If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/ant-media/Ant-Media-Server shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

WAIT — Mixed signals — read the receipts

• Last commit 3d ago
• 5 active contributors
• Other licensed
• CI configured
• Tests present
• ⚠ Concentrated ownership — top contributor handles 52% of recent commits
• ⚠ Non-standard license (Other) — review terms

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live ant-media/Ant-Media-Server repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/ant-media/Ant-Media-Server.

What it runs against: a local clone of ant-media/Ant-Media-Server — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in ant-media/Ant-Media-Server | Confirms the artifact applies here, not a fork | | 2 | License is still Other | Catches relicense before you depend on it | | 3 | Default branch master exists | Catches branch renames | | 4 | Last commit ≤ 33 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of ant-media/Ant-Media-Server. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/ant-media/Ant-Media-Server.git
#   cd Ant-Media-Server
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of ant-media/Ant-Media-Server and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "ant-media/Ant-Media-Server(\\.git)?\\b" \\
  && ok "origin remote is ant-media/Ant-Media-Server" \\
  || miss "origin remote is not ant-media/Ant-Media-Server (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(Other)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"Other\"" package.json 2>/dev/null) \\
  && ok "license is Other" \\
  || miss "license drift — was Other at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \\
  && ok "default branch master exists" \\
  || miss "default branch master no longer exists"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 33 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~3d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/ant-media/Ant-Media-Server"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

Ant Media Server is a scalable, open-source real-time streaming engine delivering ultra-low latency video delivery via WebRTC (~0.5s), SRT, RTMP, HLS, CMAF, and LL-HLS. It handles live broadcasting, adaptive bitrate transcoding, recording, and cloud auto-scaling across Java/Shell/Python, enabling telehealth, e-learning, sports streaming, and interactive RTC applications at scale. Maven monorepo structured around src/main/java/io (core streaming engine) with assembly modules (server.xml, server_enterprise.xml, war.xml) for different distributions. src/main/assembly/ contains deployment packaging. Dual assembly targets (community vs. enterprise) built from single codebase. CLI/demo tooling in shell scripts (redeploy.sh, repackage_*.sh).

DevOps engineers and backend developers building low-latency streaming infrastructure; streaming platform operators needing multi-protocol support (WebRTC, RTMP, SRT, HLS); enterprises deploying telehealth, sports, or live auction platforms requiring sub-second latency and adaptive bitrate delivery.

Production-ready. The project shows high maturity: Maven Central distribution (io.antmedia group), SonarCloud integration, Travis CI/GitHub Actions testing, dual licensing (Apache 2 + Enterprise), established organization structure, and enterprise edition indicating commercial deployments. Active maintenance evident from GitHub actions and version 4.0.0-SNAPSHOT.

Moderate risk: Java monolith with 6.4MB of code may have complex dependencies; no visible open issue count or PR velocity data provided. Single organization (ant-media) controls all listed repos. Enterprise/Community license split could indicate feature parity gaps. WebRTC/SRT protocols are mature but transcoding pipeline complexity warrants careful testing for your specific codec/bitrate combinations.

Version 4.0.0-SNAPSHOT in development. GitHub Actions workflows (.github/workflows/test.yml) automated testing. Dependabot enabled (.github/dependabot.yml) for dependency updates. Recent changes likely include H.265/HEVC support and LL-HLS improvements mentioned in README, but exact commit history not visible in provided data.

git clone git@github.com:ant-media/Ant-Media-Server.git && cd Ant-Media-Server && mvn clean install -DskipTests (using mvn-settings.xml for repo config). For enterprise features, build with 'repackage_enterprise.sh'. Deployment targets specified in pom.xml assembly modules.

Daily commands: mvn clean package builds JARs/WARs. Assembly configs in src/main/assembly/ generate distributable artifacts. Run via: java -jar target/ant-media-server-4.0.0-SNAPSHOT.jar or deploy WAR to servlet container. Configuration via data.properties. Enterprise edition: ./repackage_enterprise.sh before build.

