feat(skills): add validation and security skills for Spring Boot, Quarkus, and Micronaut (#688)

* feat(skills): add framework validation and security skills

Add six new framework skills for Spring Boot, Quarkus, and Micronaut to cover validation and security separately, and register them in the skills inventory for generation.

Made-with: Cursor

* feat(skills): regenerate generated skills for new framework rules

Publish generated skill outputs for the six new framework validation/security definitions so the skills/ tree stays in sync with skills-generator sources.

Made-with: Cursor

* feat(skills): expand framework validation and security reference examples

Add exhaustive good/bad examples across Spring Boot, Quarkus, and Micronaut validation and security skill references; regenerate published reference markdown under skills/.

Made-with: Cursor

* feat(skills): improve examples in validation and security reference files

- 303: expand error handler for ConstraintViolationException and
  HandlerMethodValidationException (Spring 6.1+); use .toList()
- 304: add SecurityFilterChain oauth2ResourceServer wiring; add
  AccessDeniedHandler (403) alongside AuthenticationEntryPoint (401)
- 403: use .toList(); note Quarkus built-in validation response
- 404: add ForbiddenException mapper (403) alongside NotAuthorizedException
- 503: add comment to nested-validation bad-example; use
  HttpResponse.badRequest() and .toList() in exception handler
- 504: update to HttpRequestAuthenticationProvider for Micronaut 4;
  distinguish 401 vs 403 via isForbidden() in AuthorizationException handler
- Regenerate skills/ markdown

Made-with: Cursor

* feat(skills): refine framework validation and security examples

Tighten validation and security examples across Spring Boot, Quarkus, and Micronaut so the guidance is more framework-accurate and copy-paste friendly.

Made-with: Cursor

* refactor(skills): update Spring Boot references to version 4

Made-with: Cursor

* feat(skills): add validation and security skills to inventory template

Made-with: Cursor

* feat(agents): sync framework coders with new validation and security skills

Made-with: Cursor

* feat(skills): expand framework validation and security triggers

Update the six new framework skills with richer descriptions and additional trigger phrases, then regenerate SKILL.md outputs to keep generated artifacts aligned.

Made-with: Cursor

* docs(readme): add spring cloud vs kubernetes reference link

Add an additional reference URL in the Further Reading section to compare Spring Cloud microservices and Kubernetes.

Made-with: Cursor

* docs(agents): add framework version baseline guidance

Document default supported major versions for Spring Boot, Quarkus, and Micronaut, and require confirmation before applying legacy major-version patterns.

Made-with: Cursor

Author: jabrena

.cursor/agents/robot-micronaut-coder.md

@@ -25,6 +25,8 @@ Apply guidance from these Skills when relevant:
 
 - `@501-frameworks-micronaut-core`: Micronaut core (bootstrap, DI, config, scheduling, shutdown)
 - `@502-frameworks-micronaut-rest`: Micronaut REST APIs
+- `@503-frameworks-micronaut-validation`: Micronaut validation (Bean Validation, custom constraints, error payloads)
+- `@504-frameworks-micronaut-security`: Micronaut security (authn/authz, endpoint protection, secure defaults)
 - `@511-frameworks-micronaut-jdbc`: programmatic JDBC (DataSource, SQL, transactions)
 - `@512-frameworks-micronaut-data`: Micronaut Data (repositories, entities, generated SQL)
 - `@513-frameworks-micronaut-db-migrations-flyway`: Micronaut DB migrations (Flyway)

.cursor/agents/robot-quarkus-coder.md

@@ -24,6 +24,8 @@ Apply guidance from these Skills when relevant:
 
 - `@401-frameworks-quarkus-core`: Quarkus core
 - `@402-frameworks-quarkus-rest`: Quarkus REST APIs
+- `@403-frameworks-quarkus-validation`: Quarkus validation (Bean Validation, custom constraints, error mapping)
+- `@404-frameworks-quarkus-security`: Quarkus security (authn/authz annotations, endpoint protection, secure defaults)
 - `@411-frameworks-quarkus-jdbc`: Quarkus JDBC
 - `@412-frameworks-quarkus-panache`: Quarkus Panache
 - `@413-frameworks-quarkus-db-migrations-flyway`: Quarkus DB migrations (Flyway)

