@better-update/cli 0.32.0 → 0.33.0

package/dist/index.mjs

@@ -34,7 +34,7 @@ var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
 //#endregion
 //#region package.json
-var version = "0.32.0";
+var version = "0.33.0";
 
 //#endregion
 //#region src/lib/interactive-mode.ts
@@ -3078,8 +3078,10 @@ const AppleSessionStoreLive = Layer.effect(AppleSessionStore, Effect.gen(functio
 const defaultAppleUtils = {
 	Auth: AppleUtils.Auth,
 	Session: AppleUtils.Session,
+	Teams: AppleUtils.Teams,
 	CookieFileCache: AppleUtils.CookieFileCache
 };
+const TEN_CHAR_TEAM_ID = /^[A-Z0-9]{10}$/u;
 var AppleAuth = class extends Context.Tag("cli/AppleAuth")() {};
 const sessionFromAuthState = (state) => ({
 	username: state.username,
@@ -3093,11 +3095,19 @@ const sessionFromInfo = (username, info) => ({
 	teamName: info.provider.name,
 	providerId: info.provider.providerId
 });
-const sessionFromProvider = (username, provider) => ({
-	username,
-	teamId: provider.publicProviderId,
-	teamName: provider.name,
-	providerId: provider.providerId
+/**
+* Resolve the 10-char Developer Portal Team ID for a selected App Store Connect
+* provider. Uses the provider's `publicProviderId` directly when it already is a
+* Team ID; otherwise (UUID providers) looks it up from the Developer Portal team
+* list by name — the only field both surfaces share. Falls back to the
+* `publicProviderId` if no match, preserving prior behavior.
+*/
+const resolvePortalTeamId = (appleUtils, provider) => Effect.gen(function* () {
+	if (TEN_CHAR_TEAM_ID.test(provider.publicProviderId)) return provider.publicProviderId;
+	return (yield* Effect.tryPromise({
+		try: async () => appleUtils.Teams.getTeamsAsync(),
+		catch: (cause) => new AppleAuthError$1({ message: `Failed to list Apple Developer teams: ${formatCause(cause)}` })
+	})).find((team) => team.name === provider.name)?.teamId ?? provider.publicProviderId;
 });
 const restoreFromCookies = (appleUtils, cookies) => Effect.tryPromise({
 	try: async () => appleUtils.Auth.loginWithCookiesAsync({ cookies }),
@@ -3112,10 +3122,16 @@ const restoreFromCookies = (appleUtils, cookies) => Effect.tryPromise({
 const resolveSessionTeam = (appleUtils, state) => Effect.gen(function* () {
 	const { availableProviders } = state.session;
 	const resolution = yield* resolveProvider(appleUtils, availableProviders, state.context.providerId ?? state.session.provider.providerId);
-	if (!resolution.switched || resolution.providerId === void 0) return sessionFromAuthState(state);
-	const picked = availableProviders.find((provider) => provider.providerId === resolution.providerId);
-	if (picked === void 0) return yield* new AppleAuthError$1({ message: `Selected provider ${String(resolution.providerId)} not in available providers list.` });
-	return sessionFromProvider(state.username, picked);
+	const switched = resolution.switched && resolution.providerId !== void 0;
+	const provider = switched ? availableProviders.find((entry) => entry.providerId === resolution.providerId) : state.session.provider;
+	if (provider === void 0) return yield* new AppleAuthError$1({ message: `Selected provider ${String(resolution.providerId)} not in available providers list.` });
+	const teamId = (!switched && state.context.teamId !== void 0 && TEN_CHAR_TEAM_ID.test(state.context.teamId) ? state.context.teamId : void 0) ?? (yield* resolvePortalTeamId(appleUtils, provider));
+	return {
+		username: state.username,
+		teamId,
+		teamName: provider.name,
+		providerId: provider.providerId
+	};
 });
 const loginWithCredentials = (appleUtils, credentials) => Effect.tryPromise({
 	try: async () => appleUtils.Auth.loginWithUserCredentialsAsync(credentials, { autoResolveProvider: true }),
@@ -20755,6 +20771,7 @@ const DISTRIBUTION_TO_CERTIFICATE_TYPE = {
 	DEVELOPMENT: AppleUtils.CertificateType.IOS_DEVELOPMENT
