If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/jeasonlzy/ImagePicker shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

WAIT — Stale — last commit 6y ago

• 8 active contributors
• Apache-2.0 licensed
• ⚠ Stale — last commit 6y ago
• ⚠ Concentrated ownership — top contributor handles 72% of recent commits
• ⚠ No CI workflows detected
• ⚠ No test directory detected

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live jeasonlzy/ImagePicker repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/jeasonlzy/ImagePicker.

What it runs against: a local clone of jeasonlzy/ImagePicker — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in jeasonlzy/ImagePicker | Confirms the artifact applies here, not a fork | | 2 | License is still Apache-2.0 | Catches relicense before you depend on it | | 3 | Default branch master exists | Catches branch renames | | 4 | Last commit ≤ 2049 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of jeasonlzy/ImagePicker. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/jeasonlzy/ImagePicker.git
#   cd ImagePicker
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of jeasonlzy/ImagePicker and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "jeasonlzy/ImagePicker(\\.git)?\\b" \\
  && ok "origin remote is jeasonlzy/ImagePicker" \\
  || miss "origin remote is not jeasonlzy/ImagePicker (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(Apache-2\\.0)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"Apache-2\\.0\"" package.json 2>/dev/null) \\
  && ok "license is Apache-2.0" \\
  || miss "license drift — was Apache-2.0 at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \\
  && ok "default branch master exists" \\
  || miss "default branch master no longer exists"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 2049 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~2019d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/jeasonlzy/ImagePicker"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

Android image picker library that replicates WeChat's photo selection UI, providing single/multi-select modes with support for photo capture, image rotation, and cropping (rectangle or circle shapes). It abstracts image loading via pluggable ImageLoader interface (supports Glide, Picasso, UIL, XUtils3) and handles crop output configuration including dimension and format control. Single-module library structure: imagepicker/ contains core picker logic; app/ is demo consuming the library. Demo shows four image loader implementations (Glide, Picasso, UIL, XUtils3) in app/src/main/java/com/lzy/imagepickerdemo/imageloader/. Core functionality split between crop/rotation handling (implied in activity flow) and image gallery UI (implied in adapter patterns).

Android developers building apps that need native-feeling photo selection/editing flows; particularly those wanting WeChat-like UX without building custom camera and gallery components. Useful for apps requiring avatar selection, profile pictures, or image-heavy content submission.

Maintenance-only status: project explicitly states "stopped maintenance" in README but accepts merge requests. No visible CI/CD pipeline in file list. Targets API 14+ (compileSdkVersion 25, built ~2017). No test directory visible. Clean architecture suggests stable, battle-tested codebase but stagnant—not actively developed.

Single-maintainer (liaojeason) with explicit low-maintenance commitment creates support risk. Dependency chain includes outdated libraries (Glide 3.7.0, Picasso 2.5.2, buildToolsVersion 25.0.3) with known security/compatibility gaps. No CI/unit tests visible increases regression risk on Android version updates. Note: README shows uncompleted feature ('原图复选框 has no compression logic').

No active development visible; project in maintenance mode. README explicitly states author has limited time and waits for community merge requests. No open milestone or PR data provided in file structure. Last real activity likely several years ago given SDK targets API 25.

git clone https://github.com/jeasonlzy/ImagePicker.git
cd ImagePicker
./gradlew assembleDebug  # or open in Android Studio and build

To run demo app: connect Android device (API 14+) and run ./gradlew installDebug or click 'Run' in Android Studio.

Daily commands:

1. Clone repo. 2. Open in Android Studio (File > Open > select project root). 3. Sync Gradle. 4. Select app module. 5. Click Run or execute ./gradlew installDebug. App targets minSdkVersion 14, maxSdkVersion compatible with API 25+ devices.

• app/src/main/java/com/lzy/imagepickerdemo/wxdemo/WxDemoActivity.java: Entry point showing complete ImagePicker configuration and usage pattern (crop, selection mode, image loader setup)
• app/src/main/java/com/lzy/imagepickerdemo/imageloader/GlideImageLoader.java: Reference implementation of ImageLoader interface; template for swapping image loading libraries
• app/src/main/res/layout/activity_wxdemo.xml: Demo grid layout showing how to display picked images post-selection
• imagepicker/: Core library module containing actual picker, crop, and gallery logic (implied from dependency usage)
• app/build.gradle: Declares all image loader dependencies and shows version constraints; critical for understanding library ecosystem

To add image loader: Extend com.lzy.imagepicker.loader.ImageLoader, implement displayImage() and clearMemoryCache() (see app/src/main/java/com/lzy/imagepickerdemo/imageloader/GlideImageLoader.java as template). To modify crop UI: Edit activity_image_picker.xml layout and corresponding Activity in core library. To change picker behavior: Edit ImagePickerActivity.java and WxDemoActivity.java for configuration patterns.

