If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/insidegui/WWDC shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

WAIT — Slowing — last commit 8mo ago

• Last commit 8mo ago
• 6 active contributors
• BSD-2-Clause licensed
• Tests present
• ⚠ Slowing — last commit 8mo ago
• ⚠ Concentrated ownership — top contributor handles 68% of recent commits
• ⚠ No CI workflows detected

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live insidegui/WWDC repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/insidegui/WWDC.

What it runs against: a local clone of insidegui/WWDC — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in insidegui/WWDC | Confirms the artifact applies here, not a fork | | 2 | License is still BSD-2-Clause | Catches relicense before you depend on it | | 3 | Default branch master exists | Catches branch renames | | 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code | | 5 | Last commit ≤ 272 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of insidegui/WWDC. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/insidegui/WWDC.git
#   cd WWDC
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of insidegui/WWDC and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "insidegui/WWDC(\\.git)?\\b" \\
  && ok "origin remote is insidegui/WWDC" \\
  || miss "origin remote is not insidegui/WWDC (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(BSD-2-Clause)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"BSD-2-Clause\"" package.json 2>/dev/null) \\
  && ok "license is BSD-2-Clause" \\
  || miss "license drift — was BSD-2-Clause at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \\
  && ok "default branch master exists" \\
  || miss "default branch master no longer exists"

# 4. Critical files exist
test -f "Packages/ConfCore/ConfCore/Storage.swift" \\
  && ok "Packages/ConfCore/ConfCore/Storage.swift" \\
  || miss "missing critical file: Packages/ConfCore/ConfCore/Storage.swift"
test -f "Packages/ConfCore/ConfCore/AppleAPIClient.swift" \\
  && ok "Packages/ConfCore/ConfCore/AppleAPIClient.swift" \\
  || miss "missing critical file: Packages/ConfCore/ConfCore/AppleAPIClient.swift"
test -f "Packages/ConfCore/ConfCore/SyncEngine.swift" \\
  && ok "Packages/ConfCore/ConfCore/SyncEngine.swift" \\
  || miss "missing critical file: Packages/ConfCore/ConfCore/SyncEngine.swift"
test -f "Packages/ConfCore/ConfCore/Session.swift" \\
  && ok "Packages/ConfCore/ConfCore/Session.swift" \\
  || miss "missing critical file: Packages/ConfCore/ConfCore/Session.swift"
test -f "Packages/ConfCore/ConfCore/Event.swift" \\
  && ok "Packages/ConfCore/ConfCore/Event.swift" \\
  || miss "missing critical file: Packages/ConfCore/ConfCore/Event.swift"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 272 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~242d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/insidegui/WWDC"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

An unofficial native macOS application for watching and managing Apple WWDC (Worldwide Developers Conference) videos with features like video playback, session transcripts, bookmarks, clip sharing, and iCloud sync. It pulls video metadata and content from Apple's developer infrastructure and provides a modern SwiftUI-based interface for browsing, filtering, and tracking progress across multiple years of WWDC sessions. Modular Swift framework structure: ConfUIFoundation/ is a reusable UI component framework containing shared Colors.swift (Definitions/), Fonts.swift, and utility extensions (NSColor+Hex.swift, CALayer+Asset.swift). The main app likely lives in the parent directories and uses WWDC data fetched from JSON endpoints (Fixtures/ contains mock responses: config.json, contents.json, layout.json, transcript manifests for testing). Architecture separates concerns into UI definitions, utilities, and data models.

macOS developers who attend or study WWDC sessions and want a native, feature-rich alternative to the web-based Apple Developer app. They need to watch videos at variable speeds, search transcripts, bookmark segments with notes, and sync their progress across multiple Macs via iCloud.

Production-ready with active maintenance. The project has been under development for several years (evident from fixture data spanning 2018–2020), uses SwiftLint for code quality enforcement (.swiftlint.yml present), and maintains a structured contribution process (CODE_OF_CONDUCT.md, CONTRIBUTING.md, issue templates in .github/). The large Swift codebase (1.07M lines) and organized architecture suggest a mature, stable macOS application.

Low-to-moderate risk: primary risk is single-maintainer dependency (insidegui as sole owner) with no visible CI/CD pipeline (no .github/workflows/ files shown). Secondary risk is tight coupling to Apple's internal API structure for fetching WWDC content—if Apple changes their video/metadata endpoints, the app breaks without maintainer intervention. No visible unit test fixtures in the file list suggests testing coverage is minimal.

