
zlt2000/microservices-platform

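An enterprise-grade, multi-tenant microservices system architecture based on SpringBoot 2.x, SpringCloud and SpringCloudAlibaba, with the front end and back end separated. It adopts a component-based approach to achieve high cohesion and low coupling; the project code is concise, richly commented and easy to pick up, suitable both for learning and for enterprise use. It delivers a stateless, unified authentication and authorization solution based on RBAC, jwt and oauth2, is designed for the internet and suits both B-side (business) and C-side (consumer) users, supports CI/CD multi-environment deployment, and provides application management to make third-party system integration easier; it also brings together various microservice governance and monitoring features. Modules include: enterprise-grade authentication system, development platform, application monitoring, slow SQL monitoring, unified logging, single sign-on, Redis distributed high-speed cache, configuration center, distributed task scheduling, API documentation, code generation, and more.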

Mixed

Stale — last commit 1y ago

weakest axis
Use as dependency: Mixed

last commit was 1y ago; no CI workflows detected

Fork & modify: Healthy

Has a license, tests, and CI — clean foundation to fork and modify.

Learn from: Healthy

Documented and popular — useful reference codebase to read through.

Deploy as-is: Mixed

last commit was 1y ago; no CI workflows detected

  • 9 active contributors
  • Apache-2.0 licensed
  • Tests present
  • Stale — last commit 1y ago
  • Concentrated ownership — top contributor handles 70% of recent commits
  • No CI workflows detected
What would change the summary?
  • Use as dependency: Mixed → Healthy if: 1 commit in the last 365 days
  • Deploy as-is: Mixed → Healthy if: 1 commit in the last 180 days

Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests

Informational only. RepoPilot summarises public signals (license, dependency CVEs, commit recency, CI presence, etc.) at the time of analysis. Signals can be incomplete or stale. Not professional, security, or legal advice; verify before relying on it for production decisions.


Onboarding doc

Onboarding: zlt2000/microservices-platform

Generated by RepoPilot · 2026-05-09 · Source

🤖Agent protocol

If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

  1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
  2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
  3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/zlt2000/microservices-platform shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

🎯Verdict

WAIT — Stale — last commit 1y ago

  • 9 active contributors
  • Apache-2.0 licensed
  • Tests present
  • ⚠ Stale — last commit 1y ago
  • ⚠ Concentrated ownership — top contributor handles 70% of recent commits
  • ⚠ No CI workflows detected


Verify before trusting

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live zlt2000/microservices-platform repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/zlt2000/microservices-platform.

What it runs against: a local clone of zlt2000/microservices-platform — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters |
|---|---|---|
| 1 | You're in zlt2000/microservices-platform | Confirms the artifact applies here, not a fork |
| 2 | License is still Apache-2.0 | Catches relicense before you depend on it |
| 3 | Default branch master exists | Catches branch renames |
| 4 | Last commit ≤ 405 days ago | Catches sudden abandonment since generation |

<details> <summary><b>Run all checks</b> — paste this script from inside your clone of <code>zlt2000/microservices-platform</code></summary>

```bash
#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of zlt2000/microservices-platform. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/zlt2000/microservices-platform.git
#   cd microservices-platform
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of zlt2000/microservices-platform and re-run."
  exit 2
fi

# 1. Repo identity. Anchor the match at the end of the URL so that a
#    look-alike such as zlt2000/microservices-platform-fork does not pass.
git remote get-url origin 2>/dev/null | grep -qE "[:/]zlt2000/microservices-platform(\.git)?/?$" \
  && ok "origin remote is zlt2000/microservices-platform" \
  || miss "origin remote is not zlt2000/microservices-platform (artifact may be from a fork)"

# 2. License matches what RepoPilot saw.
#    The standard Apache-2.0 LICENSE text opens with "Apache License" /
#    "Version 2.0" rather than the SPDX id, so accept either form.
(grep -qiE "^(Apache-2\.0)" LICENSE 2>/dev/null \
   || { grep -qi "Apache License" LICENSE 2>/dev/null \
        && grep -qiE "Version 2\.0" LICENSE 2>/dev/null; } \
   || grep -qiE "\"license\"\s*:\s*\"Apache-2\.0\"" package.json 2>/dev/null) \
  && ok "license is Apache-2.0" \
  || miss "license drift — was Apache-2.0 at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \
  && ok "default branch master exists" \
  || miss "default branch master no longer exists"

# 4. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 405 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~375d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/zlt2000/microservices-platform"
  exit 1
fi
```

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

</details>

TL;DR

An enterprise-grade microservices platform built on Spring Boot 3.1.6, Spring Cloud 2022.0.4, and Spring Cloud Alibaba that implements a multi-tenant SaaS architecture with stateless JWT/OAuth2 authentication. It solves the non-functional requirements of microservices systems (auth, logging, monitoring, distributed scheduling, config management) while providing business modules like user-center, file-center, and code-generation via Feign client architecture.

Multi-module Maven monorepo with hierarchical structure: central-platform (parent pom) contains zlt-business (business modules) and zlt-commons (shared utilities). Key modules: user-center[7000], file-center[5000], code-generator[7300], search-center with separate search-client Feign interface. Each business module follows the MVC pattern (controller→service→mapper→model) with MyBatis XML mappers in src/main/resources/mapper/. The separated frontend uses Ant Design Pro with TypeScript, JavaScript, and HTML.

👥Who it's for

Java enterprise architects and senior backend engineers building multi-tenant SaaS platforms who need a production-ready reference implementation with RBAC authorization, distributed tracing (APM), centralized logging, and CI/CD-ready deployment. Also targets learners studying modern Spring Cloud patterns and component-driven architecture.

🌱Maturity & risk

Production-ready and actively maintained. Version 6.0.0 targets JDK 17 with modern Spring Authorization Server (1.1.3) instead of deprecated OAuth2 Security. The project demonstrates sophistication (multi-tenant isolation, Elasticsearch integration, Redisson caching, ShardingSphere sharding) and includes monitoring infrastructure (Grafana, APM, slow-SQL detection). However, commit recency is not visible in provided data.

Moderate complexity risk: 40+ transitive dependencies (Druid, MyBatis-Plus, EasyPOI, FastDFS/Qiniu/S3 abstractions, Jasypt encryption) create maintenance surface. Spring Authorization Server is relatively new compared to deprecated Spring Security OAuth2, so community patterns are still solidifying. Single-maintainer (zlt2000) risk visible from Gitee URL structure. Breaking changes between branch versions (4.x vs 5.x vs master) suggest aggressive modernization cycles.

Active areas of work

Branch master tracks Java 17 + Spring Boot 3.x modernization with Spring Authorization Server migration. Version 6.0.0 indicates recent release. Project includes active feature development around monitoring (slow-SQL detection, APM integration), multi-tenancy, and third-party application integration via application management system. Changelog URLs suggest regular documentation updates.

🚀Get running

Clone and build via `git clone https://github.com/zlt2000/microservices-platform.git && cd microservices-platform && mvn clean install`. Requires JDK 17 and Maven 3.6+. Start individual services with `mvn spring-boot:run -pl zlt-business/user-center` (runs on :7000). Set up the frontend via `npm install && npm start` in the frontend directory. Reference docker-compose or deployment scripts in repo root for full stack.

Daily commands:

  • Full stack: `docker-compose up` (if Dockerfile + docker-compose.yml present).
  • Single service: `cd zlt-business/user-center && mvn spring-boot:run`.
  • Frontend: `cd frontend && npm install && npm start` (typically :8000).

Services auto-register via Nacos; access admin UI at http://localhost:9095 (gateway port varies by config in bootstrap.yml).

🗺️Map of the codebase

🛠️How to make changes

  • Adding a new business module: Copy structure from zlt-business/file-center (create pom.xml, src/main/java/com/central/{module}/{controller,service,mapper,model}, src/main/resources/bootstrap.yml).
  • Modifying auth: Edit Spring Authorization Server config (likely in zlt-commons/common-core or separate auth module).
  • Database changes: Add MyBatis mapper XML in src/main/resources/mapper/ and corresponding mapper interface in mapper/ package.
  • Adding API documentation: Code-generator module handles Swagger/knife4j generation.
  • Frontend routes: Modify Ant Design Pro layout in frontend/src/layouts/ and page components in frontend/src/pages/.

🪤Traps & gotchas

  • Nacos connectivity: Services require Nacos server running (default localhost:8848) else startup fails silently after timeout—check bootstrap.yml spring.cloud.nacos.server-addr.
  • Database schema: No schema SQL visible in file list; must exist before service startup or MyBatis will fail on mapper XML execution.
  • JWT secret: Spring Authorization Server requires configured JWT signing key (likely in application.yml or Nacos config)—missing key causes 401 on all requests.
  • Multi-tenancy header: Tenant isolation likely requires X-Tenant-ID header in HTTP requests (check common-core utilities)—requests without it may fail or return wrong data.
  • Version pinning: This is version 6.0.0 targeting Spring 3.x; older branches (5.x, 4.x) use Spring 2.x and must not be mixed in same build due to incompatible Spring Security APIs.
  • MyBatis mapper registration: Mappers auto-discovered via @MapperScan in main application class or in CommonAutoConfiguration—if custom mapper packages used, @MapperScan must include them.

💡Concepts to learn

  • JWT (JSON Web Tokens) with Spring Authorization Server — This platform implements stateless authentication using JWT instead of session cookies, which is critical for scaling microservices; understand token structure, signing, and validation to modify auth behavior
  • RBAC (Role-Based Access Control) — User-center module implements RBAC with roles, permissions, and resources; this is the foundation for multi-tenant isolation and fine-grained authorization across all microservices
  • Service Discovery & Registration (Nacos) — Microservices auto-register with Nacos on startup and client-side discovers service endpoints dynamically; required to understand how user-center, file-center, search-center find each other
  • Feign Client with Circuit Breaker Pattern — Inter-service communication uses Feign declarative clients (SearchService, AggregationService) with fallback factories for resilience; this pattern handles partial failures in distributed systems
  • Distributed Configuration Management (Nacos Config) — Services load configuration from Nacos at bootstrap time instead of application.yml; allows runtime config updates without redeployment—essential for multi-environment CI/CD mentioned in README
  • MyBatis Mapper XML & Dynamic SQL — All data layers use MyBatis-Plus with mapper XML files (see FileMapper.xml pattern); understanding mapper auto-discovery and parameterized queries is required to modify or extend data access
  • Database Sharding (ShardingSphere) — ShardingSphere 3.1.0 enables horizontal database scaling by sharding tables across multiple databases; understand sharding keys and SQL routing to optimize queries for large tenants
  • alibaba/spring-cloud-alibaba — Official Spring Cloud Alibaba implementation (Nacos, Sentinel, Seata); this platform uses it as core infrastructure for service discovery, config management, and circuit breaking
  • spring-projects/spring-authorization-server — Upstream Spring Authorization Server (v1.1.3) that this platform customizes for RBAC/JWT/OAuth2 authentication; reference implementation for understanding the stateless auth pattern used here
  • baomidou/mybatis-plus — MyBatis-Plus (v3.5.4.1) is the ORM used throughout; provides code generation (IFileService, IUserService patterns) and simplifies mapper development
  • seata/seata — Distributed transaction framework likely integrated for saga pattern across microservices (file-center, user-center); handles ACID guarantees in multi-service flows
  • redisson/redisson — Redisson (v3.25.0) provides distributed caching and lock implementations used for high-speed cache layer and distributed task scheduling mentioned in description

🪄PR ideas

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add comprehensive unit tests for file upload/storage abstraction layer

The file-center module has AbstractIFileService with multiple implementations (FastdfsService, S3Service) but no visible test files. Given this is an enterprise platform with multi-tenant support, testing different storage backends (FastDFS, S3, etc.) is critical to prevent data loss bugs. New contributors could add parameterized tests covering upload, download, and deletion flows.

  • [ ] Create zlt-business/file-center/src/test/java/com/central/file/service directory
  • [ ] Add AbstractIFileServiceTest with parameterized tests for FastdfsService and S3Service implementations
  • [ ] Add FileControllerTest covering multipart file upload endpoints with mock storage
  • [ ] Add integration test for FileMapper.xml CRUD operations
  • [ ] Run tests with 'mvn test' and ensure they pass

Add GitHub Actions CI/CD workflow for multi-module Maven builds

This is a large monorepo targeting Java 17+ with complex dependency chains (Spring Cloud Alibaba, Sharding-Sphere, etc.). There's no visible .github/workflows directory. Adding a matrix build strategy that tests on JDK 17, runs the Maven build with specific profiles, and validates dependency conflicts would prevent breaking changes in PRs.

  • [ ] Create .github/workflows/maven-build.yml with JDK 17 matrix setup
  • [ ] Configure Maven to run 'clean install -DskipTests' on PR and 'clean install' on main
  • [ ] Add step to validate no dependency version conflicts using 'mvn dependency:tree'
  • [ ] Add conditional deployment step that only triggers on main branch pushes
  • [ ] Test workflow by opening a draft PR and verifying it executes

Create integration documentation and test suite for Elasticsearch functionality in search-center

The search-center module has search-client (Feign-based) and search-server components with fallback factories, but lacks integration tests and operational docs. This is critical for enterprise users. Add tests covering Elasticsearch index creation, aggregation queries, and circuit breaker fallback behavior when ES is unavailable.

  • [ ] Create zlt-business/search-center/search-server/src/test/java/com/central/admin for integration tests
  • [ ] Add SearchServiceIntegrationTest using testcontainers (or Docker Compose) to spin up Elasticsearch 7.x
  • [ ] Add test cases for IndexController.java covering index CRUD and aggregation operations
  • [ ] Add fallback behavior tests in zlt-business/search-center/search-client/src/test verifying SearchServiceFallbackFactory and AggregationServiceFallbackFactory return graceful responses
  • [ ] Create docs/elasticsearch-setup.md with configuration guide and troubleshooting section
  • [ ] Run 'mvn verify' to ensure integration tests execute in CI

🌿Good first issues

  • Add unit tests for zlt-business/file-center/src/main/java/com/central/file/service/impl/AbstractIFileService.java: Currently no test files visible for the abstract file service; write tests covering FastdfsService and S3Service implementations with mock storage backends
  • Document the multi-tenancy request context pattern: File structure shows multi-tenant support is claimed but no visible documentation or example of how to set X-Tenant-ID header and tenant isolation in queries—add a markdown guide with concrete cURL examples in docs/
  • Add integration test for Feign fallback factories: zlt-business/search-center/search-client/src/main/java/com/central/search/client/feign/fallback/SearchServiceFallbackFactory.java exists but no visible test; write integration test that kills the search-center service and verifies fallback response is returned

Top contributors


📝Recent commits

  • d53d7b0 — Merge pull request #76 from zlt2000/dev (zlt2000)
  • 07aa473 — Remove the code generation module (zlt2000)
  • 18cd07f — Merge pull request #75 from zlt2000/dev (zlt2000)
  • 8dc78b4 — Merge pull request #74 from zlt2000/dev (zlt2000)
  • 6d27d59 — !36 update zlt-commons/zlt-log-spring-boot-starter/src/main/resources/logback-spring.xml. (zlt2000)
  • 3d6544d — logback-spring.xml: addtivity->additivity, fix the duplicate log output issue (lafxy)
  • 35b4ecd — Merge branch 'refs/heads/dev' (zlt2000)
  • 13cbebd — Add friendly links (zlt2000)
  • 591cf2f — Resource service optimization (zlt2000)
  • ed1fdb0 — feat: adapt resource-server-demo to Spring Authorization Server (zlt2000)

🔒Security observations

  • High · Outdated JJWT Dependency — pom.xml - jjwt.version property. The project uses jjwt version 0.9.1, which is outdated and contains known security vulnerabilities. This version lacks security patches for issues like CVE-2022-26612 (authentication bypass through JWT claim manipulation). Fix: Upgrade to jjwt 0.12.3 or later (or migrate to jjwt 1.x series). Review the official JJWT GitHub repository for the latest stable version and breaking changes.
  • High · Vulnerable Druid DataSource Version — pom.xml - druid-starter property (version 1.2.18). Druid 1.2.18 may contain known vulnerabilities. While relatively recent, it's important to verify if there are any CVEs associated with this version, especially for SQL filtering bypass issues. Fix: Check Druid's release notes and CVE databases for version 1.2.18. Consider upgrading to the latest stable version (currently 1.2.x series) and monitor security advisories.
  • High · Known Vulnerability in Apache Commons Collections — pom.xml - commons-collections4.version property. Commons Collections 4.4 may be vulnerable to remote code execution through deserialization gadget chains. While version 4.4 is relatively recent, it's important to ensure the application doesn't use unsafe deserialization patterns. Fix: Verify that the application does not perform unsafe deserialization of untrusted data. Consider implementing strict input validation and serialization filters. Keep the library updated.
  • High · Outdated FastDFS Client Library — pom.xml - fastdfs-client.version property. FastDFS client version 1.27.2 is relatively old and may contain unpatched security vulnerabilities. FastDFS has had various security issues in the past including authentication bypass and RCE. Fix: Update to the latest available version of FastDFS client. Consider switching to a more actively maintained file storage solution like MinIO or official S3-compatible APIs.
  • Medium · Velocity Template Engine Versions — pom.xml - velocity.version property (1.7). Velocity 1.7 is from 2010 and is outdated. Velocity has known security vulnerabilities including template injection risks. The project uses both Velocity and EasyPOI which may have template processing risks. Fix: Upgrade to Velocity 2.3 or later. Ensure that user input is never directly used in Velocity templates without proper escaping and sandboxing.
  • Medium · Outdated POI Library — pom.xml - poi.version property (4.1.1). Apache POI 4.1.1 is outdated and may contain known vulnerabilities related to XML External Entity (XXE) injection and other file format parsing issues. Fix: Upgrade to POI 5.2.3 or later. Ensure XXE protection is enabled in XML parsing configurations.
  • Medium · Potential OAuth2 Configuration Issues — pom.xml and authentication-related modules. The project mentions OAuth2 implementation but uses Spring Authorization Server 1.1.3. While functional, ensure that all OAuth2 endpoints are properly secured and that token expiration, refresh token rotation, and PKCE are properly configured. Fix: Review OAuth2 configuration, ensure HTTPS is enforced for all OAuth2 endpoints, implement proper token expiration policies, use PKCE for public clients, and consider token binding mechanisms.
  • Medium · S3 and File Upload Security Risks — zlt-business/file-center/src/main/java/com/central/file/. File upload functionality (FileController, S3Service) may be vulnerable to arbitrary file upload, path traversal, and XXE attacks if not properly validated. The presence of FastDFS and S3 services suggests file handling complexity. Fix: Implement strict file type validation (magic bytes, not just extensions), file size limits, virus scanning, and store files outside the web root. Sanitize file names and prevent path traversal attacks.
  • Medium · Elasticsearch Search Injection

LLM-derived; treat as a starting point, not a security audit.


Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.
