github · apple-docs-mcpHEAD

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

"timestamp": "21:11",

      "title": "Handle DOM Response",

      "language": "swift",

      "code": "// Listen for authorization success.\ndocument.addEventListener('AppleIDSignInOnSuccess', (event) => {\n    // Handle successful response.\n    console.log(event.detail.data);\n});\n\n// Listen for authorization failures.\ndocument.addEventListener('AppleIDSignInOnFailure', (event) => {\n     // Handle error.\n     console.log(event.detail.error);\n});"

    }

  ],

  "resources": {

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

"timestamp": "6:02",

      "title": "Register event handler",

      "language": "swift",

      "code": "import AccessorySetupKit\n\n// Create a session\nvar session = ASAccessorySession()\n\n// Activate session with event handler\nsession.activate(on: DispatchQueue.main, eventHandler: handleSessionEvent(event:))\n\n// Handle event\nfunc handleSessionEvent(event: ASAccessoryEvent) {  \n    switch event.eventType {\n    case .activated:\n        print(\"Session is activated and ready to use\")\n  

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

"timestamp": "5:42",

      "title": "Function that retrieves a conversion tag from a URL",

      "language": "swift",

      "code": "func retrieveConversionTag(fromURL url: URL) -> String? {\n    guard let components = URLComponents(url: url, resolvingAgainstBaseURL: true) else {\n        print(\"Could not get components for URL.\")\n        return nil\n    }\n\n    guard let queryItems = components.queryItems else {\n        print(\"URL does not contain query items.\")\n        return nil\n    

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

"timestamp": "8:23",

      "title": "Friending API",

      "language": "swift",

      "code": "// Call Friend Requests API to present friend request view from a view controller, when player click on Add Friends Button in your game\nlet error = GKLocalPlayer.local\n.presentFriendRequestCreatorFromViewController(using: navigationController)\n\nif error != nil {\n    print(\"Fail to send friend request with error: \\(error!.localizedDescription).\")\n}"

    },

    {

      "timestamp": "11:47",

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

"timestamp": "12:44",

      "title": "Matter application controlling an LED light",

      "language": "swift",

      "code": "let led = LED()\n\n@_cdecl(\"app_main\")\nfunc app_main() {\n  print(\"🏎️   Hello, Embedded Swift!\")\n  \n  // (1) create a Matter root node\n  let rootNode = Matter.Node()\n  rootNode.identifyHandler = {\n    print(\"identify\")\n  }\n  \n  // (2) create a \"light\" endpoint, configure it\n  let lightEndpoint = Matter.ExtendedColorLight(node: rootNode)\n  lightEndpoint.

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

"timestamp": "9:26",

      "title": "Creating the async message stream dispatcher",

      "language": "swift",

      "code": "// Create an async message stream dispatcher task\n\nTask {\n    do {\n        for try await output in session.outputs {\n            switch output {\n            case .requestProgress(let request, let fraction):\n                print(\"Request progress: \\(fraction)\")\n            case .requestComplete(let request, let result):\n                if case .modelFile(let u

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

"timestamp": "9:26",

      "title": "Handle events",

      "language": "swift",

      "code": "// Handle event\nfunc handleSessionEvent(event: ASAccessoryEvent) {  \n    switch event.eventType {\n\n    case .accessoryAdded:\n        let newDice: ASAccessory = event.accessory!\n\n    case .accessoryChanged:\n        print(\"Accessory properties changed\")\n\n    case .accessoryRemoved:\n        print(\"Accessory removed from system\")\n\n    default:\n        print(\"Received event with type: \\(

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

"timestamp": "6:00",

      "title": "Add devices to input & add inputs to the capture session & enable Cinematic Video capture",

      "language": "swift",

      "code": "// Add devices to inputs\n\nlet videoInput = try! AVCaptureDeviceInput(device: camera)\nguard captureSession.canAddInput(videoInput) else {\n    print(\"Can't add the video input to the session\")\n    return\n}\n\nlet audioInput = try! AVCaptureDeviceInput(device: microphone)\nguard captureSession.canAddInput(audioInput) else 

