zelentsov-dev/asc-mcp

v2.5.0 Feature

This release adds 3 notable features for engineering teams evaluating rollout.

Published 14d MCP SaaS Integrations
✓ No known CVEs patched

Topics

ai-tools app-store-connect claude ios mcp model-context-protocol swift testflight

Affected surfaces

auth breaking_upgrade

ReleasePort's take

Light signal
editorial:auto 14d

v2.5.0 hardens safety with transactional company_switch rollback, Apple-format rate-limit parsing, and credential redaction in MCP output. Features include preflight validation on app_versions_release.

Why it matters: Credential redaction prevents secret leakage in logs. Transaction rollback prevents state races on reinit failure. Rate-limit parsing prevents retry storms on Apple endpoints. Test preflight checks; standard hardening.

Summary

AI summary

Updates Hardening, Verification, and P1-01 across a mixed release.

Changes in this release

Security Medium

Apple-format X-Rate-Limit parsing with legacy fallback implemented; HTTP-date Retry-After parsed.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Security Medium

Transactional company_switch with rollback on failed reinit implemented.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Security Medium

Demo-account passwords and secret-like keys redacted in MCP results.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Feature Medium

`app_versions_submit_for_review` now surfaces submission_id and partial-failure context.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Feature Medium

`app_versions_release` now includes preflight state check and explicit confirmation.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Feature Medium

Pagination host allowlist follows the configured base URL.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Webhook tool schemas no longer break Claude Code sub-agents.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Clearer diagnostics for malformed companies.json provided.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Full changelog

Highlights

Critical fix: webhook tool schemas no longer break Claude Code sub-agents.
webhooks_verify_signature, webhooks_parse_payload, and webhooks_triage_event
emitted a top-level anyOf in their input schema, which the Anthropic API
rejects — every Claude Code sub-agent (Explore, Plan, teammates) failed with
HTTP 400 since v2.4.0. Fixed at the source and guarded centrally in
ToolMetadataPolicy, with a regression test forbidding top-level composition
across all tool schemas.

Hardening (2026-05-18 audit)

  • Transactional company_switch with rollback on failed reinit (P1-01)
  • app_versions_submit_for_review surfaces submission_id + partial-failure context (P1-02)
  • Apple-format X-Rate-Limit parsing with legacy fallback; HTTP-date Retry-After (P2-01, P3-01)
  • app_versions_release preflight state check + explicit confirmation (P2-02)
  • Demo-account passwords and secret-like keys redacted in MCP results (P2-03)
  • Pagination host allowlist follows the configured base URL (P2-04)
  • Clearer diagnostics for malformed companies.json (P3-02)

Verification

  • swift build: ok
  • swift test: 516 tests / 46 suites passing
  • live tools/list: 348 tools, 0 with top-level oneOf/anyOf/allOf
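
A check in the spirit of the regression test and the live tools/list verification above, as an added example (not the project's own code, which is Swift): it scans an MCP tools/list result for oneOf/anyOf/allOf at the root of each inputSchema, while leaving nested composition alone. The sample listing is constructed; the tool names are from the changelog, the schema bodies are assumptions.

```python
import json

COMPOSITION_KEYWORDS = ("oneOf", "anyOf", "allOf")

# Constructed tools/list result (MCP shape: tools[].inputSchema).
# Tool names come from the changelog; schema bodies are invented for illustration.
SAMPLE_TOOLS_LIST = json.loads("""
{"tools": [
  {"name": "webhooks_verify_signature",
   "inputSchema": {"type": "object",
                   "anyOf": [{"required": ["secret"]}, {"required": ["secret_ref"]}],
                   "properties": {"secret": {"type": "string"},
                                  "secret_ref": {"type": "string"}}}},
  {"name": "webhooks_parse_payload",
   "inputSchema": {"type": "object",
                   "properties": {"payload": {"anyOf": [{"type": "string"},
                                                        {"type": "object"}]}},
                   "required": ["payload"]}},
  {"name": "webhooks_triage_event", "inputSchema": "not-an-object"}
]}
""")

def top_level_composition(schema):
    """Return the composition keywords used at the root of one input schema."""
    if not isinstance(schema, dict):
        return []
    return [k for k in COMPOSITION_KEYWORDS if k in schema]

def audit_tools(tools_list):
    """Map tool name -> list of problems; an empty dict means the listing is clean."""
    findings = {}
    for tool in tools_list.get("tools", []):
        name = tool.get("name", "<unnamed>")
        schema = tool.get("inputSchema")
        if not isinstance(schema, dict):
            # A schema that cannot be inspected is reported, not silently passed.
            findings[name] = ["inputSchema is not an object"]
            continue
        problems = [f"top-level {k}" for k in top_level_composition(schema)]
        if problems:
            findings[name] = problems
    return findings

if __name__ == "__main__":
    for name, problems in audit_tools(SAMPLE_TOOLS_LIST).items():
        print(f"{name}: {', '.join(problems)}")
```

Run against a saved tools/list response in CI, a non-empty result from `audit_tools` is the failure condition; the nested `anyOf` under `properties` in the second sample tool is deliberately not flagged.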

About zelentsov-dev/asc-mcp

App Store Connect API server with 208 tools for managing apps, builds, TestFlight, subscriptions, reviews, and more — directly from any MCP client.

Related context

Earlier breaking changes

  • v3.0.0 Removed public prefixes `offer_codes_*`, `intro_offers_*`, `promo_offers_*`, and `winback_*` from v3 worker schema.
