If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/k0shk0sh/FastHub shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

WAIT — Stale — last commit 4y ago

• 19 active contributors
• Distributed ownership (top contributor 49% of recent commits)
• GPL-3.0 licensed
• ⚠ Stale — last commit 4y ago
• ⚠ GPL-3.0 is copyleft — check downstream compatibility
• ⚠ No CI workflows detected
• ⚠ No test directory detected

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live k0shk0sh/FastHub repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/k0shk0sh/FastHub.

What it runs against: a local clone of k0shk0sh/FastHub — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in k0shk0sh/FastHub | Confirms the artifact applies here, not a fork | | 2 | License is still GPL-3.0 | Catches relicense before you depend on it | | 3 | Default branch development exists | Catches branch renames | | 4 | Last commit ≤ 1364 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of k0shk0sh/FastHub. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/k0shk0sh/FastHub.git
#   cd FastHub
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of k0shk0sh/FastHub and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "k0shk0sh/FastHub(\\.git)?\\b" \\
  && ok "origin remote is k0shk0sh/FastHub" \\
  || miss "origin remote is not k0shk0sh/FastHub (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(GPL-3\\.0)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"GPL-3\\.0\"" package.json 2>/dev/null) \\
  && ok "license is GPL-3.0" \\
  || miss "license drift — was GPL-3.0 at generation time"

# 3. Default branch
git rev-parse --verify development >/dev/null 2>&1 \\
  && ok "default branch development exists" \\
  || miss "default branch development no longer exists"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 1364 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~1334d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/k0shk0sh/FastHub"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

FastHub is a native Android GitHub client built entirely from scratch in Java and Kotlin that provides a full-featured GitHub interface on mobile. It supports multiple authentication methods (Basic Auth, OAuth, Personal Access Tokens), enterprise accounts, offline mode, and includes advanced features like code highlighting, markdown rendering, PR reviews, gist management, and real-time notifications—essentially replicating core GitHub web functionality for Android devices. Single-module Android app structure: app/src/main/ contains core source (AndroidManifest.xml, Java/Kotlin sources in unnamed package hierarchy), app/src/debug/ holds debug configs and secrets, app/src/release/ for release signing. Assets in app/src/main/assets/ include JSON data (colors.json, emojis.json), custom fonts, and HTML/CSS for code highlighting. Gradle-driven build with multiple Groovy plugins (Apollo, Firebase, Fabric) orchestrating compilation and signing.

Android developers and GitHub power users who need a native, feature-rich GitHub client on their phone without the limitations of the web app or GitHub's official mobile interface. Contributors are primarily Android engineers interested in Kotlin/Java architecture, API integration, and mobile UI patterns.

Actively maintained but under significant refactoring (V5 overhaul noted in README with PR #2599 tracking major changes). The project has 473 release versions with stable Google Play presence, uses proper CI (Bitrise), and incorporates modern tooling (Apollo GraphQL, Firebase, Fabric), indicating production-ready status—but ongoing architectural changes suggest caution with major version integrations.

The codebase is undergoing a 'huge refactoring' per README, which creates API instability risk for integrations. Single maintainer (k0shk0sh) ownership pattern visible, and the large Java codebase (2.2M lines) with mixed Java/Kotlin suggests potential technical debt. FireBase, Fabric, and OAuth credential management in build properties require careful environment handling and could fail silently if misconfigured.

Major V5 refactoring is the primary focus (see PR #2599 mentioned in README). Current version is 4.7.3 (versionCode 473). The project recently migrated to Apollo GraphQL plugin and Firebase Perf integration. README explicitly notes 'under huge refactoring—submit issues only if necessary', indicating developers should expect breaking changes and architectural shifts.

Clone the repository: git clone https://github.com/k0shk0sh/FastHub.git && cd FastHub. Copy debug_gradle.properties or create one with placeholder secrets (github_client_id, github_secret, imgur_client_id, imgur_secret). Run ./gradlew assembleDebug to build the debug APK, or ./gradlew installDebug to install on connected device. Requires Android SDK 21–29 and a JVM supporting Java 8+.

