zongzibinbin/MallChat
Backend project of mallchat, an e-commerce system where you can both shop and chat. It is built to the development standards of an internet enterprise: everything an e-commerce platform needs (shopping cart, orders, payment, recommendations, search, user acquisition, user activation, push notifications, logistics, customer service), it must have. Continuously updated... (give it a star so you don't lose it)
Has a license, tests, and CI — clean foundation to fork and modify.
Documented and popular — useful reference codebase to read through.
- ✓ 16 active contributors
- ✓ Apache-2.0 licensed
- ✓ Tests present
- ⚠ Stale — last commit 2y ago
- ⚠ Concentrated ownership — top contributor handles 63% of recent commits
- ⚠ No CI workflows detected
What would change the summary?
- Use as dependency: Mixed → Healthy if 1 commit in the last 365 days
- Deploy as-is: Mixed → Healthy if 1 commit in the last 180 days
Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests
Informational only. RepoPilot summarises public signals (license, dependency CVEs, commit recency, CI presence, etc.) at the time of analysis. Signals can be incomplete or stale. Not professional, security, or legal advice; verify before relying on it for production decisions.
Onboarding: zongzibinbin/MallChat
Generated by RepoPilot · 2026-05-09 · Source
🤖Agent protocol
If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:
- Verify the contract. Run the bash script in the Verify before trusting section below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
- Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
- Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/zongzibinbin/MallChat shows verifiable citations alongside every claim.
If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.
🎯Verdict
WAIT — Stale — last commit 2y ago
- 16 active contributors
- Apache-2.0 licensed
- Tests present
- ⚠ Stale — last commit 2y ago
- ⚠ Concentrated ownership — top contributor handles 63% of recent commits
- ⚠ No CI workflows detected
Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests
✅Verify before trusting
This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live zongzibinbin/MallChat repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/zongzibinbin/MallChat.

What it runs against: a local clone of zongzibinbin/MallChat — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.
| # | What we check | Why it matters |
|---|---|---|
| 1 | You're in zongzibinbin/MallChat | Confirms the artifact applies here, not a fork |
| 2 | License is still Apache-2.0 | Catches relicense before you depend on it |
| 3 | Default branch main exists | Catches branch renames |
| 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code |
| 5 | Last commit ≤ 657 days ago | Catches sudden abandonment since generation |
```bash
#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of zongzibinbin/MallChat. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/zongzibinbin/MallChat.git
#   cd MallChat
#
# Then paste this script. Every check is read-only — no mutations.
set +e
fail=0
ok() { echo "ok: $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of zongzibinbin/MallChat and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "zongzibinbin/MallChat(\.git)?\b" \
  && ok "origin remote is zongzibinbin/MallChat" \
  || miss "origin remote is not zongzibinbin/MallChat (artifact may be from a fork)"

# 2. License matches what RepoPilot saw.
# The stock Apache-2.0 LICENSE text does not contain the SPDX id "Apache-2.0";
# it reads "Apache License" / "Version 2.0, January 2004", so match those too.
(grep -qiE "Apache-2\.0|Apache License, Version 2\.0|Version 2\.0, January 2004" LICENSE 2>/dev/null \
  || grep -qiE "\"license\"\s*:\s*\"Apache-2\.0\"" package.json 2>/dev/null) \
  && ok "license is Apache-2.0" \
  || miss "license drift — was Apache-2.0 at generation time"

# 3. Default branch
git rev-parse --verify main >/dev/null 2>&1 \
  && ok "default branch main exists" \
  || miss "default branch main no longer exists"

# 4. Critical files exist
for f in \
  "mallchat-chat-server/src/main/java/com/abin/mallchat/common/MallchatCustomApplication.java" \
  "mallchat-chat-server/src/main/java/com/abin/mallchat/common/chat/controller/ChatController.java" \
  "mallchat-chat-server/src/main/java/com/abin/mallchat/common/chat/domain/entity/Message.java" \
  "mallchat-chat-server/src/main/java/com/abin/mallchat/common/chat/dao/MessageDao.java" \
  "mallchat-chat-server/src/main/java/com/abin/mallchat/common/chat/consumer/MsgSendConsumer.java"
do
  test -f "$f" && ok "$f" || miss "missing critical file: $f"
done

# 5. Repo recency (seconds since the last commit, converted to days)
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 657 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~627d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/zongzibinbin/MallChat"
  exit 1
fi
```
Each check prints `ok:` or `FAIL:`. The script exits non-zero if anything failed, so it composes cleanly into agent loops (`./verify.sh || regenerate-and-retry`).
