@better-update/cli 0.46.0 → 0.47.0

package/dist/index.mjs

@@ -35,7 +35,7 @@ var __require = /* #__PURE__ */ (() => createRequire(import.meta.url))();
 
 //#endregion
 //#region package.json
-var version = "0.46.0";
+var version = "0.47.0";
 
 //#endregion
 //#region src/lib/interactive-mode.ts
@@ -3253,7 +3253,7 @@ var UpdateRollbackError = class extends Data.TaggedError("UpdateRollbackError")
 var UpdatePromoteError = class extends Data.TaggedError("UpdatePromoteError") {};
 var CredentialValidationError = class extends Data.TaggedError("CredentialValidationError") {};
 var IdentityError = class extends Data.TaggedError("IdentityError") {};
-var AppleAuthError$1 = class extends Data.TaggedError("AppleAuthError") {};
+var AppleAuthError = class extends Data.TaggedError("AppleAuthError") {};
 var InvalidArgumentError = class extends Data.TaggedError("InvalidArgumentError") {};
 var InteractiveProhibitedError = class extends Data.TaggedError("InteractiveProhibitedError") {};
 var CredentialsJsonError = class extends Data.TaggedError("CredentialsJsonError") {};
@@ -3485,7 +3485,7 @@ const readEnv = (name) => Effect.gen(function* () {
 });
 const parseProviderId = (raw) => {
 	const id = Number(raw);
-	return Number.isInteger(id) ? Effect.succeed(id) : Effect.fail(new AppleAuthError$1({ message: `${APPLE_PROVIDER_ID_ENV} must be a numeric provider ID, got "${raw}".` }));
+	return Number.isInteger(id) ? Effect.succeed(id) : Effect.fail(new AppleAuthError({ message: `${APPLE_PROVIDER_ID_ENV} must be a numeric provider ID, got "${raw}".` }));
 };
 const readEnvProviderId = Effect.gen(function* () {
 	const raw = yield* readEnv(APPLE_PROVIDER_ID_ENV);
@@ -3494,7 +3494,7 @@ const readEnvProviderId = Effect.gen(function* () {
 });
 const switchSessionProvider = (appleUtils, providerId) => Effect.tryPromise({
 	try: async () => appleUtils.Session.setSessionProviderIdAsync(providerId),
-	catch: (error) => new AppleAuthError$1({ message: `Failed to switch App Store Connect provider (${providerId}): ${String(error)}` })
+	catch: (error) => new AppleAuthError({ message: `Failed to switch App Store Connect provider (${providerId}): ${String(error)}` })
 }).pipe(Effect.asVoid);
 /**
 * Resolve App Store Connect provider for the current session.
@@ -3597,7 +3597,7 @@ const AppleSessionStoreLive = Layer.effect(AppleSessionStore, Effect.gen(functio
 			yield* fs.chmod(sessionDir, 448);
 			yield* fs.writeFileString(sessionFile, `${JSON.stringify(session, null, 2)}\n`);
 			yield* fs.chmod(sessionFile, 384);
-		}).pipe(Effect.mapError((cause) => new AppleAuthError$1({ message: `Failed to save Apple session: ${formatCause(cause)}` }))),
+		}).pipe(Effect.mapError((cause) => new AppleAuthError({ message: `Failed to save Apple session: ${formatCause(cause)}` }))),
 		clearSession: fs.remove(sessionFile).pipe(Effect.catchAll(() => Effect.void)),
 		loadLastUsername: Effect.gen(function* () {
 			const content = yield* fs.readFileString(usernameFile).pipe(Effect.orElseSucceed(() => null));
@@ -3611,7 +3611,7 @@ const AppleSessionStoreLive = Layer.effect(AppleSessionStore, Effect.gen(functio
 			yield* fs.chmod(sessionDir, 448);
 			yield* fs.writeFileString(usernameFile, `${JSON.stringify({ username }, null, 2)}\n`);
 			yield* fs.chmod(usernameFile, 384);
-		}).pipe(Effect.mapError((cause) => new AppleAuthError$1({ message: `Failed to save Apple username: ${formatCause(cause)}` })))
+		}).pipe(Effect.mapError((cause) => new AppleAuthError({ message: `Failed to save Apple username: ${formatCause(cause)}` })))
 	};
 }));
 
@@ -3648,12 +3648,12 @@ const resolvePortalTeamId = (appleUtils, provider) => Effect.gen(function* () {
 	if (TEN_CHAR_TEAM_ID.test(provider.publicProviderId)) return provider.publicProviderId;
 	return (yield* Effect.tryPromise({
 		try: async () => appleUtils.Teams.getTeamsAsync(),
-		catch: (cause) => new AppleAuthError$1({ message: `Failed to list Apple Developer teams: ${formatCause(cause)}` })
+		catch: (cause) => new AppleAuthError({ message: `Failed to list Apple Developer teams: ${formatCause(cause)}` })
 	})).find((team) => team.name === provider.name)?.teamId ?? provider.publicProviderId;
 });
 const restoreFromCookies = (appleUtils, cookies) => Effect.tryPromise({
 	try: async () => appleUtils.Auth.loginWithCookiesAsync({ cookies }),
-	catch: (cause) => new AppleAuthError$1({ message: `Failed to restore Apple session: ${formatCause(cause)}` })
+	catch: (cause) => new AppleAuthError({ message: `Failed to restore Apple session: ${formatCause(cause)}` })
 });
 /**
 * After a cookie restore or fresh credentials login, re-resolve the team via
@@ -3666,7 +3666,7 @@ const resolveSessionTeam = (appleUtils, state) => Effect.gen(function* () {
 	const resolution = yield* resolveProvider(appleUtils, availableProviders, state.context.providerId ?? state.session.provider.providerId);
 	const switched = resolution.switched && resolution.providerId !== void 0;
 	const provider = switched ? availableProviders.find((entry) => entry.providerId === resolution.providerId) : state.session.provider;
-	if (provider === void 0) return yield* new AppleAuthError$1({ message: `Selected provider ${String(resolution.providerId)} not in available providers list.` });
+	if (provider === void 0) return yield* new AppleAuthError({ message: `Selected provider ${String(resolution.providerId)} not in available providers list.` });
 	const teamId = (!switched && state.context.teamId !== void 0 && TEN_CHAR_TEAM_ID.test(state.context.teamId) ? state.context.teamId : void 0) ?? (yield* resolvePortalTeamId(appleUtils, provider));
 	return {
 		username: state.username,
@@ -3677,7 +3677,7 @@ const resolveSessionTeam = (appleUtils, state) => Effect.gen(function* () {
 });
 const loginWithCredentials = (appleUtils, credentials) => Effect.tryPromise({
 	try: async () => appleUtils.Auth.loginWithUserCredentialsAsync(credentials, { autoResolveProvider: true }),
-	catch: (cause) => new AppleAuthError$1({ message: `Apple login failed: ${formatCause(cause)}` })
+	catch: (cause) => new AppleAuthError({ message: `Apple login failed: ${formatCause(cause)}` })
 });
 const readJarCookies = (appleUtils) => appleUtils.CookieFileCache.getCookiesJSON();
 const promptCredentials = (defaultUsername) => Effect.gen(function* () {
@@ -3700,7 +3700,7 @@ const interactiveLogin = (appleUtils, options, cachedUsername) => Effect.gen(fun
 		username,
 		password
 	});
-	if (state === null) return yield* new AppleAuthError$1({ message: "Apple login returned no session (unexpected)." });
+	if (state === null) return yield* new AppleAuthError({ message: "Apple login returned no session (unexpected)." });
 	const session = yield* resolveSessionTeam(appleUtils, state);
 	yield* store.saveSession({
 		cookies: readJarCookies(appleUtils),
@@ -3726,7 +3726,7 @@ const makeAppleAuthLive = (appleUtils = defaultAppleUtils) => Layer.effect(Apple
 		}),
 		logout: store.clearSession.pipe(Effect.flatMap(() => Effect.tryPromise({
 			try: async () => appleUtils.Auth.logoutAsync(),
-			catch: (cause) => new AppleAuthError$1({ message: formatCause(cause) })
+			catch: (cause) => new AppleAuthError({ message: formatCause(cause) })
 		}).pipe(Effect.catchAll(() => Effect.void)))),
 		whoami: Effect.gen(function* () {
 			const stored = yield* store.loadSession;
@@ -5059,7 +5059,7 @@ const writeEasJsonPatch = (projectRoot, patch) => Effect.gen(function* () {
 * other submit profile and key. Used after auto-resolving/creating an ASC API
 * key during `submit` so the next run reuses it instead of creating another.
 */
-const setSubmitProfileAscApiKeyId = (projectRoot, profileName, ascApiKeyId) => Effect.gen(function* () {
+const setSubmitProfileIosField = (projectRoot, profileName, key, value) => Effect.gen(function* () {
 	const existing = (yield* readEasJsonRaw(projectRoot)) ?? {};
 	const submit = isRecord$1(existing["submit"]) ? existing["submit"] : {};
 	const profile = isRecord$1(submit[profileName]) ? submit[profileName] : {};
@@ -5070,11 +5070,18 @@ const setSubmitProfileAscApiKeyId = (projectRoot, profileName, ascApiKeyId) => E
 			...profile,
 			ios: {
 				...ios,
-				ascApiKeyId
+				[key]: value
 			}
 		}
 	} });
 });
+const setSubmitProfileAscApiKeyId = (projectRoot, profileName, ascApiKeyId) => setSubmitProfileIosField(projectRoot, profileName, "ascApiKeyId", ascApiKeyId);
+/**
+* Set `submit.<profileName>.ios.ascAppId` in `eas.json`, preserving every other
+* submit profile and key. Used after auto-resolving/creating the App Store
+* Connect app during `submit` so the next run reuses it instead of re-looking-up.
+*/
+const setSubmitProfileAscAppId = (projectRoot, profileName, ascAppId) => setSubmitProfileIosField(projectRoot, profileName, "ascAppId", ascAppId);
 /**
 * Default `build` profiles scaffolded by `init` / `build configure`. Mirrors the
 * EAS three-tier convention: `development` (dev-client, internal), `preview`
@@ -21024,7 +21031,7 @@ const TokenResponseSchema = Schema.Struct({
 	expires_in: Schema.optional(Schema.Number)
 });
 const stripPemHeaders = (pem) => pem.replace(/-----BEGIN [A-Z ]+-----/u, "").replace(/-----END [A-Z ]+-----/u, "").replaceAll(/\s+/gu, "");
-const asArrayBuffer$1 = (bytes) => {
+const asArrayBuffer = (bytes) => {
 	const buffer = new ArrayBuffer(bytes.byteLength);
 	new Uint8Array(buffer).set(bytes);
 	return buffer;
@@ -21032,7 +21039,7 @@ const asArrayBuffer$1 = (bytes) => {
 const importPrivateKey = (pem) => Effect.tryPromise({
 	try: async () => {
 		const pkcs8 = fromBase64(stripPemHeaders(pem));
-		return crypto.subtle.importKey("pkcs8", asArrayBuffer$1(pkcs8), {
+		return crypto.subtle.importKey("pkcs8", asArrayBuffer(pkcs8), {
 			name: "RSASSA-PKCS1-v1_5",
 			hash: "SHA-256"
 		}, false, ["sign"]);
@@ -21271,6 +21278,45 @@ const commitEdit = (params) => callJsonRaw({
 	label: "edits.commit"
 });
 
+//#endregion
+//#region src/lib/apple-asc-connect.ts
+/**
+* Shared bridge to the `@expo/apple-utils` App Store Connect entity layer for
+* the **headless** (JWT) path. apple-utils routes by `RequestContext`: a context
+* carrying a signed `Token` hits the public ASC REST API
+* (`api.appstoreconnect.apple.com/v1`) with no cookie session — the same surface
+* the CLI's vault `.p8` keys authenticate against. Interactive flows pass a
+* cookie context from `AppleAuth.buildRequestContext` instead; both drive the
+* same entity managers.
+*/
+var AppleConnectError = class extends Data.TaggedError("AppleConnectError") {};
+const messageOf = (cause) => cause instanceof Error ? cause.message : String(cause);
+/**
+* Apple returns the same "current certificate already exists / pending request"
+* wording whether the call came from a JWT ASC request or the Apple ID session,
+* so cert-limit detection lives here, in the shared connect layer.
+*/
+const CERT_LIMIT_PATTERN = /already have a current.*certificate|pending certificate request/iu;
+const isCertificateLimitMessage = (message) => CERT_LIMIT_PATTERN.test(message);
+/**
+* Build a headless ASC `RequestContext` from a vault `.p8` key. The `Token`
+* signs ES256 JWTs on demand (apple-utils refreshes them); no `providerId`/
+* `teamId` is needed because the JWT's issuer selects the provider.
