If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/zhanglei-workspace/shopping-management-system shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

AVOID — Looks unmaintained — solo project with stale commits

• Tests present
• ⚠ Stale — last commit 2y ago
• ⚠ Solo or near-solo (1 contributor active in recent commits)
• ⚠ No license — legally unclear to depend on
• ⚠ No CI workflows detected

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live zhanglei-workspace/shopping-management-system repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/zhanglei-workspace/shopping-management-system.

What it runs against: a local clone of zhanglei-workspace/shopping-management-system — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in zhanglei-workspace/shopping-management-system | Confirms the artifact applies here, not a fork | | 2 | Default branch master exists | Catches branch renames | | 3 | 5 critical file paths still exist | Catches refactors that moved load-bearing code | | 4 | Last commit ≤ 822 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of zhanglei-workspace/shopping-management-system. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/zhanglei-workspace/shopping-management-system.git
#   cd shopping-management-system
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of zhanglei-workspace/shopping-management-system and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "zhanglei-workspace/shopping-management-system(\\.git)?\\b" \\
  && ok "origin remote is zhanglei-workspace/shopping-management-system" \\
  || miss "origin remote is not zhanglei-workspace/shopping-management-system (artifact may be from a fork)"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \\
  && ok "default branch master exists" \\
  || miss "default branch master no longer exists"

# 4. Critical files exist
test -f "0#Java基础项目/shopping-management-system/src/lyons/page/MainPage.java" \\
  && ok "0#Java基础项目/shopping-management-system/src/lyons/page/MainPage.java" \\
  || miss "missing critical file: 0#Java基础项目/shopping-management-system/src/lyons/page/MainPage.java"
test -f "0#Java基础项目/shopping-management-system/src/lyons/db/DbConn.java" \\
  && ok "0#Java基础项目/shopping-management-system/src/lyons/db/DbConn.java" \\
  || miss "missing critical file: 0#Java基础项目/shopping-management-system/src/lyons/db/DbConn.java"
test -f "0#Java基础项目/shopping-management-system/src/lyons/dao/GoodsDao.java" \\
  && ok "0#Java基础项目/shopping-management-system/src/lyons/dao/GoodsDao.java" \\
  || miss "missing critical file: 0#Java基础项目/shopping-management-system/src/lyons/dao/GoodsDao.java"
test -f "1#Java菜鸟项目/lyons.eaby/src/lyons/db/DbConn.java" \\
  && ok "1#Java菜鸟项目/lyons.eaby/src/lyons/db/DbConn.java" \\
  || miss "missing critical file: 1#Java菜鸟项目/lyons.eaby/src/lyons/db/DbConn.java"
test -f "1#Java菜鸟项目/lyons.eaby/src/lyons/control/HandleLogin.java" \\
  && ok "1#Java菜鸟项目/lyons.eaby/src/lyons/control/HandleLogin.java" \\
  || miss "missing critical file: 1#Java菜鸟项目/lyons.eaby/src/lyons/control/HandleLogin.java"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 822 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~792d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/zhanglei-workspace/shopping-management-system"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

A multi-tiered Java learning project collection featuring four progressively complex shopping/management systems (supermarket POS, e-commerce platform, enterprise refactor with MyBatis, and Spring-based full-stack app). Each project layer teaches specific Java concepts—from raw JDBC console apps (Project 0) through JSP/Servlet web apps (Project 1) to MyBatis ORMs (Project 2) and finally Spring/Shiro enterprise patterns (Project 3)—all using Oracle database backends. Four nested Maven/non-Maven modules under numbered folders: 0#Java基础项目/ contains raw JDBC console app with src/lyons/{dao,db,entity,page,tools}; 1#Java菜鸟项目/lyons.eaby/ is a JSP/Servlet web app with WebRoot/{css,image,WEB-INF}; Projects 2 and 3 referenced in README but file structure not fully shown. Database layer abstraction in db/DbConn.java and db/DbClose.java with entity POJOs in entity/, DAOs in dao/, and UI wrappers in page/ and tools/.

Java beginners and intermediate learners (roughly A1-B1 skill levels) who have completed syntax fundamentals and want hands-on practice. Specifically: students after SQL/JDBC basics who need scaffolded projects to apply knowledge in realistic business domains (POS systems, product catalogs, sales tracking) before tackling senior-level architecture.

Early-stage educational project in active development: Project 0 is feature-complete; Projects 1 and 2 are largely finished ('雏形完成，后续改进细节'); Project 3 is still in intermittent development ('间断性推送中'). No visible CI/CD, limited commit metadata in provided data, but sustained push history suggests steady incremental work. Verdict: actively developed but educational-grade, not production-ready code.

