@capgo/cli 8.0.0-alpha.4 → 8.0.0

package/dist/src/build/onboarding/app-verification.d.ts

@@ -0,0 +1,86 @@
+/**
+ * Pure decision logic for the iOS "verify App Store app" onboarding step.
+ *
+ * No filesystem, network, or React access — every input (the local Release
+ * build ID, the remote App Store Connect apps, and the registered bundle IDs)
+ * is passed in so the module stays synchronous and unit-testable, mirroring
+ * `decideBuilderCtaSurface` / `shouldBlockIncompatibleUpload` in
+ * `cli/src/bundle/builder-cta.ts`.
+ *
+ * The single invariant the step enforces (always `app_store` mode): an App
+ * Store Connect app must exist whose `bundleId` equals the Release build ID.
+ */
+/**
+ * Classification of why (and whether) the verification invariant is met.
+ *
+ * - `exact-match`            — an ASC app's bundle ID == the Release build ID. Pass.
+ * - `wrong-build-id`         — apps exist but none match → likely a wrong build ID (Path A).
+ * - `no-app-identifier-exists` — no apps at all, but the identifier is already
+ *                              registered in the Developer portal (Path B; the
+ *                              ASC new-app form can select the existing id).
+ * - `no-app-unregistered`    — no apps at all and the identifier is not yet
+ *                              registered (Path B; register first, then create).
+ *
+ * `no-apps-in-account` is the umbrella for the `apps.length === 0` cases. We
+ * keep it in the union because the analytics/step layer surfaces it as a
+ * coarse result, but `classifyAppVerification` deliberately returns the finer
+ * registered/unregistered split because that distinction is what changes the
+ * actionable Path B wording ("identifier already exists" vs "will be
+ * registered"). The umbrella value is therefore never returned by the
+ * classifier itself.
+ */
+export type AppVerifyResult = 'exact-match' | 'wrong-build-id' | 'no-app-identifier-exists' | 'no-app-unregistered' | 'no-apps-in-account';
+/** Minimal shape of an App Store Connect app needed for verification. */
+export interface AscAppLike {
+    bundleId: string;
+    name: string;
+}
+export interface ClassifyAppVerificationInput {
+    /** The authoritative Release `PRODUCT_BUNDLE_IDENTIFIER` from the project. */
+    releaseBundleId: string;
+    /** Apps that actually exist in the user's App Store Connect account. */
+    apps: AscAppLike[];
+    /** Bundle IDs registered in the Apple Developer portal (diagnostic only). */
+    registeredBundleIds: string[];
+}
+export interface ClassifyAppVerificationResult {
+    result: AppVerifyResult;
+    /** The matched ASC app when `result === 'exact-match'`, else `null`. */
+    matchedApp: AscAppLike | null;
+}
+/**
+ * Pure classification of the verification invariant.
+ *
+ * 1. An app whose `bundleId === releaseBundleId` → `exact-match` (+ that app).
+ * 2. Otherwise, if any apps exist → `wrong-build-id` (the build signs an id that
+ *    matches none of the account's apps).
+ * 3. Otherwise (no apps), if `releaseBundleId` is already registered →
+ *    `no-app-identifier-exists`.
+ * 4. Otherwise (no apps, not registered) → `no-app-unregistered`.
+ */
+export declare function classifyAppVerification(input: ClassifyAppVerificationInput): ClassifyAppVerificationResult;
+/** Which resolution path the verification gate is enforcing. */
+export type GatePath = 'fix-build-id' | 'create-app';
+export interface EvaluateGateInput {
+    /** Whether the invariant now holds (re-checked live on each Continue). */
+    satisfied: boolean;
+    /** 1-based count of blocked Continue attempts so far. */
+    attempt: number;
+}
+export interface EvaluateGateResult {
+    /** Whether the user may proceed past the step. */
+    proceed: boolean;
+    /**
+     * How loud the (still-blocked) warning box should be. `0` when satisfied;
+     * otherwise the attempt count clamped to `3` so the escalation tops out
+     * instead of growing unbounded.
+     */
+    escalationLevel: number;
+}
+/**
+ * Pure gate decision. When the invariant is satisfied the user proceeds with no
+ * escalation; otherwise they are blocked and the escalation level is the attempt
+ * count capped at {@link MAX_ESCALATION_LEVEL} so the warning box can ramp its
+ * treatment without overflowing.
+ */
+export declare function evaluateGate(input: EvaluateGateInput): EvaluateGateResult;