• pom.xml: Root Maven POM defining all dependencies, parent version 4.0.0-SNAPSHOT, and module structure for reproducible builds across distributions.
• src/main/assembly/server.xml: Maven assembly descriptor packaging community edition runtime, defines JARs and configs bundled in final distribution.
• src/main/assembly/server_enterprise.xml: Enterprise edition assembly with additional features; critical for understanding license-gated functionality differences.
• src/main/java/Version.java: Version constant source for release management and backward compatibility tracking across streaming protocol versions.
• .github/workflows/test.yml: CI test pipeline defining test suite scope, coverage gates, and deployment triggers for all pull requests.
• mvn-settings.xml: Maven repository configuration and credentials for dependency resolution and artifact publication to Central.
• README.md: Feature overview, protocol support matrix, and quick-start URLs for demos critical for understanding scope and user personas.
• [COMMUNITY_EDITION_LICENSE / ENTERPRISE_EDITION_LICENSE](https://github.com/ant-media/Ant-Media-Server/blob/master/COMMUNITY_EDITION_LICENSE / ENTERPRISE_EDITION_LICENSE): Dual licensing terms determining which features/protocols (WebRTC, transcoding, scaling) are open-source vs. proprietary.

Stream protocol handlers: src/main/java/io (examine package structure for RTMP/WebRTC/SRT implementation). Assembly/packaging: src/main/assembly/server.xml and server_enterprise.xml. Version config: src/main/java/Version.java. Add protocol support by extending existing protocol adapters in io.* packages. Transcoding logic likely in core io packages. Add tests under src/test/java (not visible but standard Maven convention).

1. Dual-build system (repackage_community.sh vs. repackage_enterprise.sh) — ensure correct script is run before assembly to avoid feature mismatches. 2) Assembly modules reference different resource sets; manual Maven invocation may miss enterprise modules if pom.xml parent version not correctly set. 3) Version.java is source-checked; update before release or CI may publish mismatched version strings. 4) Red5 code style (red5-eclipse-format.xml) suggests legacy code patterns; modern IDE formatters may conflict. 5) Protocol interop testing (WebRTC ↔ RTMP ↔ HLS) requires live streaming setup; unit tests may not cover transcoding edge cases.

• WebRTC (Web Real-Time Communication) — Core 0.5s ultra-low latency transport for Ant Media Server; understanding peer connection negotiation (STUN, TURN, ICE) is essential for debugging connection issues and scaling SFU/MCU topologies.
• Adaptive Bitrate (ABR) Streaming — Ant Media Server's transcoding pipeline produces multiple bitrates dynamically; understanding bitrate ladder design (resolution/fps/codec trade-offs) affects QoE tuning and infrastructure cost.
• RTMP (Real-Time Messaging Protocol) — Legacy but still-dominant ingest protocol for OBS/encoder publishing; Ant Media must decode RTMP frames and transcode—understanding RTMP chunking and AMF serialization helps diagnose publisher issues.
• HLS (HTTP Live Streaming) & CMAF (Common Media Application Format) — Primary playback protocol for web/mobile; Ant Media outputs both HLS and LL-HLS (Low-Latency HLS via CMAF)—understanding segment chunking, playlist generation, and playlist duration constraints is critical for latency tuning.
• SRT (Secure Reliable Transport) — Modern RTMP replacement for ingest: handles packet loss gracefully over unstable networks (cellular, satellite); Ant Media's SRT support requires understanding ARQ (Automatic Repeat reQuest) and bandwidth probing.
• Transcoding & Codec Negotiation — Ant Media's core value: real-time re-encoding input (RTMP H.264) to multiple output codecs/bitrates; understanding video encoder constraints (frame scheduling, rate control, keyframe placement) prevents quality loss and latency spikes.
• Maven Assembly & Multi-Distribution Packaging — Ant Media builds two distributions (community/enterprise) from one codebase using assembly descriptors; understanding Maven filtering and resource inclusion prevents deployment bugs where enterprise features are accidentally stripped.

