mysigner 0.1.7 → 0.2.0

data/lib/mysigner/cli/auth_commands.rb

@@ -210,6 +210,16 @@ module Mysigner
             4. Configure your CLI
           DESC
           def onboard
+            # mysigner-44 — local-only mode short-circuits the server-mediated
+            # onboarding entirely. We never POST credentials and never ask the
+            # user for an API token; everything is captured into the local
+            # Keychain-backed store. The server-mediated path below is left
+            # untouched for backward compatibility.
+            if local_only?
+              emit_local_only_banner
+              return onboard_local_only
+            end
+
             say '🚀 My Signer Setup Guide', :cyan
             say '=' * 80, :cyan
             say ''
@@ -595,6 +605,27 @@ module Mysigner
           end
 
           desc 'logout', 'Log out and clear stored credentials'
+          long_desc <<~DESC
+            Log out of MySigner. Always clears local CLI config.
+
+            By default, ALSO asks whether to delete your stored credentials
+            (App Store Connect .p8 keys, Apple Search Ads keys, Google Play
+            service-account JSON, Android keystores) on the server and in
+            your local Keychain. The prompt defaults to No — the safer
+            choice — because logging out and back in restores access to
+            them otherwise.
+
+              --purge      Skip the prompt and DELETE the credentials.
+              --no-purge   Skip the prompt and KEEP them on the server.
+
+            In non-interactive contexts (CI, pipes), the prompt defaults
+            to No as well, matching `yes_with_default?` elsewhere.
+
+            See docs/policy/credential-retention.md (server repo) for the
+            authoritative retention policy.
+          DESC
+          method_option :purge, type: :boolean, default: nil,
+                                desc: 'Also delete stored credentials on the server and in local Keychain (skips prompt)'
           def logout
             config = Config.new
 
@@ -603,13 +634,44 @@ module Mysigner
               return
             end
 
-            if yes?('Are you sure you want to logout? (y/n)')
-              config.clear
-              say '✓ Successfully logged out', :green
-              say "Config file removed: #{Config::CONFIG_FILE}", :green
-            else
+            # Preserve the existing "Are you sure?" gate. Tests pin this exact
+            # prompt and a No answer must abort the entire logout. With
+            # --purge / --no-purge a user has already declared intent, but
+            # we still require the top-level confirmation when interactive —
+            # less surprising than two layered changes in one release.
+            unless yes?('Are you sure you want to logout? (y/n)')
               say 'Logout cancelled', :yellow
+              return
+            end
+
+            # Now we know the local logout is happening. Decide whether to
+            # ALSO purge server + local-Keychain credentials. Resolution
+            # order: explicit flag > interactive prompt > non-TTY default No.
+            should_purge = resolve_purge_decision(options[:purge])
+
+            if should_purge
+              # Load the config so we have the api_url/token/email needed
+              # for the server call. Failure here is loud — we don't fall
+              # back to "local-only clear" silently, that would leave the
+              # user's server credentials on disk against their explicit
+              # request.
+              begin
+                config.load
+                purge_server_credentials(config)
+                purge_local_credentials
+              rescue Mysigner::ClientError, Mysigner::ConfigError => e
+                error "Failed to purge credentials on the server: #{e.message}"
+                say ''
+                say 'Local config was NOT cleared so you can retry. Options:', :yellow
+                say "  • Re-run 'mysigner logout --purge' once the server is reachable", :yellow
+                say "  • Run 'mysigner logout --no-purge' to log out locally only", :yellow
+                exit 1
+              end
             end
+
+            config.clear
+            say '✓ Successfully logged out', :green
+            say "Config file removed: #{Config::CONFIG_FILE}", :green
           end
 
           desc 'status', 'Check connection, credentials, and App Store Connect setup'
@@ -971,6 +1033,93 @@ module Mysigner
               response.empty? || response == 'y' || response == 'yes'
             end
 
