@daemux/store-automator 0.10.61 → 0.10.63

package/.claude-plugin/marketplace.json

@@ -5,14 +5,14 @@
   },
   "metadata": {
     "description": "App Store & Google Play automation for Flutter apps",
-    "version": "0.10.61"
+    "version": "0.10.63"
   },
   "plugins": [
     {
       "name": "store-automator",
       "source": "./plugins/store-automator",
       "description": "3 agents for app store publishing: reviewer, meta-creator, media-designer",
-      "version": "0.10.61",
+      "version": "0.10.63",
       "keywords": [
         "flutter",
         "app-store",

package/README.md

@@ -20,30 +20,46 @@ Plus CI/CD templates for GitHub Actions, Fastlane, web pages, and scripts.
 
 ## Installation
 
+**Project (default):** Full install into your Flutter project -- agents, CI/CD templates, MCP servers, and interactive setup:
+
 ```bash
 cd your-flutter-project
-npm install @daemux/store-automator@latest
+npx --yes @daemux/store-automator
 ```
 
-The postinstall script runs an interactive setup with five sections:
+The installer runs an interactive setup with five sections:
 
 1. **App Identity** -- App name, bundle ID, package name, SKU, Apple ID
-2. **Credentials** -- Guided steps for App Store Connect API key, Google Play service account, Android keystore, and Match code signing
+2. **Credentials** -- App Store Connect API key, Google Play service account, Android keystore, Match code signing
 3. **Store Settings** -- iOS categories/pricing, Android track/rollout, metadata languages
 4. **Web Settings** -- Domain, colors, company info, legal jurisdiction
-5. **MCP Tokens** -- Stitch and Cloudflare API keys (optional, press Enter to skip)
-
-All values are written to `ci.config.yaml`. The installer also:
+5. **MCP Tokens** -- Stitch and Cloudflare API keys (optional)
 
-- Configures `.mcp.json` with MCP servers (Playwright, mobile-mcp, Stitch, Cloudflare)
-- Installs `.claude/CLAUDE.md` with your app name and agent configurations
-- Copies CI/CD templates (Fastlane, scripts, web pages, GitHub Actions)
-- Configures `.claude/settings.json` with required env vars
-- Runs post-install guides for GitHub repo setup, secrets, and Firebase
+All values are written to `ci.config.yaml`. The installer also configures `.mcp.json`, installs `.claude/CLAUDE.md`, copies CI/CD templates, and configures `.claude/settings.json`.
 
 Re-running the installer reads existing `ci.config.yaml` values as defaults, so you can update individual fields without re-entering everything.
 
-## After Installation
+**Global (agents only):** Install the plugin into `~/.claude` for use across all projects, without touching the current directory:
+
+```bash
+npx --yes @daemux/store-automator --global
+```
+
+Global install:
+
+- Registers the marketplace and installs the plugin at user scope
+- Writes `~/.claude/CLAUDE.md` with agent configurations
+- Adds required env vars and statusLine to `~/.claude/settings.json`
+
+Global install does NOT:
+
+- Create `ci.config.yaml`, `fastlane/`, `scripts/`, `web/`, `Gemfile`, `.github/workflows/`, or any other project files
+- Write or modify `.mcp.json` in the current directory
+- Run any interactive prompts or post-install guides
+
+Use project install for any Flutter app you are actually publishing. Global install is for agent-only access from arbitrary directories.
+
+## After Installation _(project scope only)_
 
 1. Add any credential files not configured during the guided setup:
    - `creds/AuthKey.p8` -- Apple App Store Connect API key
@@ -52,7 +68,7 @@ Re-running the installer reads existing `ci.config.yaml` values as defaults, so
 2. Verify `ci.config.yaml` has all required values filled in
 3. Start Claude Code and use the agents
 
-## Manual Setup
+## Manual Setup _(project scope only)_
 
 If postinstall was skipped (CI environment), run manually:
 
@@ -240,19 +256,18 @@ web:
   google_play_url: ""                          # Filled after first Android publish
 ```
 
-## Usage
+## Uninstall
 
-### Global Install
+**Project uninstall:** Removes CI templates, `ci.config.yaml`, `.mcp.json` entries, `.claude/CLAUDE.md`, and settings from the current project. Marketplace files remain in `~/.claude/plugins/`.
 
 ```bash
-npx @daemux/store-automator -g
+npx --yes @daemux/store-automator --uninstall
 ```
 
-### Uninstall
+**Global uninstall:** Removes the plugin from `~/.claude` and clears the marketplace. Does NOT touch the current project's `ci.config.yaml`, CI templates, or `.mcp.json`.
 
