feat(build-tools): Add build pipeline workflow with 4 new tools

.mcp.json

@@ -1,8 +1,3 @@
 {
-  "mcpServers": {
-    "sentry": {
-      "type": "http",
-      "url": "https://mcp.sentry.dev/mcp"
-    }
-  }
+  "mcpServers": {}
 }

CHANGELOG.md

@@ -5,6 +5,13 @@
 ### Added
 
 - Added `xcodebuildmcp upgrade` command to check for updates and upgrade in place. Supports `--check` (report-only) and `--yes`/`-y` (skip confirmation). Detects install method (Homebrew, npm-global, npx) and queries the appropriate channel source (`brew info`, `npm view`, or GitHub Releases) for the latest version. Non-interactive environments exit 1 when an auto-upgrade is possible but `--yes` was not supplied.
+- Added `build-tools` workflow group with 4 new tools for macOS build pipeline automation
+- Added `xcodegen_generate` tool for generating Xcode projects from xcodegen specs
+- Added `create_dmg` tool for creating DMG disk images with path traversal and symlink escape protection
+- Added `codesign_app` tool for code signing and optional notarization (sign, verify, notarize, staple)
+- Added `pfctl_anchor` tool for read-only PF firewall anchor inspection
+- Added `xcodebuildmcp.output.command-result` structured output schema shared by all build-tools
+- Added `CommandResultDomainResult` type to domain results union
 
 ## [2.3.2]
 

docs/TOOLS-CLI.md

@@ -2,10 +2,20 @@
 
 This document lists CLI tool names as exposed by `xcodebuildmcp <workflow> <tool>`.
 
-XcodeBuildMCP provides 71 canonical tools organized into 13 workflow groups.
+XcodeBuildMCP provides 75 canonical tools organized into 14 workflow groups.
 
 ## Workflow Groups
 
+### Build Pipeline Tools (`build-tools`)
+**Purpose**: Extended build pipeline — project generation (xcodegen), DMG creation, code signing/notarization, and PF firewall anchor inspection. (4 tools)
+
+- `codesign` - Code-sign and optionally notarize a macOS application or DMG.
+- `dmg` - Create DMG disk image from built macOS application.
+- `pfctl` - Inspect PF firewall anchor rules (read-only). Cannot modify firewall state. Requires passwordless sudo for pfctl on host.
+- `xcodegen` - Generate Xcode project from xcodegen spec (project.yml).
+
+
+
 ### Build Utilities (`utilities`)
 **Purpose**: Utility tools for cleaning build products and managing build artifacts. (1 tools)
 
@@ -185,10 +195,10 @@ XcodeBuildMCP provides 71 canonical tools organized into 13 workflow groups.
 
 ## Summary Statistics
 
-- **Canonical Tools**: 71
-- **Total Tools**: 99
-- **Workflow Groups**: 13
+- **Canonical Tools**: 75
+- **Total Tools**: 103
+- **Workflow Groups**: 14
 
 ---
 
-*This documentation is automatically generated by `scripts/update-tools-docs.ts` from the tools manifest. Last updated: 2026-04-24T09:29:18.061Z UTC*
+*This documentation is automatically generated by `scripts/update-tools-docs.ts` from the tools manifest. Last updated: 2026-04-25T17:46:30.532Z UTC*

docs/TOOLS.md

@@ -1,9 +1,19 @@
 # XcodeBuildMCP MCP Tools Reference
 
-This document lists MCP tool names as exposed to MCP clients. XcodeBuildMCP provides 77 canonical tools organized into 15 workflow groups for comprehensive Apple development workflows.
+This document lists MCP tool names as exposed to MCP clients. XcodeBuildMCP provides 81 canonical tools organized into 16 workflow groups for comprehensive Apple development workflows.
 
 ## Workflow Groups
 
+### Build Pipeline Tools (`build-tools`)
+**Purpose**: Extended build pipeline — project generation (xcodegen), DMG creation, code signing/notarization, and PF firewall anchor inspection. (4 tools)
+
+- `codesign_app` - Code-sign and optionally notarize a macOS application or DMG.
+- `create_dmg` - Create DMG disk image from built macOS application.
+- `pfctl_anchor` - Inspect PF firewall anchor rules (read-only). Cannot modify firewall state. Requires passwordless sudo for pfctl on host.
+- `xcodegen_generate` - Generate Xcode project from xcodegen spec (project.yml).
+
+
+
 ### Build Utilities (`utilities`)
 **Purpose**: Utility tools for cleaning build products and managing build artifacts. (1 tools)
 
