@capgo/cli 7.122.6 → 7.122.7

package/dist/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@capgo/cli",
   "type": "module",
-  "version": "7.122.6",
+  "version": "7.122.7",
   "description": "A CLI to upload to capgo servers",
   "author": "Martin martin@capgo.app",
   "license": "Apache 2.0",
@@ -105,8 +105,9 @@
     "test:payload-split": "bun test/test-payload-split.mjs",
     "test:macos-signing": "bun test/test-macos-signing.mjs",
     "test:apple-api-import-helpers": "bun test/test-apple-api-import-helpers.mjs",
+    "test:bundle-id-detector": "bun test/test-bundle-id-detector.mjs",
     "test:manifest-path-encoding": "bun test/test-manifest-path-encoding.mjs",
-    "test": "bun run build && bun run test:version-detection:setup && bun run test:bundle && bun run test:functional && bun run test:semver && bun run test:version-edge-cases && bun run test:regex && bun run test:upload && bun run test:fail-on-incompatible && bun run test:credentials && bun run test:credentials-validation && bun run test:android-service-account-validation && bun run test:build-zip-filter && bun run test:checksum && bun run test:build-needed && bun run test:ci-prompts && bun run test:ci-secrets && bun run test:android-onboarding-progress && bun run test:onboarding-telemetry && bun run test:v2-event-migration && bun run test:analytics && bun run test:analytics-error-category && bun run test:analytics-org-resolver && bun run test:supabase-perf && bun run test:mcp-analytics && bun run test:app-created-source && bun run test:doctor-analytics && bun run test:posthog-exception && bun run test:build-platform-selection && bun run test:onboarding-recovery && bun run test:onboarding-progress && bun run test:onboarding-run-targets && bun run test:run-device-command && bun run test:init-app-conflict && bun run test:init-guardrails && bun run test:prompt-preferences && bun run test:esm-sdk && bun run test:mcp && bun run test:version-detection && bun run test:platform-paths && bun run test:payload-split && bun run test:manifest-path-encoding && bun run test:macos-signing && bun run test:apple-api-import-helpers && bun run test:ai-log-capture && bun run test:ai-analyze-flow && bun run test:ai-render-markdown && bun run test:ai-onboarding-mode && bun run test:ai-fit && bun run test:platform-layout && bun run test:frame-fit && bun run test:onboarding-min-size && bun run test:min-size-gate && bun run test:shell-size-gate && bun run test:build-log-sanitize && bun run test:build-output-viewport && bun run test:diff-viewer-viewport && bun run test:build-complete-exit",
+    "test": "bun run build && bun run test:version-detection:setup && bun run test:bundle && bun run test:functional && bun run test:semver && bun run test:version-edge-cases && bun run test:regex && bun run test:upload && bun run test:fail-on-incompatible && bun run test:credentials && bun run test:credentials-validation && bun run test:android-service-account-validation && bun run test:build-zip-filter && bun run test:checksum && bun run test:build-needed && bun run test:ci-prompts && bun run test:ci-secrets && bun run test:android-onboarding-progress && bun run test:onboarding-telemetry && bun run test:v2-event-migration && bun run test:analytics && bun run test:analytics-error-category && bun run test:analytics-org-resolver && bun run test:supabase-perf && bun run test:mcp-analytics && bun run test:app-created-source && bun run test:doctor-analytics && bun run test:posthog-exception && bun run test:build-platform-selection && bun run test:onboarding-recovery && bun run test:onboarding-progress && bun run test:onboarding-run-targets && bun run test:run-device-command && bun run test:init-app-conflict && bun run test:init-guardrails && bun run test:prompt-preferences && bun run test:esm-sdk && bun run test:mcp && bun run test:version-detection && bun run test:platform-paths && bun run test:payload-split && bun run test:manifest-path-encoding && bun run test:macos-signing && bun run test:apple-api-import-helpers && bun run test:bundle-id-detector && bun run test:ai-log-capture && bun run test:ai-analyze-flow && bun run test:ai-render-markdown && bun run test:ai-onboarding-mode && bun run test:ai-fit && bun run test:platform-layout && bun run test:frame-fit && bun run test:onboarding-min-size && bun run test:min-size-gate && bun run test:shell-size-gate && bun run test:build-log-sanitize && bun run test:build-output-viewport && bun run test:diff-viewer-viewport && bun run test:build-complete-exit",
     "test:build-platform-selection": "bun test/test-build-platform-selection.mjs",
     "test:ai-log-capture": "bun test/test-ai-log-capture.mjs",
     "test:ai-analyze-flow": "bun test/test-ai-analyze-flow.mjs",
@@ -130,7 +131,8 @@
     "jsonwebtoken": "^9.0.3",
     "node-forge": "^1.4.0",
     "qrcode": "^1.5.4",
-    "react": "^19.2.6"
+    "react": "^19.2.6",
+    "string-width": "^8.2.1"
   },
   "devDependencies": {
     "@antfu/eslint-config": "^9.0.0",

