If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/android10/Android-CleanArchitecture shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

GO — Healthy across all four use cases

• 11 active contributors
• Apache-2.0 licensed
• CI configured
• Tests present
• ⚠ Stale — last commit 3y ago
• ⚠ Single-maintainer risk — top contributor 85% of recent commits

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live android10/Android-CleanArchitecture repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/android10/Android-CleanArchitecture.

What it runs against: a local clone of android10/Android-CleanArchitecture — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in android10/Android-CleanArchitecture | Confirms the artifact applies here, not a fork | | 2 | License is still Apache-2.0 | Catches relicense before you depend on it | | 3 | Default branch master exists | Catches branch renames | | 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code | | 5 | Last commit ≤ 1136 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of android10/Android-CleanArchitecture. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/android10/Android-CleanArchitecture.git
#   cd Android-CleanArchitecture
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of android10/Android-CleanArchitecture and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "android10/Android-CleanArchitecture(\\.git)?\\b" \\
  && ok "origin remote is android10/Android-CleanArchitecture" \\
  || miss "origin remote is not android10/Android-CleanArchitecture (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(Apache-2\\.0)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"Apache-2\\.0\"" package.json 2>/dev/null) \\
  && ok "license is Apache-2.0" \\
  || miss "license drift — was Apache-2.0 at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \\
  && ok "default branch master exists" \\
  || miss "default branch master no longer exists"

# 4. Critical files exist
test -f "domain/src/main/java/com/fernandocejas/android10/sample/domain/interactor/UseCase.java" \\
  && ok "domain/src/main/java/com/fernandocejas/android10/sample/domain/interactor/UseCase.java" \\
  || miss "missing critical file: domain/src/main/java/com/fernandocejas/android10/sample/domain/interactor/UseCase.java"
test -f "data/src/main/java/com/fernandocejas/android10/sample/data/repository/UserDataRepository.java" \\
  && ok "data/src/main/java/com/fernandocejas/android10/sample/data/repository/UserDataRepository.java" \\
  || miss "missing critical file: data/src/main/java/com/fernandocejas/android10/sample/data/repository/UserDataRepository.java"
test -f "domain/src/main/java/com/fernandocejas/android10/sample/domain/repository/UserRepository.java" \\
  && ok "domain/src/main/java/com/fernandocejas/android10/sample/domain/repository/UserRepository.java" \\
  || miss "missing critical file: domain/src/main/java/com/fernandocejas/android10/sample/domain/repository/UserRepository.java"
test -f "data/src/main/java/com/fernandocejas/android10/sample/data/repository/datasource/UserDataStoreFactory.java" \\
  && ok "data/src/main/java/com/fernandocejas/android10/sample/data/repository/datasource/UserDataStoreFactory.java" \\
  || miss "missing critical file: data/src/main/java/com/fernandocejas/android10/sample/data/repository/datasource/UserDataStoreFactory.java"
test -f "domain/src/main/java/com/fernandocejas/android10/sample/domain/interactor/GetUserList.java" \\
  && ok "domain/src/main/java/com/fernandocejas/android10/sample/domain/interactor/GetUserList.java" \\
  || miss "missing critical file: domain/src/main/java/com/fernandocejas/android10/sample/domain/interactor/GetUserList.java"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 1136 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~1106d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/android10/Android-CleanArchitecture"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

A production-grade Java sample app demonstrating Uncle Bob's Clean Architecture on Android, using a multi-layer approach with Domain/Data/Presentation modules. It fetches and displays a list of users from a REST API (via com.fernandocejas.android10.sample.data.net.RestApi), caches them to disk, and renders them in the UI—serving as a reference implementation for building testable, maintainable Android applications with clear separation of concerns. Three-module Gradle monorepo: domain/ (pure Java, business logic and use cases), data/ (repository pattern, REST/cache data stores, mappers in data/src/main/java/com/fernandocejas/android10/sample/data/), and presentation/ (Android UI layer with Activities/Fragments). Data layer routes through UserDataStoreFactory to choose between CloudUserDataStore (network) and DiskUserDataStore (cache) based on availability.

