Onboarding: fbsamples/f8app

Generated by RepoPilot · 2026-05-06 · Source

Agent protocol

If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/fbsamples/f8app shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

Verdict

WAIT — Stale — last commit 3y ago

• 15 active contributors
• Distributed ownership (top contributor 41% of recent commits)
• Other licensed
• Tests present
• ⚠ Stale — last commit 3y ago
• ⚠ Non-standard license (Other) — review terms
• ⚠ No CI workflows detected

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

Verify before trusting

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live fbsamples/f8app repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/fbsamples/f8app.

What it runs against: a local clone of fbsamples/f8app — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in fbsamples/f8app | Confirms the artifact applies here, not a fork | | 2 | License is still Other | Catches relicense before you depend on it | | 3 | Default branch main exists | Catches branch renames | | 4 | Last commit ≤ 1060 days ago | Catches sudden abandonment since generation |

<details> <summary><b>Run all checks</b> — paste this script from inside your clone of <code>fbsamples/f8app</code></summary>

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of fbsamples/f8app. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/fbsamples/f8app.git
#   cd f8app
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of fbsamples/f8app and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "fbsamples/f8app(\\.git)?\\b" \\
  && ok "origin remote is fbsamples/f8app" \\
  || miss "origin remote is not fbsamples/f8app (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(Other)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"Other\"" package.json 2>/dev/null) \\
  && ok "license is Other" \\
  || miss "license drift — was Other at generation time"

# 3. Default branch
git rev-parse --verify main >/dev/null 2>&1 \\
  && ok "default branch main exists" \\
  || miss "default branch main no longer exists"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 1060 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~1030d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/fbsamples/f8app"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

</details>

TL;DR

The complete source code of the official Facebook F8 conference app (2017), a production React Native mobile application showcasing modern Facebook open-source tooling. It demonstrates how to build a cross-platform iOS/Android app with React Native, Redux for state management, Relay for GraphQL data fetching, and server-driven UI patterns. Dual-platform monorepo: /android/app/ contains Android-specific Java/Gradle build config and resources; /ios/ would mirror this for iOS (not fully shown). JavaScript entry point and shared React Native components live at the root level (inferred from .babelrc, .eslintrc, .flowconfig at root). Redux state and Relay queries are likely in js/ or src/ directories (not fully enumerated). Assets and mocks in __mocks__/ for testing.

Who it's for

React Native developers, especially those learning production patterns and architecture; Facebook developers and conference attendees using the F8 app; teams building event-driven mobile applications that need to fetch dynamic schedule/speaker data via GraphQL.

Maturity & risk

Production-ready and historically mature—this is the actual shipping app code from Facebook's 2017 F8 conference, available on Google Play and App Store. However, the codebase is not actively maintained (appears frozen circa 2017–2018), serving primarily as an educational reference and tutorial resource at makeitopen.com rather than an evolving product.

Standard open source risks apply.

Active areas of work

Nothing—this is an archived snapshot of the 2017 F8 app. The repository is published for educational reference via makeitopen.com tutorials and is not under active development. No recent commits, PRs, or issues are expected.

Get running

Clone and install: git clone https://github.com/fbsamples/f8app.git && cd f8app && npm install (or yarn install). For Android: cd android && ./gradlew build. For iOS: cd ios && pod install && open f8app.xcworkspace. Start dev server with npm start or react-native start. Full local setup documented at http://makeitopen.com/docs/en/1-A1-local-setup.html.

Daily commands:

1. npm install (or yarn install) 2. npm start (or react-native start) to run Metro bundler 3. For iOS: react-native run-ios or open ios/f8app.xcworkspace in Xcode 4. For Android: react-native run-android (with running emulator/device) 5. Alternatively: cd android && ./gradlew installDebug to build APK directly.

