@better-update/cli 0.44.1 → 0.46.0

package/dist/index.mjs

@@ -35,7 +35,7 @@ var __require = /* #__PURE__ */ (() => createRequire(import.meta.url))();
 
 //#endregion
 //#region package.json
-var version = "0.44.1";
+var version = "0.46.0";
 
 //#endregion
 //#region src/lib/interactive-mode.ts
@@ -5055,6 +5055,27 @@ const writeEasJsonPatch = (projectRoot, patch) => Effect.gen(function* () {
 	return filePath;
 });
 /**
+* Set `submit.<profileName>.ios.ascApiKeyId` in `eas.json`, preserving every
+* other submit profile and key. Used after auto-resolving/creating an ASC API
+* key during `submit` so the next run reuses it instead of creating another.
+*/
+const setSubmitProfileAscApiKeyId = (projectRoot, profileName, ascApiKeyId) => Effect.gen(function* () {
+	const existing = (yield* readEasJsonRaw(projectRoot)) ?? {};
+	const submit = isRecord$1(existing["submit"]) ? existing["submit"] : {};
+	const profile = isRecord$1(submit[profileName]) ? submit[profileName] : {};
+	const ios = isRecord$1(profile["ios"]) ? profile["ios"] : {};
+	return yield* writeEasJsonPatch(projectRoot, { submit: {
+		...submit,
+		[profileName]: {
+			...profile,
+			ios: {
+				...ios,
+				ascApiKeyId
+			}
+		}
+	} });
+});
+/**
 * Default `build` profiles scaffolded by `init` / `build configure`. Mirrors the
 * EAS three-tier convention: `development` (dev-client, internal), `preview`
 * (internal QA) and `production` (store). Keep in sync with the build-profile
@@ -23861,7 +23882,7 @@ const wrapKeyCreate = (run) => Effect.tryPromise({
 		});
 	}
 });
-const writeRescueP8 = (keyId, p8Pem) => Effect.gen(function* () {
+const writeRescueP8$1 = (keyId, p8Pem) => Effect.gen(function* () {
 	const fs = yield* FileSystem.FileSystem;
 	const filePath = `AuthKey_${keyId}.p8`;
 	yield* fs.writeFileString(filePath, p8Pem, { mode: 384 });
@@ -23892,7 +23913,7 @@ const generateAndUploadApnsKeyViaAppleId = (api, input) => Effect.gen(function*
 				...compact({ appleTeamName: toOptional(input.appleTeamName) })
 			} });
 		}).pipe(Effect.catchAll((cause) => Effect.gen(function* () {
-			const rescuePath = yield* writeRescueP8(key.id, p8Pem).pipe(Effect.catchAll(() => Effect.succeed(null)));
+			const rescuePath = yield* writeRescueP8$1(key.id, p8Pem).pipe(Effect.catchAll(() => Effect.succeed(null)));
 			const where = rescuePath === null ? "could not be saved locally and is now unrecoverable" : `was saved to ${rescuePath} — re-import with \`credentials generate push-key --p8 ${rescuePath} --key-id ${key.id} --apple-team-id ${input.appleTeamIdentifier}\``;
 			return yield* new AppleIdGenerateFailedError({
 				step: "store-apns-key",
@@ -28373,6 +28394,107 @@ const androidMenu = (ctx) => Effect.gen(function* () {
 	yield* androidMenu(ctx);
 });
 
+//#endregion
+//#region src/lib/credentials-generator-asc-key.ts
+const toUserRole = (role) => role === "APP_MANAGER" ? AppleUtils.UserRole.APP_MANAGER : AppleUtils.UserRole.ADMIN;
+/** Default nickname shown in App Store Connect → Users and Access → Integrations. */
+const defaultAscApiKeyNickname = () => `[better-update] ${(/* @__PURE__ */ new Date()).toISOString()}`;
+const ASC_KEY_NOT_READY_PATTERN = /no resource of type|resource does not exist/iu;
+const ASC_KEY_DOWNLOAD_RETRY = Schedule.exponential("1 second", 2).pipe(Schedule.intersect(Schedule.recurs(6)));
+const downloadAscKeyWithRetry = (key) => Effect.tryPromise({
+	try: async () => key.downloadAsync(),
+	catch: (cause) => new AppleIdGenerateFailedError({
+		step: "apple-download-asc-key",
+		message: messageOf(cause)
+	})
+}).pipe(Effect.flatMap((pem) => pem === null || pem.length === 0 ? Effect.fail(new AppleIdGenerateFailedError({
+	step: "apple-download-asc-key",
+	message: "App Store Connect returned no private key for the new API key — it may already have been downloaded. A key can only be downloaded once; create a new one or upload the .p8 manually with `credentials upload-asc-key`."
