@daemux/store-automator 0.10.82 → 0.10.83

package/.claude-plugin/marketplace.json

@@ -5,14 +5,14 @@
   },
   "metadata": {
     "description": "App Store & Google Play automation for Flutter apps",
-    "version": "0.10.82"
+    "version": "0.10.83"
   },
   "plugins": [
     {
       "name": "store-automator",
       "source": "./plugins/store-automator",
       "description": "3 agents for app store publishing: reviewer, meta-creator, media-designer",
-      "version": "0.10.82",
+      "version": "0.10.83",
       "keywords": [
         "flutter",
         "app-store",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@daemux/store-automator",
-  "version": "0.10.82",
+  "version": "0.10.83",
   "description": "Full App Store & Google Play automation for Flutter apps with Claude Code agents",
   "type": "module",
   "bin": {

package/plugins/store-automator/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "store-automator",
-  "version": "0.10.82",
+  "version": "0.10.83",
   "description": "App Store & Google Play automation agents for Flutter app publishing",
   "author": {
     "name": "Daemux"

package/templates/scripts/ci/ios-native/pbxproj_editor.py

@@ -0,0 +1,218 @@
+#!/usr/bin/env python3
+"""
+Xcode ``project.pbxproj`` helpers.
+
+Parses native targets and patches their XCBuildConfiguration buildSettings
+blocks with manual signing values, while keeping the file's original
+OpenStep format (comments, ordering, the !$*UTF8*$! header) intact. SwiftPM
+and other non-native targets are ignored so their build settings stay on
+whatever defaults Xcode / SwiftPM picked.
+"""
+
+from __future__ import annotations
+
+import json
+import re
+import subprocess
+from pathlib import Path
+
+
+PROFILE_PREFIX = "CI-"
+
+# Product types that must be signed with a provisioning profile. App
+# extensions share the common ``com.apple.product-type.app-extension``
+# prefix (Message Filter, Widgets, NetworkExtension, WatchKit, etc).
+_SIGNABLE_PRODUCT_TYPES = {
+    "com.apple.product-type.application",
+    "com.apple.product-type.application.on-demand-install-capable",
+    "com.apple.product-type.application.watchapp2",
+    "com.apple.product-type.watchkit2-extension",
+}
+_SIGNABLE_PRODUCT_PREFIXES = (
+    "com.apple.product-type.app-extension",
+)
+
+_SIGNING_KEYS = {
+    "CODE_SIGN_STYLE": "Manual",
+    "CODE_SIGN_IDENTITY": '"Apple Distribution"',
+}
+_STRIP_KEYS = ("PROVISIONING_PROFILE",)
+
+_SETTING_LINE = re.compile(r"^(\s*)([A-Z_][A-Z0-9_]*)\s*=\s*(.+);\s*$")
+
+
+# --------------------------------------------------------------------------- #
+# Parsing                                                                     #
+# --------------------------------------------------------------------------- #
+
+def _load_pbxproj(project_path: str) -> dict:
+    pbx = Path(project_path) / "project.pbxproj"
+    out = subprocess.check_output(
+        ["plutil", "-convert", "json", "-o", "-", str(pbx)]
+    )
+    return json.loads(out)
+
+
+def _is_signable_product_type(product_type: str) -> bool:
+    if product_type in _SIGNABLE_PRODUCT_TYPES:
+        return True
+    return any(product_type.startswith(p) for p in _SIGNABLE_PRODUCT_PREFIXES)
+
+
+def _bundle_id_from_configs(objects: dict, config_ids: list[str]) -> str:
+    """Return the first non-empty bundle id across the given configs."""
+    for cid in config_ids:
+        cfg = objects.get(cid) or {}
+        settings = cfg.get("buildSettings") or {}
+        bid = (settings.get("PRODUCT_BUNDLE_IDENTIFIER") or "").strip()
+        if bid and "$(" not in bid and "${" not in bid:
+            return bid
+    return ""
+
+
+def discover_signable_targets(project_path: str) -> list[dict]:
+    """Return one entry per signable native target.
+
+    Each entry: ``{"name": str, "bundle_id": str, "config_ids": [str,...]}``
+    where ``config_ids`` is the list of XCBuildConfiguration UUIDs whose
+    ``buildSettings`` dict we need to patch (typically Debug + Release).
+    """
+    pbx = _load_pbxproj(project_path)
+    objects = pbx["objects"]
+    targets: list[dict] = []
+    for obj in objects.values():
+        if obj.get("isa") != "PBXNativeTarget":
+            continue
+        if not _is_signable_product_type(obj.get("productType") or ""):
+            continue
+        name = obj.get("name") or "<unknown>"
+        config_list = objects.get(obj.get("buildConfigurationList")) or {}
+        config_ids = list(config_list.get("buildConfigurations") or [])