package/dist/src/build/onboarding/apple-api.d.ts

@@ -3,6 +3,10 @@
  * Uses ES256 algorithm with the .p8 private key.
  */
 export declare function generateJwt(keyId: string, issuerId: string, p8Content: string): string;
+export declare class AppleApiHttpError extends Error {
+    readonly status: number;
+    constructor(status: number, message: string);
+}
 /**
  * Verify the API key works and try to detect the team ID from existing certificates.
  * Throws on 401/403 with a user-friendly message.
@@ -23,6 +27,50 @@ export interface AscDistributionCert {
      */
     certificateContent?: string;
 }
+/**
+ * Why a local Keychain cert can't be used to ship builds.
+ *
+ * Concrete enumeration so the import-pick-identity UI can render a stable
+ * Reason column and so we can add specific guidance per reason (e.g.
+ * "managed" certs get a "can't sign locally" note, "not-visible" certs get
+ * a "Open Developer Portal to verify" note).
+ */
+export type CertAvailabilityReason = 'expired' | 'managed' | 'not-visible' | 'check-failed' | 'no-private-key';
+export interface CertAvailability {
+    available: boolean;
+    reason?: CertAvailabilityReason;
+    /** Short human-readable reason for display in the picker. */
+    reasonText?: string;
+    /** When available — Apple-side cert resource id for downstream API calls. */
+    appleCertId?: string;
+}
+/**
+ * Pure classifier: given a local cert + the result of an Apple-side lookup,
+ * decide whether it's usable for shipping builds and surface a short
+ * reasonText for the picker UI.
+ *
+ * Exported separately from the lookup function so we can unit-test the
+ * decision logic without mocking network calls. Callers compose:
+ *
+ *   const certId = await findCertIdBySha1(token, identity.sha1)
+ *     .catch(err => { lookupError = err; return null })
+ *   const availability = classifyCertAvailability({
+ *     localExpirationDate: identity.expirationDate,
+ *     appleCertId: certId,
+ *     lookupError,
+ *   })
+ *
+ * The `expired` and `managed` branches don't need a lookup — they're checked
+ * up-front from local metadata. Callers can pass null `appleCertId` without
+ * having run the lookup at all when those local-side conditions already
+ * disqualify the identity.
+ */
+export declare function classifyCertAvailability(args: {
+    localExpirationDate?: string;
+    isManaged?: boolean;
+    appleCertId: string | null;
+    lookupError?: unknown;
+}): CertAvailability;
 /**
  * List all iOS distribution certificates.
  *
@@ -51,6 +99,20 @@ export declare function computeCertSha1(certificateContentBase64: string): strin
  * creation. Returns null if no Apple-side cert matches the SHA1.
  */
 export declare function findCertIdBySha1(token: string, sha1: string): Promise<string | null>;
+/**
+ * Like {@link findCertIdBySha1} but returns the full Apple-side cert
+ * record (id + name + expirationDate + serialNumber) when matched. Used
+ * by the eager batch validation so the picker / manual-portal-walkthrough
+ * step can surface concrete disambiguators (expiration date, last few
+ * chars of serial number — both visible in the Apple Developer Portal
+ * when the user clicks into a cert) that help the user pick the right
+ * row when multiple distribution certs are listed for the same team.
+ *
+ * Apple's API does NOT expose a "created by" field on certs (the portal
+ * UI shows it, but `/v1/certificates` doesn't return that column). The
+ * disambiguators we can give are expirationDate + serialNumber.
+ */
+export declare function findCertBySha1(token: string, sha1: string): Promise<AscDistributionCert | null>;
 /**
  * List all provisioning profiles linked to a specific Apple-side certificate.
  * Used by the import-flow no-match-recovery menu to surface profiles that

