If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/ZCShou/GoGoGo shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

WAIT — Slowing — last commit 6mo ago

• Last commit 6mo ago
• 5 active contributors
• GPL-3.0 licensed
• CI configured
• Tests present
• ⚠ Slowing — last commit 6mo ago
• ⚠ Concentrated ownership — top contributor handles 70% of recent commits
• ⚠ GPL-3.0 is copyleft — check downstream compatibility

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live ZCShou/GoGoGo repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/ZCShou/GoGoGo.

What it runs against: a local clone of ZCShou/GoGoGo — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in ZCShou/GoGoGo | Confirms the artifact applies here, not a fork | | 2 | License is still GPL-3.0 | Catches relicense before you depend on it | | 3 | Default branch master exists | Catches branch renames | | 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code | | 5 | Last commit ≤ 199 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of ZCShou/GoGoGo. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/ZCShou/GoGoGo.git
#   cd GoGoGo
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of ZCShou/GoGoGo and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "ZCShou/GoGoGo(\\.git)?\\b" \\
  && ok "origin remote is ZCShou/GoGoGo" \\
  || miss "origin remote is not ZCShou/GoGoGo (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(GPL-3\\.0)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"GPL-3\\.0\"" package.json 2>/dev/null) \\
  && ok "license is GPL-3.0" \\
  || miss "license drift — was GPL-3.0 at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \\
  && ok "default branch master exists" \\
  || miss "default branch master no longer exists"

# 4. Critical files exist
test -f "app/src/main/java/com/zcshou/gogogo/MainActivity.java" \\
  && ok "app/src/main/java/com/zcshou/gogogo/MainActivity.java" \\
  || miss "missing critical file: app/src/main/java/com/zcshou/gogogo/MainActivity.java"
test -f "app/src/main/java/com/zcshou/service/ServiceGo.java" \\
  && ok "app/src/main/java/com/zcshou/service/ServiceGo.java" \\
  || miss "missing critical file: app/src/main/java/com/zcshou/service/ServiceGo.java"
test -f "app/src/main/java/com/zcshou/joystick/JoyStick.java" \\
  && ok "app/src/main/java/com/zcshou/joystick/JoyStick.java" \\
  || miss "missing critical file: app/src/main/java/com/zcshou/joystick/JoyStick.java"
test -f "app/src/main/java/com/zcshou/utils/MapUtils.java" \\
  && ok "app/src/main/java/com/zcshou/utils/MapUtils.java" \\
  || miss "missing critical file: app/src/main/java/com/zcshou/utils/MapUtils.java"
test -f "app/src/main/java/com/zcshou/database/DataBaseHistoryLocation.java" \\
  && ok "app/src/main/java/com/zcshou/database/DataBaseHistoryLocation.java" \\
  || miss "missing critical file: app/src/main/java/com/zcshou/database/DataBaseHistoryLocation.java"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 199 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~169d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/ZCShou/GoGoGo"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

GoGoGo (影梭) is a no-root Android location spoofing tool that uses Android Debug API + Baidu Maps SDK to mock GPS coordinates and simulate movement via a free-moving joystick. It allows users to change their device location without ROOT privileges on Android 8.0+ for learning purposes. Single-activity Android app under app/src/main/java/com/zcshou/: core packages include gogogo/ (UI, activities), database/ (SQLite history for locations/searches via DataBaseHistoryLocation.java and DataBaseHistorySearch.java). Native Baidu Map bindings in app/libs/arm64-v8a/ (libBaiduMapSDK_*.so). Proguard obfuscation configured for release builds.

Android developers learning how location mocking and joystick controls work; reverse engineers studying Android Debug API integration; anyone interested in understanding Baidu Maps SDK implementation on Android. The project explicitly warns against use in campus fitness app cheating or game spoofing.