+        bundle_id = _bundle_id_from_configs(objects, config_ids)
+        if not bundle_id:
+            print(f"skip target {name!r}: no PRODUCT_BUNDLE_IDENTIFIER")
+            continue
+        targets.append(
+            {"name": name, "bundle_id": bundle_id, "config_ids": config_ids}
+        )
+    if not targets:
+        raise SystemExit(
+            f"discover_signable_targets: no signable targets found in "
+            f"{project_path}"
+        )
+    return targets
+
+
+# --------------------------------------------------------------------------- #
+# Mutation                                                                    #
+# --------------------------------------------------------------------------- #
+
+def patch_project_signing(
+    project_path: str,
+    targets: list[dict],
+    team_id: str,
+) -> None:
+    """Set manual signing + per-target profile name for every target.
+
+    Edits the pbxproj as text so formatting (comments, ordering, header)
+    survives. Scope is strictly the XCBuildConfiguration blocks referenced
+    by the ``targets`` list. SwiftPM / resource-bundle configs stay put.
+    """
+    pbx_path = Path(project_path) / "project.pbxproj"
+    text = pbx_path.read_text(encoding="utf-8")
+    for target in targets:
+        profile_name = f"{PROFILE_PREFIX}{target['bundle_id']}"
+        for cid in target["config_ids"]:
+            text = _apply_signing_to_config(text, cid, team_id, profile_name)
+        print(
+            f"Patched {target['name']!r} -> {profile_name} "
+            f"(configs={len(target['config_ids'])})"
+        )
+    pbx_path.write_text(text, encoding="utf-8")
+    subprocess.check_call(["plutil", "-lint", str(pbx_path)])
+
+
+def _apply_signing_to_config(
+    text: str, config_id: str, team_id: str, profile_name: str
+) -> str:
+    start = text.find(f"\t\t{config_id} ")
+    if start < 0:
+        start = text.find(f"\t\t{config_id}\t")
+    if start < 0:
+        start = text.find(f"{config_id} = {{")
+    if start < 0:
+        raise SystemExit(
+            f"patch_project_signing: config {config_id} not found"
+        )
+    key = "buildSettings = {"
+    s_idx = text.find(key, start)
+    if s_idx < 0:
+        raise SystemExit(
+            f"patch_project_signing: buildSettings not found for {config_id}"
+        )
+    end = _match_brace(text, s_idx + len(key) - 1)
+    if end < 0:
+        raise SystemExit(
+            f"patch_project_signing: unbalanced buildSettings for {config_id}"
+        )
+    inner = text[s_idx + len(key): end]
+    patched = _patch_inner_settings(inner, team_id, profile_name)
+    return text[: s_idx + len(key)] + patched + text[end:]
+
+
+def _match_brace(text: str, open_idx: int) -> int:
+    """Return the index of the ``}`` that closes the ``{`` at ``open_idx``."""
+    depth = 0
+    i = open_idx
+    while i < len(text):
+        ch = text[i]
+        if ch == "{":
+            depth += 1
+        elif ch == "}":
+            depth -= 1
+            if depth == 0:
+                return i
+        i += 1
+    return -1
+
+
+def _patch_inner_settings(
+    inner: str, team_id: str, profile_name: str
+) -> str:
+    """Rewrite build-setting lines inside one buildSettings block."""
+    values = dict(_SIGNING_KEYS)
+    values["DEVELOPMENT_TEAM"] = team_id
+    values["PROVISIONING_PROFILE_SPECIFIER"] = f'"{profile_name}"'
+
+    lines = inner.splitlines(keepends=True)
+    emitted: set[str] = set()
+    out: list[str] = []
+    for line in lines:
+        m = _SETTING_LINE.match(line)
+        if not m:
+            out.append(line)
+            continue
+        indent, key_name = m.group(1), m.group(2)
+        if key_name in _STRIP_KEYS:
+            continue
+        if key_name in values:
+            out.append(f"{indent}{key_name} = {values[key_name]};\n")
+            emitted.add(key_name)
+            continue
+        out.append(line)
+
+    missing = [k for k in values if k not in emitted]
+    if missing:
+        indent = "\t\t\t\t"
+        for line in lines:
+            m = _SETTING_LINE.match(line)
+            if m:
+                indent = m.group(1)
+                break
+        tail = out[-1] if out else ""
+        new_lines = [f"{indent}{k} = {values[k]};\n" for k in missing]
+        if tail.strip() == "":
+            out = out[:-1] + new_lines + [tail]
+        else:
+            out = out + new_lines
+    return "".join(out)

