MX-230: Improve the CodeRabbit yml file for Spring boot

[ansh-varshney]

Fixes: MX-230

• Switch profile from 'chill' to 'assertive' to align with request_changes_workflow enforcement.
• Ban @Autowired on fields explicitly; require constructor injection.
• Add explicit forbidden import list for domain layer (Spring, JPA, Hibernate, Jersey, Jackson, Swagger namespaces).
• Define standard SS-XXXX error response schema in API layer rules.
• Add dedicated sections for handler (CQRS), Liquibase migrations, and split pom.xml / README.md into separate path rules.
• Consolidate cross-cutting rules (logging ban, secrets, magic numbers) into global section to eliminate duplication.
• Enforce @transactional(readOnly=true) on read-only service methods.
• Add finishing_touches: true for auto Javadoc/test suggestions.

Summary by CodeRabbit

• Chores
  • Strengthened repository review configuration to an assertive profile and enabled finishing-touch checks (docstrings, unit-test guidance, simplifications).
  • Introduced repo-wide standards: security/secret handling, logging restrictions, complexity limits, stricter Java conventions (DI/Lombok/exception/nullability/controller API rules), layered DDD guidance, testing constraints, migration file placement conventions, and updated build/runtime and README requirements (modern Java/Spring versions, formatting and coverage enforcement).

[coderabbitai]

Warning

Rate limit exceeded

@ansh-varshney has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 3 minutes and 54 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 3 minutes and 54 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ef3854af-6dd2-4e6a-869f-d7437cdd45c5

📥 Commits

Reviewing files that changed from the base of the PR and between 3fcf4f0 and ef84bcd.

📒 Files selected for processing (1)

• .coderabbit.yaml

📝 Walkthrough

Walkthrough

Switched .coderabbit.yaml review profile from chill to assertive and expanded the review ruleset with comprehensive repo-wide standards covering global security/logging checks, Java/Spring-specific constraints, DDD-layer guidance, test and Liquibase migration rules, and build/README enforcement. (50 words)

Changes

Cohort / File(s)

Summary

Review Configuration /.coderabbit.yaml

Replaced profile chill → assertive; enabled reviews.finishing_touches (docstrings, unit_tests, simplify). Rewrote path_instructions into a detailed standards suite: global rules (secrets, logging bans, cyclomatic limit, SQL concat checks), Java/Spring rules (ban field @Autowired/@Inject, restrict Lombok @Data, ban @SneakyThrows, API/null/exception/controller rules), DDD package/layer rules (controller error-response shape, OpenAPI required, service transaction/readOnly placement, blocking-I/O flags, forbidden domain imports), CQRS/handler constraints, test requirements (tooling/structure, ban @SpringBootTest in unit tests), Liquibase migration standards under src/main/resources/db/changelog/**, and build/README constraints (Java 21+/Spring Boot 3+, dependency scope/snapshot checks, Spotless/Jacoco, README completeness). Lines changed roughly +326/−124.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• Refactor .coderabbit.yaml for improved review guidelines #104: Edits .coderabbit.yaml with overlapping changes to review profile and rule content.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the primary change: updating the CodeRabbit YAML configuration file with more assertive review rules and standards for Spring Boot projects.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.coderabbit.yaml:
- Line 21: The config sets finishing_touches as a boolean but the schema
requires an object; replace the boolean value for the finishing_touches key with
an object containing the nested properties (docstrings, unit_tests, simplify,
custom) and populate each with the appropriate type/values (e.g., booleans or
sub-objects per your schema) so the config validates—look for the
finishing_touches key and ensure it becomes an object with the docstrings,
unit_tests, simplify, and custom fields instead of true/false.
- Around line 186-220: The domain classes AppSelfServiceUserClientMapping,
AppSelfServiceUser, SelfServiceRegistration, and SelfBeneficiariesTPT currently
contain prohibited JPA annotations/imports; remove all jakarta.persistence (and
javax.persistence) imports and annotations from these domain classes, preserve
only pure domain logic (constructors/factories, invariants, value-object
immutability, equals/hashCode based on identity) and move all persistence
mapping into new or existing infrastructure-layer JPA entity or mapper classes
(e.g., create corresponding JPA entity DTOs and mapping methods or use a
dedicated infrastructure mapper to translate between the domain objects and
persistence entities), and ensure repository types in the domain remain
interfaces only (implementations live in infrastructure).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7ddd67ed-a485-486f-839b-6f14e274db1c

📥 Commits

Reviewing files that changed from the base of the PR and between 7e574f4 and 4cb7754.

📒 Files selected for processing (1)

• .coderabbit.yaml

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if existing domain layer classes use JPA annotations
rg -l 'jakarta\.persistence\.' --glob '**/domain/**/*.java' || echo "No JPA imports found in domain layer"

Repository: openMF/selfservice-plugin

Length of output: 455

---

Domain layer contains prohibited JPA annotations that violate framework independence rules.