package/dist/src/build/onboarding/apple-api.d.ts

@@ -0,0 +1,234 @@
+/**
+ * Generate a JWT for App Store Connect API authentication.
+ * Uses ES256 algorithm with the .p8 private key.
+ */
+export declare function generateJwt(keyId: string, issuerId: string, p8Content: string): string;
+export declare class AppleApiHttpError extends Error {
+    readonly status: number;
+    constructor(status: number, message: string);
+}
+/**
+ * Verify the API key works and try to detect the team ID from existing certificates.
+ * Throws on 401/403 with a user-friendly message.
+ */
+export declare function verifyApiKey(token: string): Promise<{
+    valid: true;
+    teamId: string;
+}>;
+export interface AscDistributionCert {
+    id: string;
+    name: string;
+    serialNumber: string;
+    expirationDate: string;
+    /**
+     * Base64-encoded DER of the certificate. Populated when {@link listDistributionCerts}
+     * is called with `includeContent: true` — kept optional so existing callers don't pay
+     * the larger payload when they don't need it.
+     */
+    certificateContent?: string;
+}
+/**
+ * Why a local Keychain cert can't be used to ship builds.
+ *
+ * Concrete enumeration so the import-pick-identity UI can render a stable
+ * Reason column and so we can add specific guidance per reason (e.g.
+ * "managed" certs get a "can't sign locally" note, "not-visible" certs get
+ * a "Open Developer Portal to verify" note).
+ */
+export type CertAvailabilityReason = 'expired' | 'managed' | 'not-visible' | 'check-failed' | 'no-private-key';
+export interface CertAvailability {
+    available: boolean;
+    reason?: CertAvailabilityReason;
+    /** Short human-readable reason for display in the picker. */
+    reasonText?: string;
+    /** When available — Apple-side cert resource id for downstream API calls. */
+    appleCertId?: string;
+}
+/**
+ * Pure classifier: given a local cert + the result of an Apple-side lookup,
+ * decide whether it's usable for shipping builds and surface a short
+ * reasonText for the picker UI.
+ *
+ * Exported separately from the lookup function so we can unit-test the
+ * decision logic without mocking network calls. Callers compose:
+ *
+ *   const certId = await findCertIdBySha1(token, identity.sha1)
+ *     .catch(err => { lookupError = err; return null })
+ *   const availability = classifyCertAvailability({
+ *     localExpirationDate: identity.expirationDate,
+ *     appleCertId: certId,
+ *     lookupError,
+ *   })
+ *
+ * The `expired` and `managed` branches don't need a lookup — they're checked
+ * up-front from local metadata. Callers can pass null `appleCertId` without
+ * having run the lookup at all when those local-side conditions already
+ * disqualify the identity.
+ */
+export declare function classifyCertAvailability(args: {
+    localExpirationDate?: string;
+    isManaged?: boolean;
+    appleCertId: string | null;
+    lookupError?: unknown;
+}): CertAvailability;
+/**
+ * List all iOS distribution certificates.
+ *
+ * Set `includeContent: true` when you need to compute the cert's SHA1 for
+ * matching against a local Keychain identity ({@link findCertIdBySha1}).
+ */
+export declare function listDistributionCerts(token: string, options?: {
+    includeContent?: boolean;
+}): Promise<AscDistributionCert[]>;
+/**
+ * Compute the SHA1 hash of an ASC certificate's base64-DER content. Returns
+ * the lowercase 40-char hex string used elsewhere as the canonical identity
+ * key — matches the SHA1 reported by `security find-identity` on macOS.
+ *
+ * SECURITY NOTE on SHA1: this is NOT a security primitive. macOS itself
+ * reports code-signing identities as cert-DER SHA1 (via `security
+ * find-identity`), and we have to use the same hash to look up an Apple-side
+ * cert by its on-Mac counterpart. SHA1 here is a non-secret identifier, not
+ * a message digest protecting any data. CodeQL's "weak cryptographic
+ * algorithm" rule is suppressed for this reason.
+ */
+export declare function computeCertSha1(certificateContentBase64: string): string;
+/**
+ * Match a local Keychain identity (by its SHA1) against an Apple-side
+ * certificate and return the Apple certificate ID needed for profile
+ * creation. Returns null if no Apple-side cert matches the SHA1.
+ */
+export declare function findCertIdBySha1(token: string, sha1: string): Promise<string | null>;
+/**
+ * Like {@link findCertIdBySha1} but returns the full Apple-side cert
+ * record (id + name + expirationDate + serialNumber) when matched. Used
+ * by the eager batch validation so the picker / manual-portal-walkthrough
+ * step can surface concrete disambiguators (expiration date, last few
+ * chars of serial number — both visible in the Apple Developer Portal
+ * when the user clicks into a cert) that help the user pick the right
