@better-update/cli 0.3.0 → 0.3.2

package/src/lib/credentials-manager.ts

@@ -1,354 +0,0 @@
-import { toBase64 } from "@better-update/encoding";
-import { FileSystem } from "@effect/platform";
-import { Effect, Match } from "effect";
-
-import { CredentialValidationError } from "./exit-codes";
-import { inspectP12 } from "./pkcs12";
-
-import type { ApiClient } from "../services/api-client";
-
-export type CliCredentialType =
-  | "distribution-certificate"
-  | "push-key"
-  | "asc-api-key"
-  | "provisioning-profile"
-  | "keystore"
-  | "google-service-account-key";
-
-export type CliCredentialPlatform = "ios" | "android";
-
-export interface CliCredentialRow {
-  readonly id: string;
-  readonly name: string;
-  readonly platform: CliCredentialPlatform;
-  readonly type: CliCredentialType;
-  readonly distribution: string | null;
-}
-
-const formatDistribution = (value: string): string => value.toLowerCase().replaceAll("_", "-");
-
-export const listAllCredentials = (api: ApiClient) =>
-  Effect.gen(function* () {
-    const [certs, pushKeys, ascKeys, profiles, keystores, googleKeys] = yield* Effect.all(
-      [
-        api.appleDistributionCertificates.list(),
-        api.applePushKeys.list(),
-        api.ascApiKeys.list(),
-        api.appleProvisioningProfiles.list({ urlParams: {} }),
-        api.androidUploadKeystores.list(),
-        api.googleServiceAccountKeys.list(),
-      ],
-      { concurrency: "unbounded" },
-    );
-
-    const rows: CliCredentialRow[] = [
-      ...certs.items.map(
-        (cert): CliCredentialRow => ({
-          id: cert.id,
-          name: cert.serialNumber,
-          platform: "ios",
-          type: "distribution-certificate",
-          distribution: null,
-        }),
-      ),
-      ...pushKeys.items.map(
-        (key): CliCredentialRow => ({
-          id: key.id,
-          name: key.keyId,
-          platform: "ios",
-          type: "push-key",
-          distribution: null,
-        }),
-      ),
-      ...ascKeys.items.map(
-        (key): CliCredentialRow => ({
-          id: key.id,
-          name: key.name,
-          platform: "ios",
-          type: "asc-api-key",
-          distribution: null,
-        }),
-      ),
-      ...profiles.items.map(
-        (profile): CliCredentialRow => ({
-          id: profile.id,
-          name: profile.profileName ?? profile.bundleIdentifier,
-          platform: "ios",
-          type: "provisioning-profile",
-          distribution: formatDistribution(profile.distributionType),
-        }),
-      ),
-      ...keystores.items.map(
-        (ks): CliCredentialRow => ({
-          id: ks.id,
-          name: ks.keyAlias,
-          platform: "android",
-          type: "keystore",
-          distribution: null,
-        }),
-      ),
-      ...googleKeys.items.map(
-        (key): CliCredentialRow => ({
-          id: key.id,
-          name: key.clientEmail,
-          platform: "android",
-          type: "google-service-account-key",
-          distribution: null,
-        }),
-      ),
-    ];
-
-    return rows;
-  });
-
-export const filterCredentials = (
-  rows: readonly CliCredentialRow[],
-  filter: {
-    readonly platform?: CliCredentialPlatform;
-    readonly type?: CliCredentialType;
-    readonly distribution?: string;
-  },
-): CliCredentialRow[] =>
-  rows.filter((row) => {
-    if (filter.platform && row.platform !== filter.platform) {
-      return false;
-    }
-    if (filter.type && row.type !== filter.type) {
-      return false;
-    }
-    if (filter.distribution && row.distribution !== filter.distribution) {
-      return false;
-    }
-    return true;
-  });
-
-export interface UploadCredentialInput {
