@daemux/store-automator 0.10.6 → 0.10.8

package/.claude-plugin/marketplace.json

@@ -5,14 +5,14 @@
   },
   "metadata": {
     "description": "App Store & Google Play automation for Flutter apps",
-    "version": "0.10.6"
+    "version": "0.10.8"
   },
   "plugins": [
     {
       "name": "store-automator",
       "source": "./plugins/store-automator",
       "description": "3 agents for app store publishing: reviewer, meta-creator, media-designer",
-      "version": "0.10.6",
+      "version": "0.10.8",
       "keywords": [
         "flutter",
         "app-store",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@daemux/store-automator",
-  "version": "0.10.6",
+  "version": "0.10.8",
   "description": "Full App Store & Google Play automation for Flutter apps with Claude Code agents",
   "type": "module",
   "bin": {

package/plugins/store-automator/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "store-automator",
-  "version": "0.10.6",
+  "version": "0.10.8",
   "description": "App Store & Google Play automation agents for Flutter app publishing",
   "author": {
     "name": "Daemux"

package/templates/fastlane/android/Fastfile.template

@@ -113,11 +113,9 @@ platform :android do
   end
 
   lane :sync_google_iap do
-    manage_google_iap(
-      json_key: ENV["GOOGLE_PLAY_SERVICE_ACCOUNT_JSON_PATH"],
-      package_name: ENV["PACKAGE_NAME"],
-      config_path: "#{ROOT_DIR}/fastlane/iap_config.json"
-    )
+    config_path = "#{ROOT_DIR}/fastlane/iap_config.json"
+    script = "#{ROOT_DIR}/scripts/sync_iap_android.py"
+    sh("python3", script, config_path) if File.exist?(config_path) && File.exist?(script)
   end
 
   lane :update_data_safety do

package/templates/fastlane/android/Pluginfile.template

@@ -1,4 +1,2 @@
-# fastlane-plugin-iap is not yet published.
-# IAP sync is handled gracefully in CI workflows (non-blocking).
-# Uncomment when the plugin is available:
-# gem "fastlane-plugin-iap", git: "https://github.com/daemux/fastlane-plugin-iap"
+# IAP sync is handled by scripts/sync_iap_android.py (direct Google Play API).
+# No fastlane plugins required for IAP management.

package/templates/fastlane/ios/Fastfile.template

@@ -110,10 +110,8 @@ platform :ios do
   end
 
   lane :sync_iap do
-    manage_iap(
-      api_key: asc_api_key,
-      app_id: ENV["BUNDLE_ID"],
-      config_path: "#{ROOT_DIR}/fastlane/iap_config.json"
-    )
+    config_path = "#{ROOT_DIR}/fastlane/iap_config.json"
+    script = "#{ROOT_DIR}/scripts/sync_iap_ios.py"
+    sh("python3", script, config_path) if File.exist?(config_path) && File.exist?(script)
   end
 end

package/templates/fastlane/ios/Pluginfile.template

@@ -1,4 +1,2 @@
-# fastlane-plugin-iap is not yet published.
-# IAP sync is handled gracefully in CI workflows (non-blocking).
-# Uncomment when the plugin is available:
-# gem "fastlane-plugin-iap", git: "https://github.com/daemux/fastlane-plugin-iap"
+# IAP sync is handled by scripts/sync_iap_ios.py (direct App Store Connect API).
+# No fastlane plugins required for IAP management.

