Open Source · Java · Spring Boot · AI Engineering

Spring AI

AI-first engineering workflows for Java and Spring Boot

The same discipline that powers my Drupal AI system —
now built for the Spring Boot ecosystem.

Architecture enforcement Security-first reviews Repeatable quality at scale

Spring Boot teams don't fail for lack of frameworks.
They fail for lack of discipline at scale.

Inconsistent codebase patterns across PRs

Security gaps that pass code review

Technical debt that compounds with every feature

Spring AI is not a set of prompts.
It's structured AI infrastructure for Spring Boot teams.

🧠

Skills

Deep Spring Boot knowledge — JPA, Security, OpenAPI, testing patterns. 6 skills

🤖

Agents

Specialized reviewers — architecture, security, testing, API design. 4 agents

📋

Rules

Always-on constraints — SOLID, clean code, Spring Boot standards, security. 5 rule files

⚙️

Hooks

Automated quality gates — tests, Checkstyle, OpenAPI validation. automated

❌ "AI copilot"
✅ engineering infrastructure

6 domain knowledge modules

Each skill file encodes deep expertise for one area of the Spring ecosystem. The AI loads only what it needs — no bloated context, no guessed patterns.

🌱Spring BootProject structure, DTOs, constructor injection, exception handling, REST design
🔐Security + JWTSecurityFilterChain, JWT filter, method security, CORS, OAuth2 resource server
🗄️Spring Data JPAEntity design, N+1 prevention, EntityGraph, transactions, pagination
🧪TestingJUnit 5, Mockito, WebMvcTest, SpringBootTest, MockMvc, test builders
🐘PostgreSQL + FlywayMigration naming, index strategy, rollback safety, Docker Compose setup
📋OpenAPISpringdoc setup, @Operation, @Schema, security scheme, disable in production

4 specialized reviewers

Agents are task-specific. Each one knows its domain, loads the right skills, and applies a precise quality bar before returning results.

java-reviewer reviews

General Java/Spring code review — correctness, patterns, N+1 risks, missing null checks, performance.

security-reviewer secures

Deep security audit — JWT implementation, Spring Security config, OWASP Top 10, dependency CVEs.

test-reviewer validates

Test quality review — JUnit 5/Mockito correctness, coverage gaps, missing edge and security cases.

api-reviewer designs

REST API design — endpoint naming, HTTP methods, response codes, OpenAPI documentation completeness.

5 enforcement files

Rules are always-on. They apply to every agent, every task, every output — without being loaded explicitly. No discipline required from the engineer calling the AI.

spring-boot.mdEnforce Controller→Service→Repository. Constructor injection only. No entity exposure in responses. Transaction placement.
clean-code.mdNaming conventions, method length, single responsibility, no magic strings, immutable DTOs.
solid.mdSOLID principles with concrete Spring Boot examples — strategy pattern, interface segregation, DI.
testing.mdCoverage minimums, test type scope, naming convention, what not to test.
security.mdAuth requirements, authorization defaults, input validation, data handling, dependency scanning.
View all rules on GitHub →

Automated quality gates

Hooks are shell scripts that execute automatically on Claude Code events. Tests run. Style is checked. The spec is validated. No manual setup required per-session.

PostToolUse · code changes
run-tests.sh

Runs mvn test (or Gradle) after Java file edits. Build failure blocks the next action.

PostToolUse · code changes
checkstyle.sh

Runs Checkstyle against the project ruleset. Enforces code style without a human in the loop.

PostToolUse · API changes
openapi-validate.sh

Generates the OpenAPI spec and validates it with Redocly. Catches undocumented endpoints and schema errors.

Hooks execute outside the AI context — deterministic, not probabilistic. Configured in .claude/settings.json.

One command. A complete PR review.

review-pr

Run from any Spring Boot project. Reviews the current branch diff against main, or a specific PR by number.