@@ -201,10 +211,10 @@ This document lists MCP tool names as exposed to MCP clients. XcodeBuildMCP prov
 
 ## Summary Statistics
 
-- **Canonical Tools**: 77
-- **Total Tools**: 105
-- **Workflow Groups**: 15
+- **Canonical Tools**: 81
+- **Total Tools**: 109
+- **Workflow Groups**: 16
 
 ---
 
-*This documentation is automatically generated by `scripts/update-tools-docs.ts` from the tools manifest. Last updated: 2026-04-24T09:29:18.061Z UTC*
+*This documentation is automatically generated by `scripts/update-tools-docs.ts` from the tools manifest. Last updated: 2026-04-25T17:46:30.532Z UTC*

manifests/tools/codesign_app.yaml

@@ -0,0 +1,16 @@
+id: codesign_app
+module: mcp/tools/build-tools/codesign_app
+names:
+  mcp: codesign_app
+  cli: codesign
+description: Code-sign and optionally notarize a macOS application or DMG.
+outputSchema:
+  schema: xcodebuildmcp.output.command-result
+  version: "1"
+predicates:
+  - hideWhenXcodeAgentMode
+annotations:
+  title: Code Sign App
+  readOnlyHint: false
+  destructiveHint: false
+  openWorldHint: false

manifests/tools/create_dmg.yaml

@@ -0,0 +1,21 @@
+id: create_dmg
+module: mcp/tools/build-tools/create_dmg
+names:
+  mcp: create_dmg
+  cli: dmg
+description: Create DMG disk image from built macOS application.
+outputSchema:
+  schema: xcodebuildmcp.output.command-result
+  version: "1"
+predicates:
+  - hideWhenXcodeAgentMode
+annotations:
+  title: Create DMG
+  readOnlyHint: false
+  destructiveHint: false
+  openWorldHint: false
+nextSteps:
+  - label: Sign the app
+    toolId: codesign_app
+    priority: 1
+    when: success

manifests/tools/pfctl_anchor.yaml

@@ -0,0 +1,14 @@
+id: pfctl_anchor
+module: mcp/tools/build-tools/pfctl_anchor
+names:
+  mcp: pfctl_anchor
+  cli: pfctl
+description: Inspect PF firewall anchor rules (read-only). Cannot modify firewall state. Requires passwordless sudo for pfctl on host.
+outputSchema:
+  schema: xcodebuildmcp.output.command-result
+  version: "1"
+annotations:
+  title: PF Anchor Inspector
+  readOnlyHint: true
+  destructiveHint: false
+  openWorldHint: false

manifests/tools/xcodegen_generate.yaml

@@ -0,0 +1,21 @@
+id: xcodegen_generate
+module: mcp/tools/build-tools/xcodegen_generate
+names:
+  mcp: xcodegen_generate
+  cli: xcodegen
+description: Generate Xcode project from xcodegen spec (project.yml).
+outputSchema:
+  schema: xcodebuildmcp.output.command-result
+  version: "1"
+predicates:
+  - hideWhenXcodeAgentMode
+annotations:
+  title: Xcodegen Generate
+  readOnlyHint: false
+  destructiveHint: false
+  openWorldHint: false
+nextSteps:
+  - label: Build macOS app
+    toolId: build_macos
+    priority: 1
+    when: success

manifests/workflows/build-tools.yaml

@@ -0,0 +1,8 @@
+id: build-tools
+title: Build Pipeline Tools
+description: Extended build pipeline — project generation (xcodegen), DMG creation, code signing/notarization, and PF firewall anchor inspection.
+tools:
+  - xcodegen_generate
+  - create_dmg
+  - codesign_app
+  - pfctl_anchor