package/templates/scripts/asc_iap_api.py

@@ -0,0 +1,215 @@
+"""
+App Store Connect IAP API layer.
+
+Low-level functions for interacting with the App Store Connect REST API
+for subscription groups and subscriptions.
+"""
+import sys
+import time
+
+try:
+    import jwt
+    import requests
+except ImportError:
+    import subprocess
+    subprocess.check_call(
+        [sys.executable, "-m", "pip", "install", "--break-system-packages", "PyJWT", "cryptography", "requests"],
+        stdout=subprocess.DEVNULL,
+    )
+    import jwt
+    import requests
+
+BASE_URL = "https://api.appstoreconnect.apple.com/v1"
+TIMEOUT = (10, 30)
+
+# ISO 8601 duration to App Store Connect subscription period mapping
+DURATION_MAP = {
+    "P1W": "ONE_WEEK",
+    "P1M": "ONE_MONTH",
+    "P2M": "TWO_MONTHS",
+    "P3M": "THREE_MONTHS",
+    "P6M": "SIX_MONTHS",
+    "P1Y": "ONE_YEAR",
+    "ONE_WEEK": "ONE_WEEK",
+    "ONE_MONTH": "ONE_MONTH",
+    "TWO_MONTHS": "TWO_MONTHS",
+    "THREE_MONTHS": "THREE_MONTHS",
+    "SIX_MONTHS": "SIX_MONTHS",
+    "ONE_YEAR": "ONE_YEAR",
+}
+
+
+def get_jwt_token(key_id: str, issuer_id: str, private_key: str) -> str:
+    """Generate a signed JWT for App Store Connect API authentication."""
+    payload = {
+        "iss": issuer_id,
+        "iat": int(time.time()),
+        "exp": int(time.time()) + 1200,
+        "aud": "appstoreconnect-v1",
+    }
+    return jwt.encode(payload, private_key, algorithm="ES256", headers={"kid": key_id})
+
+
+def get_app_id(headers: dict, bundle_id: str) -> str:
+    """Look up the App Store Connect app ID for the given bundle identifier."""
+    resp = requests.get(
+        f"{BASE_URL}/apps",
+        params={"filter[bundleId]": bundle_id},
+        headers=headers,
+        timeout=TIMEOUT,
+    )
+    resp.raise_for_status()
+    data = resp.json().get("data", [])
+    if not data:
+        print(f"ERROR: No app found for bundle ID '{bundle_id}'", file=sys.stderr)
+        sys.exit(1)
+    return data[0]["id"]
+
+
+def list_subscription_groups(headers: dict, app_id: str) -> list:
+    """List all existing subscription groups for the app."""
+    resp = requests.get(
+        f"{BASE_URL}/apps/{app_id}/subscriptionGroups",
+        headers=headers,
+        timeout=TIMEOUT,
+    )
+    resp.raise_for_status()
+    return resp.json().get("data", [])
+
+
+def create_subscription_group(headers: dict, app_id: str, reference_name: str) -> str:
+    """Create a subscription group and return its ID."""
+    resp = requests.post(
+        f"{BASE_URL}/subscriptionGroups",
+        json={
+            "data": {
+                "type": "subscriptionGroups",
+                "attributes": {"referenceName": reference_name},
+                "relationships": {
+                    "app": {"data": {"type": "apps", "id": app_id}}
+                },
+            }
+        },
+        headers=headers,
+        timeout=TIMEOUT,
+    )
+    if not resp.ok:
+        print_api_errors(resp, f"create subscription group '{reference_name}'")
+        sys.exit(1)
+    group_id = resp.json()["data"]["id"]
+    print(f"  Created subscription group '{reference_name}' (ID: {group_id})")
+    return group_id
+
+
+def list_subscriptions_in_group(headers: dict, group_id: str) -> list:
+    """List all subscriptions within a subscription group."""
+    resp = requests.get(
+        f"{BASE_URL}/subscriptionGroups/{group_id}/subscriptions",
+        headers=headers,
+        timeout=TIMEOUT,
+    )
+    resp.raise_for_status()
+    return resp.json().get("data", [])
+
+
+def create_subscription(headers: dict, group_id: str, sub_config: dict) -> str:
+    """Create a subscription within a group and return its ID."""
