@better-update/cli 0.41.0 → 0.41.2

package/dist/index.mjs

@@ -31,11 +31,11 @@ import { getFormattedSerialNumber, getX509Certificate, parsePKCS12 } from "@expo
 import qrcode from "qrcode-terminal";
 
 //#region \0rolldown/runtime.js
-var __require = /* @__PURE__ */ createRequire(import.meta.url);
+var __require = /* #__PURE__ */ (() => createRequire(import.meta.url))();
 
 //#endregion
 //#region package.json
-var version = "0.41.0";
+var version = "0.41.2";
 
 //#endregion
 //#region src/lib/interactive-mode.ts
@@ -2404,10 +2404,27 @@ var Project = class extends Schema.Class("Project")({
 	lastActivityAt: DateTimeString,
 	/** ISO-8601 timestamp the project was archived (read-only); `null` when active. */
 	archivedAt: Schema.NullOr(DateTimeString),
+	/** Absolute public CDN URL of the project logo; `null` when none is set. */
+	logoUrl: Schema.NullOr(Schema.String),
 	branchCount: Schema.Number,
 	channelCount: Schema.Number,
 	updateCount: Schema.Number
 }) {};
+/** Image MIME types accepted for a project logo. */
+const ProjectLogoContentType = Schema.Literal("image/png", "image/jpeg", "image/webp", "image/svg+xml");
+/**
+* Request a presigned PUT to upload a project logo. The server builds the R2 key
+* itself (`logos/{projectId}`) — never trusting a client-sent key — and signs the
+* content type into the URL, so the direct upload must send the returned headers.
+*/
+const ProjectLogoUploadBody = Schema.Struct({ contentType: ProjectLogoContentType });
+const ProjectLogoUploadResult = Schema.Struct({
+	/** R2 object key the presigned URL targets (`logos/{projectId}`). */
+	key: Schema.String,
+	uploadUrl: Schema.String,
+	uploadExpiresAt: DateTimeString,
+	uploadHeaders: UploadHeaders
+});
 const ProjectSortColumn = Schema.Literal("lastActivityAt", "name", "createdAt", "branchCount", "channelCount", "updateCount");
 const ProjectSort = sortParam(ProjectSortColumn);
 const ListProjectsParams = Schema.Struct({
@@ -2441,6 +2458,15 @@ var ProjectsGroup = class extends HttpApiGroup.make("projects").add(HttpApiEndpo
 }))).add(HttpApiEndpoint.patch("rename")`/api/projects/${idParam}`.setPayload(UpdateProjectBody).addSuccess(Project).annotateContext(OpenApi.annotations({
 	title: "Rename project",
 	description: "Rename a project"
+}))).add(HttpApiEndpoint.post("createLogoUploadUrl")`/api/projects/${idParam}/logo/upload-url`.setPayload(ProjectLogoUploadBody).addSuccess(ProjectLogoUploadResult).annotateContext(OpenApi.annotations({
+	title: "Create project logo upload URL",
+	description: "Request a presigned PUT URL to upload a project logo directly to object storage. Send the returned headers with the upload, then call “Set project logo” to finalize."
+}))).add(HttpApiEndpoint.put("setLogo")`/api/projects/${idParam}/logo`.addSuccess(Project).annotateContext(OpenApi.annotations({
+	title: "Set project logo",
+	description: "Finalize a project logo after its bytes were uploaded via the presigned URL: validates the stored object and records its public CDN URL on the project."
+}))).add(HttpApiEndpoint.del("removeLogo")`/api/projects/${idParam}/logo`.addSuccess(Project).annotateContext(OpenApi.annotations({
+	title: "Remove project logo",
+	description: "Remove the project logo, clearing it back to the default avatar"
 }))).add(HttpApiEndpoint.del("delete")`/api/projects/${idParam}`.addSuccess(DeleteProjectResult).annotateContext(OpenApi.annotations({
 	title: "Delete project",
 	description: "Delete a project and all its branches, channels, and updates"
@@ -2450,7 +2476,7 @@ var ProjectsGroup = class extends HttpApiGroup.make("projects").add(HttpApiEndpo
 }))).add(HttpApiEndpoint.post("unarchive")`/api/projects/${idParam}/unarchive`.addSuccess(Project).annotateContext(OpenApi.annotations({
 	title: "Unarchive project",
 	description: "Restore an archived project to active, writable state"
-}))).addError(NotFound).addError(Conflict).addError(Forbidden).annotateContext(OpenApi.annotations({
+}))).addError(NotFound).addError(Conflict).addError(BadRequest).addError(Forbidden).annotateContext(OpenApi.annotations({
 	title: "Projects",
 	description: "Project management endpoints"
 })) {};
@@ -4970,7 +4996,7 @@ const CODE_SIGNING_ALG = "rsa-v1_5-sha256";
 * `sig="<base64>", keyid="<id>", alg="rsa-v1_5-sha256"`. `alg` defaults to
 * {@link CODE_SIGNING_ALG} (the only value SDK56 verifies).
