@daemux/store-automator 0.10.79 → 0.10.81

package/.claude-plugin/marketplace.json

@@ -5,14 +5,14 @@
   },
   "metadata": {
     "description": "App Store & Google Play automation for Flutter apps",
-    "version": "0.10.79"
+    "version": "0.10.81"
   },
   "plugins": [
     {
       "name": "store-automator",
       "source": "./plugins/store-automator",
       "description": "3 agents for app store publishing: reviewer, meta-creator, media-designer",
-      "version": "0.10.79",
+      "version": "0.10.81",
       "keywords": [
         "flutter",
         "app-store",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@daemux/store-automator",
-  "version": "0.10.79",
+  "version": "0.10.81",
   "description": "Full App Store & Google Play automation for Flutter apps with Claude Code agents",
   "type": "module",
   "bin": {

package/plugins/store-automator/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "store-automator",
-  "version": "0.10.79",
+  "version": "0.10.81",
   "description": "App Store & Google Play automation agents for Flutter app publishing",
   "author": {
     "name": "Daemux"

package/templates/scripts/ci/ios-native/prepare_signing.py

@@ -7,26 +7,24 @@ Steps:
   1. Generate an RSA private key + CSR.
   2. Create a new Apple Distribution certificate from the CSR; if the per-team
      cap is hit (409), revoke the newest existing DISTRIBUTION cert and retry.
-  3. Enumerate PRODUCT_BUNDLE_IDENTIFIER for every signable target in the
-     Xcode project / workspace (main app + extensions).
+  3. Discover every signable native target in the Xcode project (main app +
+     extensions like Network Extensions, Widgets, WatchKit apps). SwiftPM
+     resource bundles are skipped — they can't be signed manually.
   4. Register each bundle ID on App Store Connect if missing.
   5. Create one IOS_APP_STORE provisioning profile per bundle ID, named
      ``CI-<bundle_id>``, linked to the new cert (deleting any stale profile
      with the same name so the reference matches the fresh cert).
   6. Install every profile into ``~/Library/MobileDevice/Provisioning Profiles/``.
-  7. Import cert + private key into a temporary keychain placed at the head of
+  7. Patch the pbxproj in place so each signable target's build settings
+     select manual signing + the matching CI profile. SwiftPM targets are
+     left alone — they keep their default automatic (no-sign) config.
+  8. Import cert + private key into a temporary keychain placed at the head of
      the user search list so codesign / xcodebuild can find it.
 
-Pairs with a temporary xcconfig that sets
-``PROVISIONING_PROFILE_SPECIFIER = CI-$(PRODUCT_BUNDLE_IDENTIFIER)``, which
-Xcode resolves per target at build time. This lets apps with Network
-Extensions (and any other aux targets) sign manually in CI without
-per-project pbxproj edits.
-
 Environment inputs:
   ASC_KEY_ID, ASC_ISSUER_ID, ASC_KEY_PATH - App Store Connect API key trio
-  PROJECT or WORKSPACE                    - Xcode project / workspace path
-  SCHEME, CONFIGURATION                   - Scheme + configuration to inspect
+  PROJECT                                 - Xcode project path (.xcodeproj)
+  TEAM_ID                                 - Apple developer team identifier
   RUNNER_TEMP                             - GitHub Actions temp dir
 
 Writes nothing to stdout that would leak secrets.
@@ -46,7 +44,11 @@ from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.primitives.serialization import pkcs12
 from cryptography.x509.oid import NameOID
-from profile_manager import discover_bundle_ids, provision_all_bundles
+from profile_manager import (
+    discover_signable_targets,
+    patch_project_signing,
+    provision_all_bundles,
+)
 
 
 def env(name: str) -> str:
@@ -61,7 +63,6 @@ def optional_env(name: str) -> str:
 
 
 def generate_key_and_csr() -> tuple[rsa.RSAPrivateKey, bytes]:
-    """Return (private_key, csr_payload_b64_bytes)."""
     private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
     csr = (
         x509.CertificateSigningRequestBuilder()
@@ -83,7 +84,6 @@ def generate_key_and_csr() -> tuple[rsa.RSAPrivateKey, bytes]:
 
 
 def newest_distribution_cert_id(token: str) -> str | None:
-    """Return the ID of the most-recently-created DISTRIBUTION cert, or None."""
     data = get_json(
         "/certificates",
         token,
@@ -105,11 +105,6 @@ def newest_distribution_cert_id(token: str) -> str | None:
 
