npm - @better-update/cli - Versions diffs - 0.12.1 → 0.13.1 - Mend

@better-update/cli 0.12.1 → 0.13.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.mjs CHANGED Viewed

@@ -28,7 +28,7 @@ var __require = /* @__PURE__ */ createRequire(import.meta.url);
 //#endregion
 //#region package.json
-var version = "0.12.1";
+var version = "0.13.1";
 //#endregion
 //#region src/lib/interactive-mode.ts
@@ -1820,6 +1820,80 @@ const promptConfirm = (message, options) => Effect.gen(function* () {
 	})));
 });
+//#endregion
+//#region src/lib/apple-auth.ts
+const APPLE_PROVIDER_ID_ENV = "APPLE_PROVIDER_ID";
+const readEnv = (name) => Effect.gen(function* () {
+	return yield* (yield* CliRuntime).getEnv(name);
+});
+const parseProviderId = (raw) => {
+	const id = Number(raw);
+	return Number.isInteger(id) ? Effect.succeed(id) : Effect.fail(new AppleAuthError$1({ message: `${APPLE_PROVIDER_ID_ENV} must be a numeric provider ID, got "${raw}".` }));
+};
+const readEnvProviderId = Effect.gen(function* () {
+	const raw = yield* readEnv(APPLE_PROVIDER_ID_ENV);
+	if (!raw) return;
+	return yield* parseProviderId(raw);
+});
+const switchSessionProvider = (appleUtils, providerId) => Effect.tryPromise({
+	try: async () => appleUtils.Session.setSessionProviderIdAsync(providerId),
+	catch: (error) => new AppleAuthError$1({ message: `Failed to switch App Store Connect provider (${providerId}): ${String(error)}` })
+}).pipe(Effect.asVoid);
+/**
+* Resolve App Store Connect provider for the current session.
+*
+* Selection order: APPLE_PROVIDER_ID env → single available provider →
+* interactive prompt (always, when multi-team + interactive) → fall back to
+* apple-utils' currentProviderId (non-interactive only).
+*
+* Multi-team users are always re-prompted in interactive mode so a wrong pick
+* from a previous run can be corrected — we do NOT cache the team choice.
+*
+* `switched` flags that the apple-utils cookie jar was mutated.
+*
+* Non-interactive (CI): env or single-team paths still work; multi-team falls
+* back to whatever apple-utils auto-resolved from cookies. Fails with
+* InteractiveProhibitedError when multi-team and no signal at all.
+*/
+const resolveProvider = (appleUtils, availableProviders, currentProviderId) => Effect.gen(function* () {
+	let switched = false;
+	const applyChoice = (picked) => Effect.gen(function* () {
+		if (currentProviderId !== picked) {
+			yield* switchSessionProvider(appleUtils, picked);
+			switched = true;
+		}
+		return picked;
+	});
+	const envId = yield* readEnvProviderId;
+	if (envId !== void 0) return {
+		providerId: yield* applyChoice(envId),
+		switched
+	};
+	if (availableProviders.length === 0) return {
+		providerId: currentProviderId,
+		switched
+	};
+	const [firstProvider] = availableProviders;
+	if (availableProviders.length === 1 && firstProvider) return {
+		providerId: yield* applyChoice(firstProvider.providerId),
+		switched
+	};
+	if (!(yield* InteractiveMode).allow) {
+		if (currentProviderId !== void 0) return {
+			providerId: currentProviderId,
+			switched
+		};
+		return yield* new InteractiveProhibitedError({ message: "Multiple App Store Connect providers are available but no APPLE_PROVIDER_ID is set; re-run interactively or set the env var." });
+	}
+	return {
+		providerId: yield* applyChoice(yield* promptSelect("Select App Store Connect provider:", availableProviders.map((provider) => ({
+			value: provider.providerId,
+			label: `${provider.name} [${provider.subType}] (${provider.providerId})`
+		})))),
+		switched
+	};
+});
 //#endregion
 //#region ../../packages/safe-json/src/index.ts
 const parseJsonResult = (text) => {
@@ -1852,14 +1926,10 @@ const AppleSessionStoreLive = Layer.effect(AppleSessionStore, Effect.gen(functio
 			if (!content) return null;
 			const parsed = safeJsonParse(content);
 			if (!isRecord(parsed)) return null;
-			if (typeof parsed["teamId"] !== "string" || typeof parsed["username"] !== "string" || !parsed["cookies"]) return null;
-			const providerIdRaw = parsed["providerId"];
-			const hasProviderId = typeof providerIdRaw === "number" && Number.isInteger(providerIdRaw);
+			if (typeof parsed["username"] !== "string" || !parsed["cookies"]) return null;
 			return {
 				cookies: parsed["cookies"],
-				teamId: parsed["teamId"],
-				username: parsed["username"],
