@better-update/cli 0.10.1 → 0.12.0

package/dist/index.mjs

@@ -7,19 +7,20 @@ import { Command, FetchHttpClient, FileSystem, HttpApi, HttpApiClient, HttpApiEn
 import { NodeContext } from "@effect/platform-node";
 import path, { join } from "node:path";
 import process$1 from "node:process";
+import * as AppleUtils from "@expo/apple-utils";
+import { cancel, confirm, isCancel, multiselect, password, select, text } from "@clack/prompts";
+import { once } from "node:events";
+import { createServer } from "node:http";
 import { maxBy, uniqBy } from "es-toolkit";
 import { createHash, randomBytes, randomUUID } from "node:crypto";
 import { createReadStream, existsSync, readFileSync, writeFileSync } from "node:fs";
 import os from "node:os";
 import plist from "@expo/plist";
 import { ExpoRunFormatter } from "@expo/xcpretty";
-import { cancel, confirm, isCancel, multiselect, password, select, text } from "@clack/prompts";
 import forge from "node-forge";
 import { Buffer as Buffer$1 } from "node:buffer";
 import { getFormattedSerialNumber, getX509Certificate, parsePKCS12 } from "@expo/pkcs12";
 import qrcode from "qrcode-terminal";
-import { once } from "node:events";
-import { createServer } from "node:http";
 import { fileURLToPath } from "node:url";
 
 //#region \0rolldown/runtime.js
@@ -27,7 +28,7 @@ var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
 //#endregion
 //#region package.json
-var version = "0.10.1";
+var version = "0.12.0";
 
 //#endregion
 //#region src/lib/interactive-mode.ts
@@ -1127,37 +1128,51 @@ var DevicesGroup = class extends HttpApiGroup.make("devices").add(HttpApiEndpoin
 
 //#endregion
 //#region ../../packages/api/src/domain/env-var.ts
-const EnvVarVisibility = Schema.Literal("plaintext", "sensitive", "secret");
+const EnvVarVisibility = Schema.Literal("plaintext", "sensitive");
+const EnvVarScope = Schema.Literal("project", "global");
+const EnvVarEnvironment = Schema.Literal("development", "preview", "production");
+const EnvVarListScope = Schema.Literal("all", "project", "global");
 var EnvVar = class extends Schema.Class("EnvVar")({
 	id: Id,
 	organizationId: Id,
-	projectId: Id,
-	environment: Schema.String,
+	projectId: Schema.NullOr(Id),
+	scope: EnvVarScope,
 	key: Schema.String,
 	visibility: EnvVarVisibility,
 	value: Schema.NullOr(Schema.String),
+	environments: Schema.Array(EnvVarEnvironment),
+	overridesGlobal: Schema.optional(Schema.Boolean),
 	createdAt: DateTimeString,
 	updatedAt: DateTimeString
 }) {};
 const EnvVarKey = Schema.String.pipe(Schema.pattern(/^[A-Z][A-Z0-9_]*$/u), Schema.maxLength(256));
 const EnvVarValue = Schema.String.pipe(Schema.maxLength(32768));
-const EnvVarEnvironment = Schema.String.pipe(Schema.minLength(1), Schema.maxLength(64));
+const EnvVarEnvironmentArray = Schema.Array(EnvVarEnvironment).pipe(Schema.minItems(1));
 const CreateEnvVarBody = Schema.Struct({
-	projectId: Id,
-	environment: EnvVarEnvironment,
+	scope: EnvVarScope,
+	projectId: Schema.optional(Id),
+	environments: EnvVarEnvironmentArray,
 	key: EnvVarKey,
 	value: EnvVarValue,
 	visibility: EnvVarVisibility
 });
 const UpdateEnvVarBody = Schema.Struct({
 	value: Schema.optional(EnvVarValue),
+	visibility: Schema.optional(EnvVarVisibility),
+	environments: Schema.optional(EnvVarEnvironmentArray)
+});
+const BulkImportEntry = Schema.Struct({
+	key: EnvVarKey,
+	value: EnvVarValue,
 	visibility: Schema.optional(EnvVarVisibility)
 });
 const BulkImportEnvVarsBody = Schema.Struct({
-	projectId: Id,
-	environment: EnvVarEnvironment,
-	content: Schema.String.pipe(Schema.maxLength(4e6)),
-	visibility: EnvVarVisibility
+	scope: EnvVarScope,
+	projectId: Schema.optional(Id),
+	environments: EnvVarEnvironmentArray,
+	content: Schema.optional(Schema.String.pipe(Schema.maxLength(4e6))),
+	entries: Schema.optional(Schema.Array(BulkImportEntry).pipe(Schema.maxItems(100))),
+	visibility: Schema.optional(EnvVarVisibility)
 });
 const BulkImportResult = Schema.Struct({
 	created: Schema.Number,
@@ -1172,7 +1187,7 @@ const EnvVarExportItem = Schema.Struct({
 });
 const EnvVarExportResult = Schema.Struct({
 	items: Schema.Array(EnvVarExportItem),
-	environment: Schema.String
+	environment: EnvVarEnvironment
 });
 
 //#endregion
@@ -1180,32 +1195,34 @@ const EnvVarExportResult = Schema.Struct({
 const idParam$5 = HttpApiSchema.param("id", Schema.String);
 var EnvVarsGroup = class extends HttpApiGroup.make("env-vars").add(HttpApiEndpoint.post("create", "/api/env-vars").setPayload(CreateEnvVarBody).addSuccess(EnvVar, { status: 201 }).addError(BadRequest).addError(Conflict).annotateContext(OpenApi.annotations({
 	title: "Create environment variable",
-	description: "Create a new environment variable for a project"
+	description: "Create a new environment variable. Scope can be 'project' (requires projectId) or 'global' (organization-wide)."
 }))).add(HttpApiEndpoint.get("list", "/api/env-vars").setUrlParams(Schema.Struct({
-	projectId: Id,
-	environment: Schema.optional(Schema.String),
+	scope: Schema.optional(EnvVarListScope),
+	projectId: Schema.optional(Id),
+	environments: Schema.optional(Schema.String),
+	search: Schema.optional(Schema.String),
 	...PaginationParams.fields
-})).addSuccess(Schema.Struct({ items: Schema.Array(EnvVar) })).annotateContext(OpenApi.annotations({
+})).addSuccess(Schema.Struct({ items: Schema.Array(EnvVar) })).addError(BadRequest).annotateContext(OpenApi.annotations({
 	title: "List environment variables",
-	description: "List environment variables with optional filters"
+	description: "List environment variables. scope=all merges project + global vars with project overrides. environments is a comma-separated list. search matches key substring."
 }))).add(HttpApiEndpoint.get("get")`/api/env-vars/${idParam$5}`.addSuccess(EnvVar).annotateContext(OpenApi.annotations({
 	title: "Get environment variable",
 	description: "Get an environment variable by ID"
 }))).add(HttpApiEndpoint.patch("update")`/api/env-vars/${idParam$5}`.setPayload(UpdateEnvVarBody).addSuccess(EnvVar).addError(BadRequest).annotateContext(OpenApi.annotations({
 	title: "Update environment variable",
-	description: "Update an environment variable's value or visibility"
+	description: "Update value, visibility, or assigned environments"
 }))).add(HttpApiEndpoint.del("delete")`/api/env-vars/${idParam$5}`.addSuccess(DeleteEnvVarResult).annotateContext(OpenApi.annotations({
 	title: "Delete environment variable",
 	description: "Delete an environment variable"
 }))).add(HttpApiEndpoint.post("bulkImport", "/api/env-vars/bulk-import").setPayload(BulkImportEnvVarsBody).addSuccess(BulkImportResult).addError(BadRequest).annotateContext(OpenApi.annotations({
 	title: "Bulk import environment variables",
-	description: "Import environment variables from a dotenv-formatted string. Supports KEY=VALUE format with # comments. Quoted values (single/double) are unquoted. Multiline values are not supported."
+	description: "Import variables from a dotenv-formatted string. Applies to all selected environments. Supports KEY=VALUE format with # comments. Quoted values (single/double) are unquoted. Multiline values are not supported."
 }))).add(HttpApiEndpoint.get("export", "/api/env-vars/export").setUrlParams(Schema.Struct({
 	projectId: Id,
-	environment: Schema.String
+	environment: EnvVarEnvironment
 })).addSuccess(EnvVarExportResult).addError(Forbidden).annotateContext(OpenApi.annotations({
 	title: "Export environment variables",
-	description: "Export environment variables for a project environment"
+	description: "Export environment variables for a project environment. Global org-scoped vars are merged in; project values override globals on key collision."
 }))).addError(NotFound).addError(Forbidden).addError(BadRequest).annotateContext(OpenApi.annotations({
 	title: "Environment Variables",
 	description: "Manage environment variables for project builds and deployments"
@@ -1756,6 +1773,53 @@ const ApiClientLive = Layer.effect(ApiClientService, Effect.gen(function* () {
 	}) };
 }));
 
+//#endregion
+//#region src/lib/prompts.ts
+const ensureInteractive = (promptName) => Effect.gen(function* () {
+	if (!(yield* InteractiveMode).allow) return yield* new InteractiveProhibitedError({ message: `Interactive prompt "${promptName}" requested while running non-interactively. Provide the value via a flag, run with --interactive, or unset CI.` });
+});
+const handleCancel = (value) => {
+	if (isCancel(value)) {
+		cancel("Operation cancelled.");
+		process.exit(130);
+	}
+	return value;
+};
+const promptPassword = (message) => Effect.gen(function* () {
+	yield* ensureInteractive(message);
+	return handleCancel(yield* Effect.promise(async () => password({ message })));
+});
+const promptSelect = (message, options) => Effect.gen(function* () {
+	yield* ensureInteractive(message);
+	return handleCancel(yield* Effect.promise(async () => select({
+		message,
+		options: [...options]
+	})));
+});
+const promptMultiSelect = (message, options, config) => Effect.gen(function* () {
+	yield* ensureInteractive(message);
+	return handleCancel(yield* Effect.promise(async () => multiselect({
+		message,
+		options: [...options],
+		required: config?.required ?? false
+	})));
+});
+const promptText = (message, options) => Effect.gen(function* () {
+	yield* ensureInteractive(message);
+	return handleCancel(yield* Effect.promise(async () => text({
+		message,
+		...options?.placeholder === void 0 ? {} : { placeholder: options.placeholder },
+		...options?.defaultValue === void 0 ? {} : { defaultValue: options.defaultValue }
+	})));
+});
+const promptConfirm = (message, options) => Effect.gen(function* () {
+	yield* ensureInteractive(message);
+	return handleCancel(yield* Effect.promise(async () => confirm({
+		message,
+		...options?.initialValue === void 0 ? {} : { initialValue: options.initialValue }
+	})));
+});
+
 //#endregion
 //#region ../../packages/safe-json/src/index.ts
 const parseJsonResult = (text) => {
@@ -1781,6 +1845,7 @@ const AppleSessionStoreLive = Layer.effect(AppleSessionStore, Effect.gen(functio
 	const homeDirectory = yield* (yield* CliRuntime).homeDirectory;
 	const sessionDir = path.join(homeDirectory, ".better-update");
 	const sessionFile = path.join(sessionDir, "apple-session.json");
+	const usernameFile = path.join(sessionDir, "apple-username.json");
 	return {
 		loadSession: Effect.gen(function* () {
 			const content = yield* fs.readFileString(sessionFile).pipe(Effect.catchAll(() => Effect.succeed(null)));
@@ -1803,9 +1868,129 @@ const AppleSessionStoreLive = Layer.effect(AppleSessionStore, Effect.gen(functio
 			yield* fs.writeFileString(sessionFile, `${JSON.stringify(session, null, 2)}\n`);
 			yield* fs.chmod(sessionFile, 384);
 		}).pipe(Effect.mapError((cause) => new AppleAuthError$1({ message: `Failed to save Apple session: ${formatCause(cause)}` }))),
-		clearSession: fs.remove(sessionFile).pipe(Effect.catchAll(() => Effect.void))
+		clearSession: fs.remove(sessionFile).pipe(Effect.catchAll(() => Effect.void)),
+		loadLastUsername: Effect.gen(function* () {
+			const content = yield* fs.readFileString(usernameFile).pipe(Effect.catchAll(() => Effect.succeed(null)));
+			if (!content) return null;
+			const parsed = safeJsonParse(content);
+			if (!isRecord(parsed) || typeof parsed["username"] !== "string") return null;
+			return parsed["username"];
+		}),
+		saveLastUsername: (username) => Effect.gen(function* () {
+			yield* fs.makeDirectory(sessionDir, { recursive: true });
+			yield* fs.chmod(sessionDir, 448);
+			yield* fs.writeFileString(usernameFile, `${JSON.stringify({ username }, null, 2)}\n`);
+			yield* fs.chmod(usernameFile, 384);
+		}).pipe(Effect.mapError((cause) => new AppleAuthError$1({ message: `Failed to save Apple username: ${formatCause(cause)}` })))
+	};
+}));
+
+//#endregion
+//#region src/services/apple-auth.ts
+const defaultAppleUtils = {
+	Auth: AppleUtils.Auth,
+	Session: AppleUtils.Session,
+	CookieFileCache: AppleUtils.CookieFileCache
+};
+var AppleAuth = class extends Context.Tag("cli/AppleAuth")() {};
+const sessionFromAuthState = (state) => ({
+	username: state.username,
+	teamId: state.context.teamId ?? state.session.provider.publicProviderId,
+	teamName: state.session.provider.name,
+	providerId: state.context.providerId ?? state.session.provider.providerId
+});
+const sessionFromInfo = (username, info) => ({
+	username,
+	teamId: info.provider.publicProviderId,
+	teamName: info.provider.name,
+	providerId: info.provider.providerId
+});
+const restoreFromCookies = (appleUtils, cookies, providerId, teamId) => Effect.tryPromise({
+	try: async () => {
+		const input = {
+			cookies,
+			...providerId === void 0 ? {} : { providerId },
+			...teamId === void 0 ? {} : { teamId }
+		};
+		return appleUtils.Auth.loginWithCookiesAsync(input);
+	},
+	catch: (cause) => new AppleAuthError$1({ message: `Failed to restore Apple session: ${formatCause(cause)}` })
+});
+const loginWithCredentials = (appleUtils, credentials) => Effect.tryPromise({
+	try: async () => appleUtils.Auth.loginWithUserCredentialsAsync(credentials, { autoResolveProvider: true }),
+	catch: (cause) => new AppleAuthError$1({ message: `Apple login failed: ${formatCause(cause)}` })
+});
+const readJarCookies = (appleUtils) => appleUtils.CookieFileCache.getCookiesJSON();
+const promptCredentials = (defaultUsername) => Effect.gen(function* () {
+	const username = yield* promptText("Apple ID", defaultUsername === void 0 ? { placeholder: "you@example.com" } : {
+		defaultValue: defaultUsername,
+		placeholder: defaultUsername
+	});
+	return {
+		username,
+		password: yield* promptPassword(`Password for ${username}`)
+	};
+});
+const interactiveLogin = (appleUtils, options, cachedUsername) => Effect.gen(function* () {
+	const store = yield* AppleSessionStore;
+	if (!(yield* InteractiveMode).allow) return yield* new InteractiveProhibitedError({ message: "Apple ID login requires an interactive terminal. Re-run with --interactive or provide an ASC API key (APPLE_ASC_KEY_ID, APPLE_ASC_ISSUER_ID, APPLE_ASC_KEY)." });
+	const defaultUsername = options.username ?? cachedUsername;
+	const { username, password } = yield* promptCredentials(defaultUsername === null ? void 0 : defaultUsername);
+	yield* Effect.logInfo(`Authenticating with Apple as ${username}...`);
+	const state = yield* loginWithCredentials(appleUtils, {
+		username,
+		password
+	});
+	if (state === null) return yield* new AppleAuthError$1({ message: "Apple login returned no session (unexpected)." });
+	const session = sessionFromAuthState(state);
+	yield* store.saveSession({
+		cookies: readJarCookies(appleUtils),
+		username: session.username,
+		teamId: session.teamId,
+		...session.providerId === void 0 ? {} : { providerId: session.providerId }
+	});
+	yield* store.saveLastUsername(session.username);
+	return session;
+});
+const tryRestore = (appleUtils, store) => Effect.gen(function* () {
+	const stored = yield* store.loadSession;
+	if (stored === null) return null;
+	const restored = yield* restoreFromCookies(appleUtils, stored.cookies, stored.providerId, stored.teamId);
+	if (restored === null) return null;
+	return sessionFromAuthState(restored);
+});
+const makeAppleAuthLive = (appleUtils = defaultAppleUtils) => Layer.effect(AppleAuth, Effect.gen(function* () {
+	const store = yield* AppleSessionStore;
+	return {
+		ensureLoggedIn: (options = {}) => Effect.gen(function* () {
+			const restored = yield* tryRestore(appleUtils, store).pipe(Effect.catchAll(() => Effect.succeed(null)));
+			if (restored !== null) return restored;
+			return yield* interactiveLogin(appleUtils, options, yield* store.loadLastUsername).pipe(Effect.provideService(AppleSessionStore, store));
+		}),
+		logout: store.clearSession.pipe(Effect.flatMap(() => Effect.tryPromise({
+			try: async () => appleUtils.Auth.logoutAsync(),
+			catch: (cause) => new AppleAuthError$1({ message: formatCause(cause) })
+		}).pipe(Effect.catchAll(() => Effect.void)))),
+		whoami: Effect.gen(function* () {
+			const stored = yield* store.loadSession;
+			if (stored === null) return null;
+			const restored = yield* restoreFromCookies(appleUtils, stored.cookies, stored.providerId, stored.teamId).pipe(Effect.catchAll(() => Effect.succeed(null)));
+			if (restored !== null) return sessionFromAuthState(restored);
+			const info = appleUtils.Session.getAnySessionInfo();
+			return info === null ? {
+				username: stored.username,
+				teamId: stored.teamId,
+				teamName: null,
+				providerId: stored.providerId
+			} : sessionFromInfo(stored.username, info);
+		}),
+		buildRequestContext: (session) => ({
+			teamId: session.teamId,
+			...session.providerId === void 0 ? {} : { providerId: session.providerId }
+		})
 	};
 }));
+const AppleAuthLive = makeAppleAuthLive();
 
