If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/CatchChat/Yep shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

WAIT — Stale — last commit 2y ago

• 2 active contributors
• MIT licensed
• ⚠ Stale — last commit 2y ago
• ⚠ Small team — 2 contributors active in recent commits
• ⚠ Single-maintainer risk — top contributor 98% of recent commits
• ⚠ No CI workflows detected
• ⚠ No test directory detected

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live CatchChat/Yep repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/CatchChat/Yep.

What it runs against: a local clone of CatchChat/Yep — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in CatchChat/Yep | Confirms the artifact applies here, not a fork | | 2 | License is still MIT | Catches relicense before you depend on it | | 3 | Default branch master exists | Catches branch renames | | 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code | | 5 | Last commit ≤ 790 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of CatchChat/Yep. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/CatchChat/Yep.git
#   cd Yep
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of CatchChat/Yep and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "CatchChat/Yep(\\.git)?\\b" \\
  && ok "origin remote is CatchChat/Yep" \\
  || miss "origin remote is not CatchChat/Yep (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(MIT)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"MIT\"" package.json 2>/dev/null) \\
  && ok "license is MIT" \\
  || miss "license drift — was MIT at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \\
  && ok "default branch master exists" \\
  || miss "default branch master no longer exists"

# 4. Critical files exist
test -f "Yep/AppDelegate.swift" \\
  && ok "Yep/AppDelegate.swift" \\
  || miss "missing critical file: Yep/AppDelegate.swift"
test -f "Yep/Base.lproj/Main.storyboard" \\
  && ok "Yep/Base.lproj/Main.storyboard" \\
  || miss "missing critical file: Yep/Base.lproj/Main.storyboard"
test -f "Realm/Models.swift" \\
  && ok "Realm/Models.swift" \\
  || miss "missing critical file: Realm/Models.swift"
test -f "Yep/Caches/ImageCache.swift" \\
  && ok "Yep/Caches/ImageCache.swift" \\
  || miss "missing critical file: Yep/Caches/ImageCache.swift"
test -f "FayeClient/FayeClient.swift" \\
  && ok "FayeClient/FayeClient.swift" \\
  || miss "missing critical file: FayeClient/FayeClient.swift"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 790 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~760d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/CatchChat/Yep"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

Yep is a native iOS social networking app (built in Swift + Objective-C) that connects experts and learners around shared skills and interests. The app uses Realm for persistent data storage, Faye for real-time feed updates, and integrates with social services (GitHub, Dribbble, Instagram) and third-party APIs (Apple Music, iBooks) to enrich user profiles. Classic MVC architecture: Realm/Models.swift contains the data layer, Main.storyboard + Storyboard References organize UI controllers, Services/ directory (YepService.swift, YepNetworking.swift, FayeService.swift, etc.) implements business logic, and Activities/ handles social sharing. Asset catalogs (Activities.xcassets, Badges.xcassets) manage images; Caches/ folder optimizes FPS via image caching.

iOS developers building community-driven social networking features, specifically those needing to understand MVC patterns, Realm database integration, real-time messaging via Faye, and multi-service social profile aggregation in a production app.

Actively maintained but showing signs of age: codebase targets Xcode 7.2 and CocoaPods 0.39.0 (from ~2016), references Trello board for progress tracking, and has a clear development workflow (git flow on develop branch). The project is production-deployed (soyep.com) but dependency tooling is outdated; actively developed with contributions encouraged via pull requests.

Significant technical debt: CocoaPods and Xcode versions specified are 8+ years old, increasing compatibility risk with modern Swift and iOS SDKs. Dependencies include external frameworks (BuddyBuildSDK, MonkeyKing) without visible version pinning details in the file list. Single-maintainer risk evident from xcuserdata paths showing 'kevin' as sole Xcode user. No visible CI/CD pipeline or automated tests mentioned in README.

Based on repo structure, active development includes: Faye real-time messaging (FayeClient, FayeService), OpenGraph metadata extraction for shared links, multi-platform social integration (WeChat, Weibo via MonkeyKing), and location services. Git flow on develop branch suggests ongoing feature branches, with Trello board tracking sprints.

Check README for instructions.

Daily commands: Open Yep.xcworkspace (not .xcodeproj) in Xcode 7.2+, run Pod install if needed, then build and run the Yep scheme on iOS simulator or device. No documented dev server; this is a compiled native app.

