The latest articles on DEV Community by Samuvel Pandian (@samuvelp). https://dev.to/samuvelp https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3878843%2F369eb029-b1f6-43b4-aa53-bdb29ba81296.png https://dev.to/samuvelp en Samuvel Pandian Tue, 14 Apr 2026 16:44:52 +0000 https://dev.to/samuvelp/i-built-a-langgraph-agent-that-audits-android-projects-heres-the-architecture-53jh https://dev.to/samuvelp/i-built-a-langgraph-agent-that-audits-android-projects-heres-the-architecture-53jh <h2> The Problem Every Android Team Ignores Until It Hurts </h2> <p>You know that feeling. You open an Android project you haven't touched in three months and the build fails. AGP needs bumping. Kotlin wants a new version. The Compose BOM has moved two releases ahead. You update, fix the cascade of breaks, and push — only for someone to flag that your <code>targetSdk</code> is two versions behind and Google Play will start rejecting uploads next quarter.</p> <p>That's the dependency side. Meanwhile, your <code>AndroidManifest.xml</code> has an exported <code>Service</code> with no permission guard because someone added it during a hackathon. Your codebase still has <code>AsyncTask</code> in a file nobody wants to refactor. You're at 20% Compose adoption with 47 XML layouts and no migration plan. The tech debt isn't in one place — it's scattered across build files, manifests, source trees, and version catalogs.</p> <p>The tools exist in isolation: lint catches some things, dependency update plugins catch others, manual manifest review covers the security angle. But nobody runs all of them together, nobody prioritizes the results, and nobody tells you <em>"fix the exported BroadcastReceiver before you worry about bumping that minor AndroidX version."</em> That's the gap I wanted to close.</p> <h2> The Solution: One Command, Full Audit, AI Prioritization </h2> <p><strong>DroidDoctor</strong> is an open-source CLI that scans your entire Android project — Gradle dependencies, manifest security, deprecated API usage, Compose adoption — and feeds the structured findings to an LLM that returns a prioritized action plan. One command. A health score from 0-100. Concrete fix-now vs. fix-later recommendations. Built with LangGraph so the analysis pipeline is a proper state machine, not a pile of scripts.</p> <h2> Architecture Deep Dive: A 7-Node State Machine </h2> <p>Here's the graph topology:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────┐ │ scan_project_structure │ ← entry point └────────────┬────────────┘ │ ┌───────▼────────┐ error? │ conditional │──────────► END │ routing │ └───────┬────────┘ │ continue ┌───────▼──────────────────┐ │ analyze_gradle_deps │ └───────┬──────────────────┘ ┌───────▼──────────────────┐ │ audit_manifest │ └───────┬──────────────────┘ ┌───────▼──────────────────┐ │ detect_deprecated_apis │ └───────┬──────────────────┘ ┌───────▼──────────────────┐ │ check_compose_adoption │ └───────┬──────────────────┘ ┌───────▼──────────────────┐ │ collect_results │ ← fan-in sync point └───────┬──────────────────┘ │ ┌───────▼──────────────────┐ --no-llm? │ llm_analyze │──── skip ──┐ └───────┬──────────────────┘ │ ┌───────▼──────────────────┐ │ │ generate_report │◄────────────┘ └───────┬──────────────────┘ │ END </code></pre> </div> <p>Every node receives and returns the same <code>AgentState</code> TypedDict. LangGraph merges each node's return dict into the running state automatically — so nodes only return the keys they modify. This is the core pattern that makes the whole thing work cleanly.</p> <h3> The Key Design Decision </h3> <p><strong>The LLM never scans files.</strong> Each analysis node is deterministic Python code — regex, XML parsing, HTTP version checks. The LLM only receives a structured JSON summary at the end and synthesizes it into a prioritized report. This gives you reproducible scans, fast execution, and an <code>--no-llm</code> offline mode for CI pipelines.</p> <h3> What Each Node Does </h3> <p><strong>scanner</strong> — Parses <code>settings.gradle(.kts)</code> to discover modules via regex on <code>include()</code> declarations, then walks each module directory to locate build files, manifests, source trees, and layout directories. Populates a list of <code>ModuleInfo</code> dataclasses.</p> <p><strong>gradle</strong> — Parses <code>build.gradle(.kts)</code> and <code>libs.versions.toml</code> for every module. Extracts dependencies, SDK versions, AGP/Kotlin/Compose BOM versions. Then hits the Google Maven and Maven Central HTTP APIs to fetch latest versions and classify each dependency's staleness as <code>critical</code>, <code>major</code>, or <code>minor</code>.