@analyticscli/growth-engineer 0.1.1-preview.15 → 0.1.1-preview.19

package/dist/runtime/openclaw-growth-wizard.mjs

@@ -108,7 +108,7 @@ const CONNECTOR_DEFINITIONS = [
         key: 'asc',
         label: 'ASC / App Store Connect CLI',
         summary: 'Read App Store analytics, reviews/ratings, builds/TestFlight/release context, subscriptions, purchases, and crash totals.',
-        needs: 'ASC_KEY_ID, ASC_ISSUER_ID, and the AuthKey_XXXX.p8 content or path.',
+        needs: 'Two App Store Connect API keys: a Sales and Reports or Finance key for ongoing use, plus a temporary Admin key for one-time analytics bootstrap.',
     },
     {
         key: 'stripe',
@@ -2535,7 +2535,7 @@ async function saveSecretsImmediately(secrets) {
     process.stdout.write(`Saved local secrets to ${secretsFile} with chmod 600.\n`);
     return true;
 }
-async function runImmediateConnectorHealthCheck({ rl, configPath, connector, secrets, sentryAccounts = [], paddleAccounts = [], }) {
+async function runImmediateConnectorHealthCheck({ rl, configPath, connector, secrets, runtimeEnv = {}, sentryAccounts = [], paddleAccounts = [], }) {
     if (connector === 'sentry' && sentryAccounts.length > 0) {
         await upsertSentryAccountsConfig(configPath, sentryAccounts);
     }
@@ -2546,6 +2546,7 @@ async function runImmediateConnectorHealthCheck({ rl, configPath, connector, sec
     const env = {
         ...process.env,
         ...secrets,
+        ...runtimeEnv,
     };
     const command = `${nodeRuntimeScriptCommand('openclaw-growth-start.mjs')} --config ${quote(configPath)} --setup-only --connectors ${quote(connector)} --only-connectors ${quote(connector)}`;
     let result = await runSetupCommandWithProgress(command, env, [connector], `Checking ${connectorLabel(connector)} immediately after setup...`);
@@ -2686,12 +2687,17 @@ function resolveSecretsFile() {
         return path.join(process.env.HOME, '.config', 'openclaw-growth', 'secrets.env');
     return path.resolve('.openclaw-growth-secrets.env');
 }
-function resolveAscPrivateKeyPath(keyId) {
+function resolveAscPrivateKeyPath(keyId, suffix = '') {
     const safeKeyId = (keyId || 'OPENCLAW').trim().replace(/[^a-zA-Z0-9_-]/g, '_') || 'OPENCLAW';
     const baseDir = process.env.HOME
         ? path.join(process.env.HOME, '.config', 'openclaw-growth')
         : path.resolve('.openclaw-growth');
-    return path.join(baseDir, `AuthKey_${safeKeyId}.p8`);
+    return path.join(baseDir, `AuthKey_${safeKeyId}${suffix}.p8`);
+}
+function inferAscKeyIdFromPrivateKeyPath(filePath) {
+    const fileName = path.basename(String(filePath || '').trim());
+    const match = fileName.match(/^AuthKey_([A-Za-z0-9]+)\.p8$/);
+    return match?.[1] || '';
 }
 function renderEnvValue(value) {
     return `"${String(value).replace(/\\/g, '\\\\').replace(/"/g, '\\"').replace(/\$/g, '\\$')}"`;
@@ -3384,11 +3390,14 @@ function validateAscPrivateKeyContent(value) {
         };
     }
 }
-async function askAscPrivateKeyContent(rl) {
-    process.stdout.write('\nPaste the full .p8 file content here. Leave the first line empty if you already saved the .p8 file on this host.\n');
-    process.stdout.write('The wizard validates the pasted key, stores it locally with chmod 600, and only saves ASC_PRIVATE_KEY_PATH.\n');
+async function askAscPrivateKeyContent(rl, options = {}) {
+    const envName = options.envName || 'ASC_PRIVATE_KEY';
+    const persistLabel = options.persistLabel || 'ASC_PRIVATE_KEY_PATH';
+    const keyLabel = options.keyLabel || 'this App Store Connect key';
+    process.stdout.write(`\nPaste the full .p8 file content for ${keyLabel}.\nLeave the first line empty if the .p8 file is already saved on this host.\n`);
