@jahia/agentic 0.1.0 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +8 -0
- package/dist/claude/.claude/rules/jahia.md +3 -1
- package/dist/claude/.claude/skills/jahia-dev-build-component/SKILL.md +7 -22
- package/dist/claude/.claude/skills/jahia-dev-create-view/SKILL.md +58 -0
- package/dist/claude/.claude/skills/jahia-dev-java/SKILL.md +7 -2
- package/dist/claude/.claude/skills/jahia-java-concurrency/SKILL.md +308 -0
- package/dist/claude/.claude/skills/jahia-java-jcr/SKILL.md +153 -0
- package/dist/claude/.claude/skills/jahia-java-osgi/SKILL.md +134 -0
- package/dist/claude/.claude/skills/jahia-java-persistence/SKILL.md +177 -0
- package/dist/claude/.claude/skills/jahia-java-security/SKILL.md +84 -0
- package/dist/claude/.claude/skills/jahia-review-java/SKILL.md +131 -0
- package/dist/claude/.claude/skills/jahia-review-java/references/code-review-output.md +121 -0
- package/dist/claude/CLAUDE.md +4 -2
- package/dist/codex/.agents/skills/jahia-dev-build-component/SKILL.md +7 -22
- package/dist/codex/.agents/skills/jahia-dev-create-view/SKILL.md +58 -0
- package/dist/codex/.agents/skills/jahia-dev-java/SKILL.md +7 -2
- package/dist/codex/.agents/skills/jahia-java-concurrency/SKILL.md +308 -0
- package/dist/codex/.agents/skills/jahia-java-jcr/SKILL.md +153 -0
- package/dist/codex/.agents/skills/jahia-java-osgi/SKILL.md +134 -0
- package/dist/codex/.agents/skills/jahia-java-persistence/SKILL.md +177 -0
- package/dist/codex/.agents/skills/jahia-java-security/SKILL.md +84 -0
- package/dist/codex/.agents/skills/jahia-review-java/SKILL.md +131 -0
- package/dist/codex/.agents/skills/jahia-review-java/references/code-review-output.md +121 -0
- package/dist/codex/AGENTS.md +4 -2
- package/dist/copilot/.agents/skills/jahia-dev-build-component/SKILL.md +7 -22
- package/dist/copilot/.agents/skills/jahia-dev-create-view/SKILL.md +58 -0
- package/dist/copilot/.agents/skills/jahia-dev-java/SKILL.md +7 -2
- package/dist/copilot/.agents/skills/jahia-java-concurrency/SKILL.md +308 -0
- package/dist/copilot/.agents/skills/jahia-java-jcr/SKILL.md +153 -0
- package/dist/copilot/.agents/skills/jahia-java-osgi/SKILL.md +134 -0
- package/dist/copilot/.agents/skills/jahia-java-persistence/SKILL.md +177 -0
- package/dist/copilot/.agents/skills/jahia-java-security/SKILL.md +84 -0
- package/dist/copilot/.agents/skills/jahia-review-java/SKILL.md +131 -0
- package/dist/copilot/.agents/skills/jahia-review-java/references/code-review-output.md +121 -0
- package/dist/copilot/AGENTS.md +4 -2
- package/dist/cursor/.agents/skills/jahia-dev-build-component/SKILL.md +7 -22
- package/dist/cursor/.agents/skills/jahia-dev-create-view/SKILL.md +58 -0
- package/dist/cursor/.agents/skills/jahia-dev-java/SKILL.md +7 -2
- package/dist/cursor/.agents/skills/jahia-java-concurrency/SKILL.md +308 -0
- package/dist/cursor/.agents/skills/jahia-java-jcr/SKILL.md +153 -0
- package/dist/cursor/.agents/skills/jahia-java-osgi/SKILL.md +134 -0
- package/dist/cursor/.agents/skills/jahia-java-persistence/SKILL.md +177 -0
- package/dist/cursor/.agents/skills/jahia-java-security/SKILL.md +84 -0
- package/dist/cursor/.agents/skills/jahia-review-java/SKILL.md +131 -0
- package/dist/cursor/.agents/skills/jahia-review-java/references/code-review-output.md +121 -0
- package/dist/cursor/.cursor/rules/jahia.mdc +3 -1
- package/dist/gemini/.agents/skills/jahia-dev-build-component/SKILL.md +7 -22
- package/dist/gemini/.agents/skills/jahia-dev-create-view/SKILL.md +58 -0
- package/dist/gemini/.agents/skills/jahia-dev-java/SKILL.md +7 -2
- package/dist/gemini/.agents/skills/jahia-java-concurrency/SKILL.md +308 -0
- package/dist/gemini/.agents/skills/jahia-java-jcr/SKILL.md +153 -0
- package/dist/gemini/.agents/skills/jahia-java-osgi/SKILL.md +134 -0
- package/dist/gemini/.agents/skills/jahia-java-persistence/SKILL.md +177 -0
- package/dist/gemini/.agents/skills/jahia-java-security/SKILL.md +84 -0
- package/dist/gemini/.agents/skills/jahia-review-java/SKILL.md +131 -0
- package/dist/gemini/.agents/skills/jahia-review-java/references/code-review-output.md +121 -0
- package/dist/gemini/AGENTS.md +4 -2
- package/dist/index.js +1 -0
- package/dist/opencode/.agents/skills/jahia-dev-build-component/SKILL.md +7 -22
- package/dist/opencode/.agents/skills/jahia-dev-create-view/SKILL.md +58 -0
- package/dist/opencode/.agents/skills/jahia-dev-java/SKILL.md +7 -2
- package/dist/opencode/.agents/skills/jahia-java-concurrency/SKILL.md +308 -0
- package/dist/opencode/.agents/skills/jahia-java-jcr/SKILL.md +153 -0
- package/dist/opencode/.agents/skills/jahia-java-osgi/SKILL.md +134 -0
- package/dist/opencode/.agents/skills/jahia-java-persistence/SKILL.md +177 -0
- package/dist/opencode/.agents/skills/jahia-java-security/SKILL.md +84 -0
- package/dist/opencode/.agents/skills/jahia-review-java/SKILL.md +131 -0
- package/dist/opencode/.agents/skills/jahia-review-java/references/code-review-output.md +121 -0
- package/dist/opencode/AGENTS.md +4 -2
- package/dist/windsurf/.windsurf/rules/jahia.md +3 -1
- package/dist/windsurf/.windsurf/skills/jahia-dev-build-component/SKILL.md +7 -22
- package/dist/windsurf/.windsurf/skills/jahia-dev-create-view/SKILL.md +58 -0
- package/dist/windsurf/.windsurf/skills/jahia-dev-java/SKILL.md +7 -2
- package/dist/windsurf/.windsurf/skills/jahia-java-concurrency/SKILL.md +308 -0
- package/dist/windsurf/.windsurf/skills/jahia-java-jcr/SKILL.md +153 -0
- package/dist/windsurf/.windsurf/skills/jahia-java-osgi/SKILL.md +134 -0
- package/dist/windsurf/.windsurf/skills/jahia-java-persistence/SKILL.md +177 -0
- package/dist/windsurf/.windsurf/skills/jahia-java-security/SKILL.md +84 -0
- package/dist/windsurf/.windsurf/skills/jahia-review-java/SKILL.md +131 -0
- package/dist/windsurf/.windsurf/skills/jahia-review-java/references/code-review-output.md +121 -0
- package/dist/windsurf/AGENTS.md +4 -2
- package/package.json +9 -1
|
@@ -0,0 +1,134 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: jahia-java-osgi
|
|
3
|
+
description: OSGi component patterns for Jahia Java development — correct usage of @Component lifecycle, @Reference, Export-Package, whiteboard services, and thread safety. Covers both the right approach and the pitfalls that cause NPEs, stale state, or leaked internals. Load when implementing or reviewing any class annotated with @Component, @Reference, or @Activate.
