@daemux/store-automator 0.10.74 → 0.10.76

package/.claude-plugin/marketplace.json

@@ -5,14 +5,14 @@
   },
   "metadata": {
     "description": "App Store & Google Play automation for Flutter apps",
-    "version": "0.10.74"
+    "version": "0.10.76"
   },
   "plugins": [
     {
       "name": "store-automator",
       "source": "./plugins/store-automator",
       "description": "3 agents for app store publishing: reviewer, meta-creator, media-designer",
-      "version": "0.10.74",
+      "version": "0.10.76",
       "keywords": [
         "flutter",
         "app-store",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@daemux/store-automator",
-  "version": "0.10.74",
+  "version": "0.10.76",
   "description": "Full App Store & Google Play automation for Flutter apps with Claude Code agents",
   "type": "module",
   "bin": {

package/plugins/store-automator/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "store-automator",
-  "version": "0.10.74",
+  "version": "0.10.76",
   "description": "App Store & Google Play automation agents for Flutter app publishing",
   "author": {
     "name": "Daemux"

package/templates/scripts/ci/ios-native/cfg_io.py

@@ -0,0 +1,27 @@
+#!/usr/bin/env python3
+"""
+Tiny shared IO helpers for ios-native-testflight scripts.
+
+Kept deliberately minimal so that read_config.py and lookup_app_id.py can
+import without pulling in heavier dependencies (PyYAML, requests, PyJWT).
+"""
+
+from __future__ import annotations
+
+import sys
+
+
+def log(msg: str) -> None:
+    """Debug log to stderr (never contains .p8 contents)."""
+    print(msg, file=sys.stderr)
+
+
+def notice(msg: str) -> None:
+    """GitHub Actions workflow-command notice."""
+    print(f"::notice::{msg}")
+
+
+def fail(msg: str) -> str:
+    """Emit a GitHub Actions workflow-command error and exit 1."""
+    print(f"::error::{msg}", file=sys.stderr)
+    raise SystemExit(1)

