Skip to content

zelentsov-dev/asc-mcp

v1.0.0 Security

This release includes 4 security fixes for security teams reviewing exposed deployments.

Published 3mo MCP SaaS Integrations
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 4 known CVEs

Topics

ai-tools app-store-connect claude ios mcp model-context-protocol
+2 more
swift testflight

Affected surfaces

auth deps

Summary

AI summary

JWT authentication added with ES256 signing and automatic refresh.

Full changelog

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog,
and this project adheres to Semantic Versioning.

[1.0.0] - 2025-02-17

Added

  • 17 workers with ~109 tools covering the full App Store Connect API
  • Multi-account support via companies.json configuration
  • Worker filtering with --workers flag for tool-limited MCP clients
  • JWT authentication with ES256 signing and automatic 20-minute refresh
  • HTTP client as actor with retry logic, 429 rate-limit handling, and idempotent request support
  • Pagination helper for traversing large API result sets

Workers

  • CompaniesWorker (3 tools) — multi-account management, switching, listing
  • AuthWorker (4 tools) — JWT token generation, validation, refresh
  • AppsWorker (9 tools) — app listing, metadata, localized descriptions, keywords
  • BuildsWorker (4 tools) — build listing, details, individual build info
  • BuildBetaDetailsWorker (9 tools) — TestFlight localizations, beta groups, notifications
  • BuildProcessingWorker (5 tools) — build states, encryption declarations
  • AppLifecycleWorker (12 tools) — version create/submit/release, phased rollout
  • ReviewsWorker (8 tools) — customer reviews, responses, statistics
  • BetaGroupsWorker (9 tools) — TestFlight groups CRUD, testers, builds
  • BetaTestersWorker (6 tools) — tester management, search, invite
  • InAppPurchasesWorker (12 tools) — IAP and subscriptions CRUD, localizations, submit
  • ProvisioningWorker (17 tools) — bundle IDs, devices, certificates, profiles, capabilities
  • AppInfoWorker (6 tools) — app info, categories, age rating, localizations
  • PricingWorker (6 tools) — territories, availability, price points and schedules
  • UsersWorker (6 tools) — team members, roles, invitations
  • AppEventsWorker (6 tools) — in-app events CRUD, localizations
  • AnalyticsWorker (4 tools) — sales reports, financial reports, analytics

Security

  • SSRF protection for pagination URL validation
  • Sensitive credential masking in MCP responses
  • HTTPS-only communication with App Store Connect API
  • JWT tokens held in memory only, never persisted

Testing

  • 295+ unit tests using Swift Testing framework
  • Test fixtures with placeholder credentials (no real keys)

Security Fixes

  • SSRF protection for pagination URL validation
  • Sensitive credential masking in MCP responses
  • HTTPS-only communication with App Store Connect API
  • JWT tokens held in memory only, never persisted
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track zelentsov-dev/asc-mcp

Get notified when new releases ship.

Sign up free

About zelentsov-dev/asc-mcp

App Store Connect API server with 208 tools for managing apps, builds, TestFlight, subscriptions, reviews, and more — directly from any MCP client.

All releases →

Related context

Earlier breaking changes

  • v3.0.0 Removed public prefixes `offer_codes_*`, `intro_offers_*`, `promo_offers_*`, and `winback_*` from v3 worker schema.

Beta — feedback welcome: [email protected]