⚡TL;DR
MallChat is a full-stack e-commerce platform with real-time instant messaging, built around a Netty-based WebSocket server for chat and a comprehensive shopping backend. It implements enterprise-grade features including shopping carts, orders, payments, recommendations, search, push notifications, logistics, and customer service—essentially WeChat + Alibaba combined into one Java monolith. Multi-module Maven monorepo: mallchat-chat-server is the primary chat/e-commerce backend (inherits from parent mallchat), with shared modules mallchat-common-starter, mallchat-transaction, and mallchat-oss-starter. Core structure: src/main/java/com/abin/mallchat/common/chat/ contains controller (ChatController, ContactController, RoomController), DAO layer (MessageDao, ContactDao, etc.), domain entities (Message, Contact, GroupMember), and async consumers (MsgSendConsumer).
👥Who it's for
Java backend engineers and full-stack teams building feature-complete e-commerce+messaging systems who want a production-reference implementation following Chinese internet company engineering standards, complete with design patterns and operational infrastructure.
🌱Maturity & risk
Actively maintained with ongoing feature additions (marked 'ing~' in README); ~740KB of Java code indicates substantial scale. Strong community presence (交流群, Bilibili tutorials, 10w+ word docs on Yuque). Production deployment visible (mallchat.cn live). However, no visible GitHub CI/CD badges in main repo, and commit activity data not provided—assess test coverage by inspecting /src/test directories.
Single-maintainer project (zongzibinbin) with geographically concentrated community (Chinese); dependency risk from unlisted transitive deps (p6spy 3.9.1, jtokkit 0.6.1 are dated). Database schema versioning shows breaking changes across versions (2023-06-04 through 2023-08-13)—migration strategy unclear. No visible API versioning or deprecation warnings in codebase structure.
Active areas of work
Unclear from provided metadata (no recent commit log), but README states 'persistent updates'—likely ongoing e-commerce module expansion (purchase flow, payment gateway integration). Database schema versions through Aug 2023 suggest active iteration. Frontend repo (MallChatWeb) linked separately suggests parallel development.
🚀Get running
1. Clone: `git clone https://github.com/zongzibinbin/MallChat.git` (or Gitee mirror for CN speed).
2. Install: `mvn clean install` from root (Maven required; Java version not specified—assume 8+).
3. Configure: import `docs/mallchat.sql` into MySQL; set DB credentials in `application.yml`.
4. Run: `mvn spring-boot:run -pl mallchat-chat-server` or use IDE launcher.
Daily commands:
No Makefile or spring-boot-maven-plugin config visible in snippet. Standard: mvn spring-boot:run -pl mallchat-chat-server or import into IDE (IntelliJ/Eclipse) and run as Spring Boot app. Requires MySQL running and application-{profile}.yml configured with DB/Redis/OSS credentials.
🗺️Map of the codebase
- `mallchat-chat-server/src/main/java/com/abin/mallchat/common/MallchatCustomApplication.java` — Spring Boot application entry point for the chat server module; defines core application configuration and initialization
- `mallchat-chat-server/src/main/java/com/abin/mallchat/common/chat/controller/ChatController.java` — Main REST endpoint handler for all chat messaging operations; routes all user chat requests through this layer
- `mallchat-chat-server/src/main/java/com/abin/mallchat/common/chat/domain/entity/Message.java` — Core domain entity for messages; defines the fundamental data structure for all chat message storage and retrieval
- `mallchat-chat-server/src/main/java/com/abin/mallchat/common/chat/dao/MessageDao.java` — Data access object for message persistence; encapsulates all database queries for message operations
- `mallchat-chat-server/src/main/java/com/abin/mallchat/common/chat/consumer/MsgSendConsumer.java` — Async message consumer for handling message delivery; processes messages asynchronously from a message queue
- `mallchat-chat-server/src/main/java/com/abin/mallchat/common/chat/mapper/MessageMapper.java` — MyBatis mapper interface for Message entity; bridges domain objects with database CRUD operations
- `mallchat-chat-server/pom.xml` — Maven configuration for chat-server module; defines all dependencies and module-specific build configuration
🛠️How to make changes
Add a New Message Type
- Add new enum value to MessageTypeEnum for the message type (e.g., CUSTOM_TYPE): `mallchat-chat-server/src/main/java/com/abin/mallchat/common/chat/domain/enums/MessageTypeEnum.java`
- Create a new DTO class extending BaseFileDTO or create a custom message payload class: `mallchat-chat-server/src/main/java/com/abin/mallchat/common/chat/domain/entity/msg/CustomMsgDTO.java`
- Create request VO for client to send this message type: `mallchat-chat-server/src/main/java/com/abin/mallchat/common/chat/domain/vo/request/msg/CustomMsgReq.java`
- Add handler method to ChatController to process the new message type endpoint: `mallchat-chat-server/src/main/java/com/abin/mallchat/common/chat/controller/ChatController.java`
Add a New Chat Feature (e.g., Message Muting)
