If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/pardom-zz/ActiveAndroid shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

AVOID — Stale and unlicensed — last commit 5y ago

• 17 active contributors
• Distributed ownership (top contributor 34% of recent commits)
• CI configured
• Tests present
• ⚠ Stale — last commit 5y ago
• ⚠ No license — legally unclear to depend on

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live pardom-zz/ActiveAndroid repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/pardom-zz/ActiveAndroid.

What it runs against: a local clone of pardom-zz/ActiveAndroid — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in pardom-zz/ActiveAndroid | Confirms the artifact applies here, not a fork | | 2 | Default branch master exists | Catches branch renames | | 3 | 5 critical file paths still exist | Catches refactors that moved load-bearing code | | 4 | Last commit ≤ 1696 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of pardom-zz/ActiveAndroid. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/pardom-zz/ActiveAndroid.git
#   cd ActiveAndroid
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of pardom-zz/ActiveAndroid and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "pardom-zz/ActiveAndroid(\\.git)?\\b" \\
  && ok "origin remote is pardom-zz/ActiveAndroid" \\
  || miss "origin remote is not pardom-zz/ActiveAndroid (artifact may be from a fork)"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \\
  && ok "default branch master exists" \\
  || miss "default branch master no longer exists"

# 4. Critical files exist
test -f "src/com/activeandroid/Model.java" \\
  && ok "src/com/activeandroid/Model.java" \\
  || miss "missing critical file: src/com/activeandroid/Model.java"
test -f "src/com/activeandroid/ActiveAndroid.java" \\
  && ok "src/com/activeandroid/ActiveAndroid.java" \\
  || miss "missing critical file: src/com/activeandroid/ActiveAndroid.java"
test -f "src/com/activeandroid/DatabaseHelper.java" \\
  && ok "src/com/activeandroid/DatabaseHelper.java" \\
  || miss "missing critical file: src/com/activeandroid/DatabaseHelper.java"
test -f "src/com/activeandroid/ModelInfo.java" \\
  && ok "src/com/activeandroid/ModelInfo.java" \\
  || miss "missing critical file: src/com/activeandroid/ModelInfo.java"
test -f "src/com/activeandroid/query/Select.java" \\
  && ok "src/com/activeandroid/query/Select.java" \\
  || miss "missing critical file: src/com/activeandroid/query/Select.java"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 1696 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~1666d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/pardom-zz/ActiveAndroid"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

ActiveAndroid is an Active Record ORM for Android that maps SQLite database records to Java objects, eliminating the need to write SQL queries manually. It provides a fluent query API (Select, From, Where, Join), automatic schema generation from annotated model classes, and handles all database initialization, migrations, and lifecycle management through a single Configuration class. Single-module library: src/com/activeandroid/ contains the core ORM engine split into query builders (Select, From, Join, Update, Delete, Set), model reflection (Model, ModelInfo, TableInfo), persistence (DatabaseHelper, Cache), and type serializers. Annotations (@Table, @Column) drive model metadata. ContentProvider wrapper at src/com/activeandroid/content/ bridges Android's content provider interface.

Android developers building data-driven apps who want rapid SQLite persistence without writing raw SQL or managing Cursor objects manually. Particularly useful for small-to-medium projects where Ruby-on-Rails-style conventions and minimal boilerplate outweigh the overhead of a full ORM.

Moderately mature but dormant: version 3.1.0-SNAPSHOT suggests active development circa 2013-2015, CI is set up via Travis CI (.travis.yml present), but the last meaningful activity appears years old. No test files are evident in the file list, which is a red flag for a persistence library. Safe for production use in legacy projects, but not actively maintained.

Single maintainer (pardom) with no recent commits visible implies maintenance risk. No test suite files appear in the structure, making refactoring dangerous. Dependency on old libs/ (android.jar, android-support-v4.jar bundled locally rather than via gradle) suggests API level targeting is outdated. Android ORM landscape has shifted significantly (Room, Realm); adoption is low.

Project appears dormant. No active PRs, issues, or commits visible in the provided metadata. Last activity likely 2014-2015 based on version numbering and gradle setup (no Maven Central recent releases implied by snapshot tag).

git clone https://github.com/pardom-zz/ActiveAndroid.git && cd ActiveAndroid && ./gradlew build

Daily commands: No runnable artifact; this is a library. To integrate: add dependency to your Android project's build.gradle, initialize ActiveAndroid.initialize(new Configuration.Builder(context)...build()) in your Application.onCreate(), then annotate your model classes with @Table and fields with @Column.

