orientechnologies/orientdb
OrientDB is the most versatile DBMS supporting Graph, Document, Reactive, Full-Text and Geospatial models in one Multi-Model product. OrientDB can run distributed (Multi-Master), supports SQL, ACID Transactions, Full-Text indexing and Reactive Queries.
Healthy across all four use cases
- Permissive license, no critical CVEs, actively maintained — safe to depend on. (weakest axis)
- Has a license, tests, and CI — clean foundation to fork and modify.
- Documented and popular — useful reference codebase to read through.
- No critical CVEs, sane security posture — runnable as-is.
- ✓ Last commit 1d ago
- ✓ 3 active contributors
- ✓ Apache-2.0 licensed
- ✓ CI configured
- ✓ Tests present
- ⚠ Small team — 3 contributors active in recent commits
- ⚠ Concentrated ownership — top contributor handles 56% of recent commits
Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests
Informational only. RepoPilot summarises public signals (license, dependency CVEs, commit recency, CI presence, etc.) at the time of analysis. Signals can be incomplete or stale. Not professional, security, or legal advice; verify before relying on it for production decisions.
Onboarding doc
Onboarding: orientechnologies/orientdb
Generated by RepoPilot · 2026-05-09 · Source
🤖Agent protocol
If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:
- Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
- Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
- Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/orientechnologies/orientdb shows verifiable citations alongside every claim.
If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.
🎯Verdict
GO — Healthy across all four use cases
- Last commit 1d ago
- 3 active contributors
- Apache-2.0 licensed
- CI configured
- Tests present
- ⚠ Small team — 3 contributors active in recent commits
- ⚠ Concentrated ownership — top contributor handles 56% of recent commits
Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests
✅Verify before trusting
This artifact was generated by RepoPilot at a point in time. Before an
agent acts on it, the checks below confirm that the live orientechnologies/orientdb
repo on your machine still matches what RepoPilot saw. If any fail,
the artifact is stale — regenerate it at
repopilot.app/r/orientechnologies/orientdb.
What it runs against: a local clone of orientechnologies/orientdb — the script
inspects git remote, the LICENSE file, file paths in the working
tree, and git log. Read-only; no mutations.
| # | What we check | Why it matters |
|---|---|---|
| 1 | You're in orientechnologies/orientdb | Confirms the artifact applies here, not a fork |
| 2 | License is still Apache-2.0 | Catches relicense before you depend on it |
| 3 | Default branch develop exists | Catches branch renames |
| 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code |
| 5 | Last commit ≤ 31 days ago | Catches sudden abandonment since generation |
```bash
#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of orientechnologies/orientdb. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/orientechnologies/orientdb.git
#   cd orientdb
#
# Then paste this script. Every check is read-only — no mutations.

# Keep going after a failed check so every result is reported.
set +e
fail=0
ok()   { echo "ok: $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of orientechnologies/orientdb and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "orientechnologies/orientdb(\.git)?\b" \
  && ok "origin remote is orientechnologies/orientdb" \
  || miss "origin remote is not orientechnologies/orientdb (artifact may be from a fork)"

