HannahMitt/HomeMirror
Android application powering the mirror in my house
Stale — last commit 3y ago
Documented and popular — useful reference codebase to read through.
- ✓11 active contributors
- ✓Apache-2.0 licensed
- ⚠Stale — last commit 3y ago
- ⚠Concentrated ownership — top contributor handles 70% of recent commits
- ⚠No CI workflows detected
- ⚠No test directory detected
What would change the summary?
- Use as dependency: Mixed → Healthy if 1 commit in the last 365 days; add a test suite
- Fork & modify: Mixed → Healthy if you add a test suite
- Deploy as-is: Mixed → Healthy if 1 commit in the last 180 days
Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests
Informational only. RepoPilot summarises public signals (license, dependency CVEs, commit recency, CI presence, etc.) at the time of analysis. Signals can be incomplete or stale. Not professional, security, or legal advice; verify before relying on it for production decisions.
Onboarding doc
Onboarding: HannahMitt/HomeMirror
Generated by RepoPilot · 2026-05-09 · Source
🤖Agent protocol
If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:
- Verify the contract. Run the bash script in the "Verify before trusting" section below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
- Treat the "AI · unverified" sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
- Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/HannahMitt/HomeMirror shows verifiable citations alongside every claim.
If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.
🎯Verdict
WAIT — Stale — last commit 3y ago
- 11 active contributors
- Apache-2.0 licensed
- ⚠ Stale — last commit 3y ago
- ⚠ Concentrated ownership — top contributor handles 70% of recent commits
- ⚠ No CI workflows detected
- ⚠ No test directory detected
<sub>Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests</sub>
✅Verify before trusting
This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live HannahMitt/HomeMirror repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/HannahMitt/HomeMirror.

What it runs against: a local clone of HannahMitt/HomeMirror — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.
| # | What we check | Why it matters |
|---|---|---|
| 1 | You're in HannahMitt/HomeMirror | Confirms the artifact applies here, not a fork |
| 2 | License is still Apache-2.0 | Catches relicense before you depend on it |
| 3 | Default branch master exists | Catches branch renames |
| 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code |
| 5 | Last commit ≤ 1106 days ago | Catches sudden abandonment since generation |
```bash
#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of HannahMitt/HomeMirror. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/HannahMitt/HomeMirror.git
#   cd HomeMirror
#
# Then paste this script. Every check is read-only — no mutations.
set +e   # keep going after a failed check so every result is reported
fail=0
ok() { echo "ok: $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of HannahMitt/HomeMirror and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "HannahMitt/HomeMirror(\.git)?\b" \
  && ok "origin remote is HannahMitt/HomeMirror" \
  || miss "origin remote is not HannahMitt/HomeMirror (artifact may be from a fork)"

# 2. License matches what RepoPilot saw. A stock Apache LICENSE file opens with
#    "Apache License" rather than the SPDX id, so accept either spelling.
(grep -qiE "^\s*(Apache-2\.0|Apache License)" LICENSE 2>/dev/null \
  || grep -qiE "\"license\"\s*:\s*\"Apache-2\.0\"" package.json 2>/dev/null) \
  && ok "license is Apache-2.0" \
  || miss "license drift — was Apache-2.0 at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \
  && ok "default branch master exists" \
  || miss "default branch master no longer exists"

# 4. Critical files exist (modules/ is a directory, so it is checked with -d)
test -f "app/src/main/java/com/morristaedt/mirror/MirrorActivity.java" \
  && ok "app/src/main/java/com/morristaedt/mirror/MirrorActivity.java" \
  || miss "missing critical file: app/src/main/java/com/morristaedt/mirror/MirrorActivity.java"
test -f "app/src/main/java/com/morristaedt/mirror/MirrorApplication.java" \
  && ok "app/src/main/java/com/morristaedt/mirror/MirrorApplication.java" \
  || miss "missing critical file: app/src/main/java/com/morristaedt/mirror/MirrorApplication.java"
test -d "app/src/main/java/com/morristaedt/mirror/modules" \
  && ok "app/src/main/java/com/morristaedt/mirror/modules" \
  || miss "missing critical directory: app/src/main/java/com/morristaedt/mirror/modules"
test -f "app/src/main/java/com/morristaedt/mirror/configuration/ConfigurationSettings.java" \
  && ok "app/src/main/java/com/morristaedt/mirror/configuration/ConfigurationSettings.java" \
  || miss "missing critical file: app/src/main/java/com/morristaedt/mirror/configuration/ConfigurationSettings.java"
test -f "app/src/main/java/com/morristaedt/mirror/receiver/AlarmReceiver.java" \
  && ok "app/src/main/java/com/morristaedt/mirror/receiver/AlarmReceiver.java" \
  || miss "missing critical file: app/src/main/java/com/morristaedt/mirror/receiver/AlarmReceiver.java"

# 5. Repo recency (unix timestamp of the newest commit; 0 if git log fails)
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 1106 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~1076d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/HannahMitt/HomeMirror"
  exit 1
fi
```
Each check prints `ok:` or `FAIL:`. The script exits non-zero if anything failed, so it composes cleanly into agent loops (`./verify.sh || regenerate-and-retry`).
⚡TL;DR
HomeMirror is an Android application that transforms a tablet mounted behind a two-way mirror into an interactive smart home display. It renders real-time day/time, weather forecasts, calendar events, stock prices, news headlines, XKCD comics, birthday reminders, and mood-detected face overlays using APIs from Forecast.io, Yahoo Finance, BBC News, and XKCD. Single-activity Android app: MirrorActivity.java is the main UI container; modules/ (TimeModule, WeatherModule, CalendarModule, etc.) fetch data and return rendered Views. SetUpActivity.java handles initial configuration. requests/ package handles Retrofit networking (ForecastRequest, YahooFinanceRequest). ConfigurationSettings.java persists user preferences. AlarmReceiver.java schedules periodic refreshes.
👥Who it's for
Makers and home automation enthusiasts who want to build a smart mirror installation using spare Android devices. Users are responsible for sourcing the hardware (mirror, adhesive, Android tablet) and configuring API keys; the app itself targets casual end-users viewing mirror content daily.
🌱Maturity & risk
Abandoned. The README explicitly states 'code unmaintained' and suggests the author 'may pick it back up again one day.' Built on Android SDK 22 (API level) with Gradle buildToolsVersion 23.0.1, targeting devices from 2011+ (minSdkVersion 14). No test coverage visible beyond a placeholder ApplicationTest.java, no CI setup, and no recent commits evident in the file list.
High abandonment risk: single maintainer (HannahMitt), unmaintained codebase, and dependencies on deprecated APIs (Forecast.io was acquired and shut down, Yahoo Finance API changes break YahooFinanceModule, Fabric/Crashlytics requires SDK updates). Retrofit 1.9.0 is ancient; modern equivalents are 2.x+. No dependency management tooling (no gradle.lock, no version pinning). Face detection via Google Play Services Vision 8.1.0 is deprecated in favor of ML Kit.
Active areas of work
Nothing. The repository is archived (per the README disclaimer). No active development, PRs, or issues are being triaged.
🚀Get running
git clone https://github.com/HannahMitt/HomeMirror.git && cd HomeMirror && open app/ in Android Studio. You must obtain a Forecast.io API key, create app/src/main/res/values/keys.xml with <string name="dark_sky_api_key">YOUR_KEY</string>, then Build > Run (emulator or real device).
Daily commands: Android Studio: File > Open, select HomeMirror directory. Ensure you have SDK 22 and build tools 23.0.1 installed. Create keys.xml as described above. Click Run (green play button) or ./gradlew installDebug from command line. To enable auto-stay-awake: enable Developer Option 'Stay Awake' in device Settings.
🗺️Map of the codebase
- app/src/main/java/com/morristaedt/mirror/MirrorActivity.java — Main UI entry point that orchestrates all modules and handles the mirror display lifecycle.
- app/src/main/java/com/morristaedt/mirror/MirrorApplication.java — Application-level initialization and global state management for the mirror app.
- app/src/main/java/com/morristaedt/mirror/modules — Core module system where all features (weather, calendar, news, mood) are implemented as pluggable components.
- app/src/main/java/com/morristaedt/mirror/configuration/ConfigurationSettings.java — Centralized configuration for API keys, preferences, and feature toggles.
- app/src/main/java/com/morristaedt/mirror/receiver/AlarmReceiver.java — Background task scheduler that refreshes module data at regular intervals.
- app/src/main/AndroidManifest.xml — Declares permissions for network access, sensors (camera for mood detection), and wake locks.
🛠️How to make changes
Add a new feature module
- Create a new class following the Module pattern (see ForecastModule.java for reference) (app/src/main/java/com/morristaedt/mirror/modules/YourFeatureModule.java)
- Implement the update() method to fetch and format data for display (app/src/main/java/com/morristaedt/mirror/modules/YourFeatureModule.java)
- Register the module in MirrorActivity by adding it to the module list (app/src/main/java/com/morristaedt/mirror/MirrorActivity.java)
- Add a toggle switch in the SetUpActivity UI if the feature is optional (app/src/main/java/com/morristaedt/mirror/SetUpActivity.java)
Add a new external API integration
- Create a request class with the API endpoint and HTTP method (see YahooFinanceRequest.java) (app/src/main/java/com/morristaedt/mirror/requests/YourAPIRequest.java)
- Create a response class matching the API's JSON schema (app/src/main/java/com/morristaedt/mirror/requests/YourAPIResponse.java)
- Store the API key in the keys.xml resource file and add it to ConfigurationSettings.java (app/src/main/res/values/keys.xml)
- Create a module class that uses YourAPIRequest to fetch and display data (app/src/main/java/com/morristaedt/mirror/modules/YourFeatureModule.java)
Enable background refresh scheduling
- Configure the alarm interval in AlarmReceiver, which triggers module updates (app/src/main/java/com/morristaedt/mirror/receiver/AlarmReceiver.java)
- Ensure your module's update() method is idempotent and can be called repeatedly (app/src/main/java/com/morristaedt/mirror/modules/YourFeatureModule.java)
- Add the android.permission.WAKE_LOCK permission to the manifest if needed (app/src/main/AndroidManifest.xml)
🔧Why these technologies
- Android SDK (API 14+) — Target platform for running on dedicated mirror device hardware (likely a tablet or phone mounted behind reflective glass)
- HTTP REST APIs (Forecast.io, Yahoo Finance, BBC, XKCD) — Light-weight integration without heavy SDKs; data refreshed periodically rather than real-time
- Fabric Crashlytics — Remote crash reporting for unmaintained device in home setting to diagnose runtime issues
- AlarmManager + BroadcastReceiver — Schedule periodic background refresh without requiring persistent threads or high battery drain
- Camera API + Face Detection (implied by MoodModule) — Enables mood-based display personalization without requiring external sensors
⚖️Trade-offs already made
- Pluggable Module architecture instead of monolithic single view
  - Why: Allows independent feature additions and toggles without modifying core display logic
  - Consequence: Requires boilerplate for each new feature; slight memory overhead for multiple module instances
- Synchronous HTTP requests in modules instead of async/reactive
  - Why: Simpler code for a non-interactive display that refreshes infrequently (every 15-30 min)
  - Consequence: Risk of ANR (Application Not Responding) if any API is slow; requires running refresh in a background thread
- No persistent data layer (no Room/SQLite cache visible in files)
  - Why: Fresh data always fetched; reduces complexity for a single-device app with reliable connectivity
  - Consequence: Blank display if network unavailable; higher API call count without intelligent caching
- Fullscreen immersive display with 'Stay Awake' developer option
  - Why: Maximizes visibility of mirror content on a dedicated in-home device powered by mains
  - Consequence: Not suitable for battery-powered devices; locks out navigation unless developer mode is disabled
🚫Non-goals (don't propose these)
- Real-time data updates (all modules refresh on 15-30 min interval)
- Multi-user or cloud synchronization
- Offline functionality or local caching
- Authentication or login (uses API keys only)
- Cross-platform support (Android only)
- Commercial API integrations (relies on free tiers of Forecast.io, Yahoo Finance, BBC)
🪤Traps & gotchas
Forecast.io API was acquired by Dark Sky (2016) and subsequently shut down by Apple (2023); hardcoded dark_sky_api_key in keys.xml will fail. Yahoo Finance API endpoints may have changed, breaking YahooStockResponse parsing. Google Play Services Vision 8.1.0 is deprecated; ML Kit is the replacement but requires rewrite. Face detection requires camera permissions not explicitly confirmed in modern Android (6.0+). No ProGuard obfuscation enabled in release builds (minifyEnabled false), exposing class names. SetUpActivity expects a UI flow not detailed in the file list; check AndroidManifest.xml for intent filters. AlarmReceiver assumes alarm scheduling via AlarmManager; no wakelock management visible (risk of short refresh cycles draining battery).
💡Concepts to learn
- Two-way mirror (one-way mirror) — The optical foundation of this project—understanding how the mirror reflects light while allowing the Android display to be visible is critical for hardware assembly and debugging screen visibility issues.
- Retrofit REST client abstraction — This codebase uses Retrofit 1.9.0 (deprecated) to declaratively define HTTP endpoints; understanding Retrofit's interface-based API generation is essential for adding new data sources or migrating to Retrofit 2.x.
- Android Activity lifecycle and View hierarchy — MirrorActivity.java manages the lifecycle of module Views; understanding onResume(), onPause(), and the View layout inflation pipeline is critical for adding modules or debugging screen refresh bugs.
- SharedPreferences for lightweight persistence — ConfigurationSettings.java stores user configuration (API keys, module toggles) in SharedPreferences; this is the only persistent storage layer in the app, so understanding its scope and Thread safety is important.
- Android AlarmManager and BroadcastReceiver — AlarmReceiver.java uses AlarmManager to schedule periodic data refreshes for the mirror display; understanding how alarms survive app process death and how to avoid excessive battery drain is critical for production stability.
- Google Play Services Vision (face detection via ML Kit) — MoodModule.java uses the deprecated Vision library for face and emotion detection; understanding camera permission flows and real-time vision processing is essential for modernizing to ML Kit.
- RSS feed parsing for news aggregation — NewsModule likely uses the android-rss library to fetch and parse BBC News feeds; understanding feed structure and parsing errors is necessary for adding or troubleshooting news display.
🔗Related repos
- HannahMitt/HomeMirror-Deployment — Likely companion repo for deployment scripts, Docker configs, or CI/CD setup specific to the mirror installation.
- MichMich/MagicMirror — Popular alternative smart mirror project written in Node.js/Electron with modular plugin architecture; shows the ecosystem of DIY mirror projects.
- E1EMENT/Magic-Mirror-1.0 — Another open-source smart mirror implementation; reference for comparison on layout, module patterns, and API integration strategies.
- espressif/esp-idf — Ecosystem context: some DIY mirror makers use ESP32 microcontrollers instead of Android; relevant for understanding hardware interop expectations.
🪄PR ideas
To work on one of these in Claude Code or Cursor, paste:
Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.
Migrate deprecated Retrofit 1.9.0 to Retrofit 2.x with RxJava support
The project uses Retrofit 1.9.0 (released 2014), which is severely outdated and lacks security updates. This affects all API request classes (ForecastRequest, OpenWeatherRequest, XKCDRequest, YahooFinanceRequest). Upgrading to Retrofit 2.x would improve security, add proper error handling, enable reactive streams via RxJava, and reduce maintenance burden. This is critical for a production smart-home application.
- [ ] Update build.gradle dependencies from retrofit:1.9.0 to retrofit:2.x and add converter-gson
- [ ] Refactor app/src/main/java/com/morristaedt/mirror/requests/ForecastRequest.java to use Retrofit 2 interface pattern
- [ ] Refactor app/src/main/java/com/morristaedt/mirror/requests/OpenWeatherRequest.java with new API
- [ ] Refactor app/src/main/java/com/morristaedt/mirror/requests/XKCDRequest.java with proper error callbacks
- [ ] Refactor app/src/main/java/com/morristaedt/mirror/requests/YahooFinanceRequest.java
- [ ] Update all response classes to use @SerializedName annotations properly
- [ ] Add unit tests in app/src/androidTest for at least one request class
Add comprehensive unit tests for module classes with mock API responses
The app has 9 modules (BirthdayModule, CalendarModule, ChoresModule, CountdownModule, DayModule, ForecastModule, MoodModule, NewsModule, TimeModule, TrainScheduleModule, XKCDModule, YahooFinanceModule) but only a skeleton ApplicationTest.java exists. No modules are tested. Adding tests would catch regressions when updating dependencies and ensure data parsing logic is correct.
- [ ] Create app/src/androidTest/java/com/morristaedt/mirror/modules/ForecastModuleTest.java with mock weather responses
- [ ] Create app/src/androidTest/java/com/morristaedt/mirror/modules/YahooFinanceModuleTest.java with mock stock data
- [ ] Create app/src/androidTest/java/com/morristaedt/mirror/modules/XKCDModuleTest.java with mock XKCD responses
- [ ] Use Mockito to mock API requests and verify module update() methods parse data correctly
- [ ] Add test fixtures in app/src/androidTest/resources/ with sample JSON responses
- [ ] Verify all modules handle null/empty API responses gracefully
Update targetSdkVersion from 22 to 31+ and address runtime permission requirements
The app targets API 22 (Android 5.1, released 2015) but modern Google Play Store requires targetSdkVersion 34+. The face detection feature in MoodModule and calendar access require runtime permissions that aren't properly declared. This PR would modernize the app for current Android ecosystem, improve security posture, and enable Play Store distribution.
- [ ] Update build.gradle: change targetSdkVersion from 22 to 34, buildToolsVersion to current
- [ ] Review AndroidManifest.xml and add missing permission declarations for CAMERA (MoodModule), READ_CALENDAR, READ_EXTERNAL_STORAGE
- [ ] Add runtime permission requests in app/src/main/java/com/morristaedt/mirror/MirrorActivity.java using requestPermissions()
- [ ] Update app/src/main/java/com/morristaedt/mirror/modules/MoodModule.java to check permissions before accessing camera
- [ ] Update app/src/main/java/com/morristaedt/mirror/modules/CalendarModule.java to check permissions before querying calendar
- [ ] Test on Android 12+ to verify no crashes from permission denials
🌿Good first issues
- Migrate from deprecated Forecast.io API: Replace ForecastRequest.java and ForecastResponse.java to use Open-Meteo (free, no key required) or NOAA API, then update ConfigurationSettings.java to remove dark_sky_api_key requirement. Tests would validate that ForecastResponse correctly parses new JSON structure.
- Add unit tests for modules: Create app/src/androidTest/java/com/morristaedt/mirror/modules/TimeModuleTest.java and similar for CalendarModule, ForecastModule to verify getView() renders correct data—currently only a stub ApplicationTest.java exists.
- Modernize Retrofit to 2.x and update deprecated Google Play Services Vision to ML Kit: Replace retrofit:1.9.0 with retrofit:2.9.0 and play-services-vision:8.1.0 with google-mlkit-face-detection, then refactor request classes to use new Retrofit interfaces and update MoodModule.java to call ML Kit APIs instead of deprecated Vision APIs.
⭐Top contributors
Click to expand
Top contributors
- @HannahMitt — 70 commits
- @akodiakson — 8 commits
- @morria — 7 commits
- @sokris95 — 5 commits
- @alexbate — 4 commits
📝Recent commits
Click to expand
Recent commits
- 566c03d — Update README.md (HannahMitt)
- 9629136 — update to design doc (Andrew S. Morrison)
- a71c860 — Merge pull request #56 from sokris95/FontColor (HannahMitt)
- 3ea3736 — Fixed a style error. (sokris95)
- b69e858 — Merge remote-tracking branch 'remotes/Hannah/master' into FontColor (sokris95)
- 49c650b — Merge pull request #52 from sokris95/MultipleNewsHeadlines (HannahMitt)
- 2d82fb9 — Merge pull request #53 from sokris95/Countdown (HannahMitt)
- 2f2abda — Added feature to change text color. (sokris95)
- 98b92d9 — Added Countdown functionality. (sokris95)
- 3f7a830 — Cycle through top 10 news headlines. (sokris95)
🔒Security observations
- Critical · Hardcoded Signing Credentials in Build Configuration — app/build.gradle (lines loading signing.properties). The build.gradle file loads signing credentials from a 'signing.properties' file which is referenced in the repository structure but should never be committed to version control. If this file was ever committed, it exposes keystore passwords and key aliases used to sign the application, allowing attackers to forge APK signatures and distribute malicious versions of the app. Fix: Ensure signing.properties is in .gitignore (verify in the .gitignore file). Use Android Studio's built-in signing configuration through environment variables or secure credential management. Never commit sensitive credentials to any repository branch, including history.
- High · Outdated and Vulnerable Dependencies — app/build.gradle (dependencies section). Multiple dependencies are significantly outdated and contain known vulnerabilities: Retrofit 1.9.0 (released 2014, end-of-life), AppCompat-v7 22.0.0 (2014), Picasso 2.5.2 (2014), Play Services Vision 8.1.0 (2015), and Crashlytics 2.5.2 (2015). These versions have known security issues including improper certificate validation, HTTP security issues, and unpatched vulnerabilities. Fix: Update all dependencies to the latest stable versions: Retrofit to 2.9.0 or use OkHttp3 directly, AppCompat to 1.6.x, Picasso to 2.8.1, Play Services to latest, and Crashlytics to the latest Firebase version. Implement dependency scanning in the CI/CD pipeline.
- High · Insecure HTTP API Communication — app/src/main/java/com/morristaedt/mirror/requests/ (all Request classes). The application uses Retrofit 1.9.0 to communicate with multiple APIs (Yahoo Finance, Forecast.io, BBC, XKCD). This outdated version has known issues with certificate pinning and may not enforce modern TLS standards. Additionally, there is no evidence of certificate pinning or SSL/TLS validation hardening, making the app vulnerable to MITM attacks. Fix: Upgrade to Retrofit 2.x with OkHttp3. Implement certificate pinning using OkHttp's CertificatePinner. Enforce TLS 1.2 minimum and disable legacy SSL protocols. Validate that all API endpoints use HTTPS.
- High · API Keys Stored in Code/Resources — app/src/main/res/values/keys.xml (implied, likely contains secrets). The README indicates API keys (forecast.io/Dark Sky API key) are stored in the res/values/keys.xml file. API keys should never be committed to version control as they can be extracted from the APK using decompilation tools, allowing attackers to impersonate the application and consume API quotas or abuse services. Fix: Move API keys to a secure backend service. The application should authenticate to the backend, which then handles API key management. Use the Android Keystore for any secrets that must be stored locally. Rotate all exposed API keys immediately.
- High · ProGuard Minification Disabled in Release Build — app/build.gradle (release buildType, minifyEnabled = false). The build.gradle shows minifyEnabled is set to false for release builds. This means the APK is released with unobfuscated code that can be easily reverse-engineered using standard tools (apktool, jadx), exposing application logic, API endpoints, and sensitive algorithms. Fix: Set minifyEnabled = true in release builds. Configure comprehensive ProGuard rules in proguard-rules.pro to obfuscate all classes, including library classes. Test obfuscated builds thoroughly for functionality.
- Medium · Low Target SDK Version — app/build.gradle (targetSdkVersion 22). Target SDK is set to 22 (Android 5.1, released 2015). Modern Android security features introduced in later API levels (runtime permissions, scoped storage, background execution limits, etc.) are not enforced, reducing security posture on newer devices. Fix: Update targetSdkVersion to 33 or higher (current minimum recommended). Update minSdkVersion to at least 21 to reduce legacy OS support burden. Address deprecated API usage and implement the modern permissions model.
- Medium · Missing Security Headers and Network Configuration — No NetworkSecurityConfiguration.xml file is
LLM-derived; treat as a starting point, not a security audit.
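The "Insecure HTTP API Communication" observation above and the "Migrate deprecated Retrofit 1.9.0 to Retrofit 2.x" PR idea ask for the same thing: a Retrofit 2 client built on an OkHttp 3 instance that pins certificates, refuses anything below TLS 1.2 and never talks cleartext. The class below is an added example written for this page, not HomeMirror's own code; the API host, the endpoint path, the response fields and both pin values are placeholders (the real SPKI pins must be computed from the provider's certificate chain), and it assumes Retrofit 2.x, OkHttp 3.x/4.x and converter-gson are on the classpath.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.concurrent.TimeUnit;

import okhttp3.CertificatePinner;
import okhttp3.ConnectionSpec;
import okhttp3.Interceptor;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.TlsVersion;
import retrofit2.Call;
import retrofit2.Retrofit;
import retrofit2.converter.gson.GsonConverterFactory;
import retrofit2.http.GET;
import retrofit2.http.Query;

/**
 * Added example (not part of HomeMirror): a hardened Retrofit 2 client that
 * would replace one of the Retrofit 1.9 request classes under requests/.
 */
public final class HardenedWeatherClient {

    /** Retrofit 2 declares endpoints as an interface; this API shape is assumed. */
    public interface WeatherApi {
        @GET("v1/forecast")
        Call<WeatherResponse> forecast(@Query("latitude") double lat,
                                       @Query("longitude") double lon);
    }

    /** Minimal response model. Field names are placeholders, not a real schema. */
    public static final class WeatherResponse {
        public Double temperature;
    }

    // Placeholder host and pins. Replace with the real API host and the
    // base64 SHA-256 SPKI hashes of its certificates. Keep a backup pin so a
    // routine certificate rotation does not leave the mirror blank.
    static final String API_HOST = "weather.example.invalid";
    static final String PRIMARY_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    static final String BACKUP_PIN  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    /** Fails closed: any request whose URL is not HTTPS is rejected before it is sent. */
    static final Interceptor requireHttps = chain -> {
        Request req = chain.request();
        if (!req.url().isHttps()) {
            throw new IOException("refusing cleartext request to " + req.url());
        }
        return chain.proceed(req);
    };

    /** Builds the shared OkHttp client with pinning, a TLS 1.2 floor and timeouts. */
    public static OkHttpClient buildClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PRIMARY_PIN)
                .add(API_HOST, BACKUP_PIN)
                .build();

        // MODERN_TLS already drops SSLv3/TLS 1.0 in current OkHttp; stating the
        // floor explicitly keeps the intent visible across library upgrades.
        ConnectionSpec tls12Plus = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                .tlsVersions(TlsVersion.TLS_1_3, TlsVersion.TLS_1_2)
                .build();

        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .connectionSpecs(Arrays.asList(tls12Plus))
                .addInterceptor(requireHttps)
                .connectTimeout(10, TimeUnit.SECONDS)   // a slow API must not stall the refresh cycle
                .readTimeout(15, TimeUnit.SECONDS)
                .build();
    }

    /** Wires the hardened client into Retrofit 2; the base URL is forced to https. */
    public static WeatherApi buildApi(OkHttpClient client) {
        return new Retrofit.Builder()
                .baseUrl("https://" + API_HOST + "/")
                .client(client)
                .addConverterFactory(GsonConverterFactory.create())
                .build()
                .create(WeatherApi.class);
    }
}
```

Call `buildApi(buildClient()).forecast(lat, lon).enqueue(...)` from a module's refresh path rather than `execute()` on the main thread; that also addresses the ANR risk listed under "Trade-offs already made". On Android 7.0+ the same two rules (no cleartext, pinned hosts) can additionally be declared in a `res/xml/network_security_config.xml` referenced from the manifest's `android:networkSecurityConfig` attribute, which covers any HTTP stack in the process, not only this OkHttp instance.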
👉Where to read next
- Open issues — current backlog
- Recent PRs — what's actively shipping
- Source on GitHub
Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.