@capgo/cli 7.100.8 → 7.102.0

package/dist/keychain-export.swift

@@ -0,0 +1,351 @@
+// keychain-export.swift
+//
+// Capgo helper: export ONE iOS signing identity from the user's Keychain as a
+// PKCS#12 blob. Always emits a single line of JSON on stdout describing the
+// outcome — successful or otherwise — so the Node caller never has to parse
+// stderr or guess from exit codes.
+//
+// Usage:
+//   keychain-export --sha1 <40-hex-char-cert-sha1>
+//                   --output <path-to-output.p12>
+//                   --passphrase <wrap-passphrase-for-p12>
+//
+// JSON output (single line on stdout, ALWAYS emitted before exit):
+//
+//   Success:
+//     {"ok":true,"p12Path":"/tmp/x.p12","p12SizeBytes":4096,"identityName":"Apple Distribution: …"}
+//
+//   Failure:
+//     {"ok":false,"errorCode":"USER_DENIED","message":"…","osStatus":-128}
+//     {"ok":false,"errorCode":"NO_IDENTITY","message":"…"}
+//     {"ok":false,"errorCode":"INVALID_ARGS","message":"…"}
+//     {"ok":false,"errorCode":"EXPORT_FAILED","message":"…","osStatus":-12345}
+//     {"ok":false,"errorCode":"WRITE_FAILED","message":"…"}
+//     {"ok":false,"errorCode":"INTERNAL","message":"…"}
+//
+// Exit codes (still emitted for shell-style consumers):
+//   0 — success
+//   1 — generic / internal error
+//   2 — argument parsing error (INVALID_ARGS)
+//   3 — no identity matching the given SHA1 (NO_IDENTITY)
+//   4 — user denied macOS Keychain access (USER_DENIED)
+//
+// Why we use SecItemExport(.formatPKCS12) and accept the 2 prompts:
+//   Xcode-imported signing keys are non-extractable (kSecKeyExtractable=false).
+//   `SecKeyCopyExternalRepresentation` rejects them with
+//   CSSMERR_CSP_INVALID_KEYATTR_MASK. PKCS#12 wrapped export is the only
+//   non-GUI path that works on these keys. macOS asks the user twice on first
+//   run — once for "access" ACL, once for "export" ACL — but caches both
+//   "Always Allow" decisions, so subsequent runs are silent.
+//
+// Build:
+//   swiftc keychain-export.swift -framework Security -o keychain-export
+//
+// Tested on macOS 11+ (Swift 5.5+, CryptoKit available).
+
+import CryptoKit
+import Foundation
+import Security
+
+// MARK: - Output (always JSON on stdout, always before exit)
+
+/// JSON-escape a string for embedding in our hand-rolled JSON output. We
+/// avoid Foundation's JSONSerialization for output to keep the line shape
+/// fully predictable (one line, no spaces, ASCII only when possible).
+func jsonEscape(_ s: String) -> String {
+    var out = ""
+    out.reserveCapacity(s.count)
+    for scalar in s.unicodeScalars {
+        switch scalar {
+        case "\"": out += "\\\""
+        case "\\": out += "\\\\"
+        case "\n": out += "\\n"
+        case "\r": out += "\\r"
+        case "\t": out += "\\t"
+        case "\u{08}": out += "\\b"
+        case "\u{0C}": out += "\\f"
+        default:
+            if scalar.value < 0x20 {
+                out += String(format: "\\u%04x", scalar.value)
+            } else {
+                out.unicodeScalars.append(scalar)
+            }
+        }
+    }
+    return out
+}
+
+/// Emit a JSON line to stdout and exit. NEVER call exit() any other way.