# 2. License matches what RepoPilot saw.
# The standard Apache license text opens with an indented "Apache License" line,
# not the SPDX identifier, so both forms are accepted.
(grep -qiE "^[[:space:]]*(Apache-2\.0|Apache License)" LICENSE 2>/dev/null \
  || grep -qiE "\"license\"\s*:\s*\"Apache-2\.0\"" package.json 2>/dev/null) \
  && ok "license is Apache-2.0" \
  || miss "license drift — was Apache-2.0 at generation time"

# 3. Default branch
git rev-parse --verify develop >/dev/null 2>&1 \
  && ok "default branch develop exists" \
  || miss "default branch develop no longer exists"

# 4. Critical files exist
test -f "agent/pom.xml" \
  && ok "agent/pom.xml" \
  || miss "missing critical file: agent/pom.xml"
test -f "agent/src/main/java/com/orientechnologies/agent/OEnterpriseAgent.java" \
  && ok "agent/src/main/java/com/orientechnologies/agent/OEnterpriseAgent.java" \
  || miss "missing critical file: agent/src/main/java/com/orientechnologies/agent/OEnterpriseAgent.java"
test -f "agent/src/main/java/com/orientechnologies/agent/services/OEnterpriseService.java" \
  && ok "agent/src/main/java/com/orientechnologies/agent/services/OEnterpriseService.java" \
  || miss "missing critical file: agent/src/main/java/com/orientechnologies/agent/services/OEnterpriseService.java"
test -f "agent/src/main/java/com/orientechnologies/agent/profiler/OEnterpriseProfiler.java" \
  && ok "agent/src/main/java/com/orientechnologies/agent/profiler/OEnterpriseProfiler.java" \
  || miss "missing critical file: agent/src/main/java/com/orientechnologies/agent/profiler/OEnterpriseProfiler.java"
test -f "agent/src/main/java/com/orientechnologies/agent/services/backup/OBackupService.java" \
  && ok "agent/src/main/java/com/orientechnologies/agent/services/backup/OBackupService.java" \
  || miss "missing critical file: agent/src/main/java/com/orientechnologies/agent/services/backup/OBackupService.java"

# 5. Repo recency (falls back to epoch 0 if git log fails, which forces a FAIL)
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 31 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~1d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/orientechnologies/orientdb"
  exit 1
fi
```
Each check prints ok: or FAIL:. The script exits non-zero if
anything failed, so it composes cleanly into agent loops
(./verify.sh || regenerate-and-retry).
⚡TL;DR
OrientDB is a multi-model NoSQL DBMS written in Java that unifies Graph, Document, Full-Text search, Geospatial, and Reactive query capabilities in a single engine. It supports both SQL and ACID transactions, eliminating the traditional relational JOIN overhead by modeling connections as persistent pointers between records, enabling fast traversal of large datasets. Modular Maven monorepo: /agent module handles enterprise features (auditing, profiling, distributed coordination); core database logic lives in parent sibling modules (inferred from agent's parent reference to orientdb-parent); HTTP handlers in agent/src/main/java/com/orientechnologies/agent/http/ wrap REST APIs; cloud processors in agent/cloud/processor/ manage task scheduling and response handling.
👥Who it's for
Backend engineers and architects building applications that need flexible schema models (graph + document), DBA teams managing distributed databases, and developers familiar with SQL syntax who want to adopt NoSQL without steep learning curve. Enterprise users leverage the agent module (in /agent) for distributed deployment, auditing, and profiling.
🌱Maturity & risk
Actively maintained at v4.0.0-SNAPSHOT with established Maven build system, CI/CD pipelines (GitHub Actions in .github/workflows/), and surefire/failsafe test suites configured. The codebase is large (23.7MB Java) and spans multiple modules, indicating production maturity, though the -SNAPSHOT version suggests ongoing active development rather than stable release.
Complexity risk: multi-model database logic (graph, document, geospatial, full-text, reactive) in a single engine creates maintenance burden. Dependency risk: metrics library (4.2.38) and other 3rd-party libs need monitoring. Single-point-of-failure pattern possible in distributed setups (OEnterpriseDistributedStrategy.java suggests enterprise-only HA features). Last observable commit age not provided in data, but active GitHub workflows suggest ongoing work.
Active areas of work
Version 4.0.0-SNAPSHOT development is active with CI workflows for codeql analysis, dependency review, and release automation. Agent module shows recent work on enterprise profiling (OAgentProfilerService.java), session/query management (KillSessionFunction.java, ListQueriesFunction.java), and cloud integration (NewEnterpriseStatsTask.java). Security enhancements visible via EnterprisePermissions.java and password validation.