• ossrs/srs — Direct competitor: SRS (Simple RTMP Server) provides similar multi-protocol streaming (RTMP, HLS, WebRTC) with lower Java overhead; understand trade-offs in resource usage and protocol feature parity.
• arut/nginx-rtmp-module — RTMP ingestion alternative: Nginx RTMP module for high-throughput RTMP publishing; consider as upstream load-balancer in front of Ant Media Server for publisher scaling.
• joyent/libxo — Not a direct peer but used in streaming ecosystems: XO library for structured output (manifests, segment lists); relevant if integrating custom HLS/CMAF manifest generation.
• ant-media/Ant-Media-Server-Common — Official sibling repo containing shared libraries (likely protocol stubs, utilities) imported by ant-media-server; essential for understanding dependency graph and version compatibility.
• ant-media/StreamApp — Official example application layer built on Ant-Media-Server; reference implementation for multi-room, recording, and broadcast workflows.

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add unit tests for StreamIdValidator and FFmpegUtilities utility classes

The repo has critical utility classes (StreamIdValidator.java, FFmpegUtilities.java, SystemUtils.java) that lack visible test coverage. These are foundational utilities used across the streaming pipeline. Adding comprehensive unit tests would catch edge cases in stream ID validation logic and FFmpeg command generation, which are critical for stream reliability. This is a high-value, focused contribution that directly improves code quality.

• [ ] Create src/test/java/io/antmedia/StreamIdValidatorTest.java with test cases for various stream ID formats and edge cases
• [ ] Create src/test/java/io/antmedia/FFmpegUtilitiesTest.java with test cases for command generation, encoding settings, and error handling
• [ ] Create src/test/java/io/antmedia/SystemUtilsTest.java for system utility method validation
• [ ] Add tests for boundary conditions (empty strings, null values, special characters, very long inputs)
• [ ] Update .github/workflows/test.yml to include these new test suites in CI pipeline

Add integration tests for AnalyticEventLogger in the analytic module

The src/main/java/io/antmedia/analytic/ module contains event logging for PlayEvent, PublishEndedEvent, PlayerStatsEvent, and KeyFrameStatsEvent, but there are no visible integration tests verifying these events are correctly logged and processed. This is critical for analytics reliability in production. Adding integration tests would ensure analytics data integrity across different event types and edge cases.

• [ ] Create src/test/java/io/antmedia/analytic/AnalyticEventLoggerTest.java with integration test fixtures
• [ ] Add test cases for each event type: PlayEvent, PublishEndedEvent, PlayerStatsEvent, KeyFrameStatsEvent
• [ ] Add tests for concurrent event logging (multiple simultaneous events)
• [ ] Add tests for event persistence and retrieval scenarios
• [ ] Add tests for edge cases: null events, malformed data, system failures during logging

Add GitHub Actions workflow for dependency security scanning and OWASP compliance

The repo has owasp-suppressions.xml present but no visible GitHub Actions workflow for automated dependency scanning or OWASP dependency check. Given this is a streaming server handling user data, security scanning is critical. Adding a dedicated security workflow would catch vulnerable dependencies early in PRs and ensure compliance with security standards.

• [ ] Create .github/workflows/security-scan.yml with OWASP Dependency-Check action
• [ ] Configure the workflow to run on: pull_requests, pushes to main branches, and scheduled weekly scans
• [ ] Add Snyk or similar dependency vulnerability scanner for npm/Maven packages
• [ ] Configure workflow to fail builds when critical vulnerabilities are detected (configurable severity threshold)
• [ ] Add step to validate against owasp-suppressions.xml for approved exceptions
• [ ] Add status badge to README.md linking to security scan results

• Add integration test for H.265/HEVC bitstream validation — create src/test/java/io/antmedia/codec/HevcTranscodingTest.java with fixtures for real HEVC streams to verify the H.265 support mentioned in README against actual bitstreams.
• Document SRT protocol configuration in README — src/main/assembly/ shows SRT support but README lacks SRT server setup examples; add SRT listener config section and example publishUrl for SRT ingest.
• Create shell script helper for LL-HLS manifest generation testing — add src/main/assembly/test_llhls_manifest.sh to validate CMAF/LL-HLS output against spec-compliant duration and segment timing, covering gaps in current release documentation.