 ```bash
-npx @daemux/store-automator -u         # project scope
-npx @daemux/store-automator -g -u      # global scope
+npx --yes @daemux/store-automator --global --uninstall
 ```
 
 ## Agents
@@ -269,7 +284,7 @@ Designs complete app UI screens, creates ASO-optimized store screenshots for all
 
 Reviews all metadata, screenshots, privacy policy, and IAP configuration against Apple and Google guidelines. Returns APPROVED or REJECTED with specific issues.
 
-## CI/CD Templates
+## CI/CD Templates _(project scope only)_
 
 The package installs these templates to your project:
 
@@ -282,7 +297,7 @@ The package installs these templates to your project:
 | `web/` | Marketing, privacy, terms, and support page templates |
 | `Gemfile` | Ruby gems for Fastlane |
 
-## Workflow
+## Workflow _(project scope only)_
 
 1. Install the package (interactive setup fills `ci.config.yaml`)
 2. Add any remaining credential files
@@ -291,7 +306,7 @@ The package installs these templates to your project:
 5. Use `appstore-reviewer` to verify compliance
 6. Push to GitHub -- GitHub Actions builds and publishes automatically
 
-## MCP Servers
+## MCP Servers _(project scope only)_
 
 The package configures these MCP servers in `.mcp.json`:
 
@@ -302,7 +317,7 @@ The package configures these MCP servers in `.mcp.json`:
 | stitch | AI design tool for screenshot generation | `STITCH_API_KEY` |
 | cloudflare | Cloudflare Pages deployment | `CLOUDFLARE_API_TOKEN` + Account ID |
 
-## Idempotency
+## Idempotency _(project scope only)_
 
 The installer is idempotent. Re-running it reads existing values from `ci.config.yaml` as defaults for each prompt. This means you can:
 

package/bin/cli.mjs

@@ -9,8 +9,6 @@ const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
 const pkg = JSON.parse(readFileSync(join(__dirname, '..', 'package.json'), 'utf8'));
 
-const notifier = updateNotifier({ pkg });
-
 const args = process.argv.slice(2);
 let scope = 'project';
 let action = 'install';
@@ -146,6 +144,13 @@ Examples:
   }
 }
 
+if (scope === 'user' && cliTokens.githubActions) {
+  console.error('Error: --github-actions and --global are mutually exclusive.');
+  console.error('  --global targets ~/.claude (no CI templates).');
+  console.error('  --github-actions targets a project repo. Pick one.');
+  process.exit(1);
+}
+
 if (cliTokens.githubActions) {
   const missing = [];
   if (!cliTokens.matchDeployKey) missing.push('--match-deploy-key');
@@ -163,7 +168,9 @@ if (cliTokens.githubActions) {
   }
 }
 
-notifier.notify();
+if (!isPostinstall) {
+  updateNotifier({ pkg }).notify();
+}
 
 try {
   if (action === 'uninstall') {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@daemux/store-automator",
-  "version": "0.10.61",
+  "version": "0.10.63",
   "description": "Full App Store & Google Play automation for Flutter apps with Claude Code agents",
   "type": "module",
   "bin": {

package/plugins/store-automator/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "store-automator",
-  "version": "0.10.61",
+  "version": "0.10.63",
   "description": "App Store & Google Play automation agents for Flutter app publishing",
   "author": {
     "name": "Daemux"

package/src/install.mjs

@@ -152,7 +152,39 @@ function printNextSteps(prompted) {
   }
 }
 
+async function withReadline(fn) {
+  const { createInterface } = await import('node:readline');
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  try {
+    return await fn(rl);
+  } finally {
+    rl.close();
+  }
+}
+
+function configureScopedSettings(baseDir, packageDir, appName, scopeLabel) {
+  ensureDir(baseDir);
+  installClaudeMd(join(baseDir, 'CLAUDE.md'), packageDir, appName);
+  console.log(`Configuring ${scopeLabel} settings...`);
+  const settingsPath = join(baseDir, 'settings.json');
+  injectEnvVars(settingsPath);
+  injectStatusLine(settingsPath);
+}
+
+function printGlobalNote() {
+  console.log('');
+  console.log('Note: Global install registers the marketplace and installs ~/.claude/CLAUDE.md only.');
+  console.log('To generate CI/CD templates, MCP config, and ci.config.yaml, run `npx @daemux/store-automator` inside a project directory.');
+}
+
 export async function runInstall(scope, isPostinstall = false, cliTokens = {}) {
+  const isGlobal = scope === 'user';
+