-				...hasProviderId ? { providerId: providerIdRaw } : {}
+				username: parsed["username"]
 			};
 		}),
 		saveSession: (session) => Effect.gen(function* () {
@@ -1905,17 +1975,30 @@ const sessionFromInfo = (username, info) => ({
 	teamName: info.provider.name,
 	providerId: info.provider.providerId
 });
-const restoreFromCookies = (appleUtils, cookies, providerId, teamId) => Effect.tryPromise({
-	try: async () => {
-		const input = {
-			cookies,
-			...providerId === void 0 ? {} : { providerId },
-			...teamId === void 0 ? {} : { teamId }
-		};
-		return appleUtils.Auth.loginWithCookiesAsync(input);
-	},
+const sessionFromProvider = (username, provider) => ({
+	username,
+	teamId: provider.publicProviderId,
+	teamName: provider.name,
+	providerId: provider.providerId
+});
+const restoreFromCookies = (appleUtils, cookies) => Effect.tryPromise({
+	try: async () => appleUtils.Auth.loginWithCookiesAsync({ cookies }),
 	catch: (cause) => new AppleAuthError$1({ message: `Failed to restore Apple session: ${formatCause(cause)}` })
 });
+/**
+* After a cookie restore or fresh credentials login, re-resolve the team via
+* {@link resolveProvider}. The cookies are accepted as-is (auth state) but the
+* team is treated as a per-run choice — we never trust a previously-cached team,
+* so a wrong pick can always be corrected on the next run.
+*/
+const resolveSessionTeam = (appleUtils, state) => Effect.gen(function* () {
+	const { availableProviders } = state.session;
+	const resolution = yield* resolveProvider(appleUtils, availableProviders, state.context.providerId ?? state.session.provider.providerId);
+	if (!resolution.switched || resolution.providerId === void 0) return sessionFromAuthState(state);
+	const picked = availableProviders.find((provider) => provider.providerId === resolution.providerId);
+	if (picked === void 0) return yield* new AppleAuthError$1({ message: `Selected provider ${String(resolution.providerId)} not in available providers list.` });
+	return sessionFromProvider(state.username, picked);
+});
 const loginWithCredentials = (appleUtils, credentials) => Effect.tryPromise({
 	try: async () => appleUtils.Auth.loginWithUserCredentialsAsync(credentials, { autoResolveProvider: true }),
 	catch: (cause) => new AppleAuthError$1({ message: `Apple login failed: ${formatCause(cause)}` })
@@ -1942,12 +2025,10 @@ const interactiveLogin = (appleUtils, options, cachedUsername) => Effect.gen(fun
 		password
 	});
 	if (state === null) return yield* new AppleAuthError$1({ message: "Apple login returned no session (unexpected)." });
-	const session = sessionFromAuthState(state);
+	const session = yield* resolveSessionTeam(appleUtils, state);
 	yield* store.saveSession({
 		cookies: readJarCookies(appleUtils),
-		username: session.username,
-		teamId: session.teamId,
-		...session.providerId === void 0 ? {} : { providerId: session.providerId }
+		username: session.username
 	});
 	yield* store.saveLastUsername(session.username);
 	return session;
@@ -1955,15 +2036,15 @@ const interactiveLogin = (appleUtils, options, cachedUsername) => Effect.gen(fun
 const tryRestore = (appleUtils, store) => Effect.gen(function* () {
 	const stored = yield* store.loadSession;
 	if (stored === null) return null;
-	const restored = yield* restoreFromCookies(appleUtils, stored.cookies, stored.providerId, stored.teamId);
+	const restored = yield* restoreFromCookies(appleUtils, stored.cookies).pipe(Effect.catchAll(() => Effect.succeed(null)));
 	if (restored === null) return null;
-	return sessionFromAuthState(restored);
+	return yield* resolveSessionTeam(appleUtils, restored);
 });
 const makeAppleAuthLive = (appleUtils = defaultAppleUtils) => Layer.effect(AppleAuth, Effect.gen(function* () {
 	const store = yield* AppleSessionStore;
 	return {
 		ensureLoggedIn: (options = {}) => Effect.gen(function* () {
-			const restored = yield* tryRestore(appleUtils, store).pipe(Effect.catchAll(() => Effect.succeed(null)));
+			const restored = yield* tryRestore(appleUtils, store);
 			if (restored !== null) return restored;
 			return yield* interactiveLogin(appleUtils, options, yield* store.loadLastUsername).pipe(Effect.provideService(AppleSessionStore, store));
 		}),
@@ -1974,15 +2055,10 @@ const makeAppleAuthLive = (appleUtils = defaultAppleUtils) => Layer.effect(Apple
 		whoami: Effect.gen(function* () {
