@better-update/cli 0.14.2 → 0.15.0

package/dist/index.mjs

@@ -13,11 +13,11 @@ import { once } from "node:events";
 import { createServer } from "node:http";
 import { maxBy, uniqBy } from "es-toolkit";
 import { createHash, randomBytes, randomUUID } from "node:crypto";
+import forge from "node-forge";
 import { createReadStream, existsSync, readFileSync, writeFileSync } from "node:fs";
 import os from "node:os";
-import plist from "@expo/plist";
+import plistMod from "@expo/plist";
 import { ExpoRunFormatter } from "@expo/xcpretty";
-import forge from "node-forge";
 import { Buffer as Buffer$1 } from "node:buffer";
 import { getFormattedSerialNumber, getX509Certificate, parsePKCS12 } from "@expo/pkcs12";
 import qrcode from "qrcode-terminal";
@@ -28,7 +28,7 @@ var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
 //#endregion
 //#region package.json
-var version = "0.14.2";
+var version = "0.15.0";
 
 //#endregion
 //#region src/lib/interactive-mode.ts
@@ -738,13 +738,27 @@ const IosBuildPushKey = Schema.Struct({
 	keyId: Schema.String,
 	teamId: Schema.String
 });
+/**
+* Auto-provision context surfaced to the CLI. When `ascApiKeyId` is present,
+* the CLI may use it to generate missing provisioning profiles for extension
+* targets (auto-provision flow). `distributionCertificateId` + `appleTeamId`
+* are backend row ids; `appleTeamIdentifier` is the 10-char Apple portal team
+* id (e.g. "ABCDE12345").
+*/
+const IosBuildContext = Schema.Struct({
+	ascApiKeyId: Schema.NullOr(Schema.String),
+	distributionCertificateId: Schema.String,
+	appleTeamId: Schema.String,
+	appleTeamIdentifier: Schema.String
+});
 const ResolveBuildCredentialsIosResult = Schema.Struct({
 	platform: Schema.Literal("ios"),
 	distributionCertificate: IosBuildDistributionCertificate,
 	provisioningProfile: IosBuildProvisioningProfile,
 	pushKey: Schema.NullOr(IosBuildPushKey),
 	profileStale: Schema.Boolean,
-	currentDeviceRosterHash: Schema.NullOr(Schema.String)
+	currentDeviceRosterHash: Schema.NullOr(Schema.String),
+	context: IosBuildContext
 });
 const AndroidBuildKeystore = Schema.Struct({
 	keystoreBase64: Schema.String,
@@ -1638,6 +1652,7 @@ var PresignedUrlExpiredError = class extends Data.TaggedError("PresignedUrlExpir
 var ArtifactNotFoundError = class extends Data.TaggedError("ArtifactNotFoundError") {};
 var KeychainError = class extends Data.TaggedError("KeychainError") {};
 var ProvisioningError = class extends Data.TaggedError("ProvisioningError") {};
+var XcodeProjectError = class extends Data.TaggedError("XcodeProjectError") {};
 var EnvExportError = class extends Data.TaggedError("EnvExportError") {};
 var UpdatePublishError = class extends Data.TaggedError("UpdatePublishError") {};
 var UpdateRollbackError = class extends Data.TaggedError("UpdateRollbackError") {};
@@ -3310,2046 +3325,2441 @@ const fromHex = (hex) => {
 };
 
 //#endregion
-//#region src/lib/credentials-downloader.ts
-const IOS_DISTRIBUTION_TO_TYPE = {
-	"app-store": "APP_STORE",
-	"ad-hoc": "AD_HOC",
-	development: "DEVELOPMENT",
-	enterprise: "ENTERPRISE"
+//#region src/lib/android-keystore.ts
+const DEFAULT_KEYSTORE_VALIDITY_DAYS = 1e4;
+const renderDistinguishedName = (params) => `CN=${params.commonName}, O=${params.organization}`;
+const generateAndroidKeystore = (input) => Command.exitCode(Command.make("keytool", "-genkeypair", "-v", "-storetype", "JKS", "-keystore", input.outputPath, "-alias", input.keyAlias, "-keyalg", "RSA", "-keysize", "2048", "-validity", String(input.validityDays ?? DEFAULT_KEYSTORE_VALIDITY_DAYS), "-storepass", input.storePassword, "-keypass", input.keyPassword, "-dname", renderDistinguishedName({
+	commonName: input.commonName,
+	organization: input.organization
+}), "-noprompt").pipe(Command.stdout("inherit"), Command.stderr("inherit"))).pipe(Effect.mapError((cause) => new BuildFailedError({
+	step: "generate android keystore",
+	exitCode: 1,
+	message: `generate android keystore failed to spawn: ${String(cause)}`
+})), Effect.flatMap((code) => code === 0 ? Effect.void : Effect.fail(new BuildFailedError({
+	step: "generate android keystore",
+	exitCode: code,
+	message: `generate android keystore exited with code ${code}`
+}))));
+
+//#endregion
+//#region src/lib/apple-pem.ts
+const PEM_HEADER = "-----BEGIN PRIVATE KEY-----";
+const PEM_FOOTER = "-----END PRIVATE KEY-----";
+const pemToPkcs8Der = (pem) => {
+	const normalized = pem.replaceAll("\r\n", "\n").trim();
+	const start = normalized.indexOf(PEM_HEADER);
+	const end = normalized.indexOf(PEM_FOOTER);
+	if (start === -1 || end === -1 || end <= start) return null;
+	const body = normalized.slice(start + 27, end).replaceAll(/\s+/gu, "").trim();
+	if (body.length === 0) return null;
+	try {
+		return fromBase64(body);
+	} catch {
+		return null;
+	}
 };
-const bindHint = "Bind the bundle via the dashboard (Credentials → iOS Bundle Configurations) and make sure a distribution certificate, provisioning profile, and ASC API key are attached.";
-const permissionHint = "Ask an org admin to grant the build-credentials download permission.";
-const androidBindHint = "Register the package in the dashboard (Credentials → Android Build Credentials) and bind a keystore to the default group.";
-const hasTag$1 = (cause) => typeof cause === "object" && cause !== null && "_tag" in cause;
-const resolveErrorToMissingCredentials = (cause, platform) => {
-	const tag = hasTag$1(cause) ? cause._tag : null;
-	const message = hasTag$1(cause) && typeof cause.message === "string" ? cause.message : null;
-	const platformLabel = platform === "ios" ? "iOS" : "Android";
-	const bind = platform === "ios" ? bindHint : androidBindHint;
-	if (tag === "Forbidden") return new MissingCredentialsError({
-		message: message ?? `Permission denied when resolving ${platformLabel} build credentials`,
-		hint: permissionHint
-	});
-	if (tag === "NotFound") return new MissingCredentialsError({
-		message: message ?? `No ${platformLabel} build credentials configured`,
-		hint: bind
-	});
-	if (tag === "BadRequest") return new MissingCredentialsError({
-		message: message ?? `${platformLabel} build credentials are misconfigured`,
-		hint: bind
-	});
-	return new MissingCredentialsError({
-		message: message ?? `Failed to resolve ${platformLabel} build credentials`,
-		hint: bind
-	});
+
+//#endregion
+//#region src/lib/apple-asc-jwt.ts
+var AppleAuthError = class extends Data.TaggedError("AppleAuthError") {};
+const MAX_JWT_LIFETIME_SECONDS = 1200;
+const asArrayBuffer = (bytes) => {
+	const buffer = new ArrayBuffer(bytes.byteLength);
+	new Uint8Array(buffer).set(bytes);
+	return buffer;
 };
-const downloadIosCredentials = (api, options) => Effect.gen(function* () {
-	const fs = yield* FileSystem.FileSystem;
-	const resolved = yield* api.buildCredentials.resolve({
-		path: { projectId: options.projectId },
-		payload: {
-			platform: "ios",
-			bundleIdentifier: options.bundleIdentifier,
-			distributionType: IOS_DISTRIBUTION_TO_TYPE[options.distribution]
-		}
-	}).pipe(Effect.mapError((cause) => resolveErrorToMissingCredentials(cause, "ios")));
-	if (resolved.platform !== "ios") return yield* Effect.fail(new MissingCredentialsError({
-		message: "Server returned non-iOS credentials for an iOS build request",
-		hint: bindHint
-	}));
-	const p12Path = path.join(options.tempDir, "signing.p12");
-	const profileFilename = `${resolved.provisioningProfile.uuid ?? "profile"}.mobileprovision`;
-	const profilePath = path.join(options.tempDir, profileFilename);
-	yield* fs.writeFile(p12Path, fromBase64(resolved.distributionCertificate.p12Base64));
-	yield* fs.writeFile(profilePath, fromBase64(resolved.provisioningProfile.mobileprovisionBase64));
-	return {
-		p12Path,
-		p12Password: resolved.distributionCertificate.p12Password,
-		profilePath,
-		profileFilename,
-		teamId: resolved.provisioningProfile.teamId
+const signAscJwt = (credentials) => Effect.gen(function* () {
+	const der = pemToPkcs8Der(credentials.p8Pem);
+	if (der === null) return yield* Effect.fail(new AppleAuthError({ cause: /* @__PURE__ */ new Error("Invalid .p8 PEM") }));
+	const header = {
+		alg: "ES256",
+		kid: credentials.keyId,
+		typ: "JWT"
 	};
-});
-const downloadAndroidCredentials = (api, options) => Effect.gen(function* () {
-	const fs = yield* FileSystem.FileSystem;
-	const resolved = yield* api.buildCredentials.resolve({
-		path: { projectId: options.projectId },
-		payload: {
-			platform: "android",
-			applicationIdentifier: options.applicationIdentifier
-		}
-	}).pipe(Effect.mapError((cause) => resolveErrorToMissingCredentials(cause, "android")));
-	if (resolved.platform !== "android") return yield* Effect.fail(new MissingCredentialsError({
-		message: "Server returned non-Android credentials for an Android build request",
-		hint: androidBindHint
-	}));
-	const keystorePath = path.join(options.tempDir, "upload.keystore");
-	yield* fs.writeFile(keystorePath, fromBase64(resolved.keystore.keystoreBase64));
-	return {
-		keystorePath,
-		storePassword: resolved.keystore.storePassword,
-		keyAlias: resolved.keystore.keyAlias,
-		keyPassword: resolved.keystore.keyPassword
+	const now = Math.floor(Date.now() / 1e3);
+	const payload = {
+		iss: credentials.issuerId,
+		iat: now,
+		exp: now + MAX_JWT_LIFETIME_SECONDS,
+		aud: "appstoreconnect-v1"
 	};
+	const signingInput = `${toBase64Url(new TextEncoder().encode(JSON.stringify(header)))}.${toBase64Url(new TextEncoder().encode(JSON.stringify(payload)))}`;
+	const key = yield* Effect.tryPromise({
+		try: async () => crypto.subtle.importKey("pkcs8", asArrayBuffer(der), {
+			name: "ECDSA",
+			namedCurve: "P-256"
+		}, false, ["sign"]),
+		catch: (cause) => new AppleAuthError({ cause })
+	});
+	const signature = yield* Effect.tryPromise({
+		try: async () => crypto.subtle.sign({
+			name: "ECDSA",
+			hash: "SHA-256"
+		}, key, new TextEncoder().encode(signingInput)),
+		catch: (cause) => new AppleAuthError({ cause })
+	});
+	return `${signingInput}.${toBase64Url(new Uint8Array(signature))}`;
 });
 
 //#endregion
-//#region src/lib/credentials-json.ts
-const CREDENTIALS_JSON_FILENAME = "credentials.json";
-const asString$2 = (value, field) => typeof value === "string" && value.length > 0 ? Effect.succeed(value) : Effect.fail(new CredentialsJsonError({ message: `credentials.json: field "${field}" must be a non-empty string.` }));
-const parseIosDistributionCertificate = (raw) => Effect.gen(function* () {
-	const record = asRecord(raw);
-	if (!record) return yield* new CredentialsJsonError({ message: "credentials.json: ios.distributionCertificate must be an object." });
-	return {
-		path: yield* asString$2(record["path"], "ios.distributionCertificate.path"),
-		password: yield* asString$2(record["password"], "ios.distributionCertificate.password")
-	};
+//#region src/lib/apple-asc-client.ts
+var AscApiError = class extends Data.TaggedError("AscApiError") {};
+var AscNetworkError = class extends Data.TaggedError("AscNetworkError") {};
+const API_BASE = "https://api.appstoreconnect.apple.com";
+const extractErrors = (body) => {
+	if (!isRecord(body) || !Array.isArray(body["errors"])) return [];
+	return body["errors"].filter((value) => isRecord(value));
+};
+const parseApiError = (response, body, raw) => {
+	const [first] = extractErrors(body);
+	return new AscApiError({
+		status: response.status,
+		message: first?.detail ?? first?.title ?? response.statusText,
+		code: first?.code,
+		raw
+	});
+};
+const fetchRaw = (jwt, path, init) => Effect.gen(function* () {
+	const response = yield* Effect.tryPromise({
+		try: async () => fetch(`${API_BASE}${path}`, {
+			method: init?.method ?? "GET",
+			...init?.body === void 0 ? {} : { body: init.body },
+			headers: {
+				authorization: `Bearer ${jwt}`,
+				"content-type": "application/json",
+				accept: "application/json"
+			}
+		}),
+		catch: (cause) => new AscNetworkError({ cause })
+	});
+	const text = yield* Effect.tryPromise({
+		try: async () => response.text(),
+		catch: (cause) => new AscNetworkError({ cause })
+	});
+	const body = text.length === 0 ? {} : JSON.parse(text);
+	if (!response.ok) return yield* Effect.fail(parseApiError(response, body, text));
+	return body;
 });
-const parseIosPushKey = (raw) => Effect.gen(function* () {
-	const record = asRecord(raw);
-	if (!record) return yield* new CredentialsJsonError({ message: "credentials.json: ios.pushKey must be an object." });
+const toAscCertificate = (value) => {
+	if (!isRecord(value)) return null;
+	const { id, attributes } = value;
+	if (typeof id !== "string" || !isRecord(attributes)) return null;
+	const { serialNumber, certificateType, expirationDate, certificateContent, displayName } = attributes;
+	if (typeof serialNumber !== "string" || typeof certificateType !== "string" || typeof expirationDate !== "string") return null;
 	return {
-		path: yield* asString$2(record["path"], "ios.pushKey.path"),
-		keyId: yield* asString$2(record["keyId"], "ios.pushKey.keyId"),
-		teamId: yield* asString$2(record["teamId"], "ios.pushKey.teamId")
+		id,
+		serialNumber,
+		certificateType,
+		expirationDate,
+		certificateContent: typeof certificateContent === "string" ? certificateContent : null,
+		displayName: typeof displayName === "string" ? displayName : null
 	};
-});
-const parseIosAscApiKey = (raw) => Effect.gen(function* () {
-	const record = asRecord(raw);
-	if (!record) return yield* new CredentialsJsonError({ message: "credentials.json: ios.ascApiKey must be an object." });
+};
+const toAscBundleId = (value) => {
+	if (!isRecord(value)) return null;
+	const { id, attributes } = value;
+	if (typeof id !== "string" || !isRecord(attributes)) return null;
+	const { identifier, name } = attributes;
+	if (typeof identifier !== "string" || typeof name !== "string") return null;
 	return {
-		path: yield* asString$2(record["path"], "ios.ascApiKey.path"),
-		keyId: yield* asString$2(record["keyId"], "ios.ascApiKey.keyId"),
-		issuerId: yield* asString$2(record["issuerId"], "ios.ascApiKey.issuerId")
+		id,
+		identifier,
+		name
 	};
-});
-const parseIos = (raw) => Effect.gen(function* () {
-	const record = asRecord(raw);
-	if (!record) return yield* new CredentialsJsonError({ message: "credentials.json: \"ios\" must be an object." });
-	const provisioningProfilePath = yield* asString$2(record["provisioningProfilePath"], "ios.provisioningProfilePath");
-	const distributionCertificate = yield* parseIosDistributionCertificate(record["distributionCertificate"]);
-	const pushKey = record["pushKey"] === void 0 ? void 0 : yield* parseIosPushKey(record["pushKey"]);
-	const ascApiKey = record["ascApiKey"] === void 0 ? void 0 : yield* parseIosAscApiKey(record["ascApiKey"]);
+};
+const PROFILE_TYPES = [
+	"IOS_APP_ADHOC",
+	"IOS_APP_DEVELOPMENT",
+	"IOS_APP_STORE",
+	"IOS_APP_INHOUSE"
+];
+const asProfileType = (value) => {
+	const match = PROFILE_TYPES.find((entry) => entry === value);
+	return match === void 0 ? null : match;
+};
+const toAscProfile = (value) => {
+	if (!isRecord(value)) return null;
+	const { id, attributes } = value;
+	if (typeof id !== "string" || !isRecord(attributes)) return null;
+	const { name, uuid, expirationDate, profileContent } = attributes;
+	const profileType = asProfileType(attributes["profileType"]);
+	if (typeof name !== "string" || typeof uuid !== "string" || typeof expirationDate !== "string" || typeof profileContent !== "string" || profileType === null) return null;
 	return {
-		provisioningProfilePath,
-		distributionCertificate,
-		...pushKey === void 0 ? {} : { pushKey },
-		...ascApiKey === void 0 ? {} : { ascApiKey }
+		id,
+		name,
+		uuid,
+		expirationDate,
+		profileContent,
+		profileType
 	};
-});
-const parseAndroidKeystore = (raw) => Effect.gen(function* () {
-	const record = asRecord(raw);
-	if (!record) return yield* new CredentialsJsonError({ message: "credentials.json: android.keystore must be an object." });
+};
+const toAscDevice = (value) => {
+	if (!isRecord(value)) return null;
+	const { id, attributes } = value;
+	if (typeof id !== "string" || !isRecord(attributes)) return null;
+	const { udid, name } = attributes;
+	if (typeof udid !== "string" || typeof name !== "string") return null;
 	return {
-		keystorePath: yield* asString$2(record["keystorePath"], "android.keystore.keystorePath"),
-		keystorePassword: yield* asString$2(record["keystorePassword"], "android.keystore.keystorePassword"),
-		keyAlias: yield* asString$2(record["keyAlias"], "android.keystore.keyAlias"),
-		keyPassword: yield* asString$2(record["keyPassword"], "android.keystore.keyPassword")
+		id,
+		udid,
+		name
 	};
+};
+const extractList = (body, map) => {
+	if (!isRecord(body) || !Array.isArray(body["data"])) return [];
+	return body["data"].map(map).filter((value) => value !== null);
+};
+const extractSingle = (body, map) => {
+	if (!isRecord(body)) return null;
+	return map(body["data"]);
+};
+const malformed = (resource) => new AscApiError({
+	status: 500,
+	message: `Malformed ${resource} response`,
+	code: void 0,
+	raw: ""
 });
-const parseGoogleServiceAccountKey = (raw) => Effect.gen(function* () {
-	const record = asRecord(raw);
-	if (!record) return yield* new CredentialsJsonError({ message: "credentials.json: android.googleServiceAccountKey must be an object." });
-	return { path: yield* asString$2(record["path"], "android.googleServiceAccountKey.path") };
+const withJwt = (credentials, fn) => Effect.gen(function* () {
+	return yield* fn(yield* signAscJwt(credentials));
 });
-const parseAndroid = (raw) => Effect.gen(function* () {
-	const record = asRecord(raw);
-	if (!record) return yield* new CredentialsJsonError({ message: "credentials.json: \"android\" must be an object." });
-	const keystore = yield* parseAndroidKeystore(record["keystore"]);
-	const googleServiceAccountKey = record["googleServiceAccountKey"] === void 0 ? void 0 : yield* parseGoogleServiceAccountKey(record["googleServiceAccountKey"]);
-	return {
-		keystore,
-		...googleServiceAccountKey === void 0 ? {} : { googleServiceAccountKey }
+const listCertificates = (credentials, params) => withJwt(credentials, (jwt) => Effect.gen(function* () {
+	return extractList(yield* fetchRaw(jwt, `/v1/certificates${params?.certificateType ? `?filter[certificateType]=${params.certificateType}&limit=200` : "?limit=200"}`), toAscCertificate);
+}));
+const createCertificate = (credentials, params) => withJwt(credentials, (jwt) => Effect.gen(function* () {
+	const csrContent = params.csrPem.replaceAll("-----BEGIN CERTIFICATE REQUEST-----", "").replaceAll("-----END CERTIFICATE REQUEST-----", "").replaceAll(/\s+/gu, "");
+	const resource = extractSingle(yield* fetchRaw(jwt, "/v1/certificates", {
+		method: "POST",
+		body: JSON.stringify({ data: {
+			type: "certificates",
+			attributes: {
+				csrContent,
+				certificateType: params.certificateType
+			}
+		} })
+	}), toAscCertificate);
+	if (resource === null) return yield* Effect.fail(malformed("certificate"));
+	return resource;
+}));
+const deleteCertificate = (credentials, id) => withJwt(credentials, (jwt) => Effect.gen(function* () {
+	yield* fetchRaw(jwt, `/v1/certificates/${encodeURIComponent(id)}`, { method: "DELETE" });
+}));
+const listBundleIds = (credentials) => withJwt(credentials, (jwt) => Effect.gen(function* () {
+	return extractList(yield* fetchRaw(jwt, "/v1/bundleIds?limit=200"), toAscBundleId);
+}));
+const createBundleId = (credentials, params) => withJwt(credentials, (jwt) => Effect.gen(function* () {
+	const resource = extractSingle(yield* fetchRaw(jwt, "/v1/bundleIds", {
+		method: "POST",
+		body: JSON.stringify({ data: {
+			type: "bundleIds",
+			attributes: {
+				identifier: params.identifier,
+				name: params.name,
+				platform: "IOS"
+			}
+		} })
+	}), toAscBundleId);
+	if (resource === null) return yield* Effect.fail(malformed("bundleId"));
+	return resource;
+}));
+const listDevices = (credentials) => withJwt(credentials, (jwt) => Effect.gen(function* () {
+	return extractList(yield* fetchRaw(jwt, "/v1/devices?limit=200"), toAscDevice);
+}));
+const createProvisioningProfile = (credentials, params) => withJwt(credentials, (jwt) => Effect.gen(function* () {
+	const relationships = {
+		bundleId: { data: {
+			type: "bundleIds",
+			id: params.bundleIdAscId
+		} },
+		certificates: { data: params.certificateAscIds.map((id) => ({
+			type: "certificates",
+			id
+		})) },
+		...params.deviceAscIds.length > 0 ? { devices: { data: params.deviceAscIds.map((id) => ({
+			type: "devices",
+			id
+		})) } } : {}
 	};
-});
-const parseCredentialsJson = (raw) => Effect.gen(function* () {
-	const root = asRecord(yield* Effect.try({
-		try: () => JSON.parse(raw),
-		catch: () => new CredentialsJsonError({ message: "credentials.json is not valid JSON." })
-	}));
-	if (!root) return yield* new CredentialsJsonError({ message: "credentials.json must be a JSON object at the top level." });
-	const ios = root["ios"] === void 0 ? void 0 : yield* parseIos(root["ios"]);
-	const android = root["android"] === void 0 ? void 0 : yield* parseAndroid(root["android"]);
-	if (!ios && !android) return yield* new CredentialsJsonError({ message: "credentials.json must contain at least one of \"ios\" or \"android\"." });
+	const resource = extractSingle(yield* fetchRaw(jwt, "/v1/profiles", {
+		method: "POST",
+		body: JSON.stringify({ data: {
+			type: "profiles",
+			attributes: {
+				name: params.profileName,
+				profileType: params.profileType
+			},
+			relationships
+		} })
+	}), toAscProfile);
+	if (resource === null) return yield* Effect.fail(malformed("profile"));
+	return resource;
+}));
+const isCertificateLimitError = (error) => {
+	if (error._tag !== "AscApiError") return false;
+	return /already have a current.*certificate|pending certificate request/iu.test(error.message);
+};
+
+//#endregion
+//#region src/lib/apple-cert-to-p12.ts
+var CertParseError = class extends Data.TaggedError("CertParseError") {};
+const APPLE_TEAM_ID_RE$1 = /^[A-Z0-9]{10}$/u;
+const stringField = (cert, name) => {
+	const value = cert.subject.getField(name)?.value;
+	return typeof value === "string" ? value : null;
+};
+const matchTeamFromCommonName = (cn) => {
+	const match = /\(([A-Z0-9]{10})\)/u.exec(cn);
+	if (match === null) return null;
+	const [, captured] = match;
+	return captured === void 0 ? null : captured;
+};
+const extractTeamId$1 = (cert) => {
+	const ou = stringField(cert, "OU");
+	if (ou !== null && APPLE_TEAM_ID_RE$1.test(ou)) return ou;
+	const cn = stringField(cert, "CN");
+	if (cn === null) return null;
+	return matchTeamFromCommonName(cn);
+};
+const parseCert = (certDerBytes) => {
+	const asn1 = forge.asn1.fromDer(certDerBytes);
+	return forge.pki.certificateFromAsn1(asn1);
+};
+const generatePassword = () => forge.util.encode64(forge.random.getBytesSync(16));
+const extractCertMetadata = (cert) => Effect.gen(function* () {
+	const appleTeamId = extractTeamId$1(cert);
+	if (appleTeamId === null) return yield* Effect.fail(new CertParseError({ message: "Could not extract Apple team identifier from certificate subject" }));
 	return {
-		...ios === void 0 ? {} : { ios },
-		...android === void 0 ? {} : { android }
+		serialNumber: cert.serialNumber.toUpperCase(),
+		validFrom: cert.validity.notBefore.toISOString(),
+		validUntil: cert.validity.notAfter.toISOString(),
+		appleTeamId,
+		appleTeamName: stringField(cert, "O"),
+		developerIdIdentifier: stringField(cert, "UID"),
+		commonName: stringField(cert, "CN")
 	};
 });
-const credentialsJsonPath = (projectRoot) => path.join(projectRoot, CREDENTIALS_JSON_FILENAME);
-const readCredentialsJson = (projectRoot) => Effect.gen(function* () {
-	const fs = yield* FileSystem.FileSystem;
-	const filePath = credentialsJsonPath(projectRoot);
-	if (!(yield* fs.exists(filePath).pipe(Effect.catchAll(() => Effect.succeed(false))))) return yield* new CredentialsJsonError({ message: `credentials.json not found at ${filePath}.` });
-	return yield* parseCredentialsJson(yield* fs.readFileString(filePath).pipe(Effect.mapError((cause) => new CredentialsJsonError({ message: `Failed to read credentials.json: ${String(cause)}` }))));
-});
-const writeCredentialsJson = (projectRoot, data) => Effect.gen(function* () {
-	const fs = yield* FileSystem.FileSystem;
-	const filePath = credentialsJsonPath(projectRoot);
-	const body = `${JSON.stringify(data, null, 2)}\n`;
-	yield* fs.writeFileString(filePath, body).pipe(Effect.mapError((cause) => new CredentialsJsonError({ message: `Failed to write credentials.json: ${String(cause)}` })));
-	return filePath;
-});
 /**
-* Resolve a path that may be either absolute or relative to the project root.
+* Parse a PKCS#12 base64 bundle and extract certificate metadata. Used by the
+* Apple-ID flow which receives a P12 directly from `createCertificateAndP12Async`
+* and needs metadata before uploading to the better-update server.
 */
-const resolveCredentialPath = (projectRoot, candidate) => path.isAbsolute(candidate) ? candidate : path.join(projectRoot, candidate);
-
-//#endregion
-//#region src/lib/local-credentials.ts
-const requirePath = (fs, absolutePath, label) => fs.exists(absolutePath).pipe(Effect.catchAll(() => Effect.succeed(false)), Effect.flatMap((exists) => exists ? Effect.void : Effect.fail(new MissingCredentialsError({
-	message: `Local credentials.json: ${label} not found at ${absolutePath}.`,
-	hint: "Run `better-update credentials sync pull` to materialize files, or fix the path in credentials.json."
-}))));
-const loadLocalIosCredentials = (options) => Effect.gen(function* () {
-	const fs = yield* FileSystem.FileSystem;
-	const data = yield* readCredentialsJson(options.projectRoot).pipe(Effect.mapError((cause) => new MissingCredentialsError({
-		message: `Local credentials.json: ${cause.message}`,
-		hint: "Create credentials.json or switch the build profile's credentialsSource back to \"remote\"."
-	})));
-	if (!data.ios) return yield* new MissingCredentialsError({
-		message: "credentials.json has no `ios` section but the build is for iOS.",
-		hint: "Add an `ios` block to credentials.json or switch credentialsSource to remote."
+const extractMetadataFromP12 = (params) => Effect.gen(function* () {
+	const certBagOid = forge.pki.oids["certBag"];
+	if (certBagOid === void 0) return yield* Effect.fail(new CertParseError({ message: "PKCS#12 OID lookup for certBag failed" }));
+	const [first] = yield* Effect.try({
+		try: () => {
+			const p12Der = forge.util.decode64(params.p12Base64);
+			const p12Asn1 = forge.asn1.fromDer(p12Der);
+			return forge.pkcs12.pkcs12FromAsn1(p12Asn1, false, params.password).getBags({ bagType: certBagOid })[certBagOid] ?? [];
+		},
+		catch: (error) => new CertParseError({ message: `Failed to parse PKCS#12 bundle: ${error instanceof Error ? error.message : String(error)}` })
 	});
-	const p12Path = resolveCredentialPath(options.projectRoot, data.ios.distributionCertificate.path);
-	const profilePath = resolveCredentialPath(options.projectRoot, data.ios.provisioningProfilePath);
-	yield* requirePath(fs, p12Path, "distribution certificate (.p12)");
-	yield* requirePath(fs, profilePath, "provisioning profile (.mobileprovision)");
-	return {
-		p12Path,
-		p12Password: data.ios.distributionCertificate.password,
-		profilePath,
-		profileFilename: path.basename(profilePath),
-		teamId: ""
-	};
+	if (first?.cert === void 0) return yield* Effect.fail(new CertParseError({ message: "PKCS#12 bundle does not contain a certificate" }));
+	return yield* extractCertMetadata(first.cert);
 });
-const loadLocalAndroidCredentials = (options) => Effect.gen(function* () {
-	const fs = yield* FileSystem.FileSystem;
-	const data = yield* readCredentialsJson(options.projectRoot).pipe(Effect.mapError((cause) => new MissingCredentialsError({
-		message: `Local credentials.json: ${cause.message}`,
-		hint: "Create credentials.json or switch the build profile's credentialsSource back to \"remote\"."
-	})));
-	if (!data.android) return yield* new MissingCredentialsError({
-		message: "credentials.json has no `android` section but the build is for Android.",
-		hint: "Add an `android` block to credentials.json or switch credentialsSource to remote."
+const buildDistributionCertP12 = (params) => Effect.gen(function* () {
+	const result = yield* Effect.try({
+		try: () => {
+			const cert = parseCert(forge.util.decode64(params.certificateContentBase64));
+			const password = generatePassword();
+			const p12Asn1 = forge.pkcs12.toPkcs12Asn1(params.privateKey, [cert], password, {
+				friendlyName: "key",
+				algorithm: "3des"
+			});
+			return {
+				cert,
+				p12Base64: forge.util.encode64(forge.asn1.toDer(p12Asn1).getBytes()),
+				password
+			};
+		},
+		catch: (error) => new CertParseError({ message: `Failed to assemble .p12: ${error instanceof Error ? error.message : String(error)}` })
 	});
-	const keystorePath = resolveCredentialPath(options.projectRoot, data.android.keystore.keystorePath);
-	yield* requirePath(fs, keystorePath, "keystore");
+	const metadata = yield* extractCertMetadata(result.cert);
 	return {
-		keystorePath,
-		storePassword: data.android.keystore.keystorePassword,
-		keyAlias: data.android.keystore.keyAlias,
-		keyPassword: data.android.keystore.keyPassword
-	};
-});
+		p12Base64: result.p12Base64,
+		password: result.password,
+		metadata
+	};
+});
 
