@daemux/store-automator 0.10.73 → 0.10.75

package/.claude-plugin/marketplace.json

@@ -5,14 +5,14 @@
   },
   "metadata": {
     "description": "App Store & Google Play automation for Flutter apps",
-    "version": "0.10.73"
+    "version": "0.10.75"
   },
   "plugins": [
     {
       "name": "store-automator",
       "source": "./plugins/store-automator",
       "description": "3 agents for app store publishing: reviewer, meta-creator, media-designer",
-      "version": "0.10.73",
+      "version": "0.10.75",
       "keywords": [
         "flutter",
         "app-store",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@daemux/store-automator",
-  "version": "0.10.73",
+  "version": "0.10.75",
   "description": "Full App Store & Google Play automation for Flutter apps with Claude Code agents",
   "type": "module",
   "bin": {

package/plugins/store-automator/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "store-automator",
-  "version": "0.10.73",
+  "version": "0.10.75",
   "description": "App Store & Google Play automation agents for Flutter app publishing",
   "author": {
     "name": "Daemux"

package/templates/ci.config.yaml.template

@@ -57,3 +57,8 @@ web:
   jurisdiction: "State of California, United States"
   app_store_url: ""
   google_play_url: ""
+
+# -----------------------------------------------------------------------------
+# For native iOS apps (Swift/SwiftUI without Flutter), use
+# ios-native-ci.config.yaml.template instead of this file.
+# -----------------------------------------------------------------------------

package/templates/github/IOS_NATIVE_CI_SETUP.md

@@ -0,0 +1,80 @@
+# iOS Native TestFlight CI — Setup Guide
+
+Drop-in TestFlight automation for native Swift/SwiftUI iOS apps. One workflow, one config file, one credential file. All logic lives in the shared composite action `daemux/daemux-plugins/.github/actions/ios-native-testflight`.
+
+## Prerequisites
+
+- **Private GitHub repo** (holds the ASC API key `.p8` file).
+- **Apple Developer Program** membership with an App Store Connect user that can create API keys.
+- **ASC API Key** with `App Manager` role, downloaded as `AuthKey_<KEY_ID>.p8` (Apple lets you download this exactly once).
+- Xcode project builds locally on macOS 15 / Xcode 16.
+
+## Step 1 — Copy the workflow
+
+Copy `.github/workflows/deploy.yml` verbatim from this template. No edits required. It triggers on push to `main` and via `workflow_dispatch`.
+
+## Step 2 — Copy `ci.config.yaml`
+
+Copy `ios-native-ci.config.yaml.template` to your repo root as `ci.config.yaml`. Fill in:
+
+- `app.bundle_id` — REQUIRED (must match your App Store Connect app record).
+- `xcode.scheme` — REQUIRED (the shared scheme the CI should archive).
+
+Every other field has a sensible default. `xcode.project` auto-detects if there is exactly one `*.xcodeproj` at the repo root. `app.app_store_apple_id` is auto-discovered via the ASC API from the bundle id.
+
+## Step 3 — Drop in the ASC API key
+
+Rename the downloaded key to include both the key id and the issuer uuid, then put it under `creds/`:
+
+```
+creds/AuthKey_<KEY_ID>_Issuer_<ISSUER_UUID>.p8
+```
+
+Example: `creds/AuthKey_5NBDY6YXJ6_Issuer_69a6de77-xxxx-xxxx-xxxx-xxxxxxxxxxxx.p8`.
+
+The composite action parses the key id and issuer id from the filename — no GitHub secrets to configure.
+
+## Step 4 — Register the app in App Store Connect (one-time)
+
+App Store Connect requires a human-in-the-loop 2FA step the first time. Either:
+
+- Run `fastlane create_app_ios` locally with `APPLE_ID`, `BUNDLE_ID`, `APP_NAME` exported, or
+- Create the app manually in the App Store Connect web UI (My Apps → + → New App).
+
+Subsequent builds need neither — the ASC API key handles everything.
+
+## Step 5 — MARKETING_VERSION
+
+Leave your Xcode project's `MARKETING_VERSION` at `1.0` initially. CI auto-rolls the marketing version forward (patch bump) whenever the prior version hits `READY_FOR_SALE` in App Store Connect. Until then, the pipeline keeps bumping the build number against the current marketing version.
+
+## Step 6 — Push to `main`
+
+```bash
+git add .github/workflows/deploy.yml ci.config.yaml creds/AuthKey_*.p8
+git commit -m "ci: add iOS TestFlight pipeline"
+git push origin main
+```
+
+GitHub Actions triggers the workflow. On success, the build appears in TestFlight within 5–15 minutes (Apple processing delay).
+
+## Troubleshooting
+
+| Error | Likely Cause | Fix |
+|-------|--------------|-----|
+| `No ASC key found in creds/` | File missing or misnamed | Filename must match `AuthKey_<KEY_ID>_Issuer_<ISSUER_UUID>.p8` exactly |
+| `No ASC app found for bundle <id>` | App not yet registered in ASC | Run Step 4 (create the app record) |
+| `MARKETING_VERSION not set` | Missing in `.pbxproj` | Set `MARKETING_VERSION = 1.0;` in your target's build settings |
+| Apple refuses new version | Prior version not in `READY_FOR_SALE` | Let the existing version finish review, or manually bump `MARKETING_VERSION` in Xcode |
+| `Scheme not found` | Scheme not shared | In Xcode: Product → Scheme → Manage Schemes → tick "Shared", commit `*.xcscheme` |
+
+## Credential rotation
+
+ASC API keys can be revoked at any time. Rotate via:
+
+```bash
+rm creds/AuthKey_OLD*.p8
+cp ~/Downloads/AuthKey_NEW_*.p8 creds/AuthKey_NEW_Issuer_<ISSUER_UUID>.p8
+git add creds/
+git commit -m "ci: rotate ASC API key"
+git push
+```

