If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/wikimedia/wikipedia-ios shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

GO — Healthy across the board

• Last commit 1d ago
• 7 active contributors
• MIT licensed
• CI configured
• Tests present
• ⚠ Concentrated ownership — top contributor handles 56% of recent commits

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live wikimedia/wikipedia-ios repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/wikimedia/wikipedia-ios.

What it runs against: a local clone of wikimedia/wikipedia-ios — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in wikimedia/wikipedia-ios | Confirms the artifact applies here, not a fork | | 2 | License is still MIT | Catches relicense before you depend on it | | 3 | Default branch main exists | Catches branch renames | | 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code | | 5 | Last commit ≤ 31 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of wikimedia/wikipedia-ios. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/wikimedia/wikipedia-ios.git
#   cd wikipedia-ios
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of wikimedia/wikipedia-ios and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "wikimedia/wikipedia-ios(\\.git)?\\b" \\
  && ok "origin remote is wikimedia/wikipedia-ios" \\
  || miss "origin remote is not wikimedia/wikipedia-ios (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(MIT)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"MIT\"" package.json 2>/dev/null) \\
  && ok "license is MIT" \\
  || miss "license drift — was MIT at generation time"

# 3. Default branch
git rev-parse --verify main >/dev/null 2>&1 \\
  && ok "default branch main exists" \\
  || miss "default branch main no longer exists"

# 4. Critical files exist
test -f "WMF Framework/CacheController.swift" \\
  && ok "WMF Framework/CacheController.swift" \\
  || miss "missing critical file: WMF Framework/CacheController.swift"
test -f "WMF Framework/Configuration.swift" \\
  && ok "WMF Framework/Configuration.swift" \\
  || miss "missing critical file: WMF Framework/Configuration.swift"
test -f "WMF Framework/ArticleCacheController.swift" \\
  && ok "WMF Framework/ArticleCacheController.swift" \\
  || miss "missing critical file: WMF Framework/ArticleCacheController.swift"
test -f ".github/copilot-instructions.md" \\
  && ok ".github/copilot-instructions.md" \\
  || miss "missing critical file: .github/copilot-instructions.md"
test -f "WMF Framework/Cache.xcdatamodeld/Cache 2.xcdatamodel/contents" \\
  && ok "WMF Framework/Cache.xcdatamodeld/Cache 2.xcdatamodel/contents" \\
  || miss "missing critical file: WMF Framework/Cache.xcdatamodeld/Cache 2.xcdatamodel/contents"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 31 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~1d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/wikimedia/wikipedia-ios"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

The official Wikipedia iOS app built in Swift and Objective-C, providing native mobile access to Wikipedia's content with offline reading, article browsing, language switching, and home feed personalization. It syncs reading history and saved articles across devices and includes widget support for quick article access. Modular structure: main Wikipedia app target with two app extensions (ContinueReadingWidget and NotificationServiceExtension), command-line utilities for language/localization updates, and centralized configuration via .xcodeproj. Code uses storyboard-based UI (Base.lproj, localized .lproj folders per language) and likely MVVM or layered architecture given the scale, with real-time sync via MediaWiki APIs.

iOS developers maintaining a large-scale production mobile app at Wikimedia Foundation, and contributors interested in open-source mobile development. Users are Wikipedia readers who want a native iOS experience instead of mobile web.

Highly mature and production-ready. The codebase is 7.8M lines of Swift and 1.5M of Objective-C, has active CI/CD pipelines (GitHub Actions for unit tests, UI tests, localization, and versioning), and maintains strict linting standards (.swiftlint.yml, .clang-format enforced via pre-commit hooks). The project is actively maintained by the Wikimedia Apps Team with regular releases and 55+ supported languages.

Standard open source risks apply.

Active development on localization (localization.yml workflow), CI/CD automation (GitHub Actions for tag_latest_beta, check_versions, update_version), and language support management (Command Line Tools for updating supported languages). Pull request reviews and bug tracking happen on Phabricator (task/edit form linked in README), with ongoing focus on UI tests and beta releases.

git clone https://github.com/wikimedia/wikipedia-ios.git
cd wikipedia-ios
./scripts/setup
open Wikipedia.xcodeproj

Then select the Wikipedia scheme and target in Xcode and run on the iOS Simulator.

Daily commands: Open Wikipedia.xcodeproj in Xcode 16.0+, select Wikipedia scheme, choose iOS Simulator, then press Run (⌘R). The app will launch on the simulator with the default language locale.

