mysigner 0.3.1 → 0.3.3

data/lib/mysigner/cli/auth_commands.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'stringio' # discover_local_*_silently use StringIO as a non-tty stderr proxy
+
 module Mysigner
   class CLI < Thor
     module AuthCommands
@@ -28,6 +30,10 @@ module Mysigner
 
             New user? Run 'mysigner onboard' for step-by-step guidance.
 
+            No My Signer account? You don't need one to sign and ship — run
+            'mysigner --local-only onboard' to use your own Apple/Google
+            credentials, kept on this machine.
+
             Your credentials will be stored securely in ~/.mysigner/config.yml
 
             Note: API tokens are organization-specific. This token will only
@@ -232,6 +238,26 @@ module Mysigner
 
             # Check if already configured
             config = Config.new
+
+            # Fresh user, interactive: offer the two modes up front so a newcomer
+            # doesn't assume a My Signer website account is mandatory.
+            if $stdin.tty? && !(config.exists? && config.current_organization_id)
+              say 'How do you want to use My Signer?', :cyan
+              say ''
+              say '  1. With a free My Signer account', :white
+              say '     (keys stored on the server; sync across machines & team)'
+              say '  2. Local-only — no account', :white
+              say '     (your Apple/Google keys stay on THIS machine; nothing sent to a server)'
+              say ''
+              say 'Not sure? Choose 2 (local-only).', :yellow
+              say ''
+              if ask('Select (1-2):', limited_to: %w[1 2]) == '2'
+                emit_local_only_banner
+                return onboard_local_only
+              end
+              say ''
+            end
+
             if config.exists? && config.api_token && config.current_organization_id
               say "✓ You're already logged in!", :green
               say ''
@@ -540,6 +566,19 @@ module Mysigner
                 end
               end
 
+              # Android: offer Google Play setup too. Previously onboard only
+              # ever configured App Store Connect, leaving Android users without
+              # a guided path even though setup_google_play_credentials existed.
+              # Only prompt interactively — in CI/non-tty contexts onboarding is
+              # driven by env vars/flags, not the wizard.
+              gp_configured = false
+              if $stdin.tty? && yes_with_default?('Set up Google Play (Android) credentials now?', :cyan)
+                say ''
+                gp_configured = setup_google_play_credentials(client, config, org_id)
+              elsif $stdin.tty?
+                say '⏭️  Skipped Google Play setup (run `mysigner onboard` again anytime)', :yellow
+              end
+
               say ''
               say '=' * 80, :green
               say '🎉 Setup Complete!', :green
@@ -564,6 +603,13 @@ module Mysigner
                 say "  Run 'mysigner doctor' to set it up", :yellow
               end
 
+              if gp_configured
+                say '✓ Google Play: Configured', :green
+              else
+                say '⚠️  Google Play: Not configured', :yellow
+                say "  Run 'mysigner onboard' to set it up", :yellow
+              end
+
               say ''
               say '🔒 Security Note:', :yellow
               say "  Your token is organization-specific. Use 'mysigner switch'", :yellow
@@ -663,10 +709,30 @@ module Mysigner
                 config.load
                 purge_server_credentials(config)
                 purge_local_credentials
-              rescue Mysigner::ClientError, Mysigner::ConfigError => e
-                error "Failed to purge credentials on the server: #{e.message}"
+              rescue Mysigner::ConfigError => e
+                # The stored token is UNREADABLE (can't be decrypted), so it can
+                # never be revoked on the server from here and retrying --purge
+                # would fail identically. Clearing local is the only way out, so
+                # we do that (the token is useless anyway) and fall through to
+                # config.clear below — the user ends up logged out, and we tell
+                # them to revoke the old token in the dashboard if they care.
+                reason = e.message.sub(/\AFailed to decrypt token:\s*/, '').strip
+                detail = reason.empty? ? '' : " (#{reason})"
+                say "⚠️  Your stored token is unreadable#{detail}, " \
+                    'so it could not be revoked on the server.', :yellow
+                say '   Logging you out locally anyway. To revoke the old token, do it in', :yellow
+                say '   the My Signer dashboard (it cannot be read from this machine).', :yellow
                 say ''
-                say 'Local config was NOT cleared so you can retry. Options:', :yellow
+                begin
+                  purge_local_credentials
+                rescue StandardError
+                  # best-effort; a corrupt Keychain entry must not block the clear
+                end
+                # fall through to config.clear
+              rescue Mysigner::ClientError => e
+                error "Couldn't reach the server to revoke your credentials: #{e.message}"
+                say ''
+                say 'Your local config was NOT cleared so you can retry. Options:', :yellow
                 say "  • Re-run 'mysigner logout --purge' once the server is reachable", :yellow
                 say "  • Run 'mysigner logout --no-purge' to log out locally only", :yellow
                 exit 1
@@ -1027,9 +1093,12 @@ module Mysigner
           def config(action = nil, *args)
             return config_set(*args) if action == 'set'
 