🚀Get running
Clone: git clone https://github.com/orientechnologies/orientdb.git && cd orientdb. Install: ./mvnw clean install (Maven wrapper in .mvn/wrapper). Build agent module: ./mvnw -f agent/pom.xml clean package. Database startup requires JDK (Java-only) and standard JVM heap configuration.
Daily commands:
After ./mvnw clean install, database starts with embedded mode or server mode depending on main class invoked. Agent features available after building agent module. Tests run via ./mvnw test (surefire) or ./mvnw verify (failsafe). Set -DORIENTDB_HOME JVM property for runtime file storage location.
🗺️Map of the codebase
- agent/pom.xml — Defines Maven build configuration, dependencies (metrics 4.2.38), and artifact packaging for the enterprise agent module
- agent/src/main/java/com/orientechnologies/agent/OEnterpriseAgent.java — Main entry point and orchestrator for the enterprise agent, initializes all enterprise features and services
- agent/src/main/java/com/orientechnologies/agent/services/OEnterpriseService.java — Core service abstraction that manages enterprise-level capabilities including profiling, auditing, and backup
- agent/src/main/java/com/orientechnologies/agent/profiler/OEnterpriseProfiler.java — Central profiling system using Dropwizard metrics to collect performance data and system telemetry
- agent/src/main/java/com/orientechnologies/agent/services/backup/OBackupService.java — Backup orchestration service coordinating backup tasks, configuration, and lifecycle management
- agent/src/main/java/com/orientechnologies/agent/operation/NodesManager.java — Distributed node management for multi-master clusters, handles inter-node communication and operation responses
- agent/src/main/java/com/orientechnologies/agent/EnterprisePermissions.java — Security and permissions enforcement layer for enterprise feature access control
🛠️How to make changes
Add a new HTTP API endpoint for enterprise management
- Create a new command class extending OServerCommand in the http/command directory (agent/src/main/java/com/orientechnologies/agent/http/command/OServerCommandNewFeature.java)
- Implement execute() method to handle HTTP request and delegate to appropriate service (agent/src/main/java/com/orientechnologies/agent/http/command/OServerCommandNewFeature.java)
- Add permission checks using EnterprisePermissions if needed (agent/src/main/java/com/orientechnologies/agent/EnterprisePermissions.java)
- Register the command in OEnterpriseAgent service initialization (agent/src/main/java/com/orientechnologies/agent/OEnterpriseAgent.java)

Add a new profiling metric for system monitoring
- Create a new metric class implementing OMetric interface (Timer, Counter, Gauge, etc.) (agent/src/main/java/com/orientechnologies/agent/profiler/metrics/OCustomMetric.java)
- Register the metric in OMetricsRegistry during profiler initialization (agent/src/main/java/com/orientechnologies/agent/profiler/OEnterpriseProfiler.java)
- Wire the metric data collection in appropriate component (e.g., query executor, cache layer) (agent/src/main/java/com/orientechnologies/agent/profiler/OEnterpriseProfiler.java)
- Export metric via HTTP endpoint or CSV reporter (agent/src/main/java/com/orientechnologies/agent/profiler/source/CSVAggregateReporter.java)

Add a new backup strategy or storage provider
- Create a new backup configuration class extending OBackupConfig with provider-specific settings (agent/src/main/java/com/orientechnologies/agent/services/backup/OCustomBackupConfig.java)
- Implement OBackupTask subclass for the specific storage provider (agent/src/main/java/com/orientechnologies/agent/services/backup/OCustomBackupTask.java)
- Add provider registration in OBackupService.createBackupTask() factory method (agent/src/main/java/com/orientechnologies/agent/services/backup/OBackupService.java)
- Update OBackupDBLogger to handle new provider-specific logging (agent/src/main/java/com/orientechnologies/agent/services/backup/log/OBackupDBLogger.java)

Add a new distributed operation for cluster coordination
- Create operation request class in operation package (agent/src/main/java/com/orientechnologies/agent/operation/CustomOperation.java)
- Implement OperationResponseManager or NodeResponse for handling distributed responses (agent/src/main/java/com/orientechnologies/agent/operation/OperationResponseManager.java)
- Register operation handler in NodesManager to route requests to target nodes (agent/src/main/java/com/orientechnologies/agent/operation/NodesManager.java)
- Add HTTP command endpoint if external API access is needed (agent/src/main/java/com/orientechnologies/agent/http/command/OServerCommandDistributedManager.java)
🪤Traps & gotchas
JVM heap sizing critical for large datasets (no explicit default in visible config). Database home directory (ORIENTDB_HOME) must be writable and on fast storage for concurrent access. Maven wrapper requires .mvn/wrapper/maven-wrapper.jar to be pre-populated (included in repo). Enterprise features in agent module may require separate license and cloud connectivity to function (NewEnterpriseStatsTask suggests phone-home behavior). Password salt iterations hardcoded to 10 in test config (security.userPasswordSaltIterations=10) — production configs may differ. No visible Dockerfile in agent module, so containerized deployment requires custom image.
