If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/tonikelope/megabasterd shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

WAIT — Single-maintainer risk — review before adopting

• Last commit 3w ago
• 3 active contributors
• GPL-3.0 licensed
• Tests present
• ⚠ Small team — 3 contributors active in recent commits
• ⚠ Single-maintainer risk — top contributor 98% of recent commits
• ⚠ GPL-3.0 is copyleft — check downstream compatibility
• ⚠ No CI workflows detected

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live tonikelope/megabasterd repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/tonikelope/megabasterd.

What it runs against: a local clone of tonikelope/megabasterd — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in tonikelope/megabasterd | Confirms the artifact applies here, not a fork | | 2 | License is still GPL-3.0 | Catches relicense before you depend on it | | 3 | Default branch master exists | Catches branch renames | | 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code | | 5 | Last commit ≤ 49 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of tonikelope/megabasterd. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/tonikelope/megabasterd.git
#   cd megabasterd
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of tonikelope/megabasterd and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "tonikelope/megabasterd(\\.git)?\\b" \\
  && ok "origin remote is tonikelope/megabasterd" \\
  || miss "origin remote is not tonikelope/megabasterd (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(GPL-3\\.0)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"GPL-3\\.0\"" package.json 2>/dev/null) \\
  && ok "license is GPL-3.0" \\
  || miss "license drift — was GPL-3.0 at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \\
  && ok "default branch master exists" \\
  || miss "default branch master no longer exists"

# 4. Critical files exist
test -f "src/main/java/com/tonikelope/megabasterd/MegaAPI.java" \\
  && ok "src/main/java/com/tonikelope/megabasterd/MegaAPI.java" \\
  || miss "missing critical file: src/main/java/com/tonikelope/megabasterd/MegaAPI.java"
test -f "src/main/java/com/tonikelope/megabasterd/MainPanelView.java" \\
  && ok "src/main/java/com/tonikelope/megabasterd/MainPanelView.java" \\
  || miss "missing critical file: src/main/java/com/tonikelope/megabasterd/MainPanelView.java"
test -f "src/main/java/com/tonikelope/megabasterd/DownloadManager.java" \\
  && ok "src/main/java/com/tonikelope/megabasterd/DownloadManager.java" \\
  || miss "missing critical file: src/main/java/com/tonikelope/megabasterd/DownloadManager.java"
test -f "src/main/java/com/tonikelope/megabasterd/UploadManager.java" \\
  && ok "src/main/java/com/tonikelope/megabasterd/UploadManager.java" \\
  || miss "missing critical file: src/main/java/com/tonikelope/megabasterd/UploadManager.java"
test -f "src/main/java/com/tonikelope/megabasterd/CryptTools.java" \\
  && ok "src/main/java/com/tonikelope/megabasterd/CryptTools.java" \\
  || miss "missing critical file: src/main/java/com/tonikelope/megabasterd/CryptTools.java"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 49 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~19d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/tonikelope/megabasterd"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

MegaBasterd is a cross-platform Java-based desktop client for MEGA (mega.io) that enables downloading, uploading, and streaming files directly from MEGA accounts with multi-threaded chunk parallelization. It bypasses MEGA's official client limitations by directly interacting with MEGA's API, supporting batch operations, 2FA authentication, and folder links while maintaining encryption/decryption locally. Monolithic single-package structure under src/main/java/com/tonikelope/megabasterd/ with ~50+ inter-dependent classes. Core layers: API clients (MegaAPI.java, MegaCrypterAPI.java), download/upload engines (Download.java, ChunkDownloader.java, ChunkUploader.java), UI (MainPanelView.java using Swing forms), database layer (DBTools.java with SQLite via sqlite-jdbc), and utility/crypto (CryptTools.java, MiscTools.java). No clear separation of concerns—business logic tightly coupled to UI.

Power users and developers who need to bulk download/upload files to MEGA accounts without rate-limiting constraints, users in regions with restricted MEGA client availability, and developers needing a programmatic headless interface to MEGA's undocumented API endpoints.

Active but aging codebase (v8.23 released, appears maintained based on README note for Java 11+ requirement). The single-maintainer (@tonikelope) nature and large monolithic Java structure suggest stability over rapid innovation. No visible test suite in file structure indicates acceptable-but-not-enterprise-grade quality. Appears production-usable but community-driven rather than enterprise-backed.

Single maintainer with no visible CI/CD pipeline or test coverage presents maintenance risk. Dependencies on outdated or custom repositories (olivier-ayache-xuggler Cloudsmith mirror, xuggler video codec library) may face supply-chain vulnerabilities. The project directly reverse-engineers MEGA's closed API, risking breakage if MEGA changes endpoints; this is explicitly noted as violating MEGA's ToS. Large monolithic codebase (~1.3MB Java) with minimal documentation makes onboarding difficult.

