paascloud/paascloud-master
Spring Cloud + Vue + OAuth2.0 full-stack hands-on project: a front-end/back-end separated simulated mall with a complete shopping flow and a back-office operations platform, intended as a quick start for enterprise-grade microservice projects. Supports WeChat login and other third-party logins.
Stale — last commit 3y ago
Weakest axis: last commit was 3y ago; no CI workflows detected.
Has a license and tests: a clean foundation to fork and modify, though with no CI there is nothing running those tests.
Documented and popular: a useful reference codebase to read through.
- ✓ 6 active contributors
- ✓ Apache-2.0 licensed
- ✓ Tests present
- ⚠ Stale — last commit 3y ago
- ⚠ Concentrated ownership — top contributor handles 61% of recent commits
- ⚠ No CI workflows detected
What would change the summary?
- Use as dependency: Mixed → Healthy if 1 commit in the last 365 days
- Deploy as-is: Mixed → Healthy if 1 commit in the last 180 days
Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests
Informational only. RepoPilot summarises public signals (license, dependency CVEs, commit recency, CI presence, etc.) at the time of analysis. Signals can be incomplete or stale. Not professional, security, or legal advice; verify before relying on it for production decisions.
Onboarding: paascloud/paascloud-master
Generated by RepoPilot · 2026-05-09 · Source
🤖Agent protocol
If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:
- Verify the contract. Run the bash script in "Verify before trusting" below. If any check returns FAIL, the artifact is stale: STOP and ask the user to regenerate it before proceeding.
- Treat the "AI · unverified" sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
- Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/paascloud/paascloud-master shows verifiable citations alongside every claim.
If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.
🎯Verdict
WAIT — Stale — last commit 3y ago
- 6 active contributors
- Apache-2.0 licensed
- Tests present
- ⚠ Stale — last commit 3y ago
- ⚠ Concentrated ownership — top contributor handles 61% of recent commits
- ⚠ No CI workflows detected
Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests
✅Verify before trusting
This artifact was generated by RepoPilot at a point in time. Before an
agent acts on it, the checks below confirm that the live paascloud/paascloud-master
repo on your machine still matches what RepoPilot saw. If any fail,
the artifact is stale — regenerate it at
repopilot.app/r/paascloud/paascloud-master.
What it runs against: a local clone of paascloud/paascloud-master — the script
inspects git remote, the LICENSE file, file paths in the working
tree, and git log. Read-only; no mutations.
| # | What we check | Why it matters |
|---|---|---|
| 1 | You're in paascloud/paascloud-master | Confirms the artifact applies here, not a fork |
| 2 | License is still Apache-2.0 | Catches relicense before you depend on it |
| 3 | Default branch master exists | Catches branch renames |
| 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code |
| 5 | Last commit ≤ 972 days ago | Catches sudden abandonment since generation |
```bash
#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of paascloud/paascloud-master. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/paascloud/paascloud-master.git
#   cd paascloud-master
#
# Then paste this script. Every check is read-only — no mutations.
set +e
fail=0
ok() { echo "ok: $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of paascloud/paascloud-master and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "paascloud/paascloud-master(\.git)?\b" \
  && ok "origin remote is paascloud/paascloud-master" \
  || miss "origin remote is not paascloud/paascloud-master (artifact may be from a fork)"

# 2. License matches what RepoPilot saw.
# The stock Apache LICENSE text begins "Apache License" / "Version 2.0", not with the
# SPDX id, so accept either form; package.json stays as a fallback for repos that have one.
( (grep -qiE "Apache License" LICENSE 2>/dev/null && grep -qE "Version 2\.0" LICENSE 2>/dev/null) \
  || grep -qiE "^Apache-2\.0" LICENSE 2>/dev/null \
  || grep -qiE "\"license\"\s*:\s*\"Apache-2\.0\"" package.json 2>/dev/null ) \
  && ok "license is Apache-2.0" \
  || miss "license drift — was Apache-2.0 at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \
  && ok "default branch master exists" \
  || miss "default branch master no longer exists"

# 4. Critical files exist
for f in \
  paascloud-common/paascloud-common-base/src/main/java/com/paascloud/base/dto/LoginAuthDto.java \
  paascloud-common/paascloud-common-core/src/main/java/com/paascloud/core/support/BaseService.java \
  paascloud-common/paascloud-common-core/src/main/java/com/paascloud/core/config/CoreConfiguration.java \
  paascloud-common/paascloud-common-base/src/main/java/com/paascloud/base/constant/GlobalConstant.java \
  paascloud-common/paascloud-common-core/src/main/java/com/paascloud/core/aspect/LogAspect.java
do
  test -f "$f" && ok "$f" || miss "missing critical file: $f"
done

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 972 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~942d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/paascloud/paascloud-master"
  exit 1
fi
```
Each check prints ok: or FAIL:. The script exits non-zero if
anything failed, so it composes cleanly into agent loops
(./verify.sh || regenerate-and-retry).
⚡TL;DR
PaasCloud is a Spring Cloud + Vue full-stack e-commerce simulator that demonstrates a complete microservices architecture with OAuth2.0, supporting a realistic shopping workflow and a back-office operations platform. It addresses enterprise-scale microservice deployment by combining a distributed Spring Cloud ecosystem (Eureka, Config, Zipkin, Gateway) with Vue.js frontends, featuring stateless JWT+OAuth2 authentication, reliable MQ message delivery, and integrated third-party services (Aliyun SMS, Qiniu OSS, Amap). Modular monorepo structure: paascloud-common/ holds shared POJO/config/security (base, config, core, util, zk, security-*); paascloud-provider/ contains 5 microservices (MDC data, OMC orders, OPC integration, TPC tasks, UAC users), each with a corresponding -api module for Feign clients; paascloud-generator/ holds MyBatis Generator configs per service. Central infrastructure modules: Eureka (registry), Discovery (config center), Monitor, Zipkin (distributed tracing), Gateway form the backbone.
👥Who it's for
Java enterprise developers building scalable microservice platforms who need a production-reference implementation of Spring Cloud Edgware with real-world concerns (RBAC auth, distributed logging, task scheduling, message reliability). Also useful for architects designing multi-tenant e-commerce backends and DevOps engineers setting up cloud-native infrastructure.
🌱Maturity & risk
This is a learning/reference project (not production-battle-tested, judging by the repo structure) that has not been committed to in about three years. The codebase is well-structured with 1.5M+ lines of Java, uses established frameworks (Spring Cloud Edgware, MyBatis, Druid, ElasticJob), and includes monitoring/logging infrastructure. However, the test directories in the common modules hold only .gitkeep placeholders, there is no CI configuration, and the commit history has gone quiet, which points to a teaching project rather than a continuously maintained product.
High complexity risk: 10+ backend microservices plus 3 frontend projects create deployment overhead; the README notes services were merged to conserve server costs, hinting at resource constraints. Dependency risk: relies on Aliyun SMS (paid), Qiniu cloud storage, and Amap APIs without obvious fallbacks, and there is no visible dependency security scanning or update cadence. Ownership is concentrated (the top contributor handles 61% of recent commits; the author is mentioned as working at 鲜易供应链平台) and there is no visible community contribution workflow.
Active areas of work
None. The last commit was roughly three years ago (about 942 days at generation time), so the project is a reference implementation snapshot rather than an actively developed one. The README indicates it was completed as a comprehensive learning/demo project showcasing Spring Cloud practices circa the Edgware release.
🚀Get running
```bash
git clone https://github.com/paascloud/paascloud-master.git
cd paascloud-master
mvn clean install -DskipTests
# Start infrastructure: Eureka, Config Server, Zipkin, Gateway, in that order
# Then start provider services: paascloud-provider-uac, paascloud-provider-mdc, etc.
```
Requires Java 8, Maven 3.5+, and MySQL for data persistence.
Daily commands:
- Start Eureka: `java -jar paascloud-eureka/target/*.jar --server.port=8761`
- Start Config Server: `java -jar paascloud-discovery/target/*.jar --server.port=8888`
- Start Zipkin: `java -jar paascloud-zipkin/target/*.jar --server.port=9411`
- Start Gateway: `java -jar paascloud-gateway/target/*.jar --server.port=8080`
- Start each provider in paascloud-provider/: `java -jar paascloud-provider-uac/target/*.jar`, etc.
Each service reads its config from the Config Server on startup via bootstrap.yml (Spring Cloud standard).
🗺️Map of the codebase
- paascloud-common/paascloud-common-base/src/main/java/com/paascloud/base/dto/LoginAuthDto.java — Core authentication DTO used across the OAuth2/JWT token flow; essential for understanding the security model
- paascloud-common/paascloud-common-core/src/main/java/com/paascloud/core/support/BaseService.java — Abstract service layer foundation; all business logic inherits from this; critical for the CRUD patterns
- paascloud-common/paascloud-common-core/src/main/java/com/paascloud/core/config/CoreConfiguration.java — Spring Cloud bootstrap config; registers beans for async, Redis, interceptors, and MQ
- paascloud-common/paascloud-common-base/src/main/java/com/paascloud/base/constant/GlobalConstant.java — Global application constants (status codes, error messages); referenced throughout the codebase
- paascloud-common/paascloud-common-core/src/main/java/com/paascloud/core/aspect/LogAspect.java — AOP logging and operation audit trail; critical for tracing requests across microservices
- paascloud-common/paascloud-common-core/src/main/java/com/paascloud/core/interceptor/TokenInterceptor.java — JWT/OAuth2 token validation interceptor; enforces authentication on all secured endpoints
- paascloud-common/paascloud-common-config/src/main/java/com/paascloud/config/properties/PaascloudProperties.java — Application property bindings for Aliyun, Qiniu, async tasks; configures external service integrations
🛠️How to make changes
Add a new Microservice Provider (e.g., Product Service)
- Create a Maven module paascloud-provider-ppc extending the parent pom.xml, with the spring-cloud-starter-eureka-client dependency (paascloud-master/pom.xml)
- Define an entity class extending BaseEntity and map it to a table with MyBatis annotations (paascloud-provider-ppc/src/main/java/com/paascloud/provider/entity/ProductEntity.java)
- Create a mapper interface extending MyMapper<ProductEntity> for auto-generated CRUD SQL (paascloud-provider-ppc/src/main/java/com/paascloud/provider/mapper/ProductMapper.java)
- Implement a service extending BaseService<ProductMapper, ProductEntity> for business logic (paascloud-provider-ppc/src/main/java/com/paascloud/provider/service/ProductService.java)
- Create a REST controller extending BaseController; annotate methods with @LogAnnotation and @RequestMapping (paascloud-provider-ppc/src/main/java/com/paascloud/provider/web/ProductController.java)
- Add the Eureka client config (spring.application.name, eureka.client.serviceUrl) to application-prod.yml (paascloud-provider-ppc/src/main/resources/application-prod.yml)
Add an Audit-Logged API Endpoint
- In the controller method, annotate with @LogAnnotation(module = "product", operation = "createProduct") to enable LogAspect interception; annotation attributes are Java strings, so use double quotes (paascloud-provider-ppc/src/main/java/com/paascloud/provider/web/ProductController.java)
- LogAspect captures method args, return value, execution time, and the user context from TokenCache (paascloud-common/paascloud-common-core/src/main/java/com/paascloud/core/aspect/LogAspect.java)
- The operation log is published asynchronously to the Aliyun MQ topic 'paascloud_operation_log' for persistence in the audit database (paascloud-common/paascloud-common-base/src/main/java/com/paascloud/base/constant/AliyunMqTopicConstants.java)
Integrate a Third-Party Service (e.g., Qiniu Cloud for File Upload)
- Add the Qiniu SDK dependency to pom.xml and configure bucket, access key, and secret key in application.yml; keep the secrets out of version control (paascloud-common/paascloud-common-config/src/main/java/com/paascloud/config/properties/QiniuProperties.java)
- Autowire QiniuProperties in the service class and create an upload method using the Qiniu SDK client (paascloud-provider-mdc/src/main/java/com/paascloud/provider/service/FileUploadService.java)
- Expose a REST endpoint in the controller; validate file size in the DTO using the @Size annotation (paascloud-provider-mdc/src/main/java/com/paascloud/provider/web/FileController.java)
- Wrap the third-party call in try-catch; throw BusinessException with a code from ErrorCodeEnum on failure (paascloud-common/paascloud-common-base/src/main/java/com/paascloud/base/exception/BusinessException.java)
Implement Reliable Message Publishing (Guaranteed Delivery)
- Create a message event class extending MqMessage with orderId, userId, and eventType fields (paascloud-common/paascloud-common-core/src/main/java/com/paascloud/core/mq/MqMessage.java)
- After persisting the order to the DB, publish the message via the Aliyun MQ producer to the topic defined in AliyunMqTopicConstants (paascloud-provider-omc/src/main/java/com)
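The reliable-publishing procedure above, written out as a runnable sketch. This is an added example and not paascloud code: the message table and the Aliyun MQ producer are replaced by in-memory stand-ins so it runs with no database or broker, and every name in it (OutboxPublisher, StoredMessage, MessageTable, IdempotentConsumer, the topic string) is hypothetical. It also covers the consumer side that the "Reliable Message Delivery" concept below implies: the re-send sweep makes delivery at-least-once, so the consumer must drop duplicates by message id.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

// Added example, not paascloud code. Pure Java 8; all names are hypothetical.
public class ReliableMessageExample {

    /** One row of the message table: what was sent and whether the broker acknowledged it. */
    public static final class StoredMessage {
        public final String id;
        public final String topic;
        public final String payload;
        public boolean confirmed;
        public int attempts;

        StoredMessage(String id, String topic, String payload) {
            this.id = id;
            this.topic = topic;
            this.payload = payload;
        }
    }

    /** Broker producer stand-in: returns true when the broker acknowledged the message. */
    public interface Producer {
        boolean send(String topic, String messageId, String payload);
    }

    /** Message-table stand-in, keyed by message id so a retry can never insert a second row. */
    public static final class MessageTable {
        private final Map<String, StoredMessage> rows = new LinkedHashMap<>();

        public void insert(StoredMessage m) {
            if (rows.containsKey(m.id)) {
                throw new IllegalStateException("duplicate message id " + m.id);
            }
            rows.put(m.id, m);
        }

        public List<StoredMessage> unconfirmed() {
            List<StoredMessage> out = new ArrayList<>();
            for (StoredMessage m : rows.values()) {
                if (!m.confirmed) out.add(m);
            }
            return out;
        }
    }

    /** Producer side: the row is the source of truth; the broker send is best-effort and retried. */
    public static final class OutboxPublisher {
        private final MessageTable table;
        private final Producer producer;
        private final int maxAttempts;

        public OutboxPublisher(MessageTable table, Producer producer, int maxAttempts) {
            this.table = table;
            this.producer = producer;
            this.maxAttempts = maxAttempts;
        }

        /** In the real service this insert shares the transaction of the order write before it. */
        public StoredMessage publish(String topic, String payload) {
            StoredMessage m = new StoredMessage(UUID.randomUUID().toString(), topic, payload);
            table.insert(m);
            trySend(m);
            return m;
        }

        private void trySend(StoredMessage m) {
            if (m.confirmed || m.attempts >= maxAttempts) return;
            m.attempts++;
            if (producer.send(m.topic, m.id, m.payload)) m.confirmed = true;
        }

        /** The scheduled sweep (an ElasticJob in paascloud): re-send rows the broker never acked. */
        public List<StoredMessage> resendUnconfirmed() {
            List<StoredMessage> stillPending = new ArrayList<>();
            for (StoredMessage m : table.unconfirmed()) {
                trySend(m);
                if (!m.confirmed) stillPending.add(m); // rows that exhaust maxAttempts need an alert
            }
            return stillPending;
        }
    }

    /** Consumer side: retries make delivery at-least-once, so duplicates are dropped by id. */
    public static final class IdempotentConsumer {
        private final Set<String> seenIds = new HashSet<>();
        public final List<String> processed = new ArrayList<>();

        public boolean handle(String messageId, String payload) {
            if (!seenIds.add(messageId)) return false; // already applied: skip, never re-apply
            processed.add(payload);
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed flaky broker: rejects the first send, acks later ones, and delivers each
        // acked message twice, which is exactly the failure mode the consumer must tolerate.
        IdempotentConsumer consumer = new IdempotentConsumer();
        int[] calls = {0};
        Producer flaky = (topic, id, payload) -> {
            if (calls[0]++ == 0) return false;
            consumer.handle(id, payload);
            consumer.handle(id, payload); // redelivery
            return true;
        };
        OutboxPublisher publisher = new OutboxPublisher(new MessageTable(), flaky, 3);
        StoredMessage m = publisher.publish("paascloud_order_created", "{\"orderId\":1001}");
        System.out.println("confirmed after first send: " + m.confirmed);
        System.out.println("pending after sweep: " + publisher.resendUnconfirmed().size());
        System.out.println("consumer applied: " + consumer.processed.size());
    }
}
```

The two properties worth keeping when wiring this to the real MqMessage persistence and Aliyun MQ producer: the message row is written before any send is attempted and is never deleted on a failed send, so a crash between "order saved" and "message acked" is recovered by the sweep; and the consumer keys its de-duplication on the message id that the producer generated, not on anything the broker assigns.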
🪤Traps & gotchas
- Service startup order matters: the Config Server must be first (services won't start without it); Eureka must be available before the Gateway and providers register.
- External dependencies are hard-coded: Aliyun SMS, Qiniu OSS, and Amap APIs require valid credentials in the Config Server or application.yml; missing them causes runtime failures, not compile-time errors.
- Database initialization: the SQL schema is not in the repo (typical in companies using managed DBs); you must create databases manually matching the service names (e.g., paascloud_uac, paascloud_omc) or provide them via the Config Server datasource config.
- OAuth2 client registration: the UAC service expects OAuth2 clients pre-registered in the database; a missing client_id/client_secret in the oauth_client_details table causes auth failures.
- Message queue setup: Aliyun MQ or an equivalent must be running; the code assumes MqMessageDto persistence and delivery, which fails silently if the queue is unavailable.
- MyBatis Generator configs in paascloud-generator are not auto-run: execute them manually to regenerate mappers after entity changes.
💡Concepts to learn
- Service Registry & Discovery (Eureka) — PaasCloud's 5 microservices (MDC, OMC, OPC, TPC, UAC) all register with Eureka; understanding service discovery is critical for adding new services or debugging why Feign calls fail
- OAuth2 + JWT Token-Based Authentication — Core security model: stateless, distributed auth without session storage; required to understand UAC token issuance, Gateway validation, and Feign service-to-service propagation
- Reliable Message Delivery (Dual-Write Pattern) — PaasCloud aims at no lost messages via MqMessageDto persistence + Aliyun MQ with re-sends; this gives at-least-once delivery, which prevents order loss in e-commerce but means consumers must be idempotent; understand the idempotency and retry logic
- RBAC (Role-Based Access Control) — Implemented across all services via Spring Security; users have roles (admin, buyer, seller) with permission boundaries enforced at Gateway and service method level
- Distributed Tracing (Zipkin + Spring Cloud Sleuth) — Traces requests across 5+ microservices; essential for debugging latency and failures in a distributed system; PaasCloud includes Zipkin center
- Elastic-Job Distributed Scheduling — Task service (TPC) uses Elastic-Job for scheduled jobs (e.g., order reminders, inventory sync) across multiple instances without duplicate execution
- Feign + Hystrix Circuit Breaker — Microservices call each other via Feign with Hystrix fallbacks; prevents cascading failures when downstream service is slow/down; critical for e-commerce reliability
🔗Related repos
- alibaba/spring-cloud-alibaba — Official Spring Cloud extension for Alibaba middleware (Nacos, Sentinel, Seata); PaasCloud uses Aliyun services, and this adds native integration
- spring-projects/spring-cloud-netflix — Netflix OSS components (Eureka, Hystrix, Feign, Zuul) that form the core of PaasCloud's microservice infrastructure
- spring-projects/spring-security-oauth2-boot — Spring Security OAuth2 reference implementation; PaasCloud's JWT+OAuth2 auth layer is built on this
- pagehelper/Mybatis-PageHelper — Pagination library used in PaasCloud's data access layer; required for query result paging in provider services
- apache/incubator-dubbo — Alternative RPC framework; PaasCloud uses Spring Cloud Feign instead, but Dubbo is common in Chinese e-commerce stacks and a comparative study helps understand the architectural choices
🪄PR ideas
To work on one of these in Claude Code or Cursor, paste:
Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.
Add comprehensive unit tests for exception handling in paascloud-common-base
The paascloud-common-base module defines critical exception classes (BusinessException, ConfigException, ImportException, ReferenceModelNullException, BooleanParseException) but there are no visible test files in src/test/java (only .gitkeep placeholder). Given this is a foundational module used across the entire microservices architecture, adding unit tests for exception handling, serialization, and error message formatting would improve reliability and make it easier for contributors to understand expected behavior.
- [ ] Create paascloud-common/paascloud-common-base/src/test/java/com/paascloud/base/exception/BusinessExceptionTest.java with tests for exception instantiation, message formatting, and error code propagation
- [ ] Create paascloud-common/paascloud-common-base/src/test/java/com/paascloud/base/exception/ConfigExceptionTest.java and ImportExceptionTest.java following the same pattern
- [ ] Add integration tests verifying that ErrorCodeEnum values are properly used in exception constructors
- [ ] Update pom.xml to include junit4 or junit5 dependency if not already present in parent
Add missing unit tests for core AOP aspects in paascloud-common-core
The paascloud-common-core module contains critical cross-cutting concerns (LogAspect, BindingResultAop, NotDisplaySqlAspect) that handle logging, validation, and control over SQL logging. The src/test/java directory only contains .gitkeep, meaning these aspects lack test coverage. Given the importance of aspect-oriented programming in a microservices architecture, adding tests would catch regressions and demonstrate proper usage patterns for downstream services.
- [ ] Create paascloud-common/paascloud-common-core/src/test/java/com/paascloud/core/aspect/LogAspectTest.java using Spring Test framework to verify log messages are captured and formatted correctly
- [ ] Create paascloud-common/paascloud-common-core/src/test/java/com/paascloud/core/aspect/BindingResultAopTest.java to test validation error handling with @ValidateAnnotation
- [ ] Create paascloud-common/paascloud-common-core/src/test/java/com/paascloud/core/aspect/NotDisplaySqlAspectTest.java to verify SQL queries are properly masked in logs
- [ ] Add mock objects for ProceedingJoinPoint and ensure both success and exception paths are tested
Create integration tests for BaseVo, BaseQuery, and BaseTree DTOs in paascloud-common-base
The paascloud-common-base module defines foundational DTOs (BaseVo, BaseQuery, BaseTree) used throughout the microservices for data transfer, but lacks tests validating serialization, deserialization, and inheritance behavior. This is critical since all domain models inherit from these classes. Adding tests would prevent breaking changes and ensure consistent behavior across the OAuth2-enabled system.
- [ ] Create paascloud-common/paascloud-common-base/src/test/java/com/paascloud/base/dto/BaseDtoTest.java with Jackson/JSON serialization tests for BaseVo, BaseQuery, and BaseTree
- [ ] Add tests verifying inheritance chains work correctly (e.g., custom DTOs extending BaseTree maintain parent properties)
- [ ] Add validation tests for pagination fields in BaseQuery (pageNum, pageSize, sort) with boundary conditions
- [ ] Create paascloud-common/paascloud-common-base/src/test/java/com/paascloud/base/dto/CheckValidDtoTest.java to test validation logic with @Valid annotations
🌿Good first issues
- Add unit tests for paascloud-common-base DTOs (BaseVo, BaseQuery, LoginAuthDto, KvDto); currently no test coverage is visible. Create tests in src/test/java/ following Spring Boot test patterns.
- Document the OAuth2 flow end-to-end: create a markdown guide showing UAC token issuance → Gateway token validation → Feign service-to-service propagation, with example curl commands; add it to docs/.
- Add a health-check endpoint to each microservice provider (paascloud-provider-mdc, -omc, -opc, -tpc, -uac) that verifies database connectivity and external API availability (Aliyun, Qiniu, Amap) and returns 500 if critical deps fail. Wire it to a Kubernetes readiness probe rather than a liveness probe: a liveness probe that fails on an external outage restarts otherwise healthy pods.
⭐Top contributors
- @paascloud — 28 commits
- @1647917675 — 7 commits
- @gsfeng — 5 commits
- @kzy77 — 3 commits
- @冯光帅 — 2 commits
📝Recent commits
- 781281a — Update README.md (gsfeng)
- 933adf4 — Update README.md (gsfeng)
- 96fd856 — Update README.md (gsfeng)
- 943d033 — Update README.md (gsfeng)
- 1aa0fc8 — Add the second QQ group number (gsfeng)
- f1f7439 — Add authorization header information (paascloud)
- 3b3a0ef — Tweak the configuration so everyone hits fewer pitfalls and gets it running quickly (paascloud)
- d7bdd28 — Tweak the configuration so everyone hits fewer pitfalls and gets it running quickly (paascloud)
- 50bce30 — Tweak the configuration so everyone hits fewer pitfalls and gets it running quickly (paascloud)
- 526ef9c — Merge pull request #23 from kzy77/master (paascloud)
🔒Security observations
- High · Outdated Spring Cloud Version — paascloud-master (parent pom.xml), Spring Cloud version specification. The project uses Spring Cloud Edgware, which reached end-of-life in December 2019 and no longer receives security patches, so its resolved dependencies carry known vulnerabilities: the Spring Boot 1.5 line Edgware pairs with ships jackson-databind 2.8.x, inside the 2.0.0 through 2.9.8 range affected by CVE-2019-12086 (polymorphic deserialization). CVE-2018-1258 was also cited at generation time, but it affects Spring Security combined with Spring Framework 5.0.5, not the Spring Framework 4.3 / Spring Security 4.2 line that Boot 1.5 uses; confirm what is actually on the classpath with `mvn dependency:tree` rather than inferring from the release-train name. Fix: Upgrade to Spring Cloud 2021.x (Spring Boot 2.6.x/2.7.x) or later and perform thorough regression testing after the upgrade. Alternatively, upgrade to Spring Cloud 2022.x with Spring Boot 3.x if Java 17+ compatibility is possible.
- High · OAuth2 Implementation Risk — paascloud-common-core, paascloud-common-config (interceptor and config packages). The project implements custom OAuth2 authorization through Spring Cloud OAuth2 on outdated framework versions. This creates a risk of authorization bypass, token leakage, and improper token validation. Combined with older Spring Security versions, this is a critical area. Fix: Review and migrate the OAuth2 implementation to Spring Authorization Server. Implement proper token validation, refresh token rotation, and PKCE for mobile clients. Audit the TokenInterceptor and CoreHttpRequestInterceptor classes for proper validation.
- High · Potential SQL Injection via MyBatis — paascloud-common-core/src/main/java/com/paascloud/core/interceptor/SqlLogInterceptor.java and the MyBatis mapper configurations. The project uses MyBatis with the generic Mapper4 and PageHelper. Without code inspection, the risk exists for SQL injection if dynamic queries are constructed improperly; in MyBatis terms that means caller-controlled values reaching `${}` substitution instead of `#{}` parameter binding. The NotDisplaySqlAspect suggests SQL logging whose sanitization has not been verified. Fix: Audit all MyBatis XML mappings and annotation SQL and ensure `#{}` binding is used for every value. Never concatenate user input into SQL strings. Anything that must pass through `${}` (column names, sort direction) should be allow-listed first. Review SqlLogInterceptor to ensure sensitive data masking.
- High · Unencrypted Credential Storage in Properties — paascloud-common/paascloud-common-config/src/main/java/com/paascloud/config/properties/, multiple properties classes (AliyunProperties, QiniuProperties, GaodeProperties, etc.). The configuration references multiple external services: Aliyun SMS, Qiniu cloud storage, Gaode maps, and Zookeeper. These property files likely contain API keys and secrets in plaintext without encryption. Fix: Use Spring Cloud Config's encryption (`{cipher}`-prefixed values decrypted by the config server) or a secrets management system (AWS Secrets Manager, HashiCorp Vault, Spring Vault). Never commit credentials to version control; use environment variables for sensitive configuration. If any committed credential is found in the history, rotate it.
- Medium · Insufficient Input Validation — paascloud-common-core/src/main/java/com/paascloud/core/aspect/BindingResultAop.java and the validation annotations. The presence of CheckValidDto and ValidateAnnotation suggests validation is partially implemented, but BindingResultAop only indicates validation binding, not comprehensive input sanitization. XSS and injection vulnerabilities may exist in user input handling. Fix: Implement comprehensive input validation using Bean Validation (JSR-380). Sanitize all user inputs server-side. Implement output encoding for web responses. Spring Security's CSRF protection matters only for endpoints authenticated by a cookie; Bearer-token endpoints are not CSRF-exposed. Validate file uploads for type and size.
- Medium · Hardcoded JWT/OAuth Secrets Risk — paascloud-common/paascloud-common-base/src/main/java/com/paascloud/base/dto/LoginAuthDto.java and UserTokenDto.java. The LoginAuthDto and UserTokenDto classes suggest JWT token handling. Without configuration encryption, JWT signing keys are likely exposed in properties or configuration files. Fix: Store JWT signing keys in secure configuration management. Use strong, randomly generated keys. Implement a key rotation strategy. Never commit keys to Git. Use separate keys for development and production environments.
- Medium · Insecure Direct Object References (IDOR) — All REST controllers (not visible but implied from the DTO structure). REST API endpoints likely lack proper authorization checks on resource IDs. User authentication via JWT doesn't guarantee authorization to access specific resources. Fix: Implement proper authorization checks at controller level using @PreAuthorize annotations
LLM-derived; treat as a starting point, not a security audit.
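The mapper-and-controller layer that the "Add a new Microservice Provider" steps describe is also where the SQL-injection and IDOR observations above land, so both are shown in one place: a vulnerable MyBatis mapper next to a hardened one, and the controller that calls the hardened one. This is an added example, not paascloud code and not a finding in it. It assumes Spring Boot 2.x with mybatis-spring-boot-starter and Spring Security on the classpath; the table pc_omc_order and its columns are hypothetical, and the callerId() shortcut that reads the user id from the principal name stands in for reading it from LoginAuthDto. Nested types keep the example in one file.

```java
import java.util.Arrays;
import java.util.List;
import org.apache.ibatis.annotations.Mapper;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Added example, not paascloud code. Table/column names and callerId() are assumptions.
public class OrderAccessExample {

    public static class Order {
        public Long id;
        public Long userId;
        public String status;
    }

    /** The two observations above, written out. Kept only for contrast; do not copy it. */
    @Mapper
    public interface VulnerableOrderMapper {
        // ${} is textual substitution: an orderBy of "id; DROP TABLE pc_omc_order" becomes SQL.
        @Select("SELECT id, user_id AS userId, status FROM pc_omc_order ORDER BY ${orderBy}")
        List<Order> listAll(@Param("orderBy") String orderBy);

        // #{} is injection-safe, but nothing ties the row to the caller: any authenticated
        // user can walk ids and read every order (IDOR).
        @Select("SELECT id, user_id AS userId, status FROM pc_omc_order WHERE id = #{id}")
        Order findById(@Param("id") Long id);
    }

    @Mapper
    public interface HardenedOrderMapper {
        // #{} binds a JDBC parameter; the value never becomes part of the statement text.
        // Ownership is part of the predicate, so there is no separate check to forget.
        @Select("SELECT id, user_id AS userId, status FROM pc_omc_order "
              + "WHERE id = #{id} AND user_id = #{userId}")
        Order findOwnedById(@Param("id") Long id, @Param("userId") Long userId);

        // Column names cannot be bound with #{}; the caller allow-lists orderBy before ${}.
        @Select("SELECT id, user_id AS userId, status FROM pc_omc_order "
              + "WHERE user_id = #{userId} ORDER BY ${orderBy}")
        List<Order> listOwned(@Param("userId") Long userId, @Param("orderBy") String orderBy);
    }

    @RestController
    @RequestMapping("/api/orders")
    public static class OrderController {
        private static final List<String> ORDER_COLUMNS = Arrays.asList("id", "status");
        private final HardenedOrderMapper mapper;

        public OrderController(HardenedOrderMapper mapper) {
            this.mapper = mapper;
        }

        // Assumption: the principal name is the numeric user id. paascloud carries the
        // caller in LoginAuthDto; read the id from there in the real code.
        private static long callerId(Authentication auth) {
            return Long.parseLong(auth.getName());
        }

        @GetMapping("/{id}")
        @PreAuthorize("isAuthenticated()")
        public ResponseEntity<Order> get(@PathVariable("id") long id, Authentication auth) {
            Order order = mapper.findOwnedById(id, callerId(auth));
            if (order == null) {
                // Same 404 for "no such order" and "not your order": never confirm an id exists.
                return ResponseEntity.notFound().build();
            }
            return ResponseEntity.ok(order);
        }

        @GetMapping
        @PreAuthorize("isAuthenticated()")
        public List<Order> list(@RequestParam(value = "orderBy", defaultValue = "id") String orderBy,
                                Authentication auth) {
            if (!ORDER_COLUMNS.contains(orderBy)) {
                throw new IllegalArgumentException("orderBy must be one of " + ORDER_COLUMNS);
            }
            return mapper.listOwned(callerId(auth), orderBy);
        }
    }
}
```

Two design choices carry the weight here. The ownership predicate lives in the SQL of findOwnedById, so a later refactor of the controller cannot drop it the way an in-memory `if (order.userId != caller)` check can be dropped. And ORDER_COLUMNS exists because identifiers cannot be bound with `#{}`: whatever must pass through `${}` is compared against a fixed list first, which is the only safe way to use `${}` with caller input.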
👉Where to read next
- Open issues — current backlog
- Recent PRs — what's actively shipping
- Source on GitHub
Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.