 			const stored = yield* store.loadSession;
 			if (stored === null) return null;
-			const restored = yield* restoreFromCookies(appleUtils, stored.cookies, stored.providerId, stored.teamId).pipe(Effect.catchAll(() => Effect.succeed(null)));
+			const restored = yield* restoreFromCookies(appleUtils, stored.cookies).pipe(Effect.catchAll(() => Effect.succeed(null)));
 			if (restored !== null) return sessionFromAuthState(restored);
 			const info = appleUtils.Session.getAnySessionInfo();
-			return info === null ? {
-				username: stored.username,
-				teamId: stored.teamId,
-				teamName: null,
-				providerId: stored.providerId
-			} : sessionFromInfo(stored.username, info);
+			return info === null ? null : sessionFromInfo(stored.username, info);
 		}),
 		buildRequestContext: (session) => ({
 			teamId: session.teamId,
@@ -5278,17 +5354,30 @@ const DISTRIBUTION_TO_CERTIFICATE_TYPE = {
 	DEVELOPMENT: AppleUtils.CertificateType.IOS_DEVELOPMENT
 };
 var AppleIdGenerateFailedError = class extends Data.TaggedError("AppleIdGenerateFailedError") {};
+const CERT_LIMIT_PATTERN = /already have a current.*certificate|pending certificate request/iu;
+const messageOf = (cause) => cause instanceof Error ? cause.message : String(cause);
 const wrap = (step, run) => Effect.tryPromise({
 	try: run,
 	catch: (cause) => new AppleIdGenerateFailedError({
 		step,
-		message: cause instanceof Error ? cause.message : String(cause)
+		message: messageOf(cause)
 	})
 });
+const wrapCertificateCreate = (run) => Effect.tryPromise({
+	try: run,
+	catch: (cause) => {
+		const message = messageOf(cause);
+		if (CERT_LIMIT_PATTERN.test(message)) return new CertificateLimitError({ message });
+		return new AppleIdGenerateFailedError({
+			step: "apple-create-certificate",
+			message
+		});
+	}
+});
 const generateAndUploadDistributionCertificateViaAppleId = (api, input) => Effect.gen(function* () {
 	const ctx = input.context;
 	const certificateType = input.certificateType === "IOS_DEVELOPMENT" ? AppleUtils.CertificateType.IOS_DEVELOPMENT : AppleUtils.CertificateType.IOS_DISTRIBUTION;
-	const result = yield* wrap("apple-create-certificate", async () => AppleUtils.createCertificateAndP12Async(ctx, { certificateType }));
+	const result = yield* wrapCertificateCreate(async () => AppleUtils.createCertificateAndP12Async(ctx, { certificateType }));
 	const metadata = yield* extractMetadataFromP12({
 		p12Base64: result.certificateP12,
 		password: result.password
@@ -5312,6 +5401,16 @@ const generateAndUploadDistributionCertificateViaAppleId = (api, input) => Effec
 		developerPortalIdentifier: result.certificate.id
 	};
 });
+const listDistributionCertsViaAppleId = (ctx, certificateType = "IOS_DISTRIBUTION") => Effect.gen(function* () {
+	const filter = certificateType === "IOS_DEVELOPMENT" ? AppleUtils.CertificateType.IOS_DEVELOPMENT : AppleUtils.CertificateType.IOS_DISTRIBUTION;
+	return (yield* wrap("apple-list-certificates", async () => AppleUtils.Certificate.getAsync(ctx, { query: { filter: { certificateType: filter } } }))).map((entry) => ({
+		developerPortalIdentifier: entry.id,
+		serialNumber: entry.attributes.serialNumber,
+		displayName: entry.attributes.displayName,
+		expirationDate: entry.attributes.expirationDate
+	}));
+});
+const revokeDistributionCertViaAppleId = (ctx, developerPortalIdentifier) => wrap("apple-revoke-certificate", async () => AppleUtils.Certificate.deleteAsync(ctx, { id: developerPortalIdentifier }));
 const findOrCreateBundleId = (ctx, bundleIdentifier) => Effect.gen(function* () {
 	const existing = yield* wrap("apple-find-bundle-id", async () => AppleUtils.BundleId.findAsync(ctx, { identifier: bundleIdentifier }));
 	if (existing !== null) return existing.id;
@@ -5393,13 +5492,66 @@ const chooseIosSetupPath = (api) => Effect.gen(function* () {
 		label: "Use an App Store Connect API key"
 	}]);
 });
+const interactiveAppleIdCertLimitRecover = (ctx) => Effect.gen(function* () {
+	yield* Console.log("");
+	yield* Console.log("Apple reports the certificate limit was hit (max 3 distribution certs per team).");
+	const certs = yield* listDistributionCertsViaAppleId(ctx, "IOS_DISTRIBUTION");
+	if (certs.length === 0) return yield* new AppleIdGenerateFailedError({
+		step: "limit-recover",
+		message: "Apple says the certificate limit is hit but no existing certificates were returned."