|
|
4
|
+
allowed-tools: Read
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# OSGi Component Patterns for Jahia Java
|
|
8
|
+
|
|
9
|
+
This skill covers how to write OSGi components correctly in a Jahia Java module. Each section states the correct approach first, then the pitfall to avoid. Both developers and reviewers use this skill.
|
|
10
|
+
|
|
11
|
+
For broader Java concurrency patterns (atomic variables, locking, thread-safe collections, `ThreadLocal`, JCR session threading) that apply beyond OSGi components, load `/jahia-java-concurrency`.
|
|
12
|
+
|
|
13
|
+
For a comprehensive OSGi reference (bundle lifecycle, Blueprint XML, Karaf tooling, service registry), load the `jahia-dev-java` skill and read `references/osgi.md`.
|
|
14
|
+
|
|
15
|
+
---
|
|
16
|
+
|
|
17
|
+
## Component state and configuration reload
|
|
18
|
+
|
|
19
|
+
### Correct approach
|
|
20
|
+
|
|
21
|
+
`@Component` services are singletons. Configuration is delivered via `@Activate` (on first start) and `@Modified` (on config change). `@Modified` runs on a different thread than service consumers.
|
|
22
|
+
|
|
23
|
+
The safe pattern for config reload:
|
|
24
|
+
|
|
25
|
+
```java
|
|
26
|
+
private volatile Config config;
|
|
27
|
+
|
|
28
|
+
record Config(String host, int port) {}
|
|
29
|
+
|
|
30
|
+
@Activate @Modified
|
|
31
|
+
public void activate(MyOsgiConfig cfg) {
|
|
32
|
+
this.config = new Config(cfg.host(), cfg.port());
|
|
33
|
+
}
|
|
34
|
+
|
|
35
|
+
public void doWork() {
|
|
36
|
+
var c = this.config; // snapshot once — atomic read
|
|
37
|
+
// use c.host(), c.port() ...
|
|
38
|
+
}
|
|
39
|
+
```
|
|
40
|
+
|
|
41
|
+
A single `volatile` write (the reference swap) is atomically visible to all readers. Readers snapshot the reference once at method entry and work with the snapshot — they never see a half-updated config.
|
|
42
|
+
|
|
43
|
+
### Pitfalls
|
|
44
|
+
|
|
45
|
+
- **Mutable fields updated in `@Activate`/`@Modified` without `volatile` or synchronization.** A consumer thread can read a field while `@Modified` is updating it — data race. P1 finding.
|
|
46
|
+
- **Multiple fields updated individually without synchronization.** Even with `volatile`, two separate field reads can see values from different config snapshots. Use a single `volatile Config` record, not individual `volatile String host; volatile int port`.
|
|
47
|
+
|
|
48
|
+
---
|
|
49
|
+
|
|
50
|
+
## Service references
|
|
51
|
+
|
|
52
|
+
### Correct approach
|
|
53
|
+
|
|
54
|
+
- `@Reference` fields are set by SCR before `@Activate`. Treat them as effectively final inside the component's methods.
|
|
55
|
+
- For **mandatory** references (`cardinality = MANDATORY`), the component will not activate if the service is absent — null checks are not needed.
|
|
56
|
+
- For **optional** references (`cardinality = OPTIONAL`), the field can be `null` — always guard.
|
|
57
|
+
- For **dynamic** references (`policy = ReferencePolicy.DYNAMIC`), the field can be replaced at runtime. Snapshot it at method entry: `var svc = this.myService;` then use `svc`. Reading the field twice risks NPE if the service is unregistered between reads.
|
|
58
|
+
|
|
59
|
+
### Pitfalls
|
|
60
|
+
|
|
61
|
+
- **Non-mandatory `@Reference` accessed without null guard.** P1 — NPE in production when the referenced bundle is not deployed.
|
|
62
|
+
- **Dynamic reference read twice without snapshot.** Between two reads the SCR may set the field to `null`. P1.
|
|
63
|
+
- **`policyOption = GREEDY`.** SCR rebinds to a higher-ranked service when one appears. Code holding a reference to the old service instance keeps using a deactivated service. Document this if intentional.
|
|
64
|
+
|
|
65
|
+
---
|
|
66
|
+
|
|
67
|
+
## Lifecycle side effects
|
|
68
|
+
|
|
69
|
+
### Correct approach
|
|
70
|
+
|
|
71
|
+
Every side effect created in `@Activate` must be undone in `@Deactivate`. Components can be deactivated and re-activated on config changes (depending on `@Modified` policy). Failing to undo side effects causes them to accumulate across activations.
|
|
72
|
+
|
|
73
|
+
Checklist:
|
|
74
|
+
- Thread started in `@Activate` → stopped in `@Deactivate` (interrupt + join).
|
|
75
|
+
- JCR event listener registered → unregistered.
|
|
76
|
+
- Scheduled task registered → cancelled.
|
|
77
|
+
- External connection opened → closed.
|
|
78
|
+
- Cache populated → cleared or reseeded.
|
|
79
|
+
|
|
80
|
+
### Pitfall
|
|
81
|
+
|
|
82
|
+
A listener registered in `@Activate` but never unregistered in `@Deactivate` survives deactivation, fires events for a component that is no longer active, and duplicates on next activation. P1.
|
|
83
|
+
|
|
84
|
+
---
|
|
85
|
+
|
|
86
|
+
## Export-Package hygiene
|
|
87
|
+
|
|
88
|
+
### Correct approach
|
|
89
|
+
|
|
90
|
+
`Export-Package` in `pom.xml` defines what other bundles can import. It is the module's public API contract.
|
|
91
|
+
|
|
92
|
+
- Export only interfaces and types in a dedicated `api` or `spi` sub-package.
|
|
93
|
+
- Never export `*.impl`, `*.internal`, `*.actions` — the name signals private scope.
|
|
94
|
+
- Never re-export third-party packages.
|
|
95
|
+
- If the module advertises an SPI for external consumers, the SPI should live in a **separate Maven module** (`{name}-api`). Changing the runtime JAR then does not force a version bump on the API.
|
|
96
|
+
|
|
97
|
+
### Pitfall
|
|
98
|
+
|
|
99
|
+
Exporting implementation packages means any other bundle can import your internal classes. A refactor that renames or removes an internal class becomes a breaking change for dependent bundles. P1.
