facebook/stetho

Stetho is a debug bridge for Android applications, enabling the powerful Chrome Developer Tools and much more.

Healthy

Healthy across all four use cases

weakest axis
Use as dependency: Healthy

Permissive license, no critical CVEs, actively maintained — safe to depend on.

Fork & modify: Healthy

Has a license, tests, and CI — clean foundation to fork and modify.

Learn from: Healthy

Documented and popular — useful reference codebase to read through.

Deploy as-is: Healthy

No critical CVEs, sane security posture — runnable as-is.

  • 26+ active contributors
  • Distributed ownership (top contributor 45% of recent commits)
  • MIT licensed
  • CI configured
  • Tests present
  • Stale — last commit 2y ago

Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests

Informational only. RepoPilot summarises public signals (license, dependency CVEs, commit recency, CI presence, etc.) at the time of analysis. Signals can be incomplete or stale. Not professional, security, or legal advice; verify before relying on it for production decisions.

Onboarding doc

Onboarding: facebook/stetho

Generated by RepoPilot · 2026-05-09 · Source

🤖Agent protocol

If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

  1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
  2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
  3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/facebook/stetho shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

🎯Verdict

GO — Healthy across all four use cases

  • 26+ active contributors
  • Distributed ownership (top contributor 45% of recent commits)
  • MIT licensed
  • CI configured
  • Tests present
  • ⚠ Stale — last commit 2y ago

Verify before trusting

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live facebook/stetho repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/facebook/stetho.

What it runs against: a local clone of facebook/stetho — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters |
|---|---|---|
| 1 | You're in facebook/stetho | Confirms the artifact applies here, not a fork |
| 2 | License is still MIT | Catches relicense before you depend on it |
| 3 | Default branch main exists | Catches branch renames |
| 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code |
| 5 | Last commit ≤ 589 days ago | Catches sudden abandonment since generation |

<details> <summary><b>Run all checks</b> — paste this script from inside your clone of <code>facebook/stetho</code></summary>
#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of facebook/stetho. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/facebook/stetho.git
#   cd stetho
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of facebook/stetho and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "facebook/stetho(\.git)?\b" \
  && ok "origin remote is facebook/stetho" \
  || miss "origin remote is not facebook/stetho (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(MIT)" LICENSE 2>/dev/null \
   || grep -qiE "\"license\"\s*:\s*\"MIT\"" package.json 2>/dev/null) \
  && ok "license is MIT" \
  || miss "license drift — was MIT at generation time"

# 3. Default branch
git rev-parse --verify main >/dev/null 2>&1 \
  && ok "default branch main exists" \
  || miss "default branch main no longer exists"

# 4. Critical files exist
test -f "stetho-sample/src/debug/java/com/facebook/stetho/sample/SampleDebugApplication.java" \
  && ok "stetho-sample/src/debug/java/com/facebook/stetho/sample/SampleDebugApplication.java" \
  || miss "missing critical file: stetho-sample/src/debug/java/com/facebook/stetho/sample/SampleDebugApplication.java"
test -f "stetho-okhttp3/src/main/java/com/facebook/stetho/okhttp3/StethoInterceptor.java" \
  && ok "stetho-okhttp3/src/main/java/com/facebook/stetho/okhttp3/StethoInterceptor.java" \
  || miss "missing critical file: stetho-okhttp3/src/main/java/com/facebook/stetho/okhttp3/StethoInterceptor.java"
test -f "stetho-okhttp/src/main/java/com/facebook/stetho/okhttp/StethoInterceptor.java" \
  && ok "stetho-okhttp/src/main/java/com/facebook/stetho/okhttp/StethoInterceptor.java" \
  || miss "missing critical file: stetho-okhttp/src/main/java/com/facebook/stetho/okhttp/StethoInterceptor.java"
test -f "stetho-js-rhino/src/main/java/com/facebook/stetho/rhino/JsRuntimeRepl.java" \
  && ok "stetho-js-rhino/src/main/java/com/facebook/stetho/rhino/JsRuntimeRepl.java" \
  || miss "missing critical file: stetho-js-rhino/src/main/java/com/facebook/stetho/rhino/JsRuntimeRepl.java"
test -f "build.gradle" \
  && ok "build.gradle" \
  || miss "missing critical file: build.gradle"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 589 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~559d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/facebook/stetho"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