-            if action && action != 'set'
+            # `show` is the documented alias for the bare display (README +
+            # `config [ACTION]` help). Treat nil/`show` as display; anything
+            # else is a genuine typo.
+            if action && !%w[show].include?(action)
               error "Unknown config action: #{action}"
-              say 'Did you mean: `mysigner config set <key> <value>`?', :yellow
+              say 'Did you mean: `mysigner config show` or `mysigner config set <key> <value>`?', :yellow
               exit 1
             end
 
@@ -1679,23 +1748,35 @@ module Mysigner
                 say ''
                 stored_play = collect_local_google_play_credential
               end
+              say ''
+
+              # Android signing keystore (the actual signing key). Stored locally
+              # in the exact envelope CredentialResolver#resolve_android_keystore
+              # expects, so `ship --platform android --local-only` can sign offline.
+              stored_keystore = []
+              if $stdin.tty? && yes_with_default?('Set up an Android signing keystore now?', :cyan)
+                say ''
+                stored_keystore = collect_local_keystore_credential
+              end
 
               say ''
               say '=' * 80, :green
               say '✓ Local-only setup complete.', :green
               say '=' * 80, :green
               say ''
-              if stored_asc.empty? && stored_play.empty?
+              if stored_asc.empty? && stored_play.empty? && stored_keystore.empty?
                 say 'No credentials were stored.', :yellow
                 say "Re-run 'mysigner --local-only onboard' when you're ready.", :yellow
               else
                 say 'Stored credentials:', :cyan
-                stored_asc.each  { |id| say "  • ASC key:        #{id}" }
-                stored_play.each { |id| say "  • Google Play SA: #{id}" }
+                stored_asc.each      { |id| say "  • ASC key:        #{id}" }
+                stored_play.each     { |id| say "  • Google Play SA: #{id}" }
+                stored_keystore.each { |id| say "  • Android keystore: #{id}" }
                 say ''
                 say 'To ship:', :bold
                 say '  mysigner --local-only ship appstore' unless stored_asc.empty?
                 say '  mysigner --local-only ship play'     unless stored_play.empty?
+                say '  mysigner --local-only ship internal --platform android' unless stored_keystore.empty?
               end
               say ''
             end
@@ -1721,8 +1802,14 @@ module Mysigner
               key_id = ask('Enter your Key ID (e.g., ABC12345):').to_s.strip if key_id.nil? || key_id.empty?
               raise_local_onboard_error!('Key ID cannot be empty') if key_id.empty?
 
+              say 'Find your Issuer ID at https://appstoreconnect.apple.com/access/api', :cyan
+              say '(the UUID shown at the top of the Keys page).', :cyan
               issuer_id = ask('Enter your Issuer ID (UUID):').to_s.strip
-              raise_local_onboard_error!('Issuer ID cannot be empty') if issuer_id.empty?
+              if issuer_id.empty?
+                raise_local_onboard_error!(
+                  "Issuer ID cannot be empty (it's the UUID at appstoreconnect.apple.com/access/api)"
+                )
+              end
 
               # Storage shape matches mysigner-42's Option A: id == key_id,
               # secret is a JSON envelope so AscJwtMinter can reconstruct
@@ -1753,6 +1840,42 @@ module Mysigner
               [client_email]
             end
 
