refactor(4/12): extract build/test utilities, platform steps, and xcodebuild pipeline

[cameroncooke]

Summary

This is PR 4 of 12 in a stacked PR series that decouples the rendering pipeline from MCP transport. Depends on PR 3 (rendering engine).

Extracts shared build and test logic from monolithic utility files into focused, single-responsibility modules. This is prep work for the tool handler migrations (PRs 6-9) -- the extracted modules provide the building blocks that tool handlers will call instead of duplicating logic inline.

What was extracted and why

Build preflight (build-preflight.ts): Validates build parameters (project path, scheme, destination) before invoking xcodebuild. Previously scattered across individual tool handlers with subtle inconsistencies.

Test preflight (test-preflight.ts): Validates test parameters, resolves test plans, and checks for common misconfiguration. Extracted from the ~500-line test tool handlers where each platform (sim/device/macOS) had its own copy.

Platform step modules: Each platform's build/test/run workflow was a monolithic function. Now decomposed into composable steps:

• simulator-steps.ts: Boot simulator, install app, launch app, capture logs
• device-steps.ts: Prepare device, install, launch
• macos-steps.ts: Build, launch, capture logs
• app-path-resolver.ts: Locate built .app bundles in DerivedData (shared across all platforms)
• device-name-resolver.ts: Resolve device UDID to display name

Xcodebuild pipeline (xcodebuild-pipeline.ts): The core build/test execution engine. Accepts an emit callback from the handler context, streams parsed events during execution, and returns structured state. This replaces the old pattern where the pipeline owned renderers directly.

Xcodebuild output (xcodebuild-output.ts): Constructs the final event sequence from pipeline state (summary, detail trees, diagnostics). Separated from the pipeline itself so the same output logic works for both real builds and test replay.

Supporting extractions: derived-data-path.ts, log-paths.ts, xcodebuild-log-capture.ts, swift-test-discovery.ts, xcresult-test-failures.ts, simulator-test-execution.ts, tool-error-handling.ts.

Deleted modules

• capabilities.ts, validation/index.ts, test-result-content.ts, workflow-selection.ts -- functionality moved into the extracted modules or no longer needed with the new architecture.

Changes to existing modules

• build-utils.ts: Slimmed down significantly. Warning suppression, content consolidation, and build-specific logic moved to dedicated modules.
• test-common.ts: Simplified to a thin coordination layer that delegates to test-preflight.ts and swift-test-discovery.ts.

Stack navigation

• PR 1-3/12: Foundation (logging removal, event types, rendering engine)
• PR 4/12 (this PR): Build/test utility extraction, platform steps, xcodebuild pipeline
• PR 5/12: Runtime handler contract and tool invoker
• PR 6-9/12: Tool migrations (these use the extracted modules)
• PR 10-12/12: Boundaries, config, tests

Test plan

• npx vitest run passes -- tests for each extracted module
• Build preflight correctly rejects invalid schemes/destinations
• Pipeline streams events through emit callback during execution
• Xcodebuild output constructs correct event sequences from pipeline state

[cursor]

Direct child_process imports bypass dependency injection

Medium Severity

Several new modules import execSync, execFileSync, spawn, readFileSync, and unlinkSync directly from node:child_process and node:fs instead of using the injected CommandExecutor and FileSystemExecutor. The project architecture rules flag new child_process or fs imports as critical DI violations, since all shell commands must flow through CommandExecutor and filesystem access through FileSystemExecutor.

Additional Locations (2)

• src/utils/xcresult-test-failures.ts#L1
• src/utils/simulator-steps.ts#L1-L3

 

^{Triggered by project rule: Bugbot Review Guide for XcodeBuildMCP}

^{Reviewed by Cursor Bugbot for commit 379222d. Configure here.}

[cameroncooke]

The DI guidelines have been updated in this PR (76c9848) to clarify that CommandExecutor/FileSystemExecutor DI is required for MCP tool logic orchestrating complex, long-running processes with sub-processes (e.g. xcodebuild), where standard vitest mocking produces race conditions. Standalone utility modules with simple, short-lived commands (like xcrun devicectl list here) may use direct imports and standard vitest mocking. See updated docs in BUGBOT.md, TESTING.md, CODE_QUALITY.md, CONTRIBUTING.md, and ARCHITECTURE.md.