 
 def create_distribution_cert(token: str, csr_b64: str) -> tuple[str, bytes]:
-    """Return (certificate_id, DER-encoded certificate bytes).
-
-    Apple enforces a per-team cap on active Distribution certs. If the POST
-    comes back 409, revoke the newest existing one and retry once.
-    """
     body = {
         "data": {
             "type": "certificates",
@@ -231,20 +226,26 @@ def main() -> None:
     issuer_id = env("ASC_ISSUER_ID")
     asc_key_path = env("ASC_KEY_PATH")
     runner_temp = env("RUNNER_TEMP")
+    team_id = env("TEAM_ID")
 
     project = optional_env("PROJECT")
     workspace = optional_env("WORKSPACE")
-    scheme = env("SCHEME")
-    configuration = env("CONFIGURATION")
-    if not project and not workspace:
+    if workspace and not project:
         raise SystemExit(
-            "prepare_signing: either PROJECT or WORKSPACE env var must be set"
+            "prepare_signing: WORKSPACE-only mode is not supported; the "
+            "underlying .xcodeproj must be passed via PROJECT so we can "
+            "patch its signing settings."
         )
+    if not project:
+        raise SystemExit("prepare_signing: PROJECT env var is required")
 
     token = make_jwt(key_id, issuer_id, asc_key_path)
 
-    bundle_ids = discover_bundle_ids(project, workspace, scheme, configuration)
-    print(f"Bundle ids to provision ({len(bundle_ids)}): {bundle_ids}")
+    targets = discover_signable_targets(project)
+    bundle_ids = sorted({t["bundle_id"] for t in targets})
+    print(f"Signable targets ({len(targets)}):")
+    for t in targets:
+        print(f"  - {t['name']} -> {t['bundle_id']} ({len(t['config_ids'])} configs)")
 
     private_key, csr_b64 = generate_key_and_csr()
     cert_id, cert_der = create_distribution_cert(token, csr_b64.decode())
@@ -254,9 +255,10 @@ def main() -> None:
     for bid, pname, uuid in mappings:
         print(f"  {bid} -> {pname} ({uuid})")
 
-    # Persist the bundle_id -> profile_name map so later steps (exportArchive)
-    # can build ExportOptions.plist's `provisioningProfiles` dict without
-    # re-deriving it. JSON keeps it trivial to parse from bash/python.
+    patch_project_signing(project, targets, team_id)
+
+    # Persist mapping for downstream Export IPA step (ExportOptions.plist
+    # provisioningProfiles dict).
     map_path = Path(runner_temp) / "signing_map.json"
     map_path.write_text(
         json.dumps({bid: pname for bid, pname, _ in mappings}, indent=2)

package/templates/scripts/ci/ios-native/profile_manager.py

@@ -5,14 +5,20 @@ Provisioning profile + bundleId helpers for multi-target iOS projects.
 Handles:
 
 * Enumerating every PRODUCT_BUNDLE_IDENTIFIER used by signable targets in an
-  Xcode project / workspace (main app + extensions like Network Extensions,
-  Widgets, WatchKit apps, etc).
+  Xcode project. We parse ``project.pbxproj`` directly (via ``plutil -convert
+  json``) rather than rely on ``xcodebuild -showBuildSettings``, which only
+  covers what a given scheme builds. Parsing the pbxproj lets us find every
+  native app + extension target without tripping over SwiftPM resource
+  bundles (whose product types are not signable).
 * Ensuring each bundle ID is registered on App Store Connect.
 * Creating one IOS_APP_STORE provisioning profile per bundle ID, named
   ``CI-<bundle_id>``, linked to the just-issued distribution cert. If a
   profile with that name already exists, it is deleted first so we always
   end up with a profile that references the fresh cert.
 * Installing every profile into the standard Xcode profile directory.
+* Patching the pbxproj in place so each signable target's build settings use
+  manual signing + the freshly-created profile. SwiftPM / resource bundle
+  targets (which cannot carry provisioning profiles) are left untouched.
 
