ios-app-review-plugin 1.0.0

package/.claude/settings.local.json

@@ -0,0 +1,42 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(xargs:*)",
+      "Bash(npm install)",
+      "Bash(npm run build:*)",
+      "Bash(npm test:*)",
+      "Bash(npm run lint:*)",
+      "Bash(git add:*)",
+      "Bash(git commit -m \"$\\(cat <<''EOF''\nImplement Phase 2: App Store Connect Integration\n\nAdd App Store Connect API integration to validate app metadata, screenshots,\nversions, and in-app purchases before submission.\n\nNew features:\n- JWT authentication using ES256 with token caching and auto-refresh\n- API client with rate limiting \\(500 req/hr\\), exponential backoff, pagination\n- ASC analyzers for metadata, screenshots, versions, and IAP validation\n- 5 new MCP tools: validate_asc_metadata, validate_asc_screenshots,\n  compare_versions, validate_iap, full_asc_validation\n- Updated analyze_ios_app with includeASC option\n\nGraceful handling when credentials not configured - returns info-level\nissue rather than failing, allowing local-only analysis to continue.\n\nCo-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>\nEOF\n\\)\")",
+      "Bash(git push)",
+      "Bash(gh auth status:*)",
+      "Bash(gh auth:*)",
+      "Bash(gh repo sync:*)",
+      "Bash(gh api:*)",
+      "Bash(npx tsc:*)",
+      "Bash(npx jest:*)",
+      "Bash(git -C /Users/austem/Developer/Private/ios-app-review-plugin status)",
+      "Bash(git -C /Users/austem/Developer/Private/ios-app-review-plugin diff --stat)",
+      "Bash(git -C /Users/austem/Developer/Private/ios-app-review-plugin log --oneline -5)",
+      "Bash(git -C /Users/austem/Developer/Private/ios-app-review-plugin diff)",
+      "Bash(git -C /Users/austem/Developer/Private/ios-app-review-plugin add package.json src/analyzer.ts src/analyzers/index.ts src/index.ts src/parsers/xcodeproj.ts src/types/index.ts src/analyzers/asc-iap.ts src/analyzers/asc-metadata.ts src/analyzers/asc-screenshots.ts src/analyzers/asc-version.ts src/analyzers/deprecated-api.ts src/analyzers/private-api.ts src/analyzers/security.ts src/analyzers/ui-ux.ts src/asc/ tests/analyzers/asc-iap.test.ts tests/analyzers/asc-metadata.test.ts tests/analyzers/asc-screenshots.test.ts tests/analyzers/asc-version.test.ts tests/analyzers/deprecated-api.test.ts tests/analyzers/private-api.test.ts tests/analyzers/security.test.ts tests/analyzers/ui-ux.test.ts tests/asc/)",
+      "Bash(git -C /Users/austem/Developer/Private/ios-app-review-plugin commit -m \"$\\(cat <<''EOF''\nImplement Phase 2 \\(ASC integration\\) and Phase 3 \\(advanced analysis\\)\n\nPhase 2 adds App Store Connect API integration with JWT auth, rate\nlimiting, and validators for metadata, screenshots, versions, and IAP.\nPhase 3 adds deprecated API detection \\(20 APIs with deployment target\nawareness\\), private API scanning \\(selectors, frameworks, URL schemes\\),\nsecurity analysis \\(weak crypto, insecure storage, SQL injection\\), and\nUI/UX compliance checks \\(launch screen, icons, iPad, accessibility\\).\nBumps version to 0.3.0 with 13 MCP tools and 114 passing tests.\n\nCo-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>\nEOF\n\\)\")",
+      "Bash(git commit:*)",
+      "Bash(gh release create:*)",
+      "Bash(wc:*)",
+      "Bash(ls:*)",
+      "Bash(npm run test:*)",
+      "Bash(npm list:*)",
+      "Bash(chmod:*)",
+      "Bash(git -C /Users/austem/Developer/Private/ios-app-review-plugin commit -m \"$\\(cat <<''EOF''\nImplement Phase 5: CI/CD & Polish \\(v1.0.0\\)\n\nDual-mode CLI/MCP entry point, parallel analysis with Promise.allSettled,\nfile caching, incremental git-based scanning, progress reporting, badge\ngeneration, GitHub Actions CI/publish workflows, Fastlane/Bitrise/Xcode\nCloud integrations, comprehensive docs, 486 tests at 80%+ coverage.\n\nCo-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>\nEOF\n\\)\")",
+      "Bash(git -C /Users/austem/Developer/Private/ios-app-review-plugin push)",
+      "Bash(git -C /Users/austem/Developer/Private/ios-app-review-plugin add docs/ROADMAP.md)",
+      "Bash(git -C /Users/austem/Developer/Private/ios-app-review-plugin commit -m \"$\\(cat <<''EOF''\nUpdate ROADMAP to mark Phase 5 as complete\n\nCo-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>\nEOF\n\\)\")",
+      "Bash(gh issue list:*)",
+      "Bash(gh issue close:*)",
+      "Bash(npm whoami:*)",
+      "Bash(npm view:*)",
+      "Bash(npm publish:*)"
+    ]
+  }
+}

