feat: modernize MCP surface and expand ASC coverage

Author: zelentsov-dev

.github/workflows/ci.yml

@@ -24,5 +24,11 @@ jobs:
       - name: Build
         run: swift build
 
+      - name: Release build
+        run: swift build -c release 2>&1 | tee /tmp/asc_mcp_release.log
+
+      - name: Fail on release warnings
+        run: '! grep -q "warning:" /tmp/asc_mcp_release.log'
+
       - name: Test
         run: swift test

.gitignore

@@ -37,7 +37,6 @@ playground.xcworkspace
 # Swift Package Manager
 .swiftpm
 .build/
-Package.resolved
 
 # CocoaPods
 Pods/

ASC-COVERAGE-MATRIX-2026-05-05.md

@@ -0,0 +1,53 @@
+# App Store Connect API Coverage Matrix
+
+Date: 2026-05-05
+
+Source baseline:
+- Apple App Store Connect API overview: https://developer.apple.com/documentation/appstoreconnectapi
+- Apple API 4.0 release notes: https://developer.apple.com/documentation/appstoreconnectapi/app-store-connect-api-4-0-release-notes
+- Apple Webhook notifications: https://developer.apple.com/documentation/appstoreconnectapi/webhook-notifications
+
+This matrix tracks current `asc-mcp` coverage against the official App Store Connect API documentation. It is intentionally product-oriented: it names what users can do today, what is missing, and which additions should come first.
+
+## Executive Priority
+
+P0 additions:
+- Accessibility declarations, App Clips, background assets, app tags, routing app coverages, and customer review summaries.
+
+P1 additions:
+- Automated OpenAPI spec diff against `app-store-connect-openapi-specification.zip`.
+- Webhook receiver-side signature verification, event payload decoder, and triage resources/prompts.
+- Merchant IDs and Pass Type IDs under provisioning.
+- Analytics/customer-review summarization and metric recommendation ergonomics.
+
+## Area Matrix
+
+| Area | Status | Priority | Current worker keys | Missing / next |
+|---|---|---:|---|---|
+| Essentials: auth, errors, paging, uploads, rate limits | Partial | P1 | `auth` | OpenAPI spec diff; API key inventory/revocation helpers |
+| App Store app metadata and release operations | Partial | P0 | `apps`, `versions`, `app_info`, `pricing`, `app_events`, `screenshots`, `custom_pages`, `ppo`, `promoted`, `review_attachments`, `reviews` | accessibility declarations; App Clips; background assets; app tags; routing app coverages; customer review summary endpoint |
+| TestFlight builds, testers, groups, and beta app review | Partial | P0 | `builds`, `build_processing`, `build_beta`, `beta_groups`, `beta_feedback`, `beta_testers`, `beta_app`, `pre_release`, `beta_license` | beta recruitment criteria; beta app clip invocation/localization APIs |
+| Webhook notifications | Covered | P2 | `webhooks` | OpenAPI drift checks and receiver-side helper ergonomics |
+| Webhook notification receiver resources | Missing | P1 | none | signature verification helpers; event payload decoder; prompt/resource templates for event triage |
+| In-app purchases, subscriptions, and offers | Covered | P2 | `iap`, `subscriptions`, `offer_codes`, `winback`, `intro_offers`, `promo_offers` | OpenAPI drift checks and schema tightening |
+| Provisioning and identifiers | Partial | P1 | `provisioning` | merchant IDs; pass type IDs |
+| Users, access, and sandbox testers | Partial | P2 | `users`, `sandbox` | API key inventory helpers; API key revocation workflow |
+| Reporting, analytics, metrics, and diagnostics | Partial | P1 | `analytics`, `metrics` | analytics segment discovery ergonomics; customer review summarization; perf power metric recommendations |
+| Xcode Cloud workflows and builds | Partial | P1 | `xcode_cloud` | workflow create/update/delete; product delete; relationship-only linkage endpoints |
+| Game Center | Missing | P2 | none | Game Center details; leaderboards; achievements; activities; challenges |
+| Alternative distribution | Missing | P2 | none | alternative marketplace and web distribution workflows |
+
+## Implementation Order
+
+1. Add `--read-only` runtime guard so static and live validation can run safely in production-like MCP hosts.
+2. Add `AccessibilityWorker` and update `AppsWorker` for `accessibilityUrl`: this closes a new compliance-oriented App Store gap.
+3. Add OpenAPI drift tooling so future Apple release-note changes become visible before users report missing methods.
+4. Add webhook receiver helpers: signature verification, event payload decoder, and triage prompts/resources.
+5. Add merchant/pass identifiers, App Clips, background assets, Game Center, and alternative distribution as larger domain workers.
+
+## Safety Notes
+
+- Mutation tools must remain statically reviewable without live App Store Connect calls.
+- All new write tools should carry MCP annotations with `readOnlyHint = false`; destructive operations should carry `destructiveHint = true`.
+- Live validation should stay read-only unless a user explicitly provides a sandbox-like target and confirms the exact mutation.
+- Region- or entitlement-sensitive domains, especially alternative distribution, should be opt-in and clearly documented.