</details>

TL;DR

Stetho is a Chrome Developer Tools integration for Android apps that enables remote debugging via chrome://inspect. It provides DOM inspection, network monitoring, SQLite database browsing, and optional JavaScript console (via Rhino) without requiring code instrumentation—just call Stetho.initializeWithDefaults() in your Application class. Multi-module Gradle monorepo: core stetho library at root, optional interceptor modules (stetho-okhttp3, stetho-urlconnection) as separate packages, stetho-js-rhino provides Rhino-based JS runtime. Build tools in build-tools/ include protocol.json scraper (scraper.js) to sync with Chrome DevTools wire format. Scripts in scripts/ provide dumpapp CLI and HPROF utilities.

👥Who it's for

Android developers building client apps who need real-time debugging capabilities equivalent to Chrome DevTools on desktop. Network engineers integrating with OkHttp 2.x/3.x to inspect HTTP traffic. QA engineers using the dumpapp command-line tool to examine app internals without source access.

🌱Maturity & risk

Production-ready and actively maintained by Facebook. The codebase shows ~824KB of Java with established Gradle/CI setup (.travis.yml present), modular architecture (separate packages for stetho-okhttp3, stetho-urlconnection, stetho-js-rhino), and standardized release process (CHANGELOG.md, release.gradle). Last visible activity shows version 1.6.0 with stable Maven/Gradle distribution.

Low risk for established Android projects: no external service dependencies (fully local), optional modules mean you can adopt incrementally. Main risk is tight coupling to Chrome DevTools protocol (build-tools/protocol.json) which could break on protocol version mismatches. JavaScript console (stetho-js-rhino) adds Rhino engine dependency that may inflate APK size.

Active areas of work

Based on file structure and versioning (1.6.0), the project appears stable with maintenance mode activity. The presence of build-tools/protocol.json and build-tools/scraper.js suggests ongoing synchronization with Chrome DevTools protocol. stetho-js-rhino has separate Gradle config and ProGuard rules, indicating active support for JavaScript debugging features.

🚀Get running

git clone https://github.com/facebook/stetho.git
cd stetho
./gradlew build
./gradlew installDebug  # If you have an Android emulator running

Then add to your Android app's build.gradle: implementation 'com.facebook.stetho:stetho:1.6.0' and initialize in Application.onCreate().

Daily commands: For development: ./gradlew build compiles all modules. To test with a sample app: clone, then integrate the built JAR into a test Android app and run on emulator/device, then visit chrome://inspect in Chrome desktop browser.

🗺️Map of the codebase

  • stetho-sample/src/debug/java/com/facebook/stetho/sample/SampleDebugApplication.java — Entry point demonstrating how to initialize Stetho in an Android application—essential for understanding the library's primary usage pattern.
  • stetho-okhttp3/src/main/java/com/facebook/stetho/okhttp3/StethoInterceptor.java — Core network interceptor implementation for OkHttp3; shows how Stetho hooks into HTTP traffic for Chrome DevTools inspection.
  • stetho-okhttp/src/main/java/com/facebook/stetho/okhttp/StethoInterceptor.java — Network interceptor for OkHttp (v2); demonstrates the pattern used to capture and expose HTTP requests/responses.
  • stetho-js-rhino/src/main/java/com/facebook/stetho/rhino/JsRuntimeRepl.java — JavaScript REPL runtime using Rhino engine; critical for understanding the optional dumpapp console feature.
  • build.gradle — Root build configuration defining SDK versions, repositories, and Gradle plugin dependencies for the entire multi-module project.
  • README.md — Project overview and setup instructions; required reading to understand Stetho's purpose and integration requirements.
  • settings.gradle — Gradle module configuration file; defines which sub-projects (stetho-okhttp, stetho-okhttp3, stetho-js-rhino, stetho-sample) are included in the build.

