oh-my-customcode 0.10.0 → 0.10.1

package/dist/cli/index.js

@@ -12301,8 +12301,38 @@ var $visitAsync = visit.visitAsync;
 import { join as join2 } from "node:path";
 
 // src/utils/fs.ts
-import { dirname, isAbsolute, join, relative, resolve, sep } from "node:path";
+import { dirname, isAbsolute, join, normalize, relative, resolve, sep } from "node:path";
 import { fileURLToPath } from "node:url";
+function validatePreserveFilePath(filePath, projectRoot) {
+  if (!filePath || filePath.trim() === "") {
+    return {
+      valid: false,
+      reason: "Path cannot be empty"
+    };
+  }
+  if (isAbsolute(filePath)) {
+    return {
+      valid: false,
+      reason: "Absolute paths are not allowed"
+    };
+  }
+  const normalizedPath = normalize(filePath);
+  if (normalizedPath.startsWith("..")) {
+    return {
+      valid: false,
+      reason: "Path cannot traverse outside project root"
+    };
+  }
+  const resolvedPath = resolve(projectRoot, normalizedPath);
+  const relativePath = relative(projectRoot, resolvedPath);
+  if (relativePath.startsWith("..") || isAbsolute(relativePath)) {
+    return {
+      valid: false,
+      reason: "Resolved path escapes project root"
+    };
+  }
+  return { valid: true };
+}
 async function fileExists(path) {
   const fs = await import("node:fs/promises");
   try {
@@ -12691,7 +12721,7 @@ async function loadConfig(targetDir) {
   if (await fileExists(configPath)) {
     try {
       const config = await readJsonFile(configPath);
-      const merged = mergeConfig(getDefaultConfig(), config);
+      const merged = mergeConfig(getDefaultConfig(), config, targetDir);
       if (merged.configVersion < CURRENT_CONFIG_VERSION) {
         const migrated = migrateConfig(merged);
         await saveConfig(targetDir, migrated);
@@ -12720,7 +12750,30 @@ function deduplicateCustomComponents(components) {
   }
   return [...seen.values()];
 }
-function mergeConfig(defaults, overrides) {
+function mergeConfig(defaults, overrides, targetDir) {
+  let mergedPreserveFiles;
+  if (overrides.preserveFiles) {
+    const allFiles = [...new Set([...defaults.preserveFiles || [], ...overrides.preserveFiles])];
+    if (targetDir) {
+      const validatedFiles = [];
+      for (const filePath of allFiles) {
+        const validation = validatePreserveFilePath(filePath, targetDir);
+        if (validation.valid) {
+          validatedFiles.push(filePath);
+        } else {
+          warn("config.invalid_preserve_path", {
+            path: filePath,
+            reason: validation.reason ?? "Invalid path"
+          });
+        }
+      }
+      mergedPreserveFiles = validatedFiles;
+    } else {
+      mergedPreserveFiles = allFiles;
+    }
+  } else {
+    mergedPreserveFiles = defaults.preserveFiles;
+  }
   return {
     ...defaults,
     ...overrides,
@@ -12734,7 +12787,7 @@ function mergeConfig(defaults, overrides) {
       ...defaults.agents,
       ...overrides.agents
     },
-    preserveFiles: overrides.preserveFiles ? [...new Set([...defaults.preserveFiles || [], ...overrides.preserveFiles])] : defaults.preserveFiles,
+    preserveFiles: mergedPreserveFiles,
     customComponents: overrides.customComponents ? deduplicateCustomComponents([
       ...defaults.customComponents || [],
       ...overrides.customComponents
@@ -14362,27 +14415,63 @@ function resolveConfigPreserveFiles(options, config) {
   if (options.forceOverwriteAll) {
     return [];
   }
-  return config.preserveFiles || [];
+  const preserveFiles = config.preserveFiles || [];
+  const validatedPaths = [];
+  for (const filePath of preserveFiles) {
+    const validation = validatePreserveFilePath(filePath, options.targetDir);
+    if (validation.valid) {
+      validatedPaths.push(filePath);
+    } else {
+      warn("preserve_files.invalid_path", {
+        path: filePath,
+        reason: validation.reason ?? "Invalid path"
+      });
+    }
+  }
+  return validatedPaths;
 }
-function resolveCustomizations(customizations, configPreserveFiles) {
-  if (!customizations && configPreserveFiles.length === 0) {
-    return null;
+function resolveCustomizations(customizations, configPreserveFiles, targetDir) {
+  const validatedManifestFiles = [];
+  if (customizations && customizations.preserveFiles.length > 0) {
+    for (const filePath of customizations.preserveFiles) {
+      const validation = validatePreserveFilePath(filePath, targetDir);
+      if (validation.valid) {
+        validatedManifestFiles.push(filePath);
+      } else {
+        warn("preserve_files.invalid_path", {
+          path: filePath,
+          reason: validation.reason ?? "Invalid path",
+          source: "manifest"
+        });
+      }
+    }
   }
-  if (customizations && configPreserveFiles.length > 0) {
-    customizations.preserveFiles = [
-      ...new Set([...customizations.preserveFiles, ...configPreserveFiles])
-    ];
-    return customizations;
+  if (validatedManifestFiles.length === 0 && configPreserveFiles.length === 0) {
+    return customizations && customizations.modifiedFiles.length > 0 ? customizations : null;
+  }
+  if (validatedManifestFiles.length > 0 && configPreserveFiles.length > 0) {
+    const merged = customizations || {
+      modifiedFiles: [],
+      preserveFiles: [],
+      customComponents: [],
+      lastUpdated: new Date().toISOString()
+    };
+    merged.preserveFiles = [...new Set([...validatedManifestFiles, ...configPreserveFiles])];
+    return merged;
   }
   if (configPreserveFiles.length > 0) {
     return {
-      modifiedFiles: [],
+      modifiedFiles: customizations?.modifiedFiles || [],
       preserveFiles: configPreserveFiles,
-      customComponents: [],
+      customComponents: customizations?.customComponents || [],
       lastUpdated: new Date().toISOString()
     };
   }
-  return customizations;
+  if (customizations) {
+    customizations.preserveFiles = validatedManifestFiles;
+    return customizations;
+  }
+  return null;
 }
 async function updateEntryDoc(targetDir, provider, config, options) {
   const layout = getProviderLayout(provider);
@@ -14437,7 +14526,7 @@ async function update(options) {
     await handleBackupIfRequested(options.targetDir, provider, !!options.backup, result);
     const manifestCustomizations = await resolveManifestCustomizations(options, options.targetDir);
     const configPreserveFiles = resolveConfigPreserveFiles(options, config);
-    const customizations = resolveCustomizations(manifestCustomizations, configPreserveFiles);
+    const customizations = resolveCustomizations(manifestCustomizations, configPreserveFiles, options.targetDir);
     const components = options.components || getAllUpdateComponents();
     await updateAllComponents(options.targetDir, provider, components, updateCheck, customizations, options, result, config);
     if (!options.components || options.components.length === 0) {

