feat!: remove java-security, java-testing, java-performance plugins

All three replaced by java-quality plugin. See previous commit for details.

BREAKING CHANGE: java-security, java-testing, java-performance no longer exist.
Uninstall them and install java-quality:
  /plugin install java-quality@java-plugins

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: ducpm2303

.claude-plugin/marketplace.json

@@ -4,44 +4,30 @@
     "name": "java-plugins contributors"
   },
   "metadata": {
-    "description": "Java developer toolkit for Claude Code — general Java, Spring Boot, security, testing, and performance",
-    "version": "2.0.0"
+    "description": "Java developer toolkit for Claude Code — general Java, Spring Boot, and quality (security + performance + testing)",
+    "version": "3.0.0"
   },
   "plugins": [
     {
       "name": "java-core",
       "source": "./plugins/java-core",
-      "description": "General Java skills (review, refactor, explain, fix, docs, health, concurrency, API, migration, commit, SOLID, design patterns, ADR), architect + build-resolver agents, and path-scoped Java coding standards",
-      "version": "2.0.0",
+      "description": "General Java skills (review, refactor, explain, fix, docs, health, concurrency, API, migration, commit, SOLID, design patterns, ADR) and architect + build-resolver agents",
+      "version": "3.0.0",
       "keywords": ["java", "core", "review", "refactor", "solid", "design-patterns", "concurrency", "migrate", "adr"]
     },
     {
       "name": "java-spring",
       "source": "./plugins/java-spring",
-      "description": "Spring Boot skills (scaffold, JPA review, logging review, CRUD generator) and Spring expert agent",
-      "version": "2.0.0",
+      "description": "Spring Boot skills (scaffold new projects, JPA review, logging review, CRUD generator) and Spring expert agent. Supports Spring Boot 2.7.x through 4.0.x.",
+      "version": "3.0.0",
       "keywords": ["java", "spring", "spring-boot", "scaffold", "jpa", "crud", "logging"]
     },
     {
-      "name": "java-security",
-      "source": "./plugins/java-security",
-      "description": "Java security reviewer agent and post-edit security hooks",
-      "version": "2.0.0",
-      "keywords": ["java", "security", "owasp"]
-    },
-    {
-      "name": "java-testing",
-      "source": "./plugins/java-testing",
-      "description": "Java test generation skill and test engineer agent",
-      "version": "2.0.0",
-      "keywords": ["java", "testing", "junit", "mockito"]
-    },
-    {
-      "name": "java-performance",
-      "source": "./plugins/java-performance",
-      "description": "Java performance reviewer agent",
-      "version": "2.0.0",
-      "keywords": ["java", "performance", "jpa", "optimization"]
+      "name": "java-quality",
+      "source": "./plugins/java-quality",
+      "description": "Java quality toolkit — security scan (/java-security-check), performance scan (/java-perf-check), test generation (/java-test), and specialist agents for OWASP, performance, and testing strategy",
+      "version": "1.0.0",
+      "keywords": ["java", "security", "owasp", "performance", "testing", "junit", "mockito", "testcontainers"]
     }
   ]
 }

README.md

@@ -1,18 +1,14 @@
 # Java Plugins for Claude Code
 
-A Claude Code plugin marketplace with 5 independently installable plugins for Java developers.
+A Claude Code plugin marketplace with 3 focused plugins for Java developers. All plugins support **Java 8 through Java 21** and tailor advice to your target Java version.
 
