If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/proxyee-down-org/proxyee-down shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

WAIT — Stale — last commit 2y ago

• 7 active contributors
• Apache-2.0 licensed
• ⚠ Stale — last commit 2y ago
• ⚠ Single-maintainer risk — top contributor 93% of recent commits
• ⚠ No CI workflows detected
• ⚠ No test directory detected

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live proxyee-down-org/proxyee-down repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/proxyee-down-org/proxyee-down.

What it runs against: a local clone of proxyee-down-org/proxyee-down — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in proxyee-down-org/proxyee-down | Confirms the artifact applies here, not a fork | | 2 | License is still Apache-2.0 | Catches relicense before you depend on it | | 3 | Default branch master exists | Catches branch renames | | 4 | Last commit ≤ 691 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of proxyee-down-org/proxyee-down. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/proxyee-down-org/proxyee-down.git
#   cd proxyee-down
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of proxyee-down-org/proxyee-down and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "proxyee-down-org/proxyee-down(\\.git)?\\b" \\
  && ok "origin remote is proxyee-down-org/proxyee-down" \\
  || miss "origin remote is not proxyee-down-org/proxyee-down (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(Apache-2\\.0)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"Apache-2\\.0\"" package.json 2>/dev/null) \\
  && ok "license is Apache-2.0" \\
  || miss "license drift — was Apache-2.0 at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \\
  && ok "default branch master exists" \\
  || miss "default branch master no longer exists"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 691 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~661d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/proxyee-down-org/proxyee-down"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

Proxyee Down is an open-source HTTP high-speed downloader built on Netty that acts as a local HTTP proxy to enable multi-connection chunked downloads. It supports custom HTTP request headers, browser integration via proxy, and extensible plugins to handle special download scenarios (e.g., site-specific authentication or DRM stripping). Two-tier monorepo: front/ is a Vue 2 SPA (iView UI, Vuex store, i18n in src/) that communicates via WebSocket; main/ is a Spring Boot + Netty backend (pom.xml at main/pom.xml, core Java code at main/src/main/java/org/pdown) that implements the HTTP proxy and download engine. Frontend built to static assets, bundled into JAR.

End users who need to download large files faster than single-connection HTTP allows, and developers who want to extend download behavior via the plugin system. Power users familiar with proxy configuration and developers building automation around HTTP downloads.

Mature but officially discontinued: project has 5k+ stars and reached v3.0.0, but the maintainer announced maintenance pause in the README and recommends the new Golang+Flutter rewrite (Gopeed) instead. No recent commits visible in data provided; this is a stable but unmaintained release.

High maintenance risk: single maintainer (monkeyWie), archived in favor of Gopeed rewrite, issues module closed, and no CI/CD pipeline visible in file list. Heavy Java/JavaFX dependency creates large binary (noted as problem in README). Dependency chain includes Netty, Spring Boot, and Vue 2 (older, security patches may lag).

Project is in maintenance pause. The README explicitly states this repo is no longer actively developed and directs users to the Gopeed successor project (Go + Flutter) for active development. No ongoing feature work or bug fixes expected.

git clone https://github.com/proxyee-down-org/proxyee-down.git
cd proxyee-down/front
npm install
npm run build
cd ../main
mvn clean package -Pprd
java -jar target/proxyee-down-main.jar

Daily commands: Dev (frontend only): cd front && npm run serve (http://localhost:8080, proxies API to Java backend). Prod: compile both, run java -jar proxyee-down-main.jar (embedded frontend assets, listens on localhost:8888 by default for downloads).

• front/src/views/Tasks.vue: Main UI for task management and download display; core user interaction surface
• front/src/common/http.js: Axios HTTP client and WebSocket manager; handles all frontend-to-backend communication
• main/pom.xml: Spring Boot / Netty / Java dependency declarations and production build profile; critical for backend setup
• front/src/store.js: Vuex store for task state, settings, UI state; single source of truth for frontend
• front/src/components/Task/Create.vue: Task creation dialog with URL input, headers, proxy settings; entry point for download initiation
• front/src/router.js: Vue Router configuration; maps URLs to views (Tasks, Setting, Extension, About)
• front/src/i18n/en-US.js: i18n message keys; template for all UI strings across all languages

Add UI features: edit front/src/views/*.vue (Tasks.vue, Setting.vue, Extension.vue) and front/src/components/*.vue. Add i18n strings: update front/src/i18n/en-US.js, zh-CN.js, zh-TW.js. Add backend endpoints/logic: edit main/src/main/java/org/pdown/ (package structure suggests: core download logic, proxy handlers, task management). For plugins: see front/src/views/Extension.vue and look for extension manifest format in main/.