|
|
100
|
+
|
|
101
|
+
---
|
|
102
|
+
|
|
103
|
+
## Whiteboard pattern services
|
|
104
|
+
|
|
105
|
+
Services registered as `@Component` — `Servlet`, `Filter`, `EventHandler`, GraphQL provider — are activated the moment the bundle starts. If the service is reachable over HTTP, it is as exposed as a `web.xml` servlet, with no extra protection by default. Apply the security mapping from `jahia-java-security` for every HTTP-reachable whiteboard service.
|
|
106
|
+
|
|
107
|
+
---
|
|
108
|
+
|
|
109
|
+
## Service locator anti-pattern
|
|
110
|
+
|
|
111
|
+
### Correct approach
|
|
112
|
+
|
|
113
|
+
Declare all dependencies as `@Reference` fields. SCR injects them before `@Activate`. The component's constructor or `@Activate` method has all dependencies available without any lookup.
|
|
114
|
+
|
|
115
|
+
### Pitfall
|
|
116
|
+
|
|
117
|
+
```java
|
|
118
|
+
// anti-pattern — service locator inside a method
|
|
119
|
+
MyService svc = (MyService) SpringContextSingleton.getBean("myService");
|
|
120
|
+
```
|
|
121
|
+
|
|
122
|
+
Service locator calls inside methods: hide the component's real dependencies, make the code impossible to unit-test, bypass SCR lifecycle guarantees, and can return stale or wrong beans after a context refresh. P2 in general code; P1 in a hot path or security-relevant method.
|
|
123
|
+
|
|
124
|
+
---
|
|
125
|
+
|
|
126
|
+
## Thread safety summary for reviewers
|
|
127
|
+
|
|
128
|
+
When reviewing an `@Component` service, ask:
|
|
129
|
+
|
|
130
|
+
1. Are there mutable instance fields? If yes — are they `volatile` or synchronized?
|
|
131
|
+
2. Does the component react to `@Modified`? If yes — do consumers snapshot config at method entry?
|
|
132
|
+
3. Are there `DYNAMIC` references? If yes — do callers snapshot the reference?
|
|
133
|
+
4. Does the component start threads, register listeners, or open connections? If yes — does `@Deactivate` undo all of them?
|
|
134
|
+
5. Does the component's Javadoc state its thread-safety contract? If the service is not internally safe, the caller must be told what external serialization is required.
|
|
@@ -0,0 +1,177 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: jahia-java-persistence
|
|
3
|
+
description: Persistence and data model patterns for Jahia Java backend — correct usage of JPA/Hibernate with JCR, N+1 avoidance, timestamp consistency, entity model decisions, transactional asymmetry between SQL and JCR, and locking/concurrency in write paths. Load when implementing or reviewing any class that interacts with a relational database alongside JCR.
|
|
4
|
+
allowed-tools: Read
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# Persistence Patterns for Jahia Java Backend
|
|
8
|
+
|
|
9
|
+
This skill covers how to design and implement the persistence layer correctly when combining SQL (JPA/Hibernate) with JCR in a Jahia Java module. Each section states the correct approach first, then the pitfall. Both developers and reviewers use this skill.
|
|
10
|
+
|
|
11
|
+
---
|
|
12
|
+
|
|
13
|
+
## Sequence and counter columns
|
|
14
|
+
|
|
15
|
+
### Correct approach
|
|
16
|
+
|
|
17
|
+
Use the database's native mechanisms for generating ordered identifiers:
|
|
18
|
+
- `IDENTITY` / `AUTO_INCREMENT` on the primary key for insertion order.
|
|
19
|
+
- A `SEQUENCE` object (reserved inside a serialized transaction) if you need a stable ordering column separate from the PK.
|
|
20
|
+
|
|
21
|
+
### Pitfall
|
|
22
|
+
|
|
23
|
+
```java
|
|
24
|
+
// anti-pattern — read-then-act race
|
|
25
|
+
int max = repository.selectMaxNumber(contentId, locale); // SELECT MAX(...)
|
|
26
|
+
entity.setNumber(max + 1);
|
|
27
|
+
session.persist(entity);
|
|
28
|
+
```
|
|
29
|
+
|
|
30
|
+
Two concurrent inserts for the same `(contentId, locale)` read the same `MAX`, produce duplicate numbers, and either hit a unique constraint violation or silently corrupt ordering. Application-managed counters are never safe without explicit row-level locking. The counter column is also redundant if the primary key already provides insertion order.
|
|
31
|
+
|
|
32
|
+
**Finding level:** P1 for concurrent write paths; P2 if access is serialised by a documented higher-level lock, but that invariant must be documented.
|
|
33
|
+
|
|
34
|
+
---
|
|
35
|
+
|
|
36
|
+
## N+1 query patterns
|
|
37
|
+
|
|
38
|
+
### Correct approach
|
|
39
|
+
|
|
40
|
+
Load parent and child data in one round-trip:
|
|
41
|
+
- SQL: `JOIN` or a `WHERE id IN (...)` batch query.
|
|
42
|
+
- JPA: `JOIN FETCH` in JPQL or `@EntityGraph`.
|
|
43
|
+
|
|
44
|
+
### Pitfall
|
|
45
|
+
|
|
46
|
+
```java
|
|
47
|
+
// anti-pattern
|
|
48
|
+
List<Group> groups = repo.listGroups(contentId); // 1 query
|
|
49
|
+
for (Group g : groups) {
|
|
50
|
+
g.setVersions(repo.loadVersionsForGroup(g.getId())); // N queries
|
|
51
|
+
}
|
|
52
|
+
```
|
|
53
|
+
|
|
54
|
+
N+1 patterns are invisible in low-volume testing but degrade linearly under real content volumes. For unbounded lists (version history, publication logs) this becomes a UI performance cliff.
|
|
55
|
+
|
|
56
|
+
**Finding level:** P2 for capped lists; P1 for unbounded lists in hot paths.
|
|
57
|
+
|
|
58
|
+
---
|
|
59
|
+
|
|
60
|
+
## Timestamp consistency in batch operations
|
|
61
|
+
|
|
62
|
+
### Correct approach
|
|
63
|
+
|
|
64
|
+
Compute the timestamp **once** at the start of a logical operation and pass it to every entity created by that operation:
|
|
65
|
+
|
|
66
|
+
```java
|
|
67
|
+
Instant now = Instant.now(); // computed once
|
|
68
|
+
groupEntity.setCreatedAt(now);
|
|
69
|
+
for (var version : versions) {
|
|
70
|
+
versionEntity.setCreatedAt(now); // same value for all
|
|
71
|
+
}
|
|
72
|
+
```
|
|
73
|
+
|
|
74
|
+
This makes "all entities from this operation" a trivial equality predicate: `WHERE operationId = ? AND createdAt = ?`. It also makes the audit trail semantically correct — these are one logical event, not N sequential events.
|
|
75
|
+
|
|
76
|
+
### Pitfall
|
|
77
|
+
|
|
78
|
+
Multiple independent `Instant.now()` calls within the same logical operation produce timestamp drift. Even millisecond drift means "show me all versions from this publish event" requires a range query with fuzzy bounds instead of equality. It also implies false ordering between things that are the same event.
