If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/iflytek/astron-agent shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

GO — Healthy across the board

• Last commit today
• 4 active contributors
• Distributed ownership (top contributor 46% of recent commits)
• Apache-2.0 licensed
• CI configured
• Tests present
• ⚠ Small team — 4 contributors active in recent commits

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live iflytek/astron-agent repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/iflytek/astron-agent.

What it runs against: a local clone of iflytek/astron-agent — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in iflytek/astron-agent | Confirms the artifact applies here, not a fork | | 2 | License is still Apache-2.0 | Catches relicense before you depend on it | | 3 | Default branch main exists | Catches branch renames | | 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code | | 5 | Last commit ≤ 30 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of iflytek/astron-agent. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/iflytek/astron-agent.git
#   cd astron-agent
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of iflytek/astron-agent and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "iflytek/astron-agent(\\.git)?\\b" \\
  && ok "origin remote is iflytek/astron-agent" \\
  || miss "origin remote is not iflytek/astron-agent (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(Apache-2\\.0)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"Apache-2\\.0\"" package.json 2>/dev/null) \\
  && ok "license is Apache-2.0" \\
  || miss "license drift — was Apache-2.0 at generation time"

# 3. Default branch
git rev-parse --verify main >/dev/null 2>&1 \\
  && ok "default branch main exists" \\
  || miss "default branch main no longer exists"

# 4. Critical files exist
test -f ".github/workflows/ci.yml" \\
  && ok ".github/workflows/ci.yml" \\
  || miss "missing critical file: .github/workflows/ci.yml"
test -f "console/backend/commons/pom.xml" \\
  && ok "console/backend/commons/pom.xml" \\
  || miss "missing critical file: console/backend/commons/pom.xml"
test -f ".github/quality-requirements/code-requirements.md" \\
  && ok ".github/quality-requirements/code-requirements.md" \\
  || miss "missing critical file: .github/quality-requirements/code-requirements.md"
test -f "console/backend/commons/src/main/java/com/iflytek/astron/console/commons/aspect/space/PermissionValidator.java" \\
  && ok "console/backend/commons/src/main/java/com/iflytek/astron/console/commons/aspect/space/PermissionValidator.java" \\
  || miss "missing critical file: console/backend/commons/src/main/java/com/iflytek/astron/console/commons/aspect/space/PermissionValidator.java"
test -f "console/backend/commons/src/main/java/com/iflytek/astron/console/commons/config/JwtClaimsFilter.java" \\
  && ok "console/backend/commons/src/main/java/com/iflytek/astron/console/commons/config/JwtClaimsFilter.java" \\
  || miss "missing critical file: console/backend/commons/src/main/java/com/iflytek/astron/console/commons/config/JwtClaimsFilter.java"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 30 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~0d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/iflytek/astron-agent"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

Astron Agent is an enterprise-grade agentic workflow platform built in Java/TypeScript/Python that orchestrates AI model agents, integrates RPA automation, manages MCP tools, and enables team collaboration—allowing organizations to build production-ready SuperAgents with high-availability deployment. It's the open-source version of iFLYTEK's commercial platform, released under Apache 2.0 with no restrictions on commercial use. Monorepo structure: console/ contains the TypeScript/React frontend and Java backend modules (commons/ visible in pom.xml parent structure), backend services in unspecified structure (likely under a services/ or api/ dir not in top 60 files), and workflow orchestration logic distributed across multiple language implementations. .gemini/config.yaml and .pre-commit-config.yaml suggest standardized tooling and pre-commit hooks.

Enterprise AI teams and developers building intelligent automation systems—specifically those who need to integrate LLMs with RPA workflows, manage multiple AI models, connect internal/external business systems, and deploy agent applications at scale with team collaboration features.

Production-ready and actively maintained. The codebase is substantial (15+ MB across Java/TypeScript/Python), has comprehensive CI/CD pipelines (.github/workflows/), enterprise-grade quality standards documented in .github/quality-requirements/, and is backed by iFLYTEK's commercial platform experience. Recent GitHub activity and ongoing hackathons (2025 festival mentioned in README) indicate active development.