+func emitSuccessAndExit(p12Path: String, p12SizeBytes: Int, identityName: String) -> Never {
+    let json = "{\"ok\":true,"
+        + "\"p12Path\":\"\(jsonEscape(p12Path))\","
+        + "\"p12SizeBytes\":\(p12SizeBytes),"
+        + "\"identityName\":\"\(jsonEscape(identityName))\""
+        + "}"
+    print(json)
+    exit(0)
+}
+
+func emitFailureAndExit(
+    code: Int32,
+    errorCode: String,
+    message: String,
+    osStatus: OSStatus? = nil
+) -> Never {
+    var json = "{\"ok\":false,"
+        + "\"errorCode\":\"\(jsonEscape(errorCode))\","
+        + "\"message\":\"\(jsonEscape(message))\""
+    if let s = osStatus {
+        json += ",\"osStatus\":\(s)"
+    }
+    json += "}"
+    print(json)
+    exit(code)
+}
+
+// MARK: - Top-level fatal handler
+//
+// If anything in main throws, traps, or hits an uncaught issue, we want to at
+// least emit a JSON line. Swift doesn't have an easy uncaught-exception hook,
+// so the pattern is: wrap all real work in do/catch + use guard everywhere
+// instead of force-unwrap. There are still ways to crash Swift (e.g. real
+// SIGSEGV from a corrupted heap), but in practice anything reachable from our
+// code is recoverable into a JSON failure line.
+
+enum KeychainExportError: Error {
+    case invalidArgs(String)
+    case noIdentity(String)
+    case userDenied(OSStatus, String)
+    case exportFailed(OSStatus, String)
+    case writeFailed(String)
+    case copyFailed(OSStatus, String)
+}
+
+extension KeychainExportError {
+    var errorCode: String {
+        switch self {
+        case .invalidArgs: return "INVALID_ARGS"
+        case .noIdentity: return "NO_IDENTITY"
+        case .userDenied: return "USER_DENIED"
+        case .exportFailed: return "EXPORT_FAILED"
+        case .writeFailed: return "WRITE_FAILED"
+        case .copyFailed: return "EXPORT_FAILED"
+        }
+    }
+    var exitCode: Int32 {
+        switch self {
+        case .invalidArgs: return 2
+        case .noIdentity: return 3
+        case .userDenied: return 4
+        default: return 1
+        }
+    }
+    var message: String {
+        switch self {
+        case let .invalidArgs(m), let .noIdentity(m), let .writeFailed(m): return m
+        case let .userDenied(_, m), let .exportFailed(_, m), let .copyFailed(_, m): return m
+        }
+    }
+    var osStatus: OSStatus? {
+        switch self {
+        case let .userDenied(s, _), let .exportFailed(s, _), let .copyFailed(s, _): return s
+        default: return nil
+        }
+    }
+}
+
+func emitFailureAndExit(_ error: KeychainExportError) -> Never {
+    emitFailureAndExit(
+        code: error.exitCode,
+        errorCode: error.errorCode,
+        message: error.message,
+        osStatus: error.osStatus
+    )
+}
+
+func describeStatus(_ status: OSStatus) -> String {
+    let secMessage = SecCopyErrorMessageString(status, nil) as String? ?? "(no description)"
+    return "\(secMessage) [OSStatus \(status)]"
+}
+
+// MARK: - Args
+
+struct Args {
+    var sha1Hex: String = ""
+    var outputPath: String = ""
+    var passphrase: String = ""
+}
+
+func parseArgs() throws -> Args {
+    var args = Args()
+    let cli = CommandLine.arguments
+    var i = 1
+    while i < cli.count {
+        let flag = cli[i]
+        i += 1
+        guard i < cli.count else {
+            throw KeychainExportError.invalidArgs("Missing value for \(flag)")
+        }
+        let value = cli[i]
+        i += 1
+        switch flag {
+        case "--sha1": args.sha1Hex = value.lowercased()
+        case "--output": args.outputPath = value
+        case "--passphrase": args.passphrase = value
+        default: throw KeychainExportError.invalidArgs("Unknown argument: \(flag)")
+        }
+    }
+    if args.sha1Hex.isEmpty {
+        throw KeychainExportError.invalidArgs("Required: --sha1 <40-hex-char-cert-sha1>")
+    }
+    if args.outputPath.isEmpty {
+        throw KeychainExportError.invalidArgs("Required: --output <path>")
+    }
+    if args.passphrase.isEmpty {
+        throw KeychainExportError.invalidArgs("Required: --passphrase <wrap-passphrase>")
+    }
+    if args.sha1Hex.count != 40 || args.sha1Hex.range(of: "^[0-9a-f]{40}$", options: .regularExpression) == nil {
+        throw KeychainExportError.invalidArgs("--sha1 must be 40 lowercase hex chars (got \"\(args.sha1Hex)\")")
+    }
+    return args
+}
+
+// MARK: - SHA1 of cert DER (matches `security find-identity` output)
+
+func sha1OfCertDer(_ cert: SecCertificate) -> String {
+    let derData = SecCertificateCopyData(cert) as Data
+    let hash = Insecure.SHA1.hash(data: derData)
+    return hash.map { String(format: "%02x", $0) }.joined()
+}
+
+func subjectName(of cert: SecCertificate) -> String {
+    var commonName: CFString?