|
|
79
|
+
|
|
80
|
+
**Finding level:** P2 — correctness and query simplicity. Elevate to P1 if the drift creates misleading audit trails.
|
|
81
|
+
|
|
82
|
+
---
|
|
83
|
+
|
|
84
|
+
## Entity model: when a separate table earns its keep
|
|
85
|
+
|
|
86
|
+
### Correct approach
|
|
87
|
+
|
|
88
|
+
A separate table/entity is justified when it carries state that would be annoyingly denormalised across every member row: operation type, author, workflow status, retry counters, approval metadata, referential integrity constraints.
|
|
89
|
+
|
|
90
|
+
If the only purpose of the separate table is to group rows (no meaningful payload of its own), a plain `operationId` UUID column on the member table is sufficient:
|
|
91
|
+
- "All operations for a content": `SELECT DISTINCT operationId, createdAt FROM NodeVersion WHERE contentId = ? ORDER BY createdAt DESC`
|
|
92
|
+
- "All versions of one operation": `SELECT * FROM NodeVersion WHERE operationId = ?`
|
|
93
|
+
|
|
94
|
+
Rule of thumb: defer extraction to a separate entity until the denormalised columns exceed 3–4 fields, or you need referential integrity on the operation itself (cascading, per-operation locks). The refactor is straightforward later — `INSERT ... SELECT DISTINCT` into the new table, add the FK, drop the denormalised columns.
|
|
95
|
+
|
|
96
|
+
### Pitfall
|
|
97
|
+
|
|
98
|
+
```java
|
|
99
|
+
// separate table with no meaningful payload — not justified yet
|
|
100
|
+
@Entity class NodeVersionGroupEntity {
|
|
101
|
+
UUID id;
|
|
102
|
+
UUID nodeUuid; // duplicated from every member row
|
|
103
|
+
Instant createdAt; // drifts from member rows (see above)
|
|
104
|
+
// nothing else
|
|
105
|
+
}
|
|
106
|
+
```
|
|
107
|
+
|
|
108
|
+
A correlation-only entity adds a table, a JOIN on every group query, a separate Hibernate lifecycle, and the risk of timestamp drift — for zero domain benefit until the group gains real state.
|
|
109
|
+
|
|
110
|
+
**Finding level:** P2 — surface as a design decision for the team, not a demand for immediate refactoring. Ask: does the group entity carry any state today? What is the expected evolution?
|
|
111
|
+
|
|
112
|
+
---
|
|
113
|
+
|
|
114
|
+
## Transactional asymmetry — mixed SQL + JCR stores
|
|
115
|
+
|
|
116
|
+
### Correct approach
|
|
117
|
+
|
|
118
|
+
SQL (Hibernate) and JCR do not share a transaction. Treat every mixed write path as requiring explicit reasoning about failure modes.
|
|
119
|
+
|
|
120
|
+
Options in order of preference:
|
|
121
|
+
1. **JCR as system of record:** write to JCR first; only commit to SQL after a successful `session.save()`. If the SQL commit fails, log the orphaned JCR state and add it to a retry or cleanup queue.
|
|
122
|
+
2. **Outbox pattern:** write to SQL only (including a status/outbox column); a separate process reads and applies the JCR write idempotently.
|
|
123
|
+
3. **Accept the asymmetry:** document the inconsistency window explicitly, add a compensating cleanup path, and add monitoring to detect orphaned rows.
|
|
124
|
+
|
|
125
|
+
### Pitfall
|
|
126
|
+
|
|
127
|
+
```java
|
|
128
|
+
repository.insertVersion(entity); // SQL committed inside Hibernate session
|
|
129
|
+
jcrNode.setProperty("...", value); // if this fails, SQL is already committed
|
|
130
|
+
session.save();
|
|
131
|
+
```
|
|
132
|
+
|
|
133
|
+
A failure in the JCR write leaves the SQL committed and the JCR unchanged — silent data inconsistency. Symptoms: rows in the DB with no corresponding JCR node, or vice versa.
|
|
134
|
+
|
|
135
|
+
**Finding level:** P1 — silent data inconsistency. Elevate to P0 if the inconsistency is user-visible or hard to detect.
|
|
136
|
+
|
|
137
|
+
---
|
|
138
|
+
|
|
139
|
+
## Locking and write paths
|
|
140
|
+
|
|
141
|
+
### Correct approach
|
|
142
|
+
|
|
143
|
+
Document the thread-safety contract of every write path that involves locking, restoration, or multi-step state transitions:
|
|
144
|
+
- Is the path safe to call concurrently? If not, what external lock must the caller hold?
|
|
145
|
+
- Does the path clear existing locks? If yes, whose lock? Under what conditions is clearing safe?
|
|
146
|
+
|
|
147
|
+
Before clearing a JCR lock in a write path:
|
|
148
|
+
1. Verify the lock is not owned by an unrelated operation (active publication job, workflow, concurrent editor).
|
|
149
|
+
2. If the lock is external, fail with a clear error — do not continue.
|
|
150
|
+
|
|
151
|
+
### Pitfall
|
|
152
|
+
|
|
153
|
+
```java
|
|
154
|
+
// dangerous — clears all locks unconditionally, continues even if clearing fails
|
|
155
|
+
JCRContentUtils.clearAllLocks(node);
|
|
156
|
+
restoreContent(node, version);
|
|
157
|
+
```
|
|
158
|
+
|
|
159
|
+
This pattern is dangerous in any path that is not the sole writer. A publication job in progress may have locked the node for a reason; clearing the lock and continuing the restore corrupts the publication. See also `jahia-java-jcr` locking section.
|
|
160
|
+
|
|
161
|
+
**Finding level:** P0 if active in production code; P1 if guarded by a feature flag off by default — but must appear in known-limitations/next-steps regardless.
|
|
162
|
+
|
|
163
|
+
---
|
|
164
|
+
|
|
165
|
+
## Schema documentation
|
|
166
|
+
|
|
167
|
+
### Correct approach
|
|
168
|
+
|
|
169
|
+
For any module that introduces relational tables, include a schema summary in `docs/` or a README section covering:
|
|
170
|
+
- Table names and purpose.
|
|
171
|
+
- Key column types and constraints (primary keys, foreign keys, unique constraints, indexed columns).
|
|
172
|
+
- How SQL tables relate to JCR nodes (which JCR property or node UUID maps to which SQL column).
|
|
173
|
+
- Any migration strategy for schema changes.
|
|
174
|
+
|
|
175
|
+
### Pitfall
|
|
176
|
+
|
|
177
|
+
Undocumented tables discovered by reviewing Hibernate entity classes alone — reviewers and future maintainers cannot verify the full schema from code without running the application and inspecting the DB. This is a P2 documentation finding.
|
|
@@ -0,0 +1,84 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: jahia-java-security
|
|
3
|
+
description: Jahia security model for Java backend development — the four protection mechanisms (Security Filter, CSRF Guard, ACLs, captcha), when each applies, and how to audit or implement each correctly. Load when implementing or reviewing any HTTP-reachable surface in a Jahia Java module.
