If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/PojavLauncherTeam/PojavLauncher shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

WAIT — Slowing — last commit 8mo ago

• Last commit 8mo ago
• 9 active contributors
• LGPL-3.0 licensed
• CI configured
• Tests present
• ⚠ Slowing — last commit 8mo ago
• ⚠ Concentrated ownership — top contributor handles 55% of recent commits
• ⚠ LGPL-3.0 is copyleft — check downstream compatibility

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live PojavLauncherTeam/PojavLauncher repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/PojavLauncherTeam/PojavLauncher.

What it runs against: a local clone of PojavLauncherTeam/PojavLauncher — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in PojavLauncherTeam/PojavLauncher | Confirms the artifact applies here, not a fork | | 2 | License is still LGPL-3.0 | Catches relicense before you depend on it | | 3 | Default branch v3_openjdk exists | Catches branch renames | | 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code | | 5 | Last commit ≤ 257 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of PojavLauncherTeam/PojavLauncher. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/PojavLauncherTeam/PojavLauncher.git
#   cd PojavLauncher
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of PojavLauncherTeam/PojavLauncher and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "PojavLauncherTeam/PojavLauncher(\\.git)?\\b" \\
  && ok "origin remote is PojavLauncherTeam/PojavLauncher" \\
  || miss "origin remote is not PojavLauncherTeam/PojavLauncher (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(LGPL-3\\.0)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"LGPL-3\\.0\"" package.json 2>/dev/null) \\
  && ok "license is LGPL-3.0" \\
  || miss "license drift — was LGPL-3.0 at generation time"

# 3. Default branch
git rev-parse --verify v3_openjdk >/dev/null 2>&1 \\
  && ok "default branch v3_openjdk exists" \\
  || miss "default branch v3_openjdk no longer exists"

# 4. Critical files exist
test -f "app_pojavlauncher/src/main/java/net/kdt/pojavlaunch/MainActivity.java" \\
  && ok "app_pojavlauncher/src/main/java/net/kdt/pojavlaunch/MainActivity.java" \\
  || miss "missing critical file: app_pojavlauncher/src/main/java/net/kdt/pojavlaunch/MainActivity.java"
test -f "app_pojavlauncher/src/main/java/net/kdt/pojavlaunch/JavaGUILauncherActivity.java" \\
  && ok "app_pojavlauncher/src/main/java/net/kdt/pojavlaunch/JavaGUILauncherActivity.java" \\
  || miss "missing critical file: app_pojavlauncher/src/main/java/net/kdt/pojavlaunch/JavaGUILauncherActivity.java"
test -f "app_pojavlauncher/src/main/java/com/oracle/dalvik/VMLauncher.java" \\
  && ok "app_pojavlauncher/src/main/java/com/oracle/dalvik/VMLauncher.java" \\
  || miss "missing critical file: app_pojavlauncher/src/main/java/com/oracle/dalvik/VMLauncher.java"
test -f "app_pojavlauncher/src/main/java/net/kdt/pojavlaunch/AWTCanvasView.java" \\
  && ok "app_pojavlauncher/src/main/java/net/kdt/pojavlaunch/AWTCanvasView.java" \\
  || miss "missing critical file: app_pojavlauncher/src/main/java/net/kdt/pojavlaunch/AWTCanvasView.java"
test -f "app_pojavlauncher/build.gradle" \\
  && ok "app_pojavlauncher/build.gradle" \\
  || miss "missing critical file: app_pojavlauncher/build.gradle"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 257 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~227d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/PojavLauncherTeam/PojavLauncher"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

PojavLauncher is an Android/iOS launcher that runs Minecraft: Java Edition natively on mobile devices by implementing a custom Java runtime and graphics pipeline based on Boardwalk. It supports launching vanilla Minecraft from ancient versions (rd-132211) through 1.21 snapshots, plus Forge and Fabric modded instances, by bundling OpenJDK, Caciocavallo (headless AWT implementation), LWJGL3 bindings, and a custom DNS injector for multiplayer connectivity. Single-module Gradle Android app (app_pojavlauncher/) with Java sources in src/main/java/, bundled native libraries, and asset-based component system. Components (OpenJDK, Caciocavallo, LWJGL3, Forge installer, DNS injector, security patches) are versioned JAR files stored in src/main/assets/components/*/ with version files; launcher discovers and loads them at runtime. C native code (1MB+) handles low-level JVM/graphics integration.