 //#endregion
 //#region src/services/presigned-upload.ts
@@ -1902,10 +2087,11 @@ const CliPlatformLayer = Layer.mergeAll(CliRuntimeLive, NodeContext.layer, Fetch
 const CliStoreLayer = Layer.mergeAll(AuthStoreLive, ConfigStoreLive, AppleSessionStoreLive).pipe(Layer.provide(CliPlatformLayer));
 const CliAdapterDependencies = Layer.mergeAll(CliPlatformLayer, CliStoreLayer);
 const ApiClientLayer = ApiClientLive.pipe(Layer.provide(CliAdapterDependencies));
+const AppleAuthLayer = AppleAuthLive.pipe(Layer.provide(CliAdapterDependencies));
 const PresignedUploadLayer = PresignedUploadClientLive.pipe(Layer.provide(CliPlatformLayer));
 const UpdateAssetUploaderLayer = UpdateAssetUploaderLive.pipe(Layer.provide(Layer.mergeAll(ApiClientLayer, PresignedUploadLayer)));
 const VersionCheckLayer = VersionCheckLive.pipe(Layer.provide(CliPlatformLayer));
-const makeCliLive = (options) => Layer.mergeAll(CliAdapterDependencies, ApiClientLayer, PresignedUploadLayer, UpdateAssetUploaderLayer, VersionCheckLayer, makeOutputModeLayer(options.json), makeInteractiveModeLayer(options.interactive));
+const makeCliLive = (options) => Layer.mergeAll(CliAdapterDependencies, ApiClientLayer, AppleAuthLayer, PresignedUploadLayer, UpdateAssetUploaderLayer, VersionCheckLayer, makeOutputModeLayer(options.json), makeInteractiveModeLayer(options.interactive));
 /** Default CLI layer: human-readable, interactive. Override via flags at the entrypoint. */
 const CliLive = makeCliLive({
 	json: false,
@@ -1913,55 +2099,256 @@ const CliLive = makeCliLive({
 });
 
 //#endregion
-//#region src/application/command-exit.ts
-const exitWith = (code, message) => Console.error(message).pipe(Effect.zipRight(Effect.gen(function* () {
-	yield* (yield* CliRuntime).setExitCode(code);
-})));
+//#region src/lib/browser-login.ts
+var BrowserLoginTimeoutError = class extends Data.TaggedError("BrowserLoginTimeoutError") {};
+var BrowserLoginSessionClosedError = class extends Data.TaggedError("BrowserLoginSessionClosedError") {};
+const CALLBACK_PAGE = `<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>better-update CLI Login</title>
+    <style>
+      :root { color-scheme: light dark; font-family: ui-sans-serif, system-ui, sans-serif; }
+      body { margin: 0; min-height: 100vh; display: grid; place-items: center; padding: 24px; }
+      main { max-width: 32rem; line-height: 1.5; }
+      code { font-family: ui-monospace, SFMono-Regular, monospace; }
+    </style>
+  </head>
+  <body>
+    <main>
+      <h1>Completing CLI login...</h1>
+      <p id="message">Finalizing the local session. You can keep this tab open.</p>
+    </main>
+    <script>
+      const message = document.getElementById("message");
+      const render = (text) => {
+        if (message) message.textContent = text;
+      };
 
-//#endregion
-//#region src/lib/command-errors.ts
-const BASE_TAG_MAP = {
-	AuthRequiredError: 3,
-	ProjectNotLinkedError: 4,
-	NotFound: 1,
-	Conflict: 1,
-	Forbidden: 1,
-	BadRequest: 2,
-	InvalidArgumentError: 2,
-	InteractiveProhibitedError: 2
-};
-const SYSTEM_TAG_MESSAGE = {
-	SystemError: (error) => `Filesystem error: ${error.message}`,
-	BadArgument: (error) => `Invalid argument: ${error.message}`
+      const params = new URLSearchParams(window.location.hash.slice(1));
+      const token = params.get("token");
+
+      if (!token) {
+        render("Missing token. Return to the CLI and run login again.");
+      } else {
+        fetch("/callback/token", {
+          method: "POST",
+          headers: { "content-type": "application/json" },
+          body: JSON.stringify({ token }),
+        })
+          .then(async (response) => {
+            if (!response.ok) {
+              const body = await response.text();
+              throw new Error(body || "Callback failed");
+            }
+            window.history.replaceState({}, document.title, window.location.pathname);
+            render("CLI login complete. You can close this tab.");
+            setTimeout(() => window.close(), 300);
+          })
+          .catch((error) => {
+            render(error instanceof Error ? error.message : "Callback failed.");
+          });
+      }
+    <\/script>
+  </body>
+</html>`;
+const createBrowserLoginSession = (options = {}) => {
+	const tokenDeferred = Effect.runSync(Deferred.make());
+	const waitForToken = Deferred.await(tokenDeferred).pipe(Effect.timeoutFail({
+		duration: options.timeoutMs === void 0 ? Duration.minutes(5) : Duration.millis(options.timeoutMs),
+		onTimeout: () => new BrowserLoginTimeoutError({ message: "Timed out waiting for browser login to complete." })
+	}));
+	const dispose = () => {
+		Effect.runSync(Deferred.fail(tokenDeferred, new BrowserLoginSessionClosedError({ message: "Browser login session closed." })));
+	};
+	return {
+		callbackPath: "/callback",
+		waitForToken,
+		handleRequest: async (request) => {
+			const url = new URL(request.url);
+			if (request.method === "GET" && url.pathname === "/callback") return new Response(CALLBACK_PAGE, { headers: { "content-type": "text/html; charset=utf-8" } });
+			if (request.method === "POST" && url.pathname === "/callback/token") try {
+				const body = await request.json();
+				if (!isRecord(body)) return new Response("Invalid callback payload", { status: 400 });
+				const token = typeof body["token"] === "string" ? body["token"].trim() : "";
+				if (token.length === 0) return new Response("Missing token", { status: 400 });
+				Effect.runSync(Deferred.succeed(tokenDeferred, token));
+				return Response.json({ ok: true });
+			} catch {
+				return new Response("Invalid callback payload", { status: 400 });
+			}
+			return new Response("Not found", { status: 404 });
+		},
+		dispose
+	};
 };
-const SYSTEM_TAG_CODE = {
-	SystemError: 6,
-	BadArgument: 6
+const readBody = async (req) => {
+	const chunks = [];
+	for await (const chunk of req) chunks.push(chunk);
+	return Buffer.concat(chunks);
 };
-const makeCommandErrorHandler = (extras = {}) => {
-	const combined = {
-		...BASE_TAG_MAP,
-		...extras
+const toFetchRequest = async (req, origin) => {
+	const url = new URL(req.url ?? "/", origin);
+	const method = req.method ?? "GET";
+	const headers = new Headers();
+	for (const [key, value] of Object.entries(req.headers)) {
+		if (value === void 0) continue;
+		if (Array.isArray(value)) for (const entry of value) headers.append(key, entry);
+		else headers.append(key, value);
+	}
+	const init = {
+		method,
+		headers
 	};
-	const handlers = {};
-	for (const [tag, code] of Object.entries(combined)) {
-		const systemFormat = SYSTEM_TAG_MESSAGE[tag];
-		const resolvedCode = SYSTEM_TAG_CODE[tag] ?? code;
-		handlers[tag] = (error) => exitWith(resolvedCode, systemFormat ? systemFormat(error) : error.message);
+	if (method !== "GET" && method !== "HEAD") {
+		const body = await readBody(req);
+		init.body = new Uint8Array(body);
 	}
-	return (effect) => {
-		return effect.pipe(Effect.catchTags(handlers), Effect.catchAll((cause) => exitWith(1, formatCause(cause))));
+	return new Request(url, init);
+};
+const writeFetchResponse = async (res, response) => {
+	res.statusCode = response.status;
+	response.headers.forEach((value, key) => {
+		res.setHeader(key, value);
+	});
+	const body = await response.arrayBuffer();
+	res.end(Buffer.from(body));
+};
+const handleIncoming = async (req, res, session) => {
+	try {
+		const request = await toFetchRequest(req, "http://127.0.0.1");
+		await writeFetchResponse(res, await session.handleRequest(request));
+	} catch {
+		res.statusCode = 500;
+		res.end("Local callback failed");
+	}
+};
+const createBrowserLoginServer = async (options = {}) => {
+	const session = createBrowserLoginSession(options);
+	const server = createServer((req, res) => {
+		handleIncoming(req, res, session).catch(() => void 0);
+	});
+	server.listen(0, "127.0.0.1");
+	await once(server, "listening");
+	const address = server.address();
+	return {
+		callbackUrl: `http://127.0.0.1:${address !== null && typeof address === "object" ? address.port : 0}${session.callbackPath}`,
+		waitForToken: session.waitForToken,
+		stop: () => {
+			session.dispose();
+			server.close();
+		}
 	};
 };
 
 //#endregion
-//#region src/lib/citty-effect.ts
-let activeCliLayer = CliLive;
+//#region src/application/login.ts
+const buildOpenBrowserCommand = (platform, url) => {
+	if (platform === "darwin") return Command.make("open", url);
+	if (platform === "win32") return Command.make("cmd", "/c", "start", "", url);
+	return Command.make("xdg-open", url);
+};
+const openBrowser = (url) => Effect.gen(function* () {
+	const command = buildOpenBrowserCommand((yield* CliRuntime).platform, url);
+	if (!(yield* Command.exitCode(command).pipe(Effect.map((code) => code === 0), Effect.catchAll(() => Effect.succeed(false))))) yield* Console.log(`Open this URL manually:\n${url}`);
+});
+const browserLogin = Effect.scoped(Effect.gen(function* () {
+	const configStore = yield* ConfigStore;
+	const authStore = yield* AuthStore;
+	const webUrl = yield* configStore.getWebUrl;
+	const loginServer = yield* Effect.acquireRelease(Effect.promise(async () => createBrowserLoginServer()), (server) => Effect.sync(server.stop));
+	const loginUrl = `${webUrl}/auth/cli-login?callbackUrl=${encodeURIComponent(loginServer.callbackUrl)}`;
+	yield* Console.log("Opening browser for better-update login...");
+	yield* Console.log("");
+	yield* openBrowser(loginUrl);
+	const token = yield* loginServer.waitForToken;
+	yield* authStore.saveToken(token);
+	yield* Console.log("");
+	yield* Console.log("Logged in successfully. Token saved to ~/.better-update/auth.json");
+}));
+const manualLogin = Effect.gen(function* () {
+	yield* Console.log("Log in to better-update with an existing API key");
+	yield* Console.log("Get your API key from the dashboard > API Keys page");
+	yield* Console.log("");
+	const token = yield* promptPassword("Paste your API key (from dashboard > API Keys):");
+	yield* (yield* AuthStore).saveToken(token);
+	yield* Console.log("");
+	yield* Console.log("Logged in successfully. Token saved to ~/.better-update/auth.json");
+});
+const runLogin = (options) => Effect.gen(function* () {
+	if (options.manualApiKey) {
+		yield* manualLogin;
+		return;
+	}
+	yield* browserLogin;
+});
+
+//#endregion
+//#region src/application/command-exit.ts
+const exitWith = (code, message) => Console.error(message).pipe(Effect.zipRight(Effect.gen(function* () {
+	yield* (yield* CliRuntime).setExitCode(code);
+})));
+
+//#endregion
+//#region src/lib/command-errors.ts
+const BASE_TAG_MAP = {
+	AuthRequiredError: 3,
+	ProjectNotLinkedError: 4,
+	NotFound: 1,
+	Conflict: 1,
+	Forbidden: 1,
+	BadRequest: 2,
+	InvalidArgumentError: 2,
+	InteractiveProhibitedError: 2
+};
+const SYSTEM_TAG_MESSAGE = {
+	SystemError: (error) => `Filesystem error: ${error.message}`,
+	BadArgument: (error) => `Invalid argument: ${error.message}`
+};
+const SYSTEM_TAG_CODE = {
+	SystemError: 6,
+	BadArgument: 6
+};
+const makeCommandErrorHandler = (extras = {}) => {
+	const combined = {
+		...BASE_TAG_MAP,
+		...extras
+	};
+	const handlers = {};
+	for (const [tag, code] of Object.entries(combined)) {
+		const systemFormat = SYSTEM_TAG_MESSAGE[tag];
+		const resolvedCode = SYSTEM_TAG_CODE[tag] ?? code;
+		handlers[tag] = (error) => exitWith(resolvedCode, systemFormat ? systemFormat(error) : error.message);
+	}
+	return (effect) => {
+		return effect.pipe(Effect.catchTags(handlers), Effect.catchAll((cause) => exitWith(1, formatCause(cause))));
+	};
+};
+
+//#endregion
+//#region src/lib/citty-effect.ts
+let activeCliLayer = CliLive;
 const setActiveCliLayer = (layer) => {
 	activeCliLayer = layer;
 };
+const isAuthRequiredError = (error) => typeof error === "object" && error !== null && "_tag" in error && error._tag === "AuthRequiredError";
+const wrapWithAutoLogin = (effect) => {
+	const attempt = (depth) => effect.pipe(Effect.catchAll((cause) => {
+		if (depth >= 1 || !isAuthRequiredError(cause)) return Effect.fail(cause);
+		return Effect.gen(function* () {
+			if (!(yield* InteractiveMode).allow) return yield* Effect.fail(cause);
+			yield* Console.log("");
+			yield* Console.log("Authentication required.");
+			yield* runLogin({ manualApiKey: false });
+			yield* Console.log("");
+			return yield* attempt(depth + 1);
+		});
+	}));
+	return attempt(0);
+};
 const runEffect = async (effect, extras = {}) => {
-	const provided = makeCommandErrorHandler(extras)(effect).pipe(Effect.provide(activeCliLayer));
+	const provided = makeCommandErrorHandler(extras)(wrapWithAutoLogin(effect)).pipe(Effect.provide(activeCliLayer));
 	return Effect.runPromise(provided.pipe(Effect.asVoid));
 };
 