 };
 var AppleIdGenerateFailedError = class extends Data.TaggedError("AppleIdGenerateFailedError") {};
+var ApnsKeyLimitError = class extends Data.TaggedError("ApnsKeyLimitError") {};
 const CERT_LIMIT_PATTERN = /already have a current.*certificate|pending certificate request/iu;
 const messageOf = (cause) => cause instanceof Error ? cause.message : String(cause);
 const wrap = (step, run) => Effect.tryPromise({
@@ -20899,6 +20916,86 @@ const generateAndUploadProvisioningProfileViaAppleId = (api, input) => Effect.ge
 		developerPortalIdentifier: created.developerPortalIdentifier
 	};
 });
+const APNS_SERVICE_ID = "U27F4V844T";
+const APNS_KEY_LIMIT_PATTERN = /maximum allowed number of .*keys/iu;
+const wrapKeyCreate = (run) => Effect.tryPromise({
+	try: run,
+	catch: (cause) => {
+		const message = messageOf(cause);
+		return cause instanceof AppleUtils.Keys.MaxKeysCreatedError || APNS_KEY_LIMIT_PATTERN.test(message) ? new ApnsKeyLimitError({ message }) : new AppleIdGenerateFailedError({
+			step: "apple-create-key",
+			message
+		});
+	}
+});
+const writeRescueP8 = (keyId, p8Pem) => Effect.gen(function* () {
+	const fs = yield* FileSystem.FileSystem;
+	const filePath = `AuthKey_${keyId}.p8`;
+	yield* fs.writeFileString(filePath, p8Pem, { mode: 384 });
+	return filePath;
+});
+const generateAndUploadApnsKeyViaAppleId = (api, input) => Effect.gen(function* () {
+	const ctx = input.context;
+	const key = yield* wrapKeyCreate(async () => AppleUtils.Keys.createKeyAsync(ctx, {
+		name: input.name,
+		isApns: true
+	}));
+	const p8Pem = yield* wrap("apple-download-key", async () => AppleUtils.Keys.downloadKeyAsync(ctx, { id: key.id }));
+	const metadata = {
+		keyId: key.id,
+		appleTeamIdentifier: input.appleTeamIdentifier
+	};
+	return {
+		id: (yield* Effect.gen(function* () {
+			const envelope = yield* sealForUpload({
+				session: yield* openVaultSessionInteractive(api),
+				credentialType: "push-key",
+				metadata,
+				secret: { p8Pem }
+			});
+			return yield* api.applePushKeys.upload({ payload: {
+				...toUploadEnvelope(envelope),
+				...metadata
+			} });
+		}).pipe(Effect.catchAll((cause) => Effect.gen(function* () {
+			const rescuePath = yield* writeRescueP8(key.id, p8Pem).pipe(Effect.catchAll(() => Effect.succeed(null)));
+			const where = rescuePath === null ? "could not be saved locally and is now unrecoverable" : `was saved to ${rescuePath} — re-import with \`credentials generate push-key --p8 ${rescuePath} --key-id ${key.id} --apple-team-id ${input.appleTeamIdentifier}\``;
+			return yield* new AppleIdGenerateFailedError({
+				step: "store-apns-key",
+				message: `Created APNs key ${key.id} on Apple but failed to store it (${messageOf(cause)}). The downloaded .p8 ${where}.`
+			});
+		})))).id,
+		keyId: key.id,
+		appleTeamIdentifier: input.appleTeamIdentifier,
+		name: key.name
+	};
+});
+const listApnsKeysViaAppleId = (ctx) => Effect.gen(function* () {
+	const keys = yield* wrap("apple-list-keys", async () => AppleUtils.Keys.getKeysAsync(ctx));
+	return (yield* Effect.forEach(keys, (key) => wrap("apple-get-key-info", async () => AppleUtils.Keys.getKeyInfoAsync(ctx, { id: key.id })), { concurrency: 4 })).filter((info) => info.services.some((service) => service.id === APNS_SERVICE_ID)).map((info) => ({
+		developerPortalKeyId: info.id,
+		name: info.name,
+		canRevoke: info.canRevoke
+	}));
+});
+const revokeApnsKeyViaAppleId = (ctx, developerPortalKeyId) => wrap("apple-revoke-key", async () => AppleUtils.Keys.revokeKeyAsync(ctx, { id: developerPortalKeyId }));
+/**
+* Revoke an APNs key on Apple and (optionally) delete the stored copy. Only keys
+* still present on the portal are revoked — one already gone upstream is treated
+* as `revokedOnApple: false` and still deleted locally, so cleanup never wedges.
