@analyticscli/growth-engineer 0.1.1-preview.15 → 0.1.1-preview.18

package/dist/runtime/openclaw-growth-wizard.mjs

@@ -108,7 +108,7 @@ const CONNECTOR_DEFINITIONS = [
         key: 'asc',
         label: 'ASC / App Store Connect CLI',
         summary: 'Read App Store analytics, reviews/ratings, builds/TestFlight/release context, subscriptions, purchases, and crash totals.',
-        needs: 'ASC_KEY_ID, ASC_ISSUER_ID, and the AuthKey_XXXX.p8 content or path.',
+        needs: 'Two App Store Connect API keys: a Sales and Reports or Finance key for ongoing use, plus a temporary Admin key for one-time analytics bootstrap.',
     },
     {
         key: 'stripe',
@@ -2535,7 +2535,7 @@ async function saveSecretsImmediately(secrets) {
     process.stdout.write(`Saved local secrets to ${secretsFile} with chmod 600.\n`);
     return true;
 }
-async function runImmediateConnectorHealthCheck({ rl, configPath, connector, secrets, sentryAccounts = [], paddleAccounts = [], }) {
+async function runImmediateConnectorHealthCheck({ rl, configPath, connector, secrets, runtimeEnv = {}, sentryAccounts = [], paddleAccounts = [], }) {
     if (connector === 'sentry' && sentryAccounts.length > 0) {
         await upsertSentryAccountsConfig(configPath, sentryAccounts);
     }
@@ -2546,6 +2546,7 @@ async function runImmediateConnectorHealthCheck({ rl, configPath, connector, sec
     const env = {
         ...process.env,
         ...secrets,
+        ...runtimeEnv,
     };
     const command = `${nodeRuntimeScriptCommand('openclaw-growth-start.mjs')} --config ${quote(configPath)} --setup-only --connectors ${quote(connector)} --only-connectors ${quote(connector)}`;
     let result = await runSetupCommandWithProgress(command, env, [connector], `Checking ${connectorLabel(connector)} immediately after setup...`);
@@ -2686,12 +2687,17 @@ function resolveSecretsFile() {
         return path.join(process.env.HOME, '.config', 'openclaw-growth', 'secrets.env');
     return path.resolve('.openclaw-growth-secrets.env');
 }
-function resolveAscPrivateKeyPath(keyId) {
+function resolveAscPrivateKeyPath(keyId, suffix = '') {
     const safeKeyId = (keyId || 'OPENCLAW').trim().replace(/[^a-zA-Z0-9_-]/g, '_') || 'OPENCLAW';
     const baseDir = process.env.HOME
         ? path.join(process.env.HOME, '.config', 'openclaw-growth')
         : path.resolve('.openclaw-growth');
-    return path.join(baseDir, `AuthKey_${safeKeyId}.p8`);
+    return path.join(baseDir, `AuthKey_${safeKeyId}${suffix}.p8`);
+}
+function inferAscKeyIdFromPrivateKeyPath(filePath) {
+    const fileName = path.basename(String(filePath || '').trim());
+    const match = fileName.match(/^AuthKey_([A-Za-z0-9]+)\.p8$/);
+    return match?.[1] || '';
 }
 function renderEnvValue(value) {
     return `"${String(value).replace(/\\/g, '\\\\').replace(/"/g, '\\"').replace(/\$/g, '\\$')}"`;
@@ -3384,11 +3390,14 @@ function validateAscPrivateKeyContent(value) {
         };
     }
 }
-async function askAscPrivateKeyContent(rl) {
-    process.stdout.write('\nPaste the full .p8 file content here. Leave the first line empty if you already saved the .p8 file on this host.\n');
-    process.stdout.write('The wizard validates the pasted key, stores it locally with chmod 600, and only saves ASC_PRIVATE_KEY_PATH.\n');
+async function askAscPrivateKeyContent(rl, options = {}) {
+    const envName = options.envName || 'ASC_PRIVATE_KEY';
+    const persistLabel = options.persistLabel || 'ASC_PRIVATE_KEY_PATH';
+    const keyLabel = options.keyLabel || 'this App Store Connect key';
+    process.stdout.write(`\nPaste the full .p8 file content for ${keyLabel}.\nLeave the first line empty if the .p8 file is already saved on this host.\n`);
+    process.stdout.write(`The wizard validates the pasted key, stores it locally with chmod 600, and only saves ${persistLabel}.\n`);