 //#endregion
-//#region src/lib/sha256.ts
-const hashReadError = (message) => new BuildFailedError({
-	step: "sha256",
-	exitCode: 1,
-	message
-});
-const hashFile = (path, formatDigest) => Effect.async((resume) => {
-	const hash = createHash("sha256");
-	const stream = createReadStream(path);
-	let byteSize = 0;
-	stream.on("data", (chunk) => {
-		const buffer = typeof chunk === "string" ? Buffer.from(chunk) : chunk;
-		byteSize += buffer.byteLength;
-		hash.update(buffer);
-	});
-	stream.on("error", (error) => {
-		resume(Effect.fail(hashReadError(`Failed to read file for SHA-256: ${error.message}`)));
-	});
-	stream.on("end", () => {
-		resume(Effect.succeed({
-			digest: formatDigest(hash.digest()),
-			byteSize
-		}));
+//#region src/lib/apple-csr.ts
+const generateRsaKeyPair = async () => new Promise((resolve) => {
+	forge.pki.rsa.generateKeyPair({
+		bits: 2048,
+		workers: 2
+	}, (_err, keyPair) => {
+		resolve(keyPair);
 	});
 });
-/**
-* Compute the SHA-256 digest and byte size of a file using Node's streaming
-* hash API. The file is never fully loaded into memory — chunks flow through
-* `createReadStream` into `crypto.createHash("sha256")`.
-*/
-const sha256File = (path) => hashFile(path, (digest) => digest.toString("hex")).pipe(Effect.map(({ digest, byteSize }) => ({
-	sha256: digest,
-	byteSize
-})));
-/**
-* Compute a content-type-namespaced hash: `SHA-256(contentType + '\0' + SHA-256_hex(fileBytes))`.
-*
-* This prevents hash collisions when identical bytes are served with different
-* MIME types (e.g. same file used as both `application/javascript` and `text/plain`).
-* The raw content hash is still needed separately for R2 upload verification.
-*/
-const sha256Namespaced = (contentType, contentSha256Hex) => {
-	const input = `${contentType}\0${contentSha256Hex}`;
-	return toBase64Url(createHash("sha256").update(input).digest());
+const generateCertificateSigningRequest = async () => {
+	const keyPair = await generateRsaKeyPair();
+	const csr = forge.pki.createCertificationRequest();
+	csr.publicKey = keyPair.publicKey;
+	csr.setSubject([{
+		name: "commonName",
+		shortName: "CN",
+		value: "PEM"
+	}]);
+	csr.sign(keyPair.privateKey, forge.md.sha1.create());
+	return {
+		csrPem: forge.pki.certificationRequestToPem(csr),
+		privateKeyPem: forge.pki.privateKeyToPem(keyPair.privateKey),
+		privateKey: keyPair.privateKey
+	};
 };
 
 //#endregion
-//#region src/commands/build/run-step.ts
-const runStep = (cmd, step) => Command.exitCode(cmd.pipe(Command.stdout("inherit"), Command.stderr("inherit"))).pipe(Effect.mapError((cause) => new BuildFailedError({
-	step,
-	exitCode: 1,
-	message: `${step} failed to spawn: ${String(cause)}`
-})), Effect.flatMap((code) => code === 0 ? Effect.void : Effect.fail(new BuildFailedError({
-	step,
-	exitCode: code,
-	message: `${step} exited with code ${code}`
-}))));
+//#region src/lib/temp-dir.ts
 /**
-* Run a build step with stdout piped through a formatter (e.g., xcpretty).
-* stderr passes through to the terminal directly.
+* Create a scoped temp directory prefixed with "better-update-" and `chmod 0o700`
+* it so only the current user can read its contents. The directory and all files
+* inside it are removed when the enclosing scope closes.
 */
-const runStepFormatted = (cmd, step, formatter) => Effect.gen(function* () {
-	const proc = yield* Command.start(cmd.pipe(Command.stdout("pipe"), Command.stderr("pipe"))).pipe(Effect.mapError((cause) => new BuildFailedError({
-		step,
-		exitCode: 1,
-		message: `${step} failed to spawn: ${String(cause)}`
-	})));
-	const stdoutFiber = yield* proc.stdout.pipe(Stream.decodeText(), Stream.splitLines, Stream.runForEach((line) => {
-		const formatted = formatter.pipe(line);
-		return formatted.length > 0 ? Effect.sync(() => {
-			for (const output of formatted) process$1.stdout.write(`${output}\n`);
-		}) : Effect.void;
-	}), Effect.mapError((cause) => new BuildFailedError({
-		step,
-		exitCode: 1,
-		message: `${step} stdout stream error: ${String(cause)}`
-	})), Effect.fork);
-	const stderrFiber = yield* proc.stderr.pipe(Stream.decodeText(), Stream.splitLines, Stream.runForEach((line) => Effect.sync(() => process$1.stderr.write(`${line}\n`))), Effect.mapError((cause) => new BuildFailedError({
-		step,
-		exitCode: 1,
-		message: `${step} stderr stream error: ${String(cause)}`
-	})), Effect.fork);
-	yield* Effect.all([Fiber.join(stdoutFiber), Fiber.join(stderrFiber)], { concurrency: 2 }).pipe(Effect.catchAll(() => Effect.void));
-	const code = yield* proc.exitCode.pipe(Effect.mapError((cause) => new BuildFailedError({
-		step,
-		exitCode: 1,
-		message: `${step} exit code error: ${String(cause)}`
-	})));
-	if (code !== 0) {
-		const summary = formatter.getBuildSummary();
-		if (summary) process$1.stderr.write(`${summary}\n`);
-		return yield* new BuildFailedError({
-			step,
-			exitCode: code,
-			message: `${step} exited with code ${code}`
-		});
-	}
+const acquireBuildTempDir = Effect.gen(function* () {
+	const fs = yield* FileSystem.FileSystem;
+	const dir = yield* fs.makeTempDirectoryScoped({ prefix: "better-update-" });
+	yield* fs.chmod(dir, 448);
+	return dir;
 });
 
 //#endregion
-//#region src/commands/build/android.ts
-/**
-* Compose the Gradle task name from flavor, format, and buildType.
-*
-* Gradle naming convention: `<verb><Flavor><Variant>`, e.g.
-*   - no flavor + apk + release       → `assembleRelease`
-*   - no flavor + aab + release       → `bundleRelease`
-*   - flavor=prod + aab + release     → `bundleProdRelease`
-*   - flavor=prod + apk + debug       → `assembleProdDebug`
-*/
-const gradleTaskName = (format, flavor, buildType) => {
-	const verb = format === "aab" ? "bundle" : "assemble";
-	return flavor ? `${verb}${capitalize(flavor)}${capitalize(buildType)}` : `${verb}${capitalize(buildType)}`;
+//#region src/lib/credentials-generator.ts
+const DISTRIBUTION_TO_PROFILE_TYPE$1 = {
+	APP_STORE: "IOS_APP_STORE",
+	AD_HOC: "IOS_APP_ADHOC",
+	DEVELOPMENT: "IOS_APP_DEVELOPMENT",
+	ENTERPRISE: "IOS_APP_INHOUSE"
 };
-const runAndroidBuild = (input) => Effect.gen(function* () {
-	const { api, tempDir, projectRoot, androidProfile, applicationIdentifier, envVars, projectId } = input;
-	const runtime = yield* CliRuntime;
-	const buildStartMs = Date.now();
-	const { format } = androidProfile;
-	const { flavor } = androidProfile;
-	const buildType = androidProfile.buildType ?? "release";
-	const androidDir = path.join(projectRoot, "android");
-	const commandEnv = yield* runtime.commandEnvironment(envVars);
-	const credentials = input.credentialsSource === "local" ? yield* loadLocalAndroidCredentials({ projectRoot }) : yield* downloadAndroidCredentials(api, {
-		projectId,
-		applicationIdentifier,
-		tempDir
+const computeDeviceRosterHashHex = (ascDeviceIds) => {
+	const sorted = [...ascDeviceIds].toSorted();
+	return createHash("sha256").update(sorted.join(","), "utf8").digest("hex");
+};
+var CertificateLimitError = class extends Data.TaggedError("CertificateLimitError") {};
+var GenerateFailedError = class extends Data.TaggedError("GenerateFailedError") {};
+const messageForAscCause = (cause) => {
+	if (cause._tag === "AscApiError") return cause.message;
+	if (cause._tag === "AppleAuthError") return "Apple JWT signing failed";
+	return "Network error talking to Apple";
+};
+const wrapAscError = (step) => (cause) => {
+	if (cause._tag === "AscApiError" && isCertificateLimitError(cause)) return new CertificateLimitError({ message: cause.message });
+	return new GenerateFailedError({
+		step,
+		message: messageForAscCause(cause)
 	});
-	yield* runStep(Command.make("bunx", "expo", "prebuild", "--platform", "android", "--clean").pipe(Command.workingDirectory(projectRoot), Command.env(commandEnv)), "expo prebuild android");
+};
+const generateAndUploadKeystore = (api, input) => Effect.scoped(Effect.gen(function* () {
 	const fs = yield* FileSystem.FileSystem;
-	const signingGradlePath = path.join(tempDir, "signing.gradle");
-	yield* fs.writeFileString(signingGradlePath, renderSigningGradle({
-		keystorePath: credentials.keystorePath,
-		storePassword: credentials.storePassword,
-		keyAlias: credentials.keyAlias,
-		keyPassword: credentials.keyPassword
-	}));
-	const taskName = gradleTaskName(format, flavor, buildType);
-	yield* runStep(Command.make("./gradlew", "--init-script", signingGradlePath, `:app:${taskName}`).pipe(Command.workingDirectory(androidDir), Command.env(commandEnv)), "gradlew");
-	const artifactPath = yield* findAndroidArtifact({
-		projectRoot,
-		format,
-		...flavor === void 0 ? {} : { flavor },
-		buildType,
-		minMtimeMs: buildStartMs
+	const tempDir = yield* acquireBuildTempDir;
+	const keystorePath = path.join(tempDir, "release.keystore");
+	yield* generateAndroidKeystore({
+		outputPath: keystorePath,
+		keyAlias: input.keyAlias,
+		storePassword: input.storePassword,
+		keyPassword: input.keyPassword,
+		commonName: input.commonName,
+		organization: input.organization,
+		...input.validityDays === void 0 ? {} : { validityDays: input.validityDays }
 	});
-	const { sha256, byteSize } = yield* sha256File(artifactPath);
+	const bytes = yield* fs.readFile(keystorePath);
+	const created = yield* api.androidUploadKeystores.upload({ payload: {
+		keystoreBase64: toBase64(bytes),
+		keyAlias: input.keyAlias,
+		keystorePassword: input.storePassword,
+		keyPassword: input.keyPassword
+	} });
 	return {
-		artifactPath,
-		byteSize,
-		sha256
+		id: created.id,
+		keyAlias: created.keyAlias
 	};
-});
-
-//#endregion
-//#region src/lib/ios-export-options.ts
-const escapeXml = (value) => value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll("\"", "&quot;").replaceAll("'", "&apos;");
-const boolTag = (value) => value ? "<true/>" : "<false/>";
-/**
-* Render an Xcode `ExportOptions.plist` for `xcodebuild -exportArchive`.
-*
-* - `signingStyle` is always `manual` (ephemeral keychain + downloaded profile)
-* - `uploadSymbols` is emitted only for `app-store` exports
-* - `provisioningProfiles` dict maps bundleId → profile name
-* - `compileBitcode` defaults to `false`
-*/
-const renderExportOptionsPlist = ({ method, teamId, bundleId, provisioningProfileName, compileBitcode = false }) => {
-	const lines = [
-		"<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
-		"<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">",
-		"<plist version=\"1.0\">",
-		"<dict>",
-		"	<key>method</key>",
-		`\t<string>${escapeXml(method)}</string>`,
-		"	<key>teamID</key>",
-		`\t<string>${escapeXml(teamId)}</string>`,
-		"	<key>signingStyle</key>",
-		"	<string>manual</string>",
-		"	<key>compileBitcode</key>",
-		`\t${boolTag(compileBitcode)}`,
-		"	<key>provisioningProfiles</key>",
-		"	<dict>",
-		`\t\t<key>${escapeXml(bundleId)}</key>`,
-		`\t\t<string>${escapeXml(provisioningProfileName)}</string>`,
-		"	</dict>"
-	];
-	if (method === "app-store") lines.push("	<key>uploadSymbols</key>", "	<true/>");
-	lines.push("</dict>", "</plist>", "");
-	return lines.join("\n");
-};
-
-//#endregion
-//#region src/lib/ios-keychain.ts
-const runOrFail = (cmd, step) => Command.string(cmd).pipe(Effect.mapError((cause) => new KeychainError({ message: `keychain ${step} failed: ${String(cause)}` })));
-const listCurrentKeychains = Effect.gen(function* () {
-	return (yield* runOrFail(Command.make("security", "list-keychains", "-d", "user"), "list-keychains")).split("\n").map((line) => line.trim().replace(/^"/u, "").replace(/"$/u, "")).filter((line) => line.length > 0);
-});
-const parseSigningIdentity = (output) => {
-	const lines = output.split("\n");
-	for (const line of lines) {
-		const match = /"([^"]+)"/u.exec(line);
-		if (match?.[1]) return match[1];
-	}
-};
-/**
-* Acquire an ephemeral macOS keychain, import a `.p12` into it, add it to the
-* user search list, and tear it all down on scope close. The keychain name is
-* namespaced as `better-update-<uuid>` and lives in `$tempDir`, so cleanup is
-* guaranteed under all termination paths.
-*/
-const acquireKeychain = ({ tempDir, p12Path, p12Password }) => {
-	const keychainName = `better-update-${randomUUID()}.keychain-db`;
-	const keychainPath = path.join(tempDir, keychainName);
-	const keychainPassword = randomBytes(32).toString("hex");
-	return Effect.acquireRelease(Effect.gen(function* () {
-		const priorKeychains = yield* listCurrentKeychains;
-		yield* runOrFail(Command.make("security", "create-keychain", "-p", keychainPassword, keychainPath), "create-keychain");
-		yield* runOrFail(Command.make("security", "unlock-keychain", "-p", keychainPassword, keychainPath), "unlock-keychain");
-		yield* runOrFail(Command.make("security", "set-keychain-settings", "-t", "3600", "-l", keychainPath), "set-keychain-settings");
-		yield* runOrFail(Command.make("security", "import", p12Path, "-k", keychainPath, "-P", p12Password, "-T", "/usr/bin/codesign"), "import");
-		yield* runOrFail(Command.make("security", "set-key-partition-list", "-S", "apple-tool:,apple:,codesign:", "-s", "-k", keychainPassword, keychainPath), "set-key-partition-list");
-		yield* runOrFail(Command.make("security", "list-keychains", "-d", "user", "-s", keychainPath, ...priorKeychains), "list-keychains -s (add)");
-		const signingIdentity = parseSigningIdentity(yield* runOrFail(Command.make("security", "find-identity", "-v", "-p", "codesigning", keychainPath), "find-identity"));
-		if (!signingIdentity) return yield* new KeychainError({ message: "No code signing identity found after importing .p12 into ephemeral keychain." });
-		return {
-			handle: {
-				keychainName,
-				keychainPath,
-				signingIdentity
-			},
-			priorKeychains
-		};
-	}), ({ priorKeychains }) => Effect.gen(function* () {
-		yield* Command.string(Command.make("security", "list-keychains", "-d", "user", "-s", ...priorKeychains)).pipe(Effect.catchAll(() => Effect.void));
-		yield* Command.string(Command.make("security", "delete-keychain", keychainPath)).pipe(Effect.catchAll(() => Effect.void));
-	})).pipe(Effect.map(({ handle }) => handle));
-};
-
-//#endregion
-//#region src/lib/plist.ts
-/**
-* Parse an XML plist string into a typed object.
-* Throws on malformed XML — callers should wrap in Effect.try.
-*/
-const parsePlistXml = (xml) => plist.parse(xml);
-/**
-* Parse a binary plist buffer into a typed object.
-* Uses bplist-parser for Apple's binary plist format.
-*/
-const parsePlistBinary = (buffer) => {
-	const [result] = __require("bplist-parser").parseBuffer(buffer);
-	return result;
-};
-const BPLIST_MAGIC = Buffer.from("bplist00");
-/**
-* Auto-detect plist format (binary vs XML) and parse accordingly.
-*/
-const parsePlist = (data) => data.subarray(0, 8).equals(BPLIST_MAGIC) ? parsePlistBinary(data) : parsePlistXml(data.toString("utf8"));
-
-//#endregion
-//#region src/lib/ios-provisioning.ts
-const getString = (obj, key) => {
-	const value = obj[key];
-	return typeof value === "string" ? value : void 0;
-};
-const getFirstArrayString = (obj, key) => {
-	const value = obj[key];
-	if (Array.isArray(value) && typeof value[0] === "string") return value[0];
-};
-/**
-* Extract `UUID`, `Name`, and the first `TeamIdentifier` from the XML plist
-* output of `security cms -D -i <path>`. Returns `ProvisioningError` when any
-* of the three fields are missing.
-*/
-const extractProvisioningInfo = (plistXml) => Effect.gen(function* () {
-	const parsed = yield* Effect.try({
-		try: () => parsePlistXml(plistXml),
-		catch: (error) => new ProvisioningError({ message: `Failed to parse provisioning profile plist: ${error instanceof Error ? error.message : String(error)}` })
+}));
+const fetchAscCredentials = (api, ascApiKeyId) => api.ascApiKeys.getCredentials({ path: { id: ascApiKeyId } });
+const generateAndUploadDistributionCertificate = (api, input) => Effect.gen(function* () {
+	const creds = yield* fetchAscCredentials(api, input.ascApiKeyId);
+	const ascCreds = {
+		keyId: creds.keyId,
+		issuerId: creds.issuerId,
+		p8Pem: creds.p8Pem
+	};
+	const csrResult = yield* Effect.tryPromise({
+		try: generateCertificateSigningRequest,
+		catch: (cause) => new GenerateFailedError({
+			step: "csr",
+			message: `CSR generation failed: ${cause instanceof Error ? cause.message : String(cause)}`
+		})
 	});
-	const uuid = getString(parsed, "UUID");
-	const name = getString(parsed, "Name");
-	const teamId = getFirstArrayString(parsed, "TeamIdentifier");
-	if (!uuid || !name || !teamId) return yield* new ProvisioningError({ message: `Failed to parse provisioning profile: missing ${uuid ? "" : "UUID "}${name ? "" : "Name "}${teamId ? "" : "TeamIdentifier "}`.trim() });
+	const certificateType = input.certificateType ?? "IOS_DISTRIBUTION";
+	const apple = yield* createCertificate(ascCreds, {
+		csrPem: csrResult.csrPem,
+		certificateType
+	}).pipe(Effect.mapError(wrapAscError("apple-create-certificate")));
+	if (apple.certificateContent === null) return yield* Effect.fail(new GenerateFailedError({
+		step: "apple-create-certificate",
+		message: "Apple response missing certificateContent"
+	}));
+	const bundle = yield* buildDistributionCertP12({
+		certificateContentBase64: apple.certificateContent,
+		privateKey: csrResult.privateKey
+	}).pipe(Effect.mapError((cause) => new GenerateFailedError({
+		step: "p12-build",
+		message: cause.message
+	})));
+	const created = yield* api.appleDistributionCertificates.upload({ payload: {
+		p12Base64: bundle.p12Base64,
+		p12Password: bundle.password,
+		serialNumber: bundle.metadata.serialNumber,
+		appleTeamIdentifier: bundle.metadata.appleTeamId,
+		...bundle.metadata.appleTeamName === null ? {} : { appleTeamName: bundle.metadata.appleTeamName },
+		...bundle.metadata.developerIdIdentifier === null ? {} : { developerIdIdentifier: bundle.metadata.developerIdIdentifier },
+		validFrom: bundle.metadata.validFrom,
+		validUntil: bundle.metadata.validUntil
+	} });
 	return {
-		uuid,
-		name,
-		teamId
+		id: created.id,
+		serialNumber: bundle.metadata.serialNumber,
+		appleTeamId: created.appleTeamId,
+		appleTeamIdentifier: bundle.metadata.appleTeamId,
+		developerPortalIdentifier: apple.id
 	};
 });
-const userProvisioningProfilesDir = () => path.join(os.homedir(), "Library", "MobileDevice", "Provisioning Profiles");
-/**
-* Scoped installation of a provisioning profile: parses its metadata via
-* `security cms -D -i`, copies it into `~/Library/MobileDevice/Provisioning Profiles`
-* under `<uuid>.mobileprovision`, and removes the copy on scope close — but
-* only if we installed it. If the target file already existed when we arrived
-* (e.g., Xcode had it), we leave both the file and the contents untouched.
-*/
-const installProvisioningProfile = ({ profilePath }) => Effect.acquireRelease(Effect.gen(function* () {
-	const fs = yield* FileSystem.FileSystem;
-	const info = yield* extractProvisioningInfo(yield* Command.string(Command.make("security", "cms", "-D", "-i", profilePath)).pipe(Effect.mapError((cause) => new ProvisioningError({ message: `security cms -D failed for ${profilePath}: ${String(cause)}` }))));
-	const targetDir = userProvisioningProfilesDir();
-	const installedPath = path.join(targetDir, `${info.uuid}.mobileprovision`);
-	yield* fs.makeDirectory(targetDir, { recursive: true }).pipe(Effect.catchAll((cause) => new ProvisioningError({ message: `Failed to create provisioning profiles dir: ${String(cause)}` })));
-	if (yield* fs.exists(installedPath).pipe(Effect.orElseSucceed(() => false))) return {
-		...info,
-		installedPath,
-		ownsInstallation: false
-	};
-	yield* fs.copyFile(profilePath, installedPath).pipe(Effect.catchAll((cause) => new ProvisioningError({ message: `Failed to copy provisioning profile into ${installedPath}: ${String(cause)}` })));
-	return {
-		...info,
-		installedPath,
-		ownsInstallation: true
-	};
-}), (acquired) => Effect.gen(function* () {
-	if (!acquired.ownsInstallation) return;
-	yield* (yield* FileSystem.FileSystem).remove(acquired.installedPath).pipe(Effect.catchAll(() => Effect.void));
-})).pipe(Effect.map(({ uuid, name, teamId, installedPath }) => ({
-	uuid,
-	name,
-	teamId,
-	installedPath
-})));
-
-//#endregion
-//#region src/lib/post-build-validation.ts
-/**
-* Validate an iOS build after xcodebuild completes. Checks:
-* 1. Bundle ID matches expected value
-* 2. Provisioning profile UUID matches
-* 3. Team ID matches
-*
-* All checks are non-blocking — returns warnings, never fails the build.
-*/
-const validateIosBuild = (params) => Effect.gen(function* () {
-	const appDir = yield* findAppDirectory$1(params.archivePath).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
-	if (!appDir) return {
-		passed: false,
-		warnings: ["Could not locate .app bundle in archive — skipping post-build validation"]
+const revokeAppleCertificate = (api, input) => Effect.gen(function* () {
+	const creds = yield* fetchAscCredentials(api, input.ascApiKeyId);
+	yield* deleteCertificate({
+		keyId: creds.keyId,
+		issuerId: creds.issuerId,
+		p8Pem: creds.p8Pem
+	}, input.developerPortalIdentifier).pipe(Effect.mapError(wrapAscError("apple-revoke-certificate")));
+});
+const revokeLocalDistributionCertificate = (api, input) => Effect.gen(function* () {
+	const local = (yield* api.appleDistributionCertificates.list()).items.find((entry) => entry.id === input.distributionCertificateId);
+	if (local === void 0) return yield* Effect.fail(new GenerateFailedError({
+		step: "load-distribution-certificate",
+		message: `Distribution certificate ${input.distributionCertificateId} not found on this account`
+	}));
+	const creds = yield* fetchAscCredentials(api, input.ascApiKeyId);
+	const ascCreds = {
+		keyId: creds.keyId,
+		issuerId: creds.issuerId,
+		p8Pem: creds.p8Pem
 	};
-	const bundleWarning = yield* checkBundleId(appDir, params.expectedBundleId).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
-	const profileWarnings = yield* checkEmbeddedProfile(appDir, params.expectedProfileUuid, params.expectedTeamId).pipe(Effect.catchAll(() => Effect.succeed([])));
-	const warnings = [...bundleWarning ? [bundleWarning] : [], ...profileWarnings];
-	if (warnings.length > 0) {
-		yield* Console.warn("Post-build validation warnings:");
-		for (const warning of warnings) yield* Console.warn(`  - ${warning}`);
+	const targetSerial = local.serialNumber.toUpperCase();
+	const matching = yield* Effect.all([listCertificates(ascCreds, { certificateType: "IOS_DISTRIBUTION" }), listCertificates(ascCreds, { certificateType: "IOS_DEVELOPMENT" })], { concurrency: 2 }).pipe(Effect.mapError(wrapAscError("apple-list-certificates")));
+	const ascMatch = [...matching[0], ...matching[1]].find((entry) => entry.serialNumber.toUpperCase() === targetSerial);
+	let revokedOnApple = false;
+	if (ascMatch !== void 0) {
+		yield* deleteCertificate(ascCreds, ascMatch.id).pipe(Effect.mapError(wrapAscError("apple-revoke-certificate")));
+		revokedOnApple = true;
+	}
+	let deletedLocally = false;
+	if (input.keepLocal !== true) {
+		yield* api.appleDistributionCertificates.delete({ path: { id: input.distributionCertificateId } });
+		deletedLocally = true;
 	}
 	return {
-		passed: warnings.length === 0,
-		warnings
+		localId: input.distributionCertificateId,
+		serialNumber: local.serialNumber,
+		revokedOnApple,
+		deletedLocally
 	};
 });
-const findAppDirectory$1 = (archivePath) => Effect.gen(function* () {
-	const fs = yield* FileSystem.FileSystem;
-	const productsDir = path.join(archivePath, "Products", "Applications");
-	const appEntry = (yield* fs.readDirectory(productsDir)).find((entry) => entry.endsWith(".app"));
-	if (!appEntry) return yield* Effect.fail("No .app found");
-	return path.join(productsDir, appEntry);
+const listAppleCertificates = (api, input) => Effect.gen(function* () {
+	const creds = yield* fetchAscCredentials(api, input.ascApiKeyId);
+	return yield* listCertificates({
+		keyId: creds.keyId,
+		issuerId: creds.issuerId,
+		p8Pem: creds.p8Pem
+	}, input.certificateType === void 0 ? {} : { certificateType: input.certificateType }).pipe(Effect.mapError(wrapAscError("apple-list-certificates")));
 });
-const checkBundleId = (appDir, expectedBundleId) => Effect.gen(function* () {
-	const fs = yield* FileSystem.FileSystem;
-	const plistPath = path.join(appDir, "Info.plist");
-	const data = yield* fs.readFile(plistPath);
-	const actualBundleId = parsePlist(Buffer.from(data))["CFBundleIdentifier"];
-	if (typeof actualBundleId === "string" && actualBundleId !== expectedBundleId) return `Bundle ID mismatch: expected "${expectedBundleId}", got "${actualBundleId}"`;
+const resolveCertAscId = (creds, serialNumber, certificateType) => Effect.gen(function* () {
+	const match = (yield* listCertificates(creds, { certificateType }).pipe(Effect.mapError(wrapAscError("apple-list-certificates")))).find((entry) => entry.serialNumber.toUpperCase() === serialNumber);
+	if (match === void 0) return yield* Effect.fail(new GenerateFailedError({
+		step: "match-apple-certificate",
+		message: `Distribution certificate ${serialNumber} not present on Apple Developer Portal; upload or re-generate it`
+	}));
+	return match.id;
 });
-const checkEmbeddedProfile = (appDir, expectedUuid, expectedTeamId) => Effect.gen(function* () {
-	const warnings = [];
-	const profilePath = path.join(appDir, "embedded.mobileprovision");
-	const parsed = parsePlistXml(yield* Command.string(Command.make("security", "cms", "-D", "-i", profilePath)));
-	const actualUuid = parsed["UUID"];
-	if (typeof actualUuid === "string" && actualUuid !== expectedUuid) warnings.push(`Profile UUID mismatch: expected "${expectedUuid}", got "${actualUuid}"`);
-	const teamIdentifiers = parsed["TeamIdentifier"];
-	if (Array.isArray(teamIdentifiers)) {
-		const [actualTeamId] = teamIdentifiers;
-		if (typeof actualTeamId === "string" && actualTeamId !== expectedTeamId) warnings.push(`Team ID mismatch: expected "${expectedTeamId}", got "${actualTeamId}"`);
-	}
-	const expirationDate = parsed["ExpirationDate"];
-	if (expirationDate instanceof Date && expirationDate.getTime() < Date.now()) warnings.push(`Embedded provisioning profile expired on ${expirationDate.toISOString()}`);
-	return warnings;
+const ensureBundleId = (creds, bundleIdentifier) => Effect.gen(function* () {
+	const existing = (yield* listBundleIds(creds).pipe(Effect.mapError(wrapAscError("apple-list-bundle-ids")))).find((entry) => entry.identifier === bundleIdentifier);
+	if (existing !== void 0) return existing.id;
+	return (yield* createBundleId(creds, {
+		identifier: bundleIdentifier,
+		name: bundleIdentifier
+	}).pipe(Effect.mapError(wrapAscError("apple-create-bundle-id")))).id;
+});
+const collectDeviceAscIds = (creds, appleTeamId, deviceIds) => Effect.gen(function* () {
+	const devices = yield* listDevices(creds).pipe(Effect.mapError(wrapAscError("apple-list-devices")));
+	return {
+		ids: deviceIds === void 0 ? devices.map((device) => device.id) : devices.filter((device) => new Set(deviceIds).has(device.id)).map((device) => device.id),
+		appleTeamId
+	};
+});
+const generateAndUploadProvisioningProfile = (api, input) => Effect.gen(function* () {
+	const creds = yield* fetchAscCredentials(api, input.ascApiKeyId);
+	const ascCreds = {
+		keyId: creds.keyId,
+		issuerId: creds.issuerId,
+		p8Pem: creds.p8Pem
+	};
+	const cert = yield* api.appleDistributionCertificates.list().pipe(Effect.map(({ items }) => items.find((item) => item.id === input.distributionCertificateId)), Effect.flatMap((match) => match === void 0 ? Effect.fail(new GenerateFailedError({
+		step: "load-distribution-certificate",
+		message: `Distribution certificate ${input.distributionCertificateId} not found`
+	})) : Effect.succeed(match)));
+	const certificateType = input.distributionType === "DEVELOPMENT" ? "IOS_DEVELOPMENT" : "IOS_DISTRIBUTION";
+	const [certAscId, bundleIdAscId] = yield* Effect.all([resolveCertAscId(ascCreds, cert.serialNumber.toUpperCase(), certificateType), ensureBundleId(ascCreds, input.bundleIdentifier)], { concurrency: 2 });
+	const useDevices = input.distributionType === "AD_HOC" || input.distributionType === "DEVELOPMENT";
+	const { ids: deviceAscIds } = useDevices ? yield* collectDeviceAscIds(ascCreds, cert.appleTeamId, input.deviceIds) : { ids: [] };
+	if (useDevices && deviceAscIds.length === 0) return yield* Effect.fail(new GenerateFailedError({
+		step: "collect-devices",
+		message: "No registered devices to attach to the provisioning profile"
+	}));
+	const profileBytes = fromBase64((yield* createProvisioningProfile(ascCreds, {
+		profileName: `${input.bundleIdentifier} ${input.distributionType} ${Date.now()}`,
+		profileType: DISTRIBUTION_TO_PROFILE_TYPE$1[input.distributionType],
+		bundleIdAscId,
+		certificateAscIds: [certAscId],
+		deviceAscIds
+	}).pipe(Effect.mapError(wrapAscError("apple-create-profile")))).profileContent);
+	const rosterHash = useDevices ? computeDeviceRosterHashHex(deviceAscIds) : void 0;
+	const profileBase64 = toBase64(profileBytes);
+	const created = yield* api.appleProvisioningProfiles.upload({ payload: {
+		profileBase64,
+		appleDistributionCertificateId: input.distributionCertificateId,
+		isManaged: true,
+		...rosterHash === void 0 ? {} : { deviceRosterHash: rosterHash }
+	} });
+	return {
+		id: created.id,
+		bundleIdentifier: created.bundleIdentifier,
+		distributionType: created.distributionType,
+		profileName: created.profileName,
+		validUntil: created.validUntil,
+		developerPortalIdentifier: created.developerPortalIdentifier,
+		/** Raw .mobileprovision bytes (base64) — callers can install directly without re-downloading. */
+		profileBase64
+	};
 });
 
