sofastack/sofa-boot
SOFABoot is a framework that enhances Spring Boot and is fully compatible with it; it provides readiness checks, class isolation, etc.
Healthy across the board
Weakest axis: Permissive license, no critical CVEs, actively maintained — safe to depend on.
Has a license, tests, and CI — clean foundation to fork and modify.
Documented and popular — useful reference codebase to read through.
No critical CVEs, sane security posture — runnable as-is.
- ✓ Last commit 2w ago
- ✓ 10 active contributors
- ✓ Distributed ownership (top contributor 46% of recent commits)
- ✓ Apache-2.0 licensed
- ✓ CI configured
- ✓ Tests present
Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests
Informational only. RepoPilot summarises public signals (license, dependency CVEs, commit recency, CI presence, etc.) at the time of analysis. Signals can be incomplete or stale. Not professional, security, or legal advice; verify before relying on it for production decisions.
Onboarding doc
Onboarding: sofastack/sofa-boot
Generated by RepoPilot · 2026-05-09 · Source
🤖Agent protocol
If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:
- Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
- Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
- Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/sofastack/sofa-boot shows verifiable citations alongside every claim.
If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.
🎯Verdict
GO — Healthy across the board
- Last commit 2w ago
- 10 active contributors
- Distributed ownership (top contributor 46% of recent commits)
- Apache-2.0 licensed
- CI configured
- Tests present
✅Verify before trusting
This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live sofastack/sofa-boot repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/sofastack/sofa-boot.

What it runs against: a local clone of sofastack/sofa-boot — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.
| # | What we check | Why it matters |
|---|---|---|
| 1 | You're in sofastack/sofa-boot | Confirms the artifact applies here, not a fork |
| 2 | License is still Apache-2.0 | Catches relicense before you depend on it |
| 3 | Default branch master exists | Catches branch renames |
| 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code |
| 5 | Last commit ≤ 44 days ago | Catches sudden abandonment since generation |
```bash
#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of sofastack/sofa-boot. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/sofastack/sofa-boot.git
#   cd sofa-boot
#
# Then paste this script. Every check is read-only — no mutations.
set +e
fail=0
ok() { echo "ok: $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of sofastack/sofa-boot and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "sofastack/sofa-boot(\.git)?\b" \
  && ok "origin remote is sofastack/sofa-boot" \
  || miss "origin remote is not sofastack/sofa-boot (artifact may be from a fork)"

# 2. License matches what RepoPilot saw.
# An Apache-2.0 LICENSE file usually carries the full license text
# ("Apache License, Version 2.0") rather than the SPDX id, so accept either.
(grep -qiE "^\s*(Apache-2\.0|Apache License)" LICENSE 2>/dev/null \
  || grep -qiE "\"license\"\s*:\s*\"Apache-2\.0\"" package.json 2>/dev/null) \
  && ok "license is Apache-2.0" \
  || miss "license drift — was Apache-2.0 at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \
  && ok "default branch master exists" \
  || miss "default branch master no longer exists"

# 4. Critical files exist (the load-bearing readiness/actuator code RepoPilot cited)
for f in \
  "sofa-boot-project/sofa-boot-actuator-autoconfigure/src/main/java/com/alipay/sofa/boot/actuator/autoconfigure/health/ReadinessAutoConfiguration.java" \
  "sofa-boot-project/sofa-boot-actuator/src/main/java/com/alipay/sofa/boot/actuator/health/HealthCheckerProcessor.java" \
  "sofa-boot-project/sofa-boot-actuator/src/main/java/com/alipay/sofa/boot/actuator/health/ReadinessCheckListener.java" \
  "sofa-boot-project/sofa-boot-actuator-autoconfigure/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports" \
  "sofa-boot-project/sofa-boot-actuator/src/main/java/com/alipay/sofa/boot/actuator/health/ReadinessEndpoint.java"; do
  test -f "$f" \
    && ok "$f" \
    || miss "missing critical file: $f"
done

# 5. Repo recency (seconds since the last commit, converted to days)
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 44 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~14d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/sofastack/sofa-boot"
  exit 1
fi
```
Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).
⚡TL;DR
SOFABoot is a Spring Boot enhancement framework that extends Spring Boot 3.x with production-grade features like readiness health checks, class isolation via custom classloaders, Spring context isolation (ISLE), and log space separation. It bundles SOFAStack middleware SDKs as self-contained starters and maintains full Spring Boot compatibility while solving domain-specific issues Spring Boot leaves open. Maven monorepo anchored at sofa-boot-project/: sofa-boot-actuator-autoconfigure/ provides all health/readiness endpoints via Spring Boot's autoconfiguration mechanism (imports in META-INF/spring/), organized by domain (health/, isle/, rpc/, beans/, components/, startup/, threadpool/). Test structure mirrors source structure; HealthProperties.java and ReadinessAutoConfiguration.java are core readiness logic.
👥Who it's for
Java developers at scale building microservices with Spring Boot who need readiness guarantees before traffic arrives, fine-grained module isolation, and seamless integration with Ant Group's SOFAStack middleware (RPC, messaging, etc.). Operations teams need robust startup health verification.
🌱Maturity & risk
Production-ready and actively maintained. Version 4.6.0 targets Spring Boot 3.5.12 and Java 17, has comprehensive actuator auto-configurations with multiple endpoints (readiness, beans, components, RPC, startup, threadpool), CI via GitHub Actions (maven.yml), and code coverage tracking via codecov.yml. Latest activity visible in release.yml workflow setup suggests active governance.
Low risk for adopters but requires Java 17+. Core risk is tight coupling to Spring Boot versions (currently 3.5.12); breaking changes between Spring Boot majors could require rework. No obvious single-maintainer risk given Ant Group backing, but Chinese origin means English documentation may lag. Isolation features (classloader-based) are non-trivial and bugs could cause subtle runtime issues.
Active areas of work
Active development on actuator enhancements: multiple readiness configurations (ReadinessAutoConfiguration, ReadinessIsleAutoConfiguration, ReadinessRuntimeAutoConfiguration) and endpoint auto-configurations indicate ongoing expansion of observability. GitHub Actions workflows (cloud_code_scan.yml, release.yml) show CI/CD maturity and security scanning. Version bumped to 4.6.0 recently.
🚀Get running
```bash
git clone https://github.com/sofastack/sofa-boot.git && cd sofa-boot && mvn clean install -DskipTests
```

View demo projects at https://github.com/sofastack-guides/sofa-boot-guides/tree/4.x for runnable examples (sofaboot-sample, sofaboot-sample-with-isolation, sofaboot-sample-with-rpc).
Daily commands: mvn clean install builds the entire project. No embedded app server detected in file list; this is a library/starter, not a runnable application. Use demo repos above to see spring-boot-maven-plugin usage. Tests run via mvn test.
🗺️Map of the codebase
- sofa-boot-project/sofa-boot-actuator-autoconfigure/src/main/java/com/alipay/sofa/boot/actuator/autoconfigure/health/ReadinessAutoConfiguration.java — Core readiness check auto-configuration that orchestrates health checks during Spring Boot startup — foundational to SOFABoot's primary enhancement feature.
- sofa-boot-project/sofa-boot-actuator/src/main/java/com/alipay/sofa/boot/actuator/health/HealthCheckerProcessor.java — Processes and executes health checker components; critical for understanding how readiness checks are invoked and managed throughout the application lifecycle.
- sofa-boot-project/sofa-boot-actuator/src/main/java/com/alipay/sofa/boot/actuator/health/ReadinessCheckListener.java — Spring event listener that triggers readiness checks during application startup; essential entry point for the readiness check flow.
- sofa-boot-project/sofa-boot-actuator-autoconfigure/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports — Spring Boot 2.7+ auto-configuration registry that enables all SOFABoot actuator features; must be reviewed when adding new autoconfiguration.
- sofa-boot-project/sofa-boot-actuator/src/main/java/com/alipay/sofa/boot/actuator/health/ReadinessEndpoint.java — HTTP actuator endpoint exposing readiness status; critical for understanding how applications expose health/readiness to load balancers and orchestration platforms.
- pom.xml — Root Maven POM defining build configuration, dependency management, and module structure across the SOFABoot project.
🛠️How to make changes
Add a Custom Health Checker
- Create a class implementing the HealthChecker interface (sofa-boot-project/sofa-boot-actuator/src/main/java/com/alipay/sofa/boot/actuator/health/HealthChecker.java)
- Register it as a Spring @Bean or @Component in your configuration (sofa-boot-project/sofa-boot-actuator-autoconfigure/src/main/java/com/alipay/sofa/boot/actuator/autoconfigure/health/ReadinessAutoConfiguration.java)
- Optionally add it to the health checker processor configuration for ordering (sofa-boot-project/sofa-boot-actuator/src/main/java/com/alipay/sofa/boot/actuator/health/HealthCheckerConfig.java)
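An added example (not sofa-boot's own code) of the three steps above: a HealthChecker that probes one downstream dependency with a bounded timeout and reports only generic detail strings, so a slow or failing dependency can neither stall startup indefinitely nor leak internals through the readiness endpoint. The method set (isHealthy, getComponentName, getRetryCount, getRetryTimeInterval, isStrictCheck), the package com.example.readiness and the probe supplier are assumptions; confirm the interface against HealthChecker.java above before compiling.

```java
package com.example.readiness; // hypothetical package, not part of sofa-boot

import java.time.Duration;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import java.util.function.BooleanSupplier;

import org.springframework.boot.actuate.health.Health;

import com.alipay.sofa.boot.actuator.health.HealthChecker;

/**
 * Readiness checker for a downstream dependency (a cache, a registry, ...).
 * Assumed interface methods are marked @Override; verify against HealthChecker.java.
 * Register it from a configuration class, e.g.
 *   @Bean HealthChecker downstreamChecker(MyClient c) {
 *       return new DownstreamReadinessChecker(c::ping);   // hypothetical client
 *   }
 */
public class DownstreamReadinessChecker implements HealthChecker {

    /** Upper bound for a single probe; keeps startup and the endpoint responsive. */
    private static final Duration PROBE_TIMEOUT = Duration.ofSeconds(2);

    /** Hypothetical cheap ping of the dependency; true means reachable. */
    private final BooleanSupplier probe;

    public DownstreamReadinessChecker(BooleanSupplier probe) {
        this.probe = probe;
    }

    @Override
    public Health isHealthy() {
        // Run the probe off-thread so it can be abandoned when the budget is spent.
        CompletableFuture<Boolean> result = CompletableFuture.supplyAsync(probe::getAsBoolean);
        try {
            boolean up = result.get(PROBE_TIMEOUT.toMillis(), TimeUnit.MILLISECONDS);
            return up ? Health.up().build()
                      : Health.down().withDetail("reason", "probe returned false").build();
        } catch (TimeoutException e) {
            result.cancel(true);
            // Detail text may be served on /actuator/readiness: keep it generic.
            return Health.down().withDetail("reason", "probe timed out").build();
        } catch (ExecutionException e) {
            // Never copy e.getCause().getMessage() into the detail; it can carry
            // hostnames, credentials or stack fragments. Log it server-side instead.
            return Health.down().withDetail("reason", "probe failed").build();
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return Health.down().withDetail("reason", "probe interrupted").build();
        }
    }

    /** Name shown per component in the readiness report. */
    @Override
    public String getComponentName() { return "downstreamDependency"; }

    /** Retry a few times before declaring the application not ready. */
    @Override
    public int getRetryCount() { return 3; }

    /** Milliseconds between retries. */
    @Override
    public long getRetryTimeInterval() { return 1000L; }

    /** Strict: a failing check blocks readiness instead of only being reported. */
    @Override
    public boolean isStrictCheck() { return true; }
}
```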
Add a New Actuator Endpoint
- Create an endpoint class extending Spring Boot's AbstractEndpoint (sofa-boot-project/sofa-boot-actuator/src/main/java/com/alipay/sofa/boot/actuator/health/ReadinessEndpoint.java)
- Create an auto-configuration class to register the endpoint conditionally (sofa-boot-project/sofa-boot-actuator-autoconfigure/src/main/java/com/alipay/sofa/boot/actuator/autoconfigure/health/ReadinessEndpointAutoConfiguration.java)
- Add the auto-configuration class to the Spring auto-configuration imports registry (sofa-boot-project/sofa-boot-actuator-autoconfigure/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports)
Implement a Readiness Callback Handler
- Create a class implementing the ReadinessCheckCallback interface (sofa-boot-project/sofa-boot-actuator/src/main/java/com/alipay/sofa/boot/actuator/health/ReadinessCheckCallback.java)
- Register it as a Spring @Bean so ReadinessCheckCallbackProcessor discovers it (sofa-boot-project/sofa-boot-actuator/src/main/java/com/alipay/sofa/boot/actuator/health/ReadinessCheckCallbackProcessor.java)
- The callback will be invoked when the readiness check completes via the listener (sofa-boot-project/sofa-boot-actuator/src/main/java/com/alipay/sofa/boot/actuator/health/ReadinessCheckListener.java)
Add a New Health Check Configuration Property
- Define properties in a @ConfigurationProperties class (sofa-boot-project/sofa-boot-actuator-autoconfigure/src/main/java/com/alipay/sofa/boot/actuator/autoconfigure/health/HealthProperties.java)
- Reference the properties in the auto-configuration class (sofa-boot-project/sofa-boot-actuator-autoconfigure/src/main/java/com/alipay/sofa/boot/actuator/autoconfigure/health/ReadinessAutoConfiguration.java)
🪤Traps & gotchas
Java 17 minimum enforced (spring.boot.version=3.5.12 implies this); building with Java 11 will fail. Spring Boot 3.x requires Jakarta EE (javax.* → jakarta.*), not javax.servlet; custom filters/interceptors must use jakarta imports. ISLE and classloader-based isolation are non-standard and can interact unexpectedly with reflection, bytecode libraries (CGLIB, ByteBuddy), and classloader hierarchies—test thoroughly in the target deployment. Readiness checks are async; the order of HealthIndicator beans matters (ReadinessAutoConfiguration may wait on multiple indicators). No obvious environment variable requirements, but the sofa.boot.version property in the POM is critical for consistency across modules.
🏗️Architecture
💡Concepts to learn
- Readiness vs. Liveness Health Checks — SOFABoot solves the readiness gap that Spring Boot leaves open; liveness tells if app is alive, readiness tells if it can handle traffic—critical for zero-downtime deployments and Kubernetes probes
- Spring Boot Auto-Configuration (@EnableAutoConfiguration, spring.factories, AutoConfiguration.imports) — SOFABoot's entire extension mechanism relies on Spring Boot's auto-configuration contract; understanding how beans are conditionally registered is essential for debugging and extending
- Classloader-based Class Isolation / Module Isolation — SOFABoot's distinguishing feature over vanilla Spring Boot; custom classloaders prevent dependency conflicts in large microservices; requires understanding Java classloader hierarchies and OSGI-like module systems
- Spring Context Isolation (ISLE) — ISLE (inferred from IsleEndpointAutoConfiguration.java) creates separate Spring ApplicationContexts for different modules; allows finer isolation than traditional Spring Boot monoliths and reduces bean collision risk
- Actuator Endpoints (Spring Boot Actuator pattern) — SOFABoot exposes readiness, ISLE, RPC, startup timing, and threadpool metrics as REST endpoints via /actuator/*; understanding endpoint registration and @Endpoint annotation is core to adding observability
- Maven Multi-Module Projects with Property Inheritance — SOFABoot uses revision property and parent POM pattern to manage versions across sofa-boot-actuator-autoconfigure and other modules; critical for consistent, reproducible builds in large projects
- Health Indicators (Spring Boot HealthIndicator interface) — ReadinessAutoConfiguration registers multiple HealthIndicator beans that contribute to /actuator/health/readiness; understanding the HealthIndicator contract (health(), getHealth()) is essential for adding custom readiness logic
🔗Related repos
- spring-projects/spring-boot — Parent framework and dependency; SOFABoot extends and maintains compatibility with this
- sofastack/sofa-rpc — Companion middleware SDK packaged as a SOFABoot starter; provides RPC functionality exposed via RpcActuatorAutoConfiguration
- sofastack-guides/sofa-boot-guides — Official demo/example projects (sofaboot-sample, sofaboot-sample-with-isolation, sofaboot-sample-with-rpc); reference implementations for learning
- spring-projects/spring-boot-actuator — Spring Boot's built-in actuator library; SOFABoot's autoconfigure module extends this with additional health indicators and readiness endpoints
- alipay/SOFAStack — Parent organization; SOFABoot is the Spring Boot integration layer for the SOFAStack ecosystem (RPC, messaging, tracing)
🪄PR ideas
To work on one of these in Claude Code or Cursor, paste:
Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.
Add comprehensive integration tests for ReadinessEndpointAutoConfiguration
The sofa-boot-actuator-autoconfigure module has ReadinessEndpointAutoConfigurationTests.java, but examining the file structure shows multiple readiness-related configurations (ReadinessAutoConfiguration, ReadinessIsleAutoConfiguration, ReadinessRuntimeAutoConfiguration, ManualReadinessCallbackEndpointAutoConfiguration) that likely lack corresponding integration tests. These test classes would verify that readiness checks work correctly across different isolation contexts and startup phases, which is critical for SOFABoot's core feature of application readiness management.
- [ ] Create ReadinessIsleAutoConfigurationTests.java to test readiness checks with ISLE (class isolation)
- [ ] Create ReadinessRuntimeAutoConfigurationTests.java to test runtime readiness configurations
- [ ] Add integration tests in sofa-boot-actuator-autoconfigure/src/test/java/com/alipay/sofa/boot/actuator/autoconfigure/health/ that verify cross-module readiness checks work together
- [ ] Verify test coverage includes edge cases like readiness callback failures and timeout scenarios
Add missing test coverage for ThreadPoolEndpointAutoConfiguration actuator endpoint
ThreadPoolEndpointAutoConfigurationTests.java exists but SOFABoot manages thread pools as part of its component lifecycle. The endpoint should expose thread pool metrics and configuration, but there are no visible tests verifying the actual endpoint response formats, metrics accuracy, or serialization under different thread pool states. This is important for operational visibility.
- [ ] Add tests to verify ThreadPoolEndpoint returns accurate metrics (active threads, queue sizes, rejection counts)
- [ ] Add tests for endpoint serialization and JSON response format validation
- [ ] Add tests for thread pool state transitions and metric accuracy during high load scenarios
- [ ] Verify endpoint works correctly with both built-in and custom thread pools in sofa-boot-project
Add GitHub Actions workflow for dependency version compatibility scanning
The repo has cloud_code_scan.yml, maven.yml, and release.yml workflows, but lacks automated testing against multiple Spring Boot/Java versions within the 3.5.x family and potential LTS upgrades. Given that SOFABoot enhances Spring Boot and must maintain compatibility, a workflow to test against minor version variations and early detection of breaking changes would prevent regressions.
- [ ] Create .github/workflows/compatibility-matrix.yml that runs tests against Spring Boot 3.5.x versions (3.5.0, 3.5.6, 3.5.12) and upcoming patch versions
- [ ] Include matrix testing for Java 17, 21, and 23 (since java.version is 17 in pom.xml)
- [ ] Configure the workflow to run on schedule (weekly) and on pull requests to sofa-boot-project/pom.xml
- [ ] Report results back to PRs using GitHub check annotations to prevent accidental dependency incompatibilities
🌿Good first issues
- Add missing test coverage for ReadinessRuntimeAutoConfiguration.java (exists in src/main but no matching test file visible in src/test); write a test that verifies runtime readiness indicators are registered and callable
- Expand ManualReadinessCallbackEndpointAutoConfiguration.java documentation: add JavaDoc explaining the manual readiness callback pattern, when to use it vs. automatic health indicators, with a code example
- Create an integration test in sofa-boot-actuator-autoconfigure/src/test that starts a full Spring Boot app with ISLE enabled and verifies the IsleEndpoint returns correct context isolation metadata (exercise the full stack end-to-end)
⭐Top contributors
Click to expand
Top contributors
- @CrazyHZM — 46 commits
- @HzjNeverStop — 43 commits
- @wangchengming666 — 3 commits
- @EvenLjj — 2 commits
- @sunhailin-Leo — 1 commit
📝Recent commits
Click to expand
Recent commits
- 696b17a — chore: upgrade Spring Boot from 3.5.6 to 3.5.12 (#1412) (sunhailin-Leo)
- 459b02f — Release 4.6.0 (#1395) (CrazyHZM)
- 074bea3 — Release 4.6.0 (#1394) (CrazyHZM)
- 4d66216 — Support JDK25 (#1390) (CrazyHZM)
- f952b7d — 4.6.0-SNAPSHOT (#1392) (CrazyHZM)
- f4326d7 — Replenish module name (#1388) (CrazyHZM)
- 470b441 — Add project name (#1387) (CrazyHZM)
- b265c59 — Change action for maven username and password (#1386) (CrazyHZM)
- 0b91483 — Change action for maven username and password (#1385) (CrazyHZM)
- 1eb9624 — Change to central url (#1384) (CrazyHZM)
🔒Security observations
The SOFABoot codebase demonstrates a reasonable security posture with proper licensing, security reporting policy, and structured project organization. However, several areas require attention: (1) Dependency management should include automated vulnerability scanning; (2) Actuator endpoints expose internal details and need access control; (3) Maven plugin versions should be modernized; (4) The pom.xml appears incomplete or truncated, preventing full assessment. The project benefits from Spring Boot's security foundations but should implement additional input validation in health check components and apply least-privilege principles to actuator endpoints. The presence of a SECURITY.md file is commendable and shows security awareness.
- Medium · Spring Boot 3.5.12 with Known Vulnerabilities — pom.xml (parent version: spring-boot-starter-parent:3.5.12). The project uses Spring Boot 3.5.12 as the parent version. While this is a relatively recent version, Spring Boot dependencies may contain known CVEs. No explicit vulnerability scanning or dependency lock file is visible in the provided structure. Fix: Regularly run dependency vulnerability scans using tools like OWASP Dependency-Check, Snyk, or Maven's dependency:analyze goals. Keep Spring Boot updated to the latest patch version. Add a BOM (Bill of Materials) lock file if not present.
- Medium · Incomplete Maven Security Plugin Configuration — pom.xml (maven.gpg.plugin property appears incomplete). The pom.xml snippet appears truncated and shows incomplete Maven plugin versions. GPG plugin version (1.6) is outdated. This may indicate incomplete security signing configuration and potential supply chain risks. Fix: Complete the pom.xml configuration. Update Maven GPG plugin to version 1.7.0 or later. Add explicit checksum verification for dependencies. Implement Maven Central signature verification.
- Low · Potential Information Disclosure via Actuator Endpoints — sofa-boot-project/sofa-boot-actuator-autoconfigure/src/main/java/com/alipay/sofa/boot/actuator/autoconfigure/. Multiple actuator endpoints are configured (beans, components, health, readiness, startup, threadpool, rpc, isle) which expose internal application details. Without proper access control, these could leak sensitive information about the application structure and configuration. Fix: Implement role-based access control (RBAC) on all actuator endpoints. Use Spring Security to restrict access to actuator endpoints. Set 'management.endpoints.web.exposure.include' to the minimal required endpoints. Configure 'management.endpoint.health.show-details=WHEN_AUTHORIZED'.
- Low · Missing Input Validation in Health Check Components — sofa-boot-project/sofa-boot-actuator/src/main/java/com/alipay/sofa/boot/actuator/health/HealthChecker.java, HealthCheckerProcessor.java. HealthChecker and HealthCheckerProcessor classes may accept external input for health checking. Without visible input validation, these could be vectors for DoS or injection attacks. Fix: Add comprehensive input validation for all health check parameters. Implement rate limiting on health check endpoints. Add timeout mechanisms to prevent long-running health checks from causing resource exhaustion.
- Low · Weak Maven Plugin Version Management — pom.xml (maven.staging.plugin:1.7.0). Maven staging plugin version (1.7.0) is from 2015. Older plugin versions may have unpatched security issues or compatibility problems. Fix: Update the Maven staging plugin to the latest stable version. Implement a Maven plugin version lock file or use the Maven Enforcer plugin to enforce minimum versions.
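An added configuration example (not from the sofa-boot project) for the actuator information-disclosure finding above: a dedicated Spring Security filter chain that leaves only the probe endpoints anonymous and gates every other /actuator/* endpoint (beans, components, startup, threadpool, rpc, isle) behind a role, with the weak and hardened property settings side by side in the class comment. The package name, the role name and the endpoint id readiness are assumptions; the Spring Security calls are standard Spring Boot 3.x / Spring Security 6 API.

```java
package com.example.security; // hypothetical package, not part of sofa-boot

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Restricts the actuator surface. Pair it with application.properties:
 *
 *   # weak: every endpoint reachable, health details served to anyone
 *   management.endpoints.web.exposure.include=*
 *   management.endpoint.health.show-details=always
 *
 *   # hardened: expose only what probes and operators need
 *   management.endpoints.web.exposure.include=health,readiness
 *   management.endpoint.health.show-details=when_authorized
 *
 * Assumption: SOFABoot registers its readiness endpoint under the id "readiness"
 * (consistent with the /actuator/health/readiness wording in this document).
 */
@Configuration
public class ActuatorSecurityConfig {

    /** Ordered first so it wins over the application's own filter chain. */
    @Bean
    @Order(1)
    public SecurityFilterChain actuatorFilterChain(HttpSecurity http) throws Exception {
        http
            // This chain handles only actuator paths; app routes keep their own chain.
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                // Kubernetes / load-balancer probes must reach these without credentials.
                .requestMatchers(EndpointRequest.to("health", "readiness")).permitAll()
                // Everything else reveals bean graphs, thread pools, RPC and ISLE
                // internals: operators with an explicit role only.
                .anyRequest().hasRole("ACTUATOR_ADMIN"))   // hypothetical role name
            // Basic auth is enough for an internal management port; prefer mTLS or
            // an SSO-backed mechanism where the port is reachable beyond the cluster.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

With show-details=when_authorized, the anonymous health probe still gets the bare UP/DOWN status while per-component detail strings are only served to authenticated callers.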
LLM-derived; treat as a starting point, not a security audit.
👉Where to read next
- Open issues — current backlog
- Recent PRs — what's actively shipping
- Source on GitHub
Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.