+  if (isPostinstall && isGlobal) {
+    console.log('Skipping postinstall in global scope.');
+    return;
+  }
+
   checkClaudeCli();
 
   console.log('Installing/updating Daemux Store Automator...');
@@ -160,102 +192,71 @@ export async function runInstall(scope, isPostinstall = false, cliTokens = {}) {
   const isGitHubActions = Boolean(cliTokens.githubActions);
   const nonInteractive = Boolean(process.env.npm_config_yes) || process.argv.includes('--postinstall');
   const projectDir = process.cwd();
-  const oldVersion = readMarketplaceVersion();
   const packageDir = getPackageDir();
+  const oldVersion = readMarketplaceVersion();
 
-  // 1. Copy plugin files + register marketplace
   copyPluginFiles(packageDir);
   clearCache();
   registerMarketplace();
   runClaudeInstall(scope);
-
   const newVersion = readMarketplaceVersion('unknown');
 
-  // 2. Install CI templates (creates ci.config.yaml if missing)
-  installCiTemplates(projectDir, packageDir);
-  installFirebaseTemplates(projectDir, packageDir);
-
-  // 3. Read current ci.config.yaml values
-  const currentConfig = readCiConfig(projectDir);
+  let prompted = {};
+  if (!isGlobal) {
+    installCiTemplates(projectDir, packageDir);
+    installFirebaseTemplates(projectDir, packageDir);
+    const currentConfig = readCiConfig(projectDir);
 
-  // 4. Run interactive prompts (or use CLI flags / skip in non-interactive)
-  let prompted;
-  if (isGitHubActions) {
-    prompted = {
-      bundleId: cliTokens.bundleId ?? '',
-      matchDeployKeyPath: cliTokens.matchDeployKey,
-      matchGitUrl: cliTokens.matchGitUrl,
-    };
-  } else if (nonInteractive) {
-    prompted = { ...cliTokens };
-  } else {
-    const { createInterface } = await import('node:readline');
-    const rl = createInterface({ input: process.stdin, output: process.stdout });
-    try {
-      prompted = await promptAll(rl, cliTokens, currentConfig, projectDir);
-    } finally {
-      rl.close();
+    if (isGitHubActions) {
+      prompted = {
+        bundleId: cliTokens.bundleId ?? '',
+        matchDeployKeyPath: cliTokens.matchDeployKey,
+        matchGitUrl: cliTokens.matchGitUrl,
+      };
+    } else if (nonInteractive) {
+      prompted = { ...cliTokens };
+    } else {
+      prompted = await withReadline((rl) => promptAll(rl, cliTokens, currentConfig, projectDir));
     }
-  }
-
-  // 5. Write all prompted values to ci.config.yaml
-  const ciFields = mapPromptsToCiFields(prompted);
-  const wrote = writeCiFields(projectDir, ciFields);
-  if (wrote) console.log('Configuration written to ci.config.yaml');
-
-  if (prompted.matchDeployKeyPath || prompted.matchGitUrl) {
-    const wroteMatch = writeMatchConfig(projectDir, {
-      deployKeyPath: prompted.matchDeployKeyPath,
-      gitUrl: prompted.matchGitUrl,
-    });
-    if (wroteMatch) console.log('Match credentials written to ci.config.yaml');
-  }
 
-  // 6. Handle languages separately
-  if (prompted.languages) {
-    const langStr = Array.isArray(prompted.languages)
-      ? prompted.languages.join(',')
-      : prompted.languages;
-    if (writeCiLanguages(projectDir, langStr)) {
-      console.log('Languages updated in ci.config.yaml');
+    if (writeCiFields(projectDir, mapPromptsToCiFields(prompted))) {
+      console.log('Configuration written to ci.config.yaml');
     }
-  }
-
-  // 7. Configure MCP, CLAUDE.md, settings
-  if (!isGitHubActions) {
-    const servers = getMcpServers(prompted);
-    writeMcpJson(projectDir, servers);
-  }
 
-  const baseDir = scope === 'user'
-    ? join(homedir(), '.claude')
-    : join(process.cwd(), '.claude');
-
-  ensureDir(baseDir);
-
-  installClaudeMd(join(baseDir, 'CLAUDE.md'), packageDir, prompted.appName);
+    if (prompted.matchDeployKeyPath || prompted.matchGitUrl) {
+      const wroteMatch = writeMatchConfig(projectDir, {
+        deployKeyPath: prompted.matchDeployKeyPath,
+        gitUrl: prompted.matchGitUrl,
+      });
+      if (wroteMatch) console.log('Match credentials written to ci.config.yaml');
+    }
 
-  installGitHubActionsPath(projectDir, packageDir, prompted);
+    if (prompted.languages) {
+      const langStr = Array.isArray(prompted.languages) ? prompted.languages.join(',') : prompted.languages;
+      if (writeCiLanguages(projectDir, langStr)) {
