mysigner 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0f998d494e2fc03d10bf8efc81bdca8675e5ff6037860a8acf750e66b5f2c2bb
-  data.tar.gz: 8c5d7bf17a9cc3556748c6b49106a57ece2f4044e61bfc5c85287e9e7d243d5e
+  metadata.gz: a4f9aa0a3421715b8f46fdadb8325195ed5d6ef145f2ecd73df124733b7f3f9b
+  data.tar.gz: 9d53d040cbcdb39bb2387262fb989d6922f33d8ec10cb7f9709831ef07900c44
 SHA512:
-  metadata.gz: 3c3929aaca39e935b3d2cb2030320e1955aa24f443d5f17d1bb9f2d996ef99fb10af71dd910fffb5f1c49293a23f90d4071d3055c47e82fb529f27655f29c926
-  data.tar.gz: 3c7a4976b73851217a9f1a892c0b6d7a2e43e15ea0678d61bc7edf2d790d634822bd843c2482760b673c692edaa39d12eab41922e5c59d011854c9835493c845
+  metadata.gz: c9dc5c8927301802a68cbd26938a1f04db2a77662529a814bfeb079236c6406271481b4856154bf81e83a4a0cad62463108636e25829a76ed5a2837b16fd8911
+  data.tar.gz: 27df131dcd35996606908032114c54b431ff651cfdeab6682a7109bcb22f9a8f6ea6074b9730918d5de1220b54b2e5e657a6f9d43de3dec3c129157002cd9b1a

data/.gitignore

@@ -40,3 +40,7 @@ service-account*.json
 /.ruby-lsp/
 *.swp
 *~
+
+# Local design docs / plans (superpowers skill output — kept local-only)
+/docs/superpowers/
+CLAUDE.md

data/CHANGELOG.md

@@ -97,6 +97,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [0.3.0] - 2026-05-28
+
+### Added
+- Persistent local-only mode: `mysigner config set local-only true` writes to `~/.mysigner/config.yml`, no flag repetition required ([mysigner-22](https://mysigner.youtrack.cloud/issue/mysigner-22) follow-up).
+- `mysigner config set <key> <value>` — extensible CLI knob for tweaking `~/.mysigner/config.yml`. Settable keys: `local-only`.
+- `Helpers#exit_unless_local_supported!` — every MySigner-only command now exits cleanly with an explanation when local-only is active, instead of the generic "Not logged in" error.
+
+### Changed
+- `doctor` now announces local-only mode and skips MySigner-side checks instead of reporting "Not logged in" as an issue.
+- `status` prints a local-mode credential-discovery summary when local-only is active.
+- `validate` runs the local `Signing::Validator` (same one used by `ship`) and skips the server POST when local-only is active.
+- `--local-only` Thor class_option no longer defaults to `false` — `--no-local-only` now correctly overrides the env var and the new persistent file setting.
+
+### Fixed
+- Precedence bug: with `MYSIGNER_LOCAL_ONLY=1` in the environment, `--no-local-only` did not actually disable local-only mode for that invocation.
+
+---
+
 ## [0.2.0] - 2026-05-26
 
 ### Added — `--local-only` mode

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    mysigner (0.2.0)
+    mysigner (0.3.0)
       base64 (~> 0.2)
       faraday (~> 2.14)
       faraday-retry (~> 2.2)

data/README.md

@@ -338,6 +338,47 @@ MYSIGNER_LOCAL_ONLY=1 mysigner ship testflight
 | CI/CD setup                     | API token in CI secrets                | Pre-populate `~/.mysigner/credentials/` from a secret store |
 | Revocation surface              | Revoke at server (audit log)           | Wipe the Keychain entry / local file             |
 