-  readonly platform: CliCredentialPlatform;
-  readonly type: CliCredentialType;
-  readonly name: string;
-  readonly filePath: string;
-  readonly password?: string;
-  readonly distribution?: string;
-  readonly keyAlias?: string;
-  readonly keyPassword?: string;
-  readonly keyId?: string;
-  readonly issuerId?: string;
-  readonly appleTeamIdentifier?: string;
-}
-
-const toUtf8 = (bytes: Uint8Array): string => new TextDecoder().decode(bytes);
-
-const missing = (label: string) =>
-  new CredentialValidationError({
-    message: `Missing --${label} required for the selected credential type.`,
-  });
-
-const uploadIosDistributionCertificate = (
-  api: ApiClient,
-  input: UploadCredentialInput,
-  bytes: Uint8Array,
-) =>
-  Effect.gen(function* () {
-    if (input.password === undefined) {
-      return yield* missing("password");
-    }
-    const info = yield* inspectP12({ data: Buffer.from(bytes), password: input.password });
-    if (!info.teamId) {
-      return yield* new CredentialValidationError({
-        message:
-          "Could not derive Apple Team ID from certificate subject (expected OU=TEAMID or CN with (TEAMID)).",
-      });
-    }
-    if (!info.validFrom || !info.expiresAt) {
-      return yield* new CredentialValidationError({
-        message: "Certificate is missing notBefore/notAfter dates.",
-      });
-    }
-    const created = yield* api.appleDistributionCertificates.upload({
-      payload: {
-        p12Base64: toBase64(bytes),
-        p12Password: input.password,
-        serialNumber: info.serialNumber,
-        appleTeamIdentifier: info.teamId,
-        validFrom: info.validFrom.toISOString(),
-        validUntil: info.expiresAt.toISOString(),
-      },
-    });
-    return {
-      id: created.id,
-      name: input.name,
-      platform: "ios" as const,
-      type: "distribution-certificate" as const,
-    };
-  });
-
-const uploadIosPushKey = (api: ApiClient, input: UploadCredentialInput, bytes: Uint8Array) =>
-  Effect.gen(function* () {
-    if (!input.keyId) {
-      return yield* missing("key-id");
-    }
-    if (!input.appleTeamIdentifier) {
-      return yield* missing("apple-team-identifier");
-    }
-    const created = yield* api.applePushKeys.upload({
-      payload: {
-        keyId: input.keyId,
-        p8Pem: toUtf8(bytes),
-        appleTeamIdentifier: input.appleTeamIdentifier,
-      },
-    });
-    return {
-      id: created.id,
-      name: input.name,
-      platform: "ios" as const,
-      type: "push-key" as const,
-    };
-  });
-
-const uploadIosAscApiKey = (api: ApiClient, input: UploadCredentialInput, bytes: Uint8Array) =>
-  Effect.gen(function* () {
-    if (!input.keyId) {
-      return yield* missing("key-id");
-    }
-    if (!input.issuerId) {
-      return yield* missing("issuer-id");
-    }
-    const created = yield* api.ascApiKeys.upload({
-      payload: {
-        name: input.name,
-        keyId: input.keyId,
-        issuerId: input.issuerId,
-        p8Pem: toUtf8(bytes),
-        ...(input.appleTeamIdentifier === undefined
-          ? {}
-          : { appleTeamIdentifier: input.appleTeamIdentifier }),
-      },
-    });
-    return {
-      id: created.id,
-      name: input.name,
-      platform: "ios" as const,
-      type: "asc-api-key" as const,
-    };
-  });
-
-const uploadIosProvisioningProfile = (
-  api: ApiClient,
-  input: UploadCredentialInput,
-  bytes: Uint8Array,
-) =>
-  Effect.gen(function* () {
-    const created = yield* api.appleProvisioningProfiles.upload({
-      payload: { profileBase64: toBase64(bytes) },
-    });
-    return {
-      id: created.id,
-      name: input.name,