+*/
+const buildTokenRequestContext = (credentials) => ({ token: new AppleUtils.Token({
+	key: credentials.p8Pem,
+	keyId: credentials.keyId,
+	issuerId: credentials.issuerId
+}) });
+/** Run an apple-utils promise, tagging any rejection as an {@link AppleConnectError}. */
+const wrapConnect = (step, run) => Effect.tryPromise({
+	try: run,
+	catch: (cause) => new AppleConnectError({
+		step,
+		message: messageOf(cause)
+	})
+});
+
 //#endregion
 //#region src/lib/asc-credentials.ts
 /**
@@ -21304,367 +21350,28 @@ const fetchAscCredentials = (api, ascApiKeyId) => Effect.gen(function* () {
 });
 
 //#endregion
-//#region src/lib/apple-pem.ts
-const PEM_HEADER = "-----BEGIN PRIVATE KEY-----";
-const PEM_FOOTER = "-----END PRIVATE KEY-----";
-const pemToPkcs8Der = (pem) => {
-	const normalized = pem.replaceAll("\r\n", "\n").trim();
-	const start = normalized.indexOf(PEM_HEADER);
-	const end = normalized.indexOf(PEM_FOOTER);
-	if (start === -1 || end === -1 || end <= start) return null;
-	const body = normalized.slice(start + 27, end).replaceAll(/\s+/gu, "").trim();
-	if (body.length === 0) return null;
-	try {
-		return fromBase64(body);
-	} catch {
-		return null;
-	}
-};
-
-//#endregion
-//#region src/lib/apple-asc-jwt.ts
-var AppleAuthError = class extends Data.TaggedError("AppleAuthError") {};
-const MAX_JWT_LIFETIME_SECONDS = 1200;
-const asArrayBuffer = (bytes) => {
-	const buffer = new ArrayBuffer(bytes.byteLength);
-	new Uint8Array(buffer).set(bytes);
-	return buffer;
-};
-const signAscJwt = (credentials) => Effect.gen(function* () {
-	const der = pemToPkcs8Der(credentials.p8Pem);
-	if (der === null) return yield* new AppleAuthError({ cause: /* @__PURE__ */ new Error("Invalid .p8 PEM") });
-	const header = {
-		alg: "ES256",
-		kid: credentials.keyId,
-		typ: "JWT"
-	};
-	const now = Math.floor(Date.now() / 1e3);
-	const payload = {
-		iss: credentials.issuerId,
-		iat: now,
-		exp: now + MAX_JWT_LIFETIME_SECONDS,
-		aud: "appstoreconnect-v1"
-	};
-	const signingInput = `${toBase64Url(new TextEncoder().encode(JSON.stringify(header)))}.${toBase64Url(new TextEncoder().encode(JSON.stringify(payload)))}`;
-	const key = yield* Effect.tryPromise({
-		try: async () => crypto.subtle.importKey("pkcs8", asArrayBuffer(der), {
-			name: "ECDSA",
-			namedCurve: "P-256"
-		}, false, ["sign"]),
-		catch: (cause) => new AppleAuthError({ cause })
-	});
-	const signature = yield* Effect.tryPromise({
-		try: async () => crypto.subtle.sign({
-			name: "ECDSA",
-			hash: "SHA-256"
-		}, key, new TextEncoder().encode(signingInput)),
-		catch: (cause) => new AppleAuthError({ cause })
-	});
-	return `${signingInput}.${toBase64Url(new Uint8Array(signature))}`;
-});
-
-//#endregion
-//#region src/lib/apple-asc-client.ts
+//#region src/application/ios-testflight-config.ts
 /**
-* App Store Connect REST client authenticated with an ASC **API key** — a JWT
-* signed from a `.p8` private key (see `apple-asc-jwt.ts`). Credentials are
-* resolved non-interactively from the server (`fetchAscCredentials`), so this
-* powers headless flows: build-credential resolution, provisioning-profile
-* generation, and device sync.
+* Post-upload TestFlight configuration for iOS submissions. After `altool`
+* uploads the `.ipa`, App Store Connect spends several minutes *processing* the
+* binary before it can be configured. This module waits for that processing to
+* finish, then sets the build's "What to Test" text and assigns it to internal
+* TestFlight groups — the same follow-up `eas submit` performs server-side.
 *
-* Intentionally NOT built on `@expo/apple-utils`: that library authenticates
-* via an interactive Apple-ID **cookie session** (username/password + 2FA, see
-* `services/apple-auth.ts`) and exposes a cookie-based `RequestContext`. That is
-* a different auth model that would force an interactive login here. The two
-* coexist by design — apple-utils backs `apple login`; this client backs
-* non-interactive ASC API-key access.
-*/
-var AscApiError = class extends Data.TaggedError("AscApiError") {};
-var AscNetworkError = class extends Data.TaggedError("AscNetworkError") {};
-const API_BASE = "https://api.appstoreconnect.apple.com";
-const extractErrors = (body) => {
-	if (!isRecord$1(body) || !Array.isArray(body["errors"])) return [];
-	return body["errors"].filter((value) => isRecord$1(value));
-};
-const parseApiError = (response, body, raw) => {
-	const [first] = extractErrors(body);
-	return new AscApiError({
-		status: response.status,
-		message: first?.detail ?? first?.title ?? response.statusText,
-		code: first?.code,
-		raw
-	});
-};
-const fetchRaw = (jwt, path, init) => Effect.gen(function* () {
-	const response = yield* Effect.tryPromise({
-		try: async () => fetch(`${API_BASE}${path}`, compact({
-			method: init?.method ?? "GET",
-			body: init?.body,
-			headers: {
-				authorization: `Bearer ${jwt}`,
-				"content-type": "application/json",
-				accept: "application/json"
-			}
-		})),
-		catch: (cause) => new AscNetworkError({ cause })
-	});
-	const text = yield* Effect.tryPromise({
-		try: async () => response.text(),
-		catch: (cause) => new AscNetworkError({ cause })
-	});
-	const body = yield* Effect.try({
-		try: () => text.length === 0 ? {} : JSON.parse(text),
-		catch: (cause) => new AscNetworkError({ cause })
-	});
-	if (!response.ok) return yield* parseApiError(response, body, text);
-	return body;
-});
-const toAscCertificate = (value) => {
-	if (!isRecord$1(value)) return null;
-	const { id, attributes } = value;
-	if (typeof id !== "string" || !isRecord$1(attributes)) return null;
-	const { serialNumber, certificateType, expirationDate, certificateContent, displayName } = attributes;
-	if (typeof serialNumber !== "string" || typeof certificateType !== "string" || typeof expirationDate !== "string") return null;
-	return {
-		id,
-		serialNumber,
-		certificateType,
-		expirationDate,
-		certificateContent: typeof certificateContent === "string" ? certificateContent : null,
-		displayName: typeof displayName === "string" ? displayName : null
-	};
-};
-const toAscBundleId = (value) => {
-	if (!isRecord$1(value)) return null;
-	const { id, attributes } = value;
-	if (typeof id !== "string" || !isRecord$1(attributes)) return null;
-	const { identifier, name } = attributes;
-	if (typeof identifier !== "string" || typeof name !== "string") return null;
-	return {
-		id,
-		identifier,
-		name
-	};
-};
-const PROFILE_TYPES = [
-	"IOS_APP_ADHOC",
-	"IOS_APP_DEVELOPMENT",
-	"IOS_APP_STORE",
-	"IOS_APP_INHOUSE"
-];
-const asProfileType = (value) => {
-	const match = PROFILE_TYPES.find((entry) => entry === value);
-	return match === void 0 ? null : match;
-};
-const toAscProfile = (value) => {
-	if (!isRecord$1(value)) return null;
-	const { id, attributes } = value;
-	if (typeof id !== "string" || !isRecord$1(attributes)) return null;
-	const { name, uuid, expirationDate, profileContent } = attributes;
-	const profileType = asProfileType(attributes["profileType"]);
-	if (typeof name !== "string" || typeof uuid !== "string" || typeof expirationDate !== "string" || typeof profileContent !== "string" || profileType === null) return null;
-	return {
-		id,
-		name,
-		uuid,
-		expirationDate,
-		profileContent,
-		profileType
-	};
-};
-const toAscDevice = (value) => {
-	if (!isRecord$1(value)) return null;
-	const { id, attributes } = value;
-	if (typeof id !== "string" || !isRecord$1(attributes)) return null;
-	const { udid, name, deviceClass } = attributes;
-	if (typeof udid !== "string" || typeof name !== "string") return null;
-	return {
-		id,
-		udid,
-		name,
-		deviceClass: typeof deviceClass === "string" ? deviceClass : null
-	};
-};
-const extractList = (body, map) => {
-	if (!isRecord$1(body) || !Array.isArray(body["data"])) return [];
-	return body["data"].map(map).filter((value) => value !== null);
-};
-const extractSingle = (body, map) => {
-	if (!isRecord$1(body)) return null;
-	return map(body["data"]);
-};
-/**
-* App Store Connect paginates list responses (default 200/page) and returns the
-* absolute URL of the next page under `links.next`. Strip the base so it can be
-* fed back into `fetchRaw`; return null when there is no further page.
+* Auth reuses the ASC **API key** already decrypted for the upload via a headless
+* `@expo/apple-utils` JWT context (no second credential prompt, no cookie login).
+* Failures surface as {@link TestFlightConfigError} so the caller can mark the
+* submission ERRORED with a precise reason.
 */
-const nextPagePath = (body) => {
-	if (!isRecord$1(body)) return null;
-	const { links } = body;
-	if (!isRecord$1(links) || typeof links["next"] !== "string") return null;
-	const { next } = links;
-	return next.startsWith(API_BASE) ? next.slice(37) : next;
-};
-const malformed = (resource) => new AscApiError({
-	status: 500,
-	message: `Malformed ${resource} response`,
-	code: void 0,
-	raw: ""
-});
-const withJwt = (credentials, fn) => Effect.gen(function* () {
-	return yield* fn(yield* signAscJwt(credentials));
-});
-const listCertificates = (credentials, params) => withJwt(credentials, (jwt) => Effect.gen(function* () {
-	return extractList(yield* fetchRaw(jwt, `/v1/certificates${params?.certificateType ? `?filter[certificateType]=${params.certificateType}&limit=200` : "?limit=200"}`), toAscCertificate);
-}));
-const createCertificate = (credentials, params) => withJwt(credentials, (jwt) => Effect.gen(function* () {
-	const csrContent = params.csrPem.replaceAll("-----BEGIN CERTIFICATE REQUEST-----", "").replaceAll("-----END CERTIFICATE REQUEST-----", "").replaceAll(/\s+/gu, "");
-	const resource = extractSingle(yield* fetchRaw(jwt, "/v1/certificates", {
-		method: "POST",
-		body: JSON.stringify({ data: {
-			type: "certificates",
-			attributes: {
-				csrContent,
-				certificateType: params.certificateType
-			}
-		} })
-	}), toAscCertificate);
-	if (resource === null) return yield* malformed("certificate");
-	return resource;
-}));
-const deleteCertificate = (credentials, id) => withJwt(credentials, (jwt) => Effect.asVoid(fetchRaw(jwt, `/v1/certificates/${encodeURIComponent(id)}`, { method: "DELETE" })));
-const listBundleIds = (credentials) => withJwt(credentials, (jwt) => Effect.gen(function* () {
-	return extractList(yield* fetchRaw(jwt, "/v1/bundleIds?limit=200"), toAscBundleId);
-}));
-const createBundleId = (credentials, params) => withJwt(credentials, (jwt) => Effect.gen(function* () {
-	const resource = extractSingle(yield* fetchRaw(jwt, "/v1/bundleIds", {
-		method: "POST",
-		body: JSON.stringify({ data: {
-			type: "bundleIds",
-			attributes: {
-				identifier: params.identifier,
-				name: params.name,
-				platform: "IOS"
-			}
-		} })
-	}), toAscBundleId);
-	if (resource === null) return yield* malformed("bundleId");
-	return resource;
-}));
-const listDevices = (credentials) => withJwt(credentials, (jwt) => Effect.gen(function* () {
-	const devices = [];
-	let path = "/v1/devices?limit=200";
-	while (path !== null) {
-		const body = yield* fetchRaw(jwt, path);
-		devices.push(...extractList(body, toAscDevice));
-		path = nextPagePath(body);
-	}
-	return devices;
-}));
-const createDevice = (credentials, params) => withJwt(credentials, (jwt) => Effect.gen(function* () {
-	const resource = extractSingle(yield* fetchRaw(jwt, "/v1/devices", {
-		method: "POST",
-		body: JSON.stringify({ data: {
-			type: "devices",
-			attributes: {
-				name: params.name,
-				udid: params.udid,
-				platform: "IOS"
-			}
-		} })
-	}), toAscDevice);
-	if (resource === null) return yield* malformed("device");
-	return resource;
-}));
-const createProvisioningProfile = (credentials, params) => withJwt(credentials, (jwt) => Effect.gen(function* () {
-	const relationships = {
-		bundleId: { data: {
-			type: "bundleIds",
-			id: params.bundleIdAscId
-		} },
-		certificates: { data: params.certificateAscIds.map((id) => ({
-			type: "certificates",
-			id
-		})) },
-		...params.deviceAscIds.length > 0 ? { devices: { data: params.deviceAscIds.map((id) => ({
-			type: "devices",
-			id
-		})) } } : {}
-	};
-	const resource = extractSingle(yield* fetchRaw(jwt, "/v1/profiles", {
-		method: "POST",
-		body: JSON.stringify({ data: {
-			type: "profiles",
-			attributes: {
-				name: params.profileName,
-				profileType: params.profileType
-			},
-			relationships
-		} })
-	}), toAscProfile);
-	if (resource === null) return yield* malformed("profile");
-	return resource;
-}));
-const isCertificateLimitError = (error) => {
-	if (error._tag !== "AscApiError") return false;
-	return /already have a current.*certificate|pending certificate request/iu.test(error.message);
-};
-
-//#endregion
-//#region src/lib/apple-asc-testflight.ts
-/**
-* App Store Connect TestFlight operations layered on the ASC API-key client
-* ({@link ./apple-asc-client}). Used by the iOS submit flow to configure a build
-* *after* `altool` uploads it: set the "What to Test" text and assign the build
-* to internal beta groups — matching `eas submit`'s post-upload behaviour.
-*/
-const toAscApp = (value) => {
-	if (!isRecord$1(value)) return null;
-	const { id, attributes } = value;
-	if (typeof id !== "string") return null;
-	const attrs = isRecord$1(attributes) ? attributes : {};
-	return {
-		id,
-		bundleId: typeof attrs["bundleId"] === "string" ? attrs["bundleId"] : null,
-		name: typeof attrs["name"] === "string" ? attrs["name"] : null
-	};
-};
-const toAscBuild = (value) => {
-	if (!isRecord$1(value)) return null;
-	const { id, attributes } = value;
-	if (typeof id !== "string") return null;
-	const attrs = isRecord$1(attributes) ? attributes : {};
-	return {
-		id,
-		version: typeof attrs["version"] === "string" ? attrs["version"] : null,
-		uploadedDate: typeof attrs["uploadedDate"] === "string" ? attrs["uploadedDate"] : null,
-		processingState: typeof attrs["processingState"] === "string" ? attrs["processingState"] : null
-	};
-};
-const toAscBetaGroup = (value) => {
-	if (!isRecord$1(value)) return null;
-	const { id, attributes } = value;
-	if (typeof id !== "string" || !isRecord$1(attributes)) return null;
-	const { name, isInternalGroup } = attributes;
-	if (typeof name !== "string") return null;
-	return {
-		id,
-		name,
-		isInternal: isInternalGroup === true
-	};
-};
-const toAscBetaBuildLocalization = (value) => {
-	if (!isRecord$1(value)) return null;
-	const { id, attributes } = value;
-	if (typeof id !== "string" || !isRecord$1(attributes)) return null;
-	const { locale, whatsNew } = attributes;
-	if (typeof locale !== "string") return null;
-	return {
-		id,
-		locale,
-		whatsNew: typeof whatsNew === "string" ? whatsNew : null
-	};
-};
+var TestFlightConfigError = class extends Data.TaggedError("TestFlightConfigError") {};
+const DEFAULT_POLL_TIMEOUT_MS = 15 * 6e4;
+const DEFAULT_POLL_INTERVAL_MS = 3e4;
+const DEFAULT_LOCALE$1 = "en-US";
+/** Run an apple-utils call, mapping any failure to a coded {@link TestFlightConfigError}. */
+const call = (code, step, run) => wrapConnect(step, run).pipe(Effect.mapError((error) => new TestFlightConfigError({
+	code,
+	message: error.message
+})));
 /** Classify a raw `processingState`. Unknown/absent states stay `processing`
 * so the poller keeps waiting rather than failing early. */
 const classifyProcessingState = (state) => {
@@ -21673,10 +21380,10 @@ const classifyProcessingState = (state) => {
 	return "processing";
 };
 /**
-* Identify the build produced by *our* upload. `listRecentBuilds` returns builds
-* newest-first; the freshly-uploaded build is the newest one whose id differs
-* from the baseline captured before upload. Comparing ids (not timestamps) avoids
-* both clock-skew misses and accidentally matching a pre-existing build.