+	});
+	const toRevoke = yield* promptMultiSelect("Select one or more certificates to revoke before retrying", certs.map((entry) => ({
+		value: entry.developerPortalIdentifier,
+		label: `${entry.serialNumber.slice(0, 12)}… (${entry.displayName}, exp ${entry.expirationDate.slice(0, 10)})`
+	})), { required: true });
+	yield* Effect.forEach(toRevoke, (id) => revokeDistributionCertViaAppleId(ctx, id), { concurrency: "inherit" });
+	yield* Console.log(`Revoked ${toRevoke.length} certificate(s); retrying generation...`);
+});
+const generateDistributionCertViaAppleIdInteractive = (api, ctx) => Effect.gen(function* () {
+	yield* Console.log("Generating distribution certificate via Apple ID...");
+	const generate = generateAndUploadDistributionCertificateViaAppleId(api, { context: ctx });
+	return yield* generate.pipe(Effect.catchTag("CertificateLimitError", () => interactiveAppleIdCertLimitRecover(ctx).pipe(Effect.flatMap(() => generate))));
+});
+const GENERATE_NEW = "__generate__";
+const chooseDistributionCertViaAppleId = (api, ctx, appleTeamId) => Effect.gen(function* () {
+	const items = (yield* api.appleDistributionCertificates.list()).items.filter((cert) => cert.appleTeamId === appleTeamId);
+	if (items.length === 0) {
+		const created = yield* generateDistributionCertViaAppleIdInteractive(api, ctx);
+		return {
+			id: created.id,
+			appleTeamId: created.appleTeamId
+		};
+	}
+	const choice = yield* promptSelect("Select a distribution certificate (or 'generate' for a fresh one)", [{
+		value: GENERATE_NEW,
+		label: "Generate a new distribution certificate"
+	}, ...items.map((cert) => ({
+		value: cert.id,
+		label: `${cert.serialNumber.slice(0, 12)}… (team ${cert.appleTeamId})`
+	}))]);
+	if (choice === GENERATE_NEW) {
+		const created = yield* generateDistributionCertViaAppleIdInteractive(api, ctx);
+		return {
+			id: created.id,
+			appleTeamId: created.appleTeamId
+		};
+	}
+	const cert = items.find((entry) => entry.id === choice);
+	if (cert === void 0) return yield* new AppleIdGenerateFailedError({
+		step: "pick-certificate",
+		message: `Selected certificate ${choice} not found after listing`
+	});
+	return {
+		id: cert.id,
+		appleTeamId: cert.appleTeamId
+	};
+});
 const setupIosViaAppleId = (api, input) => Effect.gen(function* () {
 	const auth = yield* AppleAuth;
 	const session = yield* auth.ensureLoggedIn();
 	const ctx = auth.buildRequestContext(session);
 	yield* Console.log(`Logged in as ${session.username}. Team: ${session.teamName ?? session.teamId} (${session.teamId}).`);
-	yield* Console.log("Generating distribution certificate via Apple ID...");
-	const cert = yield* generateAndUploadDistributionCertificateViaAppleId(api, { context: ctx });
+	const cert = yield* chooseDistributionCertViaAppleId(api, ctx, session.teamId);
 	const distributionType = IOS_DISTRIBUTION_TO_TYPE[input.distribution];
 	yield* Console.log("Generating provisioning profile via Apple ID...");
 	const profile = yield* generateAndUploadProvisioningProfileViaAppleId(api, {