@better-update/cli 0.45.0 → 0.46.1

package/dist/index.mjs

@@ -35,7 +35,7 @@ var __require = /* #__PURE__ */ (() => createRequire(import.meta.url))();
 
 //#endregion
 //#region package.json
-var version = "0.45.0";
+var version = "0.46.1";
 
 //#endregion
 //#region src/lib/interactive-mode.ts
@@ -5055,6 +5055,27 @@ const writeEasJsonPatch = (projectRoot, patch) => Effect.gen(function* () {
 	return filePath;
 });
 /**
+* Set `submit.<profileName>.ios.ascApiKeyId` in `eas.json`, preserving every
+* other submit profile and key. Used after auto-resolving/creating an ASC API
+* key during `submit` so the next run reuses it instead of creating another.
+*/
+const setSubmitProfileAscApiKeyId = (projectRoot, profileName, ascApiKeyId) => Effect.gen(function* () {
+	const existing = (yield* readEasJsonRaw(projectRoot)) ?? {};
+	const submit = isRecord$1(existing["submit"]) ? existing["submit"] : {};
+	const profile = isRecord$1(submit[profileName]) ? submit[profileName] : {};
+	const ios = isRecord$1(profile["ios"]) ? profile["ios"] : {};
+	return yield* writeEasJsonPatch(projectRoot, { submit: {
+		...submit,
+		[profileName]: {
+			...profile,
+			ios: {
+				...ios,
+				ascApiKeyId
+			}
+		}
+	} });
+});
+/**
 * Default `build` profiles scaffolded by `init` / `build configure`. Mirrors the
 * EAS three-tier convention: `development` (dev-client, internal), `preview`
 * (internal QA) and `production` (store). Keep in sync with the build-profile
@@ -28376,8 +28397,10 @@ const androidMenu = (ctx) => Effect.gen(function* () {
 //#endregion
 //#region src/lib/credentials-generator-asc-key.ts
 const toUserRole = (role) => role === "APP_MANAGER" ? AppleUtils.UserRole.APP_MANAGER : AppleUtils.UserRole.ADMIN;
+const ASC_API_KEY_NICKNAME_MAX_LENGTH = 30;
+const clampAscApiKeyNickname = (nickname) => nickname.slice(0, ASC_API_KEY_NICKNAME_MAX_LENGTH);
 /** Default nickname shown in App Store Connect → Users and Access → Integrations. */
-const defaultAscApiKeyNickname = () => `[better-update] ${(/* @__PURE__ */ new Date()).toISOString()}`;
+const defaultAscApiKeyNickname = () => `[better-update] ${Date.now().toString(36)}`;
 const ASC_KEY_NOT_READY_PATTERN = /no resource of type|resource does not exist/iu;
 const ASC_KEY_DOWNLOAD_RETRY = Schedule.exponential("1 second", 2).pipe(Schedule.intersect(Schedule.recurs(6)));
 const downloadAscKeyWithRetry = (key) => Effect.tryPromise({
@@ -28411,7 +28434,7 @@ const writeRescueP8 = (keyId, p8Pem) => Effect.gen(function* () {
 const generateAndUploadAscApiKeyViaAppleId = (api, input) => Effect.gen(function* () {
 	const ctx = input.context;
 	const key = yield* wrap("apple-create-asc-key", async () => AppleUtils.ApiKey.createAsync(ctx, {
-		nickname: input.nickname,
+		nickname: clampAscApiKeyNickname(input.nickname),
 		allAppsVisible: true,
 		roles: [toUserRole(input.role)],
 		keyType: AppleUtils.ApiKeyType.PUBLIC_API
@@ -28459,6 +28482,20 @@ const generateAndUploadAscApiKeyViaAppleId = (api, input) => Effect.gen(function
 		role: input.role
 	};
 });
+/**
+* List the team's active App Store Connect API keys as seen on Apple (via the
+* cookie session). Used before auto-creating a key to avoid making a redundant
+* one — note a key's `.p8` is downloadable only once, so a key listed here is
+* usable for publishing only if its `.p8` was captured at creation (i.e. it is
+* already in the vault). Surfacing them lets the caller warn + respect Apple's
+* per-team key cap rather than blindly creating another.
+*/
+const listAscApiKeysViaAppleId = (ctx) => Effect.gen(function* () {
+	return (yield* wrap("apple-list-asc-keys", async () => AppleUtils.ApiKey.getAsync(ctx))).filter((key) => key.attributes.isActive).map((key) => ({
+		keyId: key.id,
+		nickname: key.attributes.nickname
+	}));
+});
 