• WMF Framework/CacheController.swift — Core cache management system handling all article data persistence and retrieval; essential for understanding app's offline-first architecture
• WMF Framework/Configuration.swift — Central configuration and feature flags system that controls runtime behavior across the entire app
• WMF Framework/ArticleCacheController.swift — Article-specific cache logic managing article summaries, content, and media assets; critical data flow component
• .github/copilot-instructions.md — AI guidelines and architectural patterns specific to this codebase; sets expectations for code generation and contributions
• WMF Framework/Cache.xcdatamodeld/Cache 2.xcdatamodel/contents — Core Data schema defining the persistence layer; any data model changes require understanding this first
• README.md — Setup and build instructions; required reading for environment configuration and dependency management
• SECURITY — Security policies and vulnerability reporting procedures for the official Wikipedia app

Add a New Cacheable Article Feature

1. Define the Core Data entity in Cache.xcdatamodeld by opening Cache 2.xcdatamodel/contents and adding your new entity with relationships to CacheGroup (WMF Framework/Cache.xcdatamodeld/Cache 2.xcdatamodel/contents)
2. Create a new Swift class conforming to CacheDBWriting protocol to handle database writes for your feature (WMF Framework/CacheDBWriting.swift)
3. Create a new Swift class conforming to CacheFetching protocol to handle reads and queries (WMF Framework/CacheFetching.swift)
4. Register your cache writer and fetcher in ArticleCacheController or CacheController's initialization chain (WMF Framework/ArticleCacheController.swift)
5. Add configuration flags if the feature is conditional in Configuration.swift (WMF Framework/Configuration.swift)

Add a New UI Collection View Cell Type

1. Create your cell class extending UICollectionViewCell and adopt Themeable pattern from ArticleCollectionViewCell+Themeable.swift (WMF Framework/ArticleCollectionViewCell+Themeable.swift)
2. Define layout metrics using ColumnarCollectionViewLayoutMetrics to ensure responsive design (WMF Framework/ColumnarCollectionViewLayoutMetrics.swift)
3. Register your cell in the view controller's collection view and provide layout section info via ColumnarCollectionViewLayout (WMF Framework/ColumnarCollectionViewLayout.swift)
4. Implement edit mode support if needed by integrating with CollectionViewEditController (WMF Framework/CollectionViewEditController.swift)

Add a New App Feature with Background Fetch

1. Implement your feature's async operation by extending AsyncOperation for queue-based concurrency (WMF Framework/AsyncOperation.swift)
2. Add background fetch logic to BackgroundFetcher, which handles app refresh and prefetching (WMF Framework/BackgroundFetcher.swift)
3. Add a feature flag in Configuration.swift to control feature rollout (WMF Framework/Configuration.swift)
4. Wire the background fetch task into AppDelegate's didFinishLaunchingWithOptions by registering with BGTaskScheduler

Localize a New Widget or Extension

1. Add localization strings to the .lproj directories following the existing pattern in ContinueReadingWidget (e.g., en.lproj, be.lproj) (ContinueReadingWidget/en.lproj/InfoPlist.strings)
2. Use DateFormatter+WikipediaLanguage to ensure dates and content are formatted per language conventions (WMF Framework/DateFormatter+WikipediaLanguage.swift)
3. Import localization updates via the localization command-line utility (Command Line Tools/Update Localizations/localization.swift)

• Core Data (SQLite backend) — Provides robust offline-first architecture essential for Wikipedia app's offline reading capability; automatic schema versioning and migration support via xcdatamodeld
• Swift with Objective-C interop — Modern iOS development with gradual Objective-C migration path; allows leveraging legacy code while adopting Swift incrementally
• UICollectionView + Custom ColumnarLayout — Handles responsive, column-based layouts across iPad and iPhone devices; custom layout enables efficient scrolling and memory management
• Operation queues (AsyncOperation) — Manages concurrent network requests and background tasks with built-in cancellation and dependency management; safer than raw threads
• App Extensions (Widgets, Notification Service) — Delivers rich user experiences outside main app context; widgets show reading history, notifications deliver rich media

Xcode version requirement: Must use Xcode 16.0+; older versions will fail build. Pre-commit hooks: ./scripts/setup installs ClangFormat pre-commit hook that reformats Objective-C code automatically; disable with care. Relative paths in setup: Must run ./scripts/setup from repo root, not from scripts/ directory (noted explicitly in README). Language localization tooling: Updates to supported languages require running Command Line Tools utilities and committing generated files; manual edits to language lists will conflict with automation. Extension entitlements: ContinueReadingWidget and NotificationServiceExtension require matching bundle IDs and App Groups entitlements; misconfiguration breaks widgets silently at runtime. No package.json: Despite some Node/Ruby tooling, this is primarily Xcode-based; npm/gem are secondary.