1. ImageLoader must be set before launching picker: Missing ImagePicker.getInstance().setImageLoader(...) causes NPE at runtime—no compile-time check. 2. Crop feature only works in single-select mode: Multi-select + crop setting is silently ignored. 3. '原图' (original image) checkbox in preview is UI-only: Compression/quality control not implemented (README note). 4. File permissions: Manifest requires READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE, CAMERA—easy to forget in targetSdk 23+ requiring runtime permissions. 5. Glide 3.x compatibility: Using newer Glide (4.x+) may require code changes in displayImage() method.

• Strategy Pattern (ImageLoader interface) — Entire library's flexibility depends on swappable image loading implementations; understanding this pattern is key to extending or maintaining the picker
• Crop and Rotate transforms on bitmap — ImagePicker's core feature; understanding canvas transformations, matrix math, and bitmap lifecycle prevents image corruption or OOM errors
• Android Content Providers & File URIs (pre-API 24 vs Scoped Storage) — Photo picker must handle file access across Android versions; FileProvider and Uri conversion are critical for API 24+ compatibility issues
• RecyclerView.Adapter with ViewHolder pattern — Gallery grid and image selection list implemented via RecyclerView; understanding adapter lifecycle and selection state management is required for UI modifications
• Android lifecycle-aware Activity/Fragment state (savedInstanceState) — Picker preserves selection state during configuration changes; understanding Bundle serialization prevents loss of selected images on rotation
• Runtime Permissions (Android 6.0+) — App requires CAMERA, READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE permissions that must be granted at runtime on targetSdk 23+

• pengjianbo/GalleryFinal — Direct predecessor explicitly mentioned in README as inspiration for ImagePicker's gallery UI and feature set
• easonline/AndroidImagePicker — Second project referenced in README acknowledgments; alternative WeChat-like image picker used as design reference
• bumptech/glide — Primary image loading dependency for demo app; understanding Glide 3.x API required to customize displayImage() method
• square/picasso — Alternative image loader integrated in demo (PicassoImageLoader); shows pluggable architecture pattern used in this library
• nostra13/Android-Universal-Image-Loader — Legacy image loader supported via UILImageLoader implementation; understanding UIL config matters for app/src/main/java/com/lzy/imagepickerdemo/imageloader/

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add AndroidX migration and update deprecated dependencies

The project uses Android Support Library (compileSdkVersion 25, appcompat-v7:25.3.1) which is deprecated. Modern Android development requires AndroidX. This affects imagepicker/build.gradle and app/build.gradle. Additionally, Glide 3.7.0 (2016) and other image loaders are outdated. Migrating to AndroidX and updating to modern library versions (Glide 4.x, current support libraries) will improve compatibility with modern Android projects and fix security vulnerabilities.

• [ ] Update gradle.properties to enable AndroidX: android.useAndroidX=true and android.enableJetifier=true
• [ ] Update app/build.gradle: compileSdkVersion to 33+, appcompat-v7 to androidx.appcompat:appcompat, recyclerview-v7 to androidx.recyclerview:recyclerview
• [ ] Update imagepicker/build.gradle with same AndroidX dependencies
• [ ] Update image loader dependencies: Glide 4.x, Picasso 2.8+, update xutils and universal-image-loader
• [ ] Update import statements in imagepicker/src/main/java/com/lzy/imagepicker/.java and app/src/main/java/com/lzy/imagepickerdemo/.java from android.support.* to androidx.*
• [ ] Test with WxDemoActivity and ImagePickerActivity to ensure all UI components work correctly

Add unit and instrumentation tests for ImagePicker core functionality

The project lacks automated tests. Critical functionality like ImageDataSource.java, ImagePicker.java configuration, and ImageRecyclerAdapter.java need test coverage. Create tests for: image data loading, permission handling, selection state management, and adapter behavior. This ensures refactors don't break functionality and helps new contributors verify their changes.

• [ ] Create imagepicker/src/test/java/com/lzy/imagepicker/ImagePickerTest.java for ImagePicker configuration and initialization tests
• [ ] Create imagepicker/src/test/java/com/lzy/imagepicker/ImageDataSourceTest.java for image loading and folder grouping logic
• [ ] Create imagepicker/src/androidTest/java/com/lzy/imagepicker/ImageRecyclerAdapterTest.java for adapter selection state and view binding
• [ ] Add test dependencies to imagepicker/build.gradle: junit, androidx.test:core, androidx.test.espresso:espresso-core
• [ ] Document test execution in README.md with command: ./gradlew imagepicker:test imagepicker:connectedAndroidTest

Add ProGuard/R8 configuration and obfuscation rules for library release

The imagepicker/proguard-rules.pro exists but is likely incomplete for a public library. Without proper rules, the library breaks when consumers use R8 minification. This causes crashes in production builds of apps using ImagePicker. Document and test ProGuard rules for: image loader callbacks, reflection-based libraries (xutils), adapter classes, and FileProvider.