+* Shared by the `revoke push-key` command and the interactive wizard.
+*/
+const revokeLocalApnsKey = (api, input) => Effect.gen(function* () {
+	const present = (yield* listApnsKeysViaAppleId(input.context)).some((entry) => entry.developerPortalKeyId === input.keyId);
+	if (present) yield* revokeApnsKeyViaAppleId(input.context, input.keyId);
+	if (!input.keepLocal) yield* api.applePushKeys.delete({ path: { id: input.pushKeyId } });
+	return {
+		localId: input.pushKeyId,
+		keyId: input.keyId,
+		revokedOnApple: present,
+		deletedLocally: !input.keepLocal
+	};
+});
 
 //#endregion
 //#region src/lib/ios-bundle-config-upsert.ts
@@ -20971,6 +21068,36 @@ const interactiveAppleIdCertLimitRecover = (ctx) => Effect.gen(function* () {
 	yield* Effect.forEach(toRevoke, (id) => revokeDistributionCertViaAppleId(ctx, id), { concurrency: "inherit" });
 	yield* Console.log(`Revoked ${toRevoke.length} certificate(s); retrying generation...`);
 });
+const defaultApnsKeyName = () => `better-update APNs (${(/* @__PURE__ */ new Date()).toISOString().slice(0, 10)})`;
+const apnsKeyLimitRecover = (ctx) => Effect.gen(function* () {
+	yield* Console.log("");
+	yield* Console.log("Apple reports the APNs key limit was hit (max 2 keys per team).");
+	const revocable = (yield* listApnsKeysViaAppleId(ctx)).filter((entry) => entry.canRevoke);
+	if (revocable.length === 0) return yield* new CredentialValidationError({ message: "Apple says the APNs key limit is hit but no revocable keys were returned." });
+	const toRevoke = yield* promptMultiSelect("Select one or more APNs keys to revoke before retrying", revocable.map((entry) => ({
+		value: entry.developerPortalKeyId,
+		label: `${entry.name} (${entry.developerPortalKeyId})`
+	})), { required: true });
+	yield* Effect.forEach(toRevoke, (id) => revokeApnsKeyViaAppleId(ctx, id), { concurrency: "inherit" });
+	yield* Console.log(`Revoked ${toRevoke.length} key(s); retrying creation...`);
+});
+/**
+* Log in with Apple ID, create a fresh APNs `.p8` on the portal, download it, and
+* upload it end-to-end encrypted — recovering interactively from the key limit.
+* Returns the stored credential; callers render their own success output. Shared
+* by the `generate push-key` command and the interactive wizard.
+*/
+const createApnsKeyViaAppleId = (api, name) => Effect.gen(function* () {
+	const auth = yield* AppleAuth;
+	const session = yield* auth.ensureLoggedIn();
+	const ctx = auth.buildRequestContext(session);
+	const generate = generateAndUploadApnsKeyViaAppleId(api, {
+		context: ctx,
+		appleTeamIdentifier: session.teamId,
+		name
+	});
+	return yield* generate.pipe(Effect.catchTag("ApnsKeyLimitError", () => apnsKeyLimitRecover(ctx).pipe(Effect.flatMap(() => generate))));
+});
 const generateDistributionCertViaAppleIdInteractive = (api, ctx) => Effect.gen(function* () {
 	yield* Console.log("Generating distribution certificate via Apple ID...");
 	const generate = generateAndUploadDistributionCertificateViaAppleId(api, { context: ctx });
@@ -26992,6 +27119,39 @@ const revokeIosDistributionCert = (ctx) => Effect.gen(function* () {
 		["Deleted locally", result.deletedLocally ? "yes" : "no (kept)"]
 	]);
 });
+const revokeIosPushKey = (ctx) => Effect.gen(function* () {
+	const { items } = yield* ctx.api.applePushKeys.list();
+	if (items.length === 0) return yield* new MissingCredentialsError({
+		message: "No APNs push keys in this account.",
+		hint: "Run 'Add a new push key' to create one first."