     while (true) {
-        const value = await readAscPrivateKeyPaste(rl);
+        const value = await readAscPrivateKeyPaste(rl, envName);
         if (!value.trim())
             return '';
         const validation = validateAscPrivateKeyContent(value);
@@ -3398,7 +3407,7 @@ async function askAscPrivateKeyContent(rl) {
         process.stdout.write('The .p8 was not saved. Paste the full file again from BEGIN to END, or leave empty to use a path.\n');
     }
 }
-async function readAscPrivateKeyPaste(rl) {
+async function readAscPrivateKeyPaste(rl, envName = 'ASC_PRIVATE_KEY') {
     return await new Promise((resolve, reject) => {
         let buffer = '';
         let settled = false;
@@ -3459,7 +3468,7 @@ async function readAscPrivateKeyPaste(rl) {
         process.stdin.setEncoding('utf8');
         process.stdin.on('data', onData);
         process.stdin.on('error', onError);
-        process.stdout.write('ASC_PRIVATE_KEY content: ');
+        process.stdout.write(`${envName} content: `);
         process.stdin.resume();
     });
 }
@@ -3467,9 +3476,11 @@ async function validateAscPrivateKeyPath(filePath) {
     const raw = await fs.readFile(filePath, 'utf8');
     return validateAscPrivateKeyContent(raw);
 }
-async function askAscPrivateKeyPath(rl) {
+async function askAscPrivateKeyPath(rl, options = {}) {
+    const label = options.label || 'ASC_PRIVATE_KEY_PATH (path to AuthKey_XXXX.p8, leave empty to skip)';
+    const defaultValue = options.defaultValue ?? process.env.ASC_PRIVATE_KEY_PATH ?? '';
     while (true) {
-        const privateKeyPath = await ask(rl, 'ASC_PRIVATE_KEY_PATH (path to AuthKey_XXXX.p8, leave empty to skip)', process.env.ASC_PRIVATE_KEY_PATH || '');
+        const privateKeyPath = await ask(rl, label, defaultValue);
         const trimmedPath = privateKeyPath.trim();
         if (!trimmedPath)
             return '';
@@ -3485,6 +3496,19 @@ async function askAscPrivateKeyPath(rl) {
         process.stdout.write('The ASC private key path was not saved. Paste a valid path, or leave empty to skip.\n');
     }
 }
+async function askAscPrivateKeyPathWithKeyId(rl, options = {}) {
+    const keyLabel = options.keyLabel || 'App Store Connect key';
+    while (true) {
+        const privateKeyPath = await askAscPrivateKeyPath(rl, options);
+        if (!privateKeyPath)
+            return { privateKeyPath: '', keyId: '' };
+        const keyId = inferAscKeyIdFromPrivateKeyPath(privateKeyPath);
+        if (keyId)
+            return { privateKeyPath, keyId };
+        process.stdout.write(`Could not infer Key ID for ${keyLabel} from the .p8 file name.\n`);
+        process.stdout.write('Use Apple\'s original downloaded file name: AuthKey_<KEY_ID>.p8. Do not rename the .p8 file.\n');
+    }
+}
 function printSection(title, lines = []) {
     process.stdout.write(`\n${ANSI.bold}${title}${ANSI.reset}\n`);
     process.stdout.write(`${'-'.repeat(title.length)}\n`);
@@ -3921,41 +3945,58 @@ async function guideCoolifyConnector(rl, secrets) {
 }
 async function guideAscConnector(rl, secrets) {
     printSection('App Store Connect CLI', [
-        'Use this mainly for App Store analytics batch reports, plus builds, TestFlight, reviews, ratings, and store context.',
-        'The normal Growth Engineer path uses App Store Connect API-key reports. Experimental ASC web analytics is not part of setup.',
+        'You need two App Store Connect API keys: one normal reporting key and one temporary Admin key.',
+        'Create both here: https://appstoreconnect.apple.com/access/integrations/api',
     ]);
-    process.stdout.write('Create an App Store Connect API key here:\n  https://appstoreconnect.apple.com/access/integrations/api\n\n');
-    process.stdout.write('Roles to choose for this key:\n');