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

"timestamp": "7:08",

      "title": "handleBAR",

      "language": "swift",

      "code": "class ExtensionDelegate: NSObject, WKExtensionDelegate {\n    func handle(_ backgroundTasks: Set<WKRefreshBackgroundTask>) {\n\n        for task in backgroundTasks {\n\n          switch task {\n          case let backgroundTask as WKApplicationRefreshBackgroundTask:\n\n                if let userInfo:NSDictionary = backgroundTask.userInfo as? NSDictionary {\n                   if let then:Date = userInfo[\

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

"timestamp": "10:22",

      "title": "Communicate with accessory",

      "language": "swift",

      "code": "// Connect to accessory using CoreBluetooth\nlet central = CBCentralManager(delegate: self, queue: nil)\n\nfunc centralManagerDidUpdateState(_ central: CBCentralManager) {\n    switch central.state {\n    case .poweredOn:\n       // state will only be updated to poweredOn when you have paired accessories\n        let peripheral = central.retrievePeripherals(withIdentifiers: [newDice.bluet

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

"timestamp": "25:32",

      "title": "Shared Worker",

      "language": "swift",

      "code": "// Create Shared Worker\nlet worker = new SharedWorker(\"SharedWorker.js\");\n\n// Listen for messages from Shared Worker\nworker.port.addEventListener(\"message\", function(event) {\n  console.log(\"Message received from worker: \" + event);\n});\n\n// Send messages to Shared Worker\nworker.port.postMessage(\"Send message to worker\");"

    },

    {

      "timestamp": "25:56",

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

"timestamp": "8:03",

      "title": "Request an age range",

      "language": "swift",

      "code": "// Request an age range\n\nimport SwiftUI\nimport DeclaredAgeRange\n\nstruct LandmarkDetail: View {\n    // ...\n    @State var photoSharingEnabled = false\n    @Environment(\\.requestAgeRange) var requestAgeRange\n    \n    var body: some View {\n        ScrollView {\n            // ...\n            Button(\"Share Photos\") {}\n                .disabled(!photoSharingEnabled)\n        }\n       

Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).

"timestamp": "12:14",

      "title": "Fetching objects with #Predicate and FetchDescriptor",

      "language": "swift",

      "code": "let context = self.newSwiftContext(from: Trip.self)\nlet hotelNames = [\"First\", \"Second\", \"Third\"]\n\nvar predicate = #Predicate<Trip> { trip in\n    trip.livingAccommodations.filter {\n        hotelNames.contains($0.placeName)\n    }.count > 0\n}\n\nvar descriptor = FetchDescriptor(predicate: predicate)\nvar trips = try context.fetch(descriptor)"

    },

Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).

"timestamp": "12:31",

      "title": "Tailor SwiftData Fetch in Custom Migration Stage",

      "language": "swift",

      "code": "static let migrateV1toV2 = MigrationStage.custom(\n   fromVersion: SampleTripsSchemaV1.self,\n   toVersion: SampleTripsSchemaV2.self,\n   willMigrate: { context in\n      var fetchDesc =  FetchDescriptor<SampleTripsSchemaV1.Trip>()\n      fetchDesc.propertiesToFetch = [\\.name]\n\n      let trips = try? context.fetch(fetchDesc)\n  \n      // De-duplicate Trip instanc

Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).

"timestamp": "14:49",

      "title": "Efficient verifyPosts implementation",

      "language": "swift",

      "code": "func verifyPosts(in context: NSManagedObjectContext) throws {\n    try context.performAndWait {\n        let fetchRequest = Attachment.fetchRequest()\n        fetchRequest.resultType = .managedObjectIDResultType\n        let attachments = try context.fetch(fetchRequest) as! [NSManagedObjectID]\n\n        for index in 0...attachments.count - 1 {\n            let attachment = cont

Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).