+            # Default-NO variant of yes_with_default? — used when the
+            # destructive answer must be opt-in (mysigner-47 logout purge).
+            # Non-TTY also defaults to No so CI never silently wipes server
+            # credentials. Only an explicit "y" or "yes" returns true.
+            def no_default_yes?(statement, color = nil)
+              unless $stdin.tty?
+                say "#{statement} [y/N] (non-interactive: assuming no)", color
+                return false
+              end
+              response = ask("#{statement} [y/N]", color).to_s.strip.downcase
+              %w[y yes].include?(response)
+            end
+
+            # mysigner-47 — resolve the purge decision for `mysigner logout`.
+            # `flag` is options[:purge] (true / false / nil).
+            #   true  → --purge passed; skip prompt, purge
+            #   false → --no-purge passed; skip prompt, keep
+            #   nil   → no flag; ask the user (default No), CI defaults to No
+            def resolve_purge_decision(flag)
+              return flag unless flag.nil?
+
+              no_default_yes?(
+                'Also delete your stored credentials on the server? ' \
+                'They will be gone forever.',
+                :yellow
+              )
+            end
+
+            # mysigner-47 — call DELETE /api/v1/organizations/:org/credentials
+            # using the loaded config. Surfaces per-kind counts on success.
+            # Raises Mysigner::ClientError on transport/auth failure so the
+            # caller can decide whether to abort the local clear.
+            def purge_server_credentials(config)
+              org_id = config.current_organization_id
+              if org_id.nil?
+                say '⚠️  No active organization in local config; skipping server purge.', :yellow
+                return
+              end
+
+              client = Client.new(
+                api_url: config.api_url,
+                api_token: config.api_token,
+                user_email: config.user_email
+              )
+
+              say 'Deleting stored credentials on the server...', :yellow
+              response = client.delete("/api/v1/organizations/#{org_id}/credentials")
+
+              deleted = response.dig(:data, 'deleted') || {}
+              asc   = deleted['asc'].to_i
+              ads   = deleted['apple_ads'].to_i
+              gp    = deleted['google_play'].to_i
+              ks    = deleted['android_keystore'].to_i
+
+              say '✓ Server credentials deleted:', :green
+              say "  • App Store Connect: #{asc}"
+              say "  • Apple Search Ads:  #{ads}"
+              say "  • Google Play:       #{gp}"
+              say "  • Android keystore:  #{ks}"
+            end
+
+            # mysigner-47 — wipe every locally stored credential the
+            # LocalCredentials store knows about, across all four kinds.
+            # We swallow per-entry deletion errors with a loud log line
+            # rather than aborting (Rule 12 — fail loud, but a corrupted
+            # Keychain entry must not block the rest of the wipe).
+            def purge_local_credentials
+              return unless defined?(Mysigner::LocalCredentials)
+
+              total = 0
+              Mysigner::LocalCredentials::KINDS.each do |kind|
+                ids = Mysigner::LocalCredentials.list(kind: kind)
+                ids.each do |id|
+                  Mysigner::LocalCredentials.delete(kind: kind, id: id)
+                  total += 1
+                rescue Mysigner::LocalCredentials::LocalCredentialsError => e
+                  say "⚠️  Failed to delete local credential #{kind}/#{id}: #{e.message}", :yellow
+                end
+              end
+
+              if total.positive?
+                say "✓ Local Keychain / file credentials deleted: #{total}", :green
+              else
+                say 'No local-only credentials to delete.', :white
+              end
+            end
+
             # Helper method for App Store Connect credential setup
             # Returns true if successfully configured, false otherwise
             def setup_app_store_connect_credentials(client, _config, org_id)
@@ -1380,9 +1529,210 @@ module Mysigner
                 false
               end
             end
+
+            # mysigner-44 — local-only onboarding. Captures ASC and/or Google
+            # Play credentials and persists them via LocalCredentials (Keychain
+            # on macOS, encrypted file fallback elsewhere). Never calls the
+            # server. Raises LocalOnlyOnboardError on invalid input so callers
+            # see the failure (Rule 12 — fail loud).
+            def onboard_local_only
+              say '🚀 My Signer Setup (local-only)', :cyan
