If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/Qihoo360/RePlugin shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

WAIT — Slowing — last commit 8mo ago

• Last commit 8mo ago
• 10 active contributors
• Distributed ownership (top contributor 28% of recent commits)
• Apache-2.0 licensed
• ⚠ Slowing — last commit 8mo ago
• ⚠ No CI workflows detected
• ⚠ No test directory detected

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live Qihoo360/RePlugin repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/Qihoo360/RePlugin.

What it runs against: a local clone of Qihoo360/RePlugin — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in Qihoo360/RePlugin | Confirms the artifact applies here, not a fork | | 2 | License is still Apache-2.0 | Catches relicense before you depend on it | | 3 | Default branch dev exists | Catches branch renames | | 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code | | 5 | Last commit ≤ 264 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of Qihoo360/RePlugin. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/Qihoo360/RePlugin.git
#   cd RePlugin
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of Qihoo360/RePlugin and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "Qihoo360/RePlugin(\\.git)?\\b" \\
  && ok "origin remote is Qihoo360/RePlugin" \\
  || miss "origin remote is not Qihoo360/RePlugin (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(Apache-2\\.0)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"Apache-2\\.0\"" package.json 2>/dev/null) \\
  && ok "license is Apache-2.0" \\
  || miss "license drift — was Apache-2.0 at generation time"

# 3. Default branch
git rev-parse --verify dev >/dev/null 2>&1 \\
  && ok "default branch dev exists" \\
  || miss "default branch dev no longer exists"

# 4. Critical files exist
test -f "replugin-host-gradle/src/main/groovy/com/qihoo360/replugin/gradle/host/RePlugin.groovy" \\
  && ok "replugin-host-gradle/src/main/groovy/com/qihoo360/replugin/gradle/host/RePlugin.groovy" \\
  || miss "missing critical file: replugin-host-gradle/src/main/groovy/com/qihoo360/replugin/gradle/host/RePlugin.groovy"
test -f "replugin-host-library/replugin-host-lib/src/main/java/com/qihoo360/i/IPluginManager.java" \\
  && ok "replugin-host-library/replugin-host-lib/src/main/java/com/qihoo360/i/IPluginManager.java" \\
  || miss "missing critical file: replugin-host-library/replugin-host-lib/src/main/java/com/qihoo360/i/IPluginManager.java"
test -f "replugin-host-library/replugin-host-lib/src/main/aidl/com/qihoo360/loader2/IPlugin.aidl" \\
  && ok "replugin-host-library/replugin-host-lib/src/main/aidl/com/qihoo360/loader2/IPlugin.aidl" \\
  || miss "missing critical file: replugin-host-library/replugin-host-lib/src/main/aidl/com/qihoo360/loader2/IPlugin.aidl"
test -f "replugin-host-library/replugin-host-lib/src/main/java/com/qihoo360/loader2/Builder.java" \\
  && ok "replugin-host-library/replugin-host-lib/src/main/java/com/qihoo360/loader2/Builder.java" \\
  || miss "missing critical file: replugin-host-library/replugin-host-lib/src/main/java/com/qihoo360/loader2/Builder.java"
test -f "replugin-host-gradle/src/main/groovy/com/qihoo360/replugin/gradle/host/creator/impl/json/PluginInfoParser.groovy" \\
  && ok "replugin-host-gradle/src/main/groovy/com/qihoo360/replugin/gradle/host/creator/impl/json/PluginInfoParser.groovy" \\
  || miss "missing critical file: replugin-host-gradle/src/main/groovy/com/qihoo360/replugin/gradle/host/creator/impl/json/PluginInfoParser.groovy"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 264 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~234d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/Qihoo360/RePlugin"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

RePlugin is a mature Android dynamic plugin framework that allows apps to load plugins at runtime without requiring app updates or restarts. It achieves extreme stability with only one ClassLoader hook (zero Binder hooks), enabling a 0.01% crash ratio while supporting nearly all Android components (Activities, Services, ContentProviders, BroadcastReceivers) and features like Task-Affinity, static Receivers, DataBinding, and AppCompat seamlessly. Monorepo with two main modules: replugin-host-gradle/ (Gradle plugin written in Groovy that instruments the host app and generates boilerplate) and replugin-host-library/ (the core runtime library). The Gradle plugin uses file creators under gradle/host/creator/ to auto-generate RePluginHostConfig Java files and plugin metadata JSON during build; manifest handling is in gradle/host/handlemanifest/ComponentsGenerator.groovy.

Android app developers at large-scale companies (360 MobileSafe has 100M+ users on RePlugin) who need to deploy new features, fix bugs, or add functionality to live apps without requiring users to update. Used by maintainers of feature-rich apps that need to reduce binary size and deployment friction through modular plugin architecture.