+    process.stdout.write('\nStep 1 - normal key, saved for Growth Engineer\n');
     printBullets([
-        'Required for first setup: Admin, because Apple only allows Admin keys to create the initial Analytics Report Request.',
-        'Required for steady-state report downloads after the request exists: Sales and Reports, Finance, or Admin.',
-        'Recommended: Customer Support, for App Store ratings and review text.',
-        'Recommended: Developer, for builds, TestFlight, and delivery status.',
-        'Optional: App Manager, only if OpenClaw should also read or manage app metadata, pricing, or release settings.',
-        'Least privilege option: run setup once with Admin, then rotate Growth Engineer to a Sales and Reports key for ongoing analytics downloads.',
+        'Create an API key named "Growth Engineer Reports".',
+        'Role: Sales and Reports. Finance or Admin also works.',
+        'Optional extra roles: Customer Support for reviews, Developer for builds/TestFlight.',
+        'Copy this key into the ASC_KEY_ID, ASC_ISSUER_ID, and ASC_PRIVATE_KEY prompts below.',
     ]);
-    process.stdout.write('\nWhy Admin is requested during setup:\n');
+    process.stdout.write('\nStep 2 - temporary Admin key, used once\n');
     printBullets([
-        'Growth Engineer automatically creates an ongoing App Analytics report request when none exists.',
-        'Without that request, Apple will not generate Impressions, Product Page Views, App Units, Conversion Rate, and related report instances.',
-        'A non-Admin key can read existing reports, but creation fails with a forbidden response.',
+        'Create a second API key named "Growth Engineer Setup Admin".',
+        'Role: Admin.',
+        'Use it only when the wizard asks for ASC_BOOTSTRAP_* later.',
+        'The wizard does not save this key to secrets.env. Revoke it in App Store Connect after setup.',
     ]);
-    process.stdout.write('\nAfter creating the key, copy these values into this wizard:\n');
+    process.stdout.write('\nWhy two keys?\n');
     printBullets([
-        'Issuer ID from the API keys page.',
-        'Key ID from the API key row or from the downloaded file name: AuthKey_<KEY_ID>.p8.',
-        'Download the .p8 file, open it, then paste the full file content into this terminal.',
-        'If the .p8 is already on this host, leave the content prompt empty and paste the file path instead.',
-        'Vendor Number from App Store Connect Sales and Trends > Reports. Required for healthy ASC status because Sales and Trends/App Units depend on it.',
+        'Apple requires Admin once to create the initial App Analytics report request.',
+        'After that, Growth Engineer only needs the normal reporting key for downloads.',
     ]);
-    const keyId = await ask(rl, 'ASC_KEY_ID (leave empty to skip)', process.env.ASC_KEY_ID || '');
-    const issuerId = await ask(rl, 'ASC_ISSUER_ID (leave empty to skip)', process.env.ASC_ISSUER_ID || '');
-    if (keyId.trim())
-        secrets.ASC_KEY_ID = keyId.trim();
+    process.stdout.write('\nNeeded values for the normal key now\n');
+    printBullets([
+        'Issuer ID: shown at the top of the API keys page.',
+        '.p8 file path: use Apple\'s original downloaded file name AuthKey_<KEY_ID>.p8.',
+        'Do not rename the .p8 file; the wizard reads ASC_KEY_ID from the file name.',
+        'Vendor Number: App Store Connect > Sales and Trends > Reports.',
+    ]);
+    const normalKeyPath = await askAscPrivateKeyPathWithKeyId(rl, {
+        label: 'ASC_PRIVATE_KEY_PATH for normal reporting key (AuthKey_<KEY_ID>.p8 path, empty = paste content instead)',
+        defaultValue: process.env.ASC_PRIVATE_KEY_PATH || '',
+        keyLabel: 'the normal reporting key',
+    });
+    let keyId = normalKeyPath.keyId;
+    if (normalKeyPath.privateKeyPath) {