@@ -2007,7 +2394,7 @@ const getConfigFilePaths = (projectRoot) => Effect.try({
 });
 const extractProjectId = (config) => Effect.gen(function* () {
 	const projectId = config.extra?.betterUpdate?.projectId;
-	if (typeof projectId !== "string") return yield* new ProjectNotLinkedError({ message: "Project not linked. Run `better-update link` to connect this project, or set extra.betterUpdate.projectId in your Expo config." });
+	if (typeof projectId !== "string") return yield* new ProjectNotLinkedError({ message: "Project not linked. Run `better-update init` to connect this project, or set extra.betterUpdate.projectId in your Expo config." });
 	return projectId;
 });
 const extractSlug = (config) => Effect.gen(function* () {
@@ -2320,6 +2707,73 @@ const analyticsCommand = defineCommand({
 	}
 });
 
+//#endregion
+//#region src/commands/apple/login.ts
+const LOGIN_EXIT_EXTRAS = {
+	AppleAuthError: 4,
+	InteractiveProhibitedError: 4
+};
+const appleLoginCommand = defineCommand({
+	meta: {
+		name: "login",
+		description: "Log in to your Apple Developer account (used to issue iOS certificates)"
+	},
+	args: { username: {
+		type: "string",
+		description: "Pre-fill the Apple ID prompt (defaults to last-used Apple ID)"
+	} },
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const session = yield* (yield* AppleAuth).ensureLoggedIn(args.username === void 0 ? {} : { username: args.username });
+		yield* Console.log(`Logged in as ${session.username}. Team: ${session.teamName ?? session.teamId} (${session.teamId}).`);
+	}), LOGIN_EXIT_EXTRAS)
+});
+
+//#endregion
+//#region src/commands/apple/logout.ts
+const appleLogoutCommand = defineCommand({
+	meta: {
+		name: "logout",
+		description: "Clear the cached Apple Developer session (cookies only; ASC API keys unaffected)"
+	},
+	run: async () => runEffect(Effect.gen(function* () {
+		yield* (yield* AppleAuth).logout;
+		yield* Console.log("Cleared Apple Developer session.");
+	}))
+});
+
+//#endregion
+//#region src/commands/apple/whoami.ts
+const appleWhoamiCommand = defineCommand({
+	meta: {
+		name: "whoami",
+		description: "Show the currently-cached Apple Developer session"
+	},
+	run: async () => runEffect(Effect.gen(function* () {
+		const session = yield* (yield* AppleAuth).whoami;
+		if (session === null) {
+			yield* Console.log("Not logged in to Apple. Run `better-update apple login` to start.");
+			return;
+		}
+		yield* Console.log(`Apple ID: ${session.username}`);
+		yield* Console.log(`Team:     ${session.teamName ?? "(unknown)"} (${session.teamId})`);
+		if (session.providerId !== void 0) yield* Console.log(`Provider: ${String(session.providerId)}`);
+	}))
+});
+
+//#endregion
+//#region src/commands/apple/index.ts
+const appleCommand = defineCommand({
+	meta: {
+		name: "apple",
+		description: "Manage your Apple Developer session (used for issuing iOS credentials)"
+	},
+	subCommands: {
+		login: appleLoginCommand,
+		logout: appleLogoutCommand,
+		whoami: appleWhoamiCommand
+	}
+});
+
 //#endregion
 //#region src/lib/cli-schemas.ts
 const RolloutPercentage = Schema.Number.pipe(Schema.int(), Schema.between(1, 100)).annotations({
@@ -3587,6 +4041,80 @@ const reserveAndUpload = (api, input) => Effect.gen(function* () {
 	};
 });
 
+//#endregion
+//#region src/lib/auto-increment.ts
+const bumpBuildNumber = (current) => Effect.gen(function* () {
+	const raw = current ?? "0";
+	const parsed = Number.parseInt(raw, 10);
+	if (Number.isNaN(parsed)) return yield* new BuildProfileError({ message: `Cannot autoIncrement ios.buildNumber: current value "${raw}" is not a base-10 integer.` });
+	return String(parsed + 1);
+});
+const bumpVersionCode = (current) => Effect.gen(function* () {
+	const value = current ?? 0;
+	if (!Number.isInteger(value) || value < 0) return yield* new BuildProfileError({ message: `Cannot autoIncrement android.versionCode: current value ${String(value)} is not a non-negative integer.` });
+	return value + 1;
+});
+const SEMVER_PATCH = /^(\d+)\.(\d+)\.(\d+)(.*)$/u;
+const bumpVersion = (current) => Effect.gen(function* () {
+	if (current === void 0) return yield* new BuildProfileError({ message: "Cannot autoIncrement version: no `version` field set in Expo config." });
+	const match = SEMVER_PATCH.exec(current);
+	if (!match) return yield* new BuildProfileError({ message: `Cannot autoIncrement version: "${current}" is not a semver string like "1.2.3".` });
+	const [, major, minor, patch, suffix] = match;
+	const nextPatch = Number.parseInt(patch ?? "0", 10) + 1;
+	return `${major ?? "0"}.${minor ?? "0"}.${String(nextPatch)}${suffix ?? ""}`;
+});
+const computeIosBumps = (config, mode) => Effect.gen(function* () {
+	if (mode === "buildNumber") return { nextBuildNumber: yield* bumpBuildNumber(config.ios?.buildNumber) };
+	return {
+		nextVersion: yield* bumpVersion(config.version),
+		nextBuildNumber: yield* bumpBuildNumber(config.ios?.buildNumber)
+	};
+});
+const computeAndroidBumps = (config, mode) => Effect.gen(function* () {
+	if (mode === "versionCode") return { nextVersionCode: yield* bumpVersionCode(config.android?.versionCode) };
+	return {
+		nextVersion: yield* bumpVersion(config.version),
+		nextVersionCode: yield* bumpVersionCode(config.android?.versionCode)
+	};
+});
+const buildPatch = (platform, bumps) => {
+	const patch = {};
+	if (bumps.nextVersion !== void 0) patch["version"] = bumps.nextVersion;
+	if (platform === "ios" && bumps.nextBuildNumber !== void 0) patch["ios"] = { buildNumber: bumps.nextBuildNumber };
+	if (platform === "android" && bumps.nextVersionCode !== void 0) patch["android"] = { versionCode: bumps.nextVersionCode };
+	return patch;
+};
+const describeBumps = (platform, bumps) => {
+	const parts = [];
+	if (bumps.nextVersion !== void 0) parts.push(`version=${bumps.nextVersion}`);
+	if (platform === "ios" && bumps.nextBuildNumber !== void 0) parts.push(`ios.buildNumber=${bumps.nextBuildNumber}`);
+	if (platform === "android" && bumps.nextVersionCode !== void 0) parts.push(`android.versionCode=${String(bumps.nextVersionCode)}`);
+	return parts.join(", ");
+};
+const computeBumps = (input) => {
+	if (input.platform === "ios") return input.iosMode === void 0 ? Effect.succeed({}) : computeIosBumps(input.config, input.iosMode);
+	return input.androidMode === void 0 ? Effect.succeed({}) : computeAndroidBumps(input.config, input.androidMode);
+};
+const hasAnyBump = (bumps) => bumps.nextVersion !== void 0 || bumps.nextBuildNumber !== void 0 || bumps.nextVersionCode !== void 0;
+/**
+* Bump `version` / `ios.buildNumber` / `android.versionCode` per the resolved
+* autoIncrement mode, persist via `@expo/config.modifyConfigAsync`, and log a
+* Human-readable summary. No-op when the mode is undefined. Returns the new
+* Bumped values so callers can refresh their in-memory ExpoConfig.
+*/
+const applyAutoIncrement = (input) => Effect.gen(function* () {
+	const bumps = yield* computeBumps(input);
+	if (!hasAnyBump(bumps)) return bumps;
+	const patch = buildPatch(input.platform, bumps);
+	const result = yield* writeExpoConfigPatch(input.projectRoot, patch).pipe(Effect.mapError((cause) => new BuildProfileError({ message: `Failed to persist autoIncrement: ${cause.message}` })));
+	if (result.type === "warn" && result.configPath === null) {
+		yield* Console.log(`autoIncrement: dynamic Expo config detected, cannot write back. Update manually: ${describeBumps(input.platform, bumps)}`);
+		return bumps;
+	}
+	yield* Console.log(`autoIncrement: bumped ${describeBumps(input.platform, bumps)}`);
+	return bumps;
+});
+
 //#endregion
 //#region src/lib/eas-config.ts
 const MAX_EXTENDS_DEPTH = 10;
@@ -3619,6 +4147,21 @@ const asAndroidDistribution = (raw) => {
 	const value = asStringValue(raw);
 	return value === "play-store" || value === "direct" ? value : void 0;
 };
+const asIosAutoIncrement = (raw) => {
+	if (typeof raw === "boolean") return raw;
+	const value = asStringValue(raw);
+	return value === "buildNumber" || value === "version" ? value : void 0;
+};
+const asAndroidAutoIncrement = (raw) => {
+	if (typeof raw === "boolean") return raw;
+	const value = asStringValue(raw);
+	return value === "versionCode" || value === "version" ? value : void 0;
+};
+const asAutoIncrement = (raw) => {
+	if (typeof raw === "boolean") return raw;
+	const value = asStringValue(raw);
+	return value === "buildNumber" || value === "versionCode" || value === "version" ? value : void 0;
+};
 const asEasDistribution = (raw) => {
 	const value = asStringValue(raw);
 	return value === "internal" || value === "store" ? value : void 0;
@@ -3635,12 +4178,14 @@ const parseIosProfile = (raw) => {
 	const scheme = asStringValue(record["scheme"]);
 	const simulator = asBooleanValue(record["simulator"]);
 	const enterpriseProvisioning = asEnterpriseProvisioning(record["enterpriseProvisioning"]);
+	const autoIncrement = asIosAutoIncrement(record["autoIncrement"]);
 	return {
 		...distribution === void 0 ? {} : { distribution },
 		...buildConfiguration === void 0 ? {} : { buildConfiguration },
 		...scheme === void 0 ? {} : { scheme },
 		...simulator === void 0 ? {} : { simulator },
-		...enterpriseProvisioning === void 0 ? {} : { enterpriseProvisioning }
+		...enterpriseProvisioning === void 0 ? {} : { enterpriseProvisioning },
+		...autoIncrement === void 0 ? {} : { autoIncrement }
 	};
 };
 const parseAndroidProfile = (raw) => {
@@ -3651,12 +4196,14 @@ const parseAndroidProfile = (raw) => {
 	const gradleCommand = asStringValue(record["gradleCommand"]);
 	const format = asAndroidFormat(record["format"]);
 	const distribution = asAndroidDistribution(record["distribution"]);
+	const autoIncrement = asAndroidAutoIncrement(record["autoIncrement"]);
 	return {
 		...buildType === void 0 ? {} : { buildType },
 		...flavor === void 0 ? {} : { flavor },
 		...gradleCommand === void 0 ? {} : { gradleCommand },
 		...format === void 0 ? {} : { format },
-		...distribution === void 0 ? {} : { distribution }
+		...distribution === void 0 ? {} : { distribution },
+		...autoIncrement === void 0 ? {} : { autoIncrement }
 	};
 };
 const parseBuildProfile = (raw) => {
@@ -3671,6 +4218,7 @@ const parseBuildProfile = (raw) => {
 	const ios = parseIosProfile(record["ios"]);
 	const android = parseAndroidProfile(record["android"]);
 	const credentialsSource = asCredentialsSource(record["credentialsSource"]);
+	const autoIncrement = asAutoIncrement(record["autoIncrement"]);
 	return {
 		...extendsName === void 0 ? {} : { extends: extendsName },
 		...developmentClient === void 0 ? {} : { developmentClient },
@@ -3680,7 +4228,8 @@ const parseBuildProfile = (raw) => {
 		...env === void 0 ? {} : { env },
 		...ios === void 0 ? {} : { ios },
 		...android === void 0 ? {} : { android },
-		...credentialsSource === void 0 ? {} : { credentialsSource }
+		...credentialsSource === void 0 ? {} : { credentialsSource },
+		...autoIncrement === void 0 ? {} : { autoIncrement }
 	};
 };
 const parseEasConfig = (text) => Effect.gen(function* () {
@@ -3748,6 +4297,7 @@ const mergeProfile = (base, overlay) => {
 	const channel = overlay.channel ?? base.channel;
 	const environment = overlay.environment ?? base.environment;
 	const credentialsSource = overlay.credentialsSource ?? base.credentialsSource;
+	const autoIncrement = overlay.autoIncrement ?? base.autoIncrement;
 	return {
 		...overlay.extends === void 0 ? {} : { extends: overlay.extends },
 		...developmentClient === void 0 ? {} : { developmentClient },
@@ -3757,7 +4307,8 @@ const mergeProfile = (base, overlay) => {
 		...env === void 0 ? {} : { env },
 		...ios === void 0 ? {} : { ios },
 		...android === void 0 ? {} : { android },
-		...credentialsSource === void 0 ? {} : { credentialsSource }
+		...credentialsSource === void 0 ? {} : { credentialsSource },
+		...autoIncrement === void 0 ? {} : { autoIncrement }
 	};
 };
 const collectExtendsChain = (profiles, profileName) => Effect.gen(function* () {
@@ -3811,16 +4362,36 @@ const deriveAndroidDistribution = (eas, format) => {
 };
 const hasIosIntent = (eas) => eas.ios !== void 0 || eas.distribution !== void 0 || eas.developmentClient === true;
 const hasAndroidIntent = (eas) => eas.android !== void 0 || eas.distribution !== void 0 || eas.developmentClient === true;
+const resolveIosAutoIncrement = (eas) => {
+	const override = eas.ios?.autoIncrement;
+	if (override === false) return;
+	if (override === true) return "buildNumber";
+	if (override === "buildNumber" || override === "version") return override;
+	const top = eas.autoIncrement;
+	if (top === true || top === "buildNumber") return "buildNumber";
+	if (top === "version") return "version";
+};
+const resolveAndroidAutoIncrement = (eas) => {
+	const override = eas.android?.autoIncrement;
+	if (override === false) return;
+	if (override === true) return "versionCode";
+	if (override === "versionCode" || override === "version") return override;
+	const top = eas.autoIncrement;
+	if (top === true || top === "versionCode") return "versionCode";
+	if (top === "version") return "version";
+};
 const toIosProfile = (eas) => {
 	if (!hasIosIntent(eas)) return;
 	const distribution = deriveIosDistribution(eas);
 	if (!distribution) return;
 	const ios = eas.ios ?? {};
+	const autoIncrement = resolveIosAutoIncrement(eas);
 	return {
 		distribution,
 		...ios.buildConfiguration === void 0 ? {} : { buildConfiguration: ios.buildConfiguration },
 		...ios.scheme === void 0 ? {} : { scheme: ios.scheme },
-		...ios.simulator === void 0 ? {} : { simulator: ios.simulator }
+		...ios.simulator === void 0 ? {} : { simulator: ios.simulator },
+		...autoIncrement === void 0 ? {} : { autoIncrement }
 	};
 };
 const toAndroidProfile = (eas) => {
@@ -3828,12 +4399,15 @@ const toAndroidProfile = (eas) => {
 	const format = deriveAndroidFormat(eas);
 	if (!format) return;
 	const android = eas.android ?? {};
+	const distribution = deriveAndroidDistribution(eas, format);
+	const autoIncrement = resolveAndroidAutoIncrement(eas);
 	return {
 		format,
-		distribution: deriveAndroidDistribution(eas, format),
+		distribution,
 		...android.buildType === void 0 ? {} : { buildType: android.buildType },
 		...android.flavor === void 0 ? {} : { flavor: android.flavor },
-		...android.gradleCommand === void 0 ? {} : { gradleCommand: android.gradleCommand }
+		...android.gradleCommand === void 0 ? {} : { gradleCommand: android.gradleCommand },
+		...autoIncrement === void 0 ? {} : { autoIncrement }
 	};
 };
 const fromEasProfile = (eas, profileName) => {
@@ -3891,14 +4465,19 @@ const clearBuildCaches = (projectRoot) => Effect.gen(function* () {
 
