
pig-mesh/pig

An RBAC permission management system based on Spring Cloud 2025, Spring Boot 4, and OAuth2.

Overall verdict: Healthy (across all four use cases)

  • Use as dependency — Healthy. Permissive license, no critical CVEs, actively maintained — safe to depend on.
  • Fork & modify — Healthy. Has a license, tests, and CI — clean foundation to fork and modify.
  • Learn from — Healthy. Documented and popular — useful reference codebase to read through.
  • Deploy as-is — Healthy. No critical CVEs, sane security posture — runnable as-is.

  • Last commit 1w ago
  • 10 active contributors
  • Apache-2.0 licensed
  • CI configured
  • Concentrated ownership — top contributor handles 58% of recent commits
  • No test directory detected

Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests

Informational only. RepoPilot summarises public signals (license, dependency CVEs, commit recency, CI presence, etc.) at the time of analysis. Signals can be incomplete or stale. Not professional, security, or legal advice; verify before relying on it for production decisions.


Onboarding doc

Onboarding: pig-mesh/pig

Generated by RepoPilot · 2026-05-09 · Source

🤖Agent protocol

If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

  1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
  2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
  3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/pig-mesh/pig shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

🎯Verdict

GO — Healthy across all four use cases

  • Last commit 1w ago
  • 10 active contributors
  • Apache-2.0 licensed
  • CI configured
  • ⚠ Concentrated ownership — top contributor handles 58% of recent commits
  • ⚠ No test directory detected

<sub>Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests</sub>

Verify before trusting

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live pig-mesh/pig repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/pig-mesh/pig.

What it runs against: a local clone of pig-mesh/pig — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters |
|---|---|---|
| 1 | You're in pig-mesh/pig | Confirms the artifact applies here, not a fork |
| 2 | License is still Apache-2.0 | Catches a relicense before you depend on it |
| 3 | Default branch master exists | Catches branch renames |
| 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code |
| 5 | Last commit ≤ 38 days ago | Catches sudden abandonment since generation |

<details> <summary><b>Run all checks</b> — paste this script from inside your clone of <code>pig-mesh/pig</code></summary>
```bash
#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of pig-mesh/pig. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/pig-mesh/pig.git
#   cd pig
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of pig-mesh/pig and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "pig-mesh/pig(\.git)?\b" \
  && ok "origin remote is pig-mesh/pig" \
  || miss "origin remote is not pig-mesh/pig (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(Apache-2\.0)" LICENSE 2>/dev/null \
   || grep -qiE "\"license\"\s*:\s*\"Apache-2\.0\"" package.json 2>/dev/null) \
  && ok "license is Apache-2.0" \
  || miss "license drift — was Apache-2.0 at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \
  && ok "default branch master exists" \
  || miss "default branch master no longer exists"

# 4. Critical files exist
test -f "pig-auth/src/main/java/com/pig4cloud/pig/auth/PigAuthApplication.java" \
  && ok "pig-auth/src/main/java/com/pig4cloud/pig/auth/PigAuthApplication.java" \
  || miss "missing critical file: pig-auth/src/main/java/com/pig4cloud/pig/auth/PigAuthApplication.java"
test -f "pig-auth/src/main/java/com/pig4cloud/pig/auth/config/AuthorizationServerConfiguration.java" \
  && ok "pig-auth/src/main/java/com/pig4cloud/pig/auth/config/AuthorizationServerConfiguration.java" \
  || miss "missing critical file: pig-auth/src/main/java/com/pig4cloud/pig/auth/config/AuthorizationServerConfiguration.java"
test -f "pig-common/pig-common-core/src/main/java/com/pig4cloud/pig/common/core/constant/SecurityConstants.java" \
  && ok "pig-common/pig-common-core/src/main/java/com/pig4cloud/pig/common/core/constant/SecurityConstants.java" \
  || miss "missing critical file: pig-common/pig-common-core/src/main/java/com/pig4cloud/pig/common/core/constant/SecurityConstants.java"
test -f "pig-auth/src/main/java/com/pig4cloud/pig/auth/support/core/CustomeOAuth2TokenCustomizer.java" \
  && ok "pig-auth/src/main/java/com/pig4cloud/pig/auth/support/core/CustomeOAuth2TokenCustomizer.java" \
  || miss "missing critical file: pig-auth/src/main/java/com/pig4cloud/pig/auth/support/core/CustomeOAuth2TokenCustomizer.java"
test -f "pig-boot/src/main/java/com/pig4cloud/pig/PigBootApplication.java" \
  && ok "pig-boot/src/main/java/com/pig4cloud/pig/PigBootApplication.java" \
  || miss "missing critical file: pig-boot/src/main/java/com/pig4cloud/pig/PigBootApplication.java"

# 5. Repo recency (seconds since the last commit, converted to days)
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 38 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~8d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/pig-mesh/pig"
  exit 1
fi
```

