
tessl-labs/springboot-project-structure

Spring Boot project structure — package-by-feature, record DTOs, Flyway migrations, multi-profile config, actuator, proper test structure

Score: 84
Quality: 76% (does it follow best practices?)
Impact: 97% (4.04x); average score across 5 eval scenarios
Security by Snyk: Passed, no known issues


evals/scenario-5/criteria.json

{
  "context": "Tests whether the agent proactively applies Spring Boot project structure best practices when building a user registration API with security concerns. The task involves distinct domain concepts (auth, user, profile) and security configuration — criteria check for package-by-feature, record DTOs (especially important here to avoid leaking passwordHash), dedicated config package for SecurityConfig, profile-based configuration, migrations, and proper test structure.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Package-by-feature layout",
      "description": "Code is organized by feature (auth/, user/, profile/ or similar grouping) rather than by layer. Controllers, services, repositories, and DTOs for each feature live in the same package.",
      "max_score": 14
    },
    {
      "name": "Record DTOs separate from entities",
      "description": "Request and response DTOs are Java records. This is especially critical here — the User entity has passwordHash which must NEVER appear in any response DTO. Separate DTOs exist for registration request, login request, public profile response, and admin user list response.",
      "max_score": 14
    },
    {
      "name": "Security config in config package",
      "description": "SecurityConfig (@Configuration with @EnableWebSecurity) is in a dedicated config/ package, not inside the auth feature package. Other @Configuration classes (WebConfig, etc.) are also in config/.",
      "max_score": 10
    },
    {
      "name": "Multi-profile application.yml",
      "description": "Configuration uses application.yml with profile-specific files. Security-sensitive values (JWT secret, database credentials) use environment variable placeholders.",
      "max_score": 8
    },
    {
      "name": "Flyway or Liquibase migrations",
      "description": "Database schema is managed with Flyway or Liquibase migrations for users and profiles tables, not schema.sql or ddl-auto.",
      "max_score": 10
    },
    {
      "name": "Global exception handler",
      "description": "A @RestControllerAdvice handles exceptions with consistent error responses. Handles validation errors (duplicate email, password too short), not-found, authorization errors, and unexpected errors without leaking details.",
      "max_score": 10
    },
    {
      "name": "Test directory mirrors main",
      "description": "Test packages mirror main source structure. Tests exist in feature-aligned packages.",
      "max_score": 8
    },
    {
      "name": "Slice tests used",
      "description": "Controller tests use @WebMvcTest (with security mocking if needed) rather than @SpringBootTest for everything.",
      "max_score": 7
    },
    {
      "name": "Entity-DTO mapping",
      "description": "Mappers exist to convert between entities and DTOs. Especially important that the mapper for User->response DTOs excludes passwordHash.",
      "max_score": 5
    },
    {
      "name": "OSIV disabled and graceful shutdown",
      "description": "spring.jpa.open-in-view is false. server.shutdown is graceful.",
      "max_score": 4
    },
    {
      "name": "Actuator configured",
      "description": "Actuator is included and health endpoint is accessible without authentication.",
      "max_score": 4
    },
    {
      "name": "Endpoints functional",
      "description": "All five endpoints are implemented with correct HTTP methods and status codes.",
      "max_score": 6
    }
  ]
}
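The first four criteria (package-by-feature, record DTOs, entity-DTO mapping, functional endpoints) in one concrete shape, as an added example that is not the tile's own code. It shows the entire "user" feature in a single package: the entity is the only type that ever holds passwordHash, the response record has no such component, and the mapper is the one place where entity fields become wire fields. Package, class and endpoint names are this example's own choices; it assumes Spring Boot 3.x with spring-boot-starter-web, -validation and -data-jpa on the classpath.

```java
// Added example for the checklist above, not the tile's own code: one "user" feature package
// holding entity, record DTOs, mapper, service port and controller. Shown as a single file for
// compactness; a real tree gives each type its own file under src/main/java/com/example/app/user/.
// Package, class and endpoint names are this example's own choices. Assumes Spring Boot 3.x with
// spring-boot-starter-web, -validation and -data-jpa.
package com.example.app.user;

import jakarta.persistence.Column;
import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.Id;
import jakarta.persistence.Table;
import jakarta.validation.Valid;
import jakarta.validation.constraints.Email;
import jakarta.validation.constraints.NotBlank;
import jakarta.validation.constraints.Size;
import java.time.Instant;
import java.util.UUID;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Entity: the only type that ever holds passwordHash, and it is never returned from a controller.
// The annotations describe the schema; the schema itself comes from a Flyway migration
// (V1__create_users.sql), not ddl-auto, so the unique index on email is enforced by the database.
@Entity
@Table(name = "users")
class User {
    @Id @GeneratedValue UUID id;
    @Column(nullable = false, unique = true) String email;
    @Column(name = "password_hash", nullable = false) String passwordHash;
    @Column(name = "created_at", nullable = false) Instant createdAt;
}

// Request DTO: constraints live on the record, so the entity stays free of web concerns.
// The raw password leaves this object only as the argument the service hashes.
record RegistrationRequest(
        @NotBlank @Email String email,
        @NotBlank @Size(min = 12, max = 128) String password) {
    // Records generate toString from every component; keep the password out of any log line.
    @Override
    public String toString() {
        return "RegistrationRequest[email=" + email + ", password=***]";
    }
}

// Response DTO: there is no passwordHash component, so no serializer setting can expose it.
// An admin listing gets its own record (e.g. AdminUserSummary) rather than reusing the entity.
record UserResponse(UUID id, String email, Instant createdAt) {}

// Mapper: the single chokepoint from entity to wire format. A new field here is a review event.
final class UserMapper {
    private UserMapper() {}
    static UserResponse toResponse(User u) {
        return new UserResponse(u.id, u.email, u.createdAt);
    }
}

// Service port: hashes the password with the PasswordEncoder bean and persists the entity.
// A duplicate email surfaces as DataIntegrityViolationException from the unique index; that is
// race-safe, where a "does it exist?" pre-check in the service would not be.
interface UserService {
    User register(String email, String rawPassword);
}

@RestController
@RequestMapping("/api/users")
class UserController {
    private final UserService users;
    UserController(UserService users) { this.users = users; }

    // POST /api/users -> 201 with UserResponse. @Valid turns a short password or a malformed
    // email into a 400 before the service ever sees the request.
    @PostMapping
    ResponseEntity<UserResponse> register(@Valid @RequestBody RegistrationRequest req) {
        User saved = users.register(req.email(), req.password());
        return ResponseEntity.status(HttpStatus.CREATED).body(UserMapper.toResponse(saved));
    }
}
```

The point the checklist is making is structural, not a matter of discipline: with a record that simply has no passwordHash component, there is no @JsonIgnore to forget and no serializer feature that can put the hash on the wire. The toString override matters for the same reason; a request object that reaches a log statement would otherwise print the plaintext password.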
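The "Security config in config package" and "Actuator configured" criteria, as an added example that is not the tile's own code. It assumes Spring Boot 3.x with spring-boot-starter-security and spring-boot-starter-actuator; the package name, endpoint paths and role name are this example's own choices, and HTTP Basic stands in for the token filter that a real login endpoint would install.

```java
// Added example, not the tile's own code. Assumes Spring Boot 3.x with spring-boot-starter-security
// and spring-boot-starter-actuator; package, paths and role name are this example's own choices.
// File: src/main/java/com/example/app/config/SecurityConfig.java
package com.example.app.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        return http
            // Stateless API with no session cookie: a CSRF token would protect nothing.
            // Re-enable this the day the app serves a cookie-authenticated form.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Rules are matched in order: the specific permits come before the broad denials.
            .authorizeHttpRequests(auth -> auth
                // The liveness probe must answer before any credential exists.
                .requestMatchers("/actuator/health").permitAll()
                // Self-registration and login are the only anonymous endpoints.
                .requestMatchers(HttpMethod.POST, "/api/users", "/api/auth/login").permitAll()
                // env, beans, heapdump and friends are as sensitive as the database itself.
                .requestMatchers("/actuator/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            // Stand-in authentication; a JWT-validating filter would replace this.
            .httpBasic(Customizer.withDefaults())
            .build();
    }

    // One encoder bean for the whole application. Do not lower the cost factor to speed up
    // tests; override the bean under a test profile instead.
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(12);
    }
}
```

The property side of the same criteria (multi-profile config, OSIV, graceful shutdown, actuator exposure) belongs in application.yml with per-profile overrides in application-prod.yml and similar: spring.jpa.open-in-view: false, server.shutdown: graceful, management.endpoints.web.exposure.include: health, and secrets only as placeholders such as spring.datasource.password: ${DB_PASSWORD} and app.jwt.secret: ${JWT_SECRET}. Give those placeholders no default value: an unresolved placeholder fails startup, which is the behaviour you want instead of a service quietly running with an empty secret. Leave management.endpoint.health.show-details at its default of never, since the endpoint is anonymous.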
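The "Global exception handler" criterion, as an added example that is not the tile's own code. It maps the four cases the checklist names (validation, duplicate email, not-found, authorization) plus the catch-all onto one fixed error shape, so that nothing a driver, ORM or framework puts in an exception message reaches the client. The package name and the error shape are this example's own choices; it assumes spring-boot-starter-web, -security and -data-jpa, and that the unique index on users.email is the only database constraint a client can trip.

```java
// Added example, not the tile's own code. Package name and error shape are this example's
// choices; assumes spring-boot-starter-web, -security and -data-jpa on the classpath.
// File: src/main/java/com/example/app/common/ApiExceptionHandler.java
package com.example.app.common;

import java.time.Instant;
import java.util.List;
import java.util.NoSuchElementException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.dao.DataIntegrityViolationException;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.http.converter.HttpMessageNotReadableException;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.web.bind.MethodArgumentNotValidException;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;

@RestControllerAdvice
public class ApiExceptionHandler {
    private static final Logger log = LoggerFactory.getLogger(ApiExceptionHandler.class);

    // The only error shape a client ever sees: no exception class names, stack frames or SQL.
    public record ErrorResponse(int status, String error, List<String> details, Instant timestamp) {}

    // Bean Validation failures on a @Valid record (password too short, malformed email).
    // Field names and messages come from the DTO's constraint annotations, not from the request
    // body, so echoing them is safe: "password: size must be between 12 and 128".
    @ExceptionHandler(MethodArgumentNotValidException.class)
    ResponseEntity<ErrorResponse> invalid(MethodArgumentNotValidException ex) {
        List<String> details = ex.getBindingResult().getFieldErrors().stream()
            .map(f -> f.getField() + ": " + f.getDefaultMessage())
            .toList();
        return body(HttpStatus.BAD_REQUEST, "validation failed", details);
    }

    // Malformed JSON would otherwise fall through to the 500 handler at the bottom.
    @ExceptionHandler(HttpMessageNotReadableException.class)
    ResponseEntity<ErrorResponse> unreadable(HttpMessageNotReadableException ex) {
        return body(HttpStatus.BAD_REQUEST, "malformed request body", List.of());
    }

    // Duplicate email: the unique index on users.email is assumed to be the only constraint a
    // client can trip. 409 is what a legitimate caller needs, but it also confirms the address is
    // registered; rate-limit the registration endpoint rather than pretending otherwise.
    @ExceptionHandler(DataIntegrityViolationException.class)
    ResponseEntity<ErrorResponse> conflict(DataIntegrityViolationException ex) {
        return body(HttpStatus.CONFLICT, "email already registered", List.of());
    }

    @ExceptionHandler(NoSuchElementException.class)
    ResponseEntity<ErrorResponse> notFound(NoSuchElementException ex) {
        return body(HttpStatus.NOT_FOUND, "not found", List.of());
    }

    // Method-security denials for an authenticated principal. Anonymous requests to protected
    // paths are rejected in the filter chain (401) and never reach a controller.
    @ExceptionHandler(AccessDeniedException.class)
    ResponseEntity<ErrorResponse> denied(AccessDeniedException ex) {
        return body(HttpStatus.FORBIDDEN, "forbidden", List.of());
    }

    // Everything else: full detail to the log, a fixed message to the client. Never put
    // ex.getMessage() on the wire; driver and ORM messages routinely contain SQL and values.
    @ExceptionHandler(Exception.class)
    ResponseEntity<ErrorResponse> unexpected(Exception ex) {
        log.error("unhandled exception", ex);
        return body(HttpStatus.INTERNAL_SERVER_ERROR, "internal error", List.of());
    }

    private static ResponseEntity<ErrorResponse> body(HttpStatus status, String error, List<String> details) {
        return ResponseEntity.status(status)
            .body(new ErrorResponse(status.value(), error, details, Instant.now()));
    }
}
```

Spring selects the most specific handler for an exception's type, so the Exception catch-all does not steal the AccessDeniedException or validation cases above it. The catch-all does, however, swallow Spring MVC's own exceptions (unsupported media type, missing parameter, and so on) into a 500; if you want those mapped to their natural 4xx codes, extend ResponseEntityExceptionHandler instead of handling them one by one.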
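The "Slice tests used" and "Test directory mirrors main" criteria, together with the check a reviewer most wants to see for this task: a @WebMvcTest that proves passwordHash never appears in the registration response. This is an added example, not the tile's own code. It assumes a package-private User entity with id, email, passwordHash and createdAt fields, a UserController at POST /api/users backed by UserService.register(email, rawPassword), and a SecurityConfig in com.example.app.config; all of these names are this example's own. It needs Spring Boot 3.4+ for @MockitoBean (use @MockBean on older versions).

```java
// Added example, not the tile's own code. Assumes the User/UserController/UserService/SecurityConfig
// names described in the lead-in; all are hypothetical. Spring Boot 3.4+ for @MockitoBean.
// File: src/test/java/com/example/app/user/UserControllerTest.java (mirrors src/main)
package com.example.app.user;

import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.Mockito.verifyNoInteractions;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import com.example.app.config.SecurityConfig;
import java.time.Instant;
import java.util.UUID;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.context.annotation.Import;
import org.springframework.http.MediaType;
import org.springframework.test.context.bean.override.mockito.MockitoBean;
import org.springframework.test.web.servlet.MockMvc;

// Only the web layer starts: no JPA, no Flyway, no datasource. The real SecurityConfig is
// imported because the default chain a @WebMvcTest installs (authenticate everything, CSRF on)
// would turn this anonymous POST into a 401 or 403 and test nothing about our rules.
@WebMvcTest(UserController.class)
@Import(SecurityConfig.class)
class UserControllerTest {

    @Autowired MockMvc mvc;
    @MockitoBean UserService users;

    // Constructed request body for the test.
    private static final String VALID_BODY =
        "{\"email\":\"alice@example.com\",\"password\":\"correct-horse-battery-staple\"}";

    @Test
    void registrationResponseNeverContainsPasswordHash() throws Exception {
        // Constructed entity, exactly as the service would hand it back: hash included.
        User saved = new User();
        saved.id = UUID.randomUUID();
        saved.email = "alice@example.com";
        saved.passwordHash = "$2a$12$constructed.bcrypt.hash.for.this.test.only";
        saved.createdAt = Instant.now();
        when(users.register(anyString(), anyString())).thenReturn(saved);

        mvc.perform(post("/api/users").contentType(MediaType.APPLICATION_JSON).content(VALID_BODY))
            .andExpect(status().isCreated())
            .andExpect(jsonPath("$.id").exists())
            .andExpect(jsonPath("$.email").value("alice@example.com"))
            // The property must be absent, not null: a null would still reveal the field exists.
            .andExpect(jsonPath("$.passwordHash").doesNotExist())
            .andExpect(jsonPath("$.password").doesNotExist());
    }

    @Test
    void shortPasswordIsRejectedBeforeReachingTheService() throws Exception {
        mvc.perform(post("/api/users").contentType(MediaType.APPLICATION_JSON)
                .content("{\"email\":\"alice@example.com\",\"password\":\"short\"}"))
            .andExpect(status().isBadRequest());
        // Validation happens at the controller boundary; the service is never called.
        verifyNoInteractions(users);
    }
}
```

Keep this test in the same package as the controller it exercises, which is what "test directory mirrors main" buys you: package-private types such as User and UserService are reachable without widening their visibility for the sake of the test. A @SpringBootTest for the same assertion would start Flyway and JPA and need a database, for no additional coverage of the thing being checked.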