Android engineers learning or implementing Clean Architecture patterns, and teams evaluating architectural approaches before committing to a codebase. Specifically useful for developers who want to understand how to structure repository patterns, dependency injection with Dagger, and reactive data flows (RxJava) across multiple layers.

This is an established educational reference project (linked from multiple blog posts dating 2014–2016) with structured tests, CI/CD via Travis CI (.travis.yml), and Gradle build automation. However, it uses Android Gradle Plugin 3.0.1 and support libraries, indicating it was last significantly updated around 2017–2018. The README explicitly notes a newer Kotlin version exists; this Java version is stable but not actively maintained for modern Android APIs.

Low risk for learning purposes, but production use is risky: dependencies are outdated (Android Gradle 3.0.1, support libs vs. AndroidX), no visible recent commits, and the author has moved on to a Kotlin rewrite. Single-maintainer (Fernando Cejas) with no indication of community maintenance. Use this as a reference/template, not as a base for new projects.

No active development visible. The repo is frozen as a reference implementation. The README points users to the newer Kotlin-based rewrite (Architecting Android… Reloaded). Any maintenance would be by external forks or educators using it as teaching material.

git clone https://github.com/android10/Android-CleanArchitecture.git
cd Android-CleanArchitecture
./gradlew clean build
./gradlew installDebug  # requires connected Android device or emulator

Daily commands: After install via ./gradlew installDebug, the app launches on a connected device. For development builds: ./gradlew installDebug then manually open on device, or use ./gradlew runUnitTests to run domain/data layer tests without a device, or ./gradlew runAcceptanceTests for Espresso UI tests.

• domain/src/main/java/com/fernandocejas/android10/sample/domain/interactor/UseCase.java — Core abstraction defining how all business logic flows through Observable-based use cases; foundational to the entire clean architecture pattern.
• data/src/main/java/com/fernandocejas/android10/sample/data/repository/UserDataRepository.java — Concrete repository implementation that bridges domain layer (abstractions) with data layer (sources), managing cache vs. cloud data selection.
• domain/src/main/java/com/fernandocejas/android10/sample/domain/repository/UserRepository.java — Repository interface contract that domain layer depends on; defines the boundary between domain and data layers.
• data/src/main/java/com/fernandocejas/android10/sample/data/repository/datasource/UserDataStoreFactory.java — Factory pattern implementation deciding whether to fetch from cloud or disk cache; critical decision point in data flow.
• domain/src/main/java/com/fernandocejas/android10/sample/domain/interactor/GetUserList.java — Example use case implementation showing how domain layer composes repositories and uses threading to perform business logic.
• data/src/main/java/com/fernandocejas/android10/sample/data/cache/UserCacheImpl.java — Cache layer implementation handling persistence and serialization; critical for offline support and performance.
• buildsystem/dependencies.gradle — Centralized dependency management for Rx, Retrofit, and testing frameworks that enable the reactive architecture.

Add a new Use Case

1. Create a new use case class extending UseCase<Result, Params> in domain/src/main/java/com/fernandocejas/android10/sample/domain/interactor/ (domain/src/main/java/com/fernandocejas/android10/sample/domain/interactor/GetUserList.java)
2. Implement buildUseCaseObservable() to compose repository call with domain logic (domain/src/main/java/com/fernandocejas/android10/sample/domain/interactor/GetUserList.java)
3. Add corresponding method to UserRepository interface if a new data operation is needed (domain/src/main/java/com/fernandocejas/android10/sample/domain/repository/UserRepository.java)
4. Write unit test in domain/src/test following GetUserListTest pattern, mocking the repository dependency (domain/src/test/java/com/fernandocejas/android10/sample/domain/interactor/GetUserListTest.java)

