If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/nining377/dolby_beta shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

GO — Healthy across all four use cases

• 4 active contributors
• Distributed ownership (top contributor 45% of recent commits)
• MIT licensed
• CI configured
• Tests present
• ⚠ Stale — last commit 2y ago
• ⚠ Small team — 4 contributors active in recent commits

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live nining377/dolby_beta repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/nining377/dolby_beta.

What it runs against: a local clone of nining377/dolby_beta — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in nining377/dolby_beta | Confirms the artifact applies here, not a fork | | 2 | License is still MIT | Catches relicense before you depend on it | | 3 | Default branch master exists | Catches branch renames | | 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code | | 5 | Last commit ≤ 715 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of nining377/dolby_beta. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/nining377/dolby_beta.git
#   cd dolby_beta
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of nining377/dolby_beta and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "nining377/dolby_beta(\\.git)?\\b" \\
  && ok "origin remote is nining377/dolby_beta" \\
  || miss "origin remote is not nining377/dolby_beta (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(MIT)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"MIT\"" package.json 2>/dev/null) \\
  && ok "license is MIT" \\
  || miss "license drift — was MIT at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \\
  && ok "default branch master exists" \\
  || miss "default branch master no longer exists"

# 4. Critical files exist
test -f "app/src/main/java/com/raincat/dolby_beta/MainHook.java" \\
  && ok "app/src/main/java/com/raincat/dolby_beta/MainHook.java" \\
  || miss "missing critical file: app/src/main/java/com/raincat/dolby_beta/MainHook.java"
test -f "app/src/main/java/com/raincat/dolby_beta/HookerDispatcher.java" \\
  && ok "app/src/main/java/com/raincat/dolby_beta/HookerDispatcher.java" \\
  || miss "missing critical file: app/src/main/java/com/raincat/dolby_beta/HookerDispatcher.java"
test -f "app/src/main/java/com/raincat/dolby_beta/hook/EAPIHook.java" \\
  && ok "app/src/main/java/com/raincat/dolby_beta/hook/EAPIHook.java" \\
  || miss "missing critical file: app/src/main/java/com/raincat/dolby_beta/hook/EAPIHook.java"
test -f "app/src/main/java/com/raincat/dolby_beta/net/Http.java" \\
  && ok "app/src/main/java/com/raincat/dolby_beta/net/Http.java" \\
  || miss "missing critical file: app/src/main/java/com/raincat/dolby_beta/net/Http.java"
test -f "app/src/main/AndroidManifest.xml" \\
  && ok "app/src/main/AndroidManifest.xml" \\
  || miss "missing critical file: app/src/main/AndroidManifest.xml"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 715 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~685d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/nining377/dolby_beta"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

Dolby Beta is an Xposed module that acts as an audio source proxy for NetEase Cloud Music (网易云音乐), replacing unavailable tracks with alternative sources rather than cracking DRM. It merged all functionality from UnblockMusicPro, intercepts music API calls via runtime hooking, and provides a settings UI embedded directly in the NetEase app. Monolithic single-module Android app: app/src/main/java/com/raincat/dolby_beta/ contains core logic split into Hook classes (hook/ directory with AdAndUpdateHook, CdnHook, etc.), Helpers (helper/ with EAPIHelper for API proxying, SignSongHelper for song matching), and database layer (db/ with CloudDao, ExtraDao for caching). Entry points are MainHook.java and HookerDispatcher.java which coordinate hook injection.

NetEase Cloud Music users in regions with music licensing restrictions who want to listen to unavailable tracks, and Android developers maintaining Xposed modules that need to hook and proxy API responses in third-party apps.

Production-ready with 354 version iterations and active maintenance (latest 3.5.4). GitHub CI/CD pipeline present (android.yml workflow), no visible test suite, but consolidated from a predecessor (UnblockMusicPro) indicating maturity. Single-maintainer project (nining377) with moderate GitHub stars suggests stable but not enterprise-scale adoption.

Single-maintainer risk is significant; depends on Xposed framework stability which is not under project control. Heavy reliance on hooking internal NetEase APIs (com.netease.cloudmusic) creates maintenance burden as app updates may break hooks—README explicitly warns about secondary-modified apps losing adaptation. No automated tests visible; relies on manual issue reports for regression detection.

Version 3.5.4 is current; README mentions focus on stability and seamless adaptation to latest NetEase Cloud Music versions. No active public roadmap visible, but project accepts issues and presumably merges PRs. Android compilation target remains SDK 29 (compiled December 2024 based on version naming), suggesting ongoing maintenance but not bleeding-edge development.

git clone https://github.com/nining377/dolby_beta.git && cd dolby_beta && ./gradlew assembleRelease

Daily commands: Module cannot run standalone—requires Xposed Framework installed on Android device. Build APK with: ./gradlew assembleRelease (output: app/build/outputs/apk/release/dolby_beta_*.apk). Install via Xposed Manager or embed into modified NetEase Cloud Music APK (see issue #142). No dev server—pure hooking module.