+        console.log('Languages updated in ci.config.yaml');
+      }
+    }
 
-  const scopeLabel = scope === 'user' ? 'global' : 'project';
-  console.log(`Configuring ${scopeLabel} settings...`);
-  const settingsPath = join(baseDir, 'settings.json');
-  injectEnvVars(settingsPath);
-  injectStatusLine(settingsPath);
+    if (!isGitHubActions) writeMcpJson(projectDir, getMcpServers(prompted));
+    installGitHubActionsPath(projectDir, packageDir, prompted);
 
-  // 8. Run post-install guides (interactive only)
-  if (!isGitHubActions && !nonInteractive) {
-    const { createInterface } = await import('node:readline');
-    const guideRl = createInterface({ input: process.stdin, output: process.stdout });
-    try {
-      const { runPostInstallGuides } = await import('./prompts/store-settings.mjs');
-      await runPostInstallGuides(guideRl, currentConfig);
-    } finally {
-      guideRl.close();
+    if (!isGitHubActions && !nonInteractive) {
+      await withReadline(async (rl) => {
+        const { runPostInstallGuides } = await import('./prompts/store-settings.mjs');
+        await runPostInstallGuides(rl, currentConfig);
+      });
     }
   }
 
-  // 9. Summary + dynamic next steps
+  const baseDir = isGlobal ? join(homedir(), '.claude') : join(projectDir, '.claude');
+  const appName = prompted.appName || (isGlobal ? 'your app' : undefined);
+  configureScopedSettings(baseDir, packageDir, appName, isGlobal ? 'global' : 'project');
+
   printSummary(scope, oldVersion, newVersion);
-  printNextSteps(prompted);
+  if (isGlobal) {
+    printGlobalNote();
+  } else {
+    printNextSteps(prompted);
+  }
 }

package/src/templates.mjs

@@ -55,7 +55,7 @@ export function installClaudeMd(targetPath, packageDir, appName) {
 
   let content = readFileSync(template, 'utf8');
   if (appName) {
-    content = content.replace(/\{APP_NAME\}/g, appName);
+    content = content.split('{APP_NAME}').join(appName);
   }
   writeFileSync(targetPath, content, 'utf8');
 }

package/src/uninstall.mjs

@@ -86,11 +86,15 @@ export async function runUninstall(scope) {
 
   runClaudeUninstall(scope);
 
+  let doneMessage;
   if (scope === 'user') {
     console.log('Removing marketplace...');
     rmSync(MARKETPLACE_DIR, { recursive: true, force: true });
     rmSync(CACHE_DIR, { recursive: true, force: true });
     unregisterMarketplace();
+    doneMessage = '\nDone! store-automator uninstalled globally.';
+  } else {
+    doneMessage = '\nDone! store-automator uninstalled from this project.\n\nNote: Marketplace files remain under ~/.claude/plugins/marketplaces.\nRun with --global --uninstall to remove marketplace completely.';
   }
 
   const isGlobal = scope === 'user';
@@ -98,15 +102,15 @@ export async function runUninstall(scope) {
   const scopeLabel = isGlobal ? 'global' : 'project';
 
   removeFileIfExists(join(baseDir, 'CLAUDE.md'), `${scopeLabel} CLAUDE.md`);
-  removeCiTemplates(process.cwd());
-  removeMcpServers(process.cwd());
+
+  if (!isGlobal) {
+    removeCiTemplates(process.cwd());
+    removeMcpServers(process.cwd());
+  }
 
   console.log(`Cleaning ${scopeLabel} settings...`);
   removeEnvVars(join(baseDir, 'settings.json'));
   removeStatusLine(join(baseDir, 'settings.json'));
 
-  console.log(isGlobal
-    ? '\nDone! store-automator uninstalled globally.'
-    : `\nDone! store-automator uninstalled from this project.\n\nNote: Marketplace files remain in ${MARKETPLACE_DIR}\nRun with --global --uninstall to remove marketplace completely.`
-  );
+  console.log(doneMessage);
 }

package/templates/github/workflows/ios-native-release.yml

@@ -0,0 +1,39 @@
+name: iOS Deploy
+
+# Native-Swift iOS release pipeline. Archives the app and uploads it to
+# TestFlight via the App Store Connect API.
+#
+# Required repository secrets:
+#   ASC_KEY_ID      App Store Connect API key id (e.g. "5NBDY6YXJ6")
+#   ASC_ISSUER_ID   App Store Connect API issuer id (uuid)
+#   ASC_KEY_P8      Full contents of the AuthKey_*.p8 file
+#
+# Edit the `with:` block below to match your project.
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+concurrency:
+  group: ios-deploy-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  deploy:
+    runs-on: macos-latest
+    timeout-minutes: 60
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: daemux/daemux-plugins/.github/actions/ios-native-testflight@main