+    duration = DURATION_MAP.get(sub_config["duration"], sub_config["duration"])
+    resp = requests.post(
+        f"{BASE_URL}/subscriptions",
+        json={
+            "data": {
+                "type": "subscriptions",
+                "attributes": {
+                    "productId": sub_config["product_id"],
+                    "name": sub_config["reference_name"],
+                    "subscriptionPeriod": duration,
+                    "groupLevel": sub_config.get("group_level", 1),
+                    "familySharable": sub_config.get("family_sharable", False),
+                    "reviewNote": sub_config.get("review_note", ""),
+                },
+                "relationships": {
+                    "group": {"data": {"type": "subscriptionGroups", "id": group_id}}
+                },
+            }
+        },
+        headers=headers,
+        timeout=TIMEOUT,
+    )
+    if not resp.ok:
+        print_api_errors(resp, f"create subscription '{sub_config['product_id']}'")
+        sys.exit(1)
+    sub_id = resp.json()["data"]["id"]
+    print(f"    Created subscription '{sub_config['product_id']}' (ID: {sub_id})")
+    return sub_id
+
+
+def get_subscription_localizations(headers: dict, sub_id: str) -> list:
+    """Fetch existing localizations for a subscription."""
+    resp = requests.get(
+        f"{BASE_URL}/subscriptions/{sub_id}/subscriptionLocalizations",
+        headers=headers,
+        timeout=TIMEOUT,
+    )
+    resp.raise_for_status()
+    return resp.json().get("data", [])
+
+
+def create_localization(headers: dict, sub_id: str, locale: str, loc_data: dict) -> None:
+    """Create a new localization for a subscription."""
+    resp = requests.post(
+        f"{BASE_URL}/subscriptionLocalizations",
+        json={
+            "data": {
+                "type": "subscriptionLocalizations",
+                "attributes": {
+                    "locale": locale,
+                    "name": loc_data.get("name", ""),
+                    "description": loc_data.get("description", ""),
+                },
+                "relationships": {
+                    "subscription": {"data": {"type": "subscriptions", "id": sub_id}}
+                },
+            }
+        },
+        headers=headers,
+        timeout=TIMEOUT,
+    )
+    if not resp.ok:
+        print_api_errors(resp, f"create localization '{locale}' for subscription {sub_id}")
+        return
+    print(f"      Created localization '{locale}'")
+
+
+def update_localization(headers: dict, loc_id: str, loc_data: dict) -> None:
+    """Update an existing subscription localization."""
+    resp = requests.patch(
+        f"{BASE_URL}/subscriptionLocalizations/{loc_id}",
+        json={
+            "data": {
+                "type": "subscriptionLocalizations",
+                "id": loc_id,
+                "attributes": {
+                    "name": loc_data.get("name", ""),
+                    "description": loc_data.get("description", ""),
+                },
+            }
+        },
+        headers=headers,
+        timeout=TIMEOUT,
+    )
+    if not resp.ok:
+        print_api_errors(resp, f"update localization {loc_id}")
+        return
+    print(f"      Updated localization (ID: {loc_id})")
+
+
+def print_api_errors(resp, action: str) -> None:
+    """Print human-readable API error messages."""
+    try:
+        errors = resp.json().get("errors", [])
+        for err in errors:
+            detail = err.get("detail", err.get("title", "Unknown error"))
+            print(f"ERROR ({action}): {detail}", file=sys.stderr)
+    except (ValueError, KeyError):
+        print(f"ERROR ({action}): HTTP {resp.status_code} - {resp.text[:200]}", file=sys.stderr)