• App Extensions (WidgetKit) — This repo uses iOS app extensions (ContinueReadingWidget, NotificationServiceExtension) that run in separate processes with restricted entitlements; understanding extension lifecycle and App Groups is essential for maintaining the widget and notification features
• Storyboard-based UI with Localization — The app uses .lproj localization bundles per language (55+ languages) paired with Base.lproj storyboards; understanding how iOS resolves localized resources is critical for adding UI without breaking translations
• Offline Content Sync & Caching — Wikipedia iOS enables offline reading with synced article history; understanding cache invalidation, differential sync, and storage constraints is crucial for features like 'Continue Reading'
• Swift/Objective-C Interoperability (Bridging) — The codebase mixes 7.8M lines of Swift with 1.5M lines of legacy Objective-C; maintaining a bridging header and understanding name mangling is essential when refactoring or adding features that span both languages
• GitHub Actions CI/CD for iOS — This repo uses GitHub Actions workflows (.github/workflows/*.yml) for unit tests, UI tests, versioning, and beta releases; understanding how to trigger and debug CI pipelines is essential for merging PRs
• Pre-commit Hooks & Linting Automation — ./scripts/setup installs ClangFormat pre-commit hooks that auto-format Objective-C code; understanding git hooks prevents surprise reformatting and CI failures
• Phabricator Task Tracking — Unlike most GitHub projects, this repo tracks issues in Wikimedia's Phabricator instance (project 782); understanding the task workflow is essential for bug reports and feature planning

• wikimedia/mediawiki-api-docs — Official MediaWiki REST API documentation; the backend API surface that the iOS app consumes for article content
• wikimedia/android-wikipedia-app — Android counterpart to this iOS app; shares the same design language, API integration, and localization strategy across platforms
• wikimedia/phabricator-extensions — Wikimedia's Phabricator instance where this project's bugs, features, and milestones are tracked (linked in README)
• realm/SwiftLint — The linting tool installed by ./scripts/setup and enforced via .swiftlint.yml; critical for code quality in this codebase
• apple/swift-package-manager — Likely dependency manager for this Swift project; understanding SPM modules helps with adding new dependencies

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add unit tests for WMF Framework core utilities (Array+SafeIndex.swift, AsyncOperation.swift, ArticleCacheController.swift)

The WMF Framework directory contains critical utility files but has minimal test coverage visible in the file structure. Array+SafeIndex.swift and AsyncOperation.swift are foundational utilities used throughout the app. Adding comprehensive unit tests for these core components would improve code reliability and catch regressions early, especially since AsyncOperation is likely used for background operations and resource fetching.

• [ ] Create Tests/WMFFrameworkTests/Array+SafeIndexTests.swift with tests for safe indexing edge cases (empty arrays, out-of-bounds, negative indices)
• [ ] Create Tests/WMFFrameworkTests/AsyncOperationTests.swift with tests for operation state transitions, completion handlers, and cancellation
• [ ] Create Tests/WMFFrameworkTests/ArticleCacheControllerTests.swift to verify cache hit/miss scenarios and resource synchronization via ArticleCacheDBWriter+SyncResources.swift
• [ ] Add these test targets to Wikipedia.xctestplan and WMFData.xctestplan if not already included

Implement SwiftLint coverage checking in CI (GitHub Actions integration for .swiftlint.yml rules)

The repo has two SwiftLint config files (.swiftlint.yml and .swiftlint-autocorrect.yml) but no visible GitHub Action workflow that enforces SwiftLint rules on PRs. While run_unit_tests.yml and run_ui_tests.yml exist, there's no linting step. Adding automated SwiftLint checks would catch style violations early, reduce reviewer burden, and maintain code quality consistency across contributions.

• [ ] Create .github/workflows/swiftlint_check.yml that runs SwiftLint on all Swift files in PR changes
• [ ] Configure the workflow to use .swiftlint.yml configuration and fail the check if violations are found
• [ ] Add a comment to the PR with SwiftLint violations summary using the SwiftLint GitHub Action
• [ ] Document the linting requirements in CONTRIBUTING.md or README.md (if missing)

Add UI tests for NotificationServiceExtension and ContinueReadingWidget critical paths

NotificationServiceExtension and ContinueReadingWidget are separate app targets with their own entitlements and localization, but there are no dedicated UI test files visible for these extensions. These are user-facing features that should have automated tests covering notification delivery and widget rendering. Test Plans/UITests.xctestplan likely doesn't cover these critical flows.