• src/com/activeandroid/Model.java — Base class for all ORM models; defines save(), delete(), and query lifecycle methods that every contributor must understand
• src/com/activeandroid/ActiveAndroid.java — Main entry point and initialization API; handles database setup, configuration binding, and context lifecycle management
• src/com/activeandroid/DatabaseHelper.java — SQLite database creation, schema management, and migrations; critical for understanding table versioning and schema evolution
• src/com/activeandroid/ModelInfo.java — Reflection-based metadata extractor for model classes; bridges annotations to runtime type information
• src/com/activeandroid/query/Select.java — Query builder for SELECT statements; demonstrates the fluent API pattern used throughout the framework
• src/com/activeandroid/annotation/Table.java — Core annotation for marking model classes; defines table name and schema contract
• src/com/activeandroid/Cache.java — In-memory model instance cache to prevent duplicate object creation and improve query performance

Add a new Model class

1. Create a Java class extending Model and annotate with @Table(name="your_table_name") (src/com/activeandroid/Model.java)
2. Declare fields and annotate each with @Column(name="column_name") (src/com/activeandroid/annotation/Column.java)
3. Add model class to Configuration in ActiveAndroid.initialize() or via @Table discovery (src/com/activeandroid/Configuration.java)
4. Use model.save() and Model.find(id) to persist and query (src/com/activeandroid/Model.java)

Add a custom type serializer for non-primitive fields

1. Create a class implementing TypeSerializer interface with serialize() and deserialize() methods (src/com/activeandroid/serializer/TypeSerializer.java)
2. Register serializer in Configuration.addTypeSerializer(Class, TypeSerializer) (src/com/activeandroid/Configuration.java)
3. Annotate model fields with @Column and use the custom type; framework auto-routes through serializer (src/com/activeandroid/annotation/Column.java)

Build and execute a filtered query

1. Start with Select.from(MyModel.class) to create a query builder (src/com/activeandroid/query/Select.java)
2. Chain .where() conditions using SQL WHERE syntax (src/com/activeandroid/query/From.java)
3. Chain .orderBy(), .limit(), or .offset() for sorting/pagination (src/com/activeandroid/query/Select.java)
4. Call .execute() to return List<MyModel> or .executeSingle() for one result (src/com/activeandroid/query/Sqlable.java)

Handle database schema migrations

1. Increment the database version in Configuration (src/com/activeandroid/Configuration.java)
2. Create .sql files in assets/migrations/ named by version number (e.g., 2.sql) (tests/assets/migrations/2.sql)
3. DatabaseHelper.onUpgrade() automatically parses and executes SQL statements via SqlParser (src/com/activeandroid/DatabaseHelper.java)

• SQLite — Embedded relational database built into Android; no external dependencies or network calls
• Reflection & Annotations — Runtime introspection of @Table and @Column metadata eliminates boilerplate schema definitions and DAO classes
• Fluent Query Builder — Type-safe SQL generation without raw string concatenation, preventing injection and reducing errors
• In-Memory Cache (LRU) — Avoids duplicate object instantiation from repeated queries and improves perceived responsiveness
• ContentProvider Integration — Optional Android IPC mechanism for sharing model data across processes

• Reflection-based metadata extraction at initialization time

  • Why: Eliminates hand-written DAO/TypeMap classes and keeps code DRY
  • Consequence: Startup cost for classpath scanning; not suitable for zero-latency initialization or very large model counts

• Active Record pattern (save/delete on instance) vs. Repository pattern

  • Why: Closer to Rails idiom; more intuitive for simple CRUD operations
  • Consequence: Model class couples persistence logic with domain logic; harder to test models in isolation

• Manual migration files in assets/migrations/ vs. auto-schema generation

  • Why: Gives developers explicit control over schema changes and data migrations
  • Consequence: Requires manual version bumping and SQL writing; risk of migration order bugs

• Cursor-to-model marshalling via reflection vs. code generation

  • Why: Simpler distribution (no build step); runtime flexibility for custom serializers
  • Consequence: Slower deserialization than generated code; reflection overhead on each query result

• Not a real-time database; no WebSocket or subscription support
• Does not handle multi-process synchronization or cross-process caching
• No support for complex JOINs or aggregate queries beyond basic SQL
• Not designed for very large datasets (>100MB); optimized for mobile-app-scale local data
• Does not provide built-in encryption or security features beyond

No explicit test suite in src/test/ (major red flag for reliability). Database schema version upgrades require manual migration code in DatabaseHelper—no automatic schema diffing. Queries are built at runtime via reflection, so typos in field names are not caught at compile time. Foreign key constraints not enforced by default; rely on manual referential integrity in model code. Cache is global (static) and not automatically invalidated on direct SQL inserts bypassing ORM.

