blitzdotdev
diff --git a/‎.claude/skills/asc-iap-attach/SKILL.md‎
Lines changed: 20 additions & 32 deletions b/‎.claude/skills/asc-iap-attach/SKILL.md‎
Lines changed: 20 additions & 32 deletions
diff --git a/‎.claude/skills/asc-team-key-create/SKILL.md‎
Lines changed: 11 additions & 16 deletions b/‎.claude/skills/asc-team-key-create/SKILL.md‎
Lines changed: 11 additions & 16 deletions
diff --git a/‎.github/workflows/build.yml‎
Lines changed: 69 additions & 7 deletions b/‎.github/workflows/build.yml‎
Lines changed: 69 additions & 7 deletions
@@ -22,7 +22,7 @@ This skill uses Apple's internal iris API (`/iris/v1/subscriptionSubmissions`) v
 
 ## Preconditions
 
-- Web session cached in macOS Keychain. If no session exists or it has expired (401), call the `asc_web_auth` MCP tool first — this opens the Apple ID login window in Blitz and captures the session automatically.
+- Web session file available at `~/.blitz/asc-agent/web-session.json`. If no session exists or it has expired (401), call the `asc_web_auth` MCP tool first — this opens the Apple ID login window in Blitz and captures the session automatically.
 - Know your app ID.
 - IAPs and/or subscriptions already exist and are in **Ready to Submit** state.
 - A build is uploaded and attached to the current app version.
@@ -32,7 +32,7 @@ This skill uses Apple's internal iris API (`/iris/v1/subscriptionSubmissions`) v
 ### 1. Check for an existing web session
 
 ```bash
-security find-generic-password -s "asc-web-session" -a "asc:web-session:store" -w > /dev/null 2>&1 && echo "SESSION_EXISTS" || echo "NO_SESSION"
+test -f ~/.blitz/asc-agent/web-session.json && echo "SESSION_EXISTS" || echo "NO_SESSION"
 ```
 
 - If `NO_SESSION`: call the `asc_web_auth` MCP tool first. Wait for it to complete before proceeding.
@@ -44,20 +44,16 @@ Use the iris API to list subscription groups (with subscriptions) and in-app pur
 
 ```bash
 python3 -c "
-import json, subprocess, urllib.request, sys
+import json, os, urllib.request, sys
 
 APP_ID = 'APP_ID_HERE'
 
-try:
-    raw = subprocess.check_output([
-        'security', 'find-generic-password',
-        '-s', 'asc-web-session',
-        '-a', 'asc:web-session:store',
-        '-w'
-    ], stderr=subprocess.DEVNULL).decode()
-except subprocess.CalledProcessError:
+session_path = os.path.expanduser('~/.blitz/asc-agent/web-session.json')
+if not os.path.isfile(session_path):
     print('ERROR: No web session found. Call asc_web_auth MCP tool first.')
     sys.exit(1)
+with open(session_path) as f:
+    raw = f.read()
 
 store = json.loads(raw)
 session = store['sessions'][store['last_key']]
@@ -118,18 +114,14 @@ Use the following script to attach subscriptions. **Do not print or log the cook
 
 ```bash
 python3 -c "
-import json, subprocess, urllib.request, sys
-
-try:
-    raw = subprocess.check_output([
-        'security', 'find-generic-password',
-        '-s', 'asc-web-session',
-        '-a', 'asc:web-session:store',
-        '-w'
-    ], stderr=subprocess.DEVNULL).decode()
-except subprocess.CalledProcessError:
+import json, os, urllib.request, sys
+
+session_path = os.path.expanduser('~/.blitz/asc-agent/web-session.json')
+if not os.path.isfile(session_path):
     print('ERROR: No web session found. Call asc_web_auth MCP tool first.')
     sys.exit(1)
+with open(session_path) as f:
+    raw = f.read()
 