Mobile gamers who want to play Minecraft: Java Edition on Android/iOS without emulation, and modders who want to run Forge/Fabric mods on tablets and phones. Also relevant for developers interested in cross-platform Java runtime adaptation or mobile JVM projects.

The project is discontinued and no longer maintained (as stated in README); it was actively developed but has been superseded by Amethyst-Android. The codebase is feature-complete for its era (supports 1.21 snapshots, has CI/CD via GitHub Actions, multilingual support via Crowdin), but receives no active updates. Code is production-quality from its final stable release but should not be used for new projects.

High risk due to abandonment: no active maintenance, Android Gradle Plugin version 8.7.2 is relatively recent but the project won't receive security patches. Dependencies bundled in app_pojavlauncher/libs/ (GSON, exp4j, Apache Commons) are frozen in time. The project depends on custom native bindings (C code visible in language stats) for Java runtime and graphics—any Android API changes or security issues won't be addressed. Use only for historical/educational purposes or as a reference for a new fork.

Nothing—the project is archived. Last activity was before the public discontinuation announcement. The README explicitly directs users to the successor, Amethyst-Android. No active PRs, issues, or development.

git clone https://github.com/PojavLauncherTeam/PojavLauncher.git
cd PojavLauncher
./gradlew build  # or ./gradlew.bat build on Windows (Gradle Wrapper included)

Requirements: Android SDK (API 26+), NDK for native compilation. See .github/workflows/android.yml for CI build config.

Daily commands: Build and install the APK: ./gradlew build produces app_pojavlauncher/build/outputs/apk/. Install via adb install app_pojavlauncher/build/outputs/apk/release/app_pojavlauncher-release.apk (requires signing key). Launch the app on Android device/emulator. No local dev server; this is a full Android app.

• app_pojavlauncher/src/main/java/net/kdt/pojavlaunch/MainActivity.java — Primary entry point for the launcher UI; all contributors must understand how the app initializes and transitions between screens
• app_pojavlauncher/src/main/java/net/kdt/pojavlaunch/JavaGUILauncherActivity.java — Manages the Minecraft game launch flow and AWT canvas rendering; core to understanding game execution
• app_pojavlauncher/src/main/java/com/oracle/dalvik/VMLauncher.java — JVM launcher bridge for Android; essential for understanding how Java is invoked on the Dalvik/ART runtime
• app_pojavlauncher/src/main/java/net/kdt/pojavlaunch/AWTCanvasView.java — Bridges AWT rendering to Android Canvas; critical for graphics pipeline and input handling
• app_pojavlauncher/build.gradle — Build configuration with Android SDK versions, dependencies, and version naming logic; required for builds
• app_pojavlauncher/src/main/AndroidManifest.xml — Android manifest declares all activities, permissions, and app metadata; foundational to app structure
• app_pojavlauncher/src/main/java/net/kdt/pojavlaunch/LauncherActivity.java — Launcher UI with version/account selection and game configuration; core UX flow

Add a New Launcher Activity/Screen

1. Create new Activity class extending BaseActivity in net/kdt/pojavlaunch/ (app_pojavlauncher/src/main/java/net/kdt/pojavlaunch/NewScreenActivity.java)
2. Register activity in AndroidManifest.xml with intent-filters (app_pojavlauncher/src/main/AndroidManifest.xml)
3. Add navigation intent from MainActivity or existing launcher activity (app_pojavlauncher/src/main/java/net/kdt/pojavlaunch/MainActivity.java)
4. Create custom UI using Minecraft-themed components (MineButton, MineEditText, etc.) (app_pojavlauncher/src/main/java/com/kdt/mcgui/)