 //#endregion
 //#region src/lib/env-exporter.ts
+const coerceEnvironment = (raw) => raw === "development" || raw === "preview" || raw === "production" ? raw : void 0;
 /**
 * Pull environment variables for a project + environment and flatten them into
 * a key/value map. Returns an empty map when the project has no variables.
 */
-const pullEnvVars = (api, { projectId, environment }) => api["env-vars"].export({ urlParams: {
-	projectId,
-	environment
-} }).pipe(Effect.map((result) => Object.fromEntries(result.items.map((item) => [item.key, item.value]))), Effect.mapError((cause) => new EnvExportError({ message: `Failed to export environment variables for "${environment}": ${String(cause)}` })));
+const pullEnvVars = (api, { projectId, environment }) => {
+	const validated = coerceEnvironment(environment);
+	if (!validated) return Effect.fail(new EnvExportError({ message: `Invalid environment "${environment}". Must be one of: development, preview, production.` }));
+	return api["env-vars"].export({ urlParams: {
+		projectId,
+		environment: validated
+	} }).pipe(Effect.map((result) => Object.fromEntries(result.items.map((item) => [item.key, item.value]))), Effect.mapError((cause) => new EnvExportError({ message: `Failed to export environment variables for "${environment}": ${String(cause)}` })));
+};
 
 //#endregion
 //#region src/lib/git-context.ts
@@ -3982,53 +4561,6 @@ const extractGradleConfig = (parsed) => {
 };
 const unquote = (input) => input.startsWith("\"") && input.endsWith("\"") ? input.slice(1, -1) : input;
 
-//#endregion
-//#region src/lib/prompts.ts
-const ensureInteractive = (promptName) => Effect.gen(function* () {
-	if (!(yield* InteractiveMode).allow) return yield* new InteractiveProhibitedError({ message: `Interactive prompt "${promptName}" requested while running non-interactively. Provide the value via a flag, run with --interactive, or unset CI.` });
-});
-const handleCancel = (value) => {
-	if (isCancel(value)) {
-		cancel("Operation cancelled.");
-		process.exit(130);
-	}
-	return value;
-};
-const promptPassword = (message) => Effect.gen(function* () {
-	yield* ensureInteractive(message);
-	return handleCancel(yield* Effect.promise(async () => password({ message })));
-});
-const promptSelect = (message, options) => Effect.gen(function* () {
-	yield* ensureInteractive(message);
-	return handleCancel(yield* Effect.promise(async () => select({
-		message,
-		options: [...options]
-	})));
-});
-const promptMultiSelect = (message, options, config) => Effect.gen(function* () {
-	yield* ensureInteractive(message);
-	return handleCancel(yield* Effect.promise(async () => multiselect({
-		message,
-		options: [...options],
-		required: config?.required ?? false
-	})));
-});
-const promptText = (message, options) => Effect.gen(function* () {
-	yield* ensureInteractive(message);
-	return handleCancel(yield* Effect.promise(async () => text({
-		message,
-		...options?.placeholder === void 0 ? {} : { placeholder: options.placeholder },
-		...options?.defaultValue === void 0 ? {} : { defaultValue: options.defaultValue }
-	})));
-});
-const promptConfirm = (message, options) => Effect.gen(function* () {
-	yield* ensureInteractive(message);
-	return handleCancel(yield* Effect.promise(async () => confirm({
-		message,
-		...options?.initialValue === void 0 ? {} : { initialValue: options.initialValue }
-	})));
-});
-
 //#endregion
 //#region src/lib/platform-detect.ts
 const PLATFORMS = ["ios", "android"];
@@ -4435,6 +4967,38 @@ const parseCert = (certDerBytes) => {
 	return forge.pki.certificateFromAsn1(asn1);
 };
 const generatePassword = () => forge.util.encode64(forge.random.getBytesSync(16));
+const extractCertMetadata = (cert) => Effect.gen(function* () {
+	const appleTeamId = extractTeamId$1(cert);
+	if (appleTeamId === null) return yield* Effect.fail(new CertParseError({ message: "Could not extract Apple team identifier from certificate subject" }));
+	return {
+		serialNumber: cert.serialNumber.toUpperCase(),
+		validFrom: cert.validity.notBefore.toISOString(),
+		validUntil: cert.validity.notAfter.toISOString(),
+		appleTeamId,
+		appleTeamName: stringField(cert, "O"),
+		developerIdIdentifier: stringField(cert, "UID"),
+		commonName: stringField(cert, "CN")
+	};
+});
+/**
+* Parse a PKCS#12 base64 bundle and extract certificate metadata. Used by the
+* Apple-ID flow which receives a P12 directly from `createCertificateAndP12Async`
+* and needs metadata before uploading to the better-update server.
+*/
+const extractMetadataFromP12 = (params) => Effect.gen(function* () {
+	const certBagOid = forge.pki.oids["certBag"];
+	if (certBagOid === void 0) return yield* Effect.fail(new CertParseError({ message: "PKCS#12 OID lookup for certBag failed" }));
+	const [first] = yield* Effect.try({
+		try: () => {
+			const p12Der = forge.util.decode64(params.p12Base64);
+			const p12Asn1 = forge.asn1.fromDer(p12Der);
+			return forge.pkcs12.pkcs12FromAsn1(p12Asn1, false, params.password).getBags({ bagType: certBagOid })[certBagOid] ?? [];
+		},
+		catch: (error) => new CertParseError({ message: `Failed to parse PKCS#12 bundle: ${error instanceof Error ? error.message : String(error)}` })
+	});
+	if (first?.cert === void 0) return yield* Effect.fail(new CertParseError({ message: "PKCS#12 bundle does not contain a certificate" }));
+	return yield* extractCertMetadata(first.cert);
+});
 const buildDistributionCertP12 = (params) => Effect.gen(function* () {
 	const result = yield* Effect.try({
 		try: () => {
@@ -4452,20 +5016,11 @@ const buildDistributionCertP12 = (params) => Effect.gen(function* () {
 		},
 		catch: (error) => new CertParseError({ message: `Failed to assemble .p12: ${error instanceof Error ? error.message : String(error)}` })
 	});
-	const appleTeamId = extractTeamId$1(result.cert);
-	if (appleTeamId === null) return yield* Effect.fail(new CertParseError({ message: "Could not extract Apple team identifier from certificate subject" }));
+	const metadata = yield* extractCertMetadata(result.cert);
 	return {
 		p12Base64: result.p12Base64,
 		password: result.password,
-		metadata: {
-			serialNumber: result.cert.serialNumber.toUpperCase(),
-			validFrom: result.cert.validity.notBefore.toISOString(),
-			validUntil: result.cert.validity.notAfter.toISOString(),
-			appleTeamId,
-			appleTeamName: stringField(result.cert, "O"),
-			developerIdIdentifier: stringField(result.cert, "UID"),
-			commonName: stringField(result.cert, "CN")
-		}
+		metadata
 	};
 });
 
@@ -4498,7 +5053,7 @@ const generateCertificateSigningRequest = async () => {
 
 //#endregion
 //#region src/lib/credentials-generator.ts
-const DISTRIBUTION_TO_PROFILE_TYPE = {
+const DISTRIBUTION_TO_PROFILE_TYPE$1 = {
 	APP_STORE: "IOS_APP_STORE",
 	AD_HOC: "IOS_APP_ADHOC",
 	DEVELOPMENT: "IOS_APP_DEVELOPMENT",
@@ -4686,7 +5241,7 @@ const generateAndUploadProvisioningProfile = (api, input) => Effect.gen(function
 	}));
 	const profileBytes = fromBase64((yield* createProvisioningProfile(ascCreds, {
 		profileName: `${input.bundleIdentifier} ${input.distributionType} ${Date.now()}`,
-		profileType: DISTRIBUTION_TO_PROFILE_TYPE[input.distributionType],
+		profileType: DISTRIBUTION_TO_PROFILE_TYPE$1[input.distributionType],
 		bundleIdAscId,
 		certificateAscIds: [certAscId],
 		deviceAscIds
@@ -4709,93 +5264,181 @@ const generateAndUploadProvisioningProfile = (api, input) => Effect.gen(function
 });
 