High educational value but low production readiness. Risk factors: (1) no dependency management (no Maven/Gradle configs in provided structure until Project 3), making version pinning opaque; (2) Oracle-only DB coupling in raw JDBC projects limits portability; (3) single maintainer (lyons/zhanglei, one email listed); (4) no visible unit tests across Projects 0–2; (5) explicitly disclaims commercial use, which may signal incomplete or informal testing. Safe for learning, risky for cloning into production.

Based on README timeline and structure: Project 0 is stable; Project 1 (JSP) feature-complete but no longer actively updated (redirecting learners to Project 2); Project 2 (MyBatis refactor) is ~80% pushed and incrementally improved on weekends; Project 3 (Spring/Shiro) is intermittently developed with full stack (Maven, security, MVC). No PR board, issue tracker, or branch activity visible in provided data.

Check README for instructions.

Daily commands: Project 0: Compile with IDE or javac, ensure Oracle driver in classpath, configure DbConn.java connection string, run lyons.page.MainPage as Java application. Project 1: Deploy WAR to Tomcat/JBoss, access http://localhost:8080/lyons.eaby/ (index page inferred). Project 2: cd 2#Java入门项目 && mvn clean install && mvn tomcat7:run (assumes Tomcat 7 Maven plugin configured). Project 3: cd 3#Java狙击项目 && mvn clean package && mvn jetty:run (or equivalent; exact plugin TBD from source).

• 0#Java基础项目/shopping-management-system/src/lyons/page/MainPage.java — Entry point for the console-based shopping management system; all UI flow starts here
• 0#Java基础项目/shopping-management-system/src/lyons/db/DbConn.java — Database connection singleton; all DAO operations depend on this for JDBC connectivity
• 0#Java基础项目/shopping-management-system/src/lyons/dao/GoodsDao.java — Core data access layer for goods inventory; implements CRUD operations used throughout the system
• 1#Java菜鸟项目/lyons.eaby/src/lyons/db/DbConn.java — Web project database connection handler; essential for Servlet/JSP layer to access data
• 1#Java菜鸟项目/lyons.eaby/src/lyons/control/HandleLogin.java — Authentication Servlet for web project; manages user session and login flow
• 2#Java入门项目/lyons.eaby.new/.classpath — Project classpath configuration; defines all library and dependency references for MyBatis-based project

Add a new product (item) in the Console App

1. Define product fields in the Goods entity class (0#Java基础项目/shopping-management-system/src/lyons/entity/Goods.java)
2. Implement insert/query methods in GoodsDao with prepared statements (0#Java基础项目/shopping-management-system/src/lyons/dao/GoodsDao.java)
3. Add menu option and input form in GoodsPage (0#Java基础项目/shopping-management-system/src/lyons/page/GoodsPage.java)
4. Update the database schema if adding new columns (0#Java基础项目/shopping-management-system/files/sql文件/GOODS.sql)

Add a new Servlet controller for the Web App

1. Create new Servlet class extending HttpServlet in control package (1#Java菜鸟项目/lyons.eaby/src/lyons/control/)
2. Register Servlet mapping and URL pattern in web deployment descriptor (1#Java菜鸟项目/lyons.eaby/WebRoot/WEB-INF/web.xml)
3. Implement doGet/doPost methods and call appropriate DAO layer (1#Java菜鸟项目/lyons.eaby/src/lyons/dao/GoodsDao.java)
4. Create corresponding JSP template to render response (1#Java菜鸟项目/lyons.eaby/WebRoot/jsp/)

Add a new database query to the DAO layer

1. Write SQL query and add method signature in appropriate Dao class (0#Java基础项目/shopping-management-system/src/lyons/dao/GoodsDao.java)
2. Obtain connection using DbConn singleton (0#Java基础项目/shopping-management-system/src/lyons/db/DbConn.java)
3. Use PreparedStatement to execute query and map ResultSet to entity objects (0#Java基础项目/shopping-management-system/src/lyons/entity/Goods.java)
4. Close resources using DbClose utility to prevent leaks (0#Java基础项目/shopping-management-system/src/lyons/db/DbClose.java)

• JDBC (Java Database Connectivity) — Foundational technology for basic Java developers; provides direct database access without abstraction layers, teaching connection management and SQL execution
• Console-based UI (Scanner, System.out) — Project 0 targets Java basics; console I/O demonstrates core language features without GUI framework complexity
• JSP (Java Server Pages) & Servlets — Project 1 extends to web basics; JSP/Servlet combo teaches request-response model and separation of presentation from logic before introducing frameworks
• MyBatis (implied in Project 2) — Project 2 introduces lightweight ORM to bridge gap between raw JDBC and full Spring; reduces boilerplate while teaching SQL