|
|
4
|
+
allowed-tools: Read
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# Jahia Security Model for Java Backend
|
|
8
|
+
|
|
9
|
+
This skill covers how to correctly protect HTTP-reachable surfaces in a Jahia Java module. Each mechanism is described with its correct use, its limits, and the common mistakes that create vulnerabilities. Both developers and reviewers use this skill.
|
|
10
|
+
|
|
11
|
+
---
|
|
12
|
+
|
|
13
|
+
## The four protection mechanisms
|
|
14
|
+
|
|
15
|
+
Every reachable surface in a Jahia module is protected by zero, one, or several of these. Map each one explicitly for any surface you implement or review.
|
|
16
|
+
|
|
17
|
+
### 1. Jahia Security Filter (API scopes)
|
|
18
|
+
|
|
19
|
+
- **What:** OSGi-configurable filter that gates URL patterns by `Origin`/`Referer` and required permissions/scopes.
|
|
20
|
+
- **Config:** YAML under `META-INF/configurations/org.jahia.modules.api.permissions-*.yaml`.
|
|
21
|
+
- **Origin gating:** `auto_apply: - origin: hosted` ensures requests come from the same domain. Works for guests and authenticated users. Does not break CDN caching.
|
|
22
|
+
- **Permission gating:** `grants: - api: <name>; node: <selector>` enforces a Jahia permission.
|
|
23
|
+
- **When to use:** default protection for any module-exposed servlet or GraphQL endpoint reachable over HTTP. This is the first line of defense — apply it before considering CSRF Guard or inline checks.
|
|
24
|
+
|
|
25
|
+
### 2. CSRF Guard
|
|
26
|
+
|
|
27
|
+
- **What:** Jahia-wide servlet filter injecting a token into XHR/fetch and validating it server-side.
|
|
28
|
+
- **Critical limitation:** `jahia.csrf-guard.bypassForGuest = true` by default. CSRF Guard **does not protect guest submissions** out of the box. Enabling it for guests breaks CDN caching of public pages.
|
|
29
|
+
- **When to use:** authenticated-only operations where you can verify the URL pattern is in the guard's `resolvedUrlPatterns` config.
|
|
30
|
+
- **Common mistake:** assuming CSRF Guard protects a guest-reachable form. It does not — a guest submitting a public form bypasses CSRF Guard entirely.
|
|
31
|
+
|
|
32
|
+
### 3. Jahia permissions and ACLs
|
|
33
|
+
|
|
34
|
+
- **What:** JCR-based ACLs + named permissions declared in `permissions.xml` or `*.cnd`.
|
|
35
|
+
- **Enforcement:** `JCRSessionWrapper` (user session — permissions apply) vs `JCRSessionFactory.getCurrentSystemSession()` / `JCRTemplate.doExecuteWithSystemSession` (system session — permissions bypassed).
|
|
36
|
+
- **GraphQL:** `@GraphQLField` operations should declare `@RequirePermission` annotations. An admin operation without `@RequirePermission` is a finding.
|
|
37
|
+
- **When to use:** any operation that reads/writes JCR content with content-level access rules — jContent admin screens, content workflows, operations that respect site/node permissions.
|
|
38
|
+
- **Audit rule:** when code uses a system session, the security boundary is whatever check happened *before* the `doExecuteWithSystemSession` call. Find that check explicitly. If there is none, the operation is anonymous-privileged — P0 for writes, P1 for reads.
|
|
39
|
+
|
|
40
|
+
### 4. Captcha and one-time tokens
|
|
41
|
+
|
|
42
|
+
- **What:** non-replayable credentials tied to the rendering page.
|
|
43
|
+
- **When to use:** defense-in-depth against bots and as partial CSRF mitigation for guest forms.
|
|
44
|
+
- **Not a primary CSRF control.** Captcha protects a specific form when enabled, but it is not origin verification. Do not let a code path rely on captcha alone.
|
|
45
|
+
|
|
46
|
+
---
|
|
47
|
+
|
|
48
|
+
## Decision matrix
|
|
49
|
+
|
|
50
|
+
For each surface you implement or review, fill this in:
|
|
51
|
+
|
|
52
|
+
| Surface | Guests? | Auth users? | Side effects? | Required protection |
|
|
53
|
+
|---|---|---|---|---|
|
|
54
|
+
| Public form submit | Yes | Yes | Email, JCR write | Security Filter `origin: hosted` (primary) + captcha (defense-in-depth) |
|
|
55
|
+
| Admin GraphQL query | No | Yes (with permission) | Read JCR | Security Filter `origin: hosted` + `@RequirePermission(...)` |
|
|
56
|
+
| Admin GraphQL mutation | No | Yes (with permission) | Write JCR | Same + verify ACL when system session is used |
|
|
57
|
+
| OSGi servlet at `/modules/...` | Depends | Depends | Depends | At minimum: `origin: hosted` |
|
|
58
|
+
| Choicelist initializer | Indirect (editor UI) | Yes (editor) | Read config | Inherits editor auth — verify it does not leak cross-tenant data |
|
|
59
|
+
|
|
60
|
+
---
|
|
61
|
+
|
|
62
|
+
## Implementing a secure surface — checklist
|
|
63
|
+
|
|
64
|
+
When adding a new servlet, GraphQL operation, or filter:
|
|
65
|
+
|
|
66
|
+
1. **Declare the Security Filter scope** in `org.jahia.modules.api.permissions-*.yaml`.
|
|
67
|
+
2. **Classify the surface** in the decision matrix above.
|
|
68
|
+
3. **If writing JCR with a system session:** document the prior permission check in a Javadoc comment on the method.
|
|
69
|
+
4. **If the surface is public (guest-reachable):** do not rely on CSRF Guard alone. Use `origin: hosted` + captcha if the action has side effects.
|
|
70
|
+
5. **If the surface is admin-only:** add `@RequirePermission` to the GraphQL field or inline `JCRTemplate` ACL check.
|
|
71
|
+
6. **Document the intent.** A deliberate "this endpoint is public because X" must be in a Javadoc on the class or in `docs/security.md`. An undocumented gap is a finding even if intentional — the next maintainer cannot tell intent from accident.
|
|
72
|
+
|
|
73
|
+
---
|
|
74
|
+
|
|
75
|
+
## Findings to surface during review
|
|
76
|
+
|
|
77
|
+
1. **Unprotected endpoint.** Any servlet/GraphQL operation without a Security Filter scope **and** without `@RequirePermission` **and** without an inline auth check. P0 unless explicitly documented as intentionally public.
|
|
78
|
+
2. **CSRF Guard guest bypass misunderstood.** Code or docs claiming CSRF Guard protects guests. P0 — foundational misunderstanding.
|
|
79
|
+
3. **System session without prior permission check.** P0 for writes, P1 for reads.
|
|
80
|
+
4. **Captcha presented as primary CSRF defense.** P1 — it is defense-in-depth, not primary.
