@better-update/cli 0.41.1 → 0.42.0

package/dist/index.mjs

@@ -31,11 +31,11 @@ import { getFormattedSerialNumber, getX509Certificate, parsePKCS12 } from "@expo
 import qrcode from "qrcode-terminal";
 
 //#region \0rolldown/runtime.js
-var __require = /* @__PURE__ */ createRequire(import.meta.url);
+var __require = /* #__PURE__ */ (() => createRequire(import.meta.url))();
 
 //#endregion
 //#region package.json
-var version = "0.41.1";
+var version = "0.42.0";
 
 //#endregion
 //#region src/lib/interactive-mode.ts
@@ -489,6 +489,8 @@ const RotateVaultBody = Schema.Struct({
 var AndroidUploadKeystore = class extends Schema.Class("AndroidUploadKeystore")({
 	id: Id,
 	organizationId: Id,
+	/** User-supplied label from `credentials upload --name`; null for keystores uploaded before names were stored or generated via keytool. */
+	name: Schema.NullOr(Schema.String),
 	keyAlias: Schema.String,
 	md5Fingerprint: Schema.NullOr(Schema.String),
 	sha1Fingerprint: Schema.NullOr(Schema.String),
@@ -505,6 +507,7 @@ var AndroidUploadKeystore = class extends Schema.Class("AndroidUploadKeystore")(
 const UploadAndroidUploadKeystoreBody = Schema.Struct({
 	id: Id,
 	...encryptedEnvelopeFields,
+	name: Schema.optional(Schema.String.pipe(Schema.maxLength(200))),
 	keyAlias: Schema.String.pipe(Schema.minLength(1), Schema.maxLength(200)),
 	md5Fingerprint: Schema.optional(Schema.String.pipe(Schema.maxLength(200))),
 	sha1Fingerprint: Schema.optional(Schema.String.pipe(Schema.maxLength(200))),
@@ -2404,10 +2407,27 @@ var Project = class extends Schema.Class("Project")({
 	lastActivityAt: DateTimeString,
 	/** ISO-8601 timestamp the project was archived (read-only); `null` when active. */
 	archivedAt: Schema.NullOr(DateTimeString),
+	/** Absolute public CDN URL of the project logo; `null` when none is set. */
+	logoUrl: Schema.NullOr(Schema.String),
 	branchCount: Schema.Number,
 	channelCount: Schema.Number,
 	updateCount: Schema.Number
 }) {};
+/** Image MIME types accepted for a project logo. */
+const ProjectLogoContentType = Schema.Literal("image/png", "image/jpeg", "image/webp", "image/svg+xml");
+/**
+* Request a presigned PUT to upload a project logo. The server builds the R2 key
+* itself (`logos/{projectId}`) — never trusting a client-sent key — and signs the
+* content type into the URL, so the direct upload must send the returned headers.
+*/
+const ProjectLogoUploadBody = Schema.Struct({ contentType: ProjectLogoContentType });
+const ProjectLogoUploadResult = Schema.Struct({
+	/** R2 object key the presigned URL targets (`logos/{projectId}`). */
+	key: Schema.String,
+	uploadUrl: Schema.String,
+	uploadExpiresAt: DateTimeString,
+	uploadHeaders: UploadHeaders
+});
 const ProjectSortColumn = Schema.Literal("lastActivityAt", "name", "createdAt", "branchCount", "channelCount", "updateCount");
 const ProjectSort = sortParam(ProjectSortColumn);
 const ListProjectsParams = Schema.Struct({
@@ -2441,6 +2461,15 @@ var ProjectsGroup = class extends HttpApiGroup.make("projects").add(HttpApiEndpo
 }))).add(HttpApiEndpoint.patch("rename")`/api/projects/${idParam}`.setPayload(UpdateProjectBody).addSuccess(Project).annotateContext(OpenApi.annotations({
 	title: "Rename project",
 	description: "Rename a project"
+}))).add(HttpApiEndpoint.post("createLogoUploadUrl")`/api/projects/${idParam}/logo/upload-url`.setPayload(ProjectLogoUploadBody).addSuccess(ProjectLogoUploadResult).annotateContext(OpenApi.annotations({
+	title: "Create project logo upload URL",
+	description: "Request a presigned PUT URL to upload a project logo directly to object storage. Send the returned headers with the upload, then call “Set project logo” to finalize."
