Warden Scheduled Scan Results
Run: 2026-05-18T07:28:49.324Z
Commit: 8c91fa4
Summary
| Severity | Count |
| --- | --- |
| High | 2 |
| Medium | 4 |
| Low | 4 |
Findings

src/utils/xcodebuild-domain-results.ts
QG8-JK7 .ts extension import breaks production build (L31) · high
This import uses a .ts extension, but all other imports in this file use .js extensions and tsconfig.build.json sets allowImportingTsExtensions: false, so this will cause a build failure.
Suggested fix: Change the extension from .ts to .js to match the rest of the file and satisfy the build tsconfig.

src/utils/xcodemake.ts
R6M-6V4 Remote script downloaded and executed without integrity verification (L62-L76) · high
The installXcodemake function fetches a shell script from a mutable GitHub URL (main branch, no pinned commit or tag) and immediately writes it to disk with chmod 0o755, then executes it — with no checksum or signature check. A compromised upstream repository or a MITM attack would result in arbitrary code execution on the developer's machine.
ZJ9-B5V process.chdir() in doesMakeLogFileExist mutates global CWD, causing races with concurrent async operations (L136-L138) · medium
doesMakeLogFileExist calls process.chdir(projectDir) to resolve relative paths, but process.cwd() is process-wide state — any async operation that reads or resolves paths concurrently (e.g. other build tool calls or the MCP server handling parallel requests) will see the wrong working directory between the chdir and the finally restore.

src/cli/daemon-client.ts
KRM-JFL Missing close event handler in request causes 30-second hang on premature disconnect (L107-L109) · medium
The request method has no socket.on('close', ...) handler, so if the daemon closes the connection before sending a response (without emitting error), the returned promise silently hangs for the full timeout duration (default 30 s) instead of failing immediately.

src/integrations/xcode-tools-bridge/manager.ts
369-938 disconnect() does not await or cancel an in-flight syncTools(), leaving tools re-registered after disconnect (L114-L119) · medium
disconnect() clears the registry and disconnects the service synchronously, but an already-running syncInFlight promise completes afterward and calls registry.sync() + server.sendToolListChanged(), which can re-register proxied tools on an otherwise-disconnected manager.

src/utils/nskeyedarchiver-parser.ts
CTT-U68 ActiveRunDestination is silently dropped when ActiveScheme key is absent (L130-L134) · medium
When ActiveScheme is missing (activeSchemeIdx === -1) but ActiveRunDestination is present, findDictWithKey(objects, -1) returns undefined and the function returns an empty result, discarding the run-destination data entirely. The same bug exists in parseXcuserstateBuffer at line 201.

src/mcp/tools/ui-automation/swipe.ts
XED-CJS Falsy check on duration silently drops zero from log message (L113) · low
Using duration ? on line 113 treats duration = 0 as falsy, omitting it from the log even though 0 is a valid value (schema allows min(0)) and is correctly passed to the command via the !== undefined guard on line 100.

src/mcp/tools/xcode-ide/sync_xcode_defaults.ts
MHL-V48 Redundant early-return branch is dead code — both paths return identical result (L141-L145) · low
The if (Object.keys(synced).length === 0) guard at line 141 is unreachable dead code: the unconditional return createSyncXcodeDefaultsResult() at line 145 is always reached regardless, making both branches return the same value with no behavioral difference.

src/utils/logger.ts
YW8-SPC File logging ignores configured log-level threshold (L268-L273) · low
The file-write block (line 268) only checks clientLogLevel !== 'none' but never calls shouldLog(), so every message (including debug) is written to the log file regardless of the configured severity threshold.
Suggested fix: Replace the coarse guard with the existing shouldLog() check so file output respects the same level filter as stderr.

src/utils/xcodebuild-run-state.ts
W7J-9SV Shared deduplication set mixes compiler-diagnostic and test-failure keys (L139-L187) · low
Both acceptDedupedDiagnostic (compiler diagnostics) and the test-failure case write into the same seenDiagnostics set using different key formats. Compiler keys are location|message (lowercased/trimmed); test-failure keys are test|location|message or suite|test|message. A cross-type collision is only possible if a compiler diagnostic's location or message happens to embed a | that aligns with the test-failure layout. Since locations are normalized file:line:col strings and messages rarely contain |, the practical risk of silently dropping a legitimate diagnostic or test failure is very low, but the two key spaces should still be separated to make the dedup invariant explicit.
Generated by Warden