</p> <p><strong>manifest</strong> — Uses <code>xml.etree.ElementTree</code> to parse each <code>AndroidManifest.xml</code>. Checks for exported components without permission guards, dangerous permissions, cleartext traffic enabled, hardcoded <code>debuggable=true</code>, and missing backup rules.</p> <p><strong>deprecated</strong> — Regex-scans every <code>.kt</code> and <code>.java</code> file against 13 patterns: <code>AsyncTask</code>, <code>IntentService</code>, <code>startActivityForResult</code>, <code>LocalBroadcastManager</code>, <code>ViewModelProviders.of()</code>, <code>android.support.*</code> imports, <code>kotlin-android-extensions</code>, <code>kapt</code>, and more. Each hit gets a concrete replacement suggestion.</p> <p><strong>compose</strong> — Counts XML layout files across all <code>res/layout*</code> directories and Kotlin files containing <code>@Composable</code> annotations. Calculates adoption percentage. Simple metric, but it makes migration progress visible.</p> <p><strong>analyzer</strong> — Serializes all findings to JSON, sends them to an LLM with an opinionated system prompt, and extracts a health score from the response. Supports Claude, OpenAI, Gemini, Groq, and Ollama via dynamic imports.</p> <p><strong>reporter</strong> — Assembles everything into a markdown report with tables for dependencies, manifest issues, deprecated APIs, and the AI analysis section.</p> <h3> Conditional Routing </h3> <p>Two routing decisions exist in the graph. First, after scanning: if no <code>build.gradle</code> files are found, the state gets an <code>error</code> key and the graph routes to <code>END</code> immediately. Second, the <code>--no-llm</code> flag: when set, <code>build_graph(skip_llm=True)</code> wires <code>collect_results</code> directly to <code>generate_report</code>, skipping the LLM node entirely. The graph is literally different depending on the flag — not just a runtime check.</p> <h2> Code Walkthrough </h2> <h3> The State That Flows Through Everything </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">AgentState</span><span class="p">(</span><span class="n">TypedDict</span><span class="p">,</span> <span class="n">total</span><span class="o">=</span><span class="bp">False</span><span class="p">):</span> <span class="n">project_path</span><span class="p">:</span> <span class="nb">str</span> <span class="n">project_name</span><span class="p">:</span> <span class="nb">str</span> <span class="n">is_multi_module</span><span class="p">:</span> <span class="nb">bool</span> <span class="n">modules</span><span class="p">:</span> <span class="nb">list</span><span class="p">[</span><span class="n">ModuleInfo</span><span class="p">]</span> <span class="n">llm_provider</span><span class="p">:</span> <span class="nb">str</span> <span class="c1"># claude | openai | gemini | groq | ollama </span> <span class="n">llm_model</span><span class="p">:</span> <span class="nb">str</span> <span class="o">|</span> <span class="bp">None</span> <span class="n">gradle_deps</span><span class="p">:</span> <span class="nb">list</span><span class="p">[</span><span class="n">GradleDependency</span><span class="p">]</span> <span class="n">sdk_versions</span><span class="p">:</span> <span class="n">SdkVersions</span> <span class="n">manifest_issues</span><span class="p">:</span> <span class="nb">list</span><span class="p">[</span><span class="n">ManifestIssue</span><span class="p">]</span> <span class="n">deprecated_apis</span><span class="p">:</span> <span class="nb">list</span><span class="p">[</span><span class="n">DeprecatedApiUsage</span><span class="p">]</span> <span class="n">compose_metrics</span><span class="p">:</span> <span class="n">ComposeAdoptionMetrics</span> <span class="o">|</span> <span class="bp">None</span> <span class="n">health_score</span><span class="p">:</span> <span class="nb">int</span> <span class="c1"># 0-100 </span> <span class="n">llm_report</span><span class="p">:</span> <span class="nb">str</span> <span class="n">final_report</span><span class="p">:</span> <span class="nb">str</span> <span class="n">error</span><span class="p">:</span> <span class="nb">str</span> <span class="o">|</span> <span class="bp">None</span> </code></pre> </div> <p><code>total=False</code> means every key is optional — nodes only populate their slice. LangGraph handles the merge.