+}))).add(HttpApiEndpoint.put("setLogo")`/api/projects/${idParam}/logo`.addSuccess(Project).annotateContext(OpenApi.annotations({
+	title: "Set project logo",
+	description: "Finalize a project logo after its bytes were uploaded via the presigned URL: validates the stored object and records its public CDN URL on the project."
+}))).add(HttpApiEndpoint.del("removeLogo")`/api/projects/${idParam}/logo`.addSuccess(Project).annotateContext(OpenApi.annotations({
+	title: "Remove project logo",
+	description: "Remove the project logo, clearing it back to the default avatar"
 }))).add(HttpApiEndpoint.del("delete")`/api/projects/${idParam}`.addSuccess(DeleteProjectResult).annotateContext(OpenApi.annotations({
 	title: "Delete project",
 	description: "Delete a project and all its branches, channels, and updates"
@@ -2450,7 +2479,7 @@ var ProjectsGroup = class extends HttpApiGroup.make("projects").add(HttpApiEndpo
 }))).add(HttpApiEndpoint.post("unarchive")`/api/projects/${idParam}/unarchive`.addSuccess(Project).annotateContext(OpenApi.annotations({
 	title: "Unarchive project",
 	description: "Restore an archived project to active, writable state"
-}))).addError(NotFound).addError(Conflict).addError(Forbidden).annotateContext(OpenApi.annotations({
+}))).addError(NotFound).addError(Conflict).addError(BadRequest).addError(Forbidden).annotateContext(OpenApi.annotations({
 	title: "Projects",
 	description: "Project management endpoints"
 })) {};
@@ -4970,7 +4999,7 @@ const CODE_SIGNING_ALG = "rsa-v1_5-sha256";
 * `sig="<base64>", keyid="<id>", alg="rsa-v1_5-sha256"`. `alg` defaults to
 * {@link CODE_SIGNING_ALG} (the only value SDK56 verifies).
 */
-const buildExpoSignatureHeader = (params) => serializeDictionary(new Map([
+const buildExpoSignatureHeader = (params) => serializeDictionary(/* @__PURE__ */ new Map([
 	["sig", [params.sig, /* @__PURE__ */ new Map()]],
 	["keyid", [params.keyid, /* @__PURE__ */ new Map()]],
 	["alg", [params.alg ?? "rsa-v1_5-sha256", /* @__PURE__ */ new Map()]]
@@ -6791,7 +6820,7 @@ function wrapMacConstructor(keyLen, macCons, fromMsg) {
 	const mac = macCons;
 	const getArgs = fromMsg || (() => []);
 	const macC = (msg, key) => mac(key, ...getArgs(msg)).update(msg).digest();
-	const tmp = mac(new Uint8Array(keyLen), ...getArgs(new Uint8Array(0)));
+	const tmp = mac(new Uint8Array(keyLen), ...getArgs(/* @__PURE__ */ new Uint8Array(0)));
 	macC.outputLen = tmp.outputLen;
 	macC.blockLen = tmp.blockLen;
 	macC.create = (key, ...args) => mac(key, ...args);
@@ -6888,7 +6917,7 @@ function u64Lengths(dataLength, aadLength, isLE) {
 	anumber$4(dataLength);
 	anumber$4(aadLength);
 	abool$2(isLE);
-	const num = new Uint8Array(16);
+	const num = /* @__PURE__ */ new Uint8Array(16);
 	const view = createView$2(num);
 	view.setBigUint64(0, BigInt(aadLength), isLE);
 	view.setBigUint64(8, BigInt(dataLength), isLE);
@@ -7145,7 +7174,7 @@ function createCipher(core, opts) {
 			toClean.push(k = copyBytes$3(key));
 			sigma = sigma32_32;
 		} else if (l === 16 && allowShortKeys) {
-			k = new Uint8Array(32);
