If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/saysky/ForestBlog shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

AVOID — Looks unmaintained — solo project with stale commits

• Tests present
• ⚠ Stale — last commit 2y ago
• ⚠ Solo or near-solo (1 contributor active in recent commits)
• ⚠ No license — legally unclear to depend on
• ⚠ No CI workflows detected

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live saysky/ForestBlog repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/saysky/ForestBlog.

What it runs against: a local clone of saysky/ForestBlog — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in saysky/ForestBlog | Confirms the artifact applies here, not a fork | | 2 | Default branch master exists | Catches branch renames | | 3 | Last commit ≤ 704 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of saysky/ForestBlog. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/saysky/ForestBlog.git
#   cd ForestBlog
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of saysky/ForestBlog and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "saysky/ForestBlog(\\.git)?\\b" \\
  && ok "origin remote is saysky/ForestBlog" \\
  || miss "origin remote is not saysky/ForestBlog (artifact may be from a fork)"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \\
  && ok "default branch master exists" \\
  || miss "default branch master no longer exists"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 704 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~674d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/saysky/ForestBlog"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

ForestBlog is a full-featured personal blog system built with Spring 4.3 + SpringMVC + MyBatis 3 and JSP, designed as an educational SSM (Spring/SpringMVC/MyBatis) reference implementation. It provides a complete blogging platform with article management, categories, tags, comments, links, notices, and an admin dashboard—all packaged as a single deployable WAR for Tomcat. Monolithic WAR structure: ForestBlog/src/main/java follows package-by-feature (com.liuyanzhao.ssm.blog.*) with separate controller directories for admin (BackArticleController, BackCategoryController, etc.) and home (ArticleController, CategoryController). Entities live in /entity, DTOs in /dto, enums in /enums. Web layer is pure JSP with no frontend framework.

Java students and junior developers learning SSM architecture patterns, and bloggers seeking a simple yet complete blog platform they can self-host and customize. Particularly targeted at Chinese developer community based on README language and author's Bilibili presence.

Stable but aging: project is production-ready for small personal blogs (evidence: working demo at forestblog.liuyanzhao.com), but uses Spring 4.3 (EOL 2019) and MyBatis 3.x (pre-3.5). No visible test suite, no CI/CD pipeline, and no recent commits visible in file list—appears maintained primarily through direct support rather than active development.

Moderate risk for new production use: Spring 4.3 lacks modern security features and dependency injection improvements; no automated tests mean regression risk is high; single-maintainer model (author Liu Yanzhao) with support only via WeChat/QQ; MySQL password stored in plaintext in db.properties; file upload directory requires manual path configuration per deployment.

No active development visible from file structure alone. Author appears to focus on paid services (code debugging, thesis papers, video tutorials, cloud deployment) rather than ongoing feature work. Project maintained as educational resource and portfolio piece.

git clone https://github.com/saysky/ForestBlog.git && cd ForestBlog && mvn clean install && mvn tomcat7:run (ensure Maven is configured with Alibaba mirror and Lombok plugin is installed in IDE). Then import forest_blog.sql into MySQL 'forest_blog' database and update db.properties with your credentials.

Daily commands: After setup: mvn tomcat7:run -DskipTests (or configure Tomcat in IDEA and deploy WAR). Access http://localhost:8080 for frontend (application context must be '/'), http://localhost:8080/admin or /login for admin panel. Ensure uploads directory is mapped in Tomcat Virtual Directory with rootPath in UploadFileController.java.