|
|
81
|
+
5. **Missing `@RequirePermission` on admin GraphQL.** P0 for mutations, P1 for sensitive-data queries.
|
|
82
|
+
6. **Permission referenced but not declared.** A permission name used in code or config that is not declared in any module resource. P1.
|
|
83
|
+
7. **Email recipients from user input.** Any `to:` address derived from a submitted field without an allowlist. P1 — open relay vector.
|
|
84
|
+
8. **Outbound HTTP without timeouts.** `HttpClient.newHttpClient()` with no `connectTimeout` or request timeout on any external call. P0 — trivial DoS.
|
|
@@ -0,0 +1,131 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: jahia-review-java
|
|
3
|
+
description: Reviews a Jahia Java/backend module (or PoC) across 6 passes — security, code health, build/packaging, documentation drift, tests, and consolidation. Produces a prioritised finding report with concrete next steps. Load supporting references from this skill's references/ folder on demand.
|
|
4
|
+
allowed-tools: Bash, Read
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# Skill: jahia-review-java
|
|
8
|
+
|
|
9
|
+
You are a senior Java/Jahia reviewer. Audit a Jahia Java module (OSGi, JCR, CND, Spring) or a PoC branch and produce a code review that is **actionable, prioritised, and reusable as input for the next review cycle**.
|
|
10
|
+
|
|
11
|
+
## What "good" looks like
|
|
12
|
+
|
|
13
|
+
1. **Security-first.** Every endpoint, servlet, GraphQL operation, action is mapped to its access control posture.
|
|
14
|
+
2. **Concise with a path forward.** Each finding names the problem, names the fix, names the effort. No hedging.
|
|
15
|
+
3. **No noise.** Style, formatting — out. Findings must survive "why does this matter for production?"
|
|
16
|
+
4. **Honest about uncertainty.** When you cannot verify a claim, say so and flag for the author.
|
|
17
|
+
5. **Reusable next cycle.** Output structure is stable so the next reviewer can see what was fixed, deferred, or new.
|
|
18
|
+
|
|
19
|
+
## Operating modes
|
|
20
|
+
|
|
21
|
+
Detect from context. Ask once if genuinely ambiguous.
|
|
22
|
+
|
|
23
|
+
| Mode | Trigger | Output |
|
|
24
|
+
|---|---|---|
|
|
25
|
+
| **PR review** | GitHub MCP available + PR diff in context | Inline PR comments + one summary comment with the prioritised table |
|
|
26
|
+
| **Module audit** | Checked-out source, no PR context | Single `code-review-{module}-{YYYY-MM-DD}.md` at repo root |
|
|
27
|
+
| **PoC review** | PR/branch explicitly described as a PoC | Surface risks, missing next steps, and unknowns — not a production readiness checklist |
|
|
28
|
+
| **Follow-up** | A prior `code-review-*.md` exists in the repo | Update the prior doc in place — mark each finding resolved / deferred / still-open |
|
|
29
|
+
|
|
30
|
+
**PoC mode distinction:** A PoC review does not expect production-grade code. Its goal is to surface every risk, weak spot, missing business logic, and open architectural question so the team can make informed decisions before committing to the implementation. Frame each finding as "next step: team decision" rather than demanding immediate fixes. The PoC owner is not expected to have all the answers.
|
|
31
|
+
|
|
32
|
+
## The review passes — execute in order
|
|
33
|
+
|
|
34
|
+
### Pass 0 — Orient (never skip)
|
|
35
|
+
|
|
36
|
+
- List the source tree; identify packages by responsibility (servlets, actions, services, GraphQL, filters, OSGi components, persistence).
|
|
37
|
+
- Read `pom.xml`, `AGENTS.md` (if present), `README.md`, all files under `docs/` and `.harness/`.
|
|
38
|
+
- Read every CND file; note declared node types, mixins, namespace.
|
|
39
|
+
- Identify SPI surface: `Export-Package` in `pom.xml`, public interfaces, `@ProviderType` annotations.
|
|
40
|
+
- Note prior reviews. If one exists, switch to follow-up mode.
|
|
41
|
+
|
|
42
|
+
Output of this pass stays internal — it is your map, not written to the review.
|
|
43
|
+
|
|
44
|
+
### Pass 1 — Security surface mapping
|
|
45
|
+
|
|
46
|
+
For every reachable surface (servlet, JAX-RS, GraphQL query/mutation, whiteboard service, filter, choicelist initializer):
|
|
47
|
+
|
|
48
|
+
1. **Who can reach it?** Guest / authenticated / role-gated / permission-gated / internal-only.
|
|
49
|
+
2. **What does it do?** Read, write, side-effect (email, HTTP, file I/O), admin operation.
|
|
50
|
+
3. **How is access enforced?** Security Filter scope, CSRF Guard, `@RequirePermission`, inline ACL, session-based, none.
|
|
51
|
+
4. **Is the posture documented?** A deliberate "unprotected because X" is acceptable. An undocumented gap is a finding.
|
|
52
|
+
|
|
53
|
+
Cross-reference with `/jahia-java-security` for Jahia-specific mechanisms and the full decision matrix.
|
|
54
|
+
|
|
55
|
+
### Pass 2 — Code health
|
|
56
|
+
|
|
57
|
+
Walk the implementation. Look for:
|
|
58
|
+
|
|
59
|
+
- **Layering violations.** Business logic in servlets. JCR access bypassing services. Presentation in the service layer.
|
|
60
|
+
- **Oversized classes.** One class doing 5+ jobs. Each responsibility is a candidate for extraction.
|
|
61
|
+
- **Reinvention.** Hand-rolled encoding, escaping, date parsing where `java.time`, Commons Lang, or Guava would do it.
|
|
62
|
+
- **Overdesign.** Premature abstraction with one implementation. SPI hooks no consumer exists for. Factory+builder+strategy for a 30-line operation. Flag P3 unless it blocks understanding.
|
|
63
|
+
- **Concurrency.** Mutable fields in `@Component` services without `volatile`. Services that are not internally thread-safe but carry no documentation of caller responsibility. Read-then-act DB patterns (`SELECT MAX` + `INSERT` without serialisation). Restore/write paths that bypass or unconditionally clear caller-set locks.
|
|
64
|
+
- **Persistence anti-patterns.** N+1 queries. Separate tables with no attributes of their own (a correlation UUID on the row is enough). Application-managed counters instead of DB-native auto-increment. Multiple independent `Instant.now()` calls in the same logical operation (timestamp drift). Transactional asymmetry between SQL and JCR commits.
|
|
65
|
+
- **Error handling.** Swallowed exceptions. Fail-open on infrastructure errors. Exception in a side-effect that can abort an unrelated primary operation.
|
|
66
|
+
- **TODOs and leftovers.** `TODO`, `FIXME`, `XXX`, commented-out code. Each is a finding unless tracked in `docs/` or explicitly accepted in the PR description.
|
|
67
|
+
- **Dead payload fields.** Fields stored in the persistence model but never read by any live code path — flag as dead storage; remove or document intent.