+    process.stdout.write(`The wizard validates the pasted key, stores it locally with chmod 600, and only saves ${persistLabel}.\n`);
     while (true) {
-        const value = await readAscPrivateKeyPaste(rl);
+        const value = await readAscPrivateKeyPaste(rl, envName);
         if (!value.trim())
             return '';
         const validation = validateAscPrivateKeyContent(value);
@@ -3398,7 +3407,7 @@ async function askAscPrivateKeyContent(rl) {
         process.stdout.write('The .p8 was not saved. Paste the full file again from BEGIN to END, or leave empty to use a path.\n');
     }
 }
-async function readAscPrivateKeyPaste(rl) {
+async function readAscPrivateKeyPaste(rl, envName = 'ASC_PRIVATE_KEY') {
     return await new Promise((resolve, reject) => {
         let buffer = '';
         let settled = false;
@@ -3459,7 +3468,7 @@ async function readAscPrivateKeyPaste(rl) {
         process.stdin.setEncoding('utf8');
         process.stdin.on('data', onData);
         process.stdin.on('error', onError);
-        process.stdout.write('ASC_PRIVATE_KEY content: ');
+        process.stdout.write(`${envName} content: `);
         process.stdin.resume();
     });
 }
@@ -3467,9 +3476,11 @@ async function validateAscPrivateKeyPath(filePath) {
     const raw = await fs.readFile(filePath, 'utf8');
     return validateAscPrivateKeyContent(raw);
 }
-async function askAscPrivateKeyPath(rl) {
+async function askAscPrivateKeyPath(rl, options = {}) {
+    const label = options.label || 'ASC_PRIVATE_KEY_PATH (path to AuthKey_XXXX.p8, leave empty to skip)';
+    const defaultValue = options.defaultValue ?? process.env.ASC_PRIVATE_KEY_PATH ?? '';
     while (true) {
-        const privateKeyPath = await ask(rl, 'ASC_PRIVATE_KEY_PATH (path to AuthKey_XXXX.p8, leave empty to skip)', process.env.ASC_PRIVATE_KEY_PATH || '');
+        const privateKeyPath = await ask(rl, label, defaultValue);
         const trimmedPath = privateKeyPath.trim();
         if (!trimmedPath)
             return '';
@@ -3485,6 +3496,19 @@ async function askAscPrivateKeyPath(rl) {
         process.stdout.write('The ASC private key path was not saved. Paste a valid path, or leave empty to skip.\n');
     }
 }
+async function askAscPrivateKeyPathWithKeyId(rl, options = {}) {
+    const keyLabel = options.keyLabel || 'App Store Connect key';
+    while (true) {
+        const privateKeyPath = await askAscPrivateKeyPath(rl, options);
+        if (!privateKeyPath)
+            return { privateKeyPath: '', keyId: '' };
+        const keyId = inferAscKeyIdFromPrivateKeyPath(privateKeyPath);
+        if (keyId)
+            return { privateKeyPath, keyId };
+        process.stdout.write(`Could not infer Key ID for ${keyLabel} from the .p8 file name.\n`);
+        process.stdout.write('Use Apple\'s original downloaded file name: AuthKey_<KEY_ID>.p8. Do not rename the .p8 file.\n');
+    }
+}
 function printSection(title, lines = []) {
     process.stdout.write(`\n${ANSI.bold}${title}${ANSI.reset}\n`);
     process.stdout.write(`${'-'.repeat(title.length)}\n`);
@@ -3500,6 +3524,9 @@ function printBullets(lines) {
     }
     process.stdout.write('\n');
 }
+function bold(text) {
+    return `${ANSI.bold}${text}${ANSI.reset}`;
+}
 async function guideGitHubConnector(rl, secrets) {
     printSection('GitHub code access', [
         'Use this when OpenClaw should read repo context or create GitHub delivery artifacts.',
@@ -3921,41 +3948,39 @@ async function guideCoolifyConnector(rl, secrets) {
 }
 async function guideAscConnector(rl, secrets) {