</p> <h3> Version Catalog Parsing (The Tricky Part) </h3> <p>Gradle's <code>libs.versions.toml</code> has three formats for declaring a library, and you have to handle all of them:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">_parse_library_line</span><span class="p">(</span><span class="n">line</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">catalog</span><span class="p">:</span> <span class="n">VersionCatalog</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="n">alias_match</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="nf">match</span><span class="p">(</span><span class="sa">r</span><span class="sh">'</span><span class="s">^(\S+)\s*=\s*(.+)$</span><span class="sh">'</span><span class="p">,</span> <span class="n">line</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">alias_match</span><span class="p">:</span> <span class="k">return</span> <span class="n">alias</span> <span class="o">=</span> <span class="n">alias_match</span><span class="p">.</span><span class="nf">group</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="n">value</span> <span class="o">=</span> <span class="n">alias_match</span><span class="p">.</span><span class="nf">group</span><span class="p">(</span><span class="mi">2</span><span class="p">).</span><span class="nf">strip</span><span class="p">()</span> <span class="c1"># Format 1: "group:artifact:version" </span> <span class="n">simple</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="nf">match</span><span class="p">(</span><span class="sa">r</span><span class="sh">'</span><span class="s">^</span><span class="sh">"</span><span class="s">([^:]+):([^:]+):([^</span><span class="sh">"</span><span class="s">]+)</span><span class="sh">"</span><span class="s">$</span><span class="sh">'</span><span class="p">,</span> <span class="n">value</span><span class="p">)</span> <span class="k">if</span> <span class="n">simple</span><span class="p">:</span> <span class="n">catalog</span><span class="p">.</span><span class="n">libraries</span><span class="p">[</span><span class="n">alias</span><span class="p">]</span> <span class="o">=</span> <span class="nc">ParsedDependency</span><span class="p">(</span> <span class="n">group</span><span class="o">=</span><span class="n">simple</span><span class="p">.</span><span class="nf">group</span><span class="p">(</span><span class="mi">1</span><span class="p">),</span> <span class="n">artifact</span><span class="o">=</span><span class="n">simple</span><span class="p">.</span><span class="nf">group</span><span class="p">(</span><span class="mi">2</span><span class="p">),</span> <span class="n">version</span><span class="o">=</span><span class="n">simple</span><span class="p">.</span><span class="nf">group</span><span class="p">(</span><span class="mi">3</span><span class="p">),</span> <span class="p">)</span> <span class="k">return</span> <span class="c1"># Format 2+3: { module = "g:a", version.ref = "x" } </span> <span class="c1"># or: { group = "g", name = "a", version.ref = "x" } </span> <span class="n">group</span> <span class="o">=</span> <span class="nf">_extract_field</span><span class="p">(</span><span class="n">value</span><span class="p">,</span> <span class="sh">"</span><span class="s">group</span><span class="sh">"</span><span class="p">)</span> <span class="n">name</span> <span class="o">=</span> <span class="nf">_extract_field</span><span class="p">(</span><span class="n">value</span><span class="p">,</span> <span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">)</span> <span class="n">module</span> <span class="o">=</span> <span class="nf">_extract_field</span><span class="p">(</span><span class="n">value</span><span class="p">,</span> <span class="sh">"</span><span class="s">module</span><span class="sh">"</span><span class="p">)</span> <span class="n">version_ref</span> <span class="o">=</span> <span class="nf">_extract_field</span><span class="p">(</span><span class="n">value</span><span class="p">,</span> <span class="sh">"</span><span class="s">version.ref</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">module</span><span class="p">:</span> <span class="n">parts</span> <span class="o">=</span> <span class="n">module</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s">:</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">parts</span><span class="p">)</span> <span class="o">==</span> <span class="mi">2</span><span class="p">:</span> <span class="n">group</span><span class="p">,</span> <span class="n">name</span> <span class="o">=</span> <span class="n">parts</span> <span class="n">resolved_version</span> <span class="o">=</span> <span class="bp">None</span> <span class="k">if</span> <span class="n">version_ref</span> <span class="ow">and</span> <span class="n">version_ref</span> <span class="ow">in</span> <span class="n">catalog</span><span class="p">.