No active development timeline visible in the provided file structure. The most recent fixture data is from 2020b, suggesting the app may be in maintenance mode or awaiting the next WWDC cycle. No open PRs, issues, or CI logs are visible in the provided data. The presence of comprehensive fixtures indicates developers can run and test against historical WWDC data.

Clone the repo with git clone https://github.com/insidegui/WWDC.git && cd WWDC. Open WWDC.xcworkspace in Xcode (or WWDC.xcodeproj if no workspace exists). The Fixtures/ directory contains mock API responses; use testserver.sh scripts to serve them locally for development: bash Fixtures/testserver_2020.sh. Build and run the main target on a Mac running macOS 10.13+.

Daily commands: Open the Xcode project: open WWDC.xcworkspace. Select the main WWDC scheme and target the macOS simulator or a connected Mac. Press Cmd+R to build and run. For testing with real WWDC data, start a local fixture server: bash Fixtures/testserver_2020.sh (serves JSON fixtures on localhost) then point the app to that endpoint in Preferences.

• Packages/ConfCore/ConfCore/Storage.swift — Core data persistence layer using Realm; all session, bookmark, and favorite data flows through this abstraction.
• Packages/ConfCore/ConfCore/AppleAPIClient.swift — Handles all HTTP requests to Apple's WWDC API endpoints; required to understand data fetching and network error handling.
• Packages/ConfCore/ConfCore/SyncEngine.swift — Orchestrates CloudKit synchronization for bookmarks, favorites, and progress; critical for understanding multi-device sync.
• Packages/ConfCore/ConfCore/Session.swift — Primary domain model representing a WWDC session; foundational to understanding data structures across the app.
• Packages/ConfCore/ConfCore/Event.swift — Represents a WWDC event instance; models the temporal context for all sessions and schedule displays.
• ConfUIFoundation/Source/ConfUIFoundation.swift — Shared UI framework providing colors, fonts, and common UI utilities across macOS app; all UI components depend on definitions here.
• Packages/ConfCore/ConfCore/ConfCoreExports.swift — Public API surface for ConfCore package; defines what modules are exposed and consumed by the main app.

Add a new Session property or relationship

1. Add the new property to the Session class in Session.swift with appropriate Realm annotations (@Persisted, @Relationship) (Packages/ConfCore/ConfCore/Session.swift)
2. Add decoding logic in Session's CodingKeys and init(from:) if it comes from the API (Packages/ConfCore/ConfCore/Session.swift)
3. Create a StorageMigrator version bump in StorageMigrator.swift if the schema changed (Packages/ConfCore/ConfCore/StorageMigrator.swift)

Add a new API endpoint or response type

1. Create a new Decodable response struct (e.g., NewResponse.swift) with Codable conformance (Packages/ConfCore/ConfCore/ConfigResponse.swift)
2. Add a new method to AppleAPIClient to fetch the endpoint using URLSession (Packages/ConfCore/ConfCore/AppleAPIClient.swift)
3. Export the new types in ConfCoreExports.swift so they're visible to consumers (Packages/ConfCore/ConfCore/ConfCoreExports.swift)

Add CloudKit sync for a new entity type

1. Create a new SyncObject variant (e.g., EntitySyncObject.swift) following the pattern of FavoriteSyncObject.swift (Packages/ConfCore/ConfCore/FavoriteSyncObject.swift)
2. Implement CKRecord encoding/decoding in CloudKitHelper.swift for the new entity (Packages/ConfCore/ConfCore/CloudKitHelper.swift)
3. Register the new CKRecord type subscription in SyncEngine.swift's setupSubscriptions method (Packages/ConfCore/ConfCore/SyncEngine.swift)
4. Add conflict resolution logic in Entity+ConflictResolution.swift following Favorite+ConflictResolution.swift pattern (Packages/ConfCore/ConfCore/Favorite+ConflictResolution.swift)

Add a new UI color or font token

1. Add the color asset to ConfUIFoundation/Resources/ConfUIFoundation.xcassets/Colors/ (ConfUIFoundation/Resources/ConfUIFoundation.xcassets/Colors/Contents.json)
2. Define a semantic accessor in Colors.swift or add to the appropriate color set definition (ConfUIFoundation/Source/Definitions/Colors.swift)
3. For fonts, add to Fonts.swift and export via ConfUIFoundation.swift if it's a new category (ConfUIFoundation/Source/Definitions/Fonts.swift)

• Swift + SwiftUI — Native macOS performance and tight integration with Apple frameworks; code sharing with potential iOS port
• Realm — Persistent local storage with type-safe queries and automatic change notifications via Combine publishers
• CloudKit — Seamless iCloud sync for user state (bookmarks, favorites, progress) without backend infrastructure; leverages existing Apple accounts
• URLSession — Standard Apple networking stack for fetching WWDC catalog and metadata from Apple's public API endpoints
• Combine — Reactive data flow and synchronization of local changes with CloudKit and UI state updates

