mysigner 0.1.7 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 81a959dbc7121c7d7a05af1428691e2e569924c5aa5312a586b11ea0d828997a
-  data.tar.gz: d888bb57fc3f8f61abe40dca59be684b9b5eaac913229b783750888de1ef1eb9
+  metadata.gz: 0f998d494e2fc03d10bf8efc81bdca8675e5ff6037860a8acf750e66b5f2c2bb
+  data.tar.gz: 8c5d7bf17a9cc3556748c6b49106a57ece2f4044e61bfc5c85287e9e7d243d5e
 SHA512:
-  metadata.gz: d8765bed9b010e211949014c301bab4bbd05f28da40874ec7d018b2be4c457a9eedd5bea7b00d750e346ee04ef3290cb5416826ebedd3f5615f2dd4fd919fc25
-  data.tar.gz: e1e0ea6c6a1809dc3287a4972a685d07ce91bb64cacd8f2605d2300926e68b1646e03e9ae74e97ac7b37d7b91767164cf0520e05cee0039a3f010da112513b26
+  metadata.gz: 3c3929aaca39e935b3d2cb2030320e1955aa24f443d5f17d1bb9f2d996ef99fb10af71dd910fffb5f1c49293a23f90d4071d3055c47e82fb529f27655f29c926
+  data.tar.gz: 3c7a4976b73851217a9f1a892c0b6d7a2e43e15ea0678d61bc7edf2d790d634822bd843c2482760b673c692edaa39d12eab41922e5c59d011854c9835493c845

data/.gitignore

@@ -15,3 +15,28 @@
 # macOS
 .DS_Store
 **/.DS_Store
+
+# Dotenv / local config
+.env
+.env.*
+*.local
+
+# Signing material — must never be committed
+*.p8
+*.p12
+*.pem
+*.key
+*.jks
+*.keystore
+*.cer
+*.mobileprovision
+*.certSigningRequest
+google-service-account*.json
+service-account*.json
+
+# Editor / IDE / Ruby LSP
+.idea/
+.vscode/
+/.ruby-lsp/
+*.swp
+*~

data/.rubocop_todo.yml

@@ -66,6 +66,7 @@ Metrics/BlockNesting:
 Metrics/ClassLength:
   Exclude:
     - 'lib/mysigner/signing/wizard.rb'
+    - 'lib/mysigner/credential_resolver.rb'
 
 # Offense count: 26
 # Configuration parameters: AllowedMethods, AllowedPatterns, Max.
@@ -91,6 +92,7 @@ Metrics/MethodLength:
     - 'lib/mysigner/cli/diagnostic_commands.rb'
     - 'lib/mysigner/cli/resource_commands.rb'
     - 'lib/mysigner/cli/validate_commands.rb'
+    - 'lib/mysigner/credential_resolver.rb'
     - 'lib/mysigner/signing/wizard.rb'
     - 'lib/mysigner/upload/app_store_automation.rb'
 
@@ -102,14 +104,16 @@ Metrics/ModuleLength:
     - 'lib/mysigner/cli/build_commands.rb'
     - 'lib/mysigner/cli/diagnostic_commands.rb'
     - 'lib/mysigner/cli/resource_commands.rb'
+    - 'lib/mysigner/credential_resolver.rb'
 
-# Offense count: 5
+# Offense count: 6
 # Configuration parameters: Max, CountKeywordArgs, MaxOptionalParameters.
 Metrics/ParameterLists:
   Exclude:
     - 'lib/mysigner/build/executor.rb'
     - 'lib/mysigner/signing/keystore_manager.rb'
     - 'lib/mysigner/upload/asc_rest_uploader.rb'
+    - 'lib/mysigner/upload/asc_submitter.rb'
     - 'lib/mysigner/upload/play_store_uploader.rb'
 
