
shuzheng/zheng

A distributed agile development system architecture based on Spring + SpringMVC + MyBatis, providing a full set of shared microservice modules: centralized permission management (single sign-on), content management, payment center, user management (with third-party login support), WeChat platform, storage system, configuration center, log analysis, tasks and notifications, and more, with support for service governance, monitoring and tracing, aiming to give small and medium-sized enterprises a comprehensive J2EE enterprise-grade development solution.

Overall verdict: Mixed (stale, last commit 3y ago)

Weakest axis: Use as dependency: Mixed

Last commit was 3y ago; top contributor handles 94% of recent commits.

Fork & modify: Healthy

Has a license, tests, and CI; a clean foundation to fork and modify.

Learn from: Healthy

Documented and popular; a useful reference codebase to read through.

Deploy as-is: Healthy

No critical CVEs, sane security posture; runnable as-is.

  • 4 active contributors
  • MIT licensed
  • CI configured
  • Tests present
  • Stale — last commit 3y ago
  • Small team — 4 contributors active in recent commits
  • Single-maintainer risk — top contributor 94% of recent commits
What would change the summary?
  • Use as dependency: Mixed → Healthy if: 1 commit in the last 365 days

Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests

Informational only. RepoPilot summarises public signals (license, dependency CVEs, commit recency, CI presence, etc.) at the time of analysis. Signals can be incomplete or stale. Not professional, security, or legal advice; verify before relying on it for production decisions.


Onboarding doc

Onboarding: shuzheng/zheng

Generated by RepoPilot · 2026-05-09

🤖Agent protocol

If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

  1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
  2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
  3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/shuzheng/zheng shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

🎯Verdict

WAIT — Stale — last commit 3y ago

  • 4 active contributors
  • MIT licensed
  • CI configured
  • Tests present
  • ⚠ Stale — last commit 3y ago
  • ⚠ Small team — 4 contributors active in recent commits
  • ⚠ Single-maintainer risk — top contributor 94% of recent commits

<sub>Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests</sub>

Verify before trusting

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live shuzheng/zheng repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/shuzheng/zheng.

What it runs against: a local clone of shuzheng/zheng — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters |
|---|---|---|
| 1 | You're in shuzheng/zheng | Confirms the artifact applies here, not a fork |
| 2 | License is still MIT | Catches relicense before you depend on it |
| 3 | Default branch master exists | Catches branch renames |
| 4 | Last commit ≤ 1269 days ago | Catches sudden abandonment since generation |

<details> <summary><b>Run all checks</b> — paste this script from inside your clone of <code>shuzheng/zheng</code></summary>
```bash
#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of shuzheng/zheng. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/shuzheng/zheng.git
#   cd zheng
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of shuzheng/zheng and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "shuzheng/zheng(\.git)?\b" \
  && ok "origin remote is shuzheng/zheng" \
  || miss "origin remote is not shuzheng/zheng (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(MIT)" LICENSE 2>/dev/null \
   || grep -qiE "\"license\"\s*:\s*\"MIT\"" package.json 2>/dev/null) \
  && ok "license is MIT" \
  || miss "license drift — was MIT at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \
  && ok "default branch master exists" \
  || miss "default branch master no longer exists"

# 4. Repo recency (threshold matches the table above)
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 1269 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~1239d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/shuzheng/zheng"
  exit 1
fi
```

Each check prints `ok:` or `FAIL:`. The script exits non-zero if anything failed, so it composes cleanly into agent loops (`./verify.sh || regenerate-and-retry`).

</details>

TL;DR

A software project. See architecture tab.

👥Who it's for

Developers.

🌱Maturity & risk

See activity metrics.

Standard open source risks apply.

Active areas of work

Check recent commits.

🚀Get running

Check README for instructions.

🗺️Map of the codebase

Explore the code to find key files.

🛠️How to make changes

Fork and submit a PR.

🪤Traps & gotchas

Standard debugging applies.

🪄PR ideas

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add unit tests for zheng-upms (User Permission Management System) module

The zheng-upms module is critical for single sign-on and centralized permission management, but there are no visible test files in the repository structure. This is a core microservice that needs robust test coverage for authentication, role-based access control, and permission validation. Adding unit tests would improve reliability and make the codebase safer for contributors to modify.

  • [ ] Create src/test/java directory structure under zheng-upms/
  • [ ] Add unit tests for authentication service (login, logout, token validation)
  • [ ] Add unit tests for role and permission service (RBAC validation)
  • [ ] Add integration tests for single sign-on flow
  • [ ] Configure test database (H2 or in-memory) in zheng-upms/pom.xml and application-test.properties

Upgrade Maven compiler and dependencies from Java 1.7 to Java 8+ with corresponding library updates

The pom.xml specifies Java 1.7 as source/target, which is obsolete (released 2011, EOL 2015). This blocks usage of modern Spring Boot versions, security patches, and features like lambdas. Given the project targets enterprise development, upgrading to Java 8+ (with 11 or 17 as LTS targets) would significantly improve security, performance, and maintainability. This requires updating all 12 modules and testing the distributed system.

