feat: add java-to-typescript skill

[aksOps]

Summary

• Adds a new skill java-to-typescript under skills/java-to-typescript/ for migrating Java services (Spring Boot, Quarkus, Micronaut, Spring MVC) to TypeScript across four phased gates (Analyze → Plan → Port → Verify).
• Ships the orchestrator (SKILL.md), four deterministic companion scripts (pom-to-workspace, record-fixtures, replay-fixtures + lib/), a 20-entry library registry, 13 reference docs, and a complete eval harness (E1 deterministic + E2/E3 mock-mode LLM-judged + E4 manual smoke).
• POM pre-set to 0.0.0 so the auto-publish workflow patch-bumps to 0.0.1 as the first Maven Central release.

What's in here

Scripts	4 scripts + 3 lib helpers, 44/44 Vitest unit tests, tsc --noEmit clean under strict + noUncheckedIndexedAccess + exactOptionalPropertyTypes
Registry	library-map.yaml — 20 entries + 18 default_picks (Express + tsyringe + zod + drizzle + pino + decimal.js + temporal-polyfill + vitest)
References	1 framework (spring-boot), 1 target (express), 1 runtime (node), 6 categories (persistence/validation/di/logging/config/testing), 3 cross-cutting (type-fidelity/build-layout/migration-modes)
Eval fixture	spring-boot-users — Maven multi-module + expected/ artifacts + sample/ reference inputs (plan.md + tsc-clean+vitest-green TS port)
Eval results	E1 PASS · E2 mean 9.00 ± 0.00 (mock, n=5) · E3 mean 8.00 ± 0.00 (mock, n=5, hard gate green)
Vendored	fast-xml-parser 4.5.0 (MIT) for air-gap pom parsing
CI	New .github/workflows/eval.yml runs typecheck + unit + E1 on PRs touching this skill
Bundle	java-to-typescript-0.0.0-bin.zip ~82 KB, 96 files (no tests, no node_modules, no fixture targets)

Constraints upheld (per design spec)

• LLM does all translation. Scripts are deterministic plumbing only — no codemod, no AST rewriter, no auto-translator anywhere in the skill.
• No runtime internet. Registry is the source of truth; context7 is not called at runtime; unmapped libs escalate to the user via AskUserQuestion.
• Air-gap friendly. Vendored XML parser; documented proxied-registry pattern for npm install.

Release behavior

Per publish.yml, merging this PR to main will:

1. Detect skills/java-to-typescript/** changed.
2. Bump pom from 0.0.0 → 0.0.1.
3. Publish io.github.randomcodespace.ai:java-to-typescript:0.0.1 to Maven Central via the Central Portal.
4. Create GitHub release java-to-typescript-v0.0.1 with the bundle as an attached zip.
5. Push the bumped pom back to main with [skip ci].

gitlab-helper:0.1.5 is untouched.

Test plan

• CI eval workflow runs and passes (typecheck + 44/44 unit tests + E1 deterministic eval).
• Local: cd skills/java-to-typescript && npx tsc --noEmit && npx vitest run — should be clean + 44/44.
• Local: npx tsx evals/runner.ts --eval all — E1 PASS, E2/E3 produce mock scores.
• Manual: mvn -pl skills/java-to-typescript package -DskipTests builds the bundle with 96 files (no tests, no node_modules).
• On merge: confirm publish.yml succeeds, io.github.randomcodespace.ai:java-to-typescript:0.0.1 appears on Maven Central, GitHub release java-to-typescript-v0.0.1 is created.

Follow-ups (M1 — separate plan)

• Quarkus / Micronaut / Spring MVC reference files; Koa / Hono / Restify targets; Bun / Deno runtimes.
• Remaining ~80 library registry entries.
• Two more eval fixtures (quarkus-orders, micronaut-products).
• Gradle Kotlin DSL parser (currently a documented stub).
• LLM-judged E2/E3 wired into a release-time workflow (ANTHROPIC_API_KEY secret).

🤖 Generated with Claude Code

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	maven/​org.hibernate.orm/​hibernate-core@​6.5.2.Final
	maven/​com.h2database/​h2@​2.3.232
	npm/​@​types/​express@​4.17.25
	npm/​@​anthropic-ai/​sdk@​0.96.0
	npm/​vitest@​2.1.9
	npm/​reflect-metadata@​0.2.2
	npm/​decimal.js@​10.6.0
	npm/​@​types/​node@​22.19.19
	npm/​tsx@​4.22.1
	npm/​tsyringe@​4.10.0
	npm/​drizzle-orm@​0.36.4
	npm/​typescript@​5.9.3
	maven/​org.springframework.boot/​spring-boot-starter-validation@​3.3.4
	maven/​org.springframework.boot/​spring-boot-starter-web@​3.3.4
	maven/​org.springframework.boot/​spring-boot-starter-data-jpa@​3.3.4
	npm/​pino@​9.14.0
	npm/​express@​4.22.2
	npm/​zod@​3.25.76

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Critical CVE: Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT in maven org.apache.tomcat.embed:tomcat-embed-core CVE: GHSA-83qj-6fr2-vhqg Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT (CRITICAL) Affected versions: >= 11.0.0-M1 < 11.0.3; >= 10.1.0-M1 < 10.1.35; >= 9.0.0.M1 < 9.0.99; >= 8.5.0 <= 8.5.100 Patched version: 10.1.35 From: pom.xml → maven/org.springframework.boot/spring-boot-starter-web@3.3.4 → maven/org.apache.tomcat.embed/tomcat-embed-core@10.1.30 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/org.apache.tomcat.embed/tomcat-embed-core@10.1.30. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: Apache Tomcat: CLIENT_CERT authentication does not fail as expected in maven org.apache.tomcat.embed:tomcat-embed-core CVE: GHSA-95jq-rwvf-vjx4 Apache Tomcat: CLIENT_CERT authentication does not fail as expected (CRITICAL) Affected versions: >= 9.0.83 < 9.0.116; >= 10.1.0-M7 < 10.1.53; >= 11.0.0-M1 < 11.0.20 Patched version: 10.1.53 From: pom.xml → maven/org.springframework.boot/spring-boot-starter-web@3.3.4 → maven/org.apache.tomcat.embed/tomcat-embed-core@10.1.30 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/org.apache.tomcat.embed/tomcat-embed-core@10.1.30. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report