• CloudKit for sync instead of custom backend

  • Why: Reduces operational overhead and leverages user's existing iCloud credentials
  • Consequence: Limited to CloudKit's eventual consistency model; conflict resolution must handle edge cases (last-write-wins, custom merging logic per entity type)

• Realm for offline-first local storage

  • Why: Enables browsing cached content without network; fast change notifications
  • Consequence: Requires schema migrations on app updates; adds dependency on Realm licensing and compatibility

API Endpoint hardcoding: The app likely has hardcoded Apple developer API endpoints in source files (not shown); changing them requires code changes, not config. Objective-C bridge: NSColor+Accent.h suggests Objective-C interop for color handling—any color refactors must maintain this bridge. macOS version constraints: SwiftUI and modern AppKit APIs have version minimums; check Xcode build settings (likely macOS 10.13+ but verify in .pbxproj). iCloud sync: Requires Apple Developer account and proper CloudKit configuration—test fixtures won't cover this; must test on real Mac with iCloud enabled. Fixture servers: testserver.sh scripts assume Python/Ruby available; may fail on minimal development environments.

• iCloud Sync (CloudKit/NSUbiquitousKeyValueStore) — Core feature of this app allowing bookmarks, favorites, and progress to sync across user's Macs—understanding persistence synchronization is critical for modifying state management
• Transcript Search & Indexing — Sessions are searchable by transcript content; understanding how the app indexes and searches transcript-manifest-eng.json and segment timestamps is essential for search feature modifications
• Picture-in-Picture (PiP) Mode — Native macOS video feature allowing floating playback windows—implementation requires AVPlayer integration and window management, unique to macOS apps
• AppKit vs SwiftUI Interop — App likely mixes legacy AppKit and modern SwiftUI; understanding NSHostingController and NSViewControllerRepresentable is required for UI modifications
• Video Speed Control (Playback Rate Modification) — App supports 0.5x–2x variable speeds plus custom rates—requires AVPlayer rate property manipulation and UI state binding
• Deep Linking & Universal Links — App handles Apple Developer app universal links redirecting to sessions—routing and URL parsing logic prevents duplicate handlers and ensures seamless redirection
• Clip Sharing (Time-Bounded Video Export) — Feature allowing 5-minute max video segments to be shared—requires video trimming, encoding, and URL generation logic not typical in simple media apps

• sindresorhus/Lungo — Alternative macOS native app for media/conference content; demonstrates AppKit/SwiftUI patterns for macOS-first development
• Alamofire/Alamofire — HTTP networking library commonly paired with WWDC-style apps for robust API communication and error handling
• Apple/swift-collections — Official Swift data structures; relevant for efficient video list filtering and bookmark indexing
• realm/realm-swift — Alternative persistence layer to Core Data; many macOS apps use Realm for iCloud sync and offline bookmarks
• apple/sample-code-wwdc — Apple's official sample code from WWDC sessions; this app's main content source and reference for best practices

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add unit tests for ConfCore package models and networking

The Packages/ConfCore directory contains critical business logic (AppleAPIClient.swift, Bookmark.swift, CloudKitHelper.swift, ConfigResponse.swift) but there are no visible test files in the file structure. This is a high-value addition since these are foundational models for the entire app. Testing these would catch regressions in API parsing, bookmark syncing, and CloudKit operations.

• [ ] Create Tests/ directory structure under Packages/ConfCore/
• [ ] Add unit tests for AppleAPIClient.swift covering JSON decoding of ConfigResponse and session data
• [ ] Add tests for Bookmark.swift and BookmarkSyncObject.swift covering conflict resolution logic
• [ ] Add tests for CloudKitHelper.swift mocking CKRecord operations
• [ ] Ensure tests use the existing Fixtures/json_2020/ data for realistic test cases

Add GitHub Actions CI workflow to run SwiftLint and build validation

The repo contains .swiftlint.yml configuration but no visible CI workflow file in .github/workflows/. A CI job would automatically validate code style on PRs, prevent lint violations from merging, and catch build failures early. This is especially important for a community-driven open source project.

• [ ] Create .github/workflows/swift-lint.yml to run swiftlint on pull requests
• [ ] Add build validation step to ensure the main WWDC target and ConfUIFoundation framework compile
• [ ] Configure workflow to check both macOS target (via xcodebuild) and Swift Package (ConfCore)
• [ ] Add workflow status badge to README.md

Create test fixtures and documentation for API client testing

The Fixtures/ directory contains JSON responses for different WWDC years (2018, 2020, 2020b, before_event) and shell scripts (testserver.sh) suggesting local API testing capability, but there's no documentation explaining how to use these fixtures or extend them. New contributors can't easily understand the API contract or add tests.

