AI Audit: Findings and Recommendations #12

Open
koxon wants to merge 1 commit into main from findings/ai-audit-2026-02-17
@koxon koxon commented Feb 17, 2026

Summary

AI-powered audit of the amplify-android fork, analyzing fork drift, customization justification, actual usage by the Android app, and maintenance strategy.

Key Findings

  • Fork is ACTIVE (unlike amplify-swift which was unused) -- but only serves 2 of 189 app flavors (fcnantes and olympiquedemarseille)
  • Fork is ~6 months behind upstream (v2.29.2 vs v2.33.0) with no sync workflow
  • 4 legitimate customizations, all in aws-auth-cognito: WebView auth replacing Chrome Custom Tabs for OM SSO cookie injection
  • Distributed via JitPack main-SNAPSHOT with no version pinning (non-reproducible builds)
  • Single maintainer, no code reviews on any fork PR, no tests for custom code

Deliverables

  • FINDINGS.md -- Prioritized findings (Critical > High > Medium > Low) with actionable recommendations
  • CLAUDE.md -- Substantially rewritten with fork status, customization inventory, upstream sync strategy, and accurate dependency information

Critical Items

  1. Fork is 4+ versions behind upstream -- security/compatibility risk
  2. Hardcoded OM-specific cookies in library code -- wrong abstraction layer

Recommendations

  1. Sync fork with upstream immediately
  2. Investigate contributing WebView auth changes upstream to eliminate fork need
  3. Switch from main-SNAPSHOT to tagged releases on JitPack
  4. Add upstream remote and document sync process
  5. Add tests for bFAN-specific WebView changes

Generated with Claude Code

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
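
A check for the unpinned-dependency finding above, as an added example that is not part of the pull request or the audited repository: it scans Gradle build text for SNAPSHOT and other mutable versions. The sample build file, its coordinates and the function names are constructed for illustration.

```python
import re

# Quoted "group:artifact:version" coordinates, Groovy or Kotlin DSL.
COORD = re.compile(r"""["']([\w.\-]+):([\w.\-]+):([^"'\s:]+)["']""")

def mutable_reason(version):
    """Return why a version is not reproducible, or None if it looks pinned."""
    if version.endswith("-SNAPSHOT"):
        return "SNAPSHOT: resolves to the branch head at build time"
    if version.endswith("+") or version.startswith("latest."):
        return "dynamic selector: resolves to the newest match"
    if version.startswith(("[", "(")):
        return "version range"
    if "$" in version:
        return "interpolated variable: check the pin where it is defined"
    return None

def find_unpinned(gradle_text):
    """Return (line_no, 'group:artifact', version, reason) per mutable dependency."""
    findings = []
    for line_no, line in enumerate(gradle_text.splitlines(), start=1):
        if line.lstrip().startswith("//"):
            continue  # skip commented-out declarations
        for group, artifact, version in COORD.findall(line):
            reason = mutable_reason(version)
            if reason:
                findings.append((line_no, f"{group}:{artifact}", version, reason))
    return findings

# Constructed sample build file; all coordinates are placeholders.
SAMPLE = '''\
repositories { maven { url "https://jitpack.io" } }
dependencies {
    implementation "com.github.EXAMPLE-ORG.amplify-android:aws-auth-cognito:main-SNAPSHOT"
    implementation "com.github.EXAMPLE-ORG.amplify-android:core:v0.0.0-example"
    // implementation "com.example:old-lib:1.+"
    implementation 'com.example:widgets:2.+'
    implementation("com.example:pinned:1.4.2")
}
'''

if __name__ == "__main__":
    for line_no, coord, version, reason in find_unpinned(SAMPLE):
        print(f"line {line_no}: {coord}:{version} -> {reason}")
```

Run in CI against each module's build file, a non-empty result can fail the build until the dependency points at a tag or commit.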