package/dist/src/build/onboarding/bundle-id-detector.d.ts

@@ -0,0 +1,74 @@
+export type BundleIdSource = 'pbxproj-release' | 'pbxproj-fallback' | 'plist' | 'capacitor-config';
+export interface BundleIdCandidate {
+    value: string;
+    source: BundleIdSource;
+    /** Short human-readable label for the picker, e.g. "project.pbxproj (Release)". */
+    label: string;
+}
+export interface DetectedBundleIds {
+    /** PRODUCT_BUNDLE_IDENTIFIER from project.pbxproj, preferring Release config. */
+    pbxproj: BundleIdCandidate | null;
+    /**
+     * Info.plist CFBundleIdentifier when it's a literal value (not the common
+     * `$(PRODUCT_BUNDLE_IDENTIFIER)` placeholder, which we drop because it
+     * adds nothing the pbxproj source doesn't already cover).
+     */
+    plist: BundleIdCandidate | null;
+    /** capacitor.config.ts/json's appId — always present (it's a required arg). */
+    capacitor: BundleIdCandidate;
+    /**
+     * The best-guess Apple-side bundle ID, picked in priority order:
+     * pbxproj-release > pbxproj-fallback > plist > capacitor. Returned for
+     * convenience so callers don't have to re-implement the precedence.
+     */
+    recommended: BundleIdCandidate;
+    /**
+     * True when the recommended value differs from capacitor.config.appId.
+     * Used by the confirm-app-id step to decide whether to surface a question
+     * at all — when they match, nothing's worth asking about.
+     */
+    mismatch: boolean;
+    /**
+     * Deduplicated, ordered list of candidates ready to render as Select
+     * options. Empty list is impossible (capacitor is always included).
+     */
+    candidates: BundleIdCandidate[];
+}
+/**
+ * Parse `PRODUCT_BUNDLE_IDENTIFIER = "..."` lines from pbxproj content.
+ * Returns the Release-config value if present, else the first non-Release
+ * value. Returns null when no bundle id can be extracted.
+ *
+ * Looks like a re-implementation of pbxproj-parser.ts's resolveBundleId, but
+ * that one needs an XCConfigurationList id (it walks from a target). This
+ * one needs to work standalone given only the file contents — so it
+ * collects all PRODUCT_BUNDLE_IDENTIFIER values, groups by adjacent
+ * `name = Release`/`name = Debug` markers, and prefers Release. Less
+ * accurate for multi-target projects but good enough for the "what should
+ * we pre-fill" use case here.
+ */
+export declare function parsePbxprojBundleId(pbxprojContent: string): BundleIdCandidate | null;
+/**
+ * Parse Info.plist's CFBundleIdentifier from raw XML.
+ * Returns null when the file is empty, when CFBundleIdentifier is absent,
+ * or when it's a `$(PRODUCT_BUNDLE_IDENTIFIER)` variable reference (we drop
+ * the placeholder so the picker doesn't list a non-actionable option).
+ */
+export declare function parseInfoPlistBundleId(plistContent: string): BundleIdCandidate | null;
+/**
+ * Read project.pbxproj and Info.plist from the iOS dir and return all
+ * available bundle id candidates, plus the recommended one and a
+ * mismatch flag.
+ *
+ * Filesystem reads are best-effort — when either file is missing or
+ * unreadable, we silently skip that source. The capacitor candidate is
+ * always present.
+ */
+export declare function detectIosBundleIds(opts: {
+    /** Project root (typically `process.cwd()`). */
+    cwd: string;
+    /** Subdirectory under cwd holding the iOS project (typically "ios"). */
+    iosDir: string;
+    /** Bundle id read from capacitor.config.ts/json — always known. */
+    capacitorAppId: string;
+}): DetectedBundleIds;

