roninforge-spring-boot

Cursor plugin for Spring Boot 3.x (3.2 - 3.5, Java 17 minimum, 21 preferred). Teaches the AI to write Boot 3 code that actually compiles: jakarta.* imports, SecurityFilterChain bean, RestClient, requestMatchers, records as DTOs, constructor injection, virtual threads, Testcontainers @ServiceConnection. Catches the dozens of Boot 2.x patterns LLMs still produce.

The Problem

Spring Boot 2.x to 3.x was a hard break. The model has not yet caught up to the rename. LLMs ship:

• import javax.persistence.* (will not compile under Boot 3 - everything is jakarta.*)
• extends WebSecurityConfigurerAdapter (class removed in Spring Security 6)
• antMatchers(...) / mvcMatchers(...) (removed; use requestMatchers)
• @Autowired on fields instead of constructor injection
• @Transactional on private methods (silently does nothing - AOP proxy cannot intercept)
• new RestTemplate() for new code (maintenance mode; use RestClient)
• Returning JPA entities from controllers (lazy-loading + schema leak)
• findAll() without pagination on user-facing endpoints
• @MockBean (deprecated in Boot 3.4; use @MockitoBean)
• @RequestMapping(method = ...) instead of @GetMapping / @PostMapping
• @Data on @Entity (breaks equality on lazy proxies)
• Default-EAGER @ManyToOne associations
• spring.jpa.hibernate.ddl-auto: update (unsafe in any environment past local dev)
• Secrets in application.properties
• @EnableGlobalMethodSecurity (deprecated; use @EnableMethodSecurity)
• @ConfigurationProperties classes never registered with @EnableConfigurationProperties or @ConfigurationPropertiesScan
• Mixing spring-boot-starter-web and spring-boot-starter-webflux in one module
• @ExceptionHandler(Exception.class) catch-all that swallows framework exceptions and breaks ProblemDetail
• @Async returning void (exceptions are silently swallowed)
• Missing @Validated on @Service classes that use method-level @NotBlank / @Positive constraints

Install

git clone https://github.com/RoninForge/roninforge-spring-boot.git ~/.cursor/plugins/local/roninforge-spring-boot

Or copy into your project:

git clone https://github.com/RoninForge/roninforge-spring-boot.git
cp -r roninforge-spring-boot/rules/* your-project/.cursor/rules/
cp -r roninforge-spring-boot/skills/* your-project/.cursor/skills/
cp -r roninforge-spring-boot/agents/* your-project/.cursor/agents/

What's Included

Rules (5 files)

Rule	Scope	What it does
spring-boot-core	Always active	jakarta.* imports, constructor injection, SecurityFilterChain, RestClient, records as DTOs and @ConfigurationProperties, virtual threads, ProblemDetail, slice tests
spring-boot-anti-patterns	Always active	20 Boot 2-era patterns: javax.*, WebSecurityConfigurerAdapter, antMatchers, field injection, new RestTemplate(), @Transactional on private, JPA entities returned from controllers, N+1, findAll() without Pageable, @Data on @Entity, ddl-auto=update, secrets in config, @MockBean
spring-boot-data	**/*.java	Entity design, transaction boundaries, fetch strategies, pagination, projections, JdbcClient, Testcontainers @ServiceConnection
spring-boot-security	Security-related files	SecurityFilterChain bean, JWT resource server, requestMatchers, @EnableMethodSecurity, @PreAuthorize, CORS, CSRF policy, password storage
spring-boot-testing	Agent-requested	Slice tests over @SpringBootTest, @MockitoBean, MockMvc, @RestClientTest, Testcontainers, AssertJ

Skills (4 commands)

Skill	Command	What it does
New REST endpoint	/spring-boot-new-rest-endpoint	Scaffold controller + DTOs + service + ProblemDetail + slice test
Migrate to 3	/spring-boot-migrate-to-3	Boot 2 -> 3 step-by-step: Java 17/21, jakarta rename, SecurityFilterChain, RestClient, @MockitoBean, ddl-auto, virtual threads
Validate	/spring-boot-validate	Scan codebase for the tracked anti-patterns, report by severity
Testcontainers	/spring-boot-testcontainers	Wire @ServiceConnection for Postgres/Redis/Kafka in slice and integration tests

Agent (1 subagent)

Agent	What it does
spring-boot-reviewer	Reviews Spring Boot code by severity: critical (will not compile, security regressions), warnings (Boot 2 idioms), suggestions (records, virtual threads, slice tests)

What Makes This Different

The community .cursorrules for Spring Boot mostly cover style (use SOLID, name beans clearly). None of them:

• Enforce the jakarta.* rename (the single most common Boot 3 compile error)
• Catch WebSecurityConfigurerAdapter and antMatchers (will not compile under Spring Security 6)
• Push records as the default DTO shape with Jakarta validation
• Teach virtual threads (spring.threads.virtual.enabled) on Java 21
• Teach @MockitoBean over the deprecated @MockBean
• Wire Testcontainers via @ServiceConnection with zero @DynamicPropertySource boilerplate

Fixtures

tests/fixtures/anti-pattern-sample/ is a deliberately broken Boot 2-style service (does not compile under Boot 3, by design). tests/fixtures/correct-sample/ shows the same shape rebuilt with Boot 3 idioms: jakarta imports, constructor injection, SecurityFilterChain, records, virtual threads.

License

MIT - see LICENSE

Links

• Spring Boot 3.5 release notes
• Spring Boot 3.4 release notes
• Spring Security 6 migration guide
• Cursor Plugin Documentation
• RoninForge