package/templates/github/workflows/deploy.yml

@@ -0,0 +1,18 @@
+name: iOS Deploy
+on:
+  push:
+    branches: [main]
+    paths-ignore: ['**/*.md', '.gitignore']
+  workflow_dispatch:
+
+concurrency:
+  group: ios-deploy-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  deploy:
+    runs-on: macos-15
+    timeout-minutes: 60
+    steps:
+      - uses: actions/checkout@v4
+      - uses: daemux/daemux-plugins/.github/actions/ios-native-testflight@main

package/templates/ios-native-ci.config.yaml.template

@@ -0,0 +1,30 @@
+# iOS TestFlight CI configuration — read by daemux/daemux-plugins/.github/actions/ios-native-testflight
+# Place this at the repo root as ci.config.yaml.
+# Also place your ASC API key at creds/AuthKey_<KEY_ID>_Issuer_<ISSUER_UUID>.p8
+
+app:
+  bundle_id: "com.example.myapp"         # REQUIRED
+  team_id: "ABCDE12345"                  # optional (used for manual signing)
+  app_store_apple_id: ""                 # optional — auto-discovered via ASC API by bundle_id
+
+xcode:
+  project: ""                            # auto-detected if exactly one *.xcodeproj at root
+  workspace: ""                          # wins over project when set
+  scheme: "MyApp"                        # REQUIRED — no safe auto-detect
+  configuration: "Release"               # default: Release
+  profile_name: ""                       # default: "<scheme> CI"
+
+ios:
+  uses_non_exempt_encryption: false      # false | true | "" to skip write
+
+testflight:
+  whats_new: |
+    - Improved performance
+    - Bug fixes
+    - Enhanced security
+  locale: "en-US"
+
+ci:
+  run_tests: false
+  test_command: ""                       # optional
+  test_destination: "platform=iOS Simulator,name=iPhone 15"

package/templates/scripts/ci/ios-native/cfg_io.py

@@ -0,0 +1,27 @@
+#!/usr/bin/env python3
+"""
+Tiny shared IO helpers for ios-native-testflight scripts.
+
+Kept deliberately minimal so that read_config.py and lookup_app_id.py can
+import without pulling in heavier dependencies (PyYAML, requests, PyJWT).
+"""
+
+from __future__ import annotations
+
+import sys
+
+
+def log(msg: str) -> None:
+    """Debug log to stderr (never contains .p8 contents)."""
+    print(msg, file=sys.stderr)
+
+
+def notice(msg: str) -> None:
+    """GitHub Actions workflow-command notice."""
+    print(f"::notice::{msg}")
+
+
+def fail(msg: str) -> str:
+    """Emit a GitHub Actions workflow-command error and exit 1."""
+    print(f"::error::{msg}", file=sys.stderr)
+    raise SystemExit(1)