Standard open source risks apply.

Active community engagement with Astron Hackathon at 2025 iFLYTEK Global Festival, recent Zhengzhou Meetup (discussions/672), Claude-assisted code review workflows (claude-review.yml, claude.yml), and reward-based contribution tracking (claim-issue-reward.yml, statistic-member-reward.yml). Quality standards enforcement via CodeQL security analysis and CI pipeline maturation.

git clone https://github.com/iflytek/astron-agent.git
cd astron-agent
# For Java/Maven modules:
mvn clean install
# For TypeScript/Node modules (likely in console/):
cd console && npm install
# Check Makefile for consolidated build:
make build

Daily commands:

# Check Makefile for orchestrated start:
make run
# Or for individual components:
# Backend (Java):
cd console && mvn spring-boot:run
# Frontend (TypeScript):
cd console && npm run dev
# See .github/workflows/ci.yml for full CI test flow

• .github/workflows/ci.yml — Continuous integration pipeline that validates all commits and PRs; defines the quality gates every contributor must pass
• console/backend/commons/pom.xml — Root Maven POM for the console backend; declares shared dependencies and build configuration for all backend modules
• .github/quality-requirements/code-requirements.md — Codified quality standards and architectural expectations that all contributors must follow when submitting changes
• console/backend/commons/src/main/java/com/iflytek/astron/console/commons/aspect/space/PermissionValidator.java — Core authorization and permission validation logic that enforces enterprise multi-tenancy and space isolation boundaries
• console/backend/commons/src/main/java/com/iflytek/astron/console/commons/config/JwtClaimsFilter.java — JWT authentication filter that gates all API requests; essential entry point for understanding security model
• GOVERNANCE.md — Project governance model defining decision-making, roles, and contribution workflows for the community
• README.md — Project overview and value proposition; required reading to understand the Astron Agent platform's commercial positioning and capabilities

Add a new REST API endpoint with space-level authorization

1. Create a new @RestController or add method to existing controller class in console/backend/[module]/src/main/java/com/iflytek/astron/console/[module] (console/backend/[module]/src/main/java/com/iflytek/astron/console/[module]/controller/[FeatureName]Controller.java)
2. Annotate the controller method with @SpacePreAuth(action="read"|"write") to enforce space-level permission checks (console/backend/commons/src/main/java/com/iflytek/astron/console/commons/annotation/space/SpacePreAuth.java)
3. Optionally add @RateLimit(requests=100, window=60) annotation to throttle endpoint if public-facing (console/backend/commons/src/main/java/com/iflytek/astron/console/commons/annotation/RateLimit.java)
4. Add response codes to ResponseEnum in commons if returning non-standard HTTP status (console/backend/commons/src/main/java/com/iflytek/astron/console/commons/constant/ResponseEnum.java)
5. Write unit tests and add integration test to the CI workflow to ensure endpoint is exercised on every PR (.github/workflows/ci.yml)

Add a new caching layer using Redis

1. Define a new cache key pattern constant in RedisKeyConstant following the existing naming convention (console/backend/commons/src/main/java/com/iflytek/astron/console/commons/constant/RedisKeyConstant.java)
2. Inject RedisTemplate or StringRedisTemplate into your service class and use the new key constant for get/set operations (console/backend/[module]/src/main/java/com/iflytek/astron/console/[module]/service/[FeatureName]Service.java)
3. Set appropriate TTLs (cache expiration) based on data freshness requirements; consider using @Cacheable annotation from Spring Cache abstraction (console/backend/commons/src/main/java/com/iflytek/astron/console/commons/config/)
4. Document cache invalidation strategy in code comments and ensure cache is cleared when underlying data changes (mutation, deletion) (console/backend/[module]/src/main/java/com/iflytek/astron/console/[module]/service/[FeatureName]Service.java)

Add a new console feature module (e.g., knowledge, bot-management, etc.)