+              say '=' * 80, :cyan
+              say ''
+              say 'Local-only mode: credentials stay on this machine.', :bold
+              say ''
+
+              # mysigner-22 Phase 5 — discovery first. If the user already
+              # has credentials elsewhere (env vars, ~/.appstoreconnect, a
+              # service-account JSON at the project root, GOOGLE_APPLICATION_
+              # CREDENTIALS) we tell them they don't need to onboard for that
+              # platform. We avoid prompting on discovery itself by using a
+              # non-TTY stdin proxy, so the resolver fails fast on miss
+              # instead of blocking the user.
+              asc_already, asc_hint   = discover_local_asc_silently
+              play_already, play_hint = discover_local_play_silently
+
+              if asc_already
+                say "✓ Detected App Store Connect credentials (#{asc_hint}). No onboarding needed.", :green
+                say ''
+              end
+              if play_already
+                say "✓ Detected Google Play credentials (#{play_hint}). No onboarding needed.", :green
+                say ''
+              end
+
+              stored_asc = []
+              stored_play = []
+
+              if !asc_already && yes_with_default?('Set up App Store Connect credentials now?', :cyan)
+                say ''
+                stored_asc = collect_local_asc_credential
+              end
+              say ''
+
+              if !play_already && yes_with_default?('Set up Google Play credentials now?', :cyan)
+                say ''
+                stored_play = collect_local_google_play_credential
+              end
+
+              say ''
+              say '=' * 80, :green
+              say '✓ Local-only setup complete.', :green
+              say '=' * 80, :green
+              say ''
+              if stored_asc.empty? && stored_play.empty?
+                say 'No credentials were stored.', :yellow
+                say "Re-run 'mysigner --local-only onboard' when you're ready.", :yellow
+              else
+                say 'Stored credentials:', :cyan
+                stored_asc.each  { |id| say "  • ASC key:        #{id}" }
+                stored_play.each { |id| say "  • Google Play SA: #{id}" }
+                say ''
+                say 'To ship:', :bold
+                say '  mysigner --local-only ship appstore' unless stored_asc.empty?
+                say '  mysigner --local-only ship play'     unless stored_play.empty?
+              end
+              say ''
+            end
+
+            # Returns Array<String> of ids actually stored (empty on skip).
+            def collect_local_asc_credential
+              say '📱 App Store Connect (local-only)', :cyan
+              say ''
+
+              p8_path = ask('Path to your .p8 private key:').to_s.strip.gsub(/^['"]|['"]$/, '')
+              p8_path = File.expand_path(p8_path)
+              raise_local_onboard_error!(".p8 file not found: #{p8_path}") unless File.exist?(p8_path)
+
+              p8_pem = File.read(p8_path)
+              validate_p8_pem!(p8_pem)
+
+              # Auto-detect Key ID from filename (AuthKey_ABC123.p8 → ABC123).
+              key_id = nil
+              if File.basename(p8_path) =~ /AuthKey_([A-Z0-9]+)\.p8/i
+                key_id = ::Regexp.last_match(1)
+                say "✓ Auto-detected Key ID: #{key_id}", :green
+              end
+              key_id = ask('Enter your Key ID (e.g., ABC12345):').to_s.strip if key_id.nil? || key_id.empty?
+              raise_local_onboard_error!('Key ID cannot be empty') if key_id.empty?
+
+              issuer_id = ask('Enter your Issuer ID (UUID):').to_s.strip
+              raise_local_onboard_error!('Issuer ID cannot be empty') if issuer_id.empty?
+
+              # Storage shape matches mysigner-42's Option A: id == key_id,
+              # secret is a JSON envelope so AscJwtMinter can reconstruct
+              # (key_id, issuer_id, p8_pem) from one lookup.
+              secret = JSON.generate('issuer_id' => issuer_id, 'p8_pem' => p8_pem)
+              Mysigner::LocalCredentials.store(kind: :asc, id: key_id, secret: secret)
+
+              say '✓ ASC credential stored locally.', :green
+              [key_id]
+            end
+
+            # Returns Array<String> of ids actually stored (empty on skip).
+            def collect_local_google_play_credential
+              say '🤖 Google Play (local-only)', :cyan
+              say ''
+
+              json_path = ask('Path to your service-account JSON:').to_s.strip.gsub(/^['"]|['"]$/, '')
+              json_path = File.expand_path(json_path)
+              raise_local_onboard_error!("SA-JSON file not found: #{json_path}") unless File.exist?(json_path)
