mysigner 0.3.4 → 0.3.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c8d828d29516e7df219e7a43cc21f66fe5dcfdce881f7ffb2168217626b6e204
-  data.tar.gz: 75444b456a228e57784a3b5376b57da4abe1963550b53b735d32836de3d0e981
+  metadata.gz: a7b51b5ca8891aa0e71405e1c5a2f8d0aef349ef8aaeca1e870925eb5403bcea
+  data.tar.gz: 45ceb49f0a2015ecbe689e17510af4c6a8b8c1c3c4c25c036f637ff4a541a842
 SHA512:
-  metadata.gz: 6aa433a444788a4205115f0165d4d264137921b6c06d00af81b4096272297141f1c275f848a798e8327e64d0151b50611ba7b313d7ceaa7a10ead7854a70863f
-  data.tar.gz: 18c7b935f4d59817d9286fbb95c9b9d21803c17930b74bb770fda57494c862a064764abfd3cd2000e5a2ec1c5738823d5df83021febc00adb90d2a39727db909
+  metadata.gz: e8ac1f132fbe6e912a918c923789c28784b46e5d978a7fb7fdfeca2b56a8ed33f23f613287459c65825868896df86029097ea0410482533667ab9800b799a8df
+  data.tar.gz: 3e7fbb4faf3dd82f831920ca7b7c306568cd70a911da7361da1080c7540449f75e0ba2bf54b8743f0560162490aa8308ac92e7e496b09fa5fc2e24607459c5e2

data/.github/workflows/ci.yml

@@ -9,7 +9,7 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: ruby/setup-ruby@v1
         with:
           ruby-version: "3.2"
@@ -20,7 +20,7 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: ruby/setup-ruby@v1
         with:
           ruby-version: "3.2"

data/CHANGELOG.md

@@ -5,6 +5,53 @@ All notable changes to My Signer CLI will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.3.7] - 2026-06-26
+
+Small robustness + dependency-hygiene follow-ups.
+
+### Fixed
+- Pressing Ctrl-C while `ship appstore --wait` is polling now prints a clean "still processing on Apple's side — re-run to resume" hint and exits with the standard SIGINT code, instead of leaving a half-drawn "Waiting…" line.
+
+### Changed
+- Dependency hygiene: removed the redundant `xcodeproj` declaration from the Gemfile (it's already a gemspec dependency), and added `x86_64-linux` to `Gemfile.lock` so Linux/CI installs use the committed, audited dependency graph rather than re-resolving.
+
+## [0.3.6] - 2026-06-26
+
+Follow-up hardening from the audit's remaining medium/low findings.
+
+### Security
+- `status` no longer overstates at-rest protection: on Linux/Windows it now reports the encryption key as a local file (obfuscation, not vault-grade) rather than a bare "Encryption: ✓ Enabled", since the key sits next to the encrypted token; macOS reports the Keychain.
+- TLS certificate verification is now asserted explicitly on the API client instead of relying on the adapter default.
+- Release-metadata YAML parsing disables alias expansion (`aliases: false`), closing a YAML alias-bomb / billion-laughs DoS on a hostile project metadata file.
+- `devices` USB detection (`ideviceinfo`) and the `doctor` keychain key-import (`security import`) now run via argv (no shell), so a device-reported UDID or a `$HOME` containing a space can't break or inject.
+
+### Changed
+- The published gem no longer ships the dev-only `bin/` helpers or the internal `MANUAL_TEST.md`.
+
+## [0.3.5] - 2026-06-26
+
+Security & robustness hardening from a full multi-agent audit of the CLI. No breaking changes.
+
+### Security
+- iOS build/export no longer run `xcodebuild` through a shell: arguments are passed as a literal argv array, so a scheme, bundle ID, or project path containing a space or shell metacharacter (`;`, `$(...)`, backticks) can no longer be split or executed by `/bin/sh`.
+- The API token is never sent over an insecure connection: the CLI refuses any non-`https` `api_url` unless the host is loopback (localhost), and a scheme-less host now defaults to `https://`. This prevents the org token from being sent in cleartext or redirected to an attacker-set host via a poisoned config/env.
+- Local-only App Store keys are cleaned up: the materialized `~/.appstoreconnect/private_keys/AuthKey_*.p8` is deleted after upload (only the one the CLI created) instead of lingering as a plaintext signing key.
+- `logout` no longer orphans local credentials: a plain (non-`--purge`) logout keeps your local-only credentials AND keeps them decryptable — it no longer deletes the per-machine encryption key out from under them.
+- Android signing passwords stay off the process table: they are passed to Gradle via the child process environment instead of an `export VAR=… &&` shell string visible in `ps`.
+- Certificate and `doctor` checks no longer build shell strings from untrusted values — a certificate CN containing `$(...)` and the server-supplied `team_id` are handled as literal data.
+
+### Fixed
+- The default API client now sets explicit request/connect timeouts, so a stalled server can no longer hang the CLI indefinitely.
+- Non-interactive (CI/piped) runs fail loudly with an actionable hint when a keystore password, version code, or app target is required, instead of silently reading an empty value and failing later with a confusing "wrong password" error.
+- `mysigner export` runs `xcodebuild` via argv, so archive/output paths with spaces work; Expo prebuild likewise runs via `Dir.chdir` + argv.
+- App Store upload reads the IPA once (single-pass MD5 + SHA-256) instead of three times.
+
+### Changed
+- The `version` command and README point at the correct repository, and the README version/test-count are current.
+
+### Removed
+- Removed the unused `reline` dependency, ~360 lines of dead legacy uploader code, and stale references to the removed `--submit-for-review` / `--asc-timeout-seconds` flags.
+
 ## [0.3.4] - 2026-06-25
 