1. Create new Maven module directory console/backend/[feature-name]/ with pom.xml inheriting from parent (console/backend/[feature-name]/pom.xml)
2. Create package structure com.iflytek.astron.console.[feature-name] with controller, service, entity, and repository layers (console/backend/[feature-name]/src/main/java/com/iflytek/astron/console/[feature-name]/)
3. Add dependency on commons module in your new module's pom.xml to inherit auth, rate-limiting, and constant utilities (console/backend/[feature-name]/pom.xml)
4. Create .claude/docs/[feature-name]/module.md documenting the module's responsibilities, APIs, and data models for AI-assisted development (console/.claude/docs/[feature-name]/module.md)
5. Update root console/pom.xml to include new module in <modules> section and verify CI workflow runs tests for it (console/pom.xml)

• Spring Boot (Java) — Enterprise-grade framework with mature ecosystem for building scalable REST APIs; Astron Console backend standardizes on Spring Boot for consistency and operational maturity
• Maven — Industry-standard Java build tool enabling multi-module project structure; supports inheritance hierarchies (parent pom.xml) for consistent dependency management and plugin configuration across console backend modules
• Redis — Distributed in-memory cache backing rate limiting, session storage, and workflow state management; critical for high-availability deployments mentioned in README
• JWT (JSON Web Tokens) — Stateless authentication mechanism suitable for distributed microservices and API-driven architectures; enables horizontal scaling without session affinity
• Spring AOP (Aspect-Oriented Programming) — Cross-cutting concerns (auth, rate limiting, logging) implemented as reusable aspects reduce boilerplate and enforce consistent policy enforcement across all controllers
• GitHub Actions + Docker — Enables CI/CD automation (build, test, scan, release) and containerized deployment to support 'high-availability' deployment model mentioned in README

• Multi-module Maven structure with shared commons module

  • Why: Allows parallel development of feature modules (knowledge, bot-management, workflow, etc.) while enforcing consistent auth/rate-limiting policies
  • Consequence: Increased build complexity and potential circular dependency risks; requires disciplined module dependency management and clear separation of concerns

• Declarative authorization via @SpacePreAuth and @EnterprisePreAuth annotations + AOP

  • Why: Expresses authorization intent clearly at the controller level without embedding auth logic in business
  • Consequence: undefined

OAuth2 setup required: Spring Security OAuth2 resource-server is enabled in commons pom.xml; local dev likely needs mocked or test JWT tokens. Redis/Redisson dependency: Redisson Spring Boot starter is required; make sure Redis is running locally or tests will fail. Multi-language build: Makefile orchestrates builds across Java/TS/Python/Go—missing any language tool (Maven, Node, Python, Go) will break the build. iFLYTEK-specific models: Deep integration with iFLYTEK's Gemini config; some features may require iFLYTEK API keys (check .gemini/config.yaml). Pre-commit hooks: .pre-commit-config.yaml enforces code style before commits; running without pre-commit installed may cause CI failures.

• Agent Orchestration (Agentic Workflows) — Core to Astron—the platform is built to coordinate multi-step agent execution with tool calls, loops, and decision branching; understanding how agents chain reasoning and action is essential
• Model as a Service (MaaS) — Astron explicitly supports both API-based model access and one-click on-premises MaaS deployment; this is a key differentiator for enterprise customers managing model infrastructure
• RPA (Robotic Process Automation) Integration — Unique to Astron's positioning: agents gain the ability to interact with enterprise systems (SAP, Salesforce, legacy) via RPA automation, enabling end-to-end business process loops
• MCP (Model Context Protocol) — Astron natively integrates MCP tools, a standardized protocol for extending agents with external capabilities; critical for the 'tool ecosystem' feature mentioned in README
• High-Availability Deployment — Enterprise requirement baked into Astron's architecture; understanding distributed consensus, failover, and stateless service design is needed to operate production instances
• OAuth2 Resource Server Pattern — Astron uses Spring Security OAuth2 for API authentication (visible in pom.xml); understanding how JWT tokens and resource servers work is necessary for securing agent endpoints
• Distributed Caching with Redisson — Astron relies on Redisson for Redis-based distributed caching and locking; critical for coordinating agent state and ensuring consistency in multi-instance deployments