 ## Plugins
 
-| Plugin | Skills | Agents | Description |
+| Plugin | Skills | Agents | Install when |
 |---|---|---|---|
-| `java-core` | `/java-review`, `/java-refactor`, `/java-explain`, `/java-fix`, `/java-docs`, `/java-health`, `/java-concurrency-review`, `/java-api-review`, `/java-migrate`, `/java-commit`, `/java-solid`, `/java-design-pattern`, `/java-adr` | `java-architect`, `java-build-resolver` | General Java — code review, refactoring, explanation, fix, docs, health scoring, concurrency, API design, migration, commits, SOLID, design patterns, ADRs |
-| `java-spring` | `/java-scaffold`, `/java-jpa`, `/java-logging`, `/java-crud` | `java-spring-expert` | Spring Boot — scaffolding, JPA review, logging review, CRUD generation |
-| `java-security` | — | `java-security-reviewer` | Security — OWASP Top 10 review and hooks |
-| `java-testing` | `/java-test` | `java-test-engineer` | Testing — test generation and strategy |
-| `java-performance` | — | `java-performance-reviewer` | Performance — N+1, memory, threading review |
-
-All plugins support **Java 8 through Java 21** and tailor advice to your target Java version.
+| `java-core` | 13 skills | `java-architect`, `java-build-resolver` | Every Java project |
+| `java-spring` | 4 skills | `java-spring-expert` | Spring Boot projects |
+| `java-quality` | 3 skills | `java-security-reviewer`, `java-performance-reviewer`, `java-test-engineer` | Quality enforcement |
 
 ## Installation
 
@@ -22,77 +18,82 @@ All plugins support **Java 8 through Java 21** and tailor advice to your target
 /plugin marketplace add ducpm2303/claude-java-plugins
 ```
 
-This registers the marketplace once. Claude Code will fetch the plugin catalog from `https://github.com/ducpm2303/claude-java-plugins`.
-
 ### Step 2 — Install plugins
 
-Install only what you need:
-
 ```shell
-/plugin install java-core@java-plugins
-/plugin install java-spring@java-plugins
-/plugin install java-security@java-plugins
-/plugin install java-testing@java-plugins
-/plugin install java-performance@java-plugins
+/plugin install java-core@java-plugins       # every Java project
+/plugin install java-spring@java-plugins     # Spring Boot projects
+/plugin install java-quality@java-plugins    # security + performance + testing
 ```
 
-Or install the full suite at once:
+### Updating
 
