@capgo/cli 7.86.1 → 7.88.0

package/dist/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@capgo/cli",
   "type": "module",
-  "version": "7.86.1",
+  "version": "7.88.0",
   "description": "A CLI to upload to capgo servers",
   "author": "Martin martin@capgo.app",
   "license": "Apache 2.0",
@@ -91,8 +91,11 @@
     "@supabase/supabase-js": "^2.79.0",
     "@tanstack/intent": "^0.0.23",
     "@types/adm-zip": "^0.5.7",
+    "@types/jsonwebtoken": "^9.0.10",
     "@types/node": "^25.0.0",
+    "@types/node-forge": "^1.3.14",
     "@types/prettyjson": "^0.0.33",
+    "@types/react": "^18.3.28",
     "@types/tmp": "^0.2.6",
     "@vercel/ncc": "^0.38.4",
     "adm-zip": "^0.5.16",
@@ -111,5 +114,13 @@
     "typescript": "^5.9.3",
     "ws": "^8.18.3",
     "zod": "^4.3.6"
+  },
+  "dependencies": {
+    "@inkjs/ui": "^2.0.0",
+    "ink": "^5.2.1",
+    "ink-spinner": "^5.0.0",
+    "jsonwebtoken": "^9.0.3",
+    "node-forge": "^1.3.3",
+    "react": "^18.3.1"
   }
 }

package/dist/src/api/app.d.ts

@@ -2,6 +2,9 @@ import type { SupabaseClient } from '@supabase/supabase-js';
 import type { Database } from '../types/supabase.types';
 import { OrganizationPerm } from '../utils';
 export declare function checkAppExists(supabase: SupabaseClient<Database>, appid: string): Promise<boolean>;
+export type PendingOnboardingApp = Pick<Database['public']['Tables']['apps']['Row'], 'app_id' | 'name' | 'icon_url' | 'need_onboarding' | 'existing_app' | 'ios_store_url' | 'android_store_url'>;
+export declare function listPendingOnboardingApps(supabase: SupabaseClient<Database>, orgId: string): Promise<PendingOnboardingApp[]>;
+export declare function completePendingOnboardingApp(supabase: SupabaseClient<Database>, orgId: string, appId: string): Promise<void>;
 /**
  * Check multiple app IDs at once for batch validation (e.g., for suggestions)
  */

package/dist/src/api/channels.d.ts

@@ -277,15 +277,19 @@ export declare function findChannelDevices(supabase: SupabaseClient<Database>, a
         };
         apps: {
             Row: {
+                android_store_url: string | null;
                 app_id: string;
                 channel_device_count: number;
                 created_at: string | null;
                 default_upload_channel: string;
+                existing_app: boolean;
                 expose_metadata: boolean;
                 icon_url: string;
                 id: string | null;
+                ios_store_url: string | null;
                 last_version: string | null;
                 manifest_bundle_count: number;
+                need_onboarding: boolean;
                 name: string | null;
                 owner_org: string;
                 retention: number;
@@ -294,15 +298,19 @@ export declare function findChannelDevices(supabase: SupabaseClient<Database>, a
                 user_id: string | null;
             };
             Insert: {
+                android_store_url?: string | null;
                 app_id: string;
                 channel_device_count?: number;
                 created_at?: string | null;
                 default_upload_channel?: string;
+                existing_app?: boolean;
                 expose_metadata?: boolean;
                 icon_url: string;
                 id?: string | null;
+                ios_store_url?: string | null;
                 last_version?: string | null;
                 manifest_bundle_count?: number;
+                need_onboarding?: boolean;
                 name?: string | null;
                 owner_org: string;
                 retention?: number;
@@ -311,15 +319,19 @@ export declare function findChannelDevices(supabase: SupabaseClient<Database>, a
                 user_id?: string | null;
             };
             Update: {
+                android_store_url?: string | null;
                 app_id?: string;
                 channel_device_count?: number;
                 created_at?: string | null;
                 default_upload_channel?: string;
+                existing_app?: boolean;
                 expose_metadata?: boolean;
                 icon_url?: string;
                 id?: string | null;
+                ios_store_url?: string | null;
                 last_version?: string | null;
                 manifest_bundle_count?: number;
+                need_onboarding?: boolean;
                 name?: string | null;
                 owner_org?: string;
                 retention?: number;
@@ -3747,15 +3759,19 @@ export declare function delChannelDevices(supabase: SupabaseClient<Database>, ap
         };
         apps: {
             Row: {
+                android_store_url: string | null;
                 app_id: string;
                 channel_device_count: number;
                 created_at: string | null;
                 default_upload_channel: string;
+                existing_app: boolean;
                 expose_metadata: boolean;
                 icon_url: string;
                 id: string | null;
+                ios_store_url: string | null;
                 last_version: string | null;
                 manifest_bundle_count: number;
+                need_onboarding: boolean;
                 name: string | null;
                 owner_org: string;
                 retention: number;
@@ -3764,15 +3780,19 @@ export declare function delChannelDevices(supabase: SupabaseClient<Database>, ap
                 user_id: string | null;
             };
             Insert: {
+                android_store_url?: string | null;
                 app_id: string;
                 channel_device_count?: number;
                 created_at?: string | null;
                 default_upload_channel?: string;
+                existing_app?: boolean;
                 expose_metadata?: boolean;
                 icon_url: string;
                 id?: string | null;
+                ios_store_url?: string | null;
                 last_version?: string | null;
                 manifest_bundle_count?: number;
+                need_onboarding?: boolean;
                 name?: string | null;
                 owner_org: string;
                 retention?: number;
@@ -3781,15 +3801,19 @@ export declare function delChannelDevices(supabase: SupabaseClient<Database>, ap
                 user_id?: string | null;
             };
             Update: {
+                android_store_url?: string | null;
                 app_id?: string;
                 channel_device_count?: number;
                 created_at?: string | null;
                 default_upload_channel?: string;
+                existing_app?: boolean;
                 expose_metadata?: boolean;
                 icon_url?: string;
                 id?: string | null;
+                ios_store_url?: string | null;
                 last_version?: string | null;
                 manifest_bundle_count?: number;
+                need_onboarding?: boolean;
                 name?: string | null;
                 owner_org?: string;
                 retention?: number;