+        with:
+          project: MyApp.xcodeproj
+          scheme: MyApp
+          bundle-id: com.example.myapp
+          team-id: ABCDE12345
+          app-store-apple-id: "1234567890"
+        env:
+          ASC_KEY_ID: ${{ secrets.ASC_KEY_ID }}
+          ASC_ISSUER_ID: ${{ secrets.ASC_ISSUER_ID }}
+          ASC_KEY_P8: ${{ secrets.ASC_KEY_P8 }}

package/templates/scripts/ci/ios-native/next_build_number.py

@@ -0,0 +1,73 @@
+#!/usr/bin/env python3
+"""
+Query App Store Connect for the highest-numbered build (across all states,
+all platforms) for this app and print `<highest + 1>` to stdout.
+
+If no builds exist yet, print 1.
+
+Environment:
+  ASC_KEY_ID           - API key ID
+  ASC_ISSUER_ID        - API issuer ID
+  ASC_KEY_PATH         - Path to the .p8 key file
+  APP_STORE_APPLE_ID   - App Store numeric app id
+"""
+
+from __future__ import annotations
+
+import os
+import sys
+import time
+
+import jwt
+import requests
+
+
+def env(name: str) -> str:
+    val = os.environ.get(name)
+    if not val:
+        raise SystemExit(f"missing env var: {name}")
+    return val
+
+
+def main() -> None:
+    key_id = env("ASC_KEY_ID")
+    issuer_id = env("ASC_ISSUER_ID")
+    key_path = env("ASC_KEY_PATH")
+    app_id = env("APP_STORE_APPLE_ID")
+
+    with open(key_path) as f:
+        key = f.read()
+
+    now = int(time.time())
+    token = jwt.encode(
+        {"iss": issuer_id, "iat": now, "exp": now + 600, "aud": "appstoreconnect-v1"},
+        key,
+        algorithm="ES256",
+        headers={"kid": key_id, "typ": "JWT"},
+    )
+
+    # Sort by -version requests highest version first; limit 200 is plenty.
+    url = (
+        "https://api.appstoreconnect.apple.com/v1/builds"
+        f"?filter[app]={app_id}&sort=-version&limit=200"
+    )
+    resp = requests.get(url, headers={"Authorization": f"Bearer {token}"})
+    if resp.status_code >= 400:
+        print(f"ASC builds list failed: {resp.status_code}\n{resp.text[:500]}", file=sys.stderr)
+        raise SystemExit(1)
+
+    highest = 0
+    for b in resp.json().get("data", []):
+        ver = b.get("attributes", {}).get("version")
+        try:
+            n = int(ver)
+        except (TypeError, ValueError):
+            continue
+        if n > highest:
+            highest = n
+
+    print(highest + 1)
+
+
+if __name__ == "__main__":
+    main()

package/templates/scripts/ci/ios-native/next_marketing_version.py

@@ -0,0 +1,93 @@
+#!/usr/bin/env python3
+"""
+Compute the next CFBundleShortVersionString for this app.
+
+Strategy:
+  * Look at all existing pre-release (TestFlight) and App Store versions.
+  * Take the highest semantic-version triple and bump its patch component.
+  * If no versions exist yet, return 1.0.0.
+
+Prints the chosen version to stdout.
+
+Environment:
+  ASC_KEY_ID, ASC_ISSUER_ID, ASC_KEY_PATH, APP_STORE_APPLE_ID
+"""
+
+from __future__ import annotations
+
+import os
+import re
+import sys
+import time
+
+import jwt
+import requests
+
+
+def env(name: str) -> str:
+    v = os.environ.get(name)
+    if not v:
+        raise SystemExit(f"missing env var: {name}")
+    return v
+
+
+SEM_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")
+
+
+def parse_sem(v: str) -> tuple[int, int, int] | None:
+    m = SEM_RE.match(v or "")
+    if not m:
+        return None
+    major = int(m.group(1))
+    minor = int(m.group(2))
+    patch = int(m.group(3) or 0)
+    return major, minor, patch
+
+
+def main() -> None:
+    key_id = env("ASC_KEY_ID")
+    issuer_id = env("ASC_ISSUER_ID")
+    key_path = env("ASC_KEY_PATH")
+    app_id = env("APP_STORE_APPLE_ID")
+
+    with open(key_path) as f:
+        key = f.read()
+    now = int(time.time())
+    token = jwt.encode(
+        {"iss": issuer_id, "iat": now, "exp": now + 600, "aud": "appstoreconnect-v1"},
+        key,
+        algorithm="ES256",
+        headers={"kid": key_id, "typ": "JWT"},
+    )
+    headers = {"Authorization": f"Bearer {token}"}
+
+    highest: tuple[int, int, int] = (0, 0, 0)
+
+    for endpoint, field in (
+        (f"/v1/apps/{app_id}/preReleaseVersions?limit=200", "version"),
+        (f"/v1/apps/{app_id}/appStoreVersions?limit=200", "versionString"),
+    ):
+        url = f"https://api.appstoreconnect.apple.com{endpoint}"