package/dist/src/build/onboarding/file-picker.d.ts

@@ -25,6 +25,16 @@ export declare function openSaveFilePicker(opts: SaveFilePickerOptions): Promise
  * Accepts .jks, .keystore, and .p12 extensions.
  */
 export declare function openKeystorePicker(): Promise<string | null>;
+/**
+ * Open the macOS native file picker filtered to .mobileprovision files.
+ * Returns the selected path, or null if the user cancelled.
+ *
+ * Used by the no-match-recovery "Use a .mobileprovision file from disk"
+ * option — covers users who have a profile downloaded somewhere outside
+ * Xcode's standard provisioning-profile directories (e.g. a downloads
+ * folder, an artifact from another machine, a shared team archive).
+ */
+export declare function openMobileprovisionPicker(): Promise<string | null>;
 /**
  * Open the macOS native file picker filtered to Google Play service account
  * JSON files. Used by the Android onboarding "import existing SA" path.

package/dist/src/build/onboarding/macos-signing.d.ts

@@ -86,6 +86,37 @@ export declare function scanProvisioningProfiles(homeDirOverride?: string): Prom
  * Pure function — no I/O.
  */
 export declare function matchIdentitiesToProfiles(identities: readonly SigningIdentity[], profiles: readonly DiscoveredProfile[]): IdentityProfileMatch[];
+/**
+ * Compare a provisioning profile's bundle id against the app's concrete bundle
+ * id, honoring Apple's wildcard syntax. The mobileprovision parser leaves the
+ * asterisk in place after stripping the team-id prefix, so a wildcard profile
+ * arrives here as either the bare `*` (matches everything the team owns) or a
+ * suffix wildcard like `com.example.*` (matches `com.example.<anything>`).
+ *
+ * Exported so the file-picker validation in the Ink UI can reuse the same
+ * matching rule as `filterProfilesForApp` — otherwise a wildcard
+ * `.mobileprovision` picked manually would be hard-rejected even though the
+ * underlying profile is valid for the current app.
+ */
+export declare function bundleIdMatches(profileBundleId: string, appId: string): boolean;
+/**
+ * Filter profiles that are actually usable for a given Capacitor app + iOS
+ * distribution mode. Used by the import-existing flow to detect dead-end
+ * situations where an identity has profiles for a different app or the wrong
+ * distribution mode — in which case the no-match-recovery menu can offer
+ * "fetch / create via Apple" instead of dropping the user at an empty picker.
+ *
+ * `importDistribution` is null/undefined when the user hasn't picked yet —
+ * in that case any profileType is accepted.
+ *
+ * Bundle-id comparison goes through {@link bundleIdMatches} so wildcard
+ * profiles (the norm for ad_hoc/enterprise teams that share one profile
+ * across many apps) are accepted alongside literal-equality matches. Apple
+ * never issues wildcard `app_store` profiles in practice, so when the caller
+ * pins `importDistribution = 'app_store'` the conjunction naturally drops
+ * any ad_hoc/enterprise wildcards that happen to be installed.
+ */
+export declare function filterProfilesForApp(profiles: readonly DiscoveredProfile[], appId: string, importDistribution: 'app_store' | 'ad_hoc' | null | undefined): DiscoveredProfile[];
 /**
  * Generate a cryptographically random passphrase suitable for wrapping the
  * exported PKCS#12. 32 bytes of entropy → 64-char hex string.