package/templates/scripts/ci/ios-native/cfg_resolve.py

@@ -0,0 +1,212 @@
+#!/usr/bin/env python3
+"""
+Config loading + value-resolution helpers for ios-native-testflight.
+
+Pulled out of read_config.py to keep any single file under the 400-line /
+10-function project limits.
+
+Contents:
+    load_config         YAML loader (returns {} if missing)
+    emit                $GITHUB_ENV writer (handles multi-line via heredoc)
+    dig / pick          Safe nested dict access
+    pick_with_source    Flat-path-first, legacy-alias-second lookup
+    resolve             Apply input -> config -> auto -> default precedence
+    auto_project_glob   Repo-root *.xcodeproj / *.xcworkspace autodetect
+    as_str_bool         YAML bool -> "true"/"false"/None
+    find_p8             Locate ASC .p8 key in creds/
+    lookup_app_id_via_api  Subprocess helper — calls lookup_app_id.py
+"""
+
+from __future__ import annotations
+
+import os
+import re
+import sys
+from pathlib import Path
+from typing import Any
+
+import yaml
+
+from cfg_io import fail, log, notice
+
+
+P8_RE = re.compile(
+    r"^AuthKey_([A-Z0-9]{8,10})(?:_Issuer_([0-9a-fA-F-]{36}))?\.p8$"
+)
+
+
+def load_config(workspace: Path, rel_path: str) -> dict:
+    """Load a YAML config from ``workspace/rel_path``. Returns {} if missing."""
+    cfg_path = workspace / rel_path
+    if not cfg_path.is_file():
+        notice(
+            f"{rel_path} not found at {cfg_path}; proceeding with inputs and defaults only"
+        )
+        return {}
+    try:
+        with cfg_path.open("r") as fh:
+            data = yaml.safe_load(fh)
+    except yaml.YAMLError as exc:
+        fail(f"failed to parse {rel_path}: {exc}")
+    if data is None:
+        return {}
+    if not isinstance(data, dict):
+        fail(f"{rel_path} root must be a mapping")
+    log(f"loaded config from {cfg_path}")
+    return data
+
+
+def emit(env_file: Path, name: str, value: str) -> None:
+    """Append NAME=VALUE (or multi-line NAME<<EOF ... EOF) to $GITHUB_ENV."""
+    if value is None:
+        value = ""
+    if "\n" in value:
+        delim = "EOF"
+        while delim in value:
+            delim += "X"
+        with env_file.open("a") as fh:
+            fh.write(f"{name}<<{delim}\n{value}\n{delim}\n")
+    else:
+        with env_file.open("a") as fh:
+            fh.write(f"{name}={value}\n")
+
+
+def dig(cfg: dict, *path: str, default: Any = None) -> Any:
+    """Safe nested .get across dict path. Returns default if any key missing."""
+    node: Any = cfg
+    for key in path:
+        if not isinstance(node, dict):
+            return default
+        node = node.get(key)
+        if node is None:
+            return default
+    return node
+
+
+def pick(cfg: dict, *paths: tuple) -> Any:
+    """Return the first non-None/non-empty value among a series of paths."""
+    for path in paths:
+        val = dig(cfg, *path)
+        if val not in (None, ""):
+            return val
+    return None
+
+
+def pick_with_source(cfg: dict, flat: tuple, legacy: tuple) -> tuple[Any, str]:
+    """Return (value, source) — flat path wins; legacy alias as fallback."""
+    flat_val = dig(cfg, *flat)
+    if flat_val not in (None, ""):
+        return flat_val, "config"
+    legacy_val = dig(cfg, *legacy)
+    if legacy_val not in (None, ""):
+        return legacy_val, "config(legacy)"
+    return None, "config"
+
+
+def resolve(
+    input_val: str,
+    cfg_val: Any,
+    *,
+    cfg_source: str = "config",
+    auto_val: str = "",
+    default: str = "",
+) -> tuple[str, str]:
+    """Apply precedence: input > config > auto > default > empty."""
+    if input_val:
+        return input_val, "input"
+    if cfg_val not in (None, ""):
+        return str(cfg_val), cfg_source
+    if auto_val:
+        return auto_val, "auto-detect"
+    if default:
+        return default, "default"
+    return "", "empty"
+
+
+def auto_project_glob(workspace: Path, suffix: str) -> str:
+    """Return the single matching *suffix file at repo root, else empty."""
+    matches = sorted(workspace.glob(f"*{suffix}"))
+    if len(matches) == 1:
+        return matches[0].name
+    return ""
+
+
+def as_str_bool(val: Any) -> str | None:
+    """Normalize YAML bool / string / None to 'true'|'false'|None."""
+    if val is None:
+        return None
+    if isinstance(val, bool):
+        return "true" if val else "false"
+    s = str(val).strip().lower()
+    if s in ("true", "yes", "1"):
+        return "true"
+    if s in ("false", "no", "0"):
+        return "false"
+    return s  # let downstream validate
+
+
+def find_p8(workspace: Path, cfg: dict) -> tuple[Path, str, str | None]:
+    """Locate the ASC .p8 key. Returns (path, key_id, issuer_from_filename)."""
+    creds_dir = workspace / "creds"
+    matches = sorted(creds_dir.glob("AuthKey_*.p8"))
+    if not matches:
+        fail(
+            "No ASC key found. Place "
+            "AuthKey_<KEY_ID>_Issuer_<ISSUER_UUID>.p8 in creds/."
+        )
+
+    parsed: list[tuple[Path, str, str | None]] = []
+    for p in matches:
+        m = P8_RE.match(p.name)
+        if not m:
+            log(f"skipping {p.name}: does not match AuthKey_<KEY_ID>[_Issuer_<UUID>].p8")
+            continue
+        parsed.append((p, m.group(1), m.group(2)))
+
+    if not parsed:
+        fail(
+            "Found .p8 file(s) in creds/ but none match the required naming "
+            "pattern AuthKey_<KEY_ID>[_Issuer_<UUID>].p8"
+        )
+
+    if len(parsed) == 1:
+        return parsed[0]
+
+    config_key_id = pick(cfg, ("credentials", "apple", "key_id"), ("asc", "key_id"))
+    if not config_key_id:
+        names = ", ".join(p.name for p, _, _ in parsed)
+        fail(
+            f"Multiple ASC keys found in creds/ ({names}). "
+            "Set credentials.apple.key_id in ci.config.yaml to choose one."
+        )
+    for entry in parsed:
+        if entry[1] == config_key_id:
+            return entry
+    fail(
+        f"credentials.apple.key_id={config_key_id} did not match any .p8 in "
+        f"creds/ (found key_ids: {', '.join(k for _, k, _ in parsed)})"
+    )
+
+
+def lookup_app_id_via_api(bundle_id: str, scripts_dir: Path) -> str:
+    """Invoke lookup_app_id.py to resolve apple_id via ASC API."""
+    import subprocess
+
+    script = scripts_dir / "lookup_app_id.py"
+    if not script.is_file():
+        fail(f"lookup_app_id.py not found at {script}")
+    env = dict(os.environ)
+    env["BUNDLE_ID"] = bundle_id
+    result = subprocess.run(
+        [sys.executable, str(script)],
+        env=env,
+        capture_output=True,
+        text=True,
+    )
+    if result.returncode != 0:
+        sys.stderr.write(result.stderr)
+        fail(
+            f"No ASC app found for bundle {bundle_id}. "
+            "Run `fastlane create_app_ios` once manually to register the app."
+        )
+    return result.stdout.strip()

