feat(android): add auth0-android-major-migration skill

[sanchitmehtagit]

Description

Adds the auth0-android-major-migration skill — the Android counterpart to auth0-swift-major-migration (#104) — for upgrading an existing com.auth0.android:auth0 (v3) integration to the next major version (v4).

The skill is source-driven and grep-gated: it fetches the v4 SDK's actual Kotlin source to confirm signatures, audits which Auth0 APIs the project actually calls, and applies only the breaking changes that affect real call sites — then builds until green and emits a migration summary.

Argument-based version selection (improvement over the Swift sibling):

• Pass a target version (e.g. /auth0-android-major-migration 4.0.0) — it's validated (published tag, within the next major, not a downgrade) and the skill stops and asks on failure.
• Omit it — the skill auto-resolves the latest v4 release (including pre-releases; resolves 4.0.0-beta.1 today).

Prerequisite gate (RAPID "block until satisfied"): minSdk 26, Java 17, Gradle 8.11.1+, AGP 8.10.1+, Kotlin 2.0.21 — checked and applied before any API migration.

Breaking changes covered (all grep-gated):

§	Change
7.1	PasskeyAuthProvider removed → AuthenticationAPIClient passkey APIs
7.2	Management API removed (UsersAPIClient) → // TODO: + backend follow-up
7.3	Deprecated MFA methods removed → mfaClient(mfaToken) / MfaApiClient
7.4	WebAuthProvider.useDPoP(context) moved to the login builder
7.5	DPoPException.UNSUPPORTED_ERROR removed
7.6	SSOCredentials.expiresIn: Int → expiresAt: Date
7.7	SecureCredentialsManager Auth0-based constructors removed

Behavioral changes (surfaced, no code change): default minTtl 0 → 60s, clearCredentials() now clears all storage, CredentialsManager uses the global executor.

Structure

• SKILL.md — argument-based version resolution + validation, prerequisite gate, source fetch, grep-gated audit, build-until-green, migration summary
• references/process.md — version validation, prerequisite handling, build-system edge cases, MFA map, backend pattern, Gson notes, rollback
• references/security.md — Android security invariants
• tests/ — eval suite (evals.json, graders.json, graders.ts, benchmark-config.json, package.json)

Registers the skill across the plugin manifests and READMEs.

Testing

• skillsaw --strict passes: A+, 0 errors, 0 warnings (43 skills)
• All JSON validated; every v4 signature confirmed against the actual SDK source on v4_development

Checklist

• This change adds test coverage for new/changed functionality
• Documentation added for new functionality
• All active checks for tests, formatting, and security are passing

Summary by CodeRabbit

• New Features

  • Added auth0-android-major-migration skill enabling automated migration of Auth0.Android projects from v3 to v4.

• Documentation

  • Added comprehensive migration guide covering prerequisite checks, breaking changes, behavioral updates, build verification, and security best practices.

[coderabbitai]

Warning

Review limit reached

@sanchitmehtagit, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 28 minutes and 53 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 05f1fc2d-e76c-451a-b10e-e310f4057732

📥 Commits

Reviewing files that changed from the base of the PR and between b88c41b and 911dbb0.

📒 Files selected for processing (3)

• plugins/auth0/skills/auth0-android-major-migration/SKILL.md
• plugins/auth0/skills/auth0-android-major-migration/references/process.md
• plugins/auth0/skills/auth0-android-major-migration/references/security.md

📝 Walkthrough

Walkthrough

Adds the auth0-android-major-migration skill to the Auth0 agent-skills plugin. This includes a 549-line SKILL.md migration guide for upgrading Auth0.Android v3→v4, two reference documents covering process edge cases and security invariants, registration of the skill across all plugin manifests and READMEs, and a full evaluation/grading test harness with TypeScript grader shim.

Changes

auth0-android-major-migration skill

Layer / File(s)	Summary
Plugin registration and marketplace metadata .claude-plugin/marketplace.json, .cursor-plugin/marketplace.json, plugins/auth0/.codex-plugin/plugin.json, plugins/auth0/.cursor-plugin/plugin.json, plugins/auth0/README.md, PLUGIN.md, README.md	Adds the android-major-migration keyword to all four plugin manifests, inserts a new row in the Auth0 skills table, and adds the install command and directory entry to the root docs.
Core SKILL.md and reference docs plugins/auth0/skills/auth0-android-major-migration/SKILL.md, plugins/auth0/skills/auth0-android-major-migration/references/process.md, plugins/auth0/skills/auth0-android-major-migration/references/security.md	Introduces the complete 549-line migration guide with version resolution, prerequisite gating, seven enumerated breaking-change sections, build verification, behavioral change callouts, and a migration summary template; supplemented by a process reference for edge cases and a security checklist covering secrets, token storage, PKCE, and DPoP preservation.
Evaluation and grading harness plugins/auth0/skills/auth0-android-major-migration/tests/evals.json, tests/graders.json, tests/graders.ts, tests/benchmark-config.json, tests/package.json	Adds the eval prompt/expectations spec, an ordered 12-rule graders.json rubric, a TypeScript shim (GraderDef, RichGrader, mapGrader, defineGraders) that normalizes grader types for the eval runner, a benchmark config with baseline/without_skill/with_skill configurations, and the npm package for running evals.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