🛠️How to make changes

Add Support for a New HTTP Client Library

  1. Create a new module mirroring stetho-okhttp3 structure (e.g., stetho-httpclient). (settings.gradle)
  2. Implement an Interceptor or equivalent hook in the new HTTP client that mimics StethoInterceptor pattern. (stetho-okhttp3/src/main/java/com/facebook/stetho/okhttp3/StethoInterceptor.java)
  3. Write unit tests following the same structure as StethoInterceptorTest to verify traffic capture. (stetho-okhttp3/src/test/java/com/facebook/stetho/okhttp3/StethoInterceptorTest.java)
  4. Update build.gradle for the new module with appropriate HTTP client dependency and test configuration. (stetho-okhttp3/build.gradle)
  5. Document integration usage in README.md alongside existing OkHttp examples. (README.md)

Create a Custom Dumpapp Plugin

  1. Study the HelloWorldDumperPlugin example to understand the plugin interface and registration. (stetho-sample/src/debug/java/com/facebook/stetho/sample/HelloWorldDumperPlugin.java)
  2. Implement a new plugin class following the same pattern (e.g., DatabaseInspectorPlugin). (stetho-sample/src/debug/java/com/facebook/stetho/sample/APODDumperPlugin.java)
  3. Register the plugin in the SampleDebugApplication initialization where Stetho.initializeWithDefaults() is called. (stetho-sample/src/debug/java/com/facebook/stetho/sample/SampleDebugApplication.java)
  4. Test the plugin via dumpapp command-line tool to verify command handling and output. (scripts/dumpapp)

Enable JavaScript REPL Console in Dumpapp

  1. Add the stetho-js-rhino dependency to your application's build.gradle. (stetho-js-rhino/build.gradle)
  2. Review JsRuntimeReplFactoryBuilder to configure the JavaScript runtime with custom global objects. (stetho-js-rhino/src/main/java/com/facebook/stetho/rhino/JsRuntimeReplFactoryBuilder.java)
  3. Instantiate and register the JS REPL in your Stetho initialization code (similar to SampleDebugApplication). (stetho-sample/src/debug/java/com/facebook/stetho/sample/SampleDebugApplication.java)
  4. Test JavaScript code execution through the dumpapp console using the registered REPL. (stetho-js-rhino/src/test/java/com/facebook/stetho/rhino/JsFormatTest.java)

Add a New Module to the Project

  1. Create the new module directory structure (e.g., stetho-sqlite) with src/main/java and build.gradle. (settings.gradle)
  2. Add the module to settings.gradle to include it in the multi-project build. (settings.gradle)
  3. Configure build.gradle with appropriate Android plugin, target SDK (30), and dependencies. (stetho-okhttp3/build.gradle)
  4. Create AndroidManifest.xml for the new module. (stetho-okhttp3/src/main/AndroidManifest.xml)

🔧Why these technologies

  • Android Framework (SDK 30) — Stetho integrates directly with Android application lifecycle and interceptor APIs to hook into HTTP traffic and app internals.
  • OkHttp / OkHttp3 — Widely-used Android HTTP client libraries; Stetho provides interceptor modules to capture and expose network traffic without app code changes.
  • Chrome DevTools Protocol — Allows seamless integration with Chrome browser's native debugging tools; leveraged via WebSocket communication from Stetho bridge.
  • Rhino JavaScript Engine — Enables optional JavaScript REPL execution in dumpapp console for dynamic scripting on device without native code recompilation.
  • Gradle Multi-Module Build — Allows optional/modular dependencies (okhttp, okhttp3, js-rhino) so apps only include what they need.

⚖️Trade-offs already made

  • Separate modules for OkHttp2 and OkHttp3
    • Why: OkHttp3 is incompatible with OkHttp2 API; maintaining separate interceptors allows both versions to coexist in ecosystem.
    • Consequence: Increased code

🪤Traps & gotchas

Stetho requires either an Android emulator or physical device connected via ADB; it will not work in standalone JVM tests. The Chrome DevTools protocol version in build-tools/protocol.json must match your Chrome version or inspection may fail silently. stetho-js-rhino adds ~2MB to APK; use ProGuard consumer rules (proguard-consumer.pro) to minimize footprint. Network inspection with OkHttp requires explicitly adding StethoInterceptor—it is not automatic.