  • [ ] Update root pom.xml: change maven.compiler.source/target to 1.8 (or 11/17)
  • [ ] Add Java version property to enforce consistency across all 12 modules (zheng-admin, zheng-common, zheng-upms, zheng-cms, zheng-pay, zheng-ucenter, zheng-wechat, zheng-shop, zheng-api, zheng-message, zheng-oss, zheng-demo)
  • [ ] Update Spring Framework, Spring Boot, and MyBatis dependency versions in pom.xml to versions supporting Java 8+
  • [ ] Test all microservices locally and update .travis.yml to run builds against Java 8+
  • [ ] Update README.md with new Java version requirement

Add GitHub Actions CI/CD workflow to replace Travis CI and add automated database migration testing

The project uses .travis.yml (dated, slower, enterprise-focused) and contains multiple SQL migration files (update_20170328_1_to_20170405_1.sql, zheng.sql, etc.) in project-datamodel/ with no automated testing. A modern GitHub Actions workflow would automatically test database migrations, build all 12 modules, run integration tests against the data model, and provide faster feedback to contributors.

  • [ ] Create .github/workflows/maven-build.yml to build all modules on push/PR
  • [ ] Add database migration testing step using Docker Compose to spin up MySQL and run zheng.sql and all migration scripts
  • [ ] Add automated test execution for zheng-upms, zheng-cms, zheng-pay modules (once tests are added)
  • [ ] Configure workflow to fail if migrations don't apply cleanly or if data model schema tests fail
  • [ ] Update README.md to reference new GitHub Actions badge instead of Travis CI

🌿Good first issues

Check the issue tracker.


📝Recent commits

  • 7005c0a — Upgrade commons-fileupload (shuzheng)
  • 5c52d4b — Upgrade jackson (shuzheng)
  • bdd4cdf — Update README.md (shuzheng)
  • 07ab3c7 — Update README.md (shuzheng)
  • 0735c4d — Update README.md (shuzheng)
  • b0d1c1c — Update zhengAdmin (add tab close button) (shuzheng)
  • e551cd9 — Real-time notification system (shuzheng)
  • a8e1bab — Add zheng-message technology selection (shuzheng)
  • 2371580 — Merge branch 'master' of https://github.com/shuzheng/zheng (shuzheng)
  • b8dc235 — Compatibility with the latest SocketIO.js version (shuzheng)

🔒Security observations

  • Critical · Outdated Java Compiler Version — pom.xml - maven.compiler properties. The project is configured to compile with Java 1.7 (released 2011), which is severely outdated and contains numerous known security vulnerabilities. Java 1.7 reached end-of-life in July 2019 and no longer receives security updates. Fix: Update to Java 11 LTS or Java 17 LTS minimum. Modify maven.compiler.source, maven.compiler.target, and maven.compiler.compilerVersion to at least 11.
  • High · Dependency Version Management Missing — pom.xml. The pom.xml does not specify a <dependencyManagement> section and appears to lack explicit version pinning for dependencies. This can lead to inconsistent and potentially vulnerable transitive dependency versions across modules. Fix: Implement a dependencyManagement section with explicit versions for all dependencies, especially Spring, MyBatis, and security-related libraries. Use a Bill of Materials (BOM) for Spring projects.
  • High · No Evidence of Security Dependency Updates — pom.xml and project structure. Based on the file structure, this appears to be a legacy project (last updates visible in 2017). No evidence of dependency scanning, security plugin configuration, or automated vulnerability checks is present. Fix: Add security scanning plugins: maven-dependency-check-plugin, OWASP Dependency-Check, or similar. Implement automated dependency updates using Dependabot or similar tools.
  • High · Potential Hardcoded Configuration Exposure — project-tools/nginx/servers/, project-tools/ngrok/, project-datamodel/. Multiple configuration files in project-tools (nginx.conf, ngrok.cfg) and database schemas in project-datamodel suggest potential hardcoded credentials, connection strings, or API keys in configuration files. Fix: Move all credentials, API keys, and sensitive configuration to environment variables or secure vaults (HashiCorp Vault, AWS Secrets Manager). Never commit sensitive data to version control.
  • High · Missing HTTPS Configuration — project-tools/nginx/servers/. nginx.conf and server configuration files are visible but no HTTPS/TLS configuration or certificate management is evident. API endpoints may be exposed over insecure HTTP. Fix: Configure HTTPS with modern TLS 1.2+ enforced. Implement HSTS headers, certificate pinning, and automated certificate renewal (Let's Encrypt).
  • Medium · Distributed System Security Architecture Unclear — Architecture design - multiple modules (zheng-api, zheng-upms, zheng-cms, etc.). The architecture description mentions 'distributed system' with Spring+SpringMVC+MyBatis, but no evidence of inter-service authentication, authorization, or encrypted communication between services is visible. Fix: Implement service-to-service authentication using mutual TLS (mTLS), OAuth2 tokens, or API keys. Document security boundaries between services.
  • Medium · Third-Party Login Integration Risks — zheng-ucenter, zheng-wechat modules. The project supports third-party login (WeChat, etc.) but no OAuth2/OIDC framework configuration is visible, raising concerns about improper token handling, redirect URL validation, or state parameter validation. Fix: Implement proper OAuth2/OIDC frameworks with strict redirect URL validation, PKCE for mobile clients, secure token storage, and state parameter validation.
  • Medium · SQL Injection Risk - MyBatis Usage — Database modules (zheng-cms, zheng-upms, zheng-ucenter, zheng-pay). The project uses MyBatis extensively (zheng-cms, zheng-upms, zheng-ucenter). While MyBatis provides parameterized queries, the visibility of raw SQL files and schema files suggests potential for manual SQL concatenation or unsafe dynamic SQL. Fix: Ensure all MyBatis mappings use parameterized queries exclusively. Conduct code review for any raw SQL usage. Implement ORM-level query validation.
  • Medium · No Evidence of Input Validation Framework — undefined. Multiple frontend assets (zheng-admin/src/js) suggest client-side code, but no Fix: undefined

LLM-derived; treat as a starting point, not a security audit.


Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.