package/templates/scripts/ci/ios-native/lookup_app_id.py

@@ -0,0 +1,51 @@
+#!/usr/bin/env python3
+"""
+Resolve the App Store Connect numeric app id for a bundle id.
+
+Environment:
+    ASC_KEY_ID     - API key ID
+    ASC_ISSUER_ID  - API issuer ID
+    ASC_KEY_PATH   - Path to the .p8 key file
+    BUNDLE_ID      - Application bundle identifier
+
+Prints the app id to stdout on success. On 0 or >1 matches, exits 1 with a
+guidance message on stderr.
+"""
+
+from __future__ import annotations
+
+import os
+
+from asc_common import get_json, make_jwt
+from cfg_io import fail
+
+
+def env(name: str) -> str:
+    val = os.environ.get(name)
+    if not val:
+        fail(f"missing env var: {name}")
+    return val
+
+
+def main() -> None:
+    bundle_id = env("BUNDLE_ID")
+    token = make_jwt(env("ASC_KEY_ID"), env("ASC_ISSUER_ID"), env("ASC_KEY_PATH"))
+    data = get_json("/apps", token, params={"filter[bundleId]": bundle_id, "limit": "10"})
+    apps = data.get("data", [])
+    if not apps:
+        fail(
+            f"No ASC app found for bundleId={bundle_id}. "
+            "Run `fastlane create_app_ios` once manually to register the app, "
+            "or set app.app_store_apple_id in ci.config.yaml."
+        )
+    if len(apps) > 1:
+        ids = ", ".join(a.get("id", "?") for a in apps)
+        fail(
+            f"Multiple ASC apps match bundleId={bundle_id} (ids: {ids}). "
+            "Set app.app_store_apple_id in ci.config.yaml to disambiguate."
+        )
+    print(apps[0]["id"])
+
+
+if __name__ == "__main__":
+    main()

