@capgo/cli 7.87.0 → 7.88.0

package/dist/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@capgo/cli",
   "type": "module",
-  "version": "7.87.0",
+  "version": "7.88.0",
   "description": "A CLI to upload to capgo servers",
   "author": "Martin martin@capgo.app",
   "license": "Apache 2.0",
@@ -91,8 +91,11 @@
     "@supabase/supabase-js": "^2.79.0",
     "@tanstack/intent": "^0.0.23",
     "@types/adm-zip": "^0.5.7",
+    "@types/jsonwebtoken": "^9.0.10",
     "@types/node": "^25.0.0",
+    "@types/node-forge": "^1.3.14",
     "@types/prettyjson": "^0.0.33",
+    "@types/react": "^18.3.28",
     "@types/tmp": "^0.2.6",
     "@vercel/ncc": "^0.38.4",
     "adm-zip": "^0.5.16",
@@ -111,5 +114,13 @@
     "typescript": "^5.9.3",
     "ws": "^8.18.3",
     "zod": "^4.3.6"
+  },
+  "dependencies": {
+    "@inkjs/ui": "^2.0.0",
+    "ink": "^5.2.1",
+    "ink-spinner": "^5.0.0",
+    "jsonwebtoken": "^9.0.3",
+    "node-forge": "^1.3.3",
+    "react": "^18.3.1"
   }
 }

package/dist/src/build/onboarding/apple-api.d.ts

@@ -0,0 +1,106 @@
+/**
+ * Generate a JWT for App Store Connect API authentication.
+ * Uses ES256 algorithm with the .p8 private key.
+ */
+export declare function generateJwt(keyId: string, issuerId: string, p8Content: string): string;
+/**
+ * Verify the API key works and try to detect the team ID from existing certificates.
+ * Throws on 401/403 with a user-friendly message.
+ */
+export declare function verifyApiKey(token: string): Promise<{
+    valid: true;
+    teamId: string;
+}>;
+/**
+ * List all iOS distribution certificates.
+ */
+export declare function listDistributionCerts(token: string): Promise<Array<{
+    id: string;
+    name: string;
+    serialNumber: string;
+    expirationDate: string;
+}>>;
+/**
+ * Revoke (delete) a certificate by ID.
+ */
+export declare function revokeCertificate(token: string, certId: string): Promise<void>;
+/**
+ * Error thrown when certificate limit is reached.
+ * Contains the existing certificates so the UI can ask the user which to revoke.
+ */
+export declare class CertificateLimitError extends Error {
+    readonly certificates: Array<{
+        id: string;
+        name: string;
+        serialNumber: string;
+        expirationDate: string;
+    }>;
+    constructor(certificates: Array<{
+        id: string;
+        name: string;
+        serialNumber: string;
+        expirationDate: string;
+    }>);
+}
+/**
+ * Create a distribution certificate using a CSR.
+ * Returns the certificate ID, base64 DER content, expiration date, and team ID.
+ *
+ * Throws CertificateLimitError if the limit is reached, so the UI can ask
+ * the user which certificate to revoke.
+ */
+export declare function createCertificate(token: string, csrPem: string): Promise<{
+    certificateId: string;
+    certificateContent: string;
+    expirationDate: string;
+    teamId: string;
+}>;
+/**
+ * Find an existing bundle ID or register a new one.
+ * Returns the Apple resource ID needed for profile creation.
+ */
+export declare function ensureBundleId(token: string, identifier: string): Promise<{
+    bundleIdResourceId: string;
+}>;
+/**
+ * Get the profile name we use for a given appId.
+ */
+export declare function getCapgoProfileName(appId: string): string;
+/**
+ * Find existing provisioning profiles matching our naming convention.
+ * Only returns profiles we created (named "Capgo <appId> AppStore").
+ */
+export declare function findCapgoProfiles(token: string, appId: string): Promise<Array<{
+    id: string;
+    name: string;
+    profileType: string;
+}>>;
+/**
+ * Delete a provisioning profile by ID.
+ */
+export declare function deleteProfile(token: string, profileId: string): Promise<void>;
+/**
+ * Create an App Store provisioning profile linking a certificate and bundle ID.
+ * Returns the base64 mobileprovision content.
+ *
+ * Throws a DuplicateProfileError if duplicate profiles exist, so the caller
+ * can ask the user whether to delete them and retry.
+ */
+export declare class DuplicateProfileError extends Error {
+    readonly profiles: Array<{
+        id: string;
+        name: string;
+        profileType: string;
+    }>;
+    constructor(profiles: Array<{
+        id: string;
+        name: string;
+        profileType: string;
+    }>);
+}
+export declare function createProfile(token: string, bundleIdResourceId: string, certificateId: string, appId: string): Promise<{
+    profileId: string;
+    profileName: string;
+    profileContent: string;
+    expirationDate: string;
+}>;