 //#endregion
 //#region src/application/credentials-manager-ios-asc.ts
@@ -30510,7 +30547,7 @@ const ascKeyCommand = defineCommand({
 		},
 		nickname: {
 			type: "string",
-			description: "Nickname shown in App Store Connect (defaults to a timestamped name)"
+			description: "Nickname shown in App Store Connect (defaults to a timestamped name; Apple caps it at 30 chars, longer values are truncated)"
 		}
 	},
 	run: async ({ args }) => runEffect(Effect.gen(function* () {
@@ -35518,6 +35555,78 @@ const statusCommand = defineCommand({
 	}), { json: "value" })
 });
 
+//#endregion
+//#region src/application/submit-asc-key.ts
+const ROLE_CHOICES = [{
+	value: "ADMIN",
+	label: "ADMIN (default)"
+}, {
+	value: "APP_MANAGER",
+	label: "APP_MANAGER (least privilege for app management)"
+}];
+const CREATE_CHOICE = "__create__";
+/** Best-effort: write the resolved id back to eas.json so the next run reuses it. */
+const persist = (input, keyId) => setSubmitProfileAscApiKeyId(input.projectRoot, input.profileName, keyId).pipe(Effect.flatMap((path) => printHuman(`Saved ascApiKeyId to ${path} (submit profile "${input.profileName}") for reuse.`)), Effect.catchAll((error) => printHuman(`Note: could not write ascApiKeyId to eas.json (${error.message}). Add it manually to reuse this key.`)));
+/** Log in, warn about any existing team keys, then (with consent) create + persist. */
+const createAndPersist = (input) => Effect.gen(function* () {
+	const auth = yield* AppleAuth;
+	const session = yield* auth.ensureLoggedIn();
+	const ctx = auth.buildRequestContext(session);
+	const teamKeys = yield* listAscApiKeysViaAppleId(ctx).pipe(Effect.orElseSucceed(() => []));
+	const hasTeamKeys = teamKeys.length > 0;
+	if (hasTeamKeys) {
+		yield* printHuman(`Your Apple team already has ${String(teamKeys.length)} App Store Connect API key(s): ${teamKeys.map((key) => key.nickname).join(", ")}.`);
+		yield* printHuman("A key's .p8 is downloadable only once at creation, so an existing key is reusable only if you still have its .p8 (import it with `credentials upload-asc-key`). Apple also caps the number of keys per team.");
+	}
+	if (!(yield* promptConfirm(hasTeamKeys ? "Create a new ASC API key anyway?" : "No App Store Connect API key found. Create one now from your Apple ID?", { initialValue: !hasTeamKeys }))) return null;
+	const role = yield* promptSelect("Select a role for the generated API key", ROLE_CHOICES);
+	yield* printHuman("Creating an App Store Connect API key via your Apple ID...");
+	const created = yield* generateAndUploadAscApiKeyViaAppleId(input.api, {
+		context: ctx,
+		appleTeamIdentifier: session.teamId,
+		nickname: defaultAscApiKeyNickname(),
+		role
+	});
+	yield* printHuman(`Created and stored ASC API key ${created.keyId}.`);
+	yield* persist(input, created.id);
+	return created.id;
+});
+/**
+* Resolve an ASC API key id to upload a `submit` build with when none is set in
+* the submit profile. Reuses a stored vault key when possible (the only keys we
+* hold a usable `.p8` for), else offers to create one from the Apple ID session.
+* Returns the resolved id, or `null` when none could be resolved — non-interactive
+* runs, a declined prompt, or any failure (login/create/network) degrade to `null`