• app/src/main/java/com/raincat/dolby_beta/MainHook.java — Entry point for Xposed framework integration; orchestrates all hook initialization and module lifecycle
• app/src/main/java/com/raincat/dolby_beta/HookerDispatcher.java — Central dispatcher that routes hook execution; essential for understanding how individual hooks are triggered
• app/src/main/java/com/raincat/dolby_beta/hook/EAPIHook.java — Core encryption/decryption hook for Netease API; critical for audio source proxy functionality
• app/src/main/java/com/raincat/dolby_beta/net/Http.java — HTTP request handler for audio source replacement; implements the proxy mechanism
• app/src/main/AndroidManifest.xml — Declares Xposed module metadata and hooks configuration; required for framework recognition
• app/build.gradle — Build configuration targeting SDK 29 with architecture constraints; defines versioning and release process
• app/src/main/assets/xposed_init — Xposed framework initialization file; must specify hook entry classes

Add a new audio quality proxy (e.g., 128K or 320K)

1. Create a new View class in app/src/main/java/com/raincat/dolby_beta/view/proxy/ (e.g., ProxyQualityView.java) extending BaseDialogItem to define the UI toggle (app/src/main/java/com/raincat/dolby_beta/view/proxy/ProxyFlacView.java)
2. Add the view to SettingHook.java by injecting it into the settings dialog via Xposed hook (app/src/main/java/com/raincat/dolby_beta/hook/SettingHook.java)
3. Modify ProxyHook.java to intercept URL requests and apply quality-specific transformation logic (app/src/main/java/com/raincat/dolby_beta/hook/ProxyHook.java)
4. Store user preference in SettingHelper.java and retrieve it in ProxyHook to decide whether to apply the proxy (app/src/main/java/com/raincat/dolby_beta/helper/SettingHelper.java)

Add a new UI customization hook (e.g., hide a specific UI element)

1. Create a new hook class in app/src/main/java/com/raincat/dolby_beta/hook/ (e.g., HideCustomElementHook.java) extending Hook.java (app/src/main/java/com/raincat/dolby_beta/hook/Hook.java)
2. In the hook, use XposedHelpers to find and modify the target view class/method from the Netease app (app/src/main/java/com/raincat/dolby_beta/hook/HideBannerHook.java)
3. Register the hook in HookerDispatcher.java by adding it to the hook list and initialization logic (app/src/main/java/com/raincat/dolby_beta/HookerDispatcher.java)
4. Optionally add a UI toggle in BeautyTitleView.java or create a new beauty view class to allow users to toggle the feature (app/src/main/java/com/raincat/dolby_beta/view/beauty/BeautyTitleView.java)

Add a new alternative audio source for song matching

1. Extend or modify SignSongHelper.java to add logic for matching songs to your new audio source API (app/src/main/java/com/raincat/dolby_beta/helper/SignSongHelper.java)
2. Add encryption/decryption logic in NeteaseAES.java or NeteaseAES2.java if the new source requires Netease-compatible encryption (app/src/main/java/com/raincat/dolby_beta/utils/NeteaseAES.java)
3. Modify ProxyHook.java to detect requests to the new source and apply URL rewriting to your alternative source (app/src/main/java/com/raincat/dolby_beta/hook/ProxyHook.java)
4. Create a database DAO in app/src/main/java/com/raincat/dolby_beta/db/ to cache song matches and reduce repeated lookups (app/src/main/java/com/raincat/dolby_beta/db/ExtraDao.java)

Add EAPI encryption/decryption support for a new API version

1. Study the Netease EAPI protocol and add new encryption logic in NeteaseAES2.java (or create NeteaseAES3.java) (app/src/main)

1. Xposed framework version compatibility—module compiled against API 82 (Xposed Bridge 82+); mismatched framework versions will silently fail to hook. 2) UnblockNeteaseMusic backend requires extracted execution directory with write permissions; no explicit temp directory setup documented. 3) NetEase app signature verification may prevent hooking on certain ROM variants; undocumented in README. 4) Song matching relies on fuzzy audio fingerprinting; single-paid and no-copyright tracks will have false positives as acknowledged in README. 5) Build targets SDK 29 with arm64-v8a only—will not run on 32-bit devices. 6) No ProGuard obfuscation in release build (minifyEnabled: false) despite compiling against ProGuard rules—potential reverse-engineering vector.