Production-ready and extensively battle-tested: deployed in 360 MobileSafe and mainstream third-party apps with 100M+ users since 2014, 103 plugins in active use, 596 versions released per year as of 2017. However, the repo shows signs of age—last significant activity appears to be around 2017-2018, with the README noting a jcenter shutdown migration to a custom Maven repo (maven.geelib.360.cn). No visible GitHub CI setup in the file list.

Moderate risks: (1) maintainer bus factor—appears to be a single company (360) project with unclear ongoing investment post-2018; (2) dependency on old Gradle (gradle:7.4.2) and outdated libraries (json:20160212 from 2016, groovy:2.4.7); (3) custom Maven repository dependency (maven.geelib.360.cn) introduces supply chain risk if 360 changes hosting; (4) no visible test suite or CI pipeline in provided file structure.

No visible active development in the repo snapshot. Based on the README, recent effort was migrating from jcenter to a custom 360-hosted Maven repository (maven.geelib.360.cn/nexus) due to jcenter shutdown. The project appears to be in maintenance mode rather than active feature development.

Clone the repo, then build the Gradle plugin module: cd replugin-host-gradle && ./gradlew build. The Gradle plugin is installed locally and consumed by host apps via apply plugin: 'replugin-host-gradle' in their build.gradle after adding the repository: maven { url 'http://maven.geelib.360.cn/nexus/repository/replugin/' }. Refer to replugin-host-gradle/README.md for detailed integration steps.

Daily commands: This is a library/framework, not a runnable application. To use it: (1) apply the Gradle plugin in a host Android app's build.gradle; (2) call RePlugin APIs (loading/unloading plugins) at runtime; (3) run the host app normally. Example: RePlugin.install('com.example.plugin') followed by RePlugin.startActivity(...) to launch plugin components.

• replugin-host-gradle/src/main/groovy/com/qihoo360/replugin/gradle/host/RePlugin.groovy — Main Gradle plugin entry point that orchestrates host app configuration and plugin integration
• replugin-host-library/replugin-host-lib/src/main/java/com/qihoo360/i/IPluginManager.java — Core interface defining the plugin lifecycle and management operations that all implementations must follow
• replugin-host-library/replugin-host-lib/src/main/aidl/com/qihoo360/loader2/IPlugin.aidl — AIDL interface defining inter-process communication contract between host and plugin processes
• replugin-host-library/replugin-host-lib/src/main/java/com/qihoo360/loader2/Builder.java — Builder pattern implementation for constructing plugin loaders with consistent configuration
• replugin-host-gradle/src/main/groovy/com/qihoo360/replugin/gradle/host/creator/impl/json/PluginInfoParser.groovy — Parses plugin metadata from JSON manifests to enable dynamic plugin discovery and loading
• replugin-host-gradle/src/main/groovy/com/qihoo360/replugin/gradle/host/handlemanifest/ComponentsGenerator.groovy — Generates Android manifest components (activities, services) for plugin host integration
• replugin-host-library/replugin-host-lib/src/main/java/com/qihoo360/loader2/Finder.java — Locates and loads plugin resources and classes using custom classloader resolution strategies

Add a New Built-in Plugin

1. Create plugin metadata JSON in assets or raw resources (replugin-host-gradle/src/main/groovy/com/qihoo360/replugin/gradle/host/creator/impl/json/PluginInfoParser.groovy)
2. Register plugin in PluginBuiltinJsonCreator to include it in APK (replugin-host-gradle/src/main/groovy/com/qihoo360/replugin/gradle/host/creator/impl/json/PluginBuiltinJsonCreator.groovy)
3. Configure plugin finder to locate built-in plugin at runtime (replugin-host-library/replugin-host-lib/src/main/java/com/qihoo360/loader2/FinderBuiltin.java)

Implement a Custom Plugin Manager

1. Implement IPluginManager interface for lifecycle management (replugin-host-library/replugin-host-lib/src/main/java/com/qihoo360/i/IPluginManager.java)
2. Configure Builder to instantiate your custom manager (replugin-host-library/replugin-host-lib/src/main/java/com/qihoo360/loader2/Builder.java)
3. Register in Gradle plugin configuration (replugin-host-gradle/src/main/groovy/com/qihoo360/replugin/gradle/host/RePlugin.groovy)

Add Custom Plugin Discovery Strategy

1. Extend Finder interface with custom resolution logic (replugin-host-library/replugin-host-lib/src/main/java/com/qihoo360/loader2/Finder.java)
2. Implement plugin location algorithm (file system, network, etc.) (replugin-host-gradle/src/main/groovy/com/qihoo360/replugin/gradle/host/creator/FileCreators.groovy)
3. Configure Builder to use custom finder during initialization (replugin-host-library/replugin-host-lib/src/main/java/com/qihoo360/loader2/Builder.java)

