** (Ch 3). Bind a prefix to a POJO — type-safe, IDE-friendly, testable:
+   ```java
+   @ConfigurationProperties(prefix = "app.mail")
+   @Component
+   public class MailProperties {
+       private String host;
+       private int port = 25;
+       // getters + setters
+   }
+   ```
+
+6. **Use profiles for environment differences** (Ch 3). `application-dev.properties` overrides `application.properties` when `spring.profiles.active=dev`. Never use `if (env.equals("production"))` in code.
+
+7. **Override auto-configuration surgically** (Ch 3). Use `spring.*` properties first. Only define a `@Bean` when properties are insufficient. Annotate with `@ConditionalOnMissingBean` if providing a fallback.
+
+8. **Customize error pages declaratively** (Ch 3). Place `error/404.html`, `error/500.html` in `src/main/resources/templates/error/`. No custom `ErrorController` needed for basic cases.
+
+### Security (Ch 3)
+
+9. **Extend `WebSecurityConfigurerAdapter` only for custom rules** (Ch 3). For simple HTTP Basic with custom users, `spring.security.user.name` / `spring.security.user.password` properties suffice.
+
+10. **Always secure Actuator endpoints in production** (Ch 7). Expose only `health` and `info` publicly; require authentication for `env`, `beans`, `mappings`, `shutdown`.
+
+### REST Controllers (Ch 2)
+
+11. **Use `@RestController` for API endpoints** (Ch 2). Eliminates `@ResponseBody` on every method.
+
+12. **Return `ResponseEntity<T>` when HTTP status matters** (Ch 2). `ResponseEntity.ok(body)`, `ResponseEntity.notFound().build()`, `ResponseEntity.status(201).body(created)`.
+
+13. **Use constructor injection, not field injection** (Ch 2). Constructor injection makes dependencies explicit and enables testing without Spring context:
+    ```java
+    // Prefer this:
+    @RestController
+    public class BookController {
+        private final BookRepository repo;
+        public BookController(BookRepository repo) { this.repo = repo; }
+    }
+    ```
+
+14. **Use `Optional` from repository queries** (Ch 2). `repo.findById(id).orElseThrow(() -> new ResponseStatusException(NOT_FOUND))`.
+
+### Testing (Ch 4)
+
+15. **Match test slice to the layer being tested** (Ch 4):
+    - Web layer only → `@WebMvcTest(MyController.class)` + `MockMvc`
+    - Repository only → `@DataJpaTest`
+    - Full app → `@SpringBootTest`
+    - External service → `@MockBean` to replace
+
+16. **Use `MockMvc` for controller assertions without starting a server** (Ch 4):
+    ```java
+    mockMvc.perform(get("/books/1"))
+           .andExpect(status().isOk())
+           .andExpect(jsonPath("$.title").value("Spring Boot in Action"));
+    ```
+
+17. **Use `@MockBean` to isolate the unit under test** (Ch 4). Replaces the real bean in the Spring context with a Mockito mock — cleaner than manual wiring.
+
+18. **Test security explicitly** (Ch 4). Use `.with(user("admin").roles("ADMIN"))` or `@WithMockUser` to assert secured endpoints reject unauthenticated requests.
+
+### Actuator (Ch 7)
+
+19. **Enable Actuator in every production app** (Ch 7). Add `spring-boot-starter-actuator`. At minimum expose `health` and `info`.
+
+20. **Write custom `HealthIndicator` for critical dependencies** (Ch 7):
+    ```java
+    @Component
+    public class DatabaseHealthIndicator implements HealthIndicator {
+        @Override
+        public Health health() {
+            return canConnect() ? Health.up().build()
+                                : Health.down().withDetail("reason", "timeout").build();
+        }
+    }
+    ```
+
+21. **Add custom metrics via `MeterRegistry`** (Ch 7). Counter, gauge, timer — gives Prometheus/Grafana visibility into business events.
+
+22. **Restrict Actuator exposure in production** (Ch 7):
+    ```properties
+    management.endpoints.web.exposure.include=health,info
+    management.endpoint.health.show-details=when-authorized
+    ```
+
+### Deployment (Ch 8)
+
+23. **Package as an executable JAR by default** (Ch 8). `mvn package` produces a fat JAR with embedded Tomcat. Run with `java -jar app.jar`. No application server needed.
+
+24. **Create a production profile** (Ch 8). `application-production.properties` sets `spring.datasource.url`, disables dev tools, sets log levels to WARN.