package/dist/index.js

@@ -5,8 +5,38 @@ var __require = /* @__PURE__ */ createRequire(import.meta.url);
 import { join as join2 } from "node:path";
 
 // src/utils/fs.ts
-import { dirname, isAbsolute, join, relative, resolve, sep } from "node:path";
+import { dirname, isAbsolute, join, normalize, relative, resolve, sep } from "node:path";
 import { fileURLToPath } from "node:url";
+function validatePreserveFilePath(filePath, projectRoot) {
+  if (!filePath || filePath.trim() === "") {
+    return {
+      valid: false,
+      reason: "Path cannot be empty"
+    };
+  }
+  if (isAbsolute(filePath)) {
+    return {
+      valid: false,
+      reason: "Absolute paths are not allowed"
+    };
+  }
+  const normalizedPath = normalize(filePath);
+  if (normalizedPath.startsWith("..")) {
+    return {
+      valid: false,
+      reason: "Path cannot traverse outside project root"
+    };
+  }
+  const resolvedPath = resolve(projectRoot, normalizedPath);
+  const relativePath = relative(projectRoot, resolvedPath);
+  if (relativePath.startsWith("..") || isAbsolute(relativePath)) {
+    return {
+      valid: false,
+      reason: "Resolved path escapes project root"
+    };
+  }
+  return { valid: true };
+}
 async function fileExists(path) {
   const fs = await import("node:fs/promises");
   try {
@@ -386,7 +416,7 @@ async function loadConfig(targetDir) {
   if (await fileExists(configPath)) {
     try {
       const config = await readJsonFile(configPath);
-      const merged = mergeConfig(getDefaultConfig(), config);
+      const merged = mergeConfig(getDefaultConfig(), config, targetDir);
       if (merged.configVersion < CURRENT_CONFIG_VERSION) {
         const migrated = migrateConfig(merged);
         await saveConfig(targetDir, migrated);
@@ -415,7 +445,30 @@ function deduplicateCustomComponents(components) {
   }
   return [...seen.values()];
 }
-function mergeConfig(defaults, overrides) {
+function mergeConfig(defaults, overrides, targetDir) {
+  let mergedPreserveFiles;
+  if (overrides.preserveFiles) {
+    const allFiles = [...new Set([...defaults.preserveFiles || [], ...overrides.preserveFiles])];
+    if (targetDir) {
+      const validatedFiles = [];
+      for (const filePath of allFiles) {
+        const validation = validatePreserveFilePath(filePath, targetDir);
+        if (validation.valid) {
+          validatedFiles.push(filePath);
+        } else {
+          warn("config.invalid_preserve_path", {
+            path: filePath,
+            reason: validation.reason ?? "Invalid path"
+          });
+        }
+      }
+      mergedPreserveFiles = validatedFiles;
+    } else {
+      mergedPreserveFiles = allFiles;
+    }
+  } else {
+    mergedPreserveFiles = defaults.preserveFiles;
+  }
   return {
     ...defaults,
     ...overrides,
@@ -429,7 +482,7 @@ function mergeConfig(defaults, overrides) {
       ...defaults.agents,
       ...overrides.agents
     },
-    preserveFiles: overrides.preserveFiles ? [...new Set([...defaults.preserveFiles || [], ...overrides.preserveFiles])] : defaults.preserveFiles,
+    preserveFiles: mergedPreserveFiles,
     customComponents: overrides.customComponents ? deduplicateCustomComponents([
       ...defaults.customComponents || [],
       ...overrides.customComponents
@@ -1075,27 +1128,63 @@ function resolveConfigPreserveFiles(options, config) {
   if (options.forceOverwriteAll) {
     return [];
   }
-  return config.preserveFiles || [];
+  const preserveFiles = config.preserveFiles || [];
+  const validatedPaths = [];
