@daemux/store-automator 0.10.76 → 0.10.78

package/.claude-plugin/marketplace.json

@@ -5,14 +5,14 @@
   },
   "metadata": {
     "description": "App Store & Google Play automation for Flutter apps",
-    "version": "0.10.76"
+    "version": "0.10.78"
   },
   "plugins": [
     {
       "name": "store-automator",
       "source": "./plugins/store-automator",
       "description": "3 agents for app store publishing: reviewer, meta-creator, media-designer",
-      "version": "0.10.76",
+      "version": "0.10.78",
       "keywords": [
         "flutter",
         "app-store",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@daemux/store-automator",
-  "version": "0.10.76",
+  "version": "0.10.78",
   "description": "Full App Store & Google Play automation for Flutter apps with Claude Code agents",
   "type": "module",
   "bin": {

package/plugins/store-automator/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "store-automator",
-  "version": "0.10.76",
+  "version": "0.10.78",
   "description": "App Store & Google Play automation agents for Flutter app publishing",
   "author": {
     "name": "Daemux"

package/templates/scripts/ci/ios-native/prepare_signing.py

@@ -1,26 +1,33 @@
 #!/usr/bin/env python3
 """
-Prepare iOS code signing on a fresh CI runner (automatic-signing variant).
+Prepare iOS code signing on a fresh CI runner (manual-signing variant).
 
-This script prepares ONLY the credentials Xcode needs to drive
-`-allowProvisioningUpdates` against the App Store Connect API:
+Steps:
 
-  1. Generate an RSA private key + CSR
+  1. Generate an RSA private key + CSR.
   2. Create a new Apple Distribution certificate from the CSR; if the per-team
      cap is hit (409), revoke the newest existing DISTRIBUTION cert and retry.
-  3. Import cert + private key into a dedicated temporary keychain and put
-     that keychain on the search list so codesign / xcodebuild can find it.
-
-Provisioning profile creation + installation is DELEGATED to xcodebuild via
-`-allowProvisioningUpdates` + ASC API auth. That path handles apps with any
-number of targets (Network Extensions, Widgets, WatchKit extensions, etc)
-without us having to know the full target graph up-front.
+  3. Enumerate PRODUCT_BUNDLE_IDENTIFIER for every signable target in the
+     Xcode project / workspace (main app + extensions).
+  4. Register each bundle ID on App Store Connect if missing.
+  5. Create one IOS_APP_STORE provisioning profile per bundle ID, named
+     ``CI-<bundle_id>``, linked to the new cert (deleting any stale profile
+     with the same name so the reference matches the fresh cert).
+  6. Install every profile into ``~/Library/MobileDevice/Provisioning Profiles/``.
+  7. Import cert + private key into a temporary keychain placed at the head of
+     the user search list so codesign / xcodebuild can find it.
+
+Pairs with a temporary xcconfig that sets
+``PROVISIONING_PROFILE_SPECIFIER = CI-$(PRODUCT_BUNDLE_IDENTIFIER)``, which
+Xcode resolves per target at build time. This lets apps with Network
+Extensions (and any other aux targets) sign manually in CI without
+per-project pbxproj edits.
 
 Environment inputs:
-  ASC_KEY_ID        - App Store Connect API key ID
-  ASC_ISSUER_ID     - App Store Connect API issuer ID
-  ASC_KEY_PATH      - Path to the .p8 private key file
-  RUNNER_TEMP       - GitHub Actions temp dir (for keychain + intermediates)
+  ASC_KEY_ID, ASC_ISSUER_ID, ASC_KEY_PATH - App Store Connect API key trio
+  PROJECT or WORKSPACE                    - Xcode project / workspace path
+  SCHEME, CONFIGURATION                   - Scheme + configuration to inspect
+  RUNNER_TEMP                             - GitHub Actions temp dir
 
 Writes nothing to stdout that would leak secrets.
 """
@@ -38,6 +45,7 @@ from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.primitives.serialization import pkcs12
 from cryptography.x509.oid import NameOID
+from profile_manager import discover_bundle_ids, provision_all_bundles
 
 
 def env(name: str) -> str:
@@ -47,6 +55,10 @@ def env(name: str) -> str:
     return val
 