package/dist/src/app/list.d.ts

@@ -1,14 +1,18 @@
 import type { OptionsBase } from '../schemas/base';
 export declare function listAppInternal(options: OptionsBase, silent?: boolean): Promise<{
+    android_store_url: string | null;
     app_id: string;
     channel_device_count: number;
     created_at: string | null;
     default_upload_channel: string;
+    existing_app: boolean;
     expose_metadata: boolean;
     icon_url: string;
     id: string | null;
+    ios_store_url: string | null;
     last_version: string | null;
     manifest_bundle_count: number;
+    need_onboarding: boolean;
     name: string | null;
     owner_org: string;
     retention: number;
@@ -17,15 +21,19 @@ export declare function listAppInternal(options: OptionsBase, silent?: boolean):
     user_id: string | null;
 }[]>;
 export declare function listApp(options: OptionsBase): Promise<{
+    android_store_url: string | null;
     app_id: string;
     channel_device_count: number;
     created_at: string | null;
     default_upload_channel: string;
+    existing_app: boolean;
     expose_metadata: boolean;
     icon_url: string;
     id: string | null;
+    ios_store_url: string | null;
     last_version: string | null;
     manifest_bundle_count: number;
+    need_onboarding: boolean;
     name: string | null;
     owner_org: string;
     retention: number;

package/dist/src/build/onboarding/apple-api.d.ts

@@ -0,0 +1,106 @@
+/**
+ * Generate a JWT for App Store Connect API authentication.
+ * Uses ES256 algorithm with the .p8 private key.
+ */
+export declare function generateJwt(keyId: string, issuerId: string, p8Content: string): string;
+/**
+ * Verify the API key works and try to detect the team ID from existing certificates.
+ * Throws on 401/403 with a user-friendly message.
+ */
+export declare function verifyApiKey(token: string): Promise<{
+    valid: true;
+    teamId: string;
+}>;
+/**
+ * List all iOS distribution certificates.
+ */
+export declare function listDistributionCerts(token: string): Promise<Array<{
+    id: string;
+    name: string;
+    serialNumber: string;
+    expirationDate: string;
+}>>;
+/**
+ * Revoke (delete) a certificate by ID.
+ */
+export declare function revokeCertificate(token: string, certId: string): Promise<void>;
+/**
+ * Error thrown when certificate limit is reached.
+ * Contains the existing certificates so the UI can ask the user which to revoke.
+ */
+export declare class CertificateLimitError extends Error {
+    readonly certificates: Array<{
+        id: string;
+        name: string;
+        serialNumber: string;
+        expirationDate: string;
+    }>;
+    constructor(certificates: Array<{
+        id: string;
+        name: string;
+        serialNumber: string;
+        expirationDate: string;
+    }>);
+}
+/**
+ * Create a distribution certificate using a CSR.
+ * Returns the certificate ID, base64 DER content, expiration date, and team ID.
+ *
+ * Throws CertificateLimitError if the limit is reached, so the UI can ask
+ * the user which certificate to revoke.
+ */
+export declare function createCertificate(token: string, csrPem: string): Promise<{
+    certificateId: string;
+    certificateContent: string;
+    expirationDate: string;
+    teamId: string;
+}>;
+/**
+ * Find an existing bundle ID or register a new one.
+ * Returns the Apple resource ID needed for profile creation.
+ */
+export declare function ensureBundleId(token: string, identifier: string): Promise<{
+    bundleIdResourceId: string;
+}>;
+/**
+ * Get the profile name we use for a given appId.
+ */
+export declare function getCapgoProfileName(appId: string): string;
+/**
+ * Find existing provisioning profiles matching our naming convention.
+ * Only returns profiles we created (named "Capgo <appId> AppStore").
+ */
+export declare function findCapgoProfiles(token: string, appId: string): Promise<Array<{
+    id: string;
+    name: string;
+    profileType: string;
+}>>;
+/**
+ * Delete a provisioning profile by ID.
+ */
+export declare function deleteProfile(token: string, profileId: string): Promise<void>;
+/**
+ * Create an App Store provisioning profile linking a certificate and bundle ID.
+ * Returns the base64 mobileprovision content.
+ *
+ * Throws a DuplicateProfileError if duplicate profiles exist, so the caller
+ * can ask the user whether to delete them and retry.
+ */
+export declare class DuplicateProfileError extends Error {
+    readonly profiles: Array<{
+        id: string;
+        name: string;
+        profileType: string;
+    }>;
+    constructor(profiles: Array<{
+        id: string;
+        name: string;
+        profileType: string;
+    }>);
+}
+export declare function createProfile(token: string, bundleIdResourceId: string, certificateId: string, appId: string): Promise<{
+    profileId: string;
+    profileName: string;
+    profileContent: string;
+    expirationDate: string;
+}>;