.cursor/agents/robot-spring-boot-coder.md

@@ -24,16 +24,14 @@ Apply guidance from these Skills when relevant:
 
 - `@301-frameworks-spring-boot-core`: Spring Boot core
 - `@302-frameworks-spring-boot-rest`: Spring Boot REST APIs
+- `@303-frameworks-spring-boot-validation`: Spring Boot validation (Bean Validation, groups, custom validators, error responses)
+- `@304-frameworks-spring-boot-security`: Spring Boot security (SecurityFilterChain, authn/authz, secure defaults)
+- `@311-frameworks-spring-jdbc`: Spring JDBC
 - `@312-frameworks-spring-data-jdbc`: Spring Data JDBC
 - `@313-frameworks-spring-db-migrations-flyway`: Flyway database migrations
 - `@142-java-functional-programming`: Functional programming patterns
 - `@143-java-functional-exception-handling`: Exception handling patterns
-- `@130-java-testing-strategies`: Testing Strategies
-- `@301-frameworks-spring-boot-core`: Spring Boot Core
-- `@302-frameworks-spring-boot-rest`: Spring Boot REST
-- `@311-frameworks-spring-jdbc`: Spring Boot JDBC
-- `@312-frameworks-spring-data-jdbc`; Spring Boot Data JDBC
-- `@313-frameworks-spring-db-migrations-flyway`; Spring Boot DB migrations (Flyway)
+- `@130-java-testing-strategies`: Testing strategies
 - `@321-frameworks-spring-boot-testing-unit-tests`: Spring Boot unit testing
 - `@322-frameworks-spring-boot-testing-integration-tests`: Spring Boot integration testing
 - `@323-frameworks-spring-boot-testing-acceptance-tests`: Spring Boot acceptance testing

AGENTS.md

@@ -16,6 +16,12 @@ You are an expert Java developer and technical writer for this project.
 - **Rule pipeline:** XML → XInclude → XSLT → Markdown cursor rules
 - **Site generator:** JBake 2.7.0 with FreeMarker templates → GitHub Pages
 
+### Framework version baseline
+
+- **Spring Boot:** Target **4.0.x** by default;
+- **Quarkus:** Target the current **3.x** line by default;
+- **Micronaut:** Target the current **4.x** line by default;
+
 ## Change workflow
 
 This project uses **OpenSpec** for structured change management and planning:

README.md

@@ -135,6 +135,7 @@ Java uses JEPs (JDK Enhancement Proposals) to describe new language and platform
 - [https://github.com/vercel-labs/skills/issues](https://github.com/vercel-labs/skills/issues)
 - [https://openjdk.org/jeps/0](https://openjdk.org/jeps/0)
 - [https://jbake.org/docs/latest/](https://jbake.org/docs/latest/)
+- https://developers.redhat.com/blog/2016/12/09/spring-cloud-for-microservices-compared-to-kubernetes
 