• langchain/langchain — LLM orchestration framework that Astron Agent likely wraps or competes with for agent workflow definition and tool integration
• autogen-ai/autogen — Microsoft's multi-agent conversation framework; similar goals around agent orchestration but without the enterprise RPA and high-availability focus
• PromtEngineer/localGPT — Local LLM deployment pattern; Astron supports flexible model access including on-premises MaaS—localGPT represents the model-side companion
• iflytek/spark-desk-sdk — iFLYTEK's Spark LLM SDK; Astron Agent is the orchestration platform that consumes Spark models via this SDK
• temporalio/temporal — Workflow orchestration engine for distributed systems; Astron's workflow execution model likely draws inspiration or parallels from Temporal's durable execution patterns

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add comprehensive unit tests for console commons module

The console/commons module (astron-console-commons) has Spring Security, OAuth2, validation, and Redisson integration but likely lacks unit test coverage. This is critical for an enterprise-grade platform handling authentication and distributed caching. A new contributor could establish testing patterns for the commons layer that other modules can follow.

• [ ] Create console/commons/src/test/java directory structure
• [ ] Add unit tests for Spring Security configuration and OAuth2 resource server setup
• [ ] Add tests for Redisson distributed lock/cache operations used across modules
• [ ] Add validation tests for JSR-303 annotations used in DTOs
• [ ] Set up test fixtures and mock configurations in a shared test-utils class
• [ ] Run mvn test locally and document coverage targets (e.g., minimum 70%)

Create GitHub Actions workflow for Python quality gates

The repo has quality requirements documented for Python (.github/quality-requirements/langs/python.md and python-zh.md) and appears to have Python components, but the CI workflow (.github/workflows/ci.yml) likely focuses on Java/TypeScript. A new contributor could add a dedicated Python linting, type-checking, and security scanning workflow.

• [ ] Review .github/quality-requirements/langs/python.md for specific standards (linting, formatting, type hints)
• [ ] Create .github/workflows/python-ci.yml with steps for: flake8/pylint, black formatting check, mypy type checking, and bandit security scan
• [ ] Add the workflow trigger for Python file changes (paths: '**.py', 'pyproject.toml', 'requirements.txt')
• [ ] Reference the workflow in the main CI or trigger separately, and document in CONTRIBUTING.md
• [ ] Test locally using act or a test branch

Add integration test suite for MCP tool integration layer

The README emphasizes 'AI and MCP tool integration' as a core feature, but there's no visible test coverage for MCP (Model Context Protocol) integration in the file structure. This is a high-value, specific feature that needs validation. New contributors could build the foundation for testing MCP tool discovery, validation, and execution.

• [ ] Locate the MCP integration code in the codebase (likely in console or agent modules)
• [ ] Create console/[module]/src/test/java/mcp directory for integration tests
• [ ] Add tests for MCP tool registration and discovery mechanisms
• [ ] Add tests for MCP tool schema validation and parameter handling
• [ ] Add tests for error handling when MCP tools are unavailable or malformed
• [ ] Document MCP testing patterns in console/.claude/QUICK_REFERENCE.md for future contributors
• [ ] Ensure tests use mocking/stubs for external MCP providers and can run in CI

• idea: Add missing test coverage for console/commons/ modules (validation, security aspects, error handling) following the patterns in .github/quality-requirements/java.md—unit tests for Spring Boot components are likely sparse given the 0.0.1 version
• idea: Enhance README.md with concrete examples: add a quickstart section showing how to build a simple agent workflow (e.g., 'create an agent that queries a database and sends a Slack message'), with working code snippets for Java/TypeScript/Python
• idea: Document the RPA automation module: create a guide in docs/ explaining how to integrate Astron Agent with external business systems via RPA, including real-world use cases (SAP, Salesforce, legacy systems) and code examples