Actively maintained single-author project (v1.12.3, versionCode 1123) with GitHub CI/CD pipelines (build-check, build-release, CodeQL analysis). Has starred ~600+ times but shows moderate test coverage (ExampleInstrumentedTest.java exists). Production-ready for educational use; appropriate warnings about legal/ethical use in README.

Single maintainer (ZCShou) with moderate visibility makes long-term maintenance uncertain. No explicit open PR/issue data provided, but README mentions widespread rebranding without GPL compliance (trademark 'Spear Positioning'). Baidu Maps SDK is proprietary and requires API keys. Uses deprecated targetSdkVersion 32 (current is 35+) and old NDK (26.2.11394342).

Latest version 1.12.3 (versionCode 1123) is released. CI pipelines active (build-check.yml, issue-check.yml, dependabot.yml). No specific recent commit data in provided snapshot, but workflows suggest ongoing Android/Gradle version compatibility maintenance. Issue templates (bug_report, feature_request, question) are configured.

git clone https://github.com/ZCShou/GoGoGo.git
cd GoGoGo
./gradlew build
./gradlew installDebug  # Deploy to connected Android device (API 27+)

Note: Requires Android SDK 32, NDK 26.2.11394342, and Baidu Maps API key to be configured.

Daily commands:

./gradlew assembleDebug     # Build debug APK
./gradlew installDebug      # Install to device (requires Android device/emulator with API 27+)
adb logcat                  # View logs

Or import into Android Studio (File → Open → select GoGoGo/ root) and click Run (green play icon).

• app/src/main/java/com/zcshou/gogogo/MainActivity.java — Primary UI entry point and map interaction controller; orchestrates location spoofing and joystick input handling.
• app/src/main/java/com/zcshou/service/ServiceGo.java — Core service managing the virtual location broadcasting and Android Debug Bridge (ADB) communication for mock locations.
• app/src/main/java/com/zcshou/joystick/JoyStick.java — Joystick gesture recognition and coordinate calculation engine; essential for location delta movement.
• app/src/main/java/com/zcshou/utils/MapUtils.java — Baidu Map SDK integration and coordinate system utilities; handles location-to-map transformations.
• app/src/main/java/com/zcshou/database/DataBaseHistoryLocation.java — Persistent storage schema for historical location records; enables replay and location history features.
• app/build.gradle — Build configuration with Baidu Maps and NDK dependencies; mandatory for understanding native library requirements.

Add a new location-based feature (e.g., route replay)

1. Create a new activity by extending BaseActivity in app/src/main/java/com/zcshou/gogogo/ (app/src/main/java/com/zcshou/gogogo/BaseActivity.java)
2. Query historical locations using DataBaseHistoryLocation methods (app/src/main/java/com/zcshou/database/DataBaseHistoryLocation.java)
3. Feed location deltas to ServiceGo via Intent extras or callback (app/src/main/java/com/zcshou/service/ServiceGo.java)
4. Register the new activity in AndroidManifest.xml and add a menu item (app/src/main/AndroidManifest.xml)

Enhance joystick input (e.g., sensitivity adjustments)

1. Modify touch event calculation in JoyStick.java to add scaling factors or deadzone logic (app/src/main/java/com/zcshou/joystick/JoyStick.java)
2. Add configurable sensitivity parameters to FragmentSettings.java preferences (app/src/main/java/com/zcshou/gogogo/FragmentSettings.java)
3. Pass sensitivity values from MainActivity to JoyStick via constructor or setter (app/src/main/java/com/zcshou/gogogo/MainActivity.java)

Add new map provider or coordinate system support

1. Extend or create a new map utility class in app/src/main/java/com/zcshou/utils/ (app/src/main/java/com/zcshou/utils/MapUtils.java)
2. Implement coordinate conversion functions (e.g., WGS84 ↔ GCJ02 ↔ BD09) (app/src/main/java/com/zcshou/utils/MapUtils.java)
3. Update MainActivity to select between map providers via settings (app/src/main/java/com/zcshou/gogogo/MainActivity.java)
4. Add library dependency to build.gradle if using external map SDK (app/build.gradle)