Add Custom Input/Control Mapping

1. Extend or add to EfficientAndroidLWJGLKeycode or LwjglGlfwKeycode for new keycodes (app_pojavlauncher/src/main/java/net/kdt/pojavlaunch/EfficientAndroidLWJGLKeycode.java)
2. Update AWTInputBridge to translate Android MotionEvent to AWT input events (app_pojavlauncher/src/main/java/net/kdt/pojavlaunch/AWTInputBridge.java)
3. Test input translation in JavaGUILauncherActivity canvas rendering (app_pojavlauncher/src/main/java/net/kdt/pojavlaunch/JavaGUILauncherActivity.java)

Add Support for New Minecraft Version or Component

1. Update version list fetching logic to parse new version manifest (app_pojavlauncher/src/main/java/net/kdt/pojavlaunch/JMinecraftVersionList.java)
2. Add new component version and JAR files to assets/components/ (app_pojavlauncher/src/main/assets/components/)
3. Update default.json with new version/component configuration (app_pojavlauncher/src/main/assets/default.json)
4. Test version selection in LauncherActivity UI (app_pojavlauncher/src/main/java/net/kdt/pojavlaunch/LauncherActivity.java)

Add New Security or Sandbox Policy

1. Add or update Java security policy file in assets/components/security/ (app_pojavlauncher/src/main/assets/components/security/java_sandbox.policy)
2. Update VMLauncher to apply new security policy on JVM startup (app_pojavlauncher/src/main/java/com/oracle/dalvik/VMLauncher.java)
3. Test policy enforcement in JavaGUILauncherActivity runtime context (app_pojavlauncher/src/main/java/net/kdt/pojavlaunch/JavaGUILauncherActivity.java)

No longer maintained: Build may fail on modern Android SDK/NDK versions due to deprecated APIs. Keystore: debug.keystore is committed (security anti-pattern but convenience for local builds). Build secrets: build.gradle reads GITHUB_ACTIONS and GITHUB_RUN_NUMBER env vars for CI; version numbering differs locally vs. in CI. Native linking: JNI compilation via Makefile (not Gradle)—requires separate NDK build before APK assembly; not obvious from Gradle config alone. Component discovery: Launcher expects specific directory structure (components/<name>/version files) with exact versioning—missing or malformed version files cause silent failures at runtime.

• AWT/Swing on Headless Systems (Caciocavallo) — PojavLauncher runs Minecraft's Swing/AWT GUI on Android (which has no native X11/Wayland), requiring a custom AWT backend that renders to Android GL—Caciocavallo is the key adapter
• JNI (Java Native Interface) — PojavLauncher bridges Java runtime to Android native code (C/C++) for JVM control, memory management, and graphics context binding via JNI—critical for launcher-to-game communication
• APK Asset Embedding and Runtime Component Loading — Rather than downloading components, PojavLauncher ships versioned JAR files (OpenJDK, Caciocavallo, LWJGL3) in APK assets and discovers them by version files at runtime—reduces network overhead and offline functionality
• ProGuard Code Obfuscation and Exemption Rules — PojavLauncher uses ProGuard to reduce APK size and obfuscate launcher code, but must exempt Minecraft and JNI bindings from mangling—critical for native method resolution and game compatibility
• LWJGL (Lightweight Java Game Library) Bindings — Minecraft uses LWJGL for OpenGL/GLFW; PojavLauncher includes LWJGL3 Java bindings that wrap Android's OpenGL context, enabling Minecraft to render on mobile without rewriting rendering code
• Log4j RCE Mitigation and Runtime Security Policies — PojavLauncher bundles Log4j patches (CVE-2021-44228, etc.) and Java security policies (pro-grade.jar) to prevent code injection in older Minecraft versions—essential for safe mod loading
• Gradle Version Detection via Git Tags and CI Environment — PojavLauncher's build.gradle dynamically computes version strings from git describe or GitHub Actions run numbers—important for maintaining version consistency across local, CI, and release builds without manual hardcoding