package/dist/src/build/onboarding/command.d.ts

@@ -0,0 +1 @@
+export declare function onboardingCommand(): Promise<void>;

package/dist/src/build/onboarding/csr.d.ts

@@ -0,0 +1,33 @@
+export interface CsrResult {
+    csrPem: string;
+    privateKeyPem: string;
+}
+export interface P12Result {
+    p12Base64: string;
+}
+/**
+ * Generate a 2048-bit RSA key pair and a Certificate Signing Request.
+ * The CSR is what Apple needs to create a distribution certificate.
+ * The private key must be kept to later create the .p12 file.
+ */
+export declare function generateCsr(): CsrResult;
+/**
+ * Create a PKCS#12 (.p12) file from Apple's certificate response and the private key.
+ *
+ * @param certificateContentBase64 - The `certificateContent` field from Apple's
+ *   POST /v1/certificates response (base64-encoded DER certificate)
+ * @param privateKeyPem - The PEM-encoded private key from generateCsr()
+ * @param password - Optional password for the .p12 file (defaults to DEFAULT_P12_PASSWORD)
+ */
+/**
+ * Extract the Apple team ID from a certificate's subject OU field.
+ * More reliable than parsing the certificate name string.
+ */
+export declare function extractTeamIdFromCert(certificateContentBase64: string): string;
+/**
+ * Default P12 password. node-forge P12 with empty password is incompatible
+ * with macOS `security import` (MAC verification fails). Using a known
+ * non-empty password avoids this issue.
+ */
+export declare const DEFAULT_P12_PASSWORD = "capgo";
+export declare function createP12(certificateContentBase64: string, privateKeyPem: string, password?: string): P12Result;

package/dist/src/build/onboarding/file-picker.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Returns true if we're on macOS and can use the native file picker.
+ */
+export declare function canUseFilePicker(): boolean;
+/**
+ * Open the macOS native file picker dialog filtered to .p8 files.
+ * Returns the selected file path, or null if the user cancelled.
+ * Non-blocking — uses async execFile so Ink spinners keep animating.
+ */
+export declare function openFilePicker(): Promise<string | null>;

package/dist/src/build/onboarding/progress.d.ts

@@ -0,0 +1,19 @@
+import type { OnboardingProgress, OnboardingStep } from './types.js';
+/**
+ * Load onboarding progress for an app. Returns null if no progress file exists.
+ */
+export declare function loadProgress(appId: string, baseDir?: string): Promise<OnboardingProgress | null>;
+/**
+ * Save onboarding progress. Creates the onboarding directory if needed.
+ * File is written with mode 0o600, directory with 0o700.
+ */
+export declare function saveProgress(appId: string, progress: OnboardingProgress, baseDir?: string): Promise<void>;
+/**
+ * Delete the progress file for an app (called on successful completion).
+ */
+export declare function deleteProgress(appId: string, baseDir?: string): Promise<void>;
+/**
+ * Determine the first incomplete step based on saved progress.
+ * Returns the step to resume from.
+ */
+export declare function getResumeStep(progress: OnboardingProgress | null): OnboardingStep;