 ## Other developments
 

skills-generator/src/main/resources/skill-indexes/303-skill.xml

@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<prompt xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:noNamespaceSchemaLocation="https://jabrena.github.io/pml/schemas/0.7.0/pml.xsd"
+      id="303-frameworks-spring-boot-validation">
+  <metadata>
+    <author>Juan Antonio Breña Moral</author>
+    <version>0.15.0-SNAPSHOT</version>
+    <license>Apache-2.0</license>
+    <description>Use when you need to design, review, or improve validation in Spring Boot applications — including Bean Validation on request DTOs, @Valid/@Validated at API boundaries, constraint groups, custom constraints, @ConfigurationProperties validation, nested DTO validation, and consistent validation error handling. This should trigger for requests such as Add validation support in Spring Boot; Review Spring Boot validation rules; Improve request validation in Spring Boot REST APIs; Add custom Bean Validation constraints in Spring Boot; Validate configuration properties in Spring Boot.</description>
+  </metadata>
+
+  <title>Spring Boot Validation Guidelines</title>
+  <goal><![CDATA[
+Apply Spring Boot validation best practices at API boundaries.
+
+**What is covered in this Skill?**
+
+- Bean Validation annotations on DTOs and command models
+- @Valid / @Validated on controllers and method parameters
+- Validation groups for create/update workflows
+- Custom constraint annotations and validators
+- Consistent 400 error responses for validation failures
+
+**Scope:** Apply recommendations based on the reference rules and good/bad examples.
+]]></goal>
+
+  <constraints>
+    <constraints-description>Before applying validation changes, ensure the project compiles. After improvements, run full verification.</constraints-description>
+    <constraint-list>
+      <constraint>**MANDATORY**: Run `./mvnw compile` or `mvn compile` before applying any change</constraint>
+      <constraint>**SAFETY**: If compilation fails, stop immediately</constraint>
+      <constraint>**VERIFY**: Run `./mvnw clean verify` or `mvn clean verify` after applying improvements</constraint>
+      <constraint>**BEFORE APPLYING**: Read the reference for detailed rules and examples</constraint>
+    </constraint-list>
+  </constraints>
+
+  <triggers>
+    <trigger-list>
+        <trigger>Add validation support in Spring Boot</trigger>
+        <trigger>Review Spring Boot validation rules</trigger>
+        <trigger>Improve request validation in Spring Boot REST APIs</trigger>
+        <trigger>Add custom Bean Validation constraints in Spring Boot</trigger>
+        <trigger>Validate configuration properties in Spring Boot</trigger>
+        <trigger>Improve nested DTO validation in Spring Boot</trigger>
+    </trigger-list>
+  </triggers>
+
+  <steps>
+    <step number="1"><step-title>Read reference and assess project context</step-title><step-content>Read `references/303-frameworks-spring-boot-validation.md` and inspect the current project setup before proposing changes.</step-content></step>
+    <step number="2"><step-title>Gather scope and decide target improvements</step-title><step-content>Identify requested outcomes, constraints, and the minimum safe set of changes to apply.</step-content></step>
+    <step number="3"><step-title>Apply framework-aligned changes</step-title><step-content>Implement or refactor validation-related configuration/code following the reference patterns and project conventions.</step-content></step>
+    <step number="4"><step-title>Run verification and report results</step-title><step-content>Execute appropriate build/tests and summarize what changed, what was verified, and any follow-up actions.</step-content></step>
+  </steps>
+</prompt>