+            # Returns Array<String> of ids actually stored (empty on skip).
+            # Persists the keystore bytes (base64) + passwords + alias under
+            # LocalCredentials(kind: :android_keystore) in the exact envelope
+            # CredentialResolver#resolve_android_keystore reads back.
+            def collect_local_keystore_credential
+              require 'base64'
+              say '🔑 Android keystore (local-only)', :cyan
+              say ''
+
+              ks_path = ask('Path to your keystore (.jks/.keystore):').to_s.strip.gsub(/^['"]|['"]$/, '')
+              ks_path = File.expand_path(ks_path)
+              raise_local_onboard_error!("Keystore file not found: #{ks_path}") unless File.exist?(ks_path)
+
+              # echo: false — keep secrets out of terminal scrollback, matching
+              # every other secret prompt in this file.
+              store_password = ask('Keystore password:', echo: false).to_s
+              raise_local_onboard_error!('Keystore password cannot be empty') if store_password.empty?
+
+              key_alias = ask('Key alias:').to_s.strip
+              raise_local_onboard_error!('Key alias cannot be empty') if key_alias.empty?
+
+              key_password = ask('Key password (press Enter to reuse the keystore password):', echo: false).to_s
+              key_password = store_password if key_password.empty?
+
+              envelope = JSON.generate(
+                'keystore_b64' => Base64.strict_encode64(File.binread(ks_path)),
+                'keystore_password' => store_password,
+                'key_alias' => key_alias,
+                'key_password' => key_password
+              )
+              Mysigner::LocalCredentials.store(kind: :android_keystore, id: key_alias, secret: envelope)
+
+              say "✓ Android keystore stored locally (alias: #{key_alias}).", :green
+              [key_alias]
+            end
+
             # Verifies the file looks like an EC private key in the form
             # AscJwtMinter requires. Fails loud — any malformed input raises
             # before we touch the Keychain.

data/lib/mysigner/cli/build_commands.rb

@@ -20,15 +20,18 @@ module Mysigner
           long_desc <<~DESC
             Build your project, sign it, and upload in one go.
 
-            iOS TARGETS
-              testflight : Upload a beta build to TestFlight
-              appstore   : Upload a production build to App Store Connect
+            iOS TARGETS (requires macOS + Xcode)
+              testflight : Beta testing via TestFlight
+              appstore   : Submit for public App Store release
 
-            ANDROID TARGETS
-              internal   : Upload to internal testing track
-              alpha      : Upload to alpha (closed testing) track
-              beta       : Upload to beta (open testing) track
-              production : Upload to production track
+            ANDROID TARGETS (works on macOS, Linux, and Windows)
+              internal   : Fastest — up to 100 testers you list. NOT public.
+              alpha      : Closed testing — an invite-only tester group.
+              beta       : Open testing — anyone with your opt-in link.
+              production : PUBLIC — goes LIVE to everyone on the Google Play Store.
+
+            An AAB (Android App Bundle, .aab) is what Google Play requires — the
+            CLI builds and signs it for you (you don't upload an APK).
 
             PLATFORM OPTIONS
               --platform ios       Force iOS build (auto-detected by default)
@@ -43,6 +46,14 @@ module Mysigner
               --release-notes TEXT   Release notes for Play Store
               --package-name PKG     Override the detected package name
 
+            LOCAL-ONLY (no My Signer account — use your OWN credentials)
+              Run `mysigner --local-only onboard` once for a guided setup, or pass:
+                iOS:     --asc-key-path (the AuthKey_XXXX.p8 from
+                         appstoreconnect.apple.com/access/api), --asc-key-id (the
+                         XXXX in that filename), --asc-issuer-id (the UUID on that page)
+                Android: --keystore-path / --keystore-password / --key-alias and
+                         --play-credentials (a Google Play service-account .json)
+
             WORKFLOW
               For iOS TestFlight:
                 mysigner ship testflight              # Build → Upload → Done!
@@ -140,7 +151,8 @@ module Mysigner
               return
             end
 
-            # iOS flow continues below...
+            # iOS flow continues below — requires macOS + Xcode.
+            require_macos!("ship #{target}")
 
             is_appstore = (target == 'appstore')
 