 store = json.loads(raw)
 session = store['sessions'][store['last_key']]
@@ -178,18 +170,14 @@ For in-app purchases (non-subscription), change the type and relationship:
 
 ```bash
 python3 -c "
-import json, subprocess, urllib.request, sys
-
-try:
-    raw = subprocess.check_output([
-        'security', 'find-generic-password',
-        '-s', 'asc-web-session',
-        '-a', 'asc:web-session:store',
-        '-w'
-    ], stderr=subprocess.DEVNULL).decode()
-except subprocess.CalledProcessError:
+import json, os, urllib.request, sys
+
+session_path = os.path.expanduser('~/.blitz/asc-agent/web-session.json')
+if not os.path.isfile(session_path):
     print('ERROR: No web session found. Call asc_web_auth MCP tool first.')
     sys.exit(1)
+with open(session_path) as f:
+    raw = f.read()
 
 store = json.loads(raw)
 session = store['sessions'][store['last_key']]
@@ -243,7 +231,7 @@ After attachment, call `get_tab_state` for `ascOverview` to refresh the submissi
 The subscription is already attached — this is safe to ignore. HTTP 409 with this message means the item was previously attached.
 
 ### 401 Not Authorized (iris API)
-The web session has expired. Call the `asc_web_auth` MCP tool to open the Apple ID login window in Blitz — this captures a fresh session and saves it to the keychain automatically. The user will need to complete Apple ID login + 2FA in the popup. After the tool returns success, retry the iris API calls.
+The web session has expired. Call the `asc_web_auth` MCP tool to open the Apple ID login window in Blitz — this captures a fresh session and refreshes `~/.blitz/asc-agent/web-session.json` automatically. The user will need to complete Apple ID login + 2FA in the popup. After the tool returns success, retry the iris API calls.
 
 ## Agent Behavior
 
 
@@ -15,17 +15,17 @@ Use this skill to create a new App Store Connect API Key with Admin permissions
 
 ## Preconditions
 
-- Web session cached in macOS Keychain. If no session exists or it has expired (401), call the `asc_web_auth` MCP tool first — this opens the Apple ID login window in Blitz and captures the session automatically.
+- Web session file available at `~/.blitz/asc-agent/web-session.json`. If no session exists or it has expired (401), call the `asc_web_auth` MCP tool first — this opens the Apple ID login window in Blitz and captures the session automatically.
 - The authenticated Apple ID must have Account Holder or Admin role.
 
 ## Workflow
 
 ### 1. Check for an existing web session
 
-Before anything else, check if a web session already exists in the macOS Keychain:
+Before anything else, check if a web session file already exists:
 
 ```bash
-security find-generic-password -s "asc-web-session" -a "asc:web-session:store" -w > /dev/null 2>&1 && echo "SESSION_EXISTS" || echo "NO_SESSION"
+test -f ~/.blitz/asc-agent/web-session.json && echo "SESSION_EXISTS" || echo "NO_SESSION"
 ```
 
 - If `NO_SESSION`: call the `asc_web_auth` MCP tool first to open the Apple ID login window in Blitz. Wait for it to complete before proceeding.
@@ -41,22 +41,17 @@ Use the following self-contained script. Replace `KEY_NAME` with the user's chos
 
 ```bash
 python3 -c "
-import json, subprocess, urllib.request, base64, os, sys, time
+import json, urllib.request, base64, os, sys, time
 
 KEY_NAME = 'KEY_NAME_HERE'
 
-# Extract cookies from keychain (silent — never print these)
-try:
-    raw = subprocess.check_output([
-        'security', 'find-generic-password',
-        '-s', 'asc-web-session',
-        '-a', 'asc:web-session:store',
-        '-w'
-    ], stderr=subprocess.DEVNULL).decode()
-except subprocess.CalledProcessError:
-    print('ERROR: No web session found. User must authenticate first.')
-    print('Run: asc web auth login --apple-id EMAIL')
+# Read web session file (silent — never print these)
+session_path = os.path.expanduser('~/.blitz/asc-agent/web-session.json')
+if not os.path.isfile(session_path):
+    print('ERROR: No web session found. Call asc_web_auth MCP tool first.')
     sys.exit(1)
+with open(session_path) as f:
+    raw = f.read()
 
 store = json.loads(raw)
 session = store['sessions'][store['last_key']]
@@ -191,7 +186,7 @@ After the script runs, report:
 ## Common Errors
 
 ### 401 Not Authorized
-The web session has expired or doesn't exist. Call the `asc_web_auth` MCP tool — this opens the Apple ID login window in Blitz and captures the session to the macOS Keychain automatically. Then retry the key creation script.
+The web session has expired or doesn't exist. Call the `asc_web_auth` MCP tool — this opens the Apple ID login window in Blitz and refreshes `~/.blitz/asc-agent/web-session.json` automatically. Then retry the key creation script.
 