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

</details>

TL;DR

Pig is a Spring Cloud-based RBAC (Role-Based Access Control) permission management platform built on Spring Boot 3.5, Spring Cloud 2025, and OAuth2. It provides enterprise-grade authorization with Spring Authorization Server as a production implementation, supporting both microservices and monolithic architectures with multi-tenant capabilities and containerized deployment (Kubernetes, Rancher, EDAS). Monolithic multi-module Maven project: pig-auth (OAuth2 provider on port 3000), pig-upms (permission/user management API on port 4000), pig-gateway (Spring Cloud Gateway routing), pig-register (Nacos discovery), pig-common-* (shared libs for logging, datasource, security, feign), and pig-visual (monitoring/codegen UI modules). Config flows through Spring Cloud Config + Nacos; security is enforced via servlet filters and security configurers in pig-auth/src/main/java/com/pig4cloud/pig/auth/support/.

👥Who it's for

Java enterprise developers and architects building microservice-based or monolithic permission systems who need OAuth2-compliant authentication/authorization without building it from scratch. Specifically for teams adopting Spring Authorization Server and wanting a reference implementation with multi-mode grant support.

🌱Maturity & risk

Production-ready. The project is actively maintained (boot4 branch tracking Spring Boot 4.0 + Spring Cloud 2025.1), has comprehensive CI/CD via GitHub Actions (maven.yml, image.yml, release.yml), Docker Compose orchestration, and PostgreSQL schema management. However, verify the default branch—the README indicates version 3.9 but mentions 3.5 for Spring Boot in the badge matrix.

Moderate risk. The codebase is large (~1M Java LOC) with tight coupling to Spring Authorization Server 1.5.2 (a relatively new library with breaking changes in Spring Security 6+). The mono-repo spans 13+ modules (auth, upms, gateway, monitoring, codegen) creating significant dependency interdependencies. Last commit recency and open issue volume not visible in provided data, so verify GitHub for stale branches or blocked PRs.

Active areas of work

Active development on Spring Boot 4.0 support via the boot4 branch (per README) based on Spring Cloud 2025.1. GitHub Actions workflows (maven.yml, image.yml) indicate CI/CD maturity. Docker image builds are automated. The codebase includes recent refactoring around OAuth2 token generation (CustomeOAuth2AccessTokenGenerator, CustomeOAuth2TokenCustomizer) and authentication handlers.

🚀Get running

```bash
# Clone the repository
git clone https://gitee.com/pig-mesh/pig.git
cd pig

# Start all services via Docker Compose (requires 4GB+ RAM)
curl -o docker-compose.yaml https://try.pig4cloud.com
docker compose up

# Or build locally with Maven
mvn clean install -DskipTests

# Run auth service
cd pig-auth && mvn spring-boot:run

# Run UPMS service
cd ../pig-upms-biz && mvn spring-boot:run
```

Daily commands:

```bash
# Prerequisites: JDK 17+, Maven 3.8+, PostgreSQL 12+
# Start PostgreSQL and import schemas:
psql -U postgres < db/pig.sql
psql -U postgres < db/pig_config.sql

# From root directory:
mvn clean install

# Start Nacos registry (port 8848):
cd pig-register && mvn spring-boot:run

# Start auth server (port 3000):
cd ../pig-auth && mvn spring-boot:run

# Start UPMS service (port 4000):
cd ../pig-upms-biz && mvn spring-boot:run

# Start Gateway (port 9999):
cd ../pig-gateway && mvn spring-boot:run
```