• ForestBlog/pom.xml: Single source of truth for Spring 4.3, MyBatis, and dependency versions; Maven must succeed before any IDE import.
• ForestBlog/src/main/java/com/liuyanzhao/ssm/blog/controller/admin/: 8 admin controllers (BackArticleController, BackCategoryController, etc.) handle all content management; editing here is the most common change.
• ForestBlog/src/main/java/com/liuyanzhao/ssm/blog/controller/home/: 8 home controllers render public-facing pages; understand these to modify blog frontend behavior.
• ForestBlog/src/main/java/com/liuyanzhao/ssm/blog/entity/: 12 entity classes (Article, Category, Comment, User, etc.) define the entire data model; schema changes start here.
• [ForestBlog/src/main/java/com/liuyanzhao/ssm/blog/dto/ArticleParam.java, JsonResult.java, ResultVO.java](https://github.com/saysky/ForestBlog/blob/master/ForestBlog/src/main/java/com/liuyanzhao/ssm/blog/dto/ArticleParam.java, JsonResult.java, ResultVO.java): Request/response DTOs; used to decouple API contracts from entity models.
• ForestBlog/src/main/resources/db.properties: CRITICAL: Contains MySQL host, port, database, username, password in plaintext—must be edited per environment.
• ForestBlog/src/main/java/com/liuyanzhao/ssm/blog/controller/admin/UploadFileController.java: Handles file uploads; rootPath variable must be manually set to your D:/uploads or E:/uploads directory or uploads will fail silently.

Start in ForestBlog/src/main/java/com/liuyanzhao/ssm/blog/ — controllers are split by feature (admin/ vs home/), so add new pages to home/PageController or admin/BackPageController. For new entities, create in /entity, add mapper XML in src/main/resources/mapper/, add service interface/impl, then controller methods. Database changes go to forest_blog.sql; always regenerate the file after schema modifications.

1. Tomcat application context MUST be '/' not '/ForestBlog' or CSS/JS paths break (listed as #4 in README setup). 2. Lombok plugin required in IDE or all @Data-annotated entities will show 'missing getter/setter' errors (no compilation failure, just red squiggles). 3. uploads directory is EXTERNAL to WAR—must manually configure in Tomcat Virtual Directory mapping AND modify rootPath in UploadFileController.java or file uploads fail. 4. db.properties uses plaintext MySQL credentials with no environment variable support; no override mechanism for CI/CD. 5. MySQL database must be utf-8 / utf-8_general_ci encoding or import fails silently. 6. No database migrations tool (Flyway/Liquibase)—schema changes require manual SQL edits to forest_blog.sql.

• Package-by-feature (feature-driven directory structure) — ForestBlog organizes code as controller/admin, controller/home, entity/, dto/ rather than by layer; understanding this pattern helps navigate the codebase and add new features (e.g., adding a new 'Product' feature means creating ProductController, Product entity, ProductMapper).
• Data Transfer Objects (DTOs) / Value Objects — ArticleParam.java, JsonResult.java, ResultVO.java decouple request/response shapes from ORM entities; critical to understand when modifying API contracts without breaking the database schema.
• MyBatis mapper XML configuration — ForestBlog uses external XML mapping (not Spring Data JPA annotations); understanding MyBatis select/insert/update XML syntax and dynamic SQL is mandatory for querying and modifying database logic.
• Spring Dependency Injection via XML configuration — ForestBlog uses applicationContext.xml Spring bean definitions (no Java-based @Configuration); understanding bean scopes, constructor/setter injection, and ref attributes is essential to modify service layer.
• Virtual Directory mapping in Servlet containers (Tomcat) — ForestBlog separates code artifacts (WAR) from user-uploaded files (external /uploads directory); Tomcat Virtual Directory mapping allows serving uploaded files without embedding them in WAR—critical for production deployments.
• Service layer abstraction (Spring service beans) — ForestBlog follows controller → service → mapper → database pattern; services contain business logic (e.g., findByIdAndStatus) and transaction boundaries; understanding service layer is key to adding new queries or business rules.
• Enum-driven status fields (ArticleStatus, LinkStatus, etc.) — ForestBlog uses Java enums (in /enums/) to constrain entity states (e.g., published/draft), preventing invalid database states; understanding how these enums map to database INT/VARCHAR columns is important for schema and ORM queries.