</span><span class="n">versions</span><span class="p">:</span> <span class="n">resolved_version</span> <span class="o">=</span> <span class="n">catalog</span><span class="p">.</span><span class="n">versions</span><span class="p">[</span><span class="n">version_ref</span><span class="p">]</span> <span class="n">catalog</span><span class="p">.</span><span class="n">libraries</span><span class="p">[</span><span class="n">alias</span><span class="p">]</span> <span class="o">=</span> <span class="nc">ParsedDependency</span><span class="p">(</span> <span class="n">group</span><span class="o">=</span><span class="n">group</span><span class="p">,</span> <span class="n">artifact</span><span class="o">=</span><span class="n">name</span><span class="p">,</span> <span class="n">version</span><span class="o">=</span><span class="n">resolved_version</span> <span class="p">)</span> </code></pre> </div> <p>Then, to connect catalog entries to actual build files, you convert the TOML alias to a Gradle accessor (<code>androidx-core-ktx</code> becomes <code>libs.androidx.core.ktx</code>) and check if it appears in the build file content. This two-phase approach handles the indirection that version catalogs introduce.</p> <h3> Wiring the Graph </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">build_graph</span><span class="p">(</span><span class="n">skip_llm</span><span class="p">:</span> <span class="nb">bool</span> <span class="o">=</span> <span class="bp">False</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">StateGraph</span><span class="p">:</span> <span class="n">graph</span> <span class="o">=</span> <span class="nc">StateGraph</span><span class="p">(</span><span class="n">AgentState</span><span class="p">)</span> <span class="n">graph</span><span class="p">.</span><span class="nf">add_node</span><span class="p">(</span><span class="sh">"</span><span class="s">scan_project_structure</span><span class="sh">"</span><span class="p">,</span> <span class="n">scan_project_structure</span><span class="p">)</span> <span class="n">graph</span><span class="p">.</span><span class="nf">add_node</span><span class="p">(</span><span class="sh">"</span><span class="s">analyze_gradle_dependencies</span><span class="sh">"</span><span class="p">,</span> <span class="n">analyze_gradle_dependencies</span><span class="p">)</span> <span class="n">graph</span><span class="p">.</span><span class="nf">add_node</span><span class="p">(</span><span class="sh">"</span><span class="s">audit_manifest</span><span class="sh">"</span><span class="p">,</span> <span class="n">audit_manifest</span><span class="p">)</span> <span class="n">graph</span><span class="p">.</span><span class="nf">add_node</span><span class="p">(</span><span class="sh">"</span><span class="s">detect_deprecated_apis</span><span class="sh">"</span><span class="p">,</span> <span class="n">detect_deprecated_apis</span><span class="p">)</span> <span class="n">graph</span><span class="p">.</span><span class="nf">add_node</span><span class="p">(</span><span class="sh">"</span><span class="s">check_compose_adoption</span><span class="sh">"</span><span class="p">,</span> <span class="n">check_compose_adoption</span><span class="p">)</span> <span class="n">graph</span><span class="p">.</span><span class="nf">add_node</span><span class="p">(</span><span class="sh">"</span><span class="s">collect_results</span><span class="sh">"</span><span class="p">,</span> <span class="n">_collect_results</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">skip_llm</span><span class="p">:</span> <span class="n">graph</span><span class="p">.</span><span class="nf">add_node</span><span class="p">(</span><span class="sh">"</span><span class="s">llm_analyze</span><span class="sh">"</span><span class="p">,</span> <span class="n">llm_analyze</span><span class="p">)</span> <span class="n">graph</span><span class="p">.</span><span class="nf">add_node</span><span class="p">(</span><span class="sh">"</span><span class="s">generate_report</span><span class="sh">"</span><span class="p">,</span> <span class="n">generate_report</span><span class="p">)</span> <span class="n">graph</span><span class="p">.</span><span class="nf">set_entry_point</span><span class="p">(</span><span class="sh">"</span><span class="s">scan_project_structure</span><span class="sh">"</span><span class="p">)</span> <span class="n">graph</span><span class="p">.</span><span class="nf">add_conditional_edges</span><span class="p">(</span> <span class="sh">"</span><span class="s">scan_project_structure</span><span class="sh">"</span><span class="p">,</span> <span class="n">_route_after_scan</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">continue</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">analyze_gradle_dependencies</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="n">END</span><span class="p">},</span> <span class="p">)</span> <span class="c1"># Sequential chain through analysis nodes </span> <span class="n">graph</span><span class="p">.