+	});
+	const localId = yield* promptSelect("Select a push key to revoke", items.map((key) => ({
+		value: key.id,
+		label: `${key.keyId} (team ${key.appleTeamId})`
+	})));
+	const target = items.find((entry) => entry.id === localId);
+	if (target === void 0) return yield* new MissingCredentialsError({
+		message: `Selected push key ${localId} not found.`,
+		hint: "Re-run and pick again."
+	});
+	const keepLocal = yield* promptConfirm("Keep the key in this account after revoking?", { initialValue: false });
+	const auth = yield* AppleAuth;
+	const session = yield* auth.ensureLoggedIn();
+	yield* Console.log("Logging in to Apple and revoking the push key...");
+	const result = yield* revokeLocalApnsKey(ctx.api, {
+		context: auth.buildRequestContext(session),
+		pushKeyId: target.id,
+		keyId: target.keyId,
+		keepLocal
+	});
+	yield* Console.log("Revoke complete.");
+	yield* printKeyValue([
+		["Local ID", result.localId],
+		["Key ID", result.keyId],
+		["Revoked on Apple", result.revokedOnApple ? "yes" : "no (not present on portal)"],
+		["Deleted locally", result.deletedLocally ? "yes" : "no (kept)"]
+	]);
+});
 
 //#endregion
 //#region src/application/credentials-manager-ios.ts
@@ -27056,8 +27216,26 @@ const generateNewIosDistributionCert = (ctx) => Effect.gen(function* () {
 		["Apple team", created.appleTeamIdentifier]
 	]);
 });
+const promptPushKeyMethod = () => promptSelect("How do you want to provide the APNs auth key?", [{
+	value: "apple-id",
+	label: "Create a new key by logging in with your Apple ID (recommended)"
+}, {
+	value: "upload",
+	label: "Upload a .p8 you already downloaded from the Apple portal"
+}]);
 const addIosPushKey = (ctx) => Effect.gen(function* () {
-	yield* printHuman("Apple does not expose APNs key creation via API.");
+	if ((yield* promptPushKeyMethod()) === "apple-id") {
+		const created = yield* createApnsKeyViaAppleId(ctx.api, defaultApnsKeyName());
+		yield* Console.log("APNs push key created and registered.");
+		yield* printKeyValue([
+			["ID", created.id],
+			["Key ID", created.keyId],
+			["Apple team", created.appleTeamIdentifier],
+			["Name", created.name]
+		]);
+		return;
+	}
+	yield* printHuman("Apple does not expose APNs key creation via the public ASC API.");
 	yield* printHuman(`Create one here, download .p8, then return: ${APPLE_PUSH_KEY_PORTAL_URL$1}`);
 	const keyId = (yield* promptText("APNs key ID (10 uppercase alphanumeric)")).trim().toUpperCase();
 	if (!APPLE_TEN_CHARS.test(keyId)) return yield* new CredentialValidationError({ message: `Push key ID "${keyId}" must be 10 uppercase alphanumeric characters.` });
@@ -27119,7 +27297,12 @@ const setupProjectPushNotifications = (ctx) => Effect.gen(function* () {
 	yield* Console.log(`Push notifications set up: key ${pushKeyId} bound to ${config.bundleIdentifier} (${config.distributionType}).`);
 });
 const createNewPushKeyForBundle = (ctx, fallbackTeamId) => Effect.gen(function* () {
-	yield* printHuman("Apple does not expose APNs key creation via API.");
+	if ((yield* promptPushKeyMethod()) === "apple-id") {
+		const created = yield* createApnsKeyViaAppleId(ctx.api, defaultApnsKeyName());
+		yield* Console.log(`APNs push key ${created.keyId} created.`);
+		return created.id;
+	}
+	yield* printHuman("Apple does not expose APNs key creation via the public ASC API.");
 	yield* printHuman(`Create one here, download .p8, then return: ${APPLE_PUSH_KEY_PORTAL_URL$1}`);
 	const rawKeyId = (yield* promptText("APNs key ID (10 uppercase alphanumeric)")).trim().toUpperCase();