Map of the codebase

• android/app/build.gradle: Android build configuration, dependency declarations, and React Native bundling setup via react.gradle plugin; entry point for Android build customization.
• .babelrc: Babel transpilation config for ES6+ and React Native JSX; required for JavaScript module transformation across both platforms.
• .flowconfig: Flow static type checker configuration; indicates codebase uses Flow types for type safety (contrast with TypeScript).
• .eslintrc: ESLint configuration for code style and quality checks; enforces linting rules across the JavaScript codebase.
• android/app/src/main/java/com/facebook/f8/MainActivity.java: Android entry point Activity; initializes React Native bridge and native modules for Android.
• .circleci/config.yml: CI/CD pipeline configuration; shows how builds, tests, and releases were (or were meant to be) automated.

How to make changes

UI Components & Screens: Look in root js/ or src/ for React Native screen components and views (conference schedule, speaker details, etc.). State Management: Redux reducers/actions likely in js/store/ or similar. Data Fetching: Relay queries in component files or js/queries/. Navigation: React Navigation setup (common in RN apps). Android-specific: android/app/src/main/java/com/facebook/f8/MainActivity.java and MainApplication.java for native module initialization. iOS-specific: Equivalent files in ios/ directory. Configuration: .babelrc, .eslintrc, .flowconfig for tooling; android/app/build.gradle for Android build parameters.

Traps & gotchas

1. Relay Version: Uses Relay v0.x (inferred from 2017 era), not Relay Modern—GraphQL query syntax and Relay APIs differ significantly; modern tutorials will not apply. 2. React Native Version: Pinned to ~2017 RN version; Metro bundler, native module linking, and API have changed—react-native link is deprecated. 3. Java/Gradle Versions: android/app/build.gradle references older Android SDK, Gradle plugin versions; may fail with modern Java/Gradle without compatibility adjustments. 4. GraphQL Endpoint: Likely hardcoded or config-driven to Facebook's internal F8 GraphQL server; running locally requires mocking or network access. 5. CocoaPods/Xcode: iOS build requires specific Xcode version and CocoaPods compatibility; .podfile version constraints are implicit. 6. No Test Suite Visible: No __tests__/ or .test.js files in file list; testing infrastructure may be sparse or not included in open-source release.

Concepts to learn

• GraphQL & Relay (v0.x) — f8app fetches all dynamic data (schedule, speakers, sessions) via Relay queries to a GraphQL endpoint; understanding Relay containers and fragment definitions is essential to adding new data fields or screens.
• React Native Bridge & Native Modules — f8app's Android (MainActivity.java) and iOS layers communicate with JavaScript via the React Native bridge; native modules are needed for platform-specific features like push notifications or sensor access.
• Redux State Container & Actions — f8app centralizes app state (user prefs, schedule filters, favorite sessions) in Redux; modifying or adding state requires understanding actions, reducers, and selectors.
• Babel & Metro Bundler — f8app's JavaScript is transpiled via Babel (.babelrc) and bundled by Metro for iOS/Android; understanding these tools is required to use modern JS syntax and debug bundling errors.
• Flow Static Type Checking — f8app uses Flow (not TypeScript) for type safety across components and Redux logic; reading and writing Flow types is required for contributions to maintain type integrity.
• Android Gradle Build System & React Gradle Plugin — Android build is orchestrated by Gradle; android/app/build.gradle uses Facebook's react.gradle plugin to bundle JS during build—understanding build variants and bundling config is key for Android-specific changes.
• Screen-Driven Navigation & Tab-Based UI — f8app (a conference app) likely uses tab navigation (Schedule, Speakers, Map, etc.) common in event apps; understanding how React Navigation manages screen stack and tab state is necessary to add new screens.

Related repos

• facebook/react-native — The foundational framework this app is built on; understanding React Native's architecture and APIs is essential to modifying f8app.
• facebook/relay — The GraphQL client library used for data fetching; f8app is a primary reference implementation of Relay patterns from 2017.
• redux/redux — State management library powering f8app's Redux store; essential for understanding how app state is organized and updated.
• react-navigation/react-navigation — Likely navigation library used for screen transitions in f8app (inferred from RN best practices); understanding navigation setup is key to adding new screens.
• facebook/flow — Static type checker used across f8app codebase (.flowconfig present); learning Flow is necessary to understand and modify typed components.