🗺️Map of the codebase

  • pig-auth/src/main/java/com/pig4cloud/pig/auth/PigAuthApplication.java — OAuth2 authorization server entry point; defines Spring Security configuration and authentication flows for the entire platform
  • pig-auth/src/main/java/com/pig4cloud/pig/auth/config/AuthorizationServerConfiguration.java — Core OAuth2 authorization server setup; configures token endpoints, authentication providers, and security rules
  • pig-common/pig-common-core/src/main/java/com/pig4cloud/pig/common/core/constant/SecurityConstants.java — Defines security-related constants used across all services; shared contract for token validation and permission checks
  • pig-auth/src/main/java/com/pig4cloud/pig/auth/support/core/CustomeOAuth2TokenCustomizer.java — Customizes OAuth2 token claims; injects user permissions and roles into JWT tokens used by downstream services
  • pig-boot/src/main/java/com/pig4cloud/pig/PigBootApplication.java — Bootstrap entry point for the entire Spring Boot 4 application; initializes core framework and auto-configuration
  • pig-common/pig-common-core/src/main/java/com/pig4cloud/pig/common/core/config/RedisTemplateConfiguration.java — Redis cache configuration for distributed session and token management across microservices
  • pig-auth/src/main/resources/application.yml — OAuth2 auth server configuration; defines token TTL, supported grant types, and endpoint properties

🛠️How to make changes

Add a New OAuth2 Authentication Grant Type (e.g., WeChat Login)

  1. Create new token converter class extending OAuth2ResourceOwnerBaseAuthenticationConverter (pig-auth/src/main/java/com/pig4cloud/pig/auth/support/base/OAuth2ResourceOwnerBaseAuthenticationConverter.java)
  2. Create new provider class extending OAuth2ResourceOwnerBaseAuthenticationProvider with vendor-specific logic (pig-auth/src/main/java/com/pig4cloud/pig/auth/support/base/OAuth2ResourceOwnerBaseAuthenticationProvider.java)
  3. Create new token class extending OAuth2ResourceOwnerBaseAuthenticationToken (pig-auth/src/main/java/com/pig4cloud/pig/auth/support/base/OAuth2ResourceOwnerBaseAuthenticationToken.java)
  4. Register converter and provider in AuthorizationServerConfiguration.java (pig-auth/src/main/java/com/pig4cloud/pig/auth/config/AuthorizationServerConfiguration.java)
  5. Add LoginTypeEnum entry for new grant type (pig-common/pig-common-core/src/main/java/com/pig4cloud/pig/common/core/constant/enums/LoginTypeEnum.java)

Add a New Security Filter to Login Pipeline

  1. Create filter class in pig-auth/src/main/java/com/pig4cloud/pig/auth/support/filter/ (pig-auth/src/main/java/com/pig4cloud/pig/auth/support/filter/PasswordDecoderFilter.java)
  2. Add configuration properties to AuthSecurityConfigProperties.java (pig-auth/src/main/java/com/pig4cloud/pig/auth/support/filter/AuthSecurityConfigProperties.java)
  3. Register filter in AuthorizationServerConfiguration.java using HttpSecurity.addFilterBefore() (pig-auth/src/main/java/com/pig4cloud/pig/auth/config/AuthorizationServerConfiguration.java)

Add a New Event Handler for Authentication Lifecycle

  1. Create handler class in pig-auth/src/main/java/com/pig4cloud/pig/auth/support/handler/ (pig-auth/src/main/java/com/pig4cloud/pig/auth/support/handler/PigAuthenticationSuccessEventHandler.java)
  2. Implement ApplicationListener<AuthenticationSuccessEvent> or relevant listener interface (pig-auth/src/main/java/com/pig4cloud/pig/auth/support/handler/PigAuthenticationFailureEventHandler.java)
  3. Register handler as @Component in Spring context (auto-discovered) (pig-auth/src/main/java/com/pig4cloud/pig/auth/PigAuthApplication.java)