package/dist/src/build/onboarding/command.d.ts

@@ -0,0 +1 @@
+export declare function onboardingCommand(): Promise<void>;

package/dist/src/build/onboarding/csr.d.ts

@@ -0,0 +1,33 @@
+export interface CsrResult {
+    csrPem: string;
+    privateKeyPem: string;
+}
+export interface P12Result {
+    p12Base64: string;
+}
+/**
+ * Generate a 2048-bit RSA key pair and a Certificate Signing Request.
+ * The CSR is what Apple needs to create a distribution certificate.
+ * The private key must be kept to later create the .p12 file.
+ */
+export declare function generateCsr(): CsrResult;
+/**
+ * Create a PKCS#12 (.p12) file from Apple's certificate response and the private key.
+ *
+ * @param certificateContentBase64 - The `certificateContent` field from Apple's
+ *   POST /v1/certificates response (base64-encoded DER certificate)
+ * @param privateKeyPem - The PEM-encoded private key from generateCsr()
+ * @param password - Optional password for the .p12 file (defaults to DEFAULT_P12_PASSWORD)
+ */
+/**
+ * Extract the Apple team ID from a certificate's subject OU field.
+ * More reliable than parsing the certificate name string.
+ */
+export declare function extractTeamIdFromCert(certificateContentBase64: string): string;
+/**
+ * Default P12 password. node-forge P12 with empty password is incompatible
+ * with macOS `security import` (MAC verification fails). Using a known
+ * non-empty password avoids this issue.
+ */
+export declare const DEFAULT_P12_PASSWORD = "capgo";
+export declare function createP12(certificateContentBase64: string, privateKeyPem: string, password?: string): P12Result;

package/dist/src/build/onboarding/file-picker.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Returns true if we're on macOS and can use the native file picker.
+ */
+export declare function canUseFilePicker(): boolean;
+/**
+ * Open the macOS native file picker dialog filtered to .p8 files.
+ * Returns the selected file path, or null if the user cancelled.
+ * Non-blocking — uses async execFile so Ink spinners keep animating.
+ */
+export declare function openFilePicker(): Promise<string | null>;

package/dist/src/build/onboarding/progress.d.ts

@@ -0,0 +1,19 @@
+import type { OnboardingProgress, OnboardingStep } from './types.js';
+/**
+ * Load onboarding progress for an app. Returns null if no progress file exists.
+ */
+export declare function loadProgress(appId: string, baseDir?: string): Promise<OnboardingProgress | null>;
+/**
+ * Save onboarding progress. Creates the onboarding directory if needed.
+ * File is written with mode 0o600, directory with 0o700.
+ */
+export declare function saveProgress(appId: string, progress: OnboardingProgress, baseDir?: string): Promise<void>;
+/**
+ * Delete the progress file for an app (called on successful completion).
+ */
+export declare function deleteProgress(appId: string, baseDir?: string): Promise<void>;
+/**
+ * Determine the first incomplete step based on saved progress.
+ * Returns the step to resume from.
+ */
+export declare function getResumeStep(progress: OnboardingProgress | null): OnboardingStep;

