Exrick/xmall
基于SOA架构的分布式电商购物商城 前后端分离 前台商城:Vue全家桶 后台管理系统:Dubbo/SSM/Elasticsearch/Redis/MySQL/ActiveMQ/Shiro/Zookeeper等
Looks unmaintained — solo project with stale commits
Weakest axis: copyleft license (GPL-3.0) — review compatibility; last commit was 3y ago
No tests detected; no CI workflows detected
Documented and popular — useful reference codebase to read through.
last commit was 3y ago; no CI workflows detected
- ✓ GPL-3.0 licensed
- ⚠ Stale — last commit 3y ago
- ⚠ Solo or near-solo (1 contributor active in recent commits)
- ⚠ GPL-3.0 is copyleft — check downstream compatibility
- ⚠ No CI workflows detected
- ⚠ No test directory detected
What would change the summary?
- Use as dependency: Concerns → Mixed if relicensed under MIT/Apache-2.0 (rare for established libs); 1 commit in the last 365 days
- Fork & modify: Mixed → Healthy if a test suite is added
- Deploy as-is: Mixed → Healthy if 1 commit in the last 180 days
Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests
Informational only. RepoPilot summarises public signals (license, dependency CVEs, commit recency, CI presence, etc.) at the time of analysis. Signals can be incomplete or stale. Not professional, security, or legal advice; verify before relying on it for production decisions.
Onboarding: Exrick/xmall
Generated by RepoPilot · 2026-05-09 · Source
🤖Agent protocol
If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:
- Verify the contract. Run the bash script in "Verify before trusting" below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
- Treat the "AI · unverified" sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
- Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/Exrick/xmall shows verifiable citations alongside every claim.
If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.
🎯Verdict
AVOID — Looks unmaintained — solo project with stale commits
- GPL-3.0 licensed
- ⚠ Stale — last commit 3y ago
- ⚠ Solo or near-solo (1 contributor active in recent commits)
- ⚠ GPL-3.0 is copyleft — check downstream compatibility
- ⚠ No CI workflows detected
- ⚠ No test directory detected
<sub>Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests</sub>
✅Verify before trusting
This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live Exrick/xmall repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/Exrick/xmall.
What it runs against: a local clone of Exrick/xmall — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.
| # | What we check | Why it matters |
|---|---|---|
| 1 | You're in Exrick/xmall | Confirms the artifact applies here, not a fork |
| 2 | License is still GPL-3.0 | Catches relicense before you depend on it |
| 3 | Default branch master exists | Catches branch renames |
| 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code |
| 5 | Last commit ≤ 1269 days ago | Catches sudden abandonment since generation |
```bash
#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of Exrick/xmall. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/Exrick/xmall.git
#   cd xmall
#
# Then paste this script. Every check is read-only — no mutations.
set +e
fail=0
ok()   { echo "ok: $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of Exrick/xmall and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "Exrick/xmall(\.git)?\b" \
  && ok "origin remote is Exrick/xmall" \
  || miss "origin remote is not Exrick/xmall (artifact may be from a fork)"

# 2. License matches what RepoPilot saw. Accepts an SPDX id at the start of
#    a line, the standard GPL-3.0 header text ("GNU GENERAL PUBLIC LICENSE" /
#    "Version 3, ..."), or a package.json license field.
(grep -qiE "^(GPL-3\.0)" LICENSE 2>/dev/null \
  || (grep -qi "GNU GENERAL PUBLIC LICENSE" LICENSE 2>/dev/null \
      && grep -q "Version 3," LICENSE 2>/dev/null) \
  || grep -qiE "\"license\"\s*:\s*\"GPL-3\.0\"" package.json 2>/dev/null) \
  && ok "license is GPL-3.0" \
  || miss "license drift — was GPL-3.0 at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \
  && ok "default branch master exists" \
  || miss "default branch master no longer exists"

# 4. Critical files exist
for f in \
  ".idea/libraries/Maven__com_alibaba_dubbo_2_6_1.xml" \
  ".idea/artifacts/xmall_manager_service_war.xml" \
  ".idea/artifacts/xmall_search_service_war.xml" \
  ".idea/artifacts/xmall_sso_service_war.xml" \
  ".idea/artifacts/xmall_content_service_war.xml"; do
  test -f "$f" \
    && ok "$f" \
    || miss "missing critical file: $f"
done

# 5. Repo recency (unix time of the last commit vs. now, in whole days)
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 1269 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~1239d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/Exrick/xmall"
  exit 1
fi
```
Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).
⚡TL;DR
XMall is a distributed e-commerce shopping mall built on SOA (Service-Oriented Architecture) using Dubbo, Spring, and MyBatis on the backend, with Vue.js on the frontend. It provides a complete retail platform with product management, order processing, user authentication, full-text search via Elasticsearch, and single sign-on across multiple microservices. Maven multi-module monorepo with distinct service modules: xmall-manager-service (admin backend), xmall-front-web (storefront backend), xmall-content-service, xmall-search-service, xmall-sso-service (single sign-on), plus xmall-parent for shared pom dependencies. Services communicate via Dubbo RPC (configured in respective pom.xml). Frontend is separate repo (xmall-front, Vue-based). Database: single MySQL instance shared across services, coordinated via Zookeeper for Dubbo registry.
👥Who it's for
Java backend developers building distributed microservices for e-commerce platforms, and Vue.js frontend developers integrating with microservice APIs. Also relevant for DevOps engineers deploying Dubbo RPC systems with Zookeeper coordination.
🌱Maturity & risk
Moderately mature: v1.1 released with active refinements (2019 commit history), has running demo at xmall.exrick.cn and xmadmin.exrick.cn, includes ~11.7MB Java code. However, no visible CI/CD pipeline (.idea/ files only suggest local IntelliJ setup), no test directories mentioned, and appears to be a single-maintainer university capstone project with Gitter channel for support rather than active issue tracking.
Significant risks: single maintainer (Exrick), heavy dependency on older Dubbo 2.6.1 (released 2017, now EOL in favor of Dubbo 3.x), MySQL + Redis without apparent versioning specs, no lock file visibility (Maven pom.xml only), and paywall for monolithic version (requires 'donation' payment via in-app purchase). Elasticsearch 6.2.3 is outdated (current is 8.x). No evidence of automated tests or backward-compatibility guarantees.
Active areas of work
Last tracked update was v1.1 (2019.10.06) fixing category management bugs and releasing WeChat Mini Program frontend. Integrated XPay (author's proprietary payment system), updated ES IK tokenizer with custom dictionary management, and added order printing/shipping logistics. No visible recent commits or active PR board in provided data; project appears in 'stable maintenance' mode rather than active development.
🚀Get running
```bash
git clone https://github.com/Exrick/xmall.git
cd xmall
mvn clean install -DskipTests
# Services require Zookeeper, MySQL 5.7+, Redis, Elasticsearch 6.2.3, ActiveMQ running
# Start individual services via IDE or: mvn -pl xmall-manager-service tomcat7:run
```
Note: Frontend is separate—clone https://github.com/Exrick/xmall-front and run npm install && npm run dev in parallel.
Daily commands:
Prerequisite services (Docker or local install): docker run -d zookeeper, docker run -d mysql:5.7, docker run -d redis, docker run -d elasticsearch:6.2.3, docker run -d activemq. Then: mvn -pl xmall-manager-service,xmall-front-web tomcat7:run. Admin UI at http://localhost:8080/xmall-manager/, storefront at http://localhost:8081/xmall-front/. For full setup, see deployment docs (https://github.com/Exrick/xmall/wiki).
🗺️Map of the codebase
- .idea/libraries/Maven__com_alibaba_dubbo_2_6_1.xml — Dubbo RPC framework configuration; core to the distributed SOA architecture enabling service-to-service communication
- .idea/artifacts/xmall_manager_service_war.xml — Backend manager service artifact definition; entry point for the admin system using the Dubbo/SSM/Shiro stack
- .idea/artifacts/xmall_search_service_war.xml — Elasticsearch integration service artifact; powers product search and indexing across the mall
- .idea/artifacts/xmall_sso_service_war.xml — Single Sign-On service artifact; handles authentication/authorization via Shiro for all frontend and backend services
- .idea/artifacts/xmall_content_service_war.xml — Content/product service artifact; core business service managing catalog, products, and categories
- .idea/libraries/Maven__org_apache_activemq_activemq_all_5_11_2.xml — ActiveMQ message queue dependency; asynchronous event processing and order notification backbone
- .idea/libraries/Maven__net_sf_ehcache_ehcache_core_2_6_11.xml — EhCache dependency; distributed caching layer for session and catalog data across services
🛠️How to make changes
Add a new Dubbo service (backend microservice)
- Create a new module directory following the pattern xmall-[service-name]-service (e.g., xmall-order-service) (.idea/artifacts/xmall_content_service_war.xml)
- Define the service interface in the xmall-api project using Dubbo's @Service annotation (N/A — create in the api module)
- Implement the service class in the xmall-[service]-service module and register it with Shiro for authorization (.idea/artifacts/xmall_manager_service_war.xml)
- Add the Dubbo provider configuration in spring-dubbo.xml referencing the Zookeeper registry (.idea/libraries/Maven__com_alibaba_dubbo_2_6_1.xml)
- Add ActiveMQ event listeners in the service for async operations (e.g., order notifications) (.idea/libraries/Maven__org_apache_activemq_activemq_all_5_11_2.xml)
- Add MyBatis mapper generation for persistence via the generatorSqlmapCustom plugin (.idea/artifacts/generatorSqlmapCustom_war_exploded.xml)
Add a new product search filter in Elasticsearch
- Define the filter facet in xmall-search-service using the Elasticsearch query DSL (.idea/artifacts/xmall_search_service_war.xml)
- Update the product indexing logic in the content service to populate the new filter field (.idea/artifacts/xmall_content_service_war.xml)
- Expose the new filter endpoint via a REST controller in the search service that calls the Dubbo consumer (.idea/artifacts/xmall_search_service_war.xml)
- The frontend consumes the new filter endpoint via Vue components (see the xmall-front repo for UI) (N/A — frontend lives in the separate xmall-front repository)
Add a new async order processing workflow
- Create a new order event message producer in the manager service that publishes to an ActiveMQ topic (.idea/artifacts/xmall_manager_service_war.xml)
- Create a message consumer listener in the appropriate service (inventory/payment/shipping) (.idea/libraries/Maven__org_apache_activemq_activemq_all_5_11_2.xml)
- Use Redis or EhCache to track order processing state across async hops (.idea/libraries/Maven__net_sf_ehcache_ehcache_core_2_6_11.xml)
- Register the consumer service in SSO/Shiro if it requires an authentication context (.idea/artifacts/xmall_sso_service_war.xml)
🔧Why these technologies
- Dubbo (RPC Framework) — Enables synchronous inter-service communication with automatic service discovery via Zookeeper; preferred over REST for internal microservices in SOA
- Elasticsearch — Provides full-text search and faceted navigation for millions of products with sub-100ms response; MySQL alone insufficient for product discovery at scale
- ActiveMQ — Decouples order processing (payment, inventory, shipping) into asynchronous workflows; prevents blocking and enables retry logic
- Redis + EhCache — Redis for distributed session state across services; EhCache for local JVM caching of catalogs; reduces database load
- Shiro — Centralized security/authorization framework integrated with SSO service; manages permissions across all Dubbo services
- Vue.js (Frontend) — Modern reactive UI framework decoupled from backend; enables parallel development and easy API contract evolution
⚖️Trade-offs already made
- Distributed Dubbo microservices vs. monolithic backend
  - Why: Allows independent scaling of search, catalog, and SSO services; enables polyglot services if needed later; supports A/B testing per service
  - Consequence: Increased operational complexity (service registration, network latency, distributed tracing); more failure modes (cascading service failures)
- Asynchronous ActiveMQ for orders vs. synchronous APIs
  - Why: Payment/inventory/shipping failures don't block order creation; enables retry and compensation workflows
  - Consequence: Eventual consistency instead of ACID; requires idempotency keys and reconciliation logic; harder to debug order state
- Elasticsearch for product search vs. MySQL full-text
  - Why: Elasticsearch supports faceted navigation, typo tolerance, and scales to millions of SKUs; MySQL FULLTEXT is inadequate for e-commerce UX
  - Consequence: Additional infrastructure to maintain; index synchronization lag between catalog and search; costs
- Distributed session caching (Redis) vs. sticky sessions
  - Why: Enables horizontal scaling of frontend/API servers without affinity; users can hit any server
  - Consequence: Added network I/O for every session check; Redis becomes a single point of failure (mitigated by clustering)
🚫Non-goals (don't propose these)
- Real-time inventory (orders processed asynchronously with eventual consistency)
- Multi-currency or multi-language (backend designed for single region/language)
- Mobile app backend optimization (frontend is web Vue SPA, separate weapp project for mini-program)
- Blockchain or Web3 integration
- GraphQL API (REST + Dubbo only)
🪤Traps & gotchas
1. Service Discovery: Zookeeper MUST be running and reachable at localhost:2181 (or as configured in dubbo.properties) before any service starts, or Dubbo registration fails silently.
2. Database Initialization: the xmall-specific MySQL schema is NOT auto-created; it requires a manual SQL script import (check xmall/doc/ or the wiki for schema.sql).
3. ElasticSearch Cluster Name: v1.1 changed the ES cluster name to plain 'elasticsearch' (not 'my-application'); old configs will fail to connect.
4. Paywall Trap: the monolithic version is locked behind a donation paywall; only the distributed version is open-source.
5. Old Dubbo Version: Dubbo 2.6.1 has known CVEs; there is no automatic migration path to 3.x due to API breaks.
6. No Vertical Scaling: all services share a single MySQL + Redis; there is no data sharding design, so the database layer is the bottleneck.
🏗️Architecture
💡Concepts to learn
- Service-Oriented Architecture (SOA) — XMall's entire design revolves around SOA—breaking monolithic concerns into independent Dubbo services (manager, search, sso, content); understanding service boundaries, interface contracts, and registry is foundational.
- Dubbo RPC Framework — Dubbo is the glue binding all XMall microservices; it handles service registration (via Zookeeper), request routing, and fault tolerance—knowledge of Dubbo config (dubbo.properties, service interfaces) is essential.
- Zookeeper Service Registry — XMall uses Zookeeper (not Consul or Eureka) to maintain the Dubbo service registry; all services register themselves on startup, and clients discover endpoints from Zookeeper—failures here cascade across all services.
- Elasticsearch Inverted Index & IK Tokenization — XMall's product search relies on ES inverted indices with IK Chinese word tokenizer; v1.1 allows admin to manage custom dictionary expansion (adding domain-specific product terms); understanding how analyzers work is vital for search relevance tuning.
- MyBatis Code Generation & Mapper XML — generatorSqlmapCustom module auto-generates MyBatis mapper XML and POJO classes from MySQL schema; regenerating after schema changes is common, but requires understanding of MyBatis <resultMap> and <sql> fragments.
- Apache Shiro Authentication & Authorization — xmall-sso-service uses Shiro realms to validate user credentials across multiple services; Shiro's subject/principal/permission model is how role-based access control (RBAC) for admin dashboard is enforced.
- ActiveMQ Asynchronous Messaging — Order processing uses ActiveMQ (not RabbitMQ/Kafka) for async workflows (e.g., order confirmation emails, inventory updates); understanding message producers/consumers and queue configuration prevents blocking synchronous calls.
🔗Related repos
- Exrick/xmall-front — Official Vue.js frontend for XMall; required companion repo that calls the Dubbo backend services via HTTP REST endpoints
- Exrick/xmall-weapp — WeChat Mini Program frontend (released in v1.1); shares backend APIs with xmall but targets mobile, demonstrating the multi-client architecture
- Exrick/xpay — Personal payment gateway system integrated into XMall v1.1; handles credit processing without app; author's separate open-source project for monetization
- Exrick/x-boot — Author's front-end/back-end separation development platform (Spring Boot + Vue); shares architectural patterns (SSM stack, Shiro auth, Redis caching) with XMall but with a simpler single-service scope
- apache/dubbo — Official Dubbo RPC framework; XMall pins Dubbo 2.6.1 for service-to-service calls and registry via Zookeeper; understanding Dubbo internals is critical for extending this codebase
🪄PR ideas
To work on one of these in Claude Code or Cursor, paste:
Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.
Upgrade MySQL connector and address deprecated dependencies in generatorSqlmapCustom
The pom.xml uses mysql-connector-java 5.1.32 (released 2014) and mybatis-generator 1.3.5 (2016), both deprecated. MySQL 8.0+ requires newer connectors. This upgrade will improve security, compatibility with modern MySQL versions, and reduce technical debt across the entire SOA architecture that depends on this code generator.
- [ ] Update mysql-connector-java from 5.1.32 to 8.0.33 (or latest stable) in generatorSqlmapCustom/pom.xml
- [ ] Update mybatis-generator-maven-plugin and mybatis-generator-core from 1.3.5 to 1.4.1+ in the same pom.xml
- [ ] Test code generation against existing generator configuration files to ensure backward compatibility
- [ ] Run all dependent service modules (xmall_manager_service, xmall_content_service, xmall_search_service) to verify generated code still compiles and functions correctly
- [ ] Document breaking changes (if any) in CHANGELOG or migration guide
Add unit tests for MyBatis DAO layer classes generated by generatorSqlmapCustom
The repository has no visible test files despite being a distributed e-commerce system with multiple services using Dubbo/MyBatis. Generated DAO classes (from xmall_manager_service, xmall_content_service, etc.) need test coverage. This ensures data access layer correctness and prevents regressions during dependency upgrades.
- [ ] Create test directory structure: src/test/java/cn/exrick/xmall/{manager,content,search}_service/dao/
- [ ] Write unit tests using Spring Test + MyBatis TestContext for core DAO operations (CRUD) for high-traffic entities like Product, Order, User
- [ ] Configure test MySQL database (H2 or TestContainers for isolation) in src/test/resources/application-test.properties
- [ ] Add test dependencies to parent pom.xml: junit, spring-test, and h2 or testcontainers
- [ ] Document test execution in README.md with mvn test or service-specific test commands
Create GitHub Actions CI/CD workflow for multi-service build and integration tests
This SOA architecture has 6+ interdependent services (manager, content, search, sso, front-web) with complex Dubbo/Zookeeper/ActiveMQ integration, but no automated CI visible. A GitHub Actions workflow will catch build breaks, dependency conflicts, and integration issues before merging—critical for a distributed system where manual testing across services is error-prone.
- [ ] Create .github/workflows/maven-build.yml to run mvn clean install on all pull requests
- [ ] Add a service-specific build matrix for: generatorSqlmapCustom, xmall-parent, xmall_manager_service, xmall_content_service, xmall_search_service, xmall_sso_service
- [ ] Configure workflow to cache Maven dependencies (.m2) to reduce CI run time
- [ ] Add lint step to verify no uncommitted .idea/ IDE files are being committed (reference .gitignore violations)
- [ ] Document in CONTRIBUTING.md that CI must pass before PRs are reviewed, and how to reproduce locally
🌿Good first issues
- Add integration tests for the Dubbo service layer: create xmall-manager-service/src/test/java/cn/exrick/manager/service/ProductServiceTest.java with mock Zookeeper/MySQL to verify Dubbo RPC calls without spinning up the full cluster.
- Document Elasticsearch query DSL customization: xmall-search-service lacks inline comments explaining how the IK tokenizer configs in elasticsearch.yml map to the custom dictionary expansion UI in the admin panel; add a detailed guide to the xmall wiki.
- Implement ActiveMQ consumer error handling: order async messaging in xmall-manager-service/src/main/java/cn/exrick/manager/mq/ lacks dead-letter queue (DLQ) setup; add poison message handling and retry logic with exponential backoff.
📝Recent commits
- 19e7917 — Update Linux.md (Exrick)
- b3526e8 — Update Linux.md (Exrick)
- b146cce — Update Nginx.md (Exrick)
- 54e64aa — Update Redis.md (Exrick)
- bd0fbb6 — Update Linux.md (Exrick)
- 090f4d7 — Update Linux.md (Exrick)
- ba216cd — Update Linux.md (Exrick)
- 602c775 — Update README.md (Exrick)
- c391aa5 — Update Linux.md (Exrick)
- ee50e1b — Update README.md (Exrick)
🔒Security observations
- Critical · Outdated MySQL Connector with Known Vulnerabilities — generatorSqlmapCustom/pom.xml and xmall-parent/pom.xml. The project uses mysql-connector-java version 5.1.32 (released 2014), which contains multiple CVEs including CVE-2015-2573, CVE-2015-4429, and others. This version has been superseded and is no longer maintained. Fix: Upgrade to mysql-connector-java 5.1.49 or preferably to the 8.0.x series. Review all dependencies for EOL versions.
- Critical · Outdated Dubbo Framework with Known Vulnerabilities — .idea/libraries/Maven__com_alibaba_dubbo_2_6_1.xml. The project uses Dubbo 2.6.1 (released 2018), which has reached EOL and contains multiple security vulnerabilities including deserialization issues (CVE-2019-2725, CVE-2020-1938). This is a critical RPC framework that handles inter-service communication. Fix: Upgrade to Dubbo 2.7.x or later (preferably 3.x). Review security advisories: https://dubbo.apache.org/en/docs/references/protocols/dubbo/
- Critical · Outdated ActiveMQ with Critical RCE Vulnerability — .idea/libraries/Maven__org_apache_activemq_activemq_all_5_11_2.xml. The project uses ActiveMQ 5.11.2 (released 2015), which contains CVE-2015-4852 and other vulnerabilities. More critically, older 5.x versions are vulnerable to remote code execution via crafted serialized objects. Fix: Upgrade to ActiveMQ 5.15.16+ or 5.16.x/5.17.x depending on Java version. Apply security patches immediately.
- High · Multiple Outdated Dependencies with Known CVEs — .idea/libraries/ directory and transitive dependencies. Several dependencies are significantly outdated: Elasticsearch client libraries, Zookeeper clients (curator 4.0.1), Jackson 2.9.1, Netty 4.1.16, etc. These accumulate multiple CVEs including deserialization attacks, information disclosure, and DoS vulnerabilities. Fix: Perform a comprehensive dependency audit using 'mvn dependency:tree' and 'mvn org.owasp:dependency-check-maven:check'. Update all dependencies to the latest stable versions. Consider using Dependabot or similar tools.
- High · Use of Log4j 1.2.x with Known Vulnerabilities — .idea/libraries/Maven__log4j_log4j_1_2_*.xml. The project includes log4j 1.2.16 and 1.2.17, which are EOL and contain CVE-2021-44228 (Log4Shell) in the 1.2.x branch as well as other vulnerabilities. Although 1.2.x has limited exposure to Log4Shell compared to 2.x, it still poses security risks. Fix: Migrate from Log4j 1.x to SLF4J + Logback or upgrade to Log4j 2.17.1+. Ensure all appenders are properly configured.
- High · Potential SQL Injection via MyBatis Generator Configuration — generatorSqlmapCustom/ module, potential mapper XML files. The project uses MyBatis Generator for the ORM layer. If the generator configuration files are not properly secured and the resulting code uses dynamic SQL without parameterization, SQL injection is possible. The presence of jsqlparser and pagination plugins increases the surface area. Fix: Review all generated mapper XML files to ensure parameterized queries (#{}) are used, not string concatenation (${}), for user input. Implement input validation at the service layer. Use prepared statements exclusively.
- High · Outdated Curator (Zookeeper Client) with Connection Security Issues — .idea/libraries/Maven__org_apache_curator_curator_*.xml. Curator 4.0.1 is from 2016 and predates several security improvements for Zookeeper connections, ACLs, and authentication mechanisms. Fix: Upgrade Curator to 4.3.0+ or
LLM-derived; treat as a starting point, not a security audit.
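The mapper review recommended in the SQL injection item above (bound #{} parameters rather than spliced ${} text) can be scripted. The following is an added example, not code from the xmall project: a Python audit that parses a MyBatis mapper XML and flags every ${...} inside a SQL-bearing element. The sample mapper, its namespace and its table name are constructed for illustration.

```python
# Added example (not part of xmall): audit a MyBatis mapper XML for `${...}`
# string substitution. MyBatis splices `${...}` into the SQL text verbatim,
# whereas `#{...}` becomes a JDBC prepared-statement parameter.
import re
import xml.etree.ElementTree as ET

# Elements whose body is SQL in a MyBatis mapper file.
SQL_ELEMENTS = {"select", "insert", "update", "delete", "sql"}
SUBST_RE = re.compile(r"\$\{([^}]*)\}")   # ${...}  -> raw string substitution
PARAM_RE = re.compile(r"#\{([^}]*)\}")    # #{...}  -> bound parameter


def _all_text(elem):
    """Concatenate the element's text plus the text and tails of nested
    dynamic-SQL tags such as <if>, <foreach> and <include>."""
    return "".join(elem.itertext())


def audit_mapper(xml_text):
    """Return findings as (statement id, tag, substituted expression) for each
    ${...} found in a SQL-bearing element, in document order."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if elem.tag not in SQL_ELEMENTS:
            continue  # <if>/<foreach> bodies are covered via their parent's itertext()
        body = _all_text(elem)
        stmt_id = elem.get("id", "<no id>")
        for m in SUBST_RE.finditer(body):
            findings.append((stmt_id, elem.tag, m.group(1).strip()))
    return findings


def count_parameters(xml_text):
    """Number of #{...} bound parameters across all SQL-bearing elements."""
    root = ET.fromstring(xml_text)
    return sum(len(PARAM_RE.findall(_all_text(e)))
               for e in root.iter() if e.tag in SQL_ELEMENTS)


# Constructed sample mapper (hypothetical namespace and table; not from xmall).
# Two statements bind their input, two splice it into the SQL text.
SAMPLE_MAPPER = """<mapper namespace="example.mapper.TbItemMapper">
  <sql id="Base_Column_List">id, title, price, status</sql>
  <select id="selectByPrimaryKey" resultType="map">
    select <include refid="Base_Column_List"/> from tb_item where id = #{id}
  </select>
  <select id="searchByTitle" resultType="map">
    select id, title from tb_item where title like '%${keyword}%'
  </select>
  <select id="listSorted" resultType="map">
    select id, title from tb_item
    <if test="orderBy != null">order by ${orderBy}</if>
  </select>
  <update id="updateStatus">
    update tb_item set status = #{status} where id = #{id}
  </update>
</mapper>
"""

if __name__ == "__main__":
    for stmt_id, tag, expr in audit_mapper(SAMPLE_MAPPER):
        print(f'REVIEW <{tag} id="{stmt_id}">: ${{{expr}}} is spliced into the SQL unescaped')
    print(f"bound parameters (#{{...}}): {count_parameters(SAMPLE_MAPPER)}")
```

${} has legitimate uses, such as an ORDER BY column chosen from a server-side whitelist, so each finding is a review item rather than an automatic defect.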
👉Where to read next
- Open issues — current backlog
- Recent PRs — what's actively shipping
- Source on GitHub
Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.