+    let status = SecCertificateCopyCommonName(cert, &commonName)
+    if status == errSecSuccess, let cn = commonName as String? { return cn }
+    return SecCertificateCopySubjectSummary(cert) as String? ?? "(unknown)"
+}
+
+// MARK: - Find identity by cert SHA1
+
+func findIdentityBySha1(_ targetSha1: String) throws -> (SecIdentity, String) {
+    let query: [String: Any] = [
+        kSecClass as String: kSecClassIdentity,
+        kSecReturnRef as String: true,
+        kSecMatchLimit as String: kSecMatchLimitAll,
+    ]
+    var result: CFTypeRef?
+    let status = SecItemCopyMatching(query as CFDictionary, &result)
+    if status == errSecItemNotFound {
+        throw KeychainExportError.noIdentity(
+            "No identity with cert SHA1 \(targetSha1) found (keychain has no identities at all)."
+        )
+    }
+    if status != errSecSuccess {
+        throw KeychainExportError.copyFailed(status, "SecItemCopyMatching(identities) failed: \(describeStatus(status))")
+    }
+    guard let identities = result as? [SecIdentity] else {
+        throw KeychainExportError.copyFailed(0, "SecItemCopyMatching returned an unexpected type")
+    }
+
+    for identity in identities {
+        var maybeCert: SecCertificate?
+        let copyStatus = SecIdentityCopyCertificate(identity, &maybeCert)
+        if copyStatus != errSecSuccess { continue }
+        guard let cert = maybeCert else { continue }
+        if sha1OfCertDer(cert) == targetSha1 {
+            return (identity, subjectName(of: cert))
+        }
+    }
+    throw KeychainExportError.noIdentity(
+        "No identity with cert SHA1 \(targetSha1) found in any keychain in your default search list."
+    )
+}
+
+// MARK: - Export to PKCS#12
+
+func exportIdentityAsPkcs12(_ identity: SecIdentity, passphrase: String) throws -> Data {
+    // CFString must outlive the SecItemExport call. Holding `cfPass` in a
+    // local keeps it alive for the duration of this function.
+    let cfPass: CFString = passphrase as CFString
+    var keyParams = SecItemImportExportKeyParameters()
+    keyParams.version = UInt32(SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION)
+    keyParams.passphrase = Unmanaged.passUnretained(cfPass)
+
+    var exportedData: CFData?
+    let status = withUnsafePointer(to: &keyParams) { paramsPtr in
+        SecItemExport(
+            identity,
+            .formatPKCS12,
+            SecItemImportExportFlags(rawValue: 0),
+            paramsPtr,
+            &exportedData
+        )
+    }
+
+    // Treat user-denied / canceled distinctly so the caller can offer retry
+    // vs. fall back to a different path. -128 is errSecUserCanceled (raw
+    // value not always present in Swift's enum on older SDKs, hence direct
+    // comparison).
+    if status == errSecAuthFailed || status == errSecUserCanceled || status == -128 {
+        throw KeychainExportError.userDenied(
+            status,
+            "macOS Keychain access was denied by the user. \(describeStatus(status))"
+        )
+    }
+    if status != errSecSuccess {
+        throw KeychainExportError.exportFailed(
+            status,
+            "SecItemExport failed: \(describeStatus(status))"
+        )
+    }
+    guard let data = exportedData else {
+        throw KeychainExportError.exportFailed(0, "SecItemExport returned nil data with success status")
+    }
+
+    // Keep cfPass alive past the call — Unmanaged.passUnretained doesn't
+    // bump the retain count; the Security framework relies on us holding it.