package/templates/scripts/ci/ios-native/cfg_resolve.py

@@ -0,0 +1,212 @@
+#!/usr/bin/env python3
+"""
+Config loading + value-resolution helpers for ios-native-testflight.
+
+Pulled out of read_config.py to keep any single file under the 400-line /
+10-function project limits.
+
+Contents:
+    load_config         YAML loader (returns {} if missing)
+    emit                $GITHUB_ENV writer (handles multi-line via heredoc)
+    dig / pick          Safe nested dict access
+    pick_with_source    Flat-path-first, legacy-alias-second lookup
+    resolve             Apply input -> config -> auto -> default precedence
+    auto_project_glob   Repo-root *.xcodeproj / *.xcworkspace autodetect
+    as_str_bool         YAML bool -> "true"/"false"/None
+    find_p8             Locate ASC .p8 key in creds/
+    lookup_app_id_via_api  Subprocess helper — calls lookup_app_id.py
+"""
+
+from __future__ import annotations
+
+import os
+import re
+import sys
+from pathlib import Path
+from typing import Any
+
+import yaml
+
+from cfg_io import fail, log, notice
+
+
+P8_RE = re.compile(
+    r"^AuthKey_([A-Z0-9]{8,10})(?:_Issuer_([0-9a-fA-F-]{36}))?\.p8$"
+)
+
+
+def load_config(workspace: Path, rel_path: str) -> dict:
+    """Load a YAML config from ``workspace/rel_path``. Returns {} if missing."""
+    cfg_path = workspace / rel_path
+    if not cfg_path.is_file():
+        notice(
+            f"{rel_path} not found at {cfg_path}; proceeding with inputs and defaults only"
+        )
+        return {}
+    try:
+        with cfg_path.open("r") as fh:
+            data = yaml.safe_load(fh)
+    except yaml.YAMLError as exc:
+        fail(f"failed to parse {rel_path}: {exc}")
+    if data is None:
+        return {}
+    if not isinstance(data, dict):
+        fail(f"{rel_path} root must be a mapping")
+    log(f"loaded config from {cfg_path}")
+    return data
+
+
+def emit(env_file: Path, name: str, value: str) -> None:
+    """Append NAME=VALUE (or multi-line NAME<<EOF ... EOF) to $GITHUB_ENV."""
+    if value is None:
+        value = ""
+    if "\n" in value:
+        delim = "EOF"
+        while delim in value:
+            delim += "X"
+        with env_file.open("a") as fh:
+            fh.write(f"{name}<<{delim}\n{value}\n{delim}\n")
+    else:
+        with env_file.open("a") as fh:
+            fh.write(f"{name}={value}\n")
+
+
+def dig(cfg: dict, *path: str, default: Any = None) -> Any:
+    """Safe nested .get across dict path. Returns default if any key missing."""
+    node: Any = cfg
+    for key in path:
+        if not isinstance(node, dict):
+            return default
+        node = node.get(key)
+        if node is None:
+            return default
+    return node
+
+
+def pick(cfg: dict, *paths: tuple) -> Any:
+    """Return the first non-None/non-empty value among a series of paths."""
+    for path in paths:
+        val = dig(cfg, *path)
+        if val not in (None, ""):
+            return val
+    return None
+
+
+def pick_with_source(cfg: dict, flat: tuple, legacy: tuple) -> tuple[Any, str]:
+    """Return (value, source) — flat path wins; legacy alias as fallback."""
+    flat_val = dig(cfg, *flat)
+    if flat_val not in (None, ""):
+        return flat_val, "config"
+    legacy_val = dig(cfg, *legacy)
+    if legacy_val not in (None, ""):
+        return legacy_val, "config(legacy)"
+    return None, "config"
+
+
+def resolve(
+    input_val: str,
+    cfg_val: Any,
+    *,
+    cfg_source: str = "config",
+    auto_val: str = "",
+    default: str = "",
+) -> tuple[str, str]:
+    """Apply precedence: input > config > auto > default > empty."""
+    if input_val:
+        return input_val, "input"
+    if cfg_val not in (None, ""):
+        return str(cfg_val), cfg_source
+    if auto_val:
+        return auto_val, "auto-detect"
+    if default:
+        return default, "default"
+    return "", "empty"
+
+
+def auto_project_glob(workspace: Path, suffix: str) -> str:
+    """Return the single matching *suffix file at repo root, else empty."""
+    matches = sorted(workspace.glob(f"*{suffix}"))
+    if len(matches) == 1:
+        return matches[0].name
+    return ""
+
+
+def as_str_bool(val: Any) -> str | None:
+    """Normalize YAML bool / string / None to 'true'|'false'|None."""
+    if val is None:
+        return None
+    if isinstance(val, bool):
+        return "true" if val else "false"
+    s = str(val).strip().lower()
+    if s in ("true", "yes", "1"):
+        return "true"
+    if s in ("false", "no", "0"):
+        return "false"
+    return s  # let downstream validate
+
+
+def find_p8(workspace: Path, cfg: dict) -> tuple[Path, str, str | None]:
+    """Locate the ASC .p8 key. Returns (path, key_id, issuer_from_filename)."""
+    creds_dir = workspace / "creds"
+    matches = sorted(creds_dir.glob("AuthKey_*.p8"))
+    if not matches:
+        fail(
+            "No ASC key found. Place "
+            "AuthKey_<KEY_ID>_Issuer_<ISSUER_UUID>.p8 in creds/."
+        )
+
+    parsed: list[tuple[Path, str, str | None]] = []
+    for p in matches:
+        m = P8_RE.match(p.name)
+        if not m:
+            log(f"skipping {p.name}: does not match AuthKey_<KEY_ID>[_Issuer_<UUID>].p8")
+            continue
+        parsed.append((p, m.group(1), m.group(2)))
+
+    if not parsed:
+        fail(
+            "Found .p8 file(s) in creds/ but none match the required naming "
+            "pattern AuthKey_<KEY_ID>[_Issuer_<UUID>].p8"
+        )
+
+    if len(parsed) == 1:
+        return parsed[0]
+
+    config_key_id = pick(cfg, ("credentials", "apple", "key_id"), ("asc", "key_id"))
+    if not config_key_id:
+        names = ", ".join(p.name for p, _, _ in parsed)
+        fail(
+            f"Multiple ASC keys found in creds/ ({names}). "
+            "Set credentials.apple.key_id in ci.config.yaml to choose one."
+        )
+    for entry in parsed:
+        if entry[1] == config_key_id:
+            return entry
+    fail(
+        f"credentials.apple.key_id={config_key_id} did not match any .p8 in "
+        f"creds/ (found key_ids: {', '.join(k for _, k, _ in parsed)})"
+    )
+
+
+def lookup_app_id_via_api(bundle_id: str, scripts_dir: Path) -> str:
+    """Invoke lookup_app_id.py to resolve apple_id via ASC API."""
+    import subprocess
+
+    script = scripts_dir / "lookup_app_id.py"
+    if not script.is_file():
+        fail(f"lookup_app_id.py not found at {script}")
+    env = dict(os.environ)
+    env["BUNDLE_ID"] = bundle_id
+    result = subprocess.run(
+        [sys.executable, str(script)],
+        env=env,
+        capture_output=True,
+        text=True,
+    )
+    if result.returncode != 0:
+        sys.stderr.write(result.stderr)
+        fail(
+            f"No ASC app found for bundle {bundle_id}. "
+            "Run `fastlane create_app_ios` once manually to register the app."
+        )
+    return result.stdout.strip()