 //#endregion
-//#region src/application/credentials-interactive.ts
-const hasTag = (cause) => typeof cause === "object" && cause !== null && "_tag" in cause;
-const isMissingResolveError = (cause) => hasTag(cause) && (cause._tag === "NotFound" || cause._tag === "BadRequest");
-const generateKeystoreInteractive = (api) => Effect.gen(function* () {
-	const alias = yield* promptText("Key alias", { placeholder: "upload-key" });
-	const storePassword = yield* promptPassword("Keystore password");
-	const keyPassword = yield* promptPassword("Key password");
-	const commonName = yield* promptText("Common name (CN)", { placeholder: "Your App" });
-	const organization = yield* promptText("Organization (O)", { placeholder: "Your Company" });
-	yield* Console.log("Generating keystore with keytool...");
-	return (yield* generateAndUploadKeystore(api, {
-		keyAlias: alias,
-		storePassword,
-		keyPassword,
-		commonName,
-		organization
-	})).id;
+//#region src/lib/credentials-generator-apple-id.ts
+const DISTRIBUTION_TO_PROFILE_TYPE = {
+	APP_STORE: AppleUtils.ProfileType.IOS_APP_STORE,
+	AD_HOC: AppleUtils.ProfileType.IOS_APP_ADHOC,
+	DEVELOPMENT: AppleUtils.ProfileType.IOS_APP_DEVELOPMENT,
+	ENTERPRISE: AppleUtils.ProfileType.IOS_APP_INHOUSE
+};
+const DISTRIBUTION_TO_CERTIFICATE_TYPE = {
+	APP_STORE: AppleUtils.CertificateType.IOS_DISTRIBUTION,
+	AD_HOC: AppleUtils.CertificateType.IOS_DISTRIBUTION,
+	ENTERPRISE: AppleUtils.CertificateType.IOS_DISTRIBUTION,
+	DEVELOPMENT: AppleUtils.CertificateType.IOS_DEVELOPMENT
+};
+var AppleIdGenerateFailedError = class extends Data.TaggedError("AppleIdGenerateFailedError") {};
+const wrap = (step, run) => Effect.tryPromise({
+	try: run,
+	catch: (cause) => new AppleIdGenerateFailedError({
+		step,
+		message: cause instanceof Error ? cause.message : String(cause)
+	})
 });
-const pickExistingKeystore = (api) => Effect.gen(function* () {
-	const keystores = yield* api.androidUploadKeystores.list();
-	if (keystores.items.length === 0) return yield* Effect.fail(new MissingCredentialsError({
-		message: "No existing keystores in this organization.",
-		hint: "Re-run and choose 'Generate new keystore'."
-	}));
-	return yield* promptSelect("Select a keystore", keystores.items.map((item) => ({
-		value: item.id,
-		label: item.keyAlias
+const generateAndUploadDistributionCertificateViaAppleId = (api, input) => Effect.gen(function* () {
+	const ctx = input.context;
+	const certificateType = input.certificateType === "IOS_DEVELOPMENT" ? AppleUtils.CertificateType.IOS_DEVELOPMENT : AppleUtils.CertificateType.IOS_DISTRIBUTION;
+	const result = yield* wrap("apple-create-certificate", async () => AppleUtils.createCertificateAndP12Async(ctx, { certificateType }));
+	const metadata = yield* extractMetadataFromP12({
+		p12Base64: result.certificateP12,
+		password: result.password
+	}).pipe(Effect.mapError((cause) => new AppleIdGenerateFailedError({
+		step: "parse-p12",
+		message: cause.message
 	})));
+	return {
+		id: (yield* api.appleDistributionCertificates.upload({ payload: {
+			p12Base64: result.certificateP12,
+			p12Password: result.password,
+			serialNumber: metadata.serialNumber,
+			appleTeamIdentifier: metadata.appleTeamId,
+			...metadata.appleTeamName === null ? {} : { appleTeamName: metadata.appleTeamName },
+			...metadata.developerIdIdentifier === null ? {} : { developerIdIdentifier: metadata.developerIdIdentifier },
+			validFrom: metadata.validFrom,
+			validUntil: metadata.validUntil
+		} })).id,
+		serialNumber: metadata.serialNumber,
+		appleTeamId: metadata.appleTeamId,
+		developerPortalIdentifier: result.certificate.id
+	};
 });
-const resolveAndroidAppId = (api, input) => Effect.gen(function* () {
-	const existing = (yield* api.androidApplicationIdentifiers.list({ path: { projectId: input.projectId } })).items.find((item) => item.packageName === input.applicationIdentifier);
-	if (existing !== void 0) return existing.id;
-	return (yield* api.androidApplicationIdentifiers.create({
-		path: { projectId: input.projectId },
-		payload: { packageName: input.applicationIdentifier }
-	})).id;
+const findOrCreateBundleId = (ctx, bundleIdentifier) => Effect.gen(function* () {
+	const existing = yield* wrap("apple-find-bundle-id", async () => AppleUtils.BundleId.findAsync(ctx, { identifier: bundleIdentifier }));
+	if (existing !== null) return existing.id;
+	return (yield* wrap("apple-create-bundle-id", async () => AppleUtils.BundleId.createAsync(ctx, {
+		identifier: bundleIdentifier,
+		name: bundleIdentifier,
+		platform: AppleUtils.BundleIdPlatform.IOS
+	}))).id;
+});
+const findAscCertificateId = (ctx, serialNumber, certificateType) => Effect.gen(function* () {
+	const certs = yield* wrap("apple-list-certificates", async () => AppleUtils.Certificate.getAsync(ctx, { query: { filter: { certificateType } } }));
+	const upper = serialNumber.toUpperCase();
+	const match = certs.find((entry) => entry.attributes.serialNumber.toUpperCase() === upper);
+	if (match === void 0) return yield* Effect.fail(new AppleIdGenerateFailedError({
+		step: "match-apple-certificate",
+		message: `Distribution certificate ${serialNumber} not present on Apple Developer Portal; upload or re-generate it`
+	}));
+	return match.id;
 });
-const resolveAndroidKeystoreId = (api, choice) => choice === "generate" ? generateKeystoreInteractive(api) : pickExistingKeystore(api);
-const setupAndroidInteractive = (api, input) => Effect.gen(function* () {
-	yield* Console.log("");
-	yield* Console.log(`No Android build credentials configured for ${input.applicationIdentifier}.`);
-	const appId = yield* resolveAndroidAppId(api, input);
-	const choice = yield* promptSelect("How would you like to provide a keystore?", [
-		{
-			value: "generate",
-			label: "Generate new keystore"
-		},
-		{
-			value: "existing",
-			label: "Pick an existing keystore"
-		},
-		{
-			value: "abort",
-			label: "Abort — I'll configure it in the dashboard"
-		}
-	]);
-	if (choice === "abort") return yield* Effect.fail(new MissingCredentialsError({
-		message: `Build aborted — no keystore bound to ${input.applicationIdentifier}.`,
-		hint: "Run `better-update credentials generate keystore` or upload via the dashboard."
+const collectIosDeviceIds = (ctx, deviceIds) => Effect.gen(function* () {
+	const devices = yield* wrap("apple-list-devices", async () => AppleUtils.Device.getAllIOSProfileDevicesAsync(ctx));
+	if (deviceIds === void 0) return devices.map((device) => device.id);
+	const allowed = new Set(deviceIds);
+	return devices.filter((device) => allowed.has(device.id)).map((device) => device.id);
+});
+const generateAndUploadProvisioningProfileViaAppleId = (api, input) => Effect.gen(function* () {
+	const ctx = input.context;
+	const cert = yield* api.appleDistributionCertificates.list().pipe(Effect.map(({ items }) => items.find((item) => item.id === input.distributionCertificateId)), Effect.flatMap((match) => match === void 0 ? Effect.fail(new AppleIdGenerateFailedError({
+		step: "load-distribution-certificate",
+		message: `Distribution certificate ${input.distributionCertificateId} not found`
+	})) : Effect.succeed(match)));
+	const certificateType = DISTRIBUTION_TO_CERTIFICATE_TYPE[input.distributionType];
+	const [certAscId, bundleIdAscId] = yield* Effect.all([findAscCertificateId(ctx, cert.serialNumber, certificateType), findOrCreateBundleId(ctx, input.bundleIdentifier)], { concurrency: 2 });
+	const useDevices = input.distributionType === "AD_HOC" || input.distributionType === "DEVELOPMENT";
+	const deviceIds = useDevices ? yield* collectIosDeviceIds(ctx, input.deviceIds) : [];
+	if (useDevices && deviceIds.length === 0) return yield* Effect.fail(new AppleIdGenerateFailedError({
+		step: "collect-devices",
+		message: "No registered devices to attach to the provisioning profile"
 	}));
-	const keystoreId = yield* resolveAndroidKeystoreId(api, choice);
-	yield* api.androidBuildCredentials.create({
-		path: { applicationIdentifierId: appId },
+	const profileName = `${input.bundleIdentifier} ${input.distributionType} ${Date.now()}`;
+	const { profileContent } = (yield* wrap("apple-create-profile", async () => AppleUtils.Profile.createAsync(ctx, {
+		bundleId: bundleIdAscId,
+		certificates: [certAscId],
+		devices: deviceIds,
+		name: profileName,
+		profileType: DISTRIBUTION_TO_PROFILE_TYPE[input.distributionType]
+	}))).attributes;
+	if (profileContent === null) return yield* Effect.fail(new AppleIdGenerateFailedError({
+		step: "extract-profile-content",
+		message: "Apple returned a profile with no content (likely expired/invalid)"
+	}));
+	const profileBytes = fromBase64(profileContent);
+	const rosterHash = useDevices ? computeDeviceRosterHashHex(deviceIds) : void 0;
+	const created = yield* api.appleProvisioningProfiles.upload({ payload: {
+		profileBase64: toBase64(profileBytes),
+		appleDistributionCertificateId: input.distributionCertificateId,
+		isManaged: true,
+		...rosterHash === void 0 ? {} : { deviceRosterHash: rosterHash }
+	} });
+	return {
+		id: created.id,
+		bundleIdentifier: created.bundleIdentifier,
+		distributionType: created.distributionType,
+		profileName: created.profileName,
+		validUntil: created.validUntil,
+		developerPortalIdentifier: created.developerPortalIdentifier
+	};
+});
+
+//#endregion
+//#region src/application/credentials-interactive-apple-id.ts
+const chooseIosSetupPath = (api) => Effect.gen(function* () {
+	if (!(yield* api.ascApiKeys.list()).items.some((key) => key.appleTeamId !== null)) return "apple-id";
+	return yield* promptSelect("How would you like to provide your iOS credentials?", [{
+		value: "apple-id",
+		label: "Login with Apple ID (recommended for interactive use)"
+	}, {
+		value: "asc-key",
+		label: "Use an App Store Connect API key"
+	}]);
+});
+const setupIosViaAppleId = (api, input) => Effect.gen(function* () {
+	const auth = yield* AppleAuth;
+	const session = yield* auth.ensureLoggedIn();
+	const ctx = auth.buildRequestContext(session);
+	yield* Console.log(`Logged in as ${session.username}. Team: ${session.teamName ?? session.teamId} (${session.teamId}).`);
+	yield* Console.log("Generating distribution certificate via Apple ID...");
+	const cert = yield* generateAndUploadDistributionCertificateViaAppleId(api, { context: ctx });
+	const distributionType = IOS_DISTRIBUTION_TO_TYPE[input.distribution];
+	yield* Console.log("Generating provisioning profile via Apple ID...");
+	const profile = yield* generateAndUploadProvisioningProfileViaAppleId(api, {
+		context: ctx,
+		distributionCertificateId: cert.id,
+		bundleIdentifier: input.bundleIdentifier,
+		distributionType
+	});
+	yield* api.iosBundleConfigurations.create({
+		path: { projectId: input.projectId },
 		payload: {
-			name: "Default",
-			isDefault: true,
-			androidUploadKeystoreId: keystoreId
+			bundleIdentifier: input.bundleIdentifier,
+			distributionType,
+			appleTeamId: cert.appleTeamId,
+			appleDistributionCertificateId: cert.id,
+			appleProvisioningProfileId: profile.id
 		}
 	});
-	yield* Console.log("Android build credentials configured.");
+	yield* Console.log("iOS bundle configuration saved.");
 });
-const ensureAndroidCredentialsAvailable = (api, input) => api.buildCredentials.resolve({
-	path: { projectId: input.projectId },
-	payload: {
-		platform: "android",
-		applicationIdentifier: input.applicationIdentifier
-	}
-}).pipe(Effect.asVoid);
-const ensureAndroidCredentials = (api, input, options) => ensureAndroidCredentialsAvailable(api, input).pipe(Effect.catchIf(isMissingResolveError, () => Effect.gen(function* () {
-	const mode = yield* InteractiveMode;
-	if (options.freezeCredentials || !mode.allow) return yield* Effect.fail(new MissingCredentialsError({
-		message: `No Android build credentials for ${input.applicationIdentifier}.`,
-		hint: options.freezeCredentials ? "Run `better-update credentials generate` first, or remove --freeze-credentials." : "Run `better-update credentials generate` first, or rerun with --interactive to configure now."
-	}));
-	yield* setupAndroidInteractive(api, input);
-	return yield* ensureAndroidCredentialsAvailable(api, input);
-})));
+const regenerateProvisioningProfileViaAppleId = (api, input) => Effect.gen(function* () {
+	const auth = yield* AppleAuth;
+	const session = yield* auth.ensureLoggedIn();
+	yield* Console.log("Regenerating provisioning profile via Apple ID...");
+	const created = yield* generateAndUploadProvisioningProfileViaAppleId(api, {
+		context: auth.buildRequestContext(session),
+		distributionCertificateId: input.distributionCertificateId,
+		bundleIdentifier: input.bundleIdentifier,
+		distributionType: input.distributionType
+	});
+	yield* api.iosBundleConfigurations.update({
+		path: { id: input.bundleConfigurationId },
+		payload: { appleProvisioningProfileId: created.id }
+	});
+	return created;
+});
+
+//#endregion
+//#region src/application/credentials-interactive-ios-asc.ts
 const interactiveCertLimitRecover = (api, ascApiKeyId) => Effect.gen(function* () {
 	yield* Console.log("");
 	yield* Console.log("Apple reports the certificate limit was hit (max 3 distribution certs per team).");
@@ -4898,9 +5541,7 @@ const resolveIosProfileId = (api, input, ctx) => Effect.gen(function* () {
 		label: profile.profileName ?? profile.developerPortalIdentifier ?? profile.id
 	})));
 });
-const setupIosInteractive = (api, input) => Effect.gen(function* () {
-	yield* Console.log("");
-	yield* Console.log(`No iOS bundle configuration for ${input.bundleIdentifier} (${input.distribution}).`);
+const setupIosViaAscKey = (api, input) => Effect.gen(function* () {
 	const { certId, cert } = yield* pickIosCertificate(api);
 	const ascKeyId = yield* pickIosAscKey(api, cert.appleTeamId);
 	const distributionType = IOS_DISTRIBUTION_TO_TYPE[input.distribution];
@@ -4923,6 +5564,101 @@ const setupIosInteractive = (api, input) => Effect.gen(function* () {
 	});
 	yield* Console.log("iOS bundle configuration saved.");
 });
+
+//#endregion
+//#region src/application/credentials-interactive.ts
+const hasTag = (cause) => typeof cause === "object" && cause !== null && "_tag" in cause;
+const isMissingResolveError = (cause) => hasTag(cause) && (cause._tag === "NotFound" || cause._tag === "BadRequest");
+const generateKeystoreInteractive = (api) => Effect.gen(function* () {
+	const alias = yield* promptText("Key alias", { placeholder: "upload-key" });
+	const storePassword = yield* promptPassword("Keystore password");
+	const keyPassword = yield* promptPassword("Key password");
+	const commonName = yield* promptText("Common name (CN)", { placeholder: "Your App" });
+	const organization = yield* promptText("Organization (O)", { placeholder: "Your Company" });
+	yield* Console.log("Generating keystore with keytool...");
+	return (yield* generateAndUploadKeystore(api, {
+		keyAlias: alias,
+		storePassword,
+		keyPassword,
+		commonName,
+		organization
+	})).id;
+});
+const pickExistingKeystore = (api) => Effect.gen(function* () {
+	const keystores = yield* api.androidUploadKeystores.list();
+	if (keystores.items.length === 0) return yield* Effect.fail(new MissingCredentialsError({
+		message: "No existing keystores in this organization.",
+		hint: "Re-run and choose 'Generate new keystore'."
+	}));
+	return yield* promptSelect("Select a keystore", keystores.items.map((item) => ({
+		value: item.id,
+		label: item.keyAlias
+	})));
+});
+const resolveAndroidAppId = (api, input) => Effect.gen(function* () {
+	const existing = (yield* api.androidApplicationIdentifiers.list({ path: { projectId: input.projectId } })).items.find((item) => item.packageName === input.applicationIdentifier);
+	if (existing !== void 0) return existing.id;
+	return (yield* api.androidApplicationIdentifiers.create({
+		path: { projectId: input.projectId },
+		payload: { packageName: input.applicationIdentifier }
+	})).id;
+});
+const resolveAndroidKeystoreId = (api, choice) => choice === "generate" ? generateKeystoreInteractive(api) : pickExistingKeystore(api);
+const setupAndroidInteractive = (api, input) => Effect.gen(function* () {
+	yield* Console.log("");
+	yield* Console.log(`No Android build credentials configured for ${input.applicationIdentifier}.`);
+	const appId = yield* resolveAndroidAppId(api, input);
+	const choice = yield* promptSelect("How would you like to provide a keystore?", [
+		{
+			value: "generate",
+			label: "Generate new keystore"
+		},
+		{
+			value: "existing",
+			label: "Pick an existing keystore"
+		},
+		{
+			value: "abort",
+			label: "Abort — I'll configure it in the dashboard"
+		}
+	]);
+	if (choice === "abort") return yield* Effect.fail(new MissingCredentialsError({
+		message: `Build aborted — no keystore bound to ${input.applicationIdentifier}.`,
+		hint: "Run `better-update credentials generate keystore` or upload via the dashboard."
+	}));
+	const keystoreId = yield* resolveAndroidKeystoreId(api, choice);
+	yield* api.androidBuildCredentials.create({
+		path: { applicationIdentifierId: appId },
+		payload: {
+			name: "Default",
+			isDefault: true,
+			androidUploadKeystoreId: keystoreId
+		}
+	});
+	yield* Console.log("Android build credentials configured.");
+});
+const ensureAndroidCredentialsAvailable = (api, input) => api.buildCredentials.resolve({
+	path: { projectId: input.projectId },
+	payload: {
+		platform: "android",
+		applicationIdentifier: input.applicationIdentifier
+	}
+}).pipe(Effect.asVoid);
+const ensureAndroidCredentials = (api, input, options) => ensureAndroidCredentialsAvailable(api, input).pipe(Effect.catchIf(isMissingResolveError, () => Effect.gen(function* () {
+	const mode = yield* InteractiveMode;
+	if (options.freezeCredentials || !mode.allow) return yield* Effect.fail(new MissingCredentialsError({
+		message: `No Android build credentials for ${input.applicationIdentifier}.`,
+		hint: options.freezeCredentials ? "Run `better-update credentials generate` first, or remove --freeze-credentials." : "Run `better-update credentials generate` first, or rerun with --interactive to configure now."
+	}));
+	yield* setupAndroidInteractive(api, input);
+	return yield* ensureAndroidCredentialsAvailable(api, input);
+})));
+const setupIosInteractive = (api, input) => Effect.gen(function* () {
+	yield* Console.log("");
+	yield* Console.log(`No iOS bundle configuration for ${input.bundleIdentifier} (${input.distribution}).`);
+	if ((yield* chooseIosSetupPath(api)) === "apple-id") return yield* setupIosViaAppleId(api, input);
+	return yield* setupIosViaAscKey(api, input);
+});
 const resolveIosBuildCredentials = (api, input) => api.buildCredentials.resolve({
 	path: { projectId: input.projectId },
 	payload: {
@@ -4942,16 +5678,23 @@ const findBoundIosConfig = (api, input) => Effect.gen(function* () {
 });
 const regenerateProvisioningProfile = (api, input) => Effect.gen(function* () {
 	const config = yield* findBoundIosConfig(api, input);
-	if (config.ascApiKeyId === null || config.appleDistributionCertificateId === null) return yield* new MissingCredentialsError({
-		message: "Profile cannot be regenerated: bundle configuration is missing ASC key or distribution certificate",
+	if (config.appleDistributionCertificateId === null) return yield* new MissingCredentialsError({
+		message: "Profile cannot be regenerated: bundle configuration is missing the distribution certificate",
 		hint: "Re-bind credentials via `better-update credentials generate` or the dashboard"
 	});
+	const distributionType = IOS_DISTRIBUTION_TO_TYPE[input.distribution];
+	if (config.ascApiKeyId === null) return yield* regenerateProvisioningProfileViaAppleId(api, {
+		bundleIdentifier: input.bundleIdentifier,
+		distributionCertificateId: config.appleDistributionCertificateId,
+		distributionType,
+		bundleConfigurationId: config.id
+	});
 	yield* Console.log("Regenerating provisioning profile via App Store Connect API...");
 	const created = yield* generateAndUploadProvisioningProfile(api, {
 		ascApiKeyId: config.ascApiKeyId,
 		distributionCertificateId: config.appleDistributionCertificateId,
 		bundleIdentifier: input.bundleIdentifier,
-		distributionType: IOS_DISTRIBUTION_TO_TYPE[input.distribution]
+		distributionType
 	});
 	yield* api.iosBundleConfigurations.update({
 		path: { id: config.id },
@@ -5055,6 +5798,17 @@ const runAndroidPlatformBuild = (input) => Effect.gen(function* () {
 	};
 });
 const runPlatformBuild = (input) => input.platform === "ios" ? runIosPlatformBuild(input) : runAndroidPlatformBuild(input);
+const resolveProfileName = (projectRoot, requested) => Effect.gen(function* () {
+	const easConfig = yield* readEasJson(projectRoot);
+	const available = Object.keys(easConfig.build ?? {});
+	if (available.includes(requested)) return requested;
+	if (!(yield* InteractiveMode).allow || available.length === 0) return requested;
+	yield* Console.log(`Build profile "${requested}" not found in eas.json.`);
+	return yield* promptSelect("Pick a build profile:", available.map((name) => ({
+		value: name,
+		label: name
+	})));
+});
 const runBuildWorkflow = (options) => Effect.scoped(Effect.gen(function* () {
 	const api = yield* apiClient;
 	const projectRoot = yield* (yield* CliRuntime).cwd;
@@ -5066,11 +5820,18 @@ const runBuildWorkflow = (options) => Effect.scoped(Effect.gen(function* () {
 	const baseConfig = yield* readExpoConfig(projectRoot);
 	const projectId = yield* extractProjectId(baseConfig);
 	const platform = yield* detectPlatform(options.platform, baseConfig);
-	const profile = yield* readBuildProfile(projectRoot, options.profileName);
+	const profile = yield* readBuildProfile(projectRoot, yield* resolveProfileName(projectRoot, options.profileName));
 	const envVars = yield* pullEnvVars(api, {
 		projectId,
 		environment: profile.environment
 	});
+	yield* applyAutoIncrement({
+		projectRoot,
+		platform,
+		config: yield* readExpoConfig(projectRoot, envVars),
+		...platform === "ios" && profile.ios?.autoIncrement !== void 0 ? { iosMode: profile.ios.autoIncrement } : {},
+		...platform === "android" && profile.android?.autoIncrement !== void 0 ? { androidMode: profile.android.autoIncrement } : {}
+	});
 	const appMeta = yield* readAppMeta(yield* readExpoConfig(projectRoot, envVars), platform);
 	const runtimeVersion = yield* resolveRuntimeVersion({
 		raw: appMeta.rawRuntimeVersion,
@@ -10058,36 +10819,45 @@ const envErrorExtras = {
 	SystemError: 6,
 	BadArgument: 6
 };
+const isEnvironmentName = (value) => value === "development" || value === "preview" || value === "production";
+const parseEnvironmentsArg = (raw) => Effect.gen(function* () {
+	const tokens = raw.split(",").map((token) => token.trim()).filter((token) => token.length > 0);
+	if (tokens.length === 0) return yield* new InvalidArgumentError({ message: "Provide at least one environment (development, preview, production)." });
+	const seen = /* @__PURE__ */ new Set();
+	yield* Effect.forEach(tokens, (token) => Effect.gen(function* () {
+		if (!isEnvironmentName(token)) return yield* new InvalidArgumentError({ message: `Invalid environment "${token}". Must be one of: development, preview, production.` });
+		seen.add(token);
+	}), { discard: true });
+	return [...seen];
+});
+const parseSingleEnvironmentArg = (raw) => Effect.gen(function* () {
+	if (!isEnvironmentName(raw)) return yield* new InvalidArgumentError({ message: `Invalid environment "${raw}". Must be one of: development, preview, production.` });
+	return raw;
+});
+const formatEnvironments = (environments) => [...environments].toSorted((left, right) => left.localeCompare(right)).join(",");
 