 # Offense count: 27
@@ -122,5 +126,6 @@ Metrics/PerceivedComplexity:
     - 'lib/mysigner/cli/diagnostic_commands.rb'
     - 'lib/mysigner/cli/resource_commands.rb'
     - 'lib/mysigner/cli/validate_commands.rb'
+    - 'lib/mysigner/credential_resolver.rb'
     - 'lib/mysigner/signing/wizard.rb'
     - 'lib/mysigner/upload/app_store_automation.rb'

data/CHANGELOG.md

@@ -94,3 +94,95 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Progress spinners (TTY::Spinner)
 - CI/CD templates for GitHub Actions and GitLab CI
 - Phased release support for App Store
+
+---
+
+## [0.2.0] - 2026-05-26
+
+### Added — `--local-only` mode
+
+Brand-new opt-in mode that lets you ship to TestFlight / Play Store
+without sending any signing credentials to the MySigner server.
+Activate via the `--local-only` flag on any command or by setting
+`MYSIGNER_LOCAL_ONLY=1`. Proven end-to-end against a real iOS app
+(real TestFlight upload).
+
+- **Credential auto-discovery cascade** (`Mysigner::CredentialResolver`):
+  walks per-command flags → env vars (`APP_STORE_CONNECT_API_KEY_*`,
+  `GOOGLE_APPLICATION_CREDENTIALS`, `MYSIGNER_KEYSTORE_*` /
+  `ANDROID_KEYSTORE_*`) → macOS Keychain (`Mysigner::LocalCredentials`)
+  → standard tool locations (`~/.appstoreconnect/private_keys/AuthKey_*.p8`,
+  `eas.json`, `android/key.properties`, `android/app/build.gradle[.kts]`
+  inline `signingConfigs`, `~/.gradle/gradle.properties`) → interactive
+  prompt (TTY-gated; non-TTY fails loud with the exact override knob to
+  set).
+- **iOS local-only ship** (`mysigner --local-only ship appstore`):
+  bypasses MySigner auth bootstrap entirely (no login required). Mints
+  ASC JWT locally and shells out to `xcrun altool --upload-app` (Apple's
+  canonical CLI). Submit-for-review automated via the modern 3-step
+  `/v1/reviewSubmissions` choreography.
+- **Android local-only ship** (`mysigner --local-only ship play`): mints
+  Google OAuth2 access token locally from the discovered SA-JSON.
+  Pre-checks Play's highest existing `versionCode` and exits with a
+  "bump versionCode to N+1" hint before wasting an upload Google would
+  reject. Bypasses every MySigner server endpoint that previously ran
+  on the Android path (keystore download, build records, etc.).
+- **`mysigner onboard --local-only`**: walks the user through local
+  credential setup interactively; skips the per-platform prompt when
+  credentials are already discoverable via the cascade.
+
+### Added — Security & hygiene
+
+- **`mysigner logout --purge`**: optionally hard-deletes stored
+  credentials on the MySigner server AND wipes local Keychain entries.
+  Default behavior prompts (TTY-only; non-TTY defaults to No). New
+  `--no-purge` flag opts out without prompting.
+- Two new global flags: `--local-only` and `--auto-submit` /
+  `--no-auto-submit`.
+- New per-command flags on `ship`: `--asc-key-path`, `--asc-key-id`,
+  `--asc-issuer-id`, `--apple-id`, `--play-credentials`,
+  `--keystore-path`, `--keystore-password`, `--key-alias`,
+  `--key-password`.
+
+### Changed
+
+- "Not logged in" error now also suggests `--local-only` as an
+  alternative for users who don't want a MySigner account.
+- `Signing::Validator`'s no-team error message no longer suggests "Add
+  team to My Signer" when in `--local-only` mode.
+- Multiple Apple `appStoreState` values handled with actionable typed
+  errors during submit-for-review (`VersionInFlightError`,
+  `VersionAlreadyReleasedError`, `SubmissionRejectedError`,
+  `BuildProcessingTimeoutError`, `AppleApiError`).
+- Submit-for-review poll loop is resilient to transient errors and
+  respects HTTP 429 `Retry-After`.
+- `Config#load` uses `YAML.safe_load_file` instead of `YAML.load_file`
+  — rejects `!ruby/object:` directives loud.
+
+### Removed (breaking)
+
+- **`MYSIGNER_USE_LEGACY_ASC` env var + the legacy altool path it
+  gated**. The modern envelope-encryption path (vault mode) and the new
+  `--local-only` mode supersede it. Users relying on this env var will
+  need to migrate.
+- `Mysigner::Signing::KeystoreManager#list` / `#active_keystore` no
+  longer accept the deprecated `include_secrets:` keyword (fetch
+  passwords via `#fetch_secrets` instead — already the modern path).
+- Test certs / mobileprovision files removed from the gem bundle.
+
+### Fixed
+
+- Thor parser bug where `--local-only` (or any class_option) placed
+  before the subcommand was eaten by Thor's command-name lookup,
+  silently routing to `help`. The `exe/mysigner` entry point now hoists
+  leading class_options past the subcommand word.
+- The previous iOS REST upload reinvented Apple's `/v1/buildUploads`
+  payload shape and got it wrong (Apple rejected with
+  `ENTITY_ERROR.ATTRIBUTE.UNKNOWN` on `fileName` / `fileSize`); the
+  resulting 409 handler silently mapped every 409 to "build version
+  conflict" and masked the real error. Replaced with `xcrun altool`
+  shell-out (Apple's canonical CLI).
+- README's "Secure" bullet no longer says "credentials stored locally"
+  — was misleading in default vault mode. New copy names the AES-256
+  at-rest server encryption and points at the `--local-only` opt-in
+  that delivers the literal property.