+ * row when multiple distribution certs are listed for the same team.
+ *
+ * Apple's API does NOT expose a "created by" field on certs (the portal
+ * UI shows it, but `/v1/certificates` doesn't return that column). The
+ * disambiguators we can give are expirationDate + serialNumber.
+ */
+export declare function findCertBySha1(token: string, sha1: string): Promise<AscDistributionCert | null>;
+/**
+ * List all provisioning profiles linked to a specific Apple-side certificate.
+ * Used by the import-flow no-match-recovery menu to surface profiles that
+ * exist on Apple but haven't been downloaded to the user's Mac.
+ */
+export interface AscProfileSummary {
+    id: string;
+    name: string;
+    profileType: string;
+    profileContent: string;
+    expirationDate: string;
+    bundleIdentifier: string;
+}
+export declare function listProfilesForCert(token: string, certificateId: string): Promise<AscProfileSummary[]>;
+/**
+ * Revoke (delete) a certificate by ID.
+ */
+export declare function revokeCertificate(token: string, certId: string): Promise<void>;
+/**
+ * Error thrown when certificate limit is reached.
+ * Contains the existing certificates so the UI can ask the user which to revoke.
+ */
+export declare class CertificateLimitError extends Error {
+    readonly certificates: AscDistributionCert[];
+    constructor(certificates: AscDistributionCert[]);
+}
+/**
+ * Create a distribution certificate using a CSR.
+ * Returns the certificate ID, base64 DER content, expiration date, and team ID.
+ *
+ * Throws CertificateLimitError if the limit is reached, so the UI can ask
+ * the user which certificate to revoke.
+ */
+export declare function createCertificate(token: string, csrPem: string): Promise<{
+    certificateId: string;
+    certificateContent: string;
+    expirationDate: string;
+    teamId: string;
+}>;
+/**
+ * Find an existing bundle ID or register a new one.
+ * Returns the Apple resource ID needed for profile creation.
+ */
+export declare function ensureBundleId(token: string, identifier: string): Promise<{
+    bundleIdResourceId: string;
+}>;
+/**
+ * An App Store Connect app record. Used by the iOS app-verification step to
+ * check whether an app exists whose `bundleId` matches the project's Release
+ * `PRODUCT_BUNDLE_IDENTIFIER`.
+ */
+export interface AscApp {
+    id: string;
+    bundleId: string;
+    name: string;
+}
+/**
+ * Parse a `GET /v1/apps` response into {@link AscApp} records. Tolerant of
+ * missing `data`, missing `attributes`, and missing individual fields — Apple
+ * omits attributes the API key isn't entitled to see rather than nulling them.
+ */
+export declare function parseAppsResponse(json: any): AscApp[];
+/**
+ * Parse a `GET /v1/bundleIds` response into the list of registered identifier
+ * strings, dropping any falsy entries (missing `attributes`/`identifier`).
+ */
+export declare function parseBundleIdsResponse(json: any): string[];
+/**
+ * List every App Store Connect app visible to the API key, following
+ * pagination. Uses the existing {@link ascFetch} — no separate fetch path.
+ */
+export declare function listApps(token: string): Promise<AscApp[]>;
+/**
+ * List every registered bundle ID identifier visible to the API key, following
+ * pagination. Uses the existing {@link ascFetch} — no separate fetch path.
+ */
+export declare function listBundleIds(token: string): Promise<string[]>;
+/**
+ * Get the profile name we use for a given appId.
+ */
+export declare function getCapgoProfileName(appId: string): string;
+/**
+ * Find existing provisioning profiles matching our naming convention.
+ * Only returns profiles we created (named "Capgo <appId> AppStore").
+ */
+export declare function findCapgoProfiles(token: string, appId: string): Promise<Array<{
+    id: string;
+    name: string;
+    profileType: string;
+}>>;
+/**
+ * Delete a provisioning profile by ID.
+ */
+export declare function deleteProfile(token: string, profileId: string): Promise<void>;
+/**
+ * Create an App Store provisioning profile linking a certificate and bundle ID.
+ * Returns the base64 mobileprovision content.
+ *
+ * Throws a DuplicateProfileError if duplicate profiles exist, so the caller
+ * can ask the user whether to delete them and retry.
+ */
+export declare class DuplicateProfileError extends Error {
+    readonly profiles: Array<{
+        id: string;
+        name: string;
+        profileType: string;
+    }>;
+    constructor(profiles: Array<{
+        id: string;
+        name: string;
+        profileType: string;
+    }>);
+}
+export declare function createProfile(token: string, bundleIdResourceId: string, certificateId: string, appId: string): Promise<{
+    profileId: string;
+    profileName: string;
+    profileContent: string;
+    expirationDate: string;
+}>;

