spring-kotlin-code-review
Spring Kotlin Code Review
Source mapping: Tier 1 critical skill derived from Kotlin_Spring_Developer_Pipeline.md (SK-21).
Mission
Review changes the way a strong Kotlin plus Spring teammate would review them: behavior first, risk first, evidence first. Optimize for catching bugs, regressions, and missing tests, not for polishing style.
Read In This Order
- Diff or changed files.
- Related tests.
- Configuration or build file changes.
- Impacted controllers, services, repositories, security config, and migrations.
- Project conventions from
project-context-ingestionif available.
Review Dimensions
Check every relevant change for:
- transaction boundaries and rollback behavior
- proxy compatibility and self-invocation traps
- bean wiring and configuration safety
- API contract, validation, and serialization correctness
- JPA or repository correctness and performance
- security exposure and authorization drift
- concurrency, retries, and idempotency risks
- observability regressions
- test adequacy and missing failure-path coverage
- Kotlin-specific problems such as
!!, unsafe platform types, and misuse oflateinit
Output Contract
Return findings first and order them by severity. Use this structure:
Findings: each finding should name the risk, explain the consequence, and point to the relevant file and line when available.Open questions or assumptions: only where uncertainty changes the review outcome.Summary: only after findings, and only briefly.
If no material findings exist, say so explicitly and still note residual risk or testing gaps.
What Counts As A Real Finding
- A correctness bug.
- A production-risking design choice.
- A likely regression.
- A security or data-consistency hole.
- Missing coverage for a meaningful failure path.
Minor style suggestions are secondary and should never drown out real risk.
Review Heuristics
- Prefer a smaller number of well-supported findings over a long list of weak suspicions.
- Tie every finding to behavior, not only to taste.
- Verify whether the repository's existing conventions intentionally justify an unusual pattern before flagging it.
- Distinguish
must fixconcerns fromconsider improvingconcerns.
Advanced Review Checklist
- Check deploy-order safety. A code change, config change, and migration may each be correct alone but unsafe in rolling deployment order.
- Check backward compatibility of JSON contracts, event schemas, database writes, and feature flags. Additive changes are safer than semantic changes hidden behind the same shape.
- Check cache invalidation, deduplication, retry semantics, and idempotency whenever writes or integrations change.
- Check whether observability changed with the behavior. A new critical path without metrics, logs, or trace propagation is a real operational regression.
- Check whether new repository queries need supporting indexes or whether an innocuous loop creates N+1 behavior.
- Check whether any new async, scheduled, or concurrent path changes transaction scope, MDC propagation, or security context.
- Check build and dependency changes for BOM drift, plugin mismatches, or silent classpath changes.
- Check what was removed, not only what was added. Missing validation, logging, or authorization is often the real regression.
Expert Heuristics
- Read the change as a workflow, not as isolated files. Many Spring bugs live in the seam between controller, service, repository, and config.
- If a finding depends on an assumption, state the assumption and the fastest way to confirm it.
- Prefer findings that are expensive for the team to rediscover in production.
- Use style comments only when they prevent future correctness bugs or materially improve maintainability.
Guardrails
- Do not nitpick naming or formatting when the change contains higher-severity risk.
- Do not invent risks without code evidence.
- Do not praise or summarize before surfacing findings.
- Do not ignore missing tests just because the code "looks straightforward."
- Do not apply generic Java advice without checking Kotlin and Spring specifics.
Quality Bar
A good run of this skill gives the author a short list of concrete, high-signal risks to address. A bad run reads like a generic lint pass and misses the transactional, proxy, security, or persistence behavior that actually matters.
More from jetbrains/skills
dependency-conflict-resolver
Diagnose and resolve Gradle and Spring classpath conflicts, version drift, and binary incompatibilities in Kotlin applications. Use when `NoSuchMethodError`, `ClassNotFoundException`, linkage errors, duplicate logging bindings, Jackson or Hibernate mismatches, or BOM-versus-explicit-version conflicts appear, and the fix must respect the repository's real version authorities.
3doc
Use when the task involves reading, creating, or editing `.docx` documents, especially when formatting or layout fidelity matters; prefer `python-docx` plus the bundled `scripts/render_docx.py` for visual checks.
3kotlin-spring-proxy-compatibility
Diagnose and prevent Kotlin plus Spring proxy failures around `@Transactional`, `@Cacheable`, `@Async`, method security, retry, configuration proxies, and JPA entity requirements. Use when AOP annotations appear to do nothing, transactional or cache behavior is inconsistent, compiler plugins may be missing, self-invocation is suspected, or Kotlin final-by-default semantics may break Spring behavior.
3ci-cd-containerization-advisor
Design reproducible build, image, and deployment pipelines for Kotlin plus Spring applications, including CI verification, layered containers, rollout safety, and deployment-time migration coordination. Use when creating or improving Dockerfiles, CI workflows, image hardening, Kubernetes manifests, release gates, or deployment strategies for Spring Boot services, especially where build reproducibility and operational safety matter.
3kotlin-idiomatic-refactorer-spring-aware
Refactor Kotlin code toward clearer, more idiomatic design without breaking Spring behavior, serialization, persistence, or public contracts. Use when Java-flavored Kotlin needs cleanup, domain modeling should become more expressive, or boilerplate should be reduced, but the refactoring must remain safe for proxies, Jackson, JPA, configuration binding, and existing tests.
3configuration-properties-profiles-kotlin-safe
Design and diagnose Spring configuration, profiles, and `@ConfigurationProperties` binding for Kotlin applications. Use when property binding fails, environment-specific overrides behave unexpectedly, profile layering is confusing, secrets or defaults are modeled unsafely, or Kotlin nullability and constructor binding semantics make configuration errors hard to detect.
3