package/dist/src/build/onboarding/types.d.ts

@@ -0,0 +1,37 @@
+export type Platform = 'ios' | 'android';
+export type OnboardingStep = 'welcome' | 'platform-select' | 'credentials-exist' | 'backing-up' | 'api-key-instructions' | 'p8-method-select' | 'input-p8-path' | 'input-key-id' | 'input-issuer-id' | 'verifying-key' | 'creating-certificate' | 'cert-limit-prompt' | 'revoking-certificate' | 'creating-profile' | 'duplicate-profile-prompt' | 'deleting-duplicate-profiles' | 'saving-credentials' | 'ask-build' | 'requesting-build' | 'build-complete' | 'no-platform' | 'error';
+export interface ApiKeyData {
+    keyId: string;
+    issuerId: string;
+}
+export interface CertificateData {
+    certificateId: string;
+    expirationDate: string;
+    teamId: string;
+    p12Base64: string;
+}
+export interface ProfileData {
+    profileId: string;
+    profileName: string;
+    profileBase64: string;
+}
+export interface OnboardingProgress {
+    platform: Platform;
+    appId: string;
+    startedAt: string;
+    /** Path to the .p8 file on disk (content is NOT stored, only the path) */
+    p8Path?: string;
+    /** Partial input — saved incrementally so resume works mid-flow */
+    keyId?: string;
+    issuerId?: string;
+    completedSteps: {
+        apiKeyVerified?: ApiKeyData;
+        certificateCreated?: CertificateData;
+        profileCreated?: ProfileData;
+    };
+    /** Temporary — wiped after .p12 creation */
+    _privateKeyPem?: string;
+}
+/** Maps each step to a progress percentage (0-100) */
+export declare const STEP_PROGRESS: Record<OnboardingStep, number>;
+export declare function getPhaseLabel(step: OnboardingStep): string;

package/dist/src/build/onboarding/ui/app.d.ts

@@ -0,0 +1,10 @@
+import type { FC } from 'react';
+import type { OnboardingProgress } from '../types.js';
+interface AppProps {
+    appId: string;
+    initialProgress: OnboardingProgress | null;
+    /** Resolved iOS directory from capacitor.config (defaults to 'ios') */
+    iosDir: string;
+}
+declare const OnboardingApp: FC<AppProps>;
+export default OnboardingApp;

package/dist/src/build/onboarding/ui/components.d.ts

@@ -0,0 +1,25 @@
+import type { FC } from 'react';
+export declare const Divider: FC<{
+    width?: number;
+}>;
+export declare const SpinnerLine: FC<{
+    text: string;
+}>;
+export declare const SuccessLine: FC<{
+    text: string;
+    detail?: string;
+}>;
+export declare const ErrorLine: FC<{
+    text: string;
+}>;
+/**
+ * Custom TextInput that filters out specific characters (e.g. '=').
+ * @inkjs/ui's TextInput is uncontrolled and can't filter keystrokes,
+ * so we build a minimal one with Ink's useInput.
+ */
+export declare const FilteredTextInput: FC<{
+    placeholder?: string;
+    filter?: string;
+    onSubmit: (value: string) => void;
+}>;
+export declare const Header: FC;

package/dist/src/build/request.d.ts

@@ -26,6 +26,21 @@
  * - Use `build credentials clear` to remove saved credentials
  */
 import type { BuildOptionsPayload, BuildRequestOptions, BuildRequestResult } from '../schemas/build';
+/**
+ * Callback interface for build logging.
+ * Allows callers (like the onboarding UI) to capture log output
+ * without stdout/stderr interception hacks.
+ */
+export interface BuildLogger {
+    info: (msg: string) => void;
+    error: (msg: string) => void;
+    warn: (msg: string) => void;
+    success: (msg: string) => void;
+    /** Called with build log lines streamed from the builder */
+    buildLog: (msg: string) => void;
+    /** Called with upload progress percentage (0-100) */
+    uploadProgress: (percent: number) => void;
+}
 export type { BuildCredentials, BuildRequestOptions, BuildRequestResponse, BuildRequestResult } from '../schemas/build';
 /**
  * Extract native node_modules roots that contain platform folders.
@@ -74,5 +89,5 @@ export declare function splitPayload(mergedCredentials: Record<string, string |
     buildOptions: BuildOptionsPayload;
     buildCredentials: Record<string, string>;
 };
-export declare function requestBuildInternal(appId: string, options: BuildRequestOptions, silent?: boolean): Promise<BuildRequestResult>;
+export declare function requestBuildInternal(appId: string, options: BuildRequestOptions, silent?: boolean, logger?: BuildLogger): Promise<BuildRequestResult>;
 export declare function requestBuildCommand(appId: string, options: BuildRequestOptions): Promise<void>;