"timestamp": "7:56",

      "title": "Request the weather via REST API",

      "language": "swift",

      "code": "/* Request a token */\nconst tokenResponse = await fetch('https://example.com/token');\nconst token = await tokenResponse.text();\n\n/* Get my weather object */\nconst url = \"https://weatherkit.apple.com/1/weather/en-US/41.029/-74.642?dataSets=weatherAlerts&country=US\"\n\nconst weatherResponse = await fetch(url, {\nheaders: {\n\"Authorization\": token\n}\n});\nconst weather = await

Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).

"timestamp": "6:12",

      "title": "REST API: wait for completion",

      "language": "swift",

      "code": "# Wait for completion\n\ndef watch_upload(submission_id, token):\n    while True:\n        resp = requests.get(\n            \"https://appstoreconnect.apple.com/notary/v2/submissions/\" + submission_id, \n            headers={\"Authorization\": \"Bearer \" + token})\n\n        output = resp.json()\n        current_status = output[\"data\"][\"attributes\"][\"status\"]\n        \n        

Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).

"timestamp": "8:41",

      "title": "SampleTrips Custom Migration Stage from Version 1.0 to 2.0",

      "language": "swift",

      "code": "static let migrateV1toV2 = MigrationStage.custom(\n   fromVersion: SampleTripsSchemaV1.self,\n   toVersion: SampleTripsSchemaV2.self,\n   willMigrate: { context in\n      let fetchDesc =  FetchDescriptor<SampleTripsSchemaV1.Trip>()\n      let trips = try? context.fetch(fetchDesc)\n  \n      // De-duplicate Trip instances here...\n\n      try? context.save()\

Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).

"timestamp": "7:49",

      "title": "Implementing a SchemaMigrationPlan",

      "language": "swift",

      "code": "enum SampleTripsMigrationPlan: SchemaMigrationPlan {\n    static var schemas: [any VersionedSchema.Type] {\n        [SampleTripsSchemaV1.self, SampleTripsSchemaV2.self, SampleTripsSchemaV3.self]\n    }\n    \n    static var stages: [MigrationStage] {\n        [migrateV1toV2, migrateV2toV3]\n    }\n\n    static let migrateV1toV2 = MigrationStage.custom(\n        fromVersion: SampleT

Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).

// Extract current User-Agent from pre-generated headers

        currentUserAgent = (options.headers as any)?.['User-Agent'] || null;

        const response = await fetch(url, options);

        const responseTime = Date.now() - startTime;

Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).

"timestamp": "9:33",

      "title": "SampleTrips Custom Migration Stage from Version 2.0 to 3.0",

      "language": "swift",

      "code": "static let migrateV2toV3 = MigrationStage.custom(\n  fromVersion: SampleTripsSchemaV2.self,\n  toVersion: SampleTripsSchemaV3.self,\n  willMigrate: { context in\n    let trips = try? context.fetch(FetchDescriptor<SampleTripsSchemaV2.Trip>())\n\n    // De-duplicate Trip instances here...\n\n    try? context.save()\n  }, \n  didMigrate: nil\n)"

    },

    {

Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).

"timestamp": "5:32",

      "title": "Fetching with a FetchDescriptor",

      "language": "swift",

      "code": "let descriptor = FetchDescriptor<Trip>(predicate: tripPredicate)\n\nlet trips = try context.fetch(descriptor)"

    },

    {

      "timestamp": "5:46",

Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).

"timestamp": "4:53",

      "title": "REST API: upload file for notarization",

      "language": "swift",

      "code": "# Upload file for notarization\n\ndef upload_file(token, filepath, sha256):\n    data = { \"sha256\": sha256, \"submissionName\": os.path.basename(filepath) }\n    resp = requests.post(\n       \"https://appstoreconnect.apple.com/notary/v2/submissions\",\n        json=data,\n        headers={\"Authorization\": \"Bearer \" + token})\n\n    output = resp.json()\n    aws_info = ou

Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).