Add a New Shared Constant or Configuration across Services

  1. Add constant to appropriate file in pig-common/pig-common-core/src/main/java/com/pig4cloud/pig/common/core/constant/ (pig-common/pig-common-core/src/main/java/com/pig4cloud/pig/common/core/constant/SecurityConstants.java)
  2. If configuration-driven, add properties to pig-auth/src/main/resources/application.yml (pig-auth/src/main/resources/application.yml)
  3. Reference constant in authentication provider or configuration class (pig-auth/src/main/java/com/pig4cloud/pig/auth/config/AuthorizationServerConfiguration.java)

🪤Traps & gotchas

  1. Database init: Both pig.sql and pig_config.sql must be imported; missing either breaks service startup.
  2. Nacos dependency: Auth and UPMS cannot start without Nacos (8848) running — no embedded option visible.
  3. Spring Authorization Server version: Locked to 1.5.2; incompatible with older Spring Boot 2.x templates.
  4. PLpgSQL functions: Schema relies on stored procedures (102K LOC in PLpgSQL); switching to MySQL requires rewriting these.
  5. OAuth2 client registration: Production requires populating the oauth_client_details table; no fixtures provided.
  6. Token expiry: Customize in CustomeOAuth2TokenCustomizer — default values not visible in provided snippets.
  7. Cross-module config: Nacos config management required; application.yml in each module must reference Nacos bootstrap properties.

🏗️Architecture

💡Concepts to learn

  • OAuth2 Resource Owner Password Grant — Pig implements custom password-based OAuth2 flow via OAuth2ResourceOwnerPasswordAuthenticationProvider; understanding this grant type is essential for adding credential-based auth
  • Spring Authorization Server Token Customization — The CustomeOAuth2TokenCustomizer class shows how to inject RBAC claims (roles, permissions) into JWT tokens; core to embedding authorization metadata in Pig
  • Servlet Filter Chain for Pre-authentication — ValidateCodeFilter and PasswordDecoderFilter in pig-auth/support/filter/ show how Pig intercepts requests before Spring Security processes them; needed for custom validation logic
  • Dynamic DataSource Routing — Pig's pig-common-datasource module enables multi-tenant support by routing queries to different DBs; critical for understanding how Pig isolates tenant data
  • Role-Based Access Control (RBAC) with Spring Security — Pig's entire permission model (sys_role, sys_permission, sys_menu) feeds into Spring Security @PreAuthorize and GrantedAuthority; foundational to how Pig enforces access
  • Spring Cloud Service Discovery (Nacos) — Pig uses Nacos for dynamic service registration and configuration; required to understand how services find each other in the microservices topology
  • JWT Token Claims and Scopes — Pig uses JWT for stateless auth; understanding how claims are packed into tokens (via CustomeOAuth2AccessTokenGenerator and CustomeOAuth2TokenCustomizer) is essential for debugging token issues
  • spring-projects/spring-authorization-server — Official Spring Authorization Server; Pig is a production reference implementation of this library
  • spring-cloud-incubator/spring-cloud-alibaba — Provides Nacos discovery and config that Pig depends on for microservices orchestration
  • apache/dubbo — Alternative RPC framework for inter-service communication; Pig uses Feign but Dubbo is common in Chinese enterprise stacks
  • alibaba/Sentinel — Resilience and rate-limiting library; complements Pig's gateway for production API protection
  • pig-mesh/pig-ui — Official Vue 3.5 frontend for Pig; required to see the complete RBAC UI and permission management console

🪄PR ideas

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add comprehensive unit tests for OAuth2 authentication providers

The pig-auth module contains multiple custom OAuth2 authentication providers (PigDaoAuthenticationProvider, OAuth2ResourceOwnerPasswordAuthenticationProvider, OAuth2ResourceOwnerSmsAuthenticationProvider) in pig-auth/src/main/java/com/pig4cloud/pig/auth/support/ but there are no visible test files for these critical security components. This is high-risk code that requires thorough testing for token generation, credential validation, and edge cases.