 Kept separate from ``prepare_signing.py`` so both files stay well under the
 400-line cap.
@@ -23,6 +29,7 @@ from __future__ import annotations
 import base64
 import json
 import plistlib
+import re
 import subprocess
 from pathlib import Path
 
@@ -32,62 +39,222 @@ from asc_common import get_json, request
 PROFILE_PREFIX = "CI-"
 PROFILES_DIR = Path.home() / "Library/MobileDevice/Provisioning Profiles"
 
+# Product types that must be signed with a provisioning profile. App
+# extensions share the common ``com.apple.product-type.app-extension`` prefix
+# (messages, widgets, NetworkExtension, WatchKit, etc).
+_SIGNABLE_PRODUCT_TYPES = {
+    "com.apple.product-type.application",
+    "com.apple.product-type.application.on-demand-install-capable",
+    "com.apple.product-type.application.watchapp2",
+    "com.apple.product-type.watchkit2-extension",
+}
+_SIGNABLE_PRODUCT_PREFIXES = (
+    "com.apple.product-type.app-extension",
+)
+
 
 # --------------------------------------------------------------------------- #
-# Bundle ID discovery                                                         #
+# pbxproj parsing                                                             #
 # --------------------------------------------------------------------------- #
 
-def discover_bundle_ids(
-    project: str,
-    workspace: str,
-    scheme: str,
-    configuration: str,
-) -> list[str]:
-    """Return the sorted, de-duplicated list of signable bundle IDs.
-
-    Uses ``xcodebuild -showBuildSettings -json`` which returns one settings
-    dictionary per target in the dependency graph for the given scheme. We
-    keep every ``PRODUCT_BUNDLE_IDENTIFIER`` that looks real (non-empty,
-    not a placeholder, contains at least one dot).
+def _load_pbxproj(project_path: str) -> dict:
+    pbx = Path(project_path) / "project.pbxproj"
+    out = subprocess.check_output(["plutil", "-convert", "json", "-o", "-", str(pbx)])
+    return json.loads(out)
+
+
+def _is_signable_product_type(product_type: str) -> bool:
+    if product_type in _SIGNABLE_PRODUCT_TYPES:
+        return True
+    return any(product_type.startswith(p) for p in _SIGNABLE_PRODUCT_PREFIXES)
+
+
+def discover_signable_targets(project_path: str) -> list[dict]:
+    """Return one entry per signable native target.
+
+    Each entry: ``{"name": str, "bundle_id": str, "config_ids": [str,...]}``
+    where ``config_ids`` is the list of XCBuildConfiguration UUIDs whose
+    ``buildSettings`` dict we need to patch (one per build configuration —
+    typically Debug + Release).
     """
-    proj_args = ["-workspace", workspace] if workspace else ["-project", project]
-    cmd = [
-        "xcodebuild",
-        *proj_args,
-        "-scheme", scheme,
-        "-configuration", configuration,
-        "-showBuildSettings",
-        "-json",
-    ]
-    result = subprocess.run(
-        cmd, capture_output=True, text=True, check=True,
-    )
-    settings_list = json.loads(result.stdout or "[]")
-    found: set[str] = set()
-    for entry in settings_list:
-        attrs = entry.get("buildSettings") or {}
-        bundle_id = (attrs.get("PRODUCT_BUNDLE_IDENTIFIER") or "").strip()
-        if _is_real_bundle_id(bundle_id):
-            found.add(bundle_id)
-    if not found:
+    pbx = _load_pbxproj(project_path)
+    objects = pbx["objects"]
+    targets: list[dict] = []
+    for _obj_id, obj in objects.items():
+        if obj.get("isa") != "PBXNativeTarget":
+            continue
+        product_type = obj.get("productType") or ""
+        if not _is_signable_product_type(product_type):
+            continue
+        name = obj.get("name") or "<unknown>"
+        config_list_id = obj.get("buildConfigurationList")
+        config_list = objects.get(config_list_id) or {}
+        config_ids = list(config_list.get("buildConfigurations") or [])
+        bundle_id = _bundle_id_from_configs(objects, config_ids)
+        if not bundle_id:
+            print(f"skip target {name!r}: no PRODUCT_BUNDLE_IDENTIFIER")
+            continue
+        targets.append(
+            {"name": name, "bundle_id": bundle_id, "config_ids": config_ids}
+        )
+    if not targets:
         raise SystemExit(
-            "discover_bundle_ids: no PRODUCT_BUNDLE_IDENTIFIER values found "
-            f"for scheme {scheme!r} (configuration={configuration!r})"
+            f"discover_signable_targets: no signable targets found in {project_path}"
         )
-    return sorted(found)
+    return targets
+
+
+def _bundle_id_from_configs(objects: dict, config_ids: list[str]) -> str:
+    """Return the first non-empty bundle id across the given configs."""
+    for cid in config_ids:
+        cfg = objects.get(cid) or {}
+        settings = cfg.get("buildSettings") or {}
+        bid = (settings.get("PRODUCT_BUNDLE_IDENTIFIER") or "").strip()
+        if bid and "$(" not in bid and "${" not in bid:
+            return bid
+    return ""
 