"timestamp": "5:07",

      "title": "Testing a large data generator",

      "language": "swift",

      "code": "class TestLargeDataGenerator: CoreDataCloudKitDemoUnitTestCase {\n    func testGenerateData() throws {\n        let context = self.coreDataStack.persistentContainer.newBackgroundContext()\n        try self.generator.generateData(context: context)\n        try context.performAndWait {                     \n            let posts = try context.fetch(Post.fetchRequest())\n            for p

Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).

"timestamp": "13:11",

      "title": "Add relationshipsToPrefetch in Custom Migration Stage",

      "language": "swift",

      "code": "static let migrateV1toV2 = MigrationStage.custom(\n   fromVersion: SampleTripsSchemaV1.self,\n   toVersion: SampleTripsSchemaV2.self,\n   willMigrate: { context in\n      var fetchDesc =  FetchDescriptor<SampleTripsSchemaV1.Trip>()\n      fetchDesc.propertiesToFetch = [\\.name]\n      fetchDesc.relationshipKeyPathsForPrefetching = [\\.livingAccommodation]\n\n   

Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).

"timestamp": "14:14",

      "title": "Problematic verifyPosts implementation",

      "language": "swift",

      "code": "func verifyPosts(in context: NSManagedObjectContext) throws {\n    try context.performAndWait {\n        let fetchRequest = Post.fetchRequest()\n        let posts = try context.fetch(fetchRequest)\n\n        for post in posts {\n            // verify post\n\n            let attachments = post.attachments as! Set<Attachment>\n            for attachment in attachments {\n\n     

Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).

"hasTranscript": true,

  "hasCode": false,

  "transcript": {

    "fullText": "♪ ♪ Razvan: Hello! I'm Razvan, an engineer on the WebKit Developer Experience team, and I'm here to tell you about some of the new features and improvements we've made to Web Inspector this year. Web Inspector is part of Safari on macOS, and it provides a powerful set of tools that allow you to inspect all the resources and activities of a website, web app, web extension, or home screen web app. I'm excited to show you

Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).

"timestamp": "6:11",

      "title": "Fetching a composite attribute",

      "language": "swift",

      "code": "private func findAircraft(with color: String) {\n    viewContext.performAndWait {\n        let fetchRequest = Aircraft.fetchRequest()\n        fetchRequest.predicate = NSPredicate(format: \"colorScheme.primary == %@\", color)\n        \n        do {\n            var fetchedResults: [Aircraft]\n            fetchedResults = try viewContext.fetch(fetchRequest)\n            \n            /

Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).

"timestamp": "16:54",

      "title": "willMigrationHandler and didMigrationHandler of NSCustomMigrationStage",

      "language": "swift",

      "code": "customStage.willMigrateHandler = { migrationManager, currentStage in\n    guard let container = migrationManager.container else {\n        return\n    }\n\n    let context = container.newBackgroundContext()\n    try context.performAndWait {\n        let fetchRequest = NSFetchRequest<NSFetchRequestResult>(entityName: \"Aircraft\")\n        fetchR

Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).

"timestamp": "5:46",

      "title": "Fetching with fetch and sort descriptors",

      "language": "swift",

      "code": "let descriptor = FetchDescriptor<Trip>(\n    sortBy: SortDescriptor(\\Trip.name),\n    predicate: tripPredicate\n)\n\nlet trips = try context.fetch(descriptor)"

    },

    {

      "timestamp": "6:15",

Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).

"timestamp": "7:34",

      "title": "Process history changes",

      "language": "swift",

      "code": "private func findTrips(in transactions: [DefaultHistoryTransaction]) -> (Set<Trip>, DefaultHistoryToken?) {\n        let taskContext = ModelContext(modelContainer)\n        var resultTrips: Set<Trip> = []\n        for transaction in transactions {\n            for change in transaction.changes {\n                let modelID = change.changedPersistentIdentifier\n                let fetchDescri

Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).

"timestamp": "11:54",

      "title": "Fetching objects with FetchDescriptor",

      "language": "swift",

      "code": "let context = self.newSwiftContext(from: Trip.self)\nvar trips = try context.fetch(FetchDescriptor<Trip>())"

    },

    {

      "timestamp": "12:14",

Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).