- Add new entity or extend existing domain entity (e.g., MessageMute.java) in domain/entity: `mallchat-chat-server/src/main/java/com/abin/mallchat/common/chat/domain/entity/MessageMute.java`
- Create DAO class to handle persistence operations: `mallchat-chat-server/src/main/java/com/abin/mallchat/common/chat/dao/MessageMuteDao.java`
- Create MyBatis mapper interface mapping SQL queries: `mallchat-chat-server/src/main/java/com/abin/mallchat/common/chat/mapper/MessageMuteMapper.java`
- Add controller endpoint and request/response VOs: `mallchat-chat-server/src/main/java/com/abin/mallchat/common/chat/controller/ChatController.java`
Add a New REST Endpoint for Group Management
- Create request VO class in domain/vo/request/member or domain/vo/request/admin: `mallchat-chat-server/src/main/java/com/abin/mallchat/common/chat/domain/vo/request/member/MemberCustomReq.java`
- Create response VO class in domain/vo/response: `mallchat-chat-server/src/main/java/com/abin/mallchat/common/chat/domain/vo/response/MemberCustomResp.java`
- Add controller method to RoomController or create a new GroupController: `mallchat-chat-server/src/main/java/com/abin/mallchat/common/chat/controller/RoomController.java`
- Use existing DAOs (GroupMemberDao, RoomGroupDao) or create new ones for your business logic: `mallchat-chat-server/src/main/java/com/abin/mallchat/common/chat/dao/GroupMemberDao.java`
Add Message Processing Async Handler
- Create new consumer class extending existing message consumer pattern: `mallchat-chat-server/src/main/java/com/abin/mallchat/common/chat/consumer/CustomEventConsumer.java`
- Implement message queue listener (e.g., RabbitMQ, Kafka) following MsgSendConsumer pattern: `mallchat-chat-server/src/main/java/com/abin/mallchat/common/chat/consumer/MsgSendConsumer.java`
- Register consumer in Spring configuration to enable auto-listening: `mallchat-chat-server/src/main/java/com/abin/mallchat/common/MallchatCustomApplication.java`
🪤Traps & gotchas
1. Database migrations: `docs/version/*.sql` files suggest breaking schema changes; no liquibase/flyway visible—manual migration strategy unclear.
2. No Java version specified in pom.xml snippet—assume 8+ but could break on newer versions (sealed classes, records, etc.).
3. OSS integration (`mallchat-oss-starter` dependency) requires external object storage config (likely Aliyun or Tencent COS based on Chinese market); missing credentials will fail file uploads.
4. Netty WebSocket binding—port config not visible in snippet; likely `application.yml` or `MallchatCustomApplication.java`—verify before port conflicts.
5. Redis requirement: distributed lock annotations imply Redis backend (no fallback); startup fails silently if Redis unavailable.
🏗️Architecture
💡Concepts to learn
- WebSocket + Netty bi-directional messaging — Core transport for real-time chat; MallChat uses Netty (not Spring WebFlux) directly—understanding frame encoding, connection lifecycle, and backpressure is essential for modifying message delivery
- Distributed locks (Redis-based annotations) — README mentions '分布式锁注解' (distributed lock annotation)—crucial for race conditions in inventory deduction, cart updates, and concurrent message marking across multiple server instances
- Message queue consumer pattern (async delivery) — `MsgSendConsumer.java` decouples HTTP write from async broadcast—enables offline message buffering, retries, and non-blocking room/group notifications at scale
- DAO pattern with MyBatis dynamic SQL — Seven DAO classes (MessageDao, RoomDao, ContactDao, etc.) suggest complex queries—understanding lazy joins, N+1 prevention, and pagination is critical for message history and contact list performance
- Event-driven architecture for notifications — E-commerce features (orders, payments, logistics) likely publish events consumed by chat (notifications, status updates)—understanding decoupling via events vs. direct calls impacts maintainability
- IP geolocation for user location detection — README mentions 'ip解析归属地' (IP geolocation wheel)—used for fraud detection, logistics address validation, and regional recommendation filtering; understanding GeoIP libraries and caching prevents latency
- Frequency control (rate limiting) via annotations — README hints at '频控注解' (frequency control annotation)—protects chat API from spam, prevents message flood, and limits payment retries; understanding token bucket or sliding window implementation prevents abuse
🔗Related repos
- linlinjava/litemall — Chinese e-commerce+messaging reference project; same stack (Spring Boot, MySQL) and feature overlap (cart, orders, IM) makes pattern comparison valuable
- crossoverJie/cim — Netty-based instant messaging framework (pure chat focus); MallChat's WebSocket layer could be extracted/simplified using this architectural pattern
- Evansy/MallChatWeb — Official frontend repo (linked in README)—required for full-stack local development and understanding API contracts
- YunaiV/ruoyi-vue-pro — Enterprise-grade Spring Boot + Vue scaffold with similar Chinese market focus; codebase organization and AOP patterns transferable
- apache/rocketmq — Distributed message queue reference—MallChat's `MsgSendConsumer` likely needs async guarantees that RocketMQ provides for production scale
🪄PR ideas
To work on one of these in Claude Code or Cursor, paste:
Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.