[cameroncooke]

• refactor(12/12): add snapshot test fixtures and benchmarks #330
• refactor(11/12): update manifests, config, docs, and example projects #329
• refactor(10/12): rewire CLI, daemon, and MCP server boundaries #328
• refactor(9/12): migrate debugging, swift-package, and remaining tools #327
• refactor(8/12): migrate UI automation tools to event-based handlers #326
• refactor(7/12): migrate device and macOS tools to event-based handlers #325
• refactor(6/12): migrate simulator tools to event-based handlers #324
• refactor(5/12): change handler contract to event-based emission #323
• refactor(4/12): extract build/test utilities, platform steps, and xcodebuild pipeline #322 👈 (View in Graphite)
• refactor(3/12): add rendering engine and output formatting #321
• refactor(2/12): add pipeline event types, parsers, and event builders #320
• refactor(1/12): remove deprecated logging tools #319
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[cursor]

OSLog predicate allows bundle ID injection

Low Severity

In startOsLogStream, the bundleId is interpolated directly into a predicate string (subsystem == "${bundleId}") without sanitization. A bundleId containing a double-quote character could break the predicate syntax or alter its semantics. While bundleId typically comes from app metadata, the value flows from user-provided parameters through simctl launch output.

 

^{Triggered by project rule: Bugbot Review Guide for XcodeBuildMCP}

^{Reviewed by Cursor Bugbot for commit 9d23583. Configure here.}

[cameroncooke]

Out of scope for this PR. Bundle IDs follow Apple's reverse-DNS format and cannot contain double-quote characters. The predicate is passed as an array argument to spawn (not shell-interpolated), so there is no injection vector here.

[cameroncooke]

This is a Graphite stack artifact. getHandlerContext is imported from typed-tool-factory.ts where it will be defined in a later PR in this 12-PR stack. CodeQL analyzes each PR in isolation and flags it as undefined, but it will resolve when the full stack merges. Not actionable on this branch.

[cameroncooke]

This is a Graphite stack artifact. toErrorMessage will be exported from errors.ts in a later PR in this 12-PR stack. CodeQL analyzes each PR in isolation and flags it as undefined, but it will resolve when the full stack merges. Not actionable on this branch.

[cameroncooke]

This is a Graphite stack artifact. getHandlerContext will be exported from typed-tool-factory.ts in a later PR in this 12-PR stack. CodeQL analyzes each PR in isolation and flags it as undefined, but it will resolve when the full stack merges. Not actionable on this branch.

[cameroncooke]

This is a Graphite stack artifact. handlerContextStorage will be exported from typed-tool-factory.ts in a later PR in this 12-PR stack. CodeQL analyzes each PR in isolation and flags it as undefined, but it will resolve when the full stack merges. Not actionable on this branch.

[cameroncooke]

This is a Graphite stack artifact. handlerContextStorage will be exported from typed-tool-factory.ts in a later PR in this 12-PR stack. CodeQL analyzes each PR in isolation and flags it as undefined, but it will resolve when the full stack merges. Not actionable on this branch.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 3 total unresolved issues (including 2 from previous reviews).

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit d279a9b. Configure here.}

[cursor]

Next steps silently dropped when text isn't last content item

Medium Severity

processToolResponse only appends next steps to the last content item if it's a text item (item.type === 'text' && index === response.content.length - 1). When a response has text followed by non-text items (e.g. [text, image]), the text item at index 0 doesn't match the last-index check, and the image at the last index doesn't match the type check. The hasTextContent guard then prevents adding a new text block. Result: next steps are silently dropped whenever text content exists but isn't the final item.

 

^{Reviewed by Cursor Bugbot for commit d279a9b. Configure here.}

[cameroncooke]

Merge activity

• Apr 10, 12:18 PM UTC: A user started a stack merge that includes this pull request via Graphite.
• Apr 10, 12:19 PM UTC: @cameroncooke merged this pull request with Graphite.