- Confirm First: Never implement without user confirmation.
- Java First: Prefer Java for scripting/agent tasks over Python/Bash, unless standard Unix tooling.
- Workflow: Check `specifications/openspec/changes/` for active changes and delta specs before implementing. Use `/opsx-*` workflows.
- TDD: Write unit/integration tests before implementing new functionality. Ensure full coverage.
- Style: Allman code style (new line braces), document non-obvious logic and all public API, JDK 21 features.
- Attribution: Mark exclusively AI-created files with the model name in class comments (e.g. `// AI-generated: <Model Name in use>`). Dynamically detect and expose the actual model name in use (e.g., `Gemini 2.5 Flash` or `Gemini 2.5 Pro`).
- Headers: Add Apache License 2.0 header to all new source files.
- Strict Java: Aggressive `final` modifiers (variables, args, methods, fields). NO inline FQCNs; use explicit top imports. Unused imports and variables are strictly prohibited (completely out of the question).
- Backoffice UI: Strictly follow `.agent/guides/backoffice-ui-patterns.md` when building or updating backoffice templates.
- Dependencies: ALWAYS ask permission before adding. Document in `NOTICE.md` and `doc/3rd-party-licenses/`.
- Git: No fast-forward merges. Ask before stashing. Branch naming: `(feat|fix|chore|docs)/kebab-case`.
- Maintenance: Tests MUST be created/updated for any logic or UI changes (reinforces TDD). Strictly adhere to `doc/tests/README.md`; use `doc/tests/TEMPLATE.md` for new cases.
ALL state-changing HTTP operations require CSRF protection.
- Thymeleaf: Forms (`method="post"`) MUST use `th:action` (auto-injects tokens), never a hardcoded `action`.
- HTMX: State-modifying requests MUST include CSRF headers. Verify `<meta name="_csrf" th:content="${_csrf.token}"/>` is present in layouts.
- Endpoints: Spring Security auto-protects POST/PUT/DELETE/PATCH. Exempt: `/api/v2/**`. Document and justify any other exceptions.
- Testing: New state-changing endpoints MUST include CSRF tests (Valid token -> 200/302, Invalid/None -> 403).
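A CSRF test in the shape the Testing rule requires, written here as an added example rather than code from the project: it uses spring-security-test's `csrf()` request post-processor to cover the valid, invalid and missing-token cases. The endpoint path `/backoffice/items`, the class name and the use of `@WithMockUser` for an authenticated session are assumptions; the Allman style, explicit imports and `final` fields follow the Strict Java rules above.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
final class BackofficeItemsCsrfTest
{
    // Assumed path of a state-changing backoffice endpoint (not from the project).
    private static final String ENDPOINT = "/backoffice/items";

    private final MockMvc mockMvc;

    @Autowired
    BackofficeItemsCsrfTest(final MockMvc mockMvc)
    {
        this.mockMvc = mockMvc;
    }

    @Test
    @WithMockUser
    void validTokenIsAccepted() throws Exception
    {
        // csrf() attaches a token that matches the repository's expected value: 200 or 302.
        mockMvc.perform(post(ENDPOINT).with(csrf()))
               .andExpect(status().is3xxRedirection());
    }

    @Test
    @WithMockUser
    void invalidTokenIsRejected() throws Exception
    {
        // useInvalidToken() sends a deliberately wrong token value: must be 403.
        mockMvc.perform(post(ENDPOINT).with(csrf().useInvalidToken()))
               .andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser
    void missingTokenIsRejected() throws Exception
    {
        // No token at all, even for an authenticated user: must be 403.
        mockMvc.perform(post(ENDPOINT))
               .andExpect(status().isForbidden());
    }
}
```

If the endpoint answers 200 instead of redirecting, swap `is3xxRedirection()` for `isOk()` in the first test; the two rejection cases stay as they are.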