+})) : Effect.succeed(pem)), Effect.retry({
+	while: (error) => ASC_KEY_NOT_READY_PATTERN.test(error.message),
+	schedule: ASC_KEY_DOWNLOAD_RETRY
+}), Effect.catchIf((error) => ASC_KEY_NOT_READY_PATTERN.test(error.message), () => Effect.fail(new AppleIdGenerateFailedError({
+	step: "apple-download-asc-key",
+	message: "App Store Connect is still provisioning the new API key (this can take up to a minute). The key was created — re-run shortly, or download the .p8 from App Store Connect → Users and Access → Integrations and import it with `credentials upload-asc-key`."
+}))));
+const writeRescueP8 = (keyId, p8Pem) => Effect.gen(function* () {
+	const fs = yield* FileSystem.FileSystem;
+	const filePath = `AuthKey_${keyId}.p8`;
+	yield* fs.writeFileString(filePath, p8Pem, { mode: 384 });
+	return filePath;
+});
+/**
+* Create an App Store Connect API key from the Apple ID cookie session, download
+* its one-shot `.p8`, resolve the issuer id, and store the sealed envelope in the
+* vault — the zero-knowledge equivalent of downloading a key from App Store Connect
+* and running `credentials upload-asc-key`, but without the manual round-trip.
+*/
+const generateAndUploadAscApiKeyViaAppleId = (api, input) => Effect.gen(function* () {
+	const ctx = input.context;
+	const key = yield* wrap("apple-create-asc-key", async () => AppleUtils.ApiKey.createAsync(ctx, {
+		nickname: input.nickname,
+		allAppsVisible: true,
+		roles: [toUserRole(input.role)],
+		keyType: AppleUtils.ApiKeyType.PUBLIC_API
+	}));
+	const p8Pem = yield* downloadAscKeyWithRetry(key);
+	const displayName = input.name ?? key.id;
+	const stored = yield* Effect.gen(function* () {
+		const issuerId = (yield* wrap("apple-fetch-asc-key", async () => AppleUtils.ApiKey.infoAsync(ctx, { id: key.id }))).attributes.provider?.id;
+		if (issuerId === void 0 || issuerId.length === 0) return yield* new AppleIdGenerateFailedError({
+			step: "resolve-issuer-id",
+			message: "App Store Connect did not return an issuer ID for the new key. Find it under Users and Access → Integrations and import the .p8 with `credentials upload-asc-key`."