 
+def optional_env(name: str) -> str:
+    return os.environ.get(name, "") or ""
+
+
 def generate_key_and_csr() -> tuple[rsa.RSAPrivateKey, bytes]:
     """Return (private_key, csr_payload_b64_bytes)."""
     private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
@@ -55,14 +67,13 @@ def generate_key_and_csr() -> tuple[rsa.RSAPrivateKey, bytes]:
         .subject_name(
             x509.Name(
                 [
-                    x509.NameAttribute(NameOID.COMMON_NAME, "ScudoVPN CI"),
+                    x509.NameAttribute(NameOID.COMMON_NAME, "Daemux CI"),
                     x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
                 ]
             )
         )
         .sign(private_key, hashes.SHA256())
     )
-    # Apple wants the CSR PEM base64 (without headers)
     csr_pem = csr.public_bytes(serialization.Encoding.PEM)
     csr_payload = b"".join(
         line for line in csr_pem.splitlines() if not line.startswith(b"-----")
@@ -85,8 +96,6 @@ def newest_distribution_cert_id(token: str) -> str | None:
     newest_exp = ""
     for cert in data.get("data", []):
         attrs = cert.get("attributes") or {}
-        # Use expirationDate as a proxy for creation time (cert expiration
-        # is exactly creation + 1 year for Apple Distribution certs).
         exp = attrs.get("expirationDate") or ""
         if exp > newest_exp:
             newest_exp = exp
@@ -94,17 +103,11 @@ def newest_distribution_cert_id(token: str) -> str | None:
     return newest_id
 
 
-def revoke_cert(token: str, cert_id: str) -> None:
-    print(f"Revoking distribution cert {cert_id}")
-    request("DELETE", f"/certificates/{cert_id}", token)
-
-
 def create_distribution_cert(token: str, csr_b64: str) -> tuple[str, bytes]:
     """Return (certificate_id, DER-encoded certificate bytes).
 
     Apple enforces a per-team cap on active Distribution certs. If the POST
-    comes back 409 (already have one or pending), revoke the newest existing
-    one and retry once. This is the CI-owned cert from a prior run.
+    comes back 409, revoke the newest existing one and retry once.
     """
     body = {
         "data": {
@@ -126,12 +129,11 @@ def create_distribution_cert(token: str, csr_b64: str) -> tuple[str, bytes]:
                 "409 from cert create but no existing DISTRIBUTION cert "
                 "found to revoke"
             )
-        revoke_cert(token, target)
+        request("DELETE", f"/certificates/{target}", token)
         resp = request("POST", "/certificates", token, json_body=body)
     data = resp.json()["data"]
     cert_id = data["id"]
-    cert_content_b64 = data["attributes"]["certificateContent"]
-    cert_der = base64.b64decode(cert_content_b64)
+    cert_der = base64.b64decode(data["attributes"]["certificateContent"])
     print(f"Created DISTRIBUTION cert {cert_id}")
     return cert_id, cert_der
 
@@ -141,7 +143,7 @@ def write_p12(
 ) -> None:
     cert = x509.load_der_x509_certificate(cert_der)
     p12 = pkcs12.serialize_key_and_certificates(
-        name=b"ScudoVPN CI",
+        name=b"Daemux CI",
         key=private_key,
         cert=cert,
         cas=None,
@@ -153,7 +155,6 @@ def write_p12(
 
 
 def _create_keychain(keychain_path: str, keychain_pass: str) -> None:
-    """Delete any stale keychain at this path, then create + unlock a fresh one."""
     subprocess.run(
         ["security", "delete-keychain", keychain_path],
         check=False,
@@ -173,18 +174,16 @@ def _create_keychain(keychain_path: str, keychain_pass: str) -> None:
 def _import_p12(
     keychain_path: str, keychain_pass: str, p12_path: Path, p12_pass: str
 ) -> None:
-    """Import p12 into the keychain and authorize codesign to use the key."""
     subprocess.check_call(
         [
             "security", "import", str(p12_path),
             "-P", p12_pass,
-            "-A",  # allow any app to read (simplest for CI)
+            "-A",
             "-t", "cert",
             "-f", "pkcs12",
             "-k", keychain_path,
         ]
     )
-    # Allow codesign to use the key without prompts (modern macOS)
     subprocess.check_call(
         [
             "security", "set-key-partition-list",
@@ -197,7 +196,6 @@ def _import_p12(
 
 
 def _prepend_to_user_search_list(keychain_path: str) -> None:
-    """Put `keychain_path` at the head of the user search list + make it default."""
     existing = subprocess.check_output(
         ["security", "list-keychains", "-d", "user"]
     ).decode()
@@ -233,14 +231,28 @@ def main() -> None:
     asc_key_path = env("ASC_KEY_PATH")
     runner_temp = env("RUNNER_TEMP")
 