Integrate a new native library or NDK module

1. Place .so files in app/libs/{abi}/ directories (arm64-v8a, armeabi-v7a, etc.) (app/libs/arm64-v8a/libBaiduMapSDK_base_v7_6_5.so)
2. Declare the NDK version and add JNI bindings in build.gradle (app/build.gradle)
3. Create Java JNI wrapper classes in appropriate package under app/src/main/java/ (app/src/main/java/com/zcshou/gogogo/MainActivity.java)
4. Update ProGuard rules to preserve native method signatures (app/proguard-rules.pro)

• Android Debug Bridge (ADB) — Only reliable method to inject mock locations on Android 8.0+ without root; communicates directly with system location service.
• Baidu Maps SDK — Chinese-region map provider with strong reverse geocoding; standard choice for location-aware apps in China market.
• SQLite (via Android built-in) — Lightweight persistent storage for location history and search records without external dependencies.
• Custom JoyStick gesture handler — Provides low-latency directional input independent of system touch events; essential for smooth simulated movement.
• Native libraries (arm64-v8a .so) — Baidu Maps requires native bindings for efficient map rendering and location calculations at runtime.

• ADB-based location injection instead of system integration

  • Why: Avoids root requirement and works on unmodified Android 8.0+; enables wider user base.
  • Consequence: Requires device to be debuggable or connected via ADB; mock location visible to all apps; breaks on restrictive ROMs.

• Baidu Maps (China) instead of Google Maps

  • Why: Aligns with target market (China) and avoids GMS restrictions; coordinates already in GCJ02.
  • Consequence: Limited to Chinese user base and specific coordinate system; no seamless multi-region support.

• Custom joystick UI rather than system gamepad API

  • Why: Joystick visual feedback and movement calculations are app-specific; custom rendering ensures UX consistency.
  • Consequence: Does not integrate with hardware game controllers; joystick-only input model.

• Foreground service with persistent notification for mock location

  • Why: Android 8.0+ requires foreground services for background tasks; ensures location updates survive app backgrounding.
  • Consequence: User sees persistent notification; consumes battery and memory; may trigger system restrictions on resource hogs.

• Real-time multiplayer location sharing or server-side location sync
• Support for non-Chinese coordinate systems (WGS84, EPSG) as primary
• Hardware gamepad/controller integration
• Offline map rendering (

Baidu Maps API Key Required: Not visible in repo; must be obtained from Baidu and injected via Gradle Secrets plugin (com.google.android.libraries.mapsplatform.secrets-gradle-plugin) into secrets.xml. Hardcoded Keystore Path: build.gradle references ..\keystore\GoGoGo.jks (note Windows backslash) — release builds will fail without this keystore in parent directory. Android Debug API Access: Requires android:debuggable=true in AndroidManifest.xml; may not work on user builds or devices without developer mode. Deprecated Target SDK: targetSdkVersion 32 is 3+ years old; may face Google Play Store rejection. NDK ABI Filter: Locked to arm64-v8a only — will not run on 32-bit ARM or x86 emulators. ProGuard Obfuscation: Release APKs are heavily obfuscated; stack traces are unreadable without mapping files.

