Add --force flag to release script for overwriting existing releases

Author: amcchord

README.md

@@ -955,6 +955,9 @@ The `release-all-in-one.sh` script automates the entire release workflow:
 
 # Build locally without pushing to GitHub
 ./scripts/release-all-in-one.sh --no-push
+
+# Re-release existing version (overwrite tag and GitHub release)
+./scripts/release-all-in-one.sh --force v2.5.0
 ```
 
 **What it does:**
@@ -972,14 +975,43 @@ The `release-all-in-one.sh` script automates the entire release workflow:
 12. Pushes to GitHub
 13. Creates GitHub release with all assets
 
-**Environment Variables:**
-- `APPLE_ID`: Apple ID for macOS notarization (optional)
-- `APP_SPECIFIC_PASSWORD`: App-specific password for notarization (optional)
+**Environment Variables (REQUIRED for releases):**
+- `APPLE_ID`: Apple ID for macOS notarization
+- `APP_SPECIFIC_PASSWORD`: App-specific password for notarization
+
+⚠️ **Important**: macOS binaries MUST be signed and notarized to work on user systems. The script enforces this requirement and will fail if credentials are not provided. For local testing only, use `--no-push --skip-macos-signing`.
+
+**Setting Up Credentials (One-Time Setup):**
+
+```bash
+# Option 1: Use credentials file (Recommended - saves credentials locally)
+# File is already created at scripts/release-env.sh and gitignored for security
+source scripts/release-env.sh
+
+# Option 2: Set manually each time
+export APPLE_ID='your-apple-id@example.com'
+export APP_SPECIFIC_PASSWORD='xxxx-xxxx-xxxx-xxxx'
+```
+
+**Getting Apple Credentials:**
+1. **Apple ID**: Your Apple Developer account email
+2. **App-Specific Password**:
+   - Go to [appleid.apple.com](https://appleid.apple.com)
+   - Sign in and navigate to Security section
+   - Click "Generate Password" under App-Specific Passwords
+   - Copy the generated password (format: xxxx-xxxx-xxxx-xxxx)
+3. **Developer ID Certificate**: Install from Apple Developer account
+   - Required for code signing
+   - Must be "Developer ID Application" certificate
+
+**Security Note**: The `scripts/release-env.sh` file is gitignored and will never be committed to the repository.
 
 **Options:**
 - `--dry-run`: Simulate without making changes
 - `--skip-tests`: Skip running tests
 - `--no-push`: Build locally without GitHub operations
+- `--skip-macos-signing`: Skip signing (TESTING ONLY, must use with --no-push)
+- `--force` or `-f`: Force overwrite existing release (deletes tag and GitHub release)
 - `--help`: Show detailed help
 
 ### Manual Release (Legacy)

docs/MODERNIZATION_NOTES.md

@@ -97,10 +97,11 @@ Created `scripts/release-all-in-one.sh` that consolidates the entire release wor
 - Version file updates (Makefile, config.go)
 - Optional test execution
 - Complete build pipeline
-- macOS signing and notarization
+- **Mandatory macOS signing and notarization** (enforced for releases)
 - Package creation and checksums
 - Git operations (commit, tag, push)
 - GitHub release creation and asset upload
+- Signature verification before release
 
 **Benefits:**
 - Single command for complete release
@@ -111,12 +112,36 @@ Created `scripts/release-all-in-one.sh` that consolidates the entire release wor
 
 **Options:**
 ```bash
---dry-run      # Test without changes
---skip-tests   # Skip test execution
---no-push      # Local build only
---help         # Show usage
+--dry-run              # Test without changes
+--skip-tests           # Skip test execution
+--no-push              # Local build only
+--skip-macos-signing   # Skip signing (TESTING ONLY, requires --no-push)
+--help                 # Show usage
 ```
 
+**macOS Code Signing (MANDATORY):**
+
+The release script enforces mandatory code signing and notarization for all macOS binaries:
+
+- **Why Required**: Unsigned binaries won't run on user systems due to macOS Gatekeeper
+- **Enforcement**: Script fails if Apple credentials not provided for GitHub releases
+- **Verification**: Signatures are verified before creating GitHub release
+- **Testing Mode**: Use `--no-push --skip-macos-signing` for local testing only
+
+**Required Environment Variables:**
+```bash
+export APPLE_ID='your-apple-id@example.com'
+export APP_SPECIFIC_PASSWORD='xxxx-xxxx-xxxx-xxxx'
+```
+
+The script will:
+1. Check for macOS environment
+2. Validate Apple credentials
+3. Sign binaries with Developer ID Application certificate
+4. Submit for notarization (may take several minutes)
+5. Verify signatures before proceeding
+6. Fail release if any signing step fails
+
 ### 5. Code Quality Improvements
 
 #### Tool Description Organization

release/v2.5.0/RELEASE_NOTES.md

@@ -0,0 +1,27 @@
+# Slide MCP Server v2.5.0
+
+## Changes
+
+- Various improvements and bug fixes
+
+## Installation
+
+Download the appropriate binary for your platform:
+
+- **Linux x64**: slide-mcp-server-$NEW_VERSION-macos-x64.tar.gz
+- **Linux ARM64**: slide-mcp-server-$NEW_VERSION-macos-arm64.tar.gz  
+- **macOS x64**: slide-mcp-server-$NEW_VERSION-macos-x64.tar.gz (or darwin-amd64.tar.gz)
+- **macOS ARM64**: slide-mcp-server-$NEW_VERSION-macos-arm64.tar.gz (or darwin-arm64.tar.gz)
+- **Windows x64**: slide-mcp-server-$NEW_VERSION-windows-x64.zip
+
+## Verification
+
+Verify the integrity of your download using the checksums.sha256 file:
+
+```bash
+shasum -a 256 -c checksums.sha256
+```
+
+## macOS Security
+
+The macOS binaries are signed and notarized by Apple. They should run without security warnings on macOS 10.15+ systems.

release/v2.5.0/checksums.sha256

@@ -0,0 +1,9 @@
+38f56d0b365f238feda98080c9310b85507d9698fdb234b88b62575a558a45b0  ./slide-mcp-server-darwin-amd64.zip
+5f864ddd37edb21f954333d4b633f56c454e6381939c4acff0e37a39a59afcbe  ./slide-mcp-server-darwin-arm64.zip
+8f18eacb8c9411b0ed7c448b0455950e1e2378321f1907000de50ec6ea349105  ./slide-mcp-server-v2.5.0-darwin-amd64.tar.gz
+27239f21ca58ee098ea5715e50f261cc54605f06e82b958f502e8da4fa21138e  ./slide-mcp-server-v2.5.0-darwin-arm64.tar.gz
+946b94efe7e66e801ac9f1c1a735b5eccc9953413aa8d9bcddd9ea567d328fd5  ./slide-mcp-server-v2.5.0-linux-amd64.tar.gz
+712f4b821e46504f99884593c8d0e341b5c531c0f4b29db522975b262adbc1fd  ./slide-mcp-server-v2.5.0-linux-arm64.tar.gz
+26176e17758812fa2de98e542fcc5bd888a7f558bacb5bffc012a9fda9fd13a3  ./slide-mcp-server-v2.5.0-macos-amd64.tar.gz
+27239f21ca58ee098ea5715e50f261cc54605f06e82b958f502e8da4fa21138e  ./slide-mcp-server-v2.5.0-macos-arm64.tar.gz
+5d0ad48d34fdc8e3531eab3177787ddf2399bf6cb62780f5a30f12a8f67cb8d5  ./slide-mcp-server-v2.5.0-windows-x64.zip

scripts/RELEASE_README.md

@@ -4,23 +4,27 @@ This document describes how to use the automated release script for Slide MCP Se
 
 ## Quick Start
 
-First, set your Apple credentials as environment variables:
+First, set your Apple credentials. **Option 1 (Recommended)**: Use the credentials file:
 
 ```bash
-export APPLE_ID='your-apple-id@example.com'
-export APP_SPECIFIC_PASSWORD='your-app-specific-password'
+# One-time setup (credentials are saved securely and gitignored)
+cp scripts/release-env.template scripts/release-env.sh
+# Edit scripts/release-env.sh with your actual credentials
+nano scripts/release-env.sh  # or use your preferred editor
+
+# Then, before each release:
+source scripts/release-env.sh
 ```
 
-Or use the provided template:
+**Option 2**: Set environment variables manually each time:
 
 ```bash
-# Copy and customize the template
-cp scripts/release-env.template scripts/release-env.sh
-# Edit scripts/release-env.sh with your credentials
-# Source the environment
-source scripts/release-env.sh
+export APPLE_ID='your-apple-id@example.com'
+export APP_SPECIFIC_PASSWORD='your-app-specific-password'
 ```
 
+The credentials file (`scripts/release-env.sh`) is automatically gitignored, so your credentials stay secure on your local machine.
+
 To create a new release with auto-incremented version:
 
 ```bash