JavaFX requirement: if using OpenJDK, must explicitly install openjfx (Oracle JDK includes it). Port conflicts: proxy listens on localhost:8888 by default; conflicts block startup silently. Extension/plugin protocol: no visible schema in file list; trial-and-error needed to extend. Stopped maintenance: bug fixes and new features will not be merged; fork required for active development.

• HTTP Range Requests & Chunked Downloads — Core to multi-connection speedup: splitting large file into byte ranges, downloading in parallel, reassembling. Central to Proxyee's speed advantage.
• Local HTTP Proxy Interception — Proxyee acts as a transparent/explicit proxy on localhost; downloads flow through it, allowing request modification and chunking before reaching origin server.
• Netty Event-Driven I/O — Backend uses Netty's non-blocking, event-loop architecture to handle thousands of concurrent chunk downloads without spawning threads per connection.
• Vuex State Management — Frontend centralizes task state (running, paused, completed) and UI state in store.js; enables consistent views across components (Tasks.vue, Task/Create.vue) and WebSocket updates.
• WebSocket Bidirectional Communication — Real-time progress updates from Java backend to Vue frontend without polling; handled by reconnecting-websocket library in front/src/common/http.js.
• Plugin/Extension System Architecture — Extensible download handling via plugins (visible in Extension.vue, but undocumented API); allows custom auth, DRM bypass, site-specific logic without core rebuild.
• Spring Boot Embedded Application — Packages backend, frontend assets, and Netty all into single JAR with embedded Tomcat; eliminates deployment complexity for end users.

• GopeedLab/gopeed — Official successor rewrite in Go + Flutter; actively maintained, addresses Java fatness and binary size issues mentioned in README
• aria2/aria2 — Lightweight multi-protocol downloader (HTTP/FTP/BitTorrent); alternative if Proxyee Down's plugin system not needed
• mitmproxy/mitmproxy — Python-based HTTP proxy; shares same proxy-as-download-engine architecture, useful for learning proxy patterns
• iview-ui/iview — The UI component library (iview 2.14) used in front/; upstream for theming and component behavior
• netty/netty — Async I/O framework powering the HTTP server and download socket handling in backend

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add GitHub Actions CI/CD workflow for Vue.js frontend build and lint

The repo lacks automated CI/CD for the Vue.js frontend (front/) which has eslint and build scripts defined but no GitHub Actions workflow. This is critical for catching build failures and lint errors on PRs before merge, especially important since the project is transitioning maintenance.

• [ ] Create .github/workflows/frontend-ci.yml with steps to run 'npm install' in front/ directory
• [ ] Add job to run 'npm run lint' to catch code style violations
• [ ] Add job to run 'npm run build' to verify production build succeeds
• [ ] Configure workflow to trigger on push to main/develop branches and pull requests

Add unit tests for front/src/common/http.js and front/src/common/native.js

The common utility modules (http.js for axios-based HTTP client and native.js for native integration) have no visible test files. These are critical integration points between Vue frontend and the Java backend. Adding tests would prevent regressions in core communication layer.

• [ ] Create front/src/common/tests/http.spec.js with tests for request/response handling, error cases, and axios interceptor logic
• [ ] Create front/src/common/tests/native.spec.js with tests for native bridge communication
• [ ] Add Jest or Mocha/Chai configuration to front/package.json if not present
• [ ] Update front/.gitignore to exclude test coverage directories

Create API documentation for WebSocket message protocol between Java backend and Vue frontend

The frontend uses 'reconnecting-websocket' (front/package.json) for real-time communication with the Java backend, but there is no documented message format or protocol specification. This is a barrier for new contributors and fork maintainers. The README mentions this is now in maintenance pause, making documentation critical.