package/.github/actions/ios-review/action.yml

@@ -0,0 +1,106 @@
+name: 'iOS App Review'
+description: 'Scan an iOS project for App Store review issues before submission'
+author: 'ahmetsina'
+
+branding:
+  icon: 'shield'
+  color: 'blue'
+
+inputs:
+  project-path:
+    description: 'Path to the iOS project (.xcodeproj or .xcworkspace directory)'
+    required: true
+  format:
+    description: 'Output format: json, markdown, or html'
+    required: false
+    default: 'json'
+  analyzers:
+    description: 'Comma-separated list of analyzers to run (default: all). Options: info-plist, privacy, entitlements, code, deprecated-api, private-api, security, ui-ux'
+    required: false
+    default: 'all'
+  config:
+    description: 'Path to custom rules config file (.ios-review-rules.json)'
+    required: false
+    default: ''
+  version:
+    description: 'Version of ios-app-review-plugin to install (default: latest)'
+    required: false
+    default: 'latest'
+
+outputs:
+  exit-code:
+    description: 'Exit code from the scan (0 = passed, 1 = issues found, 2 = error)'
+    value: ${{ steps.scan.outputs.exit-code }}
+  report-path:
+    description: 'Path to the generated report file'
+    value: ${{ steps.scan.outputs.report-path }}
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Setup Node.js 20
+      uses: actions/setup-node@v4
+      with:
+        node-version: 20
+
+    - name: Install ios-app-review-plugin
+      shell: bash
+      run: npm install -g ios-app-review-plugin@${{ inputs.version }}
+
+    - name: Run iOS App Review scan
+      id: scan
+      shell: bash
+      run: |
+        REPORT_DIR="${RUNNER_TEMP}/ios-review-report"
+        mkdir -p "$REPORT_DIR"
+
+        # Determine file extension based on format
+        case "${{ inputs.format }}" in
+          json) EXT="json" ;;
+          html) EXT="html" ;;
+          markdown) EXT="md" ;;
+          *) EXT="json" ;;
+        esac
+
+        REPORT_PATH="${REPORT_DIR}/report.${EXT}"
+
+        # Build the command
+        CMD="ios-app-review scan ${{ inputs.project-path }} --format ${{ inputs.format }} --output ${REPORT_PATH}"
+
+        # Add analyzers if not 'all'
+        if [ "${{ inputs.analyzers }}" != "all" ]; then
+          CMD="${CMD} --analyzers ${{ inputs.analyzers }}"
+        fi
+
+        # Add custom config if provided
+        if [ -n "${{ inputs.config }}" ]; then
+          CMD="${CMD} --config ${{ inputs.config }}"
+        fi
+
+        # Run the scan and capture exit code
+        set +e
+        eval "$CMD"
+        EXIT_CODE=$?
+        set -e
+
+        echo "exit-code=${EXIT_CODE}" >> "$GITHUB_OUTPUT"
+        echo "report-path=${REPORT_PATH}" >> "$GITHUB_OUTPUT"
+
+        # Print summary
+        if [ "$EXIT_CODE" -eq 0 ]; then
+          echo "::notice::iOS App Review scan passed with no issues."
+        elif [ "$EXIT_CODE" -eq 1 ]; then
+          echo "::warning::iOS App Review scan found issues. See report at ${REPORT_PATH}"
+        else
+          echo "::error::iOS App Review scan failed with exit code ${EXIT_CODE}"
+        fi
+
+        exit $EXIT_CODE
+
+    - name: Upload report artifact
+      if: always()
+      uses: actions/upload-artifact@v4
+      with:
+        name: ios-review-report
+        path: ${{ steps.scan.outputs.report-path }}
+        retention-days: 30