package/templates/scripts/ci/ios-native/read_config.py

@@ -0,0 +1,289 @@
+#!/usr/bin/env python3
+"""
+Read ci.config.yaml + discover ASC API key in creds/, then emit derived CI
+environment variables to $GITHUB_ENV.
+
+Schema (flat — primary, canonical):
+    app.{bundle_id, team_id, app_store_apple_id}
+    xcode.{project, workspace, scheme, configuration, profile_name}
+    ios.{uses_non_exempt_encryption}
+    testflight.{whats_new, locale}
+    ci.{run_tests, test_command, test_destination}
+    credentials.apple.{key_id, issuer_id}  OR  asc.{key_id, issuer_id}
+
+Legacy aliases (accepted for back-compat, never preferred):
+    ios.native.{project, workspace, scheme, configuration, profile_name,
+                team_id, app_store_apple_id, uses_non_exempt_encryption,
+                whats_new, locale, run_tests, test_command, test_destination,
+                tests.{run, command, destination}}
+    app_store.locale (third-tier fallback only)
+
+Precedence for every CFG_* value:
+    1. Explicit action input (INPUT_* env var)
+    2. Flat-schema config value
+    3. Legacy ios.native.* alias
+    4. Auto-detected value (xcodeproj/xcworkspace glob) or built-in default
+    5. Empty string (composite action step applies its own default / skips)
+
+Built-in defaults (emitted when no config/input exists):
+    CFG_CONFIGURATION=Release, CFG_USES_NON_EXEMPT=false,
+    CFG_RUN_TESTS=false, CFG_LOCALE=en-US, CFG_PROFILE_NAME="<scheme> CI".
+All other CFG_* fields emit empty and rely on action.yml-level fallbacks.
+
+The ASC .p8 key is located by globbing ``creds/AuthKey_*.p8`` with filename
+regex AuthKey_<KEY_ID>[_Issuer_<ISSUER_UUID>].p8. Multiple matches require
+``credentials.apple.key_id`` (or ``asc.key_id``) in config to disambiguate.
+
+Writes to $GITHUB_ENV:
+    ASC_KEY_ID, ASC_ISSUER_ID, ASC_KEY_P8_PATH, ASC_KEY_P8,
+    CFG_PROJECT, CFG_WORKSPACE, CFG_SCHEME, CFG_CONFIGURATION,
+    CFG_BUNDLE_ID, CFG_TEAM_ID, CFG_APP_STORE_APPLE_ID, CFG_PROFILE_NAME,
+    CFG_USES_NON_EXEMPT, CFG_WHATS_NEW, CFG_LOCALE,
+    CFG_RUN_TESTS, CFG_TEST_COMMAND, CFG_TEST_DESTINATION
+"""
+
+from __future__ import annotations
+
+import os
+from pathlib import Path
+
+from cfg_io import fail, log
+from cfg_resolve import (
+    as_str_bool,
+    auto_project_glob,
+    dig,
+    emit,
+    find_p8,
+    load_config,
+    lookup_app_id_via_api,
+    pick,
+    pick_with_source,
+    resolve,
+)
+
+
+DEFAULT_WHATS_NEW = (
+    "- Improved performance: faster, smoother app experience\n"
+    "- Bug fixes: minor issues resolved for seamless use\n"
+    "- Enhanced security: updated to protect your data\n"
+)
+
+
+def emit_credentials(env_file: Path, cfg: dict, workspace: Path) -> dict:
+    """Discover .p8, derive ASC_KEY_ID / ISSUER / PATH, emit to env_file.
+
+    Returns {'key_id', 'issuer_id', 'key_path'} for downstream use.
+    """
+    p8_path, key_id_from_file, issuer_from_file = find_p8(workspace, cfg)
+    try:
+        p8_contents = p8_path.read_text()
+    except OSError as exc:
+        fail(f"cannot read {p8_path}: {exc}")
+
+    cfg_key_id = pick(cfg, ("credentials", "apple", "key_id"), ("asc", "key_id"))
+    cfg_issuer = pick(cfg, ("credentials", "apple", "issuer_id"), ("asc", "issuer_id"))
+    asc_key_id = cfg_key_id or key_id_from_file
+    asc_issuer = cfg_issuer or issuer_from_file
+    if not asc_issuer:
+        fail(
+            "ASC issuer id unknown: neither the filename contains _Issuer_<UUID> "
+            "nor credentials.apple.issuer_id is set in ci.config.yaml."
+        )
+
+    emit(env_file, "ASC_KEY_ID", str(asc_key_id))
+    emit(env_file, "ASC_ISSUER_ID", str(asc_issuer))
+    emit(env_file, "ASC_KEY_P8_PATH", str(p8_path))
+    emit(env_file, "ASC_KEY_P8", p8_contents)
+    log(f"ASC_KEY_ID={asc_key_id} (source: {'config' if cfg_key_id else 'filename'})")
+    log(f"ASC_ISSUER_ID={asc_issuer} (source: {'config' if cfg_issuer else 'filename'})")
+    log(f"ASC_KEY_P8_PATH={p8_path}")