+    _ = cfPass
+    return data as Data
+}
+
+// MARK: - Disk write
+
+func writeP12(_ data: Data, to path: String) throws {
+    do {
+        try data.write(to: URL(fileURLWithPath: path), options: .atomic)
+    } catch {
+        throw KeychainExportError.writeFailed(
+            "Failed to write P12 to \(path): \(error.localizedDescription)"
+        )
+    }
+    // Best-effort 0600 chmod. Non-fatal if it fails.
+    do {
+        try FileManager.default.setAttributes(
+            [.posixPermissions: NSNumber(value: Int16(0o600))],
+            ofItemAtPath: path
+        )
+    } catch {
+        FileHandle.standardError.write(
+            Data("warning: could not chmod 0600 on \(path): \(error.localizedDescription)\n".utf8)
+        )
+    }
+}
+
+// MARK: - Main
+
+do {
+    let args = try parseArgs()
+    let (identity, identityName) = try findIdentityBySha1(args.sha1Hex)
+    let p12 = try exportIdentityAsPkcs12(identity, passphrase: args.passphrase)
+    try writeP12(p12, to: args.outputPath)
+    emitSuccessAndExit(p12Path: args.outputPath, p12SizeBytes: p12.count, identityName: identityName)
+} catch let error as KeychainExportError {
+    emitFailureAndExit(error)
+} catch {
+    // Any other Swift error (Foundation throw, etc.) lands here.
+    emitFailureAndExit(
+        code: 1,
+        errorCode: "INTERNAL",
+        message: "Unhandled error: \(error.localizedDescription)"
+    )
+}

package/dist/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@capgo/cli",
   "type": "module",
-  "version": "7.100.8",
+  "version": "7.102.0",
   "description": "A CLI to upload to capgo servers",
   "author": "Martin martin@capgo.app",
   "license": "Apache 2.0",
@@ -88,8 +88,10 @@
     "test:version-detection:setup": "./test/fixtures/setup-test-projects.sh",
     "test:platform-paths": "bun test/test-platform-paths.mjs",
     "test:payload-split": "bun test/test-payload-split.mjs",
+    "test:macos-signing": "bun test/test-macos-signing.mjs",
+    "test:apple-api-import-helpers": "bun test/test-apple-api-import-helpers.mjs",
     "test:manifest-path-encoding": "bun test/test-manifest-path-encoding.mjs",
-    "test": "bun run build && bun run test:version-detection:setup && bun run test:bundle && bun run test:functional && bun run test:semver && bun run test:version-edge-cases && bun run test:regex && bun run test:upload && bun run test:credentials && bun run test:credentials-validation && bun run test:build-zip-filter && bun run test:checksum && bun run test:build-needed && bun run test:ci-prompts && bun run test:posthog-exception && bun run test:build-platform-selection && bun run test:onboarding-recovery && bun run test:onboarding-run-targets && bun run test:run-device-command && bun run test:init-app-conflict && bun run test:init-guardrails && bun run test:prompt-preferences && bun run test:esm-sdk && bun run test:mcp && bun run test:version-detection && bun run test:platform-paths && bun run test:payload-split && bun run test:manifest-path-encoding",
+    "test": "bun run build && bun run test:version-detection:setup && bun run test:bundle && bun run test:functional && bun run test:semver && bun run test:version-edge-cases && bun run test:regex && bun run test:upload && bun run test:credentials && bun run test:credentials-validation && bun run test:build-zip-filter && bun run test:checksum && bun run test:build-needed && bun run test:ci-prompts && bun run test:posthog-exception && bun run test:build-platform-selection && bun run test:onboarding-recovery && bun run test:onboarding-run-targets && bun run test:run-device-command && bun run test:init-app-conflict && bun run test:init-guardrails && bun run test:prompt-preferences && bun run test:esm-sdk && bun run test:mcp && bun run test:version-detection && bun run test:platform-paths && bun run test:payload-split && bun run test:manifest-path-encoding && bun run test:macos-signing && bun run test:apple-api-import-helpers",
     "test:build-platform-selection": "bun test/test-build-platform-selection.mjs"
   },
   "dependencies": {

package/dist/src/build/mobileprovision-parser.d.ts

@@ -4,5 +4,32 @@ export interface MobileprovisionInfo {
     applicationIdentifier: string;
     bundleId: string;
 }
+/**
+ * Detail returned by {@link parseMobileprovisionDetailed} — extends
+ * {@link MobileprovisionInfo} with team/expiry/profile-type metadata and the
+ * SHA1 of each developer certificate embedded in the profile.
