stratumauth/app
📱 Two-Factor Authentication (2FA) client for Android + Wear OS
Single-maintainer risk — review before adopting
Worst of 4 axes: copyleft license (GPL-3.0) — review compatibility; top contributor handles 93% of recent commits…
Has a license, tests, and CI — clean foundation to fork and modify.
Documented and popular — useful reference codebase to read through.
No critical CVEs, sane security posture — runnable as-is.
- ✓Last commit 2d ago
- ✓7 active contributors
- ✓GPL-3.0 licensed
- ✓CI configured
- ⚠Single-maintainer risk — top contributor 93% of recent commits
- ⚠GPL-3.0 is copyleft — check downstream compatibility
- ⚠No test directory detected
What would change the summary?
- →Use as dependency Concerns → Mixed if: relicense under MIT/Apache-2.0 (rare for established libs)
Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests
Informational only. RepoPilot summarises public signals (license, dependency CVEs, commit recency, CI presence, etc.) at the time of analysis. Signals can be incomplete or stale. Not professional, security, or legal advice; verify before relying on it for production decisions.
Onboarding doc
Onboarding: stratumauth/app
Generated by RepoPilot · 2026-05-10 · Source
🤖Agent protocol
If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:
- Verify the contract. Run the bash script in "Verify before trusting" below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
- Treat the "AI · unverified" sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
- Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/stratumauth/app shows verifiable citations alongside every claim.
If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.
🎯Verdict
WAIT — Single-maintainer risk — review before adopting
- Last commit 2d ago
- 7 active contributors
- GPL-3.0 licensed
- CI configured
- ⚠ Single-maintainer risk — top contributor 93% of recent commits
- ⚠ GPL-3.0 is copyleft — check downstream compatibility
- ⚠ No test directory detected
<sub>Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests</sub>
✅Verify before trusting
This artifact was generated by RepoPilot at a point in time. Before an
agent acts on it, the checks below confirm that the live stratumauth/app
repo on your machine still matches what RepoPilot saw. If any fail,
the artifact is stale — regenerate it at
repopilot.app/r/stratumauth/app.
What it runs against: a local clone of stratumauth/app — the script
inspects git remote, the LICENSE file, file paths in the working
tree, and git log. Read-only; no mutations.
| # | What we check | Why it matters |
|---|---|---|
| 1 | You're in stratumauth/app | Confirms the artifact applies here, not a fork |
| 2 | License is still GPL-3.0 | Catches relicense before you depend on it |
| 3 | Default branch master exists | Catches branch renames |
| 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code |
| 5 | Last commit ≤ 32 days ago | Catches sudden abandonment since generation |
```bash
#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of stratumauth/app. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/stratumauth/app.git
#   cd app
#
# Then paste this script. Every check is read-only — no mutations.
set +e
fail=0
ok() { echo "ok: $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of stratumauth/app and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "stratumauth/app(\.git)?\b" \
  && ok "origin remote is stratumauth/app" \
  || miss "origin remote is not stratumauth/app (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
# The full GPL-3.0 licence text never contains the literal string "GPL-3.0",
# so the header of the licence text ("GNU GENERAL PUBLIC LICENSE" + "Version 3")
# is accepted as well; otherwise a real GPL-3.0 LICENSE file would fail this check.
(grep -qiE "^(GPL-3\.0)" LICENSE 2>/dev/null \
  || { grep -qi "GNU GENERAL PUBLIC LICENSE" LICENSE 2>/dev/null \
       && grep -qi "Version 3" LICENSE 2>/dev/null; } \
  || grep -qiE "\"license\"\s*:\s*\"GPL-3\.0\"" package.json 2>/dev/null) \
  && ok "license is GPL-3.0" \
  || miss "license drift — was GPL-3.0 at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \
  && ok "default branch master exists" \
  || miss "default branch master no longer exists"

# 4. Critical files exist (the load-bearing paths RepoPilot cited)
for f in \
  "Stratum.Core/src/Entity/Authenticator.cs" \
  "Stratum.Core/src/Service/Impl/AuthenticatorService.cs" \
  "Stratum.Core/src/Backup/Backup.cs" \
  "Stratum.Core/src/Generator/IGenerator.cs" \
  "Stratum.Core/src/Converter/BackupConverter.cs"
do
  test -f "$f" && ok "$f" || miss "missing critical file: $f"
done

# 5. Repo recency
last_commit=$(git log -1 --format=%at 2>/dev/null || echo 0)
days_since_last=$(( ( $(date +%s) - ${last_commit:-0} ) / 86400 ))
if [ "$days_since_last" -le 32 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~2d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/stratumauth/app"
  exit 1
fi
```
Each check prints ok: or FAIL:. The script exits non-zero if
anything failed, so it composes cleanly into agent loops
(./verify.sh || regenerate-and-retry).
⚡TL;DR
Stratum is a free, open-source 2FA authenticator app for Android and Wear OS that generates TOTP/HOTP codes using SHA1/SHA256/SHA512, with support for niche schemes like mOTP, Steam, and Yandex. It provides encrypted local backups (via StrongBackupEncryption in Stratum.Core/src/Backup/Encryption/), category/icon organization, and converters to import from Google Authenticator, Bitwarden, Aegis, AndOTP, and other apps. Monorepo with Stratum.Core as the shared C# library (939KB) containing core logic: Backup (encryption, import/export), Converter (multi-app backup parsers like AegisBackupConverter.cs, BitwardenBackupConverter.cs), Comparer (sorting/grouping logic), and Crypto utilities. Mobile app layer (likely in separate MAUI/Android projects not fully listed) consumes Core. Python (20KB) and Shell (421B) scripts likely handle CI/build orchestration.
👥Who it's for
Android users who need a secure, customizable 2FA manager with offline-first encrypted backups; developers contributing to the Stratum codebase who work in C# (.NET/MAUI for mobile) and need to extend backup converters, cryptography, or UI components.
🌱Maturity & risk
Actively maintained and production-ready: the project has significant GitHub stars, published CI/CD pipelines (GitHub Actions in .github/workflows/main.yml and release.yml), multi-language localization via Crowdin, and is available on Google Play and F-Droid with signed APKs. The codebase shows recent activity and organized issue templates.
Single primary maintainer model increases bus-factor risk. The backup encryption system (LegacyBackupEncryption.cs, StrongBackupEncryption.cs, XChaCha20Poly1305Stream.cs) handles sensitive keys and should be audited carefully before forking. Dependency on Crowdin for translations adds external process coupling. No visible test directory in top-level structure suggests testing may be minimal or embedded in project files.
Active areas of work
Active GitHub Actions workflows for CI (main.yml), releases (release.yml), and localization sync with Crowdin (crowdin.yml). Issue templates suggest ongoing feature requests and icon requests. The presence of multiple backup converter classes (GoogleAuthenticatorBackupConverter, EnteAuthBackupConverter, KeePassBackupConverter, etc.) indicates active work on import compatibility.
🚀Get running
- Clone the repo: git clone https://github.com/stratumauth/app.git && cd app
- Restore .NET dependencies: dotnet restore Stratum.Core/Stratum.Core.csproj
- Build Core: dotnet build Stratum.Core/Stratum.Core.csproj
- The mobile app build requires the Android SDK/Gradle (the exact command depends on whether this is a Xamarin.Android or .NET MAUI project; check the mobile project file).

Daily commands:
- Core library: dotnet build Stratum.Core/Stratum.Core.csproj
- Full app (requires Android SDK): consult the root project file or .github/workflows/main.yml for build commands (likely gradle build or dotnet build at the repo root). See .github/workflows/release.yml for the production build pipeline.
🗺️Map of the codebase
- Stratum.Core/src/Entity/Authenticator.cs — Core domain model representing a 2FA authenticator entry; all import/export/backup logic depends on this structure
- Stratum.Core/src/Service/Impl/AuthenticatorService.cs — Primary service orchestrating the authenticator lifecycle (CRUD, code generation, persistence); entry point for business logic
- Stratum.Core/src/Backup/Backup.cs — Core backup/restore workflow; handles encryption, serialization, and data integrity; critical for user data protection
- Stratum.Core/src/Generator/IGenerator.cs — Abstract interface for all OTP generation algorithms (TOTP, HOTP, Steam, etc.); pluggable core abstraction
- Stratum.Core/src/Converter/BackupConverter.cs — Factory/dispatcher for importing backups from 10+ third-party authenticator formats; heavy dependency for data migration
- Stratum.Core/src/Persistence/IAuthenticatorRepository.cs — Data access abstraction layer; defines the contract for all authenticator persistence operations
- Stratum.Core/src/OtpAuthMigration.cs — Parses the OTPAuth URI format (QR code standard); foundational for account provisioning and import
🛠️How to make changes
Add Support for a New Third-Party Backup Format
- Create a new converter class inheriting from BackupConverter in Stratum.Core/src/Converter/ (Stratum.Core/src/Converter/NewFormatBackupConverter.cs)
- Implement the abstract Convert() method to parse the external format and map it to Authenticator entities (Stratum.Core/src/Converter/NewFormatBackupConverter.cs)
- Register the new converter in BackupConverter.cs's file type dispatcher/factory method (Stratum.Core/src/Converter/BackupConverter.cs)
- Add test coverage for the converter with sample backup files (implied test project)
Add a New OTP Algorithm Variant
- Create a new class implementing the IGenerator interface in Stratum.Core/src/Generator/ (Stratum.Core/src/Generator/NewOtpType.cs)
- Implement GenerateAsync() to compute the OTP code according to the algorithm's specification (Stratum.Core/src/Generator/NewOtpType.cs)
- Add an entry to the AuthenticatorType enum if it's a fundamentally new algorithm type (Stratum.Core/src/AuthenticatorType.cs)
- Update AuthenticatorService.GetGeneratorAsync() to instantiate your new generator when needed (Stratum.Core/src/Service/Impl/AuthenticatorService.cs)
Add a New Backup Encryption Scheme
- Create a new encryption class implementing IBackupEncryption in Stratum.Core/src/Backup/Encryption/ (Stratum.Core/src/Backup/Encryption/NewEncryptionScheme.cs)
- Implement the Encrypt() and Decrypt() methods with the new cryptographic algorithm (Stratum.Core/src/Backup/Encryption/NewEncryptionScheme.cs)
- Register the encryption scheme in Backup.cs's encryption selector/dispatcher (Stratum.Core/src/Backup/Backup.cs)
- Update the BackupRequirement enum if introducing a new security tier (Stratum.Core/src/Backup/BackupRequirement.cs)
Add a New Service for Domain Operations
- Create a service interface in Stratum.Core/src/Service/ (Stratum.Core/src/Service/INewDomainService.cs)
- Implement the service in Stratum.Core/src/Service/Impl/ (Stratum.Core/src/Service/Impl/NewDomainService.cs)
- Inject required repository and other service dependencies via the constructor (Stratum.Core/src/Service/Impl/NewDomainService.cs)
- Expose methods that coordinate between repositories, entities, and other services (Stratum.Core/src/Service/Impl/NewDomainService.cs)
🪤Traps & gotchas
- No visible test suite in file list: tests may exist in separate directories not shown, but the lack of explicit test files (xunit, nunit) in the top 60 is a red flag; verify the test structure locally.
- Encryption private keys likely required: backup/restore operations may depend on environment variables or keystore credentials for code-signing (see APK signatures in README); check .github/workflows/release.yml for required secrets.
- Crowdin API token: .github/workflows/crowdin.yml requires the CROWDIN_PERSONAL_TOKEN secret to sync translations.
- Multiple encryption strategies (Legacy vs. Strong): RestoreResult.cs must handle both; backward compatibility with old backups is mandatory.
- No vendored crypto libraries visible: relies on NuGet packages; ensure the XChaCha20Poly1305 implementation is from a trusted NuGet source.
🏗️Architecture
💡Concepts to learn
- TOTP (Time-Based One-Time Password) — Core OTP scheme supported by Stratum; RFC 6238 standard for time-synchronized 2FA codes; essential to understand authenticator implementations
- HOTP (HMAC-Based One-Time Password) — Counter-based OTP variant supported by Stratum; RFC 4226; needed for backup/restore of counter state and understanding code generation
- XChaCha20-Poly1305 AEAD Encryption — Stratum uses XChaCha20Poly1305Stream.cs for strong encrypted backups; the extended (192-bit) nonce lets each backup be encrypted under a freshly generated random nonce without a practical risk of nonce reuse
- Base32 Encoding (RFC 4648) — Standard encoding for TOTP/HOTP secrets (the URI in QR codes uses base32); converters must handle base32 decoding from various backup formats
- Key Derivation Function (KDF) / PBKDF2 — Used in StrongBackupEncryption.cs to derive encryption keys from user passwords; essential for password-protected backup security
- Adapter Pattern (Backup Converters) — BackupConverter.cs and subclasses (AegisBackupConverter, BitwardenBackupConverter, etc.) use adapter pattern to normalize diverse backup formats into a unified authenticator object model
- Strategy Pattern (Encryption Strategies) — IBackupEncryption interface with implementations (NoBackupEncryption, LegacyBackupEncryption, StrongBackupEncryption) lets users or app choose encryption strength at runtime without changing backup code
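As an added example that is not Stratum's own code (the function and class names below are this example's, not the project's IGenerator/GenerateAsync API), here are the HOTP and TOTP computations behind the concepts above and the "Add a New OTP Algorithm Variant" procedure: base32 secret decoding as found in otpauth URIs and backups, RFC 4226 dynamic truncation with SHA1/SHA256/SHA512, and a HOTP counter store that refuses to roll back on restore, checked against the RFC 4226 and RFC 6238 test vectors.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with base32 secret decoding.

Added example for this onboarding doc; not Stratum's code. Names here are
illustrative and do not correspond to Stratum's IGenerator API.
"""
import base64
import hmac
import struct


def decode_otpauth_secret(secret: str) -> bytes:
    """Decode a base32 secret as found in otpauth:// URIs and most backups.

    Exports commonly omit '=' padding, use lowercase, or insert spaces or
    dashes, so normalise before decoding instead of rejecting those inputs.
    """
    cleaned = secret.strip().replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding to a multiple of 8
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    if counter < 0:
        raise ValueError("HOTP counter must be non-negative")
    if not 6 <= digits <= 8:
        raise ValueError("OTP length must be 6 to 8 digits")
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter replaced by floor(unix_time / period)."""
    if period <= 0:
        raise ValueError("period must be positive")
    return hotp(secret, unix_time // period, digits, algorithm)


class HotpCounter:
    """Counter state for one HOTP entry.

    Generating a code consumes the counter, and a restore from backup is
    accepted only if it does not move the counter backwards: reusing a
    counter value would reissue a code that has already been spent.
    """

    def __init__(self, counter: int = 0) -> None:
        self.counter = counter

    def next_code(self, secret: bytes, digits: int = 6, algorithm: str = "sha1") -> str:
        code = hotp(secret, self.counter, digits, algorithm)
        self.counter += 1
        return code

    def restore(self, stored_counter: int) -> None:
        if stored_counter < self.counter:
            raise ValueError("refusing to roll the HOTP counter back")
        self.counter = stored_counter


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 reference secret "12345678901234567890", base32-encoded.
    key = decode_otpauth_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(hotp(key, 0))                 # 755224 (RFC 4226 test vector)
    print(totp(key, 59, digits=8))      # 94287082 (RFC 6238 test vector)
```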
🔗Related repos
- aegis-authenticator/aegis — Direct competitor in the 2FA authenticator space; Stratum has a dedicated AegisBackupConverter.cs for importing from it
- bitwarden/mobile — Alternative authenticator provider that Stratum imports from (BitwardenBackupConverter.cs); ecosystem integration point
- jcs-elpa/auth — Experimental TypeScript 2FA library; reference for cross-platform TOTP/HOTP implementations
- google/google-authenticator-android — The canonical Google Authenticator repo; Stratum migrates users away from it and provides a GoogleAuthenticatorBackupConverter.cs for data portability
- ja-fra/FreeOTP — Open-source 2FA app that Stratum includes a converter for (FreeOtpBackupConverter.cs and FreeOtpPlusBackupConverter.cs)
🪄PR ideas
To work on one of these in Claude Code or Cursor, paste:
Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.
Add unit tests for Stratum.Core backup encryption module
The Backup/Encryption directory contains multiple critical security implementations (LegacyBackupEncryption.cs, StrongBackupEncryption.cs, NoBackupEncryption.cs, and XChaCha20Poly1305Stream.cs) with no visible test files in the repo structure. Given this is a 2FA app handling sensitive authenticator data, comprehensive unit tests for encryption/decryption flows are essential to prevent regressions and security vulnerabilities.
- [ ] Create Stratum.Core.Tests/Backup/Encryption/ directory structure
- [ ] Add unit tests for StrongBackupEncryption.cs covering encryption, decryption, and failure cases
- [ ] Add unit tests for LegacyBackupEncryption.cs to ensure backward compatibility
- [ ] Add unit tests for XChaCha20Poly1305Stream.cs covering the crypto implementation
- [ ] Add integration tests for the Backup.cs class with different IBackupEncryption implementations
- [ ] Ensure tests cover edge cases like invalid passwords, corrupted data, and format mismatches
Add unit tests for all BackupConverter implementations
There are 13 different backup converter classes (AegisBackupConverter, AndOtpBackupConverter, GoogleAuthenticatorBackupConverter, etc.) that parse and convert authenticator data from external sources. Without tests, a contributor could inadvertently break conversion logic for popular services. This is a high-impact area for user-facing bugs.
- [ ] Create Stratum.Core.Tests/Converter/ directory with test fixtures for each backup format
- [ ] Add unit tests for GoogleAuthenticatorBackupConverter with sample backup files
- [ ] Add unit tests for AegisBackupConverter covering encrypted and unencrypted backups
- [ ] Add unit tests for FreeOtpPlusBackupConverter, BitwardenBackupConverter, and EnteAuthBackupConverter
- [ ] Add tests covering malformed input, missing fields, and version compatibility
- [ ] Create integration test in BackupConverterTests.cs that validates all converters can deserialize their respective formats without exceptions
Add unit tests for Comparer classes and sorting logic
The Comparer directory contains 4 comparer implementations (AuthenticatorCategoryComparer, AuthenticatorComparer, CategoryComparer, CustomIconComparer) that directly affect UI ordering and user experience. No test files are visible for these critical components. Bugs in comparers can lead to non-deterministic sorting and poor UX.
- [ ] Create Stratum.Core.Tests/Comparer/ directory
- [ ] Add unit tests for AuthenticatorComparer covering alphabetical sorting, custom order, and category grouping
- [ ] Add unit tests for CategoryComparer with edge cases (null names, special characters, empty categories)
- [ ] Add unit tests for AuthenticatorCategoryComparer verifying proper grouping and ordering of authenticators within categories
- [ ] Add unit tests for CustomIconComparer with various icon pack scenarios
- [ ] Add integration test validating that all comparers implement IComparer<T> correctly and handle null values without exceptions
🌿Good first issues
- Add unit tests for Stratum.Core/src/Converter/GoogleAuthenticatorBackupConverter.cs with sample JSON payloads to ensure Google Authenticator import doesn't regress; currently no test file visible.
- Document the Stratum.Core/src/Backup/Backup.cs API contract (what exceptions BackupPasswordException and ConversionFailure represent, when to use NoBackupEncryption vs. StrongBackupEncryption) in a doc/CORE_API.md file.
- Implement a converter for Dashlane's 2FA export format by extending BackupConverter.cs (research their JSON schema and follow the pattern of AegisBackupConverter.cs and BitwardenBackupConverter.cs).
⭐Top contributors
- @jamie-mh — 93 commits
- @Kvasenok — 2 commits
- @mamasch19 — 1 commit
- @jodjo86 — 1 commit
- @JotaOdiceu — 1 commit
📝Recent commits
- 2306d75 — v1.6.2 (jamie-mh)
- 3ae400b — New Crowdin translations by GitHub Action (#1412) (jamie-mh)
- d2bc9c5 — update changed icons (jamie-mh)
- 5867ffe — clear search on pause (jamie-mh)
- 647b84f — update packages (jamie-mh)
- 81e9753 — update zxing package (jamie-mh)
- 2dfac50 — update packages (jamie-mh)
- d0c57d1 — limit bitmap decode parallelism (jamie-mh)
- cd281cd — cancel timeout timer on resume (jamie-mh)
- dd9f9a5 — v1.6.1 (jamie-mh)
🔒Security observations
- High · Backup Encryption Implementation Review Required — Stratum.Core/src/Backup/Encryption/ and Stratum.Core/src/Converter/Crypto/. The codebase includes custom cryptographic implementations (LegacyBackupEncryption.cs, StrongBackupEncryption.cs) and custom crypto primitives (HChaCha20.cs, XChaCha20Poly1305Stream.cs). Custom cryptographic implementations are prone to implementation errors that can completely undermine security. The presence of 'Legacy' encryption suggests there may be deprecated algorithms still in use. Fix: Use well-tested, standard cryptographic libraries instead of custom implementations. If custom implementations are necessary, have them audited by security professionals. Ensure legacy encryption methods are deprecated and users are migrated to stronger alternatives. Consider using established libraries like Bouncy Castle or NaCl.
- High · Multiple Backup Format Converters - Input Validation Risk — Stratum.Core/src/Converter/*.cs. The codebase includes 13+ backup converters (Aegis, AndOtp, Bitwarden, Ente, FreeOtp, GoogleAuthenticator, KeePass, LastPass, ProtonAuthenticator, TotpAuthenticator, TwoFas, WinAuth, UriList, HtmlBackup). Each converter parses potentially untrusted input from various formats. Without comprehensive input validation and sanitization, these converters could be vulnerable to injection attacks, buffer overflows, or denial of service. Fix: Implement comprehensive input validation for all backup format parsers. Use allowlists for expected data formats. Implement size limits on processed files. Add robust error handling that doesn't expose sensitive information. Test with malformed and malicious backup files. Consider using established parsing libraries when available instead of custom parsers.
- High · HOTP Counter-Based Authentication - Replay Attack Potential — Stratum.Core/src/Generator/Hotp.cs. The HOTP (Counter-Based OTP) implementation is present, but the file structure doesn't show counter persistence or duplicate code detection mechanisms. HOTP is vulnerable to replay attacks if the counter state isn't properly managed or if codes can be reused without incrementing the counter. Fix: Ensure the HOTP implementation includes: (1) persistent counter storage that cannot be rolled back, (2) counter synchronization handling with the server, (3) prevention of code reuse by enforcing counter incrementation, (4) protection against brute force attacks with rate limiting. Test counter synchronization edge cases.
- Medium · Custom Icon Handling - Potential Deserialization Vulnerability — Stratum.Core/src/Entity/CustomIcon.cs, Stratum.Core/src/ICustomIconDecoder.cs. The codebase includes a CustomIcon entity with an ICustomIconDecoder interface. If icon data is deserialized without proper validation, this could lead to arbitrary code execution or denial of service attacks, especially if using unsafe deserialization methods. Fix: Implement strict type checking and validation when deserializing custom icons. Use safe deserialization methods that don't instantiate arbitrary types. Validate icon file sizes and formats before processing. Use allowlists of permitted icon formats (PNG, SVG, etc). Implement resource limits to prevent DoS attacks.
- Medium · Multiple Authenticator Types - Algorithm Support Risk — Stratum.Core/src/Generator/HashAlgorithm.cs, Stratum.Core/src/AuthenticatorType.cs. The codebase supports multiple OTP algorithms (TOTP, HOTP, MobileOtp, SteamOtp, YandexOtp) with configurable hash algorithms (SHA1, SHA256, SHA512). Some of these algorithms or configurations may be outdated or weak. SHA1 in particular is cryptographically broken. Fix: Deprecate SHA1 hashing for OTP generation. Recommend SHA256 or SHA512. Provide a migration path for existing SHA1-based authenticators. Consider deprecating legacy algorithms like MobileOtp and YandexOtp. Provide clear warnings in the UI for weak algorithm choices.
- Medium · Backup/Restore Process - Data Integrity Verification Missing — Stratum.Core/src/Backup/. The backup and restore functionality (Backup.cs, RestoreResult.cs, BackupResult.cs) doesn't show evidence of checksums, signatures, or integrity verification. Attackers could modify backup files in transit or at rest without detection. Fix:
LLM-derived; treat as a starting point, not a security audit.
👉Where to read next
- Open issues — current backlog
- Recent PRs — what's actively shipping
- Source on GitHub
Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.