 //#endregion
 //#region src/commands/env/delete.ts
 const deleteCommand$2 = defineCommand({
 	meta: {
 		name: "delete",
-		description: "Delete an environment variable by key"
-	},
-	args: {
-		key: {
-			type: "positional",
-			required: true,
-			description: "Env var key"
-		},
-		environment: {
-			type: "string",
-			default: "production",
-			description: "Target environment"
-		}
+		description: "Delete a project env var by key"
 	},
+	args: { key: {
+		type: "positional",
+		required: true,
+		description: "Env var key"
+	} },
 	run: async ({ args }) => runEffect(Effect.gen(function* () {
 		const projectId = yield* readProjectId;
 		const api = yield* apiClient;
 		const match = (yield* api["env-vars"].list({ urlParams: {
 			projectId,
-			environment: args.environment
+			scope: "project"
 		} })).items.find((item) => item.key === args.key);
-		if (!match) return yield* new EnvResourceNotFoundError({ message: `Environment variable ${args.key} not found in ${args.environment}` });
+		if (!match) return yield* new EnvResourceNotFoundError({ message: `Project env var "${args.key}" not found.` });
 		yield* api["env-vars"].delete({ path: { id: match.id } });
-		yield* Console.log(`Deleted ${args.key} from ${args.environment}`);
+		yield* Console.log(`Deleted ${args.key}`);
 	}), envErrorExtras)
 });
 
@@ -10139,11 +10909,12 @@ const execCommand = defineCommand({
 	} },
 	run: async ({ args }) => runEffect(Effect.gen(function* () {
 		const [bin, rest] = yield* splitTrailing(getExecTrailingArgv());
+		const environment = yield* parseSingleEnvironmentArg(args.environment);
 		const projectId = yield* readProjectId;
 		const api = yield* apiClient;
 		const runtime = yield* CliRuntime;
 		const baseEnv = yield* runtime.commandEnvironment();
-		const pulled = yield* pullForExec(api, projectId, args.environment);
+		const pulled = yield* pullForExec(api, projectId, environment);
 		const cmd = Command.make(bin, ...rest).pipe(Command.env({
 			...baseEnv,
 			...pulled
@@ -10163,13 +10934,14 @@ const exportCommand = defineCommand({
 	args: { environment: {
 		type: "string",
 		default: "production",
-		description: "Target environment"
+		description: "Target environment (development, preview, production)"
 	} },
 	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const environment = yield* parseSingleEnvironmentArg(args.environment);
 		const projectId = yield* readProjectId;
 		const result = yield* (yield* apiClient)["env-vars"].export({ urlParams: {
 			projectId,
-			environment: args.environment
+			environment
 		} });
 		for (const item of result.items) {
 			const escaped = item.value.replaceAll("'", String.raw`'\''`);
@@ -10180,24 +10952,59 @@ const exportCommand = defineCommand({
 
 //#endregion
 //#region src/commands/env/get.ts
+const resolveByKey = (api, key, environment) => Effect.gen(function* () {
+	const env = environment === void 0 ? void 0 : yield* parseSingleEnvironmentArg(environment);
+	const urlParams = {
+		projectId: yield* readProjectId,
+		scope: "all",
+		search: key,
+		...env === void 0 ? {} : { environments: env }
+	};
+	const { items } = yield* api["env-vars"].list({ urlParams });
+	const matches = items.filter((item) => item.key === key);
+	if (matches.length === 0) return yield* new EnvResourceNotFoundError({ message: `No env var with key "${key}" found${env === void 0 ? "" : ` for environment "${env}"`}.` });
+	if (matches.length > 1) return yield* new EnvResourceNotFoundError({ message: `Multiple env vars match key "${key}". Disambiguate with --environment <${[...new Set(matches.flatMap((entry) => entry.environments))].join(", ")}>.` });
+	return matches[0];
+});
+const renderValue$1 = (envVar, includeSensitive) => {
+	if (envVar.visibility === "plaintext") return envVar.value ?? "";
+	if (includeSensitive) return envVar.value ?? "";
+	return "******";
+};
 const getCommand$1 = defineCommand({
 	meta: {
 		name: "get",
-		description: "Show an environment variable"
+		description: "Show an environment variable by KEY (or --by-id)"
+	},
+	args: {
+		key: {
+			type: "positional",
+			required: true,
+			description: "Env var KEY (uppercase) — or ID when used with --by-id"
+		},
+		environment: {
+			type: "string",
+			description: "Filter by environment when looking up by KEY"
+		},
+		"by-id": {
+			type: "boolean",
+			description: "Treat the argument as an ID instead of KEY"
+		},
+		"include-sensitive": {
+			type: "boolean",
+			description: "Reveal masked sensitive values"
+		}
 	},
-	args: { id: {
-		type: "positional",
-		required: true,
-		description: "Env var ID"
-	} },
 	run: async ({ args }) => runEffect(Effect.gen(function* () {
-		const envVar = yield* (yield* apiClient)["env-vars"].get({ path: { id: args.id } });
+		const api = yield* apiClient;
+		const envVar = args["by-id"] ? yield* api["env-vars"].get({ path: { id: args.key } }) : yield* resolveByKey(api, args.key, args.environment);
 		yield* printKeyValue([
 			["ID", envVar.id],
 			["Key", envVar.key],
-			["Environment", envVar.environment],
+			["Scope", envVar.scope],
+			["Environments", formatEnvironments(envVar.environments)],
 			["Visibility", envVar.visibility],
-			["Value", envVar.visibility === "plaintext" ? envVar.value ?? "" : "******"],
+			["Value", renderValue$1(envVar, args["include-sensitive"] ?? false)],
 			["Created", envVar.createdAt],
 			["Updated", envVar.updatedAt]
 		]);
@@ -10220,25 +11027,23 @@ const importCommand = defineCommand({
 		environment: {
 			type: "string",
 			default: "production",
-			description: "Target environment"
+			description: "Target environments (comma-separated, e.g. development,production). Default: production"
 		},
 		visibility: {
 			type: "enum",
-			options: [
-				"plaintext",
-				"sensitive",
-				"secret"
-			],
+			options: ["plaintext", "sensitive"],
 			default: "plaintext",
 			description: "Visibility applied to all imported values"
 		}
 	},
 	run: async ({ args }) => runEffect(Effect.gen(function* () {
 		const content = yield* (yield* FileSystem.FileSystem).readFileString(args.file);
+		const environments = yield* parseEnvironmentsArg(args.environment);
 		const projectId = yield* readProjectId;
 		const result = yield* (yield* apiClient)["env-vars"].bulkImport({ payload: {
+			scope: "project",
 			projectId,
-			environment: args.environment,
+			environments,
 			content,
 			visibility: args.visibility
 		} });
@@ -10248,58 +11053,126 @@ const importCommand = defineCommand({
 
 //#endregion
 //#region src/commands/env/list.ts
+const renderValue = (item, includeSensitive) => {
+	if (item.visibility === "plaintext") return item.value ?? "";
+	if (includeSensitive) return item.value ?? "";
+	return "••••••";
+};
 const listCommand$2 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List environment variables"
 	},
-	args: { environment: {
-		type: "string",
-		description: "Filter by environment"
-	} },
-	run: async ({ args }) => runEffect(Effect.gen(function* () {
-		const projectId = yield* readProjectId;
-		const api = yield* apiClient;
-		const envFilter = args.environment ? { environment: args.environment } : {};
-		yield* printList([
+	args: {
+		environments: {
+			type: "string",
+			description: "Filter by environments (comma-separated, e.g. development,production). Default: all"
+		},
+		scope: {
+			type: "enum",
+			options: [
+				"all",
+				"project",
+				"global"
+			],
+			description: "Filter by scope (default: all — merged with global override resolution)"
+		},
+		search: {
+			type: "string",
+			description: "Filter by key substring (case-insensitive)"
+		},
+		"include-sensitive": {
+			type: "boolean",
+			description: "Reveal masked sensitive values (default: masked)"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const projectId = yield* readProjectId;
+		const api = yield* apiClient;
+		const urlParams = {
+			projectId,
+			...args.scope ? { scope: args.scope } : {},
+			...args.environments ? { environments: args.environments } : {},
+			...args.search ? { search: args.search } : {}
+		};
+		const result = yield* api["env-vars"].list({ urlParams });
+		const includeSensitive = args["include-sensitive"] ?? false;
+		yield* printList([
 			"Key",
-			"Environment",
+			"Environments",
+			"Scope",
 			"Visibility",
 			"Value"
-		], (yield* api["env-vars"].list({ urlParams: {
-			projectId,
-			...envFilter
-		} })).items.map((item) => [
+		], result.items.map((item) => [
 			item.key,
-			item.environment,
+			formatEnvironments(item.environments),
+			item.overridesGlobal ? `${item.scope} (overrides global)` : item.scope,
 			item.visibility,
-			item.visibility === "plaintext" ? item.value ?? "" : "••••••"
+			renderValue(item, includeSensitive)
 		]), "No environment variables found.");
 	}), envErrorExtras)
 });
 