+		});
+		const metadata = compact({
+			name: displayName,
+			keyId: key.id,
+			issuerId,
+			appleTeamIdentifier: input.appleTeamIdentifier
+		});
+		const envelope = yield* sealForUpload({
+			session: yield* openVaultSessionInteractive(api),
+			credentialType: "asc-api-key",
+			metadata,
+			secret: { p8Pem }
+		});
+		return {
+			id: (yield* api.ascApiKeys.upload({ payload: {
+				...toUploadEnvelope(envelope),
+				...metadata
+			} })).id,
+			issuerId
+		};
+	}).pipe(Effect.catchAll((cause) => Effect.gen(function* () {
+		const rescuePath = yield* writeRescueP8(key.id, p8Pem).pipe(Effect.catchAll(() => Effect.succeed(null)));
+		const where = rescuePath === null ? "could not be saved locally and is now unrecoverable" : `was saved to ${rescuePath} — re-import with \`credentials upload-asc-key --p8 ${rescuePath} --key-id ${key.id}\` (find the issuer ID under App Store Connect → Users and Access → Integrations)`;
+		return yield* new AppleIdGenerateFailedError({
+			step: "store-asc-key",
+			message: `Created App Store Connect API key ${key.id} on Apple but failed to store it (${messageOf(cause)}). The downloaded .p8 ${where}.`
+		});
+	})));
+	return {
+		id: stored.id,
+		keyId: key.id,
+		issuerId: stored.issuerId,
+		name: displayName,
+		role: input.role
+	};
+});
+/**
+* List the team's active App Store Connect API keys as seen on Apple (via the
+* cookie session). Used before auto-creating a key to avoid making a redundant
+* one — note a key's `.p8` is downloadable only once, so a key listed here is
+* usable for publishing only if its `.p8` was captured at creation (i.e. it is
+* already in the vault). Surfacing them lets the caller warn + respect Apple's
+* per-team key cap rather than blindly creating another.
+*/
+const listAscApiKeysViaAppleId = (ctx) => Effect.gen(function* () {
+	return (yield* wrap("apple-list-asc-keys", async () => AppleUtils.ApiKey.getAsync(ctx))).filter((key) => key.attributes.isActive).map((key) => ({
+		keyId: key.id,
+		nickname: key.attributes.nickname
+	}));
+});
+
 //#endregion
 //#region src/application/credentials-manager-ios-asc.ts
 const uploadIosAscKey = (ctx) => Effect.gen(function* () {
@@ -28392,6 +28514,33 @@ const uploadIosAscKey = (ctx) => Effect.gen(function* () {
 	yield* Console.log("ASC API key uploaded.");
 	yield* printKeyValue([["ID", created.id], ["Key ID", keyId]]);
 });
+const generateAscKeyViaAppleId = (ctx) => Effect.gen(function* () {
+	const auth = yield* AppleAuth;
+	const session = yield* auth.ensureLoggedIn();
+	const role = yield* promptSelect("Select a role for the generated API key", [{
+		value: "ADMIN",
+		label: "ADMIN (default)"
+	}, {
+		value: "APP_MANAGER",
+		label: "APP_MANAGER (least privilege for app management)"
+	}]);
+	yield* Console.log("Creating an App Store Connect API key via your Apple ID...");
+	return yield* generateAndUploadAscApiKeyViaAppleId(ctx.api, {
+		context: auth.buildRequestContext(session),
+		appleTeamIdentifier: session.teamId,
+		nickname: defaultAscApiKeyNickname(),
+		role
+	});
+});
+const createIosAscKeyViaAppleId = (ctx) => Effect.gen(function* () {
+	const created = yield* generateAscKeyViaAppleId(ctx);
+	yield* Console.log(`Created and stored ASC API key ${created.keyId}.`);
+	yield* printKeyValue([
+		["ID", created.id],
+		["Key ID", created.keyId],
+		["Issuer ID", created.issuerId]
+	]);
+});
 const bindIosAscKey = (ctx) => Effect.gen(function* () {
 	const keys = yield* ctx.api.ascApiKeys.list();
 	if (keys.items.length === 0) return yield* new MissingCredentialsError({
@@ -28428,18 +28577,26 @@ const uploadNewAscKey = (ctx) => Effect.gen(function* () {