Cannot determine from file listing alone—no git log, PR list, or issue tracker snapshot provided. README references issue #397 (translation requests) and #385 (troubleshooting thread), suggesting active user engagement but no visibility into current sprint focus.

Clone and build with Maven: git clone https://github.com/tonikelope/megabasterd.git && cd megabasterd && mvn clean package. Run the compiled JAR (requires Java 11+): java -jar target/MegaBasterd-8.23.jar. No external service dependencies visible, but may require internet for MEGA API access.

Daily commands: mvn compile exec:java -Dexec.mainClass='com.tonikelope.megabasterd.MainPanelView' (if main class exists, not explicitly confirmed) OR build JAR and execute: mvn clean package && java -jar target/MegaBasterd-8.23.jar. GUI is Swing-based and will open a desktop window on successful execution.

• src/main/java/com/tonikelope/megabasterd/MegaAPI.java — Core MEGA API wrapper handling authentication, file operations, and crypto—every feature depends on this foundation.
• src/main/java/com/tonikelope/megabasterd/MainPanelView.java — Primary UI entry point and orchestrator connecting downloads, uploads, streaming, and user interactions.
• src/main/java/com/tonikelope/megabasterd/DownloadManager.java — Manages concurrent download queue, chunk coordination, and parallel transfer strategy—critical for performance.
• src/main/java/com/tonikelope/megabasterd/UploadManager.java — Orchestrates upload queue, chunk distribution, and MAC generation—parallel to DownloadManager in architecture.
• src/main/java/com/tonikelope/megabasterd/CryptTools.java — Encryption/decryption utilities for MEGA protocol—security-critical for file confidentiality.
• src/main/java/com/tonikelope/megabasterd/TransferenceManager.java — Abstract base managing throttling, concurrency, and state for both Download and Upload operations.
• pom.xml — Maven configuration defining Java 11+ requirement, Xuggler dependency, and build lifecycle—reproducibility linchpin.

Add a new download feature (e.g., pause/resume filters)

1. Extend Download.java with new state enum (e.g., FILTERED) and state-check methods (src/main/java/com/tonikelope/megabasterd/Download.java)
2. Update DownloadManager.java to filter transfers in processQueue() based on new state (src/main/java/com/tonikelope/megabasterd/DownloadManager.java)
3. Add UI checkbox or button in DownloadView.java to toggle the state for selected rows (src/main/java/com/tonikelope/megabasterd/DownloadView.java)

Add a new proxy routing strategy

1. Create a new strategy method in SmartMegaProxyManager.java (e.g., selectProxyByLatency()) (src/main/java/com/tonikelope/megabasterd/SmartMegaProxyManager.java)
2. Modify MegaProxyServer.java handle() to consult the new strategy for endpoint selection (src/main/java/com/tonikelope/megabasterd/MegaProxyServer.java)
3. Add config option in SettingsDialog.java to allow users to select routing mode (src/main/java/com/tonikelope/megabasterd/SettingsDialog.java)

Add support for a new file format in streaming

1. Define MIME type and codec metadata in ContentType.java or new enum (src/main/java/com/tonikelope/megabasterd/ContentType.java)
2. Extend KissVideoStreamServer.java to handle HTTP Range requests and transcode/stream the format (src/main/java/com/tonikelope/megabasterd/KissVideoStreamServer.java)
3. Update StreamerDialog.java to offer codec selection and preview the new format (src/main/java/com/tonikelope/megabasterd/StreamerDialog.java)

Implement a new security feature (e.g., master password encryption)

1. Add PBKDF2 + AES-256 helpers to CryptTools.java for password-based key derivation (src/main/java/com/tonikelope/megabasterd/CryptTools.java)
2. Create UI dialogs (SetMasterPasswordDialog.java, GetMasterPasswordDialog.java) for enrollment and prompt (src/main/java/com/tonikelope/megabasterd/SetMasterPasswordDialog.java)
3. Modify SqliteSingleton.java to encrypt/decrypt stored credentials using the master key on load/save (src/main/java/com/tonikelope/megabasterd/SqliteSingleton.java)

No Maven profiles for different OS-specific resources visible—cross-platform JAR may bundle unnecessary dependencies. Swing .form files require NetBeans IDE to edit GUI layouts properly; manual XML editing is error-prone. SQLite database path likely hardcoded in DBTools.java (common pattern); misconfiguration breaks all stored sessions. CryptTools.java uses JDK crypto which may require JDK policy files on older Java versions or in restricted jurisdictions. No environment variables or external config files evident—all settings baked into code or database. MEGA API is undocumented and reverse-engineered; no guarantee of API stability or warning if MEGA changes endpoints.