+### Enabling local-only mode persistently
+
+Set it once per machine — no flag repetition required:
+
+```bash
+mysigner config set local-only true
+```
+
+This writes `local_only: true` to `~/.mysigner/config.yml`. Every subsequent command behaves as if `--local-only` was passed.
+
+**Precedence (most specific wins):**
+
+1. `--local-only` / `--no-local-only` on the command line
+2. `MYSIGNER_LOCAL_ONLY=1` in the environment
+3. `local_only: true` in `~/.mysigner/config.yml`
+4. Default off
+
+To temporarily override the persistent setting:
+
+```bash
+mysigner --no-local-only sync           # one-off server hit
+mysigner config set local-only false    # permanent disable
+```
+
+### What works locally
+
+| Command | Local-only? |
+|---|---|
+| `ship testflight/appstore/internal/alpha/beta/production` | ✅ |
+| `build`, `export`, `upload testflight` | ✅ |
+| `onboard` | ✅ |
+| `signing configure` | ✅ |
+| `doctor`, `status`, `validate` | ✅ (limited — no MySigner-side checks) |
+| `certificate check`, `device detect` | ✅ |
+| `android init/add/build/list` | ✅ |
+| `config`, `config set`, `version`, `help`, `tree`, `logout` | ✅ |
+| `login`, `switch`, `orgs`, `sync` | ❌ MySigner-only |
+| `apps`, `devices`, `certificates`, `profiles`, `bundleid`, `app-group(s)`, `merchant-id(s)`, `keystore`, `gp-credential`, `release`, `tracks`, `track`, `submit`, `device add/update`, `certificate download`, `profile download/delete` | ❌ MySigner-only |
+
+Server-only commands in local-only mode exit 2 with a one-line explanation and the override hint.
+
 ### What local-only does NOT do (v1)
 
 Local-only mode in v1 guards the **API-call-time credentials** (the ASC JWT and the Google OAuth token). The `ship` pipelines still talk to My Signer for orchestration. Be honest with yourself about which of these matter for your threat model:

data/lib/mysigner/cli/auth_commands.rb

@@ -3,6 +3,8 @@
 module Mysigner
   class CLI < Thor
     module AuthCommands
+      SETTABLE_CONFIG_KEYS = %w[local-only].freeze
+
       def self.included(base)
         base.class_eval do
           desc 'version', 'Show version information'
@@ -32,6 +34,8 @@ module Mysigner
             grant access to the organization it was created in.
           DESC
           def login
+            exit_unless_local_supported!('login')
+
             # Check if already logged in
             config = Config.new
             if config.exists?
@@ -676,6 +680,8 @@ module Mysigner
 
           desc 'status', 'Check connection, credentials, and App Store Connect setup'
           def status
+            return status_local_only if local_only?
+
             config = load_config
 
             say '📊 My Signer Status', :cyan
@@ -750,6 +756,8 @@ module Mysigner
 
           desc 'orgs', "List all organizations you're a member of"
           def orgs
+            exit_unless_local_supported!('orgs')
+
             config = load_config
             client = create_client(config)
 
@@ -823,6 +831,8 @@ module Mysigner
             from different user accounts will be rejected.
           DESC
           def switch(target_org_id = nil)
+            exit_unless_local_supported!('switch')
+
             config = load_config
             client = create_client(config)
 
@@ -1000,27 +1010,122 @@ module Mysigner
             end
           end
 
-          desc 'config', 'Show current CLI configuration (API URL, tokens, org)'
-          def config
-            config = Config.new
+          desc 'config [ACTION] [ARGS...]',
+               'Show or set CLI configuration (e.g. `mysigner config set local-only true`)'
+          long_desc <<~DESC
+            Without arguments: prints the current configuration.
 
-            unless config.exists?
+            Set a value:
+              mysigner config set local-only true
+              mysigner config set local-only false
+
+            Settable keys: local-only
+
+            `set` does NOT require a MySigner login — it is the bootstrap path
+            for users who want to use local-only mode from a fresh machine.
+          DESC
+          def config(action = nil, *args)
+            return config_set(*args) if action == 'set'
+
+            if action && action != 'set'
+              error "Unknown config action: #{action}"
+              say 'Did you mean: `mysigner config set <key> <value>`?', :yellow
+              exit 1
+            end
+
+            cfg = Config.new
+
+            unless cfg.exists?
               error "No configuration found. Run 'mysigner login' first."
               exit 1
             end
 
-            config.load
+            cfg.load
 
             say '⚙️  Configuration', :cyan
             say ''
-            config.display.each do |key, value|
-              say "  #{key.to_s.ljust(20)}: #{value}"
+            cfg.display.each do |key, val|
+              say "  #{key.to_s.ljust(20)}: #{val}"
             end
+            say "  #{'local-only'.ljust(20)}: #{cfg.local_only?}"
             say ''
             say "Config file: #{Config::CONFIG_FILE}"
           end
 