 ### Added

data/Gemfile

@@ -6,4 +6,3 @@ git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
 
 # Specify your gem's dependencies in mysigner.gemspec
 gemspec
-gem 'xcodeproj', '~> 1.27'

data/Gemfile.lock

@@ -1,14 +1,13 @@
 PATH
   remote: .
   specs:
-    mysigner (0.3.4)
+    mysigner (0.3.7)
       base64 (~> 0.2)
       faraday (~> 2.14)
       faraday-retry (~> 2.2)
       google-apis-androidpublisher_v3 (~> 0.54)
       googleauth (~> 1.11)
       plist (~> 3.7)
-      reline (~> 0.5)
       thor (~> 1.4)
       xcodeproj (~> 1.27)
 
@@ -65,7 +64,6 @@ GEM
       os (>= 0.9, < 2.0)
       signet (>= 0.16, < 2.a)
     hashdiff (1.2.1)
-    io-console (0.8.1)
     json (2.19.5)
     jwt (3.2.0)
       base64
@@ -90,8 +88,6 @@ GEM
     rainbow (3.1.1)
     rake (13.3.0)
     regexp_parser (2.11.3)
-    reline (0.6.2)
-      io-console (~> 0.5)
     representable (3.2.0)
       declarative (< 0.1.0)
       trailblazer-option (>= 0.1.1, < 0.2.0)
@@ -153,6 +149,7 @@ GEM
 PLATFORMS
   arm64-darwin-24
   ruby
+  x86_64-linux
 
 DEPENDENCIES
   bundler (~> 2.5)
@@ -161,7 +158,6 @@ DEPENDENCIES
   rspec (~> 3.0)
   rubocop (~> 1.79)
   webmock (~> 3.24)
-  xcodeproj (~> 1.27)
 
 BUNDLED WITH
    2.7.2

data/README.md

@@ -2,7 +2,7 @@
 
 **One command from code to TestFlight or Google Play. No provisioning hell, no manual certificate wrangling.**
 
-Command-line interface for [My Signer](https://github.com/jurgenleka/my-signer) - the modern mobile app signing and deployment automation tool for iOS and Android.
+Command-line interface for [My Signer](https://github.com/jouleka/my-signer) - the modern mobile app signing and deployment automation tool for iOS and Android.
 