CHANGELOG.md

@@ -5,6 +5,34 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.1.0] - 2026-05-05
+
+### Added
+
+- MCP 2025-11-25 tool metadata policy for all 339 tools: standard annotations plus `anthropic/maxResultSizeChars`.
+- Webhook notification tools for listing, reading, creating, updating, deleting, delivery inspection, redelivery, and ping testing.
+- TestFlight beta feedback tools for crash submissions, screenshot submissions, crash log reads, and cleanup.
+- Xcode Cloud tools for products, workflows, build runs, actions, artifacts, issues, test results, Xcode/macOS versions, SCM providers, repositories, git references, pull requests, and starting builds.
+- `--read-only` runtime mode that blocks App Store Connect mutation tools before handler execution.
+- App Store Connect API coverage matrix for Apple 4.0+ documentation gaps and future worker planning.
+- Structured JSON results for JSON-producing handlers, with `outputSchema` on stable auth, company, apps, and selected analytics tools.
+- Structured App Store Connect error decoding and safe rate-limit metadata capture.
+- Metadata validation before key ASC mutations: locale, emoji, URL, and length checks.
+- HTTP and upload service tests, MCP result builder tests, metadata policy tests, and docs drift coverage.
+
+### Changed
+
+- Migrated deprecated MCP SDK `.text(...)` usage to current `Tool.Content.text(text:annotations:_meta:)` helpers.
+- Refactored `WorkerManager` routing into ordered descriptors for overlapping prefixes.
+- Refactored uploads to stream chunks from disk with bounded concurrency and streaming MD5.
+- Updated SwiftPM to Swift tools 6.2 and Swift language mode v6.
+- Release build is now warning-clean.
+
+### Security
+
+- Redacts sensitive identifiers and private-key paths in runtime diagnostic output.
+- Keeps ASC verification read-only for production smoke checks.
+
 ## [2.0.0] - 2026-03-24
 
 ### Breaking Changes

Package.resolved

@@ -1,4 +1,4 @@
-// swift-tools-version: 6.1
+// swift-tools-version: 6.2
 // The swift-tools-version declares the minimum version of Swift required to build this package.
 
 import PackageDescription
@@ -19,6 +19,9 @@ let package = Package(
             name: "asc-mcp",
             dependencies: [
                 .product(name: "MCP", package: "swift-sdk")
+            ],
+            swiftSettings: [
+                .swiftLanguageMode(.v6)
             ]
         ),
         .testTarget(
@@ -27,7 +30,10 @@ let package = Package(
                 "asc-mcp",
                 .product(name: "MCP", package: "swift-sdk")
             ],
-            resources: [.copy("Fixtures")]
+            resources: [.copy("Fixtures")],
+            swiftSettings: [
+                .swiftLanguageMode(.v6)
+            ]
         ),
     ]
 )