+
+              raw = File.read(json_path)
+              parsed = validate_sa_json!(raw)
+              client_email = parsed['client_email']
+
+              Mysigner::LocalCredentials.store(kind: :google_play, id: client_email, secret: raw)
+
+              say "✓ Google Play credential stored locally (#{client_email}).", :green
+              [client_email]
+            end
+
+            # Verifies the file looks like an EC private key in the form
+            # AscJwtMinter requires. Fails loud — any malformed input raises
+            # before we touch the Keychain.
+            def validate_p8_pem!(pem)
+              key = OpenSSL::PKey.read(pem.to_s)
+              return if key.is_a?(OpenSSL::PKey::EC)
+
+              raise_local_onboard_error!("invalid .p8: expected EC private key, got #{key.class}")
+            rescue OpenSSL::PKey::PKeyError => e
+              raise_local_onboard_error!("invalid .p8: #{e.message}")
+            end
+
+            # Returns the parsed hash. Validates the three fields the
+            # GoogleOauthMinter (and the SA JWT spec) actually need.
+            def validate_sa_json!(raw)
+              parsed = JSON.parse(raw)
+              missing = []
+              missing << "type=='service_account'"   unless parsed['type'] == 'service_account'
+              missing << 'client_email'              if parsed['client_email'].to_s.empty?
+              missing << 'private_key'               if parsed['private_key'].to_s.empty?
+              raise_local_onboard_error!("invalid service-account JSON (missing/wrong: #{missing.join(', ')})") if missing.any?
+
+              parsed
+            rescue JSON::ParserError => e
+              raise_local_onboard_error!("invalid service-account JSON: #{e.message}")
+            end
+
+            def raise_local_onboard_error!(message)
+              raise Mysigner::CLI::LocalOnlyOnboardError, message
+            end
+
+            # mysigner-22 Phase 5 — silent ASC discovery for onboard. Returns
+            # [bool, hint_string]. We feed the resolver a non-TTY stdin proxy
+            # so the prompt tier is OFF — discovery either resolves from a
+            # higher tier or returns false-with-no-hint. Any structural
+            # surprises (Keychain corruption, multiple disk files needing
+            # disambiguation) bubble out as "no, prompt for it" rather than
+            # crashing the onboard flow.
+            def discover_local_asc_silently
+              require 'mysigner/credential_resolver'
+              no_tty = Object.new
+              def no_tty.tty?
+                false
+              end
+              creds = Mysigner::CredentialResolver.resolve_asc(stdin: no_tty, stderr: StringIO.new)
+              hint = case creds.source
+                     when :flag     then 'from --asc-* flags'
+                     when :env      then 'from APP_STORE_CONNECT_API_KEY_* env vars'
+                     when :keychain then "from Keychain (#{creds.key_id})"
+                     when :disk     then "from #{Mysigner::CredentialResolver::APPLE_PRIVATE_KEYS_DIR}/AuthKey_#{creds.key_id}.p8"
+                     else 'from cascade'
+                     end
+              [true, hint]
+            rescue Mysigner::CredentialResolver::CredentialNotFoundError,
+                   Mysigner::CredentialResolver::AmbiguousCredentialsError
+              [false, nil]
+            end
+
+            def discover_local_play_silently
+              require 'mysigner/credential_resolver'
+              no_tty = Object.new
+              def no_tty.tty?
+                false
+              end
+              creds = Mysigner::CredentialResolver.resolve_play(stdin: no_tty, stderr: StringIO.new)
+              hint = case creds.source
+                     when :flag     then 'from --play-credentials flag'
+                     when :env      then 'from GOOGLE_APPLICATION_CREDENTIALS'
+                     when :keychain then "from Keychain (#{creds.client_email})"
+                     when :disk     then "from project (#{creds.client_email})"
+                     else 'from cascade'
+                     end
+              [true, hint]
+            rescue Mysigner::CredentialResolver::CredentialNotFoundError,
+                   Mysigner::CredentialResolver::AmbiguousCredentialsError
+              [false, nil]
+            end
           end
         end
       end
     end
+
+    # Raised by `onboard` in local-only mode when user input is unusable
+    # (missing file, malformed PEM, malformed SA-JSON). Surfaces the failure
+    # to the caller rather than silently writing a broken credential.
+    class LocalOnlyOnboardError < StandardError; end
   end
 end