@better-update/cli 0.15.2 → 0.15.3

package/dist/index.mjs

@@ -28,7 +28,7 @@ var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
 //#endregion
 //#region package.json
-var version = "0.15.2";
+var version = "0.15.3";
 
 //#endregion
 //#region src/lib/interactive-mode.ts
@@ -4497,1846 +4497,1858 @@ const runAndroidBuild = (input) => Effect.gen(function* () {
 });
 
 //#endregion
-//#region src/lib/ios-codesign-pbxproj.ts
-const loadXcodeModule$1 = () => __require("xcode");
-const findXcodeProjectDir$1 = (iosDir) => Effect.gen(function* () {
-	const projectDir = (yield* (yield* FileSystem.FileSystem).readDirectory(iosDir).pipe(Effect.mapError((cause) => new XcodeProjectError({ message: `Failed to read ${iosDir}: ${String(cause)}` })))).find((entry) => entry.endsWith(".xcodeproj"));
-	if (!projectDir) return yield* new XcodeProjectError({ message: `No .xcodeproj directory found under ${iosDir}.` });
-	return path.join(iosDir, projectDir);
+//#region src/lib/credentials-generator-apple-id.ts
+const DISTRIBUTION_TO_PROFILE_TYPE = {
+	APP_STORE: AppleUtils.ProfileType.IOS_APP_STORE,
+	AD_HOC: AppleUtils.ProfileType.IOS_APP_ADHOC,
+	DEVELOPMENT: AppleUtils.ProfileType.IOS_APP_DEVELOPMENT,
+	ENTERPRISE: AppleUtils.ProfileType.IOS_APP_INHOUSE
+};
+const DISTRIBUTION_TO_CERTIFICATE_TYPE = {
+	APP_STORE: AppleUtils.CertificateType.IOS_DISTRIBUTION,
+	AD_HOC: AppleUtils.CertificateType.IOS_DISTRIBUTION,
+	ENTERPRISE: AppleUtils.CertificateType.IOS_DISTRIBUTION,
+	DEVELOPMENT: AppleUtils.CertificateType.IOS_DEVELOPMENT
+};
+var AppleIdGenerateFailedError = class extends Data.TaggedError("AppleIdGenerateFailedError") {};
+const CERT_LIMIT_PATTERN = /already have a current.*certificate|pending certificate request/iu;
+const messageOf = (cause) => cause instanceof Error ? cause.message : String(cause);
+const wrap = (step, run) => Effect.tryPromise({
+	try: run,
+	catch: (cause) => new AppleIdGenerateFailedError({
+		step,
+		message: messageOf(cause)
+	})
 });
-const parseProject$1 = (pbxprojPath) => Effect.try({
-	try: () => loadXcodeModule$1().project(pbxprojPath).parseSync(),
-	catch: (cause) => new XcodeProjectError({ message: `Failed to parse ${pbxprojPath}: ${cause instanceof Error ? cause.message : String(cause)}` })
+const wrapCertificateCreate = (run) => Effect.tryPromise({
+	try: run,
+	catch: (cause) => {
+		const message = messageOf(cause);
+		if (CERT_LIMIT_PATTERN.test(message)) return new CertificateLimitError({ message });
+		return new AppleIdGenerateFailedError({
+			step: "apple-create-certificate",
+			message
+		});
+	}
 });
-/**
-* Always wrap a value in double quotes for safe pbxproj serialization. The
-* `xcode` writer emits values verbatim (e.g. `KEY = %s;`), so any string with
-* spaces, brackets or non-identifier characters needs explicit quoting.
-*/
-const quote = (value) => `"${value.replaceAll("\"", String.raw`\"`)}"`;
-const SDK_CONDITIONAL_IDENTITY_KEYS = ["\"CODE_SIGN_IDENTITY[sdk=iphoneos*]\"", "CODE_SIGN_IDENTITY[sdk=iphoneos*]"];
-const mutateConfig = (project, configUuid, settings) => {
-	const cfg = project.pbxXCBuildConfigurationSection()[configUuid];
-	if (!cfg || typeof cfg === "string") return false;
-	cfg.buildSettings["CODE_SIGN_STYLE"] = "Manual";
-	cfg.buildSettings["DEVELOPMENT_TEAM"] = quote(settings.teamId);
-	cfg.buildSettings["CODE_SIGN_IDENTITY"] = quote(settings.signingIdentity);
-	cfg.buildSettings["PROVISIONING_PROFILE_SPECIFIER"] = quote(settings.profileSpecifier);
-	delete cfg.buildSettings["PROVISIONING_PROFILE"];
-	for (const key of SDK_CONDITIONAL_IDENTITY_KEYS) delete cfg.buildSettings[key];
-	return true;
-};
-/**
-* Write `CODE_SIGN_STYLE=Manual`, `DEVELOPMENT_TEAM`, `CODE_SIGN_IDENTITY`, and
-* `PROVISIONING_PROFILE_SPECIFIER` into the specified XCBuildConfiguration
-* entries of the project under `iosDir`, then serialize back to disk.
-*
-* Only mutates the main app project — `Pods.xcodeproj` is left untouched. The
-* caller is responsible for ensuring each entry's `buildConfigurationUuids`
-* only includes configurations that belong to a signed target (see
-* `discoverSignedTargets`).
-*/
-const applyTargetSigning = (options) => Effect.gen(function* () {
-	const fs = yield* FileSystem.FileSystem;
-	const projectDir = yield* findXcodeProjectDir$1(options.iosDir);
-	const pbxprojPath = path.join(projectDir, "project.pbxproj");
-	const project = yield* parseProject$1(pbxprojPath);
-	for (const entry of options.entries) for (const configUuid of entry.buildConfigurationUuids) if (!mutateConfig(project, configUuid, entry.settings)) yield* new XcodeProjectError({ message: `Build configuration ${configUuid} not found for target "${entry.targetName}" in ${pbxprojPath}.` });
-	const serialized = yield* Effect.try({
-		try: () => project.writeSync(),
-		catch: (cause) => new XcodeProjectError({ message: `Failed to serialize ${pbxprojPath}: ${cause instanceof Error ? cause.message : String(cause)}` })
-	});
-	yield* fs.writeFileString(pbxprojPath, serialized).pipe(Effect.mapError((cause) => new XcodeProjectError({ message: `Failed to write ${pbxprojPath}: ${String(cause)}` })));
+const generateAndUploadDistributionCertificateViaAppleId = (api, input) => Effect.gen(function* () {
+	const ctx = input.context;
+	const certificateType = input.certificateType === "IOS_DEVELOPMENT" ? AppleUtils.CertificateType.IOS_DEVELOPMENT : AppleUtils.CertificateType.IOS_DISTRIBUTION;
+	const result = yield* wrapCertificateCreate(async () => AppleUtils.createCertificateAndP12Async(ctx, { certificateType }));
+	const metadata = yield* extractMetadataFromP12({
+		p12Base64: result.certificateP12,
+		password: result.password
+	}).pipe(Effect.mapError((cause) => new AppleIdGenerateFailedError({
+		step: "parse-p12",
+		message: cause.message
+	})));
+	const created = yield* api.appleDistributionCertificates.upload({ payload: {
+		p12Base64: result.certificateP12,
+		p12Password: result.password,
+		serialNumber: metadata.serialNumber,
+		appleTeamIdentifier: metadata.appleTeamId,
+		...metadata.appleTeamName === null ? {} : { appleTeamName: metadata.appleTeamName },
+		...metadata.developerIdIdentifier === null ? {} : { developerIdIdentifier: metadata.developerIdIdentifier },
+		validFrom: metadata.validFrom,
+		validUntil: metadata.validUntil
+	} });
+	return {
+		id: created.id,
+		serialNumber: metadata.serialNumber,
+		appleTeamId: created.appleTeamId,
+		appleTeamIdentifier: metadata.appleTeamId,
+		developerPortalIdentifier: result.certificate.id
+	};
+});
+const listDistributionCertsViaAppleId = (ctx, certificateType = "IOS_DISTRIBUTION") => Effect.gen(function* () {
+	const filter = certificateType === "IOS_DEVELOPMENT" ? AppleUtils.CertificateType.IOS_DEVELOPMENT : AppleUtils.CertificateType.IOS_DISTRIBUTION;
+	return (yield* wrap("apple-list-certificates", async () => AppleUtils.Certificate.getAsync(ctx, { query: { filter: { certificateType: filter } } }))).map((entry) => ({
+		developerPortalIdentifier: entry.id,
+		serialNumber: entry.attributes.serialNumber,
+		displayName: entry.attributes.displayName,
+		expirationDate: entry.attributes.expirationDate
+	}));
+});
+const revokeDistributionCertViaAppleId = (ctx, developerPortalIdentifier) => wrap("apple-revoke-certificate", async () => AppleUtils.Certificate.deleteAsync(ctx, { id: developerPortalIdentifier }));
+const findOrCreateBundleId = (ctx, bundleIdentifier) => Effect.gen(function* () {
+	const existing = yield* wrap("apple-find-bundle-id", async () => AppleUtils.BundleId.findAsync(ctx, { identifier: bundleIdentifier }));
+	if (existing !== null) return existing.id;
+	return (yield* wrap("apple-create-bundle-id", async () => AppleUtils.BundleId.createAsync(ctx, {
+		identifier: bundleIdentifier,
+		name: bundleIdentifier,
+		platform: AppleUtils.BundleIdPlatform.IOS
+	}))).id;
+});
+const findAscCertificateId = (ctx, serialNumber, certificateType) => Effect.gen(function* () {
+	const certs = yield* wrap("apple-list-certificates", async () => AppleUtils.Certificate.getAsync(ctx, { query: { filter: { certificateType } } }));
+	const upper = serialNumber.toUpperCase();
+	const match = certs.find((entry) => entry.attributes.serialNumber.toUpperCase() === upper);
+	if (match === void 0) return yield* Effect.fail(new AppleIdGenerateFailedError({
+		step: "match-apple-certificate",
+		message: `Distribution certificate ${serialNumber} not present on Apple Developer Portal; upload or re-generate it`
+	}));
+	return match.id;
+});
+const collectIosDeviceIds = (ctx, deviceIds) => Effect.gen(function* () {
+	const devices = yield* wrap("apple-list-devices", async () => AppleUtils.Device.getAllIOSProfileDevicesAsync(ctx));
+	if (deviceIds === void 0) return devices.map((device) => device.id);
+	const allowed = new Set(deviceIds);
+	return devices.filter((device) => allowed.has(device.id)).map((device) => device.id);
+});
+const generateAndUploadProvisioningProfileViaAppleId = (api, input) => Effect.gen(function* () {
+	const ctx = input.context;
+	const cert = yield* api.appleDistributionCertificates.list().pipe(Effect.map(({ items }) => items.find((item) => item.id === input.distributionCertificateId)), Effect.flatMap((match) => match === void 0 ? Effect.fail(new AppleIdGenerateFailedError({
+		step: "load-distribution-certificate",
+		message: `Distribution certificate ${input.distributionCertificateId} not found`
+	})) : Effect.succeed(match)));
+	const certificateType = DISTRIBUTION_TO_CERTIFICATE_TYPE[input.distributionType];
+	const [certAscId, bundleIdAscId] = yield* Effect.all([findAscCertificateId(ctx, cert.serialNumber, certificateType), findOrCreateBundleId(ctx, input.bundleIdentifier)], { concurrency: 2 });
+	const useDevices = input.distributionType === "AD_HOC" || input.distributionType === "DEVELOPMENT";
+	const deviceIds = useDevices ? yield* collectIosDeviceIds(ctx, input.deviceIds) : [];
+	if (useDevices && deviceIds.length === 0) return yield* Effect.fail(new AppleIdGenerateFailedError({
+		step: "collect-devices",
+		message: "No registered devices to attach to the provisioning profile"
+	}));
+	const profileName = `${input.bundleIdentifier} ${input.distributionType} ${Date.now()}`;
+	const { profileContent } = (yield* wrap("apple-create-profile", async () => AppleUtils.Profile.createAsync(ctx, {
+		bundleId: bundleIdAscId,
+		certificates: [certAscId],
+		devices: deviceIds,
+		name: profileName,
+		profileType: DISTRIBUTION_TO_PROFILE_TYPE[input.distributionType]
+	}))).attributes;
+	if (profileContent === null) return yield* Effect.fail(new AppleIdGenerateFailedError({
+		step: "extract-profile-content",
+		message: "Apple returned a profile with no content (likely expired/invalid)"
+	}));
+	const profileBytes = fromBase64(profileContent);
+	const rosterHash = useDevices ? computeDeviceRosterHashHex(deviceIds) : void 0;
+	const created = yield* api.appleProvisioningProfiles.upload({ payload: {
+		profileBase64: toBase64(profileBytes),
+		appleDistributionCertificateId: input.distributionCertificateId,
+		isManaged: true,
+		...rosterHash === void 0 ? {} : { deviceRosterHash: rosterHash }
+	} });
+	return {
+		id: created.id,
+		bundleIdentifier: created.bundleIdentifier,
+		distributionType: created.distributionType,
+		profileName: created.profileName,
+		validUntil: created.validUntil,
+		developerPortalIdentifier: created.developerPortalIdentifier
+	};
 });
 
 //#endregion
-//#region src/lib/ios-export-options.ts
-const escapeXml = (value) => value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll("\"", "&quot;").replaceAll("'", "&apos;");
-const boolTag = (value) => value ? "<true/>" : "<false/>";
+//#region src/lib/ios-bundle-config-upsert.ts
 /**
-* Render an Xcode `ExportOptions.plist` for `xcodebuild -exportArchive`.
-*
-* - `signingStyle` is always `manual` (ephemeral keychain + downloaded profile)
-* - `uploadSymbols` is emitted only for `app-store` exports
-* - `provisioningProfiles` dict maps each bundleId → profile name (one entry
-*   per signed target: main app + any extensions like notification service)
-* - `compileBitcode` defaults to `false`
+* Idempotent bind for an iOS bundle configuration. When the row already exists
+* (e.g. orphaned after a cert was deleted, since the FK is `ON DELETE SET NULL`),
+* rebind cert + profile in place instead of failing on the unique constraint.
+* Mirrors EAS's setup behavior where the setup step is rerunnable.
 */
-const renderExportOptionsPlist = ({ method, teamId, provisioningProfiles, compileBitcode = false }) => {
-	const lines = [
-		"<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
-		"<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">",
-		"<plist version=\"1.0\">",
-		"<dict>",
-		"	<key>method</key>",
-		`\t<string>${escapeXml(method)}</string>`,
-		"	<key>teamID</key>",
-		`\t<string>${escapeXml(teamId)}</string>`,
-		"	<key>signingStyle</key>",
-		"	<string>manual</string>",
-		"	<key>compileBitcode</key>",
-		`\t${boolTag(compileBitcode)}`,
-		"	<key>provisioningProfiles</key>",
-		"	<dict>"
-	];
-	for (const { bundleId, profileName } of provisioningProfiles) lines.push(`\t\t<key>${escapeXml(bundleId)}</key>`, `\t\t<string>${escapeXml(profileName)}</string>`);
-	lines.push("	</dict>");
-	if (method === "app-store") lines.push("	<key>uploadSymbols</key>", "	<true/>");
-	lines.push("</dict>", "</plist>", "");
-	return lines.join("\n");
-};
-
-//#endregion
-//#region src/lib/ios-keychain.ts
-const runOrFail = (cmd, step) => Command.string(cmd).pipe(Effect.mapError((cause) => new KeychainError({ message: `keychain ${step} failed: ${String(cause)}` })));
-const listCurrentKeychains = Effect.gen(function* () {
-	return (yield* runOrFail(Command.make("security", "list-keychains", "-d", "user"), "list-keychains")).split("\n").map((line) => line.trim().replace(/^"/u, "").replace(/"$/u, "")).filter((line) => line.length > 0);
-});
-const parseSigningIdentity = (output) => {
-	const lines = output.split("\n");
-	for (const line of lines) {
-		const match = /"([^"]+)"/u.exec(line);
-		if (match?.[1]) return match[1];
+const upsertIosBundleConfiguration = (api, input) => Effect.gen(function* () {
+	const existing = (yield* api.iosBundleConfigurations.list({ path: { projectId: input.projectId } })).items.find((item) => item.bundleIdentifier === input.bundleIdentifier && item.distributionType === input.distributionType);
+	if (existing === void 0) {
+		yield* api.iosBundleConfigurations.create({
+			path: { projectId: input.projectId },
+			payload: {
+				bundleIdentifier: input.bundleIdentifier,
+				distributionType: input.distributionType,
+				appleTeamId: input.appleTeamId,
+				appleDistributionCertificateId: input.appleDistributionCertificateId,
+				appleProvisioningProfileId: input.appleProvisioningProfileId,
+				...input.ascApiKeyId === void 0 ? {} : { ascApiKeyId: input.ascApiKeyId }
+			}
+		});
+		yield* Console.log("iOS bundle configuration saved.");
+		return { action: "created" };
 	}
-};
-/**
-* Acquire an ephemeral macOS keychain, import a `.p12` into it, add it to the
-* user search list, and tear it all down on scope close. The keychain name is
-* namespaced as `better-update-<uuid>` and lives in `$tempDir`, so cleanup is
-* guaranteed under all termination paths.
-*/
-const acquireKeychain = ({ tempDir, p12Path, p12Password }) => {
-	const keychainName = `better-update-${randomUUID()}.keychain-db`;
-	const keychainPath = path.join(tempDir, keychainName);
-	const keychainPassword = randomBytes(32).toString("hex");
-	return Effect.acquireRelease(Effect.gen(function* () {
-		const priorKeychains = yield* listCurrentKeychains;
-		yield* runOrFail(Command.make("security", "create-keychain", "-p", keychainPassword, keychainPath), "create-keychain");
-		yield* runOrFail(Command.make("security", "unlock-keychain", "-p", keychainPassword, keychainPath), "unlock-keychain");
-		yield* runOrFail(Command.make("security", "set-keychain-settings", "-t", "3600", "-l", keychainPath), "set-keychain-settings");
-		yield* runOrFail(Command.make("security", "import", p12Path, "-k", keychainPath, "-P", p12Password, "-T", "/usr/bin/codesign"), "import");
-		yield* runOrFail(Command.make("security", "set-key-partition-list", "-S", "apple-tool:,apple:,codesign:", "-s", "-k", keychainPassword, keychainPath), "set-key-partition-list");
-		yield* runOrFail(Command.make("security", "list-keychains", "-d", "user", "-s", keychainPath, ...priorKeychains), "list-keychains -s (add)");
-		const signingIdentity = parseSigningIdentity(yield* runOrFail(Command.make("security", "find-identity", "-v", "-p", "codesigning", keychainPath), "find-identity"));
-		if (!signingIdentity) return yield* new KeychainError({ message: "No code signing identity found after importing .p12 into ephemeral keychain." });
-		return {
-			handle: {
-				keychainName,
-				keychainPath,
-				signingIdentity
-			},
-			priorKeychains
-		};
-	}), ({ priorKeychains }) => Effect.gen(function* () {
-		yield* Command.string(Command.make("security", "list-keychains", "-d", "user", "-s", ...priorKeychains)).pipe(Effect.catchAll(() => Effect.void));
-		yield* Command.string(Command.make("security", "delete-keychain", keychainPath)).pipe(Effect.catchAll(() => Effect.void));
-	})).pipe(Effect.map(({ handle }) => handle));
-};
-
-//#endregion
-//#region src/lib/plist.ts
-const plist = typeof plistMod.parse === "function" ? plistMod : plistMod.default;
-/**
-* Parse an XML plist string into a typed object.
-* Throws on malformed XML — callers should wrap in Effect.try.
-*/
-const parsePlistXml = (xml) => plist.parse(xml);
-/**
-* Parse a binary plist buffer into a typed object.
-* Uses bplist-parser for Apple's binary plist format.
-*/
-const parsePlistBinary = (buffer) => {
-	const [result] = __require("bplist-parser").parseBuffer(buffer);
-	return result;
-};
-const BPLIST_MAGIC = Buffer.from("bplist00");
-/**
-* Auto-detect plist format (binary vs XML) and parse accordingly.
-*/
-const parsePlist = (data) => data.subarray(0, 8).equals(BPLIST_MAGIC) ? parsePlistBinary(data) : parsePlistXml(data.toString("utf8"));
-
-//#endregion
-//#region src/lib/ios-provisioning.ts
-const getString = (obj, key) => {
-	const value = obj[key];
-	return typeof value === "string" ? value : void 0;
-};
-const getFirstArrayString = (obj, key) => {
-	const value = obj[key];
-	if (Array.isArray(value) && typeof value[0] === "string") return value[0];
-};
-/**
-* Extract `UUID`, `Name`, and the first `TeamIdentifier` from the XML plist
-* output of `security cms -D -i <path>`. Returns `ProvisioningError` when any
-* of the three fields are missing.
-*/
-const extractProvisioningInfo = (plistXml) => Effect.gen(function* () {
-	const parsed = yield* Effect.try({
-		try: () => parsePlistXml(plistXml),
-		catch: (error) => new ProvisioningError({ message: `Failed to parse provisioning profile plist: ${error instanceof Error ? error.message : String(error)}` })
+	if (existing.appleTeamId !== input.appleTeamId) return yield* new MissingCredentialsError({
+		message: `Bundle "${input.bundleIdentifier}" (${input.distributionType}) is already bound to a different Apple team than the new credentials.`,
+		hint: "Delete the existing bundle configuration via the dashboard before retrying with a different team."
 	});
-	const uuid = getString(parsed, "UUID");
-	const name = getString(parsed, "Name");
-	const teamId = getFirstArrayString(parsed, "TeamIdentifier");
-	if (!uuid || !name || !teamId) return yield* new ProvisioningError({ message: `Failed to parse provisioning profile: missing ${uuid ? "" : "UUID "}${name ? "" : "Name "}${teamId ? "" : "TeamIdentifier "}`.trim() });
+	yield* api.iosBundleConfigurations.update({
+		path: { id: existing.id },
+		payload: {
+			appleDistributionCertificateId: input.appleDistributionCertificateId,
+			appleProvisioningProfileId: input.appleProvisioningProfileId,
+			...input.ascApiKeyId === void 0 ? {} : { ascApiKeyId: input.ascApiKeyId }
+		}
+	});
+	yield* Console.log("iOS bundle configuration rebound.");
 	return {
-		uuid,
-		name,
-		teamId
+		action: "updated",
+		id: existing.id
 	};
 });
-const userProvisioningProfilesDir = () => path.join(os.homedir(), "Library", "MobileDevice", "Provisioning Profiles");
-/**
-* Scoped installation of a provisioning profile: parses its metadata via
-* `security cms -D -i`, copies it into `~/Library/MobileDevice/Provisioning Profiles`
-* under `<uuid>.mobileprovision`, and removes the copy on scope close — but
-* only if we installed it. If the target file already existed when we arrived
-* (e.g., Xcode had it), we leave both the file and the contents untouched.
-*/
-const installProvisioningProfile = ({ profilePath }) => Effect.acquireRelease(Effect.gen(function* () {
-	const fs = yield* FileSystem.FileSystem;
-	const info = yield* extractProvisioningInfo(yield* Command.string(Command.make("security", "cms", "-D", "-i", profilePath)).pipe(Effect.mapError((cause) => new ProvisioningError({ message: `security cms -D failed for ${profilePath}: ${String(cause)}` }))));
-	const targetDir = userProvisioningProfilesDir();
-	const installedPath = path.join(targetDir, `${info.uuid}.mobileprovision`);
-	yield* fs.makeDirectory(targetDir, { recursive: true }).pipe(Effect.catchAll((cause) => new ProvisioningError({ message: `Failed to create provisioning profiles dir: ${String(cause)}` })));
-	if (yield* fs.exists(installedPath).pipe(Effect.orElseSucceed(() => false))) return {
-		...info,
-		installedPath,
-		ownsInstallation: false
-	};
-	yield* fs.copyFile(profilePath, installedPath).pipe(Effect.catchAll((cause) => new ProvisioningError({ message: `Failed to copy provisioning profile into ${installedPath}: ${String(cause)}` })));
-	return {
-		...info,
-		installedPath,
-		ownsInstallation: true
-	};
-}), (acquired) => Effect.gen(function* () {
-	if (!acquired.ownsInstallation) return;
-	yield* (yield* FileSystem.FileSystem).remove(acquired.installedPath).pipe(Effect.catchAll(() => Effect.void));
-})).pipe(Effect.map(({ uuid, name, teamId, installedPath }) => ({
-	uuid,
-	name,
-	teamId,
-	installedPath
-})));
 
 //#endregion
-//#region src/lib/post-build-validation.ts
-const validateOneBundle = (bundleDir, expectedByBundleId, expectedTeamId) => Effect.gen(function* () {
-	const bundleId = yield* readBundleId(bundleDir).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
-	if (!bundleId) return {
-		bundleId: void 0,
-		warnings: [`Missing CFBundleIdentifier in Info.plist at ${bundleDir}`]
-	};
-	const expected = expectedByBundleId.get(bundleId);
-	if (!expected) return {
-		bundleId,
-		warnings: [`Unexpected signed bundle "${bundleId}" found in archive at ${bundleDir}`]
-	};
-	return {
-		bundleId,
-		warnings: yield* validateEmbeddedProfile(bundleDir, expected.profileUuid, expectedTeamId, bundleId).pipe(Effect.catchAll(() => Effect.succeed([])))
-	};
+//#region src/application/credentials-interactive-apple-id.ts
+const chooseIosSetupPath = (api) => Effect.gen(function* () {
+	if (!(yield* api.ascApiKeys.list()).items.some((key) => key.appleTeamId !== null)) return "apple-id";
+	return yield* promptSelect("How would you like to provide your iOS credentials?", [{
+		value: "apple-id",
+		label: "Login with Apple ID (recommended for interactive use)"
+	}, {
+		value: "asc-key",
+		label: "Use an App Store Connect API key"
+	}]);
 });
-const validateIosBuild = (params) => Effect.gen(function* () {
-	const appDir = yield* findAppDirectory$1(params.archivePath).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
-	if (!appDir) return {
-		passed: false,
-		warnings: ["Could not locate .app bundle in archive — skipping post-build validation"]
-	};
-	const bundleDirs = yield* listSignedBundleDirs(appDir).pipe(Effect.catchAll(() => Effect.succeed([appDir])));
-	const expectedByBundleId = new Map(params.expectedTargets.map((target) => [target.bundleId, target]));
-	const perBundle = yield* Effect.forEach(bundleDirs, (bundleDir) => validateOneBundle(bundleDir, expectedByBundleId, params.expectedTeamId));
-	const warnings = perBundle.flatMap((entry) => [...entry.warnings]);
-	const validatedBundleIds = new Set(perBundle.map((entry) => entry.bundleId).filter((id) => id !== void 0));
-	for (const expected of params.expectedTargets) if (!validatedBundleIds.has(expected.bundleId)) warnings.push(`Expected signed target "${expected.bundleId}" was not found in the archive.`);
-	if (warnings.length > 0) {
-		yield* Console.warn("Post-build validation warnings:");
-		for (const warning of warnings) yield* Console.warn(`  - ${warning}`);
+const interactiveAppleIdCertLimitRecover = (ctx) => Effect.gen(function* () {
+	yield* Console.log("");
+	yield* Console.log("Apple reports the certificate limit was hit (max 3 distribution certs per team).");
+	const certs = yield* listDistributionCertsViaAppleId(ctx, "IOS_DISTRIBUTION");
+	if (certs.length === 0) return yield* new AppleIdGenerateFailedError({
+		step: "limit-recover",
+		message: "Apple says the certificate limit is hit but no existing certificates were returned."
+	});
+	const toRevoke = yield* promptMultiSelect("Select one or more certificates to revoke before retrying", certs.map((entry) => ({
+		value: entry.developerPortalIdentifier,
+		label: `${entry.serialNumber.slice(0, 12)}… (${entry.displayName}, exp ${entry.expirationDate.slice(0, 10)})`
+	})), { required: true });
+	yield* Effect.forEach(toRevoke, (id) => revokeDistributionCertViaAppleId(ctx, id), { concurrency: "inherit" });
+	yield* Console.log(`Revoked ${toRevoke.length} certificate(s); retrying generation...`);
+});
+const generateDistributionCertViaAppleIdInteractive = (api, ctx) => Effect.gen(function* () {
+	yield* Console.log("Generating distribution certificate via Apple ID...");
+	const generate = generateAndUploadDistributionCertificateViaAppleId(api, { context: ctx });
+	return yield* generate.pipe(Effect.catchTag("CertificateLimitError", () => interactiveAppleIdCertLimitRecover(ctx).pipe(Effect.flatMap(() => generate))));
+});
+const GENERATE_NEW = "__generate__";
+const chooseDistributionCertViaAppleId = (api, ctx, appleTeamIdentifier) => Effect.gen(function* () {
+	const [teams, all] = yield* Effect.all([api.appleTeams.list(), api.appleDistributionCertificates.list()], { concurrency: 2 });
+	const team = teams.items.find((entry) => entry.appleTeamId === appleTeamIdentifier);
+	const items = team === void 0 ? [] : all.items.filter((cert) => cert.appleTeamId === team.id);
+	if (items.length === 0) {
+		const created = yield* generateDistributionCertViaAppleIdInteractive(api, ctx);
+		return {
+			id: created.id,
+			appleTeamId: created.appleTeamId
+		};
+	}
+	const choice = yield* promptSelect("Select a distribution certificate (or 'generate' for a fresh one)", [{
+		value: GENERATE_NEW,
+		label: "Generate a new distribution certificate"
+	}, ...items.map((cert) => ({
+		value: cert.id,
+		label: `${cert.serialNumber.slice(0, 12)}… (team ${appleTeamIdentifier})`
+	}))]);
+	if (choice === GENERATE_NEW) {
+		const created = yield* generateDistributionCertViaAppleIdInteractive(api, ctx);
+		return {
+			id: created.id,
+			appleTeamId: created.appleTeamId
+		};
 	}
+	const cert = items.find((entry) => entry.id === choice);
+	if (cert === void 0) return yield* new AppleIdGenerateFailedError({
+		step: "pick-certificate",
+		message: `Selected certificate ${choice} not found after listing`
+	});
 	return {
-		passed: warnings.length === 0,
-		warnings
+		id: cert.id,
+		appleTeamId: cert.appleTeamId
 	};
 });
-const findAppDirectory$1 = (archivePath) => Effect.gen(function* () {
-	const fs = yield* FileSystem.FileSystem;
-	const productsDir = path.join(archivePath, "Products", "Applications");
-	const appEntry = (yield* fs.readDirectory(productsDir)).find((entry) => entry.endsWith(".app"));
-	if (!appEntry) return yield* Effect.fail("No .app found");
-	return path.join(productsDir, appEntry);
+const setupIosViaAppleId = (api, input) => Effect.gen(function* () {
+	const auth = yield* AppleAuth;
+	const session = yield* auth.ensureLoggedIn();
+	const ctx = auth.buildRequestContext(session);
+	yield* Console.log(`Logged in as ${session.username}. Team: ${session.teamName ?? session.teamId} (${session.teamId}).`);
+	const cert = yield* chooseDistributionCertViaAppleId(api, ctx, session.teamId);
+	const distributionType = IOS_DISTRIBUTION_TO_TYPE[input.distribution];
+	yield* Console.log("Generating provisioning profile via Apple ID...");
+	const profile = yield* generateAndUploadProvisioningProfileViaAppleId(api, {
+		context: ctx,
+		distributionCertificateId: cert.id,
+		bundleIdentifier: input.bundleIdentifier,
+		distributionType
+	});
+	yield* upsertIosBundleConfiguration(api, {
+		projectId: input.projectId,
+		bundleIdentifier: input.bundleIdentifier,
+		distributionType,
+		appleTeamId: cert.appleTeamId,
+		appleDistributionCertificateId: cert.id,
+		appleProvisioningProfileId: profile.id
+	});
 });
-/**
-* Return the main `.app` plus every `.appex` extension under `<app>/PlugIns/`.
-* Each returned path is a signed bundle that should carry its own embedded
-* provisioning profile + Info.plist with CFBundleIdentifier.
-*/
-const listSignedBundleDirs = (appDir) => Effect.gen(function* () {
-	const fs = yield* FileSystem.FileSystem;
-	const plugInsDir = path.join(appDir, "PlugIns");
-	if (!(yield* fs.exists(plugInsDir).pipe(Effect.catchAll(() => Effect.succeed(false))))) return [appDir];
-	return [appDir, ...(yield* fs.readDirectory(plugInsDir)).filter((entry) => entry.endsWith(".appex")).map((entry) => path.join(plugInsDir, entry))];
-});
-const readBundleId = (bundleDir) => Effect.gen(function* () {
-	const fs = yield* FileSystem.FileSystem;
-	const plistPath = path.join(bundleDir, "Info.plist");
-	const data = yield* fs.readFile(plistPath);
-	const bundleId = parsePlist(Buffer.from(data))["CFBundleIdentifier"];
-	return typeof bundleId === "string" ? bundleId : void 0;
-});
-const validateEmbeddedProfile = (bundleDir, expectedUuid, expectedTeamId, bundleId) => Effect.gen(function* () {
-	const warnings = [];
-	const profilePath = path.join(bundleDir, "embedded.mobileprovision");
-	const parsed = parsePlistXml(yield* Command.string(Command.make("security", "cms", "-D", "-i", profilePath)));
-	const actualUuid = parsed["UUID"];
-	if (typeof actualUuid === "string" && actualUuid !== expectedUuid) warnings.push(`[${bundleId}] Profile UUID mismatch: expected "${expectedUuid}", got "${actualUuid}"`);
-	const teamIdentifiers = parsed["TeamIdentifier"];
-	if (Array.isArray(teamIdentifiers)) {
-		const [actualTeamId] = teamIdentifiers;
-		if (typeof actualTeamId === "string" && actualTeamId !== expectedTeamId) warnings.push(`[${bundleId}] Team ID mismatch: expected "${expectedTeamId}", got "${actualTeamId}"`);
-	}
-	const expirationDate = parsed["ExpirationDate"];
-	if (expirationDate instanceof Date && expirationDate.getTime() < Date.now()) warnings.push(`[${bundleId}] Embedded provisioning profile expired on ${expirationDate.toISOString()}`);
-	return warnings;
-});
-
-//#endregion
-//#region src/lib/xcode-targets.ts
-/** Product types whose targets require code-signing with a provisioning profile. */
-const SIGNED_PRODUCT_TYPES = new Set([
-	"com.apple.product-type.application",
-	"com.apple.product-type.app-extension",
-	"com.apple.product-type.messages-extension",
-	"com.apple.product-type.tv-app-extension",
-	"com.apple.product-type.watchapp2",
-	"com.apple.product-type.watchkit2-extension"
-]);
-const loadXcodeModule = () => __require("xcode");
-/**
-* Strip surrounding quotes from a pbxproj string value. `xcode` returns values
-* verbatim from the project file, so identifiers like productType are usually
-* wrapped in double quotes (e.g. `"com.apple.product-type.application"`).
-*/
-const unquote$1 = (value) => value.length >= 2 && value.startsWith("\"") && value.endsWith("\"") ? value.slice(1, -1) : value;
-const findXcodeProjectDir = (iosDir) => Effect.gen(function* () {
-	const projectDir = (yield* (yield* FileSystem.FileSystem).readDirectory(iosDir).pipe(Effect.mapError((cause) => new XcodeProjectError({ message: `Failed to read ${iosDir}: ${String(cause)}` })))).find((entry) => entry.endsWith(".xcodeproj"));
-	if (!projectDir) return yield* new XcodeProjectError({ message: `No .xcodeproj directory found under ${iosDir}. Did "expo prebuild" run?` });
-	return path.join(iosDir, projectDir);
-});
-const parseProject = (pbxprojPath) => Effect.try({
-	try: () => loadXcodeModule().project(pbxprojPath).parseSync(),
-	catch: (cause) => new XcodeProjectError({ message: `Failed to parse ${pbxprojPath}: ${cause instanceof Error ? cause.message : String(cause)}` })
-});
-const collectConfigUuidsForTarget = (project, target, configurationName) => {
-	const configList = project.pbxXCConfigurationList()[target.buildConfigurationList];
-	if (!configList || typeof configList === "string") return [];
-	const buildConfigSection = project.pbxXCBuildConfigurationSection();
-	return configList.buildConfigurations.map((entry) => entry.value).filter((uuid) => {
-		const cfg = buildConfigSection[uuid];
-		if (!cfg || typeof cfg === "string") return false;
-		return unquote$1(cfg.name) === configurationName;
+const regenerateProvisioningProfileViaAppleId = (api, input) => Effect.gen(function* () {
+	const auth = yield* AppleAuth;
+	const session = yield* auth.ensureLoggedIn();
+	yield* Console.log("Regenerating provisioning profile via Apple ID...");
+	const created = yield* generateAndUploadProvisioningProfileViaAppleId(api, {
+		context: auth.buildRequestContext(session),
+		distributionCertificateId: input.distributionCertificateId,
+		bundleIdentifier: input.bundleIdentifier,
+		distributionType: input.distributionType
 	});
-};
-const extractBundleIdForConfig = (project, configUuid) => {
-	const cfg = project.pbxXCBuildConfigurationSection()[configUuid];
-	if (!cfg || typeof cfg === "string") return;
-	const raw = cfg.buildSettings["PRODUCT_BUNDLE_IDENTIFIER"];
-	if (typeof raw !== "string") return;
-	return unquote$1(raw);
-};
-const collectSignedTargets = (project, pbxprojPath, configurationName) => Effect.gen(function* () {
-	const results = [];
-	const nativeTargets = project.pbxNativeTargetSection();
-	for (const [uuid, entry] of Object.entries(nativeTargets)) {
-		if (uuid.endsWith("_comment") || typeof entry === "string") continue;
-		const productType = unquote$1(entry.productType);
-		if (!SIGNED_PRODUCT_TYPES.has(productType)) continue;
-		const configUuids = collectConfigUuidsForTarget(project, entry, configurationName);
-		const [firstConfigUuid] = configUuids;
-		if (!firstConfigUuid) return yield* new XcodeProjectError({ message: `Target "${unquote$1(entry.name)}" has no "${configurationName}" build configuration in ${pbxprojPath}.` });
-		const bundleId = extractBundleIdForConfig(project, firstConfigUuid);
-		if (!bundleId) return yield* new XcodeProjectError({ message: `Target "${unquote$1(entry.name)}" is missing PRODUCT_BUNDLE_IDENTIFIER in the "${configurationName}" configuration.` });
-		results.push({
-			targetName: unquote$1(entry.name),
-			bundleId,
-			productType,
-			buildConfigurationUuids: configUuids
-		});
-	}
-	return results;
-});
-/**
-* Enumerate code-signed native targets (main app + extensions) declared in the
-* single `.xcodeproj` under `iosDir`, restricted to a given build configuration
-* (e.g. "Release"). Pod targets and other library product types are excluded.
-*
-* The returned `buildConfigurationUuids` list is the set of XCBuildConfiguration
-* UUIDs that belong to this target *and* match `configurationName` — the
-* per-target signing mutator writes settings into exactly those configurations.
-*/
-const discoverSignedTargets = (options) => Effect.gen(function* () {
-	const projectDir = yield* findXcodeProjectDir(options.iosDir);
-	const pbxprojPath = path.join(projectDir, "project.pbxproj");
-	const results = yield* collectSignedTargets(yield* parseProject(pbxprojPath), pbxprojPath, options.configurationName);
-	if (results.length === 0) return yield* new XcodeProjectError({ message: `No signed native targets found in ${pbxprojPath} for configuration "${options.configurationName}".` });
-	return results;
+	yield* api.iosBundleConfigurations.update({
+		path: { id: input.bundleConfigurationId },
+		payload: { appleProvisioningProfileId: created.id }
+	});
+	return created;
 });
 
 //#endregion
-//#region src/lib/xcpretty-formatter.ts
-/**
-* Create a stateful xcodebuild output formatter backed by `@expo/xcpretty`.
-* Each `pipe(line)` call may return zero or more formatted lines — zero means
-* the line was suppressed (e.g., intermediate compiler invocations).
-*/
-const createXcodebuildFormatter = (projectRoot) => {
-	const formatter = ExpoRunFormatter.create(projectRoot);
-	return {
-		pipe: (line) => formatter.pipe(line),
-		getBuildSummary: () => formatter.getBuildSummary()
-	};
-};
-
-//#endregion
-//#region src/commands/build/ios.ts
-const findXcworkspace = (iosDir) => Effect.gen(function* () {
-	const workspace = (yield* (yield* FileSystem.FileSystem).readDirectory(iosDir)).find((entry) => entry.endsWith(".xcworkspace"));
-	if (!workspace) return yield* new BuildFailedError({
-		step: "detect xcworkspace",
-		exitCode: 1,
-		message: `No .xcworkspace found under ${iosDir}. Did "pod install" run?`
+//#region src/application/credentials-interactive-ios-asc.ts
+const interactiveCertLimitRecover = (api, ascApiKeyId) => Effect.gen(function* () {
+	yield* Console.log("");
+	yield* Console.log("Apple reports the certificate limit was hit (max 3 distribution certs per team).");
+	const certs = yield* listAppleCertificates(api, {
+		ascApiKeyId,
+		certificateType: "IOS_DISTRIBUTION"
 	});
-	return workspace;
+	if (certs.length === 0) return yield* Effect.fail(new MissingCredentialsError({
+		message: "Apple says the certificate limit is hit but no existing certificates were returned.",
+		hint: "Try again later or check the Apple Developer portal."
+	}));
+	const toRevoke = yield* promptMultiSelect("Select one or more certificates to revoke before retrying", certs.map((entry) => ({
+		value: entry.id,
+		label: `${entry.serialNumber.slice(0, 12)}… (${entry.displayName ?? entry.certificateType}, exp ${entry.expirationDate.slice(0, 10)})`
+	})), { required: true });
+	yield* Effect.forEach(toRevoke, (id) => revokeAppleCertificate(api, {
+		ascApiKeyId,
+		developerPortalIdentifier: id
+	}), { concurrency: "inherit" });
+	yield* Console.log(`Revoked ${toRevoke.length} certificate(s); retrying generation...`);
 });
-const prebuildAndPods = (params) => Effect.gen(function* () {
-	yield* runStep(Command.make("bunx", "expo", "prebuild", "--platform", "ios", "--clean").pipe(Command.workingDirectory(params.projectRoot), Command.env(params.commandEnv)), "expo prebuild ios");
-	yield* runStep(Command.make("pod", "install").pipe(Command.workingDirectory(params.iosDir), Command.env(params.commandEnv)), "pod install");
+const generateDistributionCertInteractive = (api) => Effect.gen(function* () {
+	const teamAscKeys = (yield* api.ascApiKeys.list()).items.filter((key) => key.appleTeamId !== null);
+	if (teamAscKeys.length === 0) return yield* Effect.fail(new MissingCredentialsError({
+		message: "No ASC API key linked to an Apple team in this organization.",
+		hint: "Upload an ASC API key with a team assignment via the dashboard, then retry."
+	}));
+	const ascKeyId = yield* promptSelect("Select an ASC API key to issue the certificate against", teamAscKeys.map((key) => ({
+		value: key.id,
+		label: `${key.name} (${key.keyId})`
+	})));
+	yield* Console.log("Generating CSR and requesting certificate from Apple...");
+	const generate = generateAndUploadDistributionCertificate(api, { ascApiKeyId: ascKeyId });
+	return yield* generate.pipe(Effect.catchTag("CertificateLimitError", () => interactiveCertLimitRecover(api, ascKeyId).pipe(Effect.flatMap(() => generate))));
 });
-const findAppDirectory = (root) => Effect.gen(function* () {
-	const fs = yield* FileSystem.FileSystem;
-	const stack = [root];
-	let depth = 0;
-	while (stack.length > 0 && depth < 6) {
-		const layer = stack.splice(0);
-		depth += 1;
-		for (const dir of layer) {
-			const entries = yield* fs.readDirectory(dir).pipe(Effect.orElseSucceed(() => []));
-			for (const entry of entries) {
-				const full = path.join(dir, entry);
-				if (entry.endsWith(".app")) return full;
-				const stat = yield* fs.stat(full).pipe(Effect.option);
-				if (stat._tag === "Some" && stat.value.type === "Directory") stack.push(full);
-			}
-		}
+const chooseIosCertificateId = (api) => Effect.gen(function* () {
+	const certs = yield* api.appleDistributionCertificates.list();
+	if (certs.items.length === 0) {
+		yield* Console.log("No distribution certificate found in this organization.");
+		if ((yield* promptSelect("How would you like to proceed?", [{
+			value: "generate",
+			label: "Generate a new distribution certificate"
+		}, {
+			value: "abort",
+			label: "Abort — I'll upload one manually"
+		}])) === "abort") return yield* Effect.fail(new MissingCredentialsError({
+			message: "Build aborted — no distribution certificate available.",
+			hint: "Run `better-update credentials generate distribution-certificate --asc-key-id <id>` or upload via the dashboard."
+		}));
+		return (yield* generateDistributionCertInteractive(api)).id;
 	}
-	return yield* new ArtifactNotFoundError({ message: `No .app bundle found under "${root}".` });
+	const choice = yield* promptSelect("Select a distribution certificate (or 'generate' for a fresh one)", [{
+		value: "__generate__",
+		label: "Generate a new distribution certificate"
+	}, ...certs.items.map((cert) => ({
+		value: cert.id,
+		label: `${cert.serialNumber.slice(0, 12)}… (team ${cert.appleTeamId})`
+	}))]);
+	if (choice === "__generate__") return (yield* generateDistributionCertInteractive(api)).id;
+	return choice;
 });
-const runIosSimulatorBuild = (input) => Effect.gen(function* () {
-	const { projectRoot, iosProfile, envVars, tempDir } = input;
-	const runtime = yield* CliRuntime;
-	const iosDir = path.join(projectRoot, "ios");
-	const commandEnv = yield* runtime.commandEnvironment(envVars);
-	yield* prebuildAndPods({
-		projectRoot,
-		iosDir,
-		commandEnv
-	});
-	const workspaceFilename = yield* findXcworkspace(iosDir);
-	const scheme = iosProfile.scheme ?? workspaceFilename.replace(/\.xcworkspace$/u, "");
-	const configuration = iosProfile.buildConfiguration ?? "Release";
-	const derivedDataPath = path.join(tempDir, "derived-data");
-	const buildCmd = Command.make("xcodebuild", "-workspace", workspaceFilename, "-scheme", scheme, "-configuration", configuration, "-sdk", "iphonesimulator", "-destination", "generic/platform=iOS Simulator", "-derivedDataPath", derivedDataPath, "build", "CODE_SIGNING_ALLOWED=NO", "CODE_SIGNING_REQUIRED=NO", "CODE_SIGN_IDENTITY=").pipe(Command.workingDirectory(iosDir), Command.env(commandEnv));
-	const formatter = input.rawOutput ? void 0 : createXcodebuildFormatter(projectRoot);
-	yield* formatter ? runStepFormatted(buildCmd, "xcodebuild build (simulator)", formatter) : runStep(buildCmd, "xcodebuild build (simulator)");
-	const appDir = yield* findAppDirectory(path.join(derivedDataPath, "Build", "Products", `${configuration}-iphonesimulator`));
-	const archiveName = `${path.basename(appDir, ".app")}-simulator.tar.gz`;
-	const archivePath = path.join(tempDir, archiveName);
-	yield* runStep(Command.make("tar", "-czf", archivePath, "-C", path.dirname(appDir), path.basename(appDir)).pipe(Command.env(commandEnv)), "tar simulator .app");
-	const { sha256, byteSize } = yield* sha256File(archivePath);
+const pickIosCertificate = (api) => Effect.gen(function* () {
+	const chosenId = yield* chooseIosCertificateId(api);
+	const cert = (yield* api.appleDistributionCertificates.list()).items.find((entry) => entry.id === chosenId);
+	if (cert === void 0) return yield* Effect.fail(new MissingCredentialsError({
+		message: "Selected certificate not found after generation.",
+		hint: "Retry."
+	}));
 	return {
-		artifactPath: archivePath,
-		byteSize,
-		sha256
+		certId: chosenId,
+		cert
 	};
 });
-const fetchAllCredentials = (params) => params.input.credentialsSource === "local" ? loadLocalIosCredentials({
-	projectRoot: params.input.projectRoot,
-	mainBundleIdentifier: params.mainBundleIdentifier
-}) : downloadIosCredentials(params.api, {
-	projectId: params.input.projectId,
-	mainBundleIdentifier: params.mainBundleIdentifier,
-	bundleIdentifiers: params.allBundleIdentifiers,
-	distribution: params.input.iosProfile.distribution,
-	tempDir: params.input.tempDir
+const pickIosAscKey = (api, appleTeamId) => Effect.gen(function* () {
+	const teamAscKeys = (yield* api.ascApiKeys.list()).items.filter((key) => key.appleTeamId !== null && key.appleTeamId === appleTeamId);
+	if (teamAscKeys.length === 0) return yield* Effect.fail(new MissingCredentialsError({
+		message: `No ASC API key linked to Apple team ${appleTeamId}.`,
+		hint: "Upload an ASC API key for that team via the dashboard, then retry."
+	}));
+	return yield* promptSelect("Select an ASC API key", teamAscKeys.map((key) => ({
+		value: key.id,
+		label: `${key.name} (${key.keyId})`
+	})));
 });
-const installPerTarget = (signedTargets, credentials, credentialsSource) => Effect.gen(function* () {
-	const profileByBundle = new Map(credentials.profiles.map((profile) => [profile.bundleIdentifier, profile]));
-	const missing = signedTargets.filter((target) => !profileByBundle.has(target.bundleId));
-	if (missing.length > 0) {
-		const list = missing.map((target) => `"${target.targetName}" (${target.bundleId})`).join(", ");
-		const hint = credentialsSource === "local" ? "Add the missing entries to credentials.json under ios.additionalProvisioningProfiles." : "Register the bundle identifier(s) in the dashboard and bind a provisioning profile.";
-		return yield* new MissingCredentialsError({
-			message: `Missing provisioning profile for signed target(s): ${list}.`,
-			hint
-		});
-	}
-	return yield* Effect.forEach(signedTargets, (target) => installProfileForTarget(target, profileByBundle));
+const generateProvisioningProfileForBundle = (api, input, ctx) => Effect.gen(function* () {
+	yield* Console.log("Generating provisioning profile via App Store Connect API...");
+	return (yield* generateAndUploadProvisioningProfile(api, {
+		ascApiKeyId: ctx.ascKeyId,
+		distributionCertificateId: ctx.certId,
+		bundleIdentifier: input.bundleIdentifier,
+		distributionType: ctx.distributionType
+	})).id;
 });
-const installProfileForTarget = (target, profileByBundle) => {
-	const profile = profileByBundle.get(target.bundleId);
-	if (!profile) return Effect.fail(new ProvisioningError({ message: `Internal: no profile for ${target.bundleId} after pre-check.` }));
-	return installProvisioningProfile({ profilePath: profile.profilePath }).pipe(Effect.map((installed) => ({
-		target,
-		profile,
-		installed
+const resolveIosProfileId = (api, input, ctx) => Effect.gen(function* () {
+	const matching = (yield* api.appleProvisioningProfiles.list({ urlParams: {} })).items.filter((profile) => profile.bundleIdentifier === input.bundleIdentifier && profile.distributionType === ctx.distributionType && profile.appleTeamId === ctx.cert.appleTeamId);
+	if (matching.length === 0) return yield* generateProvisioningProfileForBundle(api, input, ctx);
+	if (!(yield* promptConfirm(`Reuse an existing ${input.distribution} profile for ${input.bundleIdentifier}?`, { initialValue: true }))) return yield* generateProvisioningProfileForBundle(api, input, ctx);
+	return yield* promptSelect("Select a provisioning profile", matching.map((profile) => ({
+		value: profile.id,
+		label: profile.profileName ?? profile.developerPortalIdentifier ?? profile.id
 	})));
-};
-const pickMainTarget = (signedTargets) => signedTargets.find((target) => target.productType === "com.apple.product-type.application") ?? signedTargets[0];
-const runIosDeviceBuild = (input) => Effect.gen(function* () {
-	const { api, tempDir, projectRoot, iosProfile, envVars } = input;
-	const runtime = yield* CliRuntime;
-	const fs = yield* FileSystem.FileSystem;
-	const iosDir = path.join(projectRoot, "ios");
-	const { distribution } = iosProfile;
-	const commandEnv = yield* runtime.commandEnvironment(envVars);
-	yield* prebuildAndPods({
-		projectRoot,
-		iosDir,
-		commandEnv
-	});
-	const workspaceFilename = yield* findXcworkspace(iosDir);
-	const scheme = iosProfile.scheme ?? workspaceFilename.replace(/\.xcworkspace$/u, "");
-	const configuration = iosProfile.buildConfiguration ?? "Release";
-	const signedTargets = yield* discoverSignedTargets({
-		iosDir,
-		configurationName: configuration
-	});
-	const mainTarget = pickMainTarget(signedTargets);
-	if (!mainTarget) return yield* new BuildFailedError({
-		step: "discover signed targets",
-		exitCode: 1,
-		message: `No signed iOS targets found in the Xcode project for configuration "${configuration}".`
-	});
-	const credentials = yield* fetchAllCredentials({
-		api,
-		input,
-		mainBundleIdentifier: mainTarget.bundleId,
-		allBundleIdentifiers: signedTargets.map((target) => target.bundleId)
-	});
-	const keychain = yield* acquireKeychain({
-		tempDir,
-		p12Path: credentials.p12Path,
-		p12Password: credentials.p12Password
-	});
-	const installedTargets = yield* installPerTarget(signedTargets, credentials, input.credentialsSource);
-	yield* applyTargetSigning({
-		iosDir,
-		entries: installedTargets.map(({ target, installed }) => ({
-			targetName: target.targetName,
-			buildConfigurationUuids: target.buildConfigurationUuids,
-			settings: {
-				teamId: installed.teamId,
-				signingIdentity: keychain.signingIdentity,
-				profileSpecifier: installed.name
-			}
-		}))
-	});
-	const archivePath = path.join(tempDir, "build.xcarchive");
-	const archiveCmd = Command.make("xcodebuild", "-workspace", workspaceFilename, "-scheme", scheme, "-configuration", configuration, "-archivePath", archivePath, "-allowProvisioningUpdates", "archive").pipe(Command.workingDirectory(iosDir), Command.env(commandEnv));
-	const formatter = input.rawOutput ? void 0 : createXcodebuildFormatter(projectRoot);
-	yield* formatter ? runStepFormatted(archiveCmd, "xcodebuild archive", formatter) : runStep(archiveCmd, "xcodebuild archive");
-	const exportOptionsPath = path.join(tempDir, "ExportOptions.plist");
-	const mainInstall = installedTargets.find((entry) => entry.target.targetName === mainTarget.targetName);
-	if (!mainInstall) return yield* new BuildFailedError({
-		step: "resolve main target signing",
-		exitCode: 1,
-		message: `Internal: main target "${mainTarget.targetName}" was not in the installed list.`
+});
+const setupIosViaAscKey = (api, input) => Effect.gen(function* () {
+	const { certId, cert } = yield* pickIosCertificate(api);
+	const ascKeyId = yield* pickIosAscKey(api, cert.appleTeamId);
+	const distributionType = IOS_DISTRIBUTION_TO_TYPE[input.distribution];
+	const profileId = yield* resolveIosProfileId(api, input, {
+		certId,
+		cert,
+		ascKeyId,
+		distributionType
 	});
-	const { teamId } = mainInstall.installed;
-	yield* fs.writeFileString(exportOptionsPath, renderExportOptionsPlist({
-		method: distribution,
-		teamId,
-		provisioningProfiles: installedTargets.map(({ target, installed }) => ({
-			bundleId: target.bundleId,
-			profileName: installed.name
-		}))
-	}));
-	const exportPath = path.join(tempDir, "export");
-	const exportCmd = Command.make("xcodebuild", "-exportArchive", "-archivePath", archivePath, "-exportPath", exportPath, "-exportOptionsPlist", exportOptionsPath, "-allowProvisioningUpdates").pipe(Command.workingDirectory(iosDir), Command.env(commandEnv));
-	yield* formatter ? runStepFormatted(exportCmd, "xcodebuild exportArchive", formatter) : runStep(exportCmd, "xcodebuild exportArchive");
-	yield* validateIosBuild({
-		archivePath,
-		expectedTeamId: teamId,
-		expectedTargets: installedTargets.map(({ target, installed }) => ({
-			bundleId: target.bundleId,
-			profileUuid: installed.uuid
-		}))
+	yield* upsertIosBundleConfiguration(api, {
+		projectId: input.projectId,
+		bundleIdentifier: input.bundleIdentifier,
+		distributionType,
+		appleTeamId: cert.appleTeamId,
+		appleDistributionCertificateId: certId,
+		appleProvisioningProfileId: profileId,
+		ascApiKeyId: ascKeyId
 	});
-	const artifactPath = yield* findIosArtifact({ exportPath });
-	const { sha256, byteSize } = yield* sha256File(artifactPath);
-	return {
-		artifactPath,
-		byteSize,
-		sha256
-	};
 });
-const runIosBuild = (input) => input.iosProfile.simulator === true ? runIosSimulatorBuild(input) : runIosDeviceBuild(input);
 
 //#endregion
-//#region src/commands/build/reserve-and-upload.ts
-const buildReserveCommon = (input) => ({
-	projectId: input.projectId,
-	profile: input.profileName,
-	runtimeVersion: input.runtimeVersion,
-	bundleId: input.bundleId,
-	sha256: input.sha256,
-	byteSize: input.byteSize,
-	...input.appVersion === void 0 ? {} : { appVersion: input.appVersion },
-	...input.buildNumber === void 0 ? {} : { buildNumber: input.buildNumber },
-	...input.gitContext.ref === void 0 ? {} : { gitRef: input.gitContext.ref },
-	...input.gitContext.commit === void 0 ? {} : { gitCommit: input.gitContext.commit },
-	...input.message === void 0 ? {} : { message: input.message }
+//#region src/application/credentials-interactive.ts
+const hasTag = (cause) => typeof cause === "object" && cause !== null && "_tag" in cause;
+const isMissingResolveError = (cause) => hasTag(cause) && (cause._tag === "NotFound" || cause._tag === "BadRequest");
+const generateKeystoreInteractive = (api) => Effect.gen(function* () {
+	const alias = yield* promptText("Key alias", { placeholder: "upload-key" });
+	const storePassword = yield* promptPassword("Keystore password");
+	const keyPassword = yield* promptPassword("Key password");
+	const commonName = yield* promptText("Common name (CN)", { placeholder: "Your App" });
+	const organization = yield* promptText("Organization (O)", { placeholder: "Your Company" });
+	yield* Console.log("Generating keystore with keytool...");
+	return (yield* generateAndUploadKeystore(api, {
+		keyAlias: alias,
+		storePassword,
+		keyPassword,
+		commonName,
+		organization
+	})).id;
 });
-const callReserve = (api, input) => {
-	const common = buildReserveCommon(input);
-	const { target } = input;
-	if (target.platform === "ios") return target.distribution === "simulator" ? api.builds.reserve({ payload: {
-		...common,
-		platform: "ios",
-		distribution: "simulator",
-		artifactFormat: "tar.gz"
-	} }) : api.builds.reserve({ payload: {
-		...common,
-		platform: "ios",
-		distribution: target.distribution,
-		artifactFormat: "ipa"
-	} });
-	return target.distribution === "play-store" ? api.builds.reserve({ payload: {
-		...common,
-		platform: "android",
-		distribution: "play-store",
-		artifactFormat: "aab"
-	} }) : api.builds.reserve({ payload: {
-		...common,
-		platform: "android",
-		distribution: "direct",
-		artifactFormat: "apk"
-	} });
-};
-/**
-* Reserve a build record on the server, upload the artifact to the returned
-* presigned URL, and finalize the build with its sha256 + byteSize.
-*/
-const reserveAndUpload = (api, input) => Effect.gen(function* () {
-	const presignedUploadClient = yield* PresignedUploadClient;
-	const reserveResult = yield* callReserve(api, input).pipe(Effect.mapError((cause) => new ReserveError({ message: `Failed to reserve build: ${formatCause(cause)}` })));
-	yield* presignedUploadClient.putToPresignedUrl({
-		url: reserveResult.uploadUrl,
-		filePath: input.artifactPath,
-		byteSize: input.byteSize,
-		expiresAt: reserveResult.uploadExpiresAt,
-		headers: reserveResult.uploadHeaders
-	});
-	const completed = yield* api.builds.complete({
-		path: { id: reserveResult.id },
-		payload: {
-			sha256: input.sha256,
-			byteSize: input.byteSize
-		}
-	}).pipe(Effect.mapError((cause) => new CompleteError({ message: `Failed to complete build ${reserveResult.id}: ${formatCause(cause)}` })));
-	if (!completed.artifact) return yield* new CompleteError({ message: `Build ${completed.id} completed but server returned no artifact record.` });
-	return {
-		id: completed.id,
-		status: "uploaded"
-	};
+const pickExistingKeystore = (api) => Effect.gen(function* () {
+	const keystores = yield* api.androidUploadKeystores.list();
+	if (keystores.items.length === 0) return yield* Effect.fail(new MissingCredentialsError({
+		message: "No existing keystores in this organization.",
+		hint: "Re-run and choose 'Generate new keystore'."
+	}));
+	return yield* promptSelect("Select a keystore", keystores.items.map((item) => ({
+		value: item.id,
+		label: item.keyAlias
+	})));
 });
-
-//#endregion
-//#region src/lib/auto-increment.ts
-const bumpBuildNumber = (current) => Effect.gen(function* () {
-	const raw = current ?? "0";
-	const parsed = Number.parseInt(raw, 10);
-	if (Number.isNaN(parsed)) return yield* new BuildProfileError({ message: `Cannot autoIncrement ios.buildNumber: current value "${raw}" is not a base-10 integer.` });
-	return String(parsed + 1);
-});
-const bumpVersionCode = (current) => Effect.gen(function* () {
-	const value = current ?? 0;
-	if (!Number.isInteger(value) || value < 0) return yield* new BuildProfileError({ message: `Cannot autoIncrement android.versionCode: current value ${String(value)} is not a non-negative integer.` });
-	return value + 1;
-});
-const SEMVER_PATCH = /^(\d+)\.(\d+)\.(\d+)(.*)$/u;
-const bumpVersion = (current) => Effect.gen(function* () {
-	if (current === void 0) return yield* new BuildProfileError({ message: "Cannot autoIncrement version: no `version` field set in Expo config." });
-	const match = SEMVER_PATCH.exec(current);
-	if (!match) return yield* new BuildProfileError({ message: `Cannot autoIncrement version: "${current}" is not a semver string like "1.2.3".` });
-	const [, major, minor, patch, suffix] = match;
-	const nextPatch = Number.parseInt(patch ?? "0", 10) + 1;
-	return `${major ?? "0"}.${minor ?? "0"}.${String(nextPatch)}${suffix ?? ""}`;
-});
-const computeIosBumps = (config, mode) => Effect.gen(function* () {
-	if (mode === "buildNumber") return { nextBuildNumber: yield* bumpBuildNumber(config.ios?.buildNumber) };
-	return {
-		nextVersion: yield* bumpVersion(config.version),
-		nextBuildNumber: yield* bumpBuildNumber(config.ios?.buildNumber)
-	};
+const resolveAndroidAppId = (api, input) => Effect.gen(function* () {
+	const existing = (yield* api.androidApplicationIdentifiers.list({ path: { projectId: input.projectId } })).items.find((item) => item.packageName === input.applicationIdentifier);
+	if (existing !== void 0) return existing.id;
+	return (yield* api.androidApplicationIdentifiers.create({
+		path: { projectId: input.projectId },
+		payload: { packageName: input.applicationIdentifier }
+	})).id;
 });
-const computeAndroidBumps = (config, mode) => Effect.gen(function* () {
-	if (mode === "versionCode") return { nextVersionCode: yield* bumpVersionCode(config.android?.versionCode) };
-	return {
-		nextVersion: yield* bumpVersion(config.version),
-		nextVersionCode: yield* bumpVersionCode(config.android?.versionCode)
-	};
+const resolveAndroidKeystoreId = (api, choice) => choice === "generate" ? generateKeystoreInteractive(api) : pickExistingKeystore(api);
+const setupAndroidInteractive = (api, input) => Effect.gen(function* () {
+	yield* Console.log("");
+	yield* Console.log(`No Android build credentials configured for ${input.applicationIdentifier}.`);
+	const appId = yield* resolveAndroidAppId(api, input);
+	const choice = yield* promptSelect("How would you like to provide a keystore?", [
+		{
+			value: "generate",
+			label: "Generate new keystore"
+		},
+		{
+			value: "existing",
+			label: "Pick an existing keystore"
+		},
+		{
+			value: "abort",
+			label: "Abort — I'll configure it in the dashboard"
+		}
+	]);
+	if (choice === "abort") return yield* Effect.fail(new MissingCredentialsError({
+		message: `Build aborted — no keystore bound to ${input.applicationIdentifier}.`,
+		hint: "Run `better-update credentials generate keystore` or upload via the dashboard."
+	}));
+	const keystoreId = yield* resolveAndroidKeystoreId(api, choice);
+	yield* api.androidBuildCredentials.create({
+		path: { applicationIdentifierId: appId },
+		payload: {
+			name: "Default",
+			isDefault: true,
+			androidUploadKeystoreId: keystoreId
+		}
+	});
+	yield* Console.log("Android build credentials configured.");
 });
-const buildPatch = (platform, bumps) => {
-	const patch = {};
-	if (bumps.nextVersion !== void 0) patch["version"] = bumps.nextVersion;
-	if (platform === "ios" && bumps.nextBuildNumber !== void 0) patch["ios"] = { buildNumber: bumps.nextBuildNumber };
-	if (platform === "android" && bumps.nextVersionCode !== void 0) patch["android"] = { versionCode: bumps.nextVersionCode };
-	return patch;
-};
-const describeBumps = (platform, bumps) => {
-	const parts = [];
-	if (bumps.nextVersion !== void 0) parts.push(`version=${bumps.nextVersion}`);
-	if (platform === "ios" && bumps.nextBuildNumber !== void 0) parts.push(`ios.buildNumber=${bumps.nextBuildNumber}`);
-	if (platform === "android" && bumps.nextVersionCode !== void 0) parts.push(`android.versionCode=${String(bumps.nextVersionCode)}`);
-	return parts.join(", ");
-};
-const computeBumps = (input) => {
-	if (input.platform === "ios") return input.iosMode === void 0 ? Effect.succeed({}) : computeIosBumps(input.config, input.iosMode);
-	return input.androidMode === void 0 ? Effect.succeed({}) : computeAndroidBumps(input.config, input.androidMode);
-};
-const hasAnyBump = (bumps) => bumps.nextVersion !== void 0 || bumps.nextBuildNumber !== void 0 || bumps.nextVersionCode !== void 0;
-/**
-* Bump `version` / `ios.buildNumber` / `android.versionCode` per the resolved
-* autoIncrement mode, persist via `@expo/config.modifyConfigAsync`, and log a
-* Human-readable summary. No-op when the mode is undefined. Returns the new
-* Bumped values so callers can refresh their in-memory ExpoConfig.
-*/
-const applyAutoIncrement = (input) => Effect.gen(function* () {
-	const bumps = yield* computeBumps(input);
-	if (!hasAnyBump(bumps)) return bumps;
-	const patch = buildPatch(input.platform, bumps);
-	const result = yield* writeExpoConfigPatch(input.projectRoot, patch).pipe(Effect.mapError((cause) => new BuildProfileError({ message: `Failed to persist autoIncrement: ${cause.message}` })));
-	if (result.type === "warn" && result.configPath === null) {
-		yield* Console.log(`autoIncrement: dynamic Expo config detected, cannot write back. Update manually: ${describeBumps(input.platform, bumps)}`);
-		return bumps;
+const ensureAndroidCredentialsAvailable = (api, input) => api.buildCredentials.resolve({
+	path: { projectId: input.projectId },
+	payload: {
+		platform: "android",
+		applicationIdentifier: input.applicationIdentifier
 	}
-	yield* Console.log(`autoIncrement: bumped ${describeBumps(input.platform, bumps)}`);
-	return bumps;
-});
-
-//#endregion
-//#region src/lib/eas-config.ts
-const MAX_EXTENDS_DEPTH = 10;
-const asStringValue = (value) => typeof value === "string" ? value : void 0;
-const asBooleanValue = (value) => typeof value === "boolean" ? value : void 0;
-const asEnv = (value) => {
-	const record = asRecord(value);
-	if (!record) return;
-	const env = {};
-	for (const [key, raw] of Object.entries(record)) if (typeof raw === "string") env[key] = raw;
-	return Object.keys(env).length === 0 ? void 0 : env;
-};
-const asIosDistribution = (raw) => {
-	const value = asStringValue(raw);
-	if (value === "app-store" || value === "ad-hoc" || value === "development" || value === "enterprise") return value;
-};
-const asEnterpriseProvisioning = (raw) => {
-	const value = asStringValue(raw);
-	return value === "adhoc" || value === "universal" ? value : void 0;
-};
-const asAndroidBuildType = (raw) => {
-	const value = asStringValue(raw);
-	return value === "debug" || value === "release" ? value : void 0;
-};
-const asAndroidFormat = (raw) => {
-	const value = asStringValue(raw);
-	return value === "apk" || value === "aab" ? value : void 0;
-};
-const asAndroidDistribution = (raw) => {
-	const value = asStringValue(raw);
-	return value === "play-store" || value === "direct" ? value : void 0;
-};
-const asIosAutoIncrement = (raw) => {
-	if (typeof raw === "boolean") return raw;
-	const value = asStringValue(raw);
-	return value === "buildNumber" || value === "version" ? value : void 0;
-};
-const asAndroidAutoIncrement = (raw) => {
-	if (typeof raw === "boolean") return raw;
-	const value = asStringValue(raw);
-	return value === "versionCode" || value === "version" ? value : void 0;
-};
-const asAutoIncrement = (raw) => {
-	if (typeof raw === "boolean") return raw;
-	const value = asStringValue(raw);
-	return value === "buildNumber" || value === "versionCode" || value === "version" ? value : void 0;
-};
-const asEasDistribution = (raw) => {
-	const value = asStringValue(raw);
-	return value === "internal" || value === "store" ? value : void 0;
-};
-const asCredentialsSource = (raw) => {
-	const value = asStringValue(raw);
-	return value === "remote" || value === "local" ? value : void 0;
-};
-const parseIosProfile = (raw) => {
-	const record = asRecord(raw);
-	if (!record) return;
-	const distribution = asIosDistribution(record["distribution"]);
-	const buildConfiguration = asStringValue(record["buildConfiguration"]);
-	const scheme = asStringValue(record["scheme"]);
-	const simulator = asBooleanValue(record["simulator"]);
-	const enterpriseProvisioning = asEnterpriseProvisioning(record["enterpriseProvisioning"]);
-	const autoIncrement = asIosAutoIncrement(record["autoIncrement"]);
-	return {
-		...distribution === void 0 ? {} : { distribution },
-		...buildConfiguration === void 0 ? {} : { buildConfiguration },
-		...scheme === void 0 ? {} : { scheme },
-		...simulator === void 0 ? {} : { simulator },
-		...enterpriseProvisioning === void 0 ? {} : { enterpriseProvisioning },
-		...autoIncrement === void 0 ? {} : { autoIncrement }
-	};
-};
-const parseAndroidProfile = (raw) => {
-	const record = asRecord(raw);
-	if (!record) return;
-	const buildType = asAndroidBuildType(record["buildType"]);
-	const flavor = asStringValue(record["flavor"]);
-	const gradleCommand = asStringValue(record["gradleCommand"]);
-	const format = asAndroidFormat(record["format"]);
-	const distribution = asAndroidDistribution(record["distribution"]);
-	const autoIncrement = asAndroidAutoIncrement(record["autoIncrement"]);
-	return {
-		...buildType === void 0 ? {} : { buildType },
-		...flavor === void 0 ? {} : { flavor },
-		...gradleCommand === void 0 ? {} : { gradleCommand },
-		...format === void 0 ? {} : { format },
-		...distribution === void 0 ? {} : { distribution },
-		...autoIncrement === void 0 ? {} : { autoIncrement }
-	};
-};
-const parseBuildProfile = (raw) => {
-	const record = asRecord(raw);
-	if (!record) return;
-	const extendsName = asStringValue(record["extends"]);
-	const developmentClient = asBooleanValue(record["developmentClient"]);
-	const distribution = asEasDistribution(record["distribution"]);
-	const channel = asStringValue(record["channel"]);
-	const environment = asStringValue(record["environment"]);
-	const env = asEnv(record["env"]);
-	const ios = parseIosProfile(record["ios"]);
-	const android = parseAndroidProfile(record["android"]);
-	const credentialsSource = asCredentialsSource(record["credentialsSource"]);
-	const autoIncrement = asAutoIncrement(record["autoIncrement"]);
-	return {
-		...extendsName === void 0 ? {} : { extends: extendsName },
-		...developmentClient === void 0 ? {} : { developmentClient },
-		...distribution === void 0 ? {} : { distribution },
-		...channel === void 0 ? {} : { channel },
-		...environment === void 0 ? {} : { environment },
-		...env === void 0 ? {} : { env },
-		...ios === void 0 ? {} : { ios },
-		...android === void 0 ? {} : { android },
-		...credentialsSource === void 0 ? {} : { credentialsSource },
-		...autoIncrement === void 0 ? {} : { autoIncrement }
-	};
-};
-const parseEasConfig = (text) => Effect.gen(function* () {
-	const root = asRecord(yield* Effect.try({
-		try: () => JSON.parse(text),
-		catch: (cause) => new BuildProfileError({ message: `eas.json is not valid JSON: ${formatCause(cause)}` })
+}).pipe(Effect.asVoid);
+const ensureAndroidCredentials = (api, input, options) => ensureAndroidCredentialsAvailable(api, input).pipe(Effect.catchIf(isMissingResolveError, () => Effect.gen(function* () {
+	const mode = yield* InteractiveMode;
+	if (options.freezeCredentials || !mode.allow) return yield* Effect.fail(new MissingCredentialsError({
+		message: `No Android build credentials for ${input.applicationIdentifier}.`,
+		hint: options.freezeCredentials ? "Run `better-update credentials generate` first, or remove --freeze-credentials." : "Run `better-update credentials generate` first, or rerun with --interactive to configure now."
 	}));
-	if (!root) return yield* new BuildProfileError({ message: "eas.json must be a JSON object at the top level." });
-	const buildRecord = asRecord(root["build"]);
-	if (!buildRecord) return asRecord(root["cli"]) ? { cli: parseCli(root["cli"]) } : {};
-	const profiles = {};
-	for (const [name, value] of Object.entries(buildRecord)) {
-		const profile = parseBuildProfile(value);
-		if (profile) profiles[name] = profile;
-	}
-	return {
-		...asRecord(root["cli"]) ? { cli: parseCli(root["cli"]) } : {},
-		build: profiles
-	};
-});
-const parseCli = (raw) => {
-	const record = asRecord(raw);
-	if (!record) return {};
-	const version = asStringValue(record["version"]);
-	return version === void 0 ? {} : { version };
-};
-const easJsonPath = (projectRoot) => Effect.gen(function* () {
-	return (yield* Path.Path).join(projectRoot, "eas.json");
-});
-const readEasJson = (projectRoot) => Effect.gen(function* () {
-	const fs = yield* FileSystem.FileSystem;
-	const filePath = yield* easJsonPath(projectRoot);
-	return yield* parseEasConfig(yield* fs.readFileString(filePath).pipe(Effect.catchAll((cause) => Effect.fail(new BuildProfileError({ message: cause._tag === "SystemError" && cause.reason === "NotFound" ? `No eas.json found at ${filePath}. Create one with a "build" section.` : `Failed to read eas.json: ${cause.message}` })))));
+	yield* setupAndroidInteractive(api, input);
+	return yield* ensureAndroidCredentialsAvailable(api, input);
+})));
+const setupIosInteractive = (api, input) => Effect.gen(function* () {
+	yield* Console.log("");
+	yield* Console.log(`No iOS bundle configuration for ${input.bundleIdentifier} (${input.distribution}).`);
+	if ((yield* chooseIosSetupPath(api)) === "apple-id") return yield* setupIosViaAppleId(api, input);
+	return yield* setupIosViaAscKey(api, input);
 });
-const mergeIos = (base, overlay) => {
-	if (!base) return overlay;
-	if (!overlay) return base;
-	return {
-		...base,
-		...overlay
-	};
-};
-const mergeAndroid = (base, overlay) => {
-	if (!base) return overlay;
-	if (!overlay) return base;
-	return {
-		...base,
-		...overlay
-	};
-};
-const mergeEnv = (base, overlay) => {
-	if (!base) return overlay;
-	if (!overlay) return base;
-	return {
-		...base,
-		...overlay
-	};
-};
-const mergeProfile = (base, overlay) => {
-	const ios = mergeIos(base.ios, overlay.ios);
-	const android = mergeAndroid(base.android, overlay.android);
-	const env = mergeEnv(base.env, overlay.env);
-	const developmentClient = overlay.developmentClient ?? base.developmentClient;
-	const distribution = overlay.distribution ?? base.distribution;
-	const channel = overlay.channel ?? base.channel;
-	const environment = overlay.environment ?? base.environment;
-	const credentialsSource = overlay.credentialsSource ?? base.credentialsSource;
-	const autoIncrement = overlay.autoIncrement ?? base.autoIncrement;
-	return {
-		...overlay.extends === void 0 ? {} : { extends: overlay.extends },
-		...developmentClient === void 0 ? {} : { developmentClient },
-		...distribution === void 0 ? {} : { distribution },
-		...channel === void 0 ? {} : { channel },
-		...environment === void 0 ? {} : { environment },
-		...env === void 0 ? {} : { env },
-		...ios === void 0 ? {} : { ios },
-		...android === void 0 ? {} : { android },
-		...credentialsSource === void 0 ? {} : { credentialsSource },
-		...autoIncrement === void 0 ? {} : { autoIncrement }
-	};
-};
-const collectExtendsChain = (profiles, profileName) => Effect.gen(function* () {
-	const chain = [];
-	const visited = /* @__PURE__ */ new Set();
-	let current = profileName;
-	let depth = 0;
-	while (current !== void 0) {
-		if (visited.has(current)) return yield* new BuildProfileError({ message: `Cycle detected in eas.json build.${profileName} extends chain at "${current}".` });
-		visited.add(current);
-		const profile = profiles[current];
-		if (!profile) return yield* new BuildProfileError({ message: current === profileName ? `Build profile "${profileName}" not found in eas.json.` : `Build profile "${profileName}" extends missing profile "${current}".` });
-		chain.unshift(profile);
-		current = profile.extends;
-		depth += 1;
-		if (depth > MAX_EXTENDS_DEPTH) return yield* new BuildProfileError({ message: `Too many "extends" levels (max ${String(MAX_EXTENDS_DEPTH)}) in eas.json build.${profileName}.` });
+const resolveIosBuildCredentials = (api, input) => api.buildCredentials.resolve({
+	path: { projectId: input.projectId },
+	payload: {
+		platform: "ios",
+		bundleIdentifier: input.bundleIdentifier,
+		distributionType: IOS_DISTRIBUTION_TO_TYPE[input.distribution]
 	}
-	return chain;
 });
-const stripExtends = (profile) => {
-	if (profile.extends === void 0) return profile;
-	const { extends: _omit, ...rest } = profile;
-	return rest;
-};
-const resolveEasBuildProfile = (config, profileName) => Effect.gen(function* () {
-	const profiles = config.build;
-	if (!profiles) return yield* new BuildProfileError({ message: "eas.json has no \"build\" section. Add at least one profile." });
-	return stripExtends((yield* collectExtendsChain(profiles, profileName)).reduce((acc, next, index) => index === 0 ? next : mergeProfile(acc, next), {}));
+const findBoundIosConfig = (api, input) => Effect.gen(function* () {
+	const distributionType = IOS_DISTRIBUTION_TO_TYPE[input.distribution];
+	const match = (yield* api.iosBundleConfigurations.list({ path: { projectId: input.projectId } })).items.find((config) => config.bundleIdentifier === input.bundleIdentifier && config.distributionType === distributionType);
+	if (match === void 0) return yield* Effect.fail(new MissingCredentialsError({
+		message: `iOS bundle configuration vanished while regenerating stale profile for ${input.bundleIdentifier}`,
+		hint: "Retry; the configuration must exist before regeneration"
+	}));
+	return match;
+});
+const regenerateProvisioningProfile = (api, input) => Effect.gen(function* () {
+	const config = yield* findBoundIosConfig(api, input);
+	if (config.appleDistributionCertificateId === null) return yield* new MissingCredentialsError({
+		message: "Profile cannot be regenerated: bundle configuration is missing the distribution certificate",
+		hint: "Re-bind credentials via `better-update credentials generate` or the dashboard"
+	});
+	const distributionType = IOS_DISTRIBUTION_TO_TYPE[input.distribution];
+	if (config.ascApiKeyId === null) return yield* regenerateProvisioningProfileViaAppleId(api, {
+		bundleIdentifier: input.bundleIdentifier,
+		distributionCertificateId: config.appleDistributionCertificateId,
+		distributionType,
+		bundleConfigurationId: config.id
+	});
+	yield* Console.log("Regenerating provisioning profile via App Store Connect API...");
+	const created = yield* generateAndUploadProvisioningProfile(api, {
+		ascApiKeyId: config.ascApiKeyId,
+		distributionCertificateId: config.appleDistributionCertificateId,
+		bundleIdentifier: input.bundleIdentifier,
+		distributionType
+	});
+	yield* api.iosBundleConfigurations.update({
+		path: { id: config.id },
+		payload: { appleProvisioningProfileId: created.id }
+	});
+	return created;
 });
+const ensureIosCredentials = (api, input, options) => resolveIosBuildCredentials(api, input).pipe(Effect.catchIf(isMissingResolveError, () => Effect.gen(function* () {
+	const mode = yield* InteractiveMode;
+	if (options.freezeCredentials || !mode.allow) return yield* Effect.fail(new MissingCredentialsError({
+		message: `No iOS build credentials for ${input.bundleIdentifier} (${input.distribution}).`,
+		hint: options.freezeCredentials ? "Run `better-update credentials generate` first, or remove --freeze-credentials." : "Run `better-update credentials generate` first, or rerun with --interactive to configure now."
+	}));
+	yield* setupIosInteractive(api, input);
+	return yield* resolveIosBuildCredentials(api, input);
+})), Effect.flatMap((resolved) => Effect.gen(function* () {
+	if (resolved.platform !== "ios" || !resolved.profileStale) return;
+	const mode = yield* InteractiveMode;
+	if (options.freezeCredentials || !mode.allow) return yield* Effect.fail(new MissingCredentialsError({
+		message: `Stale provisioning profile for ${input.bundleIdentifier}; cannot regenerate without an interactive session.`,
+		hint: options.freezeCredentials ? "Run a build without --freeze-credentials once to refresh the profile, or run `better-update credentials regenerate-profile`." : "Run `better-update credentials regenerate-profile --bundle <id> --distribution <type>` from an interactive terminal."
+	}));
+	yield* Console.log(`Stale provisioning profile for ${input.bundleIdentifier} (device roster changed). Regenerating...`);
+	yield* regenerateProvisioningProfile(api, input);
+})));
 
 //#endregion
-//#region src/lib/build-profile.ts
-const asString$1 = (value) => typeof value === "string" ? value : void 0;
-const deriveIosDistribution = (eas) => {
-	const override = eas.ios?.distribution;
-	if (override) return override;
-	if (eas.developmentClient === true) return "development";
-	if (eas.distribution === "internal") return "ad-hoc";
-	if (eas.distribution === "store") return "app-store";
-};
-const deriveAndroidFormat = (eas) => {
-	if (eas.android?.format) return eas.android.format;
-	if (eas.distribution === "store") return "aab";
-	if (eas.distribution === "internal") return "apk";
-	if (eas.developmentClient === true) return "apk";
-};
-const deriveAndroidDistribution = (eas, format) => {
-	if (eas.android?.distribution) return eas.android.distribution;
-	if (format === "aab") return "play-store";
-	return "direct";
-};
-const hasIosIntent = (eas) => eas.ios !== void 0 || eas.distribution !== void 0 || eas.developmentClient === true;
-const hasAndroidIntent = (eas) => eas.android !== void 0 || eas.distribution !== void 0 || eas.developmentClient === true;
-const resolveIosAutoIncrement = (eas) => {
-	const override = eas.ios?.autoIncrement;
-	if (override === false) return;
-	if (override === true) return "buildNumber";
-	if (override === "buildNumber" || override === "version") return override;
-	const top = eas.autoIncrement;
-	if (top === true || top === "buildNumber") return "buildNumber";
-	if (top === "version") return "version";
-};
-const resolveAndroidAutoIncrement = (eas) => {
-	const override = eas.android?.autoIncrement;
-	if (override === false) return;
-	if (override === true) return "versionCode";
-	if (override === "versionCode" || override === "version") return override;
-	const top = eas.autoIncrement;
-	if (top === true || top === "versionCode") return "versionCode";
-	if (top === "version") return "version";
-};
-const toIosProfile = (eas) => {
-	if (!hasIosIntent(eas)) return;
-	const distribution = deriveIosDistribution(eas);
-	if (!distribution) return;
-	const ios = eas.ios ?? {};
-	const autoIncrement = resolveIosAutoIncrement(eas);
-	return {
-		distribution,
-		...ios.buildConfiguration === void 0 ? {} : { buildConfiguration: ios.buildConfiguration },
-		...ios.scheme === void 0 ? {} : { scheme: ios.scheme },
-		...ios.simulator === void 0 ? {} : { simulator: ios.simulator },
-		...autoIncrement === void 0 ? {} : { autoIncrement }
-	};
-};
-const toAndroidProfile = (eas) => {
-	if (!hasAndroidIntent(eas)) return;
-	const format = deriveAndroidFormat(eas);
-	if (!format) return;
-	const android = eas.android ?? {};
-	const distribution = deriveAndroidDistribution(eas, format);
-	const autoIncrement = resolveAndroidAutoIncrement(eas);
-	return {
-		format,
-		distribution,
-		...android.buildType === void 0 ? {} : { buildType: android.buildType },
-		...android.flavor === void 0 ? {} : { flavor: android.flavor },
-		...android.gradleCommand === void 0 ? {} : { gradleCommand: android.gradleCommand },
-		...autoIncrement === void 0 ? {} : { autoIncrement }
-	};
-};
-const fromEasProfile = (eas, profileName) => {
-	const ios = toIosProfile(eas);
-	const android = toAndroidProfile(eas);
-	return {
-		name: profileName,
-		environment: eas.environment ?? "production",
-		...eas.channel === void 0 ? {} : { channel: eas.channel },
-		...eas.env === void 0 ? {} : { env: eas.env },
-		...ios === void 0 ? {} : { ios },
-		...android === void 0 ? {} : { android },
-		...eas.credentialsSource === void 0 ? {} : { credentialsSource: eas.credentialsSource }
-	};
+//#region src/lib/ios-codesign-pbxproj.ts
+const loadXcodeModule$1 = () => __require("xcode");
+const findXcodeProjectDir$1 = (iosDir) => Effect.gen(function* () {
+	const projectDir = (yield* (yield* FileSystem.FileSystem).readDirectory(iosDir).pipe(Effect.mapError((cause) => new XcodeProjectError({ message: `Failed to read ${iosDir}: ${String(cause)}` })))).find((entry) => entry.endsWith(".xcodeproj"));
+	if (!projectDir) return yield* new XcodeProjectError({ message: `No .xcodeproj directory found under ${iosDir}.` });
+	return path.join(iosDir, projectDir);
+});
+const parseProject$1 = (pbxprojPath) => Effect.try({
+	try: () => loadXcodeModule$1().project(pbxprojPath).parseSync(),
+	catch: (cause) => new XcodeProjectError({ message: `Failed to parse ${pbxprojPath}: ${cause instanceof Error ? cause.message : String(cause)}` })
+});
+/**
+* Always wrap a value in double quotes for safe pbxproj serialization. The
+* `xcode` writer emits values verbatim (e.g. `KEY = %s;`), so any string with
+* spaces, brackets or non-identifier characters needs explicit quoting.
+*/
+const quote = (value) => `"${value.replaceAll("\"", String.raw`\"`)}"`;
+const SDK_CONDITIONAL_IDENTITY_KEYS = ["\"CODE_SIGN_IDENTITY[sdk=iphoneos*]\"", "CODE_SIGN_IDENTITY[sdk=iphoneos*]"];
+const mutateConfig = (project, configUuid, settings) => {
+	const cfg = project.pbxXCBuildConfigurationSection()[configUuid];
+	if (!cfg || typeof cfg === "string") return false;
+	cfg.buildSettings["CODE_SIGN_STYLE"] = "Manual";
+	cfg.buildSettings["DEVELOPMENT_TEAM"] = quote(settings.teamId);
+	cfg.buildSettings["CODE_SIGN_IDENTITY"] = quote(settings.signingIdentity);
+	cfg.buildSettings["PROVISIONING_PROFILE_SPECIFIER"] = quote(settings.profileSpecifier);
+	delete cfg.buildSettings["PROVISIONING_PROFILE"];
+	for (const key of SDK_CONDITIONAL_IDENTITY_KEYS) delete cfg.buildSettings[key];
+	return true;
 };
-const readBuildProfile = (projectRoot, profileName) => Effect.gen(function* () {
-	return fromEasProfile(yield* resolveEasBuildProfile(yield* readEasJson(projectRoot), profileName), profileName);
+/**
+* Write `CODE_SIGN_STYLE=Manual`, `DEVELOPMENT_TEAM`, `CODE_SIGN_IDENTITY`, and
+* `PROVISIONING_PROFILE_SPECIFIER` into the specified XCBuildConfiguration
+* entries of the project under `iosDir`, then serialize back to disk.
+*
+* Only mutates the main app project — `Pods.xcodeproj` is left untouched. The
+* caller is responsible for ensuring each entry's `buildConfigurationUuids`
+* only includes configurations that belong to a signed target (see
+* `discoverSignedTargets`).
+*/
+const applyTargetSigning = (options) => Effect.gen(function* () {
+	const fs = yield* FileSystem.FileSystem;
+	const projectDir = yield* findXcodeProjectDir$1(options.iosDir);
+	const pbxprojPath = path.join(projectDir, "project.pbxproj");
+	const project = yield* parseProject$1(pbxprojPath);
+	for (const entry of options.entries) for (const configUuid of entry.buildConfigurationUuids) if (!mutateConfig(project, configUuid, entry.settings)) yield* new XcodeProjectError({ message: `Build configuration ${configUuid} not found for target "${entry.targetName}" in ${pbxprojPath}.` });
+	const serialized = yield* Effect.try({
+		try: () => project.writeSync(),
+		catch: (cause) => new XcodeProjectError({ message: `Failed to serialize ${pbxprojPath}: ${cause instanceof Error ? cause.message : String(cause)}` })
+	});
+	yield* fs.writeFileString(pbxprojPath, serialized).pipe(Effect.mapError((cause) => new XcodeProjectError({ message: `Failed to write ${pbxprojPath}: ${String(cause)}` })));
 });
-const readRuntimeVersionMeta = (config) => ({
-	appVersion: config.version,
-	rawRuntimeVersion: readRawRuntimeVersion(config.runtimeVersion)
+
+//#endregion
+//#region src/lib/ios-export-options.ts
+const escapeXml = (value) => value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll("\"", "&quot;").replaceAll("'", "&apos;");
+const boolTag = (value) => value ? "<true/>" : "<false/>";
+/**
+* Render an Xcode `ExportOptions.plist` for `xcodebuild -exportArchive`.
+*
+* - `signingStyle` is always `manual` (ephemeral keychain + downloaded profile)
+* - `uploadSymbols` is emitted only for `app-store` exports
+* - `provisioningProfiles` dict maps each bundleId → profile name (one entry
+*   per signed target: main app + any extensions like notification service)
+* - `compileBitcode` defaults to `false`
+*/
+const renderExportOptionsPlist = ({ method, teamId, provisioningProfiles, compileBitcode = false }) => {
+	const lines = [
+		"<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
+		"<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">",
+		"<plist version=\"1.0\">",
+		"<dict>",
+		"	<key>method</key>",
+		`\t<string>${escapeXml(method)}</string>`,
+		"	<key>teamID</key>",
+		`\t<string>${escapeXml(teamId)}</string>`,
+		"	<key>signingStyle</key>",
+		"	<string>manual</string>",
+		"	<key>compileBitcode</key>",
+		`\t${boolTag(compileBitcode)}`,
+		"	<key>provisioningProfiles</key>",
+		"	<dict>"
+	];
+	for (const { bundleId, profileName } of provisioningProfiles) lines.push(`\t\t<key>${escapeXml(bundleId)}</key>`, `\t\t<string>${escapeXml(profileName)}</string>`);
+	lines.push("	</dict>");
+	if (method === "app-store") lines.push("	<key>uploadSymbols</key>", "	<true/>");
+	lines.push("</dict>", "</plist>", "");
+	return lines.join("\n");
+};
+
+//#endregion
+//#region src/lib/ios-keychain.ts
+const runOrFail = (cmd, step) => Command.string(cmd).pipe(Effect.mapError((cause) => new KeychainError({ message: `keychain ${step} failed: ${String(cause)}` })));
+const listCurrentKeychains = Effect.gen(function* () {
+	return (yield* runOrFail(Command.make("security", "list-keychains", "-d", "user"), "list-keychains")).split("\n").map((line) => line.trim().replace(/^"/u, "").replace(/"$/u, "")).filter((line) => line.length > 0);
 });
-const readRawRuntimeVersion = (value) => {
-	if (typeof value === "string") return value;
-	const policy = asString$1(asRecord(value)?.["policy"]);
-	if (policy) return { policy };
+const parseSigningIdentity = (output) => {
+	const lines = output.split("\n");
+	for (const line of lines) {
+		const match = /"([^"]+)"/u.exec(line);
+		if (match?.[1]) return match[1];
+	}
+};
+/**
+* Acquire an ephemeral macOS keychain, import a `.p12` into it, add it to the
+* user search list, and tear it all down on scope close. The keychain name is
+* namespaced as `better-update-<uuid>` and lives in `$tempDir`, so cleanup is
+* guaranteed under all termination paths.
+*/
+const acquireKeychain = ({ tempDir, p12Path, p12Password }) => {
+	const keychainName = `better-update-${randomUUID()}.keychain-db`;
+	const keychainPath = path.join(tempDir, keychainName);
+	const keychainPassword = randomBytes(32).toString("hex");
+	return Effect.acquireRelease(Effect.gen(function* () {
+		const priorKeychains = yield* listCurrentKeychains;
+		yield* runOrFail(Command.make("security", "create-keychain", "-p", keychainPassword, keychainPath), "create-keychain");
+		yield* runOrFail(Command.make("security", "unlock-keychain", "-p", keychainPassword, keychainPath), "unlock-keychain");
+		yield* runOrFail(Command.make("security", "set-keychain-settings", "-t", "3600", "-l", keychainPath), "set-keychain-settings");
+		yield* runOrFail(Command.make("security", "import", p12Path, "-k", keychainPath, "-P", p12Password, "-T", "/usr/bin/codesign"), "import");
+		yield* runOrFail(Command.make("security", "set-key-partition-list", "-S", "apple-tool:,apple:,codesign:", "-s", "-k", keychainPassword, keychainPath), "set-key-partition-list");
+		yield* runOrFail(Command.make("security", "list-keychains", "-d", "user", "-s", keychainPath, ...priorKeychains), "list-keychains -s (add)");
+		const signingIdentity = parseSigningIdentity(yield* runOrFail(Command.make("security", "find-identity", "-v", "-p", "codesigning", keychainPath), "find-identity"));
+		if (!signingIdentity) return yield* new KeychainError({ message: "No code signing identity found after importing .p12 into ephemeral keychain." });
+		return {
+			handle: {
+				keychainName,
+				keychainPath,
+				signingIdentity
+			},
+			priorKeychains
+		};
+	}), ({ priorKeychains }) => Effect.gen(function* () {
+		yield* Command.string(Command.make("security", "list-keychains", "-d", "user", "-s", ...priorKeychains)).pipe(Effect.catchAll(() => Effect.void));
+		yield* Command.string(Command.make("security", "delete-keychain", keychainPath)).pipe(Effect.catchAll(() => Effect.void));
+	})).pipe(Effect.map(({ handle }) => handle));
 };
 
 //#endregion
-//#region src/lib/clear-cache.ts
+//#region src/lib/plist.ts
+const plist = typeof plistMod.parse === "function" ? plistMod : plistMod.default;
 /**
-* Project-scoped build cache directories to remove when --clear-cache is passed.
-* Intentionally avoids `~/.gradle/caches` (global) and `ios/Pods/` (requires
-* pod install rebuild — leave to the user).
+* Parse an XML plist string into a typed object.
+* Throws on malformed XML — callers should wrap in Effect.try.
 */
-const CACHE_DIRS = [
-	"android/.gradle",
-	"android/app/build",
-	"android/build",
-	"ios/build",
-	".expo",
-	"node_modules/.cache"
-];
-const clearBuildCaches = (projectRoot) => Effect.gen(function* () {
-	const fs = yield* FileSystem.FileSystem;
-	const removed = [];
-	yield* Effect.forEach(CACHE_DIRS, (rel) => Effect.gen(function* () {
-		const target = path.join(projectRoot, rel);
-		if (!(yield* fs.exists(target).pipe(Effect.catchAll(() => Effect.succeed(false))))) return;
-		yield* fs.remove(target, { recursive: true }).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
-		removed.push(rel);
-	}), { concurrency: 4 });
-	if (removed.length > 0) yield* Console.error(`Cleared caches: ${removed.join(", ")}`);
-});
-
-//#endregion
-//#region src/lib/env-exporter.ts
-const coerceEnvironment = (raw) => raw === "development" || raw === "preview" || raw === "production" ? raw : void 0;
+const parsePlistXml = (xml) => plist.parse(xml);
 /**
-* Pull environment variables for a project + environment and flatten them into
-* a key/value map. Returns an empty map when the project has no variables.
+* Parse a binary plist buffer into a typed object.
+* Uses bplist-parser for Apple's binary plist format.
 */
-const pullEnvVars = (api, { projectId, environment }) => {
-	const validated = coerceEnvironment(environment);
-	if (!validated) return Effect.fail(new EnvExportError({ message: `Invalid environment "${environment}". Must be one of: development, preview, production.` }));
-	return api["env-vars"].export({ urlParams: {
-		projectId,
-		environment: validated
-	} }).pipe(Effect.map((result) => Object.fromEntries(result.items.map((item) => [item.key, item.value]))), Effect.mapError((cause) => new EnvExportError({ message: `Failed to export environment variables for "${environment}": ${String(cause)}` })));
+const parsePlistBinary = (buffer) => {
+	const [result] = __require("bplist-parser").parseBuffer(buffer);
+	return result;
 };
+const BPLIST_MAGIC = Buffer.from("bplist00");
+/**
+* Auto-detect plist format (binary vs XML) and parse accordingly.
+*/
+const parsePlist = (data) => data.subarray(0, 8).equals(BPLIST_MAGIC) ? parsePlistBinary(data) : parsePlistXml(data.toString("utf8"));
 
 //#endregion
-//#region src/lib/git-context.ts
-const runString = (cmd, cwd) => Command.string(Command.workingDirectory(cmd, cwd));
+//#region src/lib/ios-provisioning.ts
+const getString = (obj, key) => {
+	const value = obj[key];
+	return typeof value === "string" ? value : void 0;
+};
+const getFirstArrayString = (obj, key) => {
+	const value = obj[key];
+	if (Array.isArray(value) && typeof value[0] === "string") return value[0];
+};
 /**
-* Best-effort git context extraction. If git is missing, the directory isn't
-* a repo, or any command fails, we silently return undefined fields so the
-* build can still proceed. This is intentional — git context is metadata,
-* not a requirement.
+* Extract `UUID`, `Name`, and the first `TeamIdentifier` from the XML plist
+* output of `security cms -D -i <path>`. Returns `ProvisioningError` when any
+* of the three fields are missing.
 */
-const readGitContext = (projectRoot) => Effect.gen(function* () {
-	const [commit, ref, commitMessage, status] = yield* Effect.all([
-		runString(Command.make("git", "rev-parse", "HEAD"), projectRoot).pipe(Effect.map((output) => output.trim()), Effect.catchAll(() => Effect.succeed(""))),
-		runString(Command.make("git", "symbolic-ref", "--short", "HEAD"), projectRoot).pipe(Effect.map((output) => output.trim()), Effect.catchAll(() => Effect.succeed(""))),
-		runString(Command.make("git", "log", "-1", "--format=%s"), projectRoot).pipe(Effect.map((output) => output.trim()), Effect.catchAll(() => Effect.succeed(""))),
-		runString(Command.make("git", "status", "--porcelain"), projectRoot).pipe(Effect.catchAll(() => Effect.succeed("")))
-	], { concurrency: "unbounded" });
+const extractProvisioningInfo = (plistXml) => Effect.gen(function* () {
+	const parsed = yield* Effect.try({
+		try: () => parsePlistXml(plistXml),
+		catch: (error) => new ProvisioningError({ message: `Failed to parse provisioning profile plist: ${error instanceof Error ? error.message : String(error)}` })
+	});
+	const uuid = getString(parsed, "UUID");
+	const name = getString(parsed, "Name");
+	const teamId = getFirstArrayString(parsed, "TeamIdentifier");
+	if (!uuid || !name || !teamId) return yield* new ProvisioningError({ message: `Failed to parse provisioning profile: missing ${uuid ? "" : "UUID "}${name ? "" : "Name "}${teamId ? "" : "TeamIdentifier "}`.trim() });
 	return {
-		ref: ref.length > 0 ? ref : void 0,
-		commit: commit.length > 0 ? commit : void 0,
-		commitMessage: commitMessage.length > 0 ? commitMessage : void 0,
-		dirty: status.trim().length > 0
+		uuid,
+		name,
+		teamId
 	};
 });
-
-//#endregion
-//#region src/lib/gradle-config.ts
+const userProvisioningProfilesDir = () => path.join(os.homedir(), "Library", "MobileDevice", "Provisioning Profiles");
 /**
-* Parse Groovy `build.gradle` to extract key Android config values.
-* Returns `undefined` if:
-* - Only `build.gradle.kts` exists (Kotlin DSL not supported by gradle-to-js)
-* - No build.gradle found at all
-* - Parse fails
-*
-* Informational only — never blocks the build.
+* Scoped installation of a provisioning profile: parses its metadata via
+* `security cms -D -i`, copies it into `~/Library/MobileDevice/Provisioning Profiles`
+* under `<uuid>.mobileprovision`, and removes the copy on scope close — but
+* only if we installed it. If the target file already existed when we arrived
+* (e.g., Xcode had it), we leave both the file and the contents untouched.
 */
-const readGradleConfig = (androidDir) => Effect.gen(function* () {
+const installProvisioningProfile = ({ profilePath }) => Effect.acquireRelease(Effect.gen(function* () {
 	const fs = yield* FileSystem.FileSystem;
-	const gradlePath = path.join(androidDir, "app", "build.gradle");
-	const ktsPath = path.join(androidDir, "app", "build.gradle.kts");
-	const hasGroovy = yield* fs.exists(gradlePath).pipe(Effect.orElseSucceed(() => false));
-	const hasKts = yield* fs.exists(ktsPath).pipe(Effect.orElseSucceed(() => false));
-	if (!hasGroovy && hasKts) return;
-	if (!hasGroovy) return;
-	const content = yield* fs.readFileString(gradlePath).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
-	if (!content) return;
-	return yield* Effect.tryPromise({
-		try: async () => {
-			return __require("gradle-to-js").parseText(stripGroovyComments(content));
-		},
-		catch: () => void 0
-	}).pipe(Effect.map(extractGradleConfig), Effect.catchAll(() => Effect.succeed(void 0)));
-});
-/**
-* Log a warning if Gradle applicationId differs from app.json package name.
-*/
-const warnOnGradleMismatch = (gradleConfig, expectedPackage) => {
-	if (!gradleConfig?.applicationId) return Effect.void;
-	if (gradleConfig.applicationId === expectedPackage) return Effect.void;
-	return Console.warn(`Gradle applicationId "${gradleConfig.applicationId}" differs from app.json package "${expectedPackage}". The Gradle value will be used in the built APK/AAB.`);
-};
-/**
-* Strip Groovy single-line and block comments.
-* gradle-to-js chokes on comments — EAS CLI does this same pre-processing.
-*/
-const stripGroovyComments = (text) => text.replaceAll(/\/\/.*$/gmu, "").replaceAll(/\/\*[\s\S]*?\*\//gu, "");
-const parseVersionCode = (raw) => {
-	if (typeof raw === "number") return raw;
-	if (typeof raw === "string") return Number.parseInt(raw, 10) || void 0;
-};
-const extractGradleConfig = (parsed) => {
-	const defaultConfig = asRecord(asRecord(parsed["android"])?.["defaultConfig"]);
-	const applicationId = typeof defaultConfig?.["applicationId"] === "string" ? unquote(defaultConfig["applicationId"]) : void 0;
-	const versionCode = parseVersionCode(defaultConfig?.["versionCode"]);
-	const versionName = typeof defaultConfig?.["versionName"] === "string" ? unquote(defaultConfig["versionName"]) : void 0;
+	const info = yield* extractProvisioningInfo(yield* Command.string(Command.make("security", "cms", "-D", "-i", profilePath)).pipe(Effect.mapError((cause) => new ProvisioningError({ message: `security cms -D failed for ${profilePath}: ${String(cause)}` }))));
+	const targetDir = userProvisioningProfilesDir();
+	const installedPath = path.join(targetDir, `${info.uuid}.mobileprovision`);
+	yield* fs.makeDirectory(targetDir, { recursive: true }).pipe(Effect.catchAll((cause) => new ProvisioningError({ message: `Failed to create provisioning profiles dir: ${String(cause)}` })));
+	if (yield* fs.exists(installedPath).pipe(Effect.orElseSucceed(() => false))) return {
+		...info,
+		installedPath,
+		ownsInstallation: false
+	};
+	yield* fs.copyFile(profilePath, installedPath).pipe(Effect.catchAll((cause) => new ProvisioningError({ message: `Failed to copy provisioning profile into ${installedPath}: ${String(cause)}` })));
 	return {
-		...applicationId === void 0 ? {} : { applicationId },
-		...versionCode === void 0 ? {} : { versionCode },
-		...versionName === void 0 ? {} : { versionName }
+		...info,
+		installedPath,
+		ownsInstallation: true
 	};
-};
-const unquote = (input) => input.startsWith("\"") && input.endsWith("\"") ? input.slice(1, -1) : input;
+}), (acquired) => Effect.gen(function* () {
+	if (!acquired.ownsInstallation) return;
+	yield* (yield* FileSystem.FileSystem).remove(acquired.installedPath).pipe(Effect.catchAll(() => Effect.void));
+})).pipe(Effect.map(({ uuid, name, teamId, installedPath }) => ({
+	uuid,
+	name,
+	teamId,
+	installedPath
+})));
 
 //#endregion
-//#region src/lib/platform-detect.ts
-const PLATFORMS = ["ios", "android"];
-const inferPlatforms = (config) => {
-	const fromConfig = config["platforms"];
-	if (Array.isArray(fromConfig)) return fromConfig.filter((entry) => entry === "ios" || entry === "android");
-	const present = [];
-	if (config.ios !== void 0) present.push("ios");
-	if (config.android !== void 0) present.push("android");
-	return present;
-};
+//#region src/lib/post-build-validation.ts
+const validateOneBundle = (bundleDir, expectedByBundleId, expectedTeamId) => Effect.gen(function* () {
+	const bundleId = yield* readBundleId(bundleDir).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
+	if (!bundleId) return {
+		bundleId: void 0,
+		warnings: [`Missing CFBundleIdentifier in Info.plist at ${bundleDir}`]
+	};
+	const expected = expectedByBundleId.get(bundleId);
+	if (!expected) return {
+		bundleId,
+		warnings: [`Unexpected signed bundle "${bundleId}" found in archive at ${bundleDir}`]
+	};
+	return {
+		bundleId,
+		warnings: yield* validateEmbeddedProfile(bundleDir, expected.profileUuid, expectedTeamId, bundleId).pipe(Effect.catchAll(() => Effect.succeed([])))
+	};
+});
+const validateIosBuild = (params) => Effect.gen(function* () {
+	const appDir = yield* findAppDirectory$1(params.archivePath).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
+	if (!appDir) return {
+		passed: false,
+		warnings: ["Could not locate .app bundle in archive — skipping post-build validation"]
+	};
+	const bundleDirs = yield* listSignedBundleDirs(appDir).pipe(Effect.catchAll(() => Effect.succeed([appDir])));
+	const expectedByBundleId = new Map(params.expectedTargets.map((target) => [target.bundleId, target]));
+	const perBundle = yield* Effect.forEach(bundleDirs, (bundleDir) => validateOneBundle(bundleDir, expectedByBundleId, params.expectedTeamId));
+	const warnings = perBundle.flatMap((entry) => [...entry.warnings]);
+	const validatedBundleIds = new Set(perBundle.map((entry) => entry.bundleId).filter((id) => id !== void 0));
+	for (const expected of params.expectedTargets) if (!validatedBundleIds.has(expected.bundleId)) warnings.push(`Expected signed target "${expected.bundleId}" was not found in the archive.`);
+	if (warnings.length > 0) {
+		yield* Console.warn("Post-build validation warnings:");
+		for (const warning of warnings) yield* Console.warn(`  - ${warning}`);
+	}
+	return {
+		passed: warnings.length === 0,
+		warnings
+	};
+});
+const findAppDirectory$1 = (archivePath) => Effect.gen(function* () {
+	const fs = yield* FileSystem.FileSystem;
+	const productsDir = path.join(archivePath, "Products", "Applications");
+	const appEntry = (yield* fs.readDirectory(productsDir)).find((entry) => entry.endsWith(".app"));
+	if (!appEntry) return yield* Effect.fail("No .app found");
+	return path.join(productsDir, appEntry);
+});
 /**
-* Resolve a build platform from an explicit flag, or fall back to the Expo
-* config (`expo.platforms` or the presence of `ios`/`android` sections). Prompts
-* when the config declares both platforms; fails when ambiguous and prompts are
-* disallowed.
+* Return the main `.app` plus every `.appex` extension under `<app>/PlugIns/`.
+* Each returned path is a signed bundle that should carry its own embedded
+* provisioning profile + Info.plist with CFBundleIdentifier.
 */
-const detectPlatform = (explicit, config) => Effect.gen(function* () {
-	if (explicit !== void 0) return explicit;
-	const candidates = inferPlatforms(config);
-	if (candidates.length === 0) return yield* new BuildProfileError({ message: "Cannot infer build platform. Add an `ios` or `android` section to your Expo config, or pass --platform." });
-	if (candidates.length === 1) {
-		const [only] = candidates;
-		if (only === void 0) return yield* new BuildProfileError({ message: "Internal: empty platform candidate list." });
-		return only;
+const listSignedBundleDirs = (appDir) => Effect.gen(function* () {
+	const fs = yield* FileSystem.FileSystem;
+	const plugInsDir = path.join(appDir, "PlugIns");
+	if (!(yield* fs.exists(plugInsDir).pipe(Effect.catchAll(() => Effect.succeed(false))))) return [appDir];
+	return [appDir, ...(yield* fs.readDirectory(plugInsDir)).filter((entry) => entry.endsWith(".appex")).map((entry) => path.join(plugInsDir, entry))];
+});
+const readBundleId = (bundleDir) => Effect.gen(function* () {
+	const fs = yield* FileSystem.FileSystem;
+	const plistPath = path.join(bundleDir, "Info.plist");
+	const data = yield* fs.readFile(plistPath);
+	const bundleId = parsePlist(Buffer.from(data))["CFBundleIdentifier"];
+	return typeof bundleId === "string" ? bundleId : void 0;
+});
+const validateEmbeddedProfile = (bundleDir, expectedUuid, expectedTeamId, bundleId) => Effect.gen(function* () {
+	const warnings = [];
+	const profilePath = path.join(bundleDir, "embedded.mobileprovision");
+	const parsed = parsePlistXml(yield* Command.string(Command.make("security", "cms", "-D", "-i", profilePath)));
+	const actualUuid = parsed["UUID"];
+	if (typeof actualUuid === "string" && actualUuid !== expectedUuid) warnings.push(`[${bundleId}] Profile UUID mismatch: expected "${expectedUuid}", got "${actualUuid}"`);
+	const teamIdentifiers = parsed["TeamIdentifier"];
+	if (Array.isArray(teamIdentifiers)) {
+		const [actualTeamId] = teamIdentifiers;
+		if (typeof actualTeamId === "string" && actualTeamId !== expectedTeamId) warnings.push(`[${bundleId}] Team ID mismatch: expected "${expectedTeamId}", got "${actualTeamId}"`);
 	}
-	if (!(yield* InteractiveMode).allow) return yield* new BuildProfileError({ message: `Multiple platforms detected (${candidates.join(", ")}). Pass --platform explicitly when running non-interactively.` });
-	return yield* promptSelect("Which platform to build?", PLATFORMS.filter((entry) => candidates.includes(entry)).map((entry) => ({
-		value: entry,
-		label: entry
-	})));
+	const expirationDate = parsed["ExpirationDate"];
+	if (expirationDate instanceof Date && expirationDate.getTime() < Date.now()) warnings.push(`[${bundleId}] Embedded provisioning profile expired on ${expirationDate.toISOString()}`);
+	return warnings;
 });
 
 //#endregion
-//#region src/lib/repo-clean.ts
-const MAX_FILES_SHOWN = 10;
-const readPorcelain = (projectRoot) => Command.make("git", "status", "--porcelain").pipe(Command.workingDirectory(projectRoot), Command.string, Effect.map((output) => output.split(/\r?\n/u).map((line) => line.trim()).filter((line) => line.length > 0)), Effect.catchAll(() => Effect.succeed([])));
+//#region src/lib/xcode-targets.ts
+/** Product types whose targets require code-signing with a provisioning profile. */
+const SIGNED_PRODUCT_TYPES = new Set([
+	"com.apple.product-type.application",
+	"com.apple.product-type.app-extension",
+	"com.apple.product-type.messages-extension",
+	"com.apple.product-type.tv-app-extension",
+	"com.apple.product-type.watchapp2",
+	"com.apple.product-type.watchkit2-extension"
+]);
+const loadXcodeModule = () => __require("xcode");
 /**
-* Refuse to proceed when the working tree has uncommitted changes. Skipped when
-* `allowDirty` is true. In interactive mode, prompts the user to confirm; in
-* non-interactive mode, fails with `DirtyRepoError`.
+* Strip surrounding quotes from a pbxproj string value. `xcode` returns values
+* verbatim from the project file, so identifiers like productType are usually
+* wrapped in double quotes (e.g. `"com.apple.product-type.application"`).
 */
-const ensureRepoClean = ({ projectRoot, allowDirty, label }) => Effect.gen(function* () {
-	if (allowDirty) return;
-	const dirty = yield* readPorcelain(projectRoot);
-	if (dirty.length === 0) return;
-	const preview = dirty.slice(0, MAX_FILES_SHOWN).join("\n  ");
-	const overflow = dirty.length > MAX_FILES_SHOWN ? `\n  ... and ${String(dirty.length - MAX_FILES_SHOWN)} more` : "";
-	yield* Console.error(`Uncommitted changes (${String(dirty.length)} file(s)):\n  ${preview}${overflow}`);
-	if (!(yield* InteractiveMode).allow) {
-		yield* new DirtyRepoError({ message: `Refusing to ${label} with a dirty working tree. Commit your changes or pass --allow-dirty.` });
-		return;
+const unquote$1 = (value) => value.length >= 2 && value.startsWith("\"") && value.endsWith("\"") ? value.slice(1, -1) : value;
+const findXcodeProjectDir = (iosDir) => Effect.gen(function* () {
+	const projectDir = (yield* (yield* FileSystem.FileSystem).readDirectory(iosDir).pipe(Effect.mapError((cause) => new XcodeProjectError({ message: `Failed to read ${iosDir}: ${String(cause)}` })))).find((entry) => entry.endsWith(".xcodeproj"));
+	if (!projectDir) return yield* new XcodeProjectError({ message: `No .xcodeproj directory found under ${iosDir}. Did "expo prebuild" run?` });
+	return path.join(iosDir, projectDir);
+});
+const parseProject = (pbxprojPath) => Effect.try({
+	try: () => loadXcodeModule().project(pbxprojPath).parseSync(),
+	catch: (cause) => new XcodeProjectError({ message: `Failed to parse ${pbxprojPath}: ${cause instanceof Error ? cause.message : String(cause)}` })
+});
+const collectConfigUuidsForTarget = (project, target, configurationName) => {
+	const configList = project.pbxXCConfigurationList()[target.buildConfigurationList];
+	if (!configList || typeof configList === "string") return [];
+	const buildConfigSection = project.pbxXCBuildConfigurationSection();
+	return configList.buildConfigurations.map((entry) => entry.value).filter((uuid) => {
+		const cfg = buildConfigSection[uuid];
+		if (!cfg || typeof cfg === "string") return false;
+		return unquote$1(cfg.name) === configurationName;
+	});
+};
+const extractBundleIdForConfig = (project, configUuid) => {
+	const cfg = project.pbxXCBuildConfigurationSection()[configUuid];
+	if (!cfg || typeof cfg === "string") return;
+	const raw = cfg.buildSettings["PRODUCT_BUNDLE_IDENTIFIER"];
+	if (typeof raw !== "string") return;
+	return unquote$1(raw);
+};
+const collectSignedTargets = (project, pbxprojPath, configurationName) => Effect.gen(function* () {
+	const results = [];
+	const nativeTargets = project.pbxNativeTargetSection();
+	for (const [uuid, entry] of Object.entries(nativeTargets)) {
+		if (uuid.endsWith("_comment") || typeof entry === "string") continue;
+		const productType = unquote$1(entry.productType);
+		if (!SIGNED_PRODUCT_TYPES.has(productType)) continue;
+		const configUuids = collectConfigUuidsForTarget(project, entry, configurationName);
+		const [firstConfigUuid] = configUuids;
+		if (!firstConfigUuid) return yield* new XcodeProjectError({ message: `Target "${unquote$1(entry.name)}" has no "${configurationName}" build configuration in ${pbxprojPath}.` });
+		const bundleId = extractBundleIdForConfig(project, firstConfigUuid);
+		if (!bundleId) return yield* new XcodeProjectError({ message: `Target "${unquote$1(entry.name)}" is missing PRODUCT_BUNDLE_IDENTIFIER in the "${configurationName}" configuration.` });
+		results.push({
+			targetName: unquote$1(entry.name),
+			bundleId,
+			productType,
+			buildConfigurationUuids: configUuids
+		});
 	}
-	if (!(yield* promptConfirm(`Continue ${label} with uncommitted changes?`, { initialValue: false }))) yield* new DirtyRepoError({ message: `${label} cancelled by user.` });
+	return results;
+});
+/**
+* Enumerate code-signed native targets (main app + extensions) declared in the
+* single `.xcodeproj` under `iosDir`, restricted to a given build configuration
+* (e.g. "Release"). Pod targets and other library product types are excluded.
+*
+* The returned `buildConfigurationUuids` list is the set of XCBuildConfiguration
+* UUIDs that belong to this target *and* match `configurationName` — the
+* per-target signing mutator writes settings into exactly those configurations.
+*/
+const discoverSignedTargets = (options) => Effect.gen(function* () {
+	const projectDir = yield* findXcodeProjectDir(options.iosDir);
+	const pbxprojPath = path.join(projectDir, "project.pbxproj");
+	const results = yield* collectSignedTargets(yield* parseProject(pbxprojPath), pbxprojPath, options.configurationName);
+	if (results.length === 0) return yield* new XcodeProjectError({ message: `No signed native targets found in ${pbxprojPath} for configuration "${options.configurationName}".` });
+	return results;
 });
 
 //#endregion
-//#region src/lib/fingerprint.ts
-var FingerprintError = class extends Data.TaggedError("FingerprintError") {};
-const runFingerprintFull = (projectRoot) => Effect.gen(function* () {
-	const cmd = Command.make("bunx", "@expo/fingerprint", projectRoot).pipe(Command.workingDirectory(projectRoot));
-	const stdout = yield* Command.string(cmd).pipe(Effect.mapError((cause) => new FingerprintError({ message: `Failed to run "@expo/fingerprint": ${cause.message}` })));
-	const parsed = yield* Effect.try({
-		try: () => JSON.parse(stdout),
-		catch: () => new FingerprintError({ message: "Failed to parse @expo/fingerprint output as JSON." })
-	});
-	if (!isRecord(parsed)) return yield* new FingerprintError({ message: "@expo/fingerprint output was not a JSON object." });
-	const { hash } = parsed;
-	if (typeof hash !== "string" || hash.length === 0) return yield* new FingerprintError({ message: "@expo/fingerprint output did not contain a \"hash\" string field." });
-	const sourcesRaw = parsed["sources"];
+//#region src/lib/xcpretty-formatter.ts
+/**
+* Create a stateful xcodebuild output formatter backed by `@expo/xcpretty`.
+* Each `pipe(line)` call may return zero or more formatted lines — zero means
+* the line was suppressed (e.g., intermediate compiler invocations).
+*/
+const createXcodebuildFormatter = (projectRoot) => {
+	const formatter = ExpoRunFormatter.create(projectRoot);
 	return {
-		hash,
-		sources: Array.isArray(sourcesRaw) ? sourcesRaw : []
+		pipe: (line) => formatter.pipe(line),
+		getBuildSummary: () => formatter.getBuildSummary()
 	};
-});
+};
 
 //#endregion
-//#region src/lib/runtime-version.ts
-const resolveRuntimeVersion = ({ raw, appVersion, projectRoot }) => Effect.gen(function* () {
-	if (typeof raw === "string") return raw;
-	if (raw === void 0) return yield* new RuntimeVersionError({ message: "No runtimeVersion configured in expo section of app.json." });
-	const { policy } = raw;
-	if (policy === "appVersion") {
-		if (appVersion === void 0) return yield* new RuntimeVersionError({ message: "runtimeVersion policy is \"appVersion\" but expo.version is missing in app.json." });
-		return appVersion;
+//#region src/commands/build/ios.ts
+const findXcworkspace = (iosDir) => Effect.gen(function* () {
+	const workspace = (yield* (yield* FileSystem.FileSystem).readDirectory(iosDir)).find((entry) => entry.endsWith(".xcworkspace"));
+	if (!workspace) return yield* new BuildFailedError({
+		step: "detect xcworkspace",
+		exitCode: 1,
+		message: `No .xcworkspace found under ${iosDir}. Did "pod install" run?`
+	});
+	return workspace;
+});
+const prebuildAndPods = (params) => Effect.gen(function* () {
+	yield* runStep(Command.make("bunx", "expo", "prebuild", "--platform", "ios", "--clean").pipe(Command.workingDirectory(params.projectRoot), Command.env(params.commandEnv)), "expo prebuild ios");
+	yield* runStep(Command.make("pod", "install").pipe(Command.workingDirectory(params.iosDir), Command.env(params.commandEnv)), "pod install");
+});
+const findAppDirectory = (root) => Effect.gen(function* () {
+	const fs = yield* FileSystem.FileSystem;
+	const stack = [root];
+	let depth = 0;
+	while (stack.length > 0 && depth < 6) {
+		const layer = stack.splice(0);
+		depth += 1;
+		for (const dir of layer) {
+			const entries = yield* fs.readDirectory(dir).pipe(Effect.orElseSucceed(() => []));
+			for (const entry of entries) {
+				const full = path.join(dir, entry);
+				if (entry.endsWith(".app")) return full;
+				const stat = yield* fs.stat(full).pipe(Effect.option);
+				if (stat._tag === "Some" && stat.value.type === "Directory") stack.push(full);
+			}
+		}
 	}
-	if (policy === "fingerprint") return yield* runFingerprintFull(projectRoot).pipe(Effect.map((result) => result.hash), Effect.mapError((cause) => new RuntimeVersionError({ message: cause.message })));
-	if (policy === "nativeVersion") return yield* new RuntimeVersionError({ message: "runtimeVersion policy \"nativeVersion\" is not supported. Set a static runtimeVersion string in your Expo config." });
-	return yield* new RuntimeVersionError({ message: `Unsupported runtimeVersion policy "${policy}". Use a static string, "appVersion", or "fingerprint".` });
+	return yield* new ArtifactNotFoundError({ message: `No .app bundle found under "${root}".` });
 });
-
-//#endregion
-//#region src/lib/credentials-generator-apple-id.ts
-const DISTRIBUTION_TO_PROFILE_TYPE = {
-	APP_STORE: AppleUtils.ProfileType.IOS_APP_STORE,
-	AD_HOC: AppleUtils.ProfileType.IOS_APP_ADHOC,
-	DEVELOPMENT: AppleUtils.ProfileType.IOS_APP_DEVELOPMENT,
-	ENTERPRISE: AppleUtils.ProfileType.IOS_APP_INHOUSE
-};
-const DISTRIBUTION_TO_CERTIFICATE_TYPE = {
-	APP_STORE: AppleUtils.CertificateType.IOS_DISTRIBUTION,
-	AD_HOC: AppleUtils.CertificateType.IOS_DISTRIBUTION,
-	ENTERPRISE: AppleUtils.CertificateType.IOS_DISTRIBUTION,
-	DEVELOPMENT: AppleUtils.CertificateType.IOS_DEVELOPMENT
-};
-var AppleIdGenerateFailedError = class extends Data.TaggedError("AppleIdGenerateFailedError") {};
-const CERT_LIMIT_PATTERN = /already have a current.*certificate|pending certificate request/iu;
-const messageOf = (cause) => cause instanceof Error ? cause.message : String(cause);
-const wrap = (step, run) => Effect.tryPromise({
-	try: run,
-	catch: (cause) => new AppleIdGenerateFailedError({
-		step,
-		message: messageOf(cause)
-	})
+const runIosSimulatorBuild = (input) => Effect.gen(function* () {
+	const { projectRoot, iosProfile, envVars, tempDir } = input;
+	const runtime = yield* CliRuntime;
+	const iosDir = path.join(projectRoot, "ios");
+	const commandEnv = yield* runtime.commandEnvironment(envVars);
+	yield* prebuildAndPods({
+		projectRoot,
+		iosDir,
+		commandEnv
+	});
+	const workspaceFilename = yield* findXcworkspace(iosDir);
+	const scheme = iosProfile.scheme ?? workspaceFilename.replace(/\.xcworkspace$/u, "");
+	const configuration = iosProfile.buildConfiguration ?? "Release";
+	const derivedDataPath = path.join(tempDir, "derived-data");
+	const buildCmd = Command.make("xcodebuild", "-workspace", workspaceFilename, "-scheme", scheme, "-configuration", configuration, "-sdk", "iphonesimulator", "-destination", "generic/platform=iOS Simulator", "-derivedDataPath", derivedDataPath, "build", "CODE_SIGNING_ALLOWED=NO", "CODE_SIGNING_REQUIRED=NO", "CODE_SIGN_IDENTITY=").pipe(Command.workingDirectory(iosDir), Command.env(commandEnv));
+	const formatter = input.rawOutput ? void 0 : createXcodebuildFormatter(projectRoot);
+	yield* formatter ? runStepFormatted(buildCmd, "xcodebuild build (simulator)", formatter) : runStep(buildCmd, "xcodebuild build (simulator)");
+	const appDir = yield* findAppDirectory(path.join(derivedDataPath, "Build", "Products", `${configuration}-iphonesimulator`));
+	const archiveName = `${path.basename(appDir, ".app")}-simulator.tar.gz`;
+	const archivePath = path.join(tempDir, archiveName);
+	yield* runStep(Command.make("tar", "-czf", archivePath, "-C", path.dirname(appDir), path.basename(appDir)).pipe(Command.env(commandEnv)), "tar simulator .app");
+	const { sha256, byteSize } = yield* sha256File(archivePath);
+	return {
+		artifactPath: archivePath,
+		byteSize,
+		sha256
+	};
 });
-const wrapCertificateCreate = (run) => Effect.tryPromise({
-	try: run,
-	catch: (cause) => {
-		const message = messageOf(cause);
-		if (CERT_LIMIT_PATTERN.test(message)) return new CertificateLimitError({ message });
-		return new AppleIdGenerateFailedError({
-			step: "apple-create-certificate",
-			message
+const ensurePerTargetCredentials = (params) => Effect.forEach(params.signedTargets, (target) => ensureIosCredentials(params.api, {
+	projectId: params.projectId,
+	bundleIdentifier: target.bundleId,
+	distribution: params.distribution
+}, { freezeCredentials: params.freezeCredentials }), { concurrency: 1 });
+const fetchAllCredentials = (params) => params.input.credentialsSource === "local" ? loadLocalIosCredentials({
+	projectRoot: params.input.projectRoot,
+	mainBundleIdentifier: params.mainBundleIdentifier
+}) : downloadIosCredentials(params.api, {
+	projectId: params.input.projectId,
+	mainBundleIdentifier: params.mainBundleIdentifier,
+	bundleIdentifiers: params.allBundleIdentifiers,
+	distribution: params.input.iosProfile.distribution,
+	tempDir: params.input.tempDir
+});
+const installPerTarget = (signedTargets, credentials, credentialsSource) => Effect.gen(function* () {
+	const profileByBundle = new Map(credentials.profiles.map((profile) => [profile.bundleIdentifier, profile]));
+	const missing = signedTargets.filter((target) => !profileByBundle.has(target.bundleId));
+	if (missing.length > 0) {
+		const list = missing.map((target) => `"${target.targetName}" (${target.bundleId})`).join(", ");
+		const hint = credentialsSource === "local" ? "Add the missing entries to credentials.json under ios.additionalProvisioningProfiles." : "Register the bundle identifier(s) in the dashboard and bind a provisioning profile.";
+		return yield* new MissingCredentialsError({
+			message: `Missing provisioning profile for signed target(s): ${list}.`,
+			hint
 		});
 	}
+	return yield* Effect.forEach(signedTargets, (target) => installProfileForTarget(target, profileByBundle));
 });
-const generateAndUploadDistributionCertificateViaAppleId = (api, input) => Effect.gen(function* () {
-	const ctx = input.context;
-	const certificateType = input.certificateType === "IOS_DEVELOPMENT" ? AppleUtils.CertificateType.IOS_DEVELOPMENT : AppleUtils.CertificateType.IOS_DISTRIBUTION;
-	const result = yield* wrapCertificateCreate(async () => AppleUtils.createCertificateAndP12Async(ctx, { certificateType }));
-	const metadata = yield* extractMetadataFromP12({
-		p12Base64: result.certificateP12,
-		password: result.password
-	}).pipe(Effect.mapError((cause) => new AppleIdGenerateFailedError({
-		step: "parse-p12",
-		message: cause.message
+const installProfileForTarget = (target, profileByBundle) => {
+	const profile = profileByBundle.get(target.bundleId);
+	if (!profile) return Effect.fail(new ProvisioningError({ message: `Internal: no profile for ${target.bundleId} after pre-check.` }));
+	return installProvisioningProfile({ profilePath: profile.profilePath }).pipe(Effect.map((installed) => ({
+		target,
+		profile,
+		installed
 	})));
-	const created = yield* api.appleDistributionCertificates.upload({ payload: {
-		p12Base64: result.certificateP12,
-		p12Password: result.password,
-		serialNumber: metadata.serialNumber,
-		appleTeamIdentifier: metadata.appleTeamId,
-		...metadata.appleTeamName === null ? {} : { appleTeamName: metadata.appleTeamName },
-		...metadata.developerIdIdentifier === null ? {} : { developerIdIdentifier: metadata.developerIdIdentifier },
-		validFrom: metadata.validFrom,
-		validUntil: metadata.validUntil
-	} });
+};
+const pickMainTarget = (signedTargets) => signedTargets.find((target) => target.productType === "com.apple.product-type.application") ?? signedTargets[0];
+const runIosDeviceBuild = (input) => Effect.gen(function* () {
+	const { api, tempDir, projectRoot, iosProfile, envVars } = input;
+	const runtime = yield* CliRuntime;
+	const fs = yield* FileSystem.FileSystem;
+	const iosDir = path.join(projectRoot, "ios");
+	const { distribution } = iosProfile;
+	const commandEnv = yield* runtime.commandEnvironment(envVars);
+	yield* prebuildAndPods({
+		projectRoot,
+		iosDir,
+		commandEnv
+	});
+	const workspaceFilename = yield* findXcworkspace(iosDir);
+	const scheme = iosProfile.scheme ?? workspaceFilename.replace(/\.xcworkspace$/u, "");
+	const configuration = iosProfile.buildConfiguration ?? "Release";
+	const signedTargets = yield* discoverSignedTargets({
+		iosDir,
+		configurationName: configuration
+	});
+	const mainTarget = pickMainTarget(signedTargets);
+	if (!mainTarget) return yield* new BuildFailedError({
+		step: "discover signed targets",
+		exitCode: 1,
+		message: `No signed iOS targets found in the Xcode project for configuration "${configuration}".`
+	});
+	if (input.credentialsSource === "remote") yield* ensurePerTargetCredentials({
+		api,
+		projectId: input.projectId,
+		distribution: iosProfile.distribution,
+		signedTargets,
+		freezeCredentials: input.freezeCredentials ?? false
+	});
+	const credentials = yield* fetchAllCredentials({
+		api,
+		input,
+		mainBundleIdentifier: mainTarget.bundleId,
+		allBundleIdentifiers: signedTargets.map((target) => target.bundleId)
+	});
+	const keychain = yield* acquireKeychain({
+		tempDir,
+		p12Path: credentials.p12Path,
+		p12Password: credentials.p12Password
+	});
+	const installedTargets = yield* installPerTarget(signedTargets, credentials, input.credentialsSource);
+	yield* applyTargetSigning({
+		iosDir,
+		entries: installedTargets.map(({ target, installed }) => ({
+			targetName: target.targetName,
+			buildConfigurationUuids: target.buildConfigurationUuids,
+			settings: {
+				teamId: installed.teamId,
+				signingIdentity: keychain.signingIdentity,
+				profileSpecifier: installed.name
+			}
+		}))
+	});
+	const archivePath = path.join(tempDir, "build.xcarchive");
+	const archiveCmd = Command.make("xcodebuild", "-workspace", workspaceFilename, "-scheme", scheme, "-configuration", configuration, "-archivePath", archivePath, "-allowProvisioningUpdates", "archive").pipe(Command.workingDirectory(iosDir), Command.env(commandEnv));
+	const formatter = input.rawOutput ? void 0 : createXcodebuildFormatter(projectRoot);
+	yield* formatter ? runStepFormatted(archiveCmd, "xcodebuild archive", formatter) : runStep(archiveCmd, "xcodebuild archive");
+	const exportOptionsPath = path.join(tempDir, "ExportOptions.plist");
+	const mainInstall = installedTargets.find((entry) => entry.target.targetName === mainTarget.targetName);
+	if (!mainInstall) return yield* new BuildFailedError({
+		step: "resolve main target signing",
+		exitCode: 1,
+		message: `Internal: main target "${mainTarget.targetName}" was not in the installed list.`
+	});
+	const { teamId } = mainInstall.installed;
+	yield* fs.writeFileString(exportOptionsPath, renderExportOptionsPlist({
+		method: distribution,
+		teamId,
+		provisioningProfiles: installedTargets.map(({ target, installed }) => ({
+			bundleId: target.bundleId,
+			profileName: installed.name
+		}))
+	}));
+	const exportPath = path.join(tempDir, "export");
+	const exportCmd = Command.make("xcodebuild", "-exportArchive", "-archivePath", archivePath, "-exportPath", exportPath, "-exportOptionsPlist", exportOptionsPath, "-allowProvisioningUpdates").pipe(Command.workingDirectory(iosDir), Command.env(commandEnv));
+	yield* formatter ? runStepFormatted(exportCmd, "xcodebuild exportArchive", formatter) : runStep(exportCmd, "xcodebuild exportArchive");
+	yield* validateIosBuild({
+		archivePath,
+		expectedTeamId: teamId,
+		expectedTargets: installedTargets.map(({ target, installed }) => ({
+			bundleId: target.bundleId,
+			profileUuid: installed.uuid
+		}))
+	});
+	const artifactPath = yield* findIosArtifact({ exportPath });
+	const { sha256, byteSize } = yield* sha256File(artifactPath);
 	return {
-		id: created.id,
-		serialNumber: metadata.serialNumber,
-		appleTeamId: created.appleTeamId,
-		appleTeamIdentifier: metadata.appleTeamId,
-		developerPortalIdentifier: result.certificate.id
+		artifactPath,
+		byteSize,
+		sha256
 	};
 });
-const listDistributionCertsViaAppleId = (ctx, certificateType = "IOS_DISTRIBUTION") => Effect.gen(function* () {
-	const filter = certificateType === "IOS_DEVELOPMENT" ? AppleUtils.CertificateType.IOS_DEVELOPMENT : AppleUtils.CertificateType.IOS_DISTRIBUTION;
-	return (yield* wrap("apple-list-certificates", async () => AppleUtils.Certificate.getAsync(ctx, { query: { filter: { certificateType: filter } } }))).map((entry) => ({
-		developerPortalIdentifier: entry.id,
-		serialNumber: entry.attributes.serialNumber,
-		displayName: entry.attributes.displayName,
-		expirationDate: entry.attributes.expirationDate
-	}));
-});
-const revokeDistributionCertViaAppleId = (ctx, developerPortalIdentifier) => wrap("apple-revoke-certificate", async () => AppleUtils.Certificate.deleteAsync(ctx, { id: developerPortalIdentifier }));
-const findOrCreateBundleId = (ctx, bundleIdentifier) => Effect.gen(function* () {
-	const existing = yield* wrap("apple-find-bundle-id", async () => AppleUtils.BundleId.findAsync(ctx, { identifier: bundleIdentifier }));
-	if (existing !== null) return existing.id;
-	return (yield* wrap("apple-create-bundle-id", async () => AppleUtils.BundleId.createAsync(ctx, {
-		identifier: bundleIdentifier,
-		name: bundleIdentifier,
-		platform: AppleUtils.BundleIdPlatform.IOS
-	}))).id;
-});
-const findAscCertificateId = (ctx, serialNumber, certificateType) => Effect.gen(function* () {
-	const certs = yield* wrap("apple-list-certificates", async () => AppleUtils.Certificate.getAsync(ctx, { query: { filter: { certificateType } } }));
-	const upper = serialNumber.toUpperCase();
-	const match = certs.find((entry) => entry.attributes.serialNumber.toUpperCase() === upper);
-	if (match === void 0) return yield* Effect.fail(new AppleIdGenerateFailedError({
-		step: "match-apple-certificate",
-		message: `Distribution certificate ${serialNumber} not present on Apple Developer Portal; upload or re-generate it`
-	}));
-	return match.id;
-});
-const collectIosDeviceIds = (ctx, deviceIds) => Effect.gen(function* () {
-	const devices = yield* wrap("apple-list-devices", async () => AppleUtils.Device.getAllIOSProfileDevicesAsync(ctx));
-	if (deviceIds === void 0) return devices.map((device) => device.id);
-	const allowed = new Set(deviceIds);
-	return devices.filter((device) => allowed.has(device.id)).map((device) => device.id);
+const runIosBuild = (input) => input.iosProfile.simulator === true ? runIosSimulatorBuild(input) : runIosDeviceBuild(input);
+
+//#endregion
+//#region src/commands/build/reserve-and-upload.ts
+const buildReserveCommon = (input) => ({
+	projectId: input.projectId,
+	profile: input.profileName,
+	runtimeVersion: input.runtimeVersion,
+	bundleId: input.bundleId,
+	sha256: input.sha256,
+	byteSize: input.byteSize,
+	...input.appVersion === void 0 ? {} : { appVersion: input.appVersion },
+	...input.buildNumber === void 0 ? {} : { buildNumber: input.buildNumber },
+	...input.gitContext.ref === void 0 ? {} : { gitRef: input.gitContext.ref },
+	...input.gitContext.commit === void 0 ? {} : { gitCommit: input.gitContext.commit },
+	...input.message === void 0 ? {} : { message: input.message }
 });
-const generateAndUploadProvisioningProfileViaAppleId = (api, input) => Effect.gen(function* () {
-	const ctx = input.context;
-	const cert = yield* api.appleDistributionCertificates.list().pipe(Effect.map(({ items }) => items.find((item) => item.id === input.distributionCertificateId)), Effect.flatMap((match) => match === void 0 ? Effect.fail(new AppleIdGenerateFailedError({
-		step: "load-distribution-certificate",
-		message: `Distribution certificate ${input.distributionCertificateId} not found`
-	})) : Effect.succeed(match)));
-	const certificateType = DISTRIBUTION_TO_CERTIFICATE_TYPE[input.distributionType];
-	const [certAscId, bundleIdAscId] = yield* Effect.all([findAscCertificateId(ctx, cert.serialNumber, certificateType), findOrCreateBundleId(ctx, input.bundleIdentifier)], { concurrency: 2 });
-	const useDevices = input.distributionType === "AD_HOC" || input.distributionType === "DEVELOPMENT";
-	const deviceIds = useDevices ? yield* collectIosDeviceIds(ctx, input.deviceIds) : [];
-	if (useDevices && deviceIds.length === 0) return yield* Effect.fail(new AppleIdGenerateFailedError({
-		step: "collect-devices",
-		message: "No registered devices to attach to the provisioning profile"
-	}));
-	const profileName = `${input.bundleIdentifier} ${input.distributionType} ${Date.now()}`;
-	const { profileContent } = (yield* wrap("apple-create-profile", async () => AppleUtils.Profile.createAsync(ctx, {
-		bundleId: bundleIdAscId,
-		certificates: [certAscId],
-		devices: deviceIds,
-		name: profileName,
-		profileType: DISTRIBUTION_TO_PROFILE_TYPE[input.distributionType]
-	}))).attributes;
-	if (profileContent === null) return yield* Effect.fail(new AppleIdGenerateFailedError({
-		step: "extract-profile-content",
-		message: "Apple returned a profile with no content (likely expired/invalid)"
-	}));
-	const profileBytes = fromBase64(profileContent);
-	const rosterHash = useDevices ? computeDeviceRosterHashHex(deviceIds) : void 0;
-	const created = yield* api.appleProvisioningProfiles.upload({ payload: {
-		profileBase64: toBase64(profileBytes),
-		appleDistributionCertificateId: input.distributionCertificateId,
-		isManaged: true,
-		...rosterHash === void 0 ? {} : { deviceRosterHash: rosterHash }
+const callReserve = (api, input) => {
+	const common = buildReserveCommon(input);
+	const { target } = input;
+	if (target.platform === "ios") return target.distribution === "simulator" ? api.builds.reserve({ payload: {
+		...common,
+		platform: "ios",
+		distribution: "simulator",
+		artifactFormat: "tar.gz"
+	} }) : api.builds.reserve({ payload: {
+		...common,
+		platform: "ios",
+		distribution: target.distribution,
+		artifactFormat: "ipa"
+	} });
+	return target.distribution === "play-store" ? api.builds.reserve({ payload: {
+		...common,
+		platform: "android",
+		distribution: "play-store",
+		artifactFormat: "aab"
+	} }) : api.builds.reserve({ payload: {
+		...common,
+		platform: "android",
+		distribution: "direct",
+		artifactFormat: "apk"
 	} });
+};
+/**
+* Reserve a build record on the server, upload the artifact to the returned
+* presigned URL, and finalize the build with its sha256 + byteSize.
+*/
+const reserveAndUpload = (api, input) => Effect.gen(function* () {
+	const presignedUploadClient = yield* PresignedUploadClient;
+	const reserveResult = yield* callReserve(api, input).pipe(Effect.mapError((cause) => new ReserveError({ message: `Failed to reserve build: ${formatCause(cause)}` })));
+	yield* presignedUploadClient.putToPresignedUrl({
+		url: reserveResult.uploadUrl,
+		filePath: input.artifactPath,
+		byteSize: input.byteSize,
+		expiresAt: reserveResult.uploadExpiresAt,
+		headers: reserveResult.uploadHeaders
+	});
+	const completed = yield* api.builds.complete({
+		path: { id: reserveResult.id },
+		payload: {
+			sha256: input.sha256,
+			byteSize: input.byteSize
+		}
+	}).pipe(Effect.mapError((cause) => new CompleteError({ message: `Failed to complete build ${reserveResult.id}: ${formatCause(cause)}` })));
+	if (!completed.artifact) return yield* new CompleteError({ message: `Build ${completed.id} completed but server returned no artifact record.` });
 	return {
-		id: created.id,
-		bundleIdentifier: created.bundleIdentifier,
-		distributionType: created.distributionType,
-		profileName: created.profileName,
-		validUntil: created.validUntil,
-		developerPortalIdentifier: created.developerPortalIdentifier
+		id: completed.id,
+		status: "uploaded"
 	};
 });
 
 //#endregion
-//#region src/lib/ios-bundle-config-upsert.ts
+//#region src/lib/auto-increment.ts
+const bumpBuildNumber = (current) => Effect.gen(function* () {
+	const raw = current ?? "0";
+	const parsed = Number.parseInt(raw, 10);
+	if (Number.isNaN(parsed)) return yield* new BuildProfileError({ message: `Cannot autoIncrement ios.buildNumber: current value "${raw}" is not a base-10 integer.` });
+	return String(parsed + 1);
+});
+const bumpVersionCode = (current) => Effect.gen(function* () {
+	const value = current ?? 0;
+	if (!Number.isInteger(value) || value < 0) return yield* new BuildProfileError({ message: `Cannot autoIncrement android.versionCode: current value ${String(value)} is not a non-negative integer.` });
+	return value + 1;
+});
+const SEMVER_PATCH = /^(\d+)\.(\d+)\.(\d+)(.*)$/u;
+const bumpVersion = (current) => Effect.gen(function* () {
+	if (current === void 0) return yield* new BuildProfileError({ message: "Cannot autoIncrement version: no `version` field set in Expo config." });
+	const match = SEMVER_PATCH.exec(current);
+	if (!match) return yield* new BuildProfileError({ message: `Cannot autoIncrement version: "${current}" is not a semver string like "1.2.3".` });
+	const [, major, minor, patch, suffix] = match;
+	const nextPatch = Number.parseInt(patch ?? "0", 10) + 1;
+	return `${major ?? "0"}.${minor ?? "0"}.${String(nextPatch)}${suffix ?? ""}`;
+});
+const computeIosBumps = (config, mode) => Effect.gen(function* () {
+	if (mode === "buildNumber") return { nextBuildNumber: yield* bumpBuildNumber(config.ios?.buildNumber) };
+	return {
+		nextVersion: yield* bumpVersion(config.version),
+		nextBuildNumber: yield* bumpBuildNumber(config.ios?.buildNumber)
+	};
+});
+const computeAndroidBumps = (config, mode) => Effect.gen(function* () {
+	if (mode === "versionCode") return { nextVersionCode: yield* bumpVersionCode(config.android?.versionCode) };
+	return {
+		nextVersion: yield* bumpVersion(config.version),
+		nextVersionCode: yield* bumpVersionCode(config.android?.versionCode)
+	};
+});
+const buildPatch = (platform, bumps) => {
+	const patch = {};
+	if (bumps.nextVersion !== void 0) patch["version"] = bumps.nextVersion;
+	if (platform === "ios" && bumps.nextBuildNumber !== void 0) patch["ios"] = { buildNumber: bumps.nextBuildNumber };
+	if (platform === "android" && bumps.nextVersionCode !== void 0) patch["android"] = { versionCode: bumps.nextVersionCode };
+	return patch;
+};
+const describeBumps = (platform, bumps) => {
+	const parts = [];
+	if (bumps.nextVersion !== void 0) parts.push(`version=${bumps.nextVersion}`);
+	if (platform === "ios" && bumps.nextBuildNumber !== void 0) parts.push(`ios.buildNumber=${bumps.nextBuildNumber}`);
+	if (platform === "android" && bumps.nextVersionCode !== void 0) parts.push(`android.versionCode=${String(bumps.nextVersionCode)}`);
+	return parts.join(", ");
+};
+const computeBumps = (input) => {
+	if (input.platform === "ios") return input.iosMode === void 0 ? Effect.succeed({}) : computeIosBumps(input.config, input.iosMode);
+	return input.androidMode === void 0 ? Effect.succeed({}) : computeAndroidBumps(input.config, input.androidMode);
+};
+const hasAnyBump = (bumps) => bumps.nextVersion !== void 0 || bumps.nextBuildNumber !== void 0 || bumps.nextVersionCode !== void 0;
 /**
-* Idempotent bind for an iOS bundle configuration. When the row already exists
-* (e.g. orphaned after a cert was deleted, since the FK is `ON DELETE SET NULL`),
-* rebind cert + profile in place instead of failing on the unique constraint.
-* Mirrors EAS's setup behavior where the setup step is rerunnable.
+* Bump `version` / `ios.buildNumber` / `android.versionCode` per the resolved
+* autoIncrement mode, persist via `@expo/config.modifyConfigAsync`, and log a
+* Human-readable summary. No-op when the mode is undefined. Returns the new
+* Bumped values so callers can refresh their in-memory ExpoConfig.
 */
-const upsertIosBundleConfiguration = (api, input) => Effect.gen(function* () {
-	const existing = (yield* api.iosBundleConfigurations.list({ path: { projectId: input.projectId } })).items.find((item) => item.bundleIdentifier === input.bundleIdentifier && item.distributionType === input.distributionType);
-	if (existing === void 0) {
-		yield* api.iosBundleConfigurations.create({
-			path: { projectId: input.projectId },
-			payload: {
-				bundleIdentifier: input.bundleIdentifier,
-				distributionType: input.distributionType,
-				appleTeamId: input.appleTeamId,
-				appleDistributionCertificateId: input.appleDistributionCertificateId,
-				appleProvisioningProfileId: input.appleProvisioningProfileId,
-				...input.ascApiKeyId === void 0 ? {} : { ascApiKeyId: input.ascApiKeyId }
-			}
-		});
-		yield* Console.log("iOS bundle configuration saved.");
-		return { action: "created" };
+const applyAutoIncrement = (input) => Effect.gen(function* () {
+	const bumps = yield* computeBumps(input);
+	if (!hasAnyBump(bumps)) return bumps;
+	const patch = buildPatch(input.platform, bumps);
+	const result = yield* writeExpoConfigPatch(input.projectRoot, patch).pipe(Effect.mapError((cause) => new BuildProfileError({ message: `Failed to persist autoIncrement: ${cause.message}` })));
+	if (result.type === "warn" && result.configPath === null) {
+		yield* Console.log(`autoIncrement: dynamic Expo config detected, cannot write back. Update manually: ${describeBumps(input.platform, bumps)}`);
+		return bumps;
+	}
+	yield* Console.log(`autoIncrement: bumped ${describeBumps(input.platform, bumps)}`);
+	return bumps;
+});
+
+//#endregion
+//#region src/lib/eas-config.ts
+const MAX_EXTENDS_DEPTH = 10;
+const asStringValue = (value) => typeof value === "string" ? value : void 0;
+const asBooleanValue = (value) => typeof value === "boolean" ? value : void 0;
+const asEnv = (value) => {
+	const record = asRecord(value);
+	if (!record) return;
+	const env = {};
+	for (const [key, raw] of Object.entries(record)) if (typeof raw === "string") env[key] = raw;
+	return Object.keys(env).length === 0 ? void 0 : env;
+};
+const asIosDistribution = (raw) => {
+	const value = asStringValue(raw);
+	if (value === "app-store" || value === "ad-hoc" || value === "development" || value === "enterprise") return value;
+};
+const asEnterpriseProvisioning = (raw) => {
+	const value = asStringValue(raw);
+	return value === "adhoc" || value === "universal" ? value : void 0;
+};
+const asAndroidBuildType = (raw) => {
+	const value = asStringValue(raw);
+	return value === "debug" || value === "release" ? value : void 0;
+};
+const asAndroidFormat = (raw) => {
+	const value = asStringValue(raw);
+	return value === "apk" || value === "aab" ? value : void 0;
+};
+const asAndroidDistribution = (raw) => {
+	const value = asStringValue(raw);
+	return value === "play-store" || value === "direct" ? value : void 0;
+};
+const asIosAutoIncrement = (raw) => {
+	if (typeof raw === "boolean") return raw;
+	const value = asStringValue(raw);
+	return value === "buildNumber" || value === "version" ? value : void 0;
+};
+const asAndroidAutoIncrement = (raw) => {
+	if (typeof raw === "boolean") return raw;
+	const value = asStringValue(raw);
+	return value === "versionCode" || value === "version" ? value : void 0;
+};
+const asAutoIncrement = (raw) => {
+	if (typeof raw === "boolean") return raw;
+	const value = asStringValue(raw);
+	return value === "buildNumber" || value === "versionCode" || value === "version" ? value : void 0;
+};
+const asEasDistribution = (raw) => {
+	const value = asStringValue(raw);
+	return value === "internal" || value === "store" ? value : void 0;
+};
+const asCredentialsSource = (raw) => {
+	const value = asStringValue(raw);
+	return value === "remote" || value === "local" ? value : void 0;
+};
+const parseIosProfile = (raw) => {
+	const record = asRecord(raw);
+	if (!record) return;
+	const distribution = asIosDistribution(record["distribution"]);
+	const buildConfiguration = asStringValue(record["buildConfiguration"]);
+	const scheme = asStringValue(record["scheme"]);
+	const simulator = asBooleanValue(record["simulator"]);
+	const enterpriseProvisioning = asEnterpriseProvisioning(record["enterpriseProvisioning"]);
+	const autoIncrement = asIosAutoIncrement(record["autoIncrement"]);
+	return {
+		...distribution === void 0 ? {} : { distribution },
+		...buildConfiguration === void 0 ? {} : { buildConfiguration },
+		...scheme === void 0 ? {} : { scheme },
+		...simulator === void 0 ? {} : { simulator },
+		...enterpriseProvisioning === void 0 ? {} : { enterpriseProvisioning },
+		...autoIncrement === void 0 ? {} : { autoIncrement }
+	};
+};
+const parseAndroidProfile = (raw) => {
+	const record = asRecord(raw);
+	if (!record) return;
+	const buildType = asAndroidBuildType(record["buildType"]);
+	const flavor = asStringValue(record["flavor"]);
+	const gradleCommand = asStringValue(record["gradleCommand"]);
+	const format = asAndroidFormat(record["format"]);
+	const distribution = asAndroidDistribution(record["distribution"]);
+	const autoIncrement = asAndroidAutoIncrement(record["autoIncrement"]);
+	return {
+		...buildType === void 0 ? {} : { buildType },
+		...flavor === void 0 ? {} : { flavor },
+		...gradleCommand === void 0 ? {} : { gradleCommand },
+		...format === void 0 ? {} : { format },
+		...distribution === void 0 ? {} : { distribution },
+		...autoIncrement === void 0 ? {} : { autoIncrement }
+	};
+};
+const parseBuildProfile = (raw) => {
+	const record = asRecord(raw);
+	if (!record) return;
+	const extendsName = asStringValue(record["extends"]);
+	const developmentClient = asBooleanValue(record["developmentClient"]);
+	const distribution = asEasDistribution(record["distribution"]);
+	const channel = asStringValue(record["channel"]);
+	const environment = asStringValue(record["environment"]);
+	const env = asEnv(record["env"]);
+	const ios = parseIosProfile(record["ios"]);
+	const android = parseAndroidProfile(record["android"]);
+	const credentialsSource = asCredentialsSource(record["credentialsSource"]);
+	const autoIncrement = asAutoIncrement(record["autoIncrement"]);
+	return {
+		...extendsName === void 0 ? {} : { extends: extendsName },
+		...developmentClient === void 0 ? {} : { developmentClient },
+		...distribution === void 0 ? {} : { distribution },
+		...channel === void 0 ? {} : { channel },
+		...environment === void 0 ? {} : { environment },
+		...env === void 0 ? {} : { env },
+		...ios === void 0 ? {} : { ios },
+		...android === void 0 ? {} : { android },
+		...credentialsSource === void 0 ? {} : { credentialsSource },
+		...autoIncrement === void 0 ? {} : { autoIncrement }
+	};
+};
+const parseEasConfig = (text) => Effect.gen(function* () {
+	const root = asRecord(yield* Effect.try({
+		try: () => JSON.parse(text),
+		catch: (cause) => new BuildProfileError({ message: `eas.json is not valid JSON: ${formatCause(cause)}` })
+	}));
+	if (!root) return yield* new BuildProfileError({ message: "eas.json must be a JSON object at the top level." });
+	const buildRecord = asRecord(root["build"]);
+	if (!buildRecord) return asRecord(root["cli"]) ? { cli: parseCli(root["cli"]) } : {};
+	const profiles = {};
+	for (const [name, value] of Object.entries(buildRecord)) {
+		const profile = parseBuildProfile(value);
+		if (profile) profiles[name] = profile;
 	}
-	if (existing.appleTeamId !== input.appleTeamId) return yield* new MissingCredentialsError({
-		message: `Bundle "${input.bundleIdentifier}" (${input.distributionType}) is already bound to a different Apple team than the new credentials.`,
-		hint: "Delete the existing bundle configuration via the dashboard before retrying with a different team."
-	});
-	yield* api.iosBundleConfigurations.update({
-		path: { id: existing.id },
-		payload: {
-			appleDistributionCertificateId: input.appleDistributionCertificateId,
-			appleProvisioningProfileId: input.appleProvisioningProfileId,
-			...input.ascApiKeyId === void 0 ? {} : { ascApiKeyId: input.ascApiKeyId }
-		}
-	});
-	yield* Console.log("iOS bundle configuration rebound.");
 	return {
-		action: "updated",
-		id: existing.id
+		...asRecord(root["cli"]) ? { cli: parseCli(root["cli"]) } : {},
+		build: profiles
 	};
 });
-
-//#endregion
-//#region src/application/credentials-interactive-apple-id.ts
-const chooseIosSetupPath = (api) => Effect.gen(function* () {
-	if (!(yield* api.ascApiKeys.list()).items.some((key) => key.appleTeamId !== null)) return "apple-id";
-	return yield* promptSelect("How would you like to provide your iOS credentials?", [{
-		value: "apple-id",
-		label: "Login with Apple ID (recommended for interactive use)"
-	}, {
-		value: "asc-key",
-		label: "Use an App Store Connect API key"
-	}]);
-});
-const interactiveAppleIdCertLimitRecover = (ctx) => Effect.gen(function* () {
-	yield* Console.log("");
-	yield* Console.log("Apple reports the certificate limit was hit (max 3 distribution certs per team).");
-	const certs = yield* listDistributionCertsViaAppleId(ctx, "IOS_DISTRIBUTION");
-	if (certs.length === 0) return yield* new AppleIdGenerateFailedError({
-		step: "limit-recover",
-		message: "Apple says the certificate limit is hit but no existing certificates were returned."
-	});
-	const toRevoke = yield* promptMultiSelect("Select one or more certificates to revoke before retrying", certs.map((entry) => ({
-		value: entry.developerPortalIdentifier,
-		label: `${entry.serialNumber.slice(0, 12)}… (${entry.displayName}, exp ${entry.expirationDate.slice(0, 10)})`
-	})), { required: true });
-	yield* Effect.forEach(toRevoke, (id) => revokeDistributionCertViaAppleId(ctx, id), { concurrency: "inherit" });
-	yield* Console.log(`Revoked ${toRevoke.length} certificate(s); retrying generation...`);
+const parseCli = (raw) => {
+	const record = asRecord(raw);
+	if (!record) return {};
+	const version = asStringValue(record["version"]);
+	return version === void 0 ? {} : { version };
+};
+const easJsonPath = (projectRoot) => Effect.gen(function* () {
+	return (yield* Path.Path).join(projectRoot, "eas.json");
 });
-const generateDistributionCertViaAppleIdInteractive = (api, ctx) => Effect.gen(function* () {
-	yield* Console.log("Generating distribution certificate via Apple ID...");
-	const generate = generateAndUploadDistributionCertificateViaAppleId(api, { context: ctx });
-	return yield* generate.pipe(Effect.catchTag("CertificateLimitError", () => interactiveAppleIdCertLimitRecover(ctx).pipe(Effect.flatMap(() => generate))));
+const readEasJson = (projectRoot) => Effect.gen(function* () {
+	const fs = yield* FileSystem.FileSystem;
+	const filePath = yield* easJsonPath(projectRoot);
+	return yield* parseEasConfig(yield* fs.readFileString(filePath).pipe(Effect.catchAll((cause) => Effect.fail(new BuildProfileError({ message: cause._tag === "SystemError" && cause.reason === "NotFound" ? `No eas.json found at ${filePath}. Create one with a "build" section.` : `Failed to read eas.json: ${cause.message}` })))));
 });
-const GENERATE_NEW = "__generate__";
-const chooseDistributionCertViaAppleId = (api, ctx, appleTeamIdentifier) => Effect.gen(function* () {
-	const [teams, all] = yield* Effect.all([api.appleTeams.list(), api.appleDistributionCertificates.list()], { concurrency: 2 });
-	const team = teams.items.find((entry) => entry.appleTeamId === appleTeamIdentifier);
-	const items = team === void 0 ? [] : all.items.filter((cert) => cert.appleTeamId === team.id);
-	if (items.length === 0) {
-		const created = yield* generateDistributionCertViaAppleIdInteractive(api, ctx);
-		return {
-			id: created.id,
-			appleTeamId: created.appleTeamId
-		};
-	}
-	const choice = yield* promptSelect("Select a distribution certificate (or 'generate' for a fresh one)", [{
-		value: GENERATE_NEW,
-		label: "Generate a new distribution certificate"
-	}, ...items.map((cert) => ({
-		value: cert.id,
-		label: `${cert.serialNumber.slice(0, 12)}… (team ${appleTeamIdentifier})`
-	}))]);
-	if (choice === GENERATE_NEW) {
-		const created = yield* generateDistributionCertViaAppleIdInteractive(api, ctx);
-		return {
-			id: created.id,
-			appleTeamId: created.appleTeamId
-		};
-	}
-	const cert = items.find((entry) => entry.id === choice);
-	if (cert === void 0) return yield* new AppleIdGenerateFailedError({
-		step: "pick-certificate",
-		message: `Selected certificate ${choice} not found after listing`
-	});
+const mergeIos = (base, overlay) => {
+	if (!base) return overlay;
+	if (!overlay) return base;
 	return {
-		id: cert.id,
-		appleTeamId: cert.appleTeamId
+		...base,
+		...overlay
 	};
+};
+const mergeAndroid = (base, overlay) => {
+	if (!base) return overlay;
+	if (!overlay) return base;
+	return {
+		...base,
+		...overlay
+	};
+};
+const mergeEnv = (base, overlay) => {
+	if (!base) return overlay;
+	if (!overlay) return base;
+	return {
+		...base,
+		...overlay
+	};
+};
+const mergeProfile = (base, overlay) => {
+	const ios = mergeIos(base.ios, overlay.ios);
+	const android = mergeAndroid(base.android, overlay.android);
+	const env = mergeEnv(base.env, overlay.env);
+	const developmentClient = overlay.developmentClient ?? base.developmentClient;
+	const distribution = overlay.distribution ?? base.distribution;
+	const channel = overlay.channel ?? base.channel;
+	const environment = overlay.environment ?? base.environment;
+	const credentialsSource = overlay.credentialsSource ?? base.credentialsSource;
+	const autoIncrement = overlay.autoIncrement ?? base.autoIncrement;
+	return {
+		...overlay.extends === void 0 ? {} : { extends: overlay.extends },
+		...developmentClient === void 0 ? {} : { developmentClient },
+		...distribution === void 0 ? {} : { distribution },
+		...channel === void 0 ? {} : { channel },
+		...environment === void 0 ? {} : { environment },
+		...env === void 0 ? {} : { env },
+		...ios === void 0 ? {} : { ios },
+		...android === void 0 ? {} : { android },
+		...credentialsSource === void 0 ? {} : { credentialsSource },
+		...autoIncrement === void 0 ? {} : { autoIncrement }
+	};
+};
+const collectExtendsChain = (profiles, profileName) => Effect.gen(function* () {
+	const chain = [];
+	const visited = /* @__PURE__ */ new Set();
+	let current = profileName;
+	let depth = 0;
+	while (current !== void 0) {
+		if (visited.has(current)) return yield* new BuildProfileError({ message: `Cycle detected in eas.json build.${profileName} extends chain at "${current}".` });
+		visited.add(current);
+		const profile = profiles[current];
+		if (!profile) return yield* new BuildProfileError({ message: current === profileName ? `Build profile "${profileName}" not found in eas.json.` : `Build profile "${profileName}" extends missing profile "${current}".` });
+		chain.unshift(profile);
+		current = profile.extends;
+		depth += 1;
+		if (depth > MAX_EXTENDS_DEPTH) return yield* new BuildProfileError({ message: `Too many "extends" levels (max ${String(MAX_EXTENDS_DEPTH)}) in eas.json build.${profileName}.` });
+	}
+	return chain;
 });
-const setupIosViaAppleId = (api, input) => Effect.gen(function* () {
-	const auth = yield* AppleAuth;
-	const session = yield* auth.ensureLoggedIn();
-	const ctx = auth.buildRequestContext(session);
-	yield* Console.log(`Logged in as ${session.username}. Team: ${session.teamName ?? session.teamId} (${session.teamId}).`);
-	const cert = yield* chooseDistributionCertViaAppleId(api, ctx, session.teamId);
-	const distributionType = IOS_DISTRIBUTION_TO_TYPE[input.distribution];
-	yield* Console.log("Generating provisioning profile via Apple ID...");
-	const profile = yield* generateAndUploadProvisioningProfileViaAppleId(api, {
-		context: ctx,
-		distributionCertificateId: cert.id,
-		bundleIdentifier: input.bundleIdentifier,
-		distributionType
-	});
-	yield* upsertIosBundleConfiguration(api, {
-		projectId: input.projectId,
-		bundleIdentifier: input.bundleIdentifier,
-		distributionType,
-		appleTeamId: cert.appleTeamId,
-		appleDistributionCertificateId: cert.id,
-		appleProvisioningProfileId: profile.id
-	});
-});
-const regenerateProvisioningProfileViaAppleId = (api, input) => Effect.gen(function* () {
-	const auth = yield* AppleAuth;
-	const session = yield* auth.ensureLoggedIn();
-	yield* Console.log("Regenerating provisioning profile via Apple ID...");
-	const created = yield* generateAndUploadProvisioningProfileViaAppleId(api, {
-		context: auth.buildRequestContext(session),
-		distributionCertificateId: input.distributionCertificateId,
-		bundleIdentifier: input.bundleIdentifier,
-		distributionType: input.distributionType
-	});
-	yield* api.iosBundleConfigurations.update({
-		path: { id: input.bundleConfigurationId },
-		payload: { appleProvisioningProfileId: created.id }
-	});
-	return created;
-});
-
-//#endregion
-//#region src/application/credentials-interactive-ios-asc.ts
-const interactiveCertLimitRecover = (api, ascApiKeyId) => Effect.gen(function* () {
-	yield* Console.log("");
-	yield* Console.log("Apple reports the certificate limit was hit (max 3 distribution certs per team).");
-	const certs = yield* listAppleCertificates(api, {
-		ascApiKeyId,
-		certificateType: "IOS_DISTRIBUTION"
-	});
-	if (certs.length === 0) return yield* Effect.fail(new MissingCredentialsError({
-		message: "Apple says the certificate limit is hit but no existing certificates were returned.",
-		hint: "Try again later or check the Apple Developer portal."
-	}));
-	const toRevoke = yield* promptMultiSelect("Select one or more certificates to revoke before retrying", certs.map((entry) => ({
-		value: entry.id,
-		label: `${entry.serialNumber.slice(0, 12)}… (${entry.displayName ?? entry.certificateType}, exp ${entry.expirationDate.slice(0, 10)})`
-	})), { required: true });
-	yield* Effect.forEach(toRevoke, (id) => revokeAppleCertificate(api, {
-		ascApiKeyId,
-		developerPortalIdentifier: id
-	}), { concurrency: "inherit" });
-	yield* Console.log(`Revoked ${toRevoke.length} certificate(s); retrying generation...`);
-});
-const generateDistributionCertInteractive = (api) => Effect.gen(function* () {
-	const teamAscKeys = (yield* api.ascApiKeys.list()).items.filter((key) => key.appleTeamId !== null);
-	if (teamAscKeys.length === 0) return yield* Effect.fail(new MissingCredentialsError({
-		message: "No ASC API key linked to an Apple team in this organization.",
-		hint: "Upload an ASC API key with a team assignment via the dashboard, then retry."
-	}));
-	const ascKeyId = yield* promptSelect("Select an ASC API key to issue the certificate against", teamAscKeys.map((key) => ({
-		value: key.id,
-		label: `${key.name} (${key.keyId})`
-	})));
-	yield* Console.log("Generating CSR and requesting certificate from Apple...");
-	const generate = generateAndUploadDistributionCertificate(api, { ascApiKeyId: ascKeyId });
-	return yield* generate.pipe(Effect.catchTag("CertificateLimitError", () => interactiveCertLimitRecover(api, ascKeyId).pipe(Effect.flatMap(() => generate))));
-});
-const chooseIosCertificateId = (api) => Effect.gen(function* () {
-	const certs = yield* api.appleDistributionCertificates.list();
-	if (certs.items.length === 0) {
-		yield* Console.log("No distribution certificate found in this organization.");
-		if ((yield* promptSelect("How would you like to proceed?", [{
-			value: "generate",
-			label: "Generate a new distribution certificate"
-		}, {
-			value: "abort",
-			label: "Abort — I'll upload one manually"
-		}])) === "abort") return yield* Effect.fail(new MissingCredentialsError({
-			message: "Build aborted — no distribution certificate available.",
-			hint: "Run `better-update credentials generate distribution-certificate --asc-key-id <id>` or upload via the dashboard."
-		}));
-		return (yield* generateDistributionCertInteractive(api)).id;
-	}
-	const choice = yield* promptSelect("Select a distribution certificate (or 'generate' for a fresh one)", [{
-		value: "__generate__",
-		label: "Generate a new distribution certificate"
-	}, ...certs.items.map((cert) => ({
-		value: cert.id,
-		label: `${cert.serialNumber.slice(0, 12)}… (team ${cert.appleTeamId})`
-	}))]);
-	if (choice === "__generate__") return (yield* generateDistributionCertInteractive(api)).id;
-	return choice;
-});
-const pickIosCertificate = (api) => Effect.gen(function* () {
-	const chosenId = yield* chooseIosCertificateId(api);
-	const cert = (yield* api.appleDistributionCertificates.list()).items.find((entry) => entry.id === chosenId);
-	if (cert === void 0) return yield* Effect.fail(new MissingCredentialsError({
-		message: "Selected certificate not found after generation.",
-		hint: "Retry."
-	}));
+const stripExtends = (profile) => {
+	if (profile.extends === void 0) return profile;
+	const { extends: _omit, ...rest } = profile;
+	return rest;
+};
+const resolveEasBuildProfile = (config, profileName) => Effect.gen(function* () {
+	const profiles = config.build;
+	if (!profiles) return yield* new BuildProfileError({ message: "eas.json has no \"build\" section. Add at least one profile." });
+	return stripExtends((yield* collectExtendsChain(profiles, profileName)).reduce((acc, next, index) => index === 0 ? next : mergeProfile(acc, next), {}));
+});
+
+//#endregion
+//#region src/lib/build-profile.ts
+const asString$1 = (value) => typeof value === "string" ? value : void 0;
+const deriveIosDistribution = (eas) => {
+	const override = eas.ios?.distribution;
+	if (override) return override;
+	if (eas.developmentClient === true) return "development";
+	if (eas.distribution === "internal") return "ad-hoc";
+	if (eas.distribution === "store") return "app-store";
+};
+const deriveAndroidFormat = (eas) => {
+	if (eas.android?.format) return eas.android.format;
+	if (eas.distribution === "store") return "aab";
+	if (eas.distribution === "internal") return "apk";
+	if (eas.developmentClient === true) return "apk";
+};
+const deriveAndroidDistribution = (eas, format) => {
+	if (eas.android?.distribution) return eas.android.distribution;
+	if (format === "aab") return "play-store";
+	return "direct";
+};
+const hasIosIntent = (eas) => eas.ios !== void 0 || eas.distribution !== void 0 || eas.developmentClient === true;
+const hasAndroidIntent = (eas) => eas.android !== void 0 || eas.distribution !== void 0 || eas.developmentClient === true;
+const resolveIosAutoIncrement = (eas) => {
+	const override = eas.ios?.autoIncrement;
+	if (override === false) return;
+	if (override === true) return "buildNumber";
+	if (override === "buildNumber" || override === "version") return override;
+	const top = eas.autoIncrement;
+	if (top === true || top === "buildNumber") return "buildNumber";
+	if (top === "version") return "version";
+};
+const resolveAndroidAutoIncrement = (eas) => {
+	const override = eas.android?.autoIncrement;
+	if (override === false) return;
+	if (override === true) return "versionCode";
+	if (override === "versionCode" || override === "version") return override;
+	const top = eas.autoIncrement;
+	if (top === true || top === "versionCode") return "versionCode";
+	if (top === "version") return "version";
+};
+const toIosProfile = (eas) => {
+	if (!hasIosIntent(eas)) return;
+	const distribution = deriveIosDistribution(eas);
+	if (!distribution) return;
+	const ios = eas.ios ?? {};
+	const autoIncrement = resolveIosAutoIncrement(eas);
 	return {
-		certId: chosenId,
-		cert
+		distribution,
+		...ios.buildConfiguration === void 0 ? {} : { buildConfiguration: ios.buildConfiguration },
+		...ios.scheme === void 0 ? {} : { scheme: ios.scheme },
+		...ios.simulator === void 0 ? {} : { simulator: ios.simulator },
+		...autoIncrement === void 0 ? {} : { autoIncrement }
 	};
+};
+const toAndroidProfile = (eas) => {
+	if (!hasAndroidIntent(eas)) return;
+	const format = deriveAndroidFormat(eas);
+	if (!format) return;
+	const android = eas.android ?? {};
+	const distribution = deriveAndroidDistribution(eas, format);
+	const autoIncrement = resolveAndroidAutoIncrement(eas);
+	return {
+		format,
+		distribution,
+		...android.buildType === void 0 ? {} : { buildType: android.buildType },
+		...android.flavor === void 0 ? {} : { flavor: android.flavor },
+		...android.gradleCommand === void 0 ? {} : { gradleCommand: android.gradleCommand },
+		...autoIncrement === void 0 ? {} : { autoIncrement }
+	};
+};
+const fromEasProfile = (eas, profileName) => {
+	const ios = toIosProfile(eas);
+	const android = toAndroidProfile(eas);
+	return {
+		name: profileName,
+		environment: eas.environment ?? "production",
+		...eas.channel === void 0 ? {} : { channel: eas.channel },
+		...eas.env === void 0 ? {} : { env: eas.env },
+		...ios === void 0 ? {} : { ios },
+		...android === void 0 ? {} : { android },
+		...eas.credentialsSource === void 0 ? {} : { credentialsSource: eas.credentialsSource }
+	};
+};
+const readBuildProfile = (projectRoot, profileName) => Effect.gen(function* () {
+	return fromEasProfile(yield* resolveEasBuildProfile(yield* readEasJson(projectRoot), profileName), profileName);
 });
-const pickIosAscKey = (api, appleTeamId) => Effect.gen(function* () {
-	const teamAscKeys = (yield* api.ascApiKeys.list()).items.filter((key) => key.appleTeamId !== null && key.appleTeamId === appleTeamId);
-	if (teamAscKeys.length === 0) return yield* Effect.fail(new MissingCredentialsError({
-		message: `No ASC API key linked to Apple team ${appleTeamId}.`,
-		hint: "Upload an ASC API key for that team via the dashboard, then retry."
-	}));
-	return yield* promptSelect("Select an ASC API key", teamAscKeys.map((key) => ({
-		value: key.id,
-		label: `${key.name} (${key.keyId})`
-	})));
-});
-const generateProvisioningProfileForBundle = (api, input, ctx) => Effect.gen(function* () {
-	yield* Console.log("Generating provisioning profile via App Store Connect API...");
-	return (yield* generateAndUploadProvisioningProfile(api, {
-		ascApiKeyId: ctx.ascKeyId,
-		distributionCertificateId: ctx.certId,
-		bundleIdentifier: input.bundleIdentifier,
-		distributionType: ctx.distributionType
-	})).id;
-});
-const resolveIosProfileId = (api, input, ctx) => Effect.gen(function* () {
-	const matching = (yield* api.appleProvisioningProfiles.list({ urlParams: {} })).items.filter((profile) => profile.bundleIdentifier === input.bundleIdentifier && profile.distributionType === ctx.distributionType && profile.appleTeamId === ctx.cert.appleTeamId);
-	if (matching.length === 0) return yield* generateProvisioningProfileForBundle(api, input, ctx);
-	if (!(yield* promptConfirm(`Reuse an existing ${input.distribution} profile for ${input.bundleIdentifier}?`, { initialValue: true }))) return yield* generateProvisioningProfileForBundle(api, input, ctx);
-	return yield* promptSelect("Select a provisioning profile", matching.map((profile) => ({
-		value: profile.id,
-		label: profile.profileName ?? profile.developerPortalIdentifier ?? profile.id
-	})));
-});
-const setupIosViaAscKey = (api, input) => Effect.gen(function* () {
-	const { certId, cert } = yield* pickIosCertificate(api);
-	const ascKeyId = yield* pickIosAscKey(api, cert.appleTeamId);
-	const distributionType = IOS_DISTRIBUTION_TO_TYPE[input.distribution];
-	const profileId = yield* resolveIosProfileId(api, input, {
-		certId,
-		cert,
-		ascKeyId,
-		distributionType
-	});
-	yield* upsertIosBundleConfiguration(api, {
-		projectId: input.projectId,
-		bundleIdentifier: input.bundleIdentifier,
-		distributionType,
-		appleTeamId: cert.appleTeamId,
-		appleDistributionCertificateId: certId,
-		appleProvisioningProfileId: profileId,
-		ascApiKeyId: ascKeyId
-	});
+const readRuntimeVersionMeta = (config) => ({
+	appVersion: config.version,
+	rawRuntimeVersion: readRawRuntimeVersion(config.runtimeVersion)
 });
+const readRawRuntimeVersion = (value) => {
+	if (typeof value === "string") return value;
+	const policy = asString$1(asRecord(value)?.["policy"]);
+	if (policy) return { policy };
+};
 