package/templates/scripts/check_google_play.py

@@ -51,7 +51,7 @@ def get_access_token(sa_path: str) -> str:
     resp = requests.post(
         "https://oauth2.googleapis.com/token",
         data={
-            "grant_type": "urn:ietf:params:oauth:grant_type:jwt-bearer",
+            "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
             "assertion": signed,
         },
         timeout=TIMEOUT,

package/templates/scripts/ci/android/check-readiness.sh

@@ -86,6 +86,29 @@ if [ "$READY" != "true" ]; then
   echo "  4. Upload at least one AAB manually for the first release"
   echo "  5. Grant the service account access to the app"
   echo ""
+  echo "::warning title=Google Play Not Ready::App setup incomplete. See job summary for missing steps."
+  if [ -n "${GITHUB_STEP_SUMMARY:-}" ]; then
+    cat >> "$GITHUB_STEP_SUMMARY" << SUMMARY
+## :warning: Google Play Not Ready for Automation
+
+The app **$PACKAGE_NAME** is not yet configured for automated publishing.
+
+### Missing steps:
+$MISSING_STEPS
+
+### How to fix:
+
+1. Go to [Google Play Console](https://play.google.com/console)
+2. Ensure the app (\`$PACKAGE_NAME\`) has been manually created
+3. Complete the **Store listing** (description, graphics, screenshots)
+4. Complete the **Content rating** questionnaire
+5. Complete **Pricing & distribution** settings
+6. Upload at least one AAB manually for the first release
+7. Grant the service account access to the app under **Users & permissions**
+
+> Once all steps are completed, re-run this workflow and Google Play readiness will pass.
+SUMMARY
+  fi
   echo "Google Play is NOT ready. CI cannot proceed."
   exit 1
 else

package/templates/scripts/ci/android/sync-iap.sh

@@ -1,11 +1,14 @@
 #!/usr/bin/env bash
-# Requires link-fastlane.sh and install-fastlane.sh to have run first (workflow steps).
+# Syncs Android IAPs to Google Play via direct API calls (Python script).
+# Requires read-config.sh to have been sourced (provides PROJECT_ROOT, credentials, etc.).
 set -euo pipefail
 
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 source "$SCRIPT_DIR/../common/read-config.sh"
 source "$SCRIPT_DIR/../common/ci-notify.sh"
 
+echo "=== Android IAP Sync ==="
+
 # --- Check Google Play readiness ---
 if [ "${GOOGLE_PLAY_READY:-false}" != "true" ]; then
   echo "ERROR: Google Play not ready. Cannot sync IAPs." >&2
@@ -18,12 +21,6 @@ if [ ! -f "$IAP_CONFIG" ]; then
   ci_skip "No Android IAP config file found"
 fi
 
-# --- Check if IAP plugin is available ---
-cd "$APP_ROOT/android"
-if ! bundle exec gem list fastlane-plugin-iap --installed >/dev/null 2>&1; then
-  ci_skip "fastlane-plugin-iap not installed"
-fi
-
 # --- Hash-based change detection ---
 STATE_DIR="$PROJECT_ROOT/.ci-state"
 mkdir -p "$STATE_DIR"
@@ -47,12 +44,19 @@ if [ ! -f "$SA_FULL_PATH" ]; then
   exit 1
 fi
 
-# --- Sync IAP via Fastlane ---
+# --- Run IAP sync via Python ---
+SYNC_SCRIPT="$PROJECT_ROOT/scripts/sync_iap_android.py"
+
+if [ ! -f "$SYNC_SCRIPT" ]; then
+  echo "ERROR: sync_iap_android.py not found at $SYNC_SCRIPT" >&2
+  exit 1
+fi
+
 echo "Syncing Android IAP configuration..."
 
+SA_JSON="$SA_FULL_PATH" \
 PACKAGE_NAME="$PACKAGE_NAME" \
-GOOGLE_PLAY_SERVICE_ACCOUNT_JSON_PATH="$SA_FULL_PATH" \
-bundle exec fastlane sync_google_iap
+python3 "$SYNC_SCRIPT" "$IAP_CONFIG"
 
 # --- Update hash on success ---
 echo "$HASH" > "$STATE_FILE"

package/templates/scripts/ci/android/upload-binary.sh

@@ -15,12 +15,15 @@ if [ "${GOOGLE_PLAY_READY:-false}" != "true" ]; then
 
   AAB_DIR="$APP_ROOT/build/app/outputs/bundle/release"
   AAB_FILE=$(find "$AAB_DIR" -name "*.aab" -type f 2>/dev/null | head -1)
+  AAB_INFO=""
   if [ -n "$AAB_FILE" ]; then
+    AAB_INFO="Built AAB: $AAB_FILE ($(du -h "$AAB_FILE" | cut -f1))"
     echo ""
-    echo "Built AAB: $AAB_FILE ($(du -h "$AAB_FILE" | cut -f1))"
+    echo "$AAB_INFO"
   else
+    AAB_INFO="No AAB found. Run build.sh first."
     echo ""
-    echo "No AAB found. Run build.sh first."
+    echo "$AAB_INFO"
   fi
 