🏗️Architecture
💡Concepts to learn
- Multi-Model Database — OrientDB's core differentiator; understanding how Graph, Document, Full-Text, Geospatial, and Reactive models coexist in one engine explains architectural decisions throughout the codebase
- Persistent Pointers / Record Links — OrientDB avoids expensive JOINs by storing connections as persistent pointers between records; this fundamental design choice drives the graph traversal performance claims
- Multi-Master Replication — Implemented in OEnterpriseDistributedStrategy.java; critical for understanding distributed deployments and conflict resolution in cluster mode
- Schema-Mixed Mode — OrientDB supports schema-less, schema-full, and hybrid modes; enables flexible data modeling without traditional RDBMS constraints, visible in Document and Graph model implementations
- Predicate-Based Security — EnterprisePermissions.java implements role-based access control with predicate evaluation; necessary for understanding fine-grained authorization in multi-tenant scenarios
- ACID Transactions — OrientDB guarantees ACID properties despite being NoSQL; differentiates it from eventually-consistent databases and impacts query planning and concurrency handling
- Full-Text Indexing — One of five core query models; enables fast document search without traversing entire datasets, critical for text-heavy applications
🔗Related repos
- neo4j/neo4j — Comparable graph database with multi-model capabilities; direct competitor in the NoSQL graph space with similar ACID transaction support
- mongodb/mongo — Document-oriented NoSQL alternative; OrientDB targets users wanting both document and graph models where MongoDB only provides document
- apache/cassandra — Distributed NoSQL database; architecturally relevant for understanding OrientDB's Multi-Master replication strategy in OEnterpriseDistributedStrategy.java
- orientechnologies/orientdb-gremlin — Official Gremlin language binding for OrientDB graph traversal; ecosystem companion for graph query language support
- orientechnologies/orientdb-docs — Official documentation repository; essential reference for feature behavior and configuration options not visible in this code repository
🪄PR ideas
To work on one of these in Claude Code or Cursor, paste:
Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.
Add comprehensive unit tests for agent security components (EnterprisePasswordValidator, EnterprisePermissions)
The agent module contains critical security classes like EnterprisePasswordValidator.java and EnterprisePermissions.java, but there's no visible test directory structure for the agent module. Given that OrientDB emphasizes 'strong security profiling system based on user, roles and predicate security', these enterprise security components need dedicated unit tests to ensure password validation logic, permission enforcement, and role-based access control work correctly across distributed deployments.