 ---
 
@@ -39,7 +39,7 @@ Mobile developers spend hours dealing with:
 - Ruby 3.2+ (recommended: 3.4.5)
 
 **Vault mode** (default — server-orchestrated):
-- [My Signer API](https://github.com/jurgenleka/my-signer) account and API token
+- [My Signer API](https://github.com/jouleka/my-signer) account and API token
 
 **Local-only mode** (`--local-only` — no MySigner account or token required):
 - Your own signing credentials: Apple `.p8` key / Google Play service-account JSON / Android keystore (set up via `mysigner --local-only onboard`, flags, or env vars)
@@ -61,7 +61,7 @@ gem install mysigner
 ### Install from source
 
 ```bash
-git clone https://github.com/jurgenleka/my-signer-cli.git
+git clone https://github.com/jouleka/my-signer-cli.git
 cd my-signer-cli
 bundle install
 bundle exec rake install
@@ -136,7 +136,7 @@ mysigner status
 # iOS
 mysigner ship testflight                   # Build + upload to TestFlight
 mysigner ship appstore                     # Build + submit to App Store
-mysigner ship appstore --submit-for-review # Auto-submit for review
+mysigner ship appstore --no-auto-submit    # Build + upload only (submit for review later)
 
 # Android
 mysigner ship internal --platform android  # Build + upload to internal testing
@@ -389,7 +389,7 @@ mysigner config set local-only false    # permanent disable
 | `doctor`, `status`, `validate` | ✅ (limited — no MySigner-side checks) |
 | `certificate check`, `device detect` | ✅ |
 | `android build` | ✅ |
-| `config`, `config set`, `version`, `help`, `tree`, `logout` | ✅ |
+| `config`, `config set`, `version`, `help`, `logout` | ✅ |
 | `login`, `switch`, `orgs`, `sync` | ❌ MySigner-only |
 | `android init`, `android add`, `android list` | ❌ MySigner-only (register or list MySigner-side records) |
 | `apps`, `devices`, `certificates`, `profiles`, `bundleid`, `app-group(s)`, `merchant-id(s)`, `keystore`, `gp-credential`, `release`, `tracks`, `track`, `submit`, `device add/update`, `certificate download`, `profile download/delete` | ❌ MySigner-only |
@@ -446,7 +446,7 @@ Storage:
 ```bash
 # iOS — local-mint ASC JWT, upload direct to Apple
 mysigner --local-only ship testflight
-mysigner --local-only ship appstore --submit-for-review
+mysigner --local-only ship appstore
 
 # Android — local-mint Google OAuth token, call Play Publishing API direct
 mysigner --local-only ship internal   --platform android
@@ -488,10 +488,10 @@ mysigner config set KEY VAL # Update configuration value
 
 ## Development Status
 
-**Current Version**: 0.1.0
+**Current Version**: 0.3.4
 
 ✅ **Complete**:
-- ✅ Gem structure and dependencies (Thor, Faraday, Reline, Google APIs)
+- ✅ Gem structure and dependencies (Thor, Faraday, Google APIs)
 - ✅ Config management (`~/.mysigner/config.yml`)
 - ✅ API client (Faraday with retry & error handling)
 - ✅ Core commands (login, logout, config, status, orgs, switch, onboard)
@@ -506,7 +506,7 @@ mysigner config set KEY VAL # Update configuration value
 - ✅ Server-side signing validation (`mysigner validate`)
 - ✅ Project detection (Native iOS/Android, React Native, Flutter, Capacitor/Ionic)
 - ✅ `mysigner doctor` health check with auto-fix capabilities
-- ✅ 260+ RSpec tests
+- ✅ Comprehensive RSpec suite (1,900+ examples)
 - ✅ Interactive prompts and wizards
 
 📅 **Future**:
@@ -515,7 +515,7 @@ mysigner config set KEY VAL # Update configuration value
 - `--json` flag for scripting
 - CI/CD templates (GitHub Actions, GitLab CI)
 
-See the [main project roadmap](https://github.com/jurgenleka/my-signer/blob/main/ROADMAP.md) for detailed plans.
+See the [main project roadmap](https://github.com/jouleka/my-signer/blob/main/ROADMAP.md) for detailed plans.
 