 //#endregion
-//#region src/lib/xcpretty-formatter.ts
+//#region src/lib/auto-provision-extension-profiles.ts
 /**
-* Create a stateful xcodebuild output formatter backed by `@expo/xcpretty`.
-* Each `pipe(line)` call may return zero or more formatted lines — zero means
-* the line was suppressed (e.g., intermediate compiler invocations).
+* Mint a fresh provisioning profile for an extension bundle that has no
+* registered IosBundleConfiguration yet:
+*   1. Generate the profile via Apple ASC (reusing the main app's dist cert).
+*   2. Upload the .mobileprovision bytes to the backend so future resolves work.
+*   3. Create an IosBundleConfiguration binding so the new profile is wired up.
+*
+* Returns the profile bytes in-line so the build can install + sign immediately
+* without a follow-up resolve round-trip.
 */
-const createXcodebuildFormatter = (projectRoot) => {
-	const formatter = ExpoRunFormatter.create(projectRoot);
+const autoProvisionExtensionProfile = (api, input) => Effect.gen(function* () {
+	const generated = yield* generateAndUploadProvisioningProfile(api, {
+		ascApiKeyId: input.ascApiKeyId,
+		distributionCertificateId: input.distributionCertificateId,
+		bundleIdentifier: input.bundleIdentifier,
+		distributionType: input.distributionType
+	});
+	const binding = yield* api.iosBundleConfigurations.create({
+		path: { projectId: input.projectId },
+		payload: {
+			bundleIdentifier: input.bundleIdentifier,
+			distributionType: input.distributionType,
+			appleTeamId: input.appleTeamId,
+			appleDistributionCertificateId: input.distributionCertificateId,
+			appleProvisioningProfileId: generated.id,
+			ascApiKeyId: input.ascApiKeyId
+		}
+	});
 	return {
-		pipe: (line) => formatter.pipe(line),
-		getBuildSummary: () => formatter.getBuildSummary()
+		bundleIdentifier: input.bundleIdentifier,
+		profileBase64: generated.profileBase64,
+		profileUuid: generated.developerPortalIdentifier ?? input.bundleIdentifier,
+		profileName: generated.profileName,
+		appleProvisioningProfileId: generated.id,
+		iosBundleConfigurationId: binding.id
 	};
-};
+});
 
 //#endregion
-//#region src/commands/build/ios.ts
-const findXcworkspace = (iosDir) => Effect.gen(function* () {
-	const workspace = (yield* (yield* FileSystem.FileSystem).readDirectory(iosDir)).find((entry) => entry.endsWith(".xcworkspace"));
-	if (!workspace) return yield* new BuildFailedError({
-		step: "detect xcworkspace",
-		exitCode: 1,
-		message: `No .xcworkspace found under ${iosDir}. Did "pod install" run?`
+//#region src/lib/credentials-downloader.ts
+const IOS_DISTRIBUTION_TO_TYPE = {
+	"app-store": "APP_STORE",
+	"ad-hoc": "AD_HOC",
+	development: "DEVELOPMENT",
+	enterprise: "ENTERPRISE"
+};
+const bindHint = "Bind the bundle via the dashboard (Credentials → iOS Bundle Configurations) and make sure a distribution certificate, provisioning profile, and ASC API key are attached.";
+const permissionHint = "Ask an org admin to grant the build-credentials download permission.";
+const androidBindHint = "Register the package in the dashboard (Credentials → Android Build Credentials) and bind a keystore to the default group.";
+const hasTag$1 = (cause) => typeof cause === "object" && cause !== null && "_tag" in cause;
+const resolveErrorToMissingCredentials = (cause, platform, bundleIdentifier) => {
+	const tag = hasTag$1(cause) ? cause._tag : null;
+	const message = hasTag$1(cause) && typeof cause.message === "string" ? cause.message : null;
+	const platformLabel = platform === "ios" ? "iOS" : "Android";
+	const bind = platform === "ios" ? bindHint : androidBindHint;
+	const bundleSuffix = bundleIdentifier ? ` (bundle "${bundleIdentifier}")` : "";
+	if (tag === "Forbidden") return new MissingCredentialsError({
+		message: message ?? `Permission denied when resolving ${platformLabel} build credentials${bundleSuffix}`,
+		hint: permissionHint
 	});
-	return workspace;
-});
-const prebuildAndPods = (params) => Effect.gen(function* () {
-	yield* runStep(Command.make("bunx", "expo", "prebuild", "--platform", "ios", "--clean").pipe(Command.workingDirectory(params.projectRoot), Command.env(params.commandEnv)), "expo prebuild ios");
-	yield* runStep(Command.make("pod", "install").pipe(Command.workingDirectory(params.iosDir), Command.env(params.commandEnv)), "pod install");
-});
-const findAppDirectory = (root) => Effect.gen(function* () {
-	const fs = yield* FileSystem.FileSystem;
-	const stack = [root];
-	let depth = 0;
-	while (stack.length > 0 && depth < 6) {
-		const layer = stack.splice(0);
-		depth += 1;
-		for (const dir of layer) {
-			const entries = yield* fs.readDirectory(dir).pipe(Effect.orElseSucceed(() => []));
-			for (const entry of entries) {
-				const full = path.join(dir, entry);
-				if (entry.endsWith(".app")) return full;
-				const stat = yield* fs.stat(full).pipe(Effect.option);
-				if (stat._tag === "Some" && stat.value.type === "Directory") stack.push(full);
-			}
-		}
+	if (tag === "NotFound") return new MissingCredentialsError({
+		message: message ?? `No ${platformLabel} build credentials configured${bundleSuffix}`,
+		hint: bind
+	});
+	if (tag === "BadRequest") return new MissingCredentialsError({
+		message: message ?? `${platformLabel} build credentials are misconfigured${bundleSuffix}`,
+		hint: bind
+	});
+	return new MissingCredentialsError({
+		message: message ?? `Failed to resolve ${platformLabel} build credentials${bundleSuffix}`,
+		hint: bind
+	});
+};
+const resolveOneBundleSettled = (api, options) => api.buildCredentials.resolve({
+	path: { projectId: options.projectId },
+	payload: {
+		platform: "ios",
+		bundleIdentifier: options.bundleIdentifier,
+		distributionType: IOS_DISTRIBUTION_TO_TYPE[options.distribution]
 	}
-	return yield* new ArtifactNotFoundError({ message: `No .app bundle found under "${root}".` });
-});
-const runIosSimulatorBuild = (input) => Effect.gen(function* () {
-	const { projectRoot, iosProfile, envVars, tempDir } = input;
-	const runtime = yield* CliRuntime;
-	const iosDir = path.join(projectRoot, "ios");
-	const commandEnv = yield* runtime.commandEnvironment(envVars);
-	yield* prebuildAndPods({
-		projectRoot,
-		iosDir,
-		commandEnv
+}).pipe(Effect.flatMap((resolved) => {
+	if (resolved.platform !== "ios") return Effect.succeed({
+		status: "failed",
+		bundleIdentifier: options.bundleIdentifier,
+		error: new MissingCredentialsError({
+			message: `Server returned non-iOS credentials for iOS bundle "${options.bundleIdentifier}"`,
+			hint: bindHint
+		})
 	});
-	const workspaceFilename = yield* findXcworkspace(iosDir);
-	const scheme = iosProfile.scheme ?? workspaceFilename.replace(/\.xcworkspace$/u, "");
-	const configuration = iosProfile.buildConfiguration ?? "Release";
-	const derivedDataPath = path.join(tempDir, "derived-data");
-	const buildCmd = Command.make("xcodebuild", "-workspace", workspaceFilename, "-scheme", scheme, "-configuration", configuration, "-sdk", "iphonesimulator", "-destination", "generic/platform=iOS Simulator", "-derivedDataPath", derivedDataPath, "build", "CODE_SIGNING_ALLOWED=NO", "CODE_SIGNING_REQUIRED=NO", "CODE_SIGN_IDENTITY=").pipe(Command.workingDirectory(iosDir), Command.env(commandEnv));
-	const formatter = input.rawOutput ? void 0 : createXcodebuildFormatter(projectRoot);
-	yield* formatter ? runStepFormatted(buildCmd, "xcodebuild build (simulator)", formatter) : runStep(buildCmd, "xcodebuild build (simulator)");
-	const appDir = yield* findAppDirectory(path.join(derivedDataPath, "Build", "Products", `${configuration}-iphonesimulator`));
-	const archiveName = `${path.basename(appDir, ".app")}-simulator.tar.gz`;
-	const archivePath = path.join(tempDir, archiveName);
-	yield* runStep(Command.make("tar", "-czf", archivePath, "-C", path.dirname(appDir), path.basename(appDir)).pipe(Command.env(commandEnv)), "tar simulator .app");
-	const { sha256, byteSize } = yield* sha256File(archivePath);
-	return {
-		artifactPath: archivePath,
-		byteSize,
-		sha256
-	};
-});
-const runIosDeviceBuild = (input) => Effect.gen(function* () {
-	const { api, tempDir, projectRoot, iosProfile, bundleId, envVars, projectId } = input;
-	const runtime = yield* CliRuntime;
-	const iosDir = path.join(projectRoot, "ios");
-	const { distribution } = iosProfile;
-	const commandEnv = yield* runtime.commandEnvironment(envVars);
-	const credentials = input.credentialsSource === "local" ? yield* loadLocalIosCredentials({ projectRoot }) : yield* downloadIosCredentials(api, {
-		projectId,
-		bundleIdentifier: bundleId,
-		distribution,
-		tempDir
+	return Effect.succeed({
+		status: "ok",
+		bundleIdentifier: options.bundleIdentifier,
+		value: {
+			bundleIdentifier: options.bundleIdentifier,
+			p12Base64: resolved.distributionCertificate.p12Base64,
+			p12Password: resolved.distributionCertificate.p12Password,
+			mobileprovisionBase64: resolved.provisioningProfile.mobileprovisionBase64,
+			profileUuid: resolved.provisioningProfile.uuid,
+			context: resolved.context
+		}
 	});
-	yield* prebuildAndPods({
-		projectRoot,
-		iosDir,
-		commandEnv
+}), Effect.catchAll((cause) => {
+	if ((hasTag$1(cause) ? cause._tag : null) === "NotFound") return Effect.succeed({
+		status: "not-registered",
+		bundleIdentifier: options.bundleIdentifier
 	});
-	const keychain = yield* acquireKeychain({
-		tempDir,
-		p12Path: credentials.p12Path,
-		p12Password: credentials.p12Password
+	return Effect.succeed({
+		status: "failed",
+		bundleIdentifier: options.bundleIdentifier,
+		error: resolveErrorToMissingCredentials(cause, "ios", options.bundleIdentifier)
 	});
-	const provisioning = yield* installProvisioningProfile({ profilePath: credentials.profilePath });
-	const workspaceFilename = yield* findXcworkspace(iosDir);
-	const scheme = iosProfile.scheme ?? workspaceFilename.replace(/\.xcworkspace$/u, "");
-	const configuration = iosProfile.buildConfiguration ?? "Release";
-	const archivePath = path.join(tempDir, "build.xcarchive");
-	const archiveCmd = Command.make("xcodebuild", "-workspace", workspaceFilename, "-scheme", scheme, "-configuration", configuration, "-archivePath", archivePath, "-allowProvisioningUpdates", "archive", "CODE_SIGN_STYLE=Manual", `DEVELOPMENT_TEAM=${provisioning.teamId}`, `CODE_SIGN_IDENTITY=${keychain.signingIdentity}`, `PROVISIONING_PROFILE_SPECIFIER=${provisioning.name}`).pipe(Command.workingDirectory(iosDir), Command.env(commandEnv));
-	const formatter = input.rawOutput ? void 0 : createXcodebuildFormatter(projectRoot);
-	yield* formatter ? runStepFormatted(archiveCmd, "xcodebuild archive", formatter) : runStep(archiveCmd, "xcodebuild archive");
+}));
+const autoProvisionHint = "Bind an ASC API key to the main app bundle in the dashboard so missing extension bundles can be auto-provisioned, or register them manually.";
+const downloadIosCredentials = (api, options) => Effect.gen(function* () {
 	const fs = yield* FileSystem.FileSystem;
-	const exportOptionsPath = path.join(tempDir, "ExportOptions.plist");
-	yield* fs.writeFileString(exportOptionsPath, renderExportOptionsPlist({
-		method: distribution,
-		teamId: provisioning.teamId,
-		bundleId,
-		provisioningProfileName: provisioning.name
+	if (options.bundleIdentifiers.length === 0) return yield* new MissingCredentialsError({
+		message: "downloadIosCredentials called with an empty bundleIdentifiers list.",
+		hint: bindHint
+	});
+	if (!options.bundleIdentifiers.includes(options.mainBundleIdentifier)) return yield* new MissingCredentialsError({
+		message: `Main bundle "${options.mainBundleIdentifier}" missing from bundleIdentifiers list.`,
+		hint: bindHint
+	});
+	const settled = yield* Effect.forEach(options.bundleIdentifiers, (bundleIdentifier) => resolveOneBundleSettled(api, {
+		projectId: options.projectId,
+		bundleIdentifier,
+		distribution: options.distribution
+	}), { concurrency: 4 });
+	const hardFailure = settled.find((entry) => entry.status === "failed");
+	if (hardFailure) return yield* hardFailure.error;
+	const mainEntry = settled.find((entry) => entry.bundleIdentifier === options.mainBundleIdentifier);
+	if (mainEntry?.status !== "ok") return yield* new MissingCredentialsError({
+		message: `Main app bundle "${options.mainBundleIdentifier}" is not registered on the backend.`,
+		hint: bindHint
+	});
+	const resolved = settled.filter((entry) => entry.status === "ok");
+	const missing = settled.filter((entry) => entry.status === "not-registered").map((entry) => entry.bundleIdentifier);
+	const provisioned = yield* maybeAutoProvision(api, {
+		mainContext: mainEntry.value.context,
+		missing,
+		projectId: options.projectId,
+		distributionType: IOS_DISTRIBUTION_TO_TYPE[options.distribution]
+	});
+	const p12Path = path.join(options.tempDir, "signing.p12");
+	yield* fs.writeFile(p12Path, fromBase64(mainEntry.value.p12Base64));
+	const profiles = [];
+	for (const entry of resolved) profiles.push(yield* writeProfile(fs, options.tempDir, {
+		bundleIdentifier: entry.value.bundleIdentifier,
+		base64: entry.value.mobileprovisionBase64,
+		uuid: entry.value.profileUuid
 	}));
-	const exportPath = path.join(tempDir, "export");
-	const exportCmd = Command.make("xcodebuild", "-exportArchive", "-archivePath", archivePath, "-exportPath", exportPath, "-exportOptionsPlist", exportOptionsPath, "-allowProvisioningUpdates").pipe(Command.workingDirectory(iosDir), Command.env(commandEnv));
-	yield* formatter ? runStepFormatted(exportCmd, "xcodebuild exportArchive", formatter) : runStep(exportCmd, "xcodebuild exportArchive");
-	yield* validateIosBuild({
-		archivePath,
-		expectedBundleId: bundleId,
-		expectedTeamId: provisioning.teamId,
-		expectedProfileUuid: provisioning.uuid
+	for (const entry of provisioned) profiles.push(yield* writeProfile(fs, options.tempDir, {
+		bundleIdentifier: entry.bundleIdentifier,
+		base64: entry.profileBase64,
+		uuid: entry.profileUuid
+	}));
+	return {
+		p12Path,
+		p12Password: mainEntry.value.p12Password,
+		profiles
+	};
+});
+const maybeAutoProvision = (api, params) => Effect.gen(function* () {
+	if (params.missing.length === 0) return [];
+	const { ascApiKeyId } = params.mainContext;
+	if (ascApiKeyId === null) return yield* new MissingCredentialsError({
+		message: `No iOS bundle configuration for extension bundle(s) ${params.missing.map((id) => `"${id}"`).join(", ")}, and the main bundle has no ASC API key bound for auto-provisioning.`,
+		hint: autoProvisionHint
 	});
-	const artifactPath = yield* findIosArtifact({ exportPath });
-	const { sha256, byteSize } = yield* sha256File(artifactPath);
+	yield* Console.log(`Auto-provisioning ${params.missing.length} missing extension profile(s) via Apple ASC...`);
+	return yield* Effect.forEach(params.missing, (bundleIdentifier) => autoProvisionExtensionProfile(api, {
+		projectId: params.projectId,
+		bundleIdentifier,
+		distributionType: params.distributionType,
+		ascApiKeyId,
+		distributionCertificateId: params.mainContext.distributionCertificateId,
+		appleTeamId: params.mainContext.appleTeamId
+	}).pipe(Effect.map((created) => ({
+		bundleIdentifier: created.bundleIdentifier,
+		profileBase64: created.profileBase64,
+		profileUuid: created.profileUuid
+	})), Effect.mapError((cause) => {
+		const tag = hasTag$1(cause) ? cause._tag : "AutoProvisionError";
+		return new MissingCredentialsError({
+			message: `Auto-provision failed for "${bundleIdentifier}": ${hasTag$1(cause) && typeof cause.message === "string" ? cause.message : `Failed to auto-provision profile for "${bundleIdentifier}" (${tag})`}`,
+			hint: autoProvisionHint
+		});
+	})), { concurrency: 2 });
+});
+const writeProfile = (fs, tempDir, params) => Effect.gen(function* () {
+	const profileFilename = `${params.uuid ?? params.bundleIdentifier}.mobileprovision`;
+	const profilePath = path.join(tempDir, profileFilename);
+	yield* fs.writeFile(profilePath, fromBase64(params.base64));
 	return {
-		artifactPath,
-		byteSize,
-		sha256
+		bundleIdentifier: params.bundleIdentifier,
+		profilePath,
+		profileFilename
+	};
+});
+const downloadAndroidCredentials = (api, options) => Effect.gen(function* () {
+	const fs = yield* FileSystem.FileSystem;
+	const resolved = yield* api.buildCredentials.resolve({
+		path: { projectId: options.projectId },
+		payload: {
+			platform: "android",
+			applicationIdentifier: options.applicationIdentifier
+		}
+	}).pipe(Effect.mapError((cause) => resolveErrorToMissingCredentials(cause, "android")));
+	if (resolved.platform !== "android") return yield* Effect.fail(new MissingCredentialsError({
+		message: "Server returned non-Android credentials for an Android build request",
+		hint: androidBindHint
+	}));
+	const keystorePath = path.join(options.tempDir, "upload.keystore");
+	yield* fs.writeFile(keystorePath, fromBase64(resolved.keystore.keystoreBase64));
+	return {
+		keystorePath,
+		storePassword: resolved.keystore.storePassword,
+		keyAlias: resolved.keystore.keyAlias,
+		keyPassword: resolved.keystore.keyPassword
 	};
 });
-const runIosBuild = (input) => input.iosProfile.simulator === true ? runIosSimulatorBuild(input) : runIosDeviceBuild(input);
 
 //#endregion
-//#region src/commands/build/reserve-and-upload.ts
-const buildReserveCommon = (input) => ({
-	projectId: input.projectId,
-	profile: input.profileName,
-	runtimeVersion: input.runtimeVersion,
-	bundleId: input.bundleId,
-	sha256: input.sha256,
-	byteSize: input.byteSize,
-	...input.appVersion === void 0 ? {} : { appVersion: input.appVersion },
-	...input.buildNumber === void 0 ? {} : { buildNumber: input.buildNumber },
-	...input.gitContext.ref === void 0 ? {} : { gitRef: input.gitContext.ref },
-	...input.gitContext.commit === void 0 ? {} : { gitCommit: input.gitContext.commit },
-	...input.message === void 0 ? {} : { message: input.message }
-});
-const callReserve = (api, input) => {
-	const common = buildReserveCommon(input);
-	const { target } = input;
-	if (target.platform === "ios") return target.distribution === "simulator" ? api.builds.reserve({ payload: {
-		...common,
-		platform: "ios",
-		distribution: "simulator",
-		artifactFormat: "tar.gz"
-	} }) : api.builds.reserve({ payload: {
-		...common,
-		platform: "ios",
-		distribution: target.distribution,
-		artifactFormat: "ipa"
-	} });
-	return target.distribution === "play-store" ? api.builds.reserve({ payload: {
-		...common,
-		platform: "android",
-		distribution: "play-store",
-		artifactFormat: "aab"
-	} }) : api.builds.reserve({ payload: {
-		...common,
-		platform: "android",
-		distribution: "direct",
-		artifactFormat: "apk"
-	} });
-};
-/**
-* Reserve a build record on the server, upload the artifact to the returned
-* presigned URL, and finalize the build with its sha256 + byteSize.
-*/
-const reserveAndUpload = (api, input) => Effect.gen(function* () {
-	const presignedUploadClient = yield* PresignedUploadClient;
-	const reserveResult = yield* callReserve(api, input).pipe(Effect.mapError((cause) => new ReserveError({ message: `Failed to reserve build: ${formatCause(cause)}` })));
-	yield* presignedUploadClient.putToPresignedUrl({
-		url: reserveResult.uploadUrl,
-		filePath: input.artifactPath,
-		byteSize: input.byteSize,
-		expiresAt: reserveResult.uploadExpiresAt,
-		headers: reserveResult.uploadHeaders
-	});
-	const completed = yield* api.builds.complete({
-		path: { id: reserveResult.id },
-		payload: {
-			sha256: input.sha256,
-			byteSize: input.byteSize
-		}
-	}).pipe(Effect.mapError((cause) => new CompleteError({ message: `Failed to complete build ${reserveResult.id}: ${formatCause(cause)}` })));
-	if (!completed.artifact) return yield* new CompleteError({ message: `Build ${completed.id} completed but server returned no artifact record.` });
+//#region src/lib/credentials-json.ts
+const CREDENTIALS_JSON_FILENAME = "credentials.json";
+const asString$2 = (value, field) => typeof value === "string" && value.length > 0 ? Effect.succeed(value) : Effect.fail(new CredentialsJsonError({ message: `credentials.json: field "${field}" must be a non-empty string.` }));
+const parseIosDistributionCertificate = (raw) => Effect.gen(function* () {
+	const record = asRecord(raw);
+	if (!record) return yield* new CredentialsJsonError({ message: "credentials.json: ios.distributionCertificate must be an object." });
 	return {
-		id: completed.id,
-		status: "uploaded"
+		path: yield* asString$2(record["path"], "ios.distributionCertificate.path"),
+		password: yield* asString$2(record["password"], "ios.distributionCertificate.password")
 	};
 });
-
-//#endregion
-//#region src/lib/auto-increment.ts
-const bumpBuildNumber = (current) => Effect.gen(function* () {
-	const raw = current ?? "0";
-	const parsed = Number.parseInt(raw, 10);
-	if (Number.isNaN(parsed)) return yield* new BuildProfileError({ message: `Cannot autoIncrement ios.buildNumber: current value "${raw}" is not a base-10 integer.` });
-	return String(parsed + 1);
-});
-const bumpVersionCode = (current) => Effect.gen(function* () {
-	const value = current ?? 0;
-	if (!Number.isInteger(value) || value < 0) return yield* new BuildProfileError({ message: `Cannot autoIncrement android.versionCode: current value ${String(value)} is not a non-negative integer.` });
-	return value + 1;
-});
-const SEMVER_PATCH = /^(\d+)\.(\d+)\.(\d+)(.*)$/u;
-const bumpVersion = (current) => Effect.gen(function* () {
-	if (current === void 0) return yield* new BuildProfileError({ message: "Cannot autoIncrement version: no `version` field set in Expo config." });
-	const match = SEMVER_PATCH.exec(current);
-	if (!match) return yield* new BuildProfileError({ message: `Cannot autoIncrement version: "${current}" is not a semver string like "1.2.3".` });
-	const [, major, minor, patch, suffix] = match;
-	const nextPatch = Number.parseInt(patch ?? "0", 10) + 1;
-	return `${major ?? "0"}.${minor ?? "0"}.${String(nextPatch)}${suffix ?? ""}`;
+const parseIosPushKey = (raw) => Effect.gen(function* () {
+	const record = asRecord(raw);
+	if (!record) return yield* new CredentialsJsonError({ message: "credentials.json: ios.pushKey must be an object." });
+	return {
+		path: yield* asString$2(record["path"], "ios.pushKey.path"),
+		keyId: yield* asString$2(record["keyId"], "ios.pushKey.keyId"),
+		teamId: yield* asString$2(record["teamId"], "ios.pushKey.teamId")
+	};
 });
-const computeIosBumps = (config, mode) => Effect.gen(function* () {
-	if (mode === "buildNumber") return { nextBuildNumber: yield* bumpBuildNumber(config.ios?.buildNumber) };
+const parseIosAscApiKey = (raw) => Effect.gen(function* () {
+	const record = asRecord(raw);
+	if (!record) return yield* new CredentialsJsonError({ message: "credentials.json: ios.ascApiKey must be an object." });
 	return {
-		nextVersion: yield* bumpVersion(config.version),
-		nextBuildNumber: yield* bumpBuildNumber(config.ios?.buildNumber)
+		path: yield* asString$2(record["path"], "ios.ascApiKey.path"),
+		keyId: yield* asString$2(record["keyId"], "ios.ascApiKey.keyId"),
+		issuerId: yield* asString$2(record["issuerId"], "ios.ascApiKey.issuerId")
 	};
 });
-const computeAndroidBumps = (config, mode) => Effect.gen(function* () {
-	if (mode === "versionCode") return { nextVersionCode: yield* bumpVersionCode(config.android?.versionCode) };
+const parseIosAdditionalProvisioningProfile = (raw, index) => Effect.gen(function* () {
+	const record = asRecord(raw);
+	if (!record) return yield* new CredentialsJsonError({ message: `credentials.json: ios.additionalProvisioningProfiles[${index}] must be an object.` });
 	return {
-		nextVersion: yield* bumpVersion(config.version),
-		nextVersionCode: yield* bumpVersionCode(config.android?.versionCode)
+		bundleIdentifier: yield* asString$2(record["bundleIdentifier"], `ios.additionalProvisioningProfiles[${index}].bundleIdentifier`),
+		path: yield* asString$2(record["path"], `ios.additionalProvisioningProfiles[${index}].path`)
 	};
 });
-const buildPatch = (platform, bumps) => {
-	const patch = {};
-	if (bumps.nextVersion !== void 0) patch["version"] = bumps.nextVersion;
-	if (platform === "ios" && bumps.nextBuildNumber !== void 0) patch["ios"] = { buildNumber: bumps.nextBuildNumber };
-	if (platform === "android" && bumps.nextVersionCode !== void 0) patch["android"] = { versionCode: bumps.nextVersionCode };
-	return patch;
-};
-const describeBumps = (platform, bumps) => {
-	const parts = [];
-	if (bumps.nextVersion !== void 0) parts.push(`version=${bumps.nextVersion}`);
-	if (platform === "ios" && bumps.nextBuildNumber !== void 0) parts.push(`ios.buildNumber=${bumps.nextBuildNumber}`);
-	if (platform === "android" && bumps.nextVersionCode !== void 0) parts.push(`android.versionCode=${String(bumps.nextVersionCode)}`);
-	return parts.join(", ");
-};
-const computeBumps = (input) => {
-	if (input.platform === "ios") return input.iosMode === void 0 ? Effect.succeed({}) : computeIosBumps(input.config, input.iosMode);
-	return input.androidMode === void 0 ? Effect.succeed({}) : computeAndroidBumps(input.config, input.androidMode);
-};
-const hasAnyBump = (bumps) => bumps.nextVersion !== void 0 || bumps.nextBuildNumber !== void 0 || bumps.nextVersionCode !== void 0;
-/**
-* Bump `version` / `ios.buildNumber` / `android.versionCode` per the resolved
-* autoIncrement mode, persist via `@expo/config.modifyConfigAsync`, and log a
-* Human-readable summary. No-op when the mode is undefined. Returns the new
-* Bumped values so callers can refresh their in-memory ExpoConfig.
-*/
-const applyAutoIncrement = (input) => Effect.gen(function* () {
-	const bumps = yield* computeBumps(input);
-	if (!hasAnyBump(bumps)) return bumps;
-	const patch = buildPatch(input.platform, bumps);
-	const result = yield* writeExpoConfigPatch(input.projectRoot, patch).pipe(Effect.mapError((cause) => new BuildProfileError({ message: `Failed to persist autoIncrement: ${cause.message}` })));
-	if (result.type === "warn" && result.configPath === null) {
-		yield* Console.log(`autoIncrement: dynamic Expo config detected, cannot write back. Update manually: ${describeBumps(input.platform, bumps)}`);
-		return bumps;
-	}
-	yield* Console.log(`autoIncrement: bumped ${describeBumps(input.platform, bumps)}`);
-	return bumps;
+const parseIosAdditionalProvisioningProfiles = (raw) => Effect.gen(function* () {
+	if (!Array.isArray(raw)) return yield* new CredentialsJsonError({ message: "credentials.json: ios.additionalProvisioningProfiles must be an array." });
+	const entries = [];
+	for (const [index, item] of raw.entries()) entries.push(yield* parseIosAdditionalProvisioningProfile(item, index));
+	return entries;
 });
-
-//#endregion
-//#region src/lib/eas-config.ts
-const MAX_EXTENDS_DEPTH = 10;
-const asStringValue = (value) => typeof value === "string" ? value : void 0;
-const asBooleanValue = (value) => typeof value === "boolean" ? value : void 0;
-const asEnv = (value) => {
-	const record = asRecord(value);
-	if (!record) return;
-	const env = {};
-	for (const [key, raw] of Object.entries(record)) if (typeof raw === "string") env[key] = raw;
-	return Object.keys(env).length === 0 ? void 0 : env;
-};
-const asIosDistribution = (raw) => {
-	const value = asStringValue(raw);
-	if (value === "app-store" || value === "ad-hoc" || value === "development" || value === "enterprise") return value;
-};
-const asEnterpriseProvisioning = (raw) => {
-	const value = asStringValue(raw);
-	return value === "adhoc" || value === "universal" ? value : void 0;
-};
-const asAndroidBuildType = (raw) => {
-	const value = asStringValue(raw);
-	return value === "debug" || value === "release" ? value : void 0;
-};
-const asAndroidFormat = (raw) => {
-	const value = asStringValue(raw);
-	return value === "apk" || value === "aab" ? value : void 0;
-};
-const asAndroidDistribution = (raw) => {
-	const value = asStringValue(raw);
-	return value === "play-store" || value === "direct" ? value : void 0;
-};
-const asIosAutoIncrement = (raw) => {
-	if (typeof raw === "boolean") return raw;
-	const value = asStringValue(raw);
-	return value === "buildNumber" || value === "version" ? value : void 0;
-};
-const asAndroidAutoIncrement = (raw) => {
-	if (typeof raw === "boolean") return raw;
-	const value = asStringValue(raw);
-	return value === "versionCode" || value === "version" ? value : void 0;
-};
-const asAutoIncrement = (raw) => {
-	if (typeof raw === "boolean") return raw;
-	const value = asStringValue(raw);
-	return value === "buildNumber" || value === "versionCode" || value === "version" ? value : void 0;
-};
-const asEasDistribution = (raw) => {
-	const value = asStringValue(raw);
-	return value === "internal" || value === "store" ? value : void 0;
-};
-const asCredentialsSource = (raw) => {
-	const value = asStringValue(raw);
-	return value === "remote" || value === "local" ? value : void 0;
-};
-const parseIosProfile = (raw) => {
+const parseIos = (raw) => Effect.gen(function* () {
 	const record = asRecord(raw);
-	if (!record) return;
-	const distribution = asIosDistribution(record["distribution"]);
-	const buildConfiguration = asStringValue(record["buildConfiguration"]);
-	const scheme = asStringValue(record["scheme"]);
-	const simulator = asBooleanValue(record["simulator"]);
-	const enterpriseProvisioning = asEnterpriseProvisioning(record["enterpriseProvisioning"]);
-	const autoIncrement = asIosAutoIncrement(record["autoIncrement"]);
+	if (!record) return yield* new CredentialsJsonError({ message: "credentials.json: \"ios\" must be an object." });
+	const provisioningProfilePath = yield* asString$2(record["provisioningProfilePath"], "ios.provisioningProfilePath");
+	const distributionCertificate = yield* parseIosDistributionCertificate(record["distributionCertificate"]);
+	const additionalProvisioningProfiles = record["additionalProvisioningProfiles"] === void 0 ? void 0 : yield* parseIosAdditionalProvisioningProfiles(record["additionalProvisioningProfiles"]);
+	const pushKey = record["pushKey"] === void 0 ? void 0 : yield* parseIosPushKey(record["pushKey"]);
+	const ascApiKey = record["ascApiKey"] === void 0 ? void 0 : yield* parseIosAscApiKey(record["ascApiKey"]);
 	return {
-		...distribution === void 0 ? {} : { distribution },
-		...buildConfiguration === void 0 ? {} : { buildConfiguration },
-		...scheme === void 0 ? {} : { scheme },
-		...simulator === void 0 ? {} : { simulator },
-		...enterpriseProvisioning === void 0 ? {} : { enterpriseProvisioning },
-		...autoIncrement === void 0 ? {} : { autoIncrement }
+		provisioningProfilePath,
+		distributionCertificate,
+		...additionalProvisioningProfiles === void 0 ? {} : { additionalProvisioningProfiles },
+		...pushKey === void 0 ? {} : { pushKey },
+		...ascApiKey === void 0 ? {} : { ascApiKey }
 	};
-};
-const parseAndroidProfile = (raw) => {
+});
+const parseAndroidKeystore = (raw) => Effect.gen(function* () {
 	const record = asRecord(raw);
-	if (!record) return;
-	const buildType = asAndroidBuildType(record["buildType"]);
-	const flavor = asStringValue(record["flavor"]);
-	const gradleCommand = asStringValue(record["gradleCommand"]);
-	const format = asAndroidFormat(record["format"]);
-	const distribution = asAndroidDistribution(record["distribution"]);
-	const autoIncrement = asAndroidAutoIncrement(record["autoIncrement"]);
+	if (!record) return yield* new CredentialsJsonError({ message: "credentials.json: android.keystore must be an object." });
 	return {
-		...buildType === void 0 ? {} : { buildType },
-		...flavor === void 0 ? {} : { flavor },
-		...gradleCommand === void 0 ? {} : { gradleCommand },
-		...format === void 0 ? {} : { format },
-		...distribution === void 0 ? {} : { distribution },
-		...autoIncrement === void 0 ? {} : { autoIncrement }
+		keystorePath: yield* asString$2(record["keystorePath"], "android.keystore.keystorePath"),
+		keystorePassword: yield* asString$2(record["keystorePassword"], "android.keystore.keystorePassword"),
+		keyAlias: yield* asString$2(record["keyAlias"], "android.keystore.keyAlias"),
+		keyPassword: yield* asString$2(record["keyPassword"], "android.keystore.keyPassword")
 	};
-};
-const parseBuildProfile = (raw) => {
+});
+const parseGoogleServiceAccountKey = (raw) => Effect.gen(function* () {
 	const record = asRecord(raw);
-	if (!record) return;
-	const extendsName = asStringValue(record["extends"]);
-	const developmentClient = asBooleanValue(record["developmentClient"]);
-	const distribution = asEasDistribution(record["distribution"]);
-	const channel = asStringValue(record["channel"]);
-	const environment = asStringValue(record["environment"]);
-	const env = asEnv(record["env"]);
-	const ios = parseIosProfile(record["ios"]);
-	const android = parseAndroidProfile(record["android"]);
-	const credentialsSource = asCredentialsSource(record["credentialsSource"]);
-	const autoIncrement = asAutoIncrement(record["autoIncrement"]);
+	if (!record) return yield* new CredentialsJsonError({ message: "credentials.json: android.googleServiceAccountKey must be an object." });
+	return { path: yield* asString$2(record["path"], "android.googleServiceAccountKey.path") };
+});
+const parseAndroid = (raw) => Effect.gen(function* () {
+	const record = asRecord(raw);
+	if (!record) return yield* new CredentialsJsonError({ message: "credentials.json: \"android\" must be an object." });
+	const keystore = yield* parseAndroidKeystore(record["keystore"]);
+	const googleServiceAccountKey = record["googleServiceAccountKey"] === void 0 ? void 0 : yield* parseGoogleServiceAccountKey(record["googleServiceAccountKey"]);
 	return {
-		...extendsName === void 0 ? {} : { extends: extendsName },
-		...developmentClient === void 0 ? {} : { developmentClient },
-		...distribution === void 0 ? {} : { distribution },
-		...channel === void 0 ? {} : { channel },
-		...environment === void 0 ? {} : { environment },
-		...env === void 0 ? {} : { env },
-		...ios === void 0 ? {} : { ios },
-		...android === void 0 ? {} : { android },
-		...credentialsSource === void 0 ? {} : { credentialsSource },
-		...autoIncrement === void 0 ? {} : { autoIncrement }
+		keystore,
+		...googleServiceAccountKey === void 0 ? {} : { googleServiceAccountKey }
 	};
-};
-const parseEasConfig = (text) => Effect.gen(function* () {
+});
+const parseCredentialsJson = (raw) => Effect.gen(function* () {
 	const root = asRecord(yield* Effect.try({
-		try: () => JSON.parse(text),
-		catch: (cause) => new BuildProfileError({ message: `eas.json is not valid JSON: ${formatCause(cause)}` })
+		try: () => JSON.parse(raw),
+		catch: () => new CredentialsJsonError({ message: "credentials.json is not valid JSON." })
 	}));
-	if (!root) return yield* new BuildProfileError({ message: "eas.json must be a JSON object at the top level." });
-	const buildRecord = asRecord(root["build"]);
-	if (!buildRecord) return asRecord(root["cli"]) ? { cli: parseCli(root["cli"]) } : {};
-	const profiles = {};
-	for (const [name, value] of Object.entries(buildRecord)) {
-		const profile = parseBuildProfile(value);
-		if (profile) profiles[name] = profile;
-	}
+	if (!root) return yield* new CredentialsJsonError({ message: "credentials.json must be a JSON object at the top level." });
+	const ios = root["ios"] === void 0 ? void 0 : yield* parseIos(root["ios"]);
+	const android = root["android"] === void 0 ? void 0 : yield* parseAndroid(root["android"]);
+	if (!ios && !android) return yield* new CredentialsJsonError({ message: "credentials.json must contain at least one of \"ios\" or \"android\"." });
 	return {
-		...asRecord(root["cli"]) ? { cli: parseCli(root["cli"]) } : {},
-		build: profiles
+		...ios === void 0 ? {} : { ios },
+		...android === void 0 ? {} : { android }
 	};
 });
-const parseCli = (raw) => {
-	const record = asRecord(raw);
-	if (!record) return {};
-	const version = asStringValue(record["version"]);
-	return version === void 0 ? {} : { version };
-};
-const easJsonPath = (projectRoot) => Effect.gen(function* () {
-	return (yield* Path.Path).join(projectRoot, "eas.json");
+const credentialsJsonPath = (projectRoot) => path.join(projectRoot, CREDENTIALS_JSON_FILENAME);
+const readCredentialsJson = (projectRoot) => Effect.gen(function* () {
+	const fs = yield* FileSystem.FileSystem;
+	const filePath = credentialsJsonPath(projectRoot);
+	if (!(yield* fs.exists(filePath).pipe(Effect.catchAll(() => Effect.succeed(false))))) return yield* new CredentialsJsonError({ message: `credentials.json not found at ${filePath}.` });
+	return yield* parseCredentialsJson(yield* fs.readFileString(filePath).pipe(Effect.mapError((cause) => new CredentialsJsonError({ message: `Failed to read credentials.json: ${String(cause)}` }))));
 });
-const readEasJson = (projectRoot) => Effect.gen(function* () {
+const writeCredentialsJson = (projectRoot, data) => Effect.gen(function* () {
 	const fs = yield* FileSystem.FileSystem;
-	const filePath = yield* easJsonPath(projectRoot);
-	return yield* parseEasConfig(yield* fs.readFileString(filePath).pipe(Effect.catchAll((cause) => Effect.fail(new BuildProfileError({ message: cause._tag === "SystemError" && cause.reason === "NotFound" ? `No eas.json found at ${filePath}. Create one with a "build" section.` : `Failed to read eas.json: ${cause.message}` })))));
+	const filePath = credentialsJsonPath(projectRoot);
+	const body = `${JSON.stringify(data, null, 2)}\n`;
+	yield* fs.writeFileString(filePath, body).pipe(Effect.mapError((cause) => new CredentialsJsonError({ message: `Failed to write credentials.json: ${String(cause)}` })));
+	return filePath;
 });
-const mergeIos = (base, overlay) => {
-	if (!base) return overlay;
-	if (!overlay) return base;
-	return {
-		...base,
-		...overlay
-	};
-};
-const mergeAndroid = (base, overlay) => {
-	if (!base) return overlay;
-	if (!overlay) return base;
-	return {
-		...base,
-		...overlay
-	};
-};
-const mergeEnv = (base, overlay) => {
-	if (!base) return overlay;
-	if (!overlay) return base;
+/**
+* Resolve a path that may be either absolute or relative to the project root.
+*/
+const resolveCredentialPath = (projectRoot, candidate) => path.isAbsolute(candidate) ? candidate : path.join(projectRoot, candidate);
+
+//#endregion
+//#region src/lib/local-credentials.ts
+const requirePath = (fs, absolutePath, label) => fs.exists(absolutePath).pipe(Effect.catchAll(() => Effect.succeed(false)), Effect.flatMap((exists) => exists ? Effect.void : Effect.fail(new MissingCredentialsError({
+	message: `Local credentials.json: ${label} not found at ${absolutePath}.`,
+	hint: "Run `better-update credentials sync pull` to materialize files, or fix the path in credentials.json."
+}))));
+const loadLocalIosCredentials = (options) => Effect.gen(function* () {
+	const fs = yield* FileSystem.FileSystem;
+	const data = yield* readCredentialsJson(options.projectRoot).pipe(Effect.mapError((cause) => new MissingCredentialsError({
+		message: `Local credentials.json: ${cause.message}`,
+		hint: "Create credentials.json or switch the build profile's credentialsSource back to \"remote\"."
+	})));
+	if (!data.ios) return yield* new MissingCredentialsError({
+		message: "credentials.json has no `ios` section but the build is for iOS.",
+		hint: "Add an `ios` block to credentials.json or switch credentialsSource to remote."
+	});
+	const p12Path = resolveCredentialPath(options.projectRoot, data.ios.distributionCertificate.path);
+	yield* requirePath(fs, p12Path, "distribution certificate (.p12)");
+	const mainProfilePath = resolveCredentialPath(options.projectRoot, data.ios.provisioningProfilePath);
+	yield* requirePath(fs, mainProfilePath, "provisioning profile (.mobileprovision)");
+	const profiles = [{
+		bundleIdentifier: options.mainBundleIdentifier,
+		profilePath: mainProfilePath,
+		profileFilename: path.basename(mainProfilePath)
+	}];
+	for (const extra of data.ios.additionalProvisioningProfiles ?? []) {
+		const extraPath = resolveCredentialPath(options.projectRoot, extra.path);
+		yield* requirePath(fs, extraPath, `provisioning profile for ${extra.bundleIdentifier} (.mobileprovision)`);
+		profiles.push({
+			bundleIdentifier: extra.bundleIdentifier,
+			profilePath: extraPath,
+			profileFilename: path.basename(extraPath)
+		});
+	}
 	return {
-		...base,
-		...overlay
+		p12Path,
+		p12Password: data.ios.distributionCertificate.password,
+		profiles
 	};
-};
-const mergeProfile = (base, overlay) => {
-	const ios = mergeIos(base.ios, overlay.ios);
-	const android = mergeAndroid(base.android, overlay.android);
-	const env = mergeEnv(base.env, overlay.env);
-	const developmentClient = overlay.developmentClient ?? base.developmentClient;
-	const distribution = overlay.distribution ?? base.distribution;
-	const channel = overlay.channel ?? base.channel;
-	const environment = overlay.environment ?? base.environment;
-	const credentialsSource = overlay.credentialsSource ?? base.credentialsSource;
-	const autoIncrement = overlay.autoIncrement ?? base.autoIncrement;
+});
+const loadLocalAndroidCredentials = (options) => Effect.gen(function* () {
+	const fs = yield* FileSystem.FileSystem;
+	const data = yield* readCredentialsJson(options.projectRoot).pipe(Effect.mapError((cause) => new MissingCredentialsError({
+		message: `Local credentials.json: ${cause.message}`,
+		hint: "Create credentials.json or switch the build profile's credentialsSource back to \"remote\"."
+	})));
+	if (!data.android) return yield* new MissingCredentialsError({
+		message: "credentials.json has no `android` section but the build is for Android.",
+		hint: "Add an `android` block to credentials.json or switch credentialsSource to remote."
+	});
+	const keystorePath = resolveCredentialPath(options.projectRoot, data.android.keystore.keystorePath);
+	yield* requirePath(fs, keystorePath, "keystore");
 	return {
-		...overlay.extends === void 0 ? {} : { extends: overlay.extends },
-		...developmentClient === void 0 ? {} : { developmentClient },
-		...distribution === void 0 ? {} : { distribution },
-		...channel === void 0 ? {} : { channel },
-		...environment === void 0 ? {} : { environment },
-		...env === void 0 ? {} : { env },
-		...ios === void 0 ? {} : { ios },
-		...android === void 0 ? {} : { android },
-		...credentialsSource === void 0 ? {} : { credentialsSource },
-		...autoIncrement === void 0 ? {} : { autoIncrement }
+		keystorePath,
+		storePassword: data.android.keystore.keystorePassword,
+		keyAlias: data.android.keystore.keyAlias,
+		keyPassword: data.android.keystore.keyPassword
 	};
-};
-const collectExtendsChain = (profiles, profileName) => Effect.gen(function* () {
-	const chain = [];
-	const visited = /* @__PURE__ */ new Set();
-	let current = profileName;
-	let depth = 0;
-	while (current !== void 0) {
-		if (visited.has(current)) return yield* new BuildProfileError({ message: `Cycle detected in eas.json build.${profileName} extends chain at "${current}".` });
-		visited.add(current);
-		const profile = profiles[current];
-		if (!profile) return yield* new BuildProfileError({ message: current === profileName ? `Build profile "${profileName}" not found in eas.json.` : `Build profile "${profileName}" extends missing profile "${current}".` });
-		chain.unshift(profile);
-		current = profile.extends;
-		depth += 1;
-		if (depth > MAX_EXTENDS_DEPTH) return yield* new BuildProfileError({ message: `Too many "extends" levels (max ${String(MAX_EXTENDS_DEPTH)}) in eas.json build.${profileName}.` });
-	}
-	return chain;
-});
-const stripExtends = (profile) => {
-	if (profile.extends === void 0) return profile;
-	const { extends: _omit, ...rest } = profile;
-	return rest;
-};
-const resolveEasBuildProfile = (config, profileName) => Effect.gen(function* () {
-	const profiles = config.build;
-	if (!profiles) return yield* new BuildProfileError({ message: "eas.json has no \"build\" section. Add at least one profile." });
-	return stripExtends((yield* collectExtendsChain(profiles, profileName)).reduce((acc, next, index) => index === 0 ? next : mergeProfile(acc, next), {}));
 });
 
 //#endregion
-//#region src/lib/build-profile.ts
-const asString$1 = (value) => typeof value === "string" ? value : void 0;
-const deriveIosDistribution = (eas) => {
-	const override = eas.ios?.distribution;
-	if (override) return override;
-	if (eas.developmentClient === true) return "development";
-	if (eas.distribution === "internal") return "ad-hoc";
-	if (eas.distribution === "store") return "app-store";
-};
-const deriveAndroidFormat = (eas) => {
-	if (eas.android?.format) return eas.android.format;
-	if (eas.distribution === "store") return "aab";
-	if (eas.distribution === "internal") return "apk";
-	if (eas.developmentClient === true) return "apk";
-};
-const deriveAndroidDistribution = (eas, format) => {
-	if (eas.android?.distribution) return eas.android.distribution;
-	if (format === "aab") return "play-store";
-	return "direct";
-};
-const hasIosIntent = (eas) => eas.ios !== void 0 || eas.distribution !== void 0 || eas.developmentClient === true;
-const hasAndroidIntent = (eas) => eas.android !== void 0 || eas.distribution !== void 0 || eas.developmentClient === true;
-const resolveIosAutoIncrement = (eas) => {
-	const override = eas.ios?.autoIncrement;
-	if (override === false) return;
-	if (override === true) return "buildNumber";
-	if (override === "buildNumber" || override === "version") return override;
-	const top = eas.autoIncrement;
-	if (top === true || top === "buildNumber") return "buildNumber";
-	if (top === "version") return "version";
-};
-const resolveAndroidAutoIncrement = (eas) => {
-	const override = eas.android?.autoIncrement;
-	if (override === false) return;
-	if (override === true) return "versionCode";
-	if (override === "versionCode" || override === "version") return override;
-	const top = eas.autoIncrement;
-	if (top === true || top === "versionCode") return "versionCode";
-	if (top === "version") return "version";
-};
-const toIosProfile = (eas) => {
-	if (!hasIosIntent(eas)) return;
-	const distribution = deriveIosDistribution(eas);
-	if (!distribution) return;
-	const ios = eas.ios ?? {};
-	const autoIncrement = resolveIosAutoIncrement(eas);
-	return {
-		distribution,
-		...ios.buildConfiguration === void 0 ? {} : { buildConfiguration: ios.buildConfiguration },
-		...ios.scheme === void 0 ? {} : { scheme: ios.scheme },
-		...ios.simulator === void 0 ? {} : { simulator: ios.simulator },
-		...autoIncrement === void 0 ? {} : { autoIncrement }
-	};
-};
-const toAndroidProfile = (eas) => {
-	if (!hasAndroidIntent(eas)) return;
-	const format = deriveAndroidFormat(eas);
-	if (!format) return;
-	const android = eas.android ?? {};
-	const distribution = deriveAndroidDistribution(eas, format);
-	const autoIncrement = resolveAndroidAutoIncrement(eas);
-	return {
-		format,
-		distribution,
-		...android.buildType === void 0 ? {} : { buildType: android.buildType },
-		...android.flavor === void 0 ? {} : { flavor: android.flavor },
-		...android.gradleCommand === void 0 ? {} : { gradleCommand: android.gradleCommand },
-		...autoIncrement === void 0 ? {} : { autoIncrement }
-	};
-};
-const fromEasProfile = (eas, profileName) => {
-	const ios = toIosProfile(eas);
-	const android = toAndroidProfile(eas);
-	return {
-		name: profileName,
-		environment: eas.environment ?? "production",
-		...eas.channel === void 0 ? {} : { channel: eas.channel },
-		...eas.env === void 0 ? {} : { env: eas.env },
-		...ios === void 0 ? {} : { ios },
-		...android === void 0 ? {} : { android },
-		...eas.credentialsSource === void 0 ? {} : { credentialsSource: eas.credentialsSource }
-	};
-};
-const readBuildProfile = (projectRoot, profileName) => Effect.gen(function* () {
-	return fromEasProfile(yield* resolveEasBuildProfile(yield* readEasJson(projectRoot), profileName), profileName);
-});
-const readRuntimeVersionMeta = (config) => ({
-	appVersion: config.version,
-	rawRuntimeVersion: readRawRuntimeVersion(config.runtimeVersion)
-});
-const readRawRuntimeVersion = (value) => {
-	if (typeof value === "string") return value;
-	const policy = asString$1(asRecord(value)?.["policy"]);
-	if (policy) return { policy };
+//#region src/lib/sha256.ts
+const hashReadError = (message) => new BuildFailedError({
+	step: "sha256",
+	exitCode: 1,
+	message
+});
+const hashFile = (path, formatDigest) => Effect.async((resume) => {
+	const hash = createHash("sha256");
+	const stream = createReadStream(path);
+	let byteSize = 0;
+	stream.on("data", (chunk) => {
+		const buffer = typeof chunk === "string" ? Buffer.from(chunk) : chunk;
+		byteSize += buffer.byteLength;
+		hash.update(buffer);
+	});
+	stream.on("error", (error) => {
+		resume(Effect.fail(hashReadError(`Failed to read file for SHA-256: ${error.message}`)));
+	});
+	stream.on("end", () => {
+		resume(Effect.succeed({
+			digest: formatDigest(hash.digest()),
+			byteSize
+		}));
+	});
+});
+/**
+* Compute the SHA-256 digest and byte size of a file using Node's streaming
+* hash API. The file is never fully loaded into memory — chunks flow through
+* `createReadStream` into `crypto.createHash("sha256")`.
+*/
+const sha256File = (path) => hashFile(path, (digest) => digest.toString("hex")).pipe(Effect.map(({ digest, byteSize }) => ({
+	sha256: digest,
+	byteSize
+})));
+/**
+* Compute a content-type-namespaced hash: `SHA-256(contentType + '\0' + SHA-256_hex(fileBytes))`.
+*
+* This prevents hash collisions when identical bytes are served with different
+* MIME types (e.g. same file used as both `application/javascript` and `text/plain`).
+* The raw content hash is still needed separately for R2 upload verification.
+*/
+const sha256Namespaced = (contentType, contentSha256Hex) => {
+	const input = `${contentType}\0${contentSha256Hex}`;
+	return toBase64Url(createHash("sha256").update(input).digest());
 };
 