 //#endregion
 //#region src/commands/env/pull.ts
+const DEFAULT_PATH = ".env.local";
+const escapeShellSingleQuoted = (value) => value.replaceAll("'", String.raw`'\''`);
+const escapeDotenvDoubleQuoted = (value) => `"${value.replaceAll("\\", String.raw`\\`).replaceAll("\"", String.raw`\"`).replaceAll("$", String.raw`\$`).replaceAll("\n", String.raw`\n`).replaceAll("\r", String.raw`\r`)}"`;
+const printStdout = (items) => Effect.forEach(items, (item) => Console.log(`export ${item.key}='${escapeShellSingleQuoted(item.value)}'`), { discard: true });
+const writeDotenvFile = (params) => Effect.gen(function* () {
+	const fs = yield* FileSystem.FileSystem;
+	if ((yield* fs.exists(params.targetPath).pipe(Effect.orElseSucceed(() => false))) && !params.force) {
+		if (!(yield* InteractiveMode).allow) return yield* new InvalidArgumentError({ message: `${params.targetPath} already exists. Pass --force to overwrite, or --stdout to print instead.` });
+		if (!(yield* promptConfirm(`Overwrite ${params.targetPath}?`, { initialValue: false }))) {
+			yield* Console.log("Aborted.");
+			return;
+		}
+	}
+	const body = `${params.items.map((item) => `${item.key}=${escapeDotenvDoubleQuoted(item.value)}`).join("\n")}\n`;
+	yield* fs.writeFileString(params.targetPath, body);
+	yield* Console.log(`Wrote ${String(params.items.length)} env vars to ${params.targetPath}`);
+});
 const pullCommand = defineCommand({
 	meta: {
 		name: "pull",
-		description: "Print env vars in `export KEY='value'` format"
+		description: `Write env vars to a dotenv file (default: ${DEFAULT_PATH}) — or pipe to stdout with --stdout`
+	},
+	args: {
+		environment: {
+			type: "string",
+			default: "production",
+			description: "Target environment (development, preview, production)"
+		},
+		path: {
+			type: "string",
+			description: `Output file path (default: ${DEFAULT_PATH})`
+		},
+		stdout: {
+			type: "boolean",
+			description: "Print `export KEY='value'` lines to stdout instead of writing a file"
+		},
+		force: {
+			type: "boolean",
+			description: "Overwrite the target file without prompting"
+		}
 	},
-	args: { environment: {
-		type: "string",
-		default: "production",
-		description: "Target environment"
-	} },
 	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const environment = yield* parseSingleEnvironmentArg(args.environment);
 		const projectId = yield* readProjectId;
 		const result = yield* (yield* apiClient)["env-vars"].export({ urlParams: {
 			projectId,
-			environment: args.environment
+			environment
 		} });
-		for (const item of result.items) {
-			const escaped = item.value.replaceAll("'", String.raw`'\''`);
-			yield* Console.log(`export ${item.key}='${escaped}'`);
+		if (args.stdout) {
+			yield* printStdout(result.items);
+			return;
 		}
+		const cwd = yield* (yield* CliRuntime).cwd;
+		yield* writeDotenvFile({
+			targetPath: path.resolve(cwd, args.path ?? DEFAULT_PATH),
+			items: result.items,
+			force: args.force ?? false
+		});
 	}), envErrorExtras)
 });
 
@@ -10342,7 +11215,7 @@ const pushCommand = defineCommand({
 		environment: {
 			type: "string",
 			default: "production",
-			description: "Target environment"
+			description: "Target environments (comma-separated, e.g. development,production). Default: production"
 		},
 		force: {
 			type: "boolean",
@@ -10355,11 +11228,12 @@ const pushCommand = defineCommand({
 			yield* printHuman(`No valid KEY=VALUE entries found in ${args.file}.`);
 			return;
 		}
+		const environments = yield* parseEnvironmentsArg(args.environment);
 		const projectId = yield* readProjectId;
 		const api = yield* apiClient;
 		const existingResp = yield* api["env-vars"].list({ urlParams: {
 			projectId,
-			environment: args.environment
+			scope: "project"
 		} });
 		const existingByKey = new Map(existingResp.items.map((item) => [item.key, item]));
 		const conflicts = parsed.filter((entry) => existingByKey.has(entry.key));
@@ -10379,8 +11253,9 @@ const pushCommand = defineCommand({
 		});
 		const skipped = conflicts.length - entriesToOverwrite.length;
 		yield* Effect.forEach(newEntries, (entry) => api["env-vars"].create({ payload: {
+			scope: "project",
 			projectId,
-			environment: args.environment,
+			environments,
 			key: entry.key,
 			value: entry.value,
 			visibility: entry.visibility
@@ -10392,11 +11267,12 @@ const pushCommand = defineCommand({
 				path: { id: existing.id },
 				payload: {
 					value: entry.value,
-					visibility: entry.visibility
+					visibility: entry.visibility,
+					environments
 				}
 			});
 		}, { concurrency: 4 });
-		yield* printHuman(`Pushed to ${args.environment}: ${String(newEntries.length)} created, ${String(entriesToOverwrite.length)} updated${skipped > 0 ? `, ${String(skipped)} skipped` : ""}.`);
+		yield* printHuman(`Pushed to ${formatEnvironments(environments)}: ${String(newEntries.length)} created, ${String(entriesToOverwrite.length)} updated${skipped > 0 ? `, ${String(skipped)} skipped` : ""}.`);
 	}), envErrorExtras)
 });
 
@@ -10405,7 +11281,7 @@ const pushCommand = defineCommand({
 const setCommand$1 = defineCommand({
 	meta: {
 		name: "set",
-		description: "Create or update an environment variable"
+		description: "Create or update a project-scoped environment variable"
 	},
 	args: {
 		keyValue: {
@@ -10416,47 +11292,46 @@ const setCommand$1 = defineCommand({
 		environment: {
 			type: "string",
 			default: "production",
-			description: "Target environment"
+			description: "Target environments (comma-separated, e.g. development,production). Default: production"
 		},
 		visibility: {
 			type: "enum",
-			options: [
-				"plaintext",
-				"sensitive",
-				"secret"
-			],
+			options: ["plaintext", "sensitive"],
 			default: "plaintext",
 			description: "Value visibility"
 		}
 	},
 	run: async ({ args }) => runEffect(Effect.gen(function* () {
 		const { key, value } = yield* parseKeyValue(args.keyValue);
-		const { environment } = args;
+		const environments = yield* parseEnvironmentsArg(args.environment);
 		const { visibility } = args;
 		const projectId = yield* readProjectId;
 		const api = yield* apiClient;
 		const match = (yield* api["env-vars"].list({ urlParams: {
 			projectId,
-			environment
+			scope: "project"
 		} })).items.find((item) => item.key === key);
+		const label = formatEnvironments(environments);
 		if (match) {
 			yield* api["env-vars"].update({
 				path: { id: match.id },
 				payload: {
 					value,
-					visibility
+					visibility,
+					environments
 				}
 			});
-			yield* Console.log(`Updated ${key} in ${environment}`);
+			yield* Console.log(`Updated ${key} (environments: ${label})`);
 		} else {
 			yield* api["env-vars"].create({ payload: {
+				scope: "project",
 				projectId,
-				environment,
+				environments,
 				key,
 				value,
 				visibility
 			} });
-			yield* Console.log(`Created ${key} in ${environment}`);
+			yield* Console.log(`Created ${key} (environments: ${label})`);
 		}
 	}), envErrorExtras)
 });
@@ -10466,7 +11341,7 @@ const setCommand$1 = defineCommand({
 const updateCommand$1 = defineCommand({
 	meta: {
 		name: "update",
-		description: "Update an env var's value or visibility"
+		description: "Update a project env var's value, visibility, or environments"
 	},
 	args: {
 		key: {
@@ -10480,32 +11355,29 @@ const updateCommand$1 = defineCommand({
 		},
 		visibility: {
 			type: "enum",
-			options: [
-				"plaintext",
-				"sensitive",
-				"secret"
-			],
+			options: ["plaintext", "sensitive"],
 			description: "New visibility (leave unset to keep current)"
 		},
-		environment: {
+		environments: {
 			type: "string",
-			default: "production",
-			description: "Target environment"
+			description: "New environments assignment (comma-separated, e.g. development,production). Leave unset to keep current."
 		}
 	},
 	run: async ({ args }) => runEffect(Effect.gen(function* () {
-		const { key, value, visibility, environment } = args;
-		if (value === void 0 && visibility === void 0) return yield* new InvalidArgumentError({ message: "Pass --value, --visibility, or both. Nothing to update otherwise." });
+		const { key, value, visibility, environments } = args;
+		if (value === void 0 && visibility === void 0 && environments === void 0) return yield* new InvalidArgumentError({ message: "Pass --value, --visibility, --environments (or any combination). Nothing to update otherwise." });
 		const projectId = yield* readProjectId;
 		const api = yield* apiClient;
 		const match = (yield* api["env-vars"].list({ urlParams: {
 			projectId,
-			environment
+			scope: "project"
 		} })).items.find((item) => item.key === key);
-		if (!match) return yield* new EnvResourceNotFoundError({ message: `Env var "${key}" not found in environment "${environment}".` });
+		if (!match) return yield* new EnvResourceNotFoundError({ message: `Env var "${key}" not found in project.` });
+		const envList = environments ? yield* parseEnvironmentsArg(environments) : void 0;
 		const payload = {
 			...value === void 0 ? {} : { value },
-			...visibility === void 0 ? {} : { visibility }
+			...visibility === void 0 ? {} : { visibility },
+			...envList ? { environments: envList } : {}
 		};
 		yield* api["env-vars"].update({
 			path: { id: match.id },
@@ -10514,7 +11386,8 @@ const updateCommand$1 = defineCommand({
 		const changed = [];
 		if (value !== void 0) changed.push("value");
 		if (visibility !== void 0) changed.push("visibility");
-		yield* printHuman(`Updated ${changed.join(" + ")} for ${key} in ${environment}.`);
+		if (envList) changed.push("environments");
+		yield* printHuman(`Updated ${changed.join(" + ")} for ${key}.`);
 	}), envErrorExtras)
 });
 
@@ -10612,18 +11485,34 @@ const checkExistingLink = (api, config, localSlug) => Effect.gen(function* () {
 	}
 	return (yield* promptConfirm("Overwrite local projectId with a fresh link by slug?", { initialValue: false })) ? "mismatch-overwrite" : "mismatch-abort";
 });
+const writeAndAnnounce = (projectRoot, projectId) => Effect.gen(function* () {
+	const writeResult = yield* writeProjectId(projectRoot, projectId);
+	const target = writeResult.configPath ? path.relative(projectRoot, writeResult.configPath) : "your Expo config";
+	yield* Console.log(`Project linked successfully. ID saved to ${target}.`);
+	if (writeResult.type === "warn" && writeResult.message) yield* Console.log(`Note: ${writeResult.message}`);
+});
 const initCommand = defineCommand({
 	meta: {
 		name: "init",
 		description: "Link the local Expo project to a better-update project"
 	},
-	run: async () => runEffect(Effect.gen(function* () {
+	args: { id: {
+		type: "string",
+		description: "Link by explicit project ID (skips slug lookup / project creation)"
+	} },
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
 		const projectRoot = yield* (yield* CliRuntime).cwd;
 		const config = yield* readExpoConfig(projectRoot);
 		const name = config.name ?? config.slug ?? "untitled";
+		const api = yield* apiClient;
+		if (args.id !== void 0 && args.id.length > 0) {
+			const project = yield* api.projects.get({ path: { id: args.id } });
+			yield* Console.log(`Linking project: ${project.name} (${project.id})`);
+			yield* writeAndAnnounce(projectRoot, project.id);
+			return;
+		}
 		const slug = yield* extractSlug(config);
 		yield* Console.log(`Linking project: ${name} (${slug})`);
-		const api = yield* apiClient;
 		const linkState = yield* checkExistingLink(api, config, slug);
 		if (linkState === "matched" || linkState === "mismatch-abort") return;
 		const { items } = yield* api.projects.list({ urlParams: {
@@ -10631,7 +11520,7 @@ const initCommand = defineCommand({
 			limit: 100
 		} });
 		const existing = items.find((project) => project.slug === slug);
-		const writeResult = yield* writeProjectId(projectRoot, yield* Effect.gen(function* () {
+		yield* writeAndAnnounce(projectRoot, yield* Effect.gen(function* () {
 			if (existing) {
 				yield* Console.log(`Found existing project: ${existing.name} (${existing.id})`);
 				return existing.id;
@@ -10644,198 +11533,9 @@ const initCommand = defineCommand({
 			yield* Console.log(`Created project: ${created.name} (${created.id})`);
 			return created.id;
 		}));
-		const target = writeResult.configPath ? path.relative(projectRoot, writeResult.configPath) : "your Expo config";
-		yield* Console.log(`Project linked successfully. ID saved to ${target}.`);
-		if (writeResult.type === "warn" && writeResult.message) yield* Console.log(`Note: ${writeResult.message}`);
 	}))
 });
 