+        secrets.ASC_PRIVATE_KEY_PATH = normalKeyPath.privateKeyPath;
+        secrets.ASC_KEY_ID = keyId;
+        process.stdout.write(`Inferred ASC_KEY_ID=${keyId} from ${path.basename(normalKeyPath.privateKeyPath)}.\n`);
+    }
+    const issuerId = await ask(rl, 'ASC_ISSUER_ID for normal reporting key (leave empty to skip)', process.env.ASC_ISSUER_ID || '');
     if (issuerId.trim())
         secrets.ASC_ISSUER_ID = issuerId.trim();
-    const privateKeyContent = await askAscPrivateKeyContent(rl);
-    if (privateKeyContent) {
+    if (!normalKeyPath.privateKeyPath) {
+        keyId = await ask(rl, 'ASC_KEY_ID for normal reporting key (from AuthKey_<KEY_ID>.p8, leave empty to skip)', process.env.ASC_KEY_ID || '');
+        if (keyId.trim())
+            secrets.ASC_KEY_ID = keyId.trim();
+        const privateKeyContent = await askAscPrivateKeyContent(rl, {
+            keyLabel: 'the normal reporting key',
+        });
+        if (!privateKeyContent)
+            return await guideAscBootstrapAdminKey(rl, issuerId.trim());
         const privateKeyPath = resolveAscPrivateKeyPath(keyId);
         await fs.mkdir(path.dirname(privateKeyPath), { recursive: true, mode: 0o700 });
         await fs.writeFile(privateKeyPath, privateKeyContent, { encoding: 'utf8', mode: 0o600 });
@@ -3963,14 +4004,85 @@ async function guideAscConnector(rl, secrets) {
         secrets.ASC_PRIVATE_KEY_PATH = privateKeyPath;
         process.stdout.write(`Saved ASC private key to ${privateKeyPath} with chmod 600.\n`);
     }
-    else {
-        const privateKeyPath = await askAscPrivateKeyPath(rl);
-        if (privateKeyPath.trim())
-            secrets.ASC_PRIVATE_KEY_PATH = privateKeyPath.trim();
-    }
     const vendorNumber = await ask(rl, 'ASC_VENDOR_NUMBER for Sales and Trends/App Units (required for healthy ASC status)', process.env.ASC_VENDOR_NUMBER || '');
     if (vendorNumber.trim())
         secrets.ASC_VENDOR_NUMBER = vendorNumber.trim();
+    return await guideAscBootstrapAdminKey(rl, issuerId.trim());
+}
+async function guideAscBootstrapAdminKey(rl, issuerIdDefault = '') {
+    const bootstrapEnv = {};
+    process.stdout.write('\nStep 3 - temporary Admin key for first ASC setup\n');
+    printBullets([
+        'Use the second key you created with the Admin role.',
+        'This is only needed to create the first App Analytics report request.',
+        'The wizard does not save ASC_BOOTSTRAP_* to secrets.env.',
+        'Use Apple\'s original AuthKey_<KEY_ID>.p8 file name so the wizard can infer ASC_BOOTSTRAP_KEY_ID.',
+        'Do not rename the .p8 file.',
+        'If you paste the .p8 content, the local temporary file is deleted after analytics initialization.',
+        'Revoke this Admin key in App Store Connect after setup.',
+    ]);
+    const bootstrapKeyPath = await askAscPrivateKeyPathWithKeyId(rl, {
+        label: 'ASC_BOOTSTRAP_PRIVATE_KEY_PATH for temporary Admin key (AuthKey_<KEY_ID>.p8 path, empty = paste content instead)',
+        defaultValue: '',
+        keyLabel: 'the temporary Admin key',
+    });
+    let bootstrapKeyId = bootstrapKeyPath.keyId;
+    const bootstrapIssuerId = await ask(rl, 'ASC_BOOTSTRAP_ISSUER_ID for temporary Admin key', issuerIdDefault);
+    if (bootstrapKeyPath.privateKeyPath) {
+        bootstrapEnv.ASC_BOOTSTRAP_PRIVATE_KEY_PATH = bootstrapKeyPath.privateKeyPath;
+        process.stdout.write(`Inferred ASC_BOOTSTRAP_KEY_ID=${bootstrapKeyId} from ${path.basename(bootstrapKeyPath.privateKeyPath)}.\n`);
+        const shouldDelete = await askYesNo(rl, 'Delete this temporary Admin .p8 file from this host after the setup check?', true);
+        if (shouldDelete)
+            bootstrapEnv.ASC_BOOTSTRAP_PRIVATE_KEY_DELETE_AFTER_USE = '1';
+    }
+    else {