</span><span class="nf">add_edge</span><span class="p">(</span><span class="sh">"</span><span class="s">analyze_gradle_dependencies</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">audit_manifest</span><span class="sh">"</span><span class="p">)</span> <span class="n">graph</span><span class="p">.</span><span class="nf">add_edge</span><span class="p">(</span><span class="sh">"</span><span class="s">audit_manifest</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">detect_deprecated_apis</span><span class="sh">"</span><span class="p">)</span> <span class="n">graph</span><span class="p">.</span><span class="nf">add_edge</span><span class="p">(</span><span class="sh">"</span><span class="s">detect_deprecated_apis</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">check_compose_adoption</span><span class="sh">"</span><span class="p">)</span> <span class="n">graph</span><span class="p">.</span><span class="nf">add_edge</span><span class="p">(</span><span class="sh">"</span><span class="s">check_compose_adoption</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">collect_results</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">skip_llm</span><span class="p">:</span> <span class="n">graph</span><span class="p">.</span><span class="nf">add_edge</span><span class="p">(</span><span class="sh">"</span><span class="s">collect_results</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">generate_report</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="n">graph</span><span class="p">.</span><span class="nf">add_edge</span><span class="p">(</span><span class="sh">"</span><span class="s">collect_results</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">llm_analyze</span><span class="sh">"</span><span class="p">)</span> <span class="n">graph</span><span class="p">.</span><span class="nf">add_edge</span><span class="p">(</span><span class="sh">"</span><span class="s">llm_analyze</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">generate_report</span><span class="sh">"</span><span class="p">)</span> <span class="n">graph</span><span class="p">.</span><span class="nf">add_edge</span><span class="p">(</span><span class="sh">"</span><span class="s">generate_report</span><span class="sh">"</span><span class="p">,</span> <span class="n">END</span><span class="p">)</span> <span class="k">return</span> <span class="n">graph</span> </code></pre> </div> <p>Notice how <code>skip_llm</code> changes the graph topology at build time, not at runtime. The compiled graph is a different shape depending on the flag.</p> <h3> The LLM Prompt </h3> <p>The system prompt is opinionated by design — it forces the LLM to be a senior engineer, not a polite assistant:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">SYSTEM_PROMPT</span> <span class="o">=</span> <span class="sh">"""</span><span class="se">\ </span><span class="s">You are DroidDoctor, a senior Android engineer performing a project health review. Given the audit data, produce: 1. A HEALTH SCORE (0-100) based on: - Dependency freshness (30% weight) - Security posture from manifest (30% weight) - Code modernization / deprecated API usage (20% weight) - Compose adoption progress (20% weight) 2. A prioritized action plan grouped by: FIX NOW — security vulnerabilities, critical outdated deps FIX THIS SPRINT — major version gaps, deprecated APIs PLAN FOR NEXT QUARTER — compose migration, minor updates Be opinionated. A senior Android engineer would be direct. Avoid generic advice — reference the specific deps and files found. </span><span class="sh">"""</span> </code></pre> </div> <h3> Dynamic Provider Loading </h3> <p>Five LLM providers, zero hard dependencies beyond the default:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">PROVIDER_CONFIG</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">claude</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">package</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">langchain_anthropic</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">class</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ChatAnthropic</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">default_model</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">claude-sonnet-4-20250514</span><span class="sh">"</span><span class="p">},</span> <span class="sh">"</span><span