💡Concepts to learn

  • Chrome DevTools Protocol — Stetho is fundamentally a Chrome DevTools Protocol server for Android; understanding the wire format in build-tools/protocol.json is essential for adding new inspector features
  • OkHttp Interceptor API — Network inspection in stetho-okhttp3 relies on OkHttp's Interceptor contract; you must understand Request/Response mutation patterns to extend network debugging
  • WebSocket duplex communication — Stetho communicates with Chrome over WebSocket; understanding full-duplex messaging patterns is needed to trace remote debugging handshakes
  • Android ContentProvider abstraction — Database inspection (stetho-dbinspector) queries SQLite via ContentProvider interfaces; you need this to understand how Stetho isolates database access without direct file access
  • ProGuard/R8 obfuscation configuration — stetho-js-rhino includes proguard-consumer.pro rules; understanding these is critical to avoid minification breakage when shipping with ProGuard
  • Gradle multi-module builds — Stetho is a 5+ module Gradle project; understanding settings.gradle module imports and inter-module dependencies is essential for local builds and release management
  • Android Application lifecycle hooks — Stetho initialization occurs in Application.onCreate(); understanding how Stetho registers itself with the runtime without manifest modifications requires grasping late-binding service registration
  • square/okhttp — OkHttp is the primary HTTP client integrated with Stetho for network inspection via StethoInterceptor
  • facebook/react-native — React Native apps on Android often use Stetho for debugging; shares Facebook's DevTools integration philosophy
  • google/android-studio — Android Studio's built-in debugger provides overlapping functionality but Stetho targets Chrome DevTools specifically as an alternative
  • ChromeDevTools/devtools-frontend — Canonical Chrome DevTools source; Stetho's protocol.json is derived from this and must track breaking changes
  • mozilla/rhino — Rhino is the JavaScript engine embedded in stetho-js-rhino for the optional JavaScript console feature

🪄PR ideas

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add comprehensive unit tests for stetho-okhttp StethoInterceptor

The stetho-okhttp module only has a test directory structure but the actual test file for StethoInterceptor.java appears to be missing or minimal. This is a critical integration point where OkHttp requests are intercepted for Chrome DevTools inspection. Adding thorough unit tests would ensure network interception works correctly across OkHttp versions and request types.

  • [ ] Create comprehensive test suite at stetho-okhttp/src/test/java/com/facebook/stetho/okhttp/StethoInterceptorTest.java
  • [ ] Add tests for: request/response interception, header handling, request body inspection, response body inspection, error cases, and network timing
  • [ ] Test integration with OkHttp's Interceptor chain and verify no request data is lost
  • [ ] Add tests for both sync and async request scenarios

Migrate from jcenter to Maven Central and update build configuration

The build.gradle still references jcenter() which was sunset by JFrog in 2021. This blocks users on newer Android builds and prevents the library from being published to modern repositories. Updating the build configuration and documenting the new artifact location would improve accessibility.

  • [ ] Replace jcenter() with mavenCentral() in build.gradle and settings.gradle
  • [ ] Verify gradle.properties and release.gradle are configured for Maven Central publishing (check for OSSRH credentials setup)
  • [ ] Update README.md with new Maven Central coordinates if the artifact location changed
  • [ ] Test the build locally: ./gradlew clean build to ensure all dependencies resolve
  • [ ] Update CI configuration (.travis.yml) if needed for new repository credentials

Add integration tests for stetho-js-rhino JavaScript REPL functionality

The stetho-js-rhino module provides a JavaScript runtime for console evaluation, but only has one test file (JsFormatTest.java). The core functionality in JsRuntimeRepl.java and JsConsole.java lacks integration tests. This is critical since JS evaluation is a key debugging feature exposed through Chrome DevTools.

  • [ ] Create JsRuntimeReplTest.java to test: script execution, variable persistence, error handling, and output capture
  • [ ] Create JsConsoleTest.java to test: console.log/warn/error output formatting, and console API method availability
  • [ ] Add test for JsRuntimeReplFactoryBuilder to verify runtime initialization and configuration
  • [ ] Include tests for edge cases: syntax errors, infinite loops (timeout handling), undefined variables, and Rhino-specific quirks
  • [ ] Verify integration with the rest of Stetho's debugger infrastructure through the REPL

🌿Good first issues

  • Add SQLite query history/logging to dumpapp tool: the scripts/dumpapp interface has basic database inspection but no query result caching or export—implement persistent query log in scripts/ that survives app restart
  • Expand protocol.json documentation: build-tools/protocol.json is machine-generated from scraper.js but lacks developer comments on which Chrome DevTools sections map to which Stetho features—add JSDoc-style annotations
  • Test coverage for JsConsole.java: stetho-js-rhino/src/main/java/com/facebook/stetho/rhino/JsConsole.java lacks corresponding unit tests in stetho-js-rhino/src/test/—add test cases for formatting edge cases (circular refs, large objects, non-serializable types)

