Read-only checklist for Jakarta Bean Validation on Spring API models (DTOs, request bodies). Produces a markdown report with PASS/FAIL; does not modify source files.
Use when adding @PostMapping / @PutMapping endpoints or changing DTO shapes. Relates to quality-gates.mdc Gate 1 (controller @Valid + BindingResult where applicable).

Include types that cross the HTTP boundary, for example:

- `**/*Request.java`, `**/*Response.java`, `**/*Dto.java`, `**/*DTO.java`
- @RequestBody parameters (discover via a controller scan in the same change or module)
- record types used as API request bodies

Exclude unless explicitly in scope:

- @Entity classes (validation rules differ; use the persistence-layer review)

Adjust globs per repo layout (e.g. api.dto, web.model).
This skill only instructs analysis and reporting. The agent must not apply fixes unless the user or Zeus brief explicitly authorizes edits.
For each @RequestBody parameter:

- The controller parameter carries @Valid (or @Validated with the appropriate group) when the type contains constrained fields.
- Nested objects: @Valid on the nested property inside the parent type; without it, constraints declared on the nested type never execute.

For each type in scope:

- Fields carry the constraints their contract requires (@NotNull, @NotBlank, @Size, @Email, @Min/@Max, @Pattern).
- A field may omit @NotNull only where null is explicitly allowed and handled; document this as an assumption in the report.
- Missing @NotNull / custom validator — likely HIGH if the type maps unvalidated JSON to persistence or security-sensitive operations.
- Response types: usually fewer constraints; flag if sensitive data could leak through unbounded collections or unvalidated maps — MEDIUM informational.
If @Validated groups or @Constraint are used, note in the report whether group sequences are consistent with controller @Validated usage.
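The checks above, as an added worked example that is not part of this skill or of any project it is run against; package, type and endpoint names are assumed. One request type and controller path would PASS, the other would produce the HIGH/MEDIUM findings the checklist describes.

```java
package com.example.api.dto; // assumed package for this example

import jakarta.validation.Valid;
import jakarta.validation.constraints.Email;
import jakarta.validation.constraints.NotBlank;
import jakarta.validation.constraints.NotNull;
import jakarta.validation.constraints.Size;
import java.util.List;
import java.util.Map;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Nested value object: its constraints only fire when the parent field is marked @Valid.
record AddressDto(
        @NotBlank @Size(max = 120) String street,
        @NotBlank @Size(max = 64) String city,
        @NotBlank @Size(min = 2, max = 2) String countryCode) {}

// Would PASS the checklist: every field bounded, nested object cascaded, collection bounded.
record CreateUserRequest(
        @NotBlank @Email @Size(max = 254) String email,
        @NotBlank @Size(min = 1, max = 100) String displayName,
        @NotNull @Valid AddressDto address,                       // nested @Valid cascades validation
        @NotNull @Size(max = 10) List<@NotBlank String> roles) {} // bounded list, no blank elements

// Would FAIL the checklist: each field maps to a finding in the report.
record CreateUserRequestWeak(
        String email,                // HIGH: String email, no @Email / @NotBlank on a POST body
        AddressDto address,          // MEDIUM: nested type is constrained but not cascaded with @Valid
        Map<String, Object> extra) {} // MEDIUM/HIGH: unvalidated map that may reach persistence

@RestController
class UserController {
    // PASS for this path: @Valid on the @RequestBody parameter, so an invalid body is
    // rejected with 400 (MethodArgumentNotValidException) before the handler runs.
    @PostMapping("/users")
    ResponseEntity<Void> create(@Valid @RequestBody CreateUserRequest body) {
        return ResponseEntity.accepted().build();
    }

    // FAIL for this path: no @Valid, so even constraints present on the type never execute.
    @PostMapping("/users/legacy")
    ResponseEntity<Void> createLegacy(@RequestBody CreateUserRequestWeak body) {
        return ResponseEntity.accepted().build();
    }
}
```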
Emit, in order:

1. Scope — globs and packages analyzed; list of files (or count + samples).
2. Findings table:

   | File | Line or symbol | Issue | Severity | Fix hint |
   |------|----------------|-------|----------|----------|

   Severity: HIGH (unvalidated user input on write path), MEDIUM (missing nested @Valid, weak bounds), LOW (style / optional clarity).
3. Verdict — single line: PASS (no HIGH/MEDIUM) or FAIL (one or more HIGH/MEDIUM).
4. Assumptions — bullets for anything not verifiable without compilation or tests.
Acceptance checks:

- String email field and no @Email / @NotBlank on a POST body → at least one MEDIUM or HIGH finding.
- @Valid on the controller parameter and nested @Valid where needed → PASS for that path.

Registered in .cursor/rules/tool-registry.mdc as draft until Zeus verifies output on a real PR; then move the row status to active.