+* so the caller falls back to queuing the submission with guidance rather than
+* crashing. Persists the resolved id to `eas.json` for reuse.
+*/
+const ensureAscApiKeyForSubmit = (input) => Effect.gen(function* () {
+	if (!(yield* InteractiveMode).allow) return null;
+	const stored = yield* input.api.ascApiKeys.list();
+	if (stored.items.length === 1) {
+		const [only] = stored.items;
+		if (only !== void 0) {
+			yield* printHuman(`Using your stored ASC API key "${only.name}" (${only.keyId}).`);
+			yield* persist(input, only.id);
+			return only.id;
+		}
+	}
+	if (stored.items.length > 1) {
+		const picked = yield* promptSelect("No ASC API key in this submit profile. Pick one to use, or create a new one:", [...stored.items.map((key) => ({
+			value: key.id,
+			label: `${key.name} (${key.keyId})`
+		})), {
+			value: CREATE_CHOICE,
+			label: "Create a new ASC API key from my Apple ID"
+		}]);
+		if (picked !== CREATE_CHOICE) {
+			yield* persist(input, picked);
+			return picked;
+		}
+	}
+	return yield* createAndPersist(input);
+}).pipe(Effect.catchAll((error) => printHuman(`Could not set up an App Store Connect API key (${messageOf(error)}). The submission was queued — create one with \`credentials generate asc-key\` and re-run.`).pipe(Effect.as(null))));
+
 //#endregion
 //#region src/commands/submit/index.ts
 const PLATFORMS = ["ios", "android"];
@@ -35604,7 +35713,17 @@ const runFlow = (api, projectId, args) => Effect.gen(function* () {
 			appleId: iosProfile?.appleId,
 			ascApiKeyId: iosProfile?.ascApiKeyId,
 			hasAppSpecificPassword: hasAppleAppSpecificPassword()
-		});
+		}) ?? (yield* Effect.gen(function* () {
+			const resolvedKeyId = yield* ensureAscApiKeyForSubmit({
+				api,
+				projectRoot: args.projectRoot,
+				profileName: args.profile
+			});
+			return resolvedKeyId === null ? null : {
+				kind: "asc-api-key",
+				ascApiKeyId: resolvedKeyId
+			};
+		}));
 		if (auth === null) {
 			yield* printHuman("iOS submission queued. Add ascApiKeyId to the eas.json submit profile, or set appleId + the EXPO_APPLE_APP_SPECIFIC_PASSWORD env var, to enable client-side altool upload.");
 			return submission;
@@ -35618,7 +35737,7 @@ const runFlow = (api, projectId, args) => Effect.gen(function* () {
 				value: args.archive.archiveUrl
 			},
 			auth,
-			ascApiKeyId: iosProfile?.ascApiKeyId,
+			ascApiKeyId: auth.kind === "asc-api-key" ? auth.ascApiKeyId : iosProfile?.ascApiKeyId,
 			config: {
 				bundleIdentifier: iosConfig.bundleIdentifier,
 				ascAppId: iosProfile?.ascAppId,
@@ -35702,7 +35821,8 @@ const submitCommand = defineCommand({
 		}
 		const projectId = yield* readProjectId;
 		const api = yield* apiClient;
-		const easProfile = yield* readSubmitProfile(yield* (yield* CliRuntime).cwd, args.profile);
+		const projectRoot = yield* (yield* CliRuntime).cwd;
+		const easProfile = yield* readSubmitProfile(projectRoot, args.profile);
 		const archive = yield* resolveArchive(api, projectId, platform, {
 			id: args.id,
 			path: args.path,
@@ -35716,6 +35836,7 @@ const submitCommand = defineCommand({
 		yield* runFlow(api, projectId, {
 			platform,
 			profile: args.profile,
+			projectRoot,
 			easProfile,
 			archive,
 			wait: args.wait,