@jahia/agentic 0.1.1 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (174)
  1. package/CHANGELOG.md +8 -0
  2. package/README.md +28 -0
  3. package/dist/claude/.claude/rules/jahia.md +3 -1
  4. package/dist/claude/.claude/skills/jahia/SKILL.md +18 -10
  5. package/dist/claude/.claude/skills/jahia-content/SKILL.md +102 -84
  6. package/dist/claude/.claude/skills/jahia-content-create-content/SKILL.md +255 -280
  7. package/dist/claude/.claude/skills/jahia-content-explore-structure/SKILL.md +187 -96
  8. package/dist/claude/.claude/skills/jahia-content-media-upload/SKILL.md +197 -0
  9. package/dist/claude/.claude/skills/jahia-content-move-content/SKILL.md +160 -165
  10. package/dist/claude/.claude/skills/jahia-content-organize/SKILL.md +209 -0
  11. package/dist/claude/.claude/skills/jahia-content-publish/SKILL.md +181 -0
  12. package/dist/claude/.claude/skills/jahia-content-query-content/SKILL.md +122 -92
  13. package/dist/claude/.claude/skills/jahia-content-translate-content/SKILL.md +154 -225
  14. package/dist/claude/.claude/skills/jahia-dev-build-component/SKILL.md +7 -22
  15. package/dist/claude/.claude/skills/jahia-dev-create-view/SKILL.md +58 -0
  16. package/dist/claude/.claude/skills/jahia-dev-cypress/SKILL.md +150 -330
  17. package/dist/claude/.claude/skills/jahia-dev-java/SKILL.md +7 -2
  18. package/dist/claude/.claude/skills/jahia-dev-query-content/SKILL.md +93 -296
  19. package/dist/claude/.claude/skills/jahia-java-concurrency/SKILL.md +308 -0
  20. package/dist/claude/.claude/skills/jahia-java-jcr/SKILL.md +153 -0
  21. package/dist/claude/.claude/skills/jahia-java-osgi/SKILL.md +134 -0
  22. package/dist/claude/.claude/skills/jahia-java-persistence/SKILL.md +177 -0
  23. package/dist/claude/.claude/skills/jahia-java-security/SKILL.md +84 -0
  24. package/dist/claude/.claude/skills/jahia-jcr-sql2/SKILL.md +258 -0
  25. package/dist/claude/.claude/skills/jahia-review-java/SKILL.md +131 -0
  26. package/dist/claude/.claude/skills/jahia-review-java/references/code-review-output.md +121 -0
  27. package/dist/claude/CLAUDE.md +4 -8
  28. package/dist/codex/.agents/skills/jahia/SKILL.md +18 -10
  29. package/dist/codex/.agents/skills/jahia-content/SKILL.md +102 -84
  30. package/dist/codex/.agents/skills/jahia-content-create-content/SKILL.md +255 -280
  31. package/dist/codex/.agents/skills/jahia-content-explore-structure/SKILL.md +187 -96
  32. package/dist/codex/.agents/skills/jahia-content-media-upload/SKILL.md +197 -0
  33. package/dist/codex/.agents/skills/jahia-content-move-content/SKILL.md +160 -165
  34. package/dist/codex/.agents/skills/jahia-content-organize/SKILL.md +209 -0
  35. package/dist/codex/.agents/skills/jahia-content-publish/SKILL.md +181 -0
  36. package/dist/codex/.agents/skills/jahia-content-query-content/SKILL.md +122 -92
  37. package/dist/codex/.agents/skills/jahia-content-translate-content/SKILL.md +154 -225
  38. package/dist/codex/.agents/skills/jahia-dev-build-component/SKILL.md +7 -22
  39. package/dist/codex/.agents/skills/jahia-dev-create-view/SKILL.md +58 -0
  40. package/dist/codex/.agents/skills/jahia-dev-cypress/SKILL.md +150 -330
  41. package/dist/codex/.agents/skills/jahia-dev-java/SKILL.md +7 -2
  42. package/dist/codex/.agents/skills/jahia-dev-query-content/SKILL.md +93 -296
  43. package/dist/codex/.agents/skills/jahia-java-concurrency/SKILL.md +308 -0
  44. package/dist/codex/.agents/skills/jahia-java-jcr/SKILL.md +153 -0
  45. package/dist/codex/.agents/skills/jahia-java-osgi/SKILL.md +134 -0
  46. package/dist/codex/.agents/skills/jahia-java-persistence/SKILL.md +177 -0
  47. package/dist/codex/.agents/skills/jahia-java-security/SKILL.md +84 -0
  48. package/dist/codex/.agents/skills/jahia-jcr-sql2/SKILL.md +258 -0
  49. package/dist/codex/.agents/skills/jahia-review-java/SKILL.md +131 -0
  50. package/dist/codex/.agents/skills/jahia-review-java/references/code-review-output.md +121 -0
  51. package/dist/codex/AGENTS.md +5 -5
  52. package/dist/copilot/.agents/skills/jahia/SKILL.md +18 -10
  53. package/dist/copilot/.agents/skills/jahia-content/SKILL.md +102 -84
  54. package/dist/copilot/.agents/skills/jahia-content-create-content/SKILL.md +255 -280
  55. package/dist/copilot/.agents/skills/jahia-content-explore-structure/SKILL.md +187 -96
  56. package/dist/copilot/.agents/skills/jahia-content-media-upload/SKILL.md +197 -0
  57. package/dist/copilot/.agents/skills/jahia-content-move-content/SKILL.md +160 -165
  58. package/dist/copilot/.agents/skills/jahia-content-organize/SKILL.md +209 -0
  59. package/dist/copilot/.agents/skills/jahia-content-publish/SKILL.md +181 -0
  60. package/dist/copilot/.agents/skills/jahia-content-query-content/SKILL.md +122 -92
  61. package/dist/copilot/.agents/skills/jahia-content-translate-content/SKILL.md +154 -225
  62. package/dist/copilot/.agents/skills/jahia-dev-build-component/SKILL.md +7 -22
  63. package/dist/copilot/.agents/skills/jahia-dev-create-view/SKILL.md +58 -0
  64. package/dist/copilot/.agents/skills/jahia-dev-cypress/SKILL.md +150 -330
  65. package/dist/copilot/.agents/skills/jahia-dev-java/SKILL.md +7 -2
  66. package/dist/copilot/.agents/skills/jahia-dev-query-content/SKILL.md +93 -296
  67. package/dist/copilot/.agents/skills/jahia-java-concurrency/SKILL.md +308 -0
  68. package/dist/copilot/.agents/skills/jahia-java-jcr/SKILL.md +153 -0
  69. package/dist/copilot/.agents/skills/jahia-java-osgi/SKILL.md +134 -0
  70. package/dist/copilot/.agents/skills/jahia-java-persistence/SKILL.md +177 -0
  71. package/dist/copilot/.agents/skills/jahia-java-security/SKILL.md +84 -0
  72. package/dist/copilot/.agents/skills/jahia-jcr-sql2/SKILL.md +258 -0
  73. package/dist/copilot/.agents/skills/jahia-review-java/SKILL.md +131 -0
  74. package/dist/copilot/.agents/skills/jahia-review-java/references/code-review-output.md +121 -0
  75. package/dist/copilot/AGENTS.md +5 -5
  76. package/dist/cursor/.agents/skills/jahia/SKILL.md +18 -10
  77. package/dist/cursor/.agents/skills/jahia-content/SKILL.md +102 -84
  78. package/dist/cursor/.agents/skills/jahia-content-create-content/SKILL.md +255 -280
  79. package/dist/cursor/.agents/skills/jahia-content-explore-structure/SKILL.md +187 -96
  80. package/dist/cursor/.agents/skills/jahia-content-media-upload/SKILL.md +197 -0
  81. package/dist/cursor/.agents/skills/jahia-content-move-content/SKILL.md +160 -165
  82. package/dist/cursor/.agents/skills/jahia-content-organize/SKILL.md +209 -0
  83. package/dist/cursor/.agents/skills/jahia-content-publish/SKILL.md +181 -0
  84. package/dist/cursor/.agents/skills/jahia-content-query-content/SKILL.md +122 -92
  85. package/dist/cursor/.agents/skills/jahia-content-translate-content/SKILL.md +154 -225
  86. package/dist/cursor/.agents/skills/jahia-dev-build-component/SKILL.md +7 -22
  87. package/dist/cursor/.agents/skills/jahia-dev-create-view/SKILL.md +58 -0
  88. package/dist/cursor/.agents/skills/jahia-dev-cypress/SKILL.md +150 -330
  89. package/dist/cursor/.agents/skills/jahia-dev-java/SKILL.md +7 -2
  90. package/dist/cursor/.agents/skills/jahia-dev-query-content/SKILL.md +93 -296
  91. package/dist/cursor/.agents/skills/jahia-java-concurrency/SKILL.md +308 -0
  92. package/dist/cursor/.agents/skills/jahia-java-jcr/SKILL.md +153 -0
  93. package/dist/cursor/.agents/skills/jahia-java-osgi/SKILL.md +134 -0
  94. package/dist/cursor/.agents/skills/jahia-java-persistence/SKILL.md +177 -0
  95. package/dist/cursor/.agents/skills/jahia-java-security/SKILL.md +84 -0
  96. package/dist/cursor/.agents/skills/jahia-jcr-sql2/SKILL.md +258 -0
  97. package/dist/cursor/.agents/skills/jahia-review-java/SKILL.md +131 -0
  98. package/dist/cursor/.agents/skills/jahia-review-java/references/code-review-output.md +121 -0
  99. package/dist/cursor/.cursor/rules/jahia.mdc +3 -1
  100. package/dist/gemini/.agents/skills/jahia/SKILL.md +18 -10
  101. package/dist/gemini/.agents/skills/jahia-content/SKILL.md +102 -84
  102. package/dist/gemini/.agents/skills/jahia-content-create-content/SKILL.md +255 -280
  103. package/dist/gemini/.agents/skills/jahia-content-explore-structure/SKILL.md +187 -96
  104. package/dist/gemini/.agents/skills/jahia-content-media-upload/SKILL.md +197 -0
  105. package/dist/gemini/.agents/skills/jahia-content-move-content/SKILL.md +160 -165
  106. package/dist/gemini/.agents/skills/jahia-content-organize/SKILL.md +209 -0
  107. package/dist/gemini/.agents/skills/jahia-content-publish/SKILL.md +181 -0
  108. package/dist/gemini/.agents/skills/jahia-content-query-content/SKILL.md +122 -92
  109. package/dist/gemini/.agents/skills/jahia-content-translate-content/SKILL.md +154 -225
  110. package/dist/gemini/.agents/skills/jahia-dev-build-component/SKILL.md +7 -22
  111. package/dist/gemini/.agents/skills/jahia-dev-create-view/SKILL.md +58 -0
  112. package/dist/gemini/.agents/skills/jahia-dev-cypress/SKILL.md +150 -330
  113. package/dist/gemini/.agents/skills/jahia-dev-java/SKILL.md +7 -2
  114. package/dist/gemini/.agents/skills/jahia-dev-query-content/SKILL.md +93 -296
  115. package/dist/gemini/.agents/skills/jahia-java-concurrency/SKILL.md +308 -0
  116. package/dist/gemini/.agents/skills/jahia-java-jcr/SKILL.md +153 -0
  117. package/dist/gemini/.agents/skills/jahia-java-osgi/SKILL.md +134 -0
  118. package/dist/gemini/.agents/skills/jahia-java-persistence/SKILL.md +177 -0
  119. package/dist/gemini/.agents/skills/jahia-java-security/SKILL.md +84 -0
  120. package/dist/gemini/.agents/skills/jahia-jcr-sql2/SKILL.md +258 -0
  121. package/dist/gemini/.agents/skills/jahia-review-java/SKILL.md +131 -0
  122. package/dist/gemini/.agents/skills/jahia-review-java/references/code-review-output.md +121 -0
  123. package/dist/gemini/AGENTS.md +5 -5
  124. package/dist/gemini/GEMINI.md +2 -2
  125. package/dist/opencode/.agents/skills/jahia/SKILL.md +18 -10
  126. package/dist/opencode/.agents/skills/jahia-content/SKILL.md +102 -84
  127. package/dist/opencode/.agents/skills/jahia-content-create-content/SKILL.md +255 -280
  128. package/dist/opencode/.agents/skills/jahia-content-explore-structure/SKILL.md +187 -96
  129. package/dist/opencode/.agents/skills/jahia-content-media-upload/SKILL.md +197 -0
  130. package/dist/opencode/.agents/skills/jahia-content-move-content/SKILL.md +160 -165
  131. package/dist/opencode/.agents/skills/jahia-content-organize/SKILL.md +209 -0
  132. package/dist/opencode/.agents/skills/jahia-content-publish/SKILL.md +181 -0
  133. package/dist/opencode/.agents/skills/jahia-content-query-content/SKILL.md +122 -92
  134. package/dist/opencode/.agents/skills/jahia-content-translate-content/SKILL.md +154 -225
  135. package/dist/opencode/.agents/skills/jahia-dev-build-component/SKILL.md +7 -22
  136. package/dist/opencode/.agents/skills/jahia-dev-create-view/SKILL.md +58 -0
  137. package/dist/opencode/.agents/skills/jahia-dev-cypress/SKILL.md +150 -330
  138. package/dist/opencode/.agents/skills/jahia-dev-java/SKILL.md +7 -2
  139. package/dist/opencode/.agents/skills/jahia-dev-query-content/SKILL.md +93 -296
  140. package/dist/opencode/.agents/skills/jahia-java-concurrency/SKILL.md +308 -0
  141. package/dist/opencode/.agents/skills/jahia-java-jcr/SKILL.md +153 -0
  142. package/dist/opencode/.agents/skills/jahia-java-osgi/SKILL.md +134 -0
  143. package/dist/opencode/.agents/skills/jahia-java-persistence/SKILL.md +177 -0
  144. package/dist/opencode/.agents/skills/jahia-java-security/SKILL.md +84 -0
  145. package/dist/opencode/.agents/skills/jahia-jcr-sql2/SKILL.md +258 -0
  146. package/dist/opencode/.agents/skills/jahia-review-java/SKILL.md +131 -0
  147. package/dist/opencode/.agents/skills/jahia-review-java/references/code-review-output.md +121 -0
  148. package/dist/opencode/AGENTS.md +5 -5
  149. package/dist/windsurf/.windsurf/rules/jahia.md +3 -1
  150. package/dist/windsurf/.windsurf/skills/jahia/SKILL.md +18 -10
  151. package/dist/windsurf/.windsurf/skills/jahia-content/SKILL.md +102 -84
  152. package/dist/windsurf/.windsurf/skills/jahia-content-create-content/SKILL.md +255 -280
  153. package/dist/windsurf/.windsurf/skills/jahia-content-explore-structure/SKILL.md +187 -96
  154. package/dist/windsurf/.windsurf/skills/jahia-content-media-upload/SKILL.md +197 -0
  155. package/dist/windsurf/.windsurf/skills/jahia-content-move-content/SKILL.md +160 -165
  156. package/dist/windsurf/.windsurf/skills/jahia-content-organize/SKILL.md +209 -0
  157. package/dist/windsurf/.windsurf/skills/jahia-content-publish/SKILL.md +181 -0
  158. package/dist/windsurf/.windsurf/skills/jahia-content-query-content/SKILL.md +122 -92
  159. package/dist/windsurf/.windsurf/skills/jahia-content-translate-content/SKILL.md +154 -225
  160. package/dist/windsurf/.windsurf/skills/jahia-dev-build-component/SKILL.md +7 -22
  161. package/dist/windsurf/.windsurf/skills/jahia-dev-create-view/SKILL.md +58 -0
  162. package/dist/windsurf/.windsurf/skills/jahia-dev-cypress/SKILL.md +150 -330
  163. package/dist/windsurf/.windsurf/skills/jahia-dev-java/SKILL.md +7 -2
  164. package/dist/windsurf/.windsurf/skills/jahia-dev-query-content/SKILL.md +93 -296
  165. package/dist/windsurf/.windsurf/skills/jahia-java-concurrency/SKILL.md +308 -0
  166. package/dist/windsurf/.windsurf/skills/jahia-java-jcr/SKILL.md +153 -0
  167. package/dist/windsurf/.windsurf/skills/jahia-java-osgi/SKILL.md +134 -0
  168. package/dist/windsurf/.windsurf/skills/jahia-java-persistence/SKILL.md +177 -0
  169. package/dist/windsurf/.windsurf/skills/jahia-java-security/SKILL.md +84 -0
  170. package/dist/windsurf/.windsurf/skills/jahia-jcr-sql2/SKILL.md +258 -0
  171. package/dist/windsurf/.windsurf/skills/jahia-review-java/SKILL.md +131 -0
  172. package/dist/windsurf/.windsurf/skills/jahia-review-java/references/code-review-output.md +121 -0
  173. package/dist/windsurf/AGENTS.md +5 -5
  174. package/package.json +7 -3
@@ -0,0 +1,177 @@
1
+ ---
2
+ name: jahia-java-persistence
3
+ description: Persistence and data model patterns for Jahia Java backend — correct usage of JPA/Hibernate with JCR, N+1 avoidance, timestamp consistency, entity model decisions, transactional asymmetry between SQL and JCR, and locking/concurrency in write paths. Load when implementing or reviewing any class that interacts with a relational database alongside JCR.
4
+ allowed-tools: Read
5
+ ---
6
+
7
+ # Persistence Patterns for Jahia Java Backend
8
+
9
+ This skill covers how to design and implement the persistence layer correctly when combining SQL (JPA/Hibernate) with JCR in a Jahia Java module. Each section states the correct approach first, then the pitfall. Both developers and reviewers use this skill.
10
+
11
+ ---
12
+
13
+ ## Sequence and counter columns
14
+
15
+ ### Correct approach
16
+
17
+ Use the database's native mechanisms for generating ordered identifiers:
18
+ - `IDENTITY` / `AUTO_INCREMENT` on the primary key for insertion order.
19
+ - A `SEQUENCE` object (reserved inside a serialized transaction) if you need a stable ordering column separate from the PK.
20
+
21
+ ### Pitfall
22
+
23
+ ```java
24
+ // anti-pattern — read-then-act race
25
+ int max = repository.selectMaxNumber(contentId, locale); // SELECT MAX(...)
26
+ entity.setNumber(max + 1);
27
+ session.persist(entity);
28
+ ```
29
+
30
+ Two concurrent inserts for the same `(contentId, locale)` read the same `MAX`, produce duplicate numbers, and either hit a unique constraint violation or silently corrupt ordering. Application-managed counters are never safe without explicit row-level locking. The counter column is also redundant if the primary key already provides insertion order.
31
+
32
+ **Finding level:** P1 for concurrent write paths; P2 if access is serialised by a documented higher-level lock, but that invariant must be documented.
33
+
34
+ ---
35
+
36
+ ## N+1 query patterns
37
+
38
+ ### Correct approach
39
+
40
+ Load parent and child data in one round-trip:
41
+ - SQL: `JOIN` or a `WHERE id IN (...)` batch query.
42
+ - JPA: `JOIN FETCH` in JPQL or `@EntityGraph`.
43
+
44
+ ### Pitfall
45
+
46
+ ```java
47
+ // anti-pattern
48
+ List<Group> groups = repo.listGroups(contentId); // 1 query
49
+ for (Group g : groups) {
50
+ g.setVersions(repo.loadVersionsForGroup(g.getId())); // N queries
51
+ }
52
+ ```
53
+
54
+ N+1 patterns are invisible in low-volume testing but degrade linearly under real content volumes. For unbounded lists (version history, publication logs) this becomes a UI performance cliff.
55
+
56
+ **Finding level:** P2 for capped lists; P1 for unbounded lists in hot paths.
57
+
58
+ ---
59
+
60
+ ## Timestamp consistency in batch operations
61
+
62
+ ### Correct approach
63
+
64
+ Compute the timestamp **once** at the start of a logical operation and pass it to every entity created by that operation:
65
+
66
+ ```java
67
+ Instant now = Instant.now(); // computed once
68
+ groupEntity.setCreatedAt(now);
69
+ for (var version : versions) {
70
+ versionEntity.setCreatedAt(now); // same value for all
71
+ }
72
+ ```
73
+
74
+ This makes "all entities from this operation" a trivial equality predicate: `WHERE operationId = ? AND createdAt = ?`. It also makes the audit trail semantically correct — these are one logical event, not N sequential events.
75
+
76
+ ### Pitfall
77
+
78
+ Multiple independent `Instant.now()` calls within the same logical operation produce timestamp drift. Even millisecond drift means "show me all versions from this publish event" requires a range query with fuzzy bounds instead of equality. It also implies false ordering between things that are the same event.
79
+
80
+ **Finding level:** P2 — correctness and query simplicity. Elevate to P1 if the drift creates misleading audit trails.
81
+
82
+ ---
83
+
84
+ ## Entity model: when a separate table earns its keep
85
+
86
+ ### Correct approach
87
+
88
+ A separate table/entity is justified when it carries state that would be annoyingly denormalised across every member row: operation type, author, workflow status, retry counters, approval metadata, referential integrity constraints.
89
+
90
+ If the only purpose of the separate table is to group rows (no meaningful payload of its own), a plain `operationId` UUID column on the member table is sufficient:
91
+ - "All operations for a content": `SELECT DISTINCT operationId, createdAt FROM NodeVersion WHERE contentId = ? ORDER BY createdAt DESC`
92
+ - "All versions of one operation": `SELECT * FROM NodeVersion WHERE operationId = ?`
93
+
94
+ Rule of thumb: defer extraction to a separate entity until the denormalised columns exceed 3–4 fields, or you need referential integrity on the operation itself (cascading, per-operation locks). The refactor is straightforward later — `INSERT ... SELECT DISTINCT` into the new table, add the FK, drop the denormalised columns.
95
+
96
+ ### Pitfall
97
+
98
+ ```java
99
+ // separate table with no meaningful payload — not justified yet
100
+ @Entity class NodeVersionGroupEntity {
101
+ UUID id;
102
+ UUID nodeUuid; // duplicated from every member row
103
+ Instant createdAt; // drifts from member rows (see above)
104
+ // nothing else
105
+ }
106
+ ```
107
+
108
+ A correlation-only entity adds a table, a JOIN on every group query, a separate Hibernate lifecycle, and the risk of timestamp drift — for zero domain benefit until the group gains real state.
109
+
110
+ **Finding level:** P2 — surface as a design decision for the team, not a demand for immediate refactoring. Ask: does the group entity carry any state today? What is the expected evolution?
111
+
112
+ ---
113
+
114
+ ## Transactional asymmetry — mixed SQL + JCR stores
115
+
116
+ ### Correct approach
117
+
118
+ SQL (Hibernate) and JCR do not share a transaction. Treat every mixed write path as requiring explicit reasoning about failure modes.
119
+
120
+ Options in order of preference:
121
+ 1. **JCR as system of record:** write to JCR first; only commit to SQL after a successful `session.save()`. If the SQL commit fails, log the orphaned JCR state and add it to a retry or cleanup queue.
122
+ 2. **Outbox pattern:** write to SQL only (including a status/outbox column); a separate process reads and applies the JCR write idempotently.
123
+ 3. **Accept the asymmetry:** document the inconsistency window explicitly, add a compensating cleanup path, and add monitoring to detect orphaned rows.
124
+
125
+ ### Pitfall
126
+
127
+ ```java
128
+ repository.insertVersion(entity); // SQL committed inside Hibernate session
129
+ jcrNode.setProperty("...", value); // if this fails, SQL is already committed
130
+ session.save();
131
+ ```
132
+
133
+ A failure in the JCR write leaves the SQL committed and the JCR unchanged — silent data inconsistency. Symptoms: rows in the DB with no corresponding JCR node, or vice versa.
134
+
135
+ **Finding level:** P1 — silent data inconsistency. Elevate to P0 if the inconsistency is user-visible or hard to detect.
136
+
137
+ ---
138
+
139
+ ## Locking and write paths
140
+
141
+ ### Correct approach
142
+
143
+ Document the thread-safety contract of every write path that involves locking, restoration, or multi-step state transitions:
144
+ - Is the path safe to call concurrently? If not, what external lock must the caller hold?
145
+ - Does the path clear existing locks? If yes, whose lock? Under what conditions is clearing safe?
146
+
147
+ Before clearing a JCR lock in a write path:
148
+ 1. Verify the lock is not owned by an unrelated operation (active publication job, workflow, concurrent editor).
149
+ 2. If the lock is external, fail with a clear error — do not continue.
150
+
151
+ ### Pitfall
152
+
153
+ ```java
154
+ // dangerous — clears all locks unconditionally, continues even if clearing fails
155
+ JCRContentUtils.clearAllLocks(node);
156
+ restoreContent(node, version);
157
+ ```
158
+
159
+ This pattern is dangerous in any path that is not the sole writer. A publication job in progress may have locked the node for a reason; clearing the lock and continuing the restore corrupts the publication. See also `jahia-java-jcr` locking section.
160
+
161
+ **Finding level:** P0 if active in production code; P1 if guarded by a feature flag off by default — but must appear in known-limitations/next-steps regardless.
162
+
163
+ ---
164
+
165
+ ## Schema documentation
166
+
167
+ ### Correct approach
168
+
169
+ For any module that introduces relational tables, include a schema summary in `docs/` or a README section covering:
170
+ - Table names and purpose.
171
+ - Key column types and constraints (primary keys, foreign keys, unique constraints, indexed columns).
172
+ - How SQL tables relate to JCR nodes (which JCR property or node UUID maps to which SQL column).
173
+ - Any migration strategy for schema changes.
174
+
175
+ ### Pitfall
176
+
177
+ Undocumented tables discovered by reviewing Hibernate entity classes alone — reviewers and future maintainers cannot verify the full schema from code without running the application and inspecting the DB. This is a P2 documentation finding.
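Review bot: the timestamp-consistency example under "Correct approach" has a loop bug that undercuts the point it is making: `for (var version : versions) {` never uses `version`, and `versionEntity.setCreatedAt(now); // same value for all` assigns to one entity outside the loop on every iteration, so as written it does not stamp every member row with the shared value. Suggest `for (var versionEntity : versionEntities) { versionEntity.setCreatedAt(now); }`, or build the entity from `version` inside the loop body. Second, the sequence bullet says a `SEQUENCE` object is "reserved inside a serialized transaction"; database sequences are allocated atomically regardless of isolation level and their values are not rolled back, so the qualifier is unnecessary and the text should instead warn readers to expect gaps in the ordering column after a rolled-back insert. Minor: the finding-level line `P2 if access is serialised by a documented higher-level lock, but that invariant must be documented` says "documented" twice; the first occurrence can go.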
@@ -0,0 +1,84 @@
1
+ ---
2
+ name: jahia-java-security
3
+ description: Jahia security model for Java backend development — the four protection mechanisms (Security Filter, CSRF Guard, ACLs, captcha), when each applies, and how to audit or implement each correctly. Load when implementing or reviewing any HTTP-reachable surface in a Jahia Java module.
4
+ allowed-tools: Read
5
+ ---
6
+
7
+ # Jahia Security Model for Java Backend
8
+
9
+ This skill covers how to correctly protect HTTP-reachable surfaces in a Jahia Java module. Each mechanism is described with its correct use, its limits, and the common mistakes that create vulnerabilities. Both developers and reviewers use this skill.
10
+
11
+ ---
12
+
13
+ ## The four protection mechanisms
14
+
15
+ Every reachable surface in a Jahia module is protected by zero, one, or several of these. Map each one explicitly for any surface you implement or review.
16
+
17
+ ### 1. Jahia Security Filter (API scopes)
18
+
19
+ - **What:** OSGi-configurable filter that gates URL patterns by `Origin`/`Referer` and required permissions/scopes.
20
+ - **Config:** YAML under `META-INF/configurations/org.jahia.modules.api.permissions-*.yaml`.
21
+ - **Origin gating:** `auto_apply: - origin: hosted` ensures requests come from the same domain. Works for guests and authenticated users. Does not break CDN caching.
22
+ - **Permission gating:** `grants: - api: <name>; node: <selector>` enforces a Jahia permission.
23
+ - **When to use:** default protection for any module-exposed servlet or GraphQL endpoint reachable over HTTP. This is the first line of defense — apply it before considering CSRF Guard or inline checks.
24
+
25
+ ### 2. CSRF Guard
26
+
27
+ - **What:** Jahia-wide servlet filter injecting a token into XHR/fetch and validating it server-side.
28
+ - **Critical limitation:** `jahia.csrf-guard.bypassForGuest = true` by default. CSRF Guard **does not protect guest submissions** out of the box. Enabling it for guests breaks CDN caching of public pages.
29
+ - **When to use:** authenticated-only operations where you can verify the URL pattern is in the guard's `resolvedUrlPatterns` config.
30
+ - **Common mistake:** assuming CSRF Guard protects a guest-reachable form. It does not — a guest submitting a public form bypasses CSRF Guard entirely.
31
+
32
+ ### 3. Jahia permissions and ACLs
33
+
34
+ - **What:** JCR-based ACLs + named permissions declared in `permissions.xml` or `*.cnd`.
35
+ - **Enforcement:** `JCRSessionWrapper` (user session — permissions apply) vs `JCRSessionFactory.getCurrentSystemSession()` / `JCRTemplate.doExecuteWithSystemSession` (system session — permissions bypassed).
36
+ - **GraphQL:** `@GraphQLField` operations should declare `@RequirePermission` annotations. An admin operation without `@RequirePermission` is a finding.
37
+ - **When to use:** any operation that reads/writes JCR content with content-level access rules — jContent admin screens, content workflows, operations that respect site/node permissions.
38
+ - **Audit rule:** when code uses a system session, the security boundary is whatever check happened *before* the `doExecuteWithSystemSession` call. Find that check explicitly. If there is none, the operation is anonymous-privileged — P0 for writes, P1 for reads.
39
+
40
+ ### 4. Captcha and one-time tokens
41
+
42
+ - **What:** non-replayable credentials tied to the rendering page.
43
+ - **When to use:** defense-in-depth against bots and as partial CSRF mitigation for guest forms.
44
+ - **Not a primary CSRF control.** Captcha protects a specific form when enabled, but it is not origin verification. Do not let a code path rely on captcha alone.
45
+
46
+ ---
47
+
48
+ ## Decision matrix
49
+
50
+ For each surface you implement or review, fill this in:
51
+
52
+ | Surface | Guests? | Auth users? | Side effects? | Required protection |
53
+ |---|---|---|---|---|
54
+ | Public form submit | Yes | Yes | Email, JCR write | Security Filter `origin: hosted` (primary) + captcha (defense-in-depth) |
55
+ | Admin GraphQL query | No | Yes (with permission) | Read JCR | Security Filter `origin: hosted` + `@RequirePermission(...)` |
56
+ | Admin GraphQL mutation | No | Yes (with permission) | Write JCR | Same + verify ACL when system session is used |
57
+ | OSGi servlet at `/modules/...` | Depends | Depends | Depends | At minimum: `origin: hosted` |
58
+ | Choicelist initializer | Indirect (editor UI) | Yes (editor) | Read config | Inherits editor auth — verify it does not leak cross-tenant data |
59
+
60
+ ---
61
+
62
+ ## Implementing a secure surface — checklist
63
+
64
+ When adding a new servlet, GraphQL operation, or filter:
65
+
66
+ 1. **Declare the Security Filter scope** in `org.jahia.modules.api.permissions-*.yaml`.
67
+ 2. **Classify the surface** in the decision matrix above.
68
+ 3. **If writing JCR with a system session:** document the prior permission check in a Javadoc comment on the method.
69
+ 4. **If the surface is public (guest-reachable):** do not rely on CSRF Guard alone. Use `origin: hosted` + captcha if the action has side effects.
70
+ 5. **If the surface is admin-only:** add `@RequirePermission` to the GraphQL field or inline `JCRTemplate` ACL check.
71
+ 6. **Document the intent.** A deliberate "this endpoint is public because X" must be in a Javadoc on the class or in `docs/security.md`. An undocumented gap is a finding even if intentional — the next maintainer cannot tell intent from accident.
72
+
73
+ ---
74
+
75
+ ## Findings to surface during review
76
+
77
+ 1. **Unprotected endpoint.** Any servlet/GraphQL operation without a Security Filter scope **and** without `@RequirePermission` **and** without an inline auth check. P0 unless explicitly documented as intentionally public.
78
+ 2. **CSRF Guard guest bypass misunderstood.** Code or docs claiming CSRF Guard protects guests. P0 — foundational misunderstanding.
79
+ 3. **System session without prior permission check.** P0 for writes, P1 for reads.
80
+ 4. **Captcha presented as primary CSRF defense.** P1 — it is defense-in-depth, not primary.
81
+ 5. **Missing `@RequirePermission` on admin GraphQL.** P0 for mutations, P1 for sensitive-data queries.
82
+ 6. **Permission referenced but not declared.** A permission name used in code or config that is not declared in any module resource. P1.
83
+ 7. **Email recipients from user input.** Any `to:` address derived from a submitted field without an allowlist. P1 — open relay vector.
84
+ 8. **Outbound HTTP without timeouts.** `HttpClient.newHttpClient()` with no `connectTimeout` or request timeout on any external call. P0 — trivial DoS.
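Review bot: the Security Filter section needs one more sentence before it can be applied by a reviewer. It says the filter gates URL patterns "by `Origin`/`Referer`" and that `auto_apply: - origin: hosted` "ensures requests come from the same domain", but it does not say what the filter does when both headers are absent (privacy extensions, some proxies and non-browser clients strip them). Whether an absent origin is rejected or allowed decides whether `origin: hosted` is a complete CSRF control for the guest-reachable rows of the decision matrix (`Public form submit`, `OSGi servlet at /modules/...`), so the skill should state the behaviour explicitly and tell reviewers to confirm it in the deployed configuration. Finding 8 (`HttpClient.newHttpClient()` with no `connectTimeout` or request timeout) would also be more actionable with the fix named next to it: `HttpClient.newBuilder().connectTimeout(...)` for the connection and `HttpRequest.newBuilder().timeout(...)` per request, since the bare factory sets neither by default.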
@@ -0,0 +1,258 @@
1
+ ---
2
+ name: jahia-jcr-sql2
3
+ description: JCR-SQL2 reference for Jahia queries. Use when building, reviewing, or debugging SQL2 statements for content listings, full-text search, sorting, pagination, or Java back-end query code.
4
+ ---
5
+
6
+ # Skill: jahia-jcr-sql2
7
+
8
+ Use this skill when you need the JCR-SQL2 language itself: selectors, path constraints, filters, ordering, full-text syntax, joins, pagination rules, and performance guardrails.
9
+
10
+ ---
11
+
12
+ ## When to use JCR-SQL2
13
+
14
+ JCR-SQL2 is the standard Jahia query language for:
15
+
16
+ - listing pages or content with filtering and sorting
17
+ - querying a folder subtree
18
+ - searching by property value, date, or reference
19
+ - full-text search across indexed content
20
+ - back-end Java code using `QueryManagerWrapper`
21
+ - template-set listings that use `useJCRQuery` or the Page Builder query component
22
+
23
+ ---
24
+
25
+ ## Basic syntax
26
+
27
+ ### Select by node type
28
+
29
+ ```sql
30
+ SELECT * FROM [jnt:page] AS page
31
+ SELECT * FROM [jnt:content] AS content
32
+ SELECT * FROM [jnt:file] AS file
33
+ ```
34
+
35
+ The selector matches the named type and its subtypes.
36
+
37
+ ### Common node types
38
+
39
+ | Type | Meaning |
40
+ |------|---------|
41
+ | `jnt:page` | pages |
42
+ | `jnt:content` | editorial content |
43
+ | `jnt:file` | files |
44
+ | `jnt:virtualsite` | sites |
45
+ | `jmix:searchable` | general searchable content |
46
+ | `nt:base` | all nodes — avoid unless paired with a strict path |
47
+
48
+ ---
49
+
50
+ ## Path constraints
51
+
52
+ ### Recursive subtree
53
+
54
+ ```sql
55
+ SELECT * FROM [jnt:page] AS page
56
+ WHERE ISDESCENDANTNODE(page, '/sites/luxe/home')
57
+ ```
58
+
59
+ ### Direct children only
60
+
61
+ ```sql
62
+ SELECT * FROM [jnt:page] AS page
63
+ WHERE ISCHILDNODE(page, '/sites/luxe/home')
64
+ ```
65
+
66
+ **Guardrail:** always constrain by path to avoid repository-wide scans.
67
+
68
+ ---
69
+
70
+ ## Property constraints
71
+
72
+ ### Exact match
73
+
74
+ ```sql
75
+ WHERE page.[j:templateName] = 'home'
76
+ WHERE node.[jcr:title] = 'My Title'
77
+ ```
78
+
79
+ ### Pattern match
80
+
81
+ ```sql
82
+ WHERE node.[jcr:title] LIKE '%keyword%'
83
+ WHERE node.[j:nodename] LIKE '%.png'
84
+ ```
85
+
86
+ ### Null checks
87
+
88
+ ```sql
89
+ WHERE page.[jcr:title] IS NOT NULL
90
+ ```
91
+
92
+ ### Boolean
93
+
94
+ ```sql
95
+ WHERE node.[j:published] = CAST('true' AS BOOLEAN)
96
+ ```
97
+
98
+ ### Date comparison
99
+
100
+ ```sql
101
+ WHERE page.[jcr:lastModified] > CAST('2026-01-01T00:00:00.000Z' AS DATE)
102
+ ```
103
+
104
+ Use the millisecond form `yyyy-MM-dd'T'HH:mm:ss.SSSX` for SQL2 date casts.
105
+
106
+ ### Multiple conditions
107
+
108
+ ```sql
109
+ WHERE ISDESCENDANTNODE(page, '/sites/luxe')
110
+ AND page.[jcr:lastModified] > CAST('2026-01-01T00:00:00.000Z' AS DATE)
111
+ ```
112
+
113
+ ### OR conditions
114
+
115
+ ```sql
116
+ WHERE node.[jcr:primaryType] = 'jnt:bigText'
117
+ OR node.[jcr:primaryType] = 'jnt:article'
118
+ ```
119
+
120
+ ---
121
+
122
+ ## Ordering
123
+
124
+ ```sql
125
+ ORDER BY page.[jcr:lastModified] DESC
126
+ ORDER BY page.[jcr:created] ASC
127
+ ORDER BY node.[jcr:title]
128
+ ```
129
+
130
+ Multiple columns:
131
+
132
+ ```sql
133
+ ORDER BY page.[j:templateName] ASC, page.[jcr:lastModified] DESC
134
+ ```
135
+
136
+ ---
137
+
138
+ ## Full-text search
139
+
140
+ ### Search indexed content
141
+
142
+ ```sql
143
+ WHERE CONTAINS(node.*, 'digital')
144
+ ```
145
+
146
+ ### Search one property
147
+
148
+ ```sql
149
+ WHERE CONTAINS(node.[jcr:title], 'welcome')
150
+ ```
151
+
152
+ ### Expression syntax
153
+
154
+ | Syntax | Meaning |
155
+ |--------|---------|
156
+ | `term` | must contain the term |
157
+ | `term1 term2` | implicit AND |
158
+ | `term1 OR term2` | either term |
159
+ | `"exact phrase"` | exact phrase |
160
+ | `-term` | exclude term |
161
+
162
+ ### Relevance sort
163
+
164
+ ```sql
165
+ SELECT * FROM [jnt:content] AS n
166
+ WHERE ISDESCENDANTNODE(n, '/sites/luxe')
167
+ AND CONTAINS(n.*, 'digital')
168
+ ORDER BY SCORE(n) DESC
169
+ ```
170
+
171
+ Combine full-text with path constraints for performance.
172
+
173
+ ---
174
+
175
+ ## Joins
176
+
177
+ ```sql
178
+ SELECT * FROM [jnt:imageReferenceLink] AS img
179
+ INNER JOIN [jnt:file] AS file
180
+ ON img.[j:node] = file.[jcr:uuid]
181
+ WHERE img.[j:node] = 'UUID'
182
+ ```
183
+
184
+ Jahia supports inner joins, but keep them focused and path-constrained whenever possible.
185
+
186
+ ---
187
+
188
+ ## Using SQL2 in Jahia code
189
+
190
+ ### Template-set listing with `useJCRQuery`
191
+
192
+ ```tsx
193
+ const posts = useJCRQuery({
194
+ query: `SELECT * FROM [namespace:blogPost] AS post
195
+ WHERE ISDESCENDANTNODE(post, '/sites/${siteKey}/contents/blog')
196
+ ORDER BY post.[publicationDate] DESC`,
197
+ });
198
+ ```
199
+
200
+ ### Java back-end query execution
201
+
202
+ ```java
203
+ QueryManagerWrapper qm = session.getWorkspace().getQueryManager();
204
+ QueryWrapper query = qm.createQuery(sql2Statement, Query.JCR_SQL2);
205
+ query.setLimit(limit);
206
+ query.setOffset(offset);
207
+ JCRNodeIteratorWrapper nodes = query.execute().getNodes();
208
+ ```
209
+
210
+ **Guardrail:** never embed `LIMIT` or `OFFSET` inside the SQL2 string. Use `setLimit()` and `setOffset()`.
211
+
212
+ ---
213
+
214
+ ## Security and validation
215
+
216
+ ### Escape user input
217
+
218
+ In Java back-end code, escape user-provided values with `JCRContentUtils.sqlEncode()` before interpolating them into a SQL2 string.
219
+
220
+ ```java
221
+ String safeValue = JCRContentUtils.sqlEncode(userInput);
222
+ ```
223
+
224
+ ### Validate dynamic sort fields
225
+
226
+ If a user can choose the sort field, validate it against a whitelist before interpolating it into `ORDER BY`.
227
+
228
+ ---
229
+
230
+ ## Performance best practices
231
+
232
+ 1. Always constrain by path.
233
+ 2. Use the most specific node type possible.
234
+ 3. Keep result sets small.
235
+ 4. Prefer indexed equality filters over broad `LIKE '%...%'` patterns.
236
+ 5. Use full-text sparingly on large trees.
237
+ 6. Sort on common indexed fields such as `jcr:lastModified` or `jcr:created`.
238
+ 7. Cap API result limits to a sane maximum.
239
+
240
+ ---
241
+
242
+ ## Quick checklist
243
+
244
+ - [ ] Query has a path constraint
245
+ - [ ] Node type is specific
246
+ - [ ] Sort field is intentional and safe
247
+ - [ ] Full-text is combined with a subtree path
248
+ - [ ] Dates use `yyyy-MM-dd'T'HH:mm:ss.SSSX`
249
+ - [ ] Java code uses `setLimit()` and `setOffset()` instead of inline SQL clauses
250
+
251
+ ---
252
+
253
+ ## Related skills
254
+
255
+ - `/jahia-dev-query-content` — apply SQL2 inside Page Builder queries and JS module views
256
+ - `/jahia-dev-define-content-type` — define the content types you will query
257
+ - `/jahia-java-jcr` — implement back-end JCR logic around the query
258
+
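Review bot: the "Security and validation" section treats `JCRContentUtils.sqlEncode()` as sufficient for any user value interpolated into a SQL2 string, but the escaping only covers a quoted string literal in an equality constraint; the `%` and `_` wildcards in the "Pattern match" examples, the `OR`, `-term` and `"exact phrase"` operators listed under "Expression syntax" for `CONTAINS()`, and a property name placed inside `node.[...]` all pass through unchanged. Spell out that a user-supplied `LIKE` pattern and a user-supplied full-text term need their own handling, and extend the whitelist rule given for `ORDER BY` to any property name a caller can choose. The `useJCRQuery` example also interpolates `${siteKey}` directly into the statement while the escaping guidance is scoped to "Java back-end code"; say where `siteKey` must come from, or state that the same rule applies in JS module code. Finally, the "Quick checklist" has no entry for escaped values or whitelisted fields even though the section above it introduces both; one line such as "User-supplied values escaped, user-supplied fields whitelisted" would close that gap.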
@@ -0,0 +1,131 @@
1
+ ---
2
+ name: jahia-review-java
3
+ description: Reviews a Jahia Java/backend module (or PoC) across 6 passes — security, code health, build/packaging, documentation drift, tests, and consolidation. Produces a prioritised finding report with concrete next steps. Load supporting references from this skill's references/ folder on demand.
4
+ allowed-tools: Bash, Read
5
+ ---
6
+
7
+ # Skill: jahia-review-java
8
+
9
+ You are a senior Java/Jahia reviewer. Audit a Jahia Java module (OSGi, JCR, CND, Spring) or a PoC branch and produce a code review that is **actionable, prioritised, and reusable as input for the next review cycle**.
10
+
11
+ ## What "good" looks like
12
+
13
+ 1. **Security-first.** Every endpoint, servlet, GraphQL operation, action is mapped to its access control posture.
14
+ 2. **Concise with a path forward.** Each finding names the problem, names the fix, names the effort. No hedging.
15
+ 3. **No noise.** Style, formatting — out. Findings must survive "why does this matter for production?"
16
+ 4. **Honest about uncertainty.** When you cannot verify a claim, say so and flag for the author.
17
+ 5. **Reusable next cycle.** Output structure is stable so the next reviewer can see what was fixed, deferred, or new.
18
+
19
+ ## Operating modes
20
+
21
+ Detect from context. Ask once if genuinely ambiguous.
22
+
23
+ | Mode | Trigger | Output |
24
+ |---|---|---|
25
+ | **PR review** | GitHub MCP available + PR diff in context | Inline PR comments + one summary comment with the prioritised table |
26
+ | **Module audit** | Checked-out source, no PR context | Single `code-review-{module}-{YYYY-MM-DD}.md` at repo root |
27
+ | **PoC review** | PR/branch explicitly described as a PoC | Surface risks, missing next steps, and unknowns — not a production readiness checklist |
28
+ | **Follow-up** | A prior `code-review-*.md` exists in the repo | Update the prior doc in place — mark each finding resolved / deferred / still-open |
29
+
30
+ **PoC mode distinction:** A PoC review does not expect production-grade code. Its goal is to surface every risk, weak spot, missing business logic, and open architectural question so the team can make informed decisions before committing to the implementation. Frame each finding as "next step: team decision" rather than demanding immediate fixes. The PoC owner is not expected to have all the answers.
31
+
32
+ ## The review passes — execute in order
33
+
34
+ ### Pass 0 — Orient (never skip)
35
+
36
+ - List the source tree; identify packages by responsibility (servlets, actions, services, GraphQL, filters, OSGi components, persistence).
37
+ - Read `pom.xml`, `AGENTS.md` (if present), `README.md`, all files under `docs/` and `.harness/`.
38
+ - Read every CND file; note declared node types, mixins, namespace.
39
+ - Identify SPI surface: `Export-Package` in `pom.xml`, public interfaces, `@ProviderType` annotations.
40
+ - Note prior reviews. If one exists, switch to follow-up mode.
41
+
42
+ Output of this pass stays internal — it is your map, not written to the review.
43
+
44
+ ### Pass 1 — Security surface mapping
45
+
46
+ For every reachable surface (servlet, JAX-RS, GraphQL query/mutation, whiteboard service, filter, choicelist initializer):
47
+
48
+ 1. **Who can reach it?** Guest / authenticated / role-gated / permission-gated / internal-only.
49
+ 2. **What does it do?** Read, write, side-effect (email, HTTP, file I/O), admin operation.
50
+ 3. **How is access enforced?** Security Filter scope, CSRF Guard, `@RequirePermission`, inline ACL, session-based, none.
51
+ 4. **Is the posture documented?** A deliberate "unprotected because X" is acceptable. An undocumented gap is a finding.
52
+
53
+ Cross-reference with `/jahia-java-security` for Jahia-specific mechanisms and the full decision matrix.
54
+
55
+ ### Pass 2 — Code health
56
+
57
+ Walk the implementation. Look for:
58
+
59
+ - **Layering violations.** Business logic in servlets. JCR access bypassing services. Presentation in the service layer.
60
+ - **Oversized classes.** One class doing 5+ jobs. Each responsibility is a candidate for extraction.
61
+ - **Reinvention.** Hand-rolled encoding, escaping, date parsing where `java.time`, Commons Lang, or Guava would do it.
62
+ - **Overdesign.** Premature abstraction with one implementation. SPI hooks no consumer exists for. Factory+builder+strategy for a 30-line operation. Flag P3 unless it blocks understanding.
63
+ - **Concurrency.** Mutable fields in `@Component` services without `volatile`. Services that are not internally thread-safe but carry no documentation of caller responsibility. Read-then-act DB patterns (`SELECT MAX` + `INSERT` without serialisation). Restore/write paths that bypass or unconditionally clear caller-set locks.
64
+ - **Persistence anti-patterns.** N+1 queries. Separate tables with no attributes of their own (a correlation UUID on the row is enough). Application-managed counters instead of DB-native auto-increment. Multiple independent `Instant.now()` calls in the same logical operation (timestamp drift). Transactional asymmetry between SQL and JCR commits.
65
+ - **Error handling.** Swallowed exceptions. Fail-open on infrastructure errors. Exception in a side-effect that can abort an unrelated primary operation.
66
+ - **TODOs and leftovers.** `TODO`, `FIXME`, `XXX`, commented-out code. Each is a finding unless tracked in `docs/` or explicitly accepted in the PR description.
67
+ - **Dead payload fields.** Fields stored in the persistence model but never read by any live code path — flag as dead storage; remove or document intent.
68
+ - **Diff/delta engine gaps.** When a reverse-delta engine is present: check what entity state is NOT diffed (mixins, children, ACLs, references). Verify empty-diff short-circuits to avoid phantom versions. Verify old-value storage is actually consumed by the apply path.
69
+ - **Service locator anti-pattern.** `SpringContextSingleton.getBean()` or equivalent inside a service method — prefer `@Reference`/`@Autowired` injection.
70
+
71
+ Cross-reference with `/jahia-java-jcr` for JCR session, locking, mixin, and SNS pitfalls.
72
+ Cross-reference with `/jahia-java-osgi` for OSGi component lifecycle, reference, and export-package pitfalls.
73
+ Cross-reference with `/jahia-java-persistence` for persistence-layer anti-patterns.
74
+ Cross-reference with `/jahia-java-concurrency` for thread safety — `volatile`, locking, atomics, static fields, JCR session threading.
75
+
76
+ ### Pass 3 — Build, packaging, dependencies
77
+
78
+ - `jahia-impl` is `<scope>provided</scope>` with all transitives excluded; each used library declared explicitly.
79
+ - `Export-Package` lists only SPI surface, not implementation packages.
80
+ - Embedded libraries are commented in the POM with a *why*.
81
+ - If the module advertises an SPI for third parties, that SPI lives in a separate `*-api` artifact.
82
+
83
+ ### Pass 4 — Documentation drift
84
+
85
+ Compare every doc, harness file, and `AGENTS.md` claim against the code:
86
+ - URLs, endpoints, class names, config PIDs — do they match?
87
+ - "Not yet implemented" claims for code that is in fact implemented.
88
+ - Known-limitations sections that omit critical risks actually present in the code.
89
+ - Next-steps sections that lack coverage for risks identified in the code.
90
+
91
+ In PoC mode, the known-limitations/next-steps gap is the primary documentation finding: if the code contains dangerous or incomplete patterns, those must appear in next steps — even if not yet actionable.
92
+
93
+ ### Pass 5 — Tests
94
+
95
+ 1. Is there a `src/test/` directory? If no, list pure-function classes (parsers, validators, calculators) as test targets.
96
+ 2. For PoC mode: note which critical paths have no test coverage and which should be added before the PoC direction is validated.
97
+
98
+ ### Pass 6 — Consolidate and prioritise
99
+
100
+ - Collapse duplicate findings to one finding with multiple sites.
101
+ - Assign severity using the four-level scale below.
102
+ - Assign effort: XS (<1h), S (<half day), M (<2 days), L (more).
103
+ - Sort by severity within sections. Build the prioritised summary table.
104
+
105
+ ## Severity discipline
106
+
107
+ | Level | When to use |
108
+ |---|---|
109
+ | 🔴 P0 | Active security hole, data loss, fail-open auth, broken public contract, dangerous active code (not just a PoC TODO) |
110
+ | 🟠 P1 | Significant gap defensible only by accepting documented risk, silent partial failure, broken SPI promise |
111
+ | 🟡 P2 | Code health that compounds over time, doc drift, missing tests for critical paths |
112
+ | 🟢 P3 | Refactor opportunities, nice-to-have abstractions, minor cleanup |
113
+
114
+ When in doubt, drop one level. Inflated severity loses the reader's trust.
115
+
116
+ ## Output
117
+
118
+ Read `references/code-review-output.md` before writing. It defines section order, finding template, and summary table schema.
119
+
120
+ Two non-negotiable rules:
121
+ 1. **Each finding ends with a concrete next step** — a code change, a ticket, or an explicit "accept as-is, document the tradeoff".
122
+ 2. **Surface honest doubts.** When you cannot verify a claim, say so. The author would rather have an explicit unknown than a false certainty.
123
+
124
+ ## What not to do
125
+
126
+ - Do not lecture. The reader is a senior engineer.
127
+ - Do not flag stylistic preferences unless they map to a configured Checkstyle/PMD rule that would fail CI.
128
+ - Do not invent line numbers. Use `ClassName#methodName` as anchors.
129
+ - Do not pad. If a section has no findings, write "No findings."
130
+ - Do not split one problem into multiple findings to make the review look thorough.
131
+ - In PoC mode: do not demand answers the PoC owner cannot yet have. Frame open questions as "next step: team decision" or "add a story".
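Review bot: the frontmatter declares `allowed-tools: Bash, Read`, but two of the four operating modes require writing files: "Module audit" produces `code-review-{module}-{YYYY-MM-DD}.md` at repo root and "Follow-up" updates the prior doc in place, and "PR review" expects to post inline comments through the GitHub MCP. As written the skill can only satisfy those outputs by shelling out through Bash, which also makes the `Read` restriction meaningless. Either add the write/edit tools the output modes need, or state in the "Output" section that the report is returned as text for the caller to save. Separately, Pass 0 says to "List the source tree" and Pass 2 looks for `TODO`, `FIXME`, `XXX` markers; if search tooling is intended for those steps rather than ad hoc Bash, the allowed-tools line should name it.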