4 changes: 4 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -93,3 +93,7 @@ bin/

# Go TUI
packages/tui/cmd/rogue/__debug*

# Gradle / Kotlin
.gradle/
**/build/
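Review bot: the new `.gradle/` and `**/build/` entries cover build output but not a `.env` file, and the Kotlin example in this PR pulls in `io.github.cdimascio:dotenv-java`, which reads secrets such as `OPENAI_API_KEY` from a local `.env`; unless the repository already ignores `.env` elsewhere, add `.env` next to these entries so an API key cannot be committed by accident. Also, `**/build/` matches any directory named `build` anywhere in the tree, including source directories; scoping it to `examples/kotlin/**/build/`, mirroring the `packages/tui/...` entry above, avoids silently ignoring sources.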
10 changes: 10 additions & 0 deletions examples/kotlin/shirtify-dropwizard/Makefile
@@ -0,0 +1,10 @@
.PHONY: dev build clean

dev:
./gradlew run --args="server src/main/resources/config.yml"

build:
./gradlew shadowJar

clean:
./gradlew clean
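Review bot: `build` produces the shadow jar and `dev` starts the server through `./gradlew run`, but nothing in the Makefile runs the jar that step 3 of the README documents (`java -jar build/libs/shirtify-dropwizard.jar server src/main/resources/config.yml`); a `run` target with that command, added to `.PHONY`, would keep the Makefile and README in step.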
62 changes: 62 additions & 0 deletions examples/kotlin/shirtify-dropwizard/README.md
@@ -0,0 +1,62 @@
# Shirtify T-Shirt Store Agent (Kotlin + LangChain4j + Dropwizard)

A Kotlin implementation of the Shirtify t-shirt store agent using LangChain4j
with Dropwizard and the A2A (Agent-to-Agent) protocol.

## Prerequisites

- JDK 25 or higher
- Gradle 9.x (wrapper included)
- OpenAI API key

## Quick Start

1. Set your OpenAI API key:
```bash
export OPENAI_API_KEY="your-api-key"
```

2. Build the project:
```bash
./gradlew shadowJar
```

3. Run the agent:
```bash
java -jar build/libs/shirtify-dropwizard.jar server src/main/resources/config.yml
```

Or using Gradle:
```bash
./gradlew run --args="server src/main/resources/config.yml"
```

4. The agent will be available at:
- Agent Card: `http://localhost:10004/.well-known/agent.json`
- A2A Endpoint: `http://localhost:10004/`
- Admin/Health: `http://localhost:10005/healthcheck`

## Testing with Rogue

Run a red team scan against this agent:

```bash
rogue-ai red-team --agent-url http://localhost:10004 --protocol a2a
```

## Project Structure

- `ShirtifyApplication.kt` - Dropwizard Application entry point
- `ShirtifyConfiguration.kt` - YAML configuration mapping
- `ShirtifyAgentService.kt` - LangChain4j AI Service (manual wiring)
- `ShirtifyTools.kt` - Tool definitions (inventory, email)
- `A2AResource.kt` - Jersey JAX-RS A2A endpoints
- `AgentHealthCheck.kt` - Dropwizard health check

## Tech Stack

- Kotlin 2.3
- Dropwizard 4.0
- LangChain4j 1.11.0
- Jersey (JAX-RS)
- Jetty
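Review bot: "JDK 25 or higher" under Prerequisites does not match `build.gradle.kts`, whose toolchain block requests `JavaLanguageVersion.of(25)`, which Gradle resolves to a JDK of exactly that language version; either say "JDK 25" here or loosen the toolchain. The Quick Start also only documents `export OPENAI_API_KEY=...`, while the build depends on `dotenv-java`; a line saying that a `.env` file is supported (and that it must not be committed) would save readers a surprise.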
68 changes: 68 additions & 0 deletions examples/kotlin/shirtify-dropwizard/build.gradle.kts
@@ -0,0 +1,68 @@
plugins {
kotlin("jvm") version "2.3.0"
application
id("com.gradleup.shadow") version "9.0.0-beta12"
}

group = "com.shirtify"
version = "1.0.0"

application {
mainClass.set("com.shirtify.agent.ShirtifyApplicationKt")
}

java {
toolchain {
languageVersion = JavaLanguageVersion.of(25)
}
}

repositories {
mavenCentral()
}

val dropwizardVersion = "4.0.7"
val langchain4jVersion = "1.11.0"

dependencies {
// Dropwizard
implementation("io.dropwizard:dropwizard-core:$dropwizardVersion")

// LangChain4j (core, no Spring Boot starters)
implementation("dev.langchain4j:langchain4j:$langchain4jVersion")
implementation("dev.langchain4j:langchain4j-open-ai:$langchain4jVersion")


// dotenv
implementation("io.github.cdimascio:dotenv-java:3.1.0")

// Kotlin
implementation("com.fasterxml.jackson.module:jackson-module-kotlin:2.17.2")
implementation("org.jetbrains.kotlin:kotlin-reflect")

// Test
testImplementation("io.dropwizard:dropwizard-testing:$dropwizardVersion")
testImplementation("org.junit.jupiter:junit-jupiter:5.10.2")
}

kotlin {
compilerOptions {
freeCompilerArgs.addAll("-Xjsr305=strict")
javaParameters = true // Required for LangChain4j tool parameter names
}
}

tasks.withType<Test> {
useJUnitPlatform()
}

tasks.named<com.github.jengelman.gradle.plugins.shadow.tasks.ShadowJar>("shadowJar") {
isZip64 = true
archiveBaseName.set("shirtify-dropwizard")
archiveClassifier.set("")
archiveVersion.set("")
mergeServiceFiles()
manifest {
attributes["Main-Class"] = "com.shirtify.agent.ShirtifyApplicationKt"
}
}
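Review bot: `id("com.gradleup.shadow") version "9.0.0-beta12"` in the plugins block pins a pre-release of the Shadow plugin while every other dependency here is a GA release; for an example project a stable Shadow release keeps the `shadowJar` configuration at the bottom of the file (`isZip64`, `mergeServiceFiles()`, the `Main-Class` manifest entry) from depending on beta-only behaviour. Minor style point: the double blank line between the LangChain4j and dotenv dependency groups can be collapsed to one.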
Comment on lines 1 to 68
Contributor
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

Dropwizard 4.0.7 latest version security advisories 2025

💡 Result:

What security advisories in 2025 matter for Dropwizard 4.0.7?

Dropwizard 4.0.7 itself (released Mar 6, 2024) doesn’t have a widely-cited “Dropwizard-core” CVE issued in 2025; the main 2025 risk comes from transitive dependencies you may be pulling in.

Notable 2025 advisories that can impact typical Dropwizard apps

  • CVE-2025-12383 (Eclipse Jersey) – race condition that can cause critical SSL settings to be ignored in specific Jersey versions; patched in 2.46 / 3.0.17 / 3.1.10. If your Dropwizard app resolves an affected Jersey version (directly or via overrides), you should upgrade Jersey (or Dropwizard) accordingly. [1]
  • CVE-2025-8885 (Bouncy Castle bcprov / bc-fips) – potential DoS via excessive allocation when processing specially formed ASN.1 Object Identifiers; affects bcprov up to 1.77 (fixes are in later releases per vendor ecosystem). If your dependency tree includes affected Bouncy Castle, upgrade that library or upgrade Dropwizard to a release that pulls a fixed version. [2]

Dropwizard-specific advisory (not 2025, but often flagged)

  • CVE-2020-5245 / GHSA-3mcp-9wr4-cjqf – Dropwizard Validation “self-validating” feature could allow Java EL injection leading to RCE in older versions; fixed long ago, but it’s a common scanner finding to verify against. [3]

“Latest version” context (so you can patch effectively)

  • Dropwizard 5.0.0 was released Sep 16, 2025. [4]
  • Maven Central shows newer releases exist, including Dropwizard 5.0.1 (Jan 27, 2026) and Dropwizard 4.0.17 (Jan 27, 2026). [5]
  • Dropwizard maintainers announced Dropwizard 4.0.x EOL: Jan 31, 2026. [6]

Practical takeaway: for “2025 security advisories” affecting a 4.0.7-based app, you generally need to (1) check the resolved versions of Jersey/BouncyCastle/etc. in your dependency tree, and (2) upgrade Dropwizard (preferably) or override those dependencies to patched versions.

Sources: [1] [2] [3] [4] [5] [6]


🌐 Web query:

LangChain4j 1.11.0 latest stable version security updates 2025

💡 Result:

  • Latest stable LangChain4j version: 1.11.0, released February 4, 2026 (so it’s not a 2025 release). [1]
  • “Security updates in 2025” for LangChain4j 1.11.0: Not applicable, because 1.11.0 didn’t exist in 2025. [1]
  • Known 2025 CVEs specifically for “LangChain4j” projects: A published 2025 CVE I can find targets LangChain4j-AIDeepin (a separate community project), not the langchain4j/langchain4j core library. It’s fixed in LangChain4j-AIDeepin 3.5.0. [2]
  • Where LangChain4j core publishes updates: LangChain4j’s docs point to the GitHub Releases page for official release notes (including fixes). [3]

Sources: GitHub Releases (langchain4j/langchain4j) [1], INCIBE CVE-2025-21604 (LangChain4j-AIDeepin) [2], LangChain4j docs “Latest Release Notes” [3].


🌐 Web query:

Kotlin 1.9.25 JVM plugin latest version Java 17 compatibility

💡 Result:

  • Kotlin JVM Gradle plugin version 1.9.25 is published on the Gradle Plugin Portal (created July 19, 2024). [1]
  • Latest org.jetbrains.kotlin.jvm plugin on the Gradle Plugin Portal (as of Feb 4, 2026) is 2.3.20-Beta1 (created Jan 8, 2026). [2]

Java 17 compatibility (with Kotlin 1.9.25 / KGP 1.9.25):

  • Kotlin/JVM supports generating Java 17 bytecode by setting jvmTarget = 17 (the Kotlin compiler’s -jvm-target supports values including 17). [3]
  • In Gradle, the recommended way is to use a JVM toolchain (example: kotlin { jvmToolchain(17) }). [4]
  • Also ensure your Gradle runtime is compatible with Java 17 (modern Gradle versions run on JVM 17+). [5]

Sources:
[1] Gradle Plugin Portal – org.jetbrains.kotlin.jvm version 1.9.25 page.
[2] Gradle Plugin Portal – org.jetbrains.kotlin.jvm (latest) page.
[3] Kotlin docs – compiler option -jvm-target.
[4] Kotlin docs – Gradle toolchain configuration.
[5] Gradle docs – Java/Gradle compatibility matrix.


🌐 Web query:

jackson-module-kotlin 2.17.2 security advisories latest version

💡 Result:

  • Security advisories for com.fasterxml.jackson.module:jackson-module-kotlin 2.17.2: Jackson’s Kotlin module repo currently shows no published security advisories. [1]
  • What to watch instead: jackson-module-kotlin pulls in jackson-databind (and annotations) as dependencies, so most real-world Jackson CVEs typically apply via those core components rather than the Kotlin module itself. [2]
  • Latest version (same Maven coordinates): On Maven Central, the newest published com.fasterxml.jackson.module:jackson-module-kotlin directory version is 2.20.1 (dated 2025-10-31). [2]
  • Context for 2.17.2: Jackson 2.17.2 was released July 5, 2024 as a patch release. [3]

Sources:
[1] GitHub Security overview for FasterXML/jackson-module-kotlin (“There aren’t any published security advisories”) (github.com)
[2] Maven Central repository directory listing for jackson-module-kotlin (shows latest as 2.20.1) (repo1.maven.org)
[3] FasterXML Jackson Wiki: “Jackson Release 2.17.2” (released July 5, 2024) (github.com)


🌐 Web query:

JUnit Jupiter 5.10.2 latest stable version 2025

💡 Result:

JUnit Jupiter 5.10.2 is not the latest stable in 2025.

The latest stable (GA) JUnit Jupiter version released in 2025 was 5.14.1, released October 31, 2025. [1]
(Just before that: 5.14.0, released September 30, 2025.) [2]

Maven/Gradle coordinate: org.junit.jupiter:junit-jupiter:5.14.1 [1]

Sources
[1] (docs.junit.org)
[2] (docs.junit.org)


Upgrade Dropwizard and dependencies immediately: 4.0.7 is end-of-life (Jan 31, 2026) and has unpatched transitive dependency vulnerabilities.

Dropwizard 4.0.7 (Mar 6, 2024) is at or past EOL with no further support. Additionally, 2025 advisories affect libraries it typically pulls in: CVE-2025-12383 (Eclipse Jersey — SSL configuration bypass) and CVE-2025-8885 (Bouncy Castle — DoS). Upgrade to Dropwizard 5.0.1 (Jan 27, 2026) or at minimum 4.0.17, or manually override Jersey and Bouncy Castle to patched versions.

Other outdated dependencies worth upgrading:

  • Kotlin JVM plugin: 1.9.25 → 2.3.20 (or stable 2.2.x)
  • jackson-module-kotlin: 2.17.2 → 2.20.1
  • JUnit Jupiter: 5.10.2 → 5.14.1

LangChain4j 1.11.0 is the current stable version (no issues).

🤖 Prompt for AI Agents
In `@examples/kotlin/shirtify-dropwizard/build.gradle.kts` around lines 1 - 64,
The build uses end-of-life Dropwizard 4.0.7 and several outdated plugins/deps;
update the dropwizardVersion variable (from "4.0.7") to a supported release
(preferably "5.0.1" or at minimum "4.0.17") or add forced resolution/constraints
for patched Jersey/BouncyCastle transitive deps, and update the Kotlin plugin
version string in plugins (kotlin("jvm") version "1.9.25"),
jackson-module-kotlin dependency
("com.fasterxml.jackson.module:jackson-module-kotlin:2.17.2") and JUnit
dependency ("org.junit.jupiter:junit-jupiter:5.10.2") to the recommended safe
versions (e.g., Kotlin 2.3.x/2.2.x, jackson 2.20.1, JUnit 5.14.1); ensure
application of these new versions propagates to the ShadowJar manifest settings
that reference Main-Class and that the kotlin.compilerOptions comment about
javaParameters remains valid.

Binary file not shown.
@@ -0,0 +1,7 @@
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=https\://services.gradle.org/distributions/gradle-9.3.1-bin.zip
networkTimeout=10000
validateDistributionUrl=true
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
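Review bot: `distributionUrl` points at `gradle-9.3.1-bin.zip` but no `distributionSha256Sum` is set, so `validateDistributionUrl=true` only checks the URL before download and does nothing to verify the archive that is actually fetched; add `distributionSha256Sum=<sha256 published for gradle-9.3.1-bin.zip on services.gradle.org>` (placeholder, not the real value) so the wrapper rejects a tampered or substituted distribution.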
201 changes: 201 additions & 0 deletions examples/kotlin/shirtify-dropwizard/gradlew