-      platform: "ios" as const,
-      type: "provisioning-profile" as const,
-    };
-  });
-
-const uploadAndroidKeystore = (api: ApiClient, input: UploadCredentialInput, bytes: Uint8Array) =>
-  Effect.gen(function* () {
-    if (input.password === undefined) {
-      return yield* missing("password");
-    }
-    if (!input.keyAlias) {
-      return yield* missing("key-alias");
-    }
-    if (!input.keyPassword) {
-      return yield* missing("key-password");
-    }
-    const created = yield* api.androidUploadKeystores.upload({
-      payload: {
-        keystoreBase64: toBase64(bytes),
-        keyAlias: input.keyAlias,
-        keystorePassword: input.password,
-        keyPassword: input.keyPassword,
-      },
-    });
-    return {
-      id: created.id,
-      name: input.name,
-      platform: "android" as const,
-      type: "keystore" as const,
-    };
-  });
-
-const uploadAndroidGoogleServiceAccountKey = (
-  api: ApiClient,
-  input: UploadCredentialInput,
-  bytes: Uint8Array,
-) =>
-  Effect.gen(function* () {
-    const created = yield* api.googleServiceAccountKeys.upload({
-      payload: { json: toUtf8(bytes) },
-    });
-    return {
-      id: created.id,
-      name: input.name,
-      platform: "android" as const,
-      type: "google-service-account-key" as const,
-    };
-  });
-
-const uploadHandlers = {
-  "ios:distribution-certificate": uploadIosDistributionCertificate,
-  "ios:push-key": uploadIosPushKey,
-  "ios:asc-api-key": uploadIosAscApiKey,
-  "ios:provisioning-profile": uploadIosProvisioningProfile,
-  "android:keystore": uploadAndroidKeystore,
-  "android:google-service-account-key": uploadAndroidGoogleServiceAccountKey,
-};
-
-export const uploadCredential = (api: ApiClient, input: UploadCredentialInput) =>
-  Effect.gen(function* () {
-    const fs = yield* FileSystem.FileSystem;
-    const bytes = yield* fs.readFile(input.filePath);
-    const key = `${input.platform}:${input.type}`;
-    type HandlerKey = keyof typeof uploadHandlers;
-    const hasKey = (candidate: string): candidate is HandlerKey =>
-      Object.hasOwn(uploadHandlers, candidate);
-    const handler = hasKey(key) ? uploadHandlers[key] : undefined;
-    if (!handler) {
-      return yield* new CredentialValidationError({
-        message: `Unsupported credential combination: platform=${input.platform} type=${input.type}`,
-      });
-    }
-    return yield* handler(api, input, bytes);
-  });
-
-export const deleteCredential = (
-  api: ApiClient,
-  input: {
-    readonly id: string;
-    readonly platform: CliCredentialPlatform;
-    readonly type: CliCredentialType;
-  },
-) => {
-  const path = { id: input.id };
-  return Match.value({ platform: input.platform, type: input.type }).pipe(
-    Match.when({ platform: "ios", type: "distribution-certificate" }, () =>
-      api.appleDistributionCertificates.delete({ path }),
-    ),
-    Match.when({ platform: "ios", type: "push-key" }, () => api.applePushKeys.delete({ path })),
-    Match.when({ platform: "ios", type: "asc-api-key" }, () => api.ascApiKeys.delete({ path })),
-    Match.when({ platform: "ios", type: "provisioning-profile" }, () =>
-      api.appleProvisioningProfiles.delete({ path }),
-    ),
-    Match.when({ platform: "android", type: "keystore" }, () =>
-      api.androidUploadKeystores.delete({ path }),
-    ),
-    Match.when({ platform: "android", type: "google-service-account-key" }, () =>
-      api.googleServiceAccountKeys.delete({ path }),
-    ),
-    Match.orElse(() =>
-      Effect.fail(
-        new CredentialValidationError({
-          message: `Unsupported credential combination: platform=${input.platform} type=${input.type}`,