+        resp = requests.get(url, headers=headers)
+        if resp.status_code >= 400:
+            print(
+                f"ASC GET {endpoint} failed: {resp.status_code}\n{resp.text[:500]}",
+                file=sys.stderr,
+            )
+            raise SystemExit(1)
+        for item in resp.json().get("data", []):
+            v = item.get("attributes", {}).get(field)
+            parsed = parse_sem(v)
+            if parsed and parsed > highest:
+                highest = parsed
+
+    if highest == (0, 0, 0):
+        print("1.0.0")
+        return
+
+    major, minor, patch = highest
+    print(f"{major}.{minor}.{patch + 1}")
+
+
+if __name__ == "__main__":
+    main()

package/templates/scripts/ci/ios-native/prepare_signing.py

@@ -0,0 +1,361 @@
+#!/usr/bin/env python3
+"""
+Prepare iOS code signing on a fresh CI runner.
+
+Uses the App Store Connect API (auth via P8 key) to:
+  1. Generate an RSA private key + CSR
+  2. Revoke any previously-created CI Apple Distribution certs (marker match)
+  3. Create a new Apple Distribution certificate from the CSR
+  4. Ensure a provisioning profile with a known name exists for the bundle ID,
+     linked to the new cert. If it exists, delete+recreate to refresh it.
+  5. Install the profile into ~/Library/MobileDevice/Provisioning Profiles/
+  6. Import cert + private key into a dedicated temporary keychain and put
+     that keychain on the search list so codesign / xcodebuild can find it.
+
+Environment inputs:
+  ASC_KEY_ID        - App Store Connect API key ID
+  ASC_ISSUER_ID     - App Store Connect API issuer ID
+  ASC_KEY_PATH      - Path to the .p8 private key file
+  TEAM_ID           - Apple developer team ID
+  BUNDLE_ID         - App bundle identifier
+  PROFILE_NAME      - Desired provisioning profile name
+  RUNNER_TEMP       - GitHub Actions temp dir (for keychain + intermediates)
+
+Writes nothing to stdout that would leak secrets.
+"""
+
+from __future__ import annotations
+
+import base64
+import json
+import os
+import subprocess
+import sys
+import time
+from pathlib import Path
+
+import jwt
+import requests
+from cryptography import x509
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.x509.oid import NameOID
+
+
+ASC_BASE = "https://api.appstoreconnect.apple.com/v1"
+CERT_MARKER = "ScudoVPN-CI"
+
+
+def env(name: str) -> str:
+    val = os.environ.get(name)
+    if not val:
+        raise SystemExit(f"missing env var: {name}")
+    return val
+
+
+def make_jwt(key_id: str, issuer_id: str, key_path: str) -> str:
+    with open(key_path, "r") as f:
+        key = f.read()
+    now = int(time.time())
+    payload = {
+        "iss": issuer_id,
+        "iat": now,
+        "exp": now + 600,
+        "aud": "appstoreconnect-v1",
+    }
+    return jwt.encode(
+        payload, key, algorithm="ES256", headers={"kid": key_id, "typ": "JWT"}
+    )
+
+
+def api(method: str, path: str, token: str, **kwargs) -> requests.Response:
+    url = path if path.startswith("http") else f"{ASC_BASE}{path}"
+    headers = kwargs.pop("headers", {})
+    headers["Authorization"] = f"Bearer {token}"
+    if "json" in kwargs:
+        headers["Content-Type"] = "application/json"
+    resp = requests.request(method, url, headers=headers, **kwargs)
+    if resp.status_code >= 400:
+        raise SystemExit(
+            f"ASC API {method} {path} failed: {resp.status_code}\n{resp.text[:2000]}"
+        )
+    return resp
+
+
+def generate_key_and_csr() -> tuple[rsa.RSAPrivateKey, bytes, bytes]:
+    """Return (private_key, private_key_pem, csr_der)."""
+    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
+    csr = (
+        x509.CertificateSigningRequestBuilder()
+        .subject_name(
+            x509.Name(
+                [
+                    x509.NameAttribute(NameOID.COMMON_NAME, "ScudoVPN CI"),
+                    x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
+                ]
+            )
+        )
+        .sign(private_key, hashes.SHA256())
+    )
+    priv_pem = private_key.private_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PrivateFormat.PKCS8,
+        encryption_algorithm=serialization.NoEncryption(),
+    )
+    # Apple wants the CSR PEM base64 (without headers)