package/templates/scripts/ci/ios-native/lookup_app_id.py

@@ -0,0 +1,51 @@
+#!/usr/bin/env python3
+"""
+Resolve the App Store Connect numeric app id for a bundle id.
+
+Environment:
+    ASC_KEY_ID     - API key ID
+    ASC_ISSUER_ID  - API issuer ID
+    ASC_KEY_PATH   - Path to the .p8 key file
+    BUNDLE_ID      - Application bundle identifier
+
+Prints the app id to stdout on success. On 0 or >1 matches, exits 1 with a
+guidance message on stderr.
+"""
+
+from __future__ import annotations
+
+import os
+
+from asc_common import get_json, make_jwt
+from cfg_io import fail
+
+
+def env(name: str) -> str:
+    val = os.environ.get(name)
+    if not val:
+        fail(f"missing env var: {name}")
+    return val
+
+
+def main() -> None:
+    bundle_id = env("BUNDLE_ID")
+    token = make_jwt(env("ASC_KEY_ID"), env("ASC_ISSUER_ID"), env("ASC_KEY_PATH"))
+    data = get_json("/apps", token, params={"filter[bundleId]": bundle_id, "limit": "10"})
+    apps = data.get("data", [])
+    if not apps:
+        fail(
+            f"No ASC app found for bundleId={bundle_id}. "
+            "Run `fastlane create_app_ios` once manually to register the app, "
+            "or set app.app_store_apple_id in ci.config.yaml."
+        )
+    if len(apps) > 1:
+        ids = ", ".join(a.get("id", "?") for a in apps)
+        fail(
+            f"Multiple ASC apps match bundleId={bundle_id} (ids: {ids}). "
+            "Set app.app_store_apple_id in ci.config.yaml to disambiguate."
+        )
+    print(apps[0]["id"])
+
+
+if __name__ == "__main__":
+    main()

package/templates/scripts/ci/ios-native/prepare_signing.py

@@ -1,24 +1,25 @@
 #!/usr/bin/env python3
 """
-Prepare iOS code signing on a fresh CI runner.
+Prepare iOS code signing on a fresh CI runner (automatic-signing variant).
+
+This script prepares ONLY the credentials Xcode needs to drive
+`-allowProvisioningUpdates` against the App Store Connect API:
 
-Uses the App Store Connect API (auth via P8 key) to:
   1. Generate an RSA private key + CSR
   2. Create a new Apple Distribution certificate from the CSR; if the per-team
      cap is hit (409), revoke the newest existing DISTRIBUTION cert and retry.
-  3. Ensure a provisioning profile with a known name exists for the bundle ID,
-     linked to the new cert. If it exists, delete+recreate to refresh it.
-  4. Install the profile into ~/Library/MobileDevice/Provisioning Profiles/
-  5. Import cert + private key into a dedicated temporary keychain and put
+  3. Import cert + private key into a dedicated temporary keychain and put
      that keychain on the search list so codesign / xcodebuild can find it.
 