schemas/structured-output/xcodebuildmcp.output.command-result/1.schema.json

@@ -0,0 +1,56 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://xcodebuildmcp.com/schemas/structured-output/xcodebuildmcp.output.command-result/1.schema.json",
+  "title": "Command Result",
+  "description": "Structured output envelope for shell command execution results.",
+  "type": "object",
+  "additionalProperties": false,
+  "allOf": [
+    {
+      "$ref": "https://xcodebuildmcp.com/schemas/structured-output/_defs/common.schema.json#/$defs/errorConsistency"
+    }
+  ],
+  "properties": {
+    "schema": {
+      "const": "xcodebuildmcp.output.command-result"
+    },
+    "schemaVersion": {
+      "const": "1"
+    },
+    "didError": {
+      "type": "boolean"
+    },
+    "error": {
+      "type": ["string", "null"]
+    },
+    "data": {
+      "anyOf": [
+        {
+          "type": "object",
+          "additionalProperties": false,
+          "properties": {
+            "command": {
+              "type": "string",
+              "description": "The tool/command that was executed"
+            },
+            "summary": {
+              "$ref": "https://xcodebuildmcp.com/schemas/structured-output/_defs/common.schema.json#/$defs/statusSummary"
+            },
+            "output": {
+              "type": "string",
+              "description": "Stdout from the command"
+            },
+            "diagnostics": {
+              "$ref": "https://xcodebuildmcp.com/schemas/structured-output/_defs/common.schema.json#/$defs/basicDiagnostics"
+            }
+          },
+          "required": ["command", "summary", "diagnostics"]
+        },
+        {
+          "type": "null"
+        }
+      ]
+    }
+  },
+  "required": ["schema", "schemaVersion", "didError", "error", "data"]
+}

scripts/ensure-mcp-server.sh

@@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+# ensure-mcp-server.sh — Start the MCP bridge if not already running.
+#
+# Idempotent: safe to call on every container start, cron, or manually.
+# Checks if port is already in use before spawning.
+#
+# Usage:
+#   ./scripts/ensure-mcp-server.sh              # default port 9090
+#   ./scripts/ensure-mcp-server.sh --port 8080   # custom port
+#   WORKFLOWS="build-tools" ./scripts/ensure-mcp-server.sh
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+PORT=9090
+
+# Parse --port from args
+prev_arg=""
+for arg in "$@"; do
+  if [[ "$prev_arg" == "--port" ]]; then
+    PORT="$arg"
+  fi
+  prev_arg="$arg"
+done
+
+# --- PID file management ---
+LOG_DIR="${SCRIPT_DIR}/../logs"
+mkdir -p "$LOG_DIR"
+LOG_FILE="${LOG_DIR}/mcp-server.log"
+PID_FILE="${LOG_DIR}/mcp-server-${PORT}.pid"
+
+stop_old_process() {
+  if [[ ! -f "$PID_FILE" ]]; then
+    return
+  fi
+  local old_pid
+  old_pid=$(cat "$PID_FILE")
+  if kill -0 "$old_pid" 2>/dev/null; then
+    echo "[ensure-mcp] Stopping previous server (PID $old_pid)..."
+    kill -TERM "$old_pid" 2>/dev/null || true
+    # Wait up to 5s for graceful shutdown (serve-mcp.sh trap propagates to children)
+    local i=0
+    while kill -0 "$old_pid" 2>/dev/null && (( i < 10 )); do
+      sleep 0.5
+      (( i++ ))
+    done
+    if kill -0 "$old_pid" 2>/dev/null; then
+      echo "[ensure-mcp] Force-killing old server (PID $old_pid)..."
+      kill -9 "$old_pid" 2>/dev/null || true
+    fi
+  fi
+  rm -f "$PID_FILE"
+}
+
+# Check if already running and healthy on this port
+if [[ -f "$PID_FILE" ]]; then
+  old_pid=$(cat "$PID_FILE")
+  if kill -0 "$old_pid" 2>/dev/null && lsof -ti :"$PORT" -sTCP:LISTEN >/dev/null 2>&1; then
+    echo "[ensure-mcp] Server already running (PID $old_pid, port $PORT)"
+    exit 0
+  fi
+  # Stale PID file or port not listening — clean up
+  stop_old_process
+fi
+
+# Port in use but no PID file — something else owns it
+if lsof -ti :"$PORT" -sTCP:LISTEN >/dev/null 2>&1; then
+  echo "[ensure-mcp] ERROR: Port $PORT in use by another process"
+  lsof -ti :"$PORT" -sTCP:LISTEN
+  exit 1
+fi
+
+# --- Launch ---
+echo "[ensure-mcp] Starting MCP server on port $PORT..."
+nohup "$SCRIPT_DIR/serve-mcp.sh" --port "$PORT" "$@" \
+  >> "$LOG_FILE" 2>&1 &
+
+SERVER_PID=$!
+echo "$SERVER_PID" > "$PID_FILE"
+
+# Wait briefly to confirm it started
+sleep 2
+if kill -0 "$SERVER_PID" 2>/dev/null; then
+  echo "[ensure-mcp] MCP server running (PID $SERVER_PID, port $PORT)"
+  echo "[ensure-mcp] Log: $LOG_FILE"
+else
+  echo "[ensure-mcp] ERROR: MCP server failed to start. Check $LOG_FILE"
+  rm -f "$PID_FILE"
+  exit 1
+fi