+ *
+ * The SHA1 list enables matching a profile against a Keychain identity
+ * returned by `security find-identity` (which reports identities by the same
+ * SHA1 hash).
+ */
+export interface MobileprovisionDetail extends MobileprovisionInfo {
+    /** Apple Team ID (10-char alphanumeric) — empty string if not present */
+    teamId: string;
+    /** ISO timestamp string from the profile's ExpirationDate, or empty string */
+    expirationDate: string;
+    /** High-level profile type derived from the profile's flags */
+    profileType: 'app_store' | 'ad_hoc' | 'development' | 'enterprise' | 'unknown';
+    /** SHA1 (40-char lowercase hex) of each DeveloperCertificate embedded in the profile */
+    certificateSha1s: string[];
+}
 export declare function parseMobileprovision(filePath: string): MobileprovisionInfo;
 export declare function parseMobileprovisionFromBase64(base64Content: string): MobileprovisionInfo;
+/**
+ * Parse a mobileprovision file and return enriched metadata including:
+ *   - team ID
+ *   - expiration date
+ *   - profile type (app_store / ad_hoc / development / enterprise)
+ *   - SHA1 of each embedded developer certificate (used for cert↔profile matching)
+ */
+export declare function parseMobileprovisionDetailed(filePath: string): MobileprovisionDetail;

package/dist/src/build/onboarding/apple-api.d.ts

@@ -11,15 +11,60 @@ export declare function verifyApiKey(token: string): Promise<{
     valid: true;
     teamId: string;
 }>;
+export interface AscDistributionCert {
+    id: string;
+    name: string;
+    serialNumber: string;
+    expirationDate: string;
+    /**
+     * Base64-encoded DER of the certificate. Populated when {@link listDistributionCerts}
+     * is called with `includeContent: true` — kept optional so existing callers don't pay
+     * the larger payload when they don't need it.
+     */
+    certificateContent?: string;
+}
 /**
  * List all iOS distribution certificates.
+ *
+ * Set `includeContent: true` when you need to compute the cert's SHA1 for
+ * matching against a local Keychain identity ({@link findCertIdBySha1}).
+ */
+export declare function listDistributionCerts(token: string, options?: {
+    includeContent?: boolean;
+}): Promise<AscDistributionCert[]>;
+/**
+ * Compute the SHA1 hash of an ASC certificate's base64-DER content. Returns
+ * the lowercase 40-char hex string used elsewhere as the canonical identity
+ * key — matches the SHA1 reported by `security find-identity` on macOS.
+ *
+ * SECURITY NOTE on SHA1: this is NOT a security primitive. macOS itself
+ * reports code-signing identities as cert-DER SHA1 (via `security
+ * find-identity`), and we have to use the same hash to look up an Apple-side
+ * cert by its on-Mac counterpart. SHA1 here is a non-secret identifier, not
+ * a message digest protecting any data. CodeQL's "weak cryptographic
+ * algorithm" rule is suppressed for this reason.
+ */
+export declare function computeCertSha1(certificateContentBase64: string): string;
+/**
+ * Match a local Keychain identity (by its SHA1) against an Apple-side
+ * certificate and return the Apple certificate ID needed for profile
+ * creation. Returns null if no Apple-side cert matches the SHA1.
+ */
+export declare function findCertIdBySha1(token: string, sha1: string): Promise<string | null>;
+/**
+ * List all provisioning profiles linked to a specific Apple-side certificate.
+ * Used by the import-flow no-match-recovery menu to surface profiles that
+ * exist on Apple but haven't been downloaded to the user's Mac.
  */
-export declare function listDistributionCerts(token: string): Promise<Array<{
+export interface AscProfileSummary {
     id: string;
     name: string;
-    serialNumber: string;
+    profileType: string;
+    profileContent: string;
     expirationDate: string;
-}>>;
+    bundleIdentifier: string;
+}
+export declare function listProfilesForCert(token: string, certificateId: string): Promise<AscProfileSummary[]>;
 /**
  * Revoke (delete) a certificate by ID.
  */
@@ -29,18 +74,8 @@ export declare function revokeCertificate(token: string, certId: string): Promis
  * Contains the existing certificates so the UI can ask the user which to revoke.