package/dist/src/build/onboarding/types.d.ts

@@ -16,12 +16,52 @@ export interface OnboardingResult {
     /** Present only when outcome === 'completed'. */
     summary?: OnboardingCompletionSummary;
 }
-export type OnboardingStep = 'welcome' | 'platform-select' | 'adding-platform' | 'credentials-exist' | 'backing-up' | 'setup-method-select' | 'import-scanning' | 'import-distribution-mode' | 'import-pick-identity' | 'import-pick-profile' | 'import-no-match-recovery' | 'import-fetching-profile' | 'import-create-profile-only' | 'import-export-warning' | 'import-compiling-helper' | 'import-exporting' | 'api-key-instructions' | 'p8-method-select' | 'input-p8-path' | 'input-key-id' | 'input-issuer-id' | 'verifying-key' | 'creating-certificate' | 'cert-limit-prompt' | 'revoking-certificate' | 'creating-profile' | 'duplicate-profile-prompt' | 'deleting-duplicate-profiles' | 'saving-credentials' | 'detecting-ci-secrets' | 'ci-secrets-setup' | 'ci-secrets-target-select' | 'ask-ci-secrets' | 'checking-ci-secrets' | 'confirm-ci-secret-overwrite' | 'uploading-ci-secrets' | 'ci-secrets-failed' | 'ask-github-actions-setup' | 'confirm-secrets-push' | 'ask-export-env' | 'exporting-env' | 'confirm-env-export-overwrite' | 'overwrite-and-export-env' | 'pick-package-manager' | 'pick-build-script' | 'pick-build-script-custom' | 'preview-workflow-file' | 'view-workflow-diff' | 'writing-workflow-file' | 'ask-build' | 'requesting-build' | 'ai-analysis-prompt' | 'ai-analysis-running' | 'ai-analysis-result' | 'ai-analysis-result-scroll' | 'build-complete' | 'no-platform' | 'error';
+export type OnboardingStep = 'welcome' | 'resume-prompt' | 'platform-select' | 'adding-platform' | 'credentials-exist' | 'backing-up' | 'setup-method-select' | 'confirm-app-id' | 'import-scanning' | 'import-distribution-mode' | 'import-pick-identity' | 'import-pick-profile' | 'import-validating-all-certs' | 'import-checking-apple-cert' | 'import-no-match-recovery' | 'import-portal-explanation' | 'import-provide-profile-path' | 'import-create-profile-only' | 'import-export-warning' | 'import-compiling-helper' | 'import-exporting' | 'api-key-instructions' | 'p8-method-select' | 'input-p8-path' | 'input-key-id' | 'input-issuer-id' | 'verifying-key' | 'creating-certificate' | 'cert-limit-prompt' | 'revoking-certificate' | 'creating-profile' | 'duplicate-profile-prompt' | 'deleting-duplicate-profiles' | 'saving-credentials' | 'detecting-ci-secrets' | 'ci-secrets-setup' | 'ci-secrets-target-select' | 'ask-ci-secrets' | 'checking-ci-secrets' | 'confirm-ci-secret-overwrite' | 'uploading-ci-secrets' | 'ci-secrets-failed' | 'ask-github-actions-setup' | 'confirm-secrets-push' | 'ask-export-env' | 'exporting-env' | 'confirm-env-export-overwrite' | 'overwrite-and-export-env' | 'pick-package-manager' | 'pick-build-script' | 'pick-build-script-custom' | 'preview-workflow-file' | 'view-workflow-diff' | 'writing-workflow-file' | 'ask-build' | 'requesting-build' | 'ai-analysis-prompt' | 'ai-analysis-running' | 'ai-analysis-result' | 'ai-analysis-result-scroll' | 'build-complete' | 'no-platform' | 'error';
 export type OnboardingErrorCategory = 'apple_api_unauthorized' | 'apple_api_rate_limited' | 'cert_limit_reached' | 'profile_creation_failed' | 'p8_invalid' | 'keychain_no_identities' | 'keychain_export_failed' | 'keychain_helper_compile_failed' | 'profile_no_match' | 'profile_read_failed' | 'unknown';
 export interface ApiKeyData {
     keyId: string;