package/dist/src/build/onboarding/build-log.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Turn a raw streamed build-log chunk into clean display lines.
+ *
+ * Splits on `\n` AND bare `\r` (an in-place redraw becomes its own line rather
+ * than fusing with another), strips ANSI/escape/control bytes, trims trailing
+ * whitespace, and drops the empty element a trailing newline would add (interior
+ * blank lines — e.g. the intentional spacer before the first log line — are
+ * kept). A chunk may be a single line or several; callers spread the result.
+ */
+export declare function sanitizeBuildLogLines(chunk: string): string[];

package/dist/src/build/onboarding/bundle-id-detector.d.ts

@@ -0,0 +1,117 @@
+export type BundleIdSource = 'pbxproj-release' | 'pbxproj-debug' | 'pbxproj-fallback' | 'plist' | 'capacitor-config';
+export interface BundleIdCandidate {
+    value: string;
+    source: BundleIdSource;
+    /** Short human-readable label for the picker, e.g. "project.pbxproj (Release)". */
+    label: string;
+}
+export interface DetectedBundleIds {
+    /** PRODUCT_BUNDLE_IDENTIFIER from project.pbxproj, preferring Release config. */
+    pbxproj: BundleIdCandidate | null;
+    /**
+     * The Debug-config PRODUCT_BUNDLE_IDENTIFIER from project.pbxproj, when a
+     * literal value exists. Exposed for the awareness note only — never used to
+     * gate. Null when no Debug-config literal value is present.
+     */
+    debug: BundleIdCandidate | null;
+    /**
+     * Info.plist CFBundleIdentifier when it's a literal value (not the common
+     * `$(PRODUCT_BUNDLE_IDENTIFIER)` placeholder, which we drop because it
+     * adds nothing the pbxproj source doesn't already cover).
+     */
+    plist: BundleIdCandidate | null;
+    /** capacitor.config.ts/json's appId — always present (it's a required arg). */
+    capacitor: BundleIdCandidate;
+    /**
+     * The best-guess Apple-side bundle ID, picked in priority order:
+     * pbxproj-release > pbxproj-fallback > plist > capacitor. Returned for
+     * convenience so callers don't have to re-implement the precedence.
+     */
+    recommended: BundleIdCandidate;
+    /**
+     * True when the recommended value differs from capacitor.config.appId.
+     * Used by redirectIfMismatch to decide whether to adopt the Release id —
+     * when they match, capacitor.config.appId is already the build id.
+     */
+    mismatch: boolean;
+    /**
+     * True only when BOTH a Release-config and a Debug-config literal bundle id
+     * were found AND they differ. Drives the "Debug ≠ Release" awareness note;
+     * never gates. False when either value is missing or they match.
+     */
+    debugReleaseDiffer: boolean;
+    /**
+     * True when a Release-config PRODUCT_BUNDLE_IDENTIFIER was resolved from
+     * pbxproj. When false, the authoritative build ID could not be determined
+     * from Release and callers should warn/skip gating rather than gate on a
+     * Debug or plist fallback.
+     */
+    releaseResolved: boolean;
+    /**
+     * Deduplicated, ordered list of candidates ready to render as Select