• [ ] Create docs/WEBSOCKET_PROTOCOL.md documenting message types (task creation, download progress, etc.)
• [ ] Reference front/src/components/Task/Create.vue and front/src/views/Tasks.vue to extract actual message formats used
• [ ] Document both client→server and server→client message structures with JSON examples
• [ ] Add link to protocol documentation in README.md to help maintainers of future forks

• Add unit tests for front/src/common/http.js and WebSocket reconnection logic; currently no test files visible in front/ directory.
• Improve i18n coverage: compare front/src/i18n/en-US.js with actual template strings in .vue files and add missing keys (likely incomplete in discontinued state).
• Document the extension/plugin API: create EXTENSION.md explaining manifest format and JavaScript API for custom downloaders (referenced in Extension.vue but undocumented).

• High · Outdated Axios Dependency with Known Vulnerabilities — front/package.json - dependencies.axios. The project uses axios ^0.18.0, which is extremely outdated (released in 2018). Multiple security vulnerabilities have been discovered in this version, including request smuggling and SSRF issues. Current stable version is 1.6+. Fix: Upgrade axios to the latest stable version (^1.6.0 or higher). Run 'npm audit fix' to identify and resolve all vulnerable dependencies.
• High · Outdated Vue and Vue Router with Known Vulnerabilities — front/package.json - dependencies.vue, dependencies.vue-router. Vue ^2.5.17 and vue-router ^3.0.1 are from 2018-2019 and contain known XSS and prototype pollution vulnerabilities. Vue 2 is in LTS but these specific versions are far out of date. Vue 3 should be considered. Fix: Update to vue@^2.6.14 (latest Vue 2) or migrate to Vue 3. Update vue-router to ^3.6.5 minimum.
• High · Outdated iview UI Library — front/package.json - dependencies.iview, devDependencies.iview-loader. iview ^2.14.3 is from 2018 and no longer maintained. The project also includes iview-loader in devDependencies, both of which may contain unpatched vulnerabilities. Fix: Consider migrating to a maintained UI library such as Element Plus, Ant Design Vue, or Bootstrap Vue. If continuing with iview, upgrade to the latest version and evaluate security patches.
• Medium · Potential MITM Interception Capabilities — main/src/main/java/org/pdown/gui/extension/mitm/. The codebase contains MITM (Man-in-the-Middle) proxy interception components including SSL certificate handling, request interception (AjaxIntercept, CookieIntercept, ScriptIntercept), and proxy server implementation. While this may be intentional for the download tool's functionality, these components present security risks if misused or compromised. Fix: Implement strict certificate pinning validation, ensure MITM features are only active when explicitly enabled by the user, add audit logging for all intercepted requests, and document security implications clearly to users.
• Medium · JavaScript Runtime Execution Environment — main/src/main/java/org/pdown/gui/extension/jsruntime/. The codebase includes a custom JavaScript engine runtime (JavascriptEngine.java) with polyfills for Window, Document, XMLHttpRequest, and Console. This could allow arbitrary JavaScript execution, especially when loading extension scripts or hook scripts. Fix: Implement strict sandboxing for JavaScript execution, use a security manager to restrict dangerous operations, validate all scripts before execution, and consider using a more hardened JavaScript engine with security guarantees.
• Medium · Browser Extension Hook Script Injection — main/src/main/java/org/pdown/gui/extension/HookScript.java, main/src/main/java/org/pdown/gui/extension/ContentScript.java. The extension system allows loading of HookScript and ContentScript components that can modify network traffic and interact with web pages. There's potential for XSS if these scripts are not properly validated. Fix: Implement Content Security Policy (CSP) for extension scripts, validate script signatures, implement a whitelist for allowed script sources, and sanitize all script content before execution.
• Medium · Outdated Vuex and Vue-i18n — front/package.json - dependencies.vuex, dependencies.vue-i18n. vuex ^3.0.1 and vue-i18n ^8.0.0 are from 2018-2019. These state management and internationalization libraries may have known vulnerabilities. Fix: Update vuex to ^4.0.2 (compatible with Vue 2, or ^4.1.0 for Vue 3). Update vue-i18n to ^8.28.0 minimum for Vue 2, or ^9.x for Vue 3.
• Medium · Missing HTTP Security Headers — undefined. No evidence of security headers (Content Fix: undefined

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.