  • [ ] Create pig-auth/src/test/java/com/pig4cloud/pig/auth/support/core/PigDaoAuthenticationProviderTest.java with tests for authentication flow, password validation, and authority loading
  • [ ] Create pig-auth/src/test/java/com/pig4cloud/pig/auth/support/password/OAuth2ResourceOwnerPasswordAuthenticationProviderTest.java for password grant flow
  • [ ] Create pig-auth/src/test/java/com/pig4cloud/pig/auth/support/sms/OAuth2ResourceOwnerSmsAuthenticationProviderTest.java for SMS grant flow
  • [ ] Add test coverage for CustomeOAuth2TokenCustomizer and CustomeOAuth2AccessTokenGenerator to verify token claims and customizations

Add integration tests for OAuth2 endpoint security and token validation

The pig-auth module exposes critical OAuth2 endpoints (PigTokenEndpoint, ImageCodeEndpoint) but lacks visible integration tests. Testing token generation, refresh token flow, image code validation, and endpoint security is essential for an RBAC system handling authentication centrally across the microservice architecture.

  • [ ] Create pig-auth/src/test/java/com/pig4cloud/pig/auth/endpoint/PigTokenEndpointIntegrationTest.java to test /oauth2/token endpoint with various grant types
  • [ ] Create pig-auth/src/test/java/com/pig4cloud/pig/auth/endpoint/ImageCodeEndpointIntegrationTest.java to test image code generation and validation
  • [ ] Add tests for ValidateCodeFilter and PasswordDecoderFilter in pig-auth/src/test/java/com/pig4cloud/pig/auth/support/filter/
  • [ ] Test the complete login flow including authentication success/failure handlers (FormAuthenticationFailureHandler, PigAuthenticationSuccessEventHandler)

Add GitHub Actions workflow for security scanning and dependency vulnerability checks

While .github/workflows/maven.yml exists, the project lacks dedicated security scanning. Given that this is an OAuth2 authorization server handling sensitive credentials and RBAC permissions across enterprise deployments, adding automated security scanning (OWASP Dependency Check, Snyk, or SonarQube) in the CI pipeline is critical for production use.

  • [ ] Create .github/workflows/security-scan.yml with OWASP Dependency-Check Maven plugin to scan for vulnerable dependencies in all modules (pig-auth, pig-boot, etc.)
  • [ ] Add Snyk security scanning step to detect and report known vulnerabilities in Spring Security, OAuth2, and other dependencies
  • [ ] Configure SonarQube analysis to detect security hotspots in authentication/authorization code and generate coverage reports
  • [ ] Ensure the workflow fails the build on high-severity vulnerabilities to prevent merging insecure code

🌿Good first issues

  • Add integration tests for OAuth2ResourceOwnerPasswordAuthenticationProvider covering all edge cases (invalid credentials, account locked, password expired); currently only class stubs visible without test coverage
  • Document the RBAC permission evaluation model in the wiki: create a runnable example showing how @PreAuthorize annotations map to sys_menu and sys_permission rows in pig_upms_biz
  • Implement missing password reset flow: add endpoint in pig-upms-biz that integrates with PigAuthenticationSuccessEventHandler and FormAuthenticationFailureHandler to trigger email notification; see pig-common-log for logging patterns

📝Recent commits

  • 28ef625 — Merge pull request #1243 from pig-mesh/auto-format-1137 (lltx)
  • fb641ae — Auto-format code with spring-javaformat (lltx)
  • 43dbaba — fix(WebUtils): improve cookie handling and request retrieval methods (lltx)
  • a8a293a — fix(pig-common-feign): wrap HttpServletRequest retrieval in Optional to avoid a potential NPE (lltx)
  • 96fd029 — Merge pull request #1238 from pig-mesh/auto-format-1130 (lltx)
  • 77cf8e8 — Auto-format code with spring-javaformat (lltx)
  • 0e8613c — Merge remote-tracking branch 'origin/dev' into dev (lltx)
  • 82be18c — Merge branch 'master' into dev (lltx)
  • 41b218c — feat(feign): add locale pass-through interceptor (lltx)
  • 3724e09 — Merge pull request #1235 from pig-mesh/copilot/update-springboot-3-5-12-again (lltx)