 	if (!APPLE_TEN_CHARS.test(rawKeyId)) return yield* new CredentialValidationError({ message: `Push key ID "${rawKeyId}" must be 10 uppercase alphanumeric characters.` });
@@ -27206,9 +27389,13 @@ const iosPushKeysMenu = (ctx) => Effect.gen(function* () {
 			value: "bind",
 			label: "Use an existing push key"
 		},
+		{
+			value: "revoke",
+			label: "Revoke a push key (Apple Developer Portal)"
+		},
 		{
 			value: "remove",
-			label: "Remove a push key"
+			label: "Remove a push key (local only)"
 		},
 		{
 			value: BACK,
@@ -27219,6 +27406,7 @@ const iosPushKeysMenu = (ctx) => Effect.gen(function* () {
 	if (choice === "setup") yield* safely("set up push notifications", setupProjectPushNotifications(ctx));
 	else if (choice === "add") yield* safely("add push key", addIosPushKey(ctx));
 	else if (choice === "bind") yield* safely("bind push key", bindIosPushKey(ctx));
+	else if (choice === "revoke") yield* safely("revoke push key", revokeIosPushKey(ctx));
 	else if (choice === "remove") yield* safely("remove push key", pickAndDelete(ctx, "push-key", "APNs push key"));
 	yield* iosPushKeysMenu(ctx);
 });
@@ -28193,6 +28381,129 @@ const downloadCommand = defineCommand({
 	}), { json: "value" })
 });
 
+//#endregion
+//#region src/commands/credentials/generate-push-key.ts
+const PUSH_KEY_EXIT_EXTRAS = {
+	CredentialValidationError: 2,
+	AppleIdGenerateFailedError: 6,
+	ApnsKeyLimitError: 6,
+	AppleAuthError: 4,
+	InteractiveProhibitedError: 4
+};
+const APPLE_PUSH_KEY_PORTAL_URL = "https://developer.apple.com/account/resources/authkeys/list";
+const KEY_ID_PATTERN = /^[A-Z0-9]{10}$/u;
+const APPLE_TEAM_ID_PATTERN = /^[A-Z0-9]{10}$/u;
+const resolveAppleTeamFromAscKey = (api, ascApiKeyId) => Effect.gen(function* () {
+	if (ascApiKeyId === void 0) return;
+	const teamId = (yield* api.ascApiKeys.list()).items.find((entry) => entry.id === ascApiKeyId)?.appleTeamId;
+	return typeof teamId === "string" ? teamId : void 0;
+});
+const validateKeyId = (value) => KEY_ID_PATTERN.test(value) ? Effect.succeed(value) : Effect.fail(new CredentialValidationError({ message: `Push key ID "${value}" must be 10 uppercase alphanumeric characters.` }));
+const validateAppleTeamId = (value) => APPLE_TEAM_ID_PATTERN.test(value) ? Effect.succeed(value) : Effect.fail(new CredentialValidationError({ message: `Apple Team ID "${value}" must be 10 uppercase alphanumeric characters.` }));
+const resolvePushKeyInput = (api, args) => Effect.gen(function* () {
+	const derivedTeamId = yield* resolveAppleTeamFromAscKey(api, args["asc-key-id"]);
+	const keyId = yield* validateKeyId((args["key-id"] ?? (yield* promptText("APNs key ID (10 uppercase alphanumeric)"))).trim().toUpperCase());
+	const appleTeamIdentifier = yield* validateAppleTeamId((args["apple-team-id"] ?? derivedTeamId ?? (yield* promptText("Apple Team identifier (10 uppercase alphanumeric)"))).trim().toUpperCase());
+	const p8Path = args.p8 ?? (yield* promptText("Path to the AuthKey_XXXXXXXXXX.p8 file you downloaded"));
+	if (p8Path.trim().length === 0) return yield* new CredentialValidationError({ message: "Missing --p8 path" });
+	return {
+		keyId,
+		appleTeamIdentifier,
+		p8Path,
+		name: args.name ?? keyId
+	};
+});
+const resolvePushKeyMethod = (args) => Effect.gen(function* () {
+	if (args.p8 !== void 0 && args.p8.trim().length > 0) return "upload";
+	if (args.method === "upload" || args.method === "apple-id") return args.method;
+	return yield* promptSelect("How do you want to provide the APNs auth key?", [{