+			k = /* @__PURE__ */ new Uint8Array(32);
 			k.set(key);
 			k.set(key, 16);
 			sigma = sigma16_32;
@@ -7171,7 +7200,7 @@ function createCipher(core, opts) {
 		const nonceNcLen = 16 - counterLength;
 		if (nonceNcLen !== nonce.length) throw new Error(`arx: nonce must be ${nonceNcLen} or 16 bytes`);
 		if (nonceNcLen !== 12) {
-			const nc = new Uint8Array(12);
+			const nc = /* @__PURE__ */ new Uint8Array(12);
 			nc.set(nonce, counterRight ? 0 : 12 - nonce.length);
 			nonce = nc;
 			toClean.push(nonce);
@@ -7229,10 +7258,10 @@ function u8to16(a, i) {
 var Poly1305 = class {
 	blockLen = 16;
 	outputLen = 16;
-	buffer = new Uint8Array(16);
-	r = new Uint16Array(10);
-	h = new Uint16Array(10);
-	pad = new Uint16Array(8);
+	buffer = /* @__PURE__ */ new Uint8Array(16);
+	r = /* @__PURE__ */ new Uint16Array(10);
+	h = /* @__PURE__ */ new Uint16Array(10);
+	pad = /* @__PURE__ */ new Uint16Array(8);
 	pos = 0;
 	finished = false;
 	destroyed = false;
@@ -7368,7 +7397,7 @@ var Poly1305 = class {
 	}
 	finalize() {
 		const { h, pad } = this;
-		const g = new Uint16Array(10);
+		const g = /* @__PURE__ */ new Uint16Array(10);
 		let c = h[1] >>> 13;
 		h[1] &= 8191;
 		for (let i = 2; i < 10; i++) {
@@ -9683,7 +9712,7 @@ function blamka(Ah, Al, Bh, Bl) {
 		l: Rll | 0
 	};
 }
-const A2_BUF = new Uint32Array(256);
+const A2_BUF = /* @__PURE__ */ new Uint32Array(256);
 function G(a, b, c, d) {
 	let Al = A2_BUF[2 * a], Ah = A2_BUF[2 * a + 1];
 	let Bl = A2_BUF[2 * b], Bh = A2_BUF[2 * b + 1];
@@ -9750,7 +9779,7 @@ function block(x, xPos, yPos, outPos, needXor) {
 }
 function Hp(A, dkLen) {
 	const A8 = u8(A);
-	const T = new Uint32Array(1);
+	const T = /* @__PURE__ */ new Uint32Array(1);
 	const T8 = u8(T);
 	T[0] = swap8IfBE(dkLen);
 	if (dkLen <= 64) return blake2b.create({ dkLen }).update(T8).update(A8).digest();
@@ -9811,7 +9840,7 @@ function argon2Init(password, salt, type, opts) {
 	key = abytesOrZero(key, "key");
 	personalization = abytesOrZero(personalization, "personalization");
 	const h = blake2b.create();
-	const BUF = new Uint32Array(1);
+	const BUF = /* @__PURE__ */ new Uint32Array(1);
 	const BUF8 = u8(BUF);
 	for (let item of [
 		p,
@@ -9833,7 +9862,7 @@ function argon2Init(password, salt, type, opts) {
 		BUF[0] = swap8IfBE(i.length);
 		h.update(BUF8).update(i);
 	}
-	const H0 = new Uint32Array(18);
+	const H0 = /* @__PURE__ */ new Uint32Array(18);
 	const H0_8 = u8(H0);
 	h.digestInto(H0_8);
 	const lanes = p;
@@ -9879,7 +9908,7 @@ function argon2Init(password, salt, type, opts) {
 	};
 }
 function argon2Output(B, p, laneLen, dkLen) {
-	const B_final = new Uint32Array(256);
+	const B_final = /* @__PURE__ */ new Uint32Array(256);
 	for (let l = 0; l < p; l++) for (let j = 0; j < 256; j++) B_final[j] ^= B[256 * (laneLen * l + laneLen - 1) + j];
 	const res = Hp(swap32IfBE$1(B_final), dkLen);
 	clean$1(B, B_final);
@@ -10689,7 +10718,7 @@ function pbkdf2Output(PRF, PRFSalt, DK, prfW, u) {
 function pbkdf2(hash, password, salt, opts) {
 	const { c, dkLen, DK, PRF, PRFSalt } = pbkdf2Init(hash, password, salt, opts);