+Provisioning profile creation + installation is DELEGATED to xcodebuild via
+`-allowProvisioningUpdates` + ASC API auth. That path handles apps with any
+number of targets (Network Extensions, Widgets, WatchKit extensions, etc)
+without us having to know the full target graph up-front.
+
 Environment inputs:
   ASC_KEY_ID        - App Store Connect API key ID
   ASC_ISSUER_ID     - App Store Connect API issuer ID
   ASC_KEY_PATH      - Path to the .p8 private key file
-  TEAM_ID           - Apple developer team ID
-  BUNDLE_ID         - App bundle identifier
-  PROFILE_NAME      - Desired provisioning profile name
   RUNNER_TEMP       - GitHub Actions temp dir (for keychain + intermediates)
 
 Writes nothing to stdout that would leak secrets.
@@ -28,7 +29,6 @@ from __future__ import annotations
 
 import base64
 import os
-import plistlib
 import subprocess
 from pathlib import Path
 
@@ -136,68 +136,6 @@ def create_distribution_cert(token: str, csr_b64: str) -> tuple[str, bytes]:
     return cert_id, cert_der
 
 
-def find_bundle_id(token: str, identifier: str) -> str:
-    data = get_json(
-        "/bundleIds",
-        token,
-        params={"filter[identifier]": identifier, "limit": "5"},
-    )
-    for item in data.get("data", []):
-        if item["attributes"]["identifier"] == identifier:
-            return item["id"]
-    raise SystemExit(f"bundle id {identifier!r} not found in ASC")
-
-
-def delete_profile_by_name(token: str, name: str) -> None:
-    data = get_json("/profiles", token, params={"limit": "200"})
-    for p in data.get("data", []):
-        if (p["attributes"].get("name") or "") == name:
-            pid = p["id"]
-            print(f"Deleting existing profile {pid} ({name})")
-            request("DELETE", f"/profiles/{pid}", token)
-
-
-def create_profile(
-    token: str, name: str, bundle_id_pk: str, cert_id: str
-) -> bytes:
-    body = {
-        "data": {
-            "type": "profiles",
-            "attributes": {
-                "name": name,
-                "profileType": "IOS_APP_STORE",
-            },
-            "relationships": {
-                "bundleId": {"data": {"type": "bundleIds", "id": bundle_id_pk}},
-                "certificates": {
-                    "data": [{"type": "certificates", "id": cert_id}]
-                },
-            },
-        }
-    }
-    resp = request("POST", "/profiles", token, json_body=body)
-    data = resp.json()["data"]
-    profile_content_b64 = data["attributes"]["profileContent"]
-    return base64.b64decode(profile_content_b64)
-
-
-def install_profile(profile_der: bytes) -> str:
-    """Write the .mobileprovision file and return its uuid."""
-    # Profile is CMS-signed plist; decode with `security cms` to read UUID.
-    profiles_dir = Path.home() / "Library/MobileDevice/Provisioning Profiles"
-    profiles_dir.mkdir(parents=True, exist_ok=True)
-    tmp_path = profiles_dir / "tmp.mobileprovision"
-    tmp_path.write_bytes(profile_der)
-    decoded = subprocess.check_output(
-        ["security", "cms", "-D", "-i", str(tmp_path)]
-    )
-    uuid = plistlib.loads(decoded)["UUID"]
-    final_path = profiles_dir / f"{uuid}.mobileprovision"
-    tmp_path.rename(final_path)
-    print(f"Installed provisioning profile {uuid} at {final_path}")
-    return uuid
-
-
 def write_p12(
     private_key: rsa.RSAPrivateKey, cert_der: bytes, out_path: Path, passwd: str
 ) -> None:
@@ -293,20 +231,16 @@ def main() -> None:
     key_id = env("ASC_KEY_ID")
     issuer_id = env("ASC_ISSUER_ID")
     asc_key_path = env("ASC_KEY_PATH")
-    bundle_id = env("BUNDLE_ID")
-    profile_name = env("PROFILE_NAME")
     runner_temp = env("RUNNER_TEMP")
 