📝Recent commits

  • 2198797 — Merge pull request #721 from yinyinnie/main (mdzyuba)
  • 285e0a7 — Merge branch 'facebook:main' into main (yinyinnie)
  • c045a5d — Merge pull request #719 from xapienz/main (mdzyuba)
  • f77f081 — Support running Stetho in multi-user Android environments (xapienz)
  • 049778b — Fix the issue that CDT contents are disordered, new WEBKIT_REV is from https://chromedevtools.github.io/devtools-protoco (yinyinnie)
  • 65bbb19 — Fix the issue that latest chrome(119 or 120) can not dicover Stetho (yinyinnie)
  • 7c4dc8d — Merge pull request #700 from funfoolsuzi/master (Josh Guilfoyle)
  • 909b930 — Update to 1.6.1-SNAPSHOT (mdzyuba)
  • eb8649c — stetho_open connect also consider IPv6 (funfoolsuzi)
  • 12e0df0 — Merge pull request #698 from facebook/release-v1.6.0 (mdzyuba)

🔒Security observations

Stetho has moderate security concerns primarily centered on outdated build tools and SDK versions. The most critical issue is the use of Gradle 4.1.2 from 2018, which contains multiple known vulnerabilities. The project targets Android 11 (SDK 30) instead of current best practices (SDK 34+), missing important security features and patches. Additionally, the debug nature of this library requires careful production build safeguards. The removal of jcenter() repository and updates to modern build tooling are essential. No evidence of hardcoded secrets was found, but security documentation and runtime protections should be enhanced.

  • High · Outdated Gradle Build Plugin — build.gradle (classpath 'com.android.tools.build:gradle:4.1.2'). The project uses Gradle 4.1.2, which was released in October 2018 and contains multiple known security vulnerabilities. This version is significantly outdated and no longer receives security updates. Modern Android development requires much newer versions to address known CVEs. Fix: Upgrade to the latest stable version of Android Gradle Plugin (currently 7.x or 8.x). Review and update all dependencies to their latest secure versions.
  • High · Outdated Compile and Target SDK Versions — build.gradle (compileSdkVersion = 30, targetSdkVersion = 30). The project targets SDK version 30 (Android 11, released in 2020). Current best practices recommend targeting SDK 34+ (Android 14). Using outdated target SDKs means missing critical security patches and modern security features like stricter permission handling. Fix: Update compileSdkVersion and targetSdkVersion to at least 34 or higher. Review and implement privacy-related changes for modern Android versions (scoped storage, package visibility, etc.).
  • Medium · Use of jcenter() Repository — build.gradle (repositories block). The project includes 'jcenter()' in its repositories configuration. JCenter was deprecated by JFrog and has been sunset. This can lead to build failures and potential security risks from outdated or missing dependencies. Fix: Remove jcenter() from all repository configurations. Use only 'google()' and 'mavenCentral()' repositories.
  • Medium · Debug Bridge with Potential Accessibility Issues — Project structure - core Stetho module. Stetho is a debug bridge that provides access to Chrome Developer Tools and app internals. When enabled in production builds, it exposes sensitive application data and debugging capabilities that could be exploited by attackers with physical or network access to the device. Fix: Ensure Stetho is only enabled in debug builds. Implement build variant checks to prevent Stetho initialization in release builds. Document security implications clearly in usage guidelines.
  • Medium · Missing Security Headers and Configuration Details — stetho-okhttp3/src/main/java/com/facebook/stetho/okhttp3/StethoInterceptor.java and stetho-okhttp/src/main/java/com/facebook/stetho/okhttp/StethoInterceptor.java. No visible security configuration files (.proguard rules have only consumer rules), missing security policy documentation, and no evidence of certificate pinning for network communications (based on OkHttp integration modules). Fix: Implement certificate pinning for network interceptors. Add comprehensive security guidelines. Create proguard/R8 rules files with security-sensitive method/class protection.
  • Low · Outdated CI/CD Configuration — .travis.yml. The .travis.yml file is present but the Travis CI service has shifted to travis-ci.com and uses a different configuration model. This may indicate the project's CI/CD pipeline is not actively maintained. Fix: Migrate to modern CI/CD solutions like GitHub Actions. Ensure automated security scanning (SAST, dependency checking) is in place.

LLM-derived; treat as a starting point, not a security audit.


Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.