Add a new Data Source or modify data fetching

1. Create new data store class implementing UserDataStore interface in data/src/main/java/com/fernandocejas/android10/sample/data/repository/datasource/ (data/src/main/java/com/fernandocejas/android10/sample/data/repository/datasource/CloudUserDataStore.java)
2. Implement getUserList() to return Observable with data fetching logic (API call or cache read) (data/src/main/java/com/fernandocejas/android10/sample/data/repository/datasource/CloudUserDataStore.java)
3. Register new data store in UserDataStoreFactory.createUserDataStore() to control selection logic (data/src/main/java/com/fernandocejas/android10/sample/data/repository/datasource/UserDataStoreFactory.java)
4. Create unit tests in data/src/test verifying the new data store returns correct Observable and handles errors (data/src/test/java/com/fernandocejas/android10/sample/data/repository/datasource/CloudUserDataStoreTest.java)

Add a new Entity and entity mapping

1. Create new entity class (e.g., PostEntity) in data/src/main/java/com/fernandocejas/android10/sample/data/entity/ (data/src/main/java/com/fernandocejas/android10/sample/data/entity/UserEntity.java)
2. Create corresponding domain model class in domain/src/main/java/com/fernandocejas/android10/sample/domain/ (domain/src/main/java/com/fernandocejas/android10/sample/domain/User.java)
3. Create entity mapper class in data/src/main/java/com/fernandocejas/android10/sample/data/entity/mapper/ implementing transform(UserEntity) and transformList(List<UserEntity>) (data/src/main/java/com/fernandocejas/android10/sample/data/entity/mapper/UserEntityDataMapper.java)
4. Write unit test in data/src/test/java/.../entity/mapper/ verifying bidirectional mapping (data/src/test/java/com/fernandocejas/android10/sample/data/entity/mapper/UserEntityDataMapperTest.java)

Integrate a new external API

1. Add new HTTP endpoint method to RestApi interface in data/src/main/java/com/fernandocejas/android10/sample/data/net/ (data/src/main/java/com/fernandocejas/android10/sample/data/net/RestApi.java)
2. Implement endpoint method in RestApiImpl using RestService and ApiConnection (data/src/main/java/com/fernandocejas/android10/sample/data/net/RestApiImpl.java)
3. Create or modify CloudUserDataStore to call new RestApi method and map response via entity mapper (data/src/main/java/com/fernando)

No obvious environment variables required, but: (1) The REST API endpoint is hard-coded in RestApiImpl.java—adjust if the demo server moves or goes offline. (2) Disk cache uses FileManager which writes to app's cache directory; on some devices this may be cleared by the OS if storage is low. (3) No AndroidX migration—uses deprecated android.support.* libraries; will fail to merge with projects already on AndroidX. (4) RxJava 1.x era code—manual Subscription management and no Lifecycle awareness; RxJava 2+ or LiveData is preferred in modern Android. (5) Thread safety in UserCacheImpl is not explicitly synchronized; concurrent cache reads/writes could race.

• Repository Pattern — UserDataRepository abstracts data sources (network, disk, cache) behind a single interface; understanding this is core to the Data layer and enables swapping implementations without changing Domain logic
• Clean Architecture Layering (Domain/Data/Presentation) — This repo's entire structure rests on separating business rules (Domain), data access (Data), and UI concerns (Presentation); violations lead to tight coupling and hard-to-test code
• Dependency Injection (Dagger 2) — Dagger wires dependencies across layers at compile-time without Service Locator anti-pattern; this is how the codebase remains testable and loosely coupled
• Use Case (Interactor) — GetUserListUseCase encapsulates a single user-facing business operation and returns an Observable; this is the Domain layer's primary abstraction for Presentation to call
• Entity Mapping / Data Transfer Objects (DTOs) — UserEntity (REST/cache format) vs. User (Domain format); mappers (UserEntityDataMapper, UserEntityJsonMapper) prevent leakage of data-layer details into business logic
• RxJava Observable Streams — All async operations (network calls, cache reads) return Observables; Presenters subscribe and emit UI updates, enabling composable, backpressure-aware reactive code
• Thread Pool Executor (JobExecutor) — JobExecutor provides a background thread pool for Use Cases; understanding thread confinement prevents main-thread blocking and is critical to Android app responsiveness