package/.github/workflows/ci.yml

@@ -0,0 +1,103 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run ESLint
+        run: npx eslint src/**/*.ts
+
+  typecheck:
+    name: Type Check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run TypeScript type checking
+        run: npx tsc --noEmit
+
+  test:
+    name: Test (Node ${{ matrix.node-version }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        node-version: [18, 20, 22]
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run tests with coverage
+        run: npx jest --coverage
+
+      - name: Upload coverage report
+        if: matrix.node-version == 20
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-report
+          path: coverage/
+          retention-days: 14
+
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    needs: [lint, typecheck, test]
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build package
+        run: npm run build
+
+      - name: Verify dist output exists
+        run: test -f dist/index.js

package/.github/workflows/publish.yml

@@ -0,0 +1,57 @@
+name: Publish to npm
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: read
+
+jobs:
+  publish:
+    name: Build & Publish
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+          registry-url: https://registry.npmjs.org
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run linter
+        run: npx eslint src/**/*.ts
+
+      - name: Run type checking
+        run: npx tsc --noEmit
+
+      - name: Run tests
+        run: npx jest --coverage
+
+      - name: Build package
+        run: npm run build
+
+      - name: Verify dist output exists
+        run: test -f dist/index.js
+
+      - name: Verify tag matches package.json version
+        run: |
+          PACKAGE_VERSION="v$(node -p "require('./package.json').version")"
+          TAG_VERSION="${GITHUB_REF#refs/tags/}"
+          if [ "$PACKAGE_VERSION" != "$TAG_VERSION" ]; then
+            echo "Error: Tag $TAG_VERSION does not match package.json version $PACKAGE_VERSION"
+            exit 1
+          fi
+          echo "Version verified: $TAG_VERSION"
+
+      - name: Publish to npm
+        run: npm publish --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