+* Identify the build produced by *our* upload. `Build.getAsync` (sorted newest
+* first) returns builds newest-first; the freshly-uploaded build is the newest
+* one whose id differs from the baseline captured before upload. Comparing ids
+* (not timestamps) avoids both clock-skew misses and matching a pre-existing build.
 */
 const pickNewBuild = (builds, baselineLatestBuildId) => {
 	const [newest] = builds;
@@ -21697,92 +21404,15 @@ const matchBetaGroupsByName = (groups, names) => {
 		missing
 	};
 };
-/** Resolve the ASC app record for a bundle identifier, or null when none exists. */
-const getAppByBundleId = (credentials, bundleId) => withJwt(credentials, (jwt) => Effect.gen(function* () {
-	const [first] = extractList(yield* fetchRaw(jwt, `/v1/apps?filter[bundleId]=${encodeURIComponent(bundleId)}&limit=1`), toAscApp);
-	return first === void 0 ? null : first;
-}));
-/** Builds for an app, newest upload first. */
-const listRecentBuilds = (credentials, appId, limit = 20) => withJwt(credentials, (jwt) => Effect.gen(function* () {
-	return extractList(yield* fetchRaw(jwt, `/v1/builds?filter[app]=${encodeURIComponent(appId)}&sort=-uploadedDate&limit=${String(limit)}`), toAscBuild);
-}));
-const listBetaGroups = (credentials, appId) => withJwt(credentials, (jwt) => Effect.gen(function* () {
-	const groups = [];
-	let path = `/v1/betaGroups?filter[app]=${encodeURIComponent(appId)}&limit=200`;
-	while (path !== null) {
-		const body = yield* fetchRaw(jwt, path);
-		groups.push(...extractList(body, toAscBetaGroup));
-		path = nextPagePath(body);
-	}
-	return groups;
-}));
-const listBuildBetaLocalizations = (credentials, buildId) => withJwt(credentials, (jwt) => Effect.gen(function* () {
-	return extractList(yield* fetchRaw(jwt, `/v1/builds/${encodeURIComponent(buildId)}/betaBuildLocalizations?limit=200`), toAscBetaBuildLocalization);
-}));
-const createBetaBuildLocalization = (credentials, params) => withJwt(credentials, (jwt) => Effect.asVoid(fetchRaw(jwt, "/v1/betaBuildLocalizations", {
-	method: "POST",
-	body: JSON.stringify({ data: {
-		type: "betaBuildLocalizations",
-		attributes: {
-			locale: params.locale,
-			whatsNew: params.whatsNew
-		},
-		relationships: { build: { data: {
-			type: "builds",
-			id: params.buildId
-		} } }
-	} })
-})));
-const updateBetaBuildLocalization = (credentials, params) => withJwt(credentials, (jwt) => Effect.asVoid(fetchRaw(jwt, `/v1/betaBuildLocalizations/${encodeURIComponent(params.id)}`, {
-	method: "PATCH",
-	body: JSON.stringify({ data: {
-		type: "betaBuildLocalizations",
-		id: params.id,
-		attributes: { whatsNew: params.whatsNew }
-	} })
-})));
-const addBuildToBetaGroups = (credentials, buildId, groupIds) => withJwt(credentials, (jwt) => Effect.asVoid(fetchRaw(jwt, `/v1/builds/${encodeURIComponent(buildId)}/relationships/betaGroups`, {
-	method: "POST",
-	body: JSON.stringify({ data: groupIds.map((id) => ({
-		type: "betaGroups",
-		id
-	})) })
-})));
-
-//#endregion
-//#region src/application/ios-testflight-config.ts
-/**
-* Post-upload TestFlight configuration for iOS submissions. After `altool`
-* uploads the `.ipa`, App Store Connect spends several minutes *processing* the
-* binary before it can be configured. This module waits for that processing to
-* finish, then sets the build's "What to Test" text and assigns it to internal
-* TestFlight groups — the same follow-up `eas submit` performs server-side.
-*
-* Auth reuses the ASC **API key** already decrypted for the upload (no second
-* credential prompt). Failures surface as {@link TestFlightConfigError} so the
-* caller can mark the submission ERRORED with a precise reason.
-*/
-var TestFlightConfigError = class extends Data.TaggedError("TestFlightConfigError") {};
-const DEFAULT_POLL_TIMEOUT_MS = 15 * 6e4;
-const DEFAULT_POLL_INTERVAL_MS = 3e4;
-const DEFAULT_LOCALE = "en-US";
-const ascErrorMessage$1 = (error) => {
-	if (error._tag === "AscApiError") return `App Store Connect API error ${String(error.status)}: ${error.message}`;
-	if (error._tag === "AscNetworkError") return `App Store Connect network error: ${String(error.cause)}`;
-	return `App Store Connect auth error: ${String(error.cause)}`;
-};
-const wrapAsc = (code) => (error) => new TestFlightConfigError({
-	code,
-	message: ascErrorMessage$1(error)
-});
 /**
 * Resolve the ASC app id (preferring the explicit `ascAppId`) and snapshot the
 * latest existing build. Run this *before* `altool` so the freshly-uploaded
 * build can be distinguished from prior ones.
 */
 const captureTestFlightContext = (params) => Effect.gen(function* () {
+	const ctx = buildTokenRequestContext(params.credentials);
 	const appId = params.ascAppId ?? (yield* Effect.gen(function* () {
-		const app = yield* getAppByBundleId(params.credentials, params.bundleIdentifier).pipe(Effect.mapError(wrapAsc("TESTFLIGHT_APP_LOOKUP_FAILED")));
+		const app = yield* call("TESTFLIGHT_APP_LOOKUP_FAILED", "apple-find-app", async () => AppleUtils.App.findAsync(ctx, { bundleId: params.bundleIdentifier }));
 		if (app === null) return yield* new TestFlightConfigError({
 			code: "TESTFLIGHT_APP_NOT_FOUND",
 			message: `No App Store Connect app found for bundle id ${params.bundleIdentifier}. Set ascAppId in the eas.json submit profile.`
@@ -21791,7 +21421,11 @@ const captureTestFlightContext = (params) => Effect.gen(function* () {
 	}));
 	return {
 		appId,
-		baselineLatestBuildId: toDbNull((yield* listRecentBuilds(params.credentials, appId, 1).pipe(Effect.mapError(wrapAsc("TESTFLIGHT_LIST_BUILDS_FAILED"))))[0]?.id)
+		baselineLatestBuildId: toDbNull((yield* call("TESTFLIGHT_LIST_BUILDS_FAILED", "apple-list-builds", async () => AppleUtils.Build.getAsync(ctx, { query: {
+			filter: { app: appId },
+			sort: "-uploadedDate",
+			limit: 1
+		} })))[0]?.id)
 	};
 });
 const pollForProcessedBuild = (params) => Effect.gen(function* () {
@@ -21803,12 +21437,16 @@ const pollForProcessedBuild = (params) => Effect.gen(function* () {
 		while: (state) => state.build === null,
 		body: (state) => Effect.gen(function* () {
 			if (state.attempt > 0) yield* Effect.sleep(Duration.millis(params.pollIntervalMs));
-			const candidate = pickNewBuild(yield* listRecentBuilds(params.credentials, params.context.appId, 20).pipe(Effect.mapError(wrapAsc("TESTFLIGHT_LIST_BUILDS_FAILED"))), params.context.baselineLatestBuildId);
+			const candidate = pickNewBuild(yield* call("TESTFLIGHT_LIST_BUILDS_FAILED", "apple-list-builds", async () => AppleUtils.Build.getAsync(params.ctx, { query: {
+				filter: { app: params.context.appId },
+				sort: "-uploadedDate",
+				limit: 20
+			} })), params.context.baselineLatestBuildId);
 			if (candidate !== null) {
-				const processing = classifyProcessingState(candidate.processingState);
+				const processing = classifyProcessingState(candidate.attributes.processingState);
 				if (processing === "failed") return yield* new TestFlightConfigError({
 					code: "TESTFLIGHT_BUILD_PROCESSING_FAILED",
-					message: `App Store Connect rejected build ${candidate.version ?? candidate.id} during processing (state ${candidate.processingState ?? "unknown"}).`
+					message: `App Store Connect rejected build ${candidate.attributes.version} during processing (state ${candidate.attributes.processingState}).`
 				});
 				if (processing === "valid") return {
 					build: candidate,
@@ -21833,59 +21471,65 @@ const pollForProcessedBuild = (params) => Effect.gen(function* () {
 	return final.build;
 });
 const applyWhatToTest = (params) => Effect.gen(function* () {
-	const existing = (yield* listBuildBetaLocalizations(params.credentials, params.buildId).pipe(Effect.mapError(wrapAsc("TESTFLIGHT_LIST_LOCALIZATIONS_FAILED")))).find((loc) => loc.locale === params.locale);
-	yield* (existing === void 0 ? createBetaBuildLocalization(params.credentials, {
-		buildId: params.buildId,
-		locale: params.locale,
-		whatsNew: params.whatToTest
-	}) : updateBetaBuildLocalization(params.credentials, {
-		id: existing.id,
-		whatsNew: params.whatToTest
-	})).pipe(Effect.mapError(wrapAsc("TESTFLIGHT_SET_WHAT_TO_TEST_FAILED")));
+	const existing = (yield* call("TESTFLIGHT_LIST_LOCALIZATIONS_FAILED", "apple-list-localizations", async () => params.build.getBetaBuildLocalizationsAsync())).find((loc) => loc.attributes.locale === params.locale);
+	yield* call("TESTFLIGHT_SET_WHAT_TO_TEST_FAILED", "apple-set-what-to-test", async () => {
+		if (existing === void 0) {
+			await (await AppleUtils.BetaBuildLocalization.createAsync(params.ctx, {
+				id: params.build.id,
+				locale: params.locale
+			})).updateAsync({ whatsNew: params.whatToTest });
+			return;
+		}
+		await existing.updateAsync({ whatsNew: params.whatToTest });
+	});
 });
 const applyGroups = (params) => Effect.gen(function* () {
-	const allGroups = yield* listBetaGroups(params.credentials, params.appId).pipe(Effect.mapError(wrapAsc("TESTFLIGHT_LIST_GROUPS_FAILED")));
-	const { matched, missing } = matchBetaGroupsByName(allGroups, params.groups);
+	const named = (yield* call("TESTFLIGHT_LIST_GROUPS_FAILED", "apple-list-groups", async () => AppleUtils.BetaGroup.getAsync(params.ctx, { query: { filter: { app: params.appId } } }))).map((group) => ({
+		id: group.id,
+		name: group.attributes.name
+	}));
+	const { matched, missing } = matchBetaGroupsByName(named, params.groups);
 	if (missing.length > 0) {
-		const available = allGroups.map((group) => group.name).join(", ") || "(none)";
+		const available = named.map((group) => group.name).join(", ") || "(none)";
 		return yield* new TestFlightConfigError({
 			code: "TESTFLIGHT_GROUP_NOT_FOUND",
 			message: `TestFlight group(s) not found: ${missing.join(", ")}. Available groups: ${available}.`
 		});
 	}
-	yield* addBuildToBetaGroups(params.credentials, params.buildId, matched.map((group) => group.id)).pipe(Effect.mapError(wrapAsc("TESTFLIGHT_ADD_TO_GROUPS_FAILED")));
+	yield* call("TESTFLIGHT_ADD_TO_GROUPS_FAILED", "apple-add-to-groups", async () => params.build.addBetaGroupsAsync({ betaGroups: matched.map((group) => group.id) }));
 });
 /** Whether a profile has any TestFlight config that warrants the processing wait. */
 const needsTestFlightConfig = (params) => params.whatToTest !== void 0 || params.groups.length > 0;
 const applyTestFlightConfig = (inputs) => Effect.gen(function* () {
+	const ctx = buildTokenRequestContext(inputs.credentials);
 	yield* printHuman("Configuring TestFlight (waiting for build processing)...");
 	const build = yield* pollForProcessedBuild({
-		credentials: inputs.credentials,
+		ctx,
 		context: inputs.context,
 		pollTimeoutMs: inputs.pollTimeoutMs ?? DEFAULT_POLL_TIMEOUT_MS,
 		pollIntervalMs: inputs.pollIntervalMs ?? DEFAULT_POLL_INTERVAL_MS
 	});
 	if (inputs.whatToTest !== void 0) {
 		yield* applyWhatToTest({
-			credentials: inputs.credentials,
-			buildId: build.id,
-			locale: inputs.language ?? DEFAULT_LOCALE,
+			ctx,
+			build,
+			locale: inputs.language ?? DEFAULT_LOCALE$1,
 			whatToTest: inputs.whatToTest
 		});
-		yield* printHuman(`Set "What to Test" on build ${build.version ?? build.id}.`);
+		yield* printHuman(`Set "What to Test" on build ${build.attributes.version}.`);
 	}
 	if (inputs.groups.length > 0) {
 		yield* applyGroups({
-			credentials: inputs.credentials,
+			ctx,
 			appId: inputs.context.appId,
-			buildId: build.id,
+			build,
 			groups: inputs.groups
 		});
 		yield* printHuman(`Assigned build to TestFlight group(s): ${inputs.groups.join(", ")}.`);
 	}
 	return {
 		buildId: build.id,
-		buildVersion: build.version
+		buildVersion: build.attributes.version
 	};
 });
 
@@ -22034,10 +21678,21 @@ const resolveIosUploadAuth = (params) => {
 	};
 	return null;
 };
-const resolveAscCredentials = (api, ascApiKeyId) => fetchAscCredentials(api, ascApiKeyId).pipe(Effect.mapError(() => new CliSubmitError({
-	code: "SUBMISSION_ASC_KEY_FETCH_FAILED",
-	message: `Failed to fetch or decrypt ASC API key ${ascApiKeyId}`
-})));
+/**
+* Decrypt the ASC `.p8` once for a submit: needed for an asc-api-key upload, and
+* for post-upload TestFlight config regardless of upload auth. Returns null when
+* none is required or available; a decrypt failure logs a note and degrades to
+* null so the caller can queue-and-instruct rather than crash.