 	let prfW;
-	const arr = new Uint8Array(4);
+	const arr = /* @__PURE__ */ new Uint8Array(4);
 	const view = createView$1(arr);
 	const u = new Uint8Array(PRF.outputLen);
 	for (let ti = 1, pos = 0; pos < dkLen; ti++, pos += PRF.outputLen) {
@@ -13841,7 +13870,7 @@ const rotlH = (h, l, s) => s > 32 ? rotlBH(h, l, s) : rotlSH(h, l, s);
 const rotlL = (h, l, s) => s > 32 ? rotlBL(h, l, s) : rotlSL(h, l, s);
 /** `keccakf1600` internal function, additionally allows to adjust round count. */
 function keccakP(s, rounds = 24) {
-	const B = new Uint32Array(10);
+	const B = /* @__PURE__ */ new Uint32Array(10);
 	for (let round = 24 - rounds; round < 24; round++) {
 		for (let x = 0; x < 10; x++) B[x] = s[x] ^ s[x + 10] ^ s[x + 20] ^ s[x + 30] ^ s[x + 40];
 		for (let x = 0; x < 10; x += 2) {
@@ -13898,7 +13927,7 @@ var Keccak = class Keccak {
 		this.rounds = rounds;
 		anumber$1(outputLen, "outputLen");
 		if (!(0 < blockLen && blockLen < 200)) throw new Error("only keccak-f1600 function is supported");
-		this.state = new Uint8Array(200);
+		this.state = /* @__PURE__ */ new Uint8Array(200);
 		this.state32 = u32(this.state);
 	}
 	clone() {
@@ -14454,7 +14483,7 @@ const genKPKE = (opts) => {
 		},
 		keygen: (seed) => {
 			abytes$1(seed, 32, "seed");
-			const seedDst = new Uint8Array(33);
+			const seedDst = /* @__PURE__ */ new Uint8Array(33);
 			seedDst.set(seed);
 			seedDst[32] = K;
 			const seedHash = HASH512(seedDst);
@@ -18298,7 +18327,7 @@ function domBuffer(arr) {
 var LineReader = class {
 	s;
 	transcript = [];
-	buf = new Uint8Array(0);
+	buf = /* @__PURE__ */ new Uint8Array(0);
 	constructor(stream) {
 		this.s = stream.getReader();
 	}
@@ -18569,20 +18598,20 @@ const hpkeMLKEM768P256 = 80;
 const hpkeDHKEMP256 = 16;
 function hpkeContext(kemID, sharedSecret, info) {
 	const suiteID = hpkeSuiteID(kemID);
-	const pskIDHash = hpkeLabeledExtract(suiteID, void 0, "psk_id_hash", new Uint8Array(0));
+	const pskIDHash = hpkeLabeledExtract(suiteID, void 0, "psk_id_hash", /* @__PURE__ */ new Uint8Array(0));
 	const infoHash = hpkeLabeledExtract(suiteID, void 0, "info_hash", info);
 	const ksContext = new Uint8Array(1 + pskIDHash.length + infoHash.length);
 	ksContext[0] = 0;
 	ksContext.set(pskIDHash, 1);
 	ksContext.set(infoHash, 1 + pskIDHash.length);
-	const secret = hpkeLabeledExtract(suiteID, sharedSecret, "secret", new Uint8Array(0));
+	const secret = hpkeLabeledExtract(suiteID, sharedSecret, "secret", /* @__PURE__ */ new Uint8Array(0));
 	return {
 		key: hpkeLabeledExpand(suiteID, secret, "key", ksContext, 32),
 		nonce: hpkeLabeledExpand(suiteID, secret, "base_nonce", ksContext, 12)
 	};
 }
 function hpkeSuiteID(kemID) {
-	const suiteID = new Uint8Array(10);
+	const suiteID = /* @__PURE__ */ new Uint8Array(10);
 	suiteID.set(new TextEncoder().encode("HPKE"), 0);
 	suiteID[4] = kemID >> 8 & 255;
 	suiteID[5] = kemID & 255;
@@ -18627,7 +18656,7 @@ function hpkeDHKEMP256Encapsulate(recipient) {
 	const kemContext = new Uint8Array(encapsulatedKey.length + recipient.length);