• android10/Kotlin-CleanArchitecture — Official successor to this repo, same Clean Architecture principles but written in modern Kotlin with up-to-date Android libraries and Coroutines instead of RxJava
• googlesamples/architecture-samples — Google's official reference architecture for Android (TODOs app), demonstrates similar layering and repository patterns but uses LiveData, ViewModel, and AndroidX—more modern alternative
• square/retrofit — The HTTP client library used in RestApiImpl.java; essential for understanding how API calls are made and mocked in tests
• google/dagger — Dependency injection framework used throughout for decoupling layers and enabling testability in this architecture
• ReactiveX/RxJava — Reactive streams library powering the async data flow in Use Cases and Presenters; foundational to this codebase's async handling

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add integration tests for UserDataRepository data source selection logic

The UserDataRepository uses UserDataStoreFactory to switch between CloudUserDataStore and DiskUserDataStore based on cache state. While unit tests exist for individual data stores (CloudUserDataStoreTest.java, DiskUserDataStoreTest.java), there are no integration tests verifying the repository correctly delegates to the appropriate data source. This is critical for the clean architecture pattern where repository logic should be thoroughly tested.

• [ ] Create data/src/test/java/com/fernandocejas/android10/sample/data/repository/UserDataRepositoryIntegrationTest.java
• [ ] Test scenarios: user exists in cache (should use DiskUserDataStore), user not in cache with network available (should use CloudUserDataStore), network unavailable and no cache (should throw NetworkConnectionException)
• [ ] Mock both CloudUserDataStore and DiskUserDataStore dependencies to verify correct selection logic in UserDataRepository
• [ ] Verify integration with UserDataStoreFactory.createUserDataStore() is working as expected across different conditions

Add missing tests for UserEntityJsonMapper JSON parsing edge cases

UserEntityJsonMapper.java handles JSON serialization/deserialization of users, but UserEntityJsonMapperTest.java likely lacks coverage for error scenarios (malformed JSON, missing fields, null values). Given this is a data layer mapping critical component in clean architecture, comprehensive edge case testing is essential for robustness.

• [ ] Review existing UserEntityJsonMapperTest.java coverage gaps
• [ ] Add test cases: malformed JSON string, JSON missing required user fields (id, name, email), JSON with null values, empty JSON array/object
• [ ] Verify appropriate exceptions are thrown (JsonSyntaxException, IllegalArgumentException) with meaningful error messages
• [ ] Test round-trip serialization (object → JSON → object) maintains data integrity

Add GitHub Actions CI workflow to replace .travis.yml for modern Android testing

The repository has .travis.yml for Travis CI but lacks a modern GitHub Actions workflow (.github/workflows/*.yml). GitHub Actions provides better native GitHub integration and no longer relies on external CI services. This would improve maintainability and contributor experience while running the existing custom Gradle tasks (runUnitTests, runAcceptanceTests).

• [ ] Create .github/workflows/android-ci.yml with jobs for unit tests (runDomainUnitTests, runDataUnitTests) and acceptance tests (runAcceptanceTests)
• [ ] Configure matrix strategy for multiple Android API levels (minimum 21, target 29+)
• [ ] Set up Android SDK caching to improve build times
• [ ] Add build status badge to README.md pointing to GitHub Actions workflow

• Add integration tests for UserDataStoreFactory: The factory's logic (choose CloudUserDataStore vs. DiskUserDataStore based on network state) lacks dedicated tests in data/src/test/. Write tests that mock Retrofit failures and verify the factory switches to disk cache.
• Migrate from RxJava 1.x Observable to LiveData or RxJava 2+: The Use Cases and Presenters use .subscribe() with manual Subscription cleanup. Create a refactor task to use Android's LiveData or RxJava 2's Disposable, respecting Activity/Fragment lifecycle and preventing memory leaks.
• Document the Data Store abstraction in README: Add a diagram or code walkthrough showing how UserDataStore → CloudUserDataStore/DiskUserDataStore flow works. Include an example of adding a new data source (e.g., in-memory cache or SQLite DB) to help new contributors understand the extension point.