• Chunked parallel download with resumption — Core differentiator of MegaBasterd over official client—ChunkDownloader.java splits files into ranges and downloads in parallel, then reassembles. Understanding chunk boundaries, byte-range requests, and atomic writes is essential for modifying download speed/reliability.
• AES encryption with local key derivation — MEGA uses client-side AES encryption where keys are derived from user password + server salt. CryptTools.java must correctly implement key stretching and IV handling; any bug leaks data or prevents decryption.
• Observer pattern for clipboard monitoring — ClipboardChangeObservable/Observer enables auto-detection of MEGA links pasted by user. Common UI pattern in MegaBasterd for non-blocking link ingestion.
• Reverse-engineered API endpoint discovery — MegaAPI.java interacts with undocumented MEGA endpoints (no official SDK for Java desktop). Requires careful HTTP request/response inspection and manual parsing of binary/JSON responses. Fragile by nature.
• Thread pool executor with bounded queues — BoundedExecutor.java limits concurrent chunk operations to avoid overwhelming network/disk and MEGA rate limits. Understanding backpressure and queue saturation is critical for tuning performance.
• SQLite as embedded session store — DBTools.java persists download state, credentials, and session tokens in local SQLite to enable resumption across app restarts. Database schema versioning and migration handling matter as features evolve.
• Swing GUI forms and NetBeans form editor — UI components are defined in .form XML files (e.g., MainPanelView.form) that NetBeans IDE generates into Java code. Modifying layout requires IDE; raw XML editing is error-prone. Understanding this workflow is essential for UI contributions.

• meganz/sdk — Official MEGA SDK (C++) that MegaBasterd reverse-engineers; reference for understanding MEGA's actual crypto and API contract
• lordmulder/MegaDownloader — Alternative C#/.NET MEGA downloader using similar reverse-engineering approach; useful for comparing API interaction patterns across languages
• Chocobozzz/PeerTube — Unrelated but example of large cross-platform Java/TypeScript monorepo using similar chunked upload/download patterns for video streaming
• tonikelope/megacrypter — Sister project by same author (MegaCrypterAPI.java in this repo references it); provides encrypted link handling on top of MEGA
• filebot/filebot — Similar cross-platform Java desktop automation tool; demonstrates comparable Swing GUI + multi-threaded worker patterns and Maven packaging for multiple OS targets

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add unit tests for CryptTools.java encryption/decryption functions

CryptTools.java handles critical MEGA API encryption operations but has no visible test coverage. This is high-risk code that affects data security. Adding unit tests would catch regressions in cryptographic operations, verify edge cases (empty data, large files, various key sizes), and improve maintainability when dependencies like Jackson are updated.

• [ ] Create src/test/java/com/tonikelope/megabasterd/CryptToolsTest.java
• [ ] Add test cases for encrypt/decrypt methods with known test vectors
• [ ] Add tests for key generation and IV handling
• [ ] Verify tests pass against CryptTools.java implementation
• [ ] Add test dependency for JUnit 4/5 to pom.xml if not present

Add GitHub Actions CI workflow to verify builds and run tests on PRs

The repo lacks automated CI/CD validation. Contributors cannot verify their changes work across platforms before submitting PRs. A Maven-based workflow would catch compilation errors, dependency conflicts (especially the custom Xuggler repository), and Java 11+ compatibility issues early. This is critical since the project requires Java 11+ and has a custom repository for xuggler.

• [ ] Create .github/workflows/maven-build.yml with Java 11+ matrix testing
• [ ] Configure workflow to run 'mvn clean package' on push/PR to main branches
• [ ] Add step to validate pom.xml dependencies resolve correctly from the Cloudsmith repository
• [ ] Test against multiple Java versions (11, 17, 21) to catch compatibility issues
• [ ] Add workflow badge to README.md

Extract and document MegaAPI.java and MegaCrypterAPI.java integration patterns into a developer guide

The codebase has two major API client classes (MegaAPI.java and MegaCrypterAPI.java) with corresponding exception classes and complex state management, but no documented integration patterns or authentication flow. New contributors struggle to understand how to add API features or handle edge cases. A specific guide document would reduce PR review cycles and improve code quality.