 	kemContext.set(encapsulatedKey, 0);
 	kemContext.set(recipient, encapsulatedKey.length);
-	const suiteID = new Uint8Array(5);
+	const suiteID = /* @__PURE__ */ new Uint8Array(5);
 	suiteID.set(new TextEncoder().encode("KEM"), 0);
 	suiteID[3] = 0;
 	suiteID[4] = 16;
@@ -18748,7 +18777,7 @@ var ScryptRecipient = class {
 	wrapFileKey(fileKey) {
 		const salt = randomBytes$4(16);
 		const label = "age-encryption.org/v1/scrypt";
-		const labelAndSalt = new Uint8Array(44);
+		const labelAndSalt = /* @__PURE__ */ new Uint8Array(44);
 		labelAndSalt.set(new TextEncoder().encode(label));
 		labelAndSalt.set(salt, 28);
 		const key = scrypt(this.passphrase, labelAndSalt, {
@@ -18780,7 +18809,7 @@ var ScryptIdentity = class {
 			const logN = Number(s.args[2]);
 			if (logN > 20) throw Error("scrypt work factor is too high");
 			const label = "age-encryption.org/v1/scrypt";
-			const labelAndSalt = new Uint8Array(44);
+			const labelAndSalt = /* @__PURE__ */ new Uint8Array(44);
 			labelAndSalt.set(new TextEncoder().encode(label));
 			labelAndSalt.set(salt, 28);
 			const key = scrypt(this.passphrase, labelAndSalt, {
@@ -18796,11 +18825,11 @@ var ScryptIdentity = class {
 	}
 };
 function encryptFileKey(fileKey, key) {
-	return chacha20poly1305(key, new Uint8Array(12)).encrypt(fileKey);
+	return chacha20poly1305(key, /* @__PURE__ */ new Uint8Array(12)).encrypt(fileKey);
 }
 function decryptFileKey(body, key) {
 	if (body.length !== 32) throw Error("invalid stanza");
-	const nonce = new Uint8Array(12);
+	const nonce = /* @__PURE__ */ new Uint8Array(12);
 	try {
 		return chacha20poly1305(key, nonce).decrypt(body);
 	} catch {
@@ -18817,7 +18846,7 @@ const chacha20poly1305Overhead = 16;
 const chunkSize = /* @__PURE__ */ (() => 64 * 1024)();
 const chunkSizeWithOverhead = /* @__PURE__ */ (() => chunkSize + chacha20poly1305Overhead)();
 function decryptSTREAM(key) {
-	const streamNonce = new Uint8Array(12);
+	const streamNonce = /* @__PURE__ */ new Uint8Array(12);
 	const incNonce = () => {
 		for (let i = streamNonce.length - 2; i >= 0; i--) {
 			streamNonce[i]++;
@@ -18863,7 +18892,7 @@ function plaintextSize(ciphertextSize) {
 	return size;
 }
 function encryptSTREAM(key) {
-	const streamNonce = new Uint8Array(12);
+	const streamNonce = /* @__PURE__ */ new Uint8Array(12);
 	const incNonce = () => {
 		for (let i = streamNonce.length - 2; i >= 0; i--) {
 			streamNonce[i]++;
@@ -21952,6 +21981,7 @@ const generateAndUploadKeystore = (api, input) => Effect.scoped(Effect.gen(funct
 	});
 	const session = yield* openVaultSessionInteractive(api);
 	const metadata = compact({
+		name: input.name,
 		keyAlias: input.keyAlias,
 		md5Fingerprint: fingerprints.md5,
 		sha1Fingerprint: fingerprints.sha1,
@@ -22928,15 +22958,17 @@ const makeAppleTeamLabeler = (teams) => {
 	return (internalTeamId) => byId.get(internalTeamId) ?? internalTeamId;
 };
 /**
-* Keystore aliases are often cryptic, so surface the type + creation date in the
-* label and the SHA-1 fingerprint (which matches the Play Console upload key) on
-* the active-row hint.