+    csr_pem = csr.public_bytes(serialization.Encoding.PEM)
+    csr_payload = b"".join(
+        line for line in csr_pem.splitlines() if not line.startswith(b"-----")
+    )
+    return private_key, priv_pem, csr_payload
+
+
+def newest_distribution_cert_id(token: str) -> str | None:
+    """Return the ID of the most-recently-created DISTRIBUTION cert, or None."""
+    resp = api(
+        "GET",
+        "/certificates?limit=200&sort=-id&filter[certificateType]=DISTRIBUTION",
+        token,
+    )
+    newest_id = None
+    newest_exp = ""
+    for cert in resp.json().get("data", []):
+        attrs = cert.get("attributes") or {}
+        # Use expirationDate as a proxy for creation time (cert expiration
+        # is exactly creation + 1 year for Apple Distribution certs).
+        exp = attrs.get("expirationDate") or ""
+        if exp > newest_exp:
+            newest_exp = exp
+            newest_id = cert["id"]
+    return newest_id
+
+
+def revoke_cert(token: str, cert_id: str) -> None:
+    print(f"Revoking distribution cert {cert_id}")
+    api("DELETE", f"/certificates/{cert_id}", token)
+
+
+def create_distribution_cert(token: str, csr_b64: str) -> tuple[str, bytes]:
+    """Return (certificate_id, DER-encoded certificate bytes).
+
+    Apple enforces a per-team cap on active Distribution certs. If the POST
+    comes back 409 (already have one or pending), revoke the newest existing
+    one and retry once. This is the CI-owned cert from a prior run.
+    """
+    body = {
+        "data": {
+            "type": "certificates",
+            "attributes": {
+                "csrContent": csr_b64,
+                "certificateType": "DISTRIBUTION",
+            },
+        }
+    }
+    url = f"{ASC_BASE}/certificates"
+    headers = {
+        "Authorization": f"Bearer {token}",
+        "Content-Type": "application/json",
+    }
+    resp = requests.post(url, headers=headers, json=body)
+    if resp.status_code == 409:
+        print("Distribution cert cap hit; revoking newest existing cert")
+        target = newest_distribution_cert_id(token)
+        if not target:
+            raise SystemExit(
+                "409 from cert create but no existing DISTRIBUTION cert "
+                "found to revoke"
+            )
+        revoke_cert(token, target)
+        resp = requests.post(url, headers=headers, json=body)
+    if resp.status_code >= 400:
+        raise SystemExit(
+            f"ASC API POST /certificates failed: {resp.status_code}\n"
+            f"{resp.text[:2000]}"
+        )
+    data = resp.json()["data"]
+    cert_id = data["id"]
+    cert_content_b64 = data["attributes"]["certificateContent"]
+    cert_der = base64.b64decode(cert_content_b64)
+    print(f"Created DISTRIBUTION cert {cert_id}")
+    return cert_id, cert_der
+
+
+def find_bundle_id(token: str, identifier: str) -> str:
+    resp = api(
+        "GET", f"/bundleIds?filter[identifier]={identifier}&limit=5", token
+    )
+    for item in resp.json().get("data", []):
+        if item["attributes"]["identifier"] == identifier:
+            return item["id"]
+    raise SystemExit(f"bundle id {identifier!r} not found in ASC")
+
+
+def delete_profile_by_name(token: str, name: str) -> None:
+    resp = api("GET", "/profiles?limit=200", token)
+    for p in resp.json().get("data", []):
+        if (p["attributes"].get("name") or "") == name:
+            pid = p["id"]
+            print(f"Deleting existing profile {pid} ({name})")
+            api("DELETE", f"/profiles/{pid}", token)
+
+
+def create_profile(
+    token: str, name: str, bundle_id_pk: str, cert_id: str
+) -> bytes:
+    body = {
+        "data": {
+            "type": "profiles",
+            "attributes": {
+                "name": name,
+                "profileType": "IOS_APP_STORE",
+            },
+            "relationships": {
+                "bundleId": {"data": {"type": "bundleIds", "id": bundle_id_pk}},
+                "certificates": {
+                    "data": [{"type": "certificates", "id": cert_id}]
+                },
+            },
+        }
+    }
+    resp = api("POST", "/profiles", token, json=body)
+    data = resp.json()["data"]
+    profile_content_b64 = data["attributes"]["profileContent"]
+    return base64.b64decode(profile_content_b64)
+
+