package/dist/src/build/onboarding/types.d.ts

@@ -0,0 +1,37 @@
+export type Platform = 'ios' | 'android';
+export type OnboardingStep = 'welcome' | 'platform-select' | 'credentials-exist' | 'backing-up' | 'api-key-instructions' | 'p8-method-select' | 'input-p8-path' | 'input-key-id' | 'input-issuer-id' | 'verifying-key' | 'creating-certificate' | 'cert-limit-prompt' | 'revoking-certificate' | 'creating-profile' | 'duplicate-profile-prompt' | 'deleting-duplicate-profiles' | 'saving-credentials' | 'ask-build' | 'requesting-build' | 'build-complete' | 'no-platform' | 'error';
+export interface ApiKeyData {
+    keyId: string;
+    issuerId: string;
+}
+export interface CertificateData {
+    certificateId: string;
+    expirationDate: string;
+    teamId: string;
+    p12Base64: string;
+}
+export interface ProfileData {
+    profileId: string;
+    profileName: string;
+    profileBase64: string;
+}
+export interface OnboardingProgress {
+    platform: Platform;
+    appId: string;
+    startedAt: string;
+    /** Path to the .p8 file on disk (content is NOT stored, only the path) */
+    p8Path?: string;
+    /** Partial input — saved incrementally so resume works mid-flow */
+    keyId?: string;
+    issuerId?: string;
+    completedSteps: {
+        apiKeyVerified?: ApiKeyData;
+        certificateCreated?: CertificateData;
+        profileCreated?: ProfileData;
+    };
+    /** Temporary — wiped after .p12 creation */
+    _privateKeyPem?: string;
+}
+/** Maps each step to a progress percentage (0-100) */
+export declare const STEP_PROGRESS: Record<OnboardingStep, number>;
+export declare function getPhaseLabel(step: OnboardingStep): string;

package/dist/src/build/onboarding/ui/app.d.ts

@@ -0,0 +1,10 @@
+import type { FC } from 'react';
+import type { OnboardingProgress } from '../types.js';
+interface AppProps {
+    appId: string;
+    initialProgress: OnboardingProgress | null;
+    /** Resolved iOS directory from capacitor.config (defaults to 'ios') */
+    iosDir: string;
+}
+declare const OnboardingApp: FC<AppProps>;
+export default OnboardingApp;

package/dist/src/build/onboarding/ui/components.d.ts

@@ -0,0 +1,25 @@
+import type { FC } from 'react';
+export declare const Divider: FC<{
+    width?: number;
+}>;
+export declare const SpinnerLine: FC<{
+    text: string;
+}>;
+export declare const SuccessLine: FC<{
+    text: string;
+    detail?: string;
+}>;
+export declare const ErrorLine: FC<{
+    text: string;
+}>;
+/**
+ * Custom TextInput that filters out specific characters (e.g. '=').
+ * @inkjs/ui's TextInput is uncontrolled and can't filter keystrokes,
+ * so we build a minimal one with Ink's useInput.
+ */
+export declare const FilteredTextInput: FC<{
+    placeholder?: string;
+    filter?: string;
+    onSubmit: (value: string) => void;
+}>;
+export declare const Header: FC;

package/dist/src/build/request.d.ts

@@ -26,6 +26,21 @@
  * - Use `build credentials clear` to remove saved credentials
  */
 import type { BuildOptionsPayload, BuildRequestOptions, BuildRequestResult } from '../schemas/build';
+/**
+ * Callback interface for build logging.
+ * Allows callers (like the onboarding UI) to capture log output
+ * without stdout/stderr interception hacks.
+ */
+export interface BuildLogger {
+    info: (msg: string) => void;
+    error: (msg: string) => void;
+    warn: (msg: string) => void;
+    success: (msg: string) => void;
+    /** Called with build log lines streamed from the builder */
+    buildLog: (msg: string) => void;
+    /** Called with upload progress percentage (0-100) */
+    uploadProgress: (percent: number) => void;
+}
 export type { BuildCredentials, BuildRequestOptions, BuildRequestResponse, BuildRequestResult } from '../schemas/build';
 /**
  * Extract native node_modules roots that contain platform folders.
@@ -74,5 +89,5 @@ export declare function splitPayload(mergedCredentials: Record<string, string |
     buildOptions: BuildOptionsPayload;
     buildCredentials: Record<string, string>;
 };
-export declare function requestBuildInternal(appId: string, options: BuildRequestOptions, silent?: boolean): Promise<BuildRequestResult>;
+export declare function requestBuildInternal(appId: string, options: BuildRequestOptions, silent?: boolean, logger?: BuildLogger): Promise<BuildRequestResult>;
 export declare function requestBuildCommand(appId: string, options: BuildRequestOptions): Promise<void>;