+
+25. **Use Flyway or Liquibase for database migrations** (Ch 8). Add `spring-boot-starter-flyway`; place scripts in `classpath:db/migration/V1__init.sql`. Never use `spring.jpa.hibernate.ddl-auto=create` in production.
+
+---
+
+## Starter Cheat Sheet (Ch 2, Appendix B)
+
+| Need | Starter |
+|------|---------|
+| REST API | `spring-boot-starter-web` |
+| JPA / Hibernate | `spring-boot-starter-data-jpa` |
+| Security | `spring-boot-starter-security` |
+| Observability | `spring-boot-starter-actuator` |
+| Testing | `spring-boot-starter-test` |
+| Thymeleaf views | `spring-boot-starter-thymeleaf` |
+| Redis cache | `spring-boot-starter-data-redis` |
+| Messaging | `spring-boot-starter-amqp` |
+| DB migration | `flyway-core` |
+
+---
+
+## Code Structure Template
+
+```java
+// Main class (Ch 2)
+@SpringBootApplication
+public class LibraryApp {
+    public static void main(String[] args) {
+        SpringApplication.run(LibraryApp.class, args);
+    }
+}
+
+// Entity (Ch 2)
+@Entity
+public class Book {
+    @Id @GeneratedValue(strategy = GenerationType.IDENTITY)
+    private Long id;
+    private String title;
+    private String isbn;
+    // constructors, getters, setters
+}
+
+// Repository (Ch 2)
+public interface BookRepository extends JpaRepository<Book, Long> {
+    List<Book> findByTitleContainingIgnoreCase(String title);
+}
+
+// Service (Ch 2) — constructor injection
+@Service
+public class BookService {
+    private final BookRepository repo;
+    public BookService(BookRepository repo) { this.repo = repo; }
+
+    public Book findById(Long id) {
+        return repo.findById(id)
+                   .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));
+    }
+}
+
+// Controller (Ch 2)
+@RestController
+@RequestMapping("/api/books")
+public class BookController {
+    private final BookService service;
+    public BookController(BookService service) { this.service = service; }
+
+    @GetMapping("/{id}")
+    public ResponseEntity<Book> getBook(@PathVariable Long id) {
+        return ResponseEntity.ok(service.findById(id));
+    }
+
+    @PostMapping
+    public ResponseEntity<Book> createBook(@RequestBody Book book) {
+        Book saved = service.save(book);
+        URI location = URI.create("/api/books/" + saved.getId());
+        return ResponseEntity.created(location).body(saved);
+    }
+}
+
+// application.properties (Ch 3)
+// spring.datasource.url=jdbc:postgresql://localhost/library
+// spring.datasource.username=${DB_USER}
+// spring.datasource.password=${DB_PASS}
+// spring.jpa.hibernate.ddl-auto=validate
+// management.endpoints.web.exposure.include=health,info
+
+// application-dev.properties (Ch 3)
+// spring.datasource.url=jdbc:h2:mem:library
+// spring.jpa.hibernate.ddl-auto=create-drop
+// logging.level.org.springframework=DEBUG
+```
+
+---
+
+## Priority of Practices by Impact
+
+### Critical (Security & Correctness)
+- Ch 3: Never hardcode credentials — use `${ENV_VAR}` in properties
+- Ch 3: Secure Actuator endpoints — `env`, `beans`, `shutdown` must require auth
+- Ch 4: Test secured endpoints explicitly — assert 401/403 on unauthenticated requests
+- Ch 8: Never use `ddl-auto=create` in production — use Flyway/Liquibase
+
+### Important (Idiom & Maintainability)
+- Ch 2: Constructor injection over `@Autowired` field injection
+- Ch 2: `@RestController` over `@Controller` + `@ResponseBody` for APIs
+- Ch 2: `Optional` from repository, never `null`
+- Ch 3: `@ConfigurationProperties` over scattered `@Value` for grouped config
+- Ch 3: Profiles for environment differences — not `if` statements
+- Ch 4: `@WebMvcTest` for controller tests — not full `@SpringBootTest`
+- Ch 7: Custom `HealthIndicator` for each critical dependency
+
+### Suggestions (Polish)
+- Ch 3: Custom error pages in `templates/error/` — no code needed
+- Ch 7: Custom metrics via `MeterRegistry` for business events
+- Ch 8: Production profile disables dev tools, sets WARN log level
+- Ch 2: Use `spring-boot-devtools` in dev for live reload