• Yep/AppDelegate.swift — Application entry point and lifecycle management—must understand app initialization, dependency setup, and scene configuration before any feature development
• Yep/Base.lproj/Main.storyboard — Primary UI navigation hub using Storyboard References pattern; essential for understanding view controller hierarchy and screen transitions
• Realm/Models.swift — Data persistence layer using Realm; critical for understanding how data is modeled, persisted, and queried across the app
• Yep/Caches/ImageCache.swift — Image caching abstraction; handles memory/disk caching for avatars and media, preventing performance bottlenecks
• FayeClient/FayeClient.swift — Real-time messaging client for WebSocket communication; core infrastructure for live chat and push notifications
• OpenGraph/OpenGraph.swift — Link preview and metadata extraction service; enables rich link sharing in conversations
• Podfile — Dependency management declaration; lists all CocoaPods required for build and runtime

Add a New User Interest Badge

1. Create a new PDF icon and add to asset catalog (Yep/Badges.xcassets/badge_[interest].imageset/badge_[interest].pdf)
2. Register badge in Contents.json with metadata (Yep/Badges.xcassets/badge_[interest].imageset/Contents.json)
3. Update Realm model to include new badge type in user profile schema (Realm/Models.swift)
4. Add badge display logic to avatar styling cache (Yep/Caches/AvatarStyles.swift)

Add a New Real-Time Message Type

1. Define new message type in Realm data model (Realm/Models.swift)
2. Add serialization case to Faye message handler (FayeClient/FayeMessage.swift)
3. Extend FayeClient to handle new message routing (FayeClient/FayeClient.swift)
4. Create UI component in storyboard or view controller for display (Yep/Base.lproj/Main.storyboard)

Add a New Social Share Destination

1. Create activity icon in asset catalog (Yep/Activities.xcassets/[platform]_action.imageset/Contents.json)
2. Create activity subclass extending UIActivity (Yep/Activities/[Platform]Activity.swift)
3. Update AppDelegate to register new activity in share sheet (Yep/AppDelegate.swift)
4. Add Open Graph metadata for rich preview on target platform (OpenGraph/Service.swift)

Add Image Caching for New Content Type

1. Create specialized cache class inheriting from base ImageCache (Yep/Caches/[Content]Cache.swift)
2. Configure memory/disk cache policies and sizing limits (Yep/Caches/ImageCache.swift)
3. Update AppDelegate initialization to register new cache (Yep/AppDelegate.swift)
4. Add load/store methods to view controller logic (Yep/Base.lproj/Main.storyboard)

• Realm — Provides fast, queryable local persistence with minimal boilerplate; avoids CoreData complexity for a real-time messaging app
• Faye/Bayeux (WebSocket) — Enables bidirectional, low-latency messaging critical for real-time chat and push notifications; pub-sub pattern scales horizontally
• Storyboard + Storyboard References — Modular UI definition reduces merge conflicts in team development; visual layout editor accelerates prototyping
• CocoaPods — Mature iOS dependency manager with broad ecosystem; simplifies integration of third-party frameworks
• AsyncDisplayKit (implied by Extensions) — Offloads UI rendering to background threads; prevents frame drops in list-heavy social apps

• Realm over Core Data

  • Why: Realm has simpler API and better performance for frequent writes in chat scenarios
  • Consequence: Adds external dependency; less native integration with CloudKit

• Storyboards over programmatic UI

  • Why: Visual design faster for iteration; Storyboard References enable team collaboration
  • Consequence: Merge conflicts possible; harder to review UI changes in code review

• Faye protocol over Apple Push Notifications only

  • Why: Faye enables real-time message delivery even when app is backgrounded; peer-to-peer messaging
  • Consequence: Server-side WebSocket infrastructure required; APNs still needed for true background push

• Multi-storyboard architecture

  • Why: Intro.storyboard, Main.storyboard, Show.storyboard split by feature to reduce file size and contention
  • Consequence: Requires careful management of navigation transitions between storyboards; increased cognitive load

• Backend API server (client-only social app consuming external API)
• Offline-first sync (relies on Realm for local cache but requires connectivity for real-time features)
• Android platform support (iOS-only using Xcode, Swift, UIKit)
• End-

CocoaPods version pinning: Must use CocoaPods v0.39.0 exactly; newer versions may have breaking changes with Podfile format. Xcode compatibility: Specified Xcode 7.2 is ancient; Swift syntax and framework APIs have changed significantly—check for deprecations. Storyboard complexity: Storyboard References break up UI across multiple files; merge conflicts likely in git flow; understand the reference structure before editing. Realm migrations: Models.swift changes require migration logic; schema mismatches will crash app on launch with outdated Realm files. BuddyBuildSDK: Non-open-source framework; licensing and compatibility not documented. Faye service: Real-time feeds depend on external Faye server; must be running and correctly configured (no documented setup instructions).