 ---
 
@@ -524,7 +524,7 @@ See the [main project roadmap](https://github.com/jurgenleka/my-signer/blob/main
 ### Setup
 
 ```bash
-git clone https://github.com/jurgenleka/my-signer-cli.git
+git clone https://github.com/jouleka/my-signer-cli.git
 cd my-signer-cli
 bundle install
 ```
@@ -679,17 +679,17 @@ This is currently a private project. Contributions are not being accepted at thi
 
 ## Related Projects
 
-- **[My Signer API](https://github.com/jurgenleka/my-signer)** - The backend API and web dashboard
-- **[My Signer Docs](https://github.com/jurgenleka/my-signer/tree/main/app/views/docs)** - In-app documentation source
+- **[My Signer API](https://github.com/jouleka/my-signer)** - The backend API and web dashboard
+- **[My Signer Docs](https://github.com/jouleka/my-signer/tree/main/app/views/docs)** - In-app documentation source
 
 ---
 
 ## Support
 
 For questions or issues:
-- Check the [main project README](https://github.com/jurgenleka/my-signer/blob/main/README.md)
-- See [ROADMAP.md](https://github.com/jurgenleka/my-signer/blob/main/ROADMAP.md) for development plans
-- Review [CHANGELOG.md](https://github.com/jurgenleka/my-signer/blob/main/CHANGELOG.md) for recent updates
+- Check the [main project README](https://github.com/jouleka/my-signer/blob/main/README.md)
+- See [ROADMAP.md](https://github.com/jouleka/my-signer/blob/main/ROADMAP.md) for development plans
+- Review [CHANGELOG.md](https://github.com/jouleka/my-signer/blob/main/CHANGELOG.md) for recent updates
 
 ---
 

data/lib/mysigner/build/android_executor.rb

@@ -293,27 +293,21 @@ module Mysigner
           cmd_parts << '&&'
         end
 
-        # Phase 0: export signing env vars inline so they're only visible to
-        # the child process, not in argv. The Gradle init script below reads
-        # MYSIGNER_STORE_FILE / MYSIGNER_STORE_PASSWORD / MYSIGNER_KEY_ALIAS /
-        # MYSIGNER_KEY_PASSWORD and configures signingConfigs.release.
+        # M3: pass the signing secrets to the build via an env hash on the
+        # spawn (execute_with_output → IO.popen(env, …)) rather than an
+        # `export VAR=… &&` shell string, which would expose the keystore/key
+        # passwords on the process table (ps, /proc/<pid>/cmdline) for the
+        # build's lifetime. The Gradle init script reads them from ENV either
+        # way; argv-form already kept them off the -P flags.
+        @signing_env = {}
         if @keystore_path && File.exist?(@keystore_path) && @signing_init_script_path
-          cmd_parts << "export MYSIGNER_STORE_FILE=#{shell_escape(File.absolute_path(@keystore_path))}"
-          cmd_parts << '&&'
-          cmd_parts << "export MYSIGNER_STORE_PASSWORD=#{shell_escape(@keystore_password)}" if @keystore_password
-          cmd_parts << '&&' if @keystore_password
-          cmd_parts << "export MYSIGNER_KEY_ALIAS=#{shell_escape(@key_alias)}" if @key_alias
-          cmd_parts << '&&' if @key_alias
-          cmd_parts << "export MYSIGNER_KEY_PASSWORD=#{shell_escape(@key_password)}" if @key_password
-          cmd_parts << '&&' if @key_password
-        end
-
-        # Export the versionCode override so the init script applies it to
-        # android.defaultConfig (a bare -PversionCode property is inert).
-        if @version_code && @signing_init_script_path
-          cmd_parts << "export MYSIGNER_VERSION_CODE=#{shell_escape(@version_code.to_s)}"
-          cmd_parts << '&&'
+          @signing_env['MYSIGNER_STORE_FILE'] = File.absolute_path(@keystore_path)
+          @signing_env['MYSIGNER_STORE_PASSWORD'] = @keystore_password if @keystore_password
+          @signing_env['MYSIGNER_KEY_ALIAS'] = @key_alias if @key_alias
+          @signing_env['MYSIGNER_KEY_PASSWORD'] = @key_password if @key_password
         end
+        # The versionCode override also flows to the init script via ENV.
+        @signing_env['MYSIGNER_VERSION_CODE'] = @version_code.to_s if @version_code && @signing_init_script_path
 