 //#endregion
-//#region src/lib/clear-cache.ts
+//#region src/commands/build/run-step.ts
+const runStep = (cmd, step) => Command.exitCode(cmd.pipe(Command.stdout("inherit"), Command.stderr("inherit"))).pipe(Effect.mapError((cause) => new BuildFailedError({
+	step,
+	exitCode: 1,
+	message: `${step} failed to spawn: ${String(cause)}`
+})), Effect.flatMap((code) => code === 0 ? Effect.void : Effect.fail(new BuildFailedError({
+	step,
+	exitCode: code,
+	message: `${step} exited with code ${code}`
+}))));
 /**
-* Project-scoped build cache directories to remove when --clear-cache is passed.
-* Intentionally avoids `~/.gradle/caches` (global) and `ios/Pods/` (requires
-* pod install rebuild — leave to the user).
+* Run a build step with stdout piped through a formatter (e.g., xcpretty).
+* stderr passes through to the terminal directly.
 */
-const CACHE_DIRS = [
-	"android/.gradle",
-	"android/app/build",
-	"android/build",
-	"ios/build",
-	".expo",
-	"node_modules/.cache"
-];
-const clearBuildCaches = (projectRoot) => Effect.gen(function* () {
-	const fs = yield* FileSystem.FileSystem;
-	const removed = [];
-	yield* Effect.forEach(CACHE_DIRS, (rel) => Effect.gen(function* () {
-		const target = path.join(projectRoot, rel);
-		if (!(yield* fs.exists(target).pipe(Effect.catchAll(() => Effect.succeed(false))))) return;
-		yield* fs.remove(target, { recursive: true }).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
-		removed.push(rel);
-	}), { concurrency: 4 });
-	if (removed.length > 0) yield* Console.error(`Cleared caches: ${removed.join(", ")}`);
+const runStepFormatted = (cmd, step, formatter) => Effect.gen(function* () {
+	const proc = yield* Command.start(cmd.pipe(Command.stdout("pipe"), Command.stderr("pipe"))).pipe(Effect.mapError((cause) => new BuildFailedError({
+		step,
+		exitCode: 1,
+		message: `${step} failed to spawn: ${String(cause)}`
+	})));
+	const stdoutFiber = yield* proc.stdout.pipe(Stream.decodeText(), Stream.splitLines, Stream.runForEach((line) => {
+		const formatted = formatter.pipe(line);
+		return formatted.length > 0 ? Effect.sync(() => {
+			for (const output of formatted) process$1.stdout.write(`${output}\n`);
+		}) : Effect.void;
+	}), Effect.mapError((cause) => new BuildFailedError({
+		step,
+		exitCode: 1,
+		message: `${step} stdout stream error: ${String(cause)}`
+	})), Effect.fork);
+	const stderrFiber = yield* proc.stderr.pipe(Stream.decodeText(), Stream.splitLines, Stream.runForEach((line) => Effect.sync(() => process$1.stderr.write(`${line}\n`))), Effect.mapError((cause) => new BuildFailedError({
+		step,
+		exitCode: 1,
+		message: `${step} stderr stream error: ${String(cause)}`
+	})), Effect.fork);
+	yield* Effect.all([Fiber.join(stdoutFiber), Fiber.join(stderrFiber)], { concurrency: 2 }).pipe(Effect.catchAll(() => Effect.void));
+	const code = yield* proc.exitCode.pipe(Effect.mapError((cause) => new BuildFailedError({
+		step,
+		exitCode: 1,
+		message: `${step} exit code error: ${String(cause)}`
+	})));
+	if (code !== 0) {
+		const summary = formatter.getBuildSummary();
+		if (summary) process$1.stderr.write(`${summary}\n`);
+		return yield* new BuildFailedError({
+			step,
+			exitCode: code,
+			message: `${step} exited with code ${code}`
+		});
+	}
 });
 
 //#endregion
-//#region src/lib/env-exporter.ts
-const coerceEnvironment = (raw) => raw === "development" || raw === "preview" || raw === "production" ? raw : void 0;
+//#region src/commands/build/android.ts
 /**
-* Pull environment variables for a project + environment and flatten them into
-* a key/value map. Returns an empty map when the project has no variables.
+* Compose the Gradle task name from flavor, format, and buildType.
+*
+* Gradle naming convention: `<verb><Flavor><Variant>`, e.g.
+*   - no flavor + apk + release       → `assembleRelease`
+*   - no flavor + aab + release       → `bundleRelease`
+*   - flavor=prod + aab + release     → `bundleProdRelease`
+*   - flavor=prod + apk + debug       → `assembleProdDebug`
 */
-const pullEnvVars = (api, { projectId, environment }) => {
-	const validated = coerceEnvironment(environment);
-	if (!validated) return Effect.fail(new EnvExportError({ message: `Invalid environment "${environment}". Must be one of: development, preview, production.` }));
-	return api["env-vars"].export({ urlParams: {
-		projectId,
-		environment: validated
-	} }).pipe(Effect.map((result) => Object.fromEntries(result.items.map((item) => [item.key, item.value]))), Effect.mapError((cause) => new EnvExportError({ message: `Failed to export environment variables for "${environment}": ${String(cause)}` })));
+const gradleTaskName = (format, flavor, buildType) => {
+	const verb = format === "aab" ? "bundle" : "assemble";
+	return flavor ? `${verb}${capitalize(flavor)}${capitalize(buildType)}` : `${verb}${capitalize(buildType)}`;
 };
-
-//#endregion
-//#region src/lib/git-context.ts
-const runString = (cmd, cwd) => Command.string(Command.workingDirectory(cmd, cwd));
-/**
-* Best-effort git context extraction. If git is missing, the directory isn't
-* a repo, or any command fails, we silently return undefined fields so the
-* build can still proceed. This is intentional — git context is metadata,
-* not a requirement.
-*/
-const readGitContext = (projectRoot) => Effect.gen(function* () {
-	const [commit, ref, commitMessage, status] = yield* Effect.all([
-		runString(Command.make("git", "rev-parse", "HEAD"), projectRoot).pipe(Effect.map((output) => output.trim()), Effect.catchAll(() => Effect.succeed(""))),
-		runString(Command.make("git", "symbolic-ref", "--short", "HEAD"), projectRoot).pipe(Effect.map((output) => output.trim()), Effect.catchAll(() => Effect.succeed(""))),
-		runString(Command.make("git", "log", "-1", "--format=%s"), projectRoot).pipe(Effect.map((output) => output.trim()), Effect.catchAll(() => Effect.succeed(""))),
-		runString(Command.make("git", "status", "--porcelain"), projectRoot).pipe(Effect.catchAll(() => Effect.succeed("")))
-	], { concurrency: "unbounded" });
+const runAndroidBuild = (input) => Effect.gen(function* () {
+	const { api, tempDir, projectRoot, androidProfile, applicationIdentifier, envVars, projectId } = input;
+	const runtime = yield* CliRuntime;
+	const buildStartMs = Date.now();
+	const { format } = androidProfile;
+	const { flavor } = androidProfile;
+	const buildType = androidProfile.buildType ?? "release";
+	const androidDir = path.join(projectRoot, "android");
+	const commandEnv = yield* runtime.commandEnvironment(envVars);
+	const credentials = input.credentialsSource === "local" ? yield* loadLocalAndroidCredentials({ projectRoot }) : yield* downloadAndroidCredentials(api, {
+		projectId,
+		applicationIdentifier,
+		tempDir
+	});
+	yield* runStep(Command.make("bunx", "expo", "prebuild", "--platform", "android", "--clean").pipe(Command.workingDirectory(projectRoot), Command.env(commandEnv)), "expo prebuild android");
+	const fs = yield* FileSystem.FileSystem;
+	const signingGradlePath = path.join(tempDir, "signing.gradle");
+	yield* fs.writeFileString(signingGradlePath, renderSigningGradle({
+		keystorePath: credentials.keystorePath,
+		storePassword: credentials.storePassword,
+		keyAlias: credentials.keyAlias,
+		keyPassword: credentials.keyPassword
+	}));
+	const taskName = gradleTaskName(format, flavor, buildType);
+	yield* runStep(Command.make("./gradlew", "--init-script", signingGradlePath, `:app:${taskName}`).pipe(Command.workingDirectory(androidDir), Command.env(commandEnv)), "gradlew");
+	const artifactPath = yield* findAndroidArtifact({
+		projectRoot,
+		format,
+		...flavor === void 0 ? {} : { flavor },
+		buildType,
+		minMtimeMs: buildStartMs
+	});
+	const { sha256, byteSize } = yield* sha256File(artifactPath);
 	return {
-		ref: ref.length > 0 ? ref : void 0,
-		commit: commit.length > 0 ? commit : void 0,
-		commitMessage: commitMessage.length > 0 ? commitMessage : void 0,
-		dirty: status.trim().length > 0
+		artifactPath,
+		byteSize,
+		sha256
 	};
 });
 
 //#endregion
-//#region src/lib/gradle-config.ts
+//#region src/lib/ios-codesign-pbxproj.ts
+const loadXcodeModule$1 = () => __require("xcode");
+const findXcodeProjectDir$1 = (iosDir) => Effect.gen(function* () {
+	const projectDir = (yield* (yield* FileSystem.FileSystem).readDirectory(iosDir).pipe(Effect.mapError((cause) => new XcodeProjectError({ message: `Failed to read ${iosDir}: ${String(cause)}` })))).find((entry) => entry.endsWith(".xcodeproj"));
+	if (!projectDir) return yield* new XcodeProjectError({ message: `No .xcodeproj directory found under ${iosDir}.` });
+	return path.join(iosDir, projectDir);
+});
+const parseProject$1 = (pbxprojPath) => Effect.try({
+	try: () => loadXcodeModule$1().project(pbxprojPath).parseSync(),
+	catch: (cause) => new XcodeProjectError({ message: `Failed to parse ${pbxprojPath}: ${cause instanceof Error ? cause.message : String(cause)}` })
+});
 /**
-* Parse Groovy `build.gradle` to extract key Android config values.
-* Returns `undefined` if:
-* - Only `build.gradle.kts` exists (Kotlin DSL not supported by gradle-to-js)
-* - No build.gradle found at all
-* - Parse fails
+* Always wrap a value in double quotes for safe pbxproj serialization. The
+* `xcode` writer emits values verbatim (e.g. `KEY = %s;`), so any string with
+* spaces, brackets or non-identifier characters needs explicit quoting.
+*/
+const quote = (value) => `"${value.replaceAll("\"", String.raw`\"`)}"`;
+const SDK_CONDITIONAL_IDENTITY_KEYS = ["\"CODE_SIGN_IDENTITY[sdk=iphoneos*]\"", "CODE_SIGN_IDENTITY[sdk=iphoneos*]"];
+const mutateConfig = (project, configUuid, settings) => {
+	const cfg = project.pbxXCBuildConfigurationSection()[configUuid];
+	if (!cfg || typeof cfg === "string") return false;
+	cfg.buildSettings["CODE_SIGN_STYLE"] = "Manual";
+	cfg.buildSettings["DEVELOPMENT_TEAM"] = quote(settings.teamId);
+	cfg.buildSettings["CODE_SIGN_IDENTITY"] = quote(settings.signingIdentity);
+	cfg.buildSettings["PROVISIONING_PROFILE_SPECIFIER"] = quote(settings.profileSpecifier);
+	delete cfg.buildSettings["PROVISIONING_PROFILE"];
+	for (const key of SDK_CONDITIONAL_IDENTITY_KEYS) delete cfg.buildSettings[key];
+	return true;
+};
+/**
+* Write `CODE_SIGN_STYLE=Manual`, `DEVELOPMENT_TEAM`, `CODE_SIGN_IDENTITY`, and
+* `PROVISIONING_PROFILE_SPECIFIER` into the specified XCBuildConfiguration
+* entries of the project under `iosDir`, then serialize back to disk.
 *
-* Informational only — never blocks the build.
+* Only mutates the main app project — `Pods.xcodeproj` is left untouched. The
+* caller is responsible for ensuring each entry's `buildConfigurationUuids`
+* only includes configurations that belong to a signed target (see
+* `discoverSignedTargets`).
 */
-const readGradleConfig = (androidDir) => Effect.gen(function* () {
+const applyTargetSigning = (options) => Effect.gen(function* () {
 	const fs = yield* FileSystem.FileSystem;
-	const gradlePath = path.join(androidDir, "app", "build.gradle");
-	const ktsPath = path.join(androidDir, "app", "build.gradle.kts");
-	const hasGroovy = yield* fs.exists(gradlePath).pipe(Effect.orElseSucceed(() => false));
-	const hasKts = yield* fs.exists(ktsPath).pipe(Effect.orElseSucceed(() => false));
-	if (!hasGroovy && hasKts) return;
-	if (!hasGroovy) return;
-	const content = yield* fs.readFileString(gradlePath).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
-	if (!content) return;
-	return yield* Effect.tryPromise({
-		try: async () => {
-			return __require("gradle-to-js").parseText(stripGroovyComments(content));
-		},
-		catch: () => void 0
-	}).pipe(Effect.map(extractGradleConfig), Effect.catchAll(() => Effect.succeed(void 0)));
+	const projectDir = yield* findXcodeProjectDir$1(options.iosDir);
+	const pbxprojPath = path.join(projectDir, "project.pbxproj");
+	const project = yield* parseProject$1(pbxprojPath);
+	for (const entry of options.entries) for (const configUuid of entry.buildConfigurationUuids) if (!mutateConfig(project, configUuid, entry.settings)) yield* new XcodeProjectError({ message: `Build configuration ${configUuid} not found for target "${entry.targetName}" in ${pbxprojPath}.` });
+	const serialized = yield* Effect.try({
+		try: () => project.writeSync(),
+		catch: (cause) => new XcodeProjectError({ message: `Failed to serialize ${pbxprojPath}: ${cause instanceof Error ? cause.message : String(cause)}` })
+	});
+	yield* fs.writeFileString(pbxprojPath, serialized).pipe(Effect.mapError((cause) => new XcodeProjectError({ message: `Failed to write ${pbxprojPath}: ${String(cause)}` })));
 });
+
+//#endregion
+//#region src/lib/ios-export-options.ts
+const escapeXml = (value) => value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll("\"", "&quot;").replaceAll("'", "&apos;");
+const boolTag = (value) => value ? "<true/>" : "<false/>";
 /**
-* Log a warning if Gradle applicationId differs from app.json package name.
+* Render an Xcode `ExportOptions.plist` for `xcodebuild -exportArchive`.
+*
+* - `signingStyle` is always `manual` (ephemeral keychain + downloaded profile)
+* - `uploadSymbols` is emitted only for `app-store` exports
+* - `provisioningProfiles` dict maps each bundleId → profile name (one entry
+*   per signed target: main app + any extensions like notification service)
+* - `compileBitcode` defaults to `false`
 */
-const warnOnGradleMismatch = (gradleConfig, expectedPackage) => {
-	if (!gradleConfig?.applicationId) return Effect.void;
-	if (gradleConfig.applicationId === expectedPackage) return Effect.void;
-	return Console.warn(`Gradle applicationId "${gradleConfig.applicationId}" differs from app.json package "${expectedPackage}". The Gradle value will be used in the built APK/AAB.`);
-};
-/**
-* Strip Groovy single-line and block comments.
-* gradle-to-js chokes on comments — EAS CLI does this same pre-processing.
-*/
-const stripGroovyComments = (text) => text.replaceAll(/\/\/.*$/gmu, "").replaceAll(/\/\*[\s\S]*?\*\//gu, "");
-const parseVersionCode = (raw) => {
-	if (typeof raw === "number") return raw;
-	if (typeof raw === "string") return Number.parseInt(raw, 10) || void 0;
-};
-const extractGradleConfig = (parsed) => {
-	const defaultConfig = asRecord(asRecord(parsed["android"])?.["defaultConfig"]);
-	const applicationId = typeof defaultConfig?.["applicationId"] === "string" ? unquote(defaultConfig["applicationId"]) : void 0;
-	const versionCode = parseVersionCode(defaultConfig?.["versionCode"]);
-	const versionName = typeof defaultConfig?.["versionName"] === "string" ? unquote(defaultConfig["versionName"]) : void 0;
-	return {
-		...applicationId === void 0 ? {} : { applicationId },
-		...versionCode === void 0 ? {} : { versionCode },
-		...versionName === void 0 ? {} : { versionName }
-	};
+const renderExportOptionsPlist = ({ method, teamId, provisioningProfiles, compileBitcode = false }) => {
+	const lines = [
+		"<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
+		"<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">",
+		"<plist version=\"1.0\">",
+		"<dict>",
+		"	<key>method</key>",
+		`\t<string>${escapeXml(method)}</string>`,
+		"	<key>teamID</key>",
+		`\t<string>${escapeXml(teamId)}</string>`,
+		"	<key>signingStyle</key>",
+		"	<string>manual</string>",
+		"	<key>compileBitcode</key>",
+		`\t${boolTag(compileBitcode)}`,
+		"	<key>provisioningProfiles</key>",
+		"	<dict>"
+	];
+	for (const { bundleId, profileName } of provisioningProfiles) lines.push(`\t\t<key>${escapeXml(bundleId)}</key>`, `\t\t<string>${escapeXml(profileName)}</string>`);
+	lines.push("	</dict>");
+	if (method === "app-store") lines.push("	<key>uploadSymbols</key>", "	<true/>");
+	lines.push("</dict>", "</plist>", "");
+	return lines.join("\n");
 };
-const unquote = (input) => input.startsWith("\"") && input.endsWith("\"") ? input.slice(1, -1) : input;
 
 //#endregion
-//#region src/lib/platform-detect.ts
-const PLATFORMS = ["ios", "android"];
-const inferPlatforms = (config) => {
-	const fromConfig = config["platforms"];
-	if (Array.isArray(fromConfig)) return fromConfig.filter((entry) => entry === "ios" || entry === "android");
-	const present = [];
-	if (config.ios !== void 0) present.push("ios");
-	if (config.android !== void 0) present.push("android");
-	return present;
+//#region src/lib/ios-keychain.ts
+const runOrFail = (cmd, step) => Command.string(cmd).pipe(Effect.mapError((cause) => new KeychainError({ message: `keychain ${step} failed: ${String(cause)}` })));
+const listCurrentKeychains = Effect.gen(function* () {
+	return (yield* runOrFail(Command.make("security", "list-keychains", "-d", "user"), "list-keychains")).split("\n").map((line) => line.trim().replace(/^"/u, "").replace(/"$/u, "")).filter((line) => line.length > 0);
+});
+const parseSigningIdentity = (output) => {
+	const lines = output.split("\n");
+	for (const line of lines) {
+		const match = /"([^"]+)"/u.exec(line);
+		if (match?.[1]) return match[1];
+	}
 };
 /**
-* Resolve a build platform from an explicit flag, or fall back to the Expo
-* config (`expo.platforms` or the presence of `ios`/`android` sections). Prompts
-* when the config declares both platforms; fails when ambiguous and prompts are
-* disallowed.
+* Acquire an ephemeral macOS keychain, import a `.p12` into it, add it to the
+* user search list, and tear it all down on scope close. The keychain name is
+* namespaced as `better-update-<uuid>` and lives in `$tempDir`, so cleanup is
+* guaranteed under all termination paths.
 */
-const detectPlatform = (explicit, config) => Effect.gen(function* () {
-	if (explicit !== void 0) return explicit;
-	const candidates = inferPlatforms(config);
-	if (candidates.length === 0) return yield* new BuildProfileError({ message: "Cannot infer build platform. Add an `ios` or `android` section to your Expo config, or pass --platform." });
-	if (candidates.length === 1) {
-		const [only] = candidates;
-		if (only === void 0) return yield* new BuildProfileError({ message: "Internal: empty platform candidate list." });
-		return only;
-	}
-	if (!(yield* InteractiveMode).allow) return yield* new BuildProfileError({ message: `Multiple platforms detected (${candidates.join(", ")}). Pass --platform explicitly when running non-interactively.` });
-	return yield* promptSelect("Which platform to build?", PLATFORMS.filter((entry) => candidates.includes(entry)).map((entry) => ({
-		value: entry,
-		label: entry
-	})));
-});
+const acquireKeychain = ({ tempDir, p12Path, p12Password }) => {
+	const keychainName = `better-update-${randomUUID()}.keychain-db`;
+	const keychainPath = path.join(tempDir, keychainName);
+	const keychainPassword = randomBytes(32).toString("hex");
+	return Effect.acquireRelease(Effect.gen(function* () {
+		const priorKeychains = yield* listCurrentKeychains;
+		yield* runOrFail(Command.make("security", "create-keychain", "-p", keychainPassword, keychainPath), "create-keychain");
+		yield* runOrFail(Command.make("security", "unlock-keychain", "-p", keychainPassword, keychainPath), "unlock-keychain");
+		yield* runOrFail(Command.make("security", "set-keychain-settings", "-t", "3600", "-l", keychainPath), "set-keychain-settings");
+		yield* runOrFail(Command.make("security", "import", p12Path, "-k", keychainPath, "-P", p12Password, "-T", "/usr/bin/codesign"), "import");
+		yield* runOrFail(Command.make("security", "set-key-partition-list", "-S", "apple-tool:,apple:,codesign:", "-s", "-k", keychainPassword, keychainPath), "set-key-partition-list");
+		yield* runOrFail(Command.make("security", "list-keychains", "-d", "user", "-s", keychainPath, ...priorKeychains), "list-keychains -s (add)");
+		const signingIdentity = parseSigningIdentity(yield* runOrFail(Command.make("security", "find-identity", "-v", "-p", "codesigning", keychainPath), "find-identity"));
+		if (!signingIdentity) return yield* new KeychainError({ message: "No code signing identity found after importing .p12 into ephemeral keychain." });
+		return {
+			handle: {
+				keychainName,
+				keychainPath,
+				signingIdentity
+			},
+			priorKeychains
+		};
+	}), ({ priorKeychains }) => Effect.gen(function* () {
+		yield* Command.string(Command.make("security", "list-keychains", "-d", "user", "-s", ...priorKeychains)).pipe(Effect.catchAll(() => Effect.void));
+		yield* Command.string(Command.make("security", "delete-keychain", keychainPath)).pipe(Effect.catchAll(() => Effect.void));
+	})).pipe(Effect.map(({ handle }) => handle));
+};
 
 //#endregion
-//#region src/lib/repo-clean.ts
-const MAX_FILES_SHOWN = 10;
-const readPorcelain = (projectRoot) => Command.make("git", "status", "--porcelain").pipe(Command.workingDirectory(projectRoot), Command.string, Effect.map((output) => output.split(/\r?\n/u).map((line) => line.trim()).filter((line) => line.length > 0)), Effect.catchAll(() => Effect.succeed([])));
+//#region src/lib/plist.ts
+const plist = typeof plistMod.parse === "function" ? plistMod : plistMod.default;
 /**
-* Refuse to proceed when the working tree has uncommitted changes. Skipped when
-* `allowDirty` is true. In interactive mode, prompts the user to confirm; in
-* non-interactive mode, fails with `DirtyRepoError`.
+* Parse an XML plist string into a typed object.
+* Throws on malformed XML — callers should wrap in Effect.try.
 */
-const ensureRepoClean = ({ projectRoot, allowDirty, label }) => Effect.gen(function* () {
-	if (allowDirty) return;
-	const dirty = yield* readPorcelain(projectRoot);
-	if (dirty.length === 0) return;
-	const preview = dirty.slice(0, MAX_FILES_SHOWN).join("\n  ");
-	const overflow = dirty.length > MAX_FILES_SHOWN ? `\n  ... and ${String(dirty.length - MAX_FILES_SHOWN)} more` : "";
-	yield* Console.error(`Uncommitted changes (${String(dirty.length)} file(s)):\n  ${preview}${overflow}`);
-	if (!(yield* InteractiveMode).allow) {
-		yield* new DirtyRepoError({ message: `Refusing to ${label} with a dirty working tree. Commit your changes or pass --allow-dirty.` });
-		return;
-	}
-	if (!(yield* promptConfirm(`Continue ${label} with uncommitted changes?`, { initialValue: false }))) yield* new DirtyRepoError({ message: `${label} cancelled by user.` });
-});
+const parsePlistXml = (xml) => plist.parse(xml);
+/**
+* Parse a binary plist buffer into a typed object.
+* Uses bplist-parser for Apple's binary plist format.
+*/
+const parsePlistBinary = (buffer) => {
+	const [result] = __require("bplist-parser").parseBuffer(buffer);
+	return result;
+};
+const BPLIST_MAGIC = Buffer.from("bplist00");
+/**
+* Auto-detect plist format (binary vs XML) and parse accordingly.
+*/
+const parsePlist = (data) => data.subarray(0, 8).equals(BPLIST_MAGIC) ? parsePlistBinary(data) : parsePlistXml(data.toString("utf8"));
 
 //#endregion
-//#region src/lib/fingerprint.ts
-var FingerprintError = class extends Data.TaggedError("FingerprintError") {};
-const runFingerprintFull = (projectRoot) => Effect.gen(function* () {
-	const cmd = Command.make("bunx", "@expo/fingerprint", projectRoot).pipe(Command.workingDirectory(projectRoot));
-	const stdout = yield* Command.string(cmd).pipe(Effect.mapError((cause) => new FingerprintError({ message: `Failed to run "@expo/fingerprint": ${cause.message}` })));
+//#region src/lib/ios-provisioning.ts
+const getString = (obj, key) => {
+	const value = obj[key];
+	return typeof value === "string" ? value : void 0;
+};
+const getFirstArrayString = (obj, key) => {
+	const value = obj[key];
+	if (Array.isArray(value) && typeof value[0] === "string") return value[0];
+};
+/**
+* Extract `UUID`, `Name`, and the first `TeamIdentifier` from the XML plist
+* output of `security cms -D -i <path>`. Returns `ProvisioningError` when any
+* of the three fields are missing.
+*/
+const extractProvisioningInfo = (plistXml) => Effect.gen(function* () {
 	const parsed = yield* Effect.try({
-		try: () => JSON.parse(stdout),
-		catch: () => new FingerprintError({ message: "Failed to parse @expo/fingerprint output as JSON." })
+		try: () => parsePlistXml(plistXml),
+		catch: (error) => new ProvisioningError({ message: `Failed to parse provisioning profile plist: ${error instanceof Error ? error.message : String(error)}` })
 	});
-	if (!isRecord(parsed)) return yield* new FingerprintError({ message: "@expo/fingerprint output was not a JSON object." });
-	const { hash } = parsed;
-	if (typeof hash !== "string" || hash.length === 0) return yield* new FingerprintError({ message: "@expo/fingerprint output did not contain a \"hash\" string field." });
-	const sourcesRaw = parsed["sources"];
+	const uuid = getString(parsed, "UUID");
+	const name = getString(parsed, "Name");
+	const teamId = getFirstArrayString(parsed, "TeamIdentifier");
+	if (!uuid || !name || !teamId) return yield* new ProvisioningError({ message: `Failed to parse provisioning profile: missing ${uuid ? "" : "UUID "}${name ? "" : "Name "}${teamId ? "" : "TeamIdentifier "}`.trim() });
 	return {
-		hash,
-		sources: Array.isArray(sourcesRaw) ? sourcesRaw : []
+		uuid,
+		name,
+		teamId
 	};
 });
-
-//#endregion
-//#region src/lib/runtime-version.ts
-const resolveRuntimeVersion = ({ raw, appVersion, projectRoot }) => Effect.gen(function* () {
-	if (typeof raw === "string") return raw;
-	if (raw === void 0) return yield* new RuntimeVersionError({ message: "No runtimeVersion configured in expo section of app.json." });
-	const { policy } = raw;
-	if (policy === "appVersion") {
-		if (appVersion === void 0) return yield* new RuntimeVersionError({ message: "runtimeVersion policy is \"appVersion\" but expo.version is missing in app.json." });
-		return appVersion;
-	}
-	if (policy === "fingerprint") return yield* runFingerprintFull(projectRoot).pipe(Effect.map((result) => result.hash), Effect.mapError((cause) => new RuntimeVersionError({ message: cause.message })));
-	if (policy === "nativeVersion") return yield* new RuntimeVersionError({ message: "runtimeVersion policy \"nativeVersion\" is not supported. Set a static runtimeVersion string in your Expo config." });
-	return yield* new RuntimeVersionError({ message: `Unsupported runtimeVersion policy "${policy}". Use a static string, "appVersion", or "fingerprint".` });
-});
-
-//#endregion
-//#region src/lib/temp-dir.ts
+const userProvisioningProfilesDir = () => path.join(os.homedir(), "Library", "MobileDevice", "Provisioning Profiles");
 /**
-* Create a scoped temp directory prefixed with "better-update-" and `chmod 0o700`
-* it so only the current user can read its contents. The directory and all files
-* inside it are removed when the enclosing scope closes.
+* Scoped installation of a provisioning profile: parses its metadata via
+* `security cms -D -i`, copies it into `~/Library/MobileDevice/Provisioning Profiles`
+* under `<uuid>.mobileprovision`, and removes the copy on scope close — but
+* only if we installed it. If the target file already existed when we arrived
+* (e.g., Xcode had it), we leave both the file and the contents untouched.
 */
-const acquireBuildTempDir = Effect.gen(function* () {
+const installProvisioningProfile = ({ profilePath }) => Effect.acquireRelease(Effect.gen(function* () {
 	const fs = yield* FileSystem.FileSystem;
-	const dir = yield* fs.makeTempDirectoryScoped({ prefix: "better-update-" });
-	yield* fs.chmod(dir, 448);
-	return dir;
-});
-
-//#endregion
-//#region src/lib/android-keystore.ts
-const DEFAULT_KEYSTORE_VALIDITY_DAYS = 1e4;
-const renderDistinguishedName = (params) => `CN=${params.commonName}, O=${params.organization}`;
-const generateAndroidKeystore = (input) => Command.exitCode(Command.make("keytool", "-genkeypair", "-v", "-storetype", "JKS", "-keystore", input.outputPath, "-alias", input.keyAlias, "-keyalg", "RSA", "-keysize", "2048", "-validity", String(input.validityDays ?? DEFAULT_KEYSTORE_VALIDITY_DAYS), "-storepass", input.storePassword, "-keypass", input.keyPassword, "-dname", renderDistinguishedName({
-	commonName: input.commonName,
-	organization: input.organization
-}), "-noprompt").pipe(Command.stdout("inherit"), Command.stderr("inherit"))).pipe(Effect.mapError((cause) => new BuildFailedError({
-	step: "generate android keystore",
-	exitCode: 1,
-	message: `generate android keystore failed to spawn: ${String(cause)}`
-})), Effect.flatMap((code) => code === 0 ? Effect.void : Effect.fail(new BuildFailedError({
-	step: "generate android keystore",
-	exitCode: code,
-	message: `generate android keystore exited with code ${code}`
-}))));
+	const info = yield* extractProvisioningInfo(yield* Command.string(Command.make("security", "cms", "-D", "-i", profilePath)).pipe(Effect.mapError((cause) => new ProvisioningError({ message: `security cms -D failed for ${profilePath}: ${String(cause)}` }))));
+	const targetDir = userProvisioningProfilesDir();
+	const installedPath = path.join(targetDir, `${info.uuid}.mobileprovision`);
+	yield* fs.makeDirectory(targetDir, { recursive: true }).pipe(Effect.catchAll((cause) => new ProvisioningError({ message: `Failed to create provisioning profiles dir: ${String(cause)}` })));
+	if (yield* fs.exists(installedPath).pipe(Effect.orElseSucceed(() => false))) return {
+		...info,
+		installedPath,
+		ownsInstallation: false
+	};
+	yield* fs.copyFile(profilePath, installedPath).pipe(Effect.catchAll((cause) => new ProvisioningError({ message: `Failed to copy provisioning profile into ${installedPath}: ${String(cause)}` })));
+	return {
+		...info,
+		installedPath,
+		ownsInstallation: true
+	};
+}), (acquired) => Effect.gen(function* () {
+	if (!acquired.ownsInstallation) return;
+	yield* (yield* FileSystem.FileSystem).remove(acquired.installedPath).pipe(Effect.catchAll(() => Effect.void));
+})).pipe(Effect.map(({ uuid, name, teamId, installedPath }) => ({
+	uuid,
+	name,
+	teamId,
+	installedPath
+})));
 
 //#endregion
-//#region src/lib/apple-pem.ts
-const PEM_HEADER = "-----BEGIN PRIVATE KEY-----";
-const PEM_FOOTER = "-----END PRIVATE KEY-----";
-const pemToPkcs8Der = (pem) => {
-	const normalized = pem.replaceAll("\r\n", "\n").trim();
-	const start = normalized.indexOf(PEM_HEADER);
-	const end = normalized.indexOf(PEM_FOOTER);
-	if (start === -1 || end === -1 || end <= start) return null;
-	const body = normalized.slice(start + 27, end).replaceAll(/\s+/gu, "").trim();
-	if (body.length === 0) return null;
-	try {
-		return fromBase64(body);
-	} catch {
-		return null;
+//#region src/lib/post-build-validation.ts
+const validateOneBundle = (bundleDir, expectedByBundleId, expectedTeamId) => Effect.gen(function* () {
+	const bundleId = yield* readBundleId(bundleDir).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
+	if (!bundleId) return {
+		bundleId: void 0,
+		warnings: [`Missing CFBundleIdentifier in Info.plist at ${bundleDir}`]
+	};
+	const expected = expectedByBundleId.get(bundleId);
+	if (!expected) return {
+		bundleId,
+		warnings: [`Unexpected signed bundle "${bundleId}" found in archive at ${bundleDir}`]
+	};
+	return {
+		bundleId,
+		warnings: yield* validateEmbeddedProfile(bundleDir, expected.profileUuid, expectedTeamId, bundleId).pipe(Effect.catchAll(() => Effect.succeed([])))
+	};
+});
+const validateIosBuild = (params) => Effect.gen(function* () {
+	const appDir = yield* findAppDirectory$1(params.archivePath).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
+	if (!appDir) return {
+		passed: false,
+		warnings: ["Could not locate .app bundle in archive — skipping post-build validation"]
+	};
+	const bundleDirs = yield* listSignedBundleDirs(appDir).pipe(Effect.catchAll(() => Effect.succeed([appDir])));
+	const expectedByBundleId = new Map(params.expectedTargets.map((target) => [target.bundleId, target]));
+	const perBundle = yield* Effect.forEach(bundleDirs, (bundleDir) => validateOneBundle(bundleDir, expectedByBundleId, params.expectedTeamId));
+	const warnings = perBundle.flatMap((entry) => [...entry.warnings]);
+	const validatedBundleIds = new Set(perBundle.map((entry) => entry.bundleId).filter((id) => id !== void 0));
+	for (const expected of params.expectedTargets) if (!validatedBundleIds.has(expected.bundleId)) warnings.push(`Expected signed target "${expected.bundleId}" was not found in the archive.`);
+	if (warnings.length > 0) {
+		yield* Console.warn("Post-build validation warnings:");
+		for (const warning of warnings) yield* Console.warn(`  - ${warning}`);
 	}
-};
+	return {
+		passed: warnings.length === 0,
+		warnings
+	};
+});
+const findAppDirectory$1 = (archivePath) => Effect.gen(function* () {
+	const fs = yield* FileSystem.FileSystem;
+	const productsDir = path.join(archivePath, "Products", "Applications");
+	const appEntry = (yield* fs.readDirectory(productsDir)).find((entry) => entry.endsWith(".app"));
+	if (!appEntry) return yield* Effect.fail("No .app found");
+	return path.join(productsDir, appEntry);
+});
+/**
+* Return the main `.app` plus every `.appex` extension under `<app>/PlugIns/`.
+* Each returned path is a signed bundle that should carry its own embedded
+* provisioning profile + Info.plist with CFBundleIdentifier.
+*/
+const listSignedBundleDirs = (appDir) => Effect.gen(function* () {
+	const fs = yield* FileSystem.FileSystem;
+	const plugInsDir = path.join(appDir, "PlugIns");
+	if (!(yield* fs.exists(plugInsDir).pipe(Effect.catchAll(() => Effect.succeed(false))))) return [appDir];
+	return [appDir, ...(yield* fs.readDirectory(plugInsDir)).filter((entry) => entry.endsWith(".appex")).map((entry) => path.join(plugInsDir, entry))];
+});
+const readBundleId = (bundleDir) => Effect.gen(function* () {
+	const fs = yield* FileSystem.FileSystem;
+	const plistPath = path.join(bundleDir, "Info.plist");
+	const data = yield* fs.readFile(plistPath);
+	const bundleId = parsePlist(Buffer.from(data))["CFBundleIdentifier"];
+	return typeof bundleId === "string" ? bundleId : void 0;
+});
+const validateEmbeddedProfile = (bundleDir, expectedUuid, expectedTeamId, bundleId) => Effect.gen(function* () {
+	const warnings = [];
+	const profilePath = path.join(bundleDir, "embedded.mobileprovision");
+	const parsed = parsePlistXml(yield* Command.string(Command.make("security", "cms", "-D", "-i", profilePath)));
+	const actualUuid = parsed["UUID"];
+	if (typeof actualUuid === "string" && actualUuid !== expectedUuid) warnings.push(`[${bundleId}] Profile UUID mismatch: expected "${expectedUuid}", got "${actualUuid}"`);
+	const teamIdentifiers = parsed["TeamIdentifier"];
+	if (Array.isArray(teamIdentifiers)) {
+		const [actualTeamId] = teamIdentifiers;
+		if (typeof actualTeamId === "string" && actualTeamId !== expectedTeamId) warnings.push(`[${bundleId}] Team ID mismatch: expected "${expectedTeamId}", got "${actualTeamId}"`);
+	}
+	const expirationDate = parsed["ExpirationDate"];
+	if (expirationDate instanceof Date && expirationDate.getTime() < Date.now()) warnings.push(`[${bundleId}] Embedded provisioning profile expired on ${expirationDate.toISOString()}`);
+	return warnings;
+});
 
 //#endregion
-//#region src/lib/apple-asc-jwt.ts
-var AppleAuthError = class extends Data.TaggedError("AppleAuthError") {};
-const MAX_JWT_LIFETIME_SECONDS = 1200;
-const asArrayBuffer = (bytes) => {
-	const buffer = new ArrayBuffer(bytes.byteLength);
-	new Uint8Array(buffer).set(bytes);
-	return buffer;
-};
-const signAscJwt = (credentials) => Effect.gen(function* () {
-	const der = pemToPkcs8Der(credentials.p8Pem);
-	if (der === null) return yield* Effect.fail(new AppleAuthError({ cause: /* @__PURE__ */ new Error("Invalid .p8 PEM") }));
-	const header = {
-		alg: "ES256",
-		kid: credentials.keyId,
-		typ: "JWT"
-	};
-	const now = Math.floor(Date.now() / 1e3);
-	const payload = {
-		iss: credentials.issuerId,
-		iat: now,
-		exp: now + MAX_JWT_LIFETIME_SECONDS,
-		aud: "appstoreconnect-v1"
-	};
-	const signingInput = `${toBase64Url(new TextEncoder().encode(JSON.stringify(header)))}.${toBase64Url(new TextEncoder().encode(JSON.stringify(payload)))}`;
-	const key = yield* Effect.tryPromise({
-		try: async () => crypto.subtle.importKey("pkcs8", asArrayBuffer(der), {
-			name: "ECDSA",
-			namedCurve: "P-256"
-		}, false, ["sign"]),
-		catch: (cause) => new AppleAuthError({ cause })
-	});
-	const signature = yield* Effect.tryPromise({
-		try: async () => crypto.subtle.sign({
-			name: "ECDSA",
-			hash: "SHA-256"
-		}, key, new TextEncoder().encode(signingInput)),
-		catch: (cause) => new AppleAuthError({ cause })
-	});
-	return `${signingInput}.${toBase64Url(new Uint8Array(signature))}`;
+//#region src/lib/xcode-targets.ts
+/** Product types whose targets require code-signing with a provisioning profile. */
+const SIGNED_PRODUCT_TYPES = new Set([
+	"com.apple.product-type.application",
+	"com.apple.product-type.app-extension",
+	"com.apple.product-type.messages-extension",
+	"com.apple.product-type.tv-app-extension",
+	"com.apple.product-type.watchapp2",
+	"com.apple.product-type.watchkit2-extension"
+]);
+const loadXcodeModule = () => __require("xcode");
+/**
+* Strip surrounding quotes from a pbxproj string value. `xcode` returns values
+* verbatim from the project file, so identifiers like productType are usually
+* wrapped in double quotes (e.g. `"com.apple.product-type.application"`).
+*/
+const unquote$1 = (value) => value.length >= 2 && value.startsWith("\"") && value.endsWith("\"") ? value.slice(1, -1) : value;
+const findXcodeProjectDir = (iosDir) => Effect.gen(function* () {
+	const projectDir = (yield* (yield* FileSystem.FileSystem).readDirectory(iosDir).pipe(Effect.mapError((cause) => new XcodeProjectError({ message: `Failed to read ${iosDir}: ${String(cause)}` })))).find((entry) => entry.endsWith(".xcodeproj"));
+	if (!projectDir) return yield* new XcodeProjectError({ message: `No .xcodeproj directory found under ${iosDir}. Did "expo prebuild" run?` });
+	return path.join(iosDir, projectDir);
+});
+const parseProject = (pbxprojPath) => Effect.try({
+	try: () => loadXcodeModule().project(pbxprojPath).parseSync(),
+	catch: (cause) => new XcodeProjectError({ message: `Failed to parse ${pbxprojPath}: ${cause instanceof Error ? cause.message : String(cause)}` })
+});
+const collectConfigUuidsForTarget = (project, target, configurationName) => {
+	const configList = project.pbxXCConfigurationList()[target.buildConfigurationList];
+	if (!configList || typeof configList === "string") return [];
+	const buildConfigSection = project.pbxXCBuildConfigurationSection();
+	return configList.buildConfigurations.map((entry) => entry.value).filter((uuid) => {
+		const cfg = buildConfigSection[uuid];
+		if (!cfg || typeof cfg === "string") return false;
+		return unquote$1(cfg.name) === configurationName;
+	});
+};
+const extractBundleIdForConfig = (project, configUuid) => {
+	const cfg = project.pbxXCBuildConfigurationSection()[configUuid];
+	if (!cfg || typeof cfg === "string") return;
+	const raw = cfg.buildSettings["PRODUCT_BUNDLE_IDENTIFIER"];
+	if (typeof raw !== "string") return;
+	return unquote$1(raw);
+};
+const collectSignedTargets = (project, pbxprojPath, configurationName) => Effect.gen(function* () {
+	const results = [];
+	const nativeTargets = project.pbxNativeTargetSection();
+	for (const [uuid, entry] of Object.entries(nativeTargets)) {
+		if (uuid.endsWith("_comment") || typeof entry === "string") continue;
+		const productType = unquote$1(entry.productType);
+		if (!SIGNED_PRODUCT_TYPES.has(productType)) continue;
+		const configUuids = collectConfigUuidsForTarget(project, entry, configurationName);
+		const [firstConfigUuid] = configUuids;
+		if (!firstConfigUuid) return yield* new XcodeProjectError({ message: `Target "${unquote$1(entry.name)}" has no "${configurationName}" build configuration in ${pbxprojPath}.` });
+		const bundleId = extractBundleIdForConfig(project, firstConfigUuid);
+		if (!bundleId) return yield* new XcodeProjectError({ message: `Target "${unquote$1(entry.name)}" is missing PRODUCT_BUNDLE_IDENTIFIER in the "${configurationName}" configuration.` });
+		results.push({
+			targetName: unquote$1(entry.name),
+			bundleId,
+			productType,
+			buildConfigurationUuids: configUuids
+		});
+	}
+	return results;
+});
+/**
+* Enumerate code-signed native targets (main app + extensions) declared in the
+* single `.xcodeproj` under `iosDir`, restricted to a given build configuration
+* (e.g. "Release"). Pod targets and other library product types are excluded.
+*
+* The returned `buildConfigurationUuids` list is the set of XCBuildConfiguration
+* UUIDs that belong to this target *and* match `configurationName` — the
+* per-target signing mutator writes settings into exactly those configurations.
+*/
+const discoverSignedTargets = (options) => Effect.gen(function* () {
+	const projectDir = yield* findXcodeProjectDir(options.iosDir);
+	const pbxprojPath = path.join(projectDir, "project.pbxproj");
+	const results = yield* collectSignedTargets(yield* parseProject(pbxprojPath), pbxprojPath, options.configurationName);
+	if (results.length === 0) return yield* new XcodeProjectError({ message: `No signed native targets found in ${pbxprojPath} for configuration "${options.configurationName}".` });
+	return results;
 });
 