package/templates/scripts/ci/ios-native/prepare_signing.py

@@ -44,11 +44,8 @@ from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.primitives.serialization import pkcs12
 from cryptography.x509.oid import NameOID
-from profile_manager import (
-    discover_signable_targets,
-    patch_project_signing,
-    provision_all_bundles,
-)
+from pbxproj_editor import discover_signable_targets, patch_project_signing
+from profile_manager import provision_all_bundles
 
 
 def env(name: str) -> str:
@@ -250,18 +247,37 @@ def main() -> None:
     private_key, csr_b64 = generate_key_and_csr()
     cert_id, cert_der = create_distribution_cert(token, csr_b64.decode())
 
-    mappings = provision_all_bundles(token, bundle_ids, cert_id)
+    mappings, effective_team = provision_all_bundles(token, bundle_ids, cert_id)
     print("Profile map:")
     for bid, pname, uuid in mappings:
         print(f"  {bid} -> {pname} ({uuid})")
 
-    patch_project_signing(project, targets, team_id)
+    # The ASC API key is bound to a single developer team. Every profile it
+    # issues lives in THAT team, so Xcode's DEVELOPMENT_TEAM setting must
+    # match it exactly — otherwise the profile can't be matched to the
+    # target at archive time. If the ci.config.yaml team differs, warn and
+    # use the profile's team as the source of truth.
+    pbx_team = effective_team or team_id
+    if effective_team and effective_team != team_id:
+        print(
+            f"::warning::Config team {team_id} differs from ASC API key's "
+            f"team {effective_team}; patching pbxproj with {effective_team} "
+            "(the team that actually issued the provisioning profiles)."
+        )
+    patch_project_signing(project, targets, pbx_team)
 
     # Persist mapping for downstream Export IPA step (ExportOptions.plist
-    # provisioningProfiles dict).
+    # provisioningProfiles dict). Store the effective team alongside so
+    # Export uses the same team Apple assigned to the profiles.
     map_path = Path(runner_temp) / "signing_map.json"
     map_path.write_text(
-        json.dumps({bid: pname for bid, pname, _ in mappings}, indent=2)
+        json.dumps(
+            {
+                "team_id": pbx_team,
+                "profiles": {bid: pname for bid, pname, _ in mappings},
+            },
+            indent=2,
+        )
     )
     print(f"Wrote signing map to {map_path}")
 

package/templates/scripts/ci/ios-native/profile_manager.py

@@ -1,274 +1,46 @@
 #!/usr/bin/env python3
 """
-Provisioning profile + bundleId helpers for multi-target iOS projects.
+Provisioning profile lifecycle helpers for the iOS native TestFlight action.
 