• [ ] Create Fixtures/README.md documenting the structure of each JSON fixture directory
• [ ] Document what each JSON file represents (contents.json, config.json, layout.json, etc.)
• [ ] Add instructions on how to run testserver.sh and point AppleAPIClient at local fixtures
• [ ] Add a sample Swift test file (Packages/ConfCore/Tests/Fixtures.swift) showing how to load and use fixtures in unit tests
• [ ] Document how to add new fixtures when WWDC API responses change

• Add unit tests for ConfUIFoundation/Source/Util/NSColor+Hex.swift—currently has no visible test coverage; write tests for hex-to-NSColor conversion edge cases (invalid formats, alpha channels).
• Expand ConfUIFoundation/Source/Definitions/Fonts.swift documentation—add missing @doc comments describing font sizes and usage guidelines for different UI contexts (body text, headlines, captions).
• Create a missing fixture for Fixtures/json_2020/layout.json by reverse-engineering from app code—the layout structure is used for Explore tab layout but the fixture is absent, blocking offline testing.

The WWDC macOS application codebase shows reasonable security practices overall. No critical vulnerabilities were identified in the visible file structure. The main concerns are: (1) Test fixture files that should be reviewed for sensitive data exposure, (2) Test server scripts that need proper security isolation, (3) CloudKit integration requiring validation of data sync operations, (4) API client implementation requiring TLS and credential security review, and (5) Limited visibility into Swift Package dependencies. The application appears to handle user data (bookmarks, notes, favorites) with CloudKit sync, which requires proper data isolation and security controls. No hardcoded credentials, SQL injection vectors, or obvious misconfigurations were detected in the provided file structure.

• Medium · Fixtures Directory Contains Sensitive Test Data — Fixtures/ directory. The Fixtures directory contains JSON files with test data (contents.json, videos_live.json, config.json, etc.) that could expose API response structures or internal data formats. While these appear to be test fixtures, they should be carefully reviewed to ensure they don't contain any sensitive information that could be exploited. Fix: Review all fixture files to ensure they don't contain real credentials, API keys, or sensitive data. Consider using placeholder values instead of realistic data in fixtures. Add Fixtures to .gitignore if they contain real data.
• Low · Test Server Scripts Without Security Hardening — Fixtures/testserver.sh, Fixtures/testserver_2018.sh, Fixtures/testserver_2020.sh, Fixtures/testserver_before_event.sh. Multiple testserver.sh scripts are present in the Fixtures directory. These shell scripts for serving test data may not have proper security controls, potentially exposing endpoints or allowing unauthorized access during testing. Fix: Ensure test servers are only accessible locally (bind to 127.0.0.1), implement authentication for test endpoints if needed, document proper usage, and ensure these are never deployed to production environments.
• Low · CloudKit Integration Without Visible Security Validation — Packages/ConfCore/ConfCore/CloudKitHelper.swift, Packages/ConfCore/ConfCore/Data+CloudKit.swift. The codebase includes CloudKit integration (CloudKitHelper.swift, CKRecord+SystemFields.swift) for syncing bookmarks and favorites. CloudKit interactions should validate data integrity and ensure proper authentication/authorization. Fix: Verify that CloudKit operations use proper error handling, validate data before syncing, implement record-level security checks, and ensure users can only access their own data. Review CloudKit container permissions and database permissions configuration.
• Low · API Client Implementation Requires Review — Packages/ConfCore/ConfCore/AppleAPIClient.swift. AppleAPIClient.swift exists but implementation details are not visible. API clients are common sources of security issues including insufficient TLS validation, improper credential handling, or insecure request construction. Fix: Ensure API client uses TLS 1.2+, validates SSL certificates, doesn't log sensitive data, uses secure credential storage, implements rate limiting, and properly handles API errors. Review URL construction to prevent injection vulnerabilities.
• Low · Missing Visibility into Dependency Management — Package.swift, Package.resolved (not provided). No Package.swift or dependency lock file is provided in the analysis. Swift Package Manager dependencies are not fully visible, making it impossible to identify if any transitive dependencies have known vulnerabilities. Fix: Regularly audit Swift Package dependencies using swift package update and check for security advisories. Maintain a Package.resolved file for reproducible builds. Consider using tools like OWASP Dependency-Check for automated vulnerability scanning.

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.