+*/
+const resolveAscUploadCredentials = (params) => Effect.gen(function* () {
+	const credsKeyId = params.auth.kind === "asc-api-key" ? params.auth.ascApiKeyId : params.ascApiKeyId;
+	if (!(params.auth.kind === "asc-api-key" || params.wantsConfig) || credsKeyId === void 0) return null;
+	return yield* fetchAscCredentials(params.api, credsKeyId).pipe(Effect.map((creds) => ({
+		keyId: creds.keyId,
+		issuerId: creds.issuerId,
+		p8Pem: creds.p8Pem
+	})), Effect.catchAll((error) => printHuman(`Could not prepare ASC API key ${credsKeyId} (${messageOf(error)}).`).pipe(Effect.as(null))));
+});
 /** `altool` reads the API key from `--apiKeyDir`; write the decrypted `.p8` there. */
 const writeP8ForAltool = (credentials) => Effect.gen(function* () {
 	const target = path.join(tmpdir(), `better-update-submit-AuthKey_${credentials.keyId}.p8`);
@@ -22083,8 +21738,7 @@ const runIosSubmit = (inputs) => Effect.gen(function* () {
 		whatToTest: inputs.config.whatToTest,
 		groups: inputs.config.groups
 	});
-	const credsKeyId = inputs.auth.kind === "asc-api-key" ? inputs.auth.ascApiKeyId : inputs.ascApiKeyId;
-	const ascCredentials = (inputs.auth.kind === "asc-api-key" || wantsConfig) && credsKeyId !== void 0 ? yield* resolveAscCredentials(inputs.api, credsKeyId) : null;
+	const { ascCredentials } = inputs;
 	const ipaPath = yield* resolveLocalArchivePath(inputs.archive, ".ipa");
 	let tfContext = null;
 	if (wantsConfig && ascCredentials !== null) tfContext = yield* captureTestFlightContext({
@@ -22325,24 +21979,38 @@ const runAutoSubmit = (input) => Effect.gen(function* () {
 		});
 		if (auth === null) yield* printHuman("Skipping iOS upload: configure ascApiKeyId or set EXPO_APPLE_APP_SPECIFIC_PASSWORD (+ appleId).");
 		else {
-			yield* printHuman(auth.kind === "app-specific-password" ? "Running xcrun altool upload (Apple ID app-specific password)..." : "Running xcrun altool upload (ASC API key)...");
-			yield* runIosSubmit({
+			const groups = easProfile.ios?.groups ?? [];
+			const wantsConfig = needsTestFlightConfig({
+				whatToTest: input.whatToTest,
+				groups
+			});
+			const ascCredentials = yield* resolveAscUploadCredentials({
 				api: input.api,
-				submissionId: submission.id,
-				archive: {
-					source: "build",
-					value: archiveUrl
-				},
 				auth,
 				ascApiKeyId: easProfile.ios?.ascApiKeyId,
-				config: {
-					bundleIdentifier: iosConfig.bundleIdentifier,
-					ascAppId: easProfile.ios?.ascAppId,
-					language: easProfile.ios?.language,
-					whatToTest: input.whatToTest,
-					groups: easProfile.ios?.groups ?? []
-				}
+				wantsConfig
 			});
+			if (auth.kind === "asc-api-key" && ascCredentials === null) yield* printHuman("Skipping iOS upload: the ASC API key could not be prepared for upload.");
+			else {
+				yield* printHuman(auth.kind === "app-specific-password" ? "Running xcrun altool upload (Apple ID app-specific password)..." : "Running xcrun altool upload (ASC API key)...");
+				yield* runIosSubmit({
+					api: input.api,
+					submissionId: submission.id,
+					archive: {
+						source: "build",
+						value: archiveUrl
+					},
+					auth,
+					ascCredentials,
+					config: {
+						bundleIdentifier: iosConfig.bundleIdentifier,
+						ascAppId: easProfile.ios?.ascAppId,
+						language: easProfile.ios?.language,
+						whatToTest: input.whatToTest,
+						groups
+					}
+				});
+			}
 		}
 	}
 	if (input.platform === "android" && androidConfig !== void 0 && easProfile.android !== void 0) {
@@ -22472,60 +22140,6 @@ const findAndroidArtifact = ({ projectRoot, format, flavor, buildType, minMtimeM
 	return pickedFallback.path;
 });
 
-//#endregion
-//#region src/lib/android-keystore.ts
-const DEFAULT_KEYSTORE_VALIDITY_DAYS = 1e4;
-const renderDistinguishedName = (params) => `CN=${params.commonName}, O=${params.organization}`;
-const FINGERPRINT_PATTERNS = {
-	md5: /MD5:\s*(?<value>[0-9A-F:]+)/iu,
-	sha1: /SHA-?1:\s*(?<value>[0-9A-F:]+)/iu,
-	sha256: /SHA-?256:\s*(?<value>[0-9A-F:]+)/iu
-};
-/**
-* Parse certificate fingerprints out of `keytool -list -v` output. The fingerprint
-* labels (`MD5:`, `SHA1:`, `SHA256:`) are stable across keytool locales — only the
-* surrounding prose is translated — so label-anchored regexes are robust. MD5 is
-* absent on modern JDKs (dropped from `-v` output); that field stays `undefined`.
-* keytool already emits the canonical uppercase, colon-separated form the dashboard
-* displays verbatim, so no normalization is needed.
-*/
-const parseKeystoreFingerprints = (output) => ({
-	md5: output.match(FINGERPRINT_PATTERNS.md5)?.groups?.["value"],
-	sha1: output.match(FINGERPRINT_PATTERNS.sha1)?.groups?.["value"],
-	sha256: output.match(FINGERPRINT_PATTERNS.sha256)?.groups?.["value"]
-});
-/**
-* Run `keytool -list -v` against an on-disk keystore and extract its certificate
-* fingerprints. Only the store password is required to read a certificate. Used at
-* upload/generate time to populate the public, server-visible fingerprint metadata
-* the dashboard renders.
-*/
-const extractKeystoreFingerprints = (params) => Command.string(Command.make("keytool", "-list", "-v", "-keystore", params.keystorePath, "-alias", params.keyAlias, "-storepass", params.storePassword).pipe(Command.env({ LC_ALL: "C" }))).pipe(Effect.mapError((cause) => new BuildFailedError({
-	step: "extract keystore fingerprints",
-	exitCode: 1,
-	message: `keytool -list failed to run (is the JDK installed?): ${String(cause)}`
-})), Effect.flatMap((output) => {
-	const fingerprints = parseKeystoreFingerprints(output);
-	if (fingerprints.sha1 === void 0 && fingerprints.sha256 === void 0) return Effect.fail(new BuildFailedError({
-		step: "extract keystore fingerprints",
-		exitCode: 1,
-		message: "keytool produced no SHA-1/SHA-256 fingerprints — verify the key alias and keystore password"
-	}));
-	return Effect.succeed(fingerprints);
-}));
-const generateAndroidKeystore = (input) => Command.exitCode(Command.make("keytool", "-genkeypair", "-v", "-storetype", "JKS", "-keystore", input.outputPath, "-alias", input.keyAlias, "-keyalg", "RSA", "-keysize", "2048", "-validity", String(input.validityDays ?? DEFAULT_KEYSTORE_VALIDITY_DAYS), "-storepass", input.storePassword, "-keypass", input.keyPassword, "-dname", renderDistinguishedName({
-	commonName: input.commonName,
-	organization: input.organization
-}), "-noprompt").pipe(Command.stdout("inherit"), Command.stderr("inherit"))).pipe(Effect.mapError((cause) => new BuildFailedError({
-	step: "generate android keystore",
-	exitCode: 1,
-	message: `generate android keystore failed to spawn: ${String(cause)}`
-})), Effect.flatMap((code) => code === 0 ? Effect.void : Effect.fail(new BuildFailedError({
-	step: "generate android keystore",
-	exitCode: code,
-	message: `generate android keystore exited with code ${code}`
-}))));
-
 //#endregion
 //#region src/lib/apple-cert-to-p12.ts
 var CertParseError = class extends Data.TaggedError("CertParseError") {};
@@ -22547,11 +22161,6 @@ const extractTeamId$1 = (cert) => {
 	if (cn === null) return null;
 	return matchTeamFromCommonName(cn);
 };
-const parseCert = (certDerBytes) => {
-	const asn1 = forge.asn1.fromDer(certDerBytes);
-	return forge.pki.certificateFromAsn1(asn1);
-};
-const generatePassword = () => forge.util.encode64(forge.random.getBytesSync(16));
 /**
 * Normalize an Apple certificate serial number for comparison.
 *
@@ -22595,84 +22204,69 @@ const extractMetadataFromP12 = (params) => Effect.gen(function* () {
 	if (first?.cert === void 0) return yield* new CertParseError({ message: "PKCS#12 bundle does not contain a certificate" });
 	return yield* extractCertMetadata(first.cert);
 });
-const buildDistributionCertP12 = (params) => Effect.gen(function* () {
-	const result = yield* Effect.try({
-		try: () => {
-			const cert = parseCert(forge.util.decode64(params.certificateContentBase64));
-			const password = generatePassword();
-			const p12Asn1 = forge.pkcs12.toPkcs12Asn1(params.privateKey, [cert], password, {
-				friendlyName: "key",
-				algorithm: "3des"
-			});
-			return {
-				cert,
-				p12Base64: forge.util.encode64(forge.asn1.toDer(p12Asn1).getBytes()),
-				password
-			};
-		},
-		catch: (error) => new CertParseError({ message: `Failed to assemble .p12: ${error instanceof Error ? error.message : String(error)}` })
-	});
-	const metadata = yield* extractCertMetadata(result.cert);
-	return {
-		p12Base64: result.p12Base64,
-		password: result.password,
-		metadata
-	};
-});
 
 //#endregion
-//#region src/lib/apple-csr.ts
-const generateRsaKeyPair = async () => new Promise((resolve) => {
-	forge.pki.rsa.generateKeyPair({
-		bits: 2048,
-		workers: 2
-	}, (_err, keyPair) => {
-		resolve(keyPair);
-	});
-});
-const generateCertificateSigningRequest = async () => {
-	const keyPair = await generateRsaKeyPair();
-	const csr = forge.pki.createCertificationRequest();
-	csr.publicKey = keyPair.publicKey;
-	csr.setSubject([{
-		name: "commonName",
-		shortName: "CN",
-		value: "PEM"
-	}]);
-	csr.sign(keyPair.privateKey, forge.md.sha1.create());
-	return {
-		csrPem: forge.pki.certificationRequestToPem(csr),
-		privateKeyPem: forge.pki.privateKeyToPem(keyPair.privateKey),
-		privateKey: keyPair.privateKey
-	};
+//#region src/lib/android-keystore.ts
+const DEFAULT_KEYSTORE_VALIDITY_DAYS = 1e4;
+const renderDistinguishedName = (params) => `CN=${params.commonName}, O=${params.organization}`;
+const FINGERPRINT_PATTERNS = {
+	md5: /MD5:\s*(?<value>[0-9A-F:]+)/iu,
+	sha1: /SHA-?1:\s*(?<value>[0-9A-F:]+)/iu,
+	sha256: /SHA-?256:\s*(?<value>[0-9A-F:]+)/iu
 };
+/**
+* Parse certificate fingerprints out of `keytool -list -v` output. The fingerprint
+* labels (`MD5:`, `SHA1:`, `SHA256:`) are stable across keytool locales — only the
+* surrounding prose is translated — so label-anchored regexes are robust. MD5 is
+* absent on modern JDKs (dropped from `-v` output); that field stays `undefined`.
+* keytool already emits the canonical uppercase, colon-separated form the dashboard
+* displays verbatim, so no normalization is needed.
+*/
+const parseKeystoreFingerprints = (output) => ({
+	md5: output.match(FINGERPRINT_PATTERNS.md5)?.groups?.["value"],
+	sha1: output.match(FINGERPRINT_PATTERNS.sha1)?.groups?.["value"],
+	sha256: output.match(FINGERPRINT_PATTERNS.sha256)?.groups?.["value"]
+});
+/**
+* Run `keytool -list -v` against an on-disk keystore and extract its certificate
+* fingerprints. Only the store password is required to read a certificate. Used at
+* upload/generate time to populate the public, server-visible fingerprint metadata
+* the dashboard renders.
+*/
+const extractKeystoreFingerprints = (params) => Command.string(Command.make("keytool", "-list", "-v", "-keystore", params.keystorePath, "-alias", params.keyAlias, "-storepass", params.storePassword).pipe(Command.env({ LC_ALL: "C" }))).pipe(Effect.mapError((cause) => new BuildFailedError({
+	step: "extract keystore fingerprints",
+	exitCode: 1,
+	message: `keytool -list failed to run (is the JDK installed?): ${String(cause)}`
+})), Effect.flatMap((output) => {
+	const fingerprints = parseKeystoreFingerprints(output);
+	if (fingerprints.sha1 === void 0 && fingerprints.sha256 === void 0) return Effect.fail(new BuildFailedError({
+		step: "extract keystore fingerprints",
+		exitCode: 1,
+		message: "keytool produced no SHA-1/SHA-256 fingerprints — verify the key alias and keystore password"
+	}));
+	return Effect.succeed(fingerprints);
+}));
+const generateAndroidKeystore = (input) => Command.exitCode(Command.make("keytool", "-genkeypair", "-v", "-storetype", "JKS", "-keystore", input.outputPath, "-alias", input.keyAlias, "-keyalg", "RSA", "-keysize", "2048", "-validity", String(input.validityDays ?? DEFAULT_KEYSTORE_VALIDITY_DAYS), "-storepass", input.storePassword, "-keypass", input.keyPassword, "-dname", renderDistinguishedName({
+	commonName: input.commonName,
+	organization: input.organization
+}), "-noprompt").pipe(Command.stdout("inherit"), Command.stderr("inherit"))).pipe(Effect.mapError((cause) => new BuildFailedError({
+	step: "generate android keystore",
+	exitCode: 1,
+	message: `generate android keystore failed to spawn: ${String(cause)}`
+})), Effect.flatMap((code) => code === 0 ? Effect.void : Effect.fail(new BuildFailedError({
+	step: "generate android keystore",
+	exitCode: code,
+	message: `generate android keystore exited with code ${code}`
+}))));
 
 //#endregion
 //#region src/lib/credentials-generator.ts
-const DISTRIBUTION_TO_PROFILE_TYPE$1 = {
-	APP_STORE: "IOS_APP_STORE",
-	AD_HOC: "IOS_APP_ADHOC",
-	DEVELOPMENT: "IOS_APP_DEVELOPMENT",
-	ENTERPRISE: "IOS_APP_INHOUSE"
-};
+/** Stable hash of an Apple device-id roster, used to detect profile drift. */
 const computeDeviceRosterHashHex = (ascDeviceIds) => {
 	const sorted = [...ascDeviceIds].toSorted();
 	return createHash("sha256").update(sorted.join(","), "utf8").digest("hex");
 };
 var CertificateLimitError = class extends Data.TaggedError("CertificateLimitError") {};
-var GenerateFailedError = class extends Data.TaggedError("GenerateFailedError") {};
-const messageForAscCause = (cause) => {
-	if (cause._tag === "AscApiError") return cause.message;
-	if (cause._tag === "AppleAuthError") return "Apple JWT signing failed";
-	return "Network error talking to Apple";
-};
-const wrapAscError = (step) => (cause) => {
-	if (cause._tag === "AscApiError" && isCertificateLimitError(cause)) return new CertificateLimitError({ message: cause.message });
-	return new GenerateFailedError({
-		step,
-		message: messageForAscCause(cause)
-	});
-};
 const generateAndUploadKeystore = (api, input) => Effect.scoped(Effect.gen(function* () {
 	const fs = yield* FileSystem.FileSystem;
 	const tempDir = yield* acquireBuildTempDir;
@@ -22720,94 +22314,129 @@ const generateAndUploadKeystore = (api, input) => Effect.scoped(Effect.gen(funct
 		keyAlias: created.keyAlias
 	};
 }));
+
+//#endregion
+//#region src/lib/credentials-generator-apple.ts
+/**
+* iOS signing-credential generation on `@expo/apple-utils`, parameterized by the
+* App Store Connect `RequestContext`: a headless JWT `Token` context (built from a
+* vault `.p8` via {@link buildTokenRequestContext}) or an interactive Apple ID
+* cookie session (`AppleAuth.buildRequestContext`). Both drive the same entity
+* managers — apple-utils routes to the public ASC API or the developer portal by
+* which context is supplied. This is the single home for cert/bundle-id/device/
+* profile generation; the JWT REST client it replaced is gone.