   echo ""
@@ -32,6 +35,28 @@ if [ "${GOOGLE_PLAY_READY:-false}" != "true" ]; then
   echo "  5. Complete the release form and roll out"
   echo ""
   echo "After the first manual upload, subsequent releases will be automated."
+  echo "::warning title=Manual AAB Upload Required::First release must be uploaded manually. See job summary for instructions."
+  if [ -n "${GITHUB_STEP_SUMMARY:-}" ]; then
+    cat >> "$GITHUB_STEP_SUMMARY" << SUMMARY
+## :warning: Manual AAB Upload Required - First Release
+
+Google Play is not ready for automated binary uploads. This is expected for the first release.
+
+**$AAB_INFO**
+
+### How to upload manually:
+
+1. Go to [Google Play Console](https://play.google.com/console)
+2. Select your app (\`$PACKAGE_NAME\`)
+3. Navigate to **Release > Testing > Internal testing** (or your target track)
+4. Click **Create new release**
+5. Upload the AAB file built by CI
+6. Fill in release notes
+7. Complete the release form and click **Start rollout**
+
+> After the first manual upload, all subsequent binary uploads will be fully automated by CI.
+SUMMARY
+  fi
   exit 1
 fi
 

package/templates/scripts/ci/android/upload-metadata.sh

@@ -58,6 +58,29 @@ if [ $FASTLANE_EXIT -ne 0 ]; then
   # published.  This resolves after the first manual release via the Play
   # Console, so we warn instead of failing the workflow.
   if echo "$FASTLANE_OUTPUT" | grep -qi "draft app"; then
+    echo "::warning title=Google Play Draft App::First manual release required. See job summary for instructions."
+    if [ -n "${GITHUB_STEP_SUMMARY:-}" ]; then
+      cat >> "$GITHUB_STEP_SUMMARY" << 'SUMMARY'
+## :warning: Google Play Draft App - Manual Action Required
+
+Metadata upload could not be committed because the app is still in **draft state** on Google Play.
+
+### How to fix:
+
+1. Go to [Google Play Console](https://play.google.com/console)
+2. Select your app
+3. Navigate to **Release > Production** (or **Internal testing**)
+4. Click **Create new release**
+5. The AAB was already uploaded by CI -- select it
+6. Fill in release notes
+7. Complete **Store listing** (description, screenshots -- already uploaded by CI)
+8. Complete **Content rating** questionnaire
+9. Complete **Pricing & distribution** settings
+10. Click **Review release** then **Start rollout**
+
+> After the first manual release, all subsequent CI metadata uploads will commit successfully without this error.
+SUMMARY
+    fi
     ci_skip "App is in draft status — manual first release required on Google Play Console"
   fi
   exit $FASTLANE_EXIT

package/templates/scripts/ci/ios/sync-iap.sh

@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
-# Requires link-fastlane.sh and install-fastlane.sh to have run first (workflow steps).
+# Syncs iOS IAPs to App Store Connect via direct API calls (Python script).
+# Requires read-config.sh to have been sourced (provides PROJECT_ROOT, credentials, etc.).
 set -euo pipefail
 
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
@@ -15,15 +16,6 @@ if [ ! -f "$IAP_CONFIG" ]; then
   ci_skip "No iOS IAP config file found"
 fi
 
-# --- Check if IAP plugin is available ---
-cd "$APP_ROOT/ios"
-
-if ! bundle exec gem list fastlane-plugin-iap --installed >/dev/null 2>&1; then
-  ci_skip "fastlane-plugin-iap not installed"
-fi
-
-echo "fastlane-plugin-iap is installed. Proceeding with sync."
-
 # --- Hash-based change detection ---
 CURRENT_HASH=$(shasum -a 256 "$IAP_CONFIG" | cut -d' ' -f1)
 
@@ -41,26 +33,30 @@ else
   echo "No cached hash found. First run — will sync IAPs."
 fi
 
-# --- Set up App Store Connect API key ---
+# --- Set up App Store Connect API credentials ---
 P8_FULL_PATH="$PROJECT_ROOT/$P8_KEY_PATH"
 if [ ! -f "$P8_FULL_PATH" ]; then
   echo "ERROR: P8 key file not found at $P8_FULL_PATH" >&2
   exit 1
 fi
 
-export APP_STORE_CONNECT_API_KEY_KEY_ID="$APPLE_KEY_ID"
-export APP_STORE_CONNECT_API_KEY_ISSUER_ID="$APPLE_ISSUER_ID"
-export APP_STORE_CONNECT_API_KEY_KEY="$(cat "$P8_FULL_PATH")"
-export APP_STORE_CONNECT_API_KEY_IS_KEY_CONTENT_BASE64="false"
+export APP_STORE_CONNECT_KEY_IDENTIFIER="$APPLE_KEY_ID"
+export APP_STORE_CONNECT_ISSUER_ID="$APPLE_ISSUER_ID"
+export APP_STORE_CONNECT_PRIVATE_KEY="$(cat "$P8_FULL_PATH")"
+export BUNDLE_ID="$BUNDLE_ID"
 
 echo "ASC API key configured (Key ID: $APPLE_KEY_ID)"
 
-# --- Run IAP sync ---
-echo "Syncing IAPs to App Store Connect..."
+# --- Run IAP sync via Python ---
+SYNC_SCRIPT="$PROJECT_ROOT/scripts/sync_iap_ios.py"
 