skills-generator/src/main/resources/skill-indexes/304-skill.xml

@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<prompt xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:noNamespaceSchemaLocation="https://jabrena.github.io/pml/schemas/0.7.0/pml.xsd"
+      id="304-frameworks-spring-boot-security">
+  <metadata>
+    <author>Juan Antonio Breña Moral</author>
+    <version>0.15.0-SNAPSHOT</version>
+    <license>Apache-2.0</license>
+    <description>Use when you need to design, review, or improve security in Spring Boot applications — including SecurityFilterChain, OAuth2/JWT resource server patterns, form login basics, method security (@PreAuthorize), CSRF and CORS for APIs, session fixation, security headers, exception handling, password encoding, and sensitive-data-safe logging. This should trigger for requests such as Add Spring Boot security support; Review Spring Boot security configuration; Improve API authorization in Spring Boot; Add JWT resource server security in Spring Boot; Harden Spring Boot security headers and CSRF settings.</description>
+  </metadata>
+
+  <title>Spring Boot Security Guidelines</title>
+  <goal><![CDATA[
+Apply Spring Boot security best practices with secure-by-default API boundaries.
+
+**What is covered in this Skill?**
+
+- Spring Security configuration and SecurityFilterChain setup
+- Authentication and authorization policies for endpoints
+- Method-level security (@PreAuthorize / @Secured)
+- Principle of least privilege for roles and scopes
+- Secure error handling and denial responses
+- Sensitive data handling in logs and responses
+
+**Scope:** Apply recommendations based on the reference rules and good/bad examples.
+]]></goal>
+
+  <constraints>
+    <constraints-description>Before applying security changes, ensure the project compiles. After improvements, run full verification.</constraints-description>
+    <constraint-list>
+      <constraint>**MANDATORY**: Run `./mvnw compile` or `mvn compile` before applying any change</constraint>
+      <constraint>**SAFETY**: If compilation fails, stop immediately</constraint>
+      <constraint>**VERIFY**: Run `./mvnw clean verify` or `mvn clean verify` after applying improvements</constraint>
+      <constraint>**BEFORE APPLYING**: Read the reference for detailed rules and examples</constraint>
+    </constraint-list>
+  </constraints>
+
+  <triggers>
+    <trigger-list>
+        <trigger>Add Spring Boot security support</trigger>
+        <trigger>Review Spring Boot security configuration</trigger>
+        <trigger>Improve API authorization in Spring Boot</trigger>
+        <trigger>Add JWT resource server security in Spring Boot</trigger>
+        <trigger>Harden Spring Boot security headers and CSRF settings</trigger>
+        <trigger>Implement method security with @PreAuthorize in Spring Boot</trigger>
+    </trigger-list>
+  </triggers>
+
+  <steps>
+    <step number="1"><step-title>Read reference and assess project context</step-title><step-content>Read `references/304-frameworks-spring-boot-security.md` and inspect the current project setup before proposing changes.</step-content></step>
+    <step number="2"><step-title>Gather scope and decide target improvements</step-title><step-content>Identify requested outcomes, constraints, and the minimum safe set of changes to apply.</step-content></step>
+    <step number="3"><step-title>Apply framework-aligned changes</step-title><step-content>Implement or refactor security-related configuration/code following the reference patterns and project conventions.</step-content></step>
+    <step number="4"><step-title>Run verification and report results</step-title><step-content>Execute appropriate build/tests and summarize what changed, what was verified, and any follow-up actions.</step-content></step>
+  </steps>
+</prompt>

skills-generator/src/main/resources/skill-indexes/311-skill.xml

@@ -6,17 +6,17 @@
     <author>Juan Antonio Breña Moral</author>
     <version>0.15.0-SNAPSHOT</version>
     <license>Apache-2.0</license>
-    <description>Use when you need to write or review programmatic JDBC with Spring — including JdbcClient (Spring Framework 6.1+) as the default API, JdbcTemplate only where batch/streaming APIs require JdbcOperations, NamedParameterJdbcTemplate for legacy named-param code, parameterized SQL, RowMapper mapping to records, batch operations, transactions, safe handling of generated keys, DataAccessException handling, read-only transactions, streaming large result sets, and @JdbcTest slice testing. This should trigger for requests such as Review Java code for Spring JDBC (JdbcTemplate, JdbcClient, NamedParameterJdbcTemplate); Apply best practices for Spring JDBC data access in Java code; Detect and fix SQL injection risks in JDBC code; Improve transaction boundaries or exception handling for JDBC operations.</description>
+    <description>Use when you need to write or review programmatic JDBC with Spring — including JdbcClient (Spring Framework 7+) as the default API, JdbcTemplate only where batch/streaming APIs require JdbcOperations, NamedParameterJdbcTemplate for legacy named-param code, parameterized SQL, RowMapper mapping to records, batch operations, transactions, safe handling of generated keys, DataAccessException handling, read-only transactions, streaming large result sets, and @JdbcTest slice testing. This should trigger for requests such as Review Java code for Spring JDBC (JdbcTemplate, JdbcClient, NamedParameterJdbcTemplate); Apply best practices for Spring JDBC data access in Java code; Detect and fix SQL injection risks in JDBC code; Improve transaction boundaries or exception handling for JDBC operations.</description>
   </metadata>
 
-  <title>Spring JDBC — JdbcClient (Spring Framework 6.1+)</title>
+  <title>Spring JDBC — JdbcClient (Spring Framework 7+)</title>
   <goal><![CDATA[
 Apply Spring JDBC guidelines with JdbcClient as the default; use JdbcTemplate / NamedParameterJdbcTemplate only for legacy code or APIs not covered by JdbcClient (batch updates, KeyHolder, RowCallbackHandler streaming).
 