• halo-dev/halo — Modern Java blog platform (Spring Boot + JPA + Vue.js); successor pattern to ForestBlog addressing REST API and cloud-native needs.
• imlgx/blog-spring-boot — Alternative SSM-style blog in same ecosystem; uses Spring Boot instead of manual XML config, useful for comparing legacy vs modern Spring setup.
• Song-Li/blog — Another Chinese SSM blog reference implementation; similar architecture for comparative learning of controller/service/mapper patterns.
• apache/mybatis-3 — Official MyBatis repository; ForestBlog relies on MyBatis 3.x mapper XML syntax and CRUD patterns, understanding MyBatis source helps debug custom SQL queries.
• spring-projects/spring-framework — Spring 4.3 source repository; essential for understanding dependency injection, AOP, and transaction management used throughout ForestBlog's service layer.

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add unit tests for service layer (ArticleService and related mappers)

The repo has a complete service and mapper layer (ArticleService.java, ArticleMapper.java, etc.) but no visible test directory. For an educational SSM project, adding unit tests with Spring Test and Mockito would demonstrate best practices and help learners understand how to test Spring services with MyBatis mappers. This is critical for a learning resource.

• [ ] Create ForestBlog/src/test/java/com/liuyanzhao/ssm/blog/service directory
• [ ] Create ForestBlog/src/test/java/com/liuyanzhao/ssm/blog/mapper directory
• [ ] Add ArticleServiceTest.java with @RunWith(SpringRunner.class) and @SpringBootTest (or Spring Test config) testing key methods like article CRUD operations
• [ ] Add ArticleMapperTest.java testing mapper query and insert operations with an in-memory H2 database
• [ ] Update pom.xml to include junit, spring-test, mockito, and h2 database dependencies in test scope
• [ ] Add example test configuration file (ForestBlog/src/test/resources/application-test.properties)

Refactor large controller classes into multiple focused controllers with extracted service methods

Controllers like AdminController.java, BackArticleController.java, and ArticleController.java likely contain multiple responsibilities. Modern Spring patterns separate concerns better. Extract business logic from controllers into dedicated service methods, create separate DTOs for request/response binding, and use Spring validation annotations (@Valid, @NotNull, etc.) for input validation across all controllers. This improves testability and maintainability.

• [ ] Analyze AdminController.java and BackArticleController.java to identify mixed concerns (validation, business logic, response formatting)
• [ ] Create dedicated service methods in ArticleService.java and similar service classes for each business operation
• [ ] Add validation annotations to ArticleParam.java and other DTO classes (ForestBlog/src/main/java/com/liuyanzhao/ssm/blog/dto/)
• [ ] Update pom.xml to include spring-boot-starter-validation or javax.validation dependencies
• [ ] Refactor controller methods to delegate to services and use @Valid on request parameters
• [ ] Update JsonResult.java and ResultVO.java to provide consistent error/validation response handling

Add interceptor logging and error handling with proper exception classes

The project has interceptors (AdminInterceptor.java, LoginInterceptor.java, HomeResourceInterceptor.java) and multiple controllers, but likely lacks centralized exception handling and detailed logging. Add a @ControllerAdvice exception handler with custom exception classes (ArticleNotFoundException, UnauthorizedException, etc.) and use SLF4J for logging across interceptors and controllers. This improves debugging and user experience.

• [ ] Create ForestBlog/src/main/java/com/liuyanzhao/ssm/blog/exception directory with custom exception classes (ArticleNotFoundException.java, UnauthorizedException.java, etc.)
• [ ] Create ForestBlog/src/main/java/com/liuyanzhao/ssm/blog/exception/GlobalExceptionHandler.java with @ControllerAdvice and @ExceptionHandler methods
• [ ] Add SLF4J dependency to pom.xml and configure logback-spring.xml in ForestBlog/src/main/resources/
• [ ] Update AdminInterceptor.java, LoginInterceptor.java to use logger.info/logger.debug instead of System.out.println
• [ ] Update controller methods to throw custom exceptions instead of returning error responses directly
• [ ] Map exception responses to JsonResult.java with appropriate HTTP status codes (404, 403, 500, etc.)

