If you discover a security vulnerability in this project, please report it privately via GitHub Security Advisories.

Do not open a public issue for security reports. We aim to acknowledge reports within 48 hours and will work with you on a fix before any public disclosure.

The following areas are in scope for security reports against this project:

• Tool input validation (date strings, event IDs, calendar names passed to the Swift binary)
• JSON output construction in the Swift binary
• EventKit data access and exposure (calendar data, event notes)
• Write gate (ICAL_ALLOW_WRITE) bypass
• MCP transport security (stdio)

The following should be reported to their respective maintainers:

• EventKit or Apple Calendar vulnerabilities — report to Apple
• macOS TCC (Transparency, Consent, and Control) issues — report to Apple
• MCP SDK vulnerabilities — report to modelcontextprotocol/typescript-sdk
• Bun runtime issues — report to oven-sh/bun

This server accesses all calendars on the host system by default. Event notes are opt-in per-request (include_notes: true) and may contain sensitive information. Write operations (create, update, delete) are gated behind the ICAL_ALLOW_WRITE=true environment variable (off by default).

Users should be mindful of this when granting calendar access and when connecting the server to an MCP client.