+*/
+const DISTRIBUTION_TO_PROFILE_TYPE = {
+	APP_STORE: AppleUtils.ProfileType.IOS_APP_STORE,
+	AD_HOC: AppleUtils.ProfileType.IOS_APP_ADHOC,
+	DEVELOPMENT: AppleUtils.ProfileType.IOS_APP_DEVELOPMENT,
+	ENTERPRISE: AppleUtils.ProfileType.IOS_APP_INHOUSE
+};
+const DISTRIBUTION_TO_CERTIFICATE_TYPE = {
+	APP_STORE: AppleUtils.CertificateType.IOS_DISTRIBUTION,
+	AD_HOC: AppleUtils.CertificateType.IOS_DISTRIBUTION,
+	ENTERPRISE: AppleUtils.CertificateType.IOS_DISTRIBUTION,
+	DEVELOPMENT: AppleUtils.CertificateType.IOS_DEVELOPMENT
+};
+var AppleIdGenerateFailedError = class extends Data.TaggedError("AppleIdGenerateFailedError") {};
+const wrap = (step, run) => Effect.tryPromise({
+	try: run,
+	catch: (cause) => new AppleIdGenerateFailedError({
+		step,
+		message: messageOf(cause)
+	})
+});
+/**
+* Build a headless ASC `RequestContext` by decrypting a stored ASC `.p8` key.
+* Used by the non-interactive (build/manager) callers that hold an `ascApiKeyId`
+* rather than an Apple ID cookie session.
+*/
+const ascKeyRequestContext = (api, ascApiKeyId) => fetchAscCredentials(api, ascApiKeyId).pipe(Effect.map(buildTokenRequestContext));
+const wrapCertificateCreate = (run) => Effect.tryPromise({
+	try: run,
+	catch: (cause) => {
+		const message = messageOf(cause);
+		if (isCertificateLimitMessage(message)) return new CertificateLimitError({ message });
+		return new AppleIdGenerateFailedError({
+			step: "apple-create-certificate",
+			message
+		});
+	}
+});
+const certificateTypeOf = (certificateType) => certificateType === "IOS_DEVELOPMENT" ? AppleUtils.CertificateType.IOS_DEVELOPMENT : AppleUtils.CertificateType.IOS_DISTRIBUTION;
 const generateAndUploadDistributionCertificate = (api, input) => Effect.gen(function* () {
-	const creds = yield* fetchAscCredentials(api, input.ascApiKeyId);
-	const ascCreds = {
-		keyId: creds.keyId,
-		issuerId: creds.issuerId,
-		p8Pem: creds.p8Pem
-	};
-	const csrResult = yield* Effect.tryPromise({
-		try: generateCertificateSigningRequest,
-		catch: (cause) => new GenerateFailedError({
-			step: "csr",
-			message: `CSR generation failed: ${cause instanceof Error ? cause.message : String(cause)}`
-		})
-	});
-	const certificateType = input.certificateType ?? "IOS_DISTRIBUTION";
-	const apple = yield* createCertificate(ascCreds, {
-		csrPem: csrResult.csrPem,
-		certificateType
-	}).pipe(Effect.mapError(wrapAscError("apple-create-certificate")));
-	if (apple.certificateContent === null) return yield* new GenerateFailedError({
-		step: "apple-create-certificate",
-		message: "Apple response missing certificateContent"
-	});
-	const bundle = yield* buildDistributionCertP12({
-		certificateContentBase64: apple.certificateContent,
-		privateKey: csrResult.privateKey
-	}).pipe(Effect.mapError((cause) => new GenerateFailedError({
-		step: "p12-build",
+	const ctx = input.context;
+	const result = yield* wrapCertificateCreate(async () => AppleUtils.createCertificateAndP12Async(ctx, { certificateType: certificateTypeOf(input.certificateType) }));
+	const metadata = yield* extractMetadataFromP12({
+		p12Base64: result.certificateP12,
+		password: result.password
+	}).pipe(Effect.mapError((cause) => new AppleIdGenerateFailedError({
+		step: "parse-p12",
 		message: cause.message
 	})));
 	const session = yield* openVaultSessionInteractive(api);
-	const metadata = {
-		serialNumber: bundle.metadata.serialNumber,
-		appleTeamIdentifier: bundle.metadata.appleTeamId,
-		validFrom: bundle.metadata.validFrom,
-		validUntil: bundle.metadata.validUntil
+	const envelopeMetadata = {
+		serialNumber: metadata.serialNumber,
+		appleTeamIdentifier: metadata.appleTeamId,
+		validFrom: metadata.validFrom,
+		validUntil: metadata.validUntil
 	};
 	const envelope = yield* sealForUpload({
 		session,
 		credentialType: "distribution-certificate",
-		metadata,
+		metadata: envelopeMetadata,
 		secret: {
-			p12Base64: bundle.p12Base64,
-			p12Password: bundle.password
+			p12Base64: result.certificateP12,
+			p12Password: result.password
 		}
-	});
+	}).pipe(Effect.mapError((cause) => new AppleIdGenerateFailedError({
+		step: "encrypt-p12",
+		message: cause.message
+	})));
 	const created = yield* api.appleDistributionCertificates.upload({ payload: {
 		...toUploadEnvelope(envelope),
-		...metadata,
+		...envelopeMetadata,
 		...compact({
-			appleTeamName: toOptional(bundle.metadata.appleTeamName),
-			developerIdIdentifier: toOptional(bundle.metadata.developerIdIdentifier)
+			appleTeamName: toOptional(metadata.appleTeamName),
+			developerIdIdentifier: toOptional(metadata.developerIdIdentifier)
 		})
 	} });
 	return {
 		id: created.id,
-		serialNumber: bundle.metadata.serialNumber,
+		serialNumber: metadata.serialNumber,
 		appleTeamId: created.appleTeamId,
-		appleTeamIdentifier: bundle.metadata.appleTeamId,
-		developerPortalIdentifier: apple.id
+		appleTeamIdentifier: metadata.appleTeamId,
+		developerPortalIdentifier: result.certificate.id
 	};
 });
-const revokeAppleCertificate = (api, input) => Effect.gen(function* () {
-	const creds = yield* fetchAscCredentials(api, input.ascApiKeyId);
-	yield* deleteCertificate({
-		keyId: creds.keyId,
-		issuerId: creds.issuerId,
-		p8Pem: creds.p8Pem
-	}, input.developerPortalIdentifier).pipe(Effect.mapError(wrapAscError("apple-revoke-certificate")));
+const listDistributionCerts = (ctx, certificateType = "IOS_DISTRIBUTION") => Effect.gen(function* () {
+	return (yield* wrap("apple-list-certificates", async () => AppleUtils.Certificate.getAsync(ctx, { query: { filter: { certificateType: certificateTypeOf(certificateType) } } }))).map((entry) => ({
+		developerPortalIdentifier: entry.id,
+		serialNumber: entry.attributes.serialNumber,
+		displayName: entry.attributes.displayName,
+		certificateType: entry.attributes.certificateType,
+		expirationDate: entry.attributes.expirationDate
+	}));
 });
+const revokeDistributionCert = (ctx, developerPortalIdentifier) => wrap("apple-revoke-certificate", async () => AppleUtils.Certificate.deleteAsync(ctx, { id: developerPortalIdentifier }));
+/**
+* Revoke the distribution certificate behind a stored row: match it on Apple by
+* serial (across distribution + development), delete it there, and optionally
+* delete the local row. Builds a headless Token context from the ASC key.
+*/
 const revokeLocalDistributionCertificate = (api, input) => Effect.gen(function* () {
 	const local = (yield* api.appleDistributionCertificates.list()).items.find((entry) => entry.id === input.distributionCertificateId);
-	if (local === void 0) return yield* new GenerateFailedError({
+	if (local === void 0) return yield* new AppleIdGenerateFailedError({
 		step: "load-distribution-certificate",
 		message: `Distribution certificate ${input.distributionCertificateId} not found on this account`
 	});
-	const creds = yield* fetchAscCredentials(api, input.ascApiKeyId);
-	const ascCreds = {
-		keyId: creds.keyId,
-		issuerId: creds.issuerId,
-		p8Pem: creds.p8Pem
-	};
+	const ctx = buildTokenRequestContext(yield* fetchAscCredentials(api, input.ascApiKeyId));
 	const targetSerial = normalizeAppleSerial(local.serialNumber);
-	const matching = yield* Effect.all([listCertificates(ascCreds, { certificateType: "IOS_DISTRIBUTION" }), listCertificates(ascCreds, { certificateType: "IOS_DEVELOPMENT" })], { concurrency: 2 }).pipe(Effect.mapError(wrapAscError("apple-list-certificates")));
-	const ascMatch = [...matching[0], ...matching[1]].find((entry) => normalizeAppleSerial(entry.serialNumber) === targetSerial);
+	const matching = yield* Effect.all([wrap("apple-list-certificates", async () => AppleUtils.Certificate.getAsync(ctx, { query: { filter: { certificateType: AppleUtils.CertificateType.IOS_DISTRIBUTION } } })), wrap("apple-list-certificates", async () => AppleUtils.Certificate.getAsync(ctx, { query: { filter: { certificateType: AppleUtils.CertificateType.IOS_DEVELOPMENT } } }))], { concurrency: 2 });
+	const ascMatch = [...matching[0], ...matching[1]].find((entry) => normalizeAppleSerial(entry.attributes.serialNumber) === targetSerial);
 	let revokedOnApple = false;
 	if (ascMatch !== void 0) {
-		yield* deleteCertificate(ascCreds, ascMatch.id).pipe(Effect.mapError(wrapAscError("apple-revoke-certificate")));
+		yield* wrap("apple-revoke-certificate", async () => AppleUtils.Certificate.deleteAsync(ctx, { id: ascMatch.id }));
 		revokedOnApple = true;
 	}
 	let deletedLocally = false;
@@ -22822,67 +22451,59 @@ const revokeLocalDistributionCertificate = (api, input) => Effect.gen(function*
 		deletedLocally
 	};
 });
-const listAppleCertificates = (api, input) => Effect.gen(function* () {
-	const creds = yield* fetchAscCredentials(api, input.ascApiKeyId);
-	return yield* listCertificates({
-		keyId: creds.keyId,
-		issuerId: creds.issuerId,
-		p8Pem: creds.p8Pem
-	}, compact({ certificateType: input.certificateType })).pipe(Effect.mapError(wrapAscError("apple-list-certificates")));
+const findOrCreateBundleId = (ctx, bundleIdentifier) => Effect.gen(function* () {
+	const existing = yield* wrap("apple-find-bundle-id", async () => AppleUtils.BundleId.findAsync(ctx, { identifier: bundleIdentifier }));
+	if (existing !== null) return existing.id;
+	return (yield* wrap("apple-create-bundle-id", async () => AppleUtils.BundleId.createAsync(ctx, {
+		identifier: bundleIdentifier,
+		name: bundleIdentifier,
+		platform: AppleUtils.BundleIdPlatform.IOS
+	}))).id;
 });
-const resolveCertAscId = (creds, serialNumber, certificateType) => Effect.gen(function* () {
-	const certs = yield* listCertificates(creds, { certificateType }).pipe(Effect.mapError(wrapAscError("apple-list-certificates")));
+const findAscCertificateId = (ctx, serialNumber, certificateType) => Effect.gen(function* () {
+	const certs = yield* wrap("apple-list-certificates", async () => AppleUtils.Certificate.getAsync(ctx, { query: { filter: { certificateType } } }));
 	const target = normalizeAppleSerial(serialNumber);
-	const match = certs.find((entry) => normalizeAppleSerial(entry.serialNumber) === target);
-	if (match === void 0) return yield* new GenerateFailedError({
+	const match = certs.find((entry) => normalizeAppleSerial(entry.attributes.serialNumber) === target);
+	if (match === void 0) return yield* new AppleIdGenerateFailedError({
 		step: "match-apple-certificate",
 		message: `Distribution certificate ${serialNumber} not present on Apple Developer Portal; upload or re-generate it`
 	});
 	return match.id;
 });
-const ensureBundleId = (creds, bundleIdentifier) => Effect.gen(function* () {
-	const existing = (yield* listBundleIds(creds).pipe(Effect.mapError(wrapAscError("apple-list-bundle-ids")))).find((entry) => entry.identifier === bundleIdentifier);
-	if (existing !== void 0) return existing.id;
-	return (yield* createBundleId(creds, {
-		identifier: bundleIdentifier,
-		name: bundleIdentifier
-	}).pipe(Effect.mapError(wrapAscError("apple-create-bundle-id")))).id;
-});
-const collectDeviceAscIds = (creds, appleTeamId, deviceIds) => Effect.gen(function* () {
-	const devices = yield* listDevices(creds).pipe(Effect.mapError(wrapAscError("apple-list-devices")));
-	return {
-		ids: deviceIds === void 0 ? devices.map((device) => device.id) : devices.filter((device) => new Set(deviceIds).has(device.id)).map((device) => device.id),
-		appleTeamId
-	};
+const collectIosDeviceIds = (ctx, deviceIds) => Effect.gen(function* () {
+	const devices = yield* wrap("apple-list-devices", async () => AppleUtils.Device.getAllIOSProfileDevicesAsync(ctx));
+	if (deviceIds === void 0) return devices.map((device) => device.id);
+	const allowed = new Set(deviceIds);
+	return devices.filter((device) => allowed.has(device.id)).map((device) => device.id);
 });
 const generateAndUploadProvisioningProfile = (api, input) => Effect.gen(function* () {
-	const creds = yield* fetchAscCredentials(api, input.ascApiKeyId);
-	const ascCreds = {
-		keyId: creds.keyId,
-		issuerId: creds.issuerId,
-		p8Pem: creds.p8Pem
-	};
-	const cert = yield* api.appleDistributionCertificates.list().pipe(Effect.map(({ items }) => items.find((item) => item.id === input.distributionCertificateId)), Effect.flatMap((match) => match === void 0 ? Effect.fail(new GenerateFailedError({
+	const ctx = input.context;
+	const cert = yield* api.appleDistributionCertificates.list().pipe(Effect.map(({ items }) => items.find((item) => item.id === input.distributionCertificateId)), Effect.flatMap((match) => match === void 0 ? Effect.fail(new AppleIdGenerateFailedError({
 		step: "load-distribution-certificate",
 		message: `Distribution certificate ${input.distributionCertificateId} not found`