• Add unit tests for entity models: Zero test coverage visible in pom.xml or file list; add JUnit 4 + Spring TestContext tests for Article.java, User.java, Comment.java to catch regressions when modifying entities.
• Externalize database configuration from db.properties: Credentials currently hardcoded in plaintext; add environment variable fallback (System.getenv) or application.yml Spring Boot style to support Docker / cloud deployments without exposing secrets.
• Document mapper XML file locations and custom SQL: No reference in file list to src/main/resources/mapper/ XML files; create a MAPPER_GUIDE.md listing each mapper's purpose (ArticleMapper.xml, UserMapper.xml, etc.) to help contributors understand the data layer.

• Critical · Outdated Spring Framework with Known Vulnerabilities — pom.xml - spring.version property (4.3.19.RELEASE). The project uses Spring 4.3.19.RELEASE which was released in 2019 and contains multiple known CVEs including CVE-2022-22965 (Spring4Shell), CVE-2022-22947, and others. Spring 4.x reached end of life and should be upgraded to Spring 5.x or 6.x. Fix: Upgrade to Spring 5.3.x (LTS) or Spring 6.x. Update all Spring dependencies accordingly and test thoroughly for compatibility.
• Critical · Vulnerable Jackson Databind Version — pom.xml - jackson-databind-version (2.10.1). jackson-databind 2.10.1 has multiple known CVEs including deserialization gadget chain vulnerabilities (CVE-2020-14622, CVE-2020-14626, CVE-2020-35490). This can lead to remote code execution. Fix: Upgrade to jackson-databind 2.15.2+ which includes security patches. Ensure compatibility with the Spring version being used.
• High · SQL Injection Risk in Mapper Layer — ForestBlog/src/main/java/com/liuyanzhao/ssm/blog/mapper/ - All mapper files. MyBatis mappers are present but without visible parameterized query enforcement. Raw SQL queries in mapper XML files could be vulnerable to SQL injection if user input is concatenated instead of properly parameterized. Fix: Verify all MyBatis SQL queries use parameterized queries (#{} syntax in XML, not ${}). Use prepared statements exclusively. Implement input validation at controller/service layer.
• High · Potential Cross-Site Scripting (XSS) Vulnerability — ForestBlog/src/main/java/com/liuyanzhao/ssm/blog/controller/home/ - All view-rendering controllers. JSP files are used for rendering but there's no indication of output encoding. User-generated content from articles, comments, and pages could be rendered unescaped, leading to XSS attacks. Fix: Implement output encoding using JSTL <c:out> tag or Spring's escapeXmlAttribute. Use Content Security Policy (CSP) headers. Sanitize HTML input from comments and articles.
• High · Missing CSRF Protection — ForestBlog/src/main/java/com/liuyanzhao/ssm/blog/controller/admin/ - All admin controllers. No visible CSRF token implementation in the codebase (no Spring Security configuration detected). Admin endpoints are vulnerable to Cross-Site Request Forgery attacks. Fix: Implement Spring Security with CSRF token generation and validation. Add CSRF tokens to all forms and AJAX requests in JSP templates.
• High · Obsolete Lombok Version — pom.xml - lombok version (1.16.22). lombok 1.16.22 (released 2017) contains potential security issues and lacks modern features. Current version is 1.18.x+. Fix: Upgrade to lombok 1.18.30+ to receive security updates and bug fixes.
• High · Missing Authentication/Authorization Framework — ForestBlog/src/main/java/com/liuyanzhao/ssm/blog/interceptor/. The codebase appears to use custom interceptors (AdminInterceptor, LoginInterceptor) instead of Spring Security. Custom security implementations are prone to bypass and authorization flaws. Fix: Implement Spring Security framework for robust authentication and authorization. Migrate from custom interceptors to Spring Security filters and method-level security annotations.
• High · File Upload Vulnerability — ForestBlog/src/main/java/com/liuyanzhao/ssm/blog/controller/admin/UploadFileController.java. UploadFileController exists but without visible file type validation, size limits, or storage path verification. This could lead to arbitrary file upload and execution. Fix: Implement strict file type whitelist validation, enforce file size limits, store uploads outside webroot, disable script execution in upload directory, use random

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.