@@ -1817,6 +1829,7 @@ module Mysigner
           method_option :skip_extensions, type: :boolean, default: false,
                                           desc: 'Skip extension targets (useful when extensions are not configured)'
           def build
+            require_macos!('build')
             config = load_config
             client = create_client(config)
 
@@ -2031,6 +2044,7 @@ module Mysigner
                                  desc: 'Export method (appstore, adhoc, enterprise, development)'
           method_option :output, type: :string, desc: 'Output directory for .ipa file'
           def export(archive_path)
+            require_macos!('export')
             load_config
 
             begin
@@ -2085,6 +2099,7 @@ module Mysigner
                "Upload existing .ipa to TestFlight (advanced - most users should use 'ship')"
           method_option :wait, type: :boolean, default: false, desc: 'Wait for processing to complete'
           def upload(target, ipa_path)
+            require_macos!('upload testflight')
             unless target == 'testflight'
               error "Only 'testflight' target is supported currently"
               say 'Usage: mysigner upload testflight IPA_PATH', :yellow

data/lib/mysigner/cli/concerns/error_handlers.rb

@@ -84,19 +84,16 @@ module Mysigner
           say ''
           say 'To fix this:', :cyan
           say ''
-          if api_url.include?('localhost')
-            say '  For local development:', :bold
-            say '    1. Make sure Rails server is running:'
-            say '       cd path/to/my-signer'
-            say '       bin/rails server'
-            say ''
-            say "    2. Verify it's accessible:"
-            say "       curl #{api_url}/up"
+          if api_url.include?('localhost') && ENV['MYSIGNER_DEV']
+            say '  For My Signer backend development:', :bold
+            say '    1. Start the Rails server: cd path/to/my-signer && bin/rails server'
+            say "    2. Verify it's accessible: curl #{api_url}/up"
           else
-            say '  For production:', :bold
-            say '    1. Check the API URL is correct'
-            say '    2. Verify the service is running'
-            say '    3. Check your internet connection'
+            say '  To fix:', :bold
+            say '    1. Check your internet connection'
+            say '    2. Verify the API URL is correct: mysigner config show'
+            say "    3. Don't need a My Signer account? Run any command with --local-only"
+            say '       to sign with your own Apple/Google credentials.'
           end
           say ''
           say '  Or set a custom API URL:', :bold

data/lib/mysigner/cli/concerns/helpers.rb

@@ -102,11 +102,27 @@ module Mysigner
             say '  (auto-discovers ASC .p8 from ~/.appstoreconnect/private_keys/,', :yellow
             say '   Google Play SA-JSON from GOOGLE_APPLICATION_CREDENTIALS / eas.json,', :yellow
             say '   keystore from key.properties / eas.json — or set them via flags / env.)', :yellow
+            say '  Note: build / ship / sign work fully local; account commands', :yellow
+            say '  (orgs / switch / sync) still need a My Signer login.', :yellow
             say '  See "Local-only mode" section in README.', :yellow
             exit 1
           end
 
           config.load
+
+          # Surface an unreadable stored token as a clean re-login prompt here,
+          # at the auth gate, instead of letting the decrypt error explode later
+          # inside create_client / Config#display. (api_token decrypts lazily.)
+          begin
+            config.api_token
+          rescue Mysigner::ConfigError
+            error 'Your saved login is unreadable (encryption key changed or ' \
+                  'config copied between machines).'
+            say "Run 'mysigner logout' then 'mysigner login' to re-authenticate.", :yellow
+            say 'Or run with --local-only to skip MySigner entirely.', :yellow
+            exit 1
+          end
+
           config
         end
 
@@ -150,6 +166,27 @@ module Mysigner
           say "✗ Error: #{message}", :red
         end
 