-FASTLANE_API_KEY_PATH="$P8_FULL_PATH" \
-BUNDLE_ID="$BUNDLE_ID" \
-bundle exec fastlane sync_iap
+if [ ! -f "$SYNC_SCRIPT" ]; then
+  echo "ERROR: sync_iap_ios.py not found at $SYNC_SCRIPT" >&2
+  exit 1
+fi
+
+echo "Syncing IAPs to App Store Connect..."
+python3 "$SYNC_SCRIPT" "$IAP_CONFIG"
 
 # --- Update hash on success ---
 echo "$CURRENT_HASH" > "$STATE_FILE"

package/templates/scripts/gplay_iap_api.py

@@ -0,0 +1,189 @@
+"""
+Google Play IAP API layer.
+
+Low-level functions for interacting with the Android Publisher API
+for subscriptions, base plans, and offers.
+"""
+import json
+import sys
+import time
+
+try:
+    import jwt
+    import requests
+except ImportError:
+    import subprocess
+    subprocess.check_call(
+        [sys.executable, "-m", "pip", "install", "--break-system-packages", "PyJWT", "cryptography", "requests"],
+        stdout=subprocess.DEVNULL,
+    )
+    import jwt
+    import requests
+
+API_BASE = "https://androidpublisher.googleapis.com/androidpublisher/v3/applications"
+TIMEOUT = (10, 30)
+
+# ISO 8601 duration mapping (normalize to ISO 8601 for Google Play)
+DURATION_MAP = {
+    "ONE_WEEK": "P1W",
+    "ONE_MONTH": "P1M",
+    "TWO_MONTHS": "P2M",
+    "THREE_MONTHS": "P3M",
+    "SIX_MONTHS": "P6M",
+    "ONE_YEAR": "P1Y",
+}
+
+# Regions version required by the API
+REGIONS_VERSION = {"version": "2022/02"}
+
+
+def get_access_token(sa_path: str) -> str:
+    """Obtain an OAuth2 access token using the service account credentials."""
+    with open(sa_path, "r", encoding="utf-8") as fh:
+        sa = json.load(fh)
+    now = int(time.time())
+    payload = {
+        "iss": sa["client_email"],
+        "scope": "https://www.googleapis.com/auth/androidpublisher",
+        "aud": "https://oauth2.googleapis.com/token",
+        "iat": now,
+        "exp": now + 3600,
+    }
+    signed = jwt.encode(payload, sa["private_key"], algorithm="RS256")
+    resp = requests.post(
+        "https://oauth2.googleapis.com/token",
+        data={"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer", "assertion": signed},
+        timeout=TIMEOUT,
+    )
+    resp.raise_for_status()
+    return resp.json()["access_token"]
+
+
+def list_subscriptions(headers: dict, package_name: str) -> dict:
+    """List all existing subscriptions. Returns a dict keyed by productId."""
+    resp = requests.get(
+        f"{API_BASE}/{package_name}/subscriptions",
+        headers=headers,
+        timeout=TIMEOUT,
+    )
+    if resp.status_code == 404:
+        return {}
+    resp.raise_for_status()
+    if not resp.text.strip():
+        return {}
+    subs = resp.json().get("subscriptions", [])
+    return {s["productId"]: s for s in subs}
+
+
+def normalize_duration(duration: str) -> str:
+    """Normalize duration to ISO 8601 format accepted by Google Play."""
+    return DURATION_MAP.get(duration, duration)
+
+
+def build_price(price_str: str, currency: str = "USD") -> dict:
+    """Build a Money object from a decimal price string like '9.99'."""
+    parts = price_str.split(".")
+    units = parts[0]
+    nanos = 0
+    if len(parts) > 1:
+        frac = parts[1].ljust(9, "0")[:9]
+        nanos = int(frac)
+    return {"currencyCode": currency, "units": units, "nanos": nanos}
+
+
+def currency_to_region(currency: str) -> str:
+    """Map common currency codes to region codes."""
+    mapping = {
+        "USD": "US",
+        "EUR": "DE",
+        "GBP": "GB",
+        "JPY": "JP",
+        "CAD": "CA",
+        "AUD": "AU",
+    }
+    return mapping.get(currency, "")
+
+
+def create_subscription(headers: dict, package_name: str, product_id: str, body: dict) -> dict:
+    """Create a new subscription via the API."""
+    resp = requests.post(
+        f"{API_BASE}/{package_name}/subscriptions",
+        params={"productId": product_id, "regionsVersion.version": REGIONS_VERSION["version"]},
+        json=body,
+        headers=headers,
+        timeout=TIMEOUT,
+    )
+    if not resp.ok:
+        print_api_error(resp, f"create subscription '{product_id}'")
+        return {}
+
+    print(f"    Created subscription '{product_id}'")
+    return resp.json()
+
+
+def update_subscription(headers: dict, package_name: str, product_id: str, body: dict) -> dict:
+    """Update an existing subscription via the API."""
+    resp = requests.patch(
+        f"{API_BASE}/{package_name}/subscriptions/{product_id}",
+        params={
+            "updateMask": "listings",
+            "regionsVersion.version": REGIONS_VERSION["version"],
+        },
+        json=body,
+        headers=headers,
+        timeout=TIMEOUT,
+    )
+    if not resp.ok:
+        print_api_error(resp, f"update subscription '{product_id}'")
+        return {}
+
+    print(f"    Updated subscription '{product_id}'")
+    return resp.json()
+
+
+def activate_base_plan(headers: dict, package_name: str, product_id: str, base_plan_id: str) -> bool:
+    """Activate a base plan for a subscription."""
+    resp = requests.post(
+        f"{API_BASE}/{package_name}/subscriptions/{product_id}/basePlans/{base_plan_id}:activate",
+        headers=headers,
+        json={},
+        timeout=TIMEOUT,
+    )
+    if not resp.ok:
+        print_api_error(resp, f"activate base plan '{base_plan_id}'")
+        return False
+    print(f"      Activated base plan '{base_plan_id}'")
+    return True
+
+
+def create_intro_offer(
+    headers: dict, package_name: str, product_id: str, base_plan_id: str, offer_id: str, body: dict
+) -> bool:
+    """Create an introductory offer (free trial) for a base plan."""
+    resp = requests.post(
+        f"{API_BASE}/{package_name}/subscriptions/{product_id}"
+        f"/basePlans/{base_plan_id}/offers",
+        params={"offerId": offer_id, "regionsVersion.version": REGIONS_VERSION["version"]},
+        json=body,
+        headers=headers,
+        timeout=TIMEOUT,
+    )
+    if resp.status_code == 409:
+        print(f"      Intro offer '{offer_id}' already exists")
+        return True
+    if not resp.ok:
+        print_api_error(resp, f"create intro offer for '{product_id}'")
+        return False
+
+    print(f"      Created intro offer '{offer_id}'")
+    return True
+
+
+def print_api_error(resp, action: str) -> None:
+    """Print human-readable API error messages."""
+    try:
+        error_data = resp.json()
+        message = error_data.get("error", {}).get("message", resp.text[:200])
+        print(f"ERROR ({action}): {message}", file=sys.stderr)
+    except (ValueError, KeyError):
+        print(f"ERROR ({action}): HTTP {resp.status_code} - {resp.text[:200]}", file=sys.stderr)