 //#endregion
-//#region src/application/credentials-interactive.ts
-const hasTag = (cause) => typeof cause === "object" && cause !== null && "_tag" in cause;
-const isMissingResolveError = (cause) => hasTag(cause) && (cause._tag === "NotFound" || cause._tag === "BadRequest");
-const generateKeystoreInteractive = (api) => Effect.gen(function* () {
-	const alias = yield* promptText("Key alias", { placeholder: "upload-key" });
-	const storePassword = yield* promptPassword("Keystore password");
-	const keyPassword = yield* promptPassword("Key password");
-	const commonName = yield* promptText("Common name (CN)", { placeholder: "Your App" });
-	const organization = yield* promptText("Organization (O)", { placeholder: "Your Company" });
-	yield* Console.log("Generating keystore with keytool...");
-	return (yield* generateAndUploadKeystore(api, {
-		keyAlias: alias,
-		storePassword,
-		keyPassword,
-		commonName,
-		organization
-	})).id;
-});
-const pickExistingKeystore = (api) => Effect.gen(function* () {
-	const keystores = yield* api.androidUploadKeystores.list();
-	if (keystores.items.length === 0) return yield* Effect.fail(new MissingCredentialsError({
-		message: "No existing keystores in this organization.",
-		hint: "Re-run and choose 'Generate new keystore'."
-	}));
-	return yield* promptSelect("Select a keystore", keystores.items.map((item) => ({
-		value: item.id,
-		label: item.keyAlias
-	})));
+//#region src/lib/clear-cache.ts
+/**
+* Project-scoped build cache directories to remove when --clear-cache is passed.
+* Intentionally avoids `~/.gradle/caches` (global) and `ios/Pods/` (requires
+* pod install rebuild — leave to the user).
+*/
+const CACHE_DIRS = [
+	"android/.gradle",
+	"android/app/build",
+	"android/build",
+	"ios/build",
+	".expo",
+	"node_modules/.cache"
+];
+const clearBuildCaches = (projectRoot) => Effect.gen(function* () {
+	const fs = yield* FileSystem.FileSystem;
+	const removed = [];
+	yield* Effect.forEach(CACHE_DIRS, (rel) => Effect.gen(function* () {
+		const target = path.join(projectRoot, rel);
+		if (!(yield* fs.exists(target).pipe(Effect.catchAll(() => Effect.succeed(false))))) return;
+		yield* fs.remove(target, { recursive: true }).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
+		removed.push(rel);
+	}), { concurrency: 4 });
+	if (removed.length > 0) yield* Console.error(`Cleared caches: ${removed.join(", ")}`);
 });
-const resolveAndroidAppId = (api, input) => Effect.gen(function* () {
-	const existing = (yield* api.androidApplicationIdentifiers.list({ path: { projectId: input.projectId } })).items.find((item) => item.packageName === input.applicationIdentifier);
-	if (existing !== void 0) return existing.id;
-	return (yield* api.androidApplicationIdentifiers.create({
-		path: { projectId: input.projectId },
-		payload: { packageName: input.applicationIdentifier }
-	})).id;
+
+//#endregion
+//#region src/lib/env-exporter.ts
+const coerceEnvironment = (raw) => raw === "development" || raw === "preview" || raw === "production" ? raw : void 0;
+/**
+* Pull environment variables for a project + environment and flatten them into
+* a key/value map. Returns an empty map when the project has no variables.
+*/
+const pullEnvVars = (api, { projectId, environment }) => {
+	const validated = coerceEnvironment(environment);
+	if (!validated) return Effect.fail(new EnvExportError({ message: `Invalid environment "${environment}". Must be one of: development, preview, production.` }));
+	return api["env-vars"].export({ urlParams: {
+		projectId,
+		environment: validated
+	} }).pipe(Effect.map((result) => Object.fromEntries(result.items.map((item) => [item.key, item.value]))), Effect.mapError((cause) => new EnvExportError({ message: `Failed to export environment variables for "${environment}": ${String(cause)}` })));
+};
+
+//#endregion
+//#region src/lib/git-context.ts
+const runString = (cmd, cwd) => Command.string(Command.workingDirectory(cmd, cwd));
+/**
+* Best-effort git context extraction. If git is missing, the directory isn't
+* a repo, or any command fails, we silently return undefined fields so the
+* build can still proceed. This is intentional — git context is metadata,
+* not a requirement.
+*/
+const readGitContext = (projectRoot) => Effect.gen(function* () {
+	const [commit, ref, commitMessage, status] = yield* Effect.all([
+		runString(Command.make("git", "rev-parse", "HEAD"), projectRoot).pipe(Effect.map((output) => output.trim()), Effect.catchAll(() => Effect.succeed(""))),
+		runString(Command.make("git", "symbolic-ref", "--short", "HEAD"), projectRoot).pipe(Effect.map((output) => output.trim()), Effect.catchAll(() => Effect.succeed(""))),
+		runString(Command.make("git", "log", "-1", "--format=%s"), projectRoot).pipe(Effect.map((output) => output.trim()), Effect.catchAll(() => Effect.succeed(""))),
+		runString(Command.make("git", "status", "--porcelain"), projectRoot).pipe(Effect.catchAll(() => Effect.succeed("")))
+	], { concurrency: "unbounded" });
+	return {
+		ref: ref.length > 0 ? ref : void 0,
+		commit: commit.length > 0 ? commit : void 0,
+		commitMessage: commitMessage.length > 0 ? commitMessage : void 0,
+		dirty: status.trim().length > 0
+	};
 });
-const resolveAndroidKeystoreId = (api, choice) => choice === "generate" ? generateKeystoreInteractive(api) : pickExistingKeystore(api);
-const setupAndroidInteractive = (api, input) => Effect.gen(function* () {
-	yield* Console.log("");
-	yield* Console.log(`No Android build credentials configured for ${input.applicationIdentifier}.`);
-	const appId = yield* resolveAndroidAppId(api, input);
-	const choice = yield* promptSelect("How would you like to provide a keystore?", [
-		{
-			value: "generate",
-			label: "Generate new keystore"
-		},
-		{
-			value: "existing",
-			label: "Pick an existing keystore"
+
+//#endregion
+//#region src/lib/gradle-config.ts
+/**
+* Parse Groovy `build.gradle` to extract key Android config values.
+* Returns `undefined` if:
+* - Only `build.gradle.kts` exists (Kotlin DSL not supported by gradle-to-js)
+* - No build.gradle found at all
+* - Parse fails
+*
+* Informational only — never blocks the build.
+*/
+const readGradleConfig = (androidDir) => Effect.gen(function* () {
+	const fs = yield* FileSystem.FileSystem;
+	const gradlePath = path.join(androidDir, "app", "build.gradle");
+	const ktsPath = path.join(androidDir, "app", "build.gradle.kts");
+	const hasGroovy = yield* fs.exists(gradlePath).pipe(Effect.orElseSucceed(() => false));
+	const hasKts = yield* fs.exists(ktsPath).pipe(Effect.orElseSucceed(() => false));
+	if (!hasGroovy && hasKts) return;
+	if (!hasGroovy) return;
+	const content = yield* fs.readFileString(gradlePath).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
+	if (!content) return;
+	return yield* Effect.tryPromise({
+		try: async () => {
+			return __require("gradle-to-js").parseText(stripGroovyComments(content));
 		},
-		{
-			value: "abort",
-			label: "Abort — I'll configure it in the dashboard"
-		}
-	]);
-	if (choice === "abort") return yield* Effect.fail(new MissingCredentialsError({
-		message: `Build aborted — no keystore bound to ${input.applicationIdentifier}.`,
-		hint: "Run `better-update credentials generate keystore` or upload via the dashboard."
-	}));
-	const keystoreId = yield* resolveAndroidKeystoreId(api, choice);
-	yield* api.androidBuildCredentials.create({
-		path: { applicationIdentifierId: appId },
-		payload: {
-			name: "Default",
-			isDefault: true,
-			androidUploadKeystoreId: keystoreId
-		}
-	});
-	yield* Console.log("Android build credentials configured.");
+		catch: () => void 0
+	}).pipe(Effect.map(extractGradleConfig), Effect.catchAll(() => Effect.succeed(void 0)));
 });
-const ensureAndroidCredentialsAvailable = (api, input) => api.buildCredentials.resolve({
-	path: { projectId: input.projectId },
-	payload: {
-		platform: "android",
-		applicationIdentifier: input.applicationIdentifier
+/**
+* Log a warning if Gradle applicationId differs from app.json package name.
+*/
+const warnOnGradleMismatch = (gradleConfig, expectedPackage) => {
+	if (!gradleConfig?.applicationId) return Effect.void;
+	if (gradleConfig.applicationId === expectedPackage) return Effect.void;
+	return Console.warn(`Gradle applicationId "${gradleConfig.applicationId}" differs from app.json package "${expectedPackage}". The Gradle value will be used in the built APK/AAB.`);
+};
+/**
+* Strip Groovy single-line and block comments.
+* gradle-to-js chokes on comments — EAS CLI does this same pre-processing.
+*/
+const stripGroovyComments = (text) => text.replaceAll(/\/\/.*$/gmu, "").replaceAll(/\/\*[\s\S]*?\*\//gu, "");
+const parseVersionCode = (raw) => {
+	if (typeof raw === "number") return raw;
+	if (typeof raw === "string") return Number.parseInt(raw, 10) || void 0;
+};
+const extractGradleConfig = (parsed) => {
+	const defaultConfig = asRecord(asRecord(parsed["android"])?.["defaultConfig"]);
+	const applicationId = typeof defaultConfig?.["applicationId"] === "string" ? unquote(defaultConfig["applicationId"]) : void 0;
+	const versionCode = parseVersionCode(defaultConfig?.["versionCode"]);
+	const versionName = typeof defaultConfig?.["versionName"] === "string" ? unquote(defaultConfig["versionName"]) : void 0;
+	return {
+		...applicationId === void 0 ? {} : { applicationId },
+		...versionCode === void 0 ? {} : { versionCode },
+		...versionName === void 0 ? {} : { versionName }
+	};
+};
+const unquote = (input) => input.startsWith("\"") && input.endsWith("\"") ? input.slice(1, -1) : input;
+
+//#endregion
+//#region src/lib/platform-detect.ts
+const PLATFORMS = ["ios", "android"];
+const inferPlatforms = (config) => {
+	const fromConfig = config["platforms"];
+	if (Array.isArray(fromConfig)) return fromConfig.filter((entry) => entry === "ios" || entry === "android");
+	const present = [];
+	if (config.ios !== void 0) present.push("ios");
+	if (config.android !== void 0) present.push("android");
+	return present;
+};
+/**
+* Resolve a build platform from an explicit flag, or fall back to the Expo
+* config (`expo.platforms` or the presence of `ios`/`android` sections). Prompts
+* when the config declares both platforms; fails when ambiguous and prompts are
+* disallowed.
+*/
+const detectPlatform = (explicit, config) => Effect.gen(function* () {
+	if (explicit !== void 0) return explicit;
+	const candidates = inferPlatforms(config);
+	if (candidates.length === 0) return yield* new BuildProfileError({ message: "Cannot infer build platform. Add an `ios` or `android` section to your Expo config, or pass --platform." });
+	if (candidates.length === 1) {
+		const [only] = candidates;
+		if (only === void 0) return yield* new BuildProfileError({ message: "Internal: empty platform candidate list." });
+		return only;
 	}
-}).pipe(Effect.asVoid);
-const ensureAndroidCredentials = (api, input, options) => ensureAndroidCredentialsAvailable(api, input).pipe(Effect.catchIf(isMissingResolveError, () => Effect.gen(function* () {
-	const mode = yield* InteractiveMode;
-	if (options.freezeCredentials || !mode.allow) return yield* Effect.fail(new MissingCredentialsError({
-		message: `No Android build credentials for ${input.applicationIdentifier}.`,
-		hint: options.freezeCredentials ? "Run `better-update credentials generate` first, or remove --freeze-credentials." : "Run `better-update credentials generate` first, or rerun with --interactive to configure now."
-	}));
-	yield* setupAndroidInteractive(api, input);
-	return yield* ensureAndroidCredentialsAvailable(api, input);
-})));
-const setupIosInteractive = (api, input) => Effect.gen(function* () {
-	yield* Console.log("");
-	yield* Console.log(`No iOS bundle configuration for ${input.bundleIdentifier} (${input.distribution}).`);
-	if ((yield* chooseIosSetupPath(api)) === "apple-id") return yield* setupIosViaAppleId(api, input);
-	return yield* setupIosViaAscKey(api, input);
+	if (!(yield* InteractiveMode).allow) return yield* new BuildProfileError({ message: `Multiple platforms detected (${candidates.join(", ")}). Pass --platform explicitly when running non-interactively.` });
+	return yield* promptSelect("Which platform to build?", PLATFORMS.filter((entry) => candidates.includes(entry)).map((entry) => ({
+		value: entry,
+		label: entry
+	})));
 });
-const resolveIosBuildCredentials = (api, input) => api.buildCredentials.resolve({
-	path: { projectId: input.projectId },
-	payload: {
-		platform: "ios",
-		bundleIdentifier: input.bundleIdentifier,
-		distributionType: IOS_DISTRIBUTION_TO_TYPE[input.distribution]
+
+//#endregion
+//#region src/lib/repo-clean.ts
+const MAX_FILES_SHOWN = 10;
+const readPorcelain = (projectRoot) => Command.make("git", "status", "--porcelain").pipe(Command.workingDirectory(projectRoot), Command.string, Effect.map((output) => output.split(/\r?\n/u).map((line) => line.trim()).filter((line) => line.length > 0)), Effect.catchAll(() => Effect.succeed([])));
+/**
+* Refuse to proceed when the working tree has uncommitted changes. Skipped when
+* `allowDirty` is true. In interactive mode, prompts the user to confirm; in
+* non-interactive mode, fails with `DirtyRepoError`.
+*/
+const ensureRepoClean = ({ projectRoot, allowDirty, label }) => Effect.gen(function* () {
+	if (allowDirty) return;
+	const dirty = yield* readPorcelain(projectRoot);
+	if (dirty.length === 0) return;
+	const preview = dirty.slice(0, MAX_FILES_SHOWN).join("\n  ");
+	const overflow = dirty.length > MAX_FILES_SHOWN ? `\n  ... and ${String(dirty.length - MAX_FILES_SHOWN)} more` : "";
+	yield* Console.error(`Uncommitted changes (${String(dirty.length)} file(s)):\n  ${preview}${overflow}`);
+	if (!(yield* InteractiveMode).allow) {
+		yield* new DirtyRepoError({ message: `Refusing to ${label} with a dirty working tree. Commit your changes or pass --allow-dirty.` });
+		return;
 	}
+	if (!(yield* promptConfirm(`Continue ${label} with uncommitted changes?`, { initialValue: false }))) yield* new DirtyRepoError({ message: `${label} cancelled by user.` });
 });
-const findBoundIosConfig = (api, input) => Effect.gen(function* () {
-	const distributionType = IOS_DISTRIBUTION_TO_TYPE[input.distribution];
-	const match = (yield* api.iosBundleConfigurations.list({ path: { projectId: input.projectId } })).items.find((config) => config.bundleIdentifier === input.bundleIdentifier && config.distributionType === distributionType);
-	if (match === void 0) return yield* Effect.fail(new MissingCredentialsError({
-		message: `iOS bundle configuration vanished while regenerating stale profile for ${input.bundleIdentifier}`,
-		hint: "Retry; the configuration must exist before regeneration"
-	}));
-	return match;
-});
-const regenerateProvisioningProfile = (api, input) => Effect.gen(function* () {
-	const config = yield* findBoundIosConfig(api, input);
-	if (config.appleDistributionCertificateId === null) return yield* new MissingCredentialsError({
-		message: "Profile cannot be regenerated: bundle configuration is missing the distribution certificate",
-		hint: "Re-bind credentials via `better-update credentials generate` or the dashboard"
-	});
-	const distributionType = IOS_DISTRIBUTION_TO_TYPE[input.distribution];
-	if (config.ascApiKeyId === null) return yield* regenerateProvisioningProfileViaAppleId(api, {
-		bundleIdentifier: input.bundleIdentifier,
-		distributionCertificateId: config.appleDistributionCertificateId,
-		distributionType,
-		bundleConfigurationId: config.id
-	});
-	yield* Console.log("Regenerating provisioning profile via App Store Connect API...");
-	const created = yield* generateAndUploadProvisioningProfile(api, {
-		ascApiKeyId: config.ascApiKeyId,
-		distributionCertificateId: config.appleDistributionCertificateId,
-		bundleIdentifier: input.bundleIdentifier,
-		distributionType
-	});
-	yield* api.iosBundleConfigurations.update({
-		path: { id: config.id },
-		payload: { appleProvisioningProfileId: created.id }
+
+//#endregion
+//#region src/lib/fingerprint.ts
+var FingerprintError = class extends Data.TaggedError("FingerprintError") {};
+const runFingerprintFull = (projectRoot) => Effect.gen(function* () {
+	const cmd = Command.make("bunx", "@expo/fingerprint", projectRoot).pipe(Command.workingDirectory(projectRoot));
+	const stdout = yield* Command.string(cmd).pipe(Effect.mapError((cause) => new FingerprintError({ message: `Failed to run "@expo/fingerprint": ${cause.message}` })));
+	const parsed = yield* Effect.try({
+		try: () => JSON.parse(stdout),
+		catch: () => new FingerprintError({ message: "Failed to parse @expo/fingerprint output as JSON." })
 	});
-	return created;
+	if (!isRecord(parsed)) return yield* new FingerprintError({ message: "@expo/fingerprint output was not a JSON object." });
+	const { hash } = parsed;
+	if (typeof hash !== "string" || hash.length === 0) return yield* new FingerprintError({ message: "@expo/fingerprint output did not contain a \"hash\" string field." });
+	const sourcesRaw = parsed["sources"];
+	return {
+		hash,
+		sources: Array.isArray(sourcesRaw) ? sourcesRaw : []
+	};
+});
+
+//#endregion
+//#region src/lib/runtime-version.ts
+const resolveRuntimeVersion = ({ raw, appVersion, projectRoot }) => Effect.gen(function* () {
+	if (typeof raw === "string") return raw;
+	if (raw === void 0) return yield* new RuntimeVersionError({ message: "No runtimeVersion configured in expo section of app.json." });
+	const { policy } = raw;
+	if (policy === "appVersion") {
+		if (appVersion === void 0) return yield* new RuntimeVersionError({ message: "runtimeVersion policy is \"appVersion\" but expo.version is missing in app.json." });
+		return appVersion;
+	}
+	if (policy === "fingerprint") return yield* runFingerprintFull(projectRoot).pipe(Effect.map((result) => result.hash), Effect.mapError((cause) => new RuntimeVersionError({ message: cause.message })));
+	if (policy === "nativeVersion") return yield* new RuntimeVersionError({ message: "runtimeVersion policy \"nativeVersion\" is not supported. Set a static runtimeVersion string in your Expo config." });
+	return yield* new RuntimeVersionError({ message: `Unsupported runtimeVersion policy "${policy}". Use a static string, "appVersion", or "fingerprint".` });
 });
-const ensureIosCredentials = (api, input, options) => resolveIosBuildCredentials(api, input).pipe(Effect.catchIf(isMissingResolveError, () => Effect.gen(function* () {
-	const mode = yield* InteractiveMode;
-	if (options.freezeCredentials || !mode.allow) return yield* Effect.fail(new MissingCredentialsError({
-		message: `No iOS build credentials for ${input.bundleIdentifier} (${input.distribution}).`,
-		hint: options.freezeCredentials ? "Run `better-update credentials generate` first, or remove --freeze-credentials." : "Run `better-update credentials generate` first, or rerun with --interactive to configure now."
-	}));
-	yield* setupIosInteractive(api, input);
-	return yield* resolveIosBuildCredentials(api, input);
-})), Effect.flatMap((resolved) => Effect.gen(function* () {
-	if (resolved.platform !== "ios" || !resolved.profileStale) return;
-	const mode = yield* InteractiveMode;
-	if (options.freezeCredentials || !mode.allow) return yield* Effect.fail(new MissingCredentialsError({
-		message: `Stale provisioning profile for ${input.bundleIdentifier}; cannot regenerate without an interactive session.`,
-		hint: options.freezeCredentials ? "Run a build without --freeze-credentials once to refresh the profile, or run `better-update credentials regenerate-profile`." : "Run `better-update credentials regenerate-profile --bundle <id> --distribution <type>` from an interactive terminal."
-	}));
-	yield* Console.log(`Stale provisioning profile for ${input.bundleIdentifier} (device roster changed). Regenerating...`);
-	yield* regenerateProvisioningProfile(api, input);
-})));
 
 //#endregion
 //#region src/application/build-workflow.ts
@@ -6363,7 +6375,8 @@ const runIosPlatformBuild = (input) => Effect.gen(function* () {
 			envVars,
 			projectId,
 			credentialsSource,
-			rawOutput: options.rawOutput
+			rawOutput: options.rawOutput,
+			freezeCredentials: options.freezeCredentials ?? false
 		}),
 		target: isSimulator ? {
 			platform: "ios",