+  for (const filePath of preserveFiles) {
+    const validation = validatePreserveFilePath(filePath, options.targetDir);
+    if (validation.valid) {
+      validatedPaths.push(filePath);
+    } else {
+      warn("preserve_files.invalid_path", {
+        path: filePath,
+        reason: validation.reason ?? "Invalid path"
+      });
+    }
+  }
+  return validatedPaths;
 }
-function resolveCustomizations(customizations, configPreserveFiles) {
-  if (!customizations && configPreserveFiles.length === 0) {
-    return null;
+function resolveCustomizations(customizations, configPreserveFiles, targetDir) {
+  const validatedManifestFiles = [];
+  if (customizations && customizations.preserveFiles.length > 0) {
+    for (const filePath of customizations.preserveFiles) {
+      const validation = validatePreserveFilePath(filePath, targetDir);
+      if (validation.valid) {
+        validatedManifestFiles.push(filePath);
+      } else {
+        warn("preserve_files.invalid_path", {
+          path: filePath,
+          reason: validation.reason ?? "Invalid path",
+          source: "manifest"
+        });
+      }
+    }
   }
-  if (customizations && configPreserveFiles.length > 0) {
-    customizations.preserveFiles = [
-      ...new Set([...customizations.preserveFiles, ...configPreserveFiles])
-    ];
-    return customizations;
+  if (validatedManifestFiles.length === 0 && configPreserveFiles.length === 0) {
+    return customizations && customizations.modifiedFiles.length > 0 ? customizations : null;
+  }
+  if (validatedManifestFiles.length > 0 && configPreserveFiles.length > 0) {
+    const merged = customizations || {
+      modifiedFiles: [],
+      preserveFiles: [],
+      customComponents: [],
+      lastUpdated: new Date().toISOString()
+    };
+    merged.preserveFiles = [...new Set([...validatedManifestFiles, ...configPreserveFiles])];
+    return merged;
   }
   if (configPreserveFiles.length > 0) {
     return {
-      modifiedFiles: [],
+      modifiedFiles: customizations?.modifiedFiles || [],
       preserveFiles: configPreserveFiles,
-      customComponents: [],
+      customComponents: customizations?.customComponents || [],
       lastUpdated: new Date().toISOString()
     };
   }
-  return customizations;
+  if (customizations) {
+    customizations.preserveFiles = validatedManifestFiles;
+    return customizations;
+  }
+  return null;
 }
 async function updateEntryDoc(targetDir, provider, config, options) {
   const layout = getProviderLayout(provider);
@@ -1150,7 +1239,7 @@ async function update(options) {
     await handleBackupIfRequested(options.targetDir, provider, !!options.backup, result);
     const manifestCustomizations = await resolveManifestCustomizations(options, options.targetDir);
     const configPreserveFiles = resolveConfigPreserveFiles(options, config);
-    const customizations = resolveCustomizations(manifestCustomizations, configPreserveFiles);
+    const customizations = resolveCustomizations(manifestCustomizations, configPreserveFiles, options.targetDir);
     const components = options.components || getAllUpdateComponents();
     await updateAllComponents(options.targetDir, provider, components, updateCheck, customizations, options, result, config);
     if (!options.components || options.components.length === 0) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "oh-my-customcode",
-  "version": "0.10.0",
+  "version": "0.10.1",
   "description": "Batteries-included agent harness for Claude Code",
   "type": "module",
   "bin": {