package/CHANGELOG.md

@@ -0,0 +1,66 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [1.0.0] - 2026-02-06
+
+### Added
+- **CLI mode**: Dual-mode entry point — run as CLI tool (`ios-app-review scan`) or MCP server
+  - `scan` command with `--format`, `--output`, `--analyzers`, `--badge`, `--save-history` options
+  - `help` and `version` commands
+  - Exit codes: 0 (pass), 1 (issues found), 2 (error)
+- **Parallel analysis**: Analyzers run concurrently via `Promise.allSettled`
+- **Incremental scanning**: `--changed-since` flag scans only git-changed files
+- **Progress reporting**: EventEmitter-based progress events per analyzer
+- **File caching**: In-memory cache keyed by path + mtime for MCP server mode
+- **Badge generation**: shields.io-style SVG badges with score and pass/fail status
+- **GitHub Actions**: CI workflow (lint, typecheck, test matrix), publish workflow, reusable composite action
+- **CI/CD integrations**: Fastlane lane, Bitrise step, Xcode Cloud post-clone script
+- **Comprehensive documentation**: API reference, CLI guide, analyzer docs, custom rules guide, CI/CD tutorials, troubleshooting, security policy, video script outlines
+- **Examples**: GitHub Action workflow, Fastlane lane, Bitrise workflow, custom rules config
+- **Benchmarks**: Performance benchmark script for small/medium/large projects
+
+### Changed
+- README rewritten with full v1.0 feature documentation
+- Jest coverage thresholds raised to 80%
+- Version bumped to 1.0.0
+
+## [0.4.0] - 2026-02-06
+
+### Added
+- **Guidelines cross-reference**: `GuidelineMatcher` maps issues to specific App Store Review Guidelines with citations and links
+- **Report generation**: Markdown, HTML, and JSON formatters with score display, severity breakdown, and guideline references
+- **Historical comparison**: `HistoryStore` saves scan results as JSON; `HistoryComparator` diffs between scans showing new/resolved/recurring issues
+- **Custom rule engine**: `RuleLoader` reads `.ios-review-rules.json`; `CustomRuleEngine` evaluates regex-based rules with severity overrides and disable support
+- **Score calculation**: Weighted scoring (error: -10, warning: -3, info: -1) with enriched report output
+
+## [0.3.0] - 2026-02-05
+
+### Added
+- **Deprecated API analyzer**: Detects 50+ deprecated iOS APIs including UIWebView, AddressBook, UIAlertView, UIActionSheet, and deprecated UIKit/Foundation methods
+- **Private API analyzer**: Flags undocumented Apple API usage (_UIView, _NS prefixed, dlopen/dlsym, IOKit calls, and known private selectors)
+- **Security analyzer**: ATS exception auditing, weak crypto detection (MD5, SHA1, DES), insecure storage patterns, jailbreak detection code
+- **UI/UX compliance analyzer**: Launch storyboard presence, orientation support, accessibility labels, dynamic type, dark mode assets, minimum touch target hints
+
+## [0.2.0] - 2026-02-05
+
+### Added
+- **App Store Connect API client**: JWT authentication with auto-refresh, rate limiting with retry, paginated response handling
+- **ASC metadata validator**: App name length, description quality, privacy policy URL, age rating, content rights declaration
+- **ASC screenshots validator**: Screenshot count per device class, dimension validation, missing device coverage
+- **ASC version validator**: Version state checks, build attachment, copyright format, release type
+- **ASC IAP validator**: In-app purchase localization completeness, pricing configuration, review screenshot presence
+
+## [0.1.0] - 2026-02-04
+
+### Added
+- Initial release as MCP server with 17 tools
+- **Info.plist analyzer**: Required keys (CFBundleIdentifier, CFBundleVersion), privacy usage descriptions, minimum deployment target
+- **Privacy manifest analyzer**: iOS 17+ Required Reason API detection and PrivacyInfo.xcprivacy validation
+- **Entitlements analyzer**: Capability configuration, debug-only entitlements, App Groups/Associated Domains/iCloud format validation
+- **Code scanner**: Hardcoded API keys, debug print statements, force unwraps, TODO/FIXME markers, HTTP URLs
+- **Xcode project parser**: `.xcodeproj` and `.xcworkspace` support, target extraction, build settings, source file discovery
+- **Property list parser**: XML plist and OpenStep (pbxproj) format parsing