         # Change to android directory and run gradle
         cmd_parts << "cd #{shell_escape(android_dir)}"
@@ -364,8 +358,9 @@ module Mysigner
         puts "🏗️  Running: gradle #{@variant}..."
         puts ''
 
-        # Run command and capture output in real-time
-        IO.popen("#{cmd} 2>&1", 'r') do |io|
+        # Run command and capture output in real-time. The signing secrets ride
+        # in the env hash (M3), never the command string / process table.
+        IO.popen(@signing_env || {}, "#{cmd} 2>&1", 'r') do |io|
           io.each_line do |line|
             next if line.strip.empty?
 

data/lib/mysigner/build/detector.rb

@@ -72,7 +72,9 @@ module Mysigner
 
         puts "\n📦 Expo managed workflow detected (no #{platform}/ folder)"
         puts "🔧 Running: npx expo prebuild --platform #{platform}\n\n"
-        result = system("cd #{directory} && npx expo prebuild --platform #{platform}")
+        # Run via Dir.chdir + argv (no shell) so a project directory containing
+        # a space or shell metacharacter isn't split/interpreted by /bin/sh.
+        result = Dir.chdir(directory) { system('npx', 'expo', 'prebuild', '--platform', platform.to_s) }
 
         native_dir = platform == :android ? 'android' : 'ios'
         return if result && Dir.exist?("#{directory}/#{native_dir}")

data/lib/mysigner/build/executor.rb

@@ -125,7 +125,12 @@ module Mysigner
           '-quiet'
         ]
 
-        cmd.join(' ')
+        # Return the argv ARRAY (not cmd.join(' ')). execute_with_output runs
+        # it via IO.popen(array) which execs xcodebuild directly with no
+        # shell, so a scheme / bundle_id / archive path containing a space or
+        # shell metacharacter ($(), ;, backticks) is passed as one literal
+        # argument instead of being split or executed by /bin/sh.
+        cmd
       end
 
       def execute_with_output(cmd)

data/lib/mysigner/cli/auth_commands.rb

@@ -17,8 +17,8 @@ module Mysigner
             say "Install:     #{File.expand_path('../../..', __dir__)}", :white
             say "Config:      #{Config::CONFIG_FILE}", :white
             say ''
-            say 'Repository:  https://github.com/mysigner-dev/mysigner-cli', :white
-            say 'Issues:      https://github.com/mysigner-dev/mysigner-cli/issues', :white
+            say 'Repository:  https://github.com/jouleka/my-signer-cli', :white
+            say 'Issues:      https://github.com/jouleka/my-signer-cli/issues', :white
             say ''
             say 'Docs:        https://mysigner.dev/docs/commands', :white
             say 'Support:     https://mysigner.dev/landing#contact', :white
@@ -764,7 +764,7 @@ module Mysigner
             say 'Configuration:', :bold
             say "  API URL:         #{config.api_url}"
             say "  User:            #{config.user_email || '(unknown)'}"
-            say "  Encryption:      #{config.encrypted_config? ? '✓ Enabled' : '✗ Disabled'}"
+            say "  Encryption:      #{encryption_status_line(config)}"
             say ''
 