     issuerId: string;
 }
+/**
+ * Per-identity result of the eager Apple-side validation run. Populated by
+ * the `import-validating-all-certs` step useEffect, consumed by the two-
+ * table picker in `import-pick-identity`. Kept here (alongside the Step
+ * type) so the renderer and the validation logic share a single shape.
+ */
+export interface EnrichedIdentityAvailability {
+    /** True when Apple's API returned a SHA1 match for this identity. */
+    available: boolean;
+    /**
+     * Stable reason code for unavailable identities. Drives the per-reason
+     * detail rendering in the unavailable table (e.g. notice about the
+     * Apple-managed signing constraint, or about private-key-missing).
+     */
+    reason?: 'expired' | 'managed' | 'not-visible' | 'check-failed' | 'no-private-key';
+    /** One-line summary shown in the Reason column of the unavailable table. */
+    reasonText?: string;
+    /** When available — Apple-side cert resource id, reused downstream. */
+    appleCertId?: string;
+    /**
+     * Apple-side cert name as returned by /v1/certificates. Useful when
+     * the local Keychain name differs from the portal name (e.g. multiple
+     * "iOS Distribution" certs in the same team — the portal column says
+     * exactly which one).
+     */
+    appleCertName?: string;
+    /**
+     * ISO timestamp from Apple's expiration field. Shown in the manual-
+     * portal walkthrough so the user can tell which row to click when
+     * multiple certs are listed.
+     */
+    appleCertExpirationDate?: string;
+    /**
+     * Full serial number from Apple. The portal shows it in the cert
+     * detail view; surfacing the last 8 chars here gives the user a
+     * concrete disambiguator without leaking the full 40-byte serial
+     * into the terminal.
+     */
+    appleCertSerialNumber?: string;
+}
 export interface CertificateData {
     certificateId: string;
     expirationDate: string;
@@ -64,6 +104,28 @@ export interface OnboardingProgress {
      * Only meaningful when `setupMethod === 'import-existing'`.
      */
     importDistribution?: 'app_store' | 'ad_hoc';
+    /**
+     * When set, the user explicitly confirmed an iOS bundle id different from
+     * `capacitor.config.appId`. Used for Apple-side operations (cert lookup,
+     * profile filtering, `ensureBundleId`, `createProfile`) and as the key in
+     * the provisioning_map. The progress-file key and Capgo SaaS API calls
+     * still use `appId` so existing build commands continue to find these
+     * credentials without forcing the user to edit `capacitor.config`.
+     *
+     * Persisted so the confirm-app-id step doesn't re-ask on resume — once
+     * confirmed, the override sticks unless the configuration context (see
+     * `iosBundleIdContextAppId`) changes between CLI runs.
+     */
+    iosBundleIdOverride?: string;
+    /**
+     * Snapshot of `config.appId` at the time the user confirmed the
+     * `iosBundleIdOverride`. On the next run we compare this to the current
+     * `config.appId`; if it changed (user renamed the app, added/removed a
+     * dev-tunnel suffix, etc.) the saved override is stale and we re-ask
+     * via the confirm-app-id step. Without this we'd silently keep using a
+     * bundle id the user already moved on from.
+     */
+    iosBundleIdContextAppId?: string;
     completedSteps: {
         apiKeyVerified?: ApiKeyData;
         certificateCreated?: CertificateData;

