Add java-reviewer agent for Java and Spring Boot code review#528

Merged
affaan-m merged 4 commits into affaan-m:main from yashwardhan17:add-java-reviewer on Mar 16, 2026

Conversation


yashwardhan17 (Contributor) commented Mar 16, 2026

What

Adds agents/java-reviewer.md — a Java and Spring Boot code reviewer agent.

Why

Java was missing as a language-specific reviewer alongside Go, Kotlin, and Python. This fills that gap following the exact same structure as go-reviewer.md and kotlin-reviewer.md.

What it covers

  • CRITICAL: SQL injection, hardcoded secrets, PII logging, missing @Valid, swallowed exceptions
  • HIGH: Field injection, business logic in controllers, wrong @Transactional placement, N+1 queries, entity exposed in response
  • MEDIUM: Mutable singleton fields, unbounded @Async, weak test names, missing Mockito extension
  • Workflow/state-machine patterns: idempotency, illegal state transitions, compensation flows, exponential backoff with jitter

Summary by cubic

Adds a java-reviewer agent for Java and Spring Boot that reviews changed .java files, runs mvn verify/./gradlew check, and reports severity-ranked findings on security, correctness, and Spring best practices. It reports only and escalates any CRITICAL security issue to security-reviewer.

  • New Features

    • Adds java-reviewer in agents/java-reviewer.md with tools Read, Grep, Glob, Bash.
    • Flow: scoped git diff for .java, run build checks, focus on modified files, then report.
    • Checks: SQL/command/code injection, path traversal, PII/logging, REST/JPA patterns, concurrency, testing, and workflow/state-machine.
    • Output: severity-ranked findings with fix snippets and a one-line quality rating.
  • Bug Fixes

    • Registers the agent in AGENTS.md.
    • Fixes tools format and narrows git diff to Java files.
    • Expands diagnostics (Checkstyle, SpotBugs, OWASP dependency check) and targeted grep.
    • Adds CRITICAL escalation, path/command injection checks, and corrects skill: springboot-patterns.

Written for commit 1848c54. Summary will update on new commits.

Summary by CodeRabbit

  • New Features

    • Added a Java/Spring Boot code-review agent that performs structured reviews, ranks findings by severity, suggests concrete fixes for high-severity issues, and returns a one-line quality rating plus top actionable change.
  • Documentation

    • Updated agent listings and guidance for the new Java/Spring Boot reviewer, including activation steps, reporting expectations, and review behavior notes.


coderabbitai bot commented Mar 16, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Walkthrough

Adds a new Java/Spring Boot code-review agent specification (agents/java-reviewer.md) and registers it in AGENTS.md; defines metadata, activation triggers, a structured multi-step review workflow, severity-based reporting, Java/Spring-specific checklist, diagnostic commands, and approval criteria.

Changes

Java Review Agent Spec (agents/java-reviewer.md): New agent specification describing a senior Java/Spring Boot reviewer: metadata (name, model, tools), activation triggers (modified .java files, Spring components, /java-review), stepwise review workflow (discovery, reading, checklist-driven analysis), severity categories (CRITICAL/HIGH/MEDIUM) across multiple concern areas, reporting format, diagnostic commands, and approval criteria.
Agents Registry (AGENTS.md): Added java-reviewer entry to the public agents list / Available Agents table with description and purpose "Java and Spring Boot code review".

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Repo as Repository/FS
    participant Agent as JavaReviewerAgent
    participant Model as LLM/Tooling

    User->>Agent: Trigger review (file change or `/java-review`)
    Agent->>Repo: Discover relevant files (`*.java`, Spring components)
    Agent->>Repo: Read file contents
    Agent->>Model: Request analysis using checklist and rules
    Model-->>Agent: Return findings (severity, snippets)
    Agent-->>Repo: (optional) collect diagnostics/commands output
    Agent-->>User: Publish structured report (CRITICAL→GOOD, score, top action)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • affaan-m

Poem

🐰 I nibble beans and bytes with care,
I hop through Spring in morning air,
I flag a bug, suggest a tweak,
No refactor — just notes I speak,
Hop on, compile, and cheer!

🚥 Pre-merge checks (3 passed)

Description Check: Passed. Check skipped; CodeRabbit's high-level summary is enabled.
Title check: Passed. The title accurately and concisely describes the main change: adding a new java-reviewer agent for Java/Spring Boot code review, which is directly reflected in the changeset.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai bot left a comment

🧹 Nitpick comments (1)
agents/java-reviewer.md (1)

86-86: Use “or” instead of “/” for clearer prose in the checklist.

Line 86 reads cleaner as “@Service, @Component, or @Controller classes.”

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@agents/java-reviewer.md` at line 86, Change the prose in the checklist to use
"or" instead of "/" for clarity: update the sentence that mentions `@Service` /
`@Component` / `@Controller` to read "`@Service`, `@Component`, or `@Controller`
classes" so it explicitly lists the annotations and avoids the slash shorthand.


📥 Commits

Reviewing files that changed from the base of the PR and between b489309 and 73908c0.

📒 Files selected for processing (1)
  • agents/java-reviewer.md


greptile-apps bot commented Mar 16, 2026

Greptile Summary

This PR introduces agents/java-reviewer.md, a Java and Spring Boot code-review agent that fills the gap alongside the existing go-reviewer, kotlin-reviewer, and python-reviewer. It follows the established agent pattern closely (correct tools frontmatter, git diff -- '*.java' scope, report-only stance, security-reviewer escalation, valid skill: springboot-patterns reference, Approval Criteria, and Diagnostic Commands), with all issues raised in prior review rounds addressed.

Key observations:

  • AGENTS.md count mismatch: Adding java-reviewer brings the total to 21 agents, but the header ("providing 20 specialized agents") and the Project Structure comment (agents/ — 20 specialized subagents) were not updated, leaving both stale.
  • Invasive Step 2 build command: mvn verify -q runs the full Maven lifecycle (compile → test → integration-test → verify), which can be slow and environment-sensitive. Peer agents (go-reviewer, python-reviewer) use lightweight, read-only static analysis instead. Replacing this with ./mvnw checkstyle:check or ./mvnw spotbugs:check would align with the established pattern.
  • Coverage is thorough: CRITICAL through MEDIUM severity tiers cover SQL injection, command injection, path traversal, ScriptEngine code injection, hardcoded secrets, PII logging, field injection, N+1 queries, unbounded async, and workflow/state-machine patterns — all well-suited to Spring Boot codebases.

Confidence Score: 4/5

  • Safe to merge after fixing the agent count in AGENTS.md; the reviewer agent itself is solid.
  • The PR is a documentation-only addition (a new agent markdown file plus a one-line AGENTS.md table entry). All security and structural issues raised in prior review rounds have been addressed. The remaining concerns are a stale count in AGENTS.md (factual but harmless) and a preference for lighter diagnostic commands in the workflow steps — neither blocks correctness or security.
  • AGENTS.md — the "20 specialized agents" count on line 3 and the Project Structure comment need to be updated to 21.

Important Files Changed

AGENTS.md: Adds java-reviewer row to the agent table, but fails to update the "20 specialized agents" count in the header (line 3) or the Project Structure comment (line 136); both should now read 21.
agents/java-reviewer.md: Solid Java/Spring Boot reviewer agent with comprehensive security checks (SQL injection, command injection, path traversal, code injection), correct skill: springboot-patterns reference, and proper escalation to security-reviewer on CRITICAL findings. Minor concern: Step 2 runs mvn verify -q (full lifecycle) rather than the lighter static-analysis commands used by peer agents.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[java-reviewer invoked] --> B[git diff -- '*.java']
    B --> C{Changes found?}
    C -- No --> D[git diff --staged or git log]
    C -- Yes --> E[mvn verify -q / ./gradlew check]
    E --> F[Focus on modified .java files]
    F --> G[CRITICAL Security checks]
    G --> H{CRITICAL security issue?}
    H -- Yes --> I[Stop & escalate to security-reviewer]
    H -- No --> J[CRITICAL Error Handling checks]
    J --> K[HIGH Spring Boot Architecture checks]
    K --> L[HIGH JPA / Database checks]
    L --> M[MEDIUM checks]
    M --> N[Approval Criteria]
    N --> O{Severity verdict}
    O -- No CRITICAL/HIGH --> P[Approve]
    O -- MEDIUM only --> Q[Warning]
    O -- CRITICAL or HIGH --> R[Block]

Last reviewed commit: 1848c54

cubic-dev-ai bot left a comment

2 issues found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="agents/java-reviewer.md">

<violation number="1" location="agents/java-reviewer.md:24">
P1: Java file discovery is arbitrarily truncated to 60 files, which can exclude relevant code and degrade review accuracy.</violation>

<violation number="2" location="agents/java-reviewer.md:30">
P2: Build context discovery omits `build.gradle.kts`, risking wrong Java/Spring version assumptions and incompatible review advice.</violation>
</file>


coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
agents/java-reviewer.md (1)

9-10: Improve determinism of scope discovery and build-tool detection.

Lines 9-10 state to run git diff -- '*.java' and mvn verify -q or ./gradlew check with no explicit diff base, but line 78 asks to read pom.xml/build.gradle to determine the build tool before reviewing. This creates a logical inconsistency: the initial workflow suggests running build commands before detecting which one is available. To improve reliability:

  1. Check for pom.xml, build.gradle, or build.gradle.kts first
  2. Use the matching build command deterministically
  3. Use an explicit diff base (e.g., git diff origin/main...HEAD -- '*.java') to avoid scope gaps from local git state
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@agents/java-reviewer.md` around lines 9 - 10, Update the workflow in
agents/java-reviewer.md so scope discovery and build-tool detection are
deterministic: first check for the presence of pom.xml, build.gradle, or
build.gradle.kts and pick the build command (mvn verify -q for Maven or
./gradlew check for Gradle) accordingly before running any build step, replace
the generic git diff -- '*.java' with an explicit diff base such as git diff
origin/main...HEAD -- '*.java' to avoid local-state gaps, and ensure the
selected command (mvn verify -q or ./gradlew check) is used consistently after
detection.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@AGENTS.md`:
- Line 30: The document's top summary count is out of date after adding the new
agent java-reviewer: update the headline agent count (the numeric summary at the
top of AGENTS.md that currently reads 16) to reflect the new total of 17 so it
matches the table entry for java-reviewer; ensure the summary number is
incremented anywhere that top-level agent count is mentioned.



📥 Commits

Reviewing files that changed from the base of the PR and between 73908c0 and 026bbcf.

📒 Files selected for processing (2)
  • AGENTS.md
  • agents/java-reviewer.md

cubic-dev-ai bot left a comment

1 issue found across 2 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="AGENTS.md">

<violation number="1" location="AGENTS.md:30">
P2: Adding `java-reviewer` made AGENTS.md inventory counts stale (`16 specialized agents` and `13 specialized subagents`).</violation>
</file>


coderabbitai bot left a comment

🧹 Nitpick comments (2)
agents/java-reviewer.md (2)

67-79: Make diagnostics explicitly tool-conditional.

Given Line 79, consider splitting commands into clear “Maven path” and “Gradle path” blocks (wrapper-first) so users don’t run incompatible commands by mistake.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@agents/java-reviewer.md` around lines 67 - 79, Update the "Diagnostic
Commands" section to separate Maven and Gradle workflows so users only run
compatible commands: create two labeled blocks "Maven (wrapper-first)" and
"Gradle (wrapper-first)" and move commands like ./mvnw checkstyle:check, ./mvnw
spotbugs:check, ./mvnw test, ./mvnw dependency-check:check, and mvn verify into
the Maven block (prefer wrapper ./mvnw), and move ./gradlew check and ./gradlew
(wrapper) equivalents into the Gradle block; keep the git diff and grep lines as
shared checks but add a short note before the blocks to read
pom.xml/build.gradle to detect the build tool first.

51-51: Add Java version detection before enforcing Java 16+ idioms.

Line 51 recommends using pattern matching for instanceof checks (Java 16+), but line 79 only requires detecting build tool and Spring Boot version. Add explicit Java version detection (e.g., checking maven.compiler.source, targetCompatibility, or toolchain) before applying Java 16+ rules to avoid false positives on Java 8/11 projects.

Also applies to: 79-79

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@agents/java-reviewer.md` at line 51, The "Missed pattern matching" instanceof
rule should first detect the project's Java language level before suggesting
Java 16+ idioms: update the checker that flags `instanceof`+cast to read build
settings (e.g., maven property `maven.compiler.source`/`maven.compiler.target`,
Gradle `targetCompatibility`/`sourceCompatibility`, or a Java toolchain
declaration) and only apply the pattern-matching recommendation when the
resolved Java version is >=16; reuse the existing Spring/build-tool detection
logic (the same detection used near the Spring Boot/version checks) to determine
project Java version and skip or downgrade the rule for Java 8/11 projects.


📥 Commits

Reviewing files that changed from the base of the PR and between 026bbcf and 71fa1b2.

📒 Files selected for processing (2)
  • AGENTS.md
  • agents/java-reviewer.md

cubic-dev-ai bot left a comment

2 issues found across 2 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="AGENTS.md">

<violation number="1" location="AGENTS.md:3">
P2: Agent inventory count is incorrect on the modified line; AGENTS.md says 17 agents but the repository currently has 19 agent definitions.</violation>
</file>

<file name="agents/java-reviewer.md">

<violation number="1" location="agents/java-reviewer.md:18">
P2: ScriptEngine is an in-process code execution sink, not an OS command invocation. Grouping it under command injection and suggesting sanitization as mitigation can understate the risk and mislead reviewers; untrusted ScriptEngine.eval usage generally requires avoidance or sandboxing rather than “sanitize and continue.”</violation>
</file>


coderabbitai bot left a comment

🧹 Nitpick comments (1)
agents/java-reviewer.md (1)

74-85: Split diagnostics by build tool to avoid invalid command runs.

The current block mixes Maven and Gradle flows in one list. Consider separating into explicit “Maven” vs “Gradle” command sets so the agent doesn’t run irrelevant commands and report noisy failures.

Suggested restructuring
 ## Diagnostic Commands
 ```bash
-git diff -- '*.java'
-mvn verify -q
-./gradlew check                              # Gradle equivalent
-./mvnw checkstyle:check                      # style
-./mvnw spotbugs:check                        # static analysis
-./mvnw test                                  # unit tests
-./mvnw dependency-check:check                # CVE scan (OWASP plugin)
-grep -rn "@Autowired" src/main/java --include="*.java"
-grep -rn "FetchType.EAGER" src/main/java --include="*.java"
+# Common
+git diff -- '*.java'
+grep -rn "@Autowired" src/main/java --include="*.java"
+grep -rn "FetchType.EAGER" src/main/java --include="*.java"
+
+# Maven projects
+./mvnw verify -q
+./mvnw checkstyle:check
+./mvnw spotbugs:check
+./mvnw test
+./mvnw dependency-check:check
+
+# Gradle projects
+./gradlew check
+./gradlew test
+# (run Checkstyle/SpotBugs/OWASP tasks only if configured in the Gradle build)
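Review bot: `./mvnw verify -q` in the new Maven block still runs the full lifecycle through the integration-test phase, so this restructuring fixes the Maven/Gradle mix-up but keeps the slow, environment-sensitive step that the greptile review asked to drop; list `./mvnw checkstyle:check` and `./mvnw spotbugs:check` first and make `verify` optional. The wrapper-first commands also assume `./mvnw` and `./gradlew` are checked in; say what the agent should do when they are absent (fall back to `mvn`/`gradle`, or skip the step) so a missing wrapper is not reported as a code finding.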

Read pom.xml, build.gradle, or build.gradle.kts to determine the build tool and Spring Boot version before reviewing.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @agents/java-reviewer.md around lines 74 - 85, The command list in
agents/java-reviewer.md mixes Maven and Gradle commands causing irrelevant runs;
split the block into a short "Common" section (keep git diff and the grep checks
for @Autowired and FetchType.EAGER) and two tool-specific sections ("Maven
projects" with ./mvnw verify -q, ./mvnw checkstyle:check, ./mvnw spotbugs:check,
./mvnw test, ./mvnw dependency-check:check) and ("Gradle projects" with
./gradlew check, ./gradlew test and optional Checkstyle/SpotBugs/OWASP tasks),
and update the instruction line to first read pom.xml or build.gradle(.kts) to
detect the build tool before running the appropriate command set.



📥 Commits

Reviewing files that changed from the base of the PR and between 71fa1b27dcf7c7827a531a2630e45899551cca96 and 13e0603846ffa45eb2e18c35b77e002c552f5172.

📒 Files selected for processing (2)
  • AGENTS.md
  • agents/java-reviewer.md

🚧 Files skipped from review as they are similar to previous changes (1)
  • AGENTS.md

cubic-dev-ai bot left a comment

3 issues found across 2 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="agents/java-reviewer.md">

<violation number="1" location="agents/java-reviewer.md:22">
P1: Path traversal rule gives incorrect/incomplete remediation: `getCanonicalPath()` is not a `Path` API and canonicalization alone is insufficient without base-directory containment checks.</violation>

<violation number="2" location="agents/java-reviewer.md:28">
P1: Early-stop escalation on first CRITICAL security finding can suppress other CRITICAL/HIGH Java/Spring findings in the same review.</violation>
</file>

<file name="AGENTS.md">

<violation number="1" location="AGENTS.md:3">
P2: Agent count in the updated header is inconsistent with the actual agent list, causing internal documentation contradiction.</violation>
</file>


- **SQL injection**: String concatenation in `@Query` or `JdbcTemplate` — use bind parameters (`:param` or `?`)
- **Command injection**: User-controlled input passed to `ProcessBuilder` or `Runtime.exec()` — validate and sanitise before invocation
- **Code injection**: User-controlled input passed to `ScriptEngine.eval(...)` — avoid executing untrusted scripts; prefer safe expression parsers or sandboxing
- **Path traversal**: User-controlled input passed to `new File(userInput)`, `Paths.get(userInput)`, or `FileInputStream(userInput)` without `getCanonicalPath()` validation
cubic-dev-ai bot commented Mar 16, 2026

P1: Path traversal rule gives incorrect/incomplete remediation: getCanonicalPath() is not a Path API and canonicalization alone is insufficient without base-directory containment checks.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At agents/java-reviewer.md, line 22:

<comment>Path traversal rule gives incorrect/incomplete remediation: `getCanonicalPath()` is not a `Path` API and canonicalization alone is insufficient without base-directory containment checks.</comment>

<file context>
@@ -11,16 +11,22 @@ When invoked:
-- **Command injection**: User-controlled input passed to `ProcessBuilder`, `Runtime.exec()`, or `ScriptEngine` — validate and sanitise before any process invocation
+- **Command injection**: User-controlled input passed to `ProcessBuilder` or `Runtime.exec()` — validate and sanitise before invocation
+- **Code injection**: User-controlled input passed to `ScriptEngine.eval(...)` — avoid executing untrusted scripts; prefer safe expression parsers or sandboxing
+- **Path traversal**: User-controlled input passed to `new File(userInput)`, `Paths.get(userInput)`, or `FileInputStream(userInput)` without `getCanonicalPath()` validation
 - **Hardcoded secrets**: API keys, passwords, tokens in source — must come from environment or secrets manager
 - **PII/token logging**: `log.info(...)` calls near auth code that expose passwords or tokens
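Review bot: the remediation on the new command-injection line, "validate and sanitise before invocation", is too weak a bar for a CRITICAL item and invites a regex as the fix; the rule should require that user input is never interpolated into a shell string (`sh -c`, `cmd /c`) and is only ever passed as a separate `ProcessBuilder` or `Runtime.exec(String[])` argument, with the executable itself taken from an allowlist. The path-traversal line has the same gap: `getCanonicalPath()` is a `java.io.File` method, not a `Path` one, and canonicalising without then checking that the result starts with the allowed base directory rejects nothing, so the rule should name the containment check explicitly.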
</file context>
Suggested change
- **Path traversal**: User-controlled input passed to `new File(userInput)`, `Paths.get(userInput)`, or `FileInputStream(userInput)` without `getCanonicalPath()` validation
- **Path traversal**: User-controlled input used in file APIs (`File`, `Path`, `FileInputStream`) without safe path validation — resolve/canonicalize (`File#getCanonicalPath()` or `Path#normalize()/toRealPath()` as appropriate) and enforce that the resolved path stays within an allowed base directory (plus input allowlisting where possible)
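An added example, not code from agents/java-reviewer.md or from this PR, showing the remediation the CRITICAL checklist items in the PR description ("SQL injection, hardcoded secrets, ..." and the path/command injection checks) and the four rule lines quoted above should actually demand for path traversal and command injection: canonicalise, then check containment against the base directory, and pass user-influenced values as discrete argv entries with the executable taken from an allowlist. The `ALLOWED_TOOLS` set, the `uploads` temporary directory and the probe inputs are constructed for the demo; on a host without `/etc/passwd` the absolute probes are rejected as missing files rather than as escapes, which is still a rejection.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;
import java.util.Set;

// Added example for this PR thread, not code from agents/java-reviewer.md or the
// repository under review. It shows the remediation shape the CRITICAL "path
// traversal" and "command injection" checklist items should ask for. The tool
// allowlist and the "uploads" base directory are constructed for the demo.
public final class SafeSinks {

    // Hypothetical allowlist of executables the service is permitted to launch.
    private static final Set<String> ALLOWED_TOOLS = Set.of("pdftotext", "exiftool");

    /**
     * Resolve a user-supplied file name inside baseDir and return its real path,
     * or throw. Canonicalising alone is not a check: "../x" canonicalises
     * perfectly well to a path outside the base. The check is startsWith(base)
     * on the canonical result.
     */
    public static Path resolveWithin(Path baseDir, String userInput) throws IOException {
        // Canonicalise the base once; toRealPath() follows symlinks (e.g. /tmp on macOS).
        Path realBase = baseDir.toRealPath();
        // resolve() drops the base when userInput is absolute, and normalize()
        // collapses "..": both cases end up outside realBase and fail the check below.
        Path candidate = realBase.resolve(userInput).normalize();
        // toRealPath() also follows symlinks inside the base that point outside it,
        // and throws NoSuchFileException for names that do not exist, which is the
        // right answer for a read path.
        Path real = candidate.toRealPath();
        if (!real.startsWith(realBase)) {
            throw new SecurityException("path escapes base directory: " + userInput);
        }
        return real;
    }

    /**
     * Build the argv for an allowlisted tool. The user-influenced value is one
     * discrete argument, never part of a shell string, so ';', '|', '$(...)' or
     * spaces in the file name are plain bytes in argv[1] and are never interpreted.
     * The vulnerable shape this replaces is
     *   Runtime.getRuntime().exec("sh -c '" + tool + " " + userInput + "'").
     */
    public static List<String> commandFor(String tool, Path inputFile) {
        if (!ALLOWED_TOOLS.contains(tool)) {
            throw new SecurityException("tool not allowlisted: " + tool);
        }
        return List.of(tool, inputFile.toString());
    }

    /** Launch with ProcessBuilder's list form; no shell is involved. */
    public static int run(String tool, Path inputFile) throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(commandFor(tool, inputFile));
        pb.redirectErrorStream(true);
        return pb.start().waitFor();
    }

    public static void main(String[] args) throws Exception {
        // Constructed fixture: a temporary base directory holding one legitimate file.
        Path base = Files.createTempDirectory("uploads");
        Path ok = Files.writeString(base.resolve("report.pdf"), "not really a pdf");

        System.out.println("accepted: " + resolveWithin(base, "report.pdf"));
        for (String bad : List.of("../../etc/passwd", "/etc/passwd", "sub/../../../etc/hosts")) {
            try {
                resolveWithin(base, bad);
                System.out.println("UNEXPECTED accept: " + bad);
            } catch (SecurityException | IOException e) {
                // SecurityException when the target exists outside the base,
                // NoSuchFileException when it does not; both are rejections.
                System.out.println("rejected " + bad + " (" + e.getClass().getSimpleName() + ")");
            }
        }

        // A hostile file name stays a single argv element instead of becoming shell syntax.
        System.out.println(commandFor("pdftotext", base.resolve("a; id.pdf")));
        try {
            commandFor("bash", ok);
        } catch (SecurityException e) {
            System.out.println("rejected tool: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SafeSinks.java && java SafeSinks` (Java 11 or later). The `run` method is deliberately not invoked from `main` because the allowlisted tools may not be installed; `commandFor` is the part a reviewer should look for in a code base, and `resolveWithin` is what the checklist's "without `getCanonicalPath()` validation" wording should be replaced with.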

yashwardhan17 (Contributor, Author) commented

Addressed all structural feedback from the automated reviewers across 3 rounds of fixes — tools format, git diff scope, diagnostic commands, AGENTS.md registration, report-only disclaimer, path traversal, command/code injection separation, and security escalation. The remaining bot suggestions are contradictory (agent count flip-flopping between 17 and 19) and minor wording preferences. Happy to make any changes a maintainer requests.

You are a senior Java engineer ensuring high standards of idiomatic Java and Spring Boot best practices.
When invoked:
1. Run `git diff -- '*.java'` to see recent Java file changes
2. Run `mvn verify -q` or `./gradlew check` if available

mvn verify is far more invasive than peer reviewers' diagnostics

Step 2 tells the agent to run mvn verify -q, which executes the full Maven lifecycle: compile → test → integration-test → verify. This can:

  • Take minutes on any non-trivial project
  • Fail for environment reasons (missing DB, missing env vars, network) with no relationship to the code under review
  • Potentially produce side-effects (build artifacts, generated sources)

Compare with peer agents, which run fast, read-only static analysis:

  • go-reviewer: go vet ./... and staticcheck ./...
  • python-reviewer: equivalent linting commands

Consider replacing mvn verify -q with lighter-weight static checks, mirroring the diagnostic commands listed later in the file:

Suggested change
2. Run `mvn verify -q` or `./gradlew check` if available
2. Run `./mvnw checkstyle:check` or `./mvnw spotbugs:check` if available

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
agents/java-reviewer.md (1)

1-92: Add commands/java-review.md command for parity with other language reviewers.

The java-reviewer agent exists and is registered in AGENTS.md, but unlike Go, Kotlin, Python, and Rust reviewers, there is no corresponding commands/java-review.md entry. Create this command file to maintain consistency with the existing pattern of language-specific review commands.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@agents/java-reviewer.md` around lines 1 - 92, Create a new command file that
registers the existing agent "java-reviewer" with the same pattern used by other
language reviewers: name the command "java-review", include the description
"Expert Java and Spring Boot code reviewer...", and copy the invocation steps
(run git diff -- '*.java', run mvn verify -q or ./gradlew check, focus on
modified .java files, begin review immediately) plus the Review Priorities and
Diagnostic Commands sections from agents/java-reviewer.md so the command mirrors
Go/Kotlin/Python/Rust reviewers; ensure the file's front-matter matches the
other commands (name, description, tools) and references the "java-reviewer"
agent name.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@agents/java-reviewer.md`:
- Around line 73-86: The diagnostic commands block currently mixes Maven wrapper
commands (mvn, ./mvnw ...) with Gradle commands and can miss checks on
Gradle-only repos; update the diagnostics in the "Diagnostic Commands" section
so they first detect the build tool (presence of pom.xml or
build.gradle/build.gradle.kts or gradlew) and then run the appropriate branch:
for Maven projects run mvn verify -q and the ./mvnw checks (checkstyle,
spotbugs, test, dependency-check), and for Gradle projects run ./gradlew check
plus any configured Gradle equivalents (e.g., checkstyleMain, spotbugsMain,
test, dependencyCheckAnalyze); keep the common grep lines for `@Autowired` and
FetchType.EAGER unchanged.

---

Nitpick comments:
In `@agents/java-reviewer.md`:
- Around line 1-92: Create a new command file that registers the existing agent
"java-reviewer" with the same pattern used by other language reviewers: name the
command "java-review", include the description "Expert Java and Spring Boot code
reviewer...", and copy the invocation steps (run git diff -- '*.java', run mvn
verify -q or ./gradlew check, focus on modified .java files, begin review
immediately) plus the Review Priorities and Diagnostic Commands sections from
agents/java-reviewer.md so the command mirrors Go/Kotlin/Python/Rust reviewers;
ensure the file's front-matter matches the other commands (name, description,
tools) and references the "java-reviewer" agent name.


📥 Commits

Reviewing files that changed from the base of the PR and between 13e0603 and 1848c54.

📒 Files selected for processing (2)
  • AGENTS.md
  • agents/java-reviewer.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • AGENTS.md

Comment on lines +73 to +86
## Diagnostic Commands
```bash
git diff -- '*.java'
mvn verify -q
./gradlew check # Gradle equivalent
./mvnw checkstyle:check # style
./mvnw spotbugs:check # static analysis
./mvnw test # unit tests
./mvnw dependency-check:check # CVE scan (OWASP plugin)
grep -rn "@Autowired" src/main/java --include="*.java"
grep -rn "FetchType.EAGER" src/main/java --include="*.java"
```
Read `pom.xml`, `build.gradle`, or `build.gradle.kts` to determine the build tool and Spring Boot version before reviewing.

Contributor


⚠️ Potential issue | 🟠 Major

Make diagnostics explicitly build-tool-aware to avoid false negatives on Gradle projects.

Line 77 includes Gradle, but Lines 78-81 are Maven-wrapper-only commands. For Gradle-only repos, this can skip style/security checks despite the agent being “for all Java code changes” (Line 3). Split diagnostics into Maven vs Gradle branches with equivalent checks.

Suggested adjustment
 ## Diagnostic Commands
 ```bash
 git diff -- '*.java'
-mvn verify -q
-./gradlew check                              # Gradle equivalent
-./mvnw checkstyle:check                      # style
-./mvnw spotbugs:check                        # static analysis
-./mvnw test                                  # unit tests
-./mvnw dependency-check:check                # CVE scan (OWASP plugin)
+# Maven projects (pom.xml / mvnw)
+mvn verify -q
+./mvnw checkstyle:check
+./mvnw spotbugs:check
+./mvnw test
+./mvnw dependency-check:check
+
+# Gradle projects (build.gradle / build.gradle.kts / gradlew)
+./gradlew check
+# If configured in Gradle:
+# ./gradlew checkstyleMain spotbugsMain test dependencyCheckAnalyze
 grep -rn "@Autowired" src/main/java --include="*.java"
 grep -rn "FetchType.EAGER" src/main/java --include="*.java"
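Review bot: the two branches in the suggested block are separated only by comments, so an agent running the block verbatim still executes `mvn verify -q` and the `./mvnw` goals on a Gradle-only repo (and `./gradlew check` on a Maven repo), which is exactly the false-negative case the comment wants to avoid; guard each branch with a file test such as `if [ -f pom.xml ]; then ... elif [ -x ./gradlew ]; then ... fi`. The Maven branch also keeps `mvn verify -q` (which the other review comment above flags as running the full lifecycle) and then runs `./mvnw test` after it, which is redundant because the verify phase already executes the test phase.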
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @agents/java-reviewer.md around lines 73 - 86, The diagnostic commands block
currently mixes Maven wrapper commands (mvn, ./mvnw ...) with Gradle commands
and can miss checks on Gradle-only repos; update the diagnostics in the
"Diagnostic Commands" section so they first detect the build tool (presence of
pom.xml or build.gradle/build.gradle.kts or gradlew) and then run the
appropriate branch: for Maven projects run mvn verify -q and the ./mvnw checks
(checkstyle, spotbugs, test, dependency-check), and for Gradle projects run
./gradlew check plus any configured Gradle equivalents (e.g., checkstyleMain,
spotbugsMain, test, dependencyCheckAnalyze); keep the common grep lines for
@Autowired and FetchType.EAGER unchanged.


</details>


<!-- This is an auto-generated comment by CodeRabbit -->
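Both the comment above about `mvn verify` being invasive and CodeRabbit's build-tool-aware suggestion point at the same fix. As an added example that is not part of this PR or the java-reviewer agent, here is a POSIX shell version that detects the build tool from the files present and then runs only fast static checks for that tool; it assumes the Checkstyle, SpotBugs and OWASP dependency-check plugins are configured in the reviewed project under their standard goal and task names.

```shell
# Added example, not part of the PR's java-reviewer.md: detect the build tool
# from the files present and run only fast, read-only checks for it. Assumes
# the Checkstyle, SpotBugs and OWASP dependency-check plugins are configured.

# detect_build_tool DIR -> prints "maven", "gradle" or "unknown"
detect_build_tool() {
  dir="${1:-.}"
  if [ -f "$dir/pom.xml" ]; then
    echo maven
  elif [ -f "$dir/build.gradle" ] || [ -f "$dir/build.gradle.kts" ] \
       || [ -x "$dir/gradlew" ]; then
    echo gradle
  else
    echo unknown
  fi
}

# diagnostic_commands TOOL -> prints one command per line. Full lifecycles
# (mvn verify, ./gradlew build) are left out on purpose: they execute tests
# and can fail for environment reasons unrelated to the diff.
diagnostic_commands() {
  case "$1" in
    maven)
      mvn_cmd=mvn
      [ -x ./mvnw ] && mvn_cmd=./mvnw   # prefer the wrapper's pinned version
      printf '%s\n' \
        "$mvn_cmd -q checkstyle:check" \
        "$mvn_cmd -q spotbugs:check" \
        "$mvn_cmd -q dependency-check:check" ;;
    gradle)
      printf '%s\n' \
        "./gradlew checkstyleMain" \
        "./gradlew spotbugsMain" \
        "./gradlew dependencyCheckAnalyze" ;;
    *) return 1 ;;
  esac
}

# run_diagnostics: tool-specific checks, then the common greps from the agent
# file. A failing check is reported, not fatal, so later findings still show.
run_diagnostics() {
  tool=$(detect_build_tool .)
  diagnostic_commands "$tool" | while IFS= read -r cmd; do
    echo "+ $cmd"
    sh -c "$cmd" || echo "!! $cmd exited $?"
  done
  grep -rn "@Autowired" src/main/java --include="*.java"
  grep -rn "FetchType.EAGER" src/main/java --include="*.java"
}
```

Call `run_diagnostics` from the repository root; a repo with neither `pom.xml` nor Gradle files gets only the two greps.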

@yashwardhan17
Contributor Author

Just rebased to resolve the AGENTS.md merge conflict with upstream main. The agent content in java-reviewer.md is unchanged. Ready to merge whenever you are.