           no_commands do
+            def status_local_only
+              require 'mysigner/credential_resolver'
+
+              source = if options[:local_only] == true
+                         '--local-only flag'
+                       elsif ENV['MYSIGNER_LOCAL_ONLY'] && !ENV['MYSIGNER_LOCAL_ONLY'].empty?
+                         'MYSIGNER_LOCAL_ONLY env var'
+                       else
+                         'config file (~/.mysigner/config.yml)'
+                       end
+
+              say '📡 My Signer Status', :cyan
+              say '=' * 50, :cyan
+              say ''
+              say 'Local-only mode: ENABLED', :green
+              say "  Source: #{source}"
+              say ''
+              say 'Credential discovery:'
+              say "  ASC keys:        #{count_or_dash { Mysigner::CredentialResolver.resolve_asc(options: options.to_h) }}"
+              say "  Play SA-JSON:    #{count_or_dash { Mysigner::CredentialResolver.resolve_play(options: options.to_h) }}"
+              say "  Android keystore: #{count_or_dash { Mysigner::CredentialResolver.resolve_android_keystore(options: options.to_h) }}"
+              say ''
+              say "Config file: #{Mysigner::Config::CONFIG_FILE}"
+            end
+
+            def count_or_dash
+              yield
+              '1 (discovered)'
+            rescue Mysigner::CredentialResolver::CredentialNotFoundError
+              '0'
+            rescue Mysigner::CredentialResolver::AmbiguousCredentialsError
+              '2+ (ambiguous — pass via flag)'
+            rescue StandardError => e
+              warn "[mysigner] Unexpected error probing credentials: #{e.class}: #{e.message}"
+              '?'
+            end
+
+            def config_set(key = nil, value = nil)
+              if key.nil? || value.nil?
+                error 'Usage: mysigner config set <key> <value>'
+                say "Settable keys: #{SETTABLE_CONFIG_KEYS.join(', ')}", :yellow
+                exit 1
+              end
+
+              unless SETTABLE_CONFIG_KEYS.include?(key)
+                error "Unknown config key: #{key}"
+                say "Settable keys: #{SETTABLE_CONFIG_KEYS.join(', ')}", :yellow
+                exit 1
+              end
+
+              case key
+              when 'local-only'
+                bool = parse_bool_or_exit(value, key)
+                cfg = Config.new
+                cfg.load if cfg.exists?
+                cfg.local_only = bool
+                cfg.save
+                say "✓ Saved #{key}: #{bool}", :green
+                say "  #{key}: #{bool}"
+              end
+            end
+
+            def parse_bool_or_exit(value, key)
+              case value.to_s.downcase
+              when 'true', '1', 'yes'  then true
+              when 'false', '0', 'no'  then false
+              else
+                error "Invalid boolean for #{key}: #{value}"
+                say 'Use: true / false (also accepts 1/0, yes/no)', :yellow
+                exit 1
+              end
+            end
+
             # Helper method for yes/no prompts with Enter defaulting to yes.
             # Defaults to NO when stdin is not a TTY so automation (CI, pipes)
             # never silently opts-in to mutating operations.

data/lib/mysigner/cli/build_commands.rb

@@ -2222,6 +2222,8 @@ module Mysigner
           method_option :auto_submit, type: :boolean,
                                       desc: 'Submit for review. Defaults to dashboard CLI Defaults, else true. Use --no-auto-submit to skip.'
           def submit(track = nil)
+            exit_unless_local_supported!('submit')
+
             config = load_config
             client = create_client(config)
 

data/lib/mysigner/cli/concerns/helpers.rb

@@ -139,6 +139,10 @@ module Mysigner
           config.instance_variable_set(:@organizations, {})
           config.instance_variable_set(:@encryption_enabled, false)
           config.instance_variable_set(:@from_env, false)
+          # The whole point of this sentinel is to BE a local-only config —
+          # set @local_only = true so `config.local_only?` (and any caller
+          # reading `config.local_only`) agrees.
+          config.instance_variable_set(:@local_only, true)
           config
         end
 
@@ -146,11 +150,15 @@ module Mysigner
           say "✗ Error: #{message}", :red
         end
 
-        # Local-only mode is active if either the --local-only flag is set
-        # on this invocation OR MYSIGNER_LOCAL_ONLY is truthy in ENV.
-        # Subsequent tickets gate credential-sending behavior on this.
+        # Local-only mode is active when any of, in precedence order:
+        #   1. --local-only / --no-local-only flag on this invocation
+        #   2. MYSIGNER_LOCAL_ONLY env var
+        #   3. `local_only: true` in ~/.mysigner/config.yml
+        # `Config.local_only?` (class method) walks #2 then #3.
         def local_only?
-          options[:local_only] || Mysigner::Config.local_only?
+          return options[:local_only] unless options[:local_only].nil?
+
+          Mysigner::Config.local_only?
         end
 