- [ ] Create agent/src/test/java/com/orientechnologies/agent directory structure
- [ ] Add unit tests for EnterprisePasswordValidator covering salt iterations, hashing algorithms, and edge cases
- [ ] Add unit tests for EnterprisePermissions covering role assignment, permission inheritance, and predicate security evaluation
- [ ] Configure maven-surefire-plugin in agent/pom.xml to run tests (similar to failsafe configuration already present)
- [ ] Add test cases for DatabaseAuditingResource.java to verify audit logging functionality
Add distributed operation integration tests for agent NodesManager and OperationResponseManager
The agent module contains distributed operation classes (NodesManager.java, OperationResponseManager.java, NodeNotReachable.java) critical for Multi-Master replication. These classes handle inter-node communication and response coordination but lack visible integration tests. Given OrientDB's emphasis on distributed support, these components need integration tests to verify fault tolerance, node failure handling, and response synchronization in multi-node scenarios.
- [ ] Create agent/src/test/java/com/orientechnologies/agent/operation directory with integration test classes
- [ ] Add tests for NodesManager covering node discovery, health checks, and node removal scenarios
- [ ] Add tests for OperationResponseManager covering response aggregation, timeout handling, and partial failure scenarios
- [ ] Add tests for NodeNotReachable exception handling and failover logic
- [ ] Configure maven-failsafe-plugin (partially configured in pom.xml) to run *IT.java integration tests separately
Add GitHub Actions workflow for agent-specific security and dependency scanning
While codeql.yml and depsreview.yaml workflows exist in .github/workflows, there's no agent-specific security validation workflow. The agent module handles critical enterprise security features (password validation, permissions, auditing) and metrics collection. A dedicated workflow should run security-focused checks, OWASP dependency checks, and agent integration tests on PR/push to the agent module specifically, separate from full repository builds.
- [ ] Create .github/workflows/agent-security.yml with triggers for agent/** path changes
- [ ] Add OWASP dependency check task targeting agent/pom.xml to detect vulnerable transitive dependencies
- [ ] Add SonarQube/code quality checks focused on agent authentication and authorization code patterns
- [ ] Include maven verify step with agent integration tests (failsafe-plugin)
- [ ] Add artifact vulnerability scanning for agent JAR before release (integrate with release.yml)
🌿Good first issues
- Add unit tests for agent/src/main/java/com/orientechnologies/agent/functions/ListQueriesFunction.java and ListSessionsFunction.java — these session management functions lack visible test coverage in the file list, making them candidates for regression bugs.
- Document the EnterprisePasswordValidator.java password policy logic in a new SECURITY.md file under agent/ — current implementation is undocumented, creating onboarding friction for security-sensitive deployments.
- Implement missing HTTP REST endpoints in agent/src/main/java/com/orientechnologies/agent/http/command/ for the KillQueryFunction and KillSessionFunction — functions exist but command wrapper classes appear absent from file list.
⭐Top contributors
- @tglman — 56 commits
- @dependabot[bot] — 43 commits
- @odysseaspenta — 1 commit
📝Recent commits
- 4481f62 — refactor: removed usages of legacy OSerializableStream (tglman)
- 2ad56d1 — refactor: removed implementation of deprecated OSerializableStream from ORecord structures (tglman)
- 26e29b1 — chore(deps): bump com.fasterxml.jackson.core:jackson-core (dependabot[bot])
- 1ec852d — chore(deps): bump commons-codec:commons-codec from 1.21.0 to 1.22.0 (dependabot[bot])
- e98ee08 — chore(deps): bump commons-io:commons-io from 2.21.0 to 2.22.0 (dependabot[bot])
- 3e003ad — chore(deps-dev): bump org.apache.httpcomponents.client5:httpclient5 (dependabot[bot])
- 4e7ab03 — chore(deps): bump gremlin.version from 3.8.0 to 3.8.1 (dependabot[bot])
- b4e0e87 — chore(deps): bump org.javassist:javassist from 3.30.2-GA to 3.31.0-GA (dependabot[bot])
- bc11972 — chore(deps): bump org.bouncycastle:bcpkix-jdk18on in /server (dependabot[bot])
- 00f0903 — chore(deps): bump follow-redirects from 1.15.9 to 1.16.0 in /studio (dependabot[bot])
🔒Security observations
- High · Outdated Metrics Dependency — agent/pom.xml - <metrics.version>4.2.38</metrics.version>. The agent module uses metrics-core version 4.2.38, which may contain known vulnerabilities. Version 4.2.38 is from 2024 and while relatively recent, it should be verified against the NVD and Maven Central for any reported CVEs. The parent POM should enforce consistent dependency versioning across the project. Fix: Regularly update dependencies using 'mvn versions:display-dependency-updates' and apply patches. Implement automated dependency scanning in CI/CD pipeline (GitHub Dependabot is already configured but needs verification of policy enforcement).