 });
 const setupProjectAscApiKey = (ctx) => Effect.gen(function* () {
 	const keys = yield* ctx.api.ascApiKeys.list();
-	const choice = keys.items.length === 0 ? "upload" : yield* promptSelect("How would you like to set up the ASC key?", [{
-		value: "existing",
-		label: `Use an existing ASC API key (${String(keys.items.length)})`
+	const baseChoices = [{
+		value: "generate",
+		label: "Create a new ASC API key from your Apple ID (no .p8 needed)"
 	}, {
 		value: "upload",
-		label: "Upload a new ASC API key"
-	}]);
+		label: "Upload an existing .p8 key"
+	}];
+	const choice = keys.items.length === 0 ? yield* promptSelect("How would you like to set up the ASC key?", baseChoices) : yield* promptSelect("How would you like to set up the ASC key?", [{
+		value: "existing",
+		label: `Use an existing ASC API key (${String(keys.items.length)})`
+	}, ...baseChoices]);
 	const config = yield* promptForBundleConfig(ctx);
-	const ascKeyId = choice === "upload" ? yield* uploadNewAscKey(ctx) : yield* promptSelect("Select an ASC API key to bind", keys.items.map((key) => ({
-		value: key.id,
-		label: `${key.name} (${key.keyId})`
-	})));
+	const ascKeyId = yield* Effect.gen(function* () {
+		if (choice === "generate") return (yield* generateAscKeyViaAppleId(ctx)).id;
+		if (choice === "upload") return yield* uploadNewAscKey(ctx);
+		return yield* promptSelect("Select an ASC API key to bind", keys.items.map((key) => ({
+			value: key.id,
+			label: `${key.name} (${key.keyId})`
+		})));
+	});
 	yield* ctx.api.iosBundleConfigurations.update({
 		path: { id: config.id },
 		payload: { ascApiKeyId: ascKeyId }
@@ -28453,6 +28610,10 @@ const iosAscKeysMenu = (ctx) => Effect.gen(function* () {
 			value: "setup",
 			label: "Set up your project to use an ASC API Key"
 		},
+		{
+			value: "create",
+			label: "Create a new ASC API key from your Apple ID (no .p8 needed)"
+		},
 		{
 			value: "upload",
 			label: "Add a new ASC API key"
@@ -28472,6 +28633,7 @@ const iosAscKeysMenu = (ctx) => Effect.gen(function* () {
 	]));
 	if (choice === "__back__") return;
 	if (choice === "setup") yield* safely("set up ASC key", setupProjectAscApiKey(ctx));
+	else if (choice === "create") yield* safely("create ASC key", createIosAscKeyViaAppleId(ctx));
 	else if (choice === "upload") yield* safely("upload ASC key", uploadIosAscKey(ctx));
 	else if (choice === "bind") yield* safely("bind ASC key", bindIosAscKey(ctx));
 	else if (choice === "delete") yield* safely("delete ASC key", pickAndDelete(ctx, "asc-api-key", "ASC API key"));
@@ -30353,6 +30515,66 @@ const envVaultCommand = defineCommand({
 	default: "status"
 });
 
+//#endregion
+//#region src/commands/credentials/generate-asc-key.ts
+const ASC_KEY_EXIT_EXTRAS = {
+	CredentialValidationError: 2,
+	AppleIdGenerateFailedError: 6,
+	AppleAuthError: 4,
+	InteractiveProhibitedError: 4
+};
+const normalizeRole = (raw) => {
+	if (raw === void 0) return Effect.succeed("ADMIN");
+	const upper = raw.trim().toUpperCase();
+	if (upper === "ADMIN" || upper === "APP_MANAGER") return Effect.succeed(upper);
+	return Effect.fail(new CredentialValidationError({ message: `Unknown ASC API key role "${raw}". Use ADMIN or APP_MANAGER.` }));
+};
+const ascKeyCommand = defineCommand({
+	meta: {
+		name: "asc-key",
+		description: "Create an App Store Connect API key (.p8) directly from your Apple ID login — no manual download. Stored encrypted in your vault, it can issue certificates, sync devices, and upload builds. Requires the Account Holder to have agreed to the API Terms once under Users and Access → Integrations."
