
shwenzhang/AndResGuard

proguard resource for Android by wechat team

Healthy

Healthy across all four use cases

Use as dependency: Healthy (weakest axis)

Permissive license, no critical CVEs, actively maintained — safe to depend on.

Fork & modify: Healthy

Has a license, tests, and CI — clean foundation to fork and modify.

Learn from: Healthy

Documented and popular — useful reference codebase to read through.

Deploy as-is: Healthy

No critical CVEs, sane security posture — runnable as-is.

  • 16 active contributors
  • Apache-2.0 licensed
  • CI configured
  • Tests present
  • Stale — last commit 3y ago
  • Single-maintainer risk — top contributor 80% of recent commits

Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests

Informational only. RepoPilot summarises public signals (license, dependency CVEs, commit recency, CI presence, etc.) at the time of analysis. Signals can be incomplete or stale. Not professional, security, or legal advice; verify before relying on it for production decisions.

Embed the "Healthy" badge

Paste into your README — live-updates from the latest cached analysis.

[![RepoPilot: Healthy](https://repopilot.app/api/badge/shwenzhang/andresguard)](https://repopilot.app/r/shwenzhang/andresguard)

Paste at the top of your README.md — renders inline like a shields.io badge.


Onboarding doc

Onboarding: shwenzhang/AndResGuard

Generated by RepoPilot · 2026-05-09 · Source

🤖Agent protocol

If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

  1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
  2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
  3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/shwenzhang/AndResGuard shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

🎯Verdict

GO — Healthy across all four use cases

  • 16 active contributors
  • Apache-2.0 licensed
  • CI configured
  • Tests present
  • ⚠ Stale — last commit 3y ago
  • ⚠ Single-maintainer risk — top contributor 80% of recent commits

<sub>Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests</sub>

Verify before trusting

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live shwenzhang/AndResGuard repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/shwenzhang/AndResGuard.

What it runs against: a local clone of shwenzhang/AndResGuard — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters |
|---|---|---|
| 1 | You're in shwenzhang/AndResGuard | Confirms the artifact applies here, not a fork |
| 2 | License is still Apache-2.0 | Catches relicense before you depend on it |
| 3 | Default branch master exists | Catches branch renames |
| 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code |
| 5 | Last commit ≤ 961 days ago | Catches sudden abandonment since generation |

<details> <summary><b>Run all checks</b> — paste this script from inside your clone of <code>shwenzhang/AndResGuard</code></summary>
```bash
#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of shwenzhang/AndResGuard. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/shwenzhang/AndResGuard.git
#   cd AndResGuard
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of shwenzhang/AndResGuard and re-run."
  exit 2
fi

# 1. Repo identity (case-insensitive: GitHub serves the same repo for
#    shwenzhang/andresguard and shwenzhang/AndResGuard)
git remote get-url origin 2>/dev/null | grep -qiE "shwenzhang/AndResGuard(\.git)?\b" \
  && ok "origin remote is shwenzhang/AndResGuard" \
  || miss "origin remote is not shwenzhang/AndResGuard (artifact may be from a fork)"

# 2. License matches what RepoPilot saw. Accept an SPDX identifier, the
#    Apache 2.0 licence text itself, or a package.json license field.
( grep -qiE "Apache-2\.0" LICENSE 2>/dev/null \
  || { grep -qi "Apache License" LICENSE 2>/dev/null && grep -qE "Version 2\.0" LICENSE 2>/dev/null; } \
  || grep -qiE "\"license\"\s*:\s*\"Apache-2\.0\"" package.json 2>/dev/null ) \
  && ok "license is Apache-2.0" \
  || miss "license drift — was Apache-2.0 at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \
  && ok "default branch master exists" \
  || miss "default branch master no longer exists"

# 4. Critical files exist
test -f "AndResGuard-core/src/main/java/com/tencent/mm/androlib/ApkDecoder.java" \
  && ok "AndResGuard-core/src/main/java/com/tencent/mm/androlib/ApkDecoder.java" \
  || miss "missing critical file: AndResGuard-core/src/main/java/com/tencent/mm/androlib/ApkDecoder.java"
test -f "AndResGuard-core/src/main/java/com/tencent/mm/androlib/res/decoder/ARSCDecoder.java" \
  && ok "AndResGuard-core/src/main/java/com/tencent/mm/androlib/res/decoder/ARSCDecoder.java" \
  || miss "missing critical file: AndResGuard-core/src/main/java/com/tencent/mm/androlib/res/decoder/ARSCDecoder.java"
test -f "AndResGuard-core/src/main/java/com/tencent/mm/androlib/ResourceRepackage.java" \
  && ok "AndResGuard-core/src/main/java/com/tencent/mm/androlib/ResourceRepackage.java" \
  || miss "missing critical file: AndResGuard-core/src/main/java/com/tencent/mm/androlib/ResourceRepackage.java"
test -f "AndResGuard-core/src/main/java/com/tencent/mm/androlib/ResourceApkBuilder.java" \
  && ok "AndResGuard-core/src/main/java/com/tencent/mm/androlib/ResourceApkBuilder.java" \
  || miss "missing critical file: AndResGuard-core/src/main/java/com/tencent/mm/androlib/ResourceApkBuilder.java"
test -f "AndResGuard-core/src/main/java/com/tencent/mm/resourceproguard/Configuration.java" \
  && ok "AndResGuard-core/src/main/java/com/tencent/mm/resourceproguard/Configuration.java" \
  || miss "missing critical file: AndResGuard-core/src/main/java/com/tencent/mm/resourceproguard/Configuration.java"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 961 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~931d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/shwenzhang/AndResGuard"
  exit 1
fi
```

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

</details>

TL;DR

AndResGuard is a command-line tool that obfuscates and shrinks Android APK resource files (drawable, layout, string, etc.) by renaming them to short identifiers (e.g., res/drawable/wechat → r/d/a, wechat.png → a.png) and optionally repackages with 7zip compression. It works without source code—just feed it an APK and get a smaller, obfuscated one in seconds. Two-module Gradle project: AndResGuard-core contains the engine (APK decoding in ApkDecoder.java, ARSC parsing in ARSCDecoder.java, resource repackaging in ResourceRepackage.java, APK signing in apksigner/); AndResGuard-cli wraps it as a command-line tool (entry point CliMain.java). Utility packages handle zip I/O (directory/ for file/zip abstraction) and little-endian binary parsing (mindprod/ledatastream/).

👥Who it's for

Android app developers (the tool was created by Tencent's WeChat team) who need to reduce APK size for distribution, prevent reverse-engineering via Apktool, and optimize the resources.arsc file; also DevOps/build engineers integrating it into release pipelines via the Gradle plugin.

🌱Maturity & risk

Production-ready and actively maintained by Tencent's WeChat team. Has Gradle plugin on Bintray, Travis CI integration, and Android Arsenal badge. The codebase is ~300KB Java with real APK signing (ApkSignerTool) and ARSC (Android Resource Serialization Container) parsing logic, indicating battle-tested implementation. Last activity not visible in snippet, but infrastructure setup suggests mature tooling.

Low risk: single focused purpose (resource obfuscation), no npm/Maven dependency list visible so likely minimal external deps. Main risk is format coupling—it parses binary ARSC and APK structures (DEX-level code like LEDataInputStream suggests low-level I/O), so Android resource format changes could break it. Verify compatibility with your target Android API levels and APK format versions before production use.

Active areas of work

Not visible from file structure alone, but the presence of Gradle plugin configuration (build.gradle with Bintray publishing) and Travis CI (.travis.yml) indicates active CI/CD. The gradle.properties and version management in AndResGuard-core suggest ongoing releases.

🚀Get running

```bash
git clone https://github.com/shwenzhang/AndResGuard.git
cd AndResGuard
# Build both core and CLI
./gradlew build
# Or build just the CLI jar:
cd AndResGuard-cli
./gradlew buildJar
# Output goes to tool_output/
```

Daily commands:

```bash
# CLI usage (after buildJar):
java -jar tool_output/AndResGuard-cli-<version>.jar [options] input.apk
```

With the Gradle plugin (in your app's build.gradle; the buildscript block goes first):

```groovy
buildscript {
  dependencies {
    classpath 'com.tencent.mm:AndResGuard-gradle-plugin:1.2.21'
  }
}
apply plugin: 'AndResGuard'
andResGuard {
  use7zip = true
  useSign = true
}
```

```bash
./gradlew resguardRelease
```

🗺️Map of the codebase

  • AndResGuard-core/src/main/java/com/tencent/mm/androlib/ApkDecoder.java — Entry point for APK parsing and resource extraction; orchestrates the entire decoding pipeline that reads compiled Android resources
  • AndResGuard-core/src/main/java/com/tencent/mm/androlib/res/decoder/ARSCDecoder.java — Parses ARSC binary resource table format; critical for understanding and modifying resource metadata during obfuscation
  • AndResGuard-core/src/main/java/com/tencent/mm/androlib/ResourceRepackage.java — Core obfuscation logic that renames resources and rebuilds the APK structure with 7zip compression
  • AndResGuard-core/src/main/java/com/tencent/mm/androlib/ResourceApkBuilder.java — Reconstructs the APK from processed resources; handles signing and final package assembly
  • AndResGuard-core/src/main/java/com/tencent/mm/resourceproguard/Configuration.java — Configuration model that defines obfuscation rules, keep patterns, and processing options for the entire tool
  • AndResGuard-core/src/main/java/com/tencent/mm/androlib/res/decoder/StringBlock.java — Handles string pool parsing and encoding; essential for resource name mapping and reference updates
  • AndResGuard-cli/src/main/java/com/tencent/mm/resourceproguard/cli/CliMain.java — CLI entry point that coordinates command-line argument parsing and invokes the core resource obfuscation pipeline

🛠️How to make changes

Add a new resource name mapping strategy

  1. Create new obfuscation strategy by modifying the naming algorithm in ResourceRepackage.java where resource names are generated (around the obfuscation loop) (AndResGuard-core/src/main/java/com/tencent/mm/androlib/ResourceRepackage.java)
  2. Add configuration options to control strategy behavior in Configuration.java (AndResGuard-core/src/main/java/com/tencent/mm/resourceproguard/Configuration.java)
  3. Update the resource mapping output logic in ResourceRepackage to export the new mapping format if needed (AndResGuard-core/src/main/java/com/tencent/mm/androlib/ResourceRepackage.java)

Support a new resource type in obfuscation

  1. Extend ResType.java to recognize and model the new resource type category (AndResGuard-core/src/main/java/com/tencent/mm/androlib/res/data/ResType.java)
  2. Update ARSCDecoder.java to parse the new resource type from the ARSC binary format (AndResGuard-core/src/main/java/com/tencent/mm/androlib/res/decoder/ARSCDecoder.java)
  3. Add keep/obfuscation rules in Configuration.java for the new type (AndResGuard-core/src/main/java/com/tencent/mm/resourceproguard/Configuration.java)
  4. Update ResourceRepackage.java to handle obfuscation of the new resource type during repackaging (AndResGuard-core/src/main/java/com/tencent/mm/androlib/ResourceRepackage.java)

Implement a new compression format alternative to 7zip

  1. Create a new compressor class similar to the existing compression logic in ResourceApkBuilder.java (AndResGuard-core/src/main/java/com/tencent/mm/androlib/ResourceApkBuilder.java)
  2. Add compression format option to Configuration.java (AndResGuard-core/src/main/java/com/tencent/mm/resourceproguard/Configuration.java)
  3. Update ResourceApkBuilder.java to delegate to the appropriate compressor based on configuration (AndResGuard-core/src/main/java/com/tencent/mm/androlib/ResourceApkBuilder.java)

Add a new CLI command or option

  1. Define the new command-line argument parsing in CliMain.java (AndResGuard-cli/src/main/java/com/tencent/mm/resourceproguard/cli/CliMain.java)
  2. Add corresponding field and logic to InputParam.java or Configuration.java (AndResGuard-core/src/main/java/com/tencent/mm/resourceproguard/InputParam.java)
  3. Integrate the new option into the main processing workflow in ApkDecoder.java or ResourceRepackage.java as needed (AndResGuard-core/src/main/java/com/tencent/mm/androlib/ApkDecoder.java)

🔧Why these technologies

  • Java (source language) — Platform independence; runs on any JVM; matches Android build toolchain ecosystem
  • Binary ARSC parsing — Android resources are compiled to binary ARSC format; must parse/rewrite in-place without decompilation
  • 7zip compression — Better compression

🪤Traps & gotchas

  • APK signing: The tool includes its own ApkSignerTool.java (repackages the APK with a new signature) but requires a signing key/keystore—ensure you have one before running obfuscation in production.
  • 7zip dependency: If use7zip=true in config, the system must have the 7zip binary (7z command) installed on PATH; Linux/Mac recommended for best compression.
  • Resource name collisions: The obfuscation engine assumes resource IDs are unique; duplicate resources across packages may cause mapping conflicts—enable mergeDuplicatedRes cautiously.
  • String block encoding: StringBlock.java handles UTF-16/UTF-8 encoding in ARSC; if you modify resource strings, keep the encoding consistent or ARSC parsing breaks.

🏗️Architecture

💡Concepts to learn

  • ARSC (Android Resource Serialization Container) — The binary format that stores all Android app resources (strings, drawables, layouts); understanding ARSC structure is essential to modifying/obfuscating resources without breaking the app
  • Little-endian encoding — Android APK/ARSC files use little-endian byte order; the codebase extensively uses LEDataInputStream to parse binary correctly—byte-order mistakes corrupt resource parsing
  • Resource ID mapping and namespace collision — AndResGuard renames resources globally across the APK; understanding how resource IDs (0x7F020001 format) are tracked and remapped prevents inadvertent collisions and broken references
  • APK signing and certificate pinning — After obfuscation, the APK must be re-signed with a valid keystore; mishandled signatures break APK installation and can trigger security warnings
  • ZIP compression and 7zip LZMA — AndResGuard optionally repackages APKs (which are ZIPs) with 7zip's LZMA compression for ~10-30% additional size savings; different file types compress differently—the tool lets you configure per-pattern strategies
  • DEX (Dalvik Executable) format and bytecode references — Android apps contain DEX bytecode that references resource IDs by numeric constant; if resource IDs change during obfuscation, DEX references must stay in sync—AndResGuard handles this transparently
  • Whitelist-based obfuscation filtering — The whiteList config allows preserving certain resources (e.g., Crashlytics, Firebase strings); understanding glob/regex patterns ensures critical resources survive obfuscation
  • iBotPeaches/Apktool — Reverse-engineering tool; AndResGuard obfuscates resources to resist Apktool decoding, so Apktool is what AndResGuard protects against
  • google/bundletool — Google's official APK optimization and bundling tool; complementary approach to size reduction via dynamic delivery (vs static resource obfuscation)
  • linkedin/qark — Android security analyzer; AndResGuard users often pair resource obfuscation with security scanning to harden APKs
  • wemobiledev/AndResGuard-gradle-plugin — Official Gradle integration for AndResGuard; users depend on this plugin to integrate resource obfuscation into CI/CD build pipelines
  • shwenzhang/MatryoshkaApp — Example Android app from same author demonstrating APK optimization techniques including resource obfuscation
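The ARSC and little-endian entries above, shown in working form. This is an added example and not AndResGuard's own code: it reads the 12-byte ResTable_header at the start of resources.arsc with java.nio.ByteBuffer rather than the project's LEDataInputStream, the class and constant names are my own, and the input bytes are constructed rather than taken from a real APK. It also shows what the concept entry warns about: the same bytes read in the wrong byte order decode as a different chunk type and are rejected.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;

/**
 * Reads the fixed 12-byte ResTable_header at the start of resources.arsc:
 * a ResChunk_header (uint16 type, uint16 headerSize, uint32 size) followed by
 * uint32 packageCount. All fields are little-endian, as in the Android framework.
 */
public final class ArscTableHeader {

    /** Chunk type of the top-level resource table (RES_TABLE_TYPE in ResourceTypes.h). */
    public static final int RES_TABLE_TYPE = 0x0002;
    /** Size of ResTable_header: 8-byte chunk header plus 4-byte packageCount. */
    public static final int TABLE_HEADER_SIZE = 12;

    public final int type;
    public final int headerSize;
    public final long size;
    public final long packageCount;

    private ArscTableHeader(int type, int headerSize, long size, long packageCount) {
        this.type = type;
        this.headerSize = headerSize;
        this.size = size;
        this.packageCount = packageCount;
    }

    /** Parse the table header from the start of an ARSC file using the given byte order. */
    public static ArscTableHeader parse(byte[] arsc, ByteOrder order) {
        if (arsc.length < TABLE_HEADER_SIZE) {
            throw new IllegalArgumentException("file shorter than ResTable_header");
        }
        ByteBuffer buf = ByteBuffer.wrap(arsc).order(order);
        // Mask to widen the unsigned C fields into Java's signed int/long.
        int type = buf.getShort() & 0xFFFF;
        int headerSize = buf.getShort() & 0xFFFF;
        long size = buf.getInt() & 0xFFFFFFFFL;
        long packageCount = buf.getInt() & 0xFFFFFFFFL;

        // Structural checks: a wrong byte order or a corrupt file fails here instead of
        // yielding nonsense offsets further into the table.
        if (type != RES_TABLE_TYPE) {
            throw new IllegalArgumentException(String.format("unexpected chunk type 0x%04X", type));
        }
        if (headerSize != TABLE_HEADER_SIZE) {
            throw new IllegalArgumentException("unexpected headerSize " + headerSize);
        }
        if (size < headerSize || size > arsc.length) {
            throw new IllegalArgumentException(
                    "chunk size " + size + " inconsistent with file length " + arsc.length);
        }
        return new ArscTableHeader(type, headerSize, size, packageCount);
    }

    public static void main(String[] args) {
        // Constructed sample (not a real resources.arsc): a 16-byte file whose table header
        // claims size 16 and one package; the trailing 4 bytes stand in for the package chunk.
        byte[] sample = {
            0x02, 0x00,              // type = RES_TABLE_TYPE (0x0002)
            0x0C, 0x00,              // headerSize = 12
            0x10, 0x00, 0x00, 0x00,  // size = 16 (whole file)
            0x01, 0x00, 0x00, 0x00,  // packageCount = 1
            0x00, 0x00, 0x00, 0x00   // placeholder for the first package chunk
        };

        ArscTableHeader h = ArscTableHeader.parse(sample, ByteOrder.LITTLE_ENDIAN);
        System.out.printf("type=0x%04X headerSize=%d size=%d packages=%d%n",
                h.type, h.headerSize, h.size, h.packageCount);

        // The same bytes read big-endian decode as type 0x0200 and are rejected.
        try {
            ArscTableHeader.parse(sample, ByteOrder.BIG_ENDIAN);
        } catch (IllegalArgumentException e) {
            System.out.println("big-endian read rejected: " + e.getMessage());
        }
    }
}
```

The masking matters as much as the byte order: a `size` field above 0x7FFFFFFF read as a plain `int` goes negative, and a bounds check written against that value passes when it should fail.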

🪄PR ideas

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add unit tests for ARSCDecoder and RawARSCDecoder

The AndResGuard-core module contains critical ARSC (Android Resource Table) parsing logic in ARSCDecoder.java and RawARSCDecoder.java, but there are no visible test files for these core decoders. These are essential for resource parsing correctness. Adding comprehensive unit tests would catch regressions when the decoder logic is modified and improve confidence in resource table handling across different Android versions.

  • [ ] Create AndResGuard-core/src/test/java/com/tencent/mm/androlib/res/decoder/ directory structure
  • [ ] Write unit tests for ARSCDecoder covering: basic ARSC parsing, multiple resource packages, string pools, and type chunks
  • [ ] Write unit tests for RawARSCDecoder covering: raw table reading, entry parsing, and configuration handling
  • [ ] Add test fixtures (sample ARSC binary files) in AndResGuard-core/src/test/resources/
  • [ ] Update build.gradle to include test dependencies (JUnit, mockito)

Add integration tests for ApkDecoder and ResourceRepackage workflow

The core workflow of AndResGuard (ApkDecoder.java → resource processing → ResourceApkBuilder.java → ResourceRepackage.java) lacks visible integration tests. This end-to-end flow is critical for correctness. Integration tests would validate that APKs are properly decoded, resources are correctly renamed/obfuscated, and the repackaged APK remains valid.

  • [ ] Create AndResGuard-core/src/test/java/com/tencent/mm/androlib/ directory for integration tests
  • [ ] Add test APK fixtures in AndResGuard-core/src/test/resources/test-apks/ (small sample APKs)
  • [ ] Write integration test class covering: APK decoding, resource ID mapping, resource repackaging, and output validation
  • [ ] Validate repackaged APK integrity (zip structure, manifest validity, resource table consistency)
  • [ ] Document test setup in CONTRIBUTING or TEST_GUIDE file

Add GitHub Actions CI workflow to replace Travis CI

The repo uses .travis.yml for CI, but Travis CI has deprecated free builds for public repositories. GitHub Actions is now the standard for GitHub-hosted projects and provides better integration. Migrating CI would ensure the build status badge and automated testing continue working, and enable testing against multiple Java versions and Android SDK versions.

  • [ ] Create .github/workflows/build.yml with Java build matrix (Java 8, 11, 17)
  • [ ] Configure gradle build steps: ./gradlew clean build
  • [ ] Add jar artifact validation and unit test reporting
  • [ ] Add optional step to test CLI jar output against sample APKs
  • [ ] Update README.md badges to point to GitHub Actions instead of Travis CI
  • [ ] Optionally remove or archive .travis.yml with deprecation notice

🌿Good first issues

  • Add unit tests for ARSCDecoder.java ARSC parsing—currently no test coverage visible for the core format parser; create tests using sample APKs from the test directory
  • Document the resource obfuscation mapping format—the mappingFile option in README references a mapping.txt file, but its exact schema is undocumented; write a spec and example
  • Support custom compression strategies per resource type—the compressFilePattern currently applies uniformly; extend ResourceApkBuilder.java to allow per-pattern 7zip flags (e.g., *.png:store vs *.xml:lzma)


📝Recent commits

  • e4df245 — Create SECURITY.md (simpleton)
  • afa1d23 — chore(release): prepare 1.2.21 (simpleton)
  • c36a96a — chore(core): opt function name (#455) (Caij)
  • 9e6f8d1 — feat(core): Add v3-signing support (#454) (Caij)
  • 681f13a — docs(whitelist): update white list for pangle (#448) (ZackLee)
  • 76e4651 — release 1.2.20 (simpleton)
  • 35ba18d — fix(plugin): Whitelist doesn't work on AGP 4.1+ (simpleton)
  • 9e16dee — chore(example): Upgrade AGP to 4.1.1 on samples (simpleton)
  • 85101f4 — start 1.2.20 (simpleton)
  • b9357b0 — release: 1.2.19 (simpleton)

🔒Security observations

  • High · Unrestricted JAR Assembly with Unverified Dependencies — AndResGuard-cli/build.gradle (jar task configuration). The build.gradle file in AndResGuard-cli uses 'configurations.compile.collect' to embed all compiled dependencies directly into the final JAR without verification. This could allow transitive dependency vulnerabilities to be included in the distributed artifact. Additionally, the wildcard fileTree pattern includes all JARs from the libs directory without validation. Fix: Implement dependency verification, use gradle dependency lock files, validate checksums of transitive dependencies, and explicitly declare dependencies rather than using fileTree wildcards. Consider using gradle's dependency verification feature introduced in Gradle 6.1+
  • High · Incomplete Security Policy Documentation — SECURITY.md. The SECURITY.md file lacks critical information for vulnerability reporters: no contact method, no SLA for response times, no vulnerability assessment process, and no guidance on disclosure timelines. This violates best practices (RFC 9116) and may discourage responsible disclosure. Fix: Complete the security policy with: (1) a specific contact email or security.txt file, (2) expected response timeframe (e.g., 90-day timeline), (3) whether vulnerability reporters should be publicly acknowledged, (4) explicit disclosure guidelines, (5) links to bug bounty program if available
  • Medium · Obsolete Gradle Build Configuration Pattern — AndResGuard-cli/build.gradle. The build.gradle uses deprecated Gradle syntax ('compile' configuration deprecated since Gradle 3.0, removed in Gradle 7.0). This indicates the project may not be actively maintained and could miss critical security updates in build tools. Fix: Update to 'implementation' configuration and modernize Gradle to current LTS version. Run './gradlew wrapper --gradle-version=<latest-lts>' and update all build files accordingly
  • Medium · Missing Input Validation in Resource Processing — AndResGuard-core/src/main/java/com/tencent/mm/androlib/ (ApkDecoder.java, ResourceRepackage.java, ZipRODirectory.java). The codebase processes untrusted APK files (ApkDecoder.java) and performs resource manipulation (ResourceRepackage.java) without visible input validation. Malformed APK files or ZIP structures could potentially trigger buffer overflows or path traversal vulnerabilities. Fix: Implement strict input validation for APK files: validate ZIP structure before processing, sanitize file paths against directory traversal attacks, implement size limits for resources, and add try-catch blocks with secure error messages
  • Medium · Potential Cryptographic Implementation in APK Signing — AndResGuard-core/src/main/java/apksigner/ (ApkSignerTool.java, PasswordRetriever.java). The ApkSignerTool.java handles cryptographic operations for APK signing. Custom cryptographic implementations may have subtle vulnerabilities. The PasswordRetriever class may expose passwords in memory. Fix: Audit cryptographic code against OWASP guidelines, use only standard JDK crypto providers, implement secure password handling with char[] instead of String, use java.util.Arrays.fill() to erase sensitive data, and never log passwords
  • Low · Missing MANIFEST Attributes Validation — AndResGuard-cli/build.gradle (jar.manifest section). The jar task in build.gradle dynamically includes 'Jar-Version' attribute from an undefined 'ANDRESGUARD_VESSION' variable, which could lead to version spoofing or inconsistent versioning. Fix: Define ANDRESGUARD_VESSION explicitly in gradle.properties or rootProject.ext, validate version format, and ensure version consistency across all artifacts
  • Low · No CVE Scanning in CI/CD Pipeline — .travis.yml (implied missing configuration). .travis.yml configuration is referenced but not provided. The absence of dependency scanning in the CI pipeline means vulnerabilities in dependencies may not be detected before release. Fix: Add OWASP Dependency-Check or Snyk scanning to CI pipeline, configure build to fail on high-severity vulnerabilities, and establish baseline for low-severity CVEs
  • Low · Insufficient Output Directory Permissions Handling — undefined. The buildJar task copies output to '../ Fix: undefined
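For the path-traversal point in the "Missing Input Validation" item above: an added example of the entry-path check an extraction step needs before writing any zip entry to disk. This is not code from AndResGuard; the class name, the destination directory and the entry names are constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;

/**
 * Guard for writing zip entries to disk: every entry name is resolved against the
 * extraction directory and rejected if the normalised result lands outside it.
 */
public final class SafeZipEntryPath {

    /**
     * Resolve entryName under destDir, or throw if the entry would escape destDir
     * via "..", an absolute path, or by naming the directory itself.
     */
    public static Path resolve(Path destDir, String entryName) throws IOException {
        Path base = destDir.toAbsolutePath().normalize();
        // normalize() collapses "." and ".." after resolution, so a name such as
        // "res/../../x" is judged by where it actually ends up, not by its text.
        Path target = base.resolve(entryName).normalize();
        if (target.equals(base) || !target.startsWith(base)) {
            throw new IOException("zip entry escapes extraction directory: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) {
        Path dest = Paths.get("out", "unzipped");  // hypothetical extraction directory
        // Constructed entry names, not taken from any real APK.
        List<String> entries = Arrays.asList(
                "res/drawable/a.png",      // normal entry: accepted
                "resources.arsc",          // normal entry: accepted
                "../../outside.txt",       // parent traversal: rejected
                "res/../../escape.xml",    // traversal hidden behind a valid prefix: rejected
                "/tmp/absolute.txt",       // absolute path: rejected
                ".");                      // the directory itself: rejected
        for (String name : entries) {
            try {
                System.out.println("accept " + name + " -> " + resolve(dest, name));
            } catch (IOException e) {
                System.out.println("reject " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Call `resolve` once per `ZipEntry` before opening the output stream; checking `startsWith` on the normalised path rather than scanning the name for `..` is what makes the prefix-hidden case fail closed.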

LLM-derived; treat as a starting point, not a security audit.


Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.