 */
-const buildExpoSignatureHeader = (params) => serializeDictionary(new Map([
+const buildExpoSignatureHeader = (params) => serializeDictionary(/* @__PURE__ */ new Map([
 	["sig", [params.sig, /* @__PURE__ */ new Map()]],
 	["keyid", [params.keyid, /* @__PURE__ */ new Map()]],
 	["alg", [params.alg ?? "rsa-v1_5-sha256", /* @__PURE__ */ new Map()]]
@@ -6791,7 +6817,7 @@ function wrapMacConstructor(keyLen, macCons, fromMsg) {
 	const mac = macCons;
 	const getArgs = fromMsg || (() => []);
 	const macC = (msg, key) => mac(key, ...getArgs(msg)).update(msg).digest();
-	const tmp = mac(new Uint8Array(keyLen), ...getArgs(new Uint8Array(0)));
+	const tmp = mac(new Uint8Array(keyLen), ...getArgs(/* @__PURE__ */ new Uint8Array(0)));
 	macC.outputLen = tmp.outputLen;
 	macC.blockLen = tmp.blockLen;
 	macC.create = (key, ...args) => mac(key, ...args);
@@ -6888,7 +6914,7 @@ function u64Lengths(dataLength, aadLength, isLE) {
 	anumber$4(dataLength);
 	anumber$4(aadLength);
 	abool$2(isLE);
-	const num = new Uint8Array(16);
+	const num = /* @__PURE__ */ new Uint8Array(16);
 	const view = createView$2(num);
 	view.setBigUint64(0, BigInt(aadLength), isLE);
 	view.setBigUint64(8, BigInt(dataLength), isLE);
@@ -7145,7 +7171,7 @@ function createCipher(core, opts) {
 			toClean.push(k = copyBytes$3(key));
 			sigma = sigma32_32;
 		} else if (l === 16 && allowShortKeys) {
-			k = new Uint8Array(32);
+			k = /* @__PURE__ */ new Uint8Array(32);
 			k.set(key);
 			k.set(key, 16);
 			sigma = sigma16_32;
@@ -7171,7 +7197,7 @@ function createCipher(core, opts) {
 		const nonceNcLen = 16 - counterLength;
 		if (nonceNcLen !== nonce.length) throw new Error(`arx: nonce must be ${nonceNcLen} or 16 bytes`);
 		if (nonceNcLen !== 12) {
-			const nc = new Uint8Array(12);
+			const nc = /* @__PURE__ */ new Uint8Array(12);
 			nc.set(nonce, counterRight ? 0 : 12 - nonce.length);
 			nonce = nc;
 			toClean.push(nonce);
@@ -7229,10 +7255,10 @@ function u8to16(a, i) {
 var Poly1305 = class {
 	blockLen = 16;
 	outputLen = 16;
-	buffer = new Uint8Array(16);
-	r = new Uint16Array(10);
-	h = new Uint16Array(10);
-	pad = new Uint16Array(8);
+	buffer = /* @__PURE__ */ new Uint8Array(16);
+	r = /* @__PURE__ */ new Uint16Array(10);
+	h = /* @__PURE__ */ new Uint16Array(10);
+	pad = /* @__PURE__ */ new Uint16Array(8);
 	pos = 0;
 	finished = false;
 	destroyed = false;
@@ -7368,7 +7394,7 @@ var Poly1305 = class {
 	}
 	finalize() {
 		const { h, pad } = this;
-		const g = new Uint16Array(10);
+		const g = /* @__PURE__ */ new Uint16Array(10);
 		let c = h[1] >>> 13;
 		h[1] &= 8191;
 		for (let i = 2; i < 10; i++) {
@@ -9683,7 +9709,7 @@ function blamka(Ah, Al, Bh, Bl) {
 		l: Rll | 0
 	};
 }
-const A2_BUF = new Uint32Array(256);
+const A2_BUF = /* @__PURE__ */ new Uint32Array(256);
 function G(a, b, c, d) {
 	let Al = A2_BUF[2 * a], Ah = A2_BUF[2 * a + 1];
 	let Bl = A2_BUF[2 * b], Bh = A2_BUF[2 * b + 1];
@@ -9750,7 +9776,7 @@ function block(x, xPos, yPos, outPos, needXor) {
 }
 function Hp(A, dkLen) {
 	const A8 = u8(A);
-	const T = new Uint32Array(1);
+	const T = /* @__PURE__ */ new Uint32Array(1);
 	const T8 = u8(T);
 	T[0] = swap8IfBE(dkLen);
