| Version | Supported |
|---|---|
| 2.2.x | Yes |
| 2.1.x | Yes |
| 2.0.x | Yes |
| 1.x | Security fixes only |
| < 1.0 | No |

If you discover a security vulnerability, please report it responsibly:

- Do NOT open a public issue
- Email: fullback.94@gmail.com
- Include: description, reproduction steps, and impact assessment
- You will receive a response within 48 hours

- Never commit `.p8` private keys to version control
- Use environment variables or a `companies.json` file outside your repo
- Add `companies.json`, `*.p8`, `*.pem`, `*.key` to your `.gitignore`
- Rotate App Store Connect API keys periodically
- Use the `--workers` flag to limit exposed tools to only what you need
- JWT tokens are held in memory only and expire after 20 minutes
- Prefer read-only MCP smoke checks (`auth_generate_token`, `auth_token_status`, `apps_list limit=1`) after reloads
- Review tool annotations before approving high-risk actions such as submit, release, delete, revoke, clear, or cancel