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    mysigner (0.1.7)
+    mysigner (0.2.0)
       base64 (~> 0.2)
       faraday (~> 2.14)
       faraday-retry (~> 2.2)
@@ -19,8 +19,8 @@ GEM
       base64
       nkf
       rexml
-    addressable (2.8.7)
-      public_suffix (>= 2.0.2, < 7.0)
+    addressable (2.9.0)
+      public_suffix (>= 2.0.2, < 8.0)
     ast (2.4.3)
     atomos (0.1.3)
     base64 (0.3.0)
@@ -32,7 +32,7 @@ GEM
       rexml
     declarative (0.0.20)
     diff-lcs (1.6.2)
-    faraday (2.14.1)
+    faraday (2.14.2)
       faraday-net_http (>= 2.0, < 3.5)
       json
       logger
@@ -66,8 +66,8 @@ GEM
       signet (>= 0.16, < 2.a)
     hashdiff (1.2.1)
     io-console (0.8.1)
-    json (2.19.3)
-    jwt (3.1.2)
+    json (2.19.5)
+    jwt (3.2.0)
       base64
     language_server-protocol (3.17.0.5)
     lint_roller (1.1.0)
@@ -85,7 +85,7 @@ GEM
       racc
     plist (3.7.2)
     prism (1.9.0)
-    public_suffix (6.0.2)
+    public_suffix (7.0.5)
     racc (1.8.1)
     rainbow (3.1.1)
     rake (13.3.0)

data/README.md

@@ -27,7 +27,7 @@ Mobile developers spend hours dealing with:
 ✅ **CI/CD Ready** - Automate builds in GitHub Actions, GitLab CI, etc.  
 ✅ **API-Powered** - Backed by My Signer API for team collaboration  
 ✅ **Smart Version Handling** - Auto-increment version codes for Android  
-✅ **Secure** - Token-based authentication, credentials stored locally
+✅ **Secure** - Token-based auth; signing credentials are AES-256 encrypted at rest on the MySigner server by default, with opt-in `--local-only` mode that keeps Apple `.p8` and Google service-account JSON on your machine
 