     printSection('App Store Connect CLI', [
-        'Use this mainly for App Store analytics batch reports, plus builds, TestFlight, reviews, ratings, and store context.',
-        'The normal Growth Engineer path uses App Store Connect API-key reports. Experimental ASC web analytics is not part of setup.',
-    ]);
-    process.stdout.write('Create an App Store Connect API key here:\n  https://appstoreconnect.apple.com/access/integrations/api\n\n');
-    process.stdout.write('Roles to choose for this key:\n');
-    printBullets([
-        'Required for first setup: Admin, because Apple only allows Admin keys to create the initial Analytics Report Request.',
-        'Required for steady-state report downloads after the request exists: Sales and Reports, Finance, or Admin.',
-        'Recommended: Customer Support, for App Store ratings and review text.',
-        'Recommended: Developer, for builds, TestFlight, and delivery status.',
-        'Optional: App Manager, only if OpenClaw should also read or manage app metadata, pricing, or release settings.',
-        'Least privilege option: run setup once with Admin, then rotate Growth Engineer to a Sales and Reports key for ongoing analytics downloads.',
-    ]);
-    process.stdout.write('\nWhy Admin is requested during setup:\n');
-    printBullets([
-        'Growth Engineer automatically creates an ongoing App Analytics report request when none exists.',
-        'Without that request, Apple will not generate Impressions, Product Page Views, App Units, Conversion Rate, and related report instances.',
-        'A non-Admin key can read existing reports, but creation fails with a forbidden response.',
+        `${bold('Create 2 API keys')} here: https://appstoreconnect.apple.com/access/integrations/api`,
+        `1. ${bold('Reports key')} - role ${bold('Sales and Reports')} - saved for Growth Engineer.`,
+        `2. ${bold('Setup key')} - role ${bold('Admin')} - used once, then revoke.`,
     ]);
-    process.stdout.write('\nAfter creating the key, copy these values into this wizard:\n');
+    process.stdout.write(`${bold('Enter the Reports key now:')}\n`);
     printBullets([
-        'Issuer ID from the API keys page.',
-        'Key ID from the API key row or from the downloaded file name: AuthKey_<KEY_ID>.p8.',
-        'Download the .p8 file, open it, then paste the full file content into this terminal.',
-        'If the .p8 is already on this host, leave the content prompt empty and paste the file path instead.',
-        'Vendor Number from App Store Connect Sales and Trends > Reports. Required for healthy ASC status because Sales and Trends/App Units depend on it.',
+        `${bold('.p8 path')} to Apple\'s original ${bold('AuthKey_<KEY_ID>.p8')} file. ${bold('Do not rename it')}; KEY_ID is read from the filename.`,
+        `${bold('Issuer ID')} from the API keys page.`,
+        `${bold('Vendor Number')} from Sales and Trends > Reports.`,
     ]);
-    const keyId = await ask(rl, 'ASC_KEY_ID (leave empty to skip)', process.env.ASC_KEY_ID || '');
-    const issuerId = await ask(rl, 'ASC_ISSUER_ID (leave empty to skip)', process.env.ASC_ISSUER_ID || '');
-    if (keyId.trim())
-        secrets.ASC_KEY_ID = keyId.trim();
+    const normalKeyPath = await askAscPrivateKeyPathWithKeyId(rl, {
+        label: 'Reports .p8 path (AuthKey_<KEY_ID>.p8, empty = paste)',
+        defaultValue: process.env.ASC_PRIVATE_KEY_PATH || '',
+        keyLabel: 'the normal reporting key',
+    });
+    let keyId = normalKeyPath.keyId;
+    if (normalKeyPath.privateKeyPath) {
+        secrets.ASC_PRIVATE_KEY_PATH = normalKeyPath.privateKeyPath;