The .coderabbit.yaml configuration explicitly forbids jakarta.persistence.* imports in domain classes. The following files violate this rule:

• src/main/java/org/apache/fineract/selfservice/useradministration/domain/AppSelfServiceUserClientMapping.java
• src/main/java/org/apache/fineract/selfservice/useradministration/domain/AppSelfServiceUser.java
• src/main/java/org/apache/fineract/selfservice/registration/domain/SelfServiceRegistration.java
• src/main/java/org/apache/fineract/selfservice/account/domain/SelfBeneficiariesTPT.java

Remove JPA annotations from these domain classes and relocate persistence mapping logic to the infrastructure layer.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.coderabbit.yaml around lines 186 - 220, The domain classes
AppSelfServiceUserClientMapping, AppSelfServiceUser, SelfServiceRegistration,
and SelfBeneficiariesTPT currently contain prohibited JPA annotations/imports;
remove all jakarta.persistence (and javax.persistence) imports and annotations
from these domain classes, preserve only pure domain logic
(constructors/factories, invariants, value-object immutability, equals/hashCode
based on identity) and move all persistence mapping into new or existing
infrastructure-layer JPA entity or mapper classes (e.g., create corresponding
JPA entity DTOs and mapping methods or use a dedicated infrastructure mapper to
translate between the domain objects and persistence entities), and ensure
repository types in the domain remain interfaces only (implementations live in
infrastructure).

[coderabbitai]

🧹 Nitpick comments (2)

.coderabbit.yaml (2)

380-381: Broken link detection is a manual review instruction.

CodeRabbit does not automatically verify URL availability or file path existence. This instruction will require manual reviewer verification or integration of a separate link-checking tool in the CI pipeline.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.coderabbit.yaml around lines 380 - 381, The rule "Must not contain broken
links" in .coderabbit.yaml is currently a manual-only instruction and cannot be
enforced automatically; update the configuration or workflow to either (A) mark
this rule explicitly as "manual review required" in the rule metadata and
clarify the reviewer action, or (B) integrate an automated link-checking step
into CI (e.g., add a job that runs a tool like markdown-link-check, linkinator,
or a custom script) that validates HTTP 4xx/5xx responses and repo file path
existence, then reference that job in the policy so the rule is enforced
automatically during PRs.

---

89-94: Dependency injection rules will flag existing codebase patterns.

The rule on line 93 correctly states that @Autowired on constructors is redundant since Spring 4.3. However, existing code (e.g., SelfSavingsDataValidator) uses this pattern and will be flagged. Additionally, SelfServiceSecurityConfiguration has 14+ field-level @Autowired annotations that violate the ban on line 90.

Consider whether a migration plan or tracking issue should accompany this enforcement.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.coderabbit.yaml around lines 89 - 94, The rule flags field-level and
constructor-level `@Autowired/`@Inject usages; update offending classes (e.g.,
SelfServiceSecurityConfiguration and SelfSavingsDataValidator) to use
constructor injection: remove `@Autowired/`@Inject from fields and constructors,
make injected dependencies final, and either add an explicit constructor or
annotate the class with Lombok's `@RequiredArgsConstructor` to generate it; ensure
all former field injections become constructor parameters and delete redundant
`@Autowired` on constructors so the code conforms to the STRICT DI policy.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.coderabbit.yaml:
- Around line 380-381: The rule "Must not contain broken links" in
.coderabbit.yaml is currently a manual-only instruction and cannot be enforced
automatically; update the configuration or workflow to either (A) mark this rule
explicitly as "manual review required" in the rule metadata and clarify the
reviewer action, or (B) integrate an automated link-checking step into CI (e.g.,
add a job that runs a tool like markdown-link-check, linkinator, or a custom
script) that validates HTTP 4xx/5xx responses and repo file path existence, then
reference that job in the policy so the rule is enforced automatically during
PRs.
- Around line 89-94: The rule flags field-level and constructor-level
`@Autowired/`@Inject usages; update offending classes (e.g.,
SelfServiceSecurityConfiguration and SelfSavingsDataValidator) to use
constructor injection: remove `@Autowired/`@Inject from fields and constructors,
make injected dependencies final, and either add an explicit constructor or
annotate the class with Lombok's `@RequiredArgsConstructor` to generate it; ensure
all former field injections become constructor parameters and delete redundant
`@Autowired` on constructors so the code conforms to the STRICT DI policy.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c51be6b0-d271-43bd-8a1b-8f7570493795

📥 Commits

Reviewing files that changed from the base of the PR and between 4cb7754 and 3fcf4f0.

📒 Files selected for processing (1)

• .coderabbit.yaml

[IOhacker]

I am setting this "Request changes" until we fix the tech debt. Please feel free to add your comments!!