 ---
 
@@ -316,6 +316,99 @@ mysigner signing configure --all-targets   # Configure all targets
 
 ---
 
+## Local-only mode (`--local-only` / `MYSIGNER_LOCAL_ONLY`)
+
+Local-only mode routes signing-credential auth through your machine instead of the My Signer server. Your Apple `.p8` private key and Google Play service-account JSON live in the macOS Keychain (or an AES-256-GCM-encrypted file on Linux/Windows) and the CLI mints the ASC JWT and Google OAuth token locally at upload time. Activate per command with `--local-only` or globally with `MYSIGNER_LOCAL_ONLY=1`.
+
+```bash
+mysigner --local-only ship appstore
+mysigner --local-only ship play production
+MYSIGNER_LOCAL_ONLY=1 mysigner ship testflight
+```
+
+### Local-only vs vault (server) mode
+
+|                                 | Vault (default)                        | Local-only                                       |
+| ------------------------------- | -------------------------------------- | ------------------------------------------------ |
+| Holds `.p8` / SA-JSON at rest   | My Signer server (CMK-encrypted)       | Your macOS Keychain or local AES-256-GCM file    |
+| Mints ASC JWT / Google OAuth    | Server                                 | CLI, on your machine                             |
+| Server endpoints used at ship   | All (sync, list, builds, submit, etc.) | All except credential-minting and the actual API upload |
+| Multi-machine sync              | Yes — log in from anywhere             | No — re-onboard on each machine                  |
+| Team-sharing                    | Yes — server gates per-user access     | No — per-machine only                            |
+| CI/CD setup                     | API token in CI secrets                | Pre-populate `~/.mysigner/credentials/` from a secret store |
+| Revocation surface              | Revoke at server (audit log)           | Wipe the Keychain entry / local file             |
+
+### What local-only does NOT do (v1)
+
+Local-only mode in v1 guards the **API-call-time credentials** (the ASC JWT and the Google OAuth token). The `ship` pipelines still talk to My Signer for orchestration. Be honest with yourself about which of these matter for your threat model:
+
+- **`ship appstore --local-only`** still calls My Signer for pre-upload sync, app/build lookup, the post-upload poll loop, and `submit_for_review!`. Only the upload itself goes direct to Apple.
+- **`ship play --local-only`** still calls My Signer for the Android build record, `link_to_app`, release defaults, highest-version-code lookup, **and the keystore download** (via the keystore manager). Only the Play Publishing API call goes direct to Google.
+- **Android keystore is the biggest gap.** The signing keystore is still downloaded from My Signer in local-only mode. v1 does not guard the long-lived Android signing material itself — only the OAuth token used to talk to Google.
+- **Single-account assumption.** Both `ship appstore` and `ship play` pick the first credential in storage order (`LocalCredentials.list.first`). If you have multiple ASC accounts or multiple Google Play SA-JSONs, there is no way to choose between them yet. Multi-account routing (`--asc-account`, `--google-play-account`) is a planned follow-up.
+- **CI/CD non-interactive onboarding.** `mysigner onboard --local-only` is interactive only. For CI you must pre-populate `~/.mysigner/credentials/` from a secret store before invoking the CLI; a non-interactive onboarding mode is a planned follow-up.
+
+### Setup
+
+Run the guided flow:
+
+```bash
+mysigner --local-only onboard
+```
+
+You'll be asked whether to set up App Store Connect, Google Play, or both:
+
+```
+🚀 My Signer Setup (local-only)
+================================================================================
+
+Local-only mode: credentials stay on this machine.
+
+Set up App Store Connect credentials now? [Y/n]
+
+📱 App Store Connect (local-only)
+
+Path to your .p8 private key:        # e.g. ~/Downloads/AuthKey_ABC12345.p8
+Enter your Key ID (e.g., ABC12345):  # auto-detected from filename when possible
+Enter your Issuer ID (UUID):
+
+Set up Google Play credentials now? [Y/n]
+
+🤖 Google Play (local-only)
+
+Path to your service-account JSON:   # e.g. ~/Downloads/sa-key.json
+```
+
+Storage:
+- **macOS**: Keychain service `com.mysigner.cli.credentials`, accounts namespaced as `asc:<key_id>` and `google_play:<client_email>`.
+- **Other OSes**: per-credential AES-256-GCM files under `~/.mysigner/credentials/<kind>/<id>`, mode `0600`, encrypted under the same per-machine key as `Config`.
+
+### Daily usage
+
+```bash
+# iOS — local-mint ASC JWT, upload direct to Apple
+mysigner --local-only ship testflight
+mysigner --local-only ship appstore --submit-for-review
+
+# Android — local-mint Google OAuth token, call Play Publishing API direct
+mysigner --local-only ship internal   --platform android
+mysigner --local-only ship production --platform android
+
+# Or set globally for the shell / CI job
+export MYSIGNER_LOCAL_ONLY=1
+mysigner ship testflight
+```
+
+### Threat model
+
+In vault mode, My Signer's CMK / envelope encryption gates access to your `.p8` and SA-JSON at rest on the server, and access is logged and revocable at the org level. In local-only mode the same material sits in your macOS Keychain (or AES-256-GCM file) gated by your machine's user account. The tradeoff is **who you trust**: My Signer's infrastructure vs your own machine. Single-developer teams, regulated industries, and security-paranoid setups generally prefer local-only; collaborative teams generally prefer vault mode for its revocation surface and shared visibility.
+
+### Migration
+
+To switch from vault to local-only, run `mysigner --local-only onboard` and re-enter your credentials. The server-stored credentials stay in My Signer but the CLI stops fetching them while `--local-only` / `MYSIGNER_LOCAL_ONLY` is set. To switch back, run `mysigner onboard` (no flag). There is no automated data migration — credentials are re-entered on the new side.
+
+---
+
 ## Configuration
 
