code-reviewer
Java 25 and Spring Boot 4 Reviewer
Purpose
Use this skill to run a structured review of Java 25 and Spring Boot 4 code. Keep findings grounded in the actual codebase and use the reference files only for the focus areas that apply.
Critical rules
- Never review without code context. Ask for files, diffs, or the relevant module if none is provided.
- Always cite file paths and line numbers for findings.
- Treat Java 25 and Spring Boot 4 as the target baseline unless the build files show otherwise.
- Analyze workload before recommending virtual threads, reactive rewrites, or architecture changes.
- Use JSpecify as the preferred null-safety baseline for new Boot 4 code, but confirm whether the codebase is still in transition before flagging every legacy annotation.
- Prefer official Spring and Java guidance when a claim depends on framework behavior.
Workflow
Step 1: Confirm scope
Collect the minimum context required to review accurately:
- Scope: single file, module, PR, or full codebase.
- Target versions: confirm Java and Spring Boot versions from the build files when relevant.
- Focus areas: migration, architecture, data access, security, performance, null-safety, or all.
- Testing context: whether the user expects review findings only or also fix suggestions and test impact.
Step 2: Load only the references that match the review
Load references just in time:
| Focus | Read |
|---|---|
| Spring Boot 4 migration patterns and framework deltas | references/spring-boot-4-patterns.md |
| Java 25 language and concurrency adoption | references/java-25-features.md |
| Security review | references/security-checklist.md |
| Performance review | references/performance-patterns.md |
| Architecture boundaries and packaging | references/architecture-patterns.md |
| Domain model shape | references/domain-modeling.md |
| Value-object-heavy designs | references/value-objects-patterns.md |
| Null-safety checks | references/jspecify-null-safety.md |
Escalate to another skill when needed:
- Use
spring-data-jpafor deep repository, query, and relationship work. - Use
springboot-migrationfor phased upgrade planning or upgrade execution.
Step 3: Run the review passes
Run only the passes that match the request. For a full review, use this order.
Pass A: Build and configuration
- Verify Java and Spring Boot versions in
pom.xmlorbuild.gradle. - Check starter names and migration leftovers.
- Scan for Jackson 3 migration issues, outdated test annotations, and version drift.
Pass B: API correctness
- Check controller and service boundaries.
- Check validation and error handling.
- Check nullability in public APIs and method overrides.
Pass C: Architecture and packaging
- Identify the architecture style in use.
- Verify package structure is consistent with that style.
- Flag boundary leaks such as controller-to-repository shortcuts or infrastructure types in domain code.
Pass D: Data access
- Check repository placement and aggregate boundaries.
- Check for N+1 queries, missing pagination, projection mismatches, and transaction misuse.
Pass E: Security
- Check authentication and authorization.
- Check input validation and unsafe query patterns.
- Check secrets handling and sensitive logging.
Pass F: Performance and resilience
- Check caching strategy, unbounded reads, async usage, and remote call behavior.
- Evaluate virtual-thread usage only when the code and workload justify it.
- Check timeouts, retries, and connection-pool assumptions.
Quick triggers for findings
Use these as review prompts, not as a substitute for code evidence.
Spring Boot 4 and migration
- old starter names
- old Mockito test annotations
- Jackson 2 assumptions in a Boot 4 codebase
TestRestTemplateusage instead ofRestTestClient- manual
HttpServiceProxyFactoryboilerplate instead of@ImportHttpServices - custom API versioning instead of native
spring.mvc.apiversion.* @ConcurrencyLimitor native@Retryablewithout@EnableResilientMethods
Null-safety
- missing
package-info.javawhere the project uses JSpecify - lingering
org.springframework.langannotations in code that has already moved to JSpecify - missing copied nullability annotations on overrides
Architecture
- controllers calling repositories directly
- JPA entities exposed in APIs
- modulith boundary leaks
- business logic concentrated in controllers
Performance
- entity traversal in loops
- missing pagination
- projection opportunities ignored on read-heavy paths
- virtual-thread recommendations with no workload evidence
Security
- missing authorization on privileged actions
- SQL or NoSQL injection risk
- secrets in source or logs
- unsafe error exposure
Report format
Order findings by severity and use this template:
## Critical
- **[Category]**: Issue summary
- **File**: `path/to/File.java:123`
- **Impact**: What can fail, leak, or regress
- **Fix**: Specific change to make
## High
- ...
## Medium
- ...
## Low
- ...
If there are no findings, say so explicitly and call out any remaining blind spots such as unreviewed modules, missing tests, or unavailable runtime context.
Common review modes
Quick PR review
- Read the changed files.
- Load
references/spring-boot-4-patterns.mdandreferences/java-25-features.md. - Add
references/security-checklist.mdorreferences/performance-patterns.mdif the diff touches those areas. - Report only concrete findings with file and line references.
Security review
- Read
references/security-checklist.md. - Focus on controllers, service entry points, security configuration, and persistence boundaries.
- Report exploitability and affected entry points, not just the violated rule.
Architecture review
- Read
references/architecture-patterns.md. - Add
references/domain-modeling.mdorreferences/value-objects-patterns.mdif the code suggests a rich-domain approach. - Report boundary mismatches and coupling problems tied to the current architecture style.
Migration review
- Read
references/spring-boot-4-patterns.mdandreferences/java-25-features.md. - Focus on migration leftovers, outdated APIs, and partial adoption problems.
- Use
springboot-migrationif the user wants a phased upgrade plan rather than a review.
When not to use this skill
- Kotlin-first codebases
- Non-Spring Java frameworks such as Micronaut or Quarkus
- Generic review coaching without code context
- Frontend-only changes
More from a-pavithraa/springboot-skills-marketplace
spring-data-jpa
Designs and implements Spring Data JPA repositories, projections, query patterns, custom repositories, CQRS read models, entity relationships, and persistence performance fixes for Java 25 and Spring Boot 4 projects. Use when the task needs repository-boundary decisions or concrete JPA implementation patterns from this skill. Do not use for generic SQL help or project-wide migration work that belongs in another skill.
53springboot-migration
Migrates Spring Boot applications to Boot 4 with Java 25, including related Spring Modulith 2 and Testcontainers 2 upgrade work. Use when the task is a concrete upgrade, dependency transition, starter rename, test-annotation migration, or phased migration plan. Do not use for greenfield project creation or for isolated repository design questions.
46creating-springboot-projects
Creates Java 25 and Spring Boot 4 project structures, scaffolds, and implementation starting points for new services, REST APIs, and modular backends. Use when the task is to initialize a Spring Boot project, choose an architecture, select Spring Boot 4 features, or apply the bundled templates and references in this skill. Do not use for migrating existing projects or for isolated JPA/repository work without broader project-creation context.
36java25-springboot4-reviewer
Comprehensive code review for Java 25 and Spring Boot 4 apps. Use when reviewing, checking, auditing, or analyzing Java/Spring Boot code (files, modules, PRs, or full codebases) for migration risks, Spring Boot 4 best practices, JSpecify null-safety, security vulnerabilities, performance bottlenecks, data access pitfalls, architecture boundaries (DDD/Hexagonal/Spring Modulith), or modern Java 25 usage.
12