  */
 export declare class CertificateLimitError extends Error {
-    readonly certificates: Array<{
-        id: string;
-        name: string;
-        serialNumber: string;
-        expirationDate: string;
-    }>;
-    constructor(certificates: Array<{
-        id: string;
-        name: string;
-        serialNumber: string;
-        expirationDate: string;
-    }>);
+    readonly certificates: AscDistributionCert[];
+    constructor(certificates: AscDistributionCert[]);
 }
 /**
  * Create a distribution certificate using a CSR.

package/dist/src/build/onboarding/macos-signing.d.ts

@@ -0,0 +1,159 @@
+import type { MobileprovisionDetail } from '../mobileprovision-parser.js';
+/** Standard locations Xcode writes provisioning profiles into. */
+export declare const PROVISIONING_PROFILE_DIRS: readonly ["Library/Developer/Xcode/UserData/Provisioning Profiles", "Library/MobileDevice/Provisioning Profiles"];
+export type IdentityType = 'distribution' | 'development' | 'unknown';
+export interface SigningIdentity {
+    /** SHA1 hash of the certificate, lowercase 40-char hex */
+    sha1: string;
+    /** Full identity string from `security find-identity` (e.g. "Apple Distribution: Acme Corp (XYZ123ABCD)") */
+    name: string;
+    /** Best-effort classification from the name prefix */
+    type: IdentityType;
+    /** Human-readable team name extracted from the identity string */
+    teamName: string;
+    /** Apple Team ID (10-char alphanumeric) extracted from the identity string */
+    teamId: string;
+}
+export interface DiscoveredProfile extends MobileprovisionDetail {
+    /** Absolute path to the .mobileprovision file */
+    path: string;
+}
+export interface IdentityProfileMatch {
+    identity: SigningIdentity;
+    /** Profiles whose embedded developer certs include this identity's SHA1 */
+    profiles: DiscoveredProfile[];
+}
+export interface ExportedP12 {
+    /** Base64-encoded PKCS#12 blob containing the chosen identity's cert + private key */
+    base64: string;
+    /** Auto-generated passphrase used to wrap the export */
+    passphrase: string;
+}
+export declare class MacOSSigningError extends Error {
+    readonly cause?: unknown | undefined;
+    constructor(message: string, cause?: unknown | undefined);
+}
+export declare class NotMacOSError extends MacOSSigningError {
+    constructor();
+}
+/** Returns `true` when running on macOS (Darwin). */
+export declare function isMacOS(): boolean;
+/**
+ * Run a subprocess and capture stdout/stderr/exit-code.
+ *
+ * Public so tests can inject a fake runner via the optional argument on
+ * higher-level functions. Not intended for downstream callers.
+ */
+export interface SecurityRunResult {
+    stdout: string;
+    stderr: string;
+    code: number | null;
+}
+export type SecurityRunner = (args: readonly string[]) => Promise<SecurityRunResult>;
+/**
+ * Parse the human-readable output of `security find-identity -v -p codesigning`.
+ * Each line looks like:
+ *   `  1) <SHA1> "Apple Distribution: Acme Corp (XYZ123ABCD)"`
+ *
+ * Exported so unit tests can verify parsing without spawning a subprocess.
+ */
+export declare function parseFindIdentityOutput(stdout: string): SigningIdentity[];
+/**
+ * List all code-signing identities visible in the user's default Keychain.
+ * Read-only — does NOT trigger any Keychain access prompt.
+ *
+ * @param runner Optional injection point for testing. Pass a fake to avoid
+ *               spawning the real `/usr/bin/security` binary.
+ */
+export declare function listSigningIdentities(runner?: SecurityRunner): Promise<SigningIdentity[]>;
+/**
+ * Scan all standard Xcode provisioning-profile directories under the user's
+ * home and return parsed metadata for every readable `.mobileprovision`.
+ *
+ * Read-only — pure filesystem reads, no Keychain interaction.
+ *
+ * Files that fail to parse are silently skipped (a teammate's malformed
+ * profile shouldn't break the whole listing).
+ *
+ * @param homeDirOverride Optional override for HOME, used in tests.