What it reviews

Controller → Service → Repository layering
DTO usage — no entity exposure
Spring Data JPA relationships
Hibernate N+1 query risks
@Transactional placement
JWT / OAuth2 security
JUnit 5 + Mockito test coverage
Flyway / Liquibase migrations
OpenAPI / Swagger documentation
GitHub Actions CI/CD readiness
OWASP security risks
Missing tests and edge cases

Real files. Real reviews. Repeatable results.

These are actual files from the repository. Drop them into your Spring Boot project and they work immediately.

.claude/skills/spring-data-jpa.md
---
name: spring-data-jpa
description: Spring Data JPA patterns — entity design, relationships,
  repositories, N+1 prevention, pagination, and transactions.
---

# N+1 Prevention

## Bad: triggers N+1 when accessing user.getOrders()
List<User> users = userRepository.findAll();

## Good: JOIN FETCH
@Query("SELECT u FROM User u LEFT JOIN FETCH u.orders WHERE u.status = 'ACTIVE'")
List<User> findActiveUsersWithOrders();

## Good: EntityGraph
@EntityGraph(attributePaths = {"orders", "orders.items"})
List<User> findAll();

# Transactions

@Service
@Transactional(readOnly = true)  // default for reads
public class OrderService {

    @Transactional  // override for writes
    public OrderResponse createOrder(CreateOrderRequest request) {
        // all saves here run in one transaction
    }
}
.claude/agents/security-reviewer.md
---
name: security-reviewer
description: Security-focused agent for Spring Boot applications.
  Reviews JWT, Spring Security, input validation, OWASP Top 10.
tools: Read, Bash, Grep, Glob
skills:
  - spring-security-jwt
  - spring-boot
---

## Security checklist

**Authentication**
- [ ] JWT secret loaded from environment variable, not hardcoded
- [ ] Token expiry validated on every request
- [ ] Refresh token rotation implemented

**Authorization**
- [ ] All endpoints explicitly permitted or protected
- [ ] @PreAuthorize used for method-level control
- [ ] No privilege escalation paths

**Input Validation**
- [ ] All request bodies validated with @Valid
- [ ] No string concatenation in JPQL or native SQL
- [ ] File upload size limits enforced

**Data Security**
- [ ] Passwords hashed with BCrypt (strength ≥ 12)
- [ ] PII never logged at any level
- [ ] `password` field excluded from JSON responses
Example /review-pr output
# PR Review — feature/add-order-endpoint

## Summary
Adds the POST /api/v1/orders endpoint and the associated
OrderService and OrderRepository. Architecture is correct.
Two blocking issues must be resolved before merge.

## Risk Level
Medium

## JPA / Database Review
⚠ BLOCKER — OrderService.createOrder() lacks @Transactional.
If the save() fails after the status update, the DB is left
in a partially-written state.

## Architecture Review
⚠ BLOCKER — OrderController.getOrder() returns the Order entity
directly. Expose OrderResponse DTO to decouple the DB schema
from the API contract.

## Testing Review
Missing: createOrder_whenUserNotFound_throwsNotFoundException
Missing: getOrder_whenUnauthenticated_returns401

## Final Recommendation
REQUEST CHANGES

This project reflects how I approach systems.

01 / LAYERINGArchitecture enforced, not suggested
02 / SECURITYSecurity first, not an afterthought
03 / SCALEDesign for teams, not individuals
04 / AITreat AI as infrastructure, not a shortcut

Eduardo Telaya

Senior Software Engineer and international speaker focused on Java, Spring Boot, Drupal, and AI-assisted engineering workflows.

Java & SpringEnterprise backend engineering
Drupal AISame methodology, different platform
AI workflowsBuilt for teams, not one-off scripts
SpeakerInternational conferences

If you build Spring Boot APIs at scale
and want AI to actually raise the quality bar —

Use it. Fork it. Adapt it to your stack. Or use it as a reference to build your own AI engineering system.

Sponsored by heydru!  —  Enterprise backend engineering and AI-assisted development workflows.