     token = make_jwt(key_id, issuer_id, asc_key_path)
 
     private_key, csr_b64 = generate_key_and_csr()
-    cert_id, cert_der = create_distribution_cert(token, csr_b64.decode())
-
-    bundle_pk = find_bundle_id(token, bundle_id)
-    delete_profile_by_name(token, profile_name)
-    profile_der = create_profile(token, profile_name, bundle_pk, cert_id)
-    install_profile(profile_der)
+    _cert_id, cert_der = create_distribution_cert(token, csr_b64.decode())
 
+    # Provisioning profile(s) are created on-demand by xcodebuild via
+    # `-allowProvisioningUpdates` — we only need the signing identity
+    # (cert + private key) to be present in a keychain Xcode can see.
     p12_pass = "ci"
     p12_path = Path(runner_temp) / "cert.p12"
     write_p12(private_key, cert_der, p12_path, p12_pass)

package/templates/scripts/ci/ios-native/read_config.py

@@ -0,0 +1,289 @@
+#!/usr/bin/env python3
+"""
+Read ci.config.yaml + discover ASC API key in creds/, then emit derived CI
+environment variables to $GITHUB_ENV.
+
+Schema (flat — primary, canonical):
+    app.{bundle_id, team_id, app_store_apple_id}
+    xcode.{project, workspace, scheme, configuration, profile_name}
+    ios.{uses_non_exempt_encryption}
+    testflight.{whats_new, locale}
+    ci.{run_tests, test_command, test_destination}
+    credentials.apple.{key_id, issuer_id}  OR  asc.{key_id, issuer_id}
+
+Legacy aliases (accepted for back-compat, never preferred):
+    ios.native.{project, workspace, scheme, configuration, profile_name,
+                team_id, app_store_apple_id, uses_non_exempt_encryption,
+                whats_new, locale, run_tests, test_command, test_destination,
+                tests.{run, command, destination}}
+    app_store.locale (third-tier fallback only)
+
+Precedence for every CFG_* value:
+    1. Explicit action input (INPUT_* env var)
+    2. Flat-schema config value
+    3. Legacy ios.native.* alias
+    4. Auto-detected value (xcodeproj/xcworkspace glob) or built-in default
+    5. Empty string (composite action step applies its own default / skips)
+
+Built-in defaults (emitted when no config/input exists):
+    CFG_CONFIGURATION=Release, CFG_USES_NON_EXEMPT=false,
+    CFG_RUN_TESTS=false, CFG_LOCALE=en-US, CFG_PROFILE_NAME="<scheme> CI".
+All other CFG_* fields emit empty and rely on action.yml-level fallbacks.
+
+The ASC .p8 key is located by globbing ``creds/AuthKey_*.p8`` with filename
+regex AuthKey_<KEY_ID>[_Issuer_<ISSUER_UUID>].p8. Multiple matches require
+``credentials.apple.key_id`` (or ``asc.key_id``) in config to disambiguate.
+
+Writes to $GITHUB_ENV:
+    ASC_KEY_ID, ASC_ISSUER_ID, ASC_KEY_P8_PATH, ASC_KEY_P8,
+    CFG_PROJECT, CFG_WORKSPACE, CFG_SCHEME, CFG_CONFIGURATION,
+    CFG_BUNDLE_ID, CFG_TEAM_ID, CFG_APP_STORE_APPLE_ID, CFG_PROFILE_NAME,
+    CFG_USES_NON_EXEMPT, CFG_WHATS_NEW, CFG_LOCALE,
+    CFG_RUN_TESTS, CFG_TEST_COMMAND, CFG_TEST_DESTINATION
+"""
+
+from __future__ import annotations
+
+import os
+from pathlib import Path
+
+from cfg_io import fail, log
+from cfg_resolve import (
+    as_str_bool,
+    auto_project_glob,
+    dig,
+    emit,
+    find_p8,
+    load_config,
+    lookup_app_id_via_api,
+    pick,