+        # True on macOS. iOS building/signing (Xcode, xcodebuild, the keychain)
+        # only works there; iOS-only commands call require_macos! to fail with a
+        # clear message instead of a raw "xcodebuild: not found" backtrace.
+        def macos?
+          !(RbConfig::CONFIG['host_os'] =~ /darwin/i).nil?
+        end
+
+        # Guard for iOS-only commands. On non-macOS, explain plainly and point
+        # the user at the Android path that DOES work cross-platform, then exit.
+        def require_macos!(command_label = 'This command')
+          return if macos?
+
+          error "#{command_label} requires macOS with Xcode."
+          say ''
+          say 'iOS building, signing, and uploading only work on a Mac (they use Xcode).', :yellow
+          say 'On Linux or Windows you can still build and ship Android:', :yellow
+          say '  mysigner ship internal --platform android', :cyan
+          say '  mysigner android build', :cyan
+          exit 1
+        end
+
         # Local-only mode is active when any of, in precedence order:
         #   1. --local-only / --no-local-only flag on this invocation
         #   2. MYSIGNER_LOCAL_ONLY env var

data/lib/mysigner/cli/diagnostic_commands.rb

@@ -18,8 +18,6 @@ module Mysigner
 
             # Determine which platforms to check
             platform_filter = options[:platform]&.downcase
-            check_ios = platform_filter.nil? || platform_filter == 'all' || platform_filter == 'ios'
-            check_android = platform_filter.nil? || platform_filter == 'all' || platform_filter == 'android'
 
             if platform_filter && !%w[ios android all].include?(platform_filter)
               error "Invalid platform: #{platform_filter}"
@@ -27,6 +25,18 @@ module Mysigner
               exit 1
             end
 
+            want_ios = platform_filter.nil? || platform_filter == 'all' || platform_filter == 'ios'
+            # iOS checks only mean something on macOS. On Linux/Windows, skip them
+            # with one info line instead of a wall of red "Xcode not found" issues —
+            # unless the user EXPLICITLY asked for --platform ios.
+            check_ios = want_ios && (macos? || platform_filter == 'ios')
+            check_android = platform_filter.nil? || platform_filter == 'all' || platform_filter == 'android'
+
+            if want_ios && !check_ios
+              say 'ℹ️  iOS checks skipped — iOS building requires macOS + Xcode.', :cyan
+              say ''
+            end
+
             # Check 1: Xcode (iOS only)
             if check_ios
               say 'Checking Xcode...', :yellow
@@ -110,6 +120,12 @@ module Mysigner
                     say '  ✗ Token is invalid or expired', :red
                     issues << "Token authentication failed - run 'mysigner onboard' to re-authenticate"
                     client = nil
+                  rescue Mysigner::ConfigError
+                    # An undecryptable stored token is a LOCAL credential problem,
+                    # not an API/network failure — say so and point at re-login.
+                    say '  ✗ Saved credentials unreadable (encryption key changed or config corrupt)', :red
+                    issues << "Stored login unreadable - run 'mysigner logout' then 'mysigner login'"
+                    client = nil
                   rescue Mysigner::ConnectionError => e
                     say "  ✗ Cannot connect to API: #{e.message}", :red
                     issues << 'API connection failed - check your network or API URL'
@@ -253,18 +269,24 @@ module Mysigner
               end
               say ''
 