-        }),
-      ),
-    ),
-  );
-};

package/src/lib/env-exporter.test.ts

@@ -1,96 +0,0 @@
-import { it } from "@effect/vitest";
-import { Effect, Exit } from "effect";
-
-import { pullEnvVars } from "./env-exporter";
-import { EnvExportError } from "./exit-codes";
-import { failureError } from "./test-utils";
-
-import type { ApiClient } from "../services/api-client";
-
-// ── helpers ───────────────────────────────────────────────────────
-
-interface ExportResult {
-  readonly environment: string;
-  readonly items: readonly {
-    readonly key: string;
-    readonly value: string;
-    readonly visibility: "plaintext" | "sensitive" | "secret";
-  }[];
-}
-
-const makeApiStub = (
-  exportFn: (args: {
-    urlParams: { projectId: string; environment: string };
-  }) => Effect.Effect<ExportResult, unknown>,
-): ApiClient =>
-  ({
-    "env-vars": {
-      export: exportFn,
-    },
-  }) as unknown as ApiClient;
-
-// ── tests ─────────────────────────────────────────────────────────
-
-describe(pullEnvVars, () => {
-  it.effect("flattens items into a Record<string,string>", () =>
-    Effect.gen(function* () {
-      const api = makeApiStub(() =>
-        Effect.succeed({
-          environment: "production",
-          items: [
-            { key: "API_URL", value: "https://api.example.com", visibility: "plaintext" as const },
-            { key: "SECRET", value: "xyz", visibility: "secret" as const },
-          ],
-        }),
-      );
-      const result = yield* pullEnvVars(api, {
-        projectId: "proj_123",
-        environment: "production",
-      });
-      expect(result).toStrictEqual({
-        API_URL: "https://api.example.com",
-        SECRET: "xyz",
-      });
-    }),
-  );
-
-  it.effect("returns empty object when no items", () =>
-    Effect.gen(function* () {
-      const api = makeApiStub(() => Effect.succeed({ environment: "development", items: [] }));
-      const result = yield* pullEnvVars(api, {
-        projectId: "proj_123",
-        environment: "development",
-      });
-      expect(result).toStrictEqual({});
-    }),
-  );
-
-  it.effect("wraps API errors as EnvExportError", () =>
-    Effect.gen(function* () {
-      const api = makeApiStub(() => Effect.fail(new Error("boom")));
-      const exit = yield* pullEnvVars(api, {
-        projectId: "proj_123",
-        environment: "production",
-      }).pipe(Effect.exit);
-      expect(Exit.isFailure(exit)).toBe(true);
-      if (Exit.isFailure(exit)) {
-        const error = failureError(exit);
-        expect(error).toBeInstanceOf(EnvExportError);
-      }
-    }),
-  );
-
-  it.effect("forwards projectId and environment via urlParams", () =>
-    Effect.gen(function* () {
-      let receivedArgs: { urlParams: { projectId: string; environment: string } } | undefined;
-      const api = makeApiStub((args) => {
-        receivedArgs = args;
-        return Effect.succeed({ environment: args.urlParams.environment, items: [] });
-      });
-      yield* pullEnvVars(api, { projectId: "p_1", environment: "staging" });
-      expect(receivedArgs).toStrictEqual({
-        urlParams: { projectId: "p_1", environment: "staging" },
-      });
-    }),
-  );
-});

package/src/lib/env-exporter.ts

@@ -1,28 +0,0 @@
-import { Effect } from "effect";
-
-import { EnvExportError } from "./exit-codes";
-
-import type { ApiClient } from "../services/api-client";
-
-export interface PullEnvVarsOptions {
-  readonly projectId: string;
-  readonly environment: string;
-}
-
-/**
- * Pull environment variables for a project + environment and flatten them into
- * a key/value map. Returns an empty map when the project has no variables.