• Xposed Framework Runtime Hooking — Core mechanism—this project hijacks method calls in NetEase Cloud Music at runtime to intercept API requests and CDN downloads; understanding XposedBridge.hookMethod() and XC_MethodHook callbacks is essential
• API Proxying and Man-in-the-Middle HTTP Interception — EAPIHelper intercepts NetEase API calls and forwards them to UnblockNeteaseMusic backend; requires understanding HTTP request/response mutation and proxy patterns
• Audio Fingerprinting and Content-Based Matching — SignSongHelper uses fuzzy matching (likely Shazam-style fingerprints) to map unavailable songs to alternative sources; understanding audio hashing improves song matching accuracy
• Bytecode Instrumentation with dexlib2 — Project uses dexlib2 (Smali bytecode library) for potential DEX manipulation; critical for understanding how hooks are injected into target APK if embedding into NetEase app
• SQLite Caching Strategy — CloudDao and ExtraDao implement local caching of API responses; understanding cache invalidation, TTL policies, and DB indexing improves module performance
• Process Isolation and Inter-Process Communication (IPC) — UnblockNeteaseMusic backend runs as separate Node.js subprocess; Dolby Beta communicates via socket/HTTP; understanding process lifecycle and cleanup prevents resource leaks
• Android Permissions and SELinux Contexts — Module requires INTERNET, WRITE_EXTERNAL_STORAGE, and elevated privileges to hook system services; understanding SELinux denials and permission models is critical for debugging on modern Android versions

• nondanee/UnblockNeteaseMusic — Original upstream project providing the audio source resolution backend (bundled as UnblockNeteaseMusic.zip); Dolby Beta is an Android wrapper around this Node.js server
• Flysky12138/UnblockNeteaseMusic-Android — Alternative Android implementation of Unblock Netease Music; shares same problem domain (audio source proxy) but different hooking approach—referenced in README credits
• bin456789/Unblock163MusicClient-Xposed — Predecessor Xposed module for NetEase Music; Dolby Beta incorporated concepts from this codebase as noted in credits
• UnblockNeteaseMusic/server — Maintained fork of UnblockNeteaseMusic backend; Dolby Beta may need to update bundled server.zip as this fork adds compatibility patches
• LSPosed/LSPosed — Modern Xposed replacement framework (post-Android 10); users seeking alternative module loaders should reference LSPosed compatibility considerations

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add unit tests for database DAOs (CloudDao, ExtraDao, SignDao)

The repo has three database helper classes (CloudDbOpenHelper, ExtraDbOpenHelper, SignDbOpenHelper) with corresponding DAOs but no visible test coverage. Given this is a critical component for persisting user data and settings, adding unit tests would prevent regressions and make the codebase more maintainable for contributors.

• [ ] Create app/src/test/java/com/raincat/dolby_beta/db/ directory structure
• [ ] Add unit tests for CloudDao.java covering CRUD operations on cloud data
• [ ] Add unit tests for ExtraDao.java covering extra settings persistence
• [ ] Add unit tests for SignDao.java covering sign/authentication data storage
• [ ] Add SQLite test database setup using androidx.test libraries in build.gradle

Refactor hook classes into categorized subpackages for maintainability

The hook/ directory contains 20+ hook classes (AdAndUpdateHook, EAPIHook, ProxyHook, etc.) all at the same level, making it difficult to navigate and understand the architecture. Organizing them into logical categories (e.g., hook/ui/, hook/network/, hook/auth/) would improve code organization and help new contributors understand the module's structure.

• [ ] Create subpackages: hook/ui/, hook/network/, hook/auth/, hook/player/
• [ ] Move UI-related hooks (HideBannerHook, HideTabHook, HideSidebarHook, NightModeHook) to hook/ui/
• [ ] Move network-related hooks (ProxyHook, CdnHook, EAPIHook, DownloadMD5Hook) to hook/network/
• [ ] Move authentication hooks (LoginFixHook, AutoSignInHook, UserProfileHook) to hook/auth/
• [ ] Move player-related hooks (PlayerActivityHook, ListentogetherHook) to hook/player/
• [ ] Update all import statements in MainHook.java and HookerDispatcher.java

Add missing GitHub Action workflow for Android build validation on PRs

The repository has a .github/workflows/android.yml file referenced in the structure, but its contents are not provided. Given the complexity of the Xposed module with multiple dependencies (dexlib2, guava, gson) and NDK configuration, adding a complete CI workflow that validates builds, runs tests, and checks ProGuard rules on every PR would catch integration issues early.