- High · SQL Injection Vulnerability Risk in OSQLEnterpriseFunction — agent/src/main/java/com/orientechnologies/agent/functions/OSQLEnterpriseFunction.java. The file 'OSQLEnterpriseFunction.java' suggests custom SQL function handling. Without code review, functions that accept user input and construct SQL queries dynamically pose significant SQL injection risks, especially given OrientDB's SQL support. Fix: Review all SQL function implementations for parameterized queries. Use prepared statements and parameterized queries exclusively. Implement input validation and sanitization. Add unit tests for SQL injection payloads.
- High · Potential Authentication Bypass in EnterprisePasswordValidator — agent/src/main/java/com/orientechnologies/agent/EnterprisePasswordValidator.java and pom.xml test configuration. The 'EnterprisePasswordValidator.java' file indicates custom password validation logic. Weak or improper password validation could allow attackers to bypass authentication or use weak credentials. The test configuration shows 'security.userPasswordSaltIterations=10' which is extremely low (OWASP recommends minimum 100,000+ for PBKDF2). Fix: Increase password salt iterations to at least 100,000+ for production. Use bcrypt or Argon2 instead of simple hashing. Never use fixed weak iterations for passwords. Implement password complexity requirements and enforce them.
- High · Weak Test Security Configuration — agent/pom.xml - maven-surefire-plugin configuration. The surefire plugin configuration shows security.userPasswordSaltIterations=10 for testing, which if accidentally used in production code, would severely compromise password security. This extremely low iteration count (10) is unsuitable even for testing. Fix: Ensure test security configurations are isolated from production. Use configuration profiles for test/prod separation. Never hardcode security parameters; use external configuration. Implement at least 100,000 iterations even in test environments.
- Medium · Missing Security Headers Configuration — agent/src/main/java/com/orientechnologies/agent/http/command/. Multiple HTTP command classes (OServerCommand*) are present but without visible security header configuration. HTTP responses from OrientDB server may lack security headers like HSTS, X-Content-Type-Options, X-Frame-Options, CSP. Fix: Implement comprehensive security headers in all HTTP responses. Add HSTS, X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Content-Security-Policy, and other protective headers. Create a centralized filter for header injection.
- Medium · Potential XSS in HTTP Response Handling — agent/src/main/java/com/orientechnologies/agent/http/command/OServerCommand*.java. HTTP command handlers (OServerCommandGetProfiler, OServerCommandGetSecurityConfig) likely output data in JSON/HTML format. Without visible output encoding, user-controlled data could be reflected in responses causing XSS. Fix: Implement context-appropriate output encoding. Use JSON encoding for JSON responses, HTML encoding for HTML. Never trust user input in responses. Implement Content-Type headers properly and validate all output.
- Medium · Insufficient Input Validation in Administrative Commands — agent/src/main/java/com/orientechnologies/agent/http/command/OServerCommand*.java. Administrative commands like OServerCommandAuditing, OServerCommandBackupManager, and OServerCommandDistributedManager handle critical operations. Lack of visible input validation could allow privilege escalation or unauthorized operations. Fix: Implement strict input validation for all administrative commands. Validate data types, ranges,
LLM-derived; treat as a starting point, not a security audit.
👉Where to read next
- Open issues — current backlog
- Recent PRs — what's actively shipping
- Source on GitHub
Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.