PR ideas

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add GitHub Actions CI workflow for Android builds and tests

The repo has a CircleCI config (.circleci/config.yml) but no GitHub Actions workflow. Given the repo is on GitHub with Android and iOS builds, adding a .github/workflows/android.yml would provide faster feedback on PRs, reduce dependency on external CI services, and allow contributors to see build status directly in GitHub. This is especially valuable for React Native projects where platform-specific builds often fail.

• [ ] Create .github/workflows/android-build.yml with gradle build steps
• [ ] Add steps to run ./gradlew build and ./gradlew test for android/
• [ ] Include caching for gradle dependencies to speed up builds
• [ ] Test workflow triggers on push and pull_request events

Add unit tests for Redux action creators and reducers

The repo structure shows mocks/react-native.js exists but there's no visible test directory for Redux logic (actions, reducers, selectors). For a Redux-heavy app like F8, adding comprehensive unit tests would prevent regressions and make the codebase more maintainable. This is a high-value contribution because Redux logic is critical to app stability.

• [ ] Create js/tests/actions/ directory with tests for each action creator
• [ ] Create js/tests/reducers/ directory with tests for each reducer using initial state, known actions, and expected outputs
• [ ] Add test utilities/helpers in js/tests/utils.js for common Redux testing patterns
• [ ] Configure Jest in package.json if not already present, and run tests in CI

Add Flow type definitions for Android native modules (MainApplication.java, MainActivity.java)

The repo has .flowconfig indicating Flow is used for type checking, but there are no corresponding .js.flow files or typed wrappers for native Android modules exposed in android/app/src/main/java/com/facebook/f8/. Adding proper Flow types for native bridge calls would prevent type-related bugs at the JavaScript/native boundary and improve IDE autocompletion for React Native developers.

• [ ] Review MainApplication.java and MainActivity.java to identify exposed native modules and methods
• [ ] Create js/native-modules.js.flow with proper Flow type definitions for native module interfaces
• [ ] Document how to call native methods from JavaScript with correct signatures
• [ ] Add JSDoc comments with Flow annotations in any JavaScript files that interact with these native modules

Good first issues

• Add Flow type annotations to mock files: __mocks__/react-native.js likely lacks Flow type stubs; a junior could add typed mock definitions to improve type safety during testing.
• Document the GraphQL schema and Relay query structure: Create a docs/RELAY_GUIDE.md explaining how Relay queries are structured in this codebase, what the F8 GraphQL schema looks like, and how to add new queries—currently undocumented and a barrier to new contributors.
• Migrate CI config from outdated CircleCI format to modern syntax: .circleci/config.yml appears to be v1 format; upgrade to CircleCI v2 YAML syntax, add separate Android and iOS build jobs, and document test/build steps to unblock CI-driven development.

Top contributors

• @dependabot[bot] — 28 commits
• @frantic — 17 commits
• @gengjiawen — 7 commits
• @oclbdk — 3 commits
• [@Christine Abernathy](https://github.com/Christine Abernathy) — 2 commits

Recent commits

• 119f062 — Bump handlebars from 4.1.2 to 4.5.3 (#269) (dependabot[bot])
• a72cc60 — Bump stringstream from 0.0.5 to 0.0.6 in /server/parse-server (dependabot[bot])
• cb3ad19 — Bump method-override from 2.3.7 to 2.3.10 (dependabot[bot])
• 2b88e60 — Bump sshpk from 1.13.1 to 1.16.1 in /server/graphql (dependabot[bot])
• 0d31186 — Bump sshpk from 1.13.1 to 1.16.1 in /server/parse-server (dependabot[bot])
• c72c9b6 — Bump eslint from 3.18.0 to 4.18.2 (#261) (dependabot[bot])
• 177c9da — Bump is-my-json-valid from 2.15.0 to 2.20.0 (dependabot[bot])
• cb85a91 — Bump moment from 2.17.1 to 2.24.0 (dependabot[bot])
• 4ae62f7 — Bump diff from 3.1.0 to 3.5.0 (dependabot[bot])
• c477a16 — Bump marked from 0.3.6 to 0.3.19 (dependabot[bot])

Security observations

The F8 app codebase has several significant security concerns, primarily related to Docker infrastructure and deployment configuration. The most critical issues are the exposed Parse Server/Dashboard ports without authentication, unauthenticated MongoDB access, and unencrypted inter-service communication. The Android application configuration lacks explicit security hardening for production builds.