package/templates/.claude/skills/springboot-best-practices/SKILL.md

@@ -25,104 +25,22 @@ public class UserService {
 ### 3. REST API Design
 @RestController + @RequestMapping. Use @Validated for input, ResponseEntity for responses, proper HTTP status codes.
 
-```java
-@RestController
-@RequestMapping("/api/v1/users")
-@RequiredArgsConstructor
-public class UserController {
-    private final UserService userService;
-
-    @GetMapping("/{id}")
-    public ResponseEntity<UserResponse> getUser(@PathVariable Long id) {
-        return ResponseEntity.ok(userService.findById(id));
-    }
-
-    @PostMapping
-    @ResponseStatus(HttpStatus.CREATED)
-    public UserResponse createUser(@Valid @RequestBody UserRequest request) {
-        return userService.create(request);
-    }
-}
-```
+See `examples/controller-example.java` for reference implementation.
 
 ### 4. Service Layer
 Business logic in services. @Transactional boundaries at service level. Interface + implementation pattern.
 
-```java
-@Service
-@Transactional(readOnly = true)
-@RequiredArgsConstructor
-public class UserServiceImpl implements UserService {
-    private final UserRepository userRepository;
-
-    @Override
-    public UserResponse findById(Long id) {
-        User user = userRepository.findById(id)
-            .orElseThrow(() -> new UserNotFoundException(id));
-        return userMapper.toResponse(user);
-    }
-
-    @Override
-    @Transactional
-    public UserResponse create(UserRequest request) {
-        User user = userMapper.toEntity(request);
-        return userMapper.toResponse(userRepository.save(user));
-    }
-}
-```
+See `examples/service-example.java` for reference implementation.
 