• Faye Protocol (Bayeux) — FayeClient and FayeService implement Faye pub/sub messaging for real-time feeds; understanding the handshake, subscription, and message flow is critical to extend real-time features
• Realm Database (Mobile ORM) — Yep's entire data persistence layer uses Realm instead of Core Data; knowing Realm queries, migrations, and thread-safety is essential to modify Models.swift or fix data bugs
• Storyboard References — Yep breaks Main.storyboard into smaller modular storyboards using Storyboard References feature; this pattern reduces merge conflicts but requires understanding how references load child controllers
• Open Graph Protocol — OpenGraph/Service.swift parses og:title, og:image, og:description from web pages; essential for understanding how shared links are enriched in feeds (iBooks, App Store, Apple Music metadata)
• Image Caching & FPS Optimization — Caches/ folder implements custom image caching to maintain FPS; understanding memory-efficient caching patterns is key to preventing jank in feed scrolling with many images
• @IBDesignable Custom Views — Some views in Yep are marked @IBDesignable to render live in Interface Builder; this pattern bridges code and UI design but requires careful thread handling to avoid IB crashes
• UIActivityViewController for Social Sharing — Yep avoids WeChat/Weibo SDK bloat by wrapping native UIActivityViewController with MonkeyKing; understand this pattern to add custom share actions or support new services

• nixzhu/MonkeyKing — Direct dependency used in Yep for WeChat/Weibo sharing; understand this to customize social activity behavior in Activities/WeChatActivity.swift
• realm/realm-swift — The underlying ORM used for all data persistence in Realm/Models.swift; essential to learn Realm query syntax and migration patterns
• facebook/FBSDKCoreKit — Similar social login integration pattern; reference for how Yep could add Facebook authentication alongside GitHub/Dribbble in SocialWorkService.swift
• socketio/socket.io-client-swift — Alternative to Faye for real-time messaging; compare WebSocket patterns with Yep's FayeClient to understand trade-offs
• onevcat/Kingfisher — Popular Swift image caching library; Yep implements custom image caching in Caches/ folder—Kingfisher is a modern alternative to study

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add comprehensive unit tests for FayeClient WebSocket messaging

The FayeClient module (FayeClient.swift, FayeMessage.swift) lacks test coverage. Given this is a real-time chat application, reliable WebSocket messaging is critical. FayeClientTests/FayeClientTests.swift exists but is likely incomplete. Adding tests for connection lifecycle, message serialization, and error handling would prevent regressions in the core messaging layer.

• [ ] Review existing FayeClientTests/FayeClientTests.swift to identify gaps in coverage
• [ ] Add unit tests for FayeMessage encoding/decoding with various message types
• [ ] Add integration tests for FayeClient connection states (connecting, connected, disconnected)
• [ ] Add tests for message acknowledgment and subscription handling
• [ ] Ensure tests run in the Yep.xcworkspace build pipeline

Add missing unit tests for OpenGraph module with real URL fixtures

The OpenGraph module (OpenGraph.swift, Service.swift, and extensions) handles metadata extraction from URLs, which is critical for sharing links in chat. While OpenGraphTests/OpenGraphTests.swift exists, the test coverage is minimal. The Extensions subdirectory (NSURL+OpenGraph.swift, String+OpenGraph.swift) needs specific tests for URL parsing edge cases and string manipulation.

• [ ] Review OpenGraphTests/OpenGraphTests.swift and identify untested code paths
• [ ] Add tests for NSURL+OpenGraph.swift covering various URL formats and invalid inputs
• [ ] Add tests for String+OpenGraph.swift parsing and validation logic
• [ ] Create fixtures directory (OpenGraphTests/Fixtures/) with sample HTML/OG meta tags
• [ ] Add tests for Service.swift covering network requests and JSON parsing

Refactor Badges.xcassets and Activities.xcassets into a shared Assets module

The project has duplicated asset management patterns across Badges.xcassets and Activities.xcassets directories. Each has similar JSON configuration files and PDF assets. Creating a dedicated Assets module would improve maintainability, reduce duplication, and make asset versioning easier. This also supports the ability to document icon naming conventions and add missing badge types systematically.