+		value: "apple-id",
+		label: "Create a new key by logging in with your Apple ID (recommended)"
+	}, {
+		value: "upload",
+		label: "Upload a .p8 you already downloaded from the Apple portal"
+	}]);
+});
+const uploadPushKeyFromFile = (api, args) => Effect.gen(function* () {
+	if (args["skip-portal-hint"] !== true) {
+		yield* printHuman("Apple does not expose APNs key creation via the public ASC API.");
+		yield* printHuman("Create the key here, download the .p8, then come back:");
+		yield* printHuman(`  ${APPLE_PUSH_KEY_PORTAL_URL}`);
+		yield* printHuman("");
+	}
+	const resolved = yield* resolvePushKeyInput(api, args);
+	yield* printHuman("Uploading APNs auth key...");
+	const credential = yield* uploadCredential(api, {
+		platform: "ios",
+		type: "push-key",
+		name: resolved.name,
+		filePath: resolved.p8Path,
+		keyId: resolved.keyId,
+		appleTeamIdentifier: resolved.appleTeamIdentifier
+	});
+	yield* printHuman("APNs push key registered.");
+	yield* printHumanKeyValue([
+		["ID", credential.id],
+		["Key ID", resolved.keyId],
+		["Apple team", resolved.appleTeamIdentifier]
+	]);
+	return credential;
+});
+const pushKeyCommand$1 = defineCommand({
+	meta: {
+		name: "push-key",
+		description: "Create an APNs auth key (.p8) by logging in with your Apple ID, or upload one you downloaded; the key is end-to-end encrypted before upload"
+	},
+	args: {
+		method: {
+			type: "enum",
+			options: ["apple-id", "upload"],
+			description: "How to obtain the key: 'apple-id' (create via login) or 'upload' (provide --p8)"
+		},
+		"key-id": {
+			type: "string",
+			description: "APNs key ID — upload only (10 uppercase alphanumeric)"
+		},
+		"apple-team-id": {
+			type: "string",
+			description: "Apple Team identifier — upload only"
+		},
+		p8: {
+			type: "string",
+			description: "Path to the AuthKey_XXXXXXXXXX.p8 file (forces upload)"
+		},
+		"asc-key-id": {
+			type: "string",
+			description: "ASC API key ID to derive --apple-team-id automatically (upload only)"
+		},
+		name: {
+			type: "string",
+			description: "Display name (Apple ID: key name; upload: defaults to key ID)"
+		},
+		"skip-portal-hint": {
+			type: "boolean",
+			description: "Skip the Apple Developer portal URL hint (upload only)"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const api = yield* apiClient;
+		if ((yield* resolvePushKeyMethod(args)) === "upload") return yield* uploadPushKeyFromFile(api, args);
+		yield* printHuman("Creating an APNs auth key via your Apple ID...");
+		const created = yield* createApnsKeyViaAppleId(api, args.name ?? defaultApnsKeyName());
+		yield* printHuman("APNs push key created and registered.");
+		yield* printHumanKeyValue([
+			["ID", created.id],
+			["Key ID", created.keyId],
+			["Apple team", created.appleTeamIdentifier],
+			["Name", created.name]
+		]);
+		return created;
+	}), {
+		exits: PUSH_KEY_EXIT_EXTRAS,
+		json: "value"
+	})
+});
+
 //#endregion
 //#region src/commands/credentials/generate.ts
 const GENERATE_EXIT_EXTRAS = {
@@ -28401,90 +28712,6 @@ const parseDeviceIds = (raw) => {
 	const ids = raw.split(",").map((id) => id.trim()).filter((id) => id.length > 0);
 	return ids.length === 0 ? void 0 : ids;
 };
-const APPLE_PUSH_KEY_PORTAL_URL = "https://developer.apple.com/account/resources/authkeys/list";
-const KEY_ID_PATTERN = /^[A-Z0-9]{10}$/u;
-const APPLE_TEAM_ID_PATTERN = /^[A-Z0-9]{10}$/u;
-const resolveAppleTeamFromAscKey = (api, ascApiKeyId) => Effect.gen(function* () {