 	if (dkLen <= 64) return blake2b.create({ dkLen }).update(T8).update(A8).digest();
@@ -9811,7 +9837,7 @@ function argon2Init(password, salt, type, opts) {
 	key = abytesOrZero(key, "key");
 	personalization = abytesOrZero(personalization, "personalization");
 	const h = blake2b.create();
-	const BUF = new Uint32Array(1);
+	const BUF = /* @__PURE__ */ new Uint32Array(1);
 	const BUF8 = u8(BUF);
 	for (let item of [
 		p,
@@ -9833,7 +9859,7 @@ function argon2Init(password, salt, type, opts) {
 		BUF[0] = swap8IfBE(i.length);
 		h.update(BUF8).update(i);
 	}
-	const H0 = new Uint32Array(18);
+	const H0 = /* @__PURE__ */ new Uint32Array(18);
 	const H0_8 = u8(H0);
 	h.digestInto(H0_8);
 	const lanes = p;
@@ -9879,7 +9905,7 @@ function argon2Init(password, salt, type, opts) {
 	};
 }
 function argon2Output(B, p, laneLen, dkLen) {
-	const B_final = new Uint32Array(256);
+	const B_final = /* @__PURE__ */ new Uint32Array(256);
 	for (let l = 0; l < p; l++) for (let j = 0; j < 256; j++) B_final[j] ^= B[256 * (laneLen * l + laneLen - 1) + j];
 	const res = Hp(swap32IfBE$1(B_final), dkLen);
 	clean$1(B, B_final);
@@ -10689,7 +10715,7 @@ function pbkdf2Output(PRF, PRFSalt, DK, prfW, u) {
 function pbkdf2(hash, password, salt, opts) {
 	const { c, dkLen, DK, PRF, PRFSalt } = pbkdf2Init(hash, password, salt, opts);
 	let prfW;
-	const arr = new Uint8Array(4);
+	const arr = /* @__PURE__ */ new Uint8Array(4);
 	const view = createView$1(arr);
 	const u = new Uint8Array(PRF.outputLen);
 	for (let ti = 1, pos = 0; pos < dkLen; ti++, pos += PRF.outputLen) {
@@ -13841,7 +13867,7 @@ const rotlH = (h, l, s) => s > 32 ? rotlBH(h, l, s) : rotlSH(h, l, s);
 const rotlL = (h, l, s) => s > 32 ? rotlBL(h, l, s) : rotlSL(h, l, s);
 /** `keccakf1600` internal function, additionally allows to adjust round count. */
 function keccakP(s, rounds = 24) {
-	const B = new Uint32Array(10);
+	const B = /* @__PURE__ */ new Uint32Array(10);
 	for (let round = 24 - rounds; round < 24; round++) {
 		for (let x = 0; x < 10; x++) B[x] = s[x] ^ s[x + 10] ^ s[x + 20] ^ s[x + 30] ^ s[x + 40];
 		for (let x = 0; x < 10; x += 2) {
@@ -13898,7 +13924,7 @@ var Keccak = class Keccak {
 		this.rounds = rounds;
 		anumber$1(outputLen, "outputLen");
 		if (!(0 < blockLen && blockLen < 200)) throw new Error("only keccak-f1600 function is supported");
-		this.state = new Uint8Array(200);
+		this.state = /* @__PURE__ */ new Uint8Array(200);
 		this.state32 = u32(this.state);
 	}
 	clone() {
@@ -14454,7 +14480,7 @@ const genKPKE = (opts) => {
 		},
 		keygen: (seed) => {
 			abytes$1(seed, 32, "seed");
-			const seedDst = new Uint8Array(33);
+			const seedDst = /* @__PURE__ */ new Uint8Array(33);
 			seedDst.set(seed);
 			seedDst[32] = K;
 			const seedHash = HASH512(seedDst);
@@ -18298,7 +18324,7 @@ function domBuffer(arr) {
 var LineReader = class {
 	s;
 	transcript = [];
-	buf = new Uint8Array(0);
+	buf = /* @__PURE__ */ new Uint8Array(0);
 	constructor(stream) {
 		this.s = stream.getReader();
 	}
@@ -18569,20 +18595,20 @@ const hpkeMLKEM768P256 = 80;
 const hpkeDHKEMP256 = 16;
 function hpkeContext(kemID, sharedSecret, info) {
 	const suiteID = hpkeSuiteID(kemID);
-	const pskIDHash = hpkeLabeledExtract(suiteID, void 0, "psk_id_hash", new Uint8Array(0));