This Clean Architecture Android sample project has a moderate security posture with several concerns. The most critical issue is the use of outdated Gradle build tools (3.0.1 from 2017) which lack modern security patches. Additional concerns include potential insecure serial

• High · Outdated Gradle Build Tools — build.gradle. The build.gradle file uses Gradle 3.0.1 (from 2017), which is significantly outdated and likely contains known security vulnerabilities. Modern Android development requires updated build tools for security patches and vulnerability fixes. Fix: Update com.android.tools.build:gradle to the latest stable version (currently 8.x). Review and update all dependencies in buildsystem/dependencies.gradle to their latest versions.
• Medium · Debug Keystore in Repository — buildsystem/debug.keystore. The file 'buildsystem/debug.keystore' appears to be a keystore file committed to version control. While debug keystores are intended for development, storing any keystore in the repository can pose security risks if the repository becomes public or is compromised. Fix: Remove the keystore from version control and add *.keystore to .gitignore. Document keystore generation instructions separately. Consider using Gradle-managed signing configurations for CI/CD pipelines.
• Medium · Potential Insecure Serialization — data/src/main/java/com/fernandocejas/android10/sample/data/cache/serializer/Serializer.java. The codebase includes custom Serializer and UserCache classes that handle serialization/deserialization. Custom serialization logic can be vulnerable to deserialization attacks or data tampering if not properly validated. Fix: Review serialization implementation to ensure: 1) Input validation before deserialization, 2) Use of secure serialization formats (e.g., Protocol Buffers), 3) Avoid Java serialization for untrusted data, 4) Implement integrity checks (HMAC) for cached data.
• Medium · Network Communication Security Not Visible — data/src/main/java/com/fernandocejas/android10/sample/data/net/RestApi.java, data/src/main/java/com/fernandocejas/android10/sample/data/net/RestApiImpl.java, data/src/main/java/com/fernandocejas/android10/sample/data/net/ApiConnection.java. The RestApi and ApiConnection classes handle network communication, but without visible source code, it's unclear if SSL/TLS pinning, certificate validation, or secure headers are properly implemented. Fix: Implement and verify: 1) Certificate pinning for HTTPS connections, 2) TLS 1.2 or higher enforcement, 3) Secure header validation (HSTS), 4) Disable cleartext traffic with network security configuration, 5) Validate all SSL/TLS certificates.
• Medium · Missing ProGuard/R8 Configuration Details — data/proguard-rules.pro. While proguard-rules.pro exists, the file content is not visible. Improper ProGuard configuration can fail to obfuscate sensitive code or remove debug information, exposing the app to reverse engineering. Fix: Review ProGuard rules to ensure: 1) Sensitive classes are obfuscated, 2) Debug information is stripped, 3) Exception messages don't leak sensitive info, 4) Use R8 (modern ProGuard replacement) in build.gradle
• Low · Test Implementation Runner — build.gradle - testInstrumentationRunner property. The codebase uses 'android.support.test.runner.AndroidJUnitRunner' which is from the legacy Android support library (deprecated since 2020). Fix: Migrate to androidx.test.runner.AndroidJUnitRunner from the AndroidX testing library for updated security patches and modern testing capabilities.
• Low · Deprecated Android Support Library — build.gradle. References to 'android.support.test' indicate the project may be using deprecated Android support libraries instead of AndroidX, which no longer receive security updates. Fix: Migrate all android.support.* dependencies to androidx.* equivalents. Run Android Studio's built-in migration tool to automate this process.

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.