"timestamp": "12:27",

      "title": "Fetching objects with #Predicate and FetchDescriptor",

      "language": "swift",

      "code": "let context = self.newSwiftContext(from: Trip.self)\n\npredicate = #Predicate<Trip> { trip in\n    trip.livingAccommodations.filter {\n        $0.hasReservation == false\n    }.count > 0\n}\n\ndescriptor = FetchDescriptor(predicate: predicate)\nvar trips = try context.fetch(descriptor)"

    },

    {

      "timestamp": "13:18",

Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).

"timestamp": "13:28",

      "title": "Update Widget to harness fetchLimit",

      "language": "swift",

      "code": "// Widget code to get new Timeline Entry\n\nfunc getTimeline(in context: Context, completion: @escaping (Timeline<Entry>) -> Void) {\n  let currentDate = Date.now\n  var fetchDesc = FetchDescriptor(sortBy: [SortDescriptor(\\Trip.startDate, order: .forward)])\n  fetchDesc.predicate = #Predicate { $0.endDate >= currentDate }\n\n  fetchDesc.fetchLimit = 1\n  \n  let modelContext = M

MCP tool input schema exposes an unconstrained string/any field with a risky name (command/query/sql/code/script/url/path/expr/ eval). Any caller can pass arbitrary values, which typically widens the tool's blast radius well beyond its intent. Narrow the schema with `.enum()`, `.regex()`, `.max()`, `Literal[...]`, Pydantic `Field(max_length=..., pattern=...)`, or a JSON Schema `enum` / `pattern` / `maxLength`.

* Schema for search_wwdc_content

 */

export const searchWWDCContentSchema = z.object({

  query: z.string().min(1).describe('Search query'),

  searchIn: z.enum(['transcript', 'code', 'both']).default('both').describe('Where to search'),

  year: z.string().optional().describe('Filter by WWDC year'),

  language: z.string().optional().describe('Filter code by language'),

MCP tool input schema exposes an unconstrained string/any field with a risky name (command/query/sql/code/script/url/path/expr/ eval). Any caller can pass arbitrary values, which typically widens the tool's blast radius well beyond its intent. Narrow the schema with `.enum()`, `.regex()`, `.max()`, `Literal[...]`, Pydantic `Field(max_length=..., pattern=...)`, or a JSON Schema `enum` / `pattern` / `maxLength`.

import { z } from 'zod';

export const searchAppleDocsSchema = z.object({

  query: z.string().describe('Search query for Apple Developer Documentation'),

  type: z.enum(['all', 'documentation', 'sample']).default('all')

    .describe('Type of content to search for (documentation=API reference, sample=code samples)'),

});

MCP tool input schema exposes an unconstrained string/any field with a risky name (command/query/sql/code/script/url/path/expr/ eval). Any caller can pass arbitrary values, which typically widens the tool's blast radius well beyond its intent. Narrow the schema with `.enum()`, `.regex()`, `.max()`, `Literal[...]`, Pydantic `Field(max_length=..., pattern=...)`, or a JSON Schema `enum` / `pattern` / `maxLength`.

import { z } from 'zod';

export const getAppleDocContentSchema = z.object({

  url: z.string().describe('URL of the Apple Developer Documentation page'),

  includeRelatedApis: z.boolean().default(false).describe('Include related APIs analysis'),

  includeReferences: z.boolean().default(false).describe('Include references resolution'),

  includeSimilarApis: z.boolean().default(false).describe('Include similar APIs discovery'),

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

- name: Upload coverage reports

        if: matrix.node-version == '20.x'

        uses: codecov/codecov-action@v4

        with:

          files: ./coverage/lcov.info

          flags: unittests

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

steps:

      - name: Checkout code

        uses: actions/checkout@v4

        with:

          fetch-depth: 0

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

uses: actions/checkout@v4

      - name: Install pnpm

        uses: pnpm/action-setup@v3

        with:

          version: 9

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

actions: read # Required for Claude to read CI results on PRs

    steps:

      - name: Checkout repository

        uses: actions/checkout@v4

        with:

          fetch-depth: 1

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

version: 9

      - name: Setup Node.js

        uses: actions/setup-node@v4

        with:

          node-version: 20.x

          cache: 'pnpm'

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

      - name: Create GitHub Release

        uses: softprops/action-gh-release@v1

        with:

          generate_release_notes: true

          body: |

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

steps:

      - name: Checkout code

        uses: actions/checkout@v4

      - name: Install pnpm

        uses: pnpm/action-setup@v3

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

steps:

      - name: Checkout repository

        uses: actions/checkout@v4

        with:

          fetch-depth: 1

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

steps:

      - name: Checkout code

        uses: actions/checkout@v4

      - name: Install pnpm

        uses: pnpm/action-setup@v3

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

steps:

      - name: Checkout code

        uses: actions/checkout@v4

      - name: Install pnpm

        uses: pnpm/action-setup@v3

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

- name: Run Claude Code Review

        id: claude-review

        uses: anthropics/claude-code-action@v1

        with:

          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

          prompt: |

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

version: 9

      - name: Setup Node.js ${{ matrix.node-version }}

        uses: actions/setup-node@v4

        with:

          node-version: ${{ matrix.node-version }}

          cache: 'pnpm'

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

- name: Comment PR status

        if: always()

        uses: actions/github-script@v7

        with:

          script: |

            const { context } = require('@actions/github');

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

uses: actions/checkout@v4

      - name: Install pnpm

        uses: pnpm/action-setup@v3

        with:

          version: 9

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

version: 9

      - name: Setup Node.js

        uses: actions/setup-node@v4

        with:

          node-version: 20.x

          cache: 'pnpm'

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

uses: actions/checkout@v4

      - name: Install pnpm

        uses: pnpm/action-setup@v3

        with:

          version: 9

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

steps:

      - name: Checkout code

        uses: actions/checkout@v4

      - name: Install pnpm

        uses: pnpm/action-setup@v3

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

- name: Run Claude Code

        id: claude

        uses: anthropics/claude-code-action@v1

        with:

          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

version: 9

      - name: Setup Node.js

        uses: actions/setup-node@v4

        with:

          node-version: 20.x

          cache: 'pnpm'

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

steps:

      - name: Checkout code

        uses: actions/checkout@v4

      - name: Run security audit

        run: pnpm audit --audit-level=high || true

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

version: 9

      - name: Setup Node.js

        uses: actions/setup-node@v4

        with:

          node-version: 20.x

          cache: 'pnpm'

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

uses: actions/checkout@v4

      - name: Install pnpm

        uses: pnpm/action-setup@v3

        with:

          version: 9

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

fetch-depth: 0

      - name: Install pnpm

        uses: pnpm/action-setup@v3

        with:

          version: 9

Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.

"timestamp": "31:02",

      "title": "Terrain material transition using the slider",

      "language": "swift",

      "code": "@State private var sliderValue: Float = 0.0\n\nSlider(value: $sliderValue, in: (0.0)...(1.0))\n    .onChange(of: sliderValue) { _, _ in\n        guard let terrain = rootEntity.findEntity(named: \"DioramaTerrain\"),\n                var modelComponent = terrain.components[ModelComponent.self],\n                var shaderGraphMaterial = modelComponent.materials.first \n   

Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.

"timestamp": "20:47",

      "title": "Relevant Intents Function",

      "language": "swift",

      "code": "func updateBackyardRelevantIntents() async {\n    let modelContext = ModelContext(DataGeneration.container)\n    var relevantIntents = [RelevantIntent]()\n    \n    for backyard in Backyard.allBackyards(modelContext: modelContext) {\n\n        let configIntent = ConfigurationAppIntent()\n        configIntent.backyardID = backyard.id.uuidString\n        let relevantFoodDateContext = Relevan