class="s">openai</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">package</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">langchain_openai</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">class</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ChatOpenAI</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">default_model</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">gpt-4o</span><span class="sh">"</span><span class="p">},</span> <span class="sh">"</span><span class="s">gemini</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">package</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">langchain_google_genai</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">class</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ChatGoogleGenerativeAI</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">default_model</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">gemini-2.5-pro-preview-06-05</span><span class="sh">"</span><span class="p">},</span> <span class="sh">"</span><span class="s">groq</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">package</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">langchain_groq</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">class</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ChatGroq</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">default_model</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">llama-3.3-70b-versatile</span><span class="sh">"</span><span class="p">},</span> <span class="sh">"</span><span class="s">ollama</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">package</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">langchain_ollama</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">class</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ChatOllama</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">default_model</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">llama3.1</span><span class="sh">"</span><span class="p">},</span> <span class="p">}</span> <span class="k">def</span> <span class="nf">_build_llm</span><span class="p">(</span><span class="n">provider</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">model</span><span class="p">:</span> <span class="nb">str</span> <span class="o">|</span> <span class="bp">None</span> <span class="o">=</span> <span class="bp">None</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">BaseChatModel</span><span class="p">:</span> <span class="n">config</span> <span class="o">=</span> <span class="n">PROVIDER_CONFIG</span><span class="p">[</span><span class="n">provider</span><span class="p">]</span> <span class="n">module</span> <span class="o">=</span> <span class="n">importlib</span><span class="p">.</span><span class="nf">import_module</span><span class="p">(</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">package</span><span class="sh">"</span><span class="p">])</span> <span class="n">cls</span> <span class="o">=</span> <span class="nf">getattr</span><span class="p">(</span><span class="n">module</span><span class="p">,</span> <span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">class</span><span class="sh">"</span><span class="p">])</span> <span class="k">return</span> <span class="nf">cls</span><span class="p">(</span><span class="o">**</span><span class="p">{</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">model_kwarg</span><span class="sh">"</span><span class="p">]:</span> <span class="n">model</span> <span class="ow">or</span> <span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">default_model</span><span class="sh">"</span><span class="p">]})</span> </code></pre> </div> <p><code>importlib.import_module</code> means you only need to install the provider you actually use. Run with Ollama locally? No API key needed, no <code>langchain-anthropic</code> in your environment.</p> <h2> Example Output </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>╭──────── Health Score — MyApp ────────╮ │ 62/100 │ ╰──────── 3 module(s) scanned ─────────╯ ┌─────────────── Outdated Dependencies ────────────────┐ │ Dependency │ Current │ Latest │ Sev. │ │ com.android.tools.build │ 8.1.0 │ 8.7.3 │ MAJOR │ │ org.jetbrains.kotlin │ 1.9.10 │ 2.1.0 │ CRIT. │ │ targetSdk │ 33 │ 35 │ CRIT. │ │ androidx.core:core-ktx │ 1.10.0 │ 1.15.0 │ MINOR │ └──────────────────────────────────────────────────────┘ ┌─────────────── Manifest Issues ──────────────────────┐ │ CRITICAL │ Service "SyncService" exported without │ │ │ intent-filter or permission protection │ │ CRITICAL │ Cleartext (HTTP) traffic is enabled │ │ WARNING │ Dangerous permission: CAMERA │ └──────────────────────────────────────────────────────┘ ╭──── Compose Adoption ────╮ │ XML Layouts: 47 │ │ Composables: 12 │ │ Coverage: 20.3% │ │ ░░░░████████████████ 20% │ ╰──────────────────────────╯ ╭──────────── AI-Powered Analysis ─────────────╮ │ FIX NOW: │ │ - SyncService is exported with no permission │ │ guard. Any app on the device can bind to │ │ it. Add android:permission or set │ │ exported="false". │ │ - Kotlin 1.9 → 2.1 is a major jump. Do it │ │ before the ecosystem moves further. │ │ │ │ THIS SPRINT: │ │ - Replace AsyncTask in NetworkHelper.java │ │ with viewModelScope.launch + Dispatchers.IO │ │ - Bump AGP 8.1 → 8.7 (required for │ │ targetSdk 35 support) │ │ │ │ NEXT QUARTER: │ │ - 47 XML layouts at 20% Compose. Start with │ │ new screens only, convert settings/profile │ │ screens first (low risk). │ ╰──────────────────────────────────────────────╯ </code></pre> </div> <h2> Quick Start </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>droiddoctor <span class="c"># Set your preferred LLM provider key</span> <span class="nb">export </span><span class="nv">ANTHROPIC_API_KEY</span><span class="o">=</span>sk-ant-... <span class="c"># Run against your project</span> droiddoctor /path/to/your/android-project <span class="c"># Or use a different provider</span> droiddoctor <span class="nb">.</span> <span class="nt">--provider</span> openai <span class="c"># Offline mode (no LLM, just raw scan data)</span> droiddoctor <span class="nb">.</span> <span class="nt">--no-llm</span> </code></pre> </div> <h2> What I Learned Building This </h2> <p><strong>LangGraph vs. rolling your own orchestration.</strong> For a linear pipeline like this, you could absolutely get away with calling functions in sequence. But LangGraph gives you conditional routing, state management, and streaming progress updates out of the box. When I added <code>--no-llm</code>, I didn't write an if-statement in a run loop — I changed the graph topology. When I eventually add parallel execution for the analysis nodes, I change edges, not control flow. The abstraction pays for itself the moment your pipeline gets a second branch.</p> <p><strong>Deterministic nodes + LLM synthesis beats giving the LLM raw files.</strong> Early prototype: I fed <code>build.gradle</code> content directly to Claude and asked it to find issues. It hallucinated dependency versions. It missed the version catalog indirection. It couldn't check Maven Central for latest releases. The current architecture is: code does the scanning (correctly, every time), LLM does the reasoning about what matters most. The LLM is dramatically better at prioritization than at file parsing.</p> <p><strong>Version catalog parsing is surprisingly tricky.</strong> Three declaration formats (<code>"g:a:v"</code>, <code>{ module = "g:a" }</code>, <code>{ group = "g", name = "a" }</code>), version indirection through <code>version.ref</code>, alias-to-accessor name conversion (<code>androidx-core-ktx</code> becomes <code>libs.androidx.core.ktx</code> in Gradle). I considered using a TOML parser library, but the line-by-line regex approach handles the formats you actually see in real projects without pulling in another dependency.</p> <p><strong>Cap penalty per category.</strong> The health score uses weighted categories with maximum deductions: dependencies can take off at most 30 points, security at most 30, deprecated APIs at most 20, Compose adoption at most 20. Without caps, a project with 50 outdated dependencies would score 0 even if the manifest was clean and the code was modern. Caps keep the score meaningful — it reflects breadth of issues, not depth of one problem.</p> <h2> What's Next </h2> <p>DroidDoctor is early and there's plenty of room to contribute:</p> <ul> <li> <strong>Parallel analysis nodes</strong> — The four analysis nodes are sequential today. LangGraph supports fan-out/fan-in; wiring them to run in parallel would cut scan time significantly.</li> <li> <strong>ProGuard/R8 rule validation</strong> — Check for missing keep rules, overly broad rules, and common obfuscation mistakes.</li> <li> <strong>CI integration</strong> — GitHub Action that posts the health report as a PR comment, with score trend tracking over time.</li> <li> <strong>Gradle build scan integration</strong> — Pull data from existing build scans instead of re-parsing files.</li> <li> <strong>Custom rule definitions</strong> — Let teams define their own deprecated patterns and manifest policies via a config file.</li> </ul> <p>The repo is at <a href="https://github.com/samuvelp/droiddoctor" rel="noopener noreferrer">github.com/samuvelp/droiddoctor</a>. Issues and PRs welcome.</p> android python ai langgraph