+    return {"key_id": str(asc_key_id), "issuer_id": str(asc_issuer), "key_path": str(p8_path)}
+
+
+def resolve_xcode(cfg: dict, workspace: Path, inp: dict) -> dict:
+    """Resolve project / workspace / scheme / configuration / profile_name."""
+    proj_cfg, proj_src = pick_with_source(cfg, ("xcode", "project"), ("ios", "native", "project"))
+    ws_cfg, ws_src = pick_with_source(cfg, ("xcode", "workspace"), ("ios", "native", "workspace"))
+    scheme_cfg, scheme_src = pick_with_source(cfg, ("xcode", "scheme"), ("ios", "native", "scheme"))
+    config_cfg, config_src = pick_with_source(
+        cfg, ("xcode", "configuration"), ("ios", "native", "configuration"),
+    )
+    profile_cfg, profile_src = pick_with_source(
+        cfg, ("xcode", "profile_name"), ("ios", "native", "profile_name"),
+    )
+
+    project = resolve(
+        inp["PROJECT"], proj_cfg, cfg_source=proj_src,
+        auto_val=auto_project_glob(workspace, ".xcodeproj"),
+    )
+    ws_val = resolve(
+        inp["WORKSPACE"], ws_cfg, cfg_source=ws_src,
+        auto_val=auto_project_glob(workspace, ".xcworkspace"),
+    )
+    scheme = resolve(inp["SCHEME"], scheme_cfg, cfg_source=scheme_src)
+    configuration = resolve(
+        inp["CONFIGURATION"], config_cfg, cfg_source=config_src, default="Release",
+    )
+    default_profile = f"{scheme[0]} CI" if scheme[0] else ""
+    profile_name = resolve(
+        inp["PROFILE_NAME"], profile_cfg, cfg_source=profile_src, default=default_profile,
+    )
+    return {
+        "project": project,
+        "workspace": ws_val,
+        "scheme": scheme,
+        "configuration": configuration,
+        "profile_name": profile_name,
+    }
+
+
+def resolve_app(cfg: dict, inp: dict, creds: dict, scripts_dir: Path) -> dict:
+    """Resolve bundle_id / team_id / app_store_apple_id (with ASC-API fallback)."""
+    bundle_cfg, bundle_src = pick_with_source(cfg, ("app", "bundle_id"), ("ios", "native", "bundle_id"))
+    team_cfg, team_src = pick_with_source(cfg, ("app", "team_id"), ("ios", "native", "team_id"))
+    apple_cfg, apple_src = pick_with_source(
+        cfg, ("app", "app_store_apple_id"), ("ios", "native", "app_store_apple_id"),
+    )
+
+    bundle = resolve(inp["BUNDLE_ID"], bundle_cfg, cfg_source=bundle_src)
+    team = resolve(inp["TEAM_ID"], team_cfg, cfg_source=team_src)
+
+    if inp["APP_STORE_APPLE_ID"]:
+        apple = (inp["APP_STORE_APPLE_ID"], "input")
+    elif apple_cfg not in (None, ""):
+        apple = (str(apple_cfg), apple_src)
+    elif bundle[0]:
+        os.environ["ASC_KEY_ID"] = creds["key_id"]
+        os.environ["ASC_ISSUER_ID"] = creds["issuer_id"]
+        os.environ["ASC_KEY_PATH"] = creds["key_path"]
+        apple = (lookup_app_id_via_api(bundle[0], scripts_dir), "api-lookup")
+    else:
+        apple = ("", "empty")
+    return {"bundle_id": bundle, "team_id": team, "app_store_apple_id": apple}
+
+
+def resolve_testflight(cfg: dict, inp: dict) -> dict:
+    """Resolve whats_new / locale from testflight.* or legacy aliases."""
+    whats_cfg, whats_src = pick_with_source(
+        cfg, ("testflight", "whats_new"), ("ios", "native", "whats_new"),
+    )
+    locale_cfg, locale_src = pick_with_source(
+        cfg, ("testflight", "locale"), ("ios", "native", "locale"),
+    )
+    if locale_cfg in (None, ""):
+        alt = dig(cfg, "app_store", "locale")
+        if alt not in (None, ""):
+            locale_cfg, locale_src = alt, "config(legacy)"
+    return {
+        "whats_new": resolve(
+            inp["WHATS_NEW"], whats_cfg, cfg_source=whats_src, default=DEFAULT_WHATS_NEW,
+        ),
+        "locale": resolve(inp["LOCALE"], locale_cfg, cfg_source=locale_src, default="en-US"),
+    }
+
+
+def resolve_tests(cfg: dict, inp: dict) -> dict:
+    """Resolve run_tests / test_command / test_destination from ci.* or legacy."""
+    run_flat = dig(cfg, "ci", "run_tests")
+    run_legacy = dig(cfg, "ios", "native", "run_tests")
+    if run_legacy is None:
+        run_legacy = dig(cfg, "ios", "native", "tests", "run")
+    run_cfg, run_src = (run_flat, "config") if run_flat is not None else (run_legacy, "config(legacy)")
+
+    cmd_flat = dig(cfg, "ci", "test_command")
+    cmd_legacy = dig(cfg, "ios", "native", "test_command") or dig(cfg, "ios", "native", "tests", "command")
+    cmd_cfg, cmd_src = (
+        (cmd_flat, "config") if cmd_flat not in (None, "") else (cmd_legacy, "config(legacy)")
+    )
+
+    dest_flat = dig(cfg, "ci", "test_destination")
+    dest_legacy = (
+        dig(cfg, "ios", "native", "test_destination")
+        or dig(cfg, "ios", "native", "tests", "destination")
+    )
+    dest_cfg, dest_src = (
+        (dest_flat, "config") if dest_flat not in (None, "") else (dest_legacy, "config(legacy)")
+    )
+
+    return {
+        "run_tests": resolve(
+            inp["RUN_TESTS"], as_str_bool(run_cfg), cfg_source=run_src, default="false",
+        ),
+        "test_command": resolve(inp["TEST_COMMAND"], cmd_cfg, cfg_source=cmd_src),
+        "test_destination": resolve(inp["TEST_DESTINATION"], dest_cfg, cfg_source=dest_src),
+    }
+
+
+def resolve_ios(cfg: dict, inp: dict) -> dict:
+    """Resolve ios.uses_non_exempt_encryption (flat) with legacy fallback."""
+    val_flat = dig(cfg, "ios", "uses_non_exempt_encryption")
+    # Flat lookup can accidentally return the legacy 'native' sub-dict; ignore.
+    if isinstance(val_flat, dict):
+        val_flat = None
+    val_legacy = dig(cfg, "ios", "native", "uses_non_exempt_encryption")
+    if val_flat is not None:
+        raw, src = val_flat, "config"
+    elif val_legacy is not None:
+        raw, src = val_legacy, "config(legacy)"
+    else:
+        raw, src = None, "config"
+    return {
+        "uses_non_exempt": resolve(
+            inp["USES_NON_EXEMPT"], as_str_bool(raw), cfg_source=src, default="false",
+        )
+    }
+
+
+def collect_inputs() -> dict:
+    """Read all INPUT_* env vars the composite action passes in."""
+    names = (
+        "PROJECT", "WORKSPACE", "SCHEME", "CONFIGURATION", "PROFILE_NAME",
+        "BUNDLE_ID", "TEAM_ID", "APP_STORE_APPLE_ID",
+        "USES_NON_EXEMPT", "WHATS_NEW", "LOCALE",
+        "RUN_TESTS", "TEST_COMMAND", "TEST_DESTINATION",
+    )
+    return {name: os.environ.get(f"INPUT_{name}", "") for name in names}
+
+
+def main() -> None:
+    workspace = Path(os.environ.get("GITHUB_WORKSPACE", "."))
+    scripts_dir = Path(__file__).resolve().parent
+    env_file_path = os.environ.get("GITHUB_ENV")
+    if not env_file_path:
+        fail("GITHUB_ENV not set; this script must run inside a GitHub Actions step")
+    env_file = Path(env_file_path)
+
+    cfg = load_config(workspace, os.environ.get("CONFIG_PATH", "ci.config.yaml"))
+    inputs = collect_inputs()
+
+    creds = emit_credentials(env_file, cfg, workspace)
+    xc = resolve_xcode(cfg, workspace, inputs)
+    app = resolve_app(cfg, inputs, creds, scripts_dir)
+    tf = resolve_testflight(cfg, inputs)
+    ios = resolve_ios(cfg, inputs)
+    tests = resolve_tests(cfg, inputs)
+
+    derived = [
+        ("CFG_PROJECT", xc["project"]),
+        ("CFG_WORKSPACE", xc["workspace"]),
+        ("CFG_SCHEME", xc["scheme"]),
+        ("CFG_CONFIGURATION", xc["configuration"]),
+        ("CFG_BUNDLE_ID", app["bundle_id"]),
+        ("CFG_TEAM_ID", app["team_id"]),
+        ("CFG_APP_STORE_APPLE_ID", app["app_store_apple_id"]),
+        ("CFG_PROFILE_NAME", xc["profile_name"]),
+        ("CFG_USES_NON_EXEMPT", ios["uses_non_exempt"]),
+        ("CFG_WHATS_NEW", tf["whats_new"]),
+        ("CFG_LOCALE", tf["locale"]),
+        ("CFG_RUN_TESTS", tests["run_tests"]),
+        ("CFG_TEST_COMMAND", tests["test_command"]),
+        ("CFG_TEST_DESTINATION", tests["test_destination"]),
+    ]
+    for name, (value, src) in derived:
+        emit(env_file, name, value)
+        shown = value if name != "CFG_WHATS_NEW" else value.replace("\n", " / ")
+        log(f"{name}={shown!r} (source: {src})")
+
+
+if __name__ == "__main__":
+    main()