 
-def _is_real_bundle_id(value: str) -> bool:
-    if not value:
-        return False
-    if "$(" in value or "${" in value:
-        return False
-    if "." not in value:
-        return False
-    # Xcode emits these when a target has no explicit identifier.
-    if value.lower().startswith("com.apple."):
-        return False
-    return True
+# --------------------------------------------------------------------------- #
+# pbxproj mutation                                                            #
+# --------------------------------------------------------------------------- #
+
+def patch_project_signing(
+    project_path: str,
+    targets: list[dict],
+    team_id: str,
+) -> None:
+    """Set manual signing + per-target profile name for every signable target.
+
+    The pbxproj stays in its original OpenStep format — Xcode is very
+    opinionated about that file and any conversion (to XML/JSON) risks
+    re-ordering keys or dropping comments. Instead, we edit the specific
+    ``XCBuildConfiguration`` blocks by their UUID and inject/replace the
+    handful of keys we care about. Targets outside ``targets`` (most
+    importantly SwiftPM / resource-bundle configs) are untouched.
+    """
+    pbx_path = Path(project_path) / "project.pbxproj"
+    text = pbx_path.read_text(encoding="utf-8")
+
+    for target in targets:
+        profile_name = f"{PROFILE_PREFIX}{target['bundle_id']}"
+        for cid in target["config_ids"]:
+            text = _apply_signing_to_config(text, cid, team_id, profile_name)
+        print(
+            f"Patched {target['name']!r} -> {profile_name} "
+            f"(configs={len(target['config_ids'])})"
+        )
+
+    pbx_path.write_text(text, encoding="utf-8")
+    # Sanity check — plutil -lint rejects malformed output so CI fails
+    # fast before ``xcodebuild`` tries (and mangles) the file.
+    subprocess.check_call(["plutil", "-lint", str(pbx_path)])
+
+
+def _apply_signing_to_config(
+    text: str, config_id: str, team_id: str, profile_name: str
+) -> str:
+    """Return ``text`` with the given XCBuildConfiguration's buildSettings
+    patched for manual signing. Raises ``SystemExit`` if the config block
+    can't be located (indicates a pbxproj format we don't understand).
+    """
+    start = text.find(f"\t\t{config_id} ")
+    if start < 0:
+        start = text.find(f"\t\t{config_id}\t")
+    if start < 0:
+        start = text.find(f"{config_id} = {{")
+    if start < 0:
+        raise SystemExit(
+            f"patch_project_signing: config {config_id} not found in pbxproj"
+        )
+    settings_key = "buildSettings = {"
+    s_idx = text.find(settings_key, start)
+    if s_idx < 0:
+        raise SystemExit(
+            f"patch_project_signing: buildSettings not found for {config_id}"
+        )
+    # Find matching closing '};' for buildSettings — brace-balance forward.
+    depth = 0
+    i = s_idx + len(settings_key) - 1  # position at the opening '{'
+    end = -1
+    while i < len(text):
+        ch = text[i]
+        if ch == "{":
+            depth += 1
+        elif ch == "}":
+            depth -= 1
+            if depth == 0:
+                end = i
+                break
+        i += 1
+    if end < 0:
+        raise SystemExit(
+            f"patch_project_signing: unbalanced buildSettings for {config_id}"
+        )
+    inner = text[s_idx + len(settings_key): end]
+    patched = _patch_inner_settings(inner, team_id, profile_name)
+    return text[: s_idx + len(settings_key)] + patched + text[end:]
+
+
+_SIGNING_KEYS = {
+    "CODE_SIGN_STYLE": "Manual",
+    "CODE_SIGN_IDENTITY": '"Apple Distribution"',
+}
+
+_STRIP_KEYS = ("PROVISIONING_PROFILE",)
+
+
+def _patch_inner_settings(
+    inner: str, team_id: str, profile_name: str
+) -> str:
+    """Rewrite build setting key/value lines inside one buildSettings block."""
+    # Always-set values
+    values = dict(_SIGNING_KEYS)
+    values["DEVELOPMENT_TEAM"] = team_id
+    values["PROVISIONING_PROFILE_SPECIFIER"] = f'"{profile_name}"'
+
+    lines = inner.splitlines(keepends=True)
+    emitted_keys: set[str] = set()
+    out: list[str] = []
+    # Each setting line looks like (whitespace-prefixed):
+    #   KEY = VALUE;
+    # We match leading indent, the key, `= `, the rest.
+    pattern = re.compile(r"^(\s*)([A-Z_][A-Z0-9_]*)\s*=\s*(.+);\s*$")
+
+    for line in lines:
+        m = pattern.match(line)
+        if not m:
+            out.append(line)
+            continue
+        indent, key, _old_value = m.group(1), m.group(2), m.group(3)
+        if key in _STRIP_KEYS:
+            # Drop these keys entirely.
+            continue
+        if key in values:
+            out.append(f"{indent}{key} = {values[key]};\n")
+            emitted_keys.add(key)
+            continue
+        out.append(line)
+
+    # Any key we wanted to set but didn't find — append just before close.
+    missing = [k for k in values if k not in emitted_keys]
+    if missing:
+        # Determine indent from the first KEY= line we can find, else use
+        # two tabs (the pbxproj default).
+        indent = "\t\t\t\t"
+        for line in lines:
+            m = pattern.match(line)
+            if m:
+                indent = m.group(1)
+                break
+        tail = out[-1] if out else ""
+        # Ensure we inject before the trailing whitespace on the last line.
+        new_lines = [f"{indent}{k} = {values[k]};\n" for k in missing]
+        if tail.strip() == "":
+            out = out[:-1] + new_lines + [tail]
+        else:
+            out = out + new_lines
+    return "".join(out)
 