 	})) : Effect.succeed(match)));
-	const certificateType = input.distributionType === "DEVELOPMENT" ? "IOS_DEVELOPMENT" : "IOS_DISTRIBUTION";
-	const [certAscId, bundleIdAscId] = yield* Effect.all([resolveCertAscId(ascCreds, cert.serialNumber.toUpperCase(), certificateType), ensureBundleId(ascCreds, input.bundleIdentifier)], { concurrency: 2 });
+	const certificateType = DISTRIBUTION_TO_CERTIFICATE_TYPE[input.distributionType];
+	const [certAscId, bundleIdAscId] = yield* Effect.all([findAscCertificateId(ctx, cert.serialNumber, certificateType), findOrCreateBundleId(ctx, input.bundleIdentifier)], { concurrency: 2 });
 	const useDevices = input.distributionType === "AD_HOC" || input.distributionType === "DEVELOPMENT";
-	const { ids: deviceAscIds } = useDevices ? yield* collectDeviceAscIds(ascCreds, cert.appleTeamId, input.deviceIds) : { ids: [] };
-	if (useDevices && deviceAscIds.length === 0) return yield* new GenerateFailedError({
+	const deviceIds = useDevices ? yield* collectIosDeviceIds(ctx, input.deviceIds) : [];
+	if (useDevices && deviceIds.length === 0) return yield* new AppleIdGenerateFailedError({
 		step: "collect-devices",
 		message: "No registered devices to attach to the provisioning profile"
 	});
-	const profileBytes = fromBase64((yield* createProvisioningProfile(ascCreds, {
-		profileName: `${input.bundleIdentifier} ${input.distributionType} ${Date.now()}`,
-		profileType: DISTRIBUTION_TO_PROFILE_TYPE$1[input.distributionType],
-		bundleIdAscId,
-		certificateAscIds: [certAscId],
-		deviceAscIds
-	}).pipe(Effect.mapError(wrapAscError("apple-create-profile")))).profileContent);
-	const rosterHash = useDevices ? computeDeviceRosterHashHex(deviceAscIds) : void 0;
-	const profileBase64 = toBase64(profileBytes);
+	const profileName = `${input.bundleIdentifier} ${input.distributionType} ${Date.now()}`;
+	const { profileContent } = (yield* wrap("apple-create-profile", async () => AppleUtils.Profile.createAsync(ctx, {
+		bundleId: bundleIdAscId,
+		certificates: [certAscId],
+		devices: deviceIds,
+		name: profileName,
+		profileType: DISTRIBUTION_TO_PROFILE_TYPE[input.distributionType]
+	}))).attributes;
+	if (profileContent === null) return yield* new AppleIdGenerateFailedError({
+		step: "extract-profile-content",
+		message: "Apple returned a profile with no content (likely expired/invalid)"
+	});
+	const profileBase64 = toBase64(fromBase64(profileContent));
+	const rosterHash = useDevices ? computeDeviceRosterHashHex(deviceIds) : void 0;
 	const created = yield* api.appleProvisioningProfiles.upload({ payload: {
 		profileBase64,
 		appleDistributionCertificateId: input.distributionCertificateId,
@@ -22896,7 +22517,7 @@ const generateAndUploadProvisioningProfile = (api, input) => Effect.gen(function
 		profileName: created.profileName,
 		validUntil: created.validUntil,
 		developerPortalIdentifier: created.developerPortalIdentifier,
-		/** Raw .mobileprovision bytes (base64) — callers can install directly without re-downloading. */
+		/** Raw .mobileprovision bytes (base64) — callers can install without re-downloading. */
 		profileBase64
 	};
 });
@@ -22915,7 +22536,7 @@ const generateAndUploadProvisioningProfile = (api, input) => Effect.gen(function
 */
 const autoProvisionExtensionProfile = (api, input) => Effect.gen(function* () {
 	const generated = yield* generateAndUploadProvisioningProfile(api, {
-		ascApiKeyId: input.ascApiKeyId,
+		context: yield* ascKeyRequestContext(api, input.ascApiKeyId),
 		distributionCertificateId: input.distributionCertificateId,
 		bundleIdentifier: input.bundleIdentifier,
 		distributionType: input.distributionType
@@ -23707,166 +23328,6 @@ const distributionCertChoice = (cert, teamLabel = cert.appleTeamId) => ({
 	label: `${cert.serialNumber.slice(0, 12)}… (team ${teamLabel}, exp ${isoDate(cert.validUntil)})`
 });
 
-//#endregion
-//#region src/lib/credentials-generator-apple-id.ts
-const DISTRIBUTION_TO_PROFILE_TYPE = {
-	APP_STORE: AppleUtils.ProfileType.IOS_APP_STORE,
-	AD_HOC: AppleUtils.ProfileType.IOS_APP_ADHOC,
-	DEVELOPMENT: AppleUtils.ProfileType.IOS_APP_DEVELOPMENT,
-	ENTERPRISE: AppleUtils.ProfileType.IOS_APP_INHOUSE
-};
-const DISTRIBUTION_TO_CERTIFICATE_TYPE = {
-	APP_STORE: AppleUtils.CertificateType.IOS_DISTRIBUTION,
-	AD_HOC: AppleUtils.CertificateType.IOS_DISTRIBUTION,
-	ENTERPRISE: AppleUtils.CertificateType.IOS_DISTRIBUTION,
-	DEVELOPMENT: AppleUtils.CertificateType.IOS_DEVELOPMENT
-};
-var AppleIdGenerateFailedError = class extends Data.TaggedError("AppleIdGenerateFailedError") {};
-const CERT_LIMIT_PATTERN = /already have a current.*certificate|pending certificate request/iu;
-const messageOf = (cause) => cause instanceof Error ? cause.message : String(cause);
-const wrap = (step, run) => Effect.tryPromise({
-	try: run,
-	catch: (cause) => new AppleIdGenerateFailedError({
-		step,
-		message: messageOf(cause)
-	})
-});
-const wrapCertificateCreate = (run) => Effect.tryPromise({
-	try: run,
-	catch: (cause) => {
-		const message = messageOf(cause);
-		if (CERT_LIMIT_PATTERN.test(message)) return new CertificateLimitError({ message });
-		return new AppleIdGenerateFailedError({
-			step: "apple-create-certificate",
-			message
-		});
-	}
-});
-const generateAndUploadDistributionCertificateViaAppleId = (api, input) => Effect.gen(function* () {
-	const ctx = input.context;
-	const certificateType = input.certificateType === "IOS_DEVELOPMENT" ? AppleUtils.CertificateType.IOS_DEVELOPMENT : AppleUtils.CertificateType.IOS_DISTRIBUTION;
-	const result = yield* wrapCertificateCreate(async () => AppleUtils.createCertificateAndP12Async(ctx, { certificateType }));
-	const metadata = yield* extractMetadataFromP12({
-		p12Base64: result.certificateP12,
-		password: result.password
-	}).pipe(Effect.mapError((cause) => new AppleIdGenerateFailedError({
-		step: "parse-p12",
-		message: cause.message
-	})));
-	const session = yield* openVaultSessionInteractive(api);
-	const envelopeMetadata = {
-		serialNumber: metadata.serialNumber,
-		appleTeamIdentifier: metadata.appleTeamId,
-		validFrom: metadata.validFrom,
-		validUntil: metadata.validUntil
-	};
-	const envelope = yield* sealForUpload({
-		session,
-		credentialType: "distribution-certificate",
-		metadata: envelopeMetadata,
-		secret: {
-			p12Base64: result.certificateP12,
-			p12Password: result.password
-		}
-	}).pipe(Effect.mapError((cause) => new AppleIdGenerateFailedError({
-		step: "encrypt-p12",
-		message: cause.message
-	})));
-	const created = yield* api.appleDistributionCertificates.upload({ payload: {
-		...toUploadEnvelope(envelope),
-		...envelopeMetadata,
-		...compact({
-			appleTeamName: toOptional(metadata.appleTeamName),
-			developerIdIdentifier: toOptional(metadata.developerIdIdentifier)
-		})
-	} });
-	return {
-		id: created.id,
-		serialNumber: metadata.serialNumber,
-		appleTeamId: created.appleTeamId,
-		appleTeamIdentifier: metadata.appleTeamId,
-		developerPortalIdentifier: result.certificate.id
-	};
-});
-const listDistributionCertsViaAppleId = (ctx, certificateType = "IOS_DISTRIBUTION") => Effect.gen(function* () {
-	const filter = certificateType === "IOS_DEVELOPMENT" ? AppleUtils.CertificateType.IOS_DEVELOPMENT : AppleUtils.CertificateType.IOS_DISTRIBUTION;
-	return (yield* wrap("apple-list-certificates", async () => AppleUtils.Certificate.getAsync(ctx, { query: { filter: { certificateType: filter } } }))).map((entry) => ({
-		developerPortalIdentifier: entry.id,
-		serialNumber: entry.attributes.serialNumber,
-		displayName: entry.attributes.displayName,
-		expirationDate: entry.attributes.expirationDate
-	}));
-});
-const revokeDistributionCertViaAppleId = (ctx, developerPortalIdentifier) => wrap("apple-revoke-certificate", async () => AppleUtils.Certificate.deleteAsync(ctx, { id: developerPortalIdentifier }));
-const findOrCreateBundleId = (ctx, bundleIdentifier) => Effect.gen(function* () {
-	const existing = yield* wrap("apple-find-bundle-id", async () => AppleUtils.BundleId.findAsync(ctx, { identifier: bundleIdentifier }));
-	if (existing !== null) return existing.id;
-	return (yield* wrap("apple-create-bundle-id", async () => AppleUtils.BundleId.createAsync(ctx, {
-		identifier: bundleIdentifier,
-		name: bundleIdentifier,
-		platform: AppleUtils.BundleIdPlatform.IOS
-	}))).id;
-});
-const findAscCertificateId = (ctx, serialNumber, certificateType) => Effect.gen(function* () {
-	const certs = yield* wrap("apple-list-certificates", async () => AppleUtils.Certificate.getAsync(ctx, { query: { filter: { certificateType } } }));
-	const target = normalizeAppleSerial(serialNumber);
-	const match = certs.find((entry) => normalizeAppleSerial(entry.attributes.serialNumber) === target);
-	if (match === void 0) return yield* new AppleIdGenerateFailedError({
-		step: "match-apple-certificate",
-		message: `Distribution certificate ${serialNumber} not present on Apple Developer Portal; upload or re-generate it`
-	});
-	return match.id;
-});
-const collectIosDeviceIds = (ctx, deviceIds) => Effect.gen(function* () {
-	const devices = yield* wrap("apple-list-devices", async () => AppleUtils.Device.getAllIOSProfileDevicesAsync(ctx));
-	if (deviceIds === void 0) return devices.map((device) => device.id);
-	const allowed = new Set(deviceIds);
-	return devices.filter((device) => allowed.has(device.id)).map((device) => device.id);
-});
-const generateAndUploadProvisioningProfileViaAppleId = (api, input) => Effect.gen(function* () {
-	const ctx = input.context;
-	const cert = yield* api.appleDistributionCertificates.list().pipe(Effect.map(({ items }) => items.find((item) => item.id === input.distributionCertificateId)), Effect.flatMap((match) => match === void 0 ? Effect.fail(new AppleIdGenerateFailedError({
-		step: "load-distribution-certificate",
-		message: `Distribution certificate ${input.distributionCertificateId} not found`
-	})) : Effect.succeed(match)));
-	const certificateType = DISTRIBUTION_TO_CERTIFICATE_TYPE[input.distributionType];
-	const [certAscId, bundleIdAscId] = yield* Effect.all([findAscCertificateId(ctx, cert.serialNumber, certificateType), findOrCreateBundleId(ctx, input.bundleIdentifier)], { concurrency: 2 });
-	const useDevices = input.distributionType === "AD_HOC" || input.distributionType === "DEVELOPMENT";
-	const deviceIds = useDevices ? yield* collectIosDeviceIds(ctx, input.deviceIds) : [];
-	if (useDevices && deviceIds.length === 0) return yield* new AppleIdGenerateFailedError({
-		step: "collect-devices",
-		message: "No registered devices to attach to the provisioning profile"
-	});
-	const profileName = `${input.bundleIdentifier} ${input.distributionType} ${Date.now()}`;
-	const { profileContent } = (yield* wrap("apple-create-profile", async () => AppleUtils.Profile.createAsync(ctx, {
-		bundleId: bundleIdAscId,
-		certificates: [certAscId],
-		devices: deviceIds,
-		name: profileName,
-		profileType: DISTRIBUTION_TO_PROFILE_TYPE[input.distributionType]
-	}))).attributes;
-	if (profileContent === null) return yield* new AppleIdGenerateFailedError({
-		step: "extract-profile-content",
-		message: "Apple returned a profile with no content (likely expired/invalid)"
-	});
-	const profileBytes = fromBase64(profileContent);
-	const rosterHash = useDevices ? computeDeviceRosterHashHex(deviceIds) : void 0;
-	const created = yield* api.appleProvisioningProfiles.upload({ payload: {
-		profileBase64: toBase64(profileBytes),
-		appleDistributionCertificateId: input.distributionCertificateId,
-		isManaged: true,
-		...compact({ deviceRosterHash: rosterHash })
-	} });
-	return {
-		id: created.id,
-		bundleIdentifier: created.bundleIdentifier,
-		distributionType: created.distributionType,
-		profileName: created.profileName,
-		validUntil: created.validUntil,
-		developerPortalIdentifier: created.developerPortalIdentifier
-	};
-});
-
 //#endregion
 //#region src/lib/credentials-generator-apns.ts
 const APNS_SERVICE_ID = "U27F4V844T";
@@ -24011,7 +23472,7 @@ const chooseIosSetupPath = (api) => Effect.gen(function* () {
 const interactiveAppleIdCertLimitRecover = (ctx) => Effect.gen(function* () {
 	yield* Console.log("");
 	yield* Console.log("Apple reports the certificate limit was hit (max 3 distribution certs per team).");
-	const certs = yield* listDistributionCertsViaAppleId(ctx, "IOS_DISTRIBUTION");
+	const certs = yield* listDistributionCerts(ctx, "IOS_DISTRIBUTION");
 	if (certs.length === 0) return yield* new AppleIdGenerateFailedError({
 		step: "limit-recover",
 		message: "Apple says the certificate limit is hit but no existing certificates were returned."