         # mysigner-22 Phase 5 — resolve ASC creds via the cascade (flag →
@@ -222,6 +230,22 @@ module Mysigner
                '(other MySigner APIs may still be used; see docs).'
         end
 
+        # Server-only command guard. SERVER commands (apps, orgs, sync,
+        # certificates, etc.) hit MySigner-side resources and have no
+        # local equivalent. Print a clean explanation and exit 2 when
+        # local-only mode is active, instead of letting load_config bail
+        # with the generic "Not logged in" path.
+        def exit_unless_local_supported!(command_name)
+          return unless local_only?
+
+          say "✗ `#{command_name}` manages MySigner-side resources and " \
+              "isn't available in local-only mode.", :red
+          say ''
+          say 'Disable persistently:  mysigner config set local-only false', :yellow
+          say "Override for one call: mysigner --no-local-only #{command_name}", :yellow
+          exit 2
+        end
+
         class << self
           def banner_emitted?
             @local_only_banner_emitted == true

data/lib/mysigner/cli/diagnostic_commands.rb

@@ -77,48 +77,54 @@ module Mysigner
               say ''
 
               # Check 4: My Signer Configuration
-              say 'Checking My Signer configuration...', :yellow
               client = nil
               org_data = nil
 
-              config = if Config.env_configured?
-                         Config.from_env
-                       else
-                         Config.new
-                       end
+              say 'Checking My Signer configuration...', :yellow
 
-              if config.from_env? || config.exists?
-                config.load unless config.from_env?
-                say config.from_env? ? '  ✓ Configured via environment variables' : '  ✓ Logged in', :green
+              if local_only?
+                say '  ✓ Local-only mode active — MySigner login not required', :green
+              else
+                config = if Config.env_configured?
+                           Config.from_env
+                         else
+                           Config.new
+                         end
 
-                begin
-                  client = Client.new(api_url: config.api_url, api_token: config.api_token,
-                                      user_email: config.user_email)
-                  client.test_connection
-                  say '  ✓ API connection working', :green
-
-                  # Get organization details
-                  if config.current_organization_id
-                    org_response = client.get("/api/v1/organizations/#{config.current_organization_id}")
-                    org_data = org_response[:data]
+                if config.from_env? || config.exists?
+                  config.load unless config.from_env?
+                  say config.from_env? ? '  ✓ Configured via environment variables' : '  ✓ Logged in', :green
+
+                  begin
+                    client = Client.new(api_url: config.api_url, api_token: config.api_token,
+                                        user_email: config.user_email)
+                    client.test_connection
+                    say '  ✓ API connection working', :green
+
+                    # Get organization details
+                    if config.current_organization_id
+                      org_response = client.get("/api/v1/organizations/#{config.current_organization_id}")
+                      org_data = org_response[:data]
+                    end
+                  rescue Mysigner::UnauthorizedError
+                    say '  ✗ Token is invalid or expired', :red
+                    issues << "Token authentication failed - run 'mysigner onboard' to re-authenticate"
+                    client = nil
+                  rescue Mysigner::ConnectionError => e
+                    say "  ✗ Cannot connect to API: #{e.message}", :red
+                    issues << 'API connection failed - check your network or API URL'
+                    client = nil
+                  rescue StandardError => e
+                    say "  ✗ API error: #{e.message}", :red
+                    issues << 'API connection failed - check your configuration'
+                    client = nil
                   end
-                rescue Mysigner::UnauthorizedError
-                  say '  ✗ Token is invalid or expired', :red
-                  issues << "Token authentication failed - run 'mysigner onboard' to re-authenticate"
-                  client = nil
-                rescue Mysigner::ConnectionError => e
-                  say "  ✗ Cannot connect to API: #{e.message}", :red
-                  issues << 'API connection failed - check your network or API URL'
-                  client = nil
-                rescue StandardError => e
-                  say "  ✗ API error: #{e.message}", :red
-                  issues << 'API connection failed - check your configuration'
-                  client = nil
+                else
+                  say '  ✗ Not logged in', :red
+                  issues << "Run 'mysigner onboard' to authenticate"
                 end
-              else
-                say '  ✗ Not logged in', :red
-                issues << "Run 'mysigner onboard' to authenticate"
               end
+
               say ''
 