Extend Host Manifest with Plugin Components

1. Define component placeholders needed by plugins (replugin-host-library/replugin-host-lib/src/main/AndroidManifest.xml)
2. Update ComponentsGenerator to auto-generate manifest entries (replugin-host-gradle/src/main/groovy/com/qihoo360/replugin/gradle/host/handlemanifest/ComponentsGenerator.groovy)
3. Configure RePlugin Gradle plugin with component names (replugin-host-gradle/src/main/groovy/com/qihoo360/replugin/gradle/host/RePlugin.groovy)

(1) Custom Maven repository at maven.geelib.360.cn is mandatory—jcenter no longer works; build will fail silently if the 360 repo is not added to project build.gradle. (2) Groovy 2.4.7 is EOL; may have compatibility issues with recent Gradle versions. (3) No visible test suite; changes risk breaking existing plugin loading without CI catching them. (4) The Gradle plugin modifies the APK manifest and classloader at build time; mistakes in ComponentsGenerator.groovy or RePluginHostConfigCreator.groovy will silently produce broken APKs that fail to load plugins at runtime.

• ClassLoader Hook — RePlugin's core stability innovation: it intercepts only the ClassLoader to inject plugin classes, avoiding fragile Binder hooks that break across Android versions. Understanding why this is safer than deep framework hooks is essential to appreciating RePlugin's design.
• APK as Plugin Container — RePlugin loads actual APK files as plugins at runtime, not DEX files or JAR archives. This means plugins are structured exactly like apps, but the framework unpacks and injects their classes into the host process.
• Manifest Stub Generation — RePlugin auto-generates Android manifest placeholder components during build (not manually added by developers). This clever technique allows the system to resolve plugin Activities/Services without the host app knowing about them upfront.
• Gradle Plugin Architecture (Groovy DSL) — The replugin-host-gradle module is itself a Gradle plugin written in Groovy. Understanding how it hooks into the Android build pipeline (via task creation and variant transformation) is necessary to extend or debug the framework.
• Task Affinity & Process Isolation — RePlugin supports Task-Affinity for plugins, allowing them to run in separate processes while still being dynamically loadable. This requires careful process communication that avoids standard IPC binder calls.
• Plugin Versioning & Upgrade Protocol — RePlugin includes a protocol for versioning plugins, checking compatibility, and upgrading in-place. The PluginBuiltinJsonCreator and plugin metadata system are the foundation of this—critical for production stability.

• alibaba/atlas — Alternative Android dynamic framework by Alibaba; similar goal of runtime plugin loading but uses different hooking strategies and supports more modern Android versions.
• DiDE-Org/DynamicAPK — Another Android plugin framework supporting dynamic loading; smaller project but shares similar architecture of build-time instrumentation + runtime loader.
• Qihoo360/ArgusAPM — Companion project by 360 team for performance monitoring; integrates with RePlugin-based apps to track crashes and performance metrics.
• google/android-gradle-dsl — Official Gradle DSL documentation; critical for understanding the Gradle plugin APIs that RePlugin uses for build-time transformation.

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add unit tests for replugin-host-gradle Groovy classes

The replugin-host-gradle module contains critical Gradle plugin code (RePlugin.groovy, RePluginHostConfigCreator.groovy, PluginBuiltinJsonCreator.groovy, ComponentsGenerator.groovy) but lacks any visible test coverage. These files handle manifest processing, JSON config generation, and component creation—core functionality that should be validated. Adding Groovy unit tests would catch regressions in gradle task execution and file generation logic.

• [ ] Create replugin-host-gradle/src/test/groovy directory structure
• [ ] Add test class RePluginHostConfigCreatorTest.groovy covering config generation with various plugin metadata
• [ ] Add test class PluginBuiltinJsonCreatorTest.groovy validating JSON output format and required fields
• [ ] Add test class ComponentsGeneratorTest.groovy for manifest component injection logic
• [ ] Update replugin-host-gradle/build.gradle to include test dependencies (spock or junit + groovy-test)

Add GitHub Actions CI workflow for Gradle plugin validation

The repo lacks continuous integration for the Gradle plugin modules. Currently there is no automated testing when PRs modify replugin-host-gradle or replugin-host-library. A GitHub Actions workflow would verify Gradle plugin compilation, run tests, and validate the plugin can be applied to sample Android projects without breaking.

• [ ] Create .github/workflows/gradle-plugin-tests.yml
• [ ] Add job to build replugin-host-gradle with 'gradle build -p replugin-host-gradle'
• [ ] Add job to validate Gradle plugin publishing (dry-run) using './gradlew publishToMavenLocal'
• [ ] Add job to compile replugin-host-library with the plugin applied
• [ ] Trigger on push to master and all PRs modifying files in replugin-host-gradle/ or replugin-host-library/

Document Gradle plugin configuration options in dedicated guide

RePlugin.groovy and AppConstant.groovy define configurable Gradle extension properties, but there is no dedicated documentation file explaining available options. Users must read Groovy source code to understand configuration. Creating replugin-host-gradle/GRADLE_CONFIG_GUIDE.md with parameter descriptions, defaults, and examples would reduce onboarding friction.