• [ ] Create UITests/NotificationServiceExtensionUITests.swift testing notification delivery, user interaction, and rich content rendering
• [ ] Create UITests/ContinueReadingWidgetUITests.swift testing widget display, article loading from saved articles, and tap-through navigation
• [ ] Add tests for localization display across the language variants already configured (be.lproj, en.lproj, sr-Latn.lproj)
• [ ] Update Test Plans/UITests.xctestplan to include these new test classes and ensure they run in run_ui_tests.yml workflow

• Add unit test coverage for ContinueReadingWidget/WMFTodayContinueReadingWidgetViewController.swift. Currently no test file visible in the structure; write tests for widget initialization and data binding.: Improves test coverage for a user-facing extension and helps new contributors understand the widget architecture
• Document the pre-commit hook setup and ClangFormat configuration in CONTRIBUTING.md or a setup troubleshooting guide. Current README mentions it briefly but many developers skip ./scripts/setup and encounter linting failures later.: Reduces friction for new contributors and prevents CI failures from surprise pre-commit hooks
• Add integration tests for the MediaWiki REST API sync layer (article fetch, offline caching, language switching). Run them in run_ui_tests.yml CI pipeline to catch API changes early.: Critical for a content-driven app; API breaking changes should be caught automatically before release

The Wikipedia iOS application shows a basic security structure with some configurations in place (SwiftLint, GitHub Actions, secure file structure), but critical vulnerability assessment is incomplete due to missing dependency manifests and configuration file contents. The primary risks are: (1) Unable to assess third-party dependency security without Podfile/Package.swift analysis, (2) Unknown CI/CD security posture without workflow file review, (3) Potential submodule risks. Recommendations: Implement automated dependency scanning, provide complete configuration files for analysis, establish clear security policies, and enforce security checks in the build pipeline. No obvious hardcoded credentials, SQL injection vectors, or infrastructure misconfigurations detected in the file structure provided.

• Medium · Missing Dependency Manifest Analysis — Repository root (dependency manifests not provided). No Package.swift, Podfile, Cartfile, or other dependency management file content was provided for analysis. Unable to assess if third-party dependencies contain known vulnerabilities or outdated versions. Fix: Provide dependency manifests (Podfile, Package.swift, etc.) for security audit. Implement automated dependency vulnerability scanning using tools like CocoaPods audit, Swift Package Manager audits, or third-party services (Dependabot, Snyk).
• Medium · Insufficient Docker/Infrastructure Security Visibility — Repository infrastructure configuration (not provided). No Docker configuration files or infrastructure-as-code files were provided. Unable to assess container security, exposed ports, or deployment configurations. Fix: If Docker is used, provide Dockerfile and docker-compose.yml for analysis. Scan container images for vulnerabilities. Implement security scanning in CI/CD pipelines.
• Low · SwiftLint Configuration Accessibility — .swiftlint.yml, .swiftlint-autocorrect.yml. .swiftlint.yml and .swiftlint-autocorrect.yml files exist in the repository root. While configuration files are generally not sensitive, exposing linting rules could hint at code structure patterns. Fix: Review SwiftLint configuration for security rules. Ensure rules include checks for common Swift security issues (hardcoded credentials, unsafe APIs). Keep linting rules enforced in CI/CD.
• Low · GitHub Actions Workflow Security — .github/workflows/ (content not provided). Multiple GitHub Actions workflows are present (.github/workflows/) but content was not provided for analysis. Workflows may contain secrets exposure, insecure checkout practices, or permission escalation risks. Fix: Review all workflow files for: proper secret management (use GitHub Secrets), least-privilege permissions, checkout security, third-party action versions pinned to specific commits, and audit logging.
• Low · Submodule Dependencies Not Audited — .gitmodules. .gitmodules file exists indicating git submodule dependencies. The actual content and security posture of these submodules could not be assessed. Fix: Audit all submodule dependencies for security vulnerabilities. Ensure submodules are from trusted sources. Consider migrating to package managers (SPM, CocoaPods) for better dependency tracking.
• Low · No SECURITY.md Policy Review — SECURITY (content not provided). A SECURITY file exists but content was not provided. Unable to verify if security vulnerability disclosure procedures are properly documented. Fix: Ensure SECURITY.md contains clear vulnerability disclosure procedures, contact information, and responsible disclosure guidelines. Publish security policy prominently.

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.