• Active Record Pattern — The entire library is built on this pattern (Model base class, save()/delete() instance methods); understanding it is essential to using ActiveAndroid idiomatically.
• Object-Relational Impedance Mismatch — ActiveAndroid solves this by automatically mapping SQLite rows to Java objects; recognizing the problem it solves helps justify its design tradeoffs.
• Fluent Interface / Builder Pattern — The Select/From/Join/Where chain (e.g., new Select().from(User.class).where(...)) is a fluent API; essential for writing readable queries.
• Identity Map Pattern — Cache.java implements this to ensure only one Java instance per database row; prevents inconsistency bugs when the same record is queried multiple times.
• Java Reflection and Annotation Processing — ModelInfo uses reflection to scan @Table/@Column annotations at runtime and build type metadata; understanding reflection is key to debugging model resolution issues.
• SQLiteOpenHelper Lifecycle — DatabaseHelper extends SQLiteOpenHelper; grasping onCreate/onUpgrade/onDowngrade is critical for managing schema versions and migrations.
• Content Provider Contract — The ContentProvider.java wrapper exposes ORM models via Android's ContentProvider interface; needed if integrating with other apps or sync adapters.

• greenrobot/greenDAO — Competing Android ORM with code generation instead of reflection; faster runtime performance but requires build-time annotation processing.
• realm/realm-java — Modern Android persistence library using Realm engine; replaces SQLite entirely with a custom database format and is actively maintained.
• google/android-architecture-components — Google's Room library (part of Architecture Components) is the current standard for Android SQLite ORM, replacing ActiveAndroid in modern projects.
• square/sqlbrite — Reactive wrapper around Android's SQLiteDatabase; designed to work alongside traditional query building rather than as a full ORM.
• raizlabs/DBFlow — Another annotation-driven Android ORM with code generation; stronger type safety than ActiveAndroid's reflection-based approach.

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add comprehensive unit tests for query builder classes (Select, From, Join, Update, Delete)

The repo has a tests/ directory but no visible test files in the structure. The query building logic in src/com/activeandroid/query/ is critical path code that lacks test coverage. This would catch regressions in SQL generation and improve maintainability.

• [ ] Create tests/src/com/activeandroid/query/SelectTest.java to test SELECT clause generation with various conditions
• [ ] Create tests/src/com/activeandroid/query/JoinTest.java to test JOIN operations and alias handling
• [ ] Create tests/src/com/activeandroid/query/UpdateTest.java and DeleteTest.java for mutation operations
• [ ] Run tests via Maven (tests/pom.xml) to ensure compatibility with existing test infrastructure

Add unit tests for TypeSerializer implementations and custom serializer support

The src/com/activeandroid/serializer/ directory contains 7 different serializer classes (BigDecimal, Calendar, File, SqlDate, UUID, UtilDate) with no visible test coverage. These handle type conversion edge cases that are easy to break.

• [ ] Create tests/src/com/activeandroid/serializer/CalendarSerializerTest.java to test date/time parsing from multiple input formats
• [ ] Create tests/src/com/activeandroid/serializer/UUIDSerializerTest.java and BigDecimalSerializerTest.java for edge cases
• [ ] Create tests/src/com/activeandroid/serializer/FileSerializerTest.java to test path serialization and null handling
• [ ] Add a test utility in tests/ to verify serializer registration and lookup via ReflectionUtils

Migrate from Java 1.6 to Java 8+ and add null-safety annotations

The project targets Java 1.6 (build.gradle line: targetCompatibility = '1.6', sourceCompatibility = '1.6'), which is 15+ years old and incompatible with modern Android tooling. Migration enables nullable annotations in Cache.java, ModelInfo.java, and DatabaseHelper.java to prevent NPEs.