1. Oracle-only: Project 0–2 hardcoded for Oracle; DbConn.java uses Oracle JDBC driver and SQL dialect. Switching to MySQL/PostgreSQL requires class rewrite. 2. No dependency versions: Projects 0–1 list no Maven POM; JDBC driver version implicit. Unclear which JDK/Oracle driver combo works. 3. SQL file order matters: java_sql.sql must load before GOODS.sql / SALESMAN.sql / GSALES.sql to set up tablespaces/sequences. 4. Hardcoded paths in Project 1: Image folder image/goods/ likely absolute or context-relative; deployment to non-root context breaks image loading. 5. No transaction handling: Project 0 DAOs lack explicit commit/rollback; auto-commit mode assumed. 6. DbClose antipattern: DbClose.java closes connection per operation instead of pooling, causing performance issues at scale. 7. Project 3 incomplete structure not shown: README promises Shiro/Spring but provided file list ends at Project 1; actual Spring config unknown.

• Connection Pooling — Project 0–1 reinvent JDBC connections per query instead of pooling; understanding pooling (HikariCP, C3P0) prevents N+1 connection overhead when scaling from console to web
• Data Access Object (DAO) Pattern — Core organizational principle across all four projects—DAO abstracts SQL from business logic, enabling tests and refactors (e.g., Project 0 → Project 2 MyBatis swap without UI changes)
• Object-Relational Mapping (ORM) — Project 0 uses manual ResultSet mapping; Project 2 replaces this with MyBatis declarative mapping; Project 3 may add Hibernate alternative—understanding impedance mismatch is essential for database-heavy Java apps

• imooc/springboot-shopping — Similar e-commerce domain (shopping cart, product catalog, user auth) but uses modern Spring Boot instead of raw Servlet/JSP; shows evolution path for learners after Project 1
• bjmashibing/DBPool — Companion project addressing the DbConn/DbClose antipattern explicitly—implements proper connection pooling strategies that Project 0–1 lack
• pagehelper/Mybatis-PageHelper — Pagination library that Project 2 (MyBatis refactor) will need when scaling product queries; taught as add-on to core MyBatis mapper pattern
• apache/shiro — Official Shiro repo; Project 3 depends on it for auth/session management—reference when learners hit framework configuration snags
• spring-projects/spring-framework — Core Spring source; Project 3 learners should trace Spring MVC request lifecycle and dependency injection through official repo when project docs are sparse

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add unit tests for DAO layer (GoodsDao, GsalesDao, SalesManDao)

Project 0 (Java基础项目) has DAO classes in src/lyons/dao/ but no corresponding test files. Adding JUnit tests would help beginners learn testing best practices and ensure database operations work correctly. This is critical for a learning project where students need to understand how to verify their code.

• [ ] Create test directory: 0#Java基础项目/shopping-management-system/test/lyons/dao/
• [ ] Add GoodsDaoTest.java with tests for CRUD operations using the SQL files in files/sql文件/
• [ ] Add GsalesDaoTest.java and SalesManDaoTest.java following the same pattern
• [ ] Document test setup instructions in README, including database initialization steps

Create comprehensive setup documentation for database initialization

The repo contains SQL files (GOODS.sql, GSALES.sql, SALESMAN.sql, java_sql.sql) but lacks step-by-step setup instructions. New contributors and learners struggle to get projects running. Adding detailed setup docs with screenshots would dramatically improve accessibility for Java beginners.

• [ ] Create SETUP.md in root directory with database connection requirements
• [ ] Document exact steps to execute SQL files in files/sql文件/ directory
• [ ] Add DbConn.java configuration details (host, port, username, password examples)
• [ ] Include troubleshooting section for common JDBC connection errors
• [ ] Link SETUP.md from each project's local README (e.g., 0#Java基础项目/README.md)

Add input validation and error handling to page layer classes

The page layer (GoodsPage, GsalesPage, SalesManPage, MainPage) likely accepts user input via ScannerChoice.java but lacks visible validation. Adding proper exception handling and input validation examples teaches beginners defensive programming and would improve code robustness across all projects.

• [ ] Review current input handling in src/lyons/page/*.java files
• [ ] Add try-catch blocks and validation logic for numeric inputs in GoodsPage.java and GsalesPage.java
• [ ] Create a new ValidationUtil.java in src/lyons/tools/ with reusable validation methods
• [ ] Document validation patterns in a new CODING_STANDARDS.md for future contributors
• [ ] Add comments explaining why validation matters for beginners