• Android Mock Location Provider — Core mechanism GoGoGo uses to override system GPS via Android Debug API without ROOT; understanding LocationProvider, MockLocationProvider, and android.location framework is essential to the app's function
• Android Debug Bridge (ADB) Debugging API — GoGoGo leverages undocumented Debug API hooks to inject mock location data; requires knowledge of android.os.Debug and system property manipulation
• Baidu Maps SDK Location Integration — App depends on Baidu LBS (Location-Based Services) SDK for map rendering and coordinate system (Baidu uses GCJ-02 instead of WGS-84); coordinate transformation bugs are common
• Android Joystick/Touch Input Event Handling — Free-moving joystick requires custom MotionEvent processing and real-time View rendering; understanding TouchDelegate, GestureDetector, and canvas drawing is needed to modify joystick behavior
• ProGuard/R8 Code Obfuscation — Release APK uses aggressive ProGuard rules (minifyEnabled=true, shrinkResources=true); reverse engineering requires mapping files; contributors need to understand obfuscation config in app/proguard-rules.pro
• SQLite Content Provider Pattern — History persistence uses SQLite via DataBaseHistoryLocation and DataBaseHistorySearch; understanding Android ContentProvider, Cursor, and database transactions is needed to extend history features
• Android Native Library (NDK) .so Binding — Baidu Maps uses native .so libraries (libBaiduMapSDK_*.so in arm64-v8a/); contributors need to understand NDK ABI compatibility, JNI boundaries, and why arm64-v8a-only support limits device compatibility

• Hilaver/MockGPS — Direct predecessor/inspiration listed in References; similar Android mock location implementation
• bxxfighting/together-go — Referenced in project docs as technical reference for location spoofing patterns
• P72B/Mocklation — Listed in References section; alternative mock location approach for Android
• google/android-mock-location-for-testing — Official Google approach to location mocking; relevant for understanding Android Debug API standards

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add unit tests for MapUtils and GoUtils utility classes

The repo lacks test coverage for core utility classes (app/src/main/java/com/zcshou/utils/MapUtils.java and GoUtils.java). These utilities handle critical location mapping and conversion logic that should have regression tests, especially given the virtual location spoofing functionality where precision matters.

• [ ] Create app/src/test/java/com/zcshou/utils/MapUtilsTest.java with tests for coordinate conversion methods
• [ ] Create app/src/test/java/com/zcshou/utils/GoUtilsTest.java with tests for location validation and formatting
• [ ] Add test dependency for JUnit4 in app/build.gradle if missing
• [ ] Verify tests run in CI via existing build-check.yml workflow

Add instrumented tests for JoyStick components (RockerView and ButtonView)

The joystick module (app/src/main/java/com/zcshou/joystick/) has custom view components that handle touch input and rendering, but there are no instrumented tests in app/src/androidTest/. These UI components are critical to the user experience and should have automated tests to prevent regressions.

• [ ] Create app/src/androidTest/java/com/zcshou/joystick/RockerViewTest.java testing touch events and movement calculations
• [ ] Create app/src/androidTest/java/com/zcshou/joystick/ButtonViewTest.java testing button state and click handling
• [ ] Use Espresso or AndroidX Test framework (already configured with testInstrumentationRunner)
• [ ] Verify tests pass in CI pipeline

Add integration tests for ServiceGo location spoofing and database operations

The app/src/main/java/com/zcshou/service/ServiceGo.java is the core service managing location spoofing, and database classes (DataBaseHistoryLocation.java, DataBaseHistorySearch.java) persist user data. There are no integration tests validating that location changes are properly saved to history or that the service correctly interfaces with the Android Debug API.

• [ ] Create app/src/androidTest/java/com/zcshou/gogogo/ServiceGoIntegrationTest.java testing location spoofing start/stop and history persistence
• [ ] Create app/src/androidTest/java/com/zcshou/database/DatabaseIntegrationTest.java testing CRUD operations for history tables
• [ ] Mock or use test database for isolation (consider Room if not already used)
• [ ] Add test coverage validation to build-check.yml workflow to track improvement

• Add unit tests for DataBaseHistoryLocation.java and DataBaseHistorySearch.java: The database persistence layer has no visible test coverage. Add AndroidJUnit4 tests under app/src/androidTest/java/com/zcshou/database/ to test CRUD operations on location and search history.
• Update targetSdkVersion from 32 to 35 for Android 15 support: Current build.gradle specifies targetSdkVersion 32 (Android 12, EOL). Increment to 35 and handle required runtime permissions (location, bluetooth scans) via PermissionCompat if preparing for Google Play Store submission.
• Document Baidu Maps API key setup in README or CONTRIBUTING guide: README lacks instructions on obtaining Baidu Maps API key and configuring it via the Secrets Gradle plugin. Create CONTRIBUTING.md with step-by-step API key setup, keystore generation, and build instructions for new contributors.