+* Aliases collide across white-label apps (many keystores share `jmango`), so
+* lead with the user-supplied name when present and keep the alias alongside it;
+* surface the type + creation date in the label and the SHA-1 fingerprint (which
+* matches the Play Console upload key) on the active-row hint.
 */
 const keystoreChoice = (item) => {
 	const details = [item.keystoreType, `created ${isoDate(item.createdAt)}`].filter((part) => part !== null);
+	const title = item.name ? `${item.name} (alias ${item.keyAlias})` : item.keyAlias;
 	return {
 		value: item.id,
-		label: `${item.keyAlias} (${details.join(", ")})`,
+		label: `${title} (${details.join(", ")})`,
 		hint: item.sha1Fingerprint ? `SHA-1 ${item.sha1Fingerprint}` : `id ${item.id.slice(0, 8)}…`
 	};
 };
@@ -23973,7 +24005,7 @@ const validateEmbeddedProfile = (bundleDir, expectedUuid, expectedTeamId, bundle
 //#endregion
 //#region src/lib/xcode-targets.ts
 /** Product types whose targets require code-signing with a provisioning profile. */
-const SIGNED_PRODUCT_TYPES = new Set([
+const SIGNED_PRODUCT_TYPES = /* @__PURE__ */ new Set([
 	"com.apple.product-type.application",
 	"com.apple.product-type.app-extension",
 	"com.apple.product-type.messages-extension",
@@ -26828,6 +26860,13 @@ const uploadIosPushCertificate = (api, input, bytes) => Effect.gen(function* ()
 
 //#endregion
 //#region src/lib/credentials-manager.ts
+/** Build a list row, defaulting the optional columns most credential types lack. */
+const makeRow = (fields) => ({
+	name: null,
+	distribution: null,
+	sha1Fingerprint: null,
+	...fields
+});
 const formatDistribution = (value) => value.toLowerCase().replaceAll("_", "-");
 const listAllCredentials = (api) => Effect.gen(function* () {
 	const [certs, pushKeys, pushCerts, payCerts, passCerts, ascKeys, profiles, keystores, googleKeys] = yield* Effect.all([
@@ -26842,68 +26881,72 @@ const listAllCredentials = (api) => Effect.gen(function* () {
 		api.googleServiceAccountKeys.list()
 	], { concurrency: "unbounded" });
 	return [
-		...certs.items.map((cert) => ({
+		...certs.items.map((cert) => makeRow({
 			id: cert.id,
-			name: cert.serialNumber,
+			identifier: cert.serialNumber,
 			platform: "ios",
 			type: "distribution-certificate",
-			distribution: null
+			createdAt: cert.createdAt
 		})),
-		...pushKeys.items.map((key) => ({
+		...pushKeys.items.map((key) => makeRow({
 			id: key.id,
-			name: key.keyId,
+			identifier: key.keyId,
 			platform: "ios",
 			type: "push-key",
-			distribution: null
+			createdAt: key.createdAt
 		})),
-		...pushCerts.items.map((cert) => ({
+		...pushCerts.items.map((cert) => makeRow({
 			id: cert.id,
-			name: cert.bundleIdentifier,
+			identifier: cert.bundleIdentifier,
 			platform: "ios",
 			type: "push-certificate",
-			distribution: null
+			createdAt: cert.createdAt
 		})),
-		...payCerts.items.map((cert) => ({
+		...payCerts.items.map((cert) => makeRow({
 			id: cert.id,
-			name: cert.merchantIdentifier,
+			identifier: cert.merchantIdentifier,
 			platform: "ios",
 			type: "apple-pay-certificate",
-			distribution: null
+			createdAt: cert.createdAt
 		})),
-		...passCerts.items.map((cert) => ({
+		...passCerts.items.map((cert) => makeRow({
 			id: cert.id,
-			name: cert.passTypeIdentifier,
+			identifier: cert.passTypeIdentifier,
 			platform: "ios",
 			type: "pass-type-certificate",
-			distribution: null
+			createdAt: cert.createdAt
 		})),
-		...ascKeys.items.map((key) => ({
+		...ascKeys.items.map((key) => makeRow({
 			id: key.id,
 			name: key.name,
+			identifier: key.keyId,