+    pick_with_source,
+    resolve,
+)
+
+
+DEFAULT_WHATS_NEW = (
+    "- Improved performance: faster, smoother app experience\n"
+    "- Bug fixes: minor issues resolved for seamless use\n"
+    "- Enhanced security: updated to protect your data\n"
+)
+
+
+def emit_credentials(env_file: Path, cfg: dict, workspace: Path) -> dict:
+    """Discover .p8, derive ASC_KEY_ID / ISSUER / PATH, emit to env_file.
+
+    Returns {'key_id', 'issuer_id', 'key_path'} for downstream use.
+    """
+    p8_path, key_id_from_file, issuer_from_file = find_p8(workspace, cfg)
+    try:
+        p8_contents = p8_path.read_text()
+    except OSError as exc:
+        fail(f"cannot read {p8_path}: {exc}")
+
+    cfg_key_id = pick(cfg, ("credentials", "apple", "key_id"), ("asc", "key_id"))
+    cfg_issuer = pick(cfg, ("credentials", "apple", "issuer_id"), ("asc", "issuer_id"))
+    asc_key_id = cfg_key_id or key_id_from_file
+    asc_issuer = cfg_issuer or issuer_from_file
+    if not asc_issuer:
+        fail(
+            "ASC issuer id unknown: neither the filename contains _Issuer_<UUID> "
+            "nor credentials.apple.issuer_id is set in ci.config.yaml."
+        )
+
+    emit(env_file, "ASC_KEY_ID", str(asc_key_id))
+    emit(env_file, "ASC_ISSUER_ID", str(asc_issuer))
+    emit(env_file, "ASC_KEY_P8_PATH", str(p8_path))
+    emit(env_file, "ASC_KEY_P8", p8_contents)
+    log(f"ASC_KEY_ID={asc_key_id} (source: {'config' if cfg_key_id else 'filename'})")
+    log(f"ASC_ISSUER_ID={asc_issuer} (source: {'config' if cfg_issuer else 'filename'})")
+    log(f"ASC_KEY_P8_PATH={p8_path}")
+    return {"key_id": str(asc_key_id), "issuer_id": str(asc_issuer), "key_path": str(p8_path)}
+
+
+def resolve_xcode(cfg: dict, workspace: Path, inp: dict) -> dict:
+    """Resolve project / workspace / scheme / configuration / profile_name."""
+    proj_cfg, proj_src = pick_with_source(cfg, ("xcode", "project"), ("ios", "native", "project"))
+    ws_cfg, ws_src = pick_with_source(cfg, ("xcode", "workspace"), ("ios", "native", "workspace"))
+    scheme_cfg, scheme_src = pick_with_source(cfg, ("xcode", "scheme"), ("ios", "native", "scheme"))
+    config_cfg, config_src = pick_with_source(
+        cfg, ("xcode", "configuration"), ("ios", "native", "configuration"),
+    )
+    profile_cfg, profile_src = pick_with_source(
+        cfg, ("xcode", "profile_name"), ("ios", "native", "profile_name"),
+    )
+
+    project = resolve(
+        inp["PROJECT"], proj_cfg, cfg_source=proj_src,
+        auto_val=auto_project_glob(workspace, ".xcodeproj"),
+    )
+    ws_val = resolve(
+        inp["WORKSPACE"], ws_cfg, cfg_source=ws_src,
+        auto_val=auto_project_glob(workspace, ".xcworkspace"),
+    )
+    scheme = resolve(inp["SCHEME"], scheme_cfg, cfg_source=scheme_src)
+    configuration = resolve(
+        inp["CONFIGURATION"], config_cfg, cfg_source=config_src, default="Release",
+    )
+    default_profile = f"{scheme[0]} CI" if scheme[0] else ""
+    profile_name = resolve(
+        inp["PROFILE_NAME"], profile_cfg, cfg_source=profile_src, default=default_profile,
+    )
+    return {
+        "project": project,
+        "workspace": ws_val,
+        "scheme": scheme,