-              # Check 8: Project Detection (if in a project directory)
+              # Check 8: Project Detection (read-only — must NEVER trigger an
+              # expo prebuild from a diagnostic, hence allow_prebuild: false).
               say 'Checking current directory...', :yellow
               project_info = nil
               begin
-                project_info = Build::Detector.detect
-                framework = case project_info[:framework]
-                            when :capacitor then 'Capacitor/Ionic'
-                            when :react_native then 'React Native'
-                            when :flutter then 'Flutter'
-                            else 'Native iOS'
-                            end
-                say "  ✓ Found #{framework} project: #{File.basename(project_info[:path])}", :green
+                project_info = Build::Detector.detect(allow_prebuild: false)
+                if project_info[:needs_prebuild]
+                  say '  ℹ️  Expo managed project detected (no native ios/ folder yet)', :cyan
+                  say '     Generate it with: mysigner ship  (or `npx expo prebuild`)', :cyan
+                else
+                  framework = case project_info[:framework]
+                              when :capacitor then 'Capacitor/Ionic'
+                              when :react_native then 'React Native'
+                              when :flutter then 'Flutter'
+                              else 'Native iOS'
+                              end
+                  say "  ✓ Found #{framework} project: #{File.basename(project_info[:path])}", :green
+                end
               rescue StandardError
                 say '  ℹ️  No project detected in current directory', :cyan
               end
@@ -516,6 +538,12 @@ module Mysigner
                     say '  ⚠️  JAVA_HOME not set', :yellow
                   end
                 end
+              elsif platform_filter == 'android'
+                # When the user explicitly asks to check Android, a missing JDK
+                # is a hard blocker, not an FYI — otherwise doctor green-lights an
+                # environment that cannot build.
+                say '  ✗ Java not found (required for Android)', :red
+                issues << 'Java (JDK) not found — required to build Android. Install JDK 17+ and set JAVA_HOME.'
               else
                 say '  ℹ️  Java not found (required for Android)', :cyan
               end
@@ -525,6 +553,9 @@ module Mysigner
               if android_home && Dir.exist?(android_home)
                 say "  ✓ Android SDK: #{android_home}", :green
                 android_available = true
+              elsif platform_filter == 'android'
+                say '  ✗ Android SDK not found (set ANDROID_HOME)', :red
+                issues << 'Android SDK not found — set ANDROID_HOME to your SDK location.'
               else
                 say '  ℹ️  Android SDK not found (set ANDROID_HOME)', :cyan
               end
@@ -581,25 +612,32 @@ module Mysigner
                 say ''
               end
 
-              # Check 15: Android Project Detection
-              nil
+              # Check 15: Android Project Detection (read-only — must NEVER
+              # trigger an expo prebuild from a diagnostic, hence allow_prebuild:
+              # false).
               begin
-                android_project = Build::Detector.detect_android
-                framework = case android_project[:framework]
-                            when :capacitor then 'Capacitor/Ionic'
-                            when :react_native then 'React Native'
-                            when :flutter then 'Flutter'
-                            else 'Native Android'
-                            end
+                android_project = Build::Detector.detect_android(allow_prebuild: false)
                 say 'Checking Android project...', :yellow
-                say "  ✓ Found #{framework} Android project", :green
-
-                # Parse project details
-                require_relative '../build/android_parser'
-                parser = Build::AndroidParser.new(android_project)
-                say "  Package: #{parser.application_id}", :cyan
-                say "  Version: #{parser.version_name} (#{parser.version_code})", :cyan
-                say "  Gradle wrapper: #{parser.gradle_wrapper_exists? ? '✓' : '✗'}", :cyan
+                if android_project[:needs_prebuild]
+                  say '  ℹ️  Expo managed project detected (no android/ folder yet)', :cyan
+                  say '     Generate it with: mysigner android build', :cyan
+                  say '     (needs Node >= 20.19.4 and `npm install` first)', :cyan
+                else
+                  framework = case android_project[:framework]
+                              when :capacitor then 'Capacitor/Ionic'
+                              when :react_native then 'React Native'
+                              when :flutter then 'Flutter'
+                              else 'Native Android'
+                              end
+                  say "  ✓ Found #{framework} Android project", :green
+
+                  # Parse project details
+                  require_relative '../build/android_parser'
+                  parser = Build::AndroidParser.new(android_project)
+                  say "  Package: #{parser.application_id}", :cyan
+                  say "  Version: #{parser.version_name} (#{parser.version_code})", :cyan
+                  say "  Gradle wrapper: #{parser.gradle_wrapper_exists? ? '✓' : '✗'}", :cyan
+                end
                 say ''
               rescue Build::Detector::NoProjectError
                 # Not an Android project, that's fine
@@ -617,7 +655,7 @@ module Mysigner
             if issues.empty? && warnings.empty?
               say "🎉 All checks passed! You're good to go!", :green
               say ''
-              say 'Try: mysigner ship testflight', :cyan
+              say(platform_filter == 'android' ? 'Try: mysigner ship internal --platform android' : 'Try: mysigner ship testflight', :cyan)
             elsif issues.empty?
               say "⚠️  #{warnings.length} warning(s), but you're mostly good!", :yellow
               say ''