-	if (ascApiKeyId === void 0) return;
-	const teamId = (yield* api.ascApiKeys.list()).items.find((entry) => entry.id === ascApiKeyId)?.appleTeamId;
-	return typeof teamId === "string" ? teamId : void 0;
-});
-const validateKeyId = (value) => KEY_ID_PATTERN.test(value) ? Effect.succeed(value) : Effect.fail(new CredentialValidationError({ message: `Push key ID "${value}" must be 10 uppercase alphanumeric characters.` }));
-const validateAppleTeamId = (value) => APPLE_TEAM_ID_PATTERN.test(value) ? Effect.succeed(value) : Effect.fail(new CredentialValidationError({ message: `Apple Team ID "${value}" must be 10 uppercase alphanumeric characters.` }));
-const pushKeyCommand = defineCommand({
-	meta: {
-		name: "push-key",
-		description: "Register an APNs auth key (.p8) — guides you through creating one in the Apple Developer portal, then uploads it"
-	},
-	args: {
-		"key-id": {
-			type: "string",
-			description: "APNs key ID (10 uppercase alphanumeric)"
-		},
-		"apple-team-id": {
-			type: "string",
-			description: "Apple Team identifier"
-		},
-		p8: {
-			type: "string",
-			description: "Path to the AuthKey_XXXXXXXXXX.p8 file"
-		},
-		"asc-key-id": {
-			type: "string",
-			description: "ASC API key ID to derive --apple-team-id automatically"
-		},
-		name: {
-			type: "string",
-			description: "Display name (defaults to the key ID)"
-		},
-		"skip-portal-hint": {
-			type: "boolean",
-			description: "Skip the Apple Developer portal URL hint (already created the key)"
-		}
-	},
-	run: async ({ args }) => runEffect(Effect.gen(function* () {
-		const api = yield* apiClient;
-		if (args["skip-portal-hint"] !== true) {
-			yield* printHuman("Apple does not expose APNs key creation via the public ASC API.");
-			yield* printHuman("Create the key here, download the .p8, then come back:");
-			yield* printHuman(`  ${APPLE_PUSH_KEY_PORTAL_URL}`);
-			yield* printHuman("");
-		}
-		const resolved = yield* resolvePushKeyInput(api, args);
-		yield* printHuman("Uploading APNs auth key...");
-		const credential = yield* uploadCredential(api, {
-			platform: "ios",
-			type: "push-key",
-			name: resolved.name,
-			filePath: resolved.p8Path,
-			keyId: resolved.keyId,
-			appleTeamIdentifier: resolved.appleTeamIdentifier
-		});
-		yield* printHuman("APNs push key registered.");
-		yield* printHumanKeyValue([
-			["ID", credential.id],
-			["Key ID", resolved.keyId],
-			["Apple team", resolved.appleTeamIdentifier]
-		]);
-		return credential;
-	}), {
-		exits: GENERATE_EXIT_EXTRAS,
-		json: "value"
-	})
-});
-const resolvePushKeyInput = (api, args) => Effect.gen(function* () {
-	const derivedTeamId = yield* resolveAppleTeamFromAscKey(api, args["asc-key-id"]);
-	const keyId = yield* validateKeyId((args["key-id"] ?? (yield* promptText("APNs key ID (10 uppercase alphanumeric)"))).trim().toUpperCase());
-	const appleTeamIdentifier = yield* validateAppleTeamId((args["apple-team-id"] ?? derivedTeamId ?? (yield* promptText("Apple Team identifier (10 uppercase alphanumeric)"))).trim().toUpperCase());
-	const p8Path = args.p8 ?? (yield* promptText("Path to the AuthKey_XXXXXXXXXX.p8 file you downloaded"));
-	if (p8Path.trim().length === 0) return yield* new CredentialValidationError({ message: "Missing --p8 path" });
-	return {
-		keyId,
-		appleTeamIdentifier,
-		p8Path,
-		name: args.name ?? keyId
-	};
-});
 const GSA_FIREBASE_URL = "https://console.firebase.google.com/project/_/settings/serviceaccounts/adminsdk";
 const GSA_GCP_URL = "https://console.cloud.google.com/iam-admin/serviceaccounts";