             # Show current organization
@@ -1176,6 +1176,17 @@ module Mysigner
               '?'
             end
 
+            # Honest at-rest description for `status`. On macOS the AES key is
+            # in the system Keychain (OS-protected); elsewhere it's a 0600 file
+            # right next to the encrypted token, so it's obfuscation — anyone
+            # who can read config.yml can read the key. Don't imply more.
+            def encryption_status_line(config)
+              return '✗ Disabled' unless config.encrypted_config?
+              return '✓ Enabled (macOS Keychain)' if RbConfig::CONFIG['host_os'] =~ /darwin/i
+
+              '✓ Enabled (local key file — obfuscation, not vault-grade; prefer MYSIGNER_API_TOKEN in CI)'
+            end
+
             def config_set(key = nil, value = nil)
               if key.nil? || value.nil?
                 error 'Usage: mysigner config set <key> <value>'

data/lib/mysigner/cli/build_commands.rb

@@ -660,11 +660,6 @@ module Mysigner
               say "  Target:      #{target_name}"
               say "  IPA Size:    #{format_bytes(File.size(ipa_path))}"
               say ''
-              if is_appstore && options[:submit_for_review]
-                poll_msg = options[:wait] ? "every #{automation.poll_interval}s" : 'skipped (--no-wait)'
-                say "  ASC Polling: #{poll_msg}"
-                say "  ASC Timeout: #{format_duration(options[:asc_timeout_seconds])}" if options[:asc_timeout_seconds]
-              end
 
               # Timing breakdown
               say '⏱️  Time Breakdown', :bold
@@ -1119,7 +1114,11 @@ module Mysigner
                   unless keystore_password
                     say '⚠️  Keystore password not found in My Signer', :yellow
                     say '    Upload your keystore with password: mysigner keystore upload FILE', :yellow
-                    keystore_password = ask('Keystore password:', echo: false)
+                    keystore_password = ask_required(
+                      'Keystore password:',
+                      'Pass --keystore-password or set MYSIGNER_KEYSTORE_PASSWORD to build non-interactively.',
+                      echo: false
+                    )
                     say ''
                     key_password ||= keystore_password
                   end
@@ -1621,7 +1620,8 @@ module Mysigner
                 unless version_code
                   say ''
                   say "Enter the version code to promote to #{track}:", :yellow
-                  version_code = ask('Version code:')
+                  version_code = ask_required('Version code:',
+                                              'Pass --version-code to promote non-interactively.')
                 end
 
                 say ''
@@ -1740,12 +1740,12 @@ module Mysigner
               stripped = content.lstrip
 
               begin
-                return YAML.safe_load(content, aliases: true) || {} if stripped.start_with?('---') || stripped.start_with?('- ')
+                return YAML.safe_load(content, aliases: false) || {} if stripped.start_with?('---') || stripped.start_with?('- ')
 
                 JSON.parse(content)
               rescue JSON::ParserError
                 begin
-                  YAML.safe_load(content, aliases: true) || {}
+                  YAML.safe_load(content, aliases: false) || {}
                 rescue Psych::Exception => e
                   raise MetadataFileError, "Failed to parse metadata file #{path}: #{e.message}"
                 end
@@ -1884,8 +1884,11 @@ module Mysigner
                 end
                 say ''
 
-                choice = ask("Select app to build (1-#{app_targets.count}):",
-                             limited_to: (1..app_targets.count).map(&:to_s))
+                choice = ask_required(
+                  "Select app to build (1-#{app_targets.count}):",
+                  'Pass --target <app> to select the app non-interactively.',
+                  limited_to: (1..app_targets.count).map(&:to_s)
+                )
                 target_name = app_targets[choice.to_i - 1].name
               else
                 target_name = options[:target] || parser.main_target.name

data/lib/mysigner/cli/concerns/actionable_suggestions.rb

@@ -36,8 +36,7 @@ module Mysigner
             suggestions: [
               'Apple typically takes 5-15 minutes to process builds',
               'Use --wait flag to automatically wait: mysigner ship appstore --wait',
-              'Check App Store Connect for processing status',
-              'Increase timeout: mysigner ship appstore --wait --asc-timeout-seconds 1800'
+              'Check App Store Connect for processing status'
             ]
           },
 