 
 # --------------------------------------------------------------------------- #
@@ -95,7 +262,6 @@ def _is_real_bundle_id(value: str) -> bool:
 # --------------------------------------------------------------------------- #
 
 def ensure_bundle_id(token: str, identifier: str) -> str:
-    """Return the ASC primary key for ``identifier``; register if missing."""
     data = get_json(
         "/bundleIds",
         token,
@@ -129,12 +295,10 @@ def _register_bundle_id(token: str, identifier: str) -> str:
 # --------------------------------------------------------------------------- #
 
 def profile_name_for(bundle_id: str) -> str:
-    """Return the deterministic CI profile name for a bundle id."""
     return f"{PROFILE_PREFIX}{bundle_id}"
 
 
 def delete_profile_by_name(token: str, name: str) -> None:
-    """Delete every existing profile with the given name (paginated scan)."""
     deleted_any = False
     next_path: str | None = "/profiles?limit=200"
     while next_path:
@@ -148,7 +312,6 @@ def delete_profile_by_name(token: str, name: str) -> None:
         next_link = (data.get("links") or {}).get("next")
         if not next_link:
             break
-        # Convert absolute next URL to path component the helper expects.
         idx = next_link.find("/v1")
         next_path = next_link[idx + len("/v1"):] if idx >= 0 else None
     if not deleted_any:
@@ -158,7 +321,6 @@ def delete_profile_by_name(token: str, name: str) -> None:
 def create_profile(
     token: str, name: str, bundle_pk: str, cert_id: str
 ) -> bytes:
-    """Create an IOS_APP_STORE profile and return its raw (CMS-signed) bytes."""
     body = {
         "data": {
             "type": "profiles",
@@ -180,7 +342,6 @@ def create_profile(
 
 
 def install_profile(profile_der: bytes) -> str:
-    """Write the .mobileprovision into Xcode's profile dir; return UUID."""
     PROFILES_DIR.mkdir(parents=True, exist_ok=True)
     tmp_path = PROFILES_DIR / "tmp.mobileprovision"
     tmp_path.write_bytes(profile_der)
@@ -204,8 +365,7 @@ def provision_all_bundles(
 ) -> list[tuple[str, str, str]]:
     """Create + install a CI profile for each bundle id.
 
-    Returns a list of ``(bundle_id, profile_name, uuid)`` tuples in input
-    order so callers can log the full mapping.
+    Returns a list of ``(bundle_id, profile_name, uuid)`` tuples.
     """
     results: list[tuple[str, str, str]] = []
     for bid in bundle_ids: