@better-update/cli 0.16.0 → 0.18.0

package/dist/index.mjs

@@ -14,12 +14,13 @@ import { createServer } from "node:http";
 import { maxBy, uniqBy } from "es-toolkit";
 import { createHash, randomBytes, randomUUID } from "node:crypto";
 import forge from "node-forge";
-import { createReadStream, existsSync, readFileSync, writeFileSync } from "node:fs";
+import { createReadStream, existsSync, promises, readFileSync, writeFileSync } from "node:fs";
 import { spawn as spawn$1 } from "node-pty";
 import chalk from "chalk";
 import os from "node:os";
 import plistMod from "@expo/plist";
 import { ExpoRunFormatter } from "@expo/xcpretty";
+import ignore from "ignore";
 import { Buffer as Buffer$1 } from "node:buffer";
 import { getFormattedSerialNumber, getX509Certificate, parsePKCS12 } from "@expo/pkcs12";
 import qrcode from "qrcode-terminal";
@@ -30,7 +31,7 @@ var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
 //#endregion
 //#region package.json
-var version = "0.16.0";
+var version = "0.18.0";
 
 //#endregion
 //#region src/lib/interactive-mode.ts
@@ -199,11 +200,11 @@ var NotAcceptable = class extends Schema.TaggedError()("NotAcceptable", { messag
 //#endregion
 //#region ../../packages/api/src/groups/android-application-identifiers.ts
 const idParam$16 = HttpApiSchema.param("id", Schema.String);
-const projectIdParam$3 = HttpApiSchema.param("projectId", Schema.String);
-var AndroidApplicationIdentifiersGroup = class extends HttpApiGroup.make("androidApplicationIdentifiers").add(HttpApiEndpoint.get("list")`/api/projects/${projectIdParam$3}/android-application-identifiers`.addSuccess(Schema.Struct({ items: Schema.Array(AndroidApplicationIdentifier) })).annotateContext(OpenApi.annotations({
+const projectIdParam$4 = HttpApiSchema.param("projectId", Schema.String);
+var AndroidApplicationIdentifiersGroup = class extends HttpApiGroup.make("androidApplicationIdentifiers").add(HttpApiEndpoint.get("list")`/api/projects/${projectIdParam$4}/android-application-identifiers`.addSuccess(Schema.Struct({ items: Schema.Array(AndroidApplicationIdentifier) })).annotateContext(OpenApi.annotations({
 	title: "List Android application identifiers",
 	description: "List all Android package identifiers for a project"
-}))).add(HttpApiEndpoint.post("create")`/api/projects/${projectIdParam$3}/android-application-identifiers`.setPayload(CreateAndroidApplicationIdentifierBody).addSuccess(AndroidApplicationIdentifier, { status: 201 }).annotateContext(OpenApi.annotations({
+}))).add(HttpApiEndpoint.post("create")`/api/projects/${projectIdParam$4}/android-application-identifiers`.setPayload(CreateAndroidApplicationIdentifierBody).addSuccess(AndroidApplicationIdentifier, { status: 201 }).annotateContext(OpenApi.annotations({
 	title: "Create Android application identifier",
 	description: "Register an Android package name for a project"
 }))).add(HttpApiEndpoint.del("delete")`/api/android-application-identifiers/${idParam$16}`.addSuccess(DeleteAndroidApplicationIdentifierResult).annotateContext(OpenApi.annotations({
@@ -611,11 +612,11 @@ const AssetUploadResult = Schema.Struct({
 
 //#endregion
 //#region ../../packages/api/src/groups/assets.ts
-const hashParam = HttpApiSchema.param("hash", Schema.String);
+const hashParam$1 = HttpApiSchema.param("hash", Schema.String);
 var AssetsGroup = class extends HttpApiGroup.make("assets").add(HttpApiEndpoint.post("upload", "/api/assets/upload").setPayload(AssetUploadBody).addSuccess(AssetUploadResult, { status: 201 }).annotateContext(OpenApi.annotations({
 	title: "Upload assets",
 	description: "Upload asset files to R2 storage (deduplicated by content hash)"
-}))).add(HttpApiEndpoint.post("finalize")`/api/assets/${hashParam}/finalize`.addSuccess(Asset).annotateContext(OpenApi.annotations({
+}))).add(HttpApiEndpoint.post("finalize")`/api/assets/${hashParam$1}/finalize`.addSuccess(Asset).annotateContext(OpenApi.annotations({
 	title: "Finalize asset upload",
 	description: "Verify a directly uploaded asset in R2 and mark it available for updates"
 }))).addError(BadRequest).addError(NotFound).addError(Forbidden).annotateContext(OpenApi.annotations({
@@ -720,7 +721,8 @@ const ResolveBuildCredentialsIosBody = Schema.Struct({
 });
 const ResolveBuildCredentialsAndroidBody = Schema.Struct({
 	platform: Schema.Literal("android"),
-	applicationIdentifier: AndroidPackageName
+	applicationIdentifier: AndroidPackageName,
+	buildProfile: Schema.optional(Schema.String.pipe(Schema.minLength(1), Schema.maxLength(120)))
 });
 const ResolveBuildCredentialsBody = Schema.Union(ResolveBuildCredentialsIosBody, ResolveBuildCredentialsAndroidBody);
 const IosBuildDistributionCertificate = Schema.Struct({
@@ -776,8 +778,8 @@ const ResolveBuildCredentialsResult = Schema.Union(ResolveBuildCredentialsIosRes
 
 //#endregion
 //#region ../../packages/api/src/groups/build-credentials.ts
-const projectIdParam$2 = HttpApiSchema.param("projectId", Schema.String);
-var BuildCredentialsGroup = class extends HttpApiGroup.make("buildCredentials").add(HttpApiEndpoint.post("resolve")`/api/projects/${projectIdParam$2}/build-credentials/resolve`.setPayload(ResolveBuildCredentialsBody).addSuccess(ResolveBuildCredentialsResult).annotateContext(OpenApi.annotations({
+const projectIdParam$3 = HttpApiSchema.param("projectId", Schema.String);
+var BuildCredentialsGroup = class extends HttpApiGroup.make("buildCredentials").add(HttpApiEndpoint.post("resolve")`/api/projects/${projectIdParam$3}/build-credentials/resolve`.setPayload(ResolveBuildCredentialsBody).addSuccess(ResolveBuildCredentialsResult).annotateContext(OpenApi.annotations({
 	title: "Resolve build credentials",
 	description: "Return decrypted signing assets for a project build. Regenerates the iOS provisioning profile via Apple ASC when the registered device roster has changed since the profile was last generated."
 }))).addError(NotFound).addError(BadRequest).addError(Forbidden).annotateContext(OpenApi.annotations({
@@ -788,6 +790,7 @@ var BuildCredentialsGroup = class extends HttpApiGroup.make("buildCredentials").
 //#endregion
 //#region ../../packages/api/src/domain/build.ts
 const Distribution = Schema.Literal("app-store", "ad-hoc", "development", "enterprise", "simulator", "play-store", "direct");
+const BuildAudience = Schema.Literal("internal", "store");
 const ArtifactFormat = Schema.Literal("ipa", "apk", "aab", "tar.gz");
 const Sha256Hex = Schema.String.pipe(Schema.pattern(/^[a-fA-F0-9]{64}$/u), Schema.maxLength(64));
 const CreateBuildCommonFields = {
@@ -804,6 +807,7 @@ const CreateBuildCommonFields = {
 		key: Schema.String,
 		value: Schema.Unknown
 	})),
+	fingerprintHash: Schema.optional(Schema.String.pipe(Schema.minLength(1))),
 	sha256: Sha256Hex,
 	byteSize: Schema.Number.pipe(Schema.nonNegative())
 };
@@ -821,6 +825,7 @@ var Build = class extends Schema.Class("Build")({
 	gitCommit: Schema.NullOr(Schema.String),
 	message: Schema.NullOr(Schema.String),
 	metadataJson: Schema.String,
+	fingerprintHash: Schema.NullOr(Schema.String),
 	createdAt: DateTimeString
 }) {};
 var BuildArtifact = class extends Schema.Class("BuildArtifact")({
@@ -872,6 +877,7 @@ const ListBuildsParams = Schema.Struct({
 	profile: Schema.optional(Schema.String),
 	runtimeVersion: Schema.optional(Schema.String),
 	distribution: Schema.optional(Distribution),
+	audience: Schema.optional(BuildAudience),
 	...PaginationParams.fields,
 	sort: Schema.optional(BuildSort)
 });
@@ -1244,6 +1250,108 @@ var EnvVarsGroup = class extends HttpApiGroup.make("env-vars").add(HttpApiEndpoi
 	description: "Manage environment variables for project builds and deployments"
 })) {};
 
+//#endregion
+//#region ../../packages/api/src/domain/update.ts
+var Update = class extends Schema.Class("Update")({
+	id: Id,
+	branchId: Id,
+	runtimeVersion: Schema.String,
+	platform: Platform,
+	message: Schema.String,
+	metadataJson: Schema.String,
+	extraJson: Schema.NullOr(Schema.String),
+	groupId: Schema.String,
+	rolloutPercentage: Schema.Number,
+	isRollback: Schema.Boolean,
+	signature: Schema.NullOr(Schema.String),
+	certificateChain: Schema.NullOr(Schema.String),
+	manifestBody: Schema.NullOr(Schema.String),
+	directiveBody: Schema.NullOr(Schema.String),
+	fingerprintHash: Schema.NullOr(Schema.String),
+	totalAssetSize: Schema.Number,
+	createdAt: DateTimeString
+}) {};
+const UpdateSortColumn = Schema.Literal("createdAt", "runtimeVersion", "platform", "rolloutPercentage");
+/**
+* Sort param: column name optionally prefixed with `-` for descending.
+* Example: `runtimeVersion` (asc), `-createdAt` (desc).
+*/
+const UpdateSort = Schema.Union(UpdateSortColumn, Schema.TemplateLiteral("-", UpdateSortColumn));
+const ListUpdatesParams = Schema.Struct({
+	projectId: Id,
+	branchId: Schema.optional(Id),
+	platform: Schema.optional(Platform),
+	runtimeVersion: Schema.optional(Schema.String),
+	...PaginationParams.fields,
+	sort: Schema.optional(UpdateSort)
+});
+const AssetRef = Schema.Struct({
+	hash: Schema.String,
+	key: Schema.String,
+	isLaunch: Schema.Boolean,
+	contentChecksum: Schema.optional(Schema.String)
+});
+const UpdateAssetEntry = Schema.Struct({
+	hash: Schema.String,
+	key: Schema.String,
+	isLaunch: Schema.Boolean,
+	contentChecksum: Schema.NullOr(Schema.String)
+});
+const CreateUpdateBody = Schema.Struct({
+	branch: Schema.String.pipe(Schema.minLength(1)),
+	slug: Schema.String.pipe(Schema.minLength(1)),
+	runtimeVersion: Schema.String.pipe(Schema.minLength(1)),
+	platform: Platform,
+	message: Schema.String,
+	groupId: Schema.String.pipe(Schema.minLength(1)),
+	metadata: Schema.Record({
+		key: Schema.String,
+		value: Schema.Unknown
+	}),
+	extra: Schema.optional(Schema.Record({
+		key: Schema.String,
+		value: Schema.Unknown
+	})),
+	assets: Schema.Array(AssetRef),
+	manifestBody: Schema.optional(Schema.String),
+	directiveBody: Schema.optional(Schema.String),
+	isRollback: Schema.optional(Schema.Boolean),
+	signature: Schema.optional(Schema.String),
+	certificateChain: Schema.optional(Schema.String),
+	rolloutPercentage: Schema.optional(Schema.Number.pipe(Schema.int(), Schema.between(1, 100))),
+	fingerprintHash: Schema.optional(Schema.String.pipe(Schema.minLength(1)))
+});
+const RepublishBody = Schema.Struct({
+	sourceUpdateId: Schema.optional(Id),
+	sourceGroupId: Schema.optional(Schema.String.pipe(Schema.minLength(1))),
+	destinationBranchId: Schema.optional(Id),
+	destinationChannel: Schema.optional(Schema.String.pipe(Schema.minLength(1))),
+	message: Schema.optional(Schema.String),
+	signedUpdates: Schema.optional(Schema.Array(Schema.Struct({
+		sourceUpdateId: Id,
+		manifestBody: Schema.String.pipe(Schema.minLength(1)),
+		signature: Schema.String.pipe(Schema.minLength(1)),
+		certificateChain: Schema.String.pipe(Schema.minLength(1))
+	})))
+});
+const RepublishResult = Schema.Struct({ updates: Schema.Array(Update) });
+const DeleteUpdateResult = Schema.Struct({ deleted: Schema.Number });
+
+//#endregion
+//#region ../../packages/api/src/groups/fingerprints.ts
+const projectIdParam$2 = HttpApiSchema.param("projectId", Id);
+const hashParam = HttpApiSchema.param("hash", Schema.String.pipe(Schema.minLength(1)));
+const FingerprintDetail = Schema.Struct({
+	hash: Schema.String,
+	projectId: Id,
+	builds: Schema.Array(BuildWithArtifact),
+	updates: Schema.Array(Update)
+});
+var FingerprintsGroup = class extends HttpApiGroup.make("fingerprints").add(HttpApiEndpoint.get("get")`/api/projects/${projectIdParam$2}/fingerprints/${hashParam}`.addSuccess(FingerprintDetail).annotateContext(OpenApi.annotations({
+	title: "Get fingerprint",
+	description: "Fetch builds and updates compatible with a given fingerprint hash within a project."
+}))).addError(Forbidden, { status: 403 }).addError(NotFound, { status: 404 }).addError(BadRequest, { status: 400 }) {};
+
 //#endregion
 //#region ../../packages/api/src/domain/google-service-account-key.ts
 var GoogleServiceAccountKey = class extends Schema.Class("GoogleServiceAccountKey")({
@@ -1432,83 +1540,6 @@ var ProjectsGroup = class extends HttpApiGroup.make("projects").add(HttpApiEndpo
 	description: "Project management endpoints"
 })) {};
 
-//#endregion
-//#region ../../packages/api/src/domain/update.ts
-var Update = class extends Schema.Class("Update")({
-	id: Id,
-	branchId: Id,
-	runtimeVersion: Schema.String,
-	platform: Platform,
-	message: Schema.String,
-	metadataJson: Schema.String,
-	extraJson: Schema.NullOr(Schema.String),
-	groupId: Schema.String,
-	rolloutPercentage: Schema.Number,
-	isRollback: Schema.Boolean,
-	signature: Schema.NullOr(Schema.String),
-	certificateChain: Schema.NullOr(Schema.String),
-	manifestBody: Schema.NullOr(Schema.String),
-	directiveBody: Schema.NullOr(Schema.String),
-	createdAt: DateTimeString
-}) {};
-const UpdateSortColumn = Schema.Literal("createdAt", "runtimeVersion", "platform", "rolloutPercentage");
-/**
-* Sort param: column name optionally prefixed with `-` for descending.
-* Example: `runtimeVersion` (asc), `-createdAt` (desc).
-*/
-const UpdateSort = Schema.Union(UpdateSortColumn, Schema.TemplateLiteral("-", UpdateSortColumn));
-const ListUpdatesParams = Schema.Struct({
-	projectId: Id,
-	branchId: Schema.optional(Id),
-	platform: Schema.optional(Platform),
-	...PaginationParams.fields,
-	sort: Schema.optional(UpdateSort)
-});
-const AssetRef = Schema.Struct({
-	hash: Schema.String,
-	key: Schema.String,
-	isLaunch: Schema.Boolean,
-	contentChecksum: Schema.optional(Schema.String)
-});
-const CreateUpdateBody = Schema.Struct({
-	branch: Schema.String.pipe(Schema.minLength(1)),
-	slug: Schema.String.pipe(Schema.minLength(1)),
-	runtimeVersion: Schema.String.pipe(Schema.minLength(1)),
-	platform: Platform,
-	message: Schema.String,
-	groupId: Schema.String.pipe(Schema.minLength(1)),
-	metadata: Schema.Record({
-		key: Schema.String,
-		value: Schema.Unknown
-	}),
-	extra: Schema.optional(Schema.Record({
-		key: Schema.String,
-		value: Schema.Unknown
-	})),
-	assets: Schema.Array(AssetRef),
-	manifestBody: Schema.optional(Schema.String),
-	directiveBody: Schema.optional(Schema.String),
-	isRollback: Schema.optional(Schema.Boolean),
-	signature: Schema.optional(Schema.String),
-	certificateChain: Schema.optional(Schema.String),
-	rolloutPercentage: Schema.optional(Schema.Number.pipe(Schema.int(), Schema.between(1, 100)))
-});
-const RepublishBody = Schema.Struct({
-	sourceUpdateId: Schema.optional(Id),
-	sourceGroupId: Schema.optional(Schema.String.pipe(Schema.minLength(1))),
-	destinationBranchId: Schema.optional(Id),
-	destinationChannel: Schema.optional(Schema.String.pipe(Schema.minLength(1))),
-	message: Schema.optional(Schema.String),
-	signedUpdates: Schema.optional(Schema.Array(Schema.Struct({
-		sourceUpdateId: Id,
-		manifestBody: Schema.String.pipe(Schema.minLength(1)),
-		signature: Schema.String.pipe(Schema.minLength(1)),
-		certificateChain: Schema.String.pipe(Schema.minLength(1))
-	})))
-});
-const RepublishResult = Schema.Struct({ updates: Schema.Array(Update) });
-const DeleteUpdateResult = Schema.Struct({ deleted: Schema.Number });
-
 //#endregion
 //#region ../../packages/api/src/groups/updates.ts
 const idParam$1 = HttpApiSchema.param("id", Schema.String);
@@ -1527,6 +1558,12 @@ var UpdatesGroup = class extends HttpApiGroup.make("updates").add(HttpApiEndpoin
 }))).add(HttpApiEndpoint.get("get")`/api/updates/${idParam$1}`.addSuccess(Update).annotateContext(OpenApi.annotations({
 	title: "Get update",
 	description: "Fetch a single update by ID"
+}))).add(HttpApiEndpoint.get("getGroup")`/api/update-groups/${groupIdParam}`.addSuccess(Schema.Struct({ items: Schema.Array(Update) })).annotateContext(OpenApi.annotations({
+	title: "Get update group",
+	description: "Fetch all updates in a group (paired iOS + Android variants)"
+}))).add(HttpApiEndpoint.get("listAssets")`/api/updates/${idParam$1}/assets`.addSuccess(Schema.Array(UpdateAssetEntry)).annotateContext(OpenApi.annotations({
+	title: "List update assets",
+	description: "Fetch the asset references (key + hash + launch flag) for an update"
 }))).add(HttpApiEndpoint.del("deleteGroup")`/api/updates/${groupIdParam}`.addSuccess(DeleteUpdateResult).annotateContext(OpenApi.annotations({
 	title: "Delete update group",
 	description: "Delete all updates in a group (paired iOS + Android updates)"
@@ -1604,7 +1641,7 @@ var WebhooksGroup = class extends HttpApiGroup.make("webhooks").add(HttpApiEndpo
 
 //#endregion
 //#region ../../packages/api/src/api.ts
-var ManagementApi = class extends HttpApi.make("management-api").add(ProjectsGroup).add(BranchesGroup).add(ChannelsGroup).add(UpdatesGroup).add(AssetsGroup).add(AnalyticsGroup).add(BuildsGroup).add(EnvVarsGroup).add(AuditLogsGroup).add(DevicesGroup).add(AppleTeamsGroup).add(AppleDistributionCertificatesGroup).add(ApplePushKeysGroup).add(AscApiKeysGroup).add(AppleProvisioningProfilesGroup).add(GoogleServiceAccountKeysGroup).add(IosBundleConfigurationsGroup).add(AndroidApplicationIdentifiersGroup).add(AndroidUploadKeystoresGroup).add(AndroidBuildCredentialsGroup).add(BuildCredentialsGroup).add(MeGroup).add(WebhooksGroup).middleware(Authentication).annotateContext(OpenApi.annotations({
+var ManagementApi = class extends HttpApi.make("management-api").add(ProjectsGroup).add(BranchesGroup).add(ChannelsGroup).add(UpdatesGroup).add(AssetsGroup).add(AnalyticsGroup).add(BuildsGroup).add(EnvVarsGroup).add(FingerprintsGroup).add(AuditLogsGroup).add(DevicesGroup).add(AppleTeamsGroup).add(AppleDistributionCertificatesGroup).add(ApplePushKeysGroup).add(AscApiKeysGroup).add(AppleProvisioningProfilesGroup).add(GoogleServiceAccountKeysGroup).add(IosBundleConfigurationsGroup).add(AndroidApplicationIdentifiersGroup).add(AndroidUploadKeystoresGroup).add(AndroidBuildCredentialsGroup).add(BuildCredentialsGroup).add(MeGroup).add(WebhooksGroup).middleware(Authentication).annotateContext(OpenApi.annotations({
 	title: "Better Update Management API",
 	version: "1.0.0",
 	description: "Management API for OTA update publishing, deployment, and analytics"
@@ -1665,6 +1702,7 @@ var InvalidArgumentError = class extends Data.TaggedError("InvalidArgumentError"
 var InteractiveProhibitedError = class extends Data.TaggedError("InteractiveProhibitedError") {};
 var CredentialsJsonError = class extends Data.TaggedError("CredentialsJsonError") {};
 var DirtyRepoError = class extends Data.TaggedError("DirtyRepoError") {};
+var StagingError = class extends Data.TaggedError("StagingError") {};
 
 //#endregion
 //#region src/lib/format-error.ts
@@ -4148,7 +4186,8 @@ const downloadAndroidCredentials = (api, options) => Effect.gen(function* () {
 		path: { projectId: options.projectId },
 		payload: {
 			platform: "android",
-			applicationIdentifier: options.applicationIdentifier
+			applicationIdentifier: options.applicationIdentifier,
+			...options.buildProfile === void 0 ? {} : { buildProfile: options.buildProfile }
 		}
 	}).pipe(Effect.mapError((cause) => resolveErrorToMissingCredentials(cause, "android")));
 	if (resolved.platform !== "android") return yield* Effect.fail(new MissingCredentialsError({
@@ -4592,7 +4631,8 @@ const runAndroidBuild = (input) => Effect.gen(function* () {
 	const credentials = input.credentialsSource === "local" ? yield* loadLocalAndroidCredentials({ projectRoot }) : yield* downloadAndroidCredentials(api, {
 		projectId,
 		applicationIdentifier,
-		tempDir
+		tempDir,
+		buildProfile: input.profileName
 	});
 	yield* runStep({
 		command: "bunx",
@@ -5911,7 +5951,8 @@ const buildReserveCommon = (input) => ({
 	...input.buildNumber === void 0 ? {} : { buildNumber: input.buildNumber },
 	...input.gitContext.ref === void 0 ? {} : { gitRef: input.gitContext.ref },
 	...input.gitContext.commit === void 0 ? {} : { gitCommit: input.gitContext.commit },
-	...input.message === void 0 ? {} : { message: input.message }
+	...input.message === void 0 ? {} : { message: input.message },
+	...input.fingerprintHash === void 0 ? {} : { fingerprintHash: input.fingerprintHash }
 });
 const callReserve = (api, input) => {
 	const common = buildReserveCommon(input);
@@ -6405,6 +6446,26 @@ const pullEnvVars = (api, { projectId, environment }) => {
 	} }).pipe(Effect.map((result) => Object.fromEntries(result.items.map((item) => [item.key, item.value]))), Effect.mapError((cause) => new EnvExportError({ message: `Failed to export environment variables for "${environment}": ${String(cause)}` })));
 };
 
+//#endregion
+//#region src/lib/fingerprint.ts
+var FingerprintError = class extends Data.TaggedError("FingerprintError") {};
+const runFingerprintFull = (projectRoot) => Effect.gen(function* () {
+	const cmd = Command.make("bunx", "@expo/fingerprint", projectRoot).pipe(Command.workingDirectory(projectRoot));
+	const stdout = yield* Command.string(cmd).pipe(Effect.mapError((cause) => new FingerprintError({ message: `Failed to run "@expo/fingerprint": ${cause.message}` })));
+	const parsed = yield* Effect.try({
+		try: () => JSON.parse(stdout),
+		catch: () => new FingerprintError({ message: "Failed to parse @expo/fingerprint output as JSON." })
+	});
+	if (!isRecord(parsed)) return yield* new FingerprintError({ message: "@expo/fingerprint output was not a JSON object." });
+	const { hash } = parsed;
+	if (typeof hash !== "string" || hash.length === 0) return yield* new FingerprintError({ message: "@expo/fingerprint output did not contain a \"hash\" string field." });
+	const sourcesRaw = parsed["sources"];
+	return {
+		hash,
+		sources: Array.isArray(sourcesRaw) ? sourcesRaw : []
+	};
+});
+
 //#endregion
 //#region src/lib/git-context.ts
 const runString = (cmd, cwd) => Command.string(Command.workingDirectory(cmd, cwd));
@@ -6520,6 +6581,131 @@ const detectPlatform = (explicit, config) => Effect.gen(function* () {
 	})));
 });
 
+//#endregion
+//#region src/lib/project-staging.ts
+const LOCKFILES = [
+	["bun.lock", "bun"],
+	["bun.lockb", "bun"],
+	["pnpm-lock.yaml", "pnpm"],
+	["yarn.lock", "yarn"],
+	["package-lock.json", "npm"]
+];
+/**
+* Paths never copied into staging — covers generated native build outputs and
+* dependency dirs that must be reinstalled fresh in staging.
+*/
+const ALWAYS_IGNORE = [
+	"node_modules",
+	".git",
+	"ios/build",
+	"ios/Pods",
+	"ios/DerivedData",
+	"android/build",
+	"android/app/build",
+	"android/.gradle",
+	"android/.kotlin",
+	".expo",
+	".gradle",
+	".turbo",
+	"dist"
+];
+const findLockfile = (fs, dir) => Effect.gen(function* () {
+	for (const [name, pm] of LOCKFILES) if (yield* fs.exists(path.join(dir, name)).pipe(Effect.catchAll(() => Effect.succeed(false)))) return pm;
+});
+const walkUpForLockfile = (startCwd, dir) => Effect.gen(function* () {
+	const pm = yield* findLockfile(yield* FileSystem.FileSystem, dir);
+	if (pm !== void 0) return {
+		workspaceRoot: dir,
+		packageManager: pm
+	};
+	const parent = path.dirname(dir);
+	if (parent === dir) return {
+		workspaceRoot: startCwd,
+		packageManager: "bun"
+	};
+	return yield* walkUpForLockfile(startCwd, parent);
+});
+/**
+* Walk up from `cwd` to the first ancestor directory containing a lockfile.
+* That directory is the install root (monorepo workspace root or the app dir
+* itself in single-app layouts). Defaults to `cwd` + bun when no lockfile is
+* found anywhere up to the volume root.
+*/
+const detectWorkspaceRoot = (cwd) => walkUpForLockfile(cwd, cwd);
+/**
+* Build an `Ignore` matcher for the workspace root. `.easignore` REPLACES
+* `.gitignore` when present (matches EAS semantics); otherwise `.gitignore`
+* is layered on top of the always-ignore baseline.
+*/
+const buildIgnoreInstance = (workspaceRoot) => Effect.gen(function* () {
+	const fs = yield* FileSystem.FileSystem;
+	const ig = ignore();
+	ig.add([...ALWAYS_IGNORE]);
+	const easignorePath = path.join(workspaceRoot, ".easignore");
+	if (yield* fs.exists(easignorePath).pipe(Effect.catchAll(() => Effect.succeed(false)))) {
+		const content = yield* fs.readFileString(easignorePath).pipe(Effect.catchAll(() => Effect.succeed("")));
+		ig.add(content);
+		return ig;
+	}
+	const gitignorePath = path.join(workspaceRoot, ".gitignore");
+	if (yield* fs.exists(gitignorePath).pipe(Effect.catchAll(() => Effect.succeed(false)))) {
+		const content = yield* fs.readFileString(gitignorePath).pipe(Effect.catchAll(() => Effect.succeed("")));
+		ig.add(content);
+	}
+	return ig;
+});
+const copyProjectTree = (params) => Effect.tryPromise({
+	try: async () => {
+		await promises.cp(params.source, params.dest, {
+			recursive: true,
+			dereference: false,
+			filter: (src) => {
+				const rel = path.relative(params.source, src);
+				if (rel === "") return true;
+				const posixRel = rel.split(path.sep).join("/");
+				return !params.ig.ignores(posixRel);
+			}
+		});
+	},
+	catch: (cause) => new StagingError({ message: `Failed to copy project to staging dir: ${formatCause(cause)}` })
+});
+const runInstall = (params) => runStep({
+	command: params.packageManager,
+	args: ["install"],
+	cwd: params.stagingRoot,
+	env: params.env
+}, `${params.packageManager} install`);
+/**
+* Copy the user's project (or workspace root, for monorepos) into a fresh
+* directory inside `tempDir`, then run `<pm> install` there. The build then
+* runs entirely against the staged copy — the user's working tree stays clean
+* regardless of what `expo prebuild`, `pod install`, or `gradlew` write.