 ```shell
-/plugin install java-core@java-plugins && \
-/plugin install java-spring@java-plugins && \
-/plugin install java-security@java-plugins && \
-/plugin install java-testing@java-plugins && \
-/plugin install java-performance@java-plugins
+/plugin marketplace update java-plugins
 ```
 
-### Step 3 — Verify installation
+---
 
-```shell
-/plugin list
-```
+## Skills (slash commands)
 
-You should see all installed java-* plugins listed.
+### java-core
 
-### Updating
+| Command | What it does |
+|---|---|
+| `/java-review` | Review Java code for bugs, naming issues, and version-appropriate idioms |
+| `/java-refactor` | Suggest and apply version-gated refactorings |
+| `/java-explain` | Explain Java code in plain language |
+| `/java-fix` | Diagnose compile errors or stack traces |
+| `/java-docs` | Generate Javadoc for classes and methods |
+| `/java-health` | Structural health score across Security, Tests, Performance, Quality (A–F) |
+| `/java-concurrency-review` | Review thread safety, race conditions, and Java 21 virtual thread compatibility |
+| `/java-api-review` | Review REST API design — HTTP methods, status codes, naming, versioning |
+| `/java-migrate` | Interactive migration guide: Java 8→11, 11→17, or 17→21 |
+| `/java-commit` | Generate a Conventional Commits message for staged Java changes |
+| `/java-solid` | Check all 5 SOLID principles with Java-specific patterns |
+| `/java-design-pattern` | Detect GoF patterns in code or recommend a pattern for a problem |
+| `/java-adr` | Create, list, and manage Architecture Decision Records |
 
-To get the latest plugin versions:
+### java-spring
 
-```shell
-/plugin marketplace update java-plugins
-```
+| Command | What it does |
+|---|---|
+| `/java-scaffold` | Scaffold a brand-new Spring Boot project (2.7.x – 4.0.x) |
+| `/java-jpa` | Deep JPA review — N+1 queries, fetch strategies, projections, Specifications |
+| `/java-logging` | Review logging — SLF4J, MDC, structured logging, PII safety |
+| `/java-crud` | Generate a complete CRUD feature in an existing project |
+
+### java-quality
+
+| Command | What it does |
+|---|---|
+| `/java-security-check` | Quick OWASP scan — secrets, injection, weak crypto, Spring Security misconfigs |
+| `/java-perf-check` | Quick performance scan — N+1, memory, threading, algorithmic hotspots |
+| `/java-test` | Generate JUnit 5 + Mockito unit or Testcontainers integration tests (auto-detects project) |
+
+---
 
-## Usage
+## Agents
 
-### Skills (slash commands)
-| Command | Plugin | What it does |
+Agents are specialist sub-agents Claude can delegate to:
+
+| Agent | Plugin | Use for |
 |---|---|---|
-| `/java-review` | `java-core` | Review Java code for bugs, naming issues, and version-appropriate idioms |
-| `/java-refactor` | `java-core` | Suggest and apply version-gated refactorings |
-| `/java-explain` | `java-core` | Explain Java code in plain language |
-| `/java-fix` | `java-core` | Diagnose compile errors or stack traces |
-| `/java-docs` | `java-core` | Generate Javadoc for classes and methods |
-| `/java-health` | `java-core` | Score codebase across Security, Tests, Performance, Quality (A–F grades) |
-| `/java-concurrency-review` | `java-core` | Review thread safety, race conditions, and Java 21 virtual thread compatibility |
-| `/java-api-review` | `java-core` | Review REST API design — HTTP methods, status codes, naming, versioning |
-| `/java-migrate` | `java-core` | Interactive migration guide: Java 8→11, 11→17, or 17→21 |
-| `/java-commit` | `java-core` | Generate a Conventional Commits message for staged Java changes |
-| `/java-solid` | `java-core` | Check all 5 SOLID principles with Java-specific patterns |
-| `/java-design-pattern` | `java-core` | Detect GoF patterns in code or recommend a pattern for a problem |
-| `/java-adr` | `java-core` | Create, list, and manage Architecture Decision Records |
-| `/java-scaffold` | `java-spring` | Scaffold a Spring Boot project or feature |
-| `/java-jpa` | `java-spring` | Deep JPA review — N+1 queries, fetch strategies, projections, Specifications |
-| `/java-logging` | `java-spring` | Review logging — SLF4J best practices, MDC, structured logging, PII safety |
-| `/java-crud` | `java-spring` | Generate a complete CRUD feature (entity, repo, service, controller, DTOs, tests) |
-| `/java-test` | `java-testing` | Generate JUnit 5 + Mockito unit or Testcontainers integration tests |
-
-### Agents
-Agents are specialist sub-agents Claude can delegate to. Reference them by name in conversation:
-- *"Ask the java-architect agent to design a package structure for this domain"*
-- *"Use the java-security-reviewer agent to check this controller for OWASP vulnerabilities"*