• zhuowei/Boardwalk — Direct predecessor—PojavLauncher is a fork/continuation of Boardwalk, the original Java Minecraft launcher for Android
• AngelAuraMC/Amethyst-Android — Official successor to PojavLauncher; this repo directs users here for active maintenance and continued development
• PojavLauncherTeam/PojavLauncher_iOS — Companion iOS/iPadOS port of PojavLauncher; shares architecture and component design with Android version
• TieredStorage/Caciocavallo — Caciocavallo is the Swing/AWT backend bundled in PojavLauncher; understand it for graphics/UI behavior
• LWJGL/lwjgl3 — LWJGL3 Java bindings for OpenGL are bundled as glfw-classes.jar; core graphics rendering dependency

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add unit tests for CustomSeekbar and UI component classes

The repo contains custom UI components (CustomSeekbar.java, MineEditText.java, MineButton.java, ProgressLayout.java, TextProgressBar.java) in app_pojavlauncher/src/main/java/com/kdt/mcgui/ with no corresponding test files. These are critical for the launcher's UI responsiveness on Android devices. Adding instrumented tests would catch regressions in touch input handling and layout rendering.

• [ ] Create app_pojavlauncher/src/androidTest/java/com/kdt/mcgui/ directory structure
• [ ] Add CustomSeekbarTest.java with tests for value ranges, callbacks, and touch events
• [ ] Add MineButtonTest.java with tests for Minecraft-style button styling and click handlers
• [ ] Add ProgressLayoutTest.java with tests for layout measurement and progress updates
• [ ] Wire tests into build.gradle with androidTestImplementation dependencies

Refactor version name generation logic from build.gradle into a buildSrc plugin

The getVersionName() closure in build.gradle (lines ~20-60) is complex, contains git command execution, and has multiple fallback paths for CI/local builds. This logic is error-prone and difficult to test. Moving it to buildSrc/src/main/java/VersionPlugin.java would make it testable, reusable, and maintainable across build variants.

• [ ] Create buildSrc/build.gradle with groovy and gradle-plugin dependencies
• [ ] Create buildSrc/src/main/java/com/pojav/VersionPlugin.java to encapsulate git version logic
• [ ] Add unit tests in buildSrc/src/test/java/ for version name generation with mocked git commands
• [ ] Replace getVersionName() closure in app_pojavlauncher/build.gradle with plugin application
• [ ] Document version scheme (tag-date-branch format) in buildSrc/README.md

Add integration tests for component asset loading in ComponentManager

The repo bundles critical Java components (caciocavallo, lwjgl3, security modules) in app_pojavlauncher/src/main/assets/components/ with version files, but there's no test coverage for asset loading or version validation. Add tests to verify: JAR files are readable, version files parse correctly, and component initialization doesn't fail at runtime.

• [ ] Create app_pojavlauncher/src/androidTest/java/net/kdt/pojavlauncher/components/ directory
• [ ] Add ComponentLoaderTest.java that tests reading component JARs from assets
• [ ] Add VersionFileParserTest.java for parsing version files in components/ subdirectories
• [ ] Add ComponentIntegrationTest.java that verifies caciocavallo, lwjgl3, and security modules load without errors
• [ ] Reference this in .github/workflows/android.yml to run on every PR

• Document the native C build process: The Makefile and NDK invocation are not explained in README or inline; create a NATIVE_BUILD.md explaining how to compile libpojavexec.so and link it into the APK.
• Add unit tests for component loading: No test coverage visible in the file list for app_pojavlauncher/src/test/ or src/androidTest/—write tests for the component version-parsing and discovery logic (especially edge cases like missing version files or malformed JSON in default.json).
• Create a contributor's architecture guide: Add a ARCHITECTURE.md in root explaining the AWT/Swing graphics pipeline (Caciocavallo), JVM runtime lifecycle, and how LWJGL3 bindings integrate with Android GL context—critical for anyone forking this or understanding the Amethyst successor.