+        "configuration": configuration,
+        "profile_name": profile_name,
+    }
+
+
+def resolve_app(cfg: dict, inp: dict, creds: dict, scripts_dir: Path) -> dict:
+    """Resolve bundle_id / team_id / app_store_apple_id (with ASC-API fallback)."""
+    bundle_cfg, bundle_src = pick_with_source(cfg, ("app", "bundle_id"), ("ios", "native", "bundle_id"))
+    team_cfg, team_src = pick_with_source(cfg, ("app", "team_id"), ("ios", "native", "team_id"))
+    apple_cfg, apple_src = pick_with_source(
+        cfg, ("app", "app_store_apple_id"), ("ios", "native", "app_store_apple_id"),
+    )
+
+    bundle = resolve(inp["BUNDLE_ID"], bundle_cfg, cfg_source=bundle_src)
+    team = resolve(inp["TEAM_ID"], team_cfg, cfg_source=team_src)
+
+    if inp["APP_STORE_APPLE_ID"]:
+        apple = (inp["APP_STORE_APPLE_ID"], "input")
+    elif apple_cfg not in (None, ""):
+        apple = (str(apple_cfg), apple_src)
+    elif bundle[0]:
+        os.environ["ASC_KEY_ID"] = creds["key_id"]
+        os.environ["ASC_ISSUER_ID"] = creds["issuer_id"]
+        os.environ["ASC_KEY_PATH"] = creds["key_path"]
+        apple = (lookup_app_id_via_api(bundle[0], scripts_dir), "api-lookup")
+    else:
+        apple = ("", "empty")
+    return {"bundle_id": bundle, "team_id": team, "app_store_apple_id": apple}
+
+
+def resolve_testflight(cfg: dict, inp: dict) -> dict:
+    """Resolve whats_new / locale from testflight.* or legacy aliases."""
+    whats_cfg, whats_src = pick_with_source(
+        cfg, ("testflight", "whats_new"), ("ios", "native", "whats_new"),
+    )
+    locale_cfg, locale_src = pick_with_source(
+        cfg, ("testflight", "locale"), ("ios", "native", "locale"),
+    )
+    if locale_cfg in (None, ""):
+        alt = dig(cfg, "app_store", "locale")
+        if alt not in (None, ""):
+            locale_cfg, locale_src = alt, "config(legacy)"
+    return {
+        "whats_new": resolve(
+            inp["WHATS_NEW"], whats_cfg, cfg_source=whats_src, default=DEFAULT_WHATS_NEW,
+        ),
+        "locale": resolve(inp["LOCALE"], locale_cfg, cfg_source=locale_src, default="en-US"),
+    }
+
+
+def resolve_tests(cfg: dict, inp: dict) -> dict:
+    """Resolve run_tests / test_command / test_destination from ci.* or legacy."""
+    run_flat = dig(cfg, "ci", "run_tests")
+    run_legacy = dig(cfg, "ios", "native", "run_tests")
+    if run_legacy is None:
+        run_legacy = dig(cfg, "ios", "native", "tests", "run")
+    run_cfg, run_src = (run_flat, "config") if run_flat is not None else (run_legacy, "config(legacy)")
+
+    cmd_flat = dig(cfg, "ci", "test_command")
+    cmd_legacy = dig(cfg, "ios", "native", "test_command") or dig(cfg, "ios", "native", "tests", "command")
+    cmd_cfg, cmd_src = (
+        (cmd_flat, "config") if cmd_flat not in (None, "") else (cmd_legacy, "config(legacy)")
+    )
+
+    dest_flat = dig(cfg, "ci", "test_destination")
+    dest_legacy = (
+        dig(cfg, "ios", "native", "test_destination")
+        or dig(cfg, "ios", "native", "tests", "destination")
+    )
+    dest_cfg, dest_src = (
+        (dest_flat, "config") if dest_flat not in (None, "") else (dest_legacy, "config(legacy)")
+    )
+
+    return {
+        "run_tests": resolve(