 const gsaKeyCommand = defineCommand({
@@ -28551,7 +28778,7 @@ const generateCommand$1 = defineCommand({
 		keystore: keystoreCommand,
 		"distribution-certificate": distributionCertificateCommand$1,
 		"provisioning-profile": provisioningProfileCommand,
-		"push-key": pushKeyCommand,
+		"push-key": pushKeyCommand$1,
 		"gsa-key": gsaKeyCommand
 	}
 });
@@ -28956,7 +29183,10 @@ const resolveType = (raw, available) => Effect.gen(function* () {
 //#region src/commands/credentials/revoke.ts
 const REVOKE_EXIT_EXTRAS = {
 	CredentialValidationError: 2,
-	GenerateFailedError: 6
+	GenerateFailedError: 6,
+	AppleIdGenerateFailedError: 6,
+	AppleAuthError: 4,
+	InteractiveProhibitedError: 4
 };
 const resolveAscKeyId = (api, raw) => Effect.gen(function* () {
 	if (raw !== void 0 && raw.length > 0) return raw;
@@ -29011,12 +29241,74 @@ const distributionCertificateCommand = defineCommand({
 		json: "value"
 	})
 });
+const resolvePushKeyTarget = (api, idArg) => Effect.gen(function* () {
+	const { items } = yield* api.applePushKeys.list();
+	if (items.length === 0) return yield* new CredentialValidationError({ message: "No APNs push keys stored. Nothing to revoke." });
+	if (idArg !== void 0 && idArg.length > 0) {
+		const match = items.find((entry) => entry.id === idArg);
+		if (match === void 0) return yield* new CredentialValidationError({ message: `Push key ${idArg} not found.` });
+		return match;
+	}
+	if (items.length === 1) {
+		const [only] = items;
+		if (only !== void 0) return only;
+	}
+	const chosen = yield* promptSelect("Select a push key to revoke", items.map((entry) => ({
+		value: entry.id,
+		label: `${entry.keyId} (team ${entry.appleTeamId})`
+	})));
+	const match = items.find((entry) => entry.id === chosen);
+	if (match === void 0) return yield* new CredentialValidationError({ message: `Selected push key ${chosen} not found after listing.` });
+	return match;
+});
+const pushKeyCommand = defineCommand({
+	meta: {
+		name: "push-key",
+		description: "Revoke an APNs auth key on the Apple Developer Portal (via Apple ID login) and delete it from this account"
+	},
+	args: {
+		id: {
+			type: "string",
+			description: "Local push key ID (prompts if omitted)"
+		},
+		"keep-local": {
+			type: "boolean",
+			description: "Revoke on Apple but keep the credential in this account"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const api = yield* apiClient;
+		const target = yield* resolvePushKeyTarget(api, args.id);
+		const auth = yield* AppleAuth;
+		const session = yield* auth.ensureLoggedIn();
+		const result = yield* revokeLocalApnsKey(api, {
+			context: auth.buildRequestContext(session),
+			pushKeyId: target.id,
+			keyId: target.keyId,
+			keepLocal: args["keep-local"] ?? false
+		});
+		yield* printHuman("APNs push key revoke complete.");
+		yield* printHumanKeyValue([
+			["Local ID", result.localId],
+			["Key ID", result.keyId],
+			["Revoked on Apple", result.revokedOnApple ? "yes" : "no (not present on portal)"],
+			["Deleted locally", result.deletedLocally ? "yes" : "no (--keep-local)"]
+		]);
+		return result;
+	}), {
+		exits: REVOKE_EXIT_EXTRAS,
+		json: "value"
+	})
+});
 const revokeCommand = defineCommand({
 	meta: {
 		name: "revoke",
 		description: "Revoke credentials on the upstream provider"
 	},
-	subCommands: { "distribution-certificate": distributionCertificateCommand }
+	subCommands: {
+		"distribution-certificate": distributionCertificateCommand,
+		"push-key": pushKeyCommand
+	}
 });
 
 //#endregion