feat: support Individual API Keys (issuer-less JWT)

[conversun]

Summary

Adds support for App Store Connect Individual API Keys, which use a different JWT shape than Team Keys (no issuer ID, sub: "user" instead of iss). Team Key behavior is fully preserved — this is purely additive.

Per Apple's spec:

• Team Key → JWT payload uses iss claim
• Individual Key → JWT payload omits iss and uses sub: \"user\"

Changes

Model (Company)

• issuerID is now String? with a computed isIndividualKey flag
• Custom encode(to:) omits issuer_id from JSON when absent → backward compatible with existing Team Key configs

JWT (JWTService)

• Branches payload construction by key type
• JWTPayload custom encoder skips nil claims so the wire format matches Apple's spec exactly

Config loading

• Single-company env vars: ASC_ISSUER_ID is now optional
• Multi-company env vars: ASC_COMPANY_N_ISSUER_ID is now optional
• Env loading is injectable for testability

UX

• Company list, current/switch handlers, and startup logs display "Individual Key" vs "Team Key"
• --test mode guards against missing config (no crash on smoke path)

Docs

• README.md — Individual API Keys subsection with env + JSON examples and access limitations
• CLAUDE.md — note that issuerID is optional for Individual Keys
• companies.example.json — third example without issuer_id

Limitations (documented)

Individual API Keys cannot access:

• Provisioning endpoints
• Sales / Finance reports
• notarytool endpoints

Calls to those will fail with 403 at the Apple API level — no client-side pre-validation.

Test Plan

• `swift build` — clean
• `swift test` — 452/452 passed across 32 suites (16 new tests added)
• New coverage:
  • `CompanyModelTests` — decode / encode / roundtrip with optional `issuerID`
  • `CompaniesConfigModelTests` — mixed Team + Individual config decoding
  • `CompaniesManagerEnvTests` — Team / Individual / mixed env var combinations (single + multi-company)
  • `JWTServiceTests` — Team Key payload uses `iss`; Individual Key payload omits `iss` and uses `sub: "user"`; header and expiration parity verified

Backward Compatibility

• Existing Team Key JSON configs decode and re-encode identically (no `issuer_id` change on disk)
• Existing Team Key env vars continue to work unchanged
• JWT wire format for Team Keys is byte-identical to before

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f23e04bf6d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Re-throw failures in debug test mode

Catching all errors here and then returning makes asc-mcp --test exit successfully even when testAppMetadata() or testCompanySwitching() fails. That regresses test-mode behavior from fail-fast to silent success, which can mask real breakages in local/CI smoke checks that rely on process exit status. Log the error if needed, but propagate it (or call exit(1)) so failed test runs are observable.

Useful? React with 👍 / 👎.