• High · Encrypted Credentials in Repository — codesigning.asc.enc. File 'codesigning.asc.enc' indicates presence of encrypted signing credentials stored in the repository. While encrypted, this suggests sensitive key material is version-controlled, which is a security anti-pattern. Fix: Move all credentials and signing keys to secure key management systems (HashiCorp Vault, AWS Secrets Manager, etc.). Use environment variables or secure CI/CD secret management instead of storing encrypted keys in the repository.
• High · Incomplete POM Repository Configuration — pom.xml - repositories section. The pom.xml file contains incomplete/truncated repository configuration (Central Portal Snapshots entry is cut off). This could lead to misconfigured dependency resolution, potentially pulling from unverified sources or failing builds. Fix: Complete and review all repository configurations. Ensure only trusted repositories are configured. Use repository manager (Nexus, Artifactory) to proxy and validate all dependencies.
• High · SNAPSHOT Dependencies in Production Build — pom.xml - version tag and snapshots configuration. Project version is '4.0.0-SNAPSHOT' with snapshot repositories enabled. SNAPSHOT versions are mutable and can change, leading to non-deterministic builds and potential introduction of vulnerable code unknowingly. Fix: Use only stable, released versions in production. Isolate snapshot builds to development environments. Implement dependency pinning and use lock files for reproducible builds.
• Medium · Insufficient Security Configuration Visibility — Root directory and src/main/resources. No visible security configuration files (.env, application.yml, security.xml) in the file structure. This suggests security settings may not be properly managed or documented, increasing risk of misconfigurations in deployment. Fix: Implement centralized security configuration with proper environment-specific settings. Use Spring Security for authentication/authorization. Document all security settings and implement defaults that are secure-by-default.
• Medium · Missing OWASP Dependency Check Configuration — pom.xml and owasp-suppressions.xml. While 'owasp-suppressions.xml' exists, there's no visible pom.xml dependency-check plugin configuration snippet shown. Suppressions without active scanning could mask vulnerable dependencies. Fix: Enable OWASP Dependency-Check Maven plugin in build pipeline. Review all suppressions in owasp-suppressions.xml for legitimacy. Implement CI/CD gates to fail builds on high/critical vulnerabilities unless properly justified.
• Medium · Multiple Encoding/Streaming Endpoints - Attack Surface — src/main/java/io/antmedia/ - protocol handlers. Ant Media Server supports multiple protocols (RTMP, RTSP, WebRTC, HLS, CMAF, SRT). Each protocol implementation increases attack surface. Without visible input validation patterns, stream handling could be vulnerable to injection attacks. Fix: Implement comprehensive input validation for all protocol handlers. Use allow-list validation for stream IDs, metadata, and parameters. Implement rate limiting and DDoS protection for all streaming endpoints.
• Medium · Analytics Event Logging - Information Disclosure Risk — src/main/java/io/antmedia/analytic/. Analytic event logging present (AnalyticEventLogger, PlayEvent, PublishStartedEvent) without visible data sanitization. Could log sensitive information like stream identifiers, user IPs, or metadata. Fix: Implement strict data sanitization in logging. Never log sensitive information (credentials, tokens, personal data). Use structured logging with appropriate log levels. Implement log access controls and encryption at rest.
• Medium · Console/Admin Application - Authentication Concerns — src/main/java/io/antmedia/console/AdminApplication.java. AdminApplication and console components visible but no authentication/authorization mechanism details shown. Admin interfaces are high-value targets. Fix: Implement strong authentication (multi-factor if possible) for all admin endpoints. Use role-based access control (RBAC). Implement session management with secure cookies (HttpOnly, Secure, SameSite flags). Require HTTPS for all admin traffic.
• Medium · Database Store Implementations - SQL Injection Risk — undefined. Multiple data store implementations visible (MapDBStore, Fix: undefined

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.