+	},
+	args: {
+		role: {
+			type: "string",
+			description: "ADMIN (default) or APP_MANAGER (least privilege)"
+		},
+		name: {
+			type: "string",
+			description: "Display name for the stored key (defaults to the key ID)"
+		},
+		nickname: {
+			type: "string",
+			description: "Nickname shown in App Store Connect (defaults to a timestamped name)"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const role = yield* normalizeRole(args.role);
+		const api = yield* apiClient;
+		const auth = yield* AppleAuth;
+		const session = yield* auth.ensureLoggedIn();
+		yield* printHuman("Creating an App Store Connect API key via your Apple ID...");
+		const created = yield* generateAndUploadAscApiKeyViaAppleId(api, {
+			context: auth.buildRequestContext(session),
+			appleTeamIdentifier: session.teamId,
+			nickname: args.nickname ?? defaultAscApiKeyNickname(),
+			role,
+			...compact({ name: args.name })
+		});
+		yield* printHuman("App Store Connect API key created and stored.");
+		yield* printHumanKeyValue([
+			["ID", created.id],
+			["Key ID", created.keyId],
+			["Issuer ID", created.issuerId],
+			["Role", created.role]
+		]);
+		return created;
+	}), {
+		exits: ASC_KEY_EXIT_EXTRAS,
+		json: "value"
+	})
+});
+
 //#endregion
 //#region src/lib/credentials-generator-merchant.ts
 /**
@@ -30856,6 +31078,7 @@ const generateCommand$1 = defineCommand({
 		"provisioning-profile": provisioningProfileCommand,
 		"push-key": pushKeyCommand$1,
 		"merchant-id": merchantIdCommand,
+		"asc-key": ascKeyCommand,
 		"gsa-key": gsaKeyCommand
 	}
 });
@@ -35330,6 +35553,78 @@ const statusCommand = defineCommand({
 	}), { json: "value" })
 });
 
+//#endregion
+//#region src/application/submit-asc-key.ts
+const ROLE_CHOICES = [{
+	value: "ADMIN",
+	label: "ADMIN (default)"
+}, {
+	value: "APP_MANAGER",
+	label: "APP_MANAGER (least privilege for app management)"
+}];
+const CREATE_CHOICE = "__create__";
+/** Best-effort: write the resolved id back to eas.json so the next run reuses it. */
+const persist = (input, keyId) => setSubmitProfileAscApiKeyId(input.projectRoot, input.profileName, keyId).pipe(Effect.flatMap((path) => printHuman(`Saved ascApiKeyId to ${path} (submit profile "${input.profileName}") for reuse.`)), Effect.catchAll((error) => printHuman(`Note: could not write ascApiKeyId to eas.json (${error.message}). Add it manually to reuse this key.`)));
+/** Log in, warn about any existing team keys, then (with consent) create + persist. */
+const createAndPersist = (input) => Effect.gen(function* () {
+	const auth = yield* AppleAuth;
+	const session = yield* auth.ensureLoggedIn();
+	const ctx = auth.buildRequestContext(session);
+	const teamKeys = yield* listAscApiKeysViaAppleId(ctx).pipe(Effect.orElseSucceed(() => []));
+	const hasTeamKeys = teamKeys.length > 0;
+	if (hasTeamKeys) {
+		yield* printHuman(`Your Apple team already has ${String(teamKeys.length)} App Store Connect API key(s): ${teamKeys.map((key) => key.nickname).join(", ")}.`);
+		yield* printHuman("A key's .p8 is downloadable only once at creation, so an existing key is reusable only if you still have its .p8 (import it with `credentials upload-asc-key`). Apple also caps the number of keys per team.");
+	}
+	if (!(yield* promptConfirm(hasTeamKeys ? "Create a new ASC API key anyway?" : "No App Store Connect API key found. Create one now from your Apple ID?", { initialValue: !hasTeamKeys }))) return null;
+	const role = yield* promptSelect("Select a role for the generated API key", ROLE_CHOICES);
+	yield* printHuman("Creating an App Store Connect API key via your Apple ID...");
+	const created = yield* generateAndUploadAscApiKeyViaAppleId(input.api, {
+		context: ctx,
+		appleTeamIdentifier: session.teamId,
+		nickname: defaultAscApiKeyNickname(),
+		role
+	});
+	yield* printHuman(`Created and stored ASC API key ${created.keyId}.`);
+	yield* persist(input, created.id);
+	return created.id;
+});
+/**
+* Resolve an ASC API key id to upload a `submit` build with when none is set in
+* the submit profile. Reuses a stored vault key when possible (the only keys we
+* hold a usable `.p8` for), else offers to create one from the Apple ID session.