 //#endregion
-//#region src/lib/apple-asc-client.ts
-var AscApiError = class extends Data.TaggedError("AscApiError") {};
-var AscNetworkError = class extends Data.TaggedError("AscNetworkError") {};
-const API_BASE = "https://api.appstoreconnect.apple.com";
-const extractErrors = (body) => {
-	if (!isRecord(body) || !Array.isArray(body["errors"])) return [];
-	return body["errors"].filter((value) => isRecord(value));
+//#region src/lib/xcpretty-formatter.ts
+/**
+* Create a stateful xcodebuild output formatter backed by `@expo/xcpretty`.
+* Each `pipe(line)` call may return zero or more formatted lines — zero means
+* the line was suppressed (e.g., intermediate compiler invocations).
+*/
+const createXcodebuildFormatter = (projectRoot) => {
+	const formatter = ExpoRunFormatter.create(projectRoot);
+	return {
+		pipe: (line) => formatter.pipe(line),
+		getBuildSummary: () => formatter.getBuildSummary()
+	};
 };
-const parseApiError = (response, body, raw) => {
-	const [first] = extractErrors(body);
-	return new AscApiError({
-		status: response.status,
-		message: first?.detail ?? first?.title ?? response.statusText,
-		code: first?.code,
-		raw
+
+//#endregion
+//#region src/commands/build/ios.ts
+const findXcworkspace = (iosDir) => Effect.gen(function* () {
+	const workspace = (yield* (yield* FileSystem.FileSystem).readDirectory(iosDir)).find((entry) => entry.endsWith(".xcworkspace"));
+	if (!workspace) return yield* new BuildFailedError({
+		step: "detect xcworkspace",
+		exitCode: 1,
+		message: `No .xcworkspace found under ${iosDir}. Did "pod install" run?`
 	});
-};
-const fetchRaw = (jwt, path, init) => Effect.gen(function* () {
-	const response = yield* Effect.tryPromise({
-		try: async () => fetch(`${API_BASE}${path}`, {
-			method: init?.method ?? "GET",
-			...init?.body === void 0 ? {} : { body: init.body },
-			headers: {
-				authorization: `Bearer ${jwt}`,
-				"content-type": "application/json",
-				accept: "application/json"
+	return workspace;
+});
+const prebuildAndPods = (params) => Effect.gen(function* () {
+	yield* runStep(Command.make("bunx", "expo", "prebuild", "--platform", "ios", "--clean").pipe(Command.workingDirectory(params.projectRoot), Command.env(params.commandEnv)), "expo prebuild ios");
+	yield* runStep(Command.make("pod", "install").pipe(Command.workingDirectory(params.iosDir), Command.env(params.commandEnv)), "pod install");
+});
+const findAppDirectory = (root) => Effect.gen(function* () {
+	const fs = yield* FileSystem.FileSystem;
+	const stack = [root];
+	let depth = 0;
+	while (stack.length > 0 && depth < 6) {
+		const layer = stack.splice(0);
+		depth += 1;
+		for (const dir of layer) {
+			const entries = yield* fs.readDirectory(dir).pipe(Effect.orElseSucceed(() => []));
+			for (const entry of entries) {
+				const full = path.join(dir, entry);
+				if (entry.endsWith(".app")) return full;
+				const stat = yield* fs.stat(full).pipe(Effect.option);
+				if (stat._tag === "Some" && stat.value.type === "Directory") stack.push(full);
 			}
-		}),
-		catch: (cause) => new AscNetworkError({ cause })
-	});
-	const text = yield* Effect.tryPromise({
-		try: async () => response.text(),
-		catch: (cause) => new AscNetworkError({ cause })
-	});
-	const body = text.length === 0 ? {} : JSON.parse(text);
-	if (!response.ok) return yield* Effect.fail(parseApiError(response, body, text));
-	return body;
+		}
+	}
+	return yield* new ArtifactNotFoundError({ message: `No .app bundle found under "${root}".` });
 });
-const toAscCertificate = (value) => {
-	if (!isRecord(value)) return null;
-	const { id, attributes } = value;
-	if (typeof id !== "string" || !isRecord(attributes)) return null;
-	const { serialNumber, certificateType, expirationDate, certificateContent, displayName } = attributes;
-	if (typeof serialNumber !== "string" || typeof certificateType !== "string" || typeof expirationDate !== "string") return null;
-	return {
-		id,
-		serialNumber,
-		certificateType,
-		expirationDate,
-		certificateContent: typeof certificateContent === "string" ? certificateContent : null,
-		displayName: typeof displayName === "string" ? displayName : null
-	};
-};
-const toAscBundleId = (value) => {
-	if (!isRecord(value)) return null;
-	const { id, attributes } = value;
-	if (typeof id !== "string" || !isRecord(attributes)) return null;
-	const { identifier, name } = attributes;
-	if (typeof identifier !== "string" || typeof name !== "string") return null;
+const runIosSimulatorBuild = (input) => Effect.gen(function* () {
+	const { projectRoot, iosProfile, envVars, tempDir } = input;
+	const runtime = yield* CliRuntime;
+	const iosDir = path.join(projectRoot, "ios");
+	const commandEnv = yield* runtime.commandEnvironment(envVars);
+	yield* prebuildAndPods({
+		projectRoot,
+		iosDir,
+		commandEnv
+	});
+	const workspaceFilename = yield* findXcworkspace(iosDir);
+	const scheme = iosProfile.scheme ?? workspaceFilename.replace(/\.xcworkspace$/u, "");
+	const configuration = iosProfile.buildConfiguration ?? "Release";
+	const derivedDataPath = path.join(tempDir, "derived-data");
+	const buildCmd = Command.make("xcodebuild", "-workspace", workspaceFilename, "-scheme", scheme, "-configuration", configuration, "-sdk", "iphonesimulator", "-destination", "generic/platform=iOS Simulator", "-derivedDataPath", derivedDataPath, "build", "CODE_SIGNING_ALLOWED=NO", "CODE_SIGNING_REQUIRED=NO", "CODE_SIGN_IDENTITY=").pipe(Command.workingDirectory(iosDir), Command.env(commandEnv));
+	const formatter = input.rawOutput ? void 0 : createXcodebuildFormatter(projectRoot);
+	yield* formatter ? runStepFormatted(buildCmd, "xcodebuild build (simulator)", formatter) : runStep(buildCmd, "xcodebuild build (simulator)");
+	const appDir = yield* findAppDirectory(path.join(derivedDataPath, "Build", "Products", `${configuration}-iphonesimulator`));
+	const archiveName = `${path.basename(appDir, ".app")}-simulator.tar.gz`;
+	const archivePath = path.join(tempDir, archiveName);
+	yield* runStep(Command.make("tar", "-czf", archivePath, "-C", path.dirname(appDir), path.basename(appDir)).pipe(Command.env(commandEnv)), "tar simulator .app");
+	const { sha256, byteSize } = yield* sha256File(archivePath);
 	return {
-		id,
-		identifier,
-		name
+		artifactPath: archivePath,
+		byteSize,
+		sha256
 	};
+});
+const fetchAllCredentials = (params) => params.input.credentialsSource === "local" ? loadLocalIosCredentials({
+	projectRoot: params.input.projectRoot,
+	mainBundleIdentifier: params.mainBundleIdentifier
+}) : downloadIosCredentials(params.api, {
+	projectId: params.input.projectId,
+	mainBundleIdentifier: params.mainBundleIdentifier,
+	bundleIdentifiers: params.allBundleIdentifiers,
+	distribution: params.input.iosProfile.distribution,
+	tempDir: params.input.tempDir
+});
+const installPerTarget = (signedTargets, credentials, credentialsSource) => Effect.gen(function* () {
+	const profileByBundle = new Map(credentials.profiles.map((profile) => [profile.bundleIdentifier, profile]));
+	const missing = signedTargets.filter((target) => !profileByBundle.has(target.bundleId));
+	if (missing.length > 0) {
+		const list = missing.map((target) => `"${target.targetName}" (${target.bundleId})`).join(", ");
+		const hint = credentialsSource === "local" ? "Add the missing entries to credentials.json under ios.additionalProvisioningProfiles." : "Register the bundle identifier(s) in the dashboard and bind a provisioning profile.";
+		return yield* new MissingCredentialsError({
+			message: `Missing provisioning profile for signed target(s): ${list}.`,
+			hint
+		});
+	}
+	return yield* Effect.forEach(signedTargets, (target) => installProfileForTarget(target, profileByBundle));
+});
+const installProfileForTarget = (target, profileByBundle) => {
+	const profile = profileByBundle.get(target.bundleId);
+	if (!profile) return Effect.fail(new ProvisioningError({ message: `Internal: no profile for ${target.bundleId} after pre-check.` }));
+	return installProvisioningProfile({ profilePath: profile.profilePath }).pipe(Effect.map((installed) => ({
+		target,
+		profile,
+		installed
+	})));
 };
-const PROFILE_TYPES = [
-	"IOS_APP_ADHOC",
-	"IOS_APP_DEVELOPMENT",
-	"IOS_APP_STORE",
-	"IOS_APP_INHOUSE"
-];
-const asProfileType = (value) => {
-	const match = PROFILE_TYPES.find((entry) => entry === value);
-	return match === void 0 ? null : match;
-};
-const toAscProfile = (value) => {
-	if (!isRecord(value)) return null;
-	const { id, attributes } = value;
-	if (typeof id !== "string" || !isRecord(attributes)) return null;
-	const { name, uuid, expirationDate, profileContent } = attributes;
-	const profileType = asProfileType(attributes["profileType"]);
-	if (typeof name !== "string" || typeof uuid !== "string" || typeof expirationDate !== "string" || typeof profileContent !== "string" || profileType === null) return null;
+const pickMainTarget = (signedTargets) => signedTargets.find((target) => target.productType === "com.apple.product-type.application") ?? signedTargets[0];
+const runIosDeviceBuild = (input) => Effect.gen(function* () {
+	const { api, tempDir, projectRoot, iosProfile, envVars } = input;
+	const runtime = yield* CliRuntime;
+	const fs = yield* FileSystem.FileSystem;
+	const iosDir = path.join(projectRoot, "ios");
+	const { distribution } = iosProfile;
+	const commandEnv = yield* runtime.commandEnvironment(envVars);
+	yield* prebuildAndPods({
+		projectRoot,
+		iosDir,
+		commandEnv
+	});
+	const workspaceFilename = yield* findXcworkspace(iosDir);
+	const scheme = iosProfile.scheme ?? workspaceFilename.replace(/\.xcworkspace$/u, "");
+	const configuration = iosProfile.buildConfiguration ?? "Release";
+	const signedTargets = yield* discoverSignedTargets({
+		iosDir,
+		configurationName: configuration
+	});
+	const mainTarget = pickMainTarget(signedTargets);
+	if (!mainTarget) return yield* new BuildFailedError({
+		step: "discover signed targets",
+		exitCode: 1,
+		message: `No signed iOS targets found in the Xcode project for configuration "${configuration}".`
+	});
+	const credentials = yield* fetchAllCredentials({
+		api,
+		input,
+		mainBundleIdentifier: mainTarget.bundleId,
+		allBundleIdentifiers: signedTargets.map((target) => target.bundleId)
+	});
+	const keychain = yield* acquireKeychain({
+		tempDir,
+		p12Path: credentials.p12Path,
+		p12Password: credentials.p12Password
+	});
+	const installedTargets = yield* installPerTarget(signedTargets, credentials, input.credentialsSource);
+	yield* applyTargetSigning({
+		iosDir,
+		entries: installedTargets.map(({ target, installed }) => ({
+			targetName: target.targetName,
+			buildConfigurationUuids: target.buildConfigurationUuids,
+			settings: {
+				teamId: installed.teamId,
+				signingIdentity: keychain.signingIdentity,
+				profileSpecifier: installed.name
+			}
+		}))
+	});
+	const archivePath = path.join(tempDir, "build.xcarchive");
+	const archiveCmd = Command.make("xcodebuild", "-workspace", workspaceFilename, "-scheme", scheme, "-configuration", configuration, "-archivePath", archivePath, "-allowProvisioningUpdates", "archive").pipe(Command.workingDirectory(iosDir), Command.env(commandEnv));
+	const formatter = input.rawOutput ? void 0 : createXcodebuildFormatter(projectRoot);
+	yield* formatter ? runStepFormatted(archiveCmd, "xcodebuild archive", formatter) : runStep(archiveCmd, "xcodebuild archive");
+	const exportOptionsPath = path.join(tempDir, "ExportOptions.plist");
+	const mainInstall = installedTargets.find((entry) => entry.target.targetName === mainTarget.targetName);
+	if (!mainInstall) return yield* new BuildFailedError({
+		step: "resolve main target signing",
+		exitCode: 1,
+		message: `Internal: main target "${mainTarget.targetName}" was not in the installed list.`
+	});
+	const { teamId } = mainInstall.installed;
+	yield* fs.writeFileString(exportOptionsPath, renderExportOptionsPlist({
+		method: distribution,
+		teamId,
+		provisioningProfiles: installedTargets.map(({ target, installed }) => ({
+			bundleId: target.bundleId,
+			profileName: installed.name
+		}))
+	}));
+	const exportPath = path.join(tempDir, "export");
+	const exportCmd = Command.make("xcodebuild", "-exportArchive", "-archivePath", archivePath, "-exportPath", exportPath, "-exportOptionsPlist", exportOptionsPath, "-allowProvisioningUpdates").pipe(Command.workingDirectory(iosDir), Command.env(commandEnv));
+	yield* formatter ? runStepFormatted(exportCmd, "xcodebuild exportArchive", formatter) : runStep(exportCmd, "xcodebuild exportArchive");
+	yield* validateIosBuild({
+		archivePath,
+		expectedTeamId: teamId,
+		expectedTargets: installedTargets.map(({ target, installed }) => ({
+			bundleId: target.bundleId,
+			profileUuid: installed.uuid
+		}))
+	});
+	const artifactPath = yield* findIosArtifact({ exportPath });
+	const { sha256, byteSize } = yield* sha256File(artifactPath);
+	return {
+		artifactPath,
+		byteSize,
+		sha256
+	};
+});
+const runIosBuild = (input) => input.iosProfile.simulator === true ? runIosSimulatorBuild(input) : runIosDeviceBuild(input);
+
+//#endregion
+//#region src/commands/build/reserve-and-upload.ts
+const buildReserveCommon = (input) => ({
+	projectId: input.projectId,
+	profile: input.profileName,
+	runtimeVersion: input.runtimeVersion,
+	bundleId: input.bundleId,
+	sha256: input.sha256,
+	byteSize: input.byteSize,
+	...input.appVersion === void 0 ? {} : { appVersion: input.appVersion },
+	...input.buildNumber === void 0 ? {} : { buildNumber: input.buildNumber },
+	...input.gitContext.ref === void 0 ? {} : { gitRef: input.gitContext.ref },
+	...input.gitContext.commit === void 0 ? {} : { gitCommit: input.gitContext.commit },
+	...input.message === void 0 ? {} : { message: input.message }
+});
+const callReserve = (api, input) => {
+	const common = buildReserveCommon(input);
+	const { target } = input;
+	if (target.platform === "ios") return target.distribution === "simulator" ? api.builds.reserve({ payload: {
+		...common,
+		platform: "ios",
+		distribution: "simulator",
+		artifactFormat: "tar.gz"
+	} }) : api.builds.reserve({ payload: {
+		...common,
+		platform: "ios",
+		distribution: target.distribution,
+		artifactFormat: "ipa"
+	} });
+	return target.distribution === "play-store" ? api.builds.reserve({ payload: {
+		...common,
+		platform: "android",
+		distribution: "play-store",
+		artifactFormat: "aab"
+	} }) : api.builds.reserve({ payload: {
+		...common,
+		platform: "android",
+		distribution: "direct",
+		artifactFormat: "apk"
+	} });
+};
+/**
+* Reserve a build record on the server, upload the artifact to the returned
+* presigned URL, and finalize the build with its sha256 + byteSize.
+*/
+const reserveAndUpload = (api, input) => Effect.gen(function* () {
+	const presignedUploadClient = yield* PresignedUploadClient;
+	const reserveResult = yield* callReserve(api, input).pipe(Effect.mapError((cause) => new ReserveError({ message: `Failed to reserve build: ${formatCause(cause)}` })));
+	yield* presignedUploadClient.putToPresignedUrl({
+		url: reserveResult.uploadUrl,
+		filePath: input.artifactPath,
+		byteSize: input.byteSize,
+		expiresAt: reserveResult.uploadExpiresAt,
+		headers: reserveResult.uploadHeaders
+	});
+	const completed = yield* api.builds.complete({
+		path: { id: reserveResult.id },
+		payload: {
+			sha256: input.sha256,
+			byteSize: input.byteSize
+		}
+	}).pipe(Effect.mapError((cause) => new CompleteError({ message: `Failed to complete build ${reserveResult.id}: ${formatCause(cause)}` })));
+	if (!completed.artifact) return yield* new CompleteError({ message: `Build ${completed.id} completed but server returned no artifact record.` });
+	return {
+		id: completed.id,
+		status: "uploaded"
+	};
+});
+
+//#endregion
+//#region src/lib/auto-increment.ts
+const bumpBuildNumber = (current) => Effect.gen(function* () {
+	const raw = current ?? "0";
+	const parsed = Number.parseInt(raw, 10);
+	if (Number.isNaN(parsed)) return yield* new BuildProfileError({ message: `Cannot autoIncrement ios.buildNumber: current value "${raw}" is not a base-10 integer.` });
+	return String(parsed + 1);
+});
+const bumpVersionCode = (current) => Effect.gen(function* () {
+	const value = current ?? 0;
+	if (!Number.isInteger(value) || value < 0) return yield* new BuildProfileError({ message: `Cannot autoIncrement android.versionCode: current value ${String(value)} is not a non-negative integer.` });
+	return value + 1;
+});
+const SEMVER_PATCH = /^(\d+)\.(\d+)\.(\d+)(.*)$/u;
+const bumpVersion = (current) => Effect.gen(function* () {
+	if (current === void 0) return yield* new BuildProfileError({ message: "Cannot autoIncrement version: no `version` field set in Expo config." });
+	const match = SEMVER_PATCH.exec(current);
+	if (!match) return yield* new BuildProfileError({ message: `Cannot autoIncrement version: "${current}" is not a semver string like "1.2.3".` });
+	const [, major, minor, patch, suffix] = match;
+	const nextPatch = Number.parseInt(patch ?? "0", 10) + 1;
+	return `${major ?? "0"}.${minor ?? "0"}.${String(nextPatch)}${suffix ?? ""}`;
+});
+const computeIosBumps = (config, mode) => Effect.gen(function* () {
+	if (mode === "buildNumber") return { nextBuildNumber: yield* bumpBuildNumber(config.ios?.buildNumber) };
+	return {
+		nextVersion: yield* bumpVersion(config.version),
+		nextBuildNumber: yield* bumpBuildNumber(config.ios?.buildNumber)
+	};
+});
+const computeAndroidBumps = (config, mode) => Effect.gen(function* () {
+	if (mode === "versionCode") return { nextVersionCode: yield* bumpVersionCode(config.android?.versionCode) };
+	return {
+		nextVersion: yield* bumpVersion(config.version),
+		nextVersionCode: yield* bumpVersionCode(config.android?.versionCode)
+	};
+});
+const buildPatch = (platform, bumps) => {
+	const patch = {};
+	if (bumps.nextVersion !== void 0) patch["version"] = bumps.nextVersion;
+	if (platform === "ios" && bumps.nextBuildNumber !== void 0) patch["ios"] = { buildNumber: bumps.nextBuildNumber };
+	if (platform === "android" && bumps.nextVersionCode !== void 0) patch["android"] = { versionCode: bumps.nextVersionCode };
+	return patch;
+};
+const describeBumps = (platform, bumps) => {
+	const parts = [];
+	if (bumps.nextVersion !== void 0) parts.push(`version=${bumps.nextVersion}`);
+	if (platform === "ios" && bumps.nextBuildNumber !== void 0) parts.push(`ios.buildNumber=${bumps.nextBuildNumber}`);
+	if (platform === "android" && bumps.nextVersionCode !== void 0) parts.push(`android.versionCode=${String(bumps.nextVersionCode)}`);
+	return parts.join(", ");
+};
+const computeBumps = (input) => {
+	if (input.platform === "ios") return input.iosMode === void 0 ? Effect.succeed({}) : computeIosBumps(input.config, input.iosMode);
+	return input.androidMode === void 0 ? Effect.succeed({}) : computeAndroidBumps(input.config, input.androidMode);
+};
+const hasAnyBump = (bumps) => bumps.nextVersion !== void 0 || bumps.nextBuildNumber !== void 0 || bumps.nextVersionCode !== void 0;
+/**
+* Bump `version` / `ios.buildNumber` / `android.versionCode` per the resolved
+* autoIncrement mode, persist via `@expo/config.modifyConfigAsync`, and log a
+* Human-readable summary. No-op when the mode is undefined. Returns the new
+* Bumped values so callers can refresh their in-memory ExpoConfig.
+*/
+const applyAutoIncrement = (input) => Effect.gen(function* () {
+	const bumps = yield* computeBumps(input);
+	if (!hasAnyBump(bumps)) return bumps;
+	const patch = buildPatch(input.platform, bumps);
+	const result = yield* writeExpoConfigPatch(input.projectRoot, patch).pipe(Effect.mapError((cause) => new BuildProfileError({ message: `Failed to persist autoIncrement: ${cause.message}` })));
+	if (result.type === "warn" && result.configPath === null) {
+		yield* Console.log(`autoIncrement: dynamic Expo config detected, cannot write back. Update manually: ${describeBumps(input.platform, bumps)}`);
+		return bumps;
+	}
+	yield* Console.log(`autoIncrement: bumped ${describeBumps(input.platform, bumps)}`);
+	return bumps;
+});
+
+//#endregion
+//#region src/lib/eas-config.ts
+const MAX_EXTENDS_DEPTH = 10;
+const asStringValue = (value) => typeof value === "string" ? value : void 0;
+const asBooleanValue = (value) => typeof value === "boolean" ? value : void 0;
+const asEnv = (value) => {
+	const record = asRecord(value);
+	if (!record) return;
+	const env = {};
+	for (const [key, raw] of Object.entries(record)) if (typeof raw === "string") env[key] = raw;
+	return Object.keys(env).length === 0 ? void 0 : env;
+};
+const asIosDistribution = (raw) => {
+	const value = asStringValue(raw);
+	if (value === "app-store" || value === "ad-hoc" || value === "development" || value === "enterprise") return value;
+};
+const asEnterpriseProvisioning = (raw) => {
+	const value = asStringValue(raw);
+	return value === "adhoc" || value === "universal" ? value : void 0;
+};
+const asAndroidBuildType = (raw) => {
+	const value = asStringValue(raw);
+	return value === "debug" || value === "release" ? value : void 0;
+};
+const asAndroidFormat = (raw) => {
+	const value = asStringValue(raw);
+	return value === "apk" || value === "aab" ? value : void 0;
+};
+const asAndroidDistribution = (raw) => {
+	const value = asStringValue(raw);
+	return value === "play-store" || value === "direct" ? value : void 0;
+};
+const asIosAutoIncrement = (raw) => {
+	if (typeof raw === "boolean") return raw;
+	const value = asStringValue(raw);
+	return value === "buildNumber" || value === "version" ? value : void 0;
+};
+const asAndroidAutoIncrement = (raw) => {
+	if (typeof raw === "boolean") return raw;
+	const value = asStringValue(raw);
+	return value === "versionCode" || value === "version" ? value : void 0;
+};
+const asAutoIncrement = (raw) => {
+	if (typeof raw === "boolean") return raw;
+	const value = asStringValue(raw);
+	return value === "buildNumber" || value === "versionCode" || value === "version" ? value : void 0;
+};
+const asEasDistribution = (raw) => {
+	const value = asStringValue(raw);
+	return value === "internal" || value === "store" ? value : void 0;
+};
+const asCredentialsSource = (raw) => {
+	const value = asStringValue(raw);
+	return value === "remote" || value === "local" ? value : void 0;
+};
+const parseIosProfile = (raw) => {
+	const record = asRecord(raw);
+	if (!record) return;
+	const distribution = asIosDistribution(record["distribution"]);
+	const buildConfiguration = asStringValue(record["buildConfiguration"]);
+	const scheme = asStringValue(record["scheme"]);
+	const simulator = asBooleanValue(record["simulator"]);
+	const enterpriseProvisioning = asEnterpriseProvisioning(record["enterpriseProvisioning"]);
+	const autoIncrement = asIosAutoIncrement(record["autoIncrement"]);
+	return {
+		...distribution === void 0 ? {} : { distribution },
+		...buildConfiguration === void 0 ? {} : { buildConfiguration },
+		...scheme === void 0 ? {} : { scheme },
+		...simulator === void 0 ? {} : { simulator },
+		...enterpriseProvisioning === void 0 ? {} : { enterpriseProvisioning },
+		...autoIncrement === void 0 ? {} : { autoIncrement }
+	};
+};
+const parseAndroidProfile = (raw) => {
+	const record = asRecord(raw);
+	if (!record) return;
+	const buildType = asAndroidBuildType(record["buildType"]);
+	const flavor = asStringValue(record["flavor"]);
+	const gradleCommand = asStringValue(record["gradleCommand"]);
+	const format = asAndroidFormat(record["format"]);
+	const distribution = asAndroidDistribution(record["distribution"]);
+	const autoIncrement = asAndroidAutoIncrement(record["autoIncrement"]);
+	return {
+		...buildType === void 0 ? {} : { buildType },
+		...flavor === void 0 ? {} : { flavor },
+		...gradleCommand === void 0 ? {} : { gradleCommand },
+		...format === void 0 ? {} : { format },
+		...distribution === void 0 ? {} : { distribution },
+		...autoIncrement === void 0 ? {} : { autoIncrement }
+	};
+};
+const parseBuildProfile = (raw) => {
+	const record = asRecord(raw);
+	if (!record) return;
+	const extendsName = asStringValue(record["extends"]);
+	const developmentClient = asBooleanValue(record["developmentClient"]);
+	const distribution = asEasDistribution(record["distribution"]);
+	const channel = asStringValue(record["channel"]);
+	const environment = asStringValue(record["environment"]);
+	const env = asEnv(record["env"]);
+	const ios = parseIosProfile(record["ios"]);
+	const android = parseAndroidProfile(record["android"]);
+	const credentialsSource = asCredentialsSource(record["credentialsSource"]);
+	const autoIncrement = asAutoIncrement(record["autoIncrement"]);
+	return {
+		...extendsName === void 0 ? {} : { extends: extendsName },
+		...developmentClient === void 0 ? {} : { developmentClient },
+		...distribution === void 0 ? {} : { distribution },
+		...channel === void 0 ? {} : { channel },
+		...environment === void 0 ? {} : { environment },
+		...env === void 0 ? {} : { env },
+		...ios === void 0 ? {} : { ios },
+		...android === void 0 ? {} : { android },
+		...credentialsSource === void 0 ? {} : { credentialsSource },
+		...autoIncrement === void 0 ? {} : { autoIncrement }
+	};
+};
+const parseEasConfig = (text) => Effect.gen(function* () {
+	const root = asRecord(yield* Effect.try({
+		try: () => JSON.parse(text),
+		catch: (cause) => new BuildProfileError({ message: `eas.json is not valid JSON: ${formatCause(cause)}` })
+	}));
+	if (!root) return yield* new BuildProfileError({ message: "eas.json must be a JSON object at the top level." });
+	const buildRecord = asRecord(root["build"]);
+	if (!buildRecord) return asRecord(root["cli"]) ? { cli: parseCli(root["cli"]) } : {};
+	const profiles = {};
+	for (const [name, value] of Object.entries(buildRecord)) {
+		const profile = parseBuildProfile(value);
+		if (profile) profiles[name] = profile;
+	}
 	return {
-		id,
-		name,
-		uuid,
-		expirationDate,
-		profileContent,
-		profileType
+		...asRecord(root["cli"]) ? { cli: parseCli(root["cli"]) } : {},
+		build: profiles
 	};
+});
+const parseCli = (raw) => {
+	const record = asRecord(raw);
+	if (!record) return {};
+	const version = asStringValue(record["version"]);
+	return version === void 0 ? {} : { version };
 };
-const toAscDevice = (value) => {
-	if (!isRecord(value)) return null;
-	const { id, attributes } = value;
-	if (typeof id !== "string" || !isRecord(attributes)) return null;
-	const { udid, name } = attributes;
-	if (typeof udid !== "string" || typeof name !== "string") return null;
+const easJsonPath = (projectRoot) => Effect.gen(function* () {
+	return (yield* Path.Path).join(projectRoot, "eas.json");
+});
+const readEasJson = (projectRoot) => Effect.gen(function* () {
+	const fs = yield* FileSystem.FileSystem;
+	const filePath = yield* easJsonPath(projectRoot);
+	return yield* parseEasConfig(yield* fs.readFileString(filePath).pipe(Effect.catchAll((cause) => Effect.fail(new BuildProfileError({ message: cause._tag === "SystemError" && cause.reason === "NotFound" ? `No eas.json found at ${filePath}. Create one with a "build" section.` : `Failed to read eas.json: ${cause.message}` })))));
+});
+const mergeIos = (base, overlay) => {
+	if (!base) return overlay;
+	if (!overlay) return base;
 	return {
-		id,
-		udid,
-		name
+		...base,
+		...overlay
 	};
 };
-const extractList = (body, map) => {
-	if (!isRecord(body) || !Array.isArray(body["data"])) return [];
-	return body["data"].map(map).filter((value) => value !== null);
+const mergeAndroid = (base, overlay) => {
+	if (!base) return overlay;
+	if (!overlay) return base;
+	return {
+		...base,
+		...overlay
+	};
 };
-const extractSingle = (body, map) => {
-	if (!isRecord(body)) return null;
-	return map(body["data"]);
+const mergeEnv = (base, overlay) => {
+	if (!base) return overlay;
+	if (!overlay) return base;
+	return {
+		...base,
+		...overlay
+	};
 };
-const malformed = (resource) => new AscApiError({
-	status: 500,
-	message: `Malformed ${resource} response`,
-	code: void 0,
-	raw: ""
-});
-const withJwt = (credentials, fn) => Effect.gen(function* () {
-	return yield* fn(yield* signAscJwt(credentials));
-});
-const listCertificates = (credentials, params) => withJwt(credentials, (jwt) => Effect.gen(function* () {
-	return extractList(yield* fetchRaw(jwt, `/v1/certificates${params?.certificateType ? `?filter[certificateType]=${params.certificateType}&limit=200` : "?limit=200"}`), toAscCertificate);
-}));
-const createCertificate = (credentials, params) => withJwt(credentials, (jwt) => Effect.gen(function* () {
-	const csrContent = params.csrPem.replaceAll("-----BEGIN CERTIFICATE REQUEST-----", "").replaceAll("-----END CERTIFICATE REQUEST-----", "").replaceAll(/\s+/gu, "");
-	const resource = extractSingle(yield* fetchRaw(jwt, "/v1/certificates", {
-		method: "POST",
-		body: JSON.stringify({ data: {
-			type: "certificates",
-			attributes: {
-				csrContent,
-				certificateType: params.certificateType
-			}
-		} })
-	}), toAscCertificate);
-	if (resource === null) return yield* Effect.fail(malformed("certificate"));
-	return resource;
-}));
-const deleteCertificate = (credentials, id) => withJwt(credentials, (jwt) => Effect.gen(function* () {
-	yield* fetchRaw(jwt, `/v1/certificates/${encodeURIComponent(id)}`, { method: "DELETE" });
-}));
-const listBundleIds = (credentials) => withJwt(credentials, (jwt) => Effect.gen(function* () {
-	return extractList(yield* fetchRaw(jwt, "/v1/bundleIds?limit=200"), toAscBundleId);
-}));
-const createBundleId = (credentials, params) => withJwt(credentials, (jwt) => Effect.gen(function* () {
-	const resource = extractSingle(yield* fetchRaw(jwt, "/v1/bundleIds", {
-		method: "POST",
-		body: JSON.stringify({ data: {
-			type: "bundleIds",
-			attributes: {
-				identifier: params.identifier,
-				name: params.name,
-				platform: "IOS"
-			}
-		} })
-	}), toAscBundleId);
-	if (resource === null) return yield* Effect.fail(malformed("bundleId"));
-	return resource;
-}));
-const listDevices = (credentials) => withJwt(credentials, (jwt) => Effect.gen(function* () {
-	return extractList(yield* fetchRaw(jwt, "/v1/devices?limit=200"), toAscDevice);
-}));
-const createProvisioningProfile = (credentials, params) => withJwt(credentials, (jwt) => Effect.gen(function* () {
-	const relationships = {
-		bundleId: { data: {
-			type: "bundleIds",
-			id: params.bundleIdAscId
-		} },
-		certificates: { data: params.certificateAscIds.map((id) => ({
-			type: "certificates",
-			id
-		})) },
-		...params.deviceAscIds.length > 0 ? { devices: { data: params.deviceAscIds.map((id) => ({
-			type: "devices",
-			id
-		})) } } : {}
+const mergeProfile = (base, overlay) => {
+	const ios = mergeIos(base.ios, overlay.ios);
+	const android = mergeAndroid(base.android, overlay.android);
+	const env = mergeEnv(base.env, overlay.env);
+	const developmentClient = overlay.developmentClient ?? base.developmentClient;
+	const distribution = overlay.distribution ?? base.distribution;
+	const channel = overlay.channel ?? base.channel;
+	const environment = overlay.environment ?? base.environment;
+	const credentialsSource = overlay.credentialsSource ?? base.credentialsSource;
+	const autoIncrement = overlay.autoIncrement ?? base.autoIncrement;
+	return {
+		...overlay.extends === void 0 ? {} : { extends: overlay.extends },
+		...developmentClient === void 0 ? {} : { developmentClient },
+		...distribution === void 0 ? {} : { distribution },
+		...channel === void 0 ? {} : { channel },
+		...environment === void 0 ? {} : { environment },
+		...env === void 0 ? {} : { env },
+		...ios === void 0 ? {} : { ios },
+		...android === void 0 ? {} : { android },
+		...credentialsSource === void 0 ? {} : { credentialsSource },
+		...autoIncrement === void 0 ? {} : { autoIncrement }
 	};
-	const resource = extractSingle(yield* fetchRaw(jwt, "/v1/profiles", {
-		method: "POST",
-		body: JSON.stringify({ data: {
-			type: "profiles",
-			attributes: {
-				name: params.profileName,
-				profileType: params.profileType
-			},
-			relationships
-		} })
-	}), toAscProfile);
-	if (resource === null) return yield* Effect.fail(malformed("profile"));
-	return resource;
-}));
-const isCertificateLimitError = (error) => {
-	if (error._tag !== "AscApiError") return false;
-	return /already have a current.*certificate|pending certificate request/iu.test(error.message);
 };
+const collectExtendsChain = (profiles, profileName) => Effect.gen(function* () {
+	const chain = [];
+	const visited = /* @__PURE__ */ new Set();
+	let current = profileName;
+	let depth = 0;
+	while (current !== void 0) {
+		if (visited.has(current)) return yield* new BuildProfileError({ message: `Cycle detected in eas.json build.${profileName} extends chain at "${current}".` });
+		visited.add(current);
+		const profile = profiles[current];
+		if (!profile) return yield* new BuildProfileError({ message: current === profileName ? `Build profile "${profileName}" not found in eas.json.` : `Build profile "${profileName}" extends missing profile "${current}".` });
+		chain.unshift(profile);
+		current = profile.extends;
+		depth += 1;
+		if (depth > MAX_EXTENDS_DEPTH) return yield* new BuildProfileError({ message: `Too many "extends" levels (max ${String(MAX_EXTENDS_DEPTH)}) in eas.json build.${profileName}.` });
+	}
+	return chain;
+});
+const stripExtends = (profile) => {
+	if (profile.extends === void 0) return profile;
+	const { extends: _omit, ...rest } = profile;
+	return rest;
+};
+const resolveEasBuildProfile = (config, profileName) => Effect.gen(function* () {
+	const profiles = config.build;
+	if (!profiles) return yield* new BuildProfileError({ message: "eas.json has no \"build\" section. Add at least one profile." });
+	return stripExtends((yield* collectExtendsChain(profiles, profileName)).reduce((acc, next, index) => index === 0 ? next : mergeProfile(acc, next), {}));
+});
 