The Astron Agent codebase demonstrates a foundation of security awareness with Spring Security, OAuth2, and security validation dependencies

• High · Incomplete Dependency Declaration in pom.xml — console/backend/commons/pom.xml. The pom.xml file appears to have a truncated dependency declaration for MinIO Java SDK (S3 compatible). The comment '<!-- MinIO Java SDK (S3 compatib' is incomplete, indicating the dependency block was cut off. This could result in missing or incorrectly declared dependencies, which may lead to version conflicts or security patches not being applied. Fix: Complete the MinIO Java SDK dependency declaration with proper version and coordinates. Ensure all dependencies are fully specified and validated. Use 'mvn dependency:tree' to verify the dependency resolution.
• Medium · Lombok Marked as Optional Dependency — console/backend/commons/pom.xml. The Lombok dependency is marked as optional in the pom.xml. This annotation processor is critical for code generation in Spring Boot projects. Marking it as optional may cause compilation issues or unexpected behavior in modules that depend on this commons module. Fix: Remove the <optional>true</optional> tag from Lombok dependency or ensure all dependent modules explicitly declare Lombok as a dependency. Consider moving Lombok to the parent pom.xml as a non-optional dependency.
• Medium · OAuth2 Resource Server Configuration Not Visible — console/backend/commons/pom.xml. The pom.xml declares 'spring-boot-starter-oauth2-resource-server' but no corresponding configuration files are visible in the file structure (no application.yml/properties for OAuth2 settings). This could indicate missing security configuration for JWT validation, audience validation, or scope enforcement. Fix: Verify that OAuth2 resource server is properly configured with JWT validation, issuer verification, and appropriate scope/authority checks. Ensure application.yml contains 'spring.security.oauth2.resourceserver' configuration with jwk-set-uri.
• Medium · Redisson Dependency Without Version Lock — console/backend/commons/pom.xml. The Redisson Spring Boot Starter dependency is declared without a specific version, relying on parent pom.xml version management. Redis/Redisson can be a vector for injection attacks if serialization is not properly configured. Missing explicit version control may introduce security patches retroactively. Fix: Verify parent pom.xml specifies a secure Redisson version (>= 3.24.0). Ensure Redis connection uses TLS/SSL and implements strict serialization/deserialization controls. Review Redisson configuration for safe serialization codecs.
• Low · Potential Information Disclosure via GitHub Configuration — .github/workflows/. The repository contains comprehensive GitHub workflow files (.github/workflows/) including CI/CD, CodeQL security analysis, and Claude review automation. While this is standard practice, workflows may inadvertently log sensitive information or expose build artifacts. Fix: Review all workflow files for credential handling. Ensure secrets are not printed in logs. Use 'secrets' context for sensitive values. Implement branch protection rules and require code reviews for sensitive operations.
• Low · Spring Boot Web Starter Without Explicit Security Hardening — console/backend/commons/pom.xml. The project includes 'spring-boot-starter-web' and 'spring-boot-starter-security' but no visible security configuration files (SecurityConfig, FilterChain configuration) in the file structure provided. Fix: Verify that SecurityConfig bean is properly configured with CSRF protection, CORS restrictions, security headers (X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security), and session management. Implement HttpSecurity configuration explicitly.
• Low · Missing SBOM and Dependency Audit Tooling Visibility — console/backend/commons/pom.xml, Makefile, .github/workflows/. No evidence of Software Bill of Materials (SBOM) generation, dependency-check integration, or vulnerability scanning in visible build configuration. For enterprise-grade applications, this is a best practice gap. Fix: Integrate OWASP Dependency-Check Maven plugin, CycloneDX SBOM generation, and automated vulnerability scanning in CI/CD pipelines. Add 'mvn org.owasp:dependency-check-maven:check' to build process.

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.