• [ ] Verify/update .github/workflows/android.yml to include: gradle build validation
• [ ] Add lint checks using Android Lint with the existing lintOptions configuration
• [ ] Add APK build artifact generation and size reporting
• [ ] Add ProGuard rule validation step referencing app/proguard-rules.pro
• [ ] Configure workflow to fail on lint errors (currently abortOnError is false in build.gradle)
• [ ] Add test execution step once unit tests are added per PR idea #1

• Add unit tests for SignSongHelper song matching algorithm: File app/src/main/java/com/raincat/dolby_beta/helper/SignSongHelper.java has no test coverage. Add JUnit tests for edge cases: empty queries, Chinese/English name variants, numbers in titles. This improves robustness against the matching errors mentioned in README.
• Document CloudDao and database schema in code comments: app/src/main/java/com/raincat/dolby_beta/db/CloudDao.java lacks inline documentation of database tables, columns, and query purposes. Add JavaDoc explaining cache hit/miss logic for contributors unfamiliar with the codebase.
• Create integration test for EAPIHelper proxy layer: app/src/main/java/com/raincat/dolby_beta/helper/EAPIHelper.java intercepts live API calls but has no mock tests. Add mock HTTP tests using MockWebServer to verify request/response transformation without requiring actual NetEase servers.

• High · Outdated Gson Dependency with Known Vulnerabilities — app/build.gradle - dependency: com.google.code.gson:gson:2.8.9. The project uses Gson 2.8.9, which has known vulnerabilities. Gson versions before 2.8.9 and 2.9.1 are vulnerable to deserialization attacks that could lead to arbitrary code execution or denial of service. Fix: Update to Gson 2.10.1 or later to patch known deserialization vulnerabilities.
• High · Custom HTTPS Trust Manager - Potential SSL/TLS Bypass — app/src/main/java/com/raincat/dolby_beta/net/HTTPSTrustManager.java. The presence of HTTPSTrustManager.java suggests custom certificate validation logic. This is a common source of security vulnerabilities where developers may inadvertently disable certificate pinning or hostname verification, allowing MITM attacks. Fix: Review HTTPSTrustManager implementation to ensure proper certificate validation. Never disable hostname verification or certificate pinning. Consider using standard Android security libraries.
• High · Xposed Module Security - Unrestricted Hook Capabilities — app/src/main/java/com/raincat/dolby_beta/hook/ - Multiple hook files including ProxyHook.java, EAPIHook.java. The application is a Xposed module that hooks into other applications (network music service). This provides deep system-level access to intercept and modify app behavior. Malicious actors could exploit this for credential theft, data interception, or code injection. Fix: Implement strict input validation and output encoding in all hook implementations. Avoid logging sensitive data (credentials, tokens). Consider code signing and integrity verification.
• High · Plaintext Proxy Configuration — app/src/main/java/com/raincat/dolby_beta/hook/ProxyHook.java. ProxyHook.java suggests HTTP proxy functionality. If proxy configurations are stored or transmitted in plaintext, this could expose user traffic paths and enable traffic manipulation. Fix: Ensure all proxy credentials and configurations are encrypted at rest. Use secure channels for transmission. Never log proxy credentials.
• Medium · Outdated Compile SDK Version — app/build.gradle - compileSdkVersion 29. The project targets compileSdkVersion 29 (Android 10, released 2019). Modern Android requires compilation against recent API levels to ensure access to latest security patches and features. Fix: Update compileSdkVersion to 34 or later (Android 14+) to access current security patches and APIs.
• Medium · Database Security Concerns — app/src/main/java/com/raincat/dolby_beta/db/ - CloudDbOpenHelper.java, ExtraDbOpenHelper.java, SignDbOpenHelper.java. Multiple database helper classes (CloudDbOpenHelper.java, ExtraDbOpenHelper.java, SignDbOpenHelper.java) are present. Without review of their implementation, there's risk of SQL injection if queries are constructed with unsanitized user input. Fix: Audit all database queries to ensure parameterized queries are used. Never concatenate user input directly into SQL statements. Use Room ORM for type-safe database access.
• Medium · Embedded Asset - Unknown Integrity — app/src/main/assets/UnblockNeteaseMusic.zip. UnblockNeteaseMusic.zip is bundled as an asset in the APK. The integrity and source of this binary asset should be verified to prevent supply chain attacks. Fix: Verify the integrity of bundled assets through hash verification. Document the source and version of UnblockNeteaseMusic.zip. Consider signing critical assets.
• Medium · Network Security Configuration Not Visible — app/src/main/AndroidManifest.xml (referenced configuration). No network_security_config.xml is visible in the provided file structure. This could mean default insecure network settings or missing certificate pinning configuration. Fix: Create and configure network_security_config.xml with proper certificate pinning, disallow cleartext traffic for sensitive domains, and define trusted CAs.
• Medium · Cryptographic Utilities — undefined. undefined Fix: undefined

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.