               # Check 4a: Signing Identity in Keychain (CRITICAL)
@@ -446,7 +452,11 @@ module Mysigner
                 end
                 say ''
               elsif project_info && (!client || !org_data)
-                say '⚠️  Project detected but cannot check signing (not logged in)', :yellow
+                if local_only?
+                  say '⚠️  Project detected — local-only mode (signing checks limited).', :yellow
+                else
+                  say '⚠️  Project detected but cannot check signing (not logged in)', :yellow
+                end
                 say ''
               end
             end
@@ -893,6 +903,8 @@ module Mysigner
           DESC
           option :force, type: :boolean, aliases: '-f', desc: 'Force sync even if recently synced'
           def sync(platform = 'ios')
+            exit_unless_local_supported!('sync')
+
             config = load_config
             client = create_client(config)
 

data/lib/mysigner/cli/resource_commands.rb

@@ -12,6 +12,8 @@ module Mysigner
           method_option :page, type: :numeric, default: 1, desc: 'Page number'
           method_option :per_page, type: :numeric, default: 50, desc: 'Devices per page'
           def devices
+            exit_unless_local_supported!('devices')
+
             config = load_config
             client = create_client(config)
 
@@ -121,6 +123,7 @@ module Mysigner
           DESC
           method_option :platform, type: :string, default: 'IOS', aliases: '-p', desc: 'Platform (IOS, MAC_OS, TV_OS)'
           def device(action, *args)
+            exit_unless_local_supported!("device #{action}") unless action == 'detect'
             config = load_config
             client = create_client(config)
 
@@ -457,6 +460,8 @@ module Mysigner
           method_option :page, type: :numeric, default: 1, desc: 'Page number'
           method_option :per_page, type: :numeric, default: 50, desc: 'Profiles per page'
           def profiles
+            exit_unless_local_supported!('profiles')
+
             config = load_config
             client = create_client(config)
 
@@ -589,6 +594,7 @@ module Mysigner
 
             case action
             when 'download'
+              exit_unless_local_supported!('profile download')
               if args.empty?
                 error 'Usage: mysigner profile download ID [--output path.mobileprovision]'
                 say ''
@@ -703,6 +709,7 @@ module Mysigner
                 exit 1
               end
             when 'delete'
+              exit_unless_local_supported!('profile delete')
               if args.empty?
                 error 'Usage: mysigner profile delete ID'
                 say ''
@@ -760,6 +767,8 @@ module Mysigner
           method_option :page, type: :numeric, default: 1, desc: 'Page number'
           method_option :per_page, type: :numeric, default: 50, desc: 'Certificates per page'
           def certificates
+            exit_unless_local_supported!('certificates')
+
             config = load_config
             client = create_client(config)
 
@@ -829,6 +838,7 @@ module Mysigner
           DESC
           method_option :output, type: :string, aliases: '-o', desc: 'Output file path (default: certificate name)'
           def certificate(action, *args)
+            exit_unless_local_supported!("certificate #{action}") unless action == 'check'
             config = load_config
             client = create_client(config)
 
@@ -1104,6 +1114,8 @@ module Mysigner
           method_option :app_id, type: :numeric, desc: 'Associate with Android app ID'
           method_option :output, type: :string, aliases: '-o', desc: 'Output path for download'
           def keystore(action, *args)
+            exit_unless_local_supported!("keystore #{action}")
+
             config = load_config
             client = create_client(config)
 
@@ -2217,6 +2229,8 @@ module Mysigner
               • After registering, run 'mysigner sync ios' to update local cache
           DESC
           def bundleid(action, *args)
+            exit_unless_local_supported!("bundleid #{action}")
+
             config = load_config
             client = create_client(config)
 
@@ -2419,6 +2433,8 @@ module Mysigner
           method_option :page, type: :numeric, default: 1, desc: 'Page number'
           method_option :per_page, type: :numeric, default: 50, desc: 'Apps per page'
           def apps
+            exit_unless_local_supported!('apps')
+
             config = load_config
             client = create_client(config)
 
@@ -2521,6 +2537,8 @@ module Mysigner
           method_option :page, type: :numeric, default: 1, desc: 'Page number'
           method_option :per_page, type: :numeric, default: 50, desc: 'Items per page'
           def merchant_ids
+            exit_unless_local_supported!('merchant-ids')
+
             config = load_config
             client = create_client(config)
 