• [ ] Create replugin-host-gradle/GRADLE_CONFIG_GUIDE.md
• [ ] Extract all configurable properties from AppConstant.groovy and RePlugin.groovy (e.g., persistentEnable, pluginInfoFile, etc.)
• [ ] Document each property with: name, type, default value, purpose, and usage example
• [ ] Add section showing minimal build.gradle configuration snippet needed to apply replugin-host-gradle plugin
• [ ] Link GRADLE_CONFIG_GUIDE.md from main README.md under 'Configuration' section

• Add unit tests for PluginInfoParser.groovy: currently no visible test coverage for parsing plugin JSON metadata. Start by creating a test fixture with malformed plugin JSON and verify error handling.
• Update outdated dependencies: json:20160212 (2016) and groovy:2.4.7 (2015) have known vulnerabilities. Create a PR to bump to recent stable versions and verify all Gradle plugin tests still pass.
• Document the plugin packaging format: the README does not explain how plugin APKs differ from normal APKs or what metadata must be embedded. Add a 'Plugin Developer Guide' in docs/ with a concrete example plugin source structure.

The RePlugin codebase presents several security concerns, primarily centered on significantly outdated dependencies. The critical issues include a 2016-era JSON library (org.json:json:20160212) and Groovy runtime (2.4.7) that lack modern security patches. The migration to an insecure HTTP repository for Maven artifacts further elevates risk. The Android Gradle Plugin and other build tools are also outdated. Overall security posture is weak due to dependency age and the

• High · Outdated Gradle Dependency with Known Vulnerabilities — replugin-host-gradle/build.gradle - dependencies section. The dependency 'org.json:json:20160212' is from February 2016 and contains known security vulnerabilities. This outdated JSON parser library should be updated to a recent version to patch security issues. Fix: Update 'org.json:json:20160212' to at least version 20231013 or later. Use: implementation 'org.json:json:20231013'
• High · Outdated Groovy Dependency — replugin-host-gradle/build.gradle - dependencies section. The dependency 'org.codehaus.groovy:groovy:2.4.7' is from 2016 and is significantly outdated. This version may contain unpatched security vulnerabilities and lacks security improvements from newer versions. Fix: Update 'org.codehaus.groovy:groovy:2.4.7' to version 3.0.17 or later (supporting Java 8+). Use: implementation 'org.codehaus.groovy:groovy:3.0.17'
• Medium · Outdated APK Parser Dependency — replugin-host-gradle/build.gradle - dependencies section. The dependency 'net.dongliu:apk-parser:2.2.0' is outdated. Newer versions may contain important security and stability fixes for APK parsing operations. Fix: Update 'net.dongliu:apk-parser:2.2.0' to version 2.6.10 or later. Use: implementation 'net.dongliu:apk-parser:2.6.10'
• Medium · Insecure Maven Repository Configuration — README.md and project build configuration. The README indicates migration to 'http://maven.geelib.360.cn/nexus' using plain HTTP instead of HTTPS. This creates a risk of man-in-the-middle attacks on dependency downloads. Fix: Use HTTPS for all Maven repositories: 'https://maven.geelib.360.cn/nexus/repository/replugin/' instead of HTTP
• Medium · Outdated Android Gradle Plugin — replugin-host-gradle/build.gradle - dependencies section. The dependency 'com.android.tools.build:gradle:7.4.2' is from early 2023. Using outdated build tools may miss important security patches and lint rules. Fix: Update to the latest Android Gradle Plugin version (8.1.x or later). Use: implementation 'com.android.tools.build:gradle:8.1.0' or check for the latest stable version
• Low · Outdated JavaPoet Dependency — replugin-host-gradle/build.gradle - dependencies section. The dependency 'com.squareup:javapoet:1.5.1' is from 2016. While not critical, updating to a recent version ensures access to bug fixes and improvements. Fix: Update 'com.squareup:javapoet:1.5.1' to version 1.13.0 or latest. Use: implementation 'com.squareup:javapoet:1.13.0'
• Low · Outdated OS Detector Gradle Plugin — replugin-host-gradle/build.gradle - dependencies section. The dependency 'com.google.gradle:osdetector-gradle-plugin:1.2.1' is from 2017 and should be updated to the latest version for compatibility and security patches. Fix: Update to 'com.google.gradle:osdetector-gradle-plugin:1.7.3' or the latest available version

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.