Daily commands: Build debug APK: ./gradlew assembleDebug (outputs to app/build/outputs/apk/debug/). Install & run: ./gradlew installDebug && adb shell am start -n com.fastaccess.github/.MainActivity. Emulator: Requires x86 or ARM emulator image with API 21–29. Gradle wrapper: Project uses gradle wrapper, no global Gradle install needed.

• app/build.gradle: Defines all dependencies (Apollo, Firebase, OkHttp, Retrofit), build variants, signing config, and API keys—critical for understanding the tech stack and build requirements
• app/src/main/AndroidManifest.xml: Declares all Activities, Services, Permissions (OAuth, GitHub API access), and intent filters—essential to understand app entry points and required permissions
• app/src/debug/res/values/secrets.xml: Placeholder for API credentials (GitHub OAuth, Imgur); must be populated with real secrets or app will fail at OAuth/image upload time
• [app/src/main/assets/emojis.json & colors.json](https://github.com/k0shk0sh/FastHub/blob/development/app/src/main/assets/emojis.json & colors.json): Data files for emoji rendering and theme colors; referenced at runtime for UI customization and emoji suggestions in comments
• app/src/main/assets/highlight/: JavaScript (prettify.js) and CSS for code syntax highlighting in file diffs and gist viewers—handles rendering GitHub code in WebView
• app/proguard-rules.pro: ProGuard/R8 config for release builds; critical for obfuscation rules and keeping Firebase/Apollo classes unobfuscated

Start here: app/src/main/ contains all source code. Authentication flows: Look for login-related Activities (likely in app/src/main/java/com/fastaccess/github/ui/). API calls: app/src/main/assets/ shows data structures; check Java files for Retrofit/Apollo service definitions. UI changes: Fragment layouts typically in app/src/main/res/layout/. New features: Add GitHub API models in app/src/main/java, wire through service → repository → ViewModel → Fragment. Offline support: Likely DB layer in a persistence package; check Room entity definitions. Theme/colors: app/src/main/assets/colors.json defines color scheme; update for theme changes.

Secrets management: debug_gradle.properties and release_gradle.properties must exist with github_client_id, github_secret, imgur_client_id, imgur_secret, and android_key_alias/android_store_password—build will fail silently or crash at runtime if missing. Signing config: Release builds require a valid keystore file (fastaccess-public in this case) and correct passwords in gradle.properties. Apollo codegen: build.gradle references 'com.apollographql.android' plugin—if schema updates, run ./gradlew downloadApolloSchema to regenerate types or queries will break at compile. Firebase/Fabric: google-services.json in debug/ and release/ variants must match Firebase project IDs, or crashes and perf monitoring fail silently. Multi-dex required: multiDexEnabled true is set due to method count—removing it will cause immediate build failure above API 21.

• OAuth 2.0 Authorization Code Flow — FastHub implements three login types including OAuth; understanding the redirect dance (user clicks 'Login with GitHub' → browser → callback intent → token storage) is essential for debugging auth failures and adding new auth methods
• Apollo GraphQL Code Generation — The build.gradle applies 'com.apollographql.android' plugin which auto-generates Kotlin data classes from .graphql query files; understanding this pipeline prevents build breakage and helps add new API queries
• Android Fragment Lifecycle & Navigation — FastHub uses Fragment-based UI architecture (implied by typical Android patterns); misunderstanding Fragment lifecycle, back-stack management, and view state restoration causes memory leaks and state loss bugs
• ProGuard/R8 Code Obfuscation & Keep Rules — Release builds use ProGuard (proguard-rules.pro); misconfigured keep rules break API reflection (Firebase, Apollo, Retrofit) at runtime on production builds, causing silent crashes undetectable in debug builds
• Android Offline-First Architecture with Room/SQLite — FastHub advertises offline-mode support; this requires sync logic between remote REST/GraphQL APIs and local database (likely Room ORM)—essential for understanding cache invalidation and conflict resolution
• WebView Code Syntax Highlighting & JavaScript Bridge — Code diffs and gists render in WebView using prettify.js (assets/highlight/js/prettify.js); understanding Android WebView-Kotlin bridge and DOM manipulation prevents rendering bugs in code display
• Multi-Account Authentication & Keystore Security — FastHub supports multiple GitHub accounts and enterprise instances; tokens must be encrypted in Android Keystore (not plain SharedPreferences) to prevent credential theft—critical for security code review

