2f61ad7f1a
- Project-level skill: .claude/skills/code-review/ (398-line SKILL.md + reference files)
- Auto-trigger: after the AI modifies .py/.cbl/.cpy/.lark files, a review runs automatically
- CLAUDE.md: defines the trigger rules, review workflow and severity levels
- .code-review.yaml: tier=standard, high-risk module configuration
Effect: ready to use on clone; every code change is reviewed automatically, preventing low-quality code from entering the repository
Co-Authored-By: Claude <noreply@anthropic.com>
49 lines
2.0 KiB
Markdown
# Java Spring Boot Review Checklist

Extends the generic checklist with Java/Spring-specific items.

## Interface Layer (Spring MVC)

- [ ] `@RestController` methods have `@Valid` on request bodies
- [ ] Custom validators implement `ConstraintValidator` correctly
- [ ] `@ExceptionHandler` or `@ControllerAdvice` for global error handling
- [ ] `@ResponseStatus` used appropriately on custom exceptions
- [ ] DTOs use records or Lombok `@Data`; entities are not exposed directly
- [ ] `@RequestMapping` produces/consumes specified

## Business Layer (Spring Service)

- [ ] `@Transactional` on service methods that modify multiple tables
- [ ] `@Transactional(rollbackFor = Exception.class)` so checked exceptions also roll back, not just RuntimeException
- [ ] Transaction propagation set correctly (REQUIRED vs REQUIRES_NEW)
- [ ] No `@Transactional` on private methods (Spring's proxy cannot intercept them)

## Data Layer (Spring Data JPA / MyBatis)

- [ ] JPA: `@Entity` classes have proper `equals()` and `hashCode()`
- [ ] JPA: No eager fetching on `@ManyToOne` without explicit need
- [ ] JPA: `@Query` uses JPQL (`nativeQuery=false`, the default) with bound parameters rather than concatenated input (prevents SQL injection)
- [ ] MyBatis: all SQL uses `#{}` (bound parameter), never `${}` (string substitution), for user input
- [ ] Connection pool settings reviewed (HikariCP defaults usually fine)
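
The two injection items above (JPA `@Query` and MyBatis placeholders), as an added example that is not code from the page's project: each query in its weak form beside the bound-parameter form a reviewer should expect to see. The `User` entity, the `users` table and its columns are assumptions.

```java
// Added example, not the project's code. Assumes a User entity on table users (id, username, role).
// --- UserMapper.java (MyBatis) ---
import java.util.List;
import org.apache.ibatis.annotations.Mapper;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;
@Mapper
public interface UserMapper {
    // FLAG: ${} is text substitution, spliced into the SQL before it is prepared.
    @Select("SELECT id, username, role FROM users WHERE username = '${name}'")
    List<User> findByUsernameUnsafe(@Param("name") String name);

    // OK: #{} becomes a JDBC '?' placeholder; the value is bound, never parsed as SQL.
    @Select("SELECT id, username, role FROM users WHERE username = #{name}")
    List<User> findByUsername(@Param("name") String name);
}

// --- UserRepository.java (Spring Data JPA) ---
import java.util.List;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param;
public interface UserRepository extends JpaRepository<User, Long> {
    // OK: JPQL (nativeQuery defaults to false) with a named, bound parameter.
    @Query("SELECT u FROM User u WHERE u.role = :role")
    List<User> findByRole(@Param("role") String role);
}

// --- UserQueryService.java ---
import java.util.List;
import jakarta.persistence.EntityManager;
import jakarta.persistence.PersistenceContext;
import org.springframework.stereotype.Service;

@Service
public class UserQueryService {
    @PersistenceContext
    private EntityManager em;

    // FLAG: JPQL assembled by concatenation; nativeQuery=false alone does not prevent this.
    public List<User> byRoleUnsafe(String role) {
        return em.createQuery("SELECT u FROM User u WHERE u.role = '" + role + "'", User.class).getResultList();
    }

    // OK: the same query with the value bound as a parameter.
    public List<User> byRole(String role) {
        return em.createQuery("SELECT u FROM User u WHERE u.role = :role", User.class).setParameter("role", role).getResultList();
    }
}
```

The three files are shown together for comparison; in a real project each top-level type lives in its own file with its own imports.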

## Error Handling

- [ ] Checked exceptions either handled or declared
- [ ] `try-with-resources` for AutoCloseable resources
- [ ] No `catch (Exception e) { e.printStackTrace(); }` — use logger instead

## Security (Spring Security)

- [ ] `SecurityFilterChain` configured correctly
- [ ] CSRF protection enabled for state-changing endpoints
- [ ] `@PreAuthorize` or `@Secured` on protected methods
- [ ] Password encoding uses `BCryptPasswordEncoder` or better
- [ ] No secrets in `application.properties` — use env vars or vault

## Performance

- [ ] `@Async` used for non-blocking operations with proper thread pool config
- [ ] `@Cacheable` backed by a cache configured with a TTL and eviction strategy
- [ ] JPA: `@BatchSize` or batch insert for bulk operations
- [ ] RestTemplate/WebClient timeouts configured