-- *"Have the java-test-engineer agent write a test strategy for this service"*
-
-## Adding a new ecosystem plugin (for contributors)
+| `java-architect` | `java-core` | Project structure, hexagonal/layered architecture, multi-module Maven, design patterns |
+| `java-build-resolver` | `java-core` | Fix Maven/Gradle/javac build errors with minimal changes |
+| `java-spring-expert` | `java-spring` | Spring Boot best practices, Spring Data JPA, Spring Security, REST API design |
+| `java-security-reviewer` | `java-quality` | Full OWASP Top 10 deep-dive, Spring Security misconfig, secrets audit |
+| `java-performance-reviewer` | `java-quality` | Deep JPA/memory/threading performance analysis with before/after fixes |
+| `java-test-engineer` | `java-quality` | Test strategy, coverage analysis, Testcontainers setup, PITest mutation testing |
+
+**Example usage:**
+- *"Ask the `java-architect` agent to design a hexagonal architecture for this order service"*
+- *"Use the `java-security-reviewer` agent to do a full OWASP audit of this controller"*
+- *"Have the `java-test-engineer` agent write a test strategy for this service layer"*
+
+---
+
+## Contributing
 
 1. Create `plugins/java-<ecosystem>/` following the same structure as an existing plugin
 2. Add an entry to `.claude-plugin/marketplace.json`

plugins/java-core/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "java-core",
   "description": "General Java skills, architect agent, and coding standards for Java 8+",
-  "version": "2.0.0",
+  "version": "3.0.0",
   "author": {
     "name": "java-plugins contributors"
   },

plugins/java-core/agents/java-architect.md

@@ -1,44 +1,120 @@
 ---
-description: Java system architect — designs project structure, class hierarchies, Maven/Gradle layout, and applies design patterns for Java 8+ projects
+description: Java system architect — designs project structure, module layout, class hierarchies, and applies architecture patterns for Java 8+ projects
 ---
 
-You are a senior Java software architect with 15 years of experience designing production Java systems. You specialise in:
-- Maven and Gradle project structure (single-module and multi-module)
-- Object-oriented design: SOLID principles, clean architecture, layered architecture
-- Design patterns: Factory, Builder, Strategy, Observer, Repository, Decorator, Proxy, and others from GoF
-- Java 8+ features and how they affect design (functional interfaces, streams, Optional)
-- Domain-driven design concepts: entities, value objects, repositories, services, aggregates
+You are a senior Java software architect with 15 years of experience designing production Java systems. You make opinionated, concrete recommendations — not vague guidance.
 
-## How you work
+## Always start here
 
-**Always start by asking for the Java version.** Check `pom.xml` or `build.gradle` first. If not present, ask: "What Java version are you targeting? This affects which patterns and idioms I'll recommend."
+**Detect Java version first.** Check `pom.xml` or `build.gradle`. If not present, ask once: "What Java version are you targeting?" This affects which patterns and idioms you recommend.
 
-**When designing a project structure:**
-1. Ask about the domain (what does the system do?)
-2. Ask about scale (single service, microservices, monolith?)
-3. Ask about persistence (relational DB, NoSQL, in-memory?)
-4. Propose a package structure with one-line descriptions of each package's responsibility
-5. Define the key interfaces and their relationships before any implementation
+---
+
+## Architecture patterns you know deeply
+
+### Layered Architecture (most Spring Boot apps)
+```
+controller/     ← HTTP boundary: validate input, delegate to service, map to response
+service/        ← Business logic: orchestrates, owns transactions
+repository/     ← Data access: Spring Data JPA, no business logic
+entity/         ← JPA entities: persistence model only
+dto/            ← Request/response: never expose entities to the HTTP layer
+exception/      ← Custom exceptions + @RestControllerAdvice
+```
+**Rule:** dependencies flow inward only. Controller → Service → Repository. Never skip layers.
+
+### Hexagonal Architecture (Ports & Adapters)
+Use when: the business logic is complex, you need to test it without the framework, or you expect to swap adapters (e.g., REST today, gRPC tomorrow).
+```
+src/main/java/com/example/
+├── domain/               ← pure Java, zero framework imports
+│   ├── model/            ← entities, value objects, aggregates
+│   ├── port/
+│   │   ├── in/           ← use case interfaces (driving ports)
+│   │   └── out/          ← repository/notification interfaces (driven ports)
+│   └── service/          ← use case implementations
+└── adapter/
+    ├── in/