+        secrets.ASC_KEY_ID = keyId;
+        process.stdout.write(`Inferred ASC_KEY_ID=${keyId} from ${path.basename(normalKeyPath.privateKeyPath)}.\n`);
+    }
+    const issuerId = await ask(rl, 'ASC_ISSUER_ID (reports key, empty = skip)', process.env.ASC_ISSUER_ID || '');
     if (issuerId.trim())
         secrets.ASC_ISSUER_ID = issuerId.trim();
-    const privateKeyContent = await askAscPrivateKeyContent(rl);
-    if (privateKeyContent) {
+    if (!normalKeyPath.privateKeyPath) {
+        keyId = await ask(rl, 'ASC_KEY_ID (from AuthKey_<KEY_ID>.p8, empty = skip)', process.env.ASC_KEY_ID || '');
+        if (keyId.trim())
+            secrets.ASC_KEY_ID = keyId.trim();
+        const privateKeyContent = await askAscPrivateKeyContent(rl, {
+            keyLabel: 'the normal reporting key',
+        });
+        if (!privateKeyContent)
+            return await guideAscBootstrapAdminKey(rl, issuerId.trim());
         const privateKeyPath = resolveAscPrivateKeyPath(keyId);
         await fs.mkdir(path.dirname(privateKeyPath), { recursive: true, mode: 0o700 });
         await fs.writeFile(privateKeyPath, privateKeyContent, { encoding: 'utf8', mode: 0o600 });
@@ -3963,14 +3988,81 @@ async function guideAscConnector(rl, secrets) {
         secrets.ASC_PRIVATE_KEY_PATH = privateKeyPath;
         process.stdout.write(`Saved ASC private key to ${privateKeyPath} with chmod 600.\n`);
     }
-    else {
-        const privateKeyPath = await askAscPrivateKeyPath(rl);
-        if (privateKeyPath.trim())
-            secrets.ASC_PRIVATE_KEY_PATH = privateKeyPath.trim();
-    }
-    const vendorNumber = await ask(rl, 'ASC_VENDOR_NUMBER for Sales and Trends/App Units (required for healthy ASC status)', process.env.ASC_VENDOR_NUMBER || '');
+    const vendorNumber = await ask(rl, 'ASC_VENDOR_NUMBER (Sales and Trends > Reports)', process.env.ASC_VENDOR_NUMBER || '');
     if (vendorNumber.trim())
         secrets.ASC_VENDOR_NUMBER = vendorNumber.trim();
+    return await guideAscBootstrapAdminKey(rl, issuerId.trim());
+}
+async function guideAscBootstrapAdminKey(rl, issuerIdDefault = '') {
+    const bootstrapEnv = {};
+    process.stdout.write(`\n${bold('Enter the Setup Admin key:')}\n`);
+    printBullets([
+        `${bold('Role must be Admin')} so Apple can create the first App Analytics report request.`,
+        `${bold('Use original AuthKey_<KEY_ID>.p8 filename')} so KEY_ID is read automatically.`,
+        `${bold('Not saved')} to secrets.env. Revoke this key after setup.`,
+    ]);
+    const bootstrapKeyPath = await askAscPrivateKeyPathWithKeyId(rl, {
+        label: 'Setup Admin .p8 path (AuthKey_<KEY_ID>.p8, empty = paste)',
+        defaultValue: '',
+        keyLabel: 'the temporary Admin key',
+    });
+    let bootstrapKeyId = bootstrapKeyPath.keyId;
+    const bootstrapIssuerId = await ask(rl, 'ASC_BOOTSTRAP_ISSUER_ID', issuerIdDefault);
+    if (bootstrapKeyPath.privateKeyPath) {
+        bootstrapEnv.ASC_BOOTSTRAP_PRIVATE_KEY_PATH = bootstrapKeyPath.privateKeyPath;
+        process.stdout.write(`Inferred ASC_BOOTSTRAP_KEY_ID=${bootstrapKeyId} from ${path.basename(bootstrapKeyPath.privateKeyPath)}.\n`);
+        const shouldDelete = await askYesNo(rl, 'Delete this temporary Admin .p8 file from this host after the setup check?', true);
+        if (shouldDelete)
+            bootstrapEnv.ASC_BOOTSTRAP_PRIVATE_KEY_DELETE_AFTER_USE = '1';
+    }
+    else {
+        bootstrapKeyId = await ask(rl, 'ASC_BOOTSTRAP_KEY_ID (from AuthKey_<KEY_ID>.p8)', '');
+    }
+    if (!bootstrapKeyId.trim() || !bootstrapIssuerId.trim())
+        return { bootstrapEnv };
