@better-update/cli 0.31.1 → 0.33.0

package/dist/index.mjs

@@ -34,7 +34,7 @@ var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
 //#endregion
 //#region package.json
-var version = "0.31.1";
+var version = "0.33.0";
 
 //#endregion
 //#region src/lib/interactive-mode.ts
@@ -1297,8 +1297,8 @@ var ChannelsGroup = class extends HttpApiGroup.make("channels").add(HttpApiEndpo
 //#endregion
 //#region ../../packages/api/src/domain/device.ts
 const DeviceClass = Schema.Literal("IPHONE", "IPAD", "MAC", "UNKNOWN");
-const IDENTIFIER_PATTERN = /^(?:[A-Fa-f0-9]{40}|[A-Fa-f0-9]{8}-[A-Fa-f0-9]{16}|[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12})$/u;
-const DeviceIdentifier = Schema.String.pipe(Schema.pattern(IDENTIFIER_PATTERN, { message: () => "Identifier must be an Apple UDID: 40 hex chars, 8-16 hex, or UUID (8-4-4-4-12 hex)" }));
+const IDENTIFIER_PATTERN$1 = /^(?:[A-Fa-f0-9]{40}|[A-Fa-f0-9]{8}-[A-Fa-f0-9]{16}|[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12})$/u;
+const DeviceIdentifier = Schema.String.pipe(Schema.pattern(IDENTIFIER_PATTERN$1, { message: () => "Identifier must be an Apple UDID: 40 hex chars, 8-16 hex, or UUID (8-4-4-4-12 hex)" }));
 var Device = class extends Schema.Class("Device")({
 	id: Id,
 	organizationId: Id,
@@ -1324,6 +1324,34 @@ const UpdateDeviceBody = Schema.Struct({
 	enabled: Schema.optional(Schema.Boolean),
 	appleTeamId: Schema.optional(Schema.NullOr(Id))
 });
+/**
+* One device in an App Store Connect snapshot, as reconciled by `syncDevices`.
+* `appleDevicePortalId` is the device's id on Apple's portal — its presence is
+* what the dashboard surfaces as "synced".
+*/
+const SyncDeviceEntry = Schema.Struct({
+	identifier: DeviceIdentifier,
+	name: Name120,
+	deviceClass: DeviceClass,
+	appleDevicePortalId: Schema.String
+});
+/**
+* Reconcile the org's device roster for one Apple team against a snapshot of
+* App Store Connect devices: link portal ids onto existing rows and import any
+* device that only exists on Apple. `appleTeamId` is the internal team Id (UUID).
+*/
+const SyncDevicesBody = Schema.Struct({
+	appleTeamId: Id,
+	devices: Schema.Array(SyncDeviceEntry)
+});
+const SyncDevicesResult = Schema.Struct({
+	/** Devices that existed only on Apple and were imported locally. */
+	created: Schema.Number,
+	/** Local devices that gained (or changed) their Apple portal id. */
+	linked: Schema.Number,
+	/** Local devices already in sync — nothing to do. */
+	unchanged: Schema.Number
+});
 const DeleteDeviceResult = DeletedResult;
 const DeviceSortColumn = Schema.Literal("name", "createdAt", "deviceClass");
 const DeviceSort = sortParam(DeviceSortColumn);
@@ -1374,6 +1402,9 @@ var DevicesGroup = class extends HttpApiGroup.make("devices").add(HttpApiEndpoin
 }))).add(HttpApiEndpoint.del("delete")`/api/devices/${idParam}`.addSuccess(DeleteDeviceResult).annotateContext(OpenApi.annotations({
 	title: "Delete device",
 	description: "Remove a registered device from the organization"
+}))).add(HttpApiEndpoint.post("syncDevices", "/api/devices/sync").setPayload(SyncDevicesBody).addSuccess(SyncDevicesResult).annotateContext(OpenApi.annotations({
+	title: "Sync devices with App Store Connect",
+	description: "Reconcile the org's device roster for one Apple team against an App Store Connect snapshot: link Apple portal ids onto existing devices and import devices that only exist on Apple"
 }))).add(HttpApiEndpoint.post("createRegistrationRequest", "/api/devices/registration-requests").setPayload(CreateRegistrationRequestBody).addSuccess(DeviceRegistrationRequest, { status: 201 }).annotateContext(OpenApi.annotations({
 	title: "Create device registration request",
 	description: "Generate a URL + QR code for self-service device enrollment via Safari on iOS"
@@ -3047,8 +3078,10 @@ const AppleSessionStoreLive = Layer.effect(AppleSessionStore, Effect.gen(functio
 const defaultAppleUtils = {
 	Auth: AppleUtils.Auth,
 	Session: AppleUtils.Session,
+	Teams: AppleUtils.Teams,
 	CookieFileCache: AppleUtils.CookieFileCache
 };
+const TEN_CHAR_TEAM_ID = /^[A-Z0-9]{10}$/u;
 var AppleAuth = class extends Context.Tag("cli/AppleAuth")() {};
 const sessionFromAuthState = (state) => ({
 	username: state.username,
@@ -3062,11 +3095,19 @@ const sessionFromInfo = (username, info) => ({
 	teamName: info.provider.name,
 	providerId: info.provider.providerId
 });
-const sessionFromProvider = (username, provider) => ({
-	username,
-	teamId: provider.publicProviderId,
-	teamName: provider.name,
-	providerId: provider.providerId
+/**
+* Resolve the 10-char Developer Portal Team ID for a selected App Store Connect
+* provider. Uses the provider's `publicProviderId` directly when it already is a
+* Team ID; otherwise (UUID providers) looks it up from the Developer Portal team
+* list by name — the only field both surfaces share. Falls back to the
+* `publicProviderId` if no match, preserving prior behavior.