Add comprehensive unit tests for ChatController and ContactController
The chat-server module has controller classes (ChatController.java, ContactController.java, RoomController.java) but no visible test files in the provided structure. Given this is an enterprise-grade e-commerce system, these critical endpoints handling real-time messaging need test coverage. This would include testing message sending, contact management, and room operations with various edge cases.
- [ ] Create mallchat-chat-server/src/test/java/com/abin/mallchat/common/chat/controller/ChatControllerTest.java with tests for sendMessage, recallMessage, markMessage endpoints
- [ ] Create mallchat-chat-server/src/test/java/com/abin/mallchat/common/chat/controller/ContactControllerTest.java testing contact CRUD operations
- [ ] Add tests for RoomController.java covering room creation, member management, and room queries
- [ ] Mock dependencies (MessageDao, RoomDao, ContactDao) using Mockito
- [ ] Ensure test coverage for both happy path and error scenarios (invalid inputs, database failures)
Add database migration validation tests for version SQL files
The project has multiple versioned SQL files (docs/version/2023-06-04.sql through 2023-08-13.sql) for schema evolution, but no automated tests to ensure migrations are compatible and don't break existing data. This is critical for an e-commerce system to prevent production issues during deployments.
- [ ] Create mallchat-chat-server/src/test/java/com/abin/mallchat/common/chat/MigrationTest.java
- [ ] Implement test that applies each version SQL file sequentially using an embedded H2 database or testcontainers
- [ ] Validate that core tables (Message, Contact, Room, RoomFriend, RoomGroup) exist and have expected columns after each migration
- [ ] Test data integrity: verify foreign key relationships and constraints are maintained
- [ ] Add test to ensure schema from docs/mallchat.sql matches the final state after all migrations
Add integration tests for MsgSendConsumer message processing pipeline
MsgSendConsumer.java handles critical asynchronous message processing but appears to have no visible integration tests. This consumer is essential for reliability in a chat system—missing tests could hide issues with message delivery, ordering, or state inconsistencies.
- [ ] Create mallchat-chat-server/src/test/java/com/abin/mallchat/common/chat/consumer/MsgSendConsumerTest.java
- [ ] Set up test infrastructure using testcontainers for any message broker (Kafka/RabbitMQ) used by the consumer
- [ ] Test the full message flow: produce message → consumer processes → verify Message entity created/updated in database
- [ ] Add tests for edge cases: duplicate messages, out-of-order delivery, consumer failures, and retry logic
- [ ] Verify MessageMarkDao and MessageDao are called correctly and database state is consistent after processing
- [ ] Test interaction with GroupMemberDao for group message delivery across multiple users
🌿Good first issues
- Add unit tests for `MessageDao.java` query methods (findByRoomId, findByUserId patterns)—currently no `/src/test` visible in chat module, critical for regression testing message history pagination
- Document missing enum values in `GroupConst.java`—README mentions 'group chat' but constant definitions invisible; adding Javadocs and usage examples would help new contributors understand group permission model
- Implement missing DTOs for e-commerce checkout flow (OrderDTO, PaymentDTO, CartItemDTO)—visible gap between chat module completeness and shopping cart mentioned in README as 'must-have'; stub classes would unblock parallel frontend work
⭐Top contributors
- @zongzibinbin — 63 commits
- @Kkuil — 10 commits
- @zwmonrningstar — 7 commits
- @limeng — 4 commits
- @HildaM — 2 commits
📝Recent commits
- f256332 — Merge pull request #166 from FlowerCard/feature/GlobalExceptionHandler (zongzibinbin)
- c0096e6 — add. add response status to the global exception handler (CassianFlorin)
- 907e417 — BUG fixes (zongzibinbin)
- b871ea6 — Merge pull request #164 from sunwenhaopro/sunwenhao (zongzibinbin)
- 96a3c47 — fix: optimize the AC automaton (sunwenhaopro)
- e1fd59b — Merge pull request #161 from ZengLiangl/main (zongzibinbin)
- 906a883 — Merge pull request #163 from sunwenhaopro/sunwenhao (zongzibinbin)
- 8e6841b — feat: websocket load-test class (zongzibinbin)
- 99d578a — fix: Check failure data from 2 minutes ago (zengliang)
- 7c2c4d9 — feat: websocket load-test class (zongzibinbin)
🔒Security observations
- High · Outdated Spring Framework Version — `mallchat-chat-server/pom.xml`, spring-test dependency (version 5.3.19). The codebase uses Spring 5.3.19, which is no longer receiving security updates. This version was released in 2021 and has known vulnerabilities. Spring 5.3.x reached end-of-life in December 2023. Fix: Upgrade to Spring 6.x or latest 5.3.x patch version. Review and apply all available security patches for all Spring Framework dependencies.