• [ ] Create docs/API_INTEGRATION_GUIDE.md documenting MegaAPI.java authentication flow and method patterns
• [ ] Document the relationship between MegaAPI.java, MegaCrypterAPI.java, and their exception classes
• [ ] Add code examples for common operations (login, file download request, error handling)
• [ ] Document the role of CryptTools.java in API request/response handling
• [ ] Include error handling patterns from MegaAPIException.java and MegaCrypterAPIException.java

• Add unit tests for CryptTools.java: Create JUnit test suite for encryption/decryption methods in src/test/java/com/tonikelope/megabasterd/CryptToolsTest.java covering AES operations, key derivation, and edge cases (empty files, large files). No test coverage visible for crypto is a major gap.
• Extract API responses to typed POJOs: Currently MegaAPI.java likely parses JSON with generic Jackson ObjectNode. Create typed classes (e.g., MegaFileNode.java, MegaUserInfo.java) in src/main/java/com/tonikelope/megabasterd/model/ and refactor API methods to use deserialization to these types—improves type safety and IDE autocomplete.
• Add configuration file support: Create MegaBasterd.properties or YAML config file loader in a new ConfigManager.java to replace hardcoded values (thread pool size, chunk size, timeout values). Currently these are scattered and unmaintainable. Add simple INI-style parser or load from ~/.megabasterd/config.properties.

• High · Potential SQL Injection in DBTools.java — src/main/java/com/tonikelope/megabasterd/DBTools.java. The file structure indicates a DBTools.java class that likely handles database operations. Combined with sqlite-jdbc dependency usage, there is a high risk of SQL injection vulnerabilities if queries are constructed using string concatenation rather than parameterized statements. Fix: Use PreparedStatement with parameterized queries exclusively. Never concatenate user input directly into SQL queries. Implement input validation and sanitization.
• High · Outdated Jackson Dependencies — pom.xml - jackson-core:2.15.3, jackson-annotations:2.15.3. Jackson Core and Jackson Annotations are pinned to version 2.15.3. While not critically outdated, Jackson has had multiple security vulnerabilities in earlier versions. The incomplete POM file suggests other Jackson modules may be missing version specifications. Fix: Update to the latest stable Jackson version (2.17.x or higher). Ensure all Jackson modules use consistent versions to prevent deserialization vulnerabilities.
• High · Potential Insecure Deserialization — src/main/java/com/tonikelope/megabasterd/MegaAPI.java. The presence of MegaAPI.java, which handles MEGA API communication, combined with Jackson dependencies suggests JSON deserialization. Without proper type constraints, this could lead to gadget chain attacks during deserialization of untrusted data from the MEGA API. Fix: Use JsonTypeInfo with restrictive type includes (@JsonTypeInfo with use=Id.CLASS should be avoided). Implement custom deserializers with strict type whitelisting. Consider using activateDefaultTyping only with explicit type information.
• Medium · Clipboard Spy Functionality - Information Disclosure Risk — src/main/java/com/tonikelope/megabasterd/ClipboardSpy.java, ClipboardChangeObservable.java, ClipboardChangeObserver.java. ClipboardSpy.java monitors clipboard changes, which could expose sensitive data like authentication tokens, encryption keys, or download links. No evidence of data sanitization or secure handling is visible. Fix: Implement clipboard data encryption at rest. Add user consent dialogs before accessing clipboard. Sanitize clipboard content before logging or processing. Consider implementing clipboard data retention limits.
• Medium · Cryptographic Key Management in CryptTools.java — src/main/java/com/tonikelope/megabasterd/CryptTools.java. The CryptTools.java file likely handles encryption/decryption operations for MEGA protocol. Without visibility into the implementation, there's a risk of weak key derivation, hardcoded keys, or improper IV/nonce usage. Fix: Use industry-standard key derivation functions (PBKDF2, Argon2, scrypt). Never hardcode encryption keys. Use secure random IV/nonce generation. Validate cipher algorithm strength (minimum AES-256).
• Medium · Potential Man-in-the-Middle (MITM) Risk — src/main/java/com/tonikelope/megabasterd/MegaProxyServer.java, SmartMegaProxyManager.java. MegaProxyServer.java and SmartMegaProxyManager.java suggest proxy functionality. Without visible certificate pinning or strict SSL/TLS validation, HTTPS connections to MEGA API could be vulnerable to MITM attacks. Fix: Implement certificate pinning for MEGA API endpoints. Use HttpsURLConnection with custom SSLContext. Disable trust-all SSL contexts. Validate hostname matching strictly.
• Medium · Stream Server Security - KissVideoStreamServer.java — src/main/java/com/tonikelope/megabasterd/KissVideoStreamServer.java. KissVideoStreamServer.java implements a streaming server. Without authentication/authorization checks, this could allow unauthorized access to download streams or expose directory traversal vulnerabilities. Fix: Implement authentication for stream access. Validate all file path inputs to prevent directory traversal. Use file path whitelisting. Implement access control lists for shared streams.
• Medium · Incomplete POM.xml File — undefined. The pom.xml dependency list is truncated ('org.apache.commons Fix: undefined

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.