• High · Exposed Parse Server and Dashboard Ports — docker-compose.yml (parse, parse_dashboard, graphql services). The docker-compose.yml configuration exposes Parse Server (port 1337), Parse Dashboard (port 4040), and GraphQL server (port 4000) directly to the host without authentication or firewall restrictions. This allows unauthorized access to sensitive backend services and the admin dashboard. Fix: Implement reverse proxy with authentication, use environment-specific port bindings (127.0.0.1 for local dev), add authentication layer, and implement network isolation. Never expose admin dashboards directly.
• High · Missing MongoDB Authentication — docker-compose.yml (mongo service). The MongoDB service in docker-compose.yml is deployed without any authentication credentials (no MONGO_INITDB_ROOT_USERNAME/PASSWORD). This allows unauthenticated access to the database. Fix: Add MongoDB authentication: set MONGO_INITDB_ROOT_USERNAME and MONGO_INITDB_ROOT_PASSWORD environment variables. Use MongoDB auth in connection strings. Implement network policies to restrict access.
• High · Unencrypted Network Communication — docker-compose.yml (graphql service environment). The docker-compose.yml services communicate over unencrypted HTTP (PARSE_URL=http://parse:1337/parse). GraphQL, Parse, and other services lack TLS/SSL configuration for inter-service communication. Fix: Implement TLS/SSL for all service-to-service communication. Use HTTPS endpoints. Implement Docker network encryption or service mesh (Istio/Linkerd).
• Medium · Potential Hardcoded Keystore Credentials — android/keystores/debug.keystore.properties. The android/keystores/debug.keystore.properties file suggests keystore configuration that may contain sensitive signing credentials. Debug keystores should never be committed to version control. Fix: Never commit keystores or their properties files to version control. Use environment variables or secure credential management. Create a .gitignore entry for keystore files. Use separate debug/release signing configurations.
• Medium · Insufficient Build Security Configuration — android/app/build.gradle, android/app/proguard-rules.pro. The android/app/proguard-rules.pro may have weak obfuscation settings. The build.gradle lacks security-related configurations such as minification, code shrinking, or security headers configuration. Fix: Enable ProGuard/R8 with aggressive obfuscation rules. Enable code shrinking and resource shrinking in release builds. Configure security-aware build variants for production.
• Medium · Missing Environment Configuration Security — Project root / docker-compose.yml. The repository lacks visible environment-based configuration management (.env files are not present). Without proper environment separation, secrets risk being hardcoded or misconfigured across environments. Fix: Implement environment-based configuration using .env files (excluded from git), implement secrets management (HashiCorp Vault, AWS Secrets Manager), use Docker secrets for Swarm deployments.
• Low · Missing Security Headers in App Configuration — app.json, graphql server configuration. The app.json and project configuration files don't show explicit security headers or content security policies for the web/GraphQL components. Fix: Implement Content Security Policy (CSP) headers, X-Frame-Options, X-Content-Type-Options, and other security headers in server responses. Configure API CORS policies appropriately.
• Low · Debug Configuration Exposed — android/app/src/debug/, .eslintrc configuration. The presence of debug build variants and configurations (android/app/src/debug) suggests debug features may be enabled in development builds. Risk of debug endpoints being accidentally exposed. Fix: Ensure debug features are completely disabled in release builds. Use build flavor-specific configurations. Implement compile-time feature flags to strip debug code from production builds.

LLM-derived; treat as a starting point, not a security audit.

Where to read next

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

---

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.