- High · P6Spy Debug Library in Production — `mallchat-chat-server/pom.xml`, p6spy dependency. P6Spy (version 3.9.1) is a JDBC proxy library primarily used for SQL logging and debugging. Including it in production dependencies can expose sensitive SQL queries, connection details, and parameter values in logs, potentially leading to information disclosure. Fix: Move P6Spy to test/debug profile only. Use Maven profiles to exclude it from production builds, or configure it only for development environments.
- Medium · Unclear Token Library - Security Validation Required — `mallchat-chat-server/pom.xml`, jtokkit dependency (version 0.6.1). The dependency 'jtokkit' (version 0.6.1) from com.knuddels is used but its purpose in a chat/e-commerce system is unclear. Token handling libraries require careful vetting for security. The library appears to be for token counting related to LLM APIs, which may have undisclosed security implications. Fix: Document the purpose of this library. Perform a security audit of the library's source code. Ensure token handling is properly secured and doesn't expose sensitive data.
- Medium · Missing Input Validation on Chat/Message Controllers — `mallchat-chat-server/src/main/java/com/abin/mallchat/common/chat/controller/`. The file structure shows ChatController.java, ContactController.java, and RoomController.java handling user input (ChatMessageBaseReq, ChatMessageReq, etc.) for chat operations. Without visible validation logic in the structure, there's risk of injection attacks (XSS, SQLi) in message processing. Fix: Implement comprehensive input validation on all request objects using JSR-303/JSR-380 annotations (@NotNull, @Pattern, @Size). Sanitize message content before storage and especially before rendering. Use prepared statements for all database queries.
- Medium · No Visible Authentication/Authorization Framework — `mallchat-chat-server/src/main/java/com/abin/mallchat/common/chat/controller/`. The file structure shows chat, room, and contact management endpoints but no visible security configuration, authentication filters, or authorization annotations. This suggests potential missing security controls for multi-user chat operations. Fix: Implement Spring Security with proper authentication (JWT, OAuth2, or session-based). Add authorization checks to ensure users can only access their own messages, rooms, and contacts. Implement role-based access control (RBAC) for group/admin operations.
- Medium · SQL Files in Version Control — `docs/mallchat.sql`, `docs/version/*.sql`. Database migration files are stored in Git (docs/version/*.sql, docs/mallchat.sql). These files may contain sensitive schema information and could be leveraged for SQL injection attacks if endpoints are vulnerable. Fix: While SQL schema is typically not secret, follow principle of least privilege. Consider moving to a migration tool like Flyway or Liquibase with parameterized queries. Never commit database dumps with real data.
- Medium · WebSocket/Real-time Communication Security Unknown — `mallchat-chat-server` (WebSocket implementation not visible in provided structure). MallChat is a chat system requiring real-time messaging, likely using WebSockets. The configuration and security of WebSocket endpoints are not visible in the provided file structure, potentially missing CSRF protection, authentication validation, and rate limiting. Fix: Ensure WebSocket endpoints validate authentication tokens on each message. Implement CSRF tokens for WebSocket upgrades. Add rate limiting to prevent message flooding. Validate all incoming WebSocket messages rigorously.
- Low · Test Dependencies in Production Scope — undefined. junit and spring-boot- Fix: undefined
LLM-derived; treat as a starting point, not a security audit.
👉Where to read next
- Open issues — current backlog
- Recent PRs — what's actively shipping
- Source on GitHub
Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.