-//#endregion
-//#region src/lib/browser-login.ts
-var BrowserLoginTimeoutError = class extends Data.TaggedError("BrowserLoginTimeoutError") {};
-var BrowserLoginSessionClosedError = class extends Data.TaggedError("BrowserLoginSessionClosedError") {};
-const CALLBACK_PAGE = `<!doctype html>
-<html lang="en">
-  <head>
-    <meta charset="utf-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1" />
-    <title>better-update CLI Login</title>
-    <style>
-      :root { color-scheme: light dark; font-family: ui-sans-serif, system-ui, sans-serif; }
-      body { margin: 0; min-height: 100vh; display: grid; place-items: center; padding: 24px; }
-      main { max-width: 32rem; line-height: 1.5; }
-      code { font-family: ui-monospace, SFMono-Regular, monospace; }
-    </style>
-  </head>
-  <body>
-    <main>
-      <h1>Completing CLI login...</h1>
-      <p id="message">Finalizing the local session. You can keep this tab open.</p>
-    </main>
-    <script>
-      const message = document.getElementById("message");
-      const render = (text) => {
-        if (message) message.textContent = text;
-      };
-
-      const params = new URLSearchParams(window.location.hash.slice(1));
-      const token = params.get("token");
-
-      if (!token) {
-        render("Missing token. Return to the CLI and run login again.");
-      } else {
-        fetch("/callback/token", {
-          method: "POST",
-          headers: { "content-type": "application/json" },
-          body: JSON.stringify({ token }),
-        })
-          .then(async (response) => {
-            if (!response.ok) {
-              const body = await response.text();
-              throw new Error(body || "Callback failed");
-            }
-            window.history.replaceState({}, document.title, window.location.pathname);
-            render("CLI login complete. You can close this tab.");
-            setTimeout(() => window.close(), 300);
-          })
-          .catch((error) => {
-            render(error instanceof Error ? error.message : "Callback failed.");
-          });
-      }
-    <\/script>
-  </body>
-</html>`;
-const createBrowserLoginSession = (options = {}) => {
-	const tokenDeferred = Effect.runSync(Deferred.make());
-	const waitForToken = Deferred.await(tokenDeferred).pipe(Effect.timeoutFail({
-		duration: options.timeoutMs === void 0 ? Duration.minutes(5) : Duration.millis(options.timeoutMs),
-		onTimeout: () => new BrowserLoginTimeoutError({ message: "Timed out waiting for browser login to complete." })
-	}));
-	const dispose = () => {
-		Effect.runSync(Deferred.fail(tokenDeferred, new BrowserLoginSessionClosedError({ message: "Browser login session closed." })));
-	};
-	return {
-		callbackPath: "/callback",
-		waitForToken,
-		handleRequest: async (request) => {
-			const url = new URL(request.url);
-			if (request.method === "GET" && url.pathname === "/callback") return new Response(CALLBACK_PAGE, { headers: { "content-type": "text/html; charset=utf-8" } });
-			if (request.method === "POST" && url.pathname === "/callback/token") try {
-				const body = await request.json();
-				if (!isRecord(body)) return new Response("Invalid callback payload", { status: 400 });
-				const token = typeof body["token"] === "string" ? body["token"].trim() : "";
-				if (token.length === 0) return new Response("Missing token", { status: 400 });
-				Effect.runSync(Deferred.succeed(tokenDeferred, token));
-				return Response.json({ ok: true });
-			} catch {
-				return new Response("Invalid callback payload", { status: 400 });
-			}
-			return new Response("Not found", { status: 404 });
-		},
-		dispose
-	};
-};
-const readBody = async (req) => {
-	const chunks = [];
-	for await (const chunk of req) chunks.push(chunk);
-	return Buffer.concat(chunks);
-};
-const toFetchRequest = async (req, origin) => {
-	const url = new URL(req.url ?? "/", origin);
-	const method = req.method ?? "GET";
-	const headers = new Headers();
-	for (const [key, value] of Object.entries(req.headers)) {
-		if (value === void 0) continue;
-		if (Array.isArray(value)) for (const entry of value) headers.append(key, entry);
-		else headers.append(key, value);
-	}
-	const init = {
-		method,
-		headers
-	};
-	if (method !== "GET" && method !== "HEAD") {
-		const body = await readBody(req);
-		init.body = new Uint8Array(body);
-	}
-	return new Request(url, init);
-};
-const writeFetchResponse = async (res, response) => {
-	res.statusCode = response.status;
-	response.headers.forEach((value, key) => {
-		res.setHeader(key, value);
-	});
-	const body = await response.arrayBuffer();
-	res.end(Buffer.from(body));
-};
-const handleIncoming = async (req, res, session) => {
-	try {
-		const request = await toFetchRequest(req, "http://127.0.0.1");
-		await writeFetchResponse(res, await session.handleRequest(request));
-	} catch {
-		res.statusCode = 500;
-		res.end("Local callback failed");
-	}
-};
-const createBrowserLoginServer = async (options = {}) => {
-	const session = createBrowserLoginSession(options);
-	const server = createServer((req, res) => {
-		handleIncoming(req, res, session).catch(() => void 0);
-	});
-	server.listen(0, "127.0.0.1");
-	await once(server, "listening");
-	const address = server.address();
-	return {
-		callbackUrl: `http://127.0.0.1:${address !== null && typeof address === "object" ? address.port : 0}${session.callbackPath}`,
-		waitForToken: session.waitForToken,
-		stop: () => {
-			session.dispose();
-			server.close();
-		}
-	};
-};
-
-//#endregion
-//#region src/application/login.ts
-const buildOpenBrowserCommand = (platform, url) => {
-	if (platform === "darwin") return Command.make("open", url);
-	if (platform === "win32") return Command.make("cmd", "/c", "start", "", url);
-	return Command.make("xdg-open", url);
-};
-const openBrowser = (url) => Effect.gen(function* () {
-	const command = buildOpenBrowserCommand((yield* CliRuntime).platform, url);
-	if (!(yield* Command.exitCode(command).pipe(Effect.map((code) => code === 0), Effect.catchAll(() => Effect.succeed(false))))) yield* Console.log(`Open this URL manually:\n${url}`);
-});
-const browserLogin = Effect.scoped(Effect.gen(function* () {
-	const configStore = yield* ConfigStore;
-	const authStore = yield* AuthStore;
-	const webUrl = yield* configStore.getWebUrl;
-	const loginServer = yield* Effect.acquireRelease(Effect.promise(async () => createBrowserLoginServer()), (server) => Effect.sync(server.stop));
-	const loginUrl = `${webUrl}/auth/cli-login?callbackUrl=${encodeURIComponent(loginServer.callbackUrl)}`;
-	yield* Console.log("Opening browser for better-update login...");
-	yield* Console.log("");
-	yield* openBrowser(loginUrl);
-	const token = yield* loginServer.waitForToken;
-	yield* authStore.saveToken(token);
-	yield* Console.log("");
-	yield* Console.log("Logged in successfully. Token saved to ~/.better-update/auth.json");
-}));
-const manualLogin = Effect.gen(function* () {
-	yield* Console.log("Log in to better-update with an existing API key");
-	yield* Console.log("Get your API key from the dashboard > API Keys page");
-	yield* Console.log("");
-	const token = yield* promptPassword("Paste your API key (from dashboard > API Keys):");
-	yield* (yield* AuthStore).saveToken(token);
-	yield* Console.log("");
-	yield* Console.log("Logged in successfully. Token saved to ~/.better-update/auth.json");
-});
-const runLogin = (options) => Effect.gen(function* () {
-	if (options.manualApiKey) {
-		yield* manualLogin;
-		return;
-	}
-	yield* browserLogin;
-});
-
 //#endregion
 //#region src/commands/login.ts
 const loginCommand = defineCommand({
@@ -10857,9 +11557,17 @@ const logoutCommand = defineCommand({
 		name: "logout",
 		description: "Remove the stored auth token"
 	},
-	run: async () => runEffect(Effect.gen(function* () {
+	args: { all: {
+		type: "boolean",
+		description: "Also clear cached Apple Developer session (cookies)"
+	} },
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
 		yield* (yield* AuthStore).clearToken;
 		yield* Console.log("Logged out. Auth token removed.");
+		if (args.all) {
+			yield* (yield* AppleSessionStore).clearSession;
+			yield* Console.log("Cleared Apple Developer session.");
+		}
 	}))
 });
 
@@ -11733,6 +12441,86 @@ const resolveChannelToBranch = (client, projectId, channelName) => Effect.gen(fu
 	if (!branch) return yield* new UpdatePublishError({ message: `Channel "${channelName}" maps to a branch (${match.branchId}) not in the project's branch list.` });
 	return branch.name;
 });
+const CREATE_NEW_BRANCH_SENTINEL = "__better_update_create_new_branch__";
+const promptBranchName$1 = Effect.gen(function* () {
+	const trimmed = (yield* promptText("Branch name to create", { placeholder: "e.g. main, staging, release" })).trim();
+	if (trimmed.length === 0) return yield* new UpdatePublishError({ message: "Branch name cannot be empty." });
+	return trimmed;
+});
+/**
+* Interactive branch picker: lists existing branches with a "+ Create new..."
+* Sentinel option. When the user picks the sentinel (or there are no
+* Existing branches), prompts for a new branch name.
+*/
+const promptForBranch = (client, projectId) => Effect.gen(function* () {
+	const branches = yield* drainPages((page) => client.branches.list({ urlParams: {
+		projectId,
+		limit: 100,
+		page
+	} })).pipe(Effect.mapError((cause) => new UpdatePublishError({ message: `Failed to list branches: ${formatCause(cause)}` })));
+	if (branches.length === 0) return yield* promptBranchName$1;
+	const choice = yield* promptSelect("Which branch to publish to?", [...branches.map((branch) => ({
+		value: branch.name,
+		label: branch.name
+	})), {
+		value: CREATE_NEW_BRANCH_SENTINEL,
+		label: "+ Create new branch..."
+	}]);
+	if (choice === CREATE_NEW_BRANCH_SENTINEL) return yield* promptBranchName$1;
+	return choice;
+});
+/**
+* Interactive message prompt with the git commit subject as default.
+* Returns `undefined` if the user entered an empty value, so the caller
+* Can fall back to its own default.
+*/
+const promptForMessage = (commitMessage) => Effect.gen(function* () {
+	const fallback = commitMessage ?? "Publish via better-update CLI";
+	const trimmed = (yield* promptText("Update message", {
+		placeholder: fallback,
+		defaultValue: fallback
+	})).trim();
+	return trimmed.length === 0 ? void 0 : trimmed;
+});
+/**
+* Apply the full branch/message resolution chain in priority order:
+* Explicit args → git context (when --auto) → channel lookup → env fallback →
+* Interactive picker. Returns the final values or fails with a helpful error
+* When everything is exhausted in non-interactive mode.
+*/
+const resolveBranchAndMessage = (input) => Effect.gen(function* () {
+	let branch = input.branchArg;
+	let message = input.messageArg;
+	if (input.auto) {
+		if (branch === void 0 && input.gitCtx.ref !== void 0) branch = input.gitCtx.ref;
+		if (message === void 0 && input.gitCtx.commitMessage !== void 0) message = input.gitCtx.commitMessage;
+	}
+	if (branch === void 0 && input.channelArg !== void 0) branch = yield* resolveChannelToBranch(input.client, input.projectId, input.channelArg);
+	if (branch === void 0 && input.envBranch !== void 0 && input.envBranch.length > 0) branch = input.envBranch;
+	const interactive = yield* InteractiveMode;
+	if (branch === void 0) {
+		if (!interactive.allow) return yield* new UpdatePublishError({ message: "Missing --branch or --channel. Provide one explicitly, set BETTER_UPDATE_BRANCH, use --auto to infer from git, or run interactively." });
+		branch = yield* promptForBranch(input.client, input.projectId);
+	}
+	if (message === void 0 && interactive.allow && !input.auto) message = yield* promptForMessage(input.gitCtx.commitMessage);
+	return {
+		branch,
+		message
+	};
+});
+/**
+* Show a pre-publish preview and ask for confirmation. Returns `false`
+* If the user declines so the caller can abort gracefully.
+*/
+const confirmPublishPreview = (preview) => Effect.gen(function* () {
+	yield* Console.log("");
+	yield* Console.log(`Branch:      ${preview.branch}`);
+	yield* Console.log(`Platforms:   ${[...preview.platforms].join(", ")}`);
+	yield* Console.log(`Environment: ${preview.environment}`);
+	yield* Console.log(`Message:     ${preview.message}`);
+	yield* Console.log("");
+	return yield* promptConfirm("Proceed with publish?", { initialValue: true });
+});
 const emitMetadataFile = (input) => Effect.gen(function* () {
 	const fs = yield* FileSystem.FileSystem;
 	yield* fs.makeDirectory(input.dir, { recursive: true }).pipe(Effect.mapError((cause) => new UpdatePublishError({ message: `Failed to prepare metadata directory: ${formatCause(cause)}` })));
@@ -11847,7 +12635,8 @@ const publishPlatform = (params) => Effect.gen(function* () {
 	};
 });
 const runUpdatePublish = (options) => Effect.scoped(Effect.gen(function* () {
-	const projectRoot = yield* (yield* CliRuntime).cwd;
+	const runtime = yield* CliRuntime;
+	const projectRoot = yield* runtime.cwd;
 	const api = yield* apiClient;
 	yield* ensureRepoClean({
 		projectRoot,
@@ -11868,23 +12657,30 @@ const runUpdatePublish = (options) => Effect.scoped(Effect.gen(function* () {
 		envVars: environmentVars
 	});
 	const tempDir = yield* acquireBuildTempDir.pipe(Effect.mapError((cause) => new UpdatePublishError({ message: `Failed to create a temporary export directory: ${formatCause(cause)}` })));
-	let resolvedBranch = options.branch;
-	let resolvedMessage = options.message;
-	if (options.auto) {
-		const gitContext = yield* readGitContext(projectRoot);
-		if (!resolvedBranch) {
-			if (!gitContext.ref) return yield* new UpdatePublishError({ message: "Cannot infer branch from git. Ensure you are in a git repo with a checked-out branch, or provide --branch explicitly." });
-			resolvedBranch = gitContext.ref;
-		}
-		if (!resolvedMessage && gitContext.commitMessage) resolvedMessage = gitContext.commitMessage;
-	}
-	if (!resolvedBranch && options.channel !== void 0) resolvedBranch = yield* resolveChannelToBranch(api, projectId, options.channel);
-	if (!resolvedBranch) return yield* new UpdatePublishError({ message: "Missing --branch or --channel. Provide one explicitly or use --auto to infer from git." });
+	const gitCtx = yield* readGitContext(projectRoot);
+	const envBranch = (yield* runtime.getEnv("BETTER_UPDATE_BRANCH"))?.trim();
+	const { branch, message: resolvedMessage } = yield* resolveBranchAndMessage({
+		client: api,
+		projectId,
+		branchArg: options.branch,
+		messageArg: options.message,
+		channelArg: options.channel,
+		auto: options.auto,
+		gitCtx,
+		envBranch
+	});
 	if (options.skipBundler && options.inputDir === void 0) return yield* new UpdatePublishError({ message: "--skip-bundler requires --input-dir <path> pointing to a pre-bundled export." });
 	const sharedExportDir = options.inputDir === void 0 ? void 0 : path.resolve(projectRoot, options.inputDir);
-	const branch = resolvedBranch;
 	const groupId = randomUUID();
 	const message = resolvedMessage ?? "Publish via better-update CLI";
+	if ((yield* InteractiveMode).allow && !options.auto) {
+		if (!(yield* confirmPublishPreview({
+			branch,
+			platforms,
+			message,
+			environment: options.environment
+		}))) return yield* new UpdatePublishError({ message: "Publish cancelled." });
+	}
 	const signedPayloads = yield* loadSignedPublishPayloads({
 		platforms,
 		globalFiles: {
@@ -13152,7 +13948,8 @@ await runMain(defineCommand({
 		devices: devicesCommand,
 		webhooks: webhooksCommand,
 		autocomplete: autocompleteCommand,
-		"migrate-config": migrateConfigCommand
+		"migrate-config": migrateConfigCommand,
+		apple: appleCommand
 	}
 }));