 **What is covered in this Skill?**
 
 - Parameterized SQL (never concatenate user input)
-- JdbcClient fluent API (Spring Framework 6.1+) — preferred for queries and updates
+- JdbcClient fluent API (Spring Framework 7+) — preferred for queries and updates
 - Named parameters via JdbcClient; NamedParameterJdbcTemplate for legacy migration
 - RowMapper, query(Class), and records
 - Batch operations and generated keys (JdbcTemplate / JdbcOperations where needed)

skills-generator/src/main/resources/skill-indexes/403-skill.xml

@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<prompt xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:noNamespaceSchemaLocation="https://jabrena.github.io/pml/schemas/0.7.0/pml.xsd"
+      id="403-frameworks-quarkus-validation">
+  <metadata>
+    <author>Juan Antonio Breña Moral</author>
+    <version>0.15.0-SNAPSHOT</version>
+    <license>Apache-2.0</license>
+    <description>Use when you need to design, review, or improve validation in Quarkus applications — including Bean Validation on JAX-RS resources, @Valid on parameters and CDI beans, constraint groups, @ConfigMapping validation, custom constraints, nested DTO validation, and ExceptionMapper-based error mapping. This should trigger for requests such as Add validation support in Quarkus; Review Quarkus validation rules; Improve request validation in Quarkus REST APIs; Add custom validation constraints in Quarkus; Validate Quarkus @ConfigMapping properties.</description>
+  </metadata>
+
+  <title>Quarkus Validation Guidelines</title>
+  <goal><![CDATA[
+Apply Quarkus validation best practices at REST boundaries.
+
+**What is covered in this Skill?**
+
+- Bean Validation annotations on DTOs and command models
+- @Valid and boundary validation in Jakarta REST resources
+- Validation groups and custom constraints
+- Validation error mapping for client-safe responses
+- Consistent handling of invalid inputs across endpoints
+
+**Scope:** Apply recommendations based on the reference rules and good/bad examples.
+]]></goal>
+
+  <constraints>
+    <constraints-description>Before applying validation changes, ensure the project compiles. After improvements, run full verification.</constraints-description>
+    <constraint-list>
+      <constraint>**MANDATORY**: Run `./mvnw compile` or `mvn compile` before applying any change</constraint>
+      <constraint>**SAFETY**: If compilation fails, stop immediately</constraint>
+      <constraint>**VERIFY**: Run `./mvnw clean verify` or `mvn clean verify` after applying improvements</constraint>
+      <constraint>**BEFORE APPLYING**: Read the reference for detailed rules and examples</constraint>
+    </constraint-list>
+  </constraints>
+
+  <triggers>
+    <trigger-list>
+        <trigger>Add validation support in Quarkus</trigger>
+        <trigger>Review Quarkus validation rules</trigger>
+        <trigger>Improve request validation in Quarkus REST APIs</trigger>
+        <trigger>Add custom validation constraints in Quarkus</trigger>
+        <trigger>Validate Quarkus @ConfigMapping properties</trigger>
+        <trigger>Improve validation error mapping with ExceptionMapper in Quarkus</trigger>
+    </trigger-list>
+  </triggers>
+
+  <steps>
+    <step number="1"><step-title>Read reference and assess project context</step-title><step-content>Read `references/403-frameworks-quarkus-validation.md` and inspect the current project setup before proposing changes.</step-content></step>
+    <step number="2"><step-title>Gather scope and decide target improvements</step-title><step-content>Identify requested outcomes, constraints, and the minimum safe set of changes to apply.</step-content></step>
+    <step number="3"><step-title>Apply framework-aligned changes</step-title><step-content>Implement or refactor validation-related configuration/code following the reference patterns and project conventions.</step-content></step>
+    <step number="4"><step-title>Run verification and report results</step-title><step-content>Execute appropriate build/tests and summarize what changed, what was verified, and any follow-up actions.</step-content></step>
+  </steps>
+</prompt>