🔒Security observations

  • Critical · Hardcoded Database Credentials in Docker Compose — docker-compose.yml - pig-mysql service. The docker-compose.yml file contains hardcoded MySQL root password 'root' in plaintext. This exposes database credentials in version control and makes the system vulnerable to unauthorized database access. Fix: Use Docker secrets, environment variable files, or CI/CD secret management. Load credentials from external secret management systems (e.g., HashiCorp Vault, AWS Secrets Manager) instead of hardcoding them.
  • High · Exposed Database Port to External Network — docker-compose.yml - pig-mysql ports configuration. MySQL port 33306 is exposed directly to the host network without network segmentation. Combined with weak credentials, this creates a critical attack surface for unauthorized database access. Fix: Restrict port binding to localhost only (127.0.0.1:33306:3306) or use Docker internal networking. Implement firewall rules to limit access to trusted networks only.
  • High · Exposed Redis Port Without Authentication — docker-compose.yml - pig-redis service. Redis port 36379 is exposed on the host network without any authentication mechanism configured. Redis has no built-in access control by default, making it vulnerable to unauthorized access and data theft. Fix: Configure Redis authentication with requirepass directive. Bind Redis to internal Docker network only. Implement network policies and firewall rules to restrict access.
  • High · Missing OAuth2 Security Configuration Review — pig-auth/src/main/java/com/pig4cloud/pig/auth/support/. The codebase implements OAuth2 with Spring Authorization Server. Custom authentication providers and token generators are present (CustomeOAuth2AccessTokenGenerator, OAuth2ResourceOwnerPasswordAuthenticationProvider) which may introduce security risks if not properly implemented. Fix: Conduct thorough security review of custom OAuth2 implementations. Ensure proper token validation, expiration, and scope enforcement. Use standard Spring Security OAuth2 patterns. Implement rate limiting on token endpoints.
  • High · Potential Insecure Direct Object Reference (IDOR) Risk — pig-auth/src/main/java/com/pig4cloud/pig/auth/endpoint/. RBAC permission management system with OAuth2 implementation may be vulnerable to IDOR attacks if endpoint authorization checks rely solely on token presence without proper object-level access control validation. Fix: Implement object-level authorization checks in all endpoints. Validate that users have explicit permission to access requested resources. Use Spring Security @PreAuthorize annotations with proper SPEL expressions.
  • Medium · Incomplete Dependency Information — pig-auth/pom.xml. The pom.xml file provided is truncated, making it impossible to verify all dependencies for known vulnerabilities. Dependencies like 'pig-upms-api' and others are cut off, preventing full security assessment. Fix: Provide complete pom.xml content. Run 'mvn dependency-check' or use OWASP Dependency-Check plugin to identify vulnerable dependencies. Keep Spring Boot and Spring Cloud versions updated.
  • Medium · Potential SQL Injection in Custom Query Handling — pig-auth/src/main/java/com/pig4cloud/pig/auth/support/core/PigDaoAuthenticationProvider.java. The presence of authentication providers and custom data access patterns (PigDaoAuthenticationProvider) suggests custom SQL query construction which may be vulnerable to SQL injection if not using parameterized queries. Fix: Use parameterized queries and prepared statements exclusively. Employ ORM frameworks (JPA/Hibernate) with proper query building. Implement input validation and sanitization.
  • Medium · Missing CORS and Security Headers Configuration — pig-gateway/, pig-auth/src/main/resources/application.yml. No visible configuration for CORS policies, CSP headers, HSTS, or other security headers in the gateway or auth server configurations. Fix: Configure Spring Security with proper CORS settings. Add security headers via SecurityFilterChain: Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options.
  • Medium · Validation Code Filter Implementation Risk — location, description and fix were not rendered in the generated report (only the title survived).

LLM-derived; treat as a starting point, not a security audit.


Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.