 ### 5. Data Access
 Spring Data JPA. @Query or method naming for custom queries. @Entity with proper JPA annotations.
 
-```java
-public interface UserRepository extends JpaRepository<User, Long> {
-    Optional<User> findByEmail(String email);
-
-    @Query("SELECT u FROM User u WHERE u.status = :status")
-    List<User> findByStatus(@Param("status") UserStatus status);
-}
-
-@Entity
-@Table(name = "users")
-@Getter
-@NoArgsConstructor(access = AccessLevel.PROTECTED)
-public class User {
-    @Id
-    @GeneratedValue(strategy = GenerationType.IDENTITY)
-    private Long id;
-
-    @Column(nullable = false, unique = true)
-    private String email;
-
-    @Enumerated(EnumType.STRING)
-    private UserStatus status;
-}
-```
+See `examples/repository-example.java` and `examples/entity-example.java` for reference implementations.
 
 ### 6. Exception Handling
 @RestControllerAdvice for global handling. Domain-specific exceptions with proper HTTP status mapping.
 
-```java
-@RestControllerAdvice
-public class GlobalExceptionHandler {
-    @ExceptionHandler(UserNotFoundException.class)
-    @ResponseStatus(HttpStatus.NOT_FOUND)
-    public ErrorResponse handleUserNotFound(UserNotFoundException ex) {
-        return new ErrorResponse("USER_NOT_FOUND", ex.getMessage());
-    }
-
-    @ExceptionHandler(MethodArgumentNotValidException.class)
-    @ResponseStatus(HttpStatus.BAD_REQUEST)
-    public ErrorResponse handleValidation(MethodArgumentNotValidException ex) {
-        List<String> errors = ex.getBindingResult()
-            .getFieldErrors()
-            .stream()
-            .map(e -> e.getField() + ": " + e.getDefaultMessage())
-            .toList();
-        return new ErrorResponse("VALIDATION_ERROR", errors);
-    }
-}
-```
+See `examples/exception-handler-example.java` for reference implementation.
 