+def install_profile(profile_der: bytes) -> str:
+    """Write the .mobileprovision file and return its uuid."""
+    # Extract UUID from profile (it's CMS-signed plist)
+    # Use `security cms -D -i <path>` to decode.
+    profiles_dir = Path.home() / "Library/MobileDevice/Provisioning Profiles"
+    profiles_dir.mkdir(parents=True, exist_ok=True)
+    tmp_path = profiles_dir / "tmp.mobileprovision"
+    tmp_path.write_bytes(profile_der)
+    decoded = subprocess.check_output(
+        ["security", "cms", "-D", "-i", str(tmp_path)]
+    )
+    import plistlib
+
+    plist = plistlib.loads(decoded)
+    uuid = plist["UUID"]
+    final_path = profiles_dir / f"{uuid}.mobileprovision"
+    tmp_path.rename(final_path)
+    print(f"Installed provisioning profile {uuid} at {final_path}")
+    return uuid
+
+
+def write_p12(
+    private_key: rsa.RSAPrivateKey, cert_der: bytes, out_path: Path, passwd: str
+) -> None:
+    cert = x509.load_der_x509_certificate(cert_der)
+    from cryptography.hazmat.primitives.serialization import pkcs12
+
+    p12 = pkcs12.serialize_key_and_certificates(
+        name=b"ScudoVPN CI",
+        key=private_key,
+        cert=cert,
+        cas=None,
+        encryption_algorithm=serialization.BestAvailableEncryption(
+            passwd.encode()
+        ),
+    )
+    out_path.write_bytes(p12)
+
+
+def setup_keychain(p12_path: Path, p12_pass: str) -> str:
+    runner_temp = env("RUNNER_TEMP")
+    keychain_path = os.path.join(runner_temp, "ci.keychain-db")
+    keychain_pass = "ci"
+    # Remove stale
+    subprocess.run(
+        ["security", "delete-keychain", keychain_path],
+        check=False,
+        capture_output=True,
+    )
+    subprocess.check_call(
+        ["security", "create-keychain", "-p", keychain_pass, keychain_path]
+    )
+    subprocess.check_call(
+        ["security", "set-keychain-settings", "-lut", "21600", keychain_path]
+    )
+    subprocess.check_call(
+        ["security", "unlock-keychain", "-p", keychain_pass, keychain_path]
+    )
+    # Import the p12
+    subprocess.check_call(
+        [
+            "security",
+            "import",
+            str(p12_path),
+            "-P",
+            p12_pass,
+            "-A",  # allow any app to read (simplest for CI)
+            "-t",
+            "cert",
+            "-f",
+            "pkcs12",
+            "-k",
+            keychain_path,
+        ]
+    )
+    # Allow codesign to use the key without prompts (modern macOS)
+    subprocess.check_call(
+        [
+            "security",
+            "set-key-partition-list",
+            "-S",
+            "apple-tool:,apple:,codesign:",
+            "-s",
+            "-k",
+            keychain_pass,
+            keychain_path,
+        ]
+    )
+    # Add to default search list (in addition to login + System)
+    existing = subprocess.check_output(
+        ["security", "list-keychains", "-d", "user"]
+    ).decode()
+    existing_list = [
+        line.strip().strip('"')
+        for line in existing.splitlines()
+        if line.strip()
+    ]
+    new_list = [keychain_path] + [
+        k for k in existing_list if k != keychain_path
+    ]
+    subprocess.check_call(
+        ["security", "list-keychains", "-d", "user", "-s", *new_list]
+    )
+    subprocess.check_call(
+        ["security", "default-keychain", "-s", keychain_path]
+    )
+    print(f"Keychain ready: {keychain_path}")
+    return keychain_path
+
+
+def main() -> None:
+    key_id = env("ASC_KEY_ID")
+    issuer_id = env("ASC_ISSUER_ID")
+    asc_key_path = env("ASC_KEY_PATH")
+    bundle_id = env("BUNDLE_ID")
+    profile_name = env("PROFILE_NAME")
+    runner_temp = env("RUNNER_TEMP")
+
+    token = make_jwt(key_id, issuer_id, asc_key_path)
+
+    private_key, priv_pem, csr_b64 = generate_key_and_csr()
+    cert_id, cert_der = create_distribution_cert(token, csr_b64.decode())
+
+    bundle_pk = find_bundle_id(token, bundle_id)
+    delete_profile_by_name(token, profile_name)
+    profile_der = create_profile(token, profile_name, bundle_pk, cert_id)
+    install_profile(profile_der)
+
+    p12_pass = "ci"
+    p12_path = Path(runner_temp) / "cert.p12"
+    write_p12(private_key, cert_der, p12_path, p12_pass)
+    setup_keychain(p12_path, p12_pass)
+
+
+if __name__ == "__main__":
+    main()