+            inp["RUN_TESTS"], as_str_bool(run_cfg), cfg_source=run_src, default="false",
+        ),
+        "test_command": resolve(inp["TEST_COMMAND"], cmd_cfg, cfg_source=cmd_src),
+        "test_destination": resolve(inp["TEST_DESTINATION"], dest_cfg, cfg_source=dest_src),
+    }
+
+
+def resolve_ios(cfg: dict, inp: dict) -> dict:
+    """Resolve ios.uses_non_exempt_encryption (flat) with legacy fallback."""
+    val_flat = dig(cfg, "ios", "uses_non_exempt_encryption")
+    # Flat lookup can accidentally return the legacy 'native' sub-dict; ignore.
+    if isinstance(val_flat, dict):
+        val_flat = None
+    val_legacy = dig(cfg, "ios", "native", "uses_non_exempt_encryption")
+    if val_flat is not None:
+        raw, src = val_flat, "config"
+    elif val_legacy is not None:
+        raw, src = val_legacy, "config(legacy)"
+    else:
+        raw, src = None, "config"
+    return {
+        "uses_non_exempt": resolve(
+            inp["USES_NON_EXEMPT"], as_str_bool(raw), cfg_source=src, default="false",
+        )
+    }
+
+
+def collect_inputs() -> dict:
+    """Read all INPUT_* env vars the composite action passes in."""
+    names = (
+        "PROJECT", "WORKSPACE", "SCHEME", "CONFIGURATION", "PROFILE_NAME",
+        "BUNDLE_ID", "TEAM_ID", "APP_STORE_APPLE_ID",
+        "USES_NON_EXEMPT", "WHATS_NEW", "LOCALE",
+        "RUN_TESTS", "TEST_COMMAND", "TEST_DESTINATION",
+    )
+    return {name: os.environ.get(f"INPUT_{name}", "") for name in names}
+
+
+def main() -> None:
+    workspace = Path(os.environ.get("GITHUB_WORKSPACE", "."))
+    scripts_dir = Path(__file__).resolve().parent
+    env_file_path = os.environ.get("GITHUB_ENV")
+    if not env_file_path:
+        fail("GITHUB_ENV not set; this script must run inside a GitHub Actions step")
+    env_file = Path(env_file_path)
+
+    cfg = load_config(workspace, os.environ.get("CONFIG_PATH", "ci.config.yaml"))
+    inputs = collect_inputs()
+
+    creds = emit_credentials(env_file, cfg, workspace)
+    xc = resolve_xcode(cfg, workspace, inputs)
+    app = resolve_app(cfg, inputs, creds, scripts_dir)
+    tf = resolve_testflight(cfg, inputs)
+    ios = resolve_ios(cfg, inputs)
+    tests = resolve_tests(cfg, inputs)
+
+    derived = [
+        ("CFG_PROJECT", xc["project"]),
+        ("CFG_WORKSPACE", xc["workspace"]),
+        ("CFG_SCHEME", xc["scheme"]),
+        ("CFG_CONFIGURATION", xc["configuration"]),
+        ("CFG_BUNDLE_ID", app["bundle_id"]),
+        ("CFG_TEAM_ID", app["team_id"]),
+        ("CFG_APP_STORE_APPLE_ID", app["app_store_apple_id"]),
+        ("CFG_PROFILE_NAME", xc["profile_name"]),
+        ("CFG_USES_NON_EXEMPT", ios["uses_non_exempt"]),
+        ("CFG_WHATS_NEW", tf["whats_new"]),
+        ("CFG_LOCALE", tf["locale"]),
+        ("CFG_RUN_TESTS", tests["run_tests"]),
+        ("CFG_TEST_COMMAND", tests["test_command"]),
+        ("CFG_TEST_DESTINATION", tests["test_destination"]),
+    ]
+    for name, (value, src) in derived:
+        emit(env_file, name, value)
+        shown = value if name != "CFG_WHATS_NEW" else value.replace("\n", " / ")
+        log(f"{name}={shown!r} (source: {src})")
+
+
+if __name__ == "__main__":
+    main()