package/dist/src/build/onboarding/ui/app.d.ts

@@ -1,7 +1,25 @@
 import type { FC } from 'react';
 import type { OnboardingProgress, OnboardingResult } from '../types.js';
 interface AppProps {
+    /**
+     * Capgo lookup key (progress files, saved credentials, Capgo SaaS build
+     * API). Resolved by `getAppId()`, which prefers
+     * `config.plugins.CapacitorUpdater.appId` over `config.appId` so dev-tunnel
+     * sandboxes can override the Capgo-side identifier without renaming the
+     * iOS bundle. Do NOT use for Apple-side operations — see
+     * `iosBundleIdInitial`.
+     */
     appId: string;
+    /**
+     * Default value for the iOS bundle ID used for Apple-side operations
+     * (cert lookup, profile filtering, ensureBundleId, createProfile, and the
+     * provisioning_map key). Sourced from `config.appId` directly — what
+     * `cap sync` writes into project.pbxproj's PRODUCT_BUNDLE_IDENTIFIER.
+     * The user can override at the `confirm-app-id` step when pbxproj and
+     * config.appId disagree. command.ts falls back to `appId` if config.appId
+     * is missing, so this prop is always a valid string.
+     */
+    iosBundleIdInitial: string;
     initialProgress: OnboardingProgress | null;
     /** Resolved iOS directory from capacitor.config (defaults to 'ios') */
     iosDir: string;

package/dist/src/build/onboarding/ui/components.d.ts

@@ -6,6 +6,36 @@ export declare const Divider: FC<{
 export declare const BOX_HEADER_ROWS = 5;
 export declare const COMPACT_HEADER_ROWS = 1;
 export declare const WIZARD_PADDING_ROWS = 2;
+/**
+ * Minimal in-house Table component. Auto-sizes each column to the widest
+ * value (header or any row cell) up to `maxColumnWidth`, truncates with
+ * an ellipsis when a cell exceeds that width, and renders box-drawing
+ * borders.
+ *
+ * Why inline instead of `ink-table`: the published `ink-table@3.1.0` is
+ * CommonJS and modern `ink` (v5+) is ESM with top-level await, so bundling
+ * fails. This component is the small subset of ink-table's API we need
+ * (rows of plain string cells) without the compat headache.
+ *
+ * The `data` rows must share a single key order so columns line up — we
+ * derive the column list from the first row's keys.
+ *
+ * `cellColor` runs per-cell and returns an Ink color name (or undefined
+ * for default). Used by the available/unavailable-certs tables to colour
+ * the status column green/red while keeping Name/Team dim.
+ */
+export interface TableProps {
+    data: Record<string, string>[];
+    /** Hard cap on column width before truncation. Default 50. */
+    maxColumnWidth?: number;
+    /** Optional per-cell color function. */
+    cellColor?: (column: string, value: string, rowIndex: number) => string | undefined;
+    /** Optional per-cell dim flag (defaults to false). */
+    cellDim?: (column: string, value: string, rowIndex: number) => boolean;
+    /** Padding inside each cell (left/right). Default 1. */
+    cellPadding?: number;
+}
+export declare const Table: FC<TableProps>;
 export declare const SpinnerLine: FC<{
     text: string;
 }>;
@@ -29,8 +59,40 @@ export declare const AiResultBanner: FC<{
  */
 export declare const FilteredTextInput: FC<{
     placeholder?: string;
+    /**
+     * Blacklist of characters to strip from input. Each char in this string is
+     * removed from the buffer after every keystroke. Used for casual filtering
+     * (e.g. stripping `=` from env-var values).
+     */
     filter?: string;
+    /**
+     * Whitelist regex matched per-character. Anything not matching is dropped.
+     * Takes precedence over `filter` when both are set. Used when the field has
+     * a tight format (Apple Key ID is exactly 10 alphanumeric chars; Issuer ID
+     * is a UUID; etc.) so users can't even type invalid characters.
+     */
+    allowedPattern?: RegExp;
+    /**
+     * Hard cap on input length. Extra characters past the cap are dropped
+     * silently (paste-safe). Pair with `allowedPattern` for known-format fields
+     * — e.g. Apple Key ID has `maxLength=10` so a paste of "Key ID: KDTXMK292V"
+     * truncates to the first 10 valid chars after filtering.
+     */
+    maxLength?: number;
+    /**
+     * Post-filter transform applied to the entire buffer after each keystroke.
+     * Most common use: `(s) => s.toUpperCase()` for fields that are case-
+     * insensitive but conventionally uppercase. Runs after filter + maxLength.
+     */
+    transform?: (value: string) => string;
     mask?: boolean;
+    /**
+     * Pre-fills the input. Used when the user is editing an already-entered
+     * value (e.g. fixing a typo in their ASC Key ID / Issuer ID after a
+     * verifying-key failure) so they don't have to retype everything.
+     * Backspace works normally to delete from the pre-filled value.
+     */
+    initialValue?: string;
     onSubmit: (value: string) => void;
 }>;
 export declare const Header: FC<{