@@ -2584,6 +2602,8 @@ module Mysigner
           DESC
           method_option :name, type: :string, aliases: '-n', desc: 'Friendly name for the Merchant ID'
           def merchant_id(action, identifier = nil)
+            exit_unless_local_supported!("merchant-id #{action}")
+
             config = load_config
             client = create_client(config)
 
@@ -2681,6 +2701,8 @@ module Mysigner
           desc 'tracks PACKAGE_NAME', 'List Google Play tracks for an Android app'
           method_option :sort, type: :boolean, desc: 'Sort by track name'
           def tracks(package_name = nil)
+            exit_unless_local_supported!('tracks')
+
             config = load_config
             client = create_client(config)
 
@@ -2754,6 +2776,8 @@ module Mysigner
 
           desc 'track PACKAGE_NAME TRACK_NAME', 'Show details for a specific Google Play track'
           def track(package_name = nil, track_name = nil)
+            exit_unless_local_supported!('track')
+
             config = load_config
             client = create_client(config)
 
@@ -2851,6 +2875,8 @@ module Mysigner
           method_option :page, type: :numeric, default: 1, desc: 'Page number'
           method_option :per_page, type: :numeric, default: 50, desc: 'Items per page'
           def app_groups
+            exit_unless_local_supported!('app-groups')
+
             config = load_config
             client = create_client(config)
 
@@ -2920,6 +2946,8 @@ module Mysigner
           DESC
           method_option :name, type: :string, aliases: '-n', desc: 'Friendly name for the App Group'
           def app_group(action, identifier = nil)
+            exit_unless_local_supported!("app-group #{action}")
+
             config = load_config
             client = create_client(config)
 
@@ -3055,6 +3083,8 @@ module Mysigner
               mysigner gp-credential delete 3
           DESC
           def gp_credential(action, *args)
+            exit_unless_local_supported!("gp-credential #{action}")
+
             config = load_config
             client = create_client(config)
 
@@ -3274,6 +3304,8 @@ module Mysigner
           method_option :release_type, type: :string, desc: 'Release type: manual, after_approval, scheduled'
           method_option :scheduled_date, type: :string, desc: 'Scheduled release date (ISO 8601)'
           def release(action, *args)
+            exit_unless_local_supported!("release #{action}")
+
             config = load_config
             client = create_client(config)
 

data/lib/mysigner/cli/validate_commands.rb

@@ -37,6 +37,8 @@ module Mysigner
           method_option :bundle_id, type: :string, aliases: '-b', desc: 'Bundle identifier (e.g., com.example.app)'
           method_option :type, type: :string, aliases: '-t', desc: 'Signing type: development, appstore, adhoc, inhouse'
           def validate
+            return validate_local_only if local_only?
+
             config = load_config
             client = create_client(config)
 
@@ -137,6 +139,34 @@ module Mysigner
             end
           end
 
+          no_commands do
+            def validate_local_only
+              say '🔍 Local-only validation', :cyan
+              say '=' * 50, :cyan
+              say ''
+              say 'Running local Signing::Validator (server checks skipped in local-only mode).', :yellow
+              say ''
+
+              project_info = Mysigner::Build::Detector.detect
+              parser = Mysigner::Build::Parser.new(project_info)
+              target_name = parser.main_target.name
+
+              validator = Mysigner::Signing::Validator.new(
+                parser, target_name, options[:configuration] || 'Release',
+                team_id: options[:team], local_only: true
+              )
+
+              begin
+                validator.validate!
+              rescue Mysigner::Signing::Validator::ValidationError => e
+                error e.message
+                exit 1
+              end
+
+              say '✓ Local validation passed.', :green
+            end
+          end
+
           private
 
           def detect_bundle_id_from_project

data/lib/mysigner/cli.rb

@@ -25,7 +25,7 @@ Mysigner::Cleanup::PrivateKeysPurger.new.call
 module Mysigner
   class CLI < Thor
     class_option :verbose, type: :boolean, aliases: '-v', desc: 'Verbose output'
-    class_option :local_only, type: :boolean, default: false,
+    class_option :local_only, type: :boolean,
                               desc: 'Do not send credentials to the server (local-only mode)'
 
     def self.exit_on_failure?