package/templates/scripts/sync_iap_android.py

@@ -0,0 +1,219 @@
+#!/usr/bin/env python3
+"""
+Sync Android In-App Purchases to Google Play via the Android Publisher API.
+
+Reads iap_config.json and creates/updates subscriptions with base plans and offers.
+Idempotent: safe to run repeatedly -- existing resources are skipped or updated.
+
+Required env vars:
+  SA_JSON       - Path to Google service account JSON file
+  PACKAGE_NAME  - Android package name (e.g. com.example.app)
+
+Usage:
+  python3 sync_iap_android.py <path/to/iap_config.json>
+"""
+import json
+import os
+import sys
+
+from gplay_iap_api import (
+    activate_base_plan,
+    build_price,
+    create_intro_offer,
+    create_subscription,
+    currency_to_region,
+    get_access_token,
+    list_subscriptions,
+    normalize_duration,
+    update_subscription,
+)
+
+
+def _build_base_plan(sub_config: dict) -> dict:
+    """Build a base plan object from subscription config."""
+    duration = normalize_duration(sub_config["duration"])
+    prices = sub_config.get("prices", {})
+    usd_price = prices.get("USD", sub_config.get("price_tier", "0"))
+    eur_price = prices.get("EUR", usd_price)
+
+    regional_configs = []
+    for currency, amount in prices.items():
+        region = currency_to_region(currency)
+        if region:
+            regional_configs.append({
+                "regionCode": region,
+                "newSubscriberAvailability": True,
+                "price": build_price(amount, currency),
+            })
+
+    return {
+        "basePlanId": sub_config["product_id"].replace(".", "-").replace("_", "-"),
+        "autoRenewingBasePlanType": {
+            "billingPeriodDuration": duration,
+            "gracePeriodDuration": "P3D",
+            "resubscribeState": "RESUBSCRIBE_STATE_ACTIVE",
+            "legacyCompatible": True,
+        },
+        "regionalConfigs": regional_configs,
+        "otherRegionsConfig": {
+            "usdPrice": build_price(usd_price, "USD"),
+            "eurPrice": build_price(eur_price, "EUR"),
+            "newSubscriberAvailability": True,
+        },
+    }
+
+
+def _build_listings(sub_config: dict) -> list:
+    """Build localized listings from subscription config."""
+    localizations = sub_config.get("localizations", {})
+    listings = []
+
+    if localizations:
+        for lang_code, loc_data in localizations.items():
+            listings.append({
+                "languageCode": lang_code,
+                "title": loc_data.get("name", sub_config["reference_name"]),
+                "description": loc_data.get("description", ""),
+                "benefits": loc_data.get("benefits", []),
+            })
+    else:
+        listings.append({
+            "languageCode": "en-US",
+            "title": sub_config["reference_name"],
+            "description": sub_config.get("description", ""),
+            "benefits": [],
+        })
+
+    return listings
+
+
+def _build_subscription_body(sub_config: dict, package_name: str) -> dict:
+    """Build the full subscription request body."""
+    return {
+        "packageName": package_name,
+        "productId": sub_config["product_id"],
+        "basePlans": [_build_base_plan(sub_config)],
+        "listings": _build_listings(sub_config),
+    }
+
+
+def _build_intro_offer_body(sub_config: dict) -> dict:
+    """Build the introductory offer request body from subscription config."""
+    intro = sub_config["introductory_offer"]
+    offer_type = intro.get("type", "FREE")
+    duration = normalize_duration(intro.get("duration", "P1W"))
+
+    phases = [{"recurrenceCount": intro.get("periods", 1), "duration": duration}]
+
+    if offer_type in ("FREE", "FREE_TRIAL"):
+        phases[0]["regionalConfigs"] = [
+            {"regionCode": "US", "price": build_price("0", "USD")}
+        ]
+    else:
+        price = intro.get("price", "0")
+        phases[0]["regionalConfigs"] = [
+            {"regionCode": "US", "price": build_price(price, "USD")}
+        ]
+
+    offer_id = f"{sub_config['product_id'].replace('.', '-').replace('_', '-')}-intro"
+    return {
+        "offerId": offer_id,
+        "phases": phases,
+        "targeting": {
+            "acquisitionRule": {
+                "scope": {"thisSubscription": {}}
+            }
+        },
+        "regionalConfigs": [{"regionCode": "US", "newSubscriberAvailability": True}],
+    }
+
+
+def sync_subscription(headers: dict, package_name: str, sub_config: dict, existing: dict) -> dict:
+    """Sync a single subscription: create if missing, update if exists."""
+    product_id = sub_config["product_id"]
+    print(f"\n  Processing subscription: {product_id}")
+    body = _build_subscription_body(sub_config, package_name)
+
+    if product_id in existing:
+        update_subscription(headers, package_name, product_id, body)
+        return {"product_id": product_id, "action": "updated"}
+
+    result = create_subscription(headers, package_name, product_id, body)
+    if not result:
+        return {"product_id": product_id, "action": "failed"}
+
+    base_plan_id = product_id.replace(".", "-").replace("_", "-")
+    activate_base_plan(headers, package_name, product_id, base_plan_id)
+
+    if sub_config.get("introductory_offer"):
+        offer_body = _build_intro_offer_body(sub_config)
+        offer_id = f"{product_id.replace('.', '-').replace('_', '-')}-intro"
+        create_intro_offer(headers, package_name, product_id, base_plan_id, offer_id, offer_body)
+
+    return {"product_id": product_id, "action": "created"}
+
+
+def validate_env() -> tuple:
+    """Validate required environment variables. Returns (sa_path, package_name)."""
+    sa_json = os.environ.get("SA_JSON", "")
+    package_name = os.environ.get("PACKAGE_NAME", "")
+
+    if not sa_json or not package_name:
+        print("ERROR: SA_JSON and PACKAGE_NAME env vars are required", file=sys.stderr)
+        sys.exit(1)
+
+    if not os.path.isfile(sa_json):
+        print(f"ERROR: Service account file not found: {sa_json}", file=sys.stderr)
+        sys.exit(1)
+
+    return sa_json, package_name
+
+
+def load_iap_config(config_path: str) -> dict:
+    """Load and validate the IAP config file."""
+    if not os.path.isfile(config_path):
+        print(f"ERROR: IAP config file not found: {config_path}", file=sys.stderr)
+        sys.exit(1)
+
+    with open(config_path, "r", encoding="utf-8") as f:
+        config = json.load(f)
+
+    if not config.get("subscription_groups"):
+        print("WARNING: No subscription_groups found in config", file=sys.stderr)
+
+    return config
+
+
+def main() -> None:
+    if len(sys.argv) < 2:
+        print(f"Usage: {sys.argv[0]} <path/to/iap_config.json>", file=sys.stderr)
+        sys.exit(1)
+
+    config_path = sys.argv[1]
+    sa_json, package_name = validate_env()
+
+    access_token = get_access_token(sa_json)
+    headers = {
+        "Authorization": f"Bearer {access_token}",
+        "Content-Type": "application/json",
+    }
+
+    config = load_iap_config(config_path)
+    print(f"Package: {package_name}")
+
+    existing = list_subscriptions(headers, package_name)
+    print(f"Found {len(existing)} existing subscription(s)")
+
+    results = []
+    for group in config.get("subscription_groups", []):
+        group_name = group.get("reference_name", group.get("group_name", "Unknown"))
+        print(f"\nProcessing group: {group_name}")
+        for sub_config in group.get("subscriptions", []):
+            result = sync_subscription(headers, package_name, sub_config, existing)
+            results.append(result)
+
+    print(f"\n{json.dumps({'synced_subscriptions': results}, indent=2)}")
+
+
+if __name__ == "__main__":
+    main()