+     * options. Empty list is impossible (capacitor is always included).
+     */
+    candidates: BundleIdCandidate[];
+}
+/**
+ * Parse `PRODUCT_BUNDLE_IDENTIFIER = "..."` lines from pbxproj content,
+ * returning the Release and Debug candidates separately.
+ *
+ * Release is authoritative: when ANY Release-config value exists, `release`
+ * is populated and `releaseResolved` is true. The Debug value (when present)
+ * is returned alongside via `debug` for the awareness note — it is never
+ * promoted to `release`.
+ *
+ * When no Release config exists, `release` is null and `releaseResolved` is
+ * false so callers can detect the no-Release case.
+ */
+export declare function parsePbxprojBundleIds(pbxprojContent: string): {
+    release: BundleIdCandidate | null;
+    debug: BundleIdCandidate | null;
+    releaseResolved: boolean;
+};
+/**
+ * Parse `PRODUCT_BUNDLE_IDENTIFIER = "..."` lines from pbxproj content.
+ * Returns the Release-config value if present, else the shortest non-Release
+ * value as a `pbxproj-fallback`. Returns null when no bundle id can be
+ * extracted.
+ *
+ * Release stays authoritative here: a Release value is never overridden by a
+ * Debug value. The no-Release fallback is preserved for backward
+ * compatibility — callers that need to distinguish "Release resolved" from
+ * "fell back to Debug" should use `parsePbxprojBundleIds` (or the
+ * `releaseResolved` flag on `detectIosBundleIds`).
+ *
+ * Looks like a re-implementation of pbxproj-parser.ts's resolveBundleId, but
+ * that one needs an XCConfigurationList id (it walks from a target). This
+ * one needs to work standalone given only the file contents — so it
+ * collects all PRODUCT_BUNDLE_IDENTIFIER values, groups by adjacent
+ * `name = Release`/`name = Debug` markers, and prefers Release. Less
+ * accurate for multi-target projects but good enough for the "what should
+ * we pre-fill" use case here.
+ */
+export declare function parsePbxprojBundleId(pbxprojContent: string): BundleIdCandidate | null;
+/**
+ * Parse Info.plist's CFBundleIdentifier from raw XML.
+ * Returns null when the file is empty, when CFBundleIdentifier is absent,
+ * or when it's a `$(PRODUCT_BUNDLE_IDENTIFIER)` variable reference (we drop
+ * the placeholder so the picker doesn't list a non-actionable option).
+ */
+export declare function parseInfoPlistBundleId(plistContent: string): BundleIdCandidate | null;
+/**
+ * Read project.pbxproj and Info.plist from the iOS dir and return all
+ * available bundle id candidates, plus the recommended one and a
+ * mismatch flag.
+ *
+ * Filesystem reads are best-effort — when either file is missing or
+ * unreadable, we silently skip that source. The capacitor candidate is
+ * always present.
+ */
+export declare function detectIosBundleIds(opts: {
+    /** Project root (typically `process.cwd()`). */
+    cwd: string;
+    /** Subdirectory under cwd holding the iOS project (typically "ios"). */
+    iosDir: string;
+    /** Bundle id read from capacitor.config.ts/json — always known. */
+    capacitorAppId: string;
+}): DetectedBundleIds;