 			platform: "ios",
 			type: "asc-api-key",
-			distribution: null
+			createdAt: key.createdAt
 		})),
-		...profiles.items.map((profile) => ({
+		...profiles.items.map((profile) => makeRow({
 			id: profile.id,
-			name: profile.profileName ?? profile.bundleIdentifier,
+			identifier: profile.profileName ?? profile.bundleIdentifier,
 			platform: "ios",
 			type: "provisioning-profile",
-			distribution: formatDistribution(profile.distributionType)
+			distribution: formatDistribution(profile.distributionType),
+			createdAt: profile.createdAt
 		})),
-		...keystores.items.map((ks) => ({
+		...keystores.items.map((ks) => makeRow({
 			id: ks.id,
-			name: ks.keyAlias,
+			name: ks.name,
+			identifier: ks.keyAlias,
 			platform: "android",
 			type: "keystore",
-			distribution: null
+			sha1Fingerprint: ks.sha1Fingerprint,
+			createdAt: ks.createdAt
 		})),
-		...googleKeys.items.map((key) => ({
+		...googleKeys.items.map((key) => makeRow({
 			id: key.id,
-			name: key.clientEmail,
+			identifier: key.clientEmail,
 			platform: "android",
 			type: "google-service-account-key",
-			distribution: null
+			createdAt: key.createdAt
 		}))
 	];
 });
@@ -27020,6 +27063,7 @@ const uploadAndroidKeystore = (api, input, bytes) => Effect.gen(function* () {
 		storePassword: input.password
 	});
 	const metadata = compact({
+		name: input.name,
 		keyAlias: parsed.keyAlias,
 		md5Fingerprint: fingerprints.md5,
 		sha1Fingerprint: fingerprints.sha1,
@@ -27198,7 +27242,7 @@ const TYPE_LABELS = {
 	keystore: "Android keystore",
 	"google-service-account-key": "Google service account key"
 };
-const formatRowLabel$1 = (row) => `${row.name} (${row.id.slice(0, 8)}…)`;
+const formatRowLabel$1 = (row) => `${row.name ?? row.identifier} (${row.id.slice(0, 8)}…)`;
 const pickAndDelete = (ctx, type, humanLabel) => Effect.gen(function* () {
 	const matches = filterCredentials(yield* listAllCredentials(ctx.api), { type });
 	if (matches.length === 0) return yield* Console.log(`No ${humanLabel} entries found.`);
@@ -27363,6 +27407,7 @@ const setupAndroidProjectCredentials = (ctx) => Effect.gen(function* () {
 });
 const generateAndroidKeystoreInteractive = (ctx) => Effect.gen(function* () {
 	const alias = yield* promptText("Key alias", { placeholder: "upload-key" });
+	const name = yield* promptText("Display name (label shown in lists)", { placeholder: alias });
 	const storePassword = yield* promptPassword("Keystore password");
 	const keyPassword = yield* promptPassword("Key password");
 	const commonName = yield* promptText("Common name (CN)", { placeholder: "Your App" });
@@ -27370,6 +27415,7 @@ const generateAndroidKeystoreInteractive = (ctx) => Effect.gen(function* () {
 	yield* Console.log("Generating keystore with keytool...");
 	const created = yield* generateAndUploadKeystore(ctx.api, {
 		keyAlias: alias,
+		name: name.trim().length > 0 ? name : alias,
 		storePassword,
 		keyPassword,
 		commonName,
@@ -27381,12 +27427,13 @@ const generateAndroidKeystoreInteractive = (ctx) => Effect.gen(function* () {
 const uploadAndroidKeystoreInteractive = (ctx) => Effect.gen(function* () {
 	const filePath = yield* promptText("Path to the keystore (.jks/.keystore) file");
 	const keyAlias = yield* promptText("Key alias");
+	const name = yield* promptText("Display name (label shown in lists)", { placeholder: keyAlias });
 	const storePassword = yield* promptPassword("Keystore password");
 	const keyPassword = yield* promptPassword("Key password");
 	const created = yield* uploadCredential(ctx.api, {
 		platform: "android",