package/CONTRIBUTING.md

@@ -0,0 +1,175 @@
+# Contributing to iOS App Store Review Plugin
+
+Thank you for your interest in contributing! This document provides guidelines and information for contributors.
+
+## Development Setup
+
+### Prerequisites
+
+- Node.js 18+
+- npm or pnpm
+- TypeScript knowledge
+- Familiarity with MCP (Model Context Protocol)
+- macOS recommended (for Xcode project testing)
+
+### Getting Started
+
+```bash
+# Fork and clone the repository
+git clone https://github.com/YOUR_USERNAME/ios-app-review-plugin.git
+cd ios-app-review-plugin
+
+# Install dependencies
+npm install
+
+# Run in development mode
+npm run dev
+
+# Run tests
+npm test
+
+# Build for production
+npm run build
+```
+
+## Project Architecture
+
+### Core Components
+
+1. **MCP Server (`src/index.ts`)**: Entry point that exposes tools to Claude Code
+2. **Analyzers (`src/analyzers/`)**: Individual analysis modules for different checks
+3. **ASC Client (`src/asc/`)**: App Store Connect API integration
+4. **Parsers (`src/parsers/`)**: Xcode project and plist file parsers
+5. **Rules (`src/rules/`)**: App Store Guidelines rule definitions
+
+### Adding a New Analyzer
+
+1. Create a new file in `src/analyzers/`
+2. Implement the `Analyzer` interface:
+
+```typescript
+interface Analyzer {
+  name: string;
+  description: string;
+  analyze(projectPath: string): Promise<AnalysisResult>;
+}
+
+interface AnalysisResult {
+  passed: boolean;
+  issues: Issue[];
+  warnings: Warning[];
+}
+```
+
+3. Register the analyzer in `src/analyzers/index.ts`
+4. Add tests in `tests/analyzers/`
+
+### Adding New Guidelines
+
+Guidelines are defined in `src/rules/guidelines.ts`:
+
+```typescript
+const guideline: Guideline = {
+  id: "5.1.1",
+  title: "Data Collection and Storage",
+  description: "Apps that collect user data must have a privacy policy",
+  severity: "error",
+  check: async (context) => {
+    // Implementation
+  }
+};
+```
+
+## Code Style
+
+- Use TypeScript strict mode
+- Follow ESLint configuration
+- Use meaningful variable and function names
+- Add JSDoc comments for public APIs
+- Keep functions small and focused
+
+## Testing
+
+### Unit Tests
+
+```bash
+npm test                 # Run all tests
+npm test -- --watch      # Watch mode
+npm test -- --coverage   # With coverage
+```
+
+### Test Structure
+
+```
+tests/
+├── analyzers/
+│   ├── info-plist.test.ts
+│   └── privacy.test.ts
+├── asc/
+│   └── client.test.ts
+├── fixtures/            # Sample Xcode projects for testing
+│   ├── valid-app/
+│   └── invalid-app/
+└── integration/
+    └── full-scan.test.ts
+```
+
+### Adding Fixtures
+
+Place sample Xcode projects in `tests/fixtures/`. Include both valid and invalid examples to test detection capabilities.
+
+## Pull Request Process
+
+1. **Create an issue first** for significant changes
+2. **Fork the repository** and create a feature branch
+3. **Follow the branch naming convention**:
+   - `feature/description` for new features
+   - `fix/description` for bug fixes
+   - `docs/description` for documentation
+4. **Write tests** for new functionality
+5. **Update documentation** as needed
+6. **Submit a PR** with a clear description
+
+### PR Checklist
+
+- [ ] Tests pass (`npm test`)
+- [ ] Linting passes (`npm run lint`)
+- [ ] Build succeeds (`npm run build`)
+- [ ] Documentation updated
+- [ ] CHANGELOG updated (for significant changes)
+
+## Issue Guidelines
+
+### Bug Reports
+
+Include:
+- iOS/Xcode version
+- Plugin version
+- Steps to reproduce
+- Expected vs. actual behavior
+- Sample project if possible
+
+### Feature Requests
+
+Include:
+- Use case description
+- Related App Store Guideline (if applicable)
+- Proposed implementation (optional)
+
+## Release Process
+
+1. Update version in `package.json`
+2. Update CHANGELOG.md
+3. Create a git tag: `git tag v1.0.0`
+4. Push tag: `git push origin v1.0.0`
+5. GitHub Actions will publish to npm
+
+## Getting Help
+
+- Open an issue for questions
+- Join discussions in GitHub Discussions
+- Check existing issues before creating new ones
+
+## License
+
+By contributing, you agree that your contributions will be licensed under the MIT License.

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 ahmetsina
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.