package/dist/src/build/onboarding/ci-secrets.d.ts

@@ -0,0 +1,87 @@
+import type { BuildCredentials } from '../../schemas/build.js';
+export type CiSecretProvider = 'github' | 'gitlab';
+export interface CiSecretEntry {
+    key: string;
+    value: string;
+    masked: boolean;
+}
+export interface CiSecretTarget {
+    provider: CiSecretProvider;
+    label: string;
+    cli: 'gh' | 'glab';
+}
+export interface CiSecretDiscovery {
+    targets: CiSecretTarget[];
+    setup: CiSecretSetupAdvice[];
+    notes: string[];
+}
+export interface CiSecretSetupAdvice {
+    target: CiSecretTarget;
+    reason: 'not-installed' | 'not-authenticated';
+    message: string;
+    commands: string[];
+}
+interface CommandRunOptions {
+    input?: string;
+}
+export interface CommandRunResult {
+    status: number | null;
+    stdout: string;
+    stderr: string;
+    error?: Error;
+}
+export type CommandRunner = (command: string, args: string[], options?: CommandRunOptions) => CommandRunResult;
+/**
+ * Async runner. Used by the wizard so spawned `gh` / `glab` calls don't block
+ * the Node event loop — without this, `ink-spinner`'s animation freezes for
+ * the entire duration of every shell-out, which feels like the wizard has hung.
+ *
+ * Tests can pass either a sync (CommandRunner) or async runner — every helper
+ * that calls runner.* does so via `await` so a sync runner returning a plain
+ * result still works (Promise.resolve coerces it).
+ */
+export type AsyncCommandRunner = (command: string, args: string[], options?: CommandRunOptions) => CommandRunResult | Promise<CommandRunResult>;
+export declare function runCommand(command: string, args: string[], options?: CommandRunOptions): CommandRunResult;
+/**
+ * Non-blocking shell-out. Mirrors `runCommand`'s shape but uses `spawn` so
+ * the Node event loop is free to tick spinners and process input while gh /
+ * glab work. Default for any wizard-side helper that needs to render UI
+ * during the call.
+ */
+export declare function runCommandAsync(command: string, args: string[], options?: CommandRunOptions): Promise<CommandRunResult>;
+export declare function createCiSecretEntries(credentials: Partial<BuildCredentials>, apiKey?: string): CiSecretEntry[];
+export declare function detectCiSecretTargets(runner?: CommandRunner): CiSecretDiscovery;
+export declare function getCiSecretTargetLabel(target: CiSecretTarget | null | undefined): string;
+/**
+ * Resolve the concrete `owner/repo` (GitHub) or `group/project` (GitLab) the
+ * `gh` / `glab` CLI will target from the current working directory.
+ *
+ * Returns null when the CLI can't determine the repo (e.g. cwd is not a git
+ * repo, multiple remotes with no `gh-resolved` config, auth scopes missing).
+ *
+ * The wizard MUST show this string to the user and require explicit
+ * confirmation before any `gh secret set` / `glab variable set` runs — those
+ * commands silently overwrite without backup, so the user has to know which
+ * repo they're about to mutate.
+ */
+export declare function getCiSecretRepoLabel(target: CiSecretTarget, runner?: CommandRunner): string | null;
+/**
+ * Non-blocking variant of `getCiSecretRepoLabel`. Identical logic, but
+ * `await`s the runner so the event loop can tick during the gh/glab call —
+ * lets Ink spinners actually animate during the resolution.
+ */
+export declare function getCiSecretRepoLabelAsync(target: CiSecretTarget, runner?: AsyncCommandRunner): Promise<string | null>;
+export declare function listExistingCiSecretKeys(target: CiSecretTarget, keys: string[], runner?: CommandRunner): string[];
+/** Non-blocking variant of `listExistingCiSecretKeys`. */
+export declare function listExistingCiSecretKeysAsync(target: CiSecretTarget, keys: string[], runner?: AsyncCommandRunner): Promise<string[]>;
+export declare function uploadCiSecrets(target: CiSecretTarget, entries: CiSecretEntry[], existingKeys?: string[], runner?: CommandRunner): void;
+/**
+ * Non-blocking variant of `uploadCiSecrets`. Calls `onProgress(current, total,
+ * keyName)` before every `gh secret set` / `glab variable set` so the wizard
+ * can render "Pushing N of M: <KEY>…" instead of a frozen spinner.
+ *
+ * Pushes are still sequential — gh/glab don't have a bulk-set API, and
+ * parallelising would risk rate limits + makes failure semantics ambiguous.
+ */
+export declare function uploadCiSecretsAsync(target: CiSecretTarget, entries: CiSecretEntry[], existingKeys?: string[], runner?: AsyncCommandRunner, onProgress?: (current: number, total: number, keyName: string) => void): Promise<void>;
+export {};