 ### 409 Conflict
 A key with the same name may already exist, or another conflict occurred. Try a different name.
 
@@ -12,6 +12,13 @@ jobs:
     runs-on: macos-15
     steps:
       - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: deps/App-Store-Connect-CLI-helper/go.mod
 
       - name: Select Xcode
         run: sudo xcode-select -s /Applications/Xcode.app/Contents/Developer
@@ -45,6 +52,13 @@ jobs:
     runs-on: macos-15-intel
     steps:
       - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: deps/App-Store-Connect-CLI-helper/go.mod
 
       - name: Select Xcode
         run: sudo xcode-select -s /Applications/Xcode.app/Contents/Developer
@@ -82,6 +96,13 @@ jobs:
       contents: write
     steps:
       - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: deps/App-Store-Connect-CLI-helper/go.mod
 
       - name: Setup Node.js
         uses: actions/setup-node@v4
@@ -119,21 +140,40 @@ jobs:
           # Add to search list
           security list-keychains -d user -s "$KEYCHAIN_PATH" login.keychain-db
 
+      - name: Validate production signing inputs
+        env:
+          APPLE_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }}
+          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
+          APPLE_INSTALLER_IDENTITY: ${{ secrets.APPLE_INSTALLER_IDENTITY }}
+          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
+          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+          APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
+        run: |
+          [ -n "$APPLE_CERTIFICATE_BASE64" ] || { echo "Missing APPLE_CERTIFICATE_BASE64"; exit 1; }
+          [ -n "$APPLE_CERTIFICATE_PASSWORD" ] || { echo "Missing APPLE_CERTIFICATE_PASSWORD"; exit 1; }
+          [ -n "$APPLE_SIGNING_IDENTITY" ] || { echo "Missing APPLE_SIGNING_IDENTITY"; exit 1; }
+          [ -n "$APPLE_INSTALLER_IDENTITY" ] || { echo "Missing APPLE_INSTALLER_IDENTITY"; exit 1; }
+          [ -n "$APPLE_API_KEY" ] || { echo "Missing APPLE_API_KEY"; exit 1; }
+          [ -n "$APPLE_API_ISSUER" ] || { echo "Missing APPLE_API_ISSUER"; exit 1; }
+          [ -n "$APPLE_API_KEY_BASE64" ] || { echo "Missing APPLE_API_KEY_BASE64"; exit 1; }
+
       - name: Build release .app
         env:
-          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY || '-' }}
+          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
+          BLITZ_REQUIRE_SIGNED_RELEASE: "1"
         run: |
           swift build -c release
           bash scripts/bundle.sh release
 
       - name: Build .pkg
         env:
-          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY || '-' }}
-          APPLE_INSTALLER_IDENTITY: ${{ secrets.APPLE_INSTALLER_IDENTITY || '' }}
+          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
+          APPLE_INSTALLER_IDENTITY: ${{ secrets.APPLE_INSTALLER_IDENTITY }}
+          BLITZ_REQUIRE_SIGNED_RELEASE: "1"
         run: bash scripts/build-pkg.sh
 
       - name: Notarize .pkg
-        if: env.APPLE_API_KEY != ''
         env:
           APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
           APPLE_API_KEY_PATH: ${{ runner.temp }}/AuthKey.p8
@@ -165,7 +205,9 @@ jobs:
 
       - name: Get version
         id: version
-        run: echo "version=$(node -e "process.stdout.write(require('./package.json').version)")" >> "$GITHUB_OUTPUT"
+        run: |
+          VERSION=$(node -p "require('./package.json').version")
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
 
       - name: Extract changelog notes
         id: changelog
@@ -224,6 +266,13 @@ jobs:
       contents: write
     steps:
       - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: deps/App-Store-Connect-CLI-helper/go.mod
 
       - name: Setup Node.js
         uses: actions/setup-node@v4
@@ -260,11 +309,24 @@ jobs:
 
       - name: Get version
         id: version
-        run: echo "version=$(node -e "process.stdout.write(require('./package.json').version)")" >> "$GITHUB_OUTPUT"
+        run: |
+          VERSION=$(node -p "require('./package.json').version")
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Validate x86_64 signing inputs
+        env:
+          APPLE_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }}
+          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
+        run: |
+          [ -n "$APPLE_CERTIFICATE_BASE64" ] || { echo "Missing APPLE_CERTIFICATE_BASE64"; exit 1; }
+          [ -n "$APPLE_CERTIFICATE_PASSWORD" ] || { echo "Missing APPLE_CERTIFICATE_PASSWORD"; exit 1; }
+          [ -n "$APPLE_SIGNING_IDENTITY" ] || { echo "Missing APPLE_SIGNING_IDENTITY"; exit 1; }
 
       - name: Build x86_64 .app artifact
         env:
-          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY || '-' }}
+          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
+          BLITZ_REQUIRE_SIGNED_RELEASE: "1"
         run: |
           swift build -c release
           bash scripts/bundle.sh release