+*/
+const resolvePortalTeamId = (appleUtils, provider) => Effect.gen(function* () {
+	if (TEN_CHAR_TEAM_ID.test(provider.publicProviderId)) return provider.publicProviderId;
+	return (yield* Effect.tryPromise({
+		try: async () => appleUtils.Teams.getTeamsAsync(),
+		catch: (cause) => new AppleAuthError$1({ message: `Failed to list Apple Developer teams: ${formatCause(cause)}` })
+	})).find((team) => team.name === provider.name)?.teamId ?? provider.publicProviderId;
 });
 const restoreFromCookies = (appleUtils, cookies) => Effect.tryPromise({
 	try: async () => appleUtils.Auth.loginWithCookiesAsync({ cookies }),
@@ -3081,10 +3122,16 @@ const restoreFromCookies = (appleUtils, cookies) => Effect.tryPromise({
 const resolveSessionTeam = (appleUtils, state) => Effect.gen(function* () {
 	const { availableProviders } = state.session;
 	const resolution = yield* resolveProvider(appleUtils, availableProviders, state.context.providerId ?? state.session.provider.providerId);
-	if (!resolution.switched || resolution.providerId === void 0) return sessionFromAuthState(state);
-	const picked = availableProviders.find((provider) => provider.providerId === resolution.providerId);
-	if (picked === void 0) return yield* new AppleAuthError$1({ message: `Selected provider ${String(resolution.providerId)} not in available providers list.` });
-	return sessionFromProvider(state.username, picked);
+	const switched = resolution.switched && resolution.providerId !== void 0;
+	const provider = switched ? availableProviders.find((entry) => entry.providerId === resolution.providerId) : state.session.provider;
+	if (provider === void 0) return yield* new AppleAuthError$1({ message: `Selected provider ${String(resolution.providerId)} not in available providers list.` });
+	const teamId = (!switched && state.context.teamId !== void 0 && TEN_CHAR_TEAM_ID.test(state.context.teamId) ? state.context.teamId : void 0) ?? (yield* resolvePortalTeamId(appleUtils, provider));
+	return {
+		username: state.username,
+		teamId,
+		teamName: provider.name,
+		providerId: provider.providerId
+	};
 });
 const loginWithCredentials = (appleUtils, credentials) => Effect.tryPromise({
 	try: async () => appleUtils.Auth.loginWithUserCredentialsAsync(credentials, { autoResolveProvider: true }),
@@ -19357,12 +19404,13 @@ const toAscDevice = (value) => {
 	if (!isRecord$1(value)) return null;
 	const { id, attributes } = value;
 	if (typeof id !== "string" || !isRecord$1(attributes)) return null;
-	const { udid, name } = attributes;
+	const { udid, name, deviceClass } = attributes;
 	if (typeof udid !== "string" || typeof name !== "string") return null;
 	return {
 		id,
 		udid,
-		name
+		name,
+		deviceClass: typeof deviceClass === "string" ? deviceClass : null
 	};
 };
 const extractList = (body, map) => {
@@ -19373,6 +19421,18 @@ const extractSingle = (body, map) => {
 	if (!isRecord$1(body)) return null;
 	return map(body["data"]);
 };
+/**
+* App Store Connect paginates list responses (default 200/page) and returns the
+* absolute URL of the next page under `links.next`. Strip the base so it can be
+* fed back into `fetchRaw`; return null when there is no further page.
+*/
+const nextPagePath = (body) => {
+	if (!isRecord$1(body)) return null;
+	const { links } = body;
+	if (!isRecord$1(links) || typeof links["next"] !== "string") return null;
+	const { next } = links;
+	return next.startsWith(API_BASE) ? next.slice(37) : next;
+};
 const malformed = (resource) => new AscApiError({
 	status: 500,
 	message: `Malformed ${resource} response`,
@@ -19420,7 +19480,29 @@ const createBundleId = (credentials, params) => withJwt(credentials, (jwt) => Ef
 	return resource;
 }));
 const listDevices = (credentials) => withJwt(credentials, (jwt) => Effect.gen(function* () {
-	return extractList(yield* fetchRaw(jwt, "/v1/devices?limit=200"), toAscDevice);
+	const devices = [];
+	let path = "/v1/devices?limit=200";
+	while (path !== null) {
+		const body = yield* fetchRaw(jwt, path);
+		devices.push(...extractList(body, toAscDevice));
+		path = nextPagePath(body);
+	}
+	return devices;
+}));
+const createDevice = (credentials, params) => withJwt(credentials, (jwt) => Effect.gen(function* () {
+	const resource = extractSingle(yield* fetchRaw(jwt, "/v1/devices", {
+		method: "POST",
+		body: JSON.stringify({ data: {
+			type: "devices",
+			attributes: {
+				name: params.name,
+				udid: params.udid,
+				platform: "IOS"
+			}
+		} })
+	}), toAscDevice);
+	if (resource === null) return yield* malformed("device");
+	return resource;
 }));
 const createProvisioningProfile = (credentials, params) => withJwt(credentials, (jwt) => Effect.gen(function* () {
 	const relationships = {
@@ -20689,6 +20771,7 @@ const DISTRIBUTION_TO_CERTIFICATE_TYPE = {
 	DEVELOPMENT: AppleUtils.CertificateType.IOS_DEVELOPMENT
 };
 var AppleIdGenerateFailedError = class extends Data.TaggedError("AppleIdGenerateFailedError") {};
+var ApnsKeyLimitError = class extends Data.TaggedError("ApnsKeyLimitError") {};
 const CERT_LIMIT_PATTERN = /already have a current.*certificate|pending certificate request/iu;
 const messageOf = (cause) => cause instanceof Error ? cause.message : String(cause);
 const wrap = (step, run) => Effect.tryPromise({
@@ -20833,6 +20916,86 @@ const generateAndUploadProvisioningProfileViaAppleId = (api, input) => Effect.ge