package/templates/scripts/sync_iap_ios.py

@@ -0,0 +1,163 @@
+#!/usr/bin/env python3
+"""
+Sync iOS In-App Purchases to App Store Connect via the REST API.
+
+Reads iap_config.json and creates/updates subscription groups and subscriptions.
+Idempotent: safe to run repeatedly -- existing resources are skipped or updated.
+
+Required env vars:
+  APP_STORE_CONNECT_KEY_IDENTIFIER  - Key ID from App Store Connect
+  APP_STORE_CONNECT_ISSUER_ID       - Issuer ID from App Store Connect
+  APP_STORE_CONNECT_PRIVATE_KEY     - Contents of the P8 key file
+  BUNDLE_ID                         - App bundle identifier
+
+Usage:
+  python3 sync_iap_ios.py <path/to/iap_config.json>
+"""
+import json
+import os
+import sys
+
+from asc_iap_api import (
+    create_localization,
+    create_subscription,
+    create_subscription_group,
+    get_app_id,
+    get_jwt_token,
+    get_subscription_localizations,
+    list_subscription_groups,
+    list_subscriptions_in_group,
+    update_localization,
+)
+
+
+def find_or_create_group(headers: dict, app_id: str, reference_name: str, existing_groups: list) -> str:
+    """Find an existing subscription group by reference name or create a new one."""
+    for group in existing_groups:
+        if group["attributes"]["referenceName"] == reference_name:
+            group_id = group["id"]
+            print(f"  Subscription group '{reference_name}' already exists (ID: {group_id})")
+            return group_id
+    return create_subscription_group(headers, app_id, reference_name)
+
+
+def find_or_create_subscription(headers: dict, group_id: str, sub_config: dict, existing_subs: list) -> str:
+    """Find an existing subscription by product ID or create a new one."""
+    product_id = sub_config["product_id"]
+    for sub in existing_subs:
+        if sub["attributes"]["productId"] == product_id:
+            sub_id = sub["id"]
+            print(f"    Subscription '{product_id}' already exists (ID: {sub_id})")
+            return sub_id
+    return create_subscription(headers, group_id, sub_config)
+
+
+def set_subscription_localization(headers: dict, sub_id: str, locale: str, loc_data: dict) -> None:
+    """Create or update a localization for a subscription."""
+    existing = get_subscription_localizations(headers, sub_id)
+    for loc in existing:
+        if loc["attributes"]["locale"] == locale:
+            update_localization(headers, loc["id"], loc_data)
+            return
+    create_localization(headers, sub_id, locale, loc_data)
+
+
+def sync_subscription_group(headers: dict, app_id: str, group_config: dict, existing_groups: list) -> dict:
+    """Sync a single subscription group and its subscriptions. Returns sync result."""
+    ref_name = group_config.get("reference_name", group_config.get("group_name", ""))
+    if not ref_name:
+        print("WARNING: Subscription group missing reference_name, skipping", file=sys.stderr)
+        return {"group": ref_name, "status": "skipped", "subscriptions": []}
+
+    print(f"\nProcessing subscription group: {ref_name}")
+    group_id = find_or_create_group(headers, app_id, ref_name, existing_groups)
+
+    existing_subs = list_subscriptions_in_group(headers, group_id)
+    sub_results = []
+
+    for sub_config in group_config.get("subscriptions", []):
+        sub_id = find_or_create_subscription(headers, group_id, sub_config, existing_subs)
+        _sync_subscription_localizations(headers, sub_id, sub_config)
+        sub_results.append({"product_id": sub_config["product_id"], "id": sub_id})
+
+    return {"group": ref_name, "group_id": group_id, "subscriptions": sub_results}
+
+
+def _sync_subscription_localizations(headers: dict, sub_id: str, sub_config: dict) -> None:
+    """Sync localizations for a subscription from its config."""
+    localizations = sub_config.get("localizations", {})
+    if not localizations:
+        return
+    for locale, loc_data in localizations.items():
+        set_subscription_localization(headers, sub_id, locale, loc_data)
+
+
+def validate_env() -> tuple:
+    """Validate required environment variables. Returns (key_id, issuer_id, private_key, bundle_id)."""
+    key_id = os.environ.get("APP_STORE_CONNECT_KEY_IDENTIFIER", "")
+    issuer_id = os.environ.get("APP_STORE_CONNECT_ISSUER_ID", "")
+    private_key = os.environ.get("APP_STORE_CONNECT_PRIVATE_KEY", "")
+    bundle_id = os.environ.get("BUNDLE_ID", "")
+
+    missing = []
+    if not key_id:
+        missing.append("APP_STORE_CONNECT_KEY_IDENTIFIER")
+    if not issuer_id:
+        missing.append("APP_STORE_CONNECT_ISSUER_ID")
+    if not private_key:
+        missing.append("APP_STORE_CONNECT_PRIVATE_KEY")
+    if not bundle_id:
+        missing.append("BUNDLE_ID")
+
+    if missing:
+        print(f"ERROR: Missing required environment variables: {', '.join(missing)}", file=sys.stderr)
+        sys.exit(1)
+
+    return key_id, issuer_id, private_key, bundle_id
+
+
+def load_iap_config(config_path: str) -> dict:
+    """Load and validate the IAP config file."""
+    if not os.path.isfile(config_path):
+        print(f"ERROR: IAP config file not found: {config_path}", file=sys.stderr)
+        sys.exit(1)
+
+    with open(config_path, "r", encoding="utf-8") as f:
+        config = json.load(f)
+
+    if not config.get("subscription_groups"):
+        print("WARNING: No subscription_groups found in config", file=sys.stderr)
+
+    return config
+
+
+def main() -> None:
+    if len(sys.argv) < 2:
+        print(f"Usage: {sys.argv[0]} <path/to/iap_config.json>", file=sys.stderr)
+        sys.exit(1)
+
+    config_path = sys.argv[1]
+    key_id, issuer_id, private_key, bundle_id = validate_env()
+
+    token = get_jwt_token(key_id, issuer_id, private_key)
+    headers = {
+        "Authorization": f"Bearer {token}",
+        "Content-Type": "application/json",
+    }
+
+    config = load_iap_config(config_path)
+    app_id = get_app_id(headers, bundle_id)
+    print(f"App ID: {app_id} (Bundle: {bundle_id})")
+
+    existing_groups = list_subscription_groups(headers, app_id)
+    results = []
+
+    for group_config in config.get("subscription_groups", []):
+        result = sync_subscription_group(headers, app_id, group_config, existing_groups)
+        results.append(result)
+
+    print(f"\n{json.dumps({'synced_groups': results}, indent=2)}")
+
+
+if __name__ == "__main__":
+    main()