The PojavLauncher codebase presents moderate security concerns primarily related to dependency management, exposed debug credentials, and build system practices. Key issues include outdated library versions (gson-2.8.6, snapshot versions), a committed debug.keystore file, incomplete API key handling in the build script, and potential command injection risks in git operations. While the project implements some security measures (security policy files, log4j patches), the overall security posture requires immediate attention to dependency updates, secret management hardening, and build script safety improvements. The architectural use of native Java for Minecraft on mobile is inherently complex and requires careful security review of the JVM launcher components.

• High · Incomplete or Truncated Sensitive Code — app_pojavlauncher/build.gradle (end of file). The build.gradle file contains an incomplete function definition 'def getCFApiKey' that appears to be reading environment variables for API keys. The function is cut off mid-declaration, suggesting potential handling of sensitive credentials. This could indicate hardcoded or improperly managed secrets. Fix: Complete the implementation and ensure all sensitive API keys and credentials are stored securely using environment variables or secure credential management systems. Never hardcode secrets in source code. Implement proper secret rotation policies.
• Medium · Debug Keystore Included in Repository — app_pojavlauncher/debug.keystore. A debug.keystore file is committed to the repository at app_pojavlauncher/debug.keystore. While debug keystores are intended for development, including them in version control exposes key material and should be excluded. Fix: Add debug.keystore to .gitignore immediately. Use local development keystores not tracked in version control. Document keystore generation procedures for developers without committing the actual keystore files.
• Medium · Outdated Dependencies — app_pojavlauncher/libs/ - Multiple JAR files. The codebase includes outdated library versions: gson-2.8.6.jar (released 2019), exp4j-0.4.9-SNAPSHOT.jar (snapshot version), and other legacy components. These versions likely contain known security vulnerabilities. Fix: Update all dependencies to their latest stable versions. Implement a dependency management strategy using Gradle dependency management. Regularly scan dependencies using tools like OWASP Dependency-Check or Gradle's vulnerability detection.
• Medium · Potential Command Injection in Build Script — app_pojavlauncher/build.gradle (getVersionName function). The build.gradle file executes git commands using exec() without proper input sanitization. Variables like branch names or tag names from git output are directly concatenated into version strings without validation. Fix: Sanitize and validate all external command outputs before using them. Avoid directly concatenating untrusted data. Implement proper escaping and validation for git command outputs.
• Low · Unsafe Exception Handling — app_pojavlauncher/build.gradle (multiple locations). Multiple try-catch blocks throughout the build script catch all exceptions with empty or minimal handling (e.g., 'e.printStackTrace()'), potentially masking critical build-time issues. Fix: Implement proper exception handling with specific exception types. Log exceptions appropriately and fail the build explicitly when critical operations fail. Avoid catching generic Exception classes.
• Low · Missing Security Headers in Android Configuration — app_pojavlauncher/src/main/AndroidManifest.xml. The AndroidManifest.xml file is not visible in the provided structure for review. Standard security attributes like android:usesCleartextTraffic should be explicitly configured. Fix: Ensure AndroidManifest.xml explicitly disables cleartext traffic (android:usesCleartextTraffic='false'), properly declares required permissions with justification, and implements security-related configurations.
• Low · Untrusted External Components — app_pojavlauncher/src/main/assets/components/. The codebase includes pre-built JAR components in assets (ExagearApacheCommons.jar, pro-grade.jar, etc.) without visible source code or integrity verification mechanisms. Fix: Document the source and version of all external components. Implement checksum or signature verification for binary dependencies. Maintain audit trails for component updates and security patches.

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.