• opticdev/FastHub-Development — Official development repository and issue tracker parallel to the main FastHub—tracks V5 refactoring PRs and architectural discussions
• googlesamples/android-architecture — Google's reference Android architecture (MVVM, Clean Architecture)—useful for understanding patterns FastHub may adopt during V5 refactoring
• Kotlin/kotlinx.coroutines — Coroutines library likely used in FastHub's Kotlin code for async API calls and background work—essential for understanding modern async patterns in this codebase
• apollographql/apollo-android — The GraphQL client used in FastHub (see com.apollographql.android plugin in build.gradle)—critical for understanding type-safe API generation and query caching
• square/retrofit — Likely REST HTTP client used alongside or before Apollo migration—needed to understand legacy API integration patterns in FastHub

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add GitHub Actions CI workflow for automated APK builds and testing

The repo currently uses Bitrise for CI (as shown in README badge), but lacks a GitHub Actions workflow file. Adding a .github/workflows/android-build.yml would enable automated builds on every push/PR, provide transparency to contributors, and reduce dependency on external CI services. This is especially important during the V5 refactoring mentioned in README.

• [ ] Create .github/workflows/android-build.yml with Android SDK setup and gradle build steps
• [ ] Add signing configuration for debug builds using GitHub secrets
• [ ] Include lint checks and unit test execution before APK generation
• [ ] Add artifact upload step to store APK and test reports

Create unit tests for GraphQL queries and Apollo client integration

The project uses Apollo GraphQL (app/build.gradle shows 'com.apollographql.android' plugin) but there's no visible test directory for GraphQL operations. With V5 refactoring underway, adding comprehensive tests for GraphQL queries, mutations, and cache handling would ensure data layer stability and prevent regressions.

• [ ] Create app/src/test directory structure for Apollo tests if not present
• [ ] Add test cases for common GraphQL queries (repos, issues, pulls, user data)
• [ ] Implement mock Apollo server responses using apollo-testing-support
• [ ] Add cache invalidation and error handling test scenarios

Document build setup and add secrets template for new contributors

The build.gradle shows complex build property handling (buildProperties.secrets and buildProperties.notThere) with references to release_gradle.properties and debug_gradle.properties that aren't in the repo. New contributors will face build failures without understanding the secrets setup. Creating a BUILDING.md guide with a secrets.properties.template file will significantly reduce onboarding friction.

• [ ] Create .github/secrets.properties.template with placeholders for github_client_id, github_secret, imgur_client_id, imgur_secret, and keystore credentials
• [ ] Write .github/BUILDING.md documenting local setup steps, Firebase config requirements, and keystore generation
• [ ] Update README.md to link to BUILDING.md in the development section
• [ ] Add note about debug vs release gradle.properties in CONTRIBUTING.md

• Add unit tests for API service layer (REST/Apollo calls): The app likely lacks test coverage for com.fastaccess.github.api or equivalent package. New contributors can write mock-based unit tests for GitHub API responses, OAuth token refresh, and rate-limit handling—foundational for refactoring.
• Implement missing fragment navigation tests: With Fragment-based architecture, add Espresso tests for common user flows (login → repo list → issue detail → comment) to catch regressions during V5 refactoring.
• Document emoji.json and colors.json data structure: The assets/emojis.json and colors.json files have no accompanying schema or README; add comments explaining field names, expected format, and how they're consumed by UI code—helps new contributors understand theme system.