- */
-export const pullEnvVars = (
-  api: ApiClient,
-  { projectId, environment }: PullEnvVarsOptions,
-): Effect.Effect<Record<string, string>, EnvExportError> =>
-  api["env-vars"].export({ urlParams: { projectId, environment } }).pipe(
-    Effect.map((result) => Object.fromEntries(result.items.map((item) => [item.key, item.value]))),
-    Effect.mapError(
-      (cause) =>
-        new EnvExportError({
-          message: `Failed to export environment variables for "${environment}": ${String(cause)}`,
-        }),
-    ),
-  );

package/src/lib/exit-codes.ts

@@ -1,82 +0,0 @@
-/* eslint-disable eslint/max-classes-per-file -- dedicated error-taxonomy module: each error class is a small, purpose-built tag used across the CLI for Effect.catchTag */
-
-import { Data } from "effect";
-
-export class AuthRequiredError extends Data.TaggedError("AuthRequiredError")<{
-  readonly message: string;
-}> {}
-
-export class ProjectNotLinkedError extends Data.TaggedError("ProjectNotLinkedError")<{
-  readonly message: string;
-}> {}
-
-export class UploadFailedError extends Data.TaggedError("UploadFailedError")<{
-  readonly message: string;
-}> {}
-
-export class BuildProfileError extends Data.TaggedError("BuildProfileError")<{
-  readonly message: string;
-}> {}
-
-export class RuntimeVersionError extends Data.TaggedError("RuntimeVersionError")<{
-  readonly message: string;
-}> {}
-
-export class MissingCredentialsError extends Data.TaggedError("MissingCredentialsError")<{
-  readonly message: string;
-  readonly hint: string;
-}> {}
-
-export class BuildFailedError extends Data.TaggedError("BuildFailedError")<{
-  readonly step: string;
-  readonly exitCode: number;
-  readonly message: string;
-}> {}
-
-export class ReserveError extends Data.TaggedError("ReserveError")<{
-  readonly message: string;
-}> {}
-
-export class CompleteError extends Data.TaggedError("CompleteError")<{
-  readonly message: string;
-}> {}
-
-export class PresignedUrlExpiredError extends Data.TaggedError("PresignedUrlExpiredError")<{
-  readonly message: string;
-}> {}
-
-export class ArtifactNotFoundError extends Data.TaggedError("ArtifactNotFoundError")<{
-  readonly message: string;
-}> {}
-
-export class KeychainError extends Data.TaggedError("KeychainError")<{
-  readonly message: string;
-}> {}
-
-export class ProvisioningError extends Data.TaggedError("ProvisioningError")<{
-  readonly message: string;
-}> {}
-
-export class EnvExportError extends Data.TaggedError("EnvExportError")<{
-  readonly message: string;
-}> {}
-
-export class UpdatePublishError extends Data.TaggedError("UpdatePublishError")<{
-  readonly message: string;
-}> {}
-
-export class UpdateRollbackError extends Data.TaggedError("UpdateRollbackError")<{
-  readonly message: string;
-}> {}
-
-export class UpdatePromoteError extends Data.TaggedError("UpdatePromoteError")<{
-  readonly message: string;
-}> {}
-
-export class CredentialValidationError extends Data.TaggedError("CredentialValidationError")<{
-  readonly message: string;
-}> {}
-
-export class AppleAuthError extends Data.TaggedError("AppleAuthError")<{
-  readonly message: string;
-}> {}

package/src/lib/expo-config.ts

@@ -1,130 +0,0 @@
-import process from "node:process";
-
-import { Effect } from "effect";
-
-import { BuildProfileError } from "./exit-codes";
-
-import type { AppMeta, Platform, RawRuntimeVersion } from "./build-profile";
-
-interface ExpoConfig {
-  readonly name?: string;
-  readonly slug?: string;
-  readonly version?: string;
-  readonly runtimeVersion?: string | { readonly policy: string };
-  readonly ios?: {
-    readonly bundleIdentifier?: string;
-    readonly buildNumber?: string;
-  };
-  readonly android?: {
-    readonly package?: string;
-    readonly versionCode?: number;
-  };
-  readonly [key: string]: unknown;
-}
-
-/**
- * Resolve the full Expo config using `@expo/config`, which handles
- * `app.json`, `app.config.js`, and `app.config.ts` with plugin evaluation.