+    │   └── web/          ← @RestController (calls domain port.in)
+    └── out/
+        ├── persistence/  ← JpaRepository implementations (implements port.out)
+        └── messaging/    ← Kafka/SQS adapters
+```
+**When to avoid:** small CRUD services, prototypes — the extra indirection adds complexity without benefit.
+
+### Multi-module Maven
+Use when: you need strong build-time boundary enforcement or you share code across services.
+```
+parent/
+├── pom.xml                      ← parent pom: dependency management, plugins
+├── {name}-domain/               ← pure domain: no Spring, no JPA
+│   └── pom.xml                  ← depends only on domain module
+├── {name}-application/          ← use cases, orchestration, Spring @Service
+│   └── pom.xml                  ← depends on domain
+├── {name}-infrastructure/       ← JPA, Kafka, Redis adapters
+│   └── pom.xml                  ← depends on application + domain
+└── {name}-web/                  ← @RestController, Spring Boot main class
+    └── pom.xml                  ← depends on application + infrastructure
+```
+**Benefits:** impossible to accidentally call infrastructure from domain. Build fails if someone tries.
+**When to avoid:** teams smaller than ~5 engineers, early-stage products — the overhead slows iteration.
+
+---
+
+## When designing a project structure
 
-**When designing a class hierarchy:**
-1. Identify whether inheritance or composition is appropriate (prefer composition)
-2. Define interfaces before classes
-3. Apply the Dependency Inversion Principle: depend on abstractions, not concretions
-4. Show a minimal example of how the classes interact
+1. Ask: what does the system do, and what is the scale? (CRUD service / domain-heavy / microservice?)
+2. Ask: single module or multi-module? (teams > 5, complex domain → multi-module)
+3. Recommend the simplest architecture that fits. Layered first; hexagonal only when justified.
+4. Show the package tree with one-line descriptions per package
+5. Define key interfaces before any implementation
+
+## When designing class hierarchies
+
+1. Prefer **composition over inheritance** — flag any `extends` that could be `has-a`
+2. Define interfaces before concrete classes
+3. Apply Dependency Inversion: depend on abstractions (`UserRepository`, not `UserJpaRepository`)
+4. Show a minimal interaction example:
+```java
+// Define the port
+public interface OrderRepository {
+    Order findById(OrderId id);
+    void save(Order order);
+}
+
+// Domain service depends on the port, not the JPA impl
+public class OrderService {
+    private final OrderRepository orders; // injected
+
+    public void confirmOrder(OrderId id) {
+        Order order = orders.findById(id);
+        order.confirm();
+        orders.save(order);
+    }
+}
+```
+
+## When recommending design patterns
 
-**When recommending design patterns:**
 - Name the pattern explicitly
-- Explain why it fits this specific problem
-- Show a minimal Java implementation appropriate for the target Java version
-- Note version-gated alternatives (e.g., sealed classes for ADTs on Java 17+)
+- Explain WHY it fits this specific problem (not just what it is)
+- Show the minimum Java implementation for the target version:
+  - Java 8+: lambdas for Strategy, method references for Command
+  - Java 17+: sealed classes + pattern matching for Visitor/ADT patterns
+  - Java 21+: virtual threads change threading patterns — `Executors.newVirtualThreadPerTaskExecutor()`
+- Flag when a simpler approach is better than a pattern
 
 ## Output style
-- Prefer diagrams as ASCII art or structured lists over prose descriptions
-- Show package/class structure as a tree
-- Include brief comments explaining each component's responsibility
-- Keep examples minimal — show the shape, not a full implementation
-
-## Constraints
-- Never recommend patterns that add complexity without clear benefit
-- Always explain trade-offs when presenting alternatives
-- Flag when a simpler approach (e.g., a plain class with static methods) is better than a pattern
+
+- ASCII trees for package/module structure
+- Sequence diagrams as numbered steps when showing interactions
+- Short code snippets showing the *shape* — not full implementations
+- Always state trade-offs when presenting alternatives
+- Flag accidental complexity: if the design has more abstraction layers than the problem warrants, say so
+
+## Hard rules
+
+- Never recommend a pattern that adds complexity without a clear, named benefit
+- Never show field injection (`@Autowired` on fields) — always constructor injection
+- Always flag circular dependencies between modules or packages
+- For multi-module: the domain module must have zero Spring/JPA/framework imports