+    project = optional_env("PROJECT")
+    workspace = optional_env("WORKSPACE")
+    scheme = env("SCHEME")
+    configuration = env("CONFIGURATION")
+    if not project and not workspace:
+        raise SystemExit(
+            "prepare_signing: either PROJECT or WORKSPACE env var must be set"
+        )
+
     token = make_jwt(key_id, issuer_id, asc_key_path)
 
+    bundle_ids = discover_bundle_ids(project, workspace, scheme, configuration)
+    print(f"Bundle ids to provision ({len(bundle_ids)}): {bundle_ids}")
+
     private_key, csr_b64 = generate_key_and_csr()
-    _cert_id, cert_der = create_distribution_cert(token, csr_b64.decode())
+    cert_id, cert_der = create_distribution_cert(token, csr_b64.decode())
+
+    mappings = provision_all_bundles(token, bundle_ids, cert_id)
+    print("Profile map:")
+    for bid, pname, uuid in mappings:
+        print(f"  {bid} -> {pname} ({uuid})")
 
-    # Provisioning profile(s) are created on-demand by xcodebuild via
-    # `-allowProvisioningUpdates` — we only need the signing identity
-    # (cert + private key) to be present in a keychain Xcode can see.
     p12_pass = "ci"
     p12_path = Path(runner_temp) / "cert.p12"
     write_p12(private_key, cert_der, p12_path, p12_pass)