 ### 7. Configuration
 Profile-based: application-{profile}.yml. @ConfigurationProperties for type-safe config. Externalize sensitive values.
@@ -138,80 +56,17 @@ spring:
     password: ${DATABASE_PASSWORD}
 ```
 
-```java
-@Configuration
-@ConfigurationProperties(prefix = "app")
-@Validated
-public class AppProperties {
-    @NotBlank
-    private String name;
-
-    @Min(1)
-    private int maxConnections;
-}
-```
+See `examples/config-properties-example.java` for type-safe configuration properties.
 
 ### 8. Security
 Spring Security with SecurityFilterChain. Externalize secrets. Proper authentication/authorization patterns.
 
-```java
-@Configuration
-@EnableWebSecurity
-@RequiredArgsConstructor
-public class SecurityConfig {
-    @Bean
-    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-        return http
-            .csrf(csrf -> csrf.disable())
-            .sessionManagement(session ->
-                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
-            .authorizeHttpRequests(auth -> auth
-                .requestMatchers("/api/v1/auth/**").permitAll()
-                .requestMatchers("/api/v1/admin/**").hasRole("ADMIN")
-                .anyRequest().authenticated())
-            .build();
-    }
-}
-```
+See `examples/security-config-example.java` for reference implementation.
 
 ### 9. Testing
 @WebMvcTest (controller), @DataJpaTest (repository), @SpringBootTest (integration), @MockBean for mocking.
 
-```java
-// Controller test
-@WebMvcTest(UserController.class)
-class UserControllerTest {
-    @Autowired
-    private MockMvc mockMvc;
-
-    @MockBean
-    private UserService userService;
-
-    @Test
-    void getUser_shouldReturnUser() throws Exception {
-        given(userService.findById(1L))
-            .willReturn(new UserResponse(1L, "test@example.com"));
-
-        mockMvc.perform(get("/api/v1/users/1"))
-            .andExpect(status().isOk())
-            .andExpect(jsonPath("$.email").value("test@example.com"));
-    }
-}
-
-// Repository test
-@DataJpaTest
-class UserRepositoryTest {
-    @Autowired
-    private UserRepository userRepository;
-
-    @Test
-    void findByEmail_shouldReturnUser() {
-        User user = userRepository.save(new User("test@example.com"));
-        Optional<User> found = userRepository.findByEmail("test@example.com");
-        assertThat(found).isPresent();
-    }
-}
-```
+See `examples/controller-test-example.java` and `examples/repository-test-example.java` for reference implementations.
 
 ## Application
 

package/templates/.claude/skills/springboot-best-practices/examples/config-properties-example.java

@@ -0,0 +1,22 @@
+package com.example.demo.config;
+
+import jakarta.validation.constraints.Min;
+import jakarta.validation.constraints.NotBlank;
+import lombok.Getter;
+import lombok.Setter;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.validation.annotation.Validated;
+
+@Configuration
+@ConfigurationProperties(prefix = "app")
+@Validated
+@Getter
+@Setter
+public class AppProperties {
+    @NotBlank
+    private String name;
+
+    @Min(1)
+    private int maxConnections;
+}

package/templates/.claude/skills/springboot-best-practices/examples/controller-example.java

@@ -0,0 +1,28 @@
+package com.example.demo.controller;
+
+import com.example.demo.dto.UserRequest;
+import com.example.demo.dto.UserResponse;
+import com.example.demo.service.UserService;
+import jakarta.validation.Valid;
+import lombok.RequiredArgsConstructor;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.*;
+
+@RestController
+@RequestMapping("/api/v1/users")
+@RequiredArgsConstructor
+public class UserController {
+    private final UserService userService;
+
+    @GetMapping("/{id}")
+    public ResponseEntity<UserResponse> getUser(@PathVariable Long id) {
+        return ResponseEntity.ok(userService.findById(id));
+    }
+
+    @PostMapping
+    @ResponseStatus(HttpStatus.CREATED)
+    public UserResponse createUser(@Valid @RequestBody UserRequest request) {
+        return userService.create(request);
+    }
+}

package/templates/.claude/skills/springboot-best-practices/examples/controller-test-example.java

@@ -0,0 +1,33 @@
+package com.example.demo.controller;
+
+import com.example.demo.dto.UserResponse;
+import com.example.demo.service.UserService;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
+import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.test.web.servlet.MockMvc;
+
+import static org.mockito.BDDMockito.given;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@WebMvcTest(UserController.class)
+class UserControllerTest {
+    @Autowired
+    private MockMvc mockMvc;
+
+    @MockBean
+    private UserService userService;
+
+    @Test
+    void getUser_shouldReturnUser() throws Exception {
+        given(userService.findById(1L))
+            .willReturn(new UserResponse(1L, "test@example.com"));
+
+        mockMvc.perform(get("/api/v1/users/1"))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$.email").value("test@example.com"));
+    }
+}

package/templates/.claude/skills/springboot-best-practices/examples/entity-example.java

@@ -0,0 +1,22 @@
+package com.example.demo.entity;
+
+import jakarta.persistence.*;
+import lombok.AccessLevel;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+
+@Entity
+@Table(name = "users")
+@Getter
+@NoArgsConstructor(access = AccessLevel.PROTECTED)
+public class User {
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    private Long id;
+
+    @Column(nullable = false, unique = true)
+    private String email;
+
+    @Enumerated(EnumType.STRING)
+    private UserStatus status;
+}

package/templates/.claude/skills/springboot-best-practices/examples/exception-handler-example.java

@@ -0,0 +1,30 @@
+package com.example.demo.exception;
+
+import com.example.demo.dto.ErrorResponse;
+import org.springframework.http.HttpStatus;
+import org.springframework.web.bind.MethodArgumentNotValidException;
+import org.springframework.web.bind.annotation.ExceptionHandler;
+import org.springframework.web.bind.annotation.ResponseStatus;
+import org.springframework.web.bind.annotation.RestControllerAdvice;
+
+import java.util.List;
+
+@RestControllerAdvice
+public class GlobalExceptionHandler {
+    @ExceptionHandler(UserNotFoundException.class)
+    @ResponseStatus(HttpStatus.NOT_FOUND)
+    public ErrorResponse handleUserNotFound(UserNotFoundException ex) {
+        return new ErrorResponse("USER_NOT_FOUND", ex.getMessage());
+    }
+
+    @ExceptionHandler(MethodArgumentNotValidException.class)
+    @ResponseStatus(HttpStatus.BAD_REQUEST)
+    public ErrorResponse handleValidation(MethodArgumentNotValidException ex) {
+        List<String> errors = ex.getBindingResult()
+            .getFieldErrors()
+            .stream()
+            .map(e -> e.getField() + ": " + e.getDefaultMessage())
+            .toList();
+        return new ErrorResponse("VALIDATION_ERROR", errors);
+    }
+}

package/templates/.claude/skills/springboot-best-practices/examples/repository-example.java

@@ -0,0 +1,17 @@
+package com.example.demo.repository;
+
+import com.example.demo.entity.User;
+import com.example.demo.entity.UserStatus;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.Query;
+import org.springframework.data.repository.query.Param;
+
+import java.util.List;
+import java.util.Optional;
+
+public interface UserRepository extends JpaRepository<User, Long> {
+    Optional<User> findByEmail(String email);
+
+    @Query("SELECT u FROM User u WHERE u.status = :status")
+    List<User> findByStatus(@Param("status") UserStatus status);
+}

package/templates/.claude/skills/springboot-best-practices/examples/repository-test-example.java

@@ -0,0 +1,23 @@
+package com.example.demo.repository;
+
+import com.example.demo.entity.User;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.orm.jpa.DataJpaTest;
+
+import java.util.Optional;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+@DataJpaTest
+class UserRepositoryTest {
+    @Autowired
+    private UserRepository userRepository;
+
+    @Test
+    void findByEmail_shouldReturnUser() {
+        User user = userRepository.save(new User("test@example.com"));
+        Optional<User> found = userRepository.findByEmail("test@example.com");
+        assertThat(found).isPresent();
+    }
+}

package/templates/.claude/skills/springboot-best-practices/examples/security-config-example.java

@@ -0,0 +1,27 @@
+package com.example.demo.config;
+
+import lombok.RequiredArgsConstructor;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.web.SecurityFilterChain;
+
+@Configuration
+@EnableWebSecurity
+@RequiredArgsConstructor
+public class SecurityConfig {
+    @Bean
+    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+        return http
+            .csrf(csrf -> csrf.disable())
+            .sessionManagement(session ->
+                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+            .authorizeHttpRequests(auth -> auth
+                .requestMatchers("/api/v1/auth/**").permitAll()
+                .requestMatchers("/api/v1/admin/**").hasRole("ADMIN")
+                .anyRequest().authenticated())
+            .build();
+    }
+}

package/templates/.claude/skills/springboot-best-practices/examples/service-example.java

@@ -0,0 +1,33 @@
+package com.example.demo.service;
+
+import com.example.demo.dto.UserRequest;
+import com.example.demo.dto.UserResponse;
+import com.example.demo.entity.User;
+import com.example.demo.exception.UserNotFoundException;
+import com.example.demo.mapper.UserMapper;
+import com.example.demo.repository.UserRepository;
+import lombok.RequiredArgsConstructor;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+
+@Service
+@Transactional(readOnly = true)
+@RequiredArgsConstructor
+public class UserServiceImpl implements UserService {
+    private final UserRepository userRepository;
+    private final UserMapper userMapper;
+
+    @Override
+    public UserResponse findById(Long id) {
+        User user = userRepository.findById(id)
+            .orElseThrow(() -> new UserNotFoundException(id));
+        return userMapper.toResponse(user);
+    }
+
+    @Override
+    @Transactional
+    public UserResponse create(UserRequest request) {
+        User user = userMapper.toEntity(request);
+        return userMapper.toResponse(userRepository.save(user));
+    }
+}