package/dist/src/build/onboarding/command.d.ts

@@ -0,0 +1,6 @@
+export interface OnboardingBuilderOptions {
+    apikey?: string;
+    platform?: string;
+    supaHost?: string;
+}
+export declare function onboardingBuilderCommand(options?: OnboardingBuilderOptions): Promise<void>;

package/dist/src/build/onboarding/csr.d.ts

@@ -0,0 +1,33 @@
+export interface CsrResult {
+    csrPem: string;
+    privateKeyPem: string;
+}
+export interface P12Result {
+    p12Base64: string;
+}
+/**
+ * Generate a 2048-bit RSA key pair and a Certificate Signing Request.
+ * The CSR is what Apple needs to create a distribution certificate.
+ * The private key must be kept to later create the .p12 file.
+ */
+export declare function generateCsr(): CsrResult;
+/**
+ * Create a PKCS#12 (.p12) file from Apple's certificate response and the private key.
+ *
+ * @param certificateContentBase64 - The `certificateContent` field from Apple's
+ *   POST /v1/certificates response (base64-encoded DER certificate)
+ * @param privateKeyPem - The PEM-encoded private key from generateCsr()
+ * @param password - Optional password for the .p12 file (defaults to DEFAULT_P12_PASSWORD)
+ */
+/**
+ * Extract the Apple team ID from a certificate's subject OU field.
+ * More reliable than parsing the certificate name string.
+ */
+export declare function extractTeamIdFromCert(certificateContentBase64: string): string;
+/**
+ * Default P12 password. node-forge P12 with empty password is incompatible
+ * with macOS `security import` (MAC verification fails). Using a known
+ * non-empty password avoids this issue.
+ */
+export declare const DEFAULT_P12_PASSWORD = "capgo";
+export declare function createP12(certificateContentBase64: string, privateKeyPem: string, password?: string): P12Result;