 My Signer CLI stores configuration in `~/.mysigner/config.yml`:

data/exe/mysigner

@@ -3,6 +3,60 @@
 
 require 'mysigner'
 
+# Hoist class_options written BEFORE the subcommand to AFTER it.
+# Thor's `retrieve_command_name` only treats the first non-flag arg as the
+# command — when ARGV starts with a class_option flag like `--local-only`,
+# Thor sees no command, silently dispatches to `help`, and we get
+# `"mysigner help" was called with arguments ["ship", "appstore", ...]`.
+#
+# We avoid hard-coding the flag list by reading
+# `Mysigner::CLI.class_options` at startup. Class-option booleans support
+# Thor's auto-generated `--no-flag` / `--skip-flag` variants too. String/
+# numeric options aren't currently used as class_options here, but if one
+# is added we also recognise `--flag value` (separate-arg form).
+def hoist_leading_class_options!(argv)
+  return argv if argv.empty?
+
+  class_opts = Mysigner::CLI.class_options
+  switches = class_opts.each_with_object({}) do |(_, opt), acc|
+    Array(opt.switch_name).each { |s| acc[s] = opt }
+    opt.aliases.each { |s| acc[s] = opt }
+    next unless opt.type == :boolean && opt.switch_name.start_with?('--')
+
+    base = opt.switch_name.sub(/\A--/, '')
+    acc["--no-#{base}"] = opt
+    acc["--skip-#{base}"] = opt
+  end
+
+  hoisted = []
+  i = 0
+  while i < argv.length
+    arg = argv[i]
+    flag_name = arg.split('=', 2).first
+    break unless switches.key?(flag_name)
+
+    hoisted << arg
+    # `--flag value` form: pull the value too, but only when the flag was
+    # written WITHOUT `=` AND the option isn't a boolean (booleans don't
+    # take a value).
+    opt = switches[flag_name]
+    if opt.type != :boolean && !arg.include?('=') && argv[i + 1] && !argv[i + 1].start_with?('-')
+      hoisted << argv[i + 1]
+      i += 1
+    end
+    i += 1
+  end
+
+  return argv if hoisted.empty?
+  # No command word follows the leading flags — leave argv alone so Thor
+  # can fall through to its own no-command help dispatch.
+  return argv if i >= argv.length
+
+  command = argv[i]
+  rest = argv[(i + 1)..]
+  [command, *hoisted, *rest]
+end
+
 # Normalize `mysigner <cmd> [args…] --help` → `mysigner help <cmd>`. Thor
 # treats extra positional args as a fatal argument-count error, so without
 # this rewrite users who type `mysigner ship testflight --help` see
@@ -19,4 +73,4 @@ def rewrite_help_flag!(argv)
   ['help', first]
 end
 
