apache/dubbo-spring-boot-project
Spring Boot Project for Apache Dubbo
Healthy across all four use cases
Weakest axis: Permissive license, no critical CVEs reported, but the repo is archived and the last commit is 3 years old. Depend on it only through its successor code in apache/dubbo.
Has a license, tests, and CI — clean foundation to fork and modify.
Documented and popular — useful reference codebase to read through.
No critical CVEs, sane security posture — runnable as-is.
- ✓31+ active contributors
- ✓Apache-2.0 licensed
- ✓CI configured
- ✓Tests present
- ⚠Stale — last commit 3y ago
- ⚠Concentrated ownership — top contributor handles 60% of recent commits
Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests
Informational only. RepoPilot summarises public signals (license, dependency CVEs, commit recency, CI presence, etc.) at the time of analysis. Signals can be incomplete or stale. Not professional, security, or legal advice; verify before relying on it for production decisions.
Onboarding: apache/dubbo-spring-boot-project
Generated by RepoPilot · 2026-05-09 · Source
🤖Agent protocol
If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:
- Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
- Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
- Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/apache/dubbo-spring-boot-project shows verifiable citations alongside every claim.
If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.
🎯Verdict
GO — Healthy across all four use cases
- 31+ active contributors
- Apache-2.0 licensed
- CI configured
- Tests present
- ⚠ Stale — last commit 3y ago
- ⚠ Concentrated ownership — top contributor handles 60% of recent commits
<sub>Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests</sub>
✅Verify before trusting
This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live apache/dubbo-spring-boot-project repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/apache/dubbo-spring-boot-project.

What it runs against: a local clone of apache/dubbo-spring-boot-project — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.
| # | What we check | Why it matters |
|---|---|---|
| 1 | You're in apache/dubbo-spring-boot-project | Confirms the artifact applies here, not a fork |
| 2 | License is still Apache-2.0 | Catches relicense before you depend on it |
| 3 | Default branch master exists | Catches branch renames |
| 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code |
| 5 | Last commit ≤ 1230 days ago | Catches sudden abandonment since generation |
```bash
#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of apache/dubbo-spring-boot-project. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/apache/dubbo-spring-boot-project.git
#   cd dubbo-spring-boot-project
#
# Then paste this script. Every check is read-only — no mutations.
set +e
fail=0
ok() { echo "ok: $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of apache/dubbo-spring-boot-project and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "apache/dubbo-spring-boot-project(\.git)?\b" \
  && ok "origin remote is apache/dubbo-spring-boot-project" \
  || miss "origin remote is not apache/dubbo-spring-boot-project (artifact may be from a fork)"

# 2. License matches what RepoPilot saw.
# The Apache 2.0 LICENSE file opens with "Apache License" / "Version 2.0, January 2004",
# not with the SPDX id "Apache-2.0", so match the licence text itself.
(grep -qi "Apache License" LICENSE 2>/dev/null && grep -q "Version 2\.0" LICENSE 2>/dev/null) \
  && ok "license is Apache-2.0" \
  || miss "license drift — was Apache-2.0 at generation time"

# 3. Default branch (local branch, or the remote-tracking ref if another branch is checked out)
(git rev-parse --verify master >/dev/null 2>&1 || git rev-parse --verify origin/master >/dev/null 2>&1) \
  && ok "default branch master exists" \
  || miss "default branch master no longer exists"

# 4. Critical files exist
for f in \
  "dubbo-spring-boot-autoconfigure/pom.xml" \
  "dubbo-spring-boot-autoconfigure/src/main/java/org/apache/dubbo/spring/boot/autoconfigure/DubboRelaxedBinding2AutoConfiguration.java" \
  "dubbo-spring-boot-autoconfigure/src/main/java/org/apache/dubbo/spring/boot/autoconfigure/BinderDubboConfigBinder.java" \
  "dubbo-spring-boot-actuator/src/main/java/org/apache/dubbo/spring/boot/actuate/endpoint/DubboMetadataEndpoint.java" \
  "dubbo-spring-boot-actuator/src/main/resources/META-INF/spring.factories"
do
  test -f "$f" && ok "$f" || miss "missing critical file: $f"
done

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 1230 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~1200d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/apache/dubbo-spring-boot-project"
  exit 1
fi
```
Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).
⚡TL;DR
Apache Dubbo Spring Boot Project provides Spring Boot auto-configuration and production-ready actuator endpoints for Apache Dubbo, a high-performance Java RPC framework. It enables developers to easily integrate Dubbo's service registration, remote procedure calls, and load balancing into Spring Boot applications with minimal boilerplate, and offers health checks, metadata endpoints, and JMX integration via actuator. Multi-module Maven project: dubbo-spring-boot-autoconfigure/ (auto-configuration logic under src/main/java/org/apache/dubbo/spring/boot/autoconfigure/) and dubbo-spring-boot-actuator/ (actuator endpoints under src/main/java/org/apache/dubbo/spring/boot/actuate/endpoint/). Each module has dedicated test suites and META-INF configuration for Spring Boot auto-discovery.
👥Who it's for
Java backend engineers building microservices with Spring Boot who need to integrate Apache Dubbo for inter-service RPC communication, service discovery, and fault tolerance. DevOps teams monitoring Dubbo services via actuator health endpoints and JMX.
🌱Maturity & risk
The repository is archived (README states 'This repo has been archived. All of the implements have been moved to apache/dubbo'), indicating this was a mature, production-ready project that has been consolidated upstream. The CI/CD pipeline (.github/workflows/dubbo-2.yml), comprehensive test structure, and dual-language README (English + Chinese) suggest it was actively maintained. Risk: it is no longer receiving updates as all development moved to the main Dubbo repository.
HIGH RISK: This repository is archived and no longer maintained—all active development moved to apache/dubbo. Any critical bugs or security issues will not be patched here. New projects should depend on Dubbo's official Spring Boot integration in the main repository. Existing projects relying on versions pinned to this repo risk accumulating technical debt.
Active areas of work
Nothing—the repository is archived. The README explicitly states work has been moved to apache/dubbo. No active PRs, issues, or commits should be expected.
🚀Get running
This repo should NOT be cloned for new work. For existing users, to review archived code: git clone https://github.com/apache/dubbo-spring-boot-project.git && cd dubbo-spring-boot-project && mvn clean install. For new projects, use the official Dubbo starter from the main apache/dubbo repository instead.
Daily commands:
mvn clean install builds both modules. For actuator endpoints in a Spring Boot app, add dubbo-spring-boot-starter as a dependency (see pom.xml examples). Health and metadata endpoints expose via Spring Boot Actuator (typically http://localhost:8080/actuator/dubbo-* when management.endpoints.web.exposure.include includes 'dubbo*').
🗺️Map of the codebase
- dubbo-spring-boot-autoconfigure/pom.xml — Root autoconfigure module defining core Spring Boot integration dependencies and build configuration for Dubbo
- dubbo-spring-boot-autoconfigure/src/main/java/org/apache/dubbo/spring/boot/autoconfigure/DubboRelaxedBinding2AutoConfiguration.java — Entry point for Dubbo Spring Boot autoconfiguration using Spring's PropertySource binding mechanism
- dubbo-spring-boot-autoconfigure/src/main/java/org/apache/dubbo/spring/boot/autoconfigure/BinderDubboConfigBinder.java — Core binder that bridges Spring Boot's ConfigurationProperties with Dubbo's configuration objects
- dubbo-spring-boot-actuator/src/main/java/org/apache/dubbo/spring/boot/actuate/endpoint/DubboMetadataEndpoint.java — Primary actuator endpoint exposing Dubbo service and reference metadata for monitoring and observability
- dubbo-spring-boot-actuator/src/main/resources/META-INF/spring.factories — Spring Boot SPI configuration file declaring autoconfiguration and endpoint bean factories
- dubbo-spring-boot-compatible/actuator/src/main/java/org/apache/dubbo/spring/boot/actuate/health/DubboHealthIndicator.java — Legacy Spring Boot 1.x health check integration for Dubbo service availability monitoring
🛠️How to make changes
Add a new Dubbo Actuator Endpoint
- Create a new endpoint class in dubbo-spring-boot-actuator/src/main/java/org/apache/dubbo/spring/boot/actuate/endpoint/ extending AbstractDubboEndpoint or annotated with @Endpoint (see dubbo-spring-boot-actuator/src/main/java/org/apache/dubbo/spring/boot/actuate/endpoint/DubboMetadataEndpoint.java)
- Add a @ReadOperation method to expose the endpoint via HTTP GET (see dubbo-spring-boot-actuator/src/main/java/org/apache/dubbo/spring/boot/actuate/endpoint/DubboServicesMetadataEndpoint.java)
- Register the endpoint bean in dubbo-spring-boot-actuator/src/main/java/org/apache/dubbo/spring/boot/actuate/autoconfigure/DubboEndpointAnnotationAutoConfiguration.java
- Optionally declare it in dubbo-spring-boot-actuator/src/main/resources/META-INF/dubbo-endpoints-default.properties for visibility control
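A minimal read-only endpoint following the steps above, written here as an added example rather than one of the project's own classes: it enumerates the dubbo.* properties visible in the Spring Environment and masks any value whose key looks like a credential, which is the redaction the security observations on this page ask for. The class name, the endpoint id dubboredactedprops and the package are assumptions; the class uses @Endpoint directly instead of extending AbstractDubboEndpoint.

```java
package org.apache.dubbo.spring.boot.actuate.endpoint; // assumed placement, matching the repo's endpoint package

import java.util.Map;
import java.util.TreeMap;
import java.util.regex.Pattern;

import org.springframework.boot.actuate.endpoint.annotation.Endpoint;
import org.springframework.boot.actuate.endpoint.annotation.ReadOperation;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.EnumerablePropertySource;
import org.springframework.core.env.PropertySource;

/**
 * Read-only actuator endpoint (GET /actuator/dubboredactedprops once exposed) that lists
 * every dubbo.* property with credential-looking values replaced by a mask.
 * Only a @ReadOperation is declared, so nothing here can mutate the running service.
 */
@Endpoint(id = "dubboredactedprops") // hypothetical id; pick one that does not clash with the repo's endpoints
public class DubboRedactedPropertiesEndpoint {

    /** Key fragments that mark a value as secret. Extend for your registry/config-center naming. */
    private static final Pattern SENSITIVE =
        Pattern.compile("(?i)(password|passwd|secret|token|credential|access[-_.]?key)");
    private static final String DUBBO_PREFIX = "dubbo.";
    private static final String MASK = "******";

    private final ConfigurableEnvironment environment;

    public DubboRedactedPropertiesEndpoint(ConfigurableEnvironment environment) {
        this.environment = environment;
    }

    @ReadOperation
    public Map<String, String> dubboProperties() {
        Map<String, String> result = new TreeMap<>();
        // Property sources are ordered by precedence, so the first source that defines a key wins;
        // environment.getProperty resolves placeholders the same way the rest of the app sees them.
        for (PropertySource<?> source : environment.getPropertySources()) {
            if (!(source instanceof EnumerablePropertySource)) {
                continue; // non-enumerable sources (e.g. JNDI) cannot be listed without guessing keys
            }
            for (String name : ((EnumerablePropertySource<?>) source).getPropertyNames()) {
                if (!name.startsWith(DUBBO_PREFIX) || result.containsKey(name)) {
                    continue;
                }
                result.put(name, redact(name, environment.getProperty(name)));
            }
        }
        return result;
    }

    /** Masks by key name, not by value, so an empty or placeholder secret is masked too. */
    static String redact(String key, String value) {
        if (value == null) {
            return null;
        }
        return SENSITIVE.matcher(key).find() ? MASK : value;
    }
}
```

Register it as a @Bean (guarded with @ConditionalOnMissingBean) in DubboEndpointAnnotationAutoConfiguration, as the third step says; it still only becomes reachable over HTTP once its id is listed in management.endpoints.web.exposure.include, and it should sit behind the same Spring Security rules as the other Dubbo endpoints.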
Add support for a new Dubbo configuration property
- Add the property binding in BinderDubboConfigBinder, which uses Spring's Binder to map properties to Dubbo config objects (dubbo-spring-boot-autoconfigure/src/main/java/org/apache/dubbo/spring/boot/autoconfigure/BinderDubboConfigBinder.java)
- Ensure DubboRelaxedBinding2AutoConfiguration instantiates and wires the binder during context initialization (dubbo-spring-boot-autoconfigure/src/main/java/org/apache/dubbo/spring/boot/autoconfigure/DubboRelaxedBinding2AutoConfiguration.java)
- Add a test case in dubbo-spring-boot-autoconfigure/src/test/java/org/apache/dubbo/spring/boot/autoconfigure/ validating the property is bound correctly (dubbo-spring-boot-autoconfigure/src/test/java/org/apache/dubbo/spring/boot/autoconfigure/BinderDubboConfigBinderTest.java)
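What the Binder step does, shown as an added example that is not the project's BinderDubboConfigBinder: a constructed set of dubbo.registry.* properties is bound into a hypothetical RegistryProps class standing in for a Dubbo config object. It shows relaxed binding in action (the kebab-case key check-timeout lands in the checkTimeout field) and masks the bound password in toString(), so the object can be logged or echoed from an endpoint without leaking the registry credential. Class and property names are assumptions.

```java
package com.example.binding; // hypothetical package

import java.util.HashMap;
import java.util.Map;

import org.springframework.boot.context.properties.bind.Bindable;
import org.springframework.boot.context.properties.bind.Binder;
import org.springframework.core.env.MapPropertySource;
import org.springframework.core.env.StandardEnvironment;

public class RegistryBindingExample {

    /** Hypothetical target type; a real binder would target a Dubbo config class such as RegistryConfig. */
    public static class RegistryProps {
        private String address;
        private String username;
        private String password;
        private int checkTimeout = 3000; // default applies when the key is absent

        public String getAddress() { return address; }
        public void setAddress(String address) { this.address = address; }
        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
        public String getPassword() { return password; }
        public void setPassword(String password) { this.password = password; }
        public int getCheckTimeout() { return checkTimeout; }
        public void setCheckTimeout(int checkTimeout) { this.checkTimeout = checkTimeout; }

        /** The credential never appears in a log line or endpoint payload built from this object. */
        @Override
        public String toString() {
            return "RegistryProps{address=" + address
                + ", username=" + username
                + ", password=" + (password == null ? "null" : "******")
                + ", checkTimeout=" + checkTimeout + "}";
        }
    }

    /**
     * Binds everything under the prefix with Spring Boot's relaxed rules
     * (kebab-case, camelCase and DUBBO_REGISTRY_* env vars all map to the same field).
     * A registry is mandatory for Dubbo, so a missing prefix is an error rather than an empty object.
     */
    public static RegistryProps bind(StandardEnvironment environment, String prefix) {
        return Binder.get(environment)
            .bind(prefix, Bindable.of(RegistryProps.class))
            .orElseThrow(() -> new IllegalStateException("no properties under " + prefix));
    }

    public static void main(String[] args) {
        // Constructed sample input; in an application these come from application.properties or the environment.
        Map<String, Object> props = new HashMap<>();
        props.put("dubbo.registry.address", "zookeeper://127.0.0.1:2181");
        props.put("dubbo.registry.username", "dubbo");
        props.put("dubbo.registry.password", "s3cr3t");
        props.put("dubbo.registry.check-timeout", "5000"); // kebab-case key -> checkTimeout field

        StandardEnvironment env = new StandardEnvironment();
        env.getPropertySources().addFirst(new MapPropertySource("constructed", props));

        RegistryProps registry = bind(env, "dubbo.registry");
        System.out.println(registry);                   // password printed as ******
        System.out.println(registry.getCheckTimeout()); // value from the kebab-case key, coerced to int
    }
}
```

Because binding is by prefix, adding a new Dubbo property is usually just a new setter on the target class plus a test that the key in each supported spelling reaches it; the masking in toString() is worth keeping on any config object that carries credentials, since Dubbo metadata endpoints render these objects.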
Support a new Spring Boot version
- Add conditional logic to CompatibleConditionalOnEnabledEndpoint to detect the new Spring Boot version (dubbo-spring-boot-actuator/src/main/java/org/apache/dubbo/spring/boot/actuate/endpoint/condition/CompatibleConditionalOnEnabledEndpoint.java)
- Create compatibility shims in dubbo-spring-boot-compatible/actuator if the endpoint model or health check API changed (dubbo-spring-boot-compatible/actuator/src/main/java/org/apache/dubbo/spring/boot/actuate/autoconfigure/DubboEndpointAutoConfiguration.java)
- Update the spring-boot.version property in pom.xml and run the integration tests to validate (dubbo-spring-boot-actuator/pom.xml)
🔧Why these technologies
- Spring Boot autoconfiguration with @EnableConfigurationProperties — Enables zero-touch integration; users just add dubbo-spring-boot-starter to classpath and set application.properties for Dubbo config
- Spring Boot's ConfigurationProperties Binder (PropertySource binding) — Provides type-safe, relaxed property binding from application.yml/properties to strongly-typed Dubbo config objects without reflection
- Spring Boot Actuator endpoints (@Endpoint, @ReadOperation) — Exposes Dubbo operational metadata and health in standard Spring Boot /actuator interface for dashboards and monitoring tools
- Conditional bean registration (@ConditionalOnClass, custom conditions) — Ensures compatibility across Spring Boot versions (1.x–3.x) by selectively enabling endpoints/health checks based on classpath and version
⚖️Trade-offs already made
- Separate dubbo-spring-boot-compatible module for legacy Spring Boot versions
  - Why: Spring Boot 1.x uses the HealthIndicator/MvcEndpoint model; Spring Boot 2.0+ uses the WebEndpoint annotation model — they cannot be unified in a single codebase
  - Consequence: Requires dual maintenance paths and version-specific JAR selection; adds ~35KB overhead but ensures backward compatibility
- Use Spring's Binder (Relaxed Binding 2.0) instead of a custom property resolver
  - Why: Spring Boot's Binder is battle-tested, supports nested objects, lists, maps, and type coercion; aligns with Spring Boot conventions
  - Consequence: Tightly couples to the Spring Boot version; if the Binder API breaks, every version must be patched; trades flexibility for maintainability
- Metadata endpoints are read-only; no write operations except shutdown
  - Why: Prevents accidental misconfiguration changes via REST; configuration should go through application.properties or ConfigServer
  - Consequence: Cannot hot-reload service routing or the provider list
🪤Traps & gotchas
Spring Boot version compatibility: endpoints require Spring Boot 2.0+ and Dubbo 2.7.8+. META-INF/spring.factories auto-discovery only works if the project properly imports spring-boot-starter or spring-boot-starter-web (not included transitively in all Spring Boot configurations). Endpoint paths default to /actuator/dubbo-* but require explicit management.endpoints.web.exposure.include configuration; an endpoint that is not listed there is simply absent from HTTP, which is the safe default for the shutdown endpoint. Conditional logic in CompatibleOnEnabledEndpointCondition checks both org.springframework.boot and dubbo versions at runtime — mismatched versions may silently disable endpoints.
🏗️Architecture
💡Concepts to learn
- Spring Boot Auto-Configuration (AutoConfiguration) — This entire project is built on @Configuration classes that conditionally register Dubbo beans; understanding Spring Boot's auto-configuration contract and META-INF/spring.factories SPI is essential to extending or modifying Dubbo integration.
- Spring Boot Actuator Endpoints (@Endpoint) — Dubbo Spring Boot's monitoring and health capabilities are exposed via custom @Endpoint classes (DubboMetadataEndpoint, DubboShutdownEndpoint); understanding how to design actuator endpoints is core to the actuator module.
- Conditional Annotations (@Conditional, @ConditionalOnProperty) — Dubbo endpoints use custom conditional logic (CompatibleConditionalOnEnabledEndpoint) to enable/disable features based on Dubbo and Spring Boot version compatibility; mastering @Conditional is critical for version-aware feature toggles.
- RPC (Remote Procedure Call) Framework — Dubbo is a production-grade RPC framework; understanding RPC concepts (stub generation, serialization, protocol negotiation, service registry) is essential to using Dubbo Spring Boot effectively.
- Service Registry & Discovery — Dubbo's core strength is automatic service registration and discovery; Spring Boot auto-configuration handles registry integration, so understanding registry patterns (Zookeeper, Consul, Nacos) helps troubleshoot Dubbo connectivity.
- JMX (Java Management Extensions) — Dubbo Spring Boot exposes health and configuration metadata via JMX (visible in the JMX_HealthEndpoint.png diagram); understanding JMX beans and MBean registration is important for production monitoring.
- Maven Multi-Module Project Structure — This repository is organized as a Maven multi-module build with dubbo-spring-boot-autoconfigure and dubbo-spring-boot-actuator as separate modules; understanding parent pom inheritance and module dependency management is essential for local development.
🔗Related repos
- apache/dubbo — The official Apache Dubbo RPC framework repository where all active development of Dubbo Spring Boot integration has been consolidated; this archived repo's code is now maintained there.
- spring-projects/spring-boot — Spring Boot framework that provides the @Configuration, @Endpoint, and actuator foundation for Dubbo Spring Boot's auto-configuration and monitoring features.
- spring-projects/spring-cloud — Spring Cloud ecosystem that integrates with Dubbo for cloud-native service mesh and discovery patterns, often used alongside Dubbo Spring Boot in microservice architectures.
- alibaba/nacos — Service discovery and configuration management platform frequently used with Dubbo in Spring Boot applications as an alternative to Dubbo's built-in registry.
🪄PR ideas
To work on one of these in Claude Code or Cursor, paste:
Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.
Add comprehensive integration tests for DubboShutdownEndpoint
The DubboShutdownEndpoint.java exists but has minimal test coverage in DubboEndpointTest.java. This endpoint is critical for production graceful shutdown scenarios but lacks integration tests covering shutdown sequence, timeout handling, and error cases. This is high-value for production reliability.
- [ ] Review dubbo-spring-boot-actuator/src/main/java/org/apache/dubbo/spring/boot/actuate/endpoint/DubboShutdownEndpoint.java
- [ ] Expand dubbo-spring-boot-actuator/src/test/java/org/apache/dubbo/spring/boot/actuate/endpoint/DubboEndpointTest.java with shutdown-specific test cases
- [ ] Add tests for: graceful shutdown invocation, shutdown timeout scenarios, error handling, and state validation after shutdown
Add unit tests for CompatibleConditionalOnEnabledEndpoint condition logic
The condition classes in dubbo-spring-boot-actuator/src/main/java/org/apache/dubbo/spring/boot/actuate/endpoint/condition/ (CompatibleConditionalOnEnabledEndpoint.java and CompatibleOnEnabledEndpointCondition.java) handle Spring Boot version compatibility but have no dedicated unit tests. These are critical for endpoint auto-configuration across different Spring Boot versions.
- [ ] Create new test file: dubbo-spring-boot-actuator/src/test/java/org/apache/dubbo/spring/boot/actuate/endpoint/condition/CompatibleOnEnabledEndpointConditionTest.java
- [ ] Add test cases for condition matching across Spring Boot 2.x and 3.x versions
- [ ] Test enabled/disabled endpoint scenarios with various property configurations
Add missing test coverage for BinderDubboConfigBinder in autoconfigure module
The BinderDubboConfigBinder.java in dubbo-spring-boot-autoconfigure handles property binding with Spring Boot's Binder API, but the test directory structure shows no corresponding unit tests. This component is essential for externalized configuration and property relaxed binding.
- [ ] Create new test file: dubbo-spring-boot-autoconfigure/src/test/java/org/apache/dubbo/spring/boot/autoconfigure/BinderDubboConfigBinderTest.java
- [ ] Add tests for property binding scenarios: valid properties, type conversion, nested properties, and binding errors
- [ ] Include tests verifying compatibility with DubboRelaxedBinding2AutoConfiguration.java
🌿Good first issues
- Add comprehensive test coverage for DubboPropertiesMetadataEndpoint.java and DubboReferencesMetadataEndpoint.java (currently sparse test methods in DubboEndpointTest.java cover limited scenarios; add tests for edge cases like empty service lists, null properties, and concurrent access).
- Document the actuator endpoint JSON response schema for each endpoint class (DubboMetadataEndpoint, DubboConfigsMetadataEndpoint, DubboShutdownEndpoint) via OpenAPI/Swagger annotations or a dedicated endpoints-schema.md file, since no structured API docs exist in the archived repo.
- Add integration test for the complete Spring Boot startup flow with META-INF/spring.factories auto-discovery under dubbo-spring-boot-actuator/src/test/ to validate that DubboEndpointAnnotationAutoConfiguration actually registers all endpoints without manual @Import annotations.
⭐Top contributors
- @mercyblitz — 60 commits
- @withthewind — 5 commits
- @AlbumenJ — 3 commits
- @lovepoem — 3 commits
- @biyuhao — 3 commits
📝Recent commits
- feb1783 — Delete .travis.yml (AlbumenJ)
- 09dbae3 — Archive repo (AlbumenJ)
- 4d3eabf — Merge 2.7.x branch to master (#784) (AlbumenJ)
- ff58629 — Update README.md (#765) (whisper2u)
- 2d53ca2 — Update README.md (#763) (DaisyLJQ)
- 94a95bb — Update README.md (#764) (wuudongdong)
- 1863534 — Update README_CN.md (#762) (JustDoNow)
- a11cf3e — fix README_CN change Registry Zookeeper Samples and Registry Nacos Samples error (#760) (lxl910128)
- 5b35e74 — Fix wrong sample code : (#761) (JackyKyoto)
- c1ff0a2 — Merge to master (#724) (mercyblitz)
🔒Security observations
The Apache Dubbo Spring Boot Project, being archived, presents moderate security concerns. Primary issues include: (1) lack of active maintenance affecting long-term security posture, (2) exposed actuator endpoints that may leak sensitive metadata and allow unauthorized service shutdown, (3) insufficient visibility into security configuration for protecting these endpoints, and (4) web endpoint exposure without apparent authentication controls. The codebase follows Apache licensing standards and basic Java project structure conventions. Immediate recommendations include migrating to the active apache/dubbo repository, implementing Spring Security authentication/authorization for all actuator endpoints, and restricting sensitive endpoints to authorized administrative users only. Without access to the complete dependency tree and security configuration classes, a full assessment is limited.
- Medium · Archived Repository - No Active Maintenance — README.md. The repository has been archived and all implementations have been moved to apache/dubbo. The codebase is no longer actively maintained and will not receive security updates or patches. Fix: Migrate to the active apache/dubbo repository for ongoing security support and updates.
- Medium · Spring Boot Web Starter Dependency Exposure — dubbo-spring-boot-actuator/pom.xml. spring-boot-starter-web is declared with optional=true in the actuator module, so it is not pulled in transitively: the consuming application decides whether the embedded servlet container, and with it the HTTP actuator surface, is present. Where it is present, the Dubbo endpoints are served over HTTP with whatever protection the application configures, which by default is none beyond the exposure list. Fix: In the consuming application, configure Spring Security to protect actuator endpoints, and read DubboEndpointAnnotationAutoConfiguration.java to confirm which endpoints are registered and therefore need a rule.
- Medium · Actuator Endpoints May Expose Sensitive Information — dubbo-spring-boot-actuator/src/main/java/org/apache/dubbo/spring/boot/actuate/endpoint/. DubboMetadataEndpoint, DubboConfigsMetadataEndpoint, DubboReferencesMetadataEndpoint, and DubboServicesMetadataEndpoint expose metadata about Dubbo services, configurations, and references. If not properly secured they can leak service topology, credentials held in configuration, and internal system details. Fix: Require authentication and a role for every metadata endpoint; disable them in production or restrict them to operators; ensure sensitive configuration values (credentials, API keys) are masked before they reach an endpoint response.
- Medium · DubboShutdownEndpoint May Allow Unauthorized Service Termination — dubbo-spring-boot-actuator/src/main/java/org/apache/dubbo/spring/boot/actuate/endpoint/DubboShutdownEndpoint.java. DubboShutdownEndpoint stops Dubbo services via an HTTP request. If exposed without authentication, anyone who can reach the management port can terminate the service (denial of service). Fix: Keep the endpoint out of management.endpoints.web.exposure.include unless it is operationally required; where it is required, restrict it to an administrative role and bind the management port to an internal interface.
- Low · Missing Security Headers Configuration — dubbo-spring-boot-actuator/pom.xml. The module declares spring-boot-starter-web but, as a library, configures no security headers; that is the consuming application's responsibility. Fix: In the application, add spring-boot-starter-security and declare a SecurityFilterChain; Spring Security then sends its default headers (X-Content-Type-Options, X-Frame-Options, Cache-Control and, over HTTPS, Strict-Transport-Security).
- Low · Incomplete Dependency Information — dubbo-spring-boot-actuator/pom.xml. The POM content available to the analysis was truncated, so the full dependency tree could not be examined for vulnerable transitive dependencies; a Maven wrapper is present but specific versions are not visible. Fix: Run 'mvn dependency:tree' and a scanner such as OWASP Dependency-Check against the actual build, and remember that an archived module will not publish fixes for what they find.
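The access-control fix the observations above recommend, written out as an added example for the consuming application (it is not code from this repository). Assumptions: Spring Boot 3.x with Spring Security 6.x and spring-boot-starter-security on the classpath; the endpoint ids dubbo, dubboshutdown, dubboconfigs, dubboservices, dubboreferences and dubboproperties are taken from the endpoint class names and must be checked against the @Endpoint(id = ...) annotation in each class before use.

```java
package com.example.ops; // hypothetical package in the consuming application, not in this repo

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Puts every actuator endpoint, the Dubbo ones included, behind authentication and a role
 * before it is reachable over HTTP. Health stays open for load-balancer probes, the
 * destructive shutdown endpoint is limited to administrators, and read-only Dubbo metadata
 * is limited to operators.
 */
@Configuration
public class ActuatorSecurityConfig {

    // Assumed ids; confirm each against its @Endpoint(id = ...) before relying on this list.
    private static final String[] DUBBO_READ_ONLY =
        {"dubbo", "dubboconfigs", "dubboservices", "dubboreferences", "dubboproperties"};

    @Bean
    SecurityFilterChain actuatorSecurity(HttpSecurity http) throws Exception {
        http
            // This chain applies only to requests that target a registered actuator endpoint;
            // the application's own routes keep their separate chain.
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                // Liveness/readiness probes stay anonymous.
                .requestMatchers(EndpointRequest.to("health")).permitAll()
                // Stops the Dubbo runtime: administrators only.
                .requestMatchers(EndpointRequest.to("dubboshutdown")).hasRole("ADMIN")
                // Topology and configuration metadata: operators, never anonymous.
                .requestMatchers(EndpointRequest.to(DUBBO_READ_ONLY)).hasAnyRole("ADMIN", "OPS")
                // Everything else under /actuator (env, beans, heapdump ...) defaults to administrators.
                .anyRequest().hasRole("ADMIN"))
            // Shutdown is invoked with POST, so CSRF applies. Machine clients on HTTP Basic carry no
            // session and cannot obtain a token, so only that endpoint is exempted; the ADMIN role
            // and a management port bound to the internal network compensate. If administrators
            // ever call it from a browser, remove this exemption and send the token instead.
            .csrf(csrf -> csrf.ignoringRequestMatchers(EndpointRequest.to("dubboshutdown")))
            // HTTP Basic over TLS is sufficient for scripted clients; swap in your SSO filter if needed.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

Pair this with an exposure list that omits the shutdown endpoint unless it is operationally required, for example management.endpoints.web.exposure.include=health,dubbo,dubboconfigs,dubboservices,dubboreferences,dubboproperties (ids assumed as above), and with management.server.port and management.server.address set so the actuator surface is not on the public listener. The role names ADMIN and OPS are placeholders for whatever your identity provider issues.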
LLM-derived; treat as a starting point, not a security audit.
👉Where to read next
- Open issues — current backlog
- Recent PRs — what's actively shipping
- Source on GitHub
Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.