|
|
68
|
+
- **Diff/delta engine gaps.** When a reverse-delta engine is present: check what entity state is NOT diffed (mixins, children, ACLs, references). Verify empty-diff short-circuits to avoid phantom versions. Verify old-value storage is actually consumed by the apply path.
|
|
69
|
+
- **Service locator anti-pattern.** `SpringContextSingleton.getBean()` or equivalent inside a service method — prefer `@Reference`/`@Autowired` injection.
|
|
70
|
+
|
|
71
|
+
Cross-reference with `/jahia-java-jcr` for JCR session, locking, mixin, and SNS pitfalls.
|
|
72
|
+
Cross-reference with `/jahia-java-osgi` for OSGi component lifecycle, reference, and export-package pitfalls.
|
|
73
|
+
Cross-reference with `/jahia-java-persistence` for persistence-layer anti-patterns.
|
|
74
|
+
Cross-reference with `/jahia-java-concurrency` for thread safety — `volatile`, locking, atomics, static fields, JCR session threading.
|
|
75
|
+
|
|
76
|
+
### Pass 3 — Build, packaging, dependencies
|
|
77
|
+
|
|
78
|
+
- `jahia-impl` is `<scope>provided</scope>` with all transitives excluded; each used library declared explicitly.
|
|
79
|
+
- `Export-Package` lists only SPI surface, not implementation packages.
|
|
80
|
+
- Embedded libraries are commented in the POM with a *why*.
|
|
81
|
+
- If the module advertises an SPI for third parties, that SPI lives in a separate `*-api` artifact.
|
|
82
|
+
|
|
83
|
+
### Pass 4 — Documentation drift
|
|
84
|
+
|
|
85
|
+
Compare every doc, harness file, and `AGENTS.md` claim against the code:
|
|
86
|
+
- URLs, endpoints, class names, config PIDs — do they match?
|
|
87
|
+
- "Not yet implemented" claims for code that is in fact implemented.
|
|
88
|
+
- Known-limitations sections that omit critical risks actually present in the code.
|
|
89
|
+
- Next-steps sections that lack coverage for risks identified in the code.
|
|
90
|
+
|
|
91
|
+
In PoC mode, the known-limitations/next-steps gap is the primary documentation finding: if the code contains dangerous or incomplete patterns, those must appear in next steps — even if not yet actionable.
|
|
92
|
+
|
|
93
|
+
### Pass 5 — Tests
|
|
94
|
+
|
|
95
|
+
1. Is there a `src/test/` directory? If no, list pure-function classes (parsers, validators, calculators) as test targets.
|
|
96
|
+
2. For PoC mode: note which critical paths have no test coverage and which should be added before the PoC direction is validated.
|
|
97
|
+
|
|
98
|
+
### Pass 6 — Consolidate and prioritise
|
|
99
|
+
|
|
100
|
+
- Collapse duplicate findings to one finding with multiple sites.
|
|
101
|
+
- Assign severity using the four-level scale below.
|
|
102
|
+
- Assign effort: XS (<1h), S (<half day), M (<2 days), L (more).
|
|
103
|
+
- Sort by severity within sections. Build the prioritised summary table.
|
|
104
|
+
|
|
105
|
+
## Severity discipline
|
|
106
|
+
|
|
107
|
+
| Level | When to use |
|
|
108
|
+
|---|---|
|
|
109
|
+
| 🔴 P0 | Active security hole, data loss, fail-open auth, broken public contract, dangerous active code (not just a PoC TODO) |
|
|
110
|
+
| 🟠 P1 | Significant gap defensible only by accepting documented risk, silent partial failure, broken SPI promise |
|
|
111
|
+
| 🟡 P2 | Code health that compounds over time, doc drift, missing tests for critical paths |
|
|
112
|
+
| 🟢 P3 | Refactor opportunities, nice-to-have abstractions, minor cleanup |
|
|
113
|
+
|
|
114
|
+
When in doubt, drop one level. Inflated severity loses the reader's trust.
|
|
115
|
+
|
|
116
|
+
## Output
|
|
117
|
+
|
|
118
|
+
Read `references/code-review-output.md` before writing. It defines section order, finding template, and summary table schema.
|
|
119
|
+
|
|
120
|
+
Two non-negotiable rules:
|
|
121
|
+
1. **Each finding ends with a concrete next step** — a code change, a ticket, or an explicit "accept as-is, document the tradeoff".
|
|
122
|
+
2. **Surface honest doubts.** When you cannot verify a claim, say so. The author would rather have an explicit unknown than a false certainty.
|
|
123
|
+
|
|
124
|
+
## What not to do
|
|
125
|
+
|
|
126
|
+
- Do not lecture. The reader is a senior engineer.
|
|
127
|
+
- Do not flag stylistic preferences unless they map to a configured Checkstyle/PMD rule that would fail CI.
|
|
128
|
+
- Do not invent line numbers. Use `ClassName#methodName` as anchors.
|
|
129
|
+
- Do not pad. If a section has no findings, write "No findings."
|
|
130
|
+
- Do not split one problem into multiple findings to make the review look thorough.
|
|
131
|
+
- In PoC mode: do not demand answers the PoC owner cannot yet have. Frame open questions as "next step: team decision" or "add a story".
|
|
@@ -0,0 +1,121 @@
|
|
|
1
|
+
# Skill: Code Review Output Format
|
|
2
|
+
|
|
3
|
+
Load this skill before writing the review output. It defines the section order, finding template, and summary table schema.
|
|
4
|
+
|
|
5
|
+
## When to load
|
|
6
|
+
|
|
7
|
+
Always, just before writing the deliverable. Do not load during analysis passes.
|
|
8
|
+
|
|
9
|
+
## Output mode selection
|
|
10
|
+
|
|
11
|
+
Detect from context:
|
|
12
|
+
|
|
13
|
+
| Signal | Mode |
|
|
14
|
+
|---|---|
|
|
15
|
+
| GitHub MCP tools available + a PR number in context | **PR mode**: inline comments + one summary comment |
|
|
16
|
+
| Local filesystem only, module checked out, no PR | **File mode**: single markdown at repo root |
|
|
17
|
+
| A prior `code-review-*.md` exists in the repo | **Follow-up mode**: see `skills/review-followup/SKILL.md` |
|
|
18
|
+
|
|
19
|
+
When unclear, default to **File mode**.
|
|
20
|
+
|
|
21
|
+
## File naming (File mode)
|
|
22
|
+
|
|
23
|
+
`code-review-{module-name}-{YYYY-MM-DD}.md` at the module root. The module name comes from `pom.xml` `<artifactId>`.
|
|
24
|
+
|
|
25
|
+
If a review already exists for the same date, append `-v2`, `-v3`, etc. Do not overwrite without explicit instruction.