 		developerPortalIdentifier: created.developerPortalIdentifier
 	};
 });
+const APNS_SERVICE_ID = "U27F4V844T";
+const APNS_KEY_LIMIT_PATTERN = /maximum allowed number of .*keys/iu;
+const wrapKeyCreate = (run) => Effect.tryPromise({
+	try: run,
+	catch: (cause) => {
+		const message = messageOf(cause);
+		return cause instanceof AppleUtils.Keys.MaxKeysCreatedError || APNS_KEY_LIMIT_PATTERN.test(message) ? new ApnsKeyLimitError({ message }) : new AppleIdGenerateFailedError({
+			step: "apple-create-key",
+			message
+		});
+	}
+});
+const writeRescueP8 = (keyId, p8Pem) => Effect.gen(function* () {
+	const fs = yield* FileSystem.FileSystem;
+	const filePath = `AuthKey_${keyId}.p8`;
+	yield* fs.writeFileString(filePath, p8Pem, { mode: 384 });
+	return filePath;
+});
+const generateAndUploadApnsKeyViaAppleId = (api, input) => Effect.gen(function* () {
+	const ctx = input.context;
+	const key = yield* wrapKeyCreate(async () => AppleUtils.Keys.createKeyAsync(ctx, {
+		name: input.name,
+		isApns: true
+	}));
+	const p8Pem = yield* wrap("apple-download-key", async () => AppleUtils.Keys.downloadKeyAsync(ctx, { id: key.id }));
+	const metadata = {
+		keyId: key.id,
+		appleTeamIdentifier: input.appleTeamIdentifier
+	};
+	return {
+		id: (yield* Effect.gen(function* () {
+			const envelope = yield* sealForUpload({
+				session: yield* openVaultSessionInteractive(api),
+				credentialType: "push-key",
+				metadata,
+				secret: { p8Pem }
+			});
+			return yield* api.applePushKeys.upload({ payload: {
+				...toUploadEnvelope(envelope),
+				...metadata
+			} });
+		}).pipe(Effect.catchAll((cause) => Effect.gen(function* () {
+			const rescuePath = yield* writeRescueP8(key.id, p8Pem).pipe(Effect.catchAll(() => Effect.succeed(null)));
+			const where = rescuePath === null ? "could not be saved locally and is now unrecoverable" : `was saved to ${rescuePath} — re-import with \`credentials generate push-key --p8 ${rescuePath} --key-id ${key.id} --apple-team-id ${input.appleTeamIdentifier}\``;
+			return yield* new AppleIdGenerateFailedError({
+				step: "store-apns-key",
+				message: `Created APNs key ${key.id} on Apple but failed to store it (${messageOf(cause)}). The downloaded .p8 ${where}.`
+			});
+		})))).id,
+		keyId: key.id,
+		appleTeamIdentifier: input.appleTeamIdentifier,
+		name: key.name
+	};
+});
+const listApnsKeysViaAppleId = (ctx) => Effect.gen(function* () {
+	const keys = yield* wrap("apple-list-keys", async () => AppleUtils.Keys.getKeysAsync(ctx));
+	return (yield* Effect.forEach(keys, (key) => wrap("apple-get-key-info", async () => AppleUtils.Keys.getKeyInfoAsync(ctx, { id: key.id })), { concurrency: 4 })).filter((info) => info.services.some((service) => service.id === APNS_SERVICE_ID)).map((info) => ({
+		developerPortalKeyId: info.id,
+		name: info.name,
+		canRevoke: info.canRevoke
+	}));
+});
+const revokeApnsKeyViaAppleId = (ctx, developerPortalKeyId) => wrap("apple-revoke-key", async () => AppleUtils.Keys.revokeKeyAsync(ctx, { id: developerPortalKeyId }));
+/**
+* Revoke an APNs key on Apple and (optionally) delete the stored copy. Only keys
+* still present on the portal are revoked — one already gone upstream is treated
+* as `revokedOnApple: false` and still deleted locally, so cleanup never wedges.
+* Shared by the `revoke push-key` command and the interactive wizard.
+*/
+const revokeLocalApnsKey = (api, input) => Effect.gen(function* () {
+	const present = (yield* listApnsKeysViaAppleId(input.context)).some((entry) => entry.developerPortalKeyId === input.keyId);
+	if (present) yield* revokeApnsKeyViaAppleId(input.context, input.keyId);
+	if (!input.keepLocal) yield* api.applePushKeys.delete({ path: { id: input.pushKeyId } });
+	return {
+		localId: input.pushKeyId,
+		keyId: input.keyId,
+		revokedOnApple: present,
+		deletedLocally: !input.keepLocal
+	};
+});
 
 //#endregion
 //#region src/lib/ios-bundle-config-upsert.ts
@@ -20905,6 +21068,36 @@ const interactiveAppleIdCertLimitRecover = (ctx) => Effect.gen(function* () {
 	yield* Effect.forEach(toRevoke, (id) => revokeDistributionCertViaAppleId(ctx, id), { concurrency: "inherit" });
 	yield* Console.log(`Revoked ${toRevoke.length} certificate(s); retrying generation...`);
 });
+const defaultApnsKeyName = () => `better-update APNs (${(/* @__PURE__ */ new Date()).toISOString().slice(0, 10)})`;
+const apnsKeyLimitRecover = (ctx) => Effect.gen(function* () {
+	yield* Console.log("");
+	yield* Console.log("Apple reports the APNs key limit was hit (max 2 keys per team).");
+	const revocable = (yield* listApnsKeysViaAppleId(ctx)).filter((entry) => entry.canRevoke);
+	if (revocable.length === 0) return yield* new CredentialValidationError({ message: "Apple says the APNs key limit is hit but no revocable keys were returned." });
+	const toRevoke = yield* promptMultiSelect("Select one or more APNs keys to revoke before retrying", revocable.map((entry) => ({
+		value: entry.developerPortalKeyId,
+		label: `${entry.name} (${entry.developerPortalKeyId})`
+	})), { required: true });
+	yield* Effect.forEach(toRevoke, (id) => revokeApnsKeyViaAppleId(ctx, id), { concurrency: "inherit" });
+	yield* Console.log(`Revoked ${toRevoke.length} key(s); retrying creation...`);
+});
+/**
+* Log in with Apple ID, create a fresh APNs `.p8` on the portal, download it, and
+* upload it end-to-end encrypted — recovering interactively from the key limit.
+* Returns the stored credential; callers render their own success output. Shared
+* by the `generate push-key` command and the interactive wizard.
+*/
+const createApnsKeyViaAppleId = (api, name) => Effect.gen(function* () {
+	const auth = yield* AppleAuth;
+	const session = yield* auth.ensureLoggedIn();
+	const ctx = auth.buildRequestContext(session);
+	const generate = generateAndUploadApnsKeyViaAppleId(api, {
+		context: ctx,
+		appleTeamIdentifier: session.teamId,
+		name
+	});
+	return yield* generate.pipe(Effect.catchTag("ApnsKeyLimitError", () => apnsKeyLimitRecover(ctx).pipe(Effect.flatMap(() => generate))));
+});
 const generateDistributionCertViaAppleIdInteractive = (api, ctx) => Effect.gen(function* () {
 	yield* Console.log("Generating distribution certificate via Apple ID...");
 	const generate = generateAndUploadDistributionCertificateViaAppleId(api, { context: ctx });
@@ -26926,6 +27119,39 @@ const revokeIosDistributionCert = (ctx) => Effect.gen(function* () {
 		["Deleted locally", result.deletedLocally ? "yes" : "no (kept)"]
 	]);
 });
+const revokeIosPushKey = (ctx) => Effect.gen(function* () {
+	const { items } = yield* ctx.api.applePushKeys.list();
+	if (items.length === 0) return yield* new MissingCredentialsError({
+		message: "No APNs push keys in this account.",
+		hint: "Run 'Add a new push key' to create one first."
+	});
+	const localId = yield* promptSelect("Select a push key to revoke", items.map((key) => ({
+		value: key.id,
+		label: `${key.keyId} (team ${key.appleTeamId})`
+	})));
+	const target = items.find((entry) => entry.id === localId);
+	if (target === void 0) return yield* new MissingCredentialsError({
+		message: `Selected push key ${localId} not found.`,
+		hint: "Re-run and pick again."
+	});
+	const keepLocal = yield* promptConfirm("Keep the key in this account after revoking?", { initialValue: false });
+	const auth = yield* AppleAuth;
+	const session = yield* auth.ensureLoggedIn();
+	yield* Console.log("Logging in to Apple and revoking the push key...");
+	const result = yield* revokeLocalApnsKey(ctx.api, {
+		context: auth.buildRequestContext(session),
+		pushKeyId: target.id,
+		keyId: target.keyId,
+		keepLocal
+	});
+	yield* Console.log("Revoke complete.");
+	yield* printKeyValue([
+		["Local ID", result.localId],
+		["Key ID", result.keyId],
+		["Revoked on Apple", result.revokedOnApple ? "yes" : "no (not present on portal)"],
+		["Deleted locally", result.deletedLocally ? "yes" : "no (kept)"]
+	]);
+});
 
 //#endregion
 //#region src/application/credentials-manager-ios.ts
@@ -26990,8 +27216,26 @@ const generateNewIosDistributionCert = (ctx) => Effect.gen(function* () {
 		["Apple team", created.appleTeamIdentifier]
 	]);
 });
+const promptPushKeyMethod = () => promptSelect("How do you want to provide the APNs auth key?", [{
+	value: "apple-id",
+	label: "Create a new key by logging in with your Apple ID (recommended)"
+}, {
+	value: "upload",
+	label: "Upload a .p8 you already downloaded from the Apple portal"
+}]);
 const addIosPushKey = (ctx) => Effect.gen(function* () {
-	yield* printHuman("Apple does not expose APNs key creation via API.");
+	if ((yield* promptPushKeyMethod()) === "apple-id") {
+		const created = yield* createApnsKeyViaAppleId(ctx.api, defaultApnsKeyName());
+		yield* Console.log("APNs push key created and registered.");
+		yield* printKeyValue([
+			["ID", created.id],
+			["Key ID", created.keyId],
+			["Apple team", created.appleTeamIdentifier],
+			["Name", created.name]
+		]);
+		return;
+	}
+	yield* printHuman("Apple does not expose APNs key creation via the public ASC API.");
 	yield* printHuman(`Create one here, download .p8, then return: ${APPLE_PUSH_KEY_PORTAL_URL$1}`);
 	const keyId = (yield* promptText("APNs key ID (10 uppercase alphanumeric)")).trim().toUpperCase();
 	if (!APPLE_TEN_CHARS.test(keyId)) return yield* new CredentialValidationError({ message: `Push key ID "${keyId}" must be 10 uppercase alphanumeric characters.` });
@@ -27053,7 +27297,12 @@ const setupProjectPushNotifications = (ctx) => Effect.gen(function* () {
 	yield* Console.log(`Push notifications set up: key ${pushKeyId} bound to ${config.bundleIdentifier} (${config.distributionType}).`);
 });
 const createNewPushKeyForBundle = (ctx, fallbackTeamId) => Effect.gen(function* () {
-	yield* printHuman("Apple does not expose APNs key creation via API.");
+	if ((yield* promptPushKeyMethod()) === "apple-id") {
+		const created = yield* createApnsKeyViaAppleId(ctx.api, defaultApnsKeyName());
+		yield* Console.log(`APNs push key ${created.keyId} created.`);
+		return created.id;
+	}
+	yield* printHuman("Apple does not expose APNs key creation via the public ASC API.");
 	yield* printHuman(`Create one here, download .p8, then return: ${APPLE_PUSH_KEY_PORTAL_URL$1}`);
 	const rawKeyId = (yield* promptText("APNs key ID (10 uppercase alphanumeric)")).trim().toUpperCase();
 	if (!APPLE_TEN_CHARS.test(rawKeyId)) return yield* new CredentialValidationError({ message: `Push key ID "${rawKeyId}" must be 10 uppercase alphanumeric characters.` });
@@ -27140,9 +27389,13 @@ const iosPushKeysMenu = (ctx) => Effect.gen(function* () {
 			value: "bind",
 			label: "Use an existing push key"
 		},
+		{
+			value: "revoke",
+			label: "Revoke a push key (Apple Developer Portal)"
+		},
 		{
 			value: "remove",
-			label: "Remove a push key"
+			label: "Remove a push key (local only)"
 		},
 		{
 			value: BACK,
@@ -27153,6 +27406,7 @@ const iosPushKeysMenu = (ctx) => Effect.gen(function* () {
 	if (choice === "setup") yield* safely("set up push notifications", setupProjectPushNotifications(ctx));
 	else if (choice === "add") yield* safely("add push key", addIosPushKey(ctx));
 	else if (choice === "bind") yield* safely("bind push key", bindIosPushKey(ctx));
+	else if (choice === "revoke") yield* safely("revoke push key", revokeIosPushKey(ctx));
 	else if (choice === "remove") yield* safely("remove push key", pickAndDelete(ctx, "push-key", "APNs push key"));
 	yield* iosPushKeysMenu(ctx);
 });
@@ -28127,6 +28381,129 @@ const downloadCommand = defineCommand({
 	}), { json: "value" })
 });
 
+//#endregion
+//#region src/commands/credentials/generate-push-key.ts
+const PUSH_KEY_EXIT_EXTRAS = {
+	CredentialValidationError: 2,
+	AppleIdGenerateFailedError: 6,
+	ApnsKeyLimitError: 6,
+	AppleAuthError: 4,
+	InteractiveProhibitedError: 4
+};
+const APPLE_PUSH_KEY_PORTAL_URL = "https://developer.apple.com/account/resources/authkeys/list";
+const KEY_ID_PATTERN = /^[A-Z0-9]{10}$/u;
+const APPLE_TEAM_ID_PATTERN = /^[A-Z0-9]{10}$/u;
+const resolveAppleTeamFromAscKey = (api, ascApiKeyId) => Effect.gen(function* () {
+	if (ascApiKeyId === void 0) return;
+	const teamId = (yield* api.ascApiKeys.list()).items.find((entry) => entry.id === ascApiKeyId)?.appleTeamId;
+	return typeof teamId === "string" ? teamId : void 0;
+});
+const validateKeyId = (value) => KEY_ID_PATTERN.test(value) ? Effect.succeed(value) : Effect.fail(new CredentialValidationError({ message: `Push key ID "${value}" must be 10 uppercase alphanumeric characters.` }));
+const validateAppleTeamId = (value) => APPLE_TEAM_ID_PATTERN.test(value) ? Effect.succeed(value) : Effect.fail(new CredentialValidationError({ message: `Apple Team ID "${value}" must be 10 uppercase alphanumeric characters.` }));
+const resolvePushKeyInput = (api, args) => Effect.gen(function* () {
+	const derivedTeamId = yield* resolveAppleTeamFromAscKey(api, args["asc-key-id"]);
+	const keyId = yield* validateKeyId((args["key-id"] ?? (yield* promptText("APNs key ID (10 uppercase alphanumeric)"))).trim().toUpperCase());
+	const appleTeamIdentifier = yield* validateAppleTeamId((args["apple-team-id"] ?? derivedTeamId ?? (yield* promptText("Apple Team identifier (10 uppercase alphanumeric)"))).trim().toUpperCase());
+	const p8Path = args.p8 ?? (yield* promptText("Path to the AuthKey_XXXXXXXXXX.p8 file you downloaded"));
+	if (p8Path.trim().length === 0) return yield* new CredentialValidationError({ message: "Missing --p8 path" });
+	return {
+		keyId,
+		appleTeamIdentifier,
+		p8Path,
+		name: args.name ?? keyId
+	};
+});
+const resolvePushKeyMethod = (args) => Effect.gen(function* () {
+	if (args.p8 !== void 0 && args.p8.trim().length > 0) return "upload";
+	if (args.method === "upload" || args.method === "apple-id") return args.method;
+	return yield* promptSelect("How do you want to provide the APNs auth key?", [{
+		value: "apple-id",
+		label: "Create a new key by logging in with your Apple ID (recommended)"
+	}, {
+		value: "upload",
+		label: "Upload a .p8 you already downloaded from the Apple portal"
+	}]);
+});
+const uploadPushKeyFromFile = (api, args) => Effect.gen(function* () {
+	if (args["skip-portal-hint"] !== true) {
+		yield* printHuman("Apple does not expose APNs key creation via the public ASC API.");
+		yield* printHuman("Create the key here, download the .p8, then come back:");
+		yield* printHuman(`  ${APPLE_PUSH_KEY_PORTAL_URL}`);
+		yield* printHuman("");
+	}
+	const resolved = yield* resolvePushKeyInput(api, args);
+	yield* printHuman("Uploading APNs auth key...");
+	const credential = yield* uploadCredential(api, {
+		platform: "ios",
+		type: "push-key",
+		name: resolved.name,
+		filePath: resolved.p8Path,
+		keyId: resolved.keyId,
+		appleTeamIdentifier: resolved.appleTeamIdentifier
+	});
+	yield* printHuman("APNs push key registered.");
+	yield* printHumanKeyValue([
+		["ID", credential.id],
+		["Key ID", resolved.keyId],
+		["Apple team", resolved.appleTeamIdentifier]
+	]);
+	return credential;
+});
+const pushKeyCommand$1 = defineCommand({
+	meta: {
+		name: "push-key",
+		description: "Create an APNs auth key (.p8) by logging in with your Apple ID, or upload one you downloaded; the key is end-to-end encrypted before upload"
+	},
+	args: {
+		method: {
+			type: "enum",
+			options: ["apple-id", "upload"],
+			description: "How to obtain the key: 'apple-id' (create via login) or 'upload' (provide --p8)"
+		},
+		"key-id": {
+			type: "string",
+			description: "APNs key ID — upload only (10 uppercase alphanumeric)"
+		},
+		"apple-team-id": {
+			type: "string",
+			description: "Apple Team identifier — upload only"
+		},
+		p8: {
+			type: "string",
+			description: "Path to the AuthKey_XXXXXXXXXX.p8 file (forces upload)"
+		},
+		"asc-key-id": {
+			type: "string",
+			description: "ASC API key ID to derive --apple-team-id automatically (upload only)"
+		},
+		name: {
+			type: "string",
+			description: "Display name (Apple ID: key name; upload: defaults to key ID)"
+		},
+		"skip-portal-hint": {
+			type: "boolean",
+			description: "Skip the Apple Developer portal URL hint (upload only)"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const api = yield* apiClient;
+		if ((yield* resolvePushKeyMethod(args)) === "upload") return yield* uploadPushKeyFromFile(api, args);
+		yield* printHuman("Creating an APNs auth key via your Apple ID...");
+		const created = yield* createApnsKeyViaAppleId(api, args.name ?? defaultApnsKeyName());
+		yield* printHuman("APNs push key created and registered.");
+		yield* printHumanKeyValue([
+			["ID", created.id],
+			["Key ID", created.keyId],
+			["Apple team", created.appleTeamIdentifier],
+			["Name", created.name]
+		]);
+		return created;
+	}), {
+		exits: PUSH_KEY_EXIT_EXTRAS,
+		json: "value"
+	})
+});
+
 //#endregion
 //#region src/commands/credentials/generate.ts
 const GENERATE_EXIT_EXTRAS = {
@@ -28335,90 +28712,6 @@ const parseDeviceIds = (raw) => {
 	const ids = raw.split(",").map((id) => id.trim()).filter((id) => id.length > 0);
 	return ids.length === 0 ? void 0 : ids;
 };
-const APPLE_PUSH_KEY_PORTAL_URL = "https://developer.apple.com/account/resources/authkeys/list";
-const KEY_ID_PATTERN = /^[A-Z0-9]{10}$/u;
-const APPLE_TEAM_ID_PATTERN = /^[A-Z0-9]{10}$/u;
-const resolveAppleTeamFromAscKey = (api, ascApiKeyId) => Effect.gen(function* () {
-	if (ascApiKeyId === void 0) return;
-	const teamId = (yield* api.ascApiKeys.list()).items.find((entry) => entry.id === ascApiKeyId)?.appleTeamId;
-	return typeof teamId === "string" ? teamId : void 0;
-});
-const validateKeyId = (value) => KEY_ID_PATTERN.test(value) ? Effect.succeed(value) : Effect.fail(new CredentialValidationError({ message: `Push key ID "${value}" must be 10 uppercase alphanumeric characters.` }));
-const validateAppleTeamId = (value) => APPLE_TEAM_ID_PATTERN.test(value) ? Effect.succeed(value) : Effect.fail(new CredentialValidationError({ message: `Apple Team ID "${value}" must be 10 uppercase alphanumeric characters.` }));
-const pushKeyCommand = defineCommand({
-	meta: {
-		name: "push-key",
-		description: "Register an APNs auth key (.p8) — guides you through creating one in the Apple Developer portal, then uploads it"
-	},
-	args: {
-		"key-id": {
-			type: "string",
-			description: "APNs key ID (10 uppercase alphanumeric)"
-		},
-		"apple-team-id": {
-			type: "string",
-			description: "Apple Team identifier"
-		},
-		p8: {
-			type: "string",
-			description: "Path to the AuthKey_XXXXXXXXXX.p8 file"
-		},
-		"asc-key-id": {
-			type: "string",
-			description: "ASC API key ID to derive --apple-team-id automatically"
-		},
-		name: {
-			type: "string",
-			description: "Display name (defaults to the key ID)"
-		},
-		"skip-portal-hint": {
-			type: "boolean",
-			description: "Skip the Apple Developer portal URL hint (already created the key)"
-		}
-	},
-	run: async ({ args }) => runEffect(Effect.gen(function* () {
-		const api = yield* apiClient;
-		if (args["skip-portal-hint"] !== true) {
-			yield* printHuman("Apple does not expose APNs key creation via the public ASC API.");
-			yield* printHuman("Create the key here, download the .p8, then come back:");
-			yield* printHuman(`  ${APPLE_PUSH_KEY_PORTAL_URL}`);
-			yield* printHuman("");
-		}
-		const resolved = yield* resolvePushKeyInput(api, args);
-		yield* printHuman("Uploading APNs auth key...");
-		const credential = yield* uploadCredential(api, {
-			platform: "ios",
-			type: "push-key",
-			name: resolved.name,
-			filePath: resolved.p8Path,
-			keyId: resolved.keyId,
-			appleTeamIdentifier: resolved.appleTeamIdentifier
-		});
-		yield* printHuman("APNs push key registered.");
-		yield* printHumanKeyValue([
-			["ID", credential.id],
-			["Key ID", resolved.keyId],
-			["Apple team", resolved.appleTeamIdentifier]
-		]);
-		return credential;
-	}), {
-		exits: GENERATE_EXIT_EXTRAS,
-		json: "value"
-	})
-});
-const resolvePushKeyInput = (api, args) => Effect.gen(function* () {
-	const derivedTeamId = yield* resolveAppleTeamFromAscKey(api, args["asc-key-id"]);
-	const keyId = yield* validateKeyId((args["key-id"] ?? (yield* promptText("APNs key ID (10 uppercase alphanumeric)"))).trim().toUpperCase());
-	const appleTeamIdentifier = yield* validateAppleTeamId((args["apple-team-id"] ?? derivedTeamId ?? (yield* promptText("Apple Team identifier (10 uppercase alphanumeric)"))).trim().toUpperCase());
-	const p8Path = args.p8 ?? (yield* promptText("Path to the AuthKey_XXXXXXXXXX.p8 file you downloaded"));
-	if (p8Path.trim().length === 0) return yield* new CredentialValidationError({ message: "Missing --p8 path" });
-	return {
-		keyId,
-		appleTeamIdentifier,
-		p8Path,
-		name: args.name ?? keyId
-	};
-});
 const GSA_FIREBASE_URL = "https://console.firebase.google.com/project/_/settings/serviceaccounts/adminsdk";
 const GSA_GCP_URL = "https://console.cloud.google.com/iam-admin/serviceaccounts";
 const gsaKeyCommand = defineCommand({
@@ -28485,7 +28778,7 @@ const generateCommand$1 = defineCommand({
 		keystore: keystoreCommand,
 		"distribution-certificate": distributionCertificateCommand$1,
 		"provisioning-profile": provisioningProfileCommand,
-		"push-key": pushKeyCommand,
+		"push-key": pushKeyCommand$1,
 		"gsa-key": gsaKeyCommand
 	}
 });
@@ -28890,7 +29183,10 @@ const resolveType = (raw, available) => Effect.gen(function* () {
 //#region src/commands/credentials/revoke.ts
 const REVOKE_EXIT_EXTRAS = {
 	CredentialValidationError: 2,
-	GenerateFailedError: 6
+	GenerateFailedError: 6,
+	AppleIdGenerateFailedError: 6,
+	AppleAuthError: 4,
+	InteractiveProhibitedError: 4
 };
 const resolveAscKeyId = (api, raw) => Effect.gen(function* () {
 	if (raw !== void 0 && raw.length > 0) return raw;
@@ -28945,12 +29241,74 @@ const distributionCertificateCommand = defineCommand({
 		json: "value"
 	})
 });
+const resolvePushKeyTarget = (api, idArg) => Effect.gen(function* () {
+	const { items } = yield* api.applePushKeys.list();
+	if (items.length === 0) return yield* new CredentialValidationError({ message: "No APNs push keys stored. Nothing to revoke." });
+	if (idArg !== void 0 && idArg.length > 0) {
+		const match = items.find((entry) => entry.id === idArg);
+		if (match === void 0) return yield* new CredentialValidationError({ message: `Push key ${idArg} not found.` });
+		return match;
+	}
+	if (items.length === 1) {
+		const [only] = items;
+		if (only !== void 0) return only;
+	}
+	const chosen = yield* promptSelect("Select a push key to revoke", items.map((entry) => ({
+		value: entry.id,
+		label: `${entry.keyId} (team ${entry.appleTeamId})`
+	})));
+	const match = items.find((entry) => entry.id === chosen);
+	if (match === void 0) return yield* new CredentialValidationError({ message: `Selected push key ${chosen} not found after listing.` });
+	return match;
+});
+const pushKeyCommand = defineCommand({
+	meta: {
+		name: "push-key",
+		description: "Revoke an APNs auth key on the Apple Developer Portal (via Apple ID login) and delete it from this account"
+	},
+	args: {
+		id: {
+			type: "string",
+			description: "Local push key ID (prompts if omitted)"
+		},
+		"keep-local": {
+			type: "boolean",
+			description: "Revoke on Apple but keep the credential in this account"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const api = yield* apiClient;
+		const target = yield* resolvePushKeyTarget(api, args.id);
+		const auth = yield* AppleAuth;
+		const session = yield* auth.ensureLoggedIn();
+		const result = yield* revokeLocalApnsKey(api, {
+			context: auth.buildRequestContext(session),
+			pushKeyId: target.id,
+			keyId: target.keyId,
+			keepLocal: args["keep-local"] ?? false
+		});
+		yield* printHuman("APNs push key revoke complete.");
+		yield* printHumanKeyValue([
+			["Local ID", result.localId],
+			["Key ID", result.keyId],
+			["Revoked on Apple", result.revokedOnApple ? "yes" : "no (not present on portal)"],
+			["Deleted locally", result.deletedLocally ? "yes" : "no (--keep-local)"]
+		]);
+		return result;
+	}), {
+		exits: REVOKE_EXIT_EXTRAS,
+		json: "value"
+	})
+});
 const revokeCommand = defineCommand({
 	meta: {
 		name: "revoke",
 		description: "Revoke credentials on the upstream provider"
 	},
-	subCommands: { "distribution-certificate": distributionCertificateCommand }
+	subCommands: {
+		"distribution-certificate": distributionCertificateCommand,
+		"push-key": pushKeyCommand
+	}
 });
 
 //#endregion
@@ -30143,6 +30501,7 @@ const listDevicesCommand = defineCommand({
 			"Class",
 			"UDID",
 			"Team",
+			"Synced",
 			"Enabled"
 		], items.map((device) => [
 			device.id,
@@ -30150,6 +30509,7 @@ const listDevicesCommand = defineCommand({
 			device.deviceClass,
 			device.identifier,
 			device.appleTeamId ?? "—",
+			device.appleDevicePortalId === null ? "no" : "yes",
 			device.enabled ? "yes" : "no"
 		]));
 		return {
@@ -30190,6 +30550,150 @@ const renameDeviceCommand = defineCommand({
 	}))
 });
 
+//#endregion
+//#region src/commands/devices/sync.ts
+const IDENTIFIER_PATTERN = /^(?:[A-Fa-f0-9]{40}|[A-Fa-f0-9]{8}-[A-Fa-f0-9]{16}|[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12})$/u;
+const APPLE_DEVICE_CLASS = {
+	IPHONE: "IPHONE",
+	IPAD: "IPAD",
+	MAC: "MAC"
+};
+const toDeviceClass = (raw) => raw === null ? "UNKNOWN" : APPLE_DEVICE_CLASS[raw] ?? "UNKNOWN";
+const ascErrorMessage = (error) => error._tag === "AscApiError" ? error.message : `Apple request failed: ${String(error.cause)}`;
+const LIST_LIMIT = 100;
+/**
+* Resolve which ASC key authenticates the sync and which internal team it
+* targets. Either flag suffices: an ASC key already carries its team, and a team
+* resolves to the ASC key uploaded for it.
+*/
+const resolveTarget = (api, args) => Effect.gen(function* () {
+	const keyArg = args["asc-api-key-id"];
+	const teamArg = args["apple-team-id"];
+	const ascKeys = yield* api.ascApiKeys.list();
+	if (keyArg !== void 0) {
+		const match = ascKeys.items.find((key) => key.id === keyArg);
+		if (match === void 0) return yield* new InvalidArgumentError({ message: `ASC API key "${keyArg}" not found in this organization.` });
+		const appleTeamId = teamArg ?? match.appleTeamId;
+		if (!appleTeamId) return yield* new InvalidArgumentError({ message: `ASC API key "${keyArg}" is not linked to an Apple team; pass --apple-team-id <uuid>.` });
+		return {
+			ascApiKeyId: keyArg,
+			appleTeamId
+		};
+	}
+	if (teamArg !== void 0) {
+		const match = ascKeys.items.find((key) => key.appleTeamId === teamArg);
+		if (match === void 0) return yield* new InvalidArgumentError({ message: `No ASC API key found for team "${teamArg}". Upload one with \`better-update credentials upload-asc-key\`.` });
+		return {
+			ascApiKeyId: match.id,
+			appleTeamId: teamArg
+		};
+	}
+	return yield* new InvalidArgumentError({ message: "Pass --apple-team-id <uuid> or --asc-api-key-id <id> to choose what to sync." });
+});
+const listAllLocalDevices = (api, appleTeamId) => Effect.gen(function* () {
+	const items = [];
+	let page = 1;
+	let total = Number.POSITIVE_INFINITY;
+	while (items.length < total) {
+		const result = yield* api.devices.list({ urlParams: {
+			appleTeamId,
+			page,
+			limit: LIST_LIMIT
+		} });
+		({total} = result);
+		if (result.items.length === 0) break;
+		items.push(...result.items);
+		page += 1;
+	}
+	return items;
+});
+const syncDeviceCommand = defineCommand({
+	meta: {
+		name: "sync",
+		description: "Sync devices with Apple App Store Connect: register local-only devices on Apple and import devices already registered there"
+	},
+	args: {
+		"apple-team-id": {
+			type: "string",
+			description: "Internal team Id (UUID) to sync; derived from --asc-api-key-id if omitted"
+		},
+		"asc-api-key-id": {
+			type: "string",
+			description: "ASC API key to authenticate with; derived from --apple-team-id if omitted"
+		},
+		push: {
+			type: "boolean",
+			default: true,
+			description: "Register local-only devices on Apple",
+			negativeDescription: "Skip registering local devices on Apple (--no-push)"
+		},
+		pull: {
+			type: "boolean",
+			default: true,
+			description: "Import Apple-registered devices into better-update",
+			negativeDescription: "Skip importing Apple devices (--no-pull)"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const api = yield* apiClient;
+		const target = yield* resolveTarget(api, args);
+		const creds = yield* fetchAscCredentials(api, target.ascApiKeyId);
+		const ascCreds = {
+			keyId: creds.keyId,
+			issuerId: creds.issuerId,
+			p8Pem: creds.p8Pem
+		};
+		const appleDevices = yield* listDevices(ascCreds);
+		const local = yield* listAllLocalDevices(api, target.appleTeamId);
+		const localUdids = new Set(local.map((device) => device.identifier.toLowerCase()));
+		const pushed = [];
+		const pushFailures = [];
+		if (args.push) {
+			const appleUdids = new Set(appleDevices.map((device) => device.udid.toLowerCase()));
+			const toPush = local.filter((device) => !appleUdids.has(device.identifier.toLowerCase()));
+			for (const device of toPush) {
+				const result = yield* Effect.either(createDevice(ascCreds, {
+					name: device.name,
+					udid: device.identifier
+				}));
+				if (Either.isRight(result)) pushed.push(result.right);
+				else pushFailures.push({
+					identifier: device.identifier,
+					message: ascErrorMessage(result.left)
+				});
+			}
+		}
+		const reconcileEntries = [...appleDevices, ...pushed].filter((device) => args.pull || localUdids.has(device.udid.toLowerCase())).filter((device) => IDENTIFIER_PATTERN.test(device.udid) && device.name.length > 0).map((device) => ({
+			identifier: device.udid,
+			name: device.name.slice(0, 120),
+			deviceClass: toDeviceClass(device.deviceClass),
+			appleDevicePortalId: device.id
+		}));
+		const summary = reconcileEntries.length > 0 ? yield* api.devices.syncDevices({ payload: {
+			appleTeamId: target.appleTeamId,
+			devices: reconcileEntries
+		} }) : {
+			created: 0,
+			linked: 0,
+			unchanged: 0
+		};
+		yield* printHumanKeyValue([
+			["Apple devices", String(appleDevices.length + pushed.length)],
+			["Pushed to Apple", String(pushed.length)],
+			["Imported locally", String(summary.created)],
+			["Linked (portal id set)", String(summary.linked)],
+			["Already synced", String(summary.unchanged)]
+		]);
+		for (const failure of pushFailures) yield* printHuman(`⚠ Could not push ${failure.identifier} to Apple: ${failure.message}`);
+		return {
+			appleTeamId: target.appleTeamId,
+			pushed: pushed.length,
+			...summary,
+			pushFailures
+		};
+	}), { json: "value" })
+});
+
 //#endregion
 //#region src/commands/devices/view.ts
 const viewDeviceCommand = defineCommand({
@@ -30230,6 +30734,7 @@ const devicesCommand = defineCommand({
 		add: addDeviceCommand,
 		list: listDevicesCommand,
 		view: viewDeviceCommand,
+		sync: syncDeviceCommand,
 		rename: renameDeviceCommand,
 		enable: enableDeviceCommand,
 		disable: disableDeviceCommand,