• High · Sensitive Credentials in Build Configuration — app/build.gradle - buildConfigString declarations. Build.gradle contains references to sensitive credentials (GITHUB_CLIENT_ID, GITHUB_SECRET, IMGUR_CLIENT_ID, IMGUR_SECRET) that are loaded from gradle.properties files. While the build system attempts to use separate files for debug/release, this approach can expose secrets if the properties files are committed to version control or if build artifacts contain these values in BuildConfig. Fix: Use Android Keystore or a secure secrets management system. Never store secrets in gradle.properties files. Consider using Gradle build parameter injection or a CI/CD-managed secrets system. Remove secrets from BuildConfig if they're not strictly necessary at runtime.
• High · Hardcoded API Endpoints — app/build.gradle - buildConfigField declarations. REST_URL (https://api.github.com/) and IMGUR_URL (https://api.imgur.com/3/) are hardcoded in build.gradle. While these are public API endpoints, this pattern makes it difficult to rotate endpoints or implement proxy configurations for security purposes. Fix: Consider externalizing API endpoint configuration to a configuration file or environment variables that can be changed without rebuilding the app.
• Medium · Debug Build Configuration File Committed — app/src/debug/google-services.json, app/src/debug/res/values/secrets.xml. app/src/debug/google-services.json and app/src/debug/res/values/secrets.xml are present in the repository. Debug configuration files containing secrets or API keys should not be committed to version control. Fix: Add debug configuration files to .gitignore. Use a secrets management tool or CI/CD pipeline to inject these files during build time. If already committed, consider these credentials compromised and rotate them.
• Medium · Deprecated Kotlin Android Extensions Plugin — app/build.gradle - apply plugin: 'kotlin-android-extensions'. The build.gradle uses 'kotlin-android-extensions' plugin which has been deprecated in Kotlin 1.4.20+ and removed in Kotlin 2.0. This can lead to compatibility issues and lack of security updates. Fix: Migrate to ViewBinding instead of kotlin-android-extensions. Update the Kotlin compiler to the latest stable version.
• Medium · Older Compile SDK Version — app/build.gradle - compileSdkVersion 29. The app uses compileSdkVersion 29 (Android 10), which is outdated. Current recommendations are to target SDK 34+ (Android 14+). This may miss important security patches and modern Android security features. Fix: Update compileSdkVersion and targetSdkVersion to at least 34 (Android 14). Review and address any compatibility issues that arise from the update.
• Medium · Low Minimum SDK Version — app/build.gradle - minSdkVersion 21. minSdkVersion 21 (Android 5.0) is quite old and may include outdated libraries with known vulnerabilities. Supporting very old versions increases security risk surface. Fix: Evaluate if minSdkVersion 21 is necessary for your user base. Consider raising it to at least 24 or 26 to reduce legacy API usage and improve security baseline.
• Low · Missing Dependency Vulnerability Details — app/build.gradle - dependencies section (not shown). The build.gradle file is incomplete in the provided snippet. Full dependency list is not visible, making it impossible to assess for known vulnerable library versions. Dependencies like Firebase, Apollo GraphQL, and Fabric should be regularly audited. Fix: Implement dependency checking with tools like 'gradle dependencyUpdates' or 'OWASP Dependency-Check'. Regularly update dependencies and subscribe to security advisories for all major dependencies.
• Low · Missing ProGuard/R8 Security Configuration — app/proguard-rules.pro. While proguard-rules.pro exists, the file content is not provided. Improper ProGuard configuration can lead to inadequate code obfuscation, making reverse engineering easier. Fix: Ensure ProGuard/R8 rules properly obfuscate sensitive classes, API endpoints, and cryptographic operations. Test obfuscation thoroughly to ensure no runtime breakage.

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.