+	const pskIDHash = hpkeLabeledExtract(suiteID, void 0, "psk_id_hash", /* @__PURE__ */ new Uint8Array(0));
 	const infoHash = hpkeLabeledExtract(suiteID, void 0, "info_hash", info);
 	const ksContext = new Uint8Array(1 + pskIDHash.length + infoHash.length);
 	ksContext[0] = 0;
 	ksContext.set(pskIDHash, 1);
 	ksContext.set(infoHash, 1 + pskIDHash.length);
-	const secret = hpkeLabeledExtract(suiteID, sharedSecret, "secret", new Uint8Array(0));
+	const secret = hpkeLabeledExtract(suiteID, sharedSecret, "secret", /* @__PURE__ */ new Uint8Array(0));
 	return {
 		key: hpkeLabeledExpand(suiteID, secret, "key", ksContext, 32),
 		nonce: hpkeLabeledExpand(suiteID, secret, "base_nonce", ksContext, 12)
 	};
 }
 function hpkeSuiteID(kemID) {
-	const suiteID = new Uint8Array(10);
+	const suiteID = /* @__PURE__ */ new Uint8Array(10);
 	suiteID.set(new TextEncoder().encode("HPKE"), 0);
 	suiteID[4] = kemID >> 8 & 255;
 	suiteID[5] = kemID & 255;
@@ -18627,7 +18653,7 @@ function hpkeDHKEMP256Encapsulate(recipient) {
 	const kemContext = new Uint8Array(encapsulatedKey.length + recipient.length);
 	kemContext.set(encapsulatedKey, 0);
 	kemContext.set(recipient, encapsulatedKey.length);
-	const suiteID = new Uint8Array(5);
+	const suiteID = /* @__PURE__ */ new Uint8Array(5);
 	suiteID.set(new TextEncoder().encode("KEM"), 0);
 	suiteID[3] = 0;
 	suiteID[4] = 16;
@@ -18748,7 +18774,7 @@ var ScryptRecipient = class {
 	wrapFileKey(fileKey) {
 		const salt = randomBytes$4(16);
 		const label = "age-encryption.org/v1/scrypt";
-		const labelAndSalt = new Uint8Array(44);
+		const labelAndSalt = /* @__PURE__ */ new Uint8Array(44);
 		labelAndSalt.set(new TextEncoder().encode(label));
 		labelAndSalt.set(salt, 28);
 		const key = scrypt(this.passphrase, labelAndSalt, {
@@ -18780,7 +18806,7 @@ var ScryptIdentity = class {
 			const logN = Number(s.args[2]);
 			if (logN > 20) throw Error("scrypt work factor is too high");
 			const label = "age-encryption.org/v1/scrypt";
-			const labelAndSalt = new Uint8Array(44);
+			const labelAndSalt = /* @__PURE__ */ new Uint8Array(44);
 			labelAndSalt.set(new TextEncoder().encode(label));
 			labelAndSalt.set(salt, 28);
 			const key = scrypt(this.passphrase, labelAndSalt, {
@@ -18796,11 +18822,11 @@ var ScryptIdentity = class {
 	}
 };
 function encryptFileKey(fileKey, key) {
-	return chacha20poly1305(key, new Uint8Array(12)).encrypt(fileKey);
+	return chacha20poly1305(key, /* @__PURE__ */ new Uint8Array(12)).encrypt(fileKey);
 }
 function decryptFileKey(body, key) {
 	if (body.length !== 32) throw Error("invalid stanza");
-	const nonce = new Uint8Array(12);
+	const nonce = /* @__PURE__ */ new Uint8Array(12);
 	try {
 		return chacha20poly1305(key, nonce).decrypt(body);
 	} catch {
@@ -18817,7 +18843,7 @@ const chacha20poly1305Overhead = 16;
 const chunkSize = /* @__PURE__ */ (() => 64 * 1024)();
 const chunkSizeWithOverhead = /* @__PURE__ */ (() => chunkSize + chacha20poly1305Overhead)();
 function decryptSTREAM(key) {
-	const streamNonce = new Uint8Array(12);
+	const streamNonce = /* @__PURE__ */ new Uint8Array(12);
 	const incNonce = () => {
 		for (let i = streamNonce.length - 2; i >= 0; i--) {