+*/
+const prepareStagingProject = (input) => Effect.gen(function* () {
+	const runtime = yield* CliRuntime;
+	const { workspaceRoot, packageManager } = yield* detectWorkspaceRoot(input.userCwd);
+	const relAppPath = path.relative(workspaceRoot, input.userCwd);
+	const stagingRoot = path.join(input.tempDir, "project");
+	const projectRoot = relAppPath === "" ? stagingRoot : path.join(stagingRoot, relAppPath);
+	yield* Console.log(`Staging build into ${stagingRoot}${relAppPath === "" ? "" : ` (app: ${relAppPath})`}`);
+	yield* copyProjectTree({
+		source: workspaceRoot,
+		dest: stagingRoot,
+		ig: yield* buildIgnoreInstance(workspaceRoot)
+	});
+	yield* runInstall({
+		stagingRoot,
+		packageManager,
+		env: yield* runtime.commandEnvironment(input.envVars)
+	});
+	return {
+		stagingRoot,
+		projectRoot,
+		packageManager,
+		relAppPath
+	};
+});
+
 //#endregion
 //#region src/lib/repo-clean.ts
 const MAX_FILES_SHOWN = 10;
@@ -6543,26 +6729,6 @@ const ensureRepoClean = ({ projectRoot, allowDirty, label }) => Effect.gen(funct
 	if (!(yield* promptConfirm(`Continue ${label} with uncommitted changes?`, { initialValue: false }))) yield* new DirtyRepoError({ message: `${label} cancelled by user.` });
 });
 
-//#endregion
-//#region src/lib/fingerprint.ts
-var FingerprintError = class extends Data.TaggedError("FingerprintError") {};
-const runFingerprintFull = (projectRoot) => Effect.gen(function* () {
-	const cmd = Command.make("bunx", "@expo/fingerprint", projectRoot).pipe(Command.workingDirectory(projectRoot));
-	const stdout = yield* Command.string(cmd).pipe(Effect.mapError((cause) => new FingerprintError({ message: `Failed to run "@expo/fingerprint": ${cause.message}` })));
-	const parsed = yield* Effect.try({
-		try: () => JSON.parse(stdout),
-		catch: () => new FingerprintError({ message: "Failed to parse @expo/fingerprint output as JSON." })
-	});
-	if (!isRecord(parsed)) return yield* new FingerprintError({ message: "@expo/fingerprint output was not a JSON object." });
-	const { hash } = parsed;
-	if (typeof hash !== "string" || hash.length === 0) return yield* new FingerprintError({ message: "@expo/fingerprint output did not contain a \"hash\" string field." });
-	const sourcesRaw = parsed["sources"];
-	return {
-		hash,
-		sources: Array.isArray(sourcesRaw) ? sourcesRaw : []
-	};
-});
-
 //#endregion
 //#region src/lib/runtime-version.ts
 const resolveRuntimeVersion = ({ raw, appVersion, projectRoot }) => Effect.gen(function* () {
@@ -6641,7 +6807,8 @@ const runAndroidPlatformBuild = (input) => Effect.gen(function* () {
 			applicationIdentifier,
 			envVars,
 			projectId,
-			credentialsSource
+			credentialsSource,
+			profileName: profile.name
 		}),
 		target: androidProfile.format === "aab" ? {
 			platform: "android",
@@ -6669,35 +6836,40 @@ const resolveProfileName = (projectRoot, requested) => Effect.gen(function* () {
 });
 const runBuildWorkflow = (options) => Effect.scoped(Effect.gen(function* () {
 	const api = yield* apiClient;
-	const projectRoot = yield* (yield* CliRuntime).cwd;
+	const userCwd = yield* (yield* CliRuntime).cwd;
 	yield* ensureRepoClean({
-		projectRoot,
+		projectRoot: userCwd,
 		allowDirty: options.allowDirty ?? false,
 		label: "build"
 	});
-	const baseConfig = yield* readExpoConfig(projectRoot);
+	const baseConfig = yield* readExpoConfig(userCwd);
 	const projectId = yield* extractProjectId(baseConfig);
 	const platform = yield* detectPlatform(options.platform, baseConfig);
-	const profile = yield* readBuildProfile(projectRoot, yield* resolveProfileName(projectRoot, options.profileName));
+	const profile = yield* readBuildProfile(userCwd, yield* resolveProfileName(userCwd, options.profileName));
 	const envVars = yield* pullEnvVars(api, {
 		projectId,
 		environment: profile.environment
 	});
 	yield* applyAutoIncrement({
-		projectRoot,
+		projectRoot: userCwd,
 		platform,
-		config: yield* readExpoConfig(projectRoot, envVars),
+		config: yield* readExpoConfig(userCwd, envVars),
 		...platform === "ios" && profile.ios?.autoIncrement !== void 0 ? { iosMode: profile.ios.autoIncrement } : {},
 		...platform === "android" && profile.android?.autoIncrement !== void 0 ? { androidMode: profile.android.autoIncrement } : {}
 	});
-	const appMeta = yield* readAppMeta(yield* readExpoConfig(projectRoot, envVars), platform);
+	const appMeta = yield* readAppMeta(yield* readExpoConfig(userCwd, envVars), platform);
 	const runtimeVersion = yield* resolveRuntimeVersion({
 		raw: appMeta.rawRuntimeVersion,
 		appVersion: appMeta.appVersion,
-		projectRoot
+		projectRoot: userCwd
 	});
-	if (options.clearCache) yield* clearBuildCaches(projectRoot);
+	if (options.clearCache) yield* clearBuildCaches(userCwd);
 	const tempDir = yield* acquireBuildTempDir;