 //#endregion
-//#region src/lib/apple-cert-to-p12.ts
-var CertParseError = class extends Data.TaggedError("CertParseError") {};
-const APPLE_TEAM_ID_RE$1 = /^[A-Z0-9]{10}$/u;
-const stringField = (cert, name) => {
-	const value = cert.subject.getField(name)?.value;
-	return typeof value === "string" ? value : null;
+//#region src/lib/build-profile.ts
+const asString$1 = (value) => typeof value === "string" ? value : void 0;
+const deriveIosDistribution = (eas) => {
+	const override = eas.ios?.distribution;
+	if (override) return override;
+	if (eas.developmentClient === true) return "development";
+	if (eas.distribution === "internal") return "ad-hoc";
+	if (eas.distribution === "store") return "app-store";
 };
-const matchTeamFromCommonName = (cn) => {
-	const match = /\(([A-Z0-9]{10})\)/u.exec(cn);
-	if (match === null) return null;
-	const [, captured] = match;
-	return captured === void 0 ? null : captured;
+const deriveAndroidFormat = (eas) => {
+	if (eas.android?.format) return eas.android.format;
+	if (eas.distribution === "store") return "aab";
+	if (eas.distribution === "internal") return "apk";
+	if (eas.developmentClient === true) return "apk";
 };
-const extractTeamId$1 = (cert) => {
-	const ou = stringField(cert, "OU");
-	if (ou !== null && APPLE_TEAM_ID_RE$1.test(ou)) return ou;
-	const cn = stringField(cert, "CN");
-	if (cn === null) return null;
-	return matchTeamFromCommonName(cn);
+const deriveAndroidDistribution = (eas, format) => {
+	if (eas.android?.distribution) return eas.android.distribution;
+	if (format === "aab") return "play-store";
+	return "direct";
+};
+const hasIosIntent = (eas) => eas.ios !== void 0 || eas.distribution !== void 0 || eas.developmentClient === true;
+const hasAndroidIntent = (eas) => eas.android !== void 0 || eas.distribution !== void 0 || eas.developmentClient === true;
+const resolveIosAutoIncrement = (eas) => {
+	const override = eas.ios?.autoIncrement;
+	if (override === false) return;
+	if (override === true) return "buildNumber";
+	if (override === "buildNumber" || override === "version") return override;
+	const top = eas.autoIncrement;
+	if (top === true || top === "buildNumber") return "buildNumber";
+	if (top === "version") return "version";
+};
+const resolveAndroidAutoIncrement = (eas) => {
+	const override = eas.android?.autoIncrement;
+	if (override === false) return;
+	if (override === true) return "versionCode";
+	if (override === "versionCode" || override === "version") return override;
+	const top = eas.autoIncrement;
+	if (top === true || top === "versionCode") return "versionCode";
+	if (top === "version") return "version";
+};
+const toIosProfile = (eas) => {
+	if (!hasIosIntent(eas)) return;
+	const distribution = deriveIosDistribution(eas);
+	if (!distribution) return;
+	const ios = eas.ios ?? {};
+	const autoIncrement = resolveIosAutoIncrement(eas);
+	return {
+		distribution,
+		...ios.buildConfiguration === void 0 ? {} : { buildConfiguration: ios.buildConfiguration },
+		...ios.scheme === void 0 ? {} : { scheme: ios.scheme },
+		...ios.simulator === void 0 ? {} : { simulator: ios.simulator },
+		...autoIncrement === void 0 ? {} : { autoIncrement }
+	};
 };
-const parseCert = (certDerBytes) => {
-	const asn1 = forge.asn1.fromDer(certDerBytes);
-	return forge.pki.certificateFromAsn1(asn1);
+const toAndroidProfile = (eas) => {
+	if (!hasAndroidIntent(eas)) return;
+	const format = deriveAndroidFormat(eas);
+	if (!format) return;
+	const android = eas.android ?? {};
+	const distribution = deriveAndroidDistribution(eas, format);
+	const autoIncrement = resolveAndroidAutoIncrement(eas);
+	return {
+		format,
+		distribution,
+		...android.buildType === void 0 ? {} : { buildType: android.buildType },
+		...android.flavor === void 0 ? {} : { flavor: android.flavor },
+		...android.gradleCommand === void 0 ? {} : { gradleCommand: android.gradleCommand },
+		...autoIncrement === void 0 ? {} : { autoIncrement }
+	};
 };
-const generatePassword = () => forge.util.encode64(forge.random.getBytesSync(16));
-const extractCertMetadata = (cert) => Effect.gen(function* () {
-	const appleTeamId = extractTeamId$1(cert);
-	if (appleTeamId === null) return yield* Effect.fail(new CertParseError({ message: "Could not extract Apple team identifier from certificate subject" }));
+const fromEasProfile = (eas, profileName) => {
+	const ios = toIosProfile(eas);
+	const android = toAndroidProfile(eas);
 	return {
-		serialNumber: cert.serialNumber.toUpperCase(),
-		validFrom: cert.validity.notBefore.toISOString(),
-		validUntil: cert.validity.notAfter.toISOString(),
-		appleTeamId,
-		appleTeamName: stringField(cert, "O"),
-		developerIdIdentifier: stringField(cert, "UID"),
-		commonName: stringField(cert, "CN")
+		name: profileName,
+		environment: eas.environment ?? "production",
+		...eas.channel === void 0 ? {} : { channel: eas.channel },
+		...eas.env === void 0 ? {} : { env: eas.env },
+		...ios === void 0 ? {} : { ios },
+		...android === void 0 ? {} : { android },
+		...eas.credentialsSource === void 0 ? {} : { credentialsSource: eas.credentialsSource }
 	};
+};
+const readBuildProfile = (projectRoot, profileName) => Effect.gen(function* () {
+	return fromEasProfile(yield* resolveEasBuildProfile(yield* readEasJson(projectRoot), profileName), profileName);
+});
+const readRuntimeVersionMeta = (config) => ({
+	appVersion: config.version,
+	rawRuntimeVersion: readRawRuntimeVersion(config.runtimeVersion)
 });
+const readRawRuntimeVersion = (value) => {
+	if (typeof value === "string") return value;
+	const policy = asString$1(asRecord(value)?.["policy"]);
+	if (policy) return { policy };
+};
+
+//#endregion
+//#region src/lib/clear-cache.ts
 /**
-* Parse a PKCS#12 base64 bundle and extract certificate metadata. Used by the
-* Apple-ID flow which receives a P12 directly from `createCertificateAndP12Async`
-* and needs metadata before uploading to the better-update server.
+* Project-scoped build cache directories to remove when --clear-cache is passed.
+* Intentionally avoids `~/.gradle/caches` (global) and `ios/Pods/` (requires
+* pod install rebuild — leave to the user).
 */
-const extractMetadataFromP12 = (params) => Effect.gen(function* () {
-	const certBagOid = forge.pki.oids["certBag"];
-	if (certBagOid === void 0) return yield* Effect.fail(new CertParseError({ message: "PKCS#12 OID lookup for certBag failed" }));
-	const [first] = yield* Effect.try({
-		try: () => {
-			const p12Der = forge.util.decode64(params.p12Base64);
-			const p12Asn1 = forge.asn1.fromDer(p12Der);
-			return forge.pkcs12.pkcs12FromAsn1(p12Asn1, false, params.password).getBags({ bagType: certBagOid })[certBagOid] ?? [];
-		},
-		catch: (error) => new CertParseError({ message: `Failed to parse PKCS#12 bundle: ${error instanceof Error ? error.message : String(error)}` })
-	});
-	if (first?.cert === void 0) return yield* Effect.fail(new CertParseError({ message: "PKCS#12 bundle does not contain a certificate" }));
-	return yield* extractCertMetadata(first.cert);
-});
-const buildDistributionCertP12 = (params) => Effect.gen(function* () {
-	const result = yield* Effect.try({
-		try: () => {
-			const cert = parseCert(forge.util.decode64(params.certificateContentBase64));
-			const password = generatePassword();
-			const p12Asn1 = forge.pkcs12.toPkcs12Asn1(params.privateKey, [cert], password, {
-				friendlyName: "key",
-				algorithm: "3des"
-			});
-			return {
-				cert,
-				p12Base64: forge.util.encode64(forge.asn1.toDer(p12Asn1).getBytes()),
-				password
-			};
-		},
-		catch: (error) => new CertParseError({ message: `Failed to assemble .p12: ${error instanceof Error ? error.message : String(error)}` })
-	});
-	const metadata = yield* extractCertMetadata(result.cert);
-	return {
-		p12Base64: result.p12Base64,
-		password: result.password,
-		metadata
-	};
+const CACHE_DIRS = [
+	"android/.gradle",
+	"android/app/build",
+	"android/build",
+	"ios/build",
+	".expo",
+	"node_modules/.cache"
+];
+const clearBuildCaches = (projectRoot) => Effect.gen(function* () {
+	const fs = yield* FileSystem.FileSystem;
+	const removed = [];
+	yield* Effect.forEach(CACHE_DIRS, (rel) => Effect.gen(function* () {
+		const target = path.join(projectRoot, rel);
+		if (!(yield* fs.exists(target).pipe(Effect.catchAll(() => Effect.succeed(false))))) return;
+		yield* fs.remove(target, { recursive: true }).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
+		removed.push(rel);
+	}), { concurrency: 4 });
+	if (removed.length > 0) yield* Console.error(`Cleared caches: ${removed.join(", ")}`);
 });
 
 //#endregion
-//#region src/lib/apple-csr.ts
-const generateRsaKeyPair = async () => new Promise((resolve) => {
-	forge.pki.rsa.generateKeyPair({
-		bits: 2048,
-		workers: 2
-	}, (_err, keyPair) => {
-		resolve(keyPair);
-	});
-});
-const generateCertificateSigningRequest = async () => {
-	const keyPair = await generateRsaKeyPair();
-	const csr = forge.pki.createCertificationRequest();
-	csr.publicKey = keyPair.publicKey;
-	csr.setSubject([{
-		name: "commonName",
-		shortName: "CN",
-		value: "PEM"
-	}]);
-	csr.sign(keyPair.privateKey, forge.md.sha1.create());
-	return {
-		csrPem: forge.pki.certificationRequestToPem(csr),
-		privateKeyPem: forge.pki.privateKeyToPem(keyPair.privateKey),
-		privateKey: keyPair.privateKey
-	};
+//#region src/lib/env-exporter.ts
+const coerceEnvironment = (raw) => raw === "development" || raw === "preview" || raw === "production" ? raw : void 0;
+/**
+* Pull environment variables for a project + environment and flatten them into
+* a key/value map. Returns an empty map when the project has no variables.
+*/
+const pullEnvVars = (api, { projectId, environment }) => {
+	const validated = coerceEnvironment(environment);
+	if (!validated) return Effect.fail(new EnvExportError({ message: `Invalid environment "${environment}". Must be one of: development, preview, production.` }));
+	return api["env-vars"].export({ urlParams: {
+		projectId,
+		environment: validated
+	} }).pipe(Effect.map((result) => Object.fromEntries(result.items.map((item) => [item.key, item.value]))), Effect.mapError((cause) => new EnvExportError({ message: `Failed to export environment variables for "${environment}": ${String(cause)}` })));
 };
 
 //#endregion
-//#region src/lib/credentials-generator.ts
-const DISTRIBUTION_TO_PROFILE_TYPE$1 = {
-	APP_STORE: "IOS_APP_STORE",
-	AD_HOC: "IOS_APP_ADHOC",
-	DEVELOPMENT: "IOS_APP_DEVELOPMENT",
-	ENTERPRISE: "IOS_APP_INHOUSE"
-};
-const computeDeviceRosterHashHex = (ascDeviceIds) => {
-	const sorted = [...ascDeviceIds].toSorted();
-	return createHash("sha256").update(sorted.join(","), "utf8").digest("hex");
-};
-var CertificateLimitError = class extends Data.TaggedError("CertificateLimitError") {};
-var GenerateFailedError = class extends Data.TaggedError("GenerateFailedError") {};
-const messageForAscCause = (cause) => {
-	if (cause._tag === "AscApiError") return cause.message;
-	if (cause._tag === "AppleAuthError") return "Apple JWT signing failed";
-	return "Network error talking to Apple";
-};
-const wrapAscError = (step) => (cause) => {
-	if (cause._tag === "AscApiError" && isCertificateLimitError(cause)) return new CertificateLimitError({ message: cause.message });
-	return new GenerateFailedError({
-		step,
-		message: messageForAscCause(cause)
-	});
-};
-const generateAndUploadKeystore = (api, input) => Effect.scoped(Effect.gen(function* () {
-	const fs = yield* FileSystem.FileSystem;
-	const tempDir = yield* acquireBuildTempDir;
-	const keystorePath = path.join(tempDir, "release.keystore");
-	yield* generateAndroidKeystore({
-		outputPath: keystorePath,
-		keyAlias: input.keyAlias,
-		storePassword: input.storePassword,
-		keyPassword: input.keyPassword,
-		commonName: input.commonName,
-		organization: input.organization,
-		...input.validityDays === void 0 ? {} : { validityDays: input.validityDays }
-	});
-	const bytes = yield* fs.readFile(keystorePath);
-	const created = yield* api.androidUploadKeystores.upload({ payload: {
-		keystoreBase64: toBase64(bytes),
-		keyAlias: input.keyAlias,
-		keystorePassword: input.storePassword,
-		keyPassword: input.keyPassword
-	} });
-	return {
-		id: created.id,
-		keyAlias: created.keyAlias
-	};
-}));
-const fetchAscCredentials = (api, ascApiKeyId) => api.ascApiKeys.getCredentials({ path: { id: ascApiKeyId } });
-const generateAndUploadDistributionCertificate = (api, input) => Effect.gen(function* () {
-	const creds = yield* fetchAscCredentials(api, input.ascApiKeyId);
-	const ascCreds = {
-		keyId: creds.keyId,
-		issuerId: creds.issuerId,
-		p8Pem: creds.p8Pem
-	};
-	const csrResult = yield* Effect.tryPromise({
-		try: generateCertificateSigningRequest,
-		catch: (cause) => new GenerateFailedError({
-			step: "csr",
-			message: `CSR generation failed: ${cause instanceof Error ? cause.message : String(cause)}`
-		})
-	});
-	const certificateType = input.certificateType ?? "IOS_DISTRIBUTION";
-	const apple = yield* createCertificate(ascCreds, {
-		csrPem: csrResult.csrPem,
-		certificateType
-	}).pipe(Effect.mapError(wrapAscError("apple-create-certificate")));
-	if (apple.certificateContent === null) return yield* Effect.fail(new GenerateFailedError({
-		step: "apple-create-certificate",
-		message: "Apple response missing certificateContent"
-	}));
-	const bundle = yield* buildDistributionCertP12({
-		certificateContentBase64: apple.certificateContent,
-		privateKey: csrResult.privateKey
-	}).pipe(Effect.mapError((cause) => new GenerateFailedError({
-		step: "p12-build",
-		message: cause.message
-	})));
-	const created = yield* api.appleDistributionCertificates.upload({ payload: {
-		p12Base64: bundle.p12Base64,
-		p12Password: bundle.password,
-		serialNumber: bundle.metadata.serialNumber,
-		appleTeamIdentifier: bundle.metadata.appleTeamId,
-		...bundle.metadata.appleTeamName === null ? {} : { appleTeamName: bundle.metadata.appleTeamName },
-		...bundle.metadata.developerIdIdentifier === null ? {} : { developerIdIdentifier: bundle.metadata.developerIdIdentifier },
-		validFrom: bundle.metadata.validFrom,
-		validUntil: bundle.metadata.validUntil
-	} });
+//#region src/lib/git-context.ts
+const runString = (cmd, cwd) => Command.string(Command.workingDirectory(cmd, cwd));
+/**
+* Best-effort git context extraction. If git is missing, the directory isn't
+* a repo, or any command fails, we silently return undefined fields so the
+* build can still proceed. This is intentional — git context is metadata,
+* not a requirement.
+*/
+const readGitContext = (projectRoot) => Effect.gen(function* () {
+	const [commit, ref, commitMessage, status] = yield* Effect.all([
+		runString(Command.make("git", "rev-parse", "HEAD"), projectRoot).pipe(Effect.map((output) => output.trim()), Effect.catchAll(() => Effect.succeed(""))),
+		runString(Command.make("git", "symbolic-ref", "--short", "HEAD"), projectRoot).pipe(Effect.map((output) => output.trim()), Effect.catchAll(() => Effect.succeed(""))),
+		runString(Command.make("git", "log", "-1", "--format=%s"), projectRoot).pipe(Effect.map((output) => output.trim()), Effect.catchAll(() => Effect.succeed(""))),
+		runString(Command.make("git", "status", "--porcelain"), projectRoot).pipe(Effect.catchAll(() => Effect.succeed("")))
+	], { concurrency: "unbounded" });
 	return {
-		id: created.id,
-		serialNumber: bundle.metadata.serialNumber,
-		appleTeamId: created.appleTeamId,
-		appleTeamIdentifier: bundle.metadata.appleTeamId,
-		developerPortalIdentifier: apple.id
+		ref: ref.length > 0 ? ref : void 0,
+		commit: commit.length > 0 ? commit : void 0,
+		commitMessage: commitMessage.length > 0 ? commitMessage : void 0,
+		dirty: status.trim().length > 0
 	};
 });
-const revokeAppleCertificate = (api, input) => Effect.gen(function* () {
-	const creds = yield* fetchAscCredentials(api, input.ascApiKeyId);
-	yield* deleteCertificate({
-		keyId: creds.keyId,
-		issuerId: creds.issuerId,
-		p8Pem: creds.p8Pem
-	}, input.developerPortalIdentifier).pipe(Effect.mapError(wrapAscError("apple-revoke-certificate")));
+
+//#endregion
+//#region src/lib/gradle-config.ts
+/**
+* Parse Groovy `build.gradle` to extract key Android config values.
+* Returns `undefined` if:
+* - Only `build.gradle.kts` exists (Kotlin DSL not supported by gradle-to-js)
+* - No build.gradle found at all
+* - Parse fails
+*
+* Informational only — never blocks the build.
+*/
+const readGradleConfig = (androidDir) => Effect.gen(function* () {
+	const fs = yield* FileSystem.FileSystem;
+	const gradlePath = path.join(androidDir, "app", "build.gradle");
+	const ktsPath = path.join(androidDir, "app", "build.gradle.kts");
+	const hasGroovy = yield* fs.exists(gradlePath).pipe(Effect.orElseSucceed(() => false));
+	const hasKts = yield* fs.exists(ktsPath).pipe(Effect.orElseSucceed(() => false));
+	if (!hasGroovy && hasKts) return;
+	if (!hasGroovy) return;
+	const content = yield* fs.readFileString(gradlePath).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
+	if (!content) return;
+	return yield* Effect.tryPromise({
+		try: async () => {
+			return __require("gradle-to-js").parseText(stripGroovyComments(content));
+		},
+		catch: () => void 0
+	}).pipe(Effect.map(extractGradleConfig), Effect.catchAll(() => Effect.succeed(void 0)));
 });
-const revokeLocalDistributionCertificate = (api, input) => Effect.gen(function* () {
-	const local = (yield* api.appleDistributionCertificates.list()).items.find((entry) => entry.id === input.distributionCertificateId);
-	if (local === void 0) return yield* Effect.fail(new GenerateFailedError({
-		step: "load-distribution-certificate",
-		message: `Distribution certificate ${input.distributionCertificateId} not found on this account`
-	}));
-	const creds = yield* fetchAscCredentials(api, input.ascApiKeyId);
-	const ascCreds = {
-		keyId: creds.keyId,
-		issuerId: creds.issuerId,
-		p8Pem: creds.p8Pem
-	};
-	const targetSerial = local.serialNumber.toUpperCase();
-	const matching = yield* Effect.all([listCertificates(ascCreds, { certificateType: "IOS_DISTRIBUTION" }), listCertificates(ascCreds, { certificateType: "IOS_DEVELOPMENT" })], { concurrency: 2 }).pipe(Effect.mapError(wrapAscError("apple-list-certificates")));
-	const ascMatch = [...matching[0], ...matching[1]].find((entry) => entry.serialNumber.toUpperCase() === targetSerial);
-	let revokedOnApple = false;
-	if (ascMatch !== void 0) {
-		yield* deleteCertificate(ascCreds, ascMatch.id).pipe(Effect.mapError(wrapAscError("apple-revoke-certificate")));
-		revokedOnApple = true;
-	}
-	let deletedLocally = false;
-	if (input.keepLocal !== true) {
-		yield* api.appleDistributionCertificates.delete({ path: { id: input.distributionCertificateId } });
-		deletedLocally = true;
-	}
+/**
+* Log a warning if Gradle applicationId differs from app.json package name.
+*/
+const warnOnGradleMismatch = (gradleConfig, expectedPackage) => {
+	if (!gradleConfig?.applicationId) return Effect.void;
+	if (gradleConfig.applicationId === expectedPackage) return Effect.void;
+	return Console.warn(`Gradle applicationId "${gradleConfig.applicationId}" differs from app.json package "${expectedPackage}". The Gradle value will be used in the built APK/AAB.`);
+};
+/**
+* Strip Groovy single-line and block comments.
+* gradle-to-js chokes on comments — EAS CLI does this same pre-processing.
+*/
+const stripGroovyComments = (text) => text.replaceAll(/\/\/.*$/gmu, "").replaceAll(/\/\*[\s\S]*?\*\//gu, "");
+const parseVersionCode = (raw) => {
+	if (typeof raw === "number") return raw;
+	if (typeof raw === "string") return Number.parseInt(raw, 10) || void 0;
+};
+const extractGradleConfig = (parsed) => {
+	const defaultConfig = asRecord(asRecord(parsed["android"])?.["defaultConfig"]);
+	const applicationId = typeof defaultConfig?.["applicationId"] === "string" ? unquote(defaultConfig["applicationId"]) : void 0;
+	const versionCode = parseVersionCode(defaultConfig?.["versionCode"]);
+	const versionName = typeof defaultConfig?.["versionName"] === "string" ? unquote(defaultConfig["versionName"]) : void 0;
 	return {
-		localId: input.distributionCertificateId,
-		serialNumber: local.serialNumber,
-		revokedOnApple,
-		deletedLocally
+		...applicationId === void 0 ? {} : { applicationId },
+		...versionCode === void 0 ? {} : { versionCode },
+		...versionName === void 0 ? {} : { versionName }
 	};
+};
+const unquote = (input) => input.startsWith("\"") && input.endsWith("\"") ? input.slice(1, -1) : input;
+
+//#endregion
+//#region src/lib/platform-detect.ts
+const PLATFORMS = ["ios", "android"];
+const inferPlatforms = (config) => {
+	const fromConfig = config["platforms"];
+	if (Array.isArray(fromConfig)) return fromConfig.filter((entry) => entry === "ios" || entry === "android");
+	const present = [];
+	if (config.ios !== void 0) present.push("ios");
+	if (config.android !== void 0) present.push("android");
+	return present;
+};
+/**
+* Resolve a build platform from an explicit flag, or fall back to the Expo
+* config (`expo.platforms` or the presence of `ios`/`android` sections). Prompts
+* when the config declares both platforms; fails when ambiguous and prompts are
+* disallowed.
+*/
+const detectPlatform = (explicit, config) => Effect.gen(function* () {
+	if (explicit !== void 0) return explicit;
+	const candidates = inferPlatforms(config);
+	if (candidates.length === 0) return yield* new BuildProfileError({ message: "Cannot infer build platform. Add an `ios` or `android` section to your Expo config, or pass --platform." });
+	if (candidates.length === 1) {
+		const [only] = candidates;
+		if (only === void 0) return yield* new BuildProfileError({ message: "Internal: empty platform candidate list." });
+		return only;
+	}
+	if (!(yield* InteractiveMode).allow) return yield* new BuildProfileError({ message: `Multiple platforms detected (${candidates.join(", ")}). Pass --platform explicitly when running non-interactively.` });
+	return yield* promptSelect("Which platform to build?", PLATFORMS.filter((entry) => candidates.includes(entry)).map((entry) => ({
+		value: entry,
+		label: entry
+	})));
 });
-const listAppleCertificates = (api, input) => Effect.gen(function* () {
-	const creds = yield* fetchAscCredentials(api, input.ascApiKeyId);
-	return yield* listCertificates({
-		keyId: creds.keyId,
-		issuerId: creds.issuerId,
-		p8Pem: creds.p8Pem
-	}, input.certificateType === void 0 ? {} : { certificateType: input.certificateType }).pipe(Effect.mapError(wrapAscError("apple-list-certificates")));
-});
-const resolveCertAscId = (creds, serialNumber, certificateType) => Effect.gen(function* () {
-	const match = (yield* listCertificates(creds, { certificateType }).pipe(Effect.mapError(wrapAscError("apple-list-certificates")))).find((entry) => entry.serialNumber.toUpperCase() === serialNumber);
-	if (match === void 0) return yield* Effect.fail(new GenerateFailedError({
-		step: "match-apple-certificate",
-		message: `Distribution certificate ${serialNumber} not present on Apple Developer Portal; upload or re-generate it`
-	}));
-	return match.id;
-});
-const ensureBundleId = (creds, bundleIdentifier) => Effect.gen(function* () {
-	const existing = (yield* listBundleIds(creds).pipe(Effect.mapError(wrapAscError("apple-list-bundle-ids")))).find((entry) => entry.identifier === bundleIdentifier);
-	if (existing !== void 0) return existing.id;
-	return (yield* createBundleId(creds, {
-		identifier: bundleIdentifier,
-		name: bundleIdentifier
-	}).pipe(Effect.mapError(wrapAscError("apple-create-bundle-id")))).id;
+
+//#endregion
+//#region src/lib/repo-clean.ts
+const MAX_FILES_SHOWN = 10;
+const readPorcelain = (projectRoot) => Command.make("git", "status", "--porcelain").pipe(Command.workingDirectory(projectRoot), Command.string, Effect.map((output) => output.split(/\r?\n/u).map((line) => line.trim()).filter((line) => line.length > 0)), Effect.catchAll(() => Effect.succeed([])));
+/**
+* Refuse to proceed when the working tree has uncommitted changes. Skipped when
+* `allowDirty` is true. In interactive mode, prompts the user to confirm; in
+* non-interactive mode, fails with `DirtyRepoError`.
+*/
+const ensureRepoClean = ({ projectRoot, allowDirty, label }) => Effect.gen(function* () {
+	if (allowDirty) return;
+	const dirty = yield* readPorcelain(projectRoot);
+	if (dirty.length === 0) return;
+	const preview = dirty.slice(0, MAX_FILES_SHOWN).join("\n  ");
+	const overflow = dirty.length > MAX_FILES_SHOWN ? `\n  ... and ${String(dirty.length - MAX_FILES_SHOWN)} more` : "";
+	yield* Console.error(`Uncommitted changes (${String(dirty.length)} file(s)):\n  ${preview}${overflow}`);
+	if (!(yield* InteractiveMode).allow) {
+		yield* new DirtyRepoError({ message: `Refusing to ${label} with a dirty working tree. Commit your changes or pass --allow-dirty.` });
+		return;
+	}
+	if (!(yield* promptConfirm(`Continue ${label} with uncommitted changes?`, { initialValue: false }))) yield* new DirtyRepoError({ message: `${label} cancelled by user.` });
 });
-const collectDeviceAscIds = (creds, appleTeamId, deviceIds) => Effect.gen(function* () {
-	const devices = yield* listDevices(creds).pipe(Effect.mapError(wrapAscError("apple-list-devices")));
+
+//#endregion
+//#region src/lib/fingerprint.ts
+var FingerprintError = class extends Data.TaggedError("FingerprintError") {};
+const runFingerprintFull = (projectRoot) => Effect.gen(function* () {
+	const cmd = Command.make("bunx", "@expo/fingerprint", projectRoot).pipe(Command.workingDirectory(projectRoot));
+	const stdout = yield* Command.string(cmd).pipe(Effect.mapError((cause) => new FingerprintError({ message: `Failed to run "@expo/fingerprint": ${cause.message}` })));
+	const parsed = yield* Effect.try({
+		try: () => JSON.parse(stdout),
+		catch: () => new FingerprintError({ message: "Failed to parse @expo/fingerprint output as JSON." })
+	});
+	if (!isRecord(parsed)) return yield* new FingerprintError({ message: "@expo/fingerprint output was not a JSON object." });
+	const { hash } = parsed;
+	if (typeof hash !== "string" || hash.length === 0) return yield* new FingerprintError({ message: "@expo/fingerprint output did not contain a \"hash\" string field." });
+	const sourcesRaw = parsed["sources"];
 	return {
-		ids: deviceIds === void 0 ? devices.map((device) => device.id) : devices.filter((device) => new Set(deviceIds).has(device.id)).map((device) => device.id),
-		appleTeamId
+		hash,
+		sources: Array.isArray(sourcesRaw) ? sourcesRaw : []
 	};
 });
-const generateAndUploadProvisioningProfile = (api, input) => Effect.gen(function* () {
-	const creds = yield* fetchAscCredentials(api, input.ascApiKeyId);
-	const ascCreds = {
-		keyId: creds.keyId,
-		issuerId: creds.issuerId,
-		p8Pem: creds.p8Pem
-	};
-	const cert = yield* api.appleDistributionCertificates.list().pipe(Effect.map(({ items }) => items.find((item) => item.id === input.distributionCertificateId)), Effect.flatMap((match) => match === void 0 ? Effect.fail(new GenerateFailedError({
-		step: "load-distribution-certificate",
-		message: `Distribution certificate ${input.distributionCertificateId} not found`
-	})) : Effect.succeed(match)));
-	const certificateType = input.distributionType === "DEVELOPMENT" ? "IOS_DEVELOPMENT" : "IOS_DISTRIBUTION";
-	const [certAscId, bundleIdAscId] = yield* Effect.all([resolveCertAscId(ascCreds, cert.serialNumber.toUpperCase(), certificateType), ensureBundleId(ascCreds, input.bundleIdentifier)], { concurrency: 2 });
-	const useDevices = input.distributionType === "AD_HOC" || input.distributionType === "DEVELOPMENT";
-	const { ids: deviceAscIds } = useDevices ? yield* collectDeviceAscIds(ascCreds, cert.appleTeamId, input.deviceIds) : { ids: [] };
-	if (useDevices && deviceAscIds.length === 0) return yield* Effect.fail(new GenerateFailedError({
-		step: "collect-devices",
-		message: "No registered devices to attach to the provisioning profile"
-	}));
-	const profileBytes = fromBase64((yield* createProvisioningProfile(ascCreds, {
-		profileName: `${input.bundleIdentifier} ${input.distributionType} ${Date.now()}`,
-		profileType: DISTRIBUTION_TO_PROFILE_TYPE$1[input.distributionType],
-		bundleIdAscId,
-		certificateAscIds: [certAscId],
-		deviceAscIds
-	}).pipe(Effect.mapError(wrapAscError("apple-create-profile")))).profileContent);
-	const rosterHash = useDevices ? computeDeviceRosterHashHex(deviceAscIds) : void 0;
-	const created = yield* api.appleProvisioningProfiles.upload({ payload: {
-		profileBase64: toBase64(profileBytes),
-		appleDistributionCertificateId: input.distributionCertificateId,
-		isManaged: true,
-		...rosterHash === void 0 ? {} : { deviceRosterHash: rosterHash }
-	} });
-	return {
-		id: created.id,
-		bundleIdentifier: created.bundleIdentifier,
-		distributionType: created.distributionType,
-		profileName: created.profileName,
-		validUntil: created.validUntil,
-		developerPortalIdentifier: created.developerPortalIdentifier
-	};
+
+//#endregion
+//#region src/lib/runtime-version.ts
+const resolveRuntimeVersion = ({ raw, appVersion, projectRoot }) => Effect.gen(function* () {
+	if (typeof raw === "string") return raw;
+	if (raw === void 0) return yield* new RuntimeVersionError({ message: "No runtimeVersion configured in expo section of app.json." });
+	const { policy } = raw;
+	if (policy === "appVersion") {
+		if (appVersion === void 0) return yield* new RuntimeVersionError({ message: "runtimeVersion policy is \"appVersion\" but expo.version is missing in app.json." });
+		return appVersion;
+	}
+	if (policy === "fingerprint") return yield* runFingerprintFull(projectRoot).pipe(Effect.map((result) => result.hash), Effect.mapError((cause) => new RuntimeVersionError({ message: cause.message })));
+	if (policy === "nativeVersion") return yield* new RuntimeVersionError({ message: "runtimeVersion policy \"nativeVersion\" is not supported. Set a static runtimeVersion string in your Expo config." });
+	return yield* new RuntimeVersionError({ message: `Unsupported runtimeVersion policy "${policy}". Use a static string, "appVersion", or "fingerprint".` });
 });
 
 //#endregion