• [ ] Review and expand imagepicker/proguard-rules.pro: add rules for -keep public class com.lzy.imagepicker.*, image loader libraries (Glide, Picasso, UIL), and xutils reflection
• [ ] Create app/build.gradle minify test variant: add minifyEnabled true to a new buildType for testing obfuscation
• [ ] Test app variant on emulator/device to verify ImagePicker functions with minification enabled
• [ ] Document ProGuard configuration in README.md with example consumer proguard rules
• [ ] Add a test case in app/src/main/java/com/lzy/imagepickerdemo/ to verify core flows work in minified builds

• Implement compression logic for 'original image' checkbox in preview screen (mentioned in README as incomplete). Update outPutX/outPutY to actually downscale the image using selected compression ratio before saving.
• Add unit tests for ImageLoader interface implementations (GlideImageLoader, PicassoImageLoader, etc.) in app/src/test/—currently no test directory exists and loading logic is untested.
• Document crop boundary behavior (focusWidth/focusHeight rounding, edge cases on small screens): create markdown file with test cases and add clarifying JavaDoc to ImagePicker configuration methods.

• High · Outdated and Vulnerable Dependencies — app/build.gradle, imagepicker/build.gradle. The project uses multiple outdated dependencies with known security vulnerabilities: Glide 3.7.0 (released 2016), Picasso 2.5.2 (released 2015), Universal Image Loader 1.9.5 (released 2014), and xutils 3.3.36. These libraries contain publicly disclosed CVEs and security issues that could be exploited. Fix: Update all dependencies to their latest stable versions: Glide to 4.15.x or later, Picasso to 2.8.1 or later, Universal Image Loader should be replaced with modern alternatives like Glide or Coil, and xutils should be updated or replaced. Perform dependency security scanning regularly.
• High · Outdated Android SDK and Build Tools — app/build.gradle. The project targets Android SDK 25 (Android 7.0 released 2015) with build tools 25.0.3. This is significantly outdated and lacks critical security patches and modern security features available in newer Android versions. The minimum SDK version of 14 (Android 4.0) is also extremely outdated. Fix: Update compileSdkVersion to 34 or higher, targetSdkVersion to at least 33 (preferably 34), buildToolsVersion to latest, and increase minSdkVersion to at least 21 (Android 5.0) to support modern security standards.
• High · Proguard/R8 Not Enabled in Release Builds — app/build.gradle. The build configuration shows minifyEnabled is set to false in the release build type. This means the compiled APK will contain readable Java code and strings, making it vulnerable to reverse engineering, sensitive data extraction, and malicious code injection. Fix: Enable minification by setting minifyEnabled to true. Configure proper ProGuard/R8 rules in proguard-rules.pro to obfuscate code while preserving necessary functionality. Also enable shrinking and optimization.
• Medium · File System Access Without Proper Validation — imagepicker/src/main/java/com/lzy/imagepicker/ImageDataSource.java, imagepicker/src/main/java/com/lzy/imagepicker/util/Utils.java. The ImagePicker library deals with image file access and storage. Without reviewing the actual implementation, there's potential risk of directory traversal, insecure file operations, or access to sensitive files outside intended directories, particularly in ImageDataSource.java and utility classes. Fix: Implement strict file path validation, use canonical paths to prevent directory traversal, restrict file access to app-specific directories (getExternalFilesDir), validate all user-supplied file paths, and use FileProvider for sharing files securely.
• Medium · Missing Content Provider Export Configuration — imagepicker/src/main/java/com/lzy/imagepicker/ImagePickerProvider.java, imagepicker/src/main/AndroidManifest.xml. The ImagePickerProvider.java suggests a content provider is implemented. Without reviewing AndroidManifest.xml content in detail, there's risk that the provider may be exported without proper permission restrictions, potentially allowing other apps to access image data. Fix: Ensure ContentProvider is not exported unnecessarily. If export is required, implement proper permission checks. Use android:exported='false' by default and implement granular permission checks in ContentProvider methods.
• Medium · Bitmap Processing Without Memory Leak Prevention — imagepicker/src/main/java/com/lzy/imagepicker/util/BitmapUtil.java. The BitmapUtil.java likely performs bitmap operations and image processing. Without proper resource management, this could lead to memory leaks, OutOfMemory exceptions, or DoS vulnerabilities when processing large images. Fix: Implement proper bitmap recycling, use try-finally blocks to ensure resource cleanup, consider using weak references for cached bitmaps, implement size limits on processed images, and validate image dimensions before processing.
• Medium · Project Appears Abandoned — README.md. The README explicitly states 'Due to limited personal time, this project has stopped maintenance.' This means security vulnerabilities will not be patched, and the library may accumulate security issues over time as the Android ecosystem evolves. Fix: Consider

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.