data/lib/mysigner/cli/concerns/api_helpers.rb

@@ -62,8 +62,16 @@ module Mysigner
 
         # Normalize API URL (add protocol, remove trailing slash)
         def normalize_api_url(url)
-          # Add http:// if no protocol specified
-          url = "http://#{url}" unless url.match?(%r{^https?://})
+          url = url.to_s.strip
+
+          # Add a scheme if none was given. Default to https; fall back to
+          # http ONLY for an obvious loopback host, so a scheme-less remote
+          # host never silently downgrades the API token to cleartext.
+          unless url.match?(%r{^https?://})
+            bare_host = url[%r{\A[^/:]+}].to_s.downcase
+            scheme = Mysigner::Client::LOOPBACK_HOSTS.include?(bare_host) ? 'http' : 'https'
+            url = "#{scheme}://#{url}"
+          end
 
           # Remove trailing slash
           url.chomp('/')
@@ -79,10 +87,15 @@ module Mysigner
           # Must have a host
           return false if uri.host.nil? || uri.host.empty?
 
+          # Plain http may only target a loopback host (local dev). The API
+          # token is sent as a Bearer header, so http to a remote host would
+          # leak it in cleartext. uri.hostname strips IPv6 brackets ([::1]).
+          return false if uri.scheme == 'http' &&
+                          !Mysigner::Client::LOOPBACK_HOSTS.include?(uri.hostname.downcase)
+
           # Valid formats:
           # - http://localhost:3000
           # - https://api.example.com
-          # - http://192.168.1.1:8080
           true
         rescue URI::InvalidURIError
           false

data/lib/mysigner/cli/concerns/error_handlers.rb

@@ -235,7 +235,6 @@ module Mysigner
           say ''
           say '   → Apple typically takes 5-15 minutes to process builds', :yellow
           say '   → Use --wait flag: mysigner ship appstore --wait', :yellow
-          say '   → Increase timeout: --asc-timeout-seconds 1800', :yellow
           say '   → Check App Store Connect for processing status', :yellow
           say ''
         end

data/lib/mysigner/cli/concerns/helpers.rb

@@ -4,14 +4,6 @@ module Mysigner
   class CLI < Thor
     module Concerns
       module Helpers
-        # Helper for timing operations
-        def with_timing(_label)
-          start = Time.now
-          result = yield
-          duration = Time.now - start
-          [result, duration]
-        end
-
         def format_duration(seconds)
           if seconds < 60
             "#{seconds.round}s"
@@ -27,13 +19,21 @@ module Mysigner
         end
 
         def format_bytes(bytes)
-          if bytes < 1024
-            "#{bytes} B"
-          elsif bytes < 1024 * 1024
-            "#{(bytes / 1024.0).round(1)} KB"
-          else
-            "#{(bytes / (1024.0 * 1024)).round(1)} MB"
+          Mysigner::Formatting.format_bytes(bytes)
+        end
+
+        # ask() that fails loud in non-interactive mode (no TTY) instead of
+        # silently consuming EOF — Thor's ask returns '' on EOF, which surfaces
+        # later as a confusing downstream error (e.g. "wrong keystore password"
+        # for an empty password). `hint` tells the user which flag/env var to
+        # pass instead. Behaves exactly like ask() when a terminal is attached.
+        def ask_required(prompt, hint, **)
+          unless $stdin.tty?
+            error "#{prompt.to_s.sub(/:\s*\z/, '')} is required, but no terminal is attached for input."
+            say hint, :yellow
+            exit 1
           end
+          ask(prompt, **)
         end
 
         # Client-side UDID validity check for iOS devices. Matches the two

data/lib/mysigner/cli/diagnostic_commands.rb

@@ -148,9 +148,13 @@ module Mysigner
                 say 'Checking signing identity for team...', :yellow
                 team_id = org_data['app_store_connect_team_id']
 