@@ -24020,7 +23481,7 @@ const interactiveAppleIdCertLimitRecover = (ctx) => Effect.gen(function* () {
 		value: entry.developerPortalIdentifier,
 		label: `${entry.serialNumber.slice(0, 12)}… (${entry.displayName}, exp ${entry.expirationDate.slice(0, 10)})`
 	})), { required: true });
-	yield* Effect.forEach(toRevoke, (id) => revokeDistributionCertViaAppleId(ctx, id), { concurrency: "inherit" });
+	yield* Effect.forEach(toRevoke, (id) => revokeDistributionCert(ctx, id), { concurrency: "inherit" });
 	yield* Console.log(`Revoked ${toRevoke.length} certificate(s); retrying generation...`);
 });
 const defaultApnsKeyName = () => `better-update APNs (${(/* @__PURE__ */ new Date()).toISOString().slice(0, 10)})`;
@@ -24056,7 +23517,7 @@ const createApnsKeyViaAppleId = (api, name) => Effect.gen(function* () {
 });
 const generateDistributionCertViaAppleIdInteractive = (api, ctx) => Effect.gen(function* () {
 	yield* Console.log("Generating distribution certificate via Apple ID...");
-	const generate = generateAndUploadDistributionCertificateViaAppleId(api, { context: ctx });
+	const generate = generateAndUploadDistributionCertificate(api, { context: ctx });
 	return yield* generate.pipe(Effect.catchTag("CertificateLimitError", () => interactiveAppleIdCertLimitRecover(ctx).pipe(Effect.flatMap(() => generate))));
 });
 const GENERATE_NEW = "__generate__";
@@ -24100,7 +23561,7 @@ const setupIosViaAppleId = (api, input) => Effect.gen(function* () {
 	const cert = yield* chooseDistributionCertViaAppleId(api, ctx, session.teamId);
 	const distributionType = IOS_DISTRIBUTION_TO_TYPE[input.distribution];
 	yield* Console.log("Generating provisioning profile via Apple ID...");
-	const profile = yield* generateAndUploadProvisioningProfileViaAppleId(api, {
+	const profile = yield* generateAndUploadProvisioningProfile(api, {
 		context: ctx,
 		distributionCertificateId: cert.id,
 		bundleIdentifier: input.bundleIdentifier,
@@ -24119,7 +23580,7 @@ const regenerateProvisioningProfileViaAppleId = (api, input) => Effect.gen(funct
 	const auth = yield* AppleAuth;
 	const session = yield* auth.ensureLoggedIn();
 	yield* Console.log("Regenerating provisioning profile via Apple ID...");
-	const created = yield* generateAndUploadProvisioningProfileViaAppleId(api, {
+	const created = yield* generateAndUploadProvisioningProfile(api, {
 		context: auth.buildRequestContext(session),
 		distributionCertificateId: input.distributionCertificateId,
 		bundleIdentifier: input.bundleIdentifier,
@@ -24137,22 +23598,17 @@ const regenerateProvisioningProfileViaAppleId = (api, input) => Effect.gen(funct
 const interactiveCertLimitRecover = (api, ascApiKeyId) => Effect.gen(function* () {
 	yield* Console.log("");
 	yield* Console.log("Apple reports the certificate limit was hit (max 3 distribution certs per team).");
-	const certs = yield* listAppleCertificates(api, {
-		ascApiKeyId,
-		certificateType: "IOS_DISTRIBUTION"
-	});
+	const context = yield* ascKeyRequestContext(api, ascApiKeyId);
+	const certs = yield* listDistributionCerts(context, "IOS_DISTRIBUTION");
 	if (certs.length === 0) return yield* new MissingCredentialsError({
 		message: "Apple says the certificate limit is hit but no existing certificates were returned.",
 		hint: "Try again later or check the Apple Developer portal."
 	});
 	const toRevoke = yield* promptMultiSelect("Select one or more certificates to revoke before retrying", certs.map((entry) => ({
-		value: entry.id,
-		label: `${entry.serialNumber.slice(0, 12)}… (${entry.displayName ?? entry.certificateType}, exp ${entry.expirationDate.slice(0, 10)})`
+		value: entry.developerPortalIdentifier,
+		label: `${entry.serialNumber.slice(0, 12)}… (${entry.displayName || entry.certificateType}, exp ${entry.expirationDate.slice(0, 10)})`
 	})), { required: true });
-	yield* Effect.forEach(toRevoke, (id) => revokeAppleCertificate(api, {
-		ascApiKeyId,
-		developerPortalIdentifier: id
-	}), { concurrency: "inherit" });
+	yield* Effect.forEach(toRevoke, (id) => revokeDistributionCert(context, id), { concurrency: "inherit" });
 	yield* Console.log(`Revoked ${toRevoke.length} certificate(s); retrying generation...`);
 });
 const generateDistributionCertInteractive = (api) => Effect.gen(function* () {
@@ -24165,8 +23621,8 @@ const generateDistributionCertInteractive = (api) => Effect.gen(function* () {
 		value: key.id,
 		label: `${key.name} (${key.keyId})`
 	})));
-	yield* Console.log("Generating CSR and requesting certificate from Apple...");
-	const generate = generateAndUploadDistributionCertificate(api, { ascApiKeyId: ascKeyId });
+	yield* Console.log("Requesting a distribution certificate from Apple...");
+	const generate = generateAndUploadDistributionCertificate(api, { context: yield* ascKeyRequestContext(api, ascKeyId) });
 	return yield* generate.pipe(Effect.catchTag("CertificateLimitError", () => interactiveCertLimitRecover(api, ascKeyId).pipe(Effect.flatMap(() => generate))));
 });
 const chooseIosCertificateId = (api) => Effect.gen(function* () {
@@ -24219,7 +23675,7 @@ const pickIosAscKey = (api, appleTeamId) => Effect.gen(function* () {
 const generateProvisioningProfileForBundle = (api, input, ctx) => Effect.gen(function* () {
 	yield* Console.log("Generating provisioning profile via App Store Connect API...");
 	return (yield* generateAndUploadProvisioningProfile(api, {
-		ascApiKeyId: ctx.ascKeyId,
+		context: yield* ascKeyRequestContext(api, ctx.ascKeyId),
 		distributionCertificateId: ctx.certId,
 		bundleIdentifier: input.bundleIdentifier,
 		distributionType: ctx.distributionType
@@ -24400,7 +23856,7 @@ const regenerateProvisioningProfile = (api, input) => Effect.gen(function* () {
 	});
 	yield* Console.log("Regenerating provisioning profile via App Store Connect API...");
 	const created = yield* generateAndUploadProvisioningProfile(api, {
-		ascApiKeyId: config.ascApiKeyId,
+		context: yield* ascKeyRequestContext(api, config.ascApiKeyId),
 		distributionCertificateId: config.appleDistributionCertificateId,
 		bundleIdentifier: input.bundleIdentifier,
 		distributionType
@@ -28397,8 +27853,10 @@ const androidMenu = (ctx) => Effect.gen(function* () {
 //#endregion
 //#region src/lib/credentials-generator-asc-key.ts
 const toUserRole = (role) => role === "APP_MANAGER" ? AppleUtils.UserRole.APP_MANAGER : AppleUtils.UserRole.ADMIN;
+const ASC_API_KEY_NICKNAME_MAX_LENGTH = 30;
+const clampAscApiKeyNickname = (nickname) => nickname.slice(0, ASC_API_KEY_NICKNAME_MAX_LENGTH);
 /** Default nickname shown in App Store Connect → Users and Access → Integrations. */
-const defaultAscApiKeyNickname = () => `[better-update] ${(/* @__PURE__ */ new Date()).toISOString()}`;
+const defaultAscApiKeyNickname = () => `[better-update] ${Date.now().toString(36)}`;
 const ASC_KEY_NOT_READY_PATTERN = /no resource of type|resource does not exist/iu;
 const ASC_KEY_DOWNLOAD_RETRY = Schedule.exponential("1 second", 2).pipe(Schedule.intersect(Schedule.recurs(6)));
 const downloadAscKeyWithRetry = (key) => Effect.tryPromise({
@@ -28432,7 +27890,7 @@ const writeRescueP8 = (keyId, p8Pem) => Effect.gen(function* () {
 const generateAndUploadAscApiKeyViaAppleId = (api, input) => Effect.gen(function* () {
 	const ctx = input.context;
 	const key = yield* wrap("apple-create-asc-key", async () => AppleUtils.ApiKey.createAsync(ctx, {
-		nickname: input.nickname,
+		nickname: clampAscApiKeyNickname(input.nickname),
 		allAppsVisible: true,
 		roles: [toUserRole(input.role)],
 		keyType: AppleUtils.ApiKeyType.PUBLIC_API
@@ -28460,7 +27918,8 @@ const generateAndUploadAscApiKeyViaAppleId = (api, input) => Effect.gen(function
 		return {
 			id: (yield* api.ascApiKeys.upload({ payload: {
 				...toUploadEnvelope(envelope),
-				...metadata
+				...metadata,
+				roles: [input.role]
 			} })).id,
 			issuerId
 		};
@@ -28761,8 +28220,9 @@ const generateNewIosDistributionCert = (ctx) => Effect.gen(function* () {
 		value: key.id,
 		label: `${key.name} (${key.keyId})`
 	})));
-	yield* Console.log("Generating CSR and requesting certificate from Apple...");
-	const created = yield* generateAndUploadDistributionCertificate(ctx.api, { ascApiKeyId: ascKeyId });
+	yield* Console.log("Requesting a distribution certificate from Apple...");
+	const context = yield* ascKeyRequestContext(ctx.api, ascKeyId);
+	const created = yield* generateAndUploadDistributionCertificate(ctx.api, { context });
 	yield* Console.log("Distribution certificate generated.");
 	yield* printKeyValue([
 		["ID", created.id],
@@ -30545,7 +30005,7 @@ const ascKeyCommand = defineCommand({
 		},
 		nickname: {
 			type: "string",
-			description: "Nickname shown in App Store Connect (defaults to a timestamped name)"
+			description: "Nickname shown in App Store Connect (defaults to a timestamped name; Apple caps it at 30 chars, longer values are truncated)"
 		}
 	},
 	run: async ({ args }) => runEffect(Effect.gen(function* () {
@@ -30796,7 +30256,7 @@ const pushKeyCommand$1 = defineCommand({
 const GENERATE_EXIT_EXTRAS = {
 	CredentialValidationError: 2,
 	BuildFailedError: 6,
-	GenerateFailedError: 6,
+	AppleIdGenerateFailedError: 6,
 	CertificateLimitError: 6
 };
 const ensureNonEmpty = (value, label) => value === void 0 || value.trim().length === 0 ? Effect.fail(new CredentialValidationError({ message: `Missing --${label}` })) : Effect.succeed(value);
@@ -30906,12 +30366,13 @@ const distributionCertificateCommand$1 = defineCommand({
 	run: async ({ args }) => runEffect(Effect.gen(function* () {
 		const api = yield* apiClient;
 		const certificateType = args.type === "development" ? "IOS_DEVELOPMENT" : "IOS_DISTRIBUTION";
-		yield* printHuman("Generating CSR and requesting certificate from Apple...");
+		yield* printHuman("Requesting a distribution certificate from Apple...");
+		const context = yield* ascKeyRequestContext(api, args["asc-key-id"]);
 		const attempt = generateAndUploadDistributionCertificate(api, {
-			ascApiKeyId: args["asc-key-id"],
+			context,
 			certificateType
 		});
-		const created = yield* attempt.pipe(Effect.catchTag("CertificateLimitError", () => handleCertLimitInteractive(api, args["asc-key-id"], certificateType).pipe(Effect.flatMap(() => attempt))));
+		const created = yield* attempt.pipe(Effect.catchTag("CertificateLimitError", () => handleCertLimitInteractive(context, certificateType).pipe(Effect.flatMap(() => attempt))));
 		yield* printHuman("Distribution certificate generated and stored.");
 		yield* printHumanKeyValue([
 			["ID", created.id],
@@ -30925,22 +30386,16 @@ const distributionCertificateCommand$1 = defineCommand({
 		json: "value"
 	})
 });
-const handleCertLimitInteractive = (api, ascApiKeyId, certificateType) => Effect.gen(function* () {
+const handleCertLimitInteractive = (context, certificateType) => Effect.gen(function* () {
 	yield* printHuman("");
 	yield* printHuman("Apple reports the certificate limit was hit (max 3 distribution certs).");
-	const certs = yield* listAppleCertificates(api, {
-		ascApiKeyId,
-		certificateType
-	});
+	const certs = yield* listDistributionCerts(context, certificateType);
 	if (certs.length === 0) return yield* new CertificateLimitError({ message: "Apple says the certificate limit is hit but no existing certificates were returned — try again later." });
 	const toRevoke = yield* promptMultiSelect("Select one or more certificates to revoke before retrying", certs.map((entry) => ({
-		value: entry.id,
-		label: `${entry.serialNumber.slice(0, 12)}… (${entry.displayName ?? entry.certificateType}, exp ${entry.expirationDate.slice(0, 10)})`
+		value: entry.developerPortalIdentifier,
+		label: `${entry.serialNumber.slice(0, 12)}… (${entry.displayName || entry.certificateType}, exp ${entry.expirationDate.slice(0, 10)})`
 	})), { required: true });
-	yield* Effect.forEach(toRevoke, (id) => revokeAppleCertificate(api, {
-		ascApiKeyId,
-		developerPortalIdentifier: id
-	}), { concurrency: "inherit" });
+	yield* Effect.forEach(toRevoke, (id) => revokeDistributionCert(context, id), { concurrency: "inherit" });
 	yield* printHuman(`Revoked ${toRevoke.length} certificate(s); retrying generation...`);
 });
 const provisioningProfileCommand = defineCommand({
@@ -30984,7 +30439,7 @@ const provisioningProfileCommand = defineCommand({
 		const api = yield* apiClient;
 		const deviceIds = parseDeviceIds(args["device-ids"]);
 		const created = yield* generateAndUploadProvisioningProfile(api, {
-			ascApiKeyId: args["asc-key-id"],
+			context: yield* ascKeyRequestContext(api, args["asc-key-id"]),
 			distributionCertificateId: args["cert-id"],
 			bundleIdentifier: args.bundle,
 			distributionType: args.distribution,
@@ -31547,7 +31002,6 @@ const resolveType = (raw, available) => Effect.gen(function* () {
 //#region src/commands/credentials/revoke.ts
 const REVOKE_EXIT_EXTRAS = {
 	CredentialValidationError: 2,
-	GenerateFailedError: 6,
 	AppleIdGenerateFailedError: 6,
 	AppleAuthError: 4,
 	InteractiveProhibitedError: 4
@@ -33051,7 +32505,12 @@ const APPLE_DEVICE_CLASS = {
 	MAC: "MAC"
 };
 const toDeviceClass = (raw) => raw === null ? "UNKNOWN" : APPLE_DEVICE_CLASS[raw] ?? "UNKNOWN";
-const ascErrorMessage = (error) => error._tag === "AscApiError" ? error.message : `Apple request failed: ${String(error.cause)}`;
+const toAppleDevice = (device) => ({
+	id: device.id,
+	udid: device.attributes.udid,
+	name: device.attributes.name,
+	deviceClass: device.attributes.deviceClass
+});
 const LIST_LIMIT = 100;
 /**
 * Resolve which ASC key authenticates the sync and which internal team it
@@ -33129,13 +32588,8 @@ const syncDeviceCommand = defineCommand({
 	run: async ({ args }) => runEffect(Effect.gen(function* () {
 		const api = yield* apiClient;
 		const target = yield* resolveTarget(api, args);
-		const creds = yield* fetchAscCredentials(api, target.ascApiKeyId);
-		const ascCreds = {
-			keyId: creds.keyId,
-			issuerId: creds.issuerId,
-			p8Pem: creds.p8Pem
-		};
-		const appleDevices = yield* listDevices(ascCreds);
+		const ctx = buildTokenRequestContext(yield* fetchAscCredentials(api, target.ascApiKeyId));
+		const appleDevices = (yield* wrapConnect("apple-list-devices", async () => AppleUtils.Device.getAsync(ctx))).map(toAppleDevice);
 		const local = yield* listAllLocalDevices(api, target.appleTeamId);
 		const localUdids = new Set(local.map((device) => device.identifier.toLowerCase()));
 		const pushed = [];
@@ -33144,14 +32598,15 @@ const syncDeviceCommand = defineCommand({
 			const appleUdids = new Set(appleDevices.map((device) => device.udid.toLowerCase()));
 			const toPush = local.filter((device) => !appleUdids.has(device.identifier.toLowerCase()));
 			for (const device of toPush) {
-				const result = yield* Effect.either(createDevice(ascCreds, {
+				const result = yield* Effect.either(wrapConnect("apple-create-device", async () => AppleUtils.Device.createAsync(ctx, {
 					name: device.name,
-					udid: device.identifier
-				}));
-				if (Either.isRight(result)) pushed.push(result.right);
+					udid: device.identifier,
+					platform: AppleUtils.BundleIdPlatform.IOS
+				})));
+				if (Either.isRight(result)) pushed.push(toAppleDevice(result.right));
 				else pushFailures.push({
 					identifier: device.identifier,
-					message: ascErrorMessage(result.left)
+					message: result.left.message
 				});
 			}
 		}
@@ -35553,6 +35008,66 @@ const statusCommand = defineCommand({
 	}), { json: "value" })
 });
 
+//#endregion
+//#region src/application/submit-asc-app.ts
+/**
+* Resolve (and, with consent, create) the App Store Connect app record a `submit`
+* needs for TestFlight config. EAS's `ensureAppExists` equivalent: look the app up
+* headlessly via the vault `.p8` (no Apple login when it already exists), and only
+* when it's missing fall back to an interactive `App.createAsync` from the Apple ID
+* cookie session. The resolved `ascAppId` is persisted to `eas.json` for reuse.
+*
+* Returns the app id, or `null` when none could be resolved — non-interactive runs,
+* a declined prompt, or any failure (login/create/network) degrade to `null` so the
+* caller queues the submission with guidance rather than crashing.
+*/
+const DEFAULT_LOCALE = "en-US";
+/** Apple's documented `App.createAsync` rejections → an actionable hint. */
+const APP_CREATE_HINTS = {
+	APP_CREATE_INSUFFICIENT_ROLE: "your Apple ID needs the \"App Manager\" or \"Admin\" role for this provider to create apps",
+	APP_CREATE_BUNDLE_ID_NOT_REGISTERED: "register the bundle id in your Apple Developer account first (a build or `credentials` run does this)",
+	APP_CREATE_NAME_UNAVAILABLE: "that app name is already taken on the App Store — choose another",
+	APP_CREATE_NAME_INVALID: "the app name contains invalid characters"
+};
+/** Best-effort: write the resolved id back to eas.json so the next run reuses it. */
+const persist$1 = (input, ascAppId) => setSubmitProfileAscAppId(input.projectRoot, input.profileName, ascAppId).pipe(Effect.flatMap((path) => printHuman(`Saved ascAppId to ${path} (submit profile "${input.profileName}") for reuse.`)), Effect.catchAll((error) => printHuman(`Note: could not write ascAppId to eas.json (${error.message}). Add it manually to reuse it.`)));
+const createApp = (cookieCtx, name, input) => wrapConnect("apple-create-app", async () => AppleUtils.App.createAsync(cookieCtx, compact({
+	name,
+	bundleId: input.bundleIdentifier,
+	sku: input.sku ?? input.bundleIdentifier,
+	primaryLocale: input.primaryLocale ?? DEFAULT_LOCALE,
+	companyName: input.companyName,
+	platforms: [AppleUtils.Platform.IOS]
+}))).pipe(Effect.mapError((error) => {
+	const hint = Object.entries(APP_CREATE_HINTS).find(([code]) => error.message.includes(code));
+	return hint === void 0 ? error : new AppleConnectError({
+		step: error.step,
+		message: `${error.message} — ${hint[1]}.`
+	});
+}));
+const ensureAscAppForSubmit = (input) => Effect.gen(function* () {
+	const ctx = buildTokenRequestContext(input.credentials);
+	const existing = yield* wrapConnect("apple-find-app", async () => AppleUtils.App.findAsync(ctx, { bundleId: input.bundleIdentifier }));
+	if (existing !== null) {
+		yield* persist$1(input, existing.id);
+		return existing.id;
+	}
+	if (!(yield* InteractiveMode).allow) {
+		yield* printHuman(`No App Store Connect app exists for bundle id ${input.bundleIdentifier}. Set ascAppId in the eas.json submit profile, or re-run interactively to create it.`);
+		return null;
+	}
+	if (!(yield* promptConfirm(`No App Store Connect app exists for bundle id ${input.bundleIdentifier}. Create it now from your Apple ID?`, { initialValue: true }))) return null;
+	const name = input.appName ?? (yield* promptText("App name (as shown on the App Store)", { placeholder: input.bundleIdentifier }));
+	const auth = yield* AppleAuth;
+	const session = yield* auth.ensureLoggedIn();
+	const cookieCtx = auth.buildRequestContext(session);
+	yield* printHuman("Creating the App Store Connect app via your Apple ID...");
+	const app = yield* createApp(cookieCtx, name, input);
+	yield* printHuman(`Created App Store Connect app "${name}" (${app.id}).`);
+	yield* persist$1(input, app.id);
+	return app.id;
+}).pipe(Effect.catchAll((error) => printHuman(`Could not resolve or create the App Store Connect app (${messageOf(error)}). The submission was queued — set ascAppId in eas.json and re-run.`).pipe(Effect.as(null))));
+
 //#endregion
 //#region src/application/submit-asc-key.ts
 const ROLE_CHOICES = [{
@@ -35689,6 +35204,79 @@ const buildAndroidCreatePayload = (androidProfile) => {
 		rollout: androidProfile.rollout
 	});
 };
+/**
+* Run the iOS upload branch: resolve upload auth (stored key, app-specific
+* password, or an interactively-created ASC key), decrypt the `.p8` once, resolve
+* (or create) the ASC app for TestFlight config, then upload via `altool`.
+* Returns `false` when the submission was only queued (no client upload ran).
+*/
+const submitIosBranch = (params) => Effect.gen(function* () {
+	const { api, iosProfile, iosConfig } = params;
+	const auth = resolveIosUploadAuth({
+		appleId: iosProfile?.appleId,
+		ascApiKeyId: iosProfile?.ascApiKeyId,
+		hasAppSpecificPassword: hasAppleAppSpecificPassword()
+	}) ?? (yield* Effect.gen(function* () {
+		const resolvedKeyId = yield* ensureAscApiKeyForSubmit({
+			api,
+			projectRoot: params.projectRoot,
+			profileName: params.profile
+		});
+		return resolvedKeyId === null ? null : {
+			kind: "asc-api-key",
+			ascApiKeyId: resolvedKeyId
+		};
+	}));
+	if (auth === null) {
+		yield* printHuman("iOS submission queued. Add ascApiKeyId to the eas.json submit profile, or set appleId + the EXPO_APPLE_APP_SPECIFIC_PASSWORD env var, to enable client-side altool upload.");
+		return false;
+	}
+	const groups = iosProfile?.groups ?? [];
+	const wantsConfig = needsTestFlightConfig({
+		whatToTest: params.whatToTest,
+		groups
+	});
+	const ascCredentials = yield* resolveAscUploadCredentials({
+		api,
+		auth,
+		ascApiKeyId: iosProfile?.ascApiKeyId,
+		wantsConfig
+	});
+	if (auth.kind === "asc-api-key" && ascCredentials === null) {
+		yield* printHuman("iOS submission queued — the ASC API key could not be prepared for upload.");
+		return false;
+	}
+	let resolvedAscAppId = iosProfile?.ascAppId;
+	if (wantsConfig && resolvedAscAppId === void 0 && ascCredentials !== null) resolvedAscAppId = toOptional(yield* ensureAscAppForSubmit({
+		credentials: ascCredentials,
+		projectRoot: params.projectRoot,
+		profileName: params.profile,
+		bundleIdentifier: iosConfig.bundleIdentifier,
+		appName: iosProfile?.appName,
+		sku: iosProfile?.sku,
+		companyName: iosProfile?.companyName,
+		primaryLocale: iosProfile?.language
+	}));
+	yield* printHuman(auth.kind === "app-specific-password" ? "Running xcrun altool upload (Apple ID app-specific password)..." : "Running xcrun altool upload (ASC API key)...");
+	yield* runIosSubmit({
+		api,
+		submissionId: params.submissionId,
+		archive: {
+			source: params.archive.archiveSource,
+			value: params.archive.archiveUrl
+		},
+		auth,
+		ascCredentials,
+		config: {
+			bundleIdentifier: iosConfig.bundleIdentifier,
+			ascAppId: resolvedAscAppId,
+			language: iosProfile?.language,
+			whatToTest: params.whatToTest,
+			groups
+		}
+	});
+	return true;
+});
 const runFlow = (api, projectId, args) => Effect.gen(function* () {
 	const iosConfig = buildIosCreatePayload(args.easProfile.ios, args.whatToTest);
 	const androidConfig = buildAndroidCreatePayload(args.easProfile.android);
@@ -35706,44 +35294,16 @@ const runFlow = (api, projectId, args) => Effect.gen(function* () {
 	});
 	yield* printHuman(`Submission created: ${submission.id} (${submission.status})`);
 	if (args.platform === "ios" && iosConfig !== void 0) {
-		const iosProfile = args.easProfile.ios;
-		const auth = resolveIosUploadAuth({
-			appleId: iosProfile?.appleId,
-			ascApiKeyId: iosProfile?.ascApiKeyId,
-			hasAppSpecificPassword: hasAppleAppSpecificPassword()
-		}) ?? (yield* Effect.gen(function* () {
-			const resolvedKeyId = yield* ensureAscApiKeyForSubmit({
-				api,
-				projectRoot: args.projectRoot,
-				profileName: args.profile
-			});
-			return resolvedKeyId === null ? null : {
-				kind: "asc-api-key",
-				ascApiKeyId: resolvedKeyId
-			};
-		}));
-		if (auth === null) {
-			yield* printHuman("iOS submission queued. Add ascApiKeyId to the eas.json submit profile, or set appleId + the EXPO_APPLE_APP_SPECIFIC_PASSWORD env var, to enable client-side altool upload.");
-			return submission;
-		}
-		yield* printHuman(auth.kind === "app-specific-password" ? "Running xcrun altool upload (Apple ID app-specific password)..." : "Running xcrun altool upload (ASC API key)...");
-		yield* runIosSubmit({
+		if (!(yield* submitIosBranch({
 			api,
 			submissionId: submission.id,
-			archive: {
-				source: args.archive.archiveSource,
-				value: args.archive.archiveUrl
-			},
-			auth,
-			ascApiKeyId: auth.kind === "asc-api-key" ? auth.ascApiKeyId : iosProfile?.ascApiKeyId,
-			config: {
-				bundleIdentifier: iosConfig.bundleIdentifier,
-				ascAppId: iosProfile?.ascAppId,
-				language: iosProfile?.language,
-				whatToTest: args.whatToTest,
-				groups: iosProfile?.groups ?? []
-			}
-		});
+			projectRoot: args.projectRoot,
+			profile: args.profile,
+			archive: args.archive,
+			whatToTest: args.whatToTest,
+			iosProfile: args.easProfile.ios,
+			iosConfig
+		}))) return submission;
 	}
 	if (args.platform === "android" && args.easProfile.android !== void 0) {
 		yield* printHuman("Uploading bundle to Google Play locally...");