• [ ] Create Yep/Assets/ directory structure to consolidate badge and activity assets
• [ ] Create Yep/Assets/BadgeAssets.swift enum documenting all available badges with associated values
• [ ] Create Yep/Assets/ActivityAssets.swift enum for activity share options (WeChatActivity)
• [ ] Migrate hardcoded badge references in view controllers to use the new enums
• [ ] Document missing badge types (e.g., verify badge_android, badge_apple are complete relative to app features)

• Add unit tests for FayeClient/FayeMessage.swift: FayeClientTests/ exists but is minimal; add tests for message parsing, serialization, and edge cases (malformed JSON, missing fields) to catch regressions in real-time messaging
• Document Services/ architecture and add inline examples: README mentions 10 different services but provides no code examples or API signatures; add a Services-GUIDE.md with 2-3 concrete examples (e.g., 'how to verify a phone number' using YepService.swift)
• Add tests for OpenGraph/OpenGraph.swift metadata extraction: OpenGraphTests/ folder exists but likely sparse; add test cases for parsing og:title, og:image, og:description from real web pages (iBooks, App Store links) to prevent parsing regressions

The Yep codebase has significant security concerns primarily stemming from outdated dependencies (CocoaPods v0.39.0 from 2015), unverified binary frameworks (BuddyBuildSDK

• High · Outdated CocoaPods and Xcode Version Requirements — README.md, Podfile, Podfile.lock. The README specifies CocoaPods v0.39.0 and Xcode 7.2, which are extremely outdated (from 2015-2016). These versions contain known security vulnerabilities and lack modern security features. The Podfile.lock suggests dependencies may have unpatched vulnerabilities. Fix: Update to the latest CocoaPods version and specify minimum Xcode 14+. Audit all dependencies in Podfile.lock for known CVEs and update to patched versions.
• High · Unverified Third-Party Framework Integration — BuddyBuildSDK.framework/. BuddyBuildSDK.framework is included as a binary framework without version control or dependency management. The framework lacks transparency regarding its source, security audits, and potential vulnerabilities. Binary frameworks can contain malicious code. Fix: Either remove the framework if not actively used, verify its source and integrity, or replace with properly managed dependencies through CocoaPods/SPM with transparent version tracking.
• High · Hardcoded User Data in Project Configuration — Yep.xcodeproj/xcuserdata/. The xcuserdata directory with user-specific build settings (xcuserdatad/kevin.xcuserdatad) is committed to version control. This may contain sensitive build configurations, API keys, or development credentials. Fix: Add xcuserdata/ to .gitignore immediately. Remove this directory from git history using 'git rm -r --cached' and audit for any exposed credentials.
• Medium · Missing Input Validation in Network Clients — FayeClient/FayeClient.swift, FayeClient/FayeMessage.swift. FayeClient implementation handles WebSocket messaging but the file structure suggests potential lack of input validation and sanitization for incoming messages from Faye protocol, which could lead to injection attacks. Fix: Implement strict input validation and sanitization for all Faye messages. Use allowlisting for message types and fields. Validate data types and sizes before processing.
• Medium · OpenGraph URL Parsing Without Validation — OpenGraph/Extensions/NSURL+OpenGraph.swift, OpenGraph/Service.swift. The OpenGraph module includes NSURL extensions that parse and process URLs from external sources. Without proper validation, this could be vulnerable to URL injection or SSRF attacks when fetching metadata. Fix: Implement URL scheme validation (allow only https://), add domain allowlisting, implement timeouts on network requests, and validate content-type headers of responses.
• Medium · Missing Security Headers and SSL Pinning — Yep/AppDelegate.swift (implied network configuration). No evidence of SSL certificate pinning or security header configuration for network requests. The app communicates with backend services but lacks protection against MITM attacks. Fix: Implement SSL certificate pinning for API endpoints. Configure secure URLSessionConfiguration with proper security policies. Validate all server certificates.
• Low · Weak Dependency Transparency — Cartfile, Cartfile.resolved, Podfile, Podfile.lock. Cartfile and Cartfile.resolved are present alongside Podfile, suggesting mixed dependency management. This reduces clarity on dependency versions and security update status. Fix: Standardize on a single dependency manager (preferably CocoaPods or SPM). Remove conflicting dependency files. Maintain clear version pinning and regular security updates.
• Low · Third-Party Activity Sharing Without Validation — Yep/Activities/WeChatActivity.swift. WeChatActivity.swift suggests integration with external social sharing platforms. Potential risk of data leakage or improper handling of user data during share operations. Fix: Validate and sanitize all data passed to third-party sharing services. Implement data minimization (share only necessary information). Review WeChat SDK security documentation.

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.