-                # Check if signing identities exist in keychain for this team
-                identities = `security find-identity -v -p codesigning 2>/dev/null | grep -i "#{team_id}"`
-                has_identity = $CHILD_STATUS.success? && !identities.strip.empty?
+                # Capture identities with a CONSTANT command (no interpolation)
+                # and filter in Ruby, so a server-supplied team_id can never be
+                # a shell / grep-regex injection sink. Matches `grep -i`
+                # (case-insensitive substring) semantics.
+                all_identities = `security find-identity -v -p codesigning 2>/dev/null`
+                has_identity = $CHILD_STATUS.success? &&
+                               all_identities.downcase.include?(team_id.to_s.downcase)
 
                 if has_identity
                   say "  ✓ Signing identity found for team #{team_id}", :green
@@ -738,8 +742,13 @@ module Mysigner
                 # Import private key directly to keychain (so certificate can pair)
                 File.write(key_path, key.to_pem)
 
-                `security import #{key_path} -k ~/Library/Keychains/login.keychain-db -T /usr/bin/codesign -T /usr/bin/security 2>&1`
-                import_success = $CHILD_STATUS.success?
+                # argv form (no shell); expand the keychain path in Ruby so a
+                # $HOME containing a space doesn't break the import.
+                login_keychain = File.expand_path('~/Library/Keychains/login.keychain-db')
+                import_success = system('security', 'import', key_path,
+                                        '-k', login_keychain,
+                                        '-T', '/usr/bin/codesign', '-T', '/usr/bin/security',
+                                        out: File::NULL, err: File::NULL)
 
                 say '  ✓ CSR saved to Downloads', :green
                 if import_success
@@ -830,6 +839,8 @@ module Mysigner
                   say '  Downloading profile...', :cyan
                   download_url = "/api/v1/organizations/#{config.current_organization_id}/profiles/#{profile['id']}/download"
 
+                  # Never attach the API token to a non-https (non-loopback) endpoint.
+                  Mysigner::Client.assert_secure_api_url!(config.api_url)
                   conn = Faraday.new(url: config.api_url) do |f|
                     f.request :authorization, 'Bearer', config.api_token
                     f.adapter Faraday.default_adapter

data/lib/mysigner/cli/resource_commands.rb

@@ -305,7 +305,10 @@ module Mysigner
                 # Get device name if ideviceinfo is available
                 name = 'iOS Device'
                 if system('which ideviceinfo > /dev/null 2>&1')
-                  device_name = `ideviceinfo -u #{udid} -k DeviceName 2>/dev/null`.strip
+                  # argv form (no shell): a USB device reporting a UDID with
+                  # shell metacharacters can't inject. err → NULL mirrors 2>/dev/null.
+                  device_name = IO.popen(['ideviceinfo', '-u', udid, '-k', 'DeviceName'],
+                                         err: File::NULL, &:read).to_s.strip
                   name = device_name unless device_name.empty?
                 end
 
@@ -638,6 +641,8 @@ module Mysigner
                 say 'Fetching profile content...', :yellow
 
                 # Use Faraday directly with proper auth for binary download
+                # (never attach the API token to a non-https/non-loopback host).
+                Mysigner::Client.assert_secure_api_url!(config.api_url)
                 conn = Faraday.new(url: config.api_url) do |f|
                   f.request :authorization, 'Bearer', config.api_token
                   f.headers['X-User-Email'] = config.user_email if config.user_email
@@ -978,6 +983,8 @@ module Mysigner
                 say 'Fetching certificate content...', :yellow
 
                 # Use Faraday directly with proper auth for binary download
+                # (never attach the API token to a non-https/non-loopback host).
+                Mysigner::Client.assert_secure_api_url!(config.api_url)
                 conn = Faraday.new(url: config.api_url) do |f|
                   f.request :authorization, 'Bearer', config.api_token
                   f.headers['X-User-Email'] = config.user_email if config.user_email