-Mysigner::CLI.start(rewrite_help_flag!(ARGV))
+Mysigner::CLI.start(rewrite_help_flag!(hoist_leading_class_options!(ARGV)))

data/lib/mysigner/auth/asc_jwt_minter.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require 'jwt'
+require 'openssl'
+
+module Mysigner
+  module Auth
+    # Mints an Apple App Store Connect API JWT locally from a .p8 private key.
+    #
+    # Used by the CLI's local-only mode (epic mysigner-22) so credentials never
+    # leave the user's machine. The MySigner server path mints the same shape
+    # server-side; this class produces a token equivalent to what the server
+    # would return, so downstream ASC callers (e.g. Mysigner::Upload::AscRestUploader)
+    # are agnostic to where the token came from.
+    #
+    # Apple's spec (https://developer.apple.com/documentation/appstoreconnectapi/
+    # generating-tokens-for-api-requests):
+    #   - header: { alg: ES256, kid: <key_id>, typ: JWT }
+    #   - claims: iss=<issuer_id>, iat=<now>, exp=<iat+TTL>, aud=appstoreconnect-v1
+    #   - signed ES256 over base64url(header).base64url(claims) with the .p8 EC key
+    #
+    # Apple caps token lifetime at 20 minutes. We default to 19 minutes so
+    # consumers can safely reuse a token throughout a typical ASC upload session
+    # without bumping into the cap mid-request.
+    class AscJwtMinter
+      DEFAULT_TTL = 19 * 60
+      AUDIENCE    = 'appstoreconnect-v1'
+
+      def initialize(key_id:, issuer_id:, p8_pem:)
+        @key_id    = present!(key_id, 'key_id')
+        @issuer_id = present!(issuer_id, 'issuer_id')
+        @ec_key    = parse_ec_key(present!(p8_pem, 'p8_pem'))
+      end
+
+      # Returns a String JWT. `now` is injectable for testability.
+      def mint(ttl: DEFAULT_TTL, now: Time.now)
+        iat = now.to_i
+        payload = {
+          iss: @issuer_id,
+          iat: iat,
+          exp: iat + ttl,
+          aud: AUDIENCE
+        }
+        headers = { kid: @key_id, typ: 'JWT' }
+        # JWT.encode with ES256 produces a fixed-width raw r||s signature per
+        # JWA RFC 7518, which is what Apple requires.
+        JWT.encode(payload, @ec_key, 'ES256', headers)
+      end
+
+      private
+
+      def present!(value, name)
+        raise ArgumentError, "#{name} must be present" if value.nil? || value.to_s.empty?
+
+        value
+      end
+
+      def parse_ec_key(p8_pem)
+        key = OpenSSL::PKey.read(p8_pem.to_s)
+        raise ArgumentError, "p8_pem must be an EC private key (got #{key.class})" unless key.is_a?(OpenSSL::PKey::EC)
+
+        key
+      rescue OpenSSL::PKey::PKeyError => e
+        raise ArgumentError, "p8_pem could not be parsed as a private key: #{e.message}"
+      end
+    end
+  end
+end