+* Returns the resolved id, or `null` when none could be resolved — non-interactive
+* runs, a declined prompt, or any failure (login/create/network) degrade to `null`
+* so the caller falls back to queuing the submission with guidance rather than
+* crashing. Persists the resolved id to `eas.json` for reuse.
+*/
+const ensureAscApiKeyForSubmit = (input) => Effect.gen(function* () {
+	if (!(yield* InteractiveMode).allow) return null;
+	const stored = yield* input.api.ascApiKeys.list();
+	if (stored.items.length === 1) {
+		const [only] = stored.items;
+		if (only !== void 0) {
+			yield* printHuman(`Using your stored ASC API key "${only.name}" (${only.keyId}).`);
+			yield* persist(input, only.id);
+			return only.id;
+		}
+	}
+	if (stored.items.length > 1) {
+		const picked = yield* promptSelect("No ASC API key in this submit profile. Pick one to use, or create a new one:", [...stored.items.map((key) => ({
+			value: key.id,
+			label: `${key.name} (${key.keyId})`
+		})), {
+			value: CREATE_CHOICE,
+			label: "Create a new ASC API key from my Apple ID"
+		}]);
+		if (picked !== CREATE_CHOICE) {
+			yield* persist(input, picked);
+			return picked;
+		}
+	}
+	return yield* createAndPersist(input);
+}).pipe(Effect.catchAll((error) => printHuman(`Could not set up an App Store Connect API key (${messageOf(error)}). The submission was queued — create one with \`credentials generate asc-key\` and re-run.`).pipe(Effect.as(null))));
+
 //#endregion
 //#region src/commands/submit/index.ts
 const PLATFORMS = ["ios", "android"];
@@ -35416,7 +35711,17 @@ const runFlow = (api, projectId, args) => Effect.gen(function* () {
 			appleId: iosProfile?.appleId,
 			ascApiKeyId: iosProfile?.ascApiKeyId,
 			hasAppSpecificPassword: hasAppleAppSpecificPassword()
-		});
+		}) ?? (yield* Effect.gen(function* () {
+			const resolvedKeyId = yield* ensureAscApiKeyForSubmit({
+				api,
+				projectRoot: args.projectRoot,
+				profileName: args.profile
+			});
+			return resolvedKeyId === null ? null : {
+				kind: "asc-api-key",
+				ascApiKeyId: resolvedKeyId
+			};
+		}));
 		if (auth === null) {
 			yield* printHuman("iOS submission queued. Add ascApiKeyId to the eas.json submit profile, or set appleId + the EXPO_APPLE_APP_SPECIFIC_PASSWORD env var, to enable client-side altool upload.");
 			return submission;
@@ -35430,7 +35735,7 @@ const runFlow = (api, projectId, args) => Effect.gen(function* () {
 				value: args.archive.archiveUrl
 			},
 			auth,
-			ascApiKeyId: iosProfile?.ascApiKeyId,
+			ascApiKeyId: auth.kind === "asc-api-key" ? auth.ascApiKeyId : iosProfile?.ascApiKeyId,
 			config: {
 				bundleIdentifier: iosConfig.bundleIdentifier,
 				ascAppId: iosProfile?.ascAppId,
@@ -35514,7 +35819,8 @@ const submitCommand = defineCommand({
 		}
 		const projectId = yield* readProjectId;
 		const api = yield* apiClient;
-		const easProfile = yield* readSubmitProfile(yield* (yield* CliRuntime).cwd, args.profile);
+		const projectRoot = yield* (yield* CliRuntime).cwd;
+		const easProfile = yield* readSubmitProfile(projectRoot, args.profile);
 		const archive = yield* resolveArchive(api, projectId, platform, {
 			id: args.id,
 			path: args.path,
@@ -35528,6 +35834,7 @@ const submitCommand = defineCommand({
 		yield* runFlow(api, projectId, {
 			platform,
 			profile: args.profile,
+			projectRoot,
 			easProfile,
 			archive,
 			wait: args.wait,