+ */
+export declare function scanProvisioningProfiles(homeDirOverride?: string): Promise<DiscoveredProfile[]>;
+/**
+ * Given a list of identities and profiles, return one match entry per
+ * identity, populated with profiles whose embedded developer certs include
+ * that identity's SHA1.
+ *
+ * Pure function — no I/O.
+ */
+export declare function matchIdentitiesToProfiles(identities: readonly SigningIdentity[], profiles: readonly DiscoveredProfile[]): IdentityProfileMatch[];
+/**
+ * Generate a cryptographically random passphrase suitable for wrapping the
+ * exported PKCS#12. 32 bytes of entropy → 64-char hex string.
+ */
+export declare function generateP12Passphrase(): string;
+/**
+ * Output shape from the Swift helper's stdout — always emitted as one line of
+ * JSON regardless of success or failure. See keychain-export.swift for the
+ * source of truth.
+ */
+interface SwiftHelperResult {
+    ok: boolean;
+    p12Path?: string;
+    p12SizeBytes?: number;
+    identityName?: string;
+    errorCode?: 'INVALID_ARGS' | 'NO_IDENTITY' | 'USER_DENIED' | 'EXPORT_FAILED' | 'WRITE_FAILED' | 'INTERNAL';
+    message?: string;
+    osStatus?: number;
+}
+/**
+ * Returns true if the Swift helper is already cached at the version-keyed
+ * tmp path. Lets the UI decide whether to show a "compiling…" step or skip
+ * straight to the export step (the cached case is effectively instant).
+ *
+ * Sync + cheap (single existsSync). Safe to call from a React onChange
+ * handler.
+ */
+export declare function isHelperCached(): boolean;
+/**
+ * Pre-compile the Swift helper without doing anything else. Used by the UI
+ * to show an explicit "compiling helper" step before the export, so the user
+ * isn't left staring at a spinner that says "look for the macOS dialog"
+ * while we silently build a binary.
+ *
+ * Returns the path to the compiled binary (same as `ensureSwiftHelper`).
+ */
+export declare function precompileSwiftHelper(): Promise<string>;
+export interface ExportP12Options {
+    /**
+     * Pre-resolved Swift helper binary path. Used in tests to inject a fake
+     * binary; in production this is computed automatically.
+     */
+    helperPathOverride?: string;
+}
+/**
+ * Export the chosen identity from the user's Keychain as a base64'd PKCS#12.
+ *
+ * Triggers exactly TWO macOS Keychain prompts on the user's first run for
+ * a given identity (one for "access" ACL, one for "export" ACL). Both
+ * decisions are cached when the user clicks "Always Allow", so subsequent
+ * runs against the same identity from the same binary are silent.
+ *
+ * Internally calls the bundled Swift helper (compiled on first use to the
+ * OS temp folder via `swiftc`). The helper uses Security framework's
+ * `SecItemExport(.formatPKCS12)` — the only Apple-supported path that works
+ * on Xcode-imported (non-extractable) signing keys.
+ *
+ * @param targetSha1 SHA1 of the identity to export (from {@link listSigningIdentities})
+ * @param options    See {@link ExportP12Options}
+ */
+export declare function exportP12FromKeychain(targetSha1: string, options?: ExportP12Options): Promise<ExportedP12>;
+/**
+ * Parse the helper's JSON output. Tolerates: extra whitespace, trailing
+ * newline, BOM. Throws a clear error if the output is unparsable — that
+ * indicates the helper crashed without emitting JSON, which our Swift code
+ * tries hard to never do (see keychain-export.swift's top-level catch).
+ *
+ * Exported for tests.
+ */
+export declare function parseHelperJson(stdout: string, stderr: string, exitCode: number | null): SwiftHelperResult;
+export {};

package/dist/src/build/onboarding/progress.d.ts

@@ -15,5 +15,9 @@ export declare function deleteProgress(appId: string, baseDir?: string): Promise
 /**
  * Determine the first incomplete step based on saved progress.
  * Returns the step to resume from.
+ *
+ * Branches on `setupMethod` so the import flow doesn't accidentally resume
+ * into the create-new path's `creating-certificate` step (which would trigger
+ * the Apple 3-cert-limit error for users at the limit).
  */
 export declare function getResumeStep(progress: OnboardingProgress | null): OnboardingStep;