If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/arduino/Arduino shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

WAIT — Slowing — last commit 7mo ago

• Last commit 7mo ago
• 18 active contributors
• Other licensed
• CI configured
• Tests present
• ⚠ Slowing — last commit 7mo ago
• ⚠ Concentrated ownership — top contributor handles 72% of recent commits
• ⚠ Non-standard license (Other) — review terms

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live arduino/Arduino repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/arduino/Arduino.

What it runs against: a local clone of arduino/Arduino — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in arduino/Arduino | Confirms the artifact applies here, not a fork | | 2 | License is still Other | Catches relicense before you depend on it | | 3 | Default branch master exists | Catches branch renames | | 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code | | 5 | Last commit ≤ 239 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of arduino/Arduino. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/arduino/Arduino.git
#   cd Arduino
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of arduino/Arduino and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "arduino/Arduino(\\.git)?\\b" \\
  && ok "origin remote is arduino/Arduino" \\
  || miss "origin remote is not arduino/Arduino (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(Other)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"Other\"" package.json 2>/dev/null) \\
  && ok "license is Other" \\
  || miss "license drift — was Other at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \\
  && ok "default branch master exists" \\
  || miss "default branch master no longer exists"

# 4. Critical files exist
test -f "app/build.xml" \\
  && ok "app/build.xml" \\
  || miss "missing critical file: app/build.xml"
test -f "app/src/cc/arduino/contributions/packages/ui/ContributionIndexTableModel.java" \\
  && ok "app/src/cc/arduino/contributions/packages/ui/ContributionIndexTableModel.java" \\
  || miss "missing critical file: app/src/cc/arduino/contributions/packages/ui/ContributionIndexTableModel.java"
test -f "app/src/cc/arduino/contributions/libraries/ui/LibraryManagerUI.java" \\
  && ok "app/src/cc/arduino/contributions/libraries/ui/LibraryManagerUI.java" \\
  || miss "missing critical file: app/src/cc/arduino/contributions/libraries/ui/LibraryManagerUI.java"
test -f "app/src/cc/arduino/contributions/libraries/ui/LibrariesIndexTableModel.java" \\
  && ok "app/src/cc/arduino/contributions/libraries/ui/LibrariesIndexTableModel.java" \\
  || miss "missing critical file: app/src/cc/arduino/contributions/libraries/ui/LibrariesIndexTableModel.java"
test -f "app/src/cc/arduino/ConsoleOutputStream.java" \\
  && ok "app/src/cc/arduino/ConsoleOutputStream.java" \\
  || miss "missing critical file: app/src/cc/arduino/ConsoleOutputStream.java"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 239 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~209d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/arduino/Arduino"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

Arduino IDE 1.x is the legacy integrated development environment for programming Arduino microcontroller boards using a Processing/Wiring dialect. It compiles sketches to machine code, manages hardware drivers via avrdude, and provides a Java-based GUI editor with serial monitor and board management—the foundational IDE before the newer 2.x branch. Single monolithic Java project under /app with compiled IDE source code, bundled third-party JARs in app/lib (Batik, Commons libraries, Bouncy Castle), and build configuration in app/build.xml (Ant-based). No modular package structure; the IDE is one cohesive application rather than composable libraries.

Hobbyists, students, and embedded systems developers who program Arduino boards (ATmega-based and SAM microcontrollers). Contributors maintaining backward compatibility with existing Arduino sketches and hardware integrations that still rely on IDE 1.x.

Mature but unmaintained. Arduino 1.x is explicitly marked as legacy in the README with a redirect to IDE 2.x for new development. No recent commits visible in the file structure; the codebase is stable but frozen. Production-ready for existing users but no longer receiving active feature development.

High maintenance risk: this is explicitly deprecated in favor of Arduino IDE 2.x, so contributions may not be merged. Large Java dependency footprint (Batik for SVG, Commons libraries, Bouncycastle for crypto) with old versions (Batik 1.8 from ~2015, commons-compress 1.8 from 2014). No visible test suite in file list, suggesting low test coverage. Migrating to 2.x is the recommended path for new projects.

According to the README, this repository is in maintenance-only mode. Development has moved to Arduino IDE 2.x repository. The .github/workflows/ant.yml suggests CI runs Ant builds, but no active feature work or recent commits are visible in the provided file structure.

Clone and build using Ant: git clone https://github.com/arduino/Arduino.git && cd app && ant. Requires Java 8+ and Ant. The IDE jar will be built in the dist/ directory. See app/build.xml for build targets.

Daily commands: After building with ant in /app, execute the generated JAR or use platform-specific launchers. IDE starts a Swing window for sketch editing, board selection, and upload to serial/USB devices. No dev server; it is a native desktop application.