+        bootstrapKeyId = await ask(rl, 'ASC_BOOTSTRAP_KEY_ID for temporary Admin key (from AuthKey_<KEY_ID>.p8, required)', '');
+    }
+    if (!bootstrapKeyId.trim() || !bootstrapIssuerId.trim())
+        return { bootstrapEnv };
+    bootstrapEnv.ASC_BOOTSTRAP_KEY_ID = bootstrapKeyId.trim();
+    bootstrapEnv.ASC_BOOTSTRAP_ISSUER_ID = bootstrapIssuerId.trim();
+    if (!bootstrapKeyPath.privateKeyPath) {
+        const bootstrapPrivateKeyContent = await askAscPrivateKeyContent(rl, {
+            envName: 'ASC_BOOTSTRAP_PRIVATE_KEY',
+            persistLabel: 'ASC_BOOTSTRAP_PRIVATE_KEY_PATH temporarily',
+            keyLabel: 'the temporary Admin key',
+        });
+        if (!bootstrapPrivateKeyContent)
+            return { bootstrapEnv };
+        const bootstrapPrivateKeyPath = resolveAscPrivateKeyPath(bootstrapKeyId, '_bootstrap_admin');
+        await fs.mkdir(path.dirname(bootstrapPrivateKeyPath), { recursive: true, mode: 0o700 });
+        await fs.writeFile(bootstrapPrivateKeyPath, bootstrapPrivateKeyContent, { encoding: 'utf8', mode: 0o600 });
+        await fs.chmod(bootstrapPrivateKeyPath, 0o600);
+        bootstrapEnv.ASC_BOOTSTRAP_PRIVATE_KEY_PATH = bootstrapPrivateKeyPath;
+        bootstrapEnv.ASC_BOOTSTRAP_PRIVATE_KEY_DELETE_AFTER_USE = '1';
+        process.stdout.write(`Saved temporary Admin ASC private key to ${bootstrapPrivateKeyPath} with chmod 600. It will be deleted after the setup check.\n`);
+    }
+    return { bootstrapEnv };
+}
+async function cleanupTemporaryAscBootstrapPrivateKey(bootstrapEnv = {}) {
+    const privateKeyPath = String(bootstrapEnv.ASC_BOOTSTRAP_PRIVATE_KEY_PATH || '').trim();
+    const shouldDelete = String(bootstrapEnv.ASC_BOOTSTRAP_PRIVATE_KEY_DELETE_AFTER_USE || '').trim().toLowerCase();
+    if (!privateKeyPath || !['1', 'true', 'yes'].includes(shouldDelete))
+        return;
+    if (privateKeyPath === String(bootstrapEnv.ASC_PRIVATE_KEY_PATH || process.env.ASC_PRIVATE_KEY_PATH || '').trim()) {
+        process.stdout.write('Temporary Admin .p8 path matches the steady-state ASC_PRIVATE_KEY_PATH; leaving it in place.\n');
+        process.stdout.write('You can also revoke the temporary Admin API key in App Store Connect.\n');
+        return;
+    }
+    try {
+        await fs.unlink(privateKeyPath);
+        process.stdout.write(`Deleted temporary Admin .p8 from ${privateKeyPath}.\n`);
+    }
+    catch (error) {
+        if (error?.code === 'ENOENT') {
+            process.stdout.write(`Temporary Admin .p8 was already absent at ${privateKeyPath}.\n`);
+            process.stdout.write('You can also revoke the temporary Admin API key in App Store Connect.\n');
+            return;
+        }
+        process.stdout.write(`Could not delete temporary Admin .p8 at ${privateKeyPath}: ${error instanceof Error ? error.message : String(error)}\n`);
+    }
+    process.stdout.write('You can also revoke the temporary Admin API key in App Store Connect.\n');
 }
 async function shouldRunSelfUpdate(workspaceRoot, force) {
     if (force)
@@ -4204,13 +4316,16 @@ async function runConnectorSetupSteps({ rl, args, selected, healthByConnector, a
     if (selected.includes('asc')) {
         while (true) {
             clearTerminal();
-            await guideAscConnector(rl, secrets);
-            const check = await runImmediateConnectorHealthCheck({
+            const ascSetup = await guideAscConnector(rl, secrets);
+            let bootstrapEnv = ascSetup?.bootstrapEnv || {};
+            let check = await runImmediateConnectorHealthCheck({
                 rl,
                 configPath: args.config,
                 connector: 'asc',
                 secrets,
+                runtimeEnv: bootstrapEnv,
             });
+            await cleanupTemporaryAscBootstrapPrivateKey(bootstrapEnv);
             if (!check.retry)
                 break;
         }