• tanya732
• subhankarmaiti

Poem

🐇 Hop hop, the Android skips ahead,
From v3's burrow to v4's new thread.
MinSdk raised, Java seventeen bright,
SecureCredentials built just right.
The rabbit checks graders, fetches the source —
No secrets in logs, staying on course! 🔐

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding a new auth0-android-major-migration skill to the plugin ecosystem.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch skills/add-auth0-android-major-migration

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@plugins/auth0/skills/auth0-android-major-migration/references/process.md`:
- Around line 14-17: The markdown file contains three formatting issues that
need to be addressed for consistency with markdown linting standards. First, add
blank lines before and after the fenced code block containing the gh api command
(lines 14-17) and the code block at lines 96-97 to improve readability. Second,
add the language specifier "text" to the code block at line 157 that shows the
App and Backend architecture diagram pattern. These changes ensure the markdown
is properly formatted and maintains consistency throughout the documentation.

In `@plugins/auth0/skills/auth0-android-major-migration/references/security.md`:
- Around line 13-19: The markdown file has formatting inconsistencies flagged by
the linter. Add the language specifier `text` to all checklist code blocks (the
ones containing [ ] checkboxes at lines 13-19, 29-33, 46-50, and 54-58) by
changing ``` to ```text. Additionally, ensure blank lines exist before and after
the code blocks at lines 22 and 36 to comply with MD031 markdown rule for proper
spacing around code blocks.
- Around line 73-77: The three consecutive bullet points about scopes, audience,
and callback URL scheme (lines 74-76) all begin with the verb "Verify", creating
repetitive sentence structure that reduces readability. Vary the opening verbs
by replacing "Verify" in the second bullet point with "Confirm" and in the third
bullet point with "Check" to maintain clarity while improving the flow and
readability of the list.

In `@plugins/auth0/skills/auth0-android-major-migration/SKILL.md`:
- Around line 245-260: The markdown formatting requires blank lines between
block-level elements to pass the markdownlint-cli2 linter. In the SKILL.md file,
add a blank line after each of the three section headers (the ones ending with
"build.gradle):**", "build.gradle.kts):**", and "libs.versions.toml):**") before
the opening of their respective code fences (groovy, kotlin, and toml). This
will ensure proper separation between the bold introductory text and the fenced
code blocks that follow.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 762a67b2-3cfe-40a2-85c0-c1fa05383d95

📥 Commits

Reviewing files that changed from the base of the PR and between fcc4f20 and b88c41b.

📒 Files selected for processing (15)

• .claude-plugin/marketplace.json
• .cursor-plugin/marketplace.json
• PLUGIN.md
• README.md
• plugins/auth0/.codex-plugin/plugin.json
• plugins/auth0/.cursor-plugin/plugin.json
• plugins/auth0/README.md
• plugins/auth0/skills/auth0-android-major-migration/SKILL.md
• plugins/auth0/skills/auth0-android-major-migration/references/process.md
• plugins/auth0/skills/auth0-android-major-migration/references/security.md
• plugins/auth0/skills/auth0-android-major-migration/tests/benchmark-config.json
• plugins/auth0/skills/auth0-android-major-migration/tests/evals.json
• plugins/auth0/skills/auth0-android-major-migration/tests/graders.json
• plugins/auth0/skills/auth0-android-major-migration/tests/graders.ts
• plugins/auth0/skills/auth0-android-major-migration/tests/package.json

[sanchitmehtagit]

Tested against a sample scaffold

Ran the skill's full workflow against a realistic v3 scaffold — a Kotlin app on com.auth0.android:auth0:3.19.0, minSdk 24 / Java 8, with AuthManager.kt deliberately mixing changed APIs (SecureCredentialsManager(Auth0, …), SSOCredentials.expiresIn, getCredentials without minTtl, clearCredentials) and unchanged ones (no MFA / Management / Passkey / DPoP) to confirm the grep-gating only touches what's used.

Workflow results:

Step	Result
Pre-flight	Clean-tree gate passed; backup branch created
Version resolution	Detected 3.19.0; no arg → auto-resolved 4.0.0-beta.1, flagged as pre-release
Prerequisite gate	Flagged all bumps; correctly tagged minSdk 24 → 26 as a hard block (drops Android 7.1)
Source fetch	4.0.0-beta.1 tag carries source; every signature confirmed
Audit	Uses: §7.6, §7.7, §8.1, §8.3 · Skips: §7.1–7.5, §8.4
Dependency	3.19.0 → 4.0.0-beta.1 (exact pin for pre-release)
Code changes	§7.7 constructor rebuilt to AuthenticationAPIClient; §7.6 expiresIn: Int → expiresAt: Date (+ Date import)
Behavioral	§8.1 (minTtl 0→60) and §8.3 (clearCredentials clears all) surfaced in summary

Correctness checks: no removed-v3 API names remain in source; new SecureCredentialsManager(apiClient, context, storage) matches the v4 3-arg constructor read from source; all Auth0 symbols used in the file exist in the 4.0.0-beta.1 tree (no hallucinated APIs); SharedPreferencesStorage is built-in, so the §8.4 skip was correct.

Result: a minimal, correct changeset that touched only the four APIs the project actually uses.

[github-actions]

✅ skillsaw — All checks passed

Full report

Linting: /home/runner/work/agent-skills/agent-skills


Summary:
  Errors:   0
  Warnings: 0

✓ All checks passed!

skillsaw 0.4.3 · config · custom rules · run