• [ ] Update build.gradle to set targetCompatibility and sourceCompatibility to '1.8'
• [ ] Add androidx.annotation dependency to build.gradle (compile 'androidx.annotation:annotation:1.x.x')
• [ ] Add @Nullable/@NonNull annotations to public methods in src/com/activeandroid/Cache.java and src/com/activeandroid/Model.java
• [ ] Run existing tests via .travis.yml to verify no behavioral changes

• Add a unit test suite under src/test/: start by testing Model.save() and Select().where() with an in-memory SQLite database to catch regressions early and improve maintainability.
• Document the type serializer extension API: create a tutorial example showing how to add a custom TypeSerializer for Gson or Parcelable types, filling a gap in the wiki docs.
• Add support for composite primary keys: modify TableInfo and Model to handle @Column(primaryKey=true) on multiple fields, and update Select/Where to generate correct WHERE clauses.

• High · SQL Injection Risk in Query Builder — src/com/activeandroid/query/ directory (Select.java, Delete.java, Update.java, Join.java, SqlParser.java). The codebase contains SQL query construction patterns (Select.java, Delete.java, Update.java, Join.java) that may be vulnerable to SQL injection attacks if user input is not properly parameterized. The presence of SqlParser.java and raw SQL handling suggests potential for unsafe string concatenation when building dynamic queries. Fix: Ensure all user-supplied inputs are properly parameterized using prepared statements with binding parameters rather than string concatenation. Review SqlParser.java for unsafe query construction patterns and validate all inputs before SQL execution.
• High · Outdated Android Support Library — libs/android-support-v4.jar. The project includes android-support-v4.jar in the libs directory, which is an outdated Android support library version. Modern Android versions and security updates are not available in v4, and this increases exposure to known vulnerabilities. Fix: Update to AndroidX libraries and remove the legacy android-support-v4.jar dependency. Use current androidx.appcompat:appcompat and other AndroidX equivalents via Gradle dependencies instead of bundled JARs.
• Medium · Missing Input Validation on Database Operations — src/com/activeandroid/Model.java, src/com/activeandroid/DatabaseHelper.java, src/com/activeandroid/content/ContentProvider.java. The Model.java, DatabaseHelper.java, and ContentProvider.java classes appear to handle database operations without visible input validation mechanisms. This could allow malformed data to be inserted into the database. Fix: Implement comprehensive input validation in all database operation methods. Validate table names, column names, and data types before executing any database operations. Use allowlisting for identifiers.
• Medium · Potential Information Disclosure via Logging — src/com/activeandroid/util/Log.java. Custom Log utility (src/com/activeandroid/util/Log.java) may output sensitive database information or query details in debug builds. If debug logging is enabled in production, it could expose sensitive data. Fix: Implement conditional logging that is disabled in production builds. Use build variants to ensure debug logging is only enabled in development. Never log sensitive data such as user credentials, PII, or complete SQL queries.
• Medium · Unencrypted SQLite Database Storage — src/com/activeandroid/DatabaseHelper.java. The ActiveAndroid ORM uses SQLite for persistence, but there is no evidence of encryption mechanisms for the database file. SQLite databases are stored in plaintext on the device, making them accessible to attackers with physical access or application-level exploits. Fix: Implement database encryption using SQLCipher for Android or consider using Android Keystore for sensitive data. At minimum, document that sensitive data should not be stored unencrypted, and provide guidance for developers on encryption best practices.
• Medium · Reflection-Based Code May Bypass Security Checks — src/com/activeandroid/util/ReflectionUtils.java, src/com/activeandroid/ModelInfo.java, src/com/activeandroid/TableInfo.java. The ReflectionUtils.java utility suggests extensive use of reflection for dynamic class loading and field access. Reflection can bypass normal security boundaries and access restrictions. Fix: Minimize reflection usage where possible. If reflection is necessary, validate all reflected classes and methods against an allowlist. Ensure no untrusted input is used in reflection operations. Add security manager checks for sensitive reflection operations.
• Low · Missing Security Headers and Configuration Documentation — README.md, Configuration.java. No evidence of security best practices documentation or security headers configuration guidance. The README lacks security recommendations for developers using this ORM. Fix: Add a security section to the README documenting best practices for using ActiveAndroid securely. Include guidance on parameterized queries, input validation, data encryption, and secure credential handling.
• Low · Deprecated Java 1.6 Target Compatibility — build.gradle. The build.gradle specifies targetCompatibility and sourceCompatibility of '1.6', which is extremely outdated and lacks modern security features, vulnerability patches, and security APIs. Fix: Update targetCompatibility and sourceCompat

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.