• Critical · Hardcoded Keystore Credentials in build.gradle — app/build.gradle - signingConfigs section. The build.gradle file contains hardcoded keystore passwords and key passwords in plain text. Credentials are embedded directly in the signingConfigs for both debug and release builds: storePassword 'GoGoGo', keyAlias 'GoGoKey', keyPassword 'GoGoGo'. This exposes sensitive cryptographic credentials to anyone with access to the repository. Fix: Move credentials to gradle.properties or use Android Studio's built-in keystore management. Store sensitive credentials in environment variables or a secure secrets management system. Never commit credentials to version control.
• High · Outdated Target SDK Version — app/build.gradle - targetSdkVersion. The application targets SDK 32 (Android 12) which is outdated. Current stable versions are SDK 34+ (Android 14+). Using outdated SDK versions means missing critical security patches, privacy improvements, and platform-level security enhancements. Fix: Update targetSdkVersion to 34 or higher. Review and address any breaking changes in newer Android versions. Ensure compliance with latest Google Play Store requirements (minimum targetSdkVersion 34).
• High · Minimum SDK Version Below Recommended — app/build.gradle - minSdkVersion. The application supports minSdkVersion 27 (Android 8.1), which is significantly below current recommendations. This extends support to devices lacking modern security features like hardware-backed keystore, stronger encryption defaults, and security patches. Fix: Raise minSdkVersion to at least 29 or 30 to ensure devices have modern security features. Evaluate business requirements and consider dropping support for older Android versions with known vulnerabilities.
• High · Plain Text Keystore File Path Exposure — app/build.gradle - storeFile paths. The keystore file path is hardcoded in the build configuration: file('..\keystore\GoGoGo.jks'). The relative path and filename exposure makes the keystore location predictable and the file location is tracked in version control history. Fix: Use environment variables or gradle.properties to specify keystore path. Keep the keystore file outside the repository directory. Consider using Android's built-in signing configuration in Android Studio.
• Medium · Shrinking and Obfuscation Configuration — app/build.gradle - buildTypes.release. While minifyEnabled and shrinkResources are enabled for release builds, ProGuard configuration file path is truncated in the provided snippet ('proguard-android.txt'), 'proguar...). Cannot verify if the ProGuard rules are properly configured to protect sensitive code. Fix: Review the complete ProGuard configuration file. Ensure sensitive classes, methods, and reflection calls are properly protected with -keep rules. Test obfuscation thoroughly before release.
• Medium · Limited ABI Support Without Justification — app/build.gradle - ndk.abiFilters. The configuration explicitly filters to only 'arm64-v8a' architecture (abiFilters 'arm64-v8a'), which limits device compatibility. However, this may reduce surface area if intentional, but lacks documented security justification. Fix: Document the reason for limiting to arm64-v8a only. If supporting multiple ABIs, ensure all native libraries are security-tested. If intentional for device targeting, document this policy.
• Medium · Native Libraries Without Verification — app/libs/arm64-v8a/. The application includes multiple native libraries (libBaiduMapSDK_base_v7_6_5.so, libBaiduMapSDK_map_v7_6_5.so, etc.) from Baidu Maps SDK. There is no visible verification mechanism for library integrity or vulnerability scanning. Fix: Verify integrity of all native libraries from trusted sources. Perform regular security scans of third-party libraries. Check for known vulnerabilities in Baidu Maps SDK version 7.6.5. Monitor security advisories.
• Medium · Debugging Enabled in Release Configuration — undefined. The application appears to enable debugging capabilities (based on minSdkVersion 27+ support and service components). If debuggable flag is not explicitly set to false for release builds, the app may be debugg Fix: undefined

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.