jeecgboot/jimureport
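An open-source reporting tool and BI large-screen dashboard, a complete replacement for FineReport and Tableau, with powerful reporting capabilities. An Excel-like report designer and dashboard designer. Fully online, foolproof drag-and-drop design that greatly lowers the difficulty of report development and solves all kinds of reporting problems.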
Solo project — review before adopting
Weakest axis: copyleft license (GPL-3.0) — review compatibility; single-maintainer (no co-maintainers visible)…
Has a license, tests, and CI — clean foundation to fork and modify.
Documented and popular — useful reference codebase to read through.
No critical CVEs, sane security posture — runnable as-is.
- ✓ Last commit 2d ago
- ✓ GPL-3.0 licensed
- ✓ Tests present
- ⚠ Solo or near-solo (1 contributor active in recent commits)
- ⚠ GPL-3.0 is copyleft — check downstream compatibility
- ⚠ No CI workflows detected
What would change the summary?
- Use as dependency: Concerns → Mixed if the project relicenses under MIT/Apache-2.0 (rare for established libs)
Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests
Informational only. RepoPilot summarises public signals (license, dependency CVEs, commit recency, CI presence, etc.) at the time of analysis. Signals can be incomplete or stale. Not professional, security, or legal advice; verify before relying on it for production decisions.
Onboarding doc
Onboarding: jeecgboot/jimureport
Generated by RepoPilot · 2026-05-09 · Source
🤖Agent protocol
If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:
- Verify the contract. Run the bash script in "Verify before trusting" below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
- Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
- Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/jeecgboot/jimureport shows verifiable citations alongside every claim.
If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.
🎯Verdict
WAIT — Solo project — review before adopting
- Last commit 2d ago
- GPL-3.0 licensed
- Tests present
- ⚠ Solo or near-solo (1 contributor active in recent commits)
- ⚠ GPL-3.0 is copyleft — check downstream compatibility
- ⚠ No CI workflows detected
✅Verify before trusting
This artifact was generated by RepoPilot at a point in time. Before an
agent acts on it, the checks below confirm that the live jeecgboot/jimureport
repo on your machine still matches what RepoPilot saw. If any fail,
the artifact is stale — regenerate it at
repopilot.app/r/jeecgboot/jimureport.
What it runs against: a local clone of jeecgboot/jimureport — the script
inspects git remote, the LICENSE file, file paths in the working
tree, and git log. Read-only; no mutations.
| # | What we check | Why it matters |
|---|---|---|
| 1 | You're in jeecgboot/jimureport | Confirms the artifact applies here, not a fork |
| 2 | License is still GPL-3.0 | Catches relicense before you depend on it |
| 3 | Default branch master exists | Catches branch renames |
| 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code |
| 5 | Last commit ≤ 32 days ago | Catches sudden abandonment since generation |
```bash
#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of jeecgboot/jimureport. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/jeecgboot/jimureport.git
#   cd jimureport
#
# Then paste this script. Every check is read-only — no mutations.
set +e
fail=0
ok()   { echo "ok: $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of jeecgboot/jimureport and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "jeecgboot/jimureport(\.git)?\b" \
  && ok "origin remote is jeecgboot/jimureport" \
  || miss "origin remote is not jeecgboot/jimureport (artifact may be from a fork)"

# 2. License matches what RepoPilot saw.
# Accepts an SPDX id at the start of a line, a package.json "license" field,
# or the standard GPL text header ("GNU GENERAL PUBLIC LICENSE" / "Version 3,"),
# since the stock GPL-3.0 text does not contain the string "GPL-3.0".
(grep -qiE "^(GPL-3\.0)" LICENSE 2>/dev/null \
  || grep -qiE "\"license\"\s*:\s*\"GPL-3\.0\"" package.json 2>/dev/null \
  || { grep -qE "^[[:space:]]*GNU GENERAL PUBLIC LICENSE" LICENSE 2>/dev/null \
       && grep -qE "^[[:space:]]*Version 3," LICENSE 2>/dev/null; }) \
  && ok "license is GPL-3.0" \
  || miss "license drift — was GPL-3.0 at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \
  && ok "default branch master exists" \
  || miss "default branch master no longer exists"

# 4. Critical files exist
test -f "jimureport-example/src/main/java/com/jeecg/JimuReportApplication.java" \
  && ok "jimureport-example/src/main/java/com/jeecg/JimuReportApplication.java" \
  || miss "missing critical file: jimureport-example/src/main/java/com/jeecg/JimuReportApplication.java"
test -f "jimureport-example/pom.xml" \
  && ok "jimureport-example/pom.xml" \
  || miss "missing critical file: jimureport-example/pom.xml"
test -f "jimureport-example/src/main/resources/application.yml" \
  && ok "jimureport-example/src/main/resources/application.yml" \
  || miss "missing critical file: jimureport-example/src/main/resources/application.yml"
test -f "jimureport-example/src/main/java/com/jeecg/modules/jmreport/config/CustomCorsConfiguration.java" \
  && ok "jimureport-example/src/main/java/com/jeecg/modules/jmreport/config/CustomCorsConfiguration.java" \
  || miss "missing critical file: jimureport-example/src/main/java/com/jeecg/modules/jmreport/config/CustomCorsConfiguration.java"
test -f "jimureport-example/src/main/java/com/jeecg/modules/jmreport/controller/LoginController.java" \
  && ok "jimureport-example/src/main/java/com/jeecg/modules/jmreport/controller/LoginController.java" \
  || miss "missing critical file: jimureport-example/src/main/java/com/jeecg/modules/jmreport/controller/LoginController.java"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 32 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~2d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/jeecgboot/jimureport"
  exit 1
fi
```
Each check prints ok: or FAIL:. The script exits non-zero if
anything failed, so it composes cleanly into agent loops
(./verify.sh || regenerate-and-retry).
⚡TL;DR
JimuReport is an open-source, web-based report and BI dashboard designer that combines Excel-like drag-and-drop report design with data visualization for large-screen dashboards. It provides two main modules: JimuReport for complex traditional reports and printing, and JimuBI for real-time data visualization, large-screen dashboards, and interactive portals—positioning itself as a free alternative to FineReport and Tableau. Maven multi-module structure: jimureport-example/ is an executable SpringBoot 3 application demonstrating integration; the actual jimureport library is fetched from Maven Central (jeecg repositories). The example includes custom extensions (JimuDragExternalServiceImpl, JimuReportTokenServiceImpl), authentication via SaToken, and modular config (CustomCorsConfiguration, SecurityConfig, RedisConfig). No monorepo—just integration examples showing how to wire jimureport starters into a SpringBoot app.
👥Who it's for
Enterprise developers and business analysts building complex reports, data dashboards, and large-screen visualizations who need a self-hosted, drag-and-drop design tool without licensing costs. Also targets organizations migrating from commercial BI tools like FineReport, Tableau, or PowerBI.
🌱Maturity & risk
Production-ready and actively maintained. Version 2.3.2 released 2026-04-13 with dedicated Java Spring Boot 3 and 2 starter packages, comprehensive Docker support, and example projects demonstrating integration. The project structure includes mature patterns (custom CORS, token services, Redis config) and is adopted in enterprise contexts, though it remains primarily maintained by Beijing Guoju Information Technology.
Low-to-medium risk: core jimureport library is proprietary ('代码不开放'—code not open), meaning you depend on compiled jars from jeecg Maven repositories. Example project shows authentication and security config but core report engine is a black box. Requires specific Java 17+ (SpringBoot 3) or Java 8+ (SpringBoot 2), and you must maintain database schema via jimureport.mysql5.7.create.sql—schema changes in new versions could be problematic. Single organization maintains both JimuReport and JimuBI.
Active areas of work
Latest version 2.3.2 targets SpringBoot 3.5.5 with JDK 17, indicating active modernization. Supporting packages include jimureport-nosql-starter for MongoDB/Redis, jimureport-echarts-starter for EChart export, and jimubi-spring-boot3-starter for dashboard features. Docker examples and database schema files are present, suggesting ongoing containerization support.
🚀Get running
Clone repo: git clone https://github.com/jeecgboot/jimureport.git. Navigate to example: cd jimureport-example. Install: mvn clean install. Configure database in application-dev.yml and initialize schema from db/jimureport.mysql5.7.create.sql. Run: mvn spring-boot:run. Or use Docker: docker-compose up (Dockerfile present in jimureport-example/).
Daily commands: mvn spring-boot:run (from jimureport-example/). Or build JAR: mvn clean package && java -jar target/jimureport-example-2.2.jar. With Docker: docker-compose up (uses docker-compose.yml in jimureport-example/). Access at http://localhost:8080 after schema initialization.
🗺️Map of the codebase
- jimureport-example/src/main/java/com/jeecg/JimuReportApplication.java — Spring Boot application entry point; all contributors must understand the application bootstrap and initialization flow
- jimureport-example/pom.xml — Maven configuration defining all project dependencies, Spring Boot version (3.5.5), and repository configurations; essential for build setup
- jimureport-example/src/main/resources/application.yml — Primary application configuration file; controls database, logging, and JimuReport system behavior
- jimureport-example/src/main/java/com/jeecg/modules/jmreport/config/CustomCorsConfiguration.java — CORS and security configuration; critical for web access and cross-origin requests in the reporting system
- jimureport-example/src/main/java/com/jeecg/modules/jmreport/controller/LoginController.java — Authentication entry point; manages user login flow and session management
- jimureport-example/src/main/java/com/jeecg/modules/jmreport/extend/JimuReportTokenServiceImpl.java — Token service implementation; handles token generation and validation for secured report access
- db/jimureport.mysql5.7.create.sql — Database schema definition; required for understanding data model and initialization
🛠️How to make changes
Add Custom Authentication Token Service
- Create new class extending or implementing JimuReportTokenService in jimureport-example/src/main/java/com/jeecg/modules/jmreport/extend/ (jimureport-example/src/main/java/com/jeecg/modules/jmreport/extend/JimuReportTokenServiceImpl.java)
- Implement token generation and validation methods for your custom security model (jimureport-example/src/main/java/com/jeecg/modules/jmreport/extend/JimuReportTokenServiceImpl.java)
- Register the service as a Spring @Component or @Service bean (jimureport-example/src/main/java/com/jeecg/JimuReportApplication.java)
- Test integration by verifying token validation in LoginController flow (jimureport-example/src/main/java/com/jeecg/modules/jmreport/controller/LoginController.java)
Add Custom Report Drag-and-Drop Behavior
- Create new class extending JimuDragExternalService in the extend package (jimureport-example/src/main/java/com/jeecg/modules/jmreport/extend/JimuDragExternalServiceImpl.java)
- Override methods to customize drag event handling, element validation, and drop logic (jimureport-example/src/main/java/com/jeecg/modules/jmreport/extend/JimuDragExternalServiceImpl.java)
- Register bean in Spring context and ensure it is loaded before JimuReport initialization (jimureport-example/src/main/java/com/jeecg/JimuReportApplication.java)
Configure New Environment/Database Profile
- Create new application config file (e.g., application-staging.yml) in src/main/resources/ (jimureport-example/src/main/resources/application-dev.yml)
- Copy from existing profile (dev, prod) and customize database URL, credentials, and JimuReport settings (jimureport-example/src/main/resources/application.yml)
- Run application with spring.profiles.active=staging to activate the new profile (jimureport-example/pom.xml)
- Optional: Use Docker Compose (docker-compose.yml) to provision database container with new environment (jimureport-example/docker-compose.yml)
Add Global Exception Handler for Custom Business Logic
- Create custom exception class extending RuntimeException in the exception package (jimureport-example/src/main/java/com/jeecg/modules/jmreport/satoken/exception/GlobalException.java)
- Add @ExceptionHandler method in GlobalExceptionHandler for the custom exception (jimureport-example/src/main/java/com/jeecg/modules/jmreport/satoken/exception/GlobalExceptionHandler.java)
- Return standardized AjaxJson response wrapper with error details and HTTP status code (jimureport-example/src/main/java/com/jeecg/modules/jmreport/satoken/exception/AjaxJson.java)
- Throw the custom exception from business logic (controllers, services) to trigger centralized error handling (jimureport-example/src/main/java/com/jeecg/modules/jmreport/controller/LoginController.java)
🔧Why these technologies
- Spring Boot 3.5.5 — Modern Java framework providing dependency injection, web servlet support, and rapid application development
- Sa-Token — Lightweight authentication framework for token-based authorization without heavy JWT libraries
- Redis — In-memory cache for session storage, token validation, and performance optimization
- MySQL 5.7+ — Relational database for persisting report definitions, user data, and metadata
- Docker & Docker Compose
🪤Traps & gotchas
1) Proprietary core: jimureport-spring-boot3-starter is closed-source; you cannot debug or modify the actual report engine—only extend via interfaces.
2) Database initialization required: schema must be created before startup; missing tables cause silent failures in report operations.
3) SaToken dependency: token service must be properly implemented; default mock may cause permission issues in production.
4) Maven repository access: requires connectivity to jeecg Maven repos (https://maven.jeecg.org/); builds fail offline or behind proxies without caching.
5) Version mismatch risk: SpringBoot 3.5.5 + JDK 17 is strict; mixing with SpringBoot 2 jars will cause ClassNotFound errors.
6) Redis/MongoDB are optional but recommended for multi-node deployments; file-based caching may cause data loss.
💡Concepts to learn
- Token-based Authentication (SaToken) — JimuReport integrates SaToken for stateless API security; understanding token lifecycle and permission binding is essential for protecting sensitive report data
- Drag-and-Drop Report DSL (Domain-Specific Language) — The core jimureport designer converts visual drag-drop operations into an internal XML/JSON report definition; understanding this serialization is key to programmatically generating reports
- Multi-datasource Connection Pooling (Druid) — JimuReport uses Druid to manage multiple database connections (MySQL, SQL Server, Oracle); critical for scaling reports across heterogeneous data sources
- Spring Boot Auto-Configuration (Starter Pattern) — jimureport-spring-boot3-starter auto-registers report endpoints, datasource managers, and permission validators without manual bean wiring; understanding starter conventions is essential for integration
- CORS (Cross-Origin Resource Sharing) Policy — JimuReport designer runs in browser and calls backend APIs from different origins; CustomCorsConfiguration.java controls which domains can access report endpoints
- NoSQL Dataset Caching (MongoDB/Redis) — jimureport-nosql-starter enables off-database caching of large datasets; critical for performance when reports query millions of records
🔗Related repos
- jeecgboot/jeecg-boot — Parent enterprise framework providing foundation patterns, security config (SaToken), and database ORM that JimuReport example extends
- zhangdaiscott/jmreport-cloud — Cloud-deployed variant of JimuReport demonstrating multi-tenant, SaaS-style report hosting architecture
- anji-plus/report — Alternative open-source Chinese BI tool; similar drag-drop report design but with full source code (vs JimuReport's proprietary core)
- pentaho/pentaho-reporting — Enterprise open-source reporting engine; mature alternative for complex reports but steeper integration curve than JimuReport's SpringBoot starter
- apache/superset — Open-source data visualization and dashboard tool; complementary for large-scale analytics alongside JimuReport's traditional reporting focus
🪄PR ideas
To work on one of these in Claude Code or Cursor, paste:
Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.
Add Docker Compose CI/CD workflow for automated example application testing
The repo has a well-structured jimureport-example with docker-compose.yml and Dockerfile, but lacks a GitHub Actions workflow to automatically test the containerized setup on each PR. This would catch integration issues early, ensure the example stays functional, and validate that new changes don't break Docker deployments—critical for a tool positioned as a drop-in replacement for commercial BI solutions.
- [ ] Create .github/workflows/docker-compose-test.yml that builds and tests jimureport-example/docker-compose.yml on push/PR
- [ ] Add steps to verify MySQL database initialization from jimureport-example/db/jimureport.mysql5.7.create.sql
- [ ] Include health checks for the Spring Boot application startup and basic API connectivity tests
- [ ] Document in README.md how to run the Docker Compose setup locally for contributors
Add unit tests for CustomCorsConfiguration and SecurityConfig classes
The example application includes security-critical components (jimureport-example/src/main/java/com/jeecg/modules/jmreport/satoken/config/SecurityConfig.java and CustomCorsConfiguration.java) but there are no visible test files. Given this is a reporting tool handling potentially sensitive data, missing CORS and security config tests create blind spots for regressions and misconfigurations.
- [ ] Create jimureport-example/src/test/java/com/jeecg/modules/jmreport/config/CustomCorsConfigurationTest.java testing CORS header validation
- [ ] Create jimureport-example/src/test/java/com/jeecg/modules/jmreport/satoken/config/SecurityConfigTest.java testing authentication and authorization flows
- [ ] Add integration tests for LoginController.java to verify SaToken session handling
- [ ] Update pom.xml to include spring-boot-starter-test if not already present for JUnit 5 support
Create comprehensive API documentation and OpenAPI/Swagger integration for JimuReport endpoints
The repo contains multiple controller classes (LoginController.java visible in the example) and extends JimuReport functionality through custom services (JimuDragExternalServiceImpl.java, JimuReportTokenServiceImpl.java), but lacks visible API documentation or Swagger/OpenAPI specifications. This makes it harder for contributors and users to understand available endpoints and integration points.
- [ ] Add springdoc-openapi-starter-webmvc-ui dependency to jimureport-example/pom.xml
- [ ] Annotate LoginController.java and other controller endpoints with @Operation, @ApiResponse, and @Tag annotations
- [ ] Create API documentation in docs/API.md listing all custom extension points (JimuDragExternalServiceImpl, JimuReportTokenServiceImpl interfaces)
- [ ] Add Swagger UI access instructions to README.md (typically at /swagger-ui.html) and document in CONTRIBUTING guidelines
🌿Good first issues
- Add integration tests for JimuReportTokenServiceImpl.java demonstrating token validation with invalid/expired tokens (currently only extends without test coverage).
- Document the exact datasource properties required in application.yml for non-MySQL databases (sqlserver example exists but lacks explanation of JDBC URL format, driver setup).
- Create a minimal custom data source connector example in extend/ showing how to implement jimureport's external dataset interface (reference TestRpSpringBean.java but formalize as reusable module).
📝Recent commits
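- 888e8c0 — Upgrade the version numbers of the nosql and echarts support packages (zhangdaiscott)
- 7e916f1 — Disclaimer (zhangdaiscott)
- 18a4b13 — Upgrade JimuBI version to v2.3.2, with AI assistant support (zhangdaiscott)
- 7267384 — Upgrade JimuBI version to v2.3.2 (zhangdaiscott)
- 4591b1a — Upgrade jimureport-spring-boot-starter version 2.3.0.1 → 2.3.2 (zhangdaiscott)
- 9d71f74 — Update release date to 2026-04-13 (zhangdaiscott)
- daa7007 — Upgrade JimuReport version to v2.3.2, update the database initialization script (zhangdaiscott)
- 9b551b5 — QQ group is full, add a new group (zhangdaiscott)
- 79bc124 — Skills: create dashboards and reports with a single sentence (zhangdaiscott)
- c08ccc9 — Automatically create reports with a single sentence (zhangdaiscott)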
🔒Security observations
- High · Outdated Spring Boot Version with Known Vulnerabilities — jimureport-example/pom.xml - spring-boot-starter-parent version 3.5.5. The project uses Spring Boot 3.5.5, which may contain known security vulnerabilities. Spring Boot versions should be kept up-to-date with the latest stable releases to patch security issues. Fix: Update to the latest stable Spring Boot 3.x version. Review the Spring Security release notes for any critical patches applicable to this version.
- High · Vulnerable MySQL Connector Version — jimureport-example/pom.xml - mysql-connector-java version 8.0.27. MySQL Connector Java 8.0.27 is outdated and contains known security vulnerabilities (CVE-2021-2471, CVE-2021-21409 and others). This version was released in 2021 and no longer receives security updates. Fix: Update to MySQL Connector Java 8.0.33 or later. For Java 17 compatibility, ensure using at least 8.0.31+.
- High · Outdated Druid Connection Pool — jimureport-example/pom.xml - druid version 1.2.24. Druid 1.2.24 is relatively old. While not critically vulnerable, newer versions contain important fixes and improvements. Check for known CVEs in this specific version. Fix: Update to Druid 1.2.27 or the latest stable version (1.2.x series). Review Druid changelog for security patches.
- High · Outdated MinIO Client Library — jimureport-example/pom.xml - minio version 8.0.3. MinIO 8.0.3 is outdated and may contain security vulnerabilities. Current versions are significantly newer and include important security patches. Fix: Update to the latest stable MinIO Java client (currently 8.5.x or newer). Review MinIO security advisories for patches applicable to 8.0.3.
- Medium · CORS Configuration May Be Too Permissive — jimureport-example/src/main/java/com/jeecg/modules/jmreport/config/CustomCorsConfiguration.java. The CustomCorsConfiguration.java file is present in the codebase. Without reviewing its contents, CORS misconfigurations are common in reporting tools and could allow unauthorized cross-origin requests. Fix: Review CORS configuration to ensure it only allows specific trusted origins. Avoid using '*' for allowedOrigins. Implement proper origin validation.
- Medium · SaToken Authentication Framework Integration — jimureport-example/src/main/java/com/jeecg/modules/jmreport/satoken/. The codebase integrates SaToken for authentication. Verify that SaToken is properly configured with secure session management, CSRF protection, and token expiration policies. Fix: Audit SaToken configuration in SaTokenConfigure.java and SecurityConfig.java. Ensure tokens have appropriate expiration times, refresh token rotation is implemented, and secure cookie flags are set.
- Medium · Potential SQL Injection Risks in Report Generation — jimureport-example/src/main/java/com/jeecg/modules/jmreport/ (query processing modules). As a reporting tool that likely executes dynamic SQL queries, there is inherent risk of SQL injection if user input is not properly parameterized when building report queries. Fix: Ensure all database queries use parameterized statements/prepared statements. Implement input validation and sanitization. Use ORM frameworks where possible. Audit any raw SQL execution paths.
- Medium · Missing Security Headers Configuration — SecurityConfig.java / SecurityConfiguration. No explicit security header configuration is visible (such as X-Content-Type-Options, X-Frame-Options, Content-Security-Policy, etc.) in the provided file structure. Fix: Implement comprehensive security headers in Spring Security configuration. Add X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Strict-Transport-Security, and Content-Security-Policy headers.
LLM-derived; treat as a starting point, not a security audit.
👉Where to read next
- Open issues — current backlog
- Recent PRs — what's actively shipping
- Source on GitHub
Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.