package/templates/github/workflows/ios-native-release.yml

@@ -1,66 +0,0 @@
-name: iOS Deploy
-
-# Native-Swift iOS release pipeline. On PRs and non-main branches, runs the
-# simulator test suite (build-only, no signing). On push to main, runs tests,
-# archives the app, and uploads to TestFlight via the App Store Connect API.
-#
-# Required repository secrets (for upload, main branch only):
-#   ASC_KEY_ID      App Store Connect API key id (e.g. "5NBDY6YXJ6")
-#   ASC_ISSUER_ID   App Store Connect API issuer id (uuid)
-#   ASC_KEY_P8      Full contents of the AuthKey_*.p8 file
-#
-# Edit the `with:` blocks below to match your project.
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
-  workflow_dispatch:
-
-concurrency:
-  group: ios-${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: false
-
-jobs:
-  # PRs and non-main pushes: build + test only, no signing or upload.
-  build-and-test:
-    if: ${{ github.event_name == 'pull_request' || (github.event_name == 'push' && github.ref != 'refs/heads/main') }}
-    runs-on: macos-latest
-    timeout-minutes: 45
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: daemux/daemux-plugins/.github/actions/ios-native-testflight@main
-        with:
-          project: MyApp.xcodeproj
-          scheme: MyApp
-          bundle-id: com.example.myapp
-          team-id: ABCDE12345
-          app-store-apple-id: "1234567890"
-          run-tests: "true"
-          archive: "false"
-          upload: "false"
-
-  # Main branch: test + archive + upload to TestFlight.
-  deploy:
-    if: ${{ github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
-    runs-on: macos-latest
-    timeout-minutes: 60
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: daemux/daemux-plugins/.github/actions/ios-native-testflight@main
-        with:
-          project: MyApp.xcodeproj
-          scheme: MyApp
-          bundle-id: com.example.myapp
-          team-id: ABCDE12345
-          app-store-apple-id: "1234567890"
-          run-tests: "true"
-          archive: "true"
-          upload: "true"
-        env:
-          ASC_KEY_ID: ${{ secrets.ASC_KEY_ID }}
-          ASC_ISSUER_ID: ${{ secrets.ASC_ISSUER_ID }}
-          ASC_KEY_P8: ${{ secrets.ASC_KEY_P8 }}