+    bootstrapEnv.ASC_BOOTSTRAP_KEY_ID = bootstrapKeyId.trim();
+    bootstrapEnv.ASC_BOOTSTRAP_ISSUER_ID = bootstrapIssuerId.trim();
+    if (!bootstrapKeyPath.privateKeyPath) {
+        const bootstrapPrivateKeyContent = await askAscPrivateKeyContent(rl, {
+            envName: 'ASC_BOOTSTRAP_PRIVATE_KEY',
+            persistLabel: 'ASC_BOOTSTRAP_PRIVATE_KEY_PATH temporarily',
+            keyLabel: 'the temporary Admin key',
+        });
+        if (!bootstrapPrivateKeyContent)
+            return { bootstrapEnv };
+        const bootstrapPrivateKeyPath = resolveAscPrivateKeyPath(bootstrapKeyId, '_bootstrap_admin');
+        await fs.mkdir(path.dirname(bootstrapPrivateKeyPath), { recursive: true, mode: 0o700 });
+        await fs.writeFile(bootstrapPrivateKeyPath, bootstrapPrivateKeyContent, { encoding: 'utf8', mode: 0o600 });
+        await fs.chmod(bootstrapPrivateKeyPath, 0o600);
+        bootstrapEnv.ASC_BOOTSTRAP_PRIVATE_KEY_PATH = bootstrapPrivateKeyPath;
+        bootstrapEnv.ASC_BOOTSTRAP_PRIVATE_KEY_DELETE_AFTER_USE = '1';
+        process.stdout.write(`Saved temporary Admin ASC private key to ${bootstrapPrivateKeyPath} with chmod 600. It will be deleted after the setup check.\n`);
+    }
+    return { bootstrapEnv };
+}
+async function cleanupTemporaryAscBootstrapPrivateKey(bootstrapEnv = {}) {
+    const privateKeyPath = String(bootstrapEnv.ASC_BOOTSTRAP_PRIVATE_KEY_PATH || '').trim();
+    const shouldDelete = String(bootstrapEnv.ASC_BOOTSTRAP_PRIVATE_KEY_DELETE_AFTER_USE || '').trim().toLowerCase();
+    if (!privateKeyPath || !['1', 'true', 'yes'].includes(shouldDelete))
+        return;
+    if (privateKeyPath === String(bootstrapEnv.ASC_PRIVATE_KEY_PATH || process.env.ASC_PRIVATE_KEY_PATH || '').trim()) {
+        process.stdout.write('Temporary Admin .p8 path matches the steady-state ASC_PRIVATE_KEY_PATH; leaving it in place.\n');
+        process.stdout.write('You can also revoke the temporary Admin API key in App Store Connect.\n');
+        return;
+    }
+    try {
+        await fs.unlink(privateKeyPath);
+        process.stdout.write(`Deleted temporary Admin .p8 from ${privateKeyPath}.\n`);
+    }
+    catch (error) {
+        if (error?.code === 'ENOENT') {
+            process.stdout.write(`Temporary Admin .p8 was already absent at ${privateKeyPath}.\n`);
+            process.stdout.write('You can also revoke the temporary Admin API key in App Store Connect.\n');
+            return;
+        }
+        process.stdout.write(`Could not delete temporary Admin .p8 at ${privateKeyPath}: ${error instanceof Error ? error.message : String(error)}\n`);
+    }
+    process.stdout.write('You can also revoke the temporary Admin API key in App Store Connect.\n');
 }
 async function shouldRunSelfUpdate(workspaceRoot, force) {
     if (force)
@@ -4204,13 +4296,16 @@ async function runConnectorSetupSteps({ rl, args, selected, healthByConnector, a
     if (selected.includes('asc')) {
         while (true) {
             clearTerminal();
-            await guideAscConnector(rl, secrets);
-            const check = await runImmediateConnectorHealthCheck({
+            const ascSetup = await guideAscConnector(rl, secrets);
+            let bootstrapEnv = ascSetup?.bootstrapEnv || {};
+            let check = await runImmediateConnectorHealthCheck({
                 rl,
                 configPath: args.config,
                 connector: 'asc',
                 secrets,
+                runtimeEnv: bootstrapEnv,
             });
+            await cleanupTemporaryAscBootstrapPrivateKey(bootstrapEnv);
             if (!check.retry)
                 break;
         }