package/dist/src/build/onboarding/ui/shell.d.ts

@@ -6,6 +6,15 @@ export declare function useTerminalSize(): {
 };
 export interface OnboardingShellProps {
     appId: string;
+    /**
+     * iOS-side bundle id default — sourced from `config.appId` (top-level), which
+     * is what `cap sync` writes into `PRODUCT_BUNDLE_IDENTIFIER`. Distinct from
+     * `appId` above, which `getAppId()` may resolve to
+     * `config.plugins.CapacitorUpdater.appId` (a Capgo lookup key — wrong for
+     * Apple signing). Threaded down to the iOS OnboardingApp; the Android app
+     * ignores it.
+     */
+    iosBundleIdInitial: string;
     iosDir: string;
     androidDir: string;
     apikey?: string;

package/dist/src/build/onboarding/ui/steps/ios-import.d.ts

@@ -3,6 +3,30 @@ export interface SelectOption {
     label: string;
     value: string;
 }
+/**
+ * Why the wizard ended up on the no-match recovery menu. Drives the Alert
+ * + hint copy in `ImportNoMatchRecoveryStep` so each route gets accurate
+ * context — previously the screen claimed "no profile linked to this cert"
+ * even when the parent had just logged "Apple linked them to X" (cases 3
+ * and 4 below). Set by the parent right before each setStep call; absent
+ * (undefined) is treated as the legacy `no-profile-on-disk` default for
+ * back-compat with call sites that haven't been audited yet.
+ *
+ *   - 'no-profile-on-disk'        : identity picked, no usable on-disk
+ *                                   profile, and no ASC key to query Apple.
+ *   - 'apple-no-cert-match'       : findCertIdBySha1 returned null — Apple
+ *                                   doesn't recognize this cert.
+ *   - 'apple-no-profiles-linked'  : Apple has the cert but zero profiles
+ *                                   linked to it.
+ *   - 'apple-bundle-mismatch'     : Apple has profiles but none target the
+ *                                   current app's bundle id.
+ *   - 'apple-distribution-mismatch': Apple has profiles for this bundle id
+ *                                   but none in the requested distribution
+ *                                   mode (app_store vs ad_hoc).
+ *   - 'apple-other'               : catch-all when none of the specific
+ *                                   filters above explain the empty result.
+ */
+export type NoMatchReason = 'no-profile-on-disk' | 'apple-no-cert-match' | 'apple-no-profiles-linked' | 'apple-bundle-mismatch' | 'apple-distribution-mismatch' | 'apple-other';
 export declare const ImportScanningStep: FC;
 export interface ImportDistributionModeStepProps {
     dense?: boolean;
@@ -28,11 +52,19 @@ export declare const ImportPickProfileStep: FC<ImportPickProfileStepProps>;
 export interface ImportNoMatchRecoveryStepProps {
     identityName: string;
     options: SelectOption[];
+    /**
+     * Why the wizard ended up here. Optional for back-compat — undefined
+     * renders the legacy `no-profile-on-disk` wording.
+     */
+    reason?: NoMatchReason;
+    /** Concrete iOS bundle id; used by the bundle-mismatch + distribution-mismatch alerts. */
+    appId?: string;
+    /** Active distribution mode; used by the distribution-mismatch alert. */
+    importDistribution?: 'app_store' | 'ad_hoc' | null;
     dense?: boolean;
     onChange: (value: string) => void;
 }
 export declare const ImportNoMatchRecoveryStep: FC<ImportNoMatchRecoveryStepProps>;
-export declare const ImportFetchingProfileStep: FC;
 export declare const ImportCreateProfileOnlyStep: FC;
 export interface ImportExportWarningStepProps {
     identityName: string;