package/dist/src/build/onboarding/diff-utils.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Line-by-line diff utilities for the workflow-file preview viewer.
+ *
+ * Uses a textbook longest-common-subsequence algorithm. O(m·n) time/space
+ * which is fine for the workflow-file scale we expect (≤200 lines either
+ * side); no dep needed.
+ */
+export type DiffKind = 'add' | 'del' | 'eq';
+export interface DiffLine {
+    kind: DiffKind;
+    text: string;
+}
+/**
+ * Compute a line-level diff between `before` and `after`.
+ *
+ * Returns an ordered list of lines where:
+ *   - `kind: 'eq'`  → present in both, unchanged
+ *   - `kind: 'add'` → present only in `after` (will be added by the write)
+ *   - `kind: 'del'` → present only in `before` (will be removed by the write)
+ *
+ * When `before` is the empty string, every line in `after` is returned as
+ * `add` — the natural "new file" rendering.
+ */
+export declare function diffLines(before: string, after: string): DiffLine[];

package/dist/src/build/onboarding/env-export.d.ts

@@ -0,0 +1,46 @@
+/**
+ * Build-onboarding helper to write a single-platform .env file with the build
+ * credentials the user just saved. Used on the "No to GitHub Actions setup, but
+ * yes to .env export" branch of the wizard.
+ *
+ * Reuses the renderer from `build credentials manage` so the file format
+ * (section comments, .gitignore reminder, provisioning-map base64 fallback)
+ * stays identical between the two paths.
+ */
+import type { BuildCredentials } from '../../schemas/build.js';
+export interface EnvExportOpts {
+    appId: string;
+    platform: 'ios' | 'android';
+    credentials: Partial<BuildCredentials>;
+    /** Default false — onboarding writes into the global store, not local. */
+    local?: boolean;
+    /** If absent, defaults to `<cwd>/.env.capgo.<appId>.<platform>`. */
+    targetPath?: string;
+    /** When true, write even if the file already exists. */
+    overwrite?: boolean;
+}
+export type EnvExportResult = {
+    kind: 'written';
+    path: string;
+    fieldCount: number;
+} | {
+    kind: 'exists';
+    path: string;
+} | {
+    kind: 'empty';
+};
+/**
+ * Resolve where the .env file should land for the given app + platform. Pure —
+ * callable before deciding to actually write, so the wizard can show the path
+ * in a confirm prompt without committing to write yet.
+ */
+export declare function defaultExportPath(appId: string, platform: 'ios' | 'android'): string;
+/**
+ * Write the credentials to a .env file. Caller is responsible for deciding
+ * whether the user has consented (no prompts in here — pure file I/O so the
+ * Ink wizard owns the UX).
+ *
+ * Returns `kind: 'exists'` if the target file is already present and
+ * `overwrite` was not set — caller can prompt the user and retry.
+ */
+export declare function exportCredentialsToEnv(opts: EnvExportOpts): EnvExportResult;

package/dist/src/build/onboarding/error-categories.d.ts

@@ -0,0 +1,13 @@
+import type { AndroidOnboardingErrorCategory } from './android/types.js';
+import type { OnboardingErrorCategory, OnboardingStep } from './types.js';
+export declare function mapIosOnboardingError(error: unknown, failedStep?: OnboardingStep): OnboardingErrorCategory;
+export declare function mapAndroidOnboardingError(error: unknown): AndroidOnboardingErrorCategory;
+/**
+ * Map a `ValidationResult.kind` from the SA-import validation module onto an
+ * AndroidOnboardingErrorCategory so PostHog `Builder Onboarding Step` events
+ * for `sa-json-validation-failed` carry an actionable failure dimension.
+ *
+ * Kept here (alongside `mapAndroidOnboardingError`) so the full SA-error
+ * taxonomy lives in one place.
+ */
+export declare function mapSaValidationKindToCategory(kind: 'shape-error' | 'token-error' | 'no-app-access' | 'network-error'): AndroidOnboardingErrorCategory;