• Add unit tests for GoodsDao.java (Project 0): Write JUnit 4 tests in test/lyons/dao/GoodsDaoTest.java covering CRUD operations (insert, query, update, delete) against an in-memory H2 database to replace live Oracle dependency and document expected behavior.: Project 0–2 have zero visible test coverage; new learners have no safety net when modifying DAO logic. H2 in-memory schema mirrors Oracle syntax.
• Migrate Project 1 DbConn.java to HikariCP connection pool (Project 2 prep): Replace the singleton bare-JDBC connection with HikariCP configuration in web.xml context-param to eliminate per-request connection opening antipattern and teach connection pooling before MyBatis.: DbClose.java inefficiency is a learning blocker; fixing it bridges Projects 0→1→2 and introduces pooling idiom used in enterprise systems.
• Extract SQL strings to properties file in Project 1: Move hardcoded SQL from GoodsDao, SalesManDao, GsalesDao into sql.properties (e.g., goods.select.all=SELECT * FROM GOODS) to enable non-developers to tweak queries and lay groundwork for MyBatis XML mappers in Project 2.: Teaches separation of data access logic from SQL; current inline queries discourage reuse and violate DRY principle.
• Document image path configuration for Project 1: Add a config.properties file with image.base.path and update JSP templates to use JNDI lookup, then document in README.md how to deploy to non-root contexts without breaking image references.: Hardcoded paths in WebRoot/image/ are a common deployment trap; teaching configuration externalization prepares learners for Spring properties / YAML in Project 3.

• Critical · SQL Injection Vulnerability — 0#Java基础项目/shopping-management-system/src/lyons/dao/. The codebase contains DAO classes (GoodsDao.java, GsalesDao.java, SalesManDao.java) that likely construct SQL queries dynamically. Without visible parameterized query implementations, there is a high risk of SQL injection attacks through user input in search, filter, and query operations. Fix: Use prepared statements (PreparedStatement) with parameterized queries instead of string concatenation. All user inputs must be bound as parameters, not concatenated into SQL strings.
• Critical · Cross-Site Scripting (XSS) Vulnerability — 1#Java菜鸟项目/lyons.eaby/WebRoot/jsp/browse/. JSP files (showDetail.jsp, showGoods.jsp, searchByKeyWord.jsp) directly output data to the page without visible sanitization. User-supplied content from database queries is likely rendered directly in HTML, allowing XSS attacks. Fix: Apply HTML encoding to all dynamic content using JSTL <c:out> tag with escapeXml='true', or use OWASP ESAPI encoding functions. Never output raw user input directly to JSP.
• High · Insecure Database Connection Management — 0#Java基础项目/shopping-management-system/src/lyons/db/. DbConn.java and DbClose.java appear to manage database connections manually. Hardcoded credentials, improper connection pooling, and lack of connection timeout configuration could lead to resource exhaustion and credential exposure. Fix: Use a connection pool (HikariCP, Tomcat JDBC Pool). Externalize database credentials to configuration files with restricted access. Implement proper timeout and resource cleanup mechanisms.
• High · Weak Authentication Implementation — 1#Java菜鸟项目/lyons.eaby/src/lyons/control/HandleLogin.java. HandleLogin.java and login.jsp files suggest custom authentication logic. Without visible password hashing, salt usage, or account lockout mechanisms, the system is vulnerable to brute force and credential stuffing attacks. Fix: Implement bcrypt, PBKDF2, or Argon2 for password hashing. Add salt to password hashing. Implement account lockout after failed login attempts. Use HTTPS for all authentication endpoints.
• High · Missing CSRF Protection — 1#Java菜鸟项目/lyons.eaby/WebRoot/jsp/. JSP pages handling sensitive operations (register.jsp, lookOrderForm.jsp, login.jsp) show no evidence of CSRF token generation or validation, leaving them vulnerable to Cross-Site Request Forgery attacks. Fix: Implement CSRF tokens using Spring Security or manual token generation. Add tokens to all state-changing forms and validate them server-side before processing requests.
• High · Insufficient Session Management — 1#Java菜鸟项目/lyons.eaby/WebRoot/WEB-INF/web.xml. No visible session security configuration (HttpOnly, Secure flags, timeout settings) in web.xml. Session fixation and hijacking attacks are possible. Fix: Configure session cookies with HttpOnly and Secure flags in web.xml. Set appropriate session timeout (15-30 minutes). Implement session regeneration upon login. Use Secure=true for HTTPS-only transmission.
• Medium · Hardcoded Configuration and Credentials — 0#Java基础项目/shopping-management-system/src/lyons/db/DbConn.java. Database connection parameters, SQL file locations, and other configuration details may be hardcoded in DbConn.java and other classes, making it difficult to manage environments securely. Fix: Externalize configuration to property files or environment variables. Never hardcode credentials, database URLs, or API keys in source code. Use Maven/Gradle profiles for environment-specific configurations.
• Medium · No Input Validation Framework — 0#Java基础項目/shopping-management-system/src/lyons/tools/Scan. ScannerChoice.java handles input but lacks comprehensive validation and sanitization. Malformed input could cause application crashes or be exploited for injection attacks. Fix: undefined

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.