- *
- * `envVars` are applied as a scoped overlay on `process.env` for the duration
- * of the call (restored afterwards) so dynamic configs (`app.config.js`)
- * can read them without leaking server-side secrets to child processes.
- *
- * Falls back to undefined if `@expo/config` is not available or fails.
- */
-export const readExpoConfig = (
-  projectRoot: string,
-  envVars: Record<string, string> = {},
-): Effect.Effect<ExpoConfig | undefined> =>
-  Effect.acquireUseRelease(
-    Effect.sync(() => {
-      const previous: Record<string, string | undefined> = {};
-      for (const [key, value] of Object.entries(envVars)) {
-        previous[key] = process.env[key];
-        process.env[key] = value;
-      }
-      return previous;
-    }),
-    () =>
-      Effect.try({
-        try: () => {
-          const expoConfigCjs =
-            // eslint-disable-next-line typescript/no-unsafe-type-assertion -- CJS require returns `any`; narrow to @expo/config's shape at this boundary
-            require("@expo/config") as {
-              getConfig: (
-                projectRoot: string,
-                options?: { skipSDKVersionRequirement?: boolean },
-              ) => { exp: ExpoConfig };
-            };
-          const { getConfig } = expoConfigCjs;
-
-          const { exp } = getConfig(projectRoot, {
-            skipSDKVersionRequirement: true,
-          });
-
-          return exp;
-        },
-        catch: () => undefined,
-      }).pipe(Effect.catchAll(() => Effect.succeed<ExpoConfig | undefined>(undefined))),
-    (previous) =>
-      Effect.sync(() => {
-        for (const [key, value] of Object.entries(previous)) {
-          if (value === undefined) {
-            // eslint-disable-next-line typescript/no-dynamic-delete -- restoring previous process.env snapshot; keys are arbitrary env var names we captured earlier
-            delete process.env[key];
-          } else {
-            process.env[key] = value;
-          }
-        }
-      }),
-  );
-
-const extractBuildNumber = (config: ExpoConfig, platform: Platform): string | undefined => {
-  if (platform === "ios") {
-    return config.ios?.buildNumber;
-  }
-  if (config.android?.versionCode === undefined) {
-    return undefined;
-  }
-  return String(config.android.versionCode);
-};
-
-const extractRawRuntimeVersion = (config: ExpoConfig): RawRuntimeVersion | undefined => {
-  if (typeof config.runtimeVersion === "string") {
-    return config.runtimeVersion;
-  }
-  if (typeof config.runtimeVersion === "object") {
-    return config.runtimeVersion;
-  }
-  return undefined;
-};
-
-/**
- * Extract AppMeta from a resolved ExpoConfig (from `@expo/config`).
- * Mirrors `readAppMeta` from build-profile.ts but uses the resolved config
- * which handles dynamic configs (`app.config.js`, `app.config.ts`).
- */
-export const readAppMetaFromConfig = (
-  config: ExpoConfig,
-  platform: Platform,
-): Effect.Effect<AppMeta, BuildProfileError> =>
-  Effect.gen(function* () {
-    if (platform === "ios" && !config.ios) {
-      return yield* new BuildProfileError({
-        message: "Missing expo.ios section in config. Required for iOS builds (bundleIdentifier).",
-      });
-    }
-    if (platform === "android" && !config.android) {
-      return yield* new BuildProfileError({
-        message: "Missing expo.android section in config. Required for Android builds (package).",
-      });
-    }
-
-    return {
-      bundleId: config.ios?.bundleIdentifier,
-      androidPackage: config.android?.package,
-      appVersion: config.version,
-      buildNumber: extractBuildNumber(config, platform),
-      rawRuntimeVersion: extractRawRuntimeVersion(config),
-    };
-  });