• app/build.xml — Primary Ant build configuration that compiles the IDE, manages dependencies, and generates distributable packages—essential for understanding the build process and release workflow.
• app/src/cc/arduino/contributions/packages/ui/ContributionIndexTableModel.java — Core model for the Boards & Ports manager UI; handles platform/core installation and versioning logic that underpins the entire contribution ecosystem.
• app/src/cc/arduino/contributions/libraries/ui/LibraryManagerUI.java — Main entry point for the Library Manager interface; orchestrates library search, installation, and updates—critical path for user-facing contribution workflows.
• app/src/cc/arduino/contributions/libraries/ui/LibrariesIndexTableModel.java — Data model for library discovery and filtering; manages the table UI that displays available and installed libraries with category and type filters.
• app/src/cc/arduino/ConsoleOutputStream.java — Bridges compilation output and serial monitor streams to the IDE console; essential for understanding logging and user feedback mechanisms.
• app/lib — Contains ~50 third-party JARs (Batik, Jackson, JSch, jMDNS, JSSC, RSyntaxTextArea) that implement SVG rendering, JSON parsing, SSH, mDNS, serial I/O, and syntax highlighting—all critical runtime dependencies.

Add a new library filter criterion

1. Create a new Predicate<ContributedLibrary> class in app/src/cc/arduino/contributions/libraries/filters/ following the pattern of UpdatableLibraryPredicate.java. (app/src/cc/arduino/contributions/libraries/filters/YourNewPredicate.java)
2. Implement the test(ContributedLibrary) method with your filter logic (e.g., check category, author, or dependency status). (app/src/cc/arduino/contributions/libraries/filters/YourNewPredicate.java)
3. Update LibraryManagerUI.java to instantiate and chain your predicate into the library filtering stream, typically in the search/filter event handler. (app/src/cc/arduino/contributions/libraries/ui/LibraryManagerUI.java)
4. Add a UI element (checkbox, dropdown, or search field) in the LibraryManagerUI to expose the new filter to users, and wire it to trigger model updates. (app/src/cc/arduino/contributions/libraries/ui/LibraryManagerUI.java)

Add a new platform/core filter or custom sorter

1. Create a new Predicate<ContributedPlatform> in app/src/cc/arduino/contributions/packages/filters/ or a Comparator<ContributedPlatform> following the pattern of CategoryPredicate.java or UpdatablePlatformPredicate.java. (app/src/cc/arduino/contributions/packages/filters/YourNewPredicate.java)
2. Implement filter logic (e.g., by vendor, architecture, or availability) or sorting logic (e.g., by installation date or category). (app/src/cc/arduino/contributions/packages/filters/YourNewPredicate.java)
3. Integrate the predicate/comparator into ContributionIndexTableModel.java by updating the filterAndSort() method or equivalent. (app/src/cc/arduino/contributions/packages/ui/ContributionIndexTableModel.java)
4. Expose the filter/sort option in the Boards Manager UI and wire the event handler to trigger model refresh. (app/src/cc/arduino/contributions/packages/ui/ContributedPlatformTableCellJPanel.java)

Customize library or platform cell rendering

1. Extend ContributedLibraryTableCellRenderer.java or ContributedPlatformTableCellRenderer.java to override the getTableCellRendererComponent() method and customize colors, fonts, icons, or layout. (app/src/cc/arduino/contributions/libraries/ui/ContributedLibraryTableCellRenderer.java)
2. Alternatively, modify the corresponding JPanel cell component (e.g., ContributedLibraryTableCellJPanel.java) to add, remove, or restyle UI elements like buttons or labels. (app/src/cc/arduino/contributions/libraries/ui/ContributedLibraryTableCellJPanel.java)
3. Register your custom renderer with the JTable in LibrariesIndexTableModel.java or ContributionIndexTableModel.java by setting it as the column renderer. (app/src/cc/arduino/contributions/libraries/ui/LibrariesIndexTableModel.java)

• Java Swing (JTable, JPanel, Renderers) — Cross-platform desktop UI toolkit native to Java; widely understood by the existing Arduino IDE codebase and allows complex table-based UIs for library/board management.
• Jackson JSON library (jackson-core, jackson-databind, jackson-annotations) — Parses contribution index files (boards.txt, library.properties, package_index.json) efficiently and maps them to domain objects for filtering and display.
• JSSC (Java Serial Serial Communication) — Enables serial port communication for uploading sketches and monitor functionality; essential for Arduino's core workflow.
• JSch SSH library — Supports secure Git operations and SSH-based board/library downloads in contribution management workflows.
• jMDNS (mDNS library) — Enables automatic discovery of Arduino devices on local networks (e.g., Arduino MKR WiFi 1010) without manual port entry.
• Batik (SVG rendering) — Renders scalable vector graphics for icons and UI elements; allows high-DPI display support across platforms.
• RSyntaxTextArea — Provides syntax highlighting and code editing for Arduino sketches (.ino files) with support for custom themes and language definitions.

