
gee1k/uPic

uPic is a native, powerful, beautiful and simple picture and file upload tool for macOS.

Healthy

Healthy across all four use cases

Use as dependency: Healthy

Permissive license, no critical CVEs, actively maintained — safe to depend on.

Fork & modify: Healthy

Has a license, tests, and CI — clean foundation to fork and modify.

Learn from: Healthy

Documented and popular — useful reference codebase to read through.

Deploy as-is: Healthy

No critical CVEs, sane security posture — runnable as-is.

  • ✓ Last commit 5mo ago
  • ✓ 5 active contributors
  • ✓ Apache-2.0 licensed
  • ✓ CI configured
  • ⚠ Slowing — last commit 5mo ago
  • ⚠ Concentrated ownership — top contributor handles 73% of recent commits
  • ⚠ No test directory detected

Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests

Informational only. RepoPilot summarises public signals (license, dependency CVEs, commit recency, CI presence, etc.) at the time of analysis. Signals can be incomplete or stale. Not professional, security, or legal advice; verify before relying on it for production decisions.

Embed the "Healthy" badge

Paste into your README — live-updates from the latest cached analysis.

[![RepoPilot: Healthy](https://repopilot.app/api/badge/gee1k/upic)](https://repopilot.app/r/gee1k/upic)

Paste at the top of your README.md — renders inline like a shields.io badge.

Preview social card (1200×630)

This card auto-renders when someone shares https://repopilot.app/r/gee1k/upic on X, Slack, or LinkedIn.

Onboarding doc

Onboarding: gee1k/uPic

Generated by RepoPilot · 2026-05-10 · Source

Agent protocol

If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

  1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
  2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
  3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/gee1k/uPic shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

Verdict

GO — Healthy across all four use cases

  • Last commit 5mo ago
  • 5 active contributors
  • Apache-2.0 licensed
  • CI configured
  • ⚠ Slowing — last commit 5mo ago
  • ⚠ Concentrated ownership — top contributor handles 73% of recent commits
  • ⚠ No test directory detected

<sub>Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests</sub>

Verify before trusting

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live gee1k/uPic repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/gee1k/uPic.

What it runs against: a local clone of gee1k/uPic — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters |
|---|---|---|
| 1 | You're in gee1k/uPic | Confirms the artifact applies here, not a fork |
| 2 | License is still Apache-2.0 | Catches relicense before you depend on it |
| 3 | Default branch master exists | Catches branch renames |
| 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code |
| 5 | Last commit ≤ 181 days ago | Catches sudden abandonment since generation |

<details> <summary><b>Run all checks</b> — paste this script from inside your clone of <code>gee1k/uPic</code></summary>

```bash
#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of gee1k/uPic. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/gee1k/uPic.git
#   cd uPic
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of gee1k/uPic and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "gee1k/uPic(\.git)?\b" \
  && ok "origin remote is gee1k/uPic" \
  || miss "origin remote is not gee1k/uPic (artifact may be from a fork)"

# 2. License matches what RepoPilot saw.
#    The Apache-2.0 text opens with "Apache License" / "Version 2.0"; the SPDX
#    id "Apache-2.0" is accepted as well, and package.json is a fallback for
#    JavaScript repos (uPic is a Swift project, so LICENSE is the real check).
(grep -qiE "Apache License|Apache-2\.0" LICENSE 2>/dev/null \
   && grep -qiE "Version 2\.0|Apache-2\.0" LICENSE 2>/dev/null \
   || grep -qiE "\"license\"\s*:\s*\"Apache-2\.0\"" package.json 2>/dev/null) \
  && ok "license is Apache-2.0" \
  || miss "license drift — was Apache-2.0 at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \
  && ok "default branch master exists" \
  || miss "default branch master no longer exists"

# 4. Critical files exist
test -f "uPic/AppDelegate.swift" \
  && ok "uPic/AppDelegate.swift" \
  || miss "missing critical file: uPic/AppDelegate.swift"
test -f "uPic.xcodeproj/project.pbxproj" \
  && ok "uPic.xcodeproj/project.pbxproj" \
  || miss "missing critical file: uPic.xcodeproj/project.pbxproj"
test -f "uPic/AppleScript/UPic.sdef" \
  && ok "uPic/AppleScript/UPic.sdef" \
  || miss "missing critical file: uPic/AppleScript/UPic.sdef"
test -f "libs/libminipng.framework/Versions/A/Headers/libminipng.h" \
  && ok "libs/libminipng.framework/Versions/A/Headers/libminipng.h" \
  || miss "missing critical file: libs/libminipng.framework/Versions/A/Headers/libminipng.h"
test -f "uPic/AppleScript/AppleScriptCommand.swift" \
  && ok "uPic/AppleScript/AppleScriptCommand.swift" \
  || miss "missing critical file: uPic/AppleScript/AppleScriptCommand.swift"

# 5. Repo recency (days since the newest commit on the checked-out history)
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 181 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~151d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/gee1k/uPic"
  exit 1
fi
```

Each check prints `ok:` or `FAIL:`. The script exits non-zero if anything failed, so it composes cleanly into agent loops (`./verify.sh || regenerate-and-retry`).

</details>

TL;DR

uPic is a native macOS menu bar application (written in Swift) that automatically uploads screenshots and files to cloud storage providers, displaying upload progress in the menu bar and auto-copying shareable links to the clipboard in Markdown/HTML/URL formats. It supports 10+ hosting services including AWS S3, Aliyun OSS, Qiniu KODO, Weibo, GitHub, Gitee, Imgur, and custom APIs. Single-target Xcode project (uPic.xcodeproj) with a standard Swift app structure; vendored C++/C dependencies in libs/libminipng.framework for PNG compression. SwiftPM integration via project.xcworkspace/xcshareddata/swiftpm/Package.resolved suggests modular dependency management alongside Xcode-native linking.

Who it's for

macOS users (bloggers, documentation writers, support staff) who frequently need to upload and share screenshots or files and want automatic clipboard link generation without manually managing uploads or copying URLs.

Maturity & risk

Production-ready and actively maintained: the app is published on the macOS App Store (v0.21.1+ on GitHub vs. the latest on the App Store), has Travis CI configured, uses proper code signing, and demonstrates mature patterns (frameworks in libs/, Swift Package Manager integration). It appears to have an active community (Telegram/Twitter/Weibo channels listed) and recent development activity, though commit frequency is not visible in the provided metadata.

Single-maintainer project (gee1k) with limited visibility into issue backlog or PR pipeline from the file list alone. Dependency on external cloud services means breaking API changes upstream could require quick patches. The libminipng.framework (C++ image compression) is pre-built and vendored, which may cause maintenance friction if macOS/Xcode updates require recompilation.

Active areas of work

Not explicitly visible from the file list, but the presence of ReleaseTutorial.md and a maintained .travis.yml suggests active release cycles. The App Store listing is current; the GitHub release process is documented.

Get running

Clone and open in Xcode:

git clone https://github.com/gee1k/uPic.git
cd uPic
open uPic.xcodeproj

Then build & run in Xcode (Cmd+R) or via:

xcodebuild -scheme uPic -configuration Release

No external npm/pod install step visible; dependencies appear pre-resolved in the workspace.

Daily commands: Open uPic.xcodeproj in Xcode and press Cmd+R, or build via terminal:

xcodebuild -scheme uPic -configuration Debug build

The app will launch as a menu bar utility; configure upload services in preferences.

Map of the codebase

  • uPic/AppDelegate.swift — Main application entry point and lifecycle management for the macOS app; essential for understanding the overall architecture and startup flow.
  • uPic.xcodeproj/project.pbxproj — Xcode project configuration that defines build targets, dependencies, and schemes; critical for reproducible builds and understanding the project structure.
  • uPic/AppleScript/UPic.sdef — AppleScript dictionary definition that exposes the app's scriptability interface; essential for contributors working on automation and scripting features.
  • libs/libminipng.framework/Versions/A/Headers/libminipng.h — PNG compression library interface; fundamental dependency for image processing and optimization features.
  • uPic/AppleScript/AppleScriptCommand.swift — AppleScript command handler implementation; bridges the UPic.sdef interface to actual upload and file handling logic.
  • uPic.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved — Swift Package Manager dependency lock file; ensures reproducible builds and tracks all external library versions.

Components & responsibilities

  • AppDelegate (Swift, Cocoa/SwiftUI, NSApplicationDelegate) — Central coordinator for app lifecycle, UI windows, menu bar interaction, and request routing
    • Failure mode: App crash; loss of in-flight uploads; menu bar icon becomes unresponsive
  • AppleScript Handler (AppleScriptCommand.swift + UPic.sdef) (AppleScript, Swift NSScriptCommand, Cocoa events) — Bridges external AppleScript requests to internal upload logic; implements scriptable API surface
    • Failure mode: Automation scripts fail; external integrations (Automator, shell) cannot trigger uploads
  • Upload Handler (Swift, URLSession, libminipng, Keychain (for credentials)) — Core upload logic: image compression, host authentication, network I/O, error handling, clipboard updates
    • Failure mode: Uploads fail silently or crash; corrupted image data sent to cloud; URL not copied to clipboard
  • Host Integrations (Aliyun OSS, S3, etc.) (Swift, REST APIs, AWS SDK / Aliyun SDK (if used)) — Cloud provider-specific API clients: auth, signed URLs, upload strategies, error mapping
    • Failure mode: Uploads to specific host fail; credentials leak; incorrect URL format returned
  • libminipng Framework (C, PNG codec) — C library for PNG compression; reduces image payload size
    • Failure mode: Compression fails or produces invalid PNG; app crashes if library symbol not found

Data flow

  • User (drag-drop / keyboard shortcut) → AppDelegate — File or image selection triggered by UI interaction
  • AppDelegate → Upload Handler — Passes file path and selected host configuration
  • Upload Handler → libminipng — Raw image bytes → compressed PNG (optional)
  • Upload Handler → Cloud Host API — Authenticated HTTP PUT/POST with image payload
  • Cloud Host API → Upload Handler — Returns public URL of uploaded file
  • Upload Handler → Clipboard (NSPasteboard) — Writes public URL for user to paste elsewhere
  • AppleScript (external) → AppleScriptCommand.swift — Invokes upload or query commands via OSA events
  • AppleScriptCommand.swift → Upload Handler — Marshals AppleScript parameters to internal upload logic

How to make changes

Add support for a new cloud storage provider

  1. Create host icon assets at uPic/Assets.xcassets/hosts/host_icon_<provider_name>.imageset/ with Contents.json and @1x, @2x, @3x images (uPic/Assets.xcassets/hosts/Contents.json)
  2. Define the storage provider configuration and upload handler logic in the main source (typically alongside existing host implementations) (uPic/AppDelegate.swift)
  3. If AppleScript support is needed, add command definitions to UPic.sdef (uPic/AppleScript/UPic.sdef)

Extend AppleScript automation capabilities

  1. Add new command or object definitions to the AppleScript dictionary (uPic/AppleScript/UPic.sdef)
  2. Implement the corresponding command handler in Swift (uPic/AppleScript/AppleScriptCommand.swift)

Optimize image processing

  1. Link against libminipng framework by updating build phases in project settings (uPic.xcodeproj/project.pbxproj)
  2. Use the C interface exposed by libminipng.h to compress images before upload (libs/libminipng.framework/Versions/A/Headers/libminipng.h)

Why these technologies

  • Swift + Cocoa/SwiftUI — Native macOS development with full access to system APIs, clipboard, drag-and-drop, and native UI components for seamless integration.
  • AppleScript (via .sdef) — Enables automation from other applications and command-line scripts, extending uPic's utility in automated workflows and shell scripts.
  • libminipng framework — Lightweight C library for PNG compression, reducing image file sizes before upload without performance overhead.
  • Xcode + SPM — Standard Apple development toolchain and dependency management, ensuring compatibility with macOS and easy distribution.

Trade-offs already made

  • macOS-only native app vs. cross-platform framework

    • Why: Native Cocoa/SwiftUI provides superior UX and integration with macOS features (Dock, menu bar, system services).
    • Consequence: Cannot serve Windows/Linux users; higher maintenance burden per platform if multi-platform support is ever needed.
  • Vendored libminipng framework vs. Swift-only image processing

    • Why: C-based library provides better performance for PNG optimization.
    • Consequence: Adds binary dependency; requires framework code signing and version management.
  • AppleScript scriptability via .sdef

    • Why: Integrates with macOS automation ecosystem; allows Automator, shell scripts, and other apps to trigger uploads.
    • Consequence: Requires maintaining AppleScript interface contract; adds command dispatch and type marshaling overhead.

Non-goals (don't propose these)

  • Does not support Windows or Linux platforms
  • Does not provide real-time collaboration or file sharing
  • Does not include built-in image editor beyond compression/optimization
  • Does not provide server-side storage or account management; relies entirely on user-configured external hosts

Anti-patterns to avoid

  • Clipboard coupling — AppDelegate (no further detail was generated for this item)

Traps & gotchas

  • libminipng pre-built binary: The vendored .framework is architecture-specific (arm64-apple-macos.swiftmodule and x86_64-apple-macos.swiftmodule present). If you need to modify PNG compression or support a new architecture, you must rebuild this framework from source (not included).
  • Code signing: The App Store build path requires a valid Team ID and provisioning profiles (visible in Code Signature files).
  • Service credentials: Each upload service requires separate API keys/tokens in user defaults/Keychain; no template setup is documented in the file list, so check existing services after cloning.
  • macOS version target: The .framework's inclusion of both Intel and ARM modules suggests support for both, but the minimum deployment target is not visible in the file list.

๐Ÿ—๏ธArchitecture

๐Ÿ’กConcepts to learn

  • macOS Menu Bar Integration (NSStatusBar / NSStatusItem) โ€” uPic's core UI is a menu bar utility, not a traditional windowed app; understanding NSStatusBar and event handling in the menu bar is essential to modify the primary user interaction point
  • Cocoa Pasteboard (NSPasteboard) โ€” The key feature is auto-copying upload URLs to clipboard; NSPasteboard is the mechanism for setting rich content types (Markdown, HTML, plain text) simultaneously
  • Swift-Objective-C Bridging โ€” libminipng.framework is C++ but must be consumed by Swift; the bridge headers (libminipng-Swift.h, module.modulemap) define the interop layer and require understanding header visibility and symbol linking
  • Async File Upload with Progress Tracking โ€” uPic must upload files without blocking the UI and report progress to the menu bar; this requires URLSession delegates, DispatchQueue coordination, or async/await patterns (depending on Swift version)
  • Code Signing and App Notarization for macOS โ€” The presence of _CodeSignature/ subdirectories and App Store distribution means the build must be signed and potentially notarized by Apple; impacts release process and security UX
  • Swift Package Manager (SPM) vs. Xcode Native Linking โ€” The project uses both Package.resolved (SPM) and vendored frameworks (libminipng); understanding the hybrid approach and dependency resolution order is critical for avoiding build conflicts
  • Multi-Service Factory Pattern for Upload Handlers โ€” Supporting 10+ cloud services (S3, Aliyun, Qiniu, Weibo, etc.) likely requires a pluggable service registry; this architectural pattern is invisible in file list but essential for extending the app
  • PicGo/PicGo-Core โ€” Cross-platform image uploader core for similar multi-service uploads; written in TypeScript/Node.js, enables comparison of service abstraction patterns
  • CodeByzantine/TinyPNG-macOS โ€” Alternative native macOS image compression tool; shows different approach to integrating C++ compression libraries with Swift UI
  • gee1k/uPic-iOS โ€” Official companion iOS app for uPic, shares service definitions and upload logic; useful for understanding cross-platform architecture decisions
  • Clement0629/EasyImages2.0 โ€” Another macOS screenshot-to-cloud uploader; demonstrates competing UX patterns and alternative service integrations for inspiration
  • iterm2/iTerm2 โ€” Mature macOS menu bar app using Swift and Objective-C; reference for best practices in native menu bar integration and Cocoa lifecycle management

PR ideas

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add GitHub Actions workflow for macOS app code signing and release automation

The repo currently uses Travis CI (.travis.yml), which is outdated. GitHub Actions is now the standard for macOS app CI/CD. This would automate code signing, app notarization, and release creation for the Swift/Xcode project, replacing the legacy .travis.yml and streamlining the release process documented in ReleaseTutorial.md.

  • [ ] Create .github/workflows/macos-build.yml with steps for code signing and building the uPic.xcodeproj
  • [ ] Add notarization step using Apple Developer credentials for macOS app distribution
  • [ ] Configure automatic release creation with built .app artifact upload
  • [ ] Remove or deprecate .travis.yml after validation
  • [ ] Update CONTRIBUTING.md with new CI workflow instructions

Create unit tests for AppleScript command handling and file upload logic

The repo has AppleScript support (uPic/AppleScript/AppleScriptCommand.swift and UPic.sdef) but no visible test suite. Adding tests would validate the AppleScript bridge functionality and upload mechanisms, improving reliability for automation-focused users.

  • [ ] Create uPicTests directory with test targets in uPic.xcodeproj/project.pbxproj
  • [ ] Write XCTest cases for uPic/AppleScript/AppleScriptCommand.swift covering command parsing and execution
  • [ ] Add integration tests for the upload pipeline using mock providers
  • [ ] Document test setup in CONTRIBUTING.md with example test commands
  • [ ] Configure .xcschemes to run tests in CI pipeline

Extract and document the libminipng.framework binary dependency management strategy

The libs/libminipng.framework is a pre-built binary framework with platform-specific Swift modules (arm64 and x86_64). The repo lacks documentation on how to update this dependency, rebuild it, or handle version management. This creates maintenance bottlenecks for contributors.

  • [ ] Create docs/LIBMINIPNG_MANAGEMENT.md explaining how to update the framework version
  • [ ] Document the build process for libminipng for both arm64 and x86_64 architectures
  • [ ] Add version tracking (e.g., in a DEPENDENCIES.md or VERSIONS.txt file)
  • [ ] Create a GitHub Actions workflow to automate framework binary updates if source is available
  • [ ] Update CONTRIBUTING.md with instructions for dependency management

Good first issues

  • Add unit tests for the libminipng.framework wrapper: Currently no test files are visible in the file list; create a new XCTest target in uPic.xcodeproj with basic tests for image compression functions to improve CI coverage and catch regressions. Why: increases confidence in C++ bridge safety and reduces the risk of upload failures due to corrupted images.
  • Document the custom upload API specification: The README mentions 'custom upload api' but CONTRIBUTING.md and README.md do not define the schema or endpoint requirements; create a file under docs/ with curl examples, JSON payload format, and error handling for contributors wanting to add a new service. Why: lowers the barrier for community contribution of new upload services and clarifies the expected API contract.
  • Add support for drag-and-drop file uploads to the menu bar icon: The app currently auto-uploads screenshots but not arbitrary files via the UI; implement a drop zone or pasteboard watcher in the menu controller to let users drag files directly onto the menu bar icon. Why: improves UX for power users and aligns with the app's 'simple and beautiful' positioning in marketing.


Recent commits

  • b1eeee7 — fix: fix the disk permission issue under macOS 26.1 (gee1k)
  • bba7d5a — fix: optimize the disk permission request logic (gee1k)
  • 001717f — Revert "refactor: simplify disk permission management, remove the unnecessary user home directory authorization logic" (gee1k)
  • 60784fe — style: optimize the app icon (gee1k)
  • d899718 — fix: attempt to fix the issue where hovering in the upload history may not correctly show the large preview image (gee1k)
  • 9203e26 — perf: optimize full disk access permission (gee1k)
  • 8c2cc49 — chore: update Info.plist (gee1k)
  • f08bf7e — fix: fix the issue where hovering in the upload history may not correctly show the large preview image (gee1k)
  • da45bcd — refactor: simplify disk permission management, remove the unnecessary user home directory authorization logic (gee1k)
  • 0fc2f67 — chore: optimize some code (gee1k)

Security observations

The uPic macOS application shows moderate security posture with several areas of concern. The most critical issue is the inclusion of precompiled binary frameworks that cannot be audited. Secondary concerns include potential command injection risks through AppleScript handling and lack of visible dependency vulnerability scanning. The application handles sensitive file uploads and cloud service credentials, making secure implementation critical. Key recommendations: (1) Replace binary frameworks with source dependencies, (2) Implement input validation for AppleScript commands, (3) Enable dependency vulnerability scanning, (4) Enforce HTTPS with certificate pinning for network operations, and (5) Add security documentation and disclosure policy.

  • High · Hardcoded Binary Framework in Repository — libs/libminipng.framework/. The repository contains a compiled binary framework (libminipng.framework) with code signatures. This includes pre-built binaries and compiled Swift modules. Without source code review or verification of the build process, it's difficult to audit for vulnerabilities or ensure supply chain integrity. Fix: Replace with source code dependency via CocoaPods/SPM, document build process, and verify framework authenticity through hash verification or official distribution channels.
  • Medium · Missing Dependency Lock File Details — uPic.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved. While Package.resolved exists (indicating Swift Package Manager usage), the complete dependency list and versions are not provided for analysis. This makes it impossible to audit for known vulnerable dependencies. Fix: Review Package.resolved for deprecated or vulnerable package versions. Run 'swift package show-dependencies' and check against security advisories. Consider using SwiftSecurity or similar tools for dependency vulnerability scanning.
  • Medium · Potential Insecure Network Communication — uPic/AppleScript/AppleScriptCommand.swift. As an upload tool handling user files and credentials for various cloud services, the application likely performs network requests. The file structure suggests integration with cloud services and potential AppleScript command execution without visible security validation. Fix: Ensure all network requests use HTTPS with certificate pinning for sensitive operations. Validate and sanitize all AppleScript inputs to prevent command injection. Implement proper certificate validation.
  • Medium · AppleScript Command Execution Risk — uPic/AppleScript/AppleScriptCommand.swift, uPic/AppleScript/UPic.sdef. The presence of AppleScript command handling (AppleScriptCommand.swift and UPic.sdef) suggests the application accepts and executes AppleScript commands. Without visible input validation, this could lead to command injection vulnerabilities. Fix: Implement strict input validation and whitelisting for all AppleScript parameters. Use parameterized/safe AppleScript execution methods. Avoid string concatenation for command building. Document all available commands and their safe usage.
  • Low · Build Configuration Exposure — uPic.xcodeproj/xcshareddata/xcschemes/. Multiple build schemes are committed to version control (.xcscheme files), including localized variants. While not directly a vulnerability, this could expose build configurations to analysis. Fix: Review scheme contents for hardcoded sensitive values. Consider moving sensitive build settings to build configuration files outside version control.
  • Low · Missing Security Documentation — Repository root. No visible security policy, vulnerability disclosure guidelines, or security headers documentation in the repository. Fix: Add SECURITY.md with vulnerability disclosure process. Document security practices in CONTRIBUTING.md. Implement security best practices guide for contributors.
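What the "validate all AppleScript parameters, never build command strings" fix above looks like in an NSScriptCommand handler, as an added example that is not uPic's own code: the class, the sdef verb it serves, the size limit and the `uploadHook` entry point are assumptions for illustration.

```swift
import Foundation

/// Hypothetical handler for an sdef verb such as
///   <command name="upload" code="uPicUpld"><direct-parameter type="text" list="yes"/></command>
/// The class name, the verb and `uploadHook` are assumptions for this example.
final class UploadScriptCommand: NSScriptCommand {

    struct ValidationError: Error { let message: String }

    /// Directories an AppleScript caller may upload from (symlinks resolved once, up front).
    static let allowedRoots: [URL] = [
        FileManager.default.homeDirectoryForCurrentUser,
        FileManager.default.temporaryDirectory,
    ].map { $0.standardizedFileURL.resolvingSymlinksInPath() }

    /// Constructed size ceiling for the example; a real app would read it from settings.
    static let maxBytes = 200 * 1024 * 1024

    /// Wire this to the app's real upload entry point; it only ever receives typed file URLs.
    static var uploadHook: ([URL]) -> [URL] = { $0 }

    override func performDefaultImplementation() -> Any? {
        // Accept exactly two argument shapes: one path or a list of paths.
        let rawPaths: [String]
        switch directParameter {
        case let one as String:    rawPaths = [one]
        case let many as [String]: rawPaths = many
        default:
            return fail("expected a file path or a list of file paths")
        }

        var urls: [URL] = []
        for raw in rawPaths {
            switch Self.validate(path: raw) {
            case .success(let url):   urls.append(url)
            case .failure(let error): return fail(error.message)
            }
        }
        // No shell string is ever assembled from the parameter: the upload code
        // gets URLs, so metacharacters in a path are just characters in a name.
        return Self.uploadHook(urls).map { $0.absoluteString }
    }

    /// Pure validation, kept static so it can be unit-tested without Apple events.
    static func validate(path: String) -> Result<URL, ValidationError> {
        guard !path.isEmpty, !path.contains("\0") else {
            return .failure(ValidationError(message: "empty path or embedded NUL"))
        }
        guard path.hasPrefix("/") else {
            return .failure(ValidationError(message: "path must be absolute: \(path)"))
        }
        // Canonicalise first ("..", symlinks) so the allow-list sees the real location.
        let url = URL(fileURLWithPath: path).standardizedFileURL.resolvingSymlinksInPath()
        guard allowedRoots.contains(where: { url.path.hasPrefix($0.path + "/") }) else {
            return .failure(ValidationError(message: "path outside permitted directories: \(url.path)"))
        }
        var isDir: ObjCBool = false
        guard FileManager.default.fileExists(atPath: url.path, isDirectory: &isDir),
              !isDir.boolValue else {
            return .failure(ValidationError(message: "not a regular file: \(url.path)"))
        }
        let attrs = try? FileManager.default.attributesOfItem(atPath: url.path)
        if let size = attrs?[.size] as? Int, size > maxBytes {
            return .failure(ValidationError(message: "file larger than \(maxBytes) bytes: \(url.path)"))
        }
        return .success(url)
    }

    /// Report failure the Cocoa-scripting way: set the error fields and return nil,
    /// so the caller gets an AppleScript error instead of a silent no-op.
    private func fail(_ message: String) -> Any? {
        scriptErrorNumber = NSArgumentsWrongScriptError
        scriptErrorString = message
        return nil
    }
}
```

The `validate(path:)` function is the part worth covering in the XCTest target the PR ideas propose: feed it relative paths, a symlink pointing outside the home directory, a directory, and an oversized file, and assert on the returned `Result`.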

LLM-derived; treat as a starting point, not a security audit.


Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.