+	const staging = yield* prepareStagingProject({
+		userCwd,
+		tempDir,
+		envVars
+	});
 	yield* Console.log(`Building ${platform} artifact for profile "${profile.name}" (runtimeVersion=${runtimeVersion})`);
 	const { build, target, bundleId } = yield* runPlatformBuild({
 		api,
@@ -6707,14 +6879,14 @@ const runBuildWorkflow = (options) => Effect.scoped(Effect.gen(function* () {
 		appMeta,
 		envVars,
 		projectId,
-		projectRoot,
+		projectRoot: staging.projectRoot,
 		tempDir
 	});
 	yield* Console.log(`Artifact produced: ${build.artifactPath}`);
 	let exportedArtifactPath = void 0;
 	if (options.output !== void 0) {
 		const fs = yield* FileSystem.FileSystem;
-		const outputPath = path.resolve(projectRoot, options.output);
+		const outputPath = path.resolve(userCwd, options.output);
 		const outputDir = path.dirname(outputPath);
 		yield* fs.makeDirectory(outputDir, { recursive: true }).pipe(Effect.mapError((cause) => new BuildProfileError({ message: `Failed to create output directory: ${formatCause(cause)}` })));
 		yield* fs.copyFile(build.artifactPath, outputPath).pipe(Effect.mapError((cause) => new BuildProfileError({ message: `Failed to copy artifact to ${outputPath}: ${formatCause(cause)}` })));
@@ -6731,12 +6903,13 @@ const runBuildWorkflow = (options) => Effect.scoped(Effect.gen(function* () {
 		]);
 		return;
 	}
-	const rawGitContext = yield* readGitContext(projectRoot);
+	const rawGitContext = yield* readGitContext(userCwd);
 	const gitContext = {
 		...rawGitContext.ref === void 0 ? {} : { ref: rawGitContext.ref },
 		...rawGitContext.commit === void 0 ? {} : { commit: rawGitContext.commit },
 		dirty: rawGitContext.dirty
 	};
+	const fingerprintHash = yield* runFingerprintFull(userCwd).pipe(Effect.map((entry) => entry.hash), Effect.catchAll(() => Effect.succeed(void 0)));
 	const result = yield* reserveAndUpload(api, {
 		target,
 		projectId,
@@ -6747,6 +6920,7 @@ const runBuildWorkflow = (options) => Effect.scoped(Effect.gen(function* () {
 		bundleId,
 		gitContext,
 		...options.message === void 0 ? {} : { message: options.message },
+		...fingerprintHash === void 0 ? {} : { fingerprintHash },
 		artifactPath: build.artifactPath,
 		sha256: build.sha256,
 		byteSize: build.byteSize
@@ -6875,7 +7049,8 @@ const BUILD_EXIT_EXTRAS = {
 	PresignedUrlExpiredError: 7,
 	CompleteError: 7,
 	EnvExportError: 7,
-	DirtyRepoError: 3
+	DirtyRepoError: 3,
+	StagingError: 6
 };
 const buildCommand = defineCommand({
 	meta: {
@@ -7633,6 +7808,7 @@ const runUploadWorkflow = (options) => Effect.gen(function* () {
 		...rawGitContext.commit === void 0 ? {} : { commit: rawGitContext.commit },
 		dirty: rawGitContext.dirty
 	};
+	const fingerprintHash = yield* runFingerprintFull(projectRoot).pipe(Effect.map((entry) => entry.hash), Effect.catchAll(() => Effect.succeed(void 0)));
 	const result = yield* reserveAndUpload(api, {
 		target,
 		projectId,
@@ -7643,6 +7819,7 @@ const runUploadWorkflow = (options) => Effect.gen(function* () {
 		bundleId,
 		gitContext,
 		...options.message === void 0 ? {} : { message: options.message },
+		...fingerprintHash === void 0 ? {} : { fingerprintHash },
 		artifactPath: options.artifactPath,
 		sha256,
 		byteSize
@@ -13482,7 +13659,8 @@ const publishPlatform = (params) => Effect.gen(function* () {
 			signature: params.signedPayload.signature,
 			certificateChain: params.signedPayload.certificateChain
 		} : {},
-		...params.rolloutPercentage === void 0 ? {} : { rolloutPercentage: params.rolloutPercentage }
+		...params.rolloutPercentage === void 0 ? {} : { rolloutPercentage: params.rolloutPercentage },
+		...params.fingerprintHash === void 0 ? {} : { fingerprintHash: params.fingerprintHash }
 	} }).pipe(Effect.mapError((cause) => new UpdatePublishError({ message: `Failed to publish ${params.platform} update: ${formatCause(cause)}` })));
 	return {
 		platform: params.platform,
@@ -13531,6 +13709,7 @@ const runUpdatePublish = (options) => Effect.scoped(Effect.gen(function* () {
 	const sharedExportDir = options.inputDir === void 0 ? void 0 : path.resolve(projectRoot, options.inputDir);
 	const groupId = randomUUID();
 	const message = resolvedMessage ?? "Publish via better-update CLI";
+	const fingerprintHash = yield* runFingerprintFull(projectRoot).pipe(Effect.map((result) => result.hash), Effect.catchAll(() => Effect.succeed(void 0)));
 	if ((yield* InteractiveMode).allow && !options.auto) {
 		if (!(yield* confirmPublishPreview({
 			branch,
@@ -13576,6 +13755,7 @@ const runUpdatePublish = (options) => Effect.scoped(Effect.gen(function* () {
 		platform,
 		signedPayload: signedPayloads[platform] ?? null,
 		rolloutPercentage: options.rolloutPercentage,
+		fingerprintHash,
 		skipBundler: options.skipBundler,
 		noBytecode: options.noBytecode,
 		sourceMaps: options.sourceMaps