package/templates/scripts/ci/ios-native/profile_manager.py

@@ -0,0 +1,219 @@
+#!/usr/bin/env python3
+"""
+Provisioning profile + bundleId helpers for multi-target iOS projects.
+
+Handles:
+
+* Enumerating every PRODUCT_BUNDLE_IDENTIFIER used by signable targets in an
+  Xcode project / workspace (main app + extensions like Network Extensions,
+  Widgets, WatchKit apps, etc).
+* Ensuring each bundle ID is registered on App Store Connect.
+* Creating one IOS_APP_STORE provisioning profile per bundle ID, named
+  ``CI-<bundle_id>``, linked to the just-issued distribution cert. If a
+  profile with that name already exists, it is deleted first so we always
+  end up with a profile that references the fresh cert.
+* Installing every profile into the standard Xcode profile directory.
+
+Kept separate from ``prepare_signing.py`` so both files stay well under the
+400-line cap.
+"""
+
+from __future__ import annotations
+
+import base64
+import json
+import plistlib
+import subprocess
+from pathlib import Path
+
+from asc_common import get_json, request
+
+
+PROFILE_PREFIX = "CI-"
+PROFILES_DIR = Path.home() / "Library/MobileDevice/Provisioning Profiles"
+
+
+# --------------------------------------------------------------------------- #
+# Bundle ID discovery                                                         #
+# --------------------------------------------------------------------------- #
+
+def discover_bundle_ids(
+    project: str,
+    workspace: str,
+    scheme: str,
+    configuration: str,
+) -> list[str]:
+    """Return the sorted, de-duplicated list of signable bundle IDs.
+
+    Uses ``xcodebuild -showBuildSettings -json`` which returns one settings
+    dictionary per target in the dependency graph for the given scheme. We
+    keep every ``PRODUCT_BUNDLE_IDENTIFIER`` that looks real (non-empty,
+    not a placeholder, contains at least one dot).
+    """
+    proj_args = ["-workspace", workspace] if workspace else ["-project", project]
+    cmd = [
+        "xcodebuild",
+        *proj_args,
+        "-scheme", scheme,
+        "-configuration", configuration,
+        "-showBuildSettings",
+        "-json",
+    ]
+    result = subprocess.run(
+        cmd, capture_output=True, text=True, check=True,
+    )
+    settings_list = json.loads(result.stdout or "[]")
+    found: set[str] = set()
+    for entry in settings_list:
+        attrs = entry.get("buildSettings") or {}
+        bundle_id = (attrs.get("PRODUCT_BUNDLE_IDENTIFIER") or "").strip()
+        if _is_real_bundle_id(bundle_id):
+            found.add(bundle_id)
+    if not found:
+        raise SystemExit(
+            "discover_bundle_ids: no PRODUCT_BUNDLE_IDENTIFIER values found "
+            f"for scheme {scheme!r} (configuration={configuration!r})"
+        )
+    return sorted(found)
+
+
+def _is_real_bundle_id(value: str) -> bool:
+    if not value:
+        return False
+    if "$(" in value or "${" in value:
+        return False
+    if "." not in value:
+        return False
+    # Xcode emits these when a target has no explicit identifier.
+    if value.lower().startswith("com.apple."):
+        return False
+    return True
+
+
+# --------------------------------------------------------------------------- #
+# ASC bundle ID registration                                                  #
+# --------------------------------------------------------------------------- #
+
+def ensure_bundle_id(token: str, identifier: str) -> str:
+    """Return the ASC primary key for ``identifier``; register if missing."""
+    data = get_json(
+        "/bundleIds",
+        token,
+        params={"filter[identifier]": identifier, "limit": "5"},
+    )
+    for item in data.get("data", []):
+        if item["attributes"]["identifier"] == identifier:
+            return item["id"]
+    return _register_bundle_id(token, identifier)
+
+
+def _register_bundle_id(token: str, identifier: str) -> str:
+    body = {
+        "data": {
+            "type": "bundleIds",
+            "attributes": {
+                "identifier": identifier,
+                "name": identifier.replace(".", "-"),
+                "platform": "IOS",
+            },
+        }
+    }
+    resp = request("POST", "/bundleIds", token, json_body=body)
+    bundle_pk = resp.json()["data"]["id"]
+    print(f"Registered new bundle id {identifier!r} (pk={bundle_pk})")
+    return bundle_pk
+
+
+# --------------------------------------------------------------------------- #
+# Profile lifecycle                                                           #
+# --------------------------------------------------------------------------- #
+
+def profile_name_for(bundle_id: str) -> str:
+    """Return the deterministic CI profile name for a bundle id."""
+    return f"{PROFILE_PREFIX}{bundle_id}"
+
+
+def delete_profile_by_name(token: str, name: str) -> None:
+    """Delete every existing profile with the given name (paginated scan)."""
+    deleted_any = False
+    next_path: str | None = "/profiles?limit=200"
+    while next_path:
+        data = get_json(next_path, token)
+        for p in data.get("data", []):
+            if (p["attributes"].get("name") or "") == name:
+                pid = p["id"]
+                print(f"Deleting stale profile {pid} ({name})")
+                request("DELETE", f"/profiles/{pid}", token)
+                deleted_any = True
+        next_link = (data.get("links") or {}).get("next")
+        if not next_link:
+            break
+        # Convert absolute next URL to path component the helper expects.
+        idx = next_link.find("/v1")
+        next_path = next_link[idx + len("/v1"):] if idx >= 0 else None
+    if not deleted_any:
+        print(f"No existing profile named {name!r}")
+
+
+def create_profile(
+    token: str, name: str, bundle_pk: str, cert_id: str
+) -> bytes:
+    """Create an IOS_APP_STORE profile and return its raw (CMS-signed) bytes."""
+    body = {
+        "data": {
+            "type": "profiles",
+            "attributes": {
+                "name": name,
+                "profileType": "IOS_APP_STORE",
+            },
+            "relationships": {
+                "bundleId": {"data": {"type": "bundleIds", "id": bundle_pk}},
+                "certificates": {
+                    "data": [{"type": "certificates", "id": cert_id}]
+                },
+            },
+        }
+    }
+    resp = request("POST", "/profiles", token, json_body=body)
+    payload = resp.json()["data"]["attributes"]["profileContent"]
+    return base64.b64decode(payload)
+
+
+def install_profile(profile_der: bytes) -> str:
+    """Write the .mobileprovision into Xcode's profile dir; return UUID."""
+    PROFILES_DIR.mkdir(parents=True, exist_ok=True)
+    tmp_path = PROFILES_DIR / "tmp.mobileprovision"
+    tmp_path.write_bytes(profile_der)
+    decoded = subprocess.check_output(
+        ["security", "cms", "-D", "-i", str(tmp_path)]
+    )
+    uuid = plistlib.loads(decoded)["UUID"]
+    final_path = PROFILES_DIR / f"{uuid}.mobileprovision"
+    tmp_path.rename(final_path)
+    return uuid
+
+
+# --------------------------------------------------------------------------- #
+# Orchestration                                                               #
+# --------------------------------------------------------------------------- #
+
+def provision_all_bundles(
+    token: str,
+    bundle_ids: list[str],
+    cert_id: str,
+) -> list[tuple[str, str, str]]:
+    """Create + install a CI profile for each bundle id.
+
+    Returns a list of ``(bundle_id, profile_name, uuid)`` tuples in input
+    order so callers can log the full mapping.
+    """
+    results: list[tuple[str, str, str]] = []
+    for bid in bundle_ids:
+        name = profile_name_for(bid)
+        bundle_pk = ensure_bundle_id(token, bid)
+        delete_profile_by_name(token, name)
+        profile_der = create_profile(token, name, bundle_pk, cert_id)
+        uuid = install_profile(profile_der)
+        print(f"Installed provisioning profile {name} -> {uuid} ({bid})")
+        results.append((bid, name, uuid))
+    return results