• Single-threaded Swing UI event dispatch model

  • Why: Simplicity and predictability for state management in a complex UI (libraries, boards, ports, editor).
  • Consequence: Long-running operations (library downloads, board index fetches) must spawn background threads to avoid UI freezing; requires careful synchronization and progress callbacks.

• In-memory filtering and sorting rather than database indexing

  • Why: Contributions index is fetched once per session and cached locally; filtering is instantaneous for user-driven searches.
  • Consequence: Cannot efficiently handle very large contribution sets (1000s of libraries) without potential memory pressure; no incremental/lazy loading of library metadata.

• Predicate/Comparator composition over inheritance hierarchy

  • Why: Functional approach allows combining filters (e.g., 'updatable AND category=Display') without creating combinatorial subclasses.
  • Consequence: Requires developers to understand functional composition; error messages and debugging are less obvious than traditional polymorphism.

• Table-based UI for both libraries and platforms

  • Why: Uniform, familiar UI pattern; users already understand sorting, filtering, and bulk selection on rows.
  • Consequence: Limited ability to show hierarchical data (e.g., multiple releases of a

No visible test directory in the file structure—testing is likely manual. The README warns this is legacy; PRs may face rejection if they conflict with the 2.x roadmap. Build depends on Ant (not Maven/Gradle); Eclipse .project and .classpath files are required for IDE development. Serial port communication relies on native bindings (likely RXTX or jssc) not visible in file list—ensure correct platform libraries are available. Board definitions are downloaded at runtime from separate Arduino repositories, not included here.

• Wiring Language / Processing Dialect — The Arduino sketch syntax (setup(), loop(), digitalWrite, etc.) is a subset of Processing; understanding the language design helps when modifying the parser, compiler, or runtime behavior in this IDE
• AVRDUDE Integration — The IDE shells out to avrdude to upload compiled binaries to Arduino boards; this is the bridge between the IDE and hardware, critical for debugging upload failures
• Serial Port / UART Communication — The IDE communicates with boards via RS-232/USB serial protocols for upload, debugging, and the Serial Monitor feature; understanding frame formats and timing is essential for board-specific issues
• SVG Rendering via Batik — Board icons and logos are rendered as SVG in the IDE UI using the Batik library; upgrading or fixing rendering issues requires knowledge of Batik's transcoder API
• Sketch Compilation & Linking (GCC Toolchain) — The IDE orchestrates GCC/G++ compilation and avr-ld linking of sketches into ELF binaries; understanding how sketches are preprocessed (e.g., function prototyping) is key for parser bugs
• Code Signing & Cryptography (Bouncy Castle) — Bouncy Castle library is bundled for secure board authentication and library signing; updates or security patches to this ancient version (1.52) should be prioritized
• Ant Build System — The entire IDE is built via Ant (not Maven/Gradle); understanding build.xml targets is mandatory for modifying compilation, packaging, or CI workflows

• arduino/arduino-ide — The official successor to this repo; Arduino IDE 2.x is actively maintained and recommended for new users and contributors
• arduino/ArduinoCore-avr — Arduino AVR core library (ATmega328P, etc.) that was originally in this repo but is now separate; automatically downloaded by the IDE at runtime
• arduino/arduino-cli — Command-line interface for Arduino development; the modern alternative to IDE 1.x for CI/CD and headless compilation
• arduino/Arduino-libraries — Official Arduino library repository; IDE 1.x integrates with this via the Library Manager GUI for dependency management
• processing/processing — Parent language and IDE that inspired Arduino's Processing/Wiring dialect and Swing-based editor architecture

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add unit tests for core board manager and library manager functionality

The repo has Java source code for board/library management but no visible test directory structure. Arduino IDE 1.x's board detection and library installation are critical paths that affect many users. Adding JUnit tests for the core manager classes would improve code reliability and prevent regressions, especially important for a legacy codebase still receiving patches.

• [ ] Create test/java directory structure mirroring app/src structure
• [ ] Add JUnit tests for board detection logic in app/src (BoardManager-related classes)
• [ ] Add JUnit tests for library installation/loading logic
• [ ] Update build.xml to include JUnit test compilation and execution targets
• [ ] Document test execution in CONTRIBUTING.md with instructions

Upgrade vulnerable dependency: jssc (serial communication library)

The file list shows jssc-2.8.0-arduino4.jar with GPL/LGPL licenses. This is a critical dependency for serial communication with Arduino boards. Investigate if a newer, more secure version exists or if security patches have been backported. This directly impacts user safety when uploading sketches to boards.