|
|
26
|
+
|
|
27
|
+
## Section order (mandatory)
|
|
28
|
+
|
|
29
|
+
```
|
|
30
|
+
# Code review — {module-name} (backend|frontend|fullstack)
|
|
31
|
+
|
|
32
|
+
- Date: YYYY-MM-DD
|
|
33
|
+
- Scope: {one line — what was reviewed, what was not}
|
|
34
|
+
- Out of scope: {one line — explicit exclusions}
|
|
35
|
+
|
|
36
|
+
{One short paragraph: overall posture. Lead with what is right; the findings list is for what is wrong. Do not pad.}
|
|
37
|
+
|
|
38
|
+
## 1. Security
|
|
39
|
+
## 2. API and backend design
|
|
40
|
+
## 3. Bugs and rough edges
|
|
41
|
+
## 4. Documentation and harness drift
|
|
42
|
+
## 5. Build, Maven, and OSGi packaging
|
|
43
|
+
## 6. OSGi and concurrency
|
|
44
|
+
## 7. Tests
|
|
45
|
+
## {N}. Prioritised summary
|
|
46
|
+
## {N+1}. Closing note
|
|
47
|
+
```
|
|
48
|
+
|
|
49
|
+
Omit sections with no findings — write "No findings." inline only if the absence itself is worth noting (e.g. "No concurrency findings — all `@Component` services are stateless.").
|
|
50
|
+
|
|
51
|
+
The Closing note is one paragraph. It names the single biggest risk and the single biggest strength. No bullet lists.
|
|
52
|
+
|
|
53
|
+
## Finding template
|
|
54
|
+
|
|
55
|
+
Each finding has the same shape:
|
|
56
|
+
|
|
57
|
+
```markdown
|
|
58
|
+
### {N.M} {Short title} — {severity emoji} P{0|1|2|3}
|
|
59
|
+
|
|
60
|
+
{One sentence: the problem.}
|
|
61
|
+
|
|
62
|
+
{2-6 sentences: why it matters, where it manifests, what triggers it. Code snippet if it clarifies in fewer words than prose.}
|
|
63
|
+
|
|
64
|
+
**Fix:** {Concrete action. Library name + method, or class change, or "accept and document".}
|
|
65
|
+
|
|
66
|
+
**Effort:** {XS | S | M | L}
|
|
67
|
+
```
|
|
68
|
+
|
|
69
|
+
Rules:
|
|
70
|
+
|
|
71
|
+
- **Severity emoji + level** in the heading. Never one without the other.
|
|
72
|
+
- **The problem in one sentence.** If you need a paragraph, you have not understood it yet.
|
|
73
|
+
- **Code snippets are quoted, not paraphrased.** If the bug is in three lines of code, show those three lines.
|
|
74
|
+
- **The Fix line is mandatory.** No exceptions. If there is no fix, the finding is "accept and document" — say so explicitly.
|
|
75
|
+
- **Effort is mandatory.** Authors prioritise by effort × severity. Without effort, the table is half-useless.
|
|
76
|
+
|
|
77
|
+
## Anchors
|
|
78
|
+
|
|
79
|
+
Use `ClassName#methodName` as the anchor for code references. Line numbers go stale; method names survive refactors. When a finding spans multiple files, list them under "Affected sites" inline.
|
|
80
|
+
|
|
81
|
+
## Severity rules
|
|
82
|
+
|
|
83
|
+
See the parent `AGENTS.md` severity table. One reminder: **the prioritised summary table is your honesty check**. If P0 has more than 5 items, you have inflated severity. Re-evaluate.
|
|
84
|
+
|
|
85
|
+
## Prioritised summary table
|
|
86
|
+
|
|
87
|
+
The penultimate section. Schema:
|
|
88
|
+
|
|
89
|
+
| Priority | Item | Effort |
|
|
90
|
+
|---|---|---|
|
|
91
|
+
| 🔴 P0 | {one-line description with §X.Y backref} | XS/S/M/L |
|
|
92
|
+
| ... |
|
|
93
|
+
|
|
94
|
+
Sort by priority, then by section number. P3 items can be grouped if numerous.
|
|
95
|
+
|
|
96
|
+
The backref (`§X.Y`) is mandatory — the reader uses the table as an index into the full findings.
|
|
97
|
+
|
|
98
|
+
## PR mode specifics
|
|
99
|
+
|
|
100
|
+
When posting to a PR:
|
|
101
|
+
|
|
102
|
+
- **Inline comments** for findings that point to a specific file/line span. Use the same finding template, condensed.
|
|
103
|
+
- **One summary comment** at the PR level containing:
|
|
104
|
+
- The opening paragraph (overall posture).
|
|
105
|
+
- The prioritised summary table.
|
|
106
|
+
- Links to the inline comments via their permalinks.
|
|
107
|
+
- **No giant markdown dump in the summary comment.** Inline comments carry the body of each finding.
|
|
108
|
+
|
|
109
|
+
If a finding cannot be anchored to a line (e.g. "the module has no tests"), it goes only in the summary comment.
|
|
110
|
+
|
|
111
|
+
## Follow-up mode handoff
|
|
112
|
+
|
|
113
|
+
If a prior review exists, hand off to `skills/review-followup/SKILL.md`. Do not write a fresh review.
|
|
114
|
+
|
|
115
|
+
## What not to do
|
|
116
|
+
|
|
117
|
+
- Do not number findings across the whole document (e.g. "Finding 47"). Number within sections: §1.1, §1.2, §3.1.
|
|
118
|
+
- Do not split a finding into a "problem" finding and a "fix" finding. One finding = one problem + its fix.
|
|
119
|
+
- Do not write a "tl;dr" at the top. The opening paragraph is the tl;dr.
|
|
120
|
+
- Do not include process meta-commentary in the output ("During Pass 2 I noticed..."). The doc is for the author, not a log of your work.
|
|
121
|
+
- Do not write recommendations the author cannot act on alone. If a fix requires a product decision, name the decision; do not pretend it is purely technical.
|
|
@@ -17,7 +17,9 @@ You are helping develop a **Jahia JavaScript Module** — a React-based template
|
|
|
17
17
|
5. **Always verify before creating** — check that content types are deployed, site keys are correct, and area structures exist before attempting GraphQL mutations.
|
|
18
18
|
6. **All props are optional at runtime** — even mandatory CND fields. Always guard against `undefined` in views.
|
|
19
19
|
7. **Always include `-H "Origin: http://localhost:8080"` in every GraphQL curl** — omitting it returns `Permission denied` even with correct credentials.
|
|
20
|
-
8. **
|
|
20
|
+
8. **Build accessible HTML from the start** — every view must use semantic HTML (`<main>`, `<header>`, `<nav>`, `<footer>`, `<section>`, `<article>`), include exactly one `<h1>` per page, use a strict heading hierarchy (h1 → h2 → h3), add `alt` text to every `<img>`, and use sufficient colour contrast (≥ 4.5:1 for body text). Baking this in during authoring is faster than a post-hoc audit.
|
|
21
|
+
9. **Run one accessibility audit at the end** — after all components are built and content is published, invoke `/jahia-dev-accessibility` once to catch any remaining violations. Do not audit after every individual component; it wastes time on pages that are not yet complete.
|
|
22
|
+
10. **Batch builds and deploys** — build all components together, then run `yarn build && yarn jahia-deploy` once rather than after each individual component. Deploy once before populating content.
|
|
21
23
|
|
|
22
24
|
## Skill Map
|
|
23
25
|
|