 		type: "keystore",
-		name: keyAlias,
+		name: name.trim().length > 0 ? name : keyAlias,
 		filePath,
 		keyAlias,
 		keyPassword,
@@ -29422,13 +29469,17 @@ const resolveKeystoreInput = (args) => Effect.gen(function* () {
 	const commonName = args["common-name"] !== void 0 && args["common-name"].trim().length > 0 ? args["common-name"] : yield* promptText("Common name (CN)", { placeholder: "Your App" });
 	const organization = args.organization !== void 0 && args.organization.trim().length > 0 ? args.organization : yield* promptText("Organization (O)", { placeholder: "Your Company" });
 	const validityDays = yield* parseValidityDays(args["validity-days"]);
+	const name = args.name !== void 0 && args.name.trim().length > 0 ? args.name : void 0;
 	return {
 		alias: yield* ensureNonEmpty(alias, "alias"),
 		storePassword: yield* ensureNonEmpty(storePassword, "store-password"),
 		keyPassword: yield* ensureNonEmpty(keyPassword, "key-password"),
 		commonName: yield* ensureNonEmpty(commonName, "common-name"),
 		organization: yield* ensureNonEmpty(organization, "organization"),
-		...compact({ validityDays })
+		...compact({
+			validityDays,
+			name
+		})
 	};
 });
 const keystoreCommand = defineCommand({
@@ -29437,6 +29488,10 @@ const keystoreCommand = defineCommand({
 		description: "Generate a new Android upload keystore via keytool and store it server-side"
 	},
 	args: {
+		name: {
+			type: "string",
+			description: "Display name (label shown in `credentials list`)"
+		},
 		alias: {
 			type: "string",
 			description: "Key alias"
@@ -29472,7 +29527,10 @@ const keystoreCommand = defineCommand({
 			keyPassword: resolved.keyPassword,
 			commonName: resolved.commonName,
 			organization: resolved.organization,
-			...compact({ validityDays: resolved.validityDays })
+			...compact({
+				validityDays: resolved.validityDays,
+				name: resolved.name
+			})
 		});
 		yield* printHuman("");
 		yield* printHuman("Keystore generated and uploaded.");
@@ -29867,15 +29925,19 @@ const listCommand$4 = defineCommand({
 		yield* printList([
 			"ID",
 			"Name",
+			"Identifier",
 			"Platform",
 			"Type",
-			"Distribution"
+			"Created",
+			"SHA-1"
 		], filterCredentials(yield* listAllCredentials(yield* apiClient), args.platform ? { platform: args.platform } : {}).map((row) => [
 			row.id,
-			row.name,
+			row.name ?? "-",
+			row.identifier,
 			row.platform,
 			row.type,
-			row.distribution ?? "-"
+			isoDate(row.createdAt),
+			row.sha1Fingerprint ?? "-"
 		]), "No credentials found.");
 	}))
 });
@@ -29986,8 +30048,9 @@ const CREDENTIAL_TYPES$2 = [
 const isPlatform = (value) => value === "ios" || value === "android";
 const isType = (value) => CREDENTIAL_TYPES$2.includes(value);
 const formatRowLabel = (row) => {
+	const label = row.name ? `${row.name} (${row.identifier})` : row.identifier;
 	const distro = row.distribution ? ` (${row.distribution})` : "";
-	return `${row.type}: ${row.name}${distro} — ${row.id.slice(0, 8)}…`;
+	return `${row.type}: ${label}${distro} — ${row.id.slice(0, 8)}…`;
 };
 const removeCommand = defineCommand({
 	meta: {
@@ -31157,7 +31220,12 @@ const viewKeystore = (api, id) => Effect.gen(function* () {
 		pairs: [
 			["ID", item.id],
 			["Type", "Android upload keystore"],
+			["Name", item.name ?? "-"],
 			["Key alias", item.keyAlias],
+			["Keystore type", item.keystoreType ?? "-"],
+			["SHA-1", item.sha1Fingerprint ?? "-"],
+			["SHA-256", item.sha256Fingerprint ?? "-"],
+			["MD5", item.md5Fingerprint ?? "-"],
 			["Created", item.createdAt],
 			["Updated", item.updatedAt]
 		],