• [ ] Audit jssc-2.8.0 for known CVEs and security issues
• [ ] Check if a newer stable version (2.9.x+) is compatible with Arduino IDE 1.x
• [ ] If upgrading, test serial port detection on Windows, macOS, and Linux
• [ ] Update app/lib/jssc*.jar files and LICENSE files accordingly
• [ ] Document the upgrade rationale and testing in a PR description

Create GitHub Actions CI workflow for cross-platform builds and code quality

The .github/workflows/ant.yml file exists but the repo lacks comprehensive CI for multiple platforms. Arduino IDE 1.x must work reliably on Windows, macOS, and Linux. A modern CI workflow would catch platform-specific regressions (file paths, serial port handling, UI rendering) before they reach users.

• [ ] Review and enhance .github/workflows/ant.yml to build on ubuntu-latest, macos-latest, and windows-latest
• [ ] Add Java 8+ compatibility checks in the workflow (Arduino uses Java 8+)
• [ ] Integrate static analysis tools (SpotBugs, Checkstyle) for Java code quality
• [ ] Ensure build artifacts (IDE distributions) are generated and attached to workflow runs
• [ ] Add workflow documentation to CONTRIBUTING.md explaining CI expectations for PRs

• Add unit tests for the sketch compiler/parser logic in core IDE code to improve test coverage, which is absent from the file list and makes refactoring risky
• Document the serial communication layer (port enumeration, upload protocol) in README with code examples, since this is a critical feature with no visible javadoc
• Update bundled Batik library from 1.8 (2015) to 1.14+ and test SVG rendering in board icons/logos to fix potential security issues in the ancient version

• High · Outdated Jackson Libraries with Known CVEs — app/lib/jackson-*.jar. jackson-databind-2.9.5.jar, jackson-core-2.9.5.jar, and jackson-annotations-2.9.5.jar are outdated versions from 2018. Jackson 2.9.5 has multiple known CVEs including deserialization vulnerabilities (CVE-2018-7489, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362) that can lead to arbitrary code execution. Fix: Upgrade to Jackson 2.15.x or later. At minimum, upgrade to 2.13.x which includes security patches for known deserialization attacks.
• High · Outdated BouncyCastle Cryptography Libraries — app/lib/bcprov-jdk15on-152.jar, app/lib/bcpg-jdk15on-152.jar. bcprov-jdk15on-152.jar and bcpg-jdk15on-152.jar are from 2019. These outdated cryptography libraries may contain known security vulnerabilities and lack support for modern cryptographic standards. Fix: Upgrade to the latest BouncyCastle version (1.70+) to ensure modern cryptographic implementations and security patches.
• High · Outdated Apache Commons Dependencies — app/lib/commons-*.jar. Multiple commons libraries are outdated: commons-httpclient-3.1.jar (2007), commons-codec-1.7.jar (2012), commons-compress-1.8.jar (2013), commons-net-3.3.jar (2013). These versions contain known security vulnerabilities. Fix: Upgrade to: commons-httpclient → 4.x (or use httpclient5), commons-codec → 1.15+, commons-compress → 1.21+, commons-net → 3.9+
• Medium · Outdated JSCh SSH Library — app/lib/jsch-0.1.50.jar. jsch-0.1.50.jar is from 2014 and contains known vulnerabilities in SSH key handling and algorithm negotiation (e.g., CVE-2016-5725). Fix: Upgrade to jsch-0.1.55 or migrate to more actively maintained SSH libraries like Apache Mina SSHD.
• Medium · Outdated XML Processing Libraries — app/lib/xml-apis-*.jar, app/lib/batik-*.jar, app/lib/xmlgraphics-commons-2.0.jar. xml-apis-1.3.04.jar and xml-apis-ext-1.3.04.jar are from 2006 and may be vulnerable to XML-based attacks (XXE). Additionally, batik 1.8.jar and xmlgraphics-commons-2.0.jar are outdated. Fix: Upgrade batik to 1.14+, xmlgraphics-commons to 2.6+, and ensure XML parsers are configured to prevent XXE attacks by disabling external entity resolution.
• Medium · Outdated JSSC Serial Library — app/lib/jssc-2.8.0-arduino4.jar. jssc-2.8.0-arduino4.jar is outdated. Serial communication libraries may have unpatched vulnerabilities in input handling. Fix: Review and update to a more recent version or verify that custom patches are applied. Consider using jSerialComm as an alternative.
• Medium · Outdated SLF4J Logging Library — app/lib/slf4j-*.jar. slf4j-api-1.7.22.jar and slf4j-simple-1.7.22.jar are from 2016. While less critical than other libraries, they may have minor vulnerabilities. Fix: Upgrade to slf4j 1.7.36 or 2.x series for security patches and maintenance.
• Medium · Outdated jmDNS Library — undefined. jmdns-3.5.5.jar is outdated (2017). Network service discovery libraries may have vulner Fix: undefined

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.