data/lib/mysigner/config.rb

@@ -25,7 +25,7 @@ module Mysigner
     ENV_ORG_ID = 'MYSIGNER_ORG_ID'
     ENV_LOCAL_ONLY = 'MYSIGNER_LOCAL_ONLY'
 
-    attr_accessor :api_url, :user_email, :current_organization_id, :encryption_enabled
+    attr_accessor :api_url, :user_email, :current_organization_id, :encryption_enabled, :local_only
     attr_reader :organizations
 
     def initialize
@@ -34,6 +34,7 @@ module Mysigner
       @current_organization_id = nil
       @organizations = {}
       @encryption_enabled = true # Enable by default for security
+      @local_only = false
       @from_env = false
       load if exists?
     end
@@ -49,6 +50,7 @@ module Mysigner
       config = allocate
       config.instance_variable_set(:@encryption_enabled, false)
       config.instance_variable_set(:@from_env, true)
+      config.instance_variable_set(:@local_only, false)
 
       org_id = ENV.fetch(ENV_ORG_ID, nil)
       token = ENV.fetch(ENV_API_TOKEN, nil)
@@ -67,15 +69,30 @@ module Mysigner
       @from_env
     end
 
-    # Local-only mode: when true, credentials never leave the machine.
-    # Config-level check sees only ENV — Thor's --local-only flag is layered
-    # on top in the CLI Helpers concern (which can read `options`).
+    # Local-only mode at the Config level: cascade ENV → file. The CLI
+    # Helpers concern layers --local-only / --no-local-only on top.
     def self.local_only?
-      truthy_env?(ENV_LOCAL_ONLY)
+      truthy_env?(ENV_LOCAL_ONLY) || local_only_from_file?
     end
 
+    # Lightweight check that reads only ~/.mysigner/config.yml's
+    # `local_only:` key without invoking #load (which decrypts tokens
+    # via the Keychain). A user with no MySigner account still needs
+    # to flip this setting, so we never raise on a missing/corrupt
+    # or absent file — we just return false.
+    def self.local_only_from_file?
+      data = YAML.safe_load_file(CONFIG_FILE)
+      data.is_a?(Hash) && data['local_only'] == true
+    rescue Errno::ENOENT, Psych::SyntaxError
+      false
+    end
+
+    # Instance-level predicate. Merges two surfaces:
+    #   - @local_only: set to true by Helpers#blank_local_only_config so a
+    #     sentinel config always answers true without touching ENV or disk.
+    #   - self.class.local_only?: the normal ENV → file cascade.
     def local_only?
-      self.class.local_only?
+      @local_only || self.class.local_only?
     end
 
     # Get API token for current organization (or specific org)
@@ -135,9 +152,10 @@ module Mysigner
 
       # mysigner-51 — safe_load_file rejects arbitrary Ruby object
       # instantiation in the YAML (`!ruby/object:Foo` etc.). The config
-      # shape is just String/Integer/Hash (api_url, user_email,
-      # current_organization_id, organizations: {id => {name, token}}),
-      # all in safe_load's default allowed set, so no permitted_classes
+      # shape is just String/Integer/Boolean/Hash (api_url, user_email,
+      # current_organization_id, local_only, organizations: {id => {name,
+      # token}}), all in safe_load's default allowed set, so no
+      # permitted_classes
       # extension is needed. Low risk (the file is 0600 and user-owned)
       # but cheap hardening against a future RCE if config write or read
       # ever moves outside the owner-only assumption.
@@ -147,6 +165,7 @@ module Mysigner
       @user_email = data['user_email']
       @current_organization_id = data['current_organization_id']
       @organizations = data['organizations'] || {}
+      @local_only = data['local_only'] == true
 
       # Auto-detect encryption from config
       @encryption_enabled = encrypted_config?
@@ -164,7 +183,8 @@ module Mysigner
         'api_url' => @api_url,
         'user_email' => @user_email,
         'current_organization_id' => @current_organization_id,
-        'organizations' => @organizations
+        'organizations' => @organizations,
+        'local_only' => @local_only
       }
 
       File.write(CONFIG_FILE, data.to_yaml)
@@ -180,6 +200,7 @@ module Mysigner
       @user_email = nil
       @current_organization_id = nil
       @organizations = {}
+      @local_only = false
 
       File.delete(CONFIG_FILE) if exists?
 

data/lib/mysigner/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Mysigner
-  VERSION = '0.2.0'
+  VERSION = '0.3.0'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: mysigner
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Jurgen Leka