 			streamNonce[i]++;
@@ -18863,7 +18889,7 @@ function plaintextSize(ciphertextSize) {
 	return size;
 }
 function encryptSTREAM(key) {
-	const streamNonce = new Uint8Array(12);
+	const streamNonce = /* @__PURE__ */ new Uint8Array(12);
 	const incNonce = () => {
 		for (let i = streamNonce.length - 2; i >= 0; i--) {
 			streamNonce[i]++;
@@ -20081,6 +20107,50 @@ const initGitRepo = (stagingRoot) => Effect.tryPromise({
 	catch: (cause) => new StagingError({ message: `Failed to init git repo in staging dir: ${formatCause(cause)}` })
 }).pipe(Effect.asVoid);
 /**
+* Snapshot the staged tree as a single commit so its working tree reads CLEAN.
+*
+* EAS stages via `git clone` + checkout, so the tree it hands to
+* `expo prebuild --clean` is a clean checkout. Our `cp` + `git init` leaves
+* every staged file UNTRACKED, which `expo prebuild`'s git check reads as
+* "dirty" (`git status --porcelain` is non-empty). Because the native build
+* runs inside a PTY, Expo's `isInteractive()` is true even with no real
+* controlling TTY, so it prompts `Continue with uncommitted changes?` and then
+* blocks on stdin we never write — hanging CI / backgrounded / piped builds.
+*
+* Committing once here makes `git status` clean, so Expo's check passes on
+* EVERY Expo version — the `EXPO_NO_GIT_STATUS` env gate the build sets only
+* exists in newer Expo — with no global `CI=1` side effects. The real
+* dirty-tree decision already ran against the user's *actual* working tree in
+* `ensureRepoClean` (honoring `--allow-dirty`). Best-effort: hooks are disabled
+* and a failure is non-fatal — the build proceeds and `EXPO_NO_GIT_STATUS`
+* still covers newer Expo.
+*/
+const commitStagingSnapshot = (stagingRoot) => Effect.tryPromise(async () => {
+	const run = async (args) => execFileAsync$1("git", [...args], {
+		cwd: stagingRoot,
+		env: {
+			...process.env,
+			LEFTHOOK: "0",
+			HUSKY: "0"
+		}
+	});
+	await run(["add", "-A"]);
+	await run([
+		"-c",
+		"user.name=better-update",
+		"-c",
+		"user.email=build@better-update.dev",
+		"-c",
+		"commit.gpgsign=false",
+		"commit",
+		"--no-verify",
+		"--allow-empty",
+		"-q",
+		"-m",
+		"better-update staging snapshot"
+	]);
+}).pipe(Effect.ignore);
+/**
 * Install args per package manager, frozen-lockfile variants matching EAS
 * (`bun install --frozen-lockfile` / `npm ci --include=dev` / etc.) so the
 * staged install resolves exactly what the user's lockfile pins.
@@ -20136,6 +20206,7 @@ const prepareStagingProject = (input) => Effect.gen(function* () {
 			env: commandEnv
 		});
 	} else yield* printHuman("No package.json at the staging root — skipping dependency install.");
+	yield* commitStagingSnapshot(stagingRoot);
 	return {
 		stagingRoot,
 		projectRoot,
@@ -23928,7 +23999,7 @@ const validateEmbeddedProfile = (bundleDir, expectedUuid, expectedTeamId, bundle
 //#endregion
 //#region src/lib/xcode-targets.ts
 /** Product types whose targets require code-signing with a provisioning profile. */
-const SIGNED_PRODUCT_TYPES = new Set([
+const SIGNED_PRODUCT_TYPES = /* @__PURE__ */ new Set([
 	"com.apple.product-type.application",
 	"com.apple.product-type.app-extension",
 	"com.apple.product-type.messages-extension",