data/lib/mysigner/auth/google_oauth_minter.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'stringio'
+require 'googleauth'
+
+module Mysigner
+  module Auth
+    # Mints a short-lived Google OAuth2 access_token from a service-account
+    # JSON key, locally — without going through the MySigner server. The
+    # service-account JSON never leaves the caller's process.
+    #
+    # Delegates the JWT mint + assertion exchange + caching to googleauth
+    # (Google::Auth::ServiceAccountCredentials), which is already a runtime
+    # dependency for the Play Publishing API client.
+    class GoogleOauthMinter
+      DEFAULT_SCOPE = 'https://www.googleapis.com/auth/androidpublisher'
+      REQUIRED_KEYS = %w[type client_email private_key project_id].freeze
+
+      # @param service_account_json [String, Hash] the raw JSON string or an
+      #   already-parsed Hash. Validated for required keys.
+      # @raise [ArgumentError] when input is nil/empty, unparseable, or missing
+      #   any of {REQUIRED_KEYS}.
+      def initialize(service_account_json)
+        @json_hash = coerce_to_hash(service_account_json)
+        validate_required_keys!(@json_hash)
+      end
+
+      # @param scope [String] OAuth2 scope. Defaults to the Play Publishing
+      #   scope used by `ship play`. Override for other Google APIs.
+      # @return [String] a non-empty access_token (e.g. "ya29...").
+      def mint(scope: DEFAULT_SCOPE)
+        token_data = fetch_token(scope)
+        token_data['access_token'] || token_data[:access_token]
+      end
+
+      # Variant that returns both the token and its expiry timestamp, for
+      # callers that want to manage caching themselves.
+      # @return [TokenWithExpiry] members :access_token, :expires_at (Time or nil)
+      def mint_with_expiry(scope: DEFAULT_SCOPE)
+        token_data = fetch_token(scope)
+        access_token = token_data['access_token'] || token_data[:access_token]
+        expires_in = token_data['expires_in'] || token_data[:expires_in]
+        expires_at = expires_in ? Time.now + expires_in.to_i : nil
+        TokenWithExpiry.new(access_token, expires_at)
+      end
+
+      TokenWithExpiry = Struct.new(:access_token, :expires_at)
+
+      private
+
+      def fetch_token(scope)
+        creds = Google::Auth::ServiceAccountCredentials.make_creds(
+          json_key_io: StringIO.new(JSON.dump(@json_hash)),
+          scope: scope
+        )
+        creds.fetch_access_token!
+      end
+
+      def coerce_to_hash(input)
+        raise ArgumentError, 'service_account_json is required' if input.nil?
+
+        case input
+        when Hash
+          raise ArgumentError, 'service_account_json hash is empty' if input.empty?
+
+          input.transform_keys(&:to_s)
+        when String
+          raise ArgumentError, 'service_account_json is required' if input.strip.empty?
+
+          begin
+            JSON.parse(input)
+          rescue JSON::ParserError => e
+            raise ArgumentError, "service_account_json is not valid JSON: #{e.message}"
+          end
+        else
+          raise ArgumentError, "service_account_json must be a String or Hash, got #{input.class}"
+        end
+      end
+
+      def validate_required_keys!(hash)
+        missing = REQUIRED_KEYS.reject { |key| hash[key].is_a?(String) && !hash[key].strip.empty? }
+        return if missing.empty?
+
+        raise ArgumentError, "service_account_json is missing required keys: #{missing.join(', ')}"
+      end
+    end
+  end
+end

data/lib/mysigner/cleanup/private_keys_purger.rb

@@ -15,7 +15,6 @@ module Mysigner
       end
 
       def call
-        return if ENV['MYSIGNER_USE_LEGACY_ASC'] == '1'
         return if File.exist?(marker_path)
 
         LEGACY_DIRS.each do |dir|