-Handles:
+Talks to the App Store Connect API to:
 
-* Enumerating every PRODUCT_BUNDLE_IDENTIFIER used by signable targets in an
-  Xcode project. We parse ``project.pbxproj`` directly (via ``plutil -convert
-  json``) rather than rely on ``xcodebuild -showBuildSettings``, which only
-  covers what a given scheme builds. Parsing the pbxproj lets us find every
-  native app + extension target without tripping over SwiftPM resource
-  bundles (whose product types are not signable).
-* Ensuring each bundle ID is registered on App Store Connect.
-* Creating one IOS_APP_STORE provisioning profile per bundle ID, named
-  ``CI-<bundle_id>``, linked to the just-issued distribution cert. If a
-  profile with that name already exists, it is deleted first so we always
-  end up with a profile that references the fresh cert.
-* Installing every profile into the standard Xcode profile directory.
-* Patching the pbxproj in place so each signable target's build settings use
-  manual signing + the freshly-created profile. SwiftPM / resource bundle
-  targets (which cannot carry provisioning profiles) are left untouched.
+* Register a bundle ID if it doesn't exist yet (``ensure_bundle_id``).
+* Delete any stale profile with the same name and create a fresh one that
+  references the just-issued distribution cert (``delete_profile_by_name``,
+  ``create_profile``).
+* Install the resulting ``.mobileprovision`` into every Xcode profile
+  directory (Xcode 15 and Xcode 16+ use different paths).
 
-Kept separate from ``prepare_signing.py`` so both files stay well under the
-400-line cap.
+Xcode pbxproj editing lives in ``pbxproj_editor.py``; this file is
+ASC-facing only.
 """
 
 from __future__ import annotations
 
 import base64
-import json
 import plistlib
-import re
 import subprocess
 from pathlib import Path
 
 from asc_common import get_json, request
+from pbxproj_editor import PROFILE_PREFIX
 
 
-PROFILE_PREFIX = "CI-"
-
-# Xcode 16+ moved the canonical profile directory. Older Xcode releases used
-# ~/Library/MobileDevice/Provisioning Profiles/. We write to BOTH so the same
-# script works on macos-14 (Xcode 15) and macos-15 (Xcode 26).
+# Xcode 16+ moved the canonical profile directory. Older Xcode releases
+# used ~/Library/MobileDevice/Provisioning Profiles/. Write to BOTH so the
+# same script works on macos-14 (Xcode 15) and macos-15 (Xcode 26).
 _PROFILE_DIRS = [
     Path.home() / "Library/Developer/Xcode/UserData/Provisioning Profiles",
     Path.home() / "Library/MobileDevice/Provisioning Profiles",
 ]
 
-# Product types that must be signed with a provisioning profile. App
-# extensions share the common ``com.apple.product-type.app-extension`` prefix
-# (messages, widgets, NetworkExtension, WatchKit, etc).
-_SIGNABLE_PRODUCT_TYPES = {
-    "com.apple.product-type.application",
-    "com.apple.product-type.application.on-demand-install-capable",
-    "com.apple.product-type.application.watchapp2",
-    "com.apple.product-type.watchkit2-extension",
-}
-_SIGNABLE_PRODUCT_PREFIXES = (
-    "com.apple.product-type.app-extension",
-)
-
-
-# --------------------------------------------------------------------------- #
-# pbxproj parsing                                                             #
-# --------------------------------------------------------------------------- #
-
-def _load_pbxproj(project_path: str) -> dict:
-    pbx = Path(project_path) / "project.pbxproj"
-    out = subprocess.check_output(["plutil", "-convert", "json", "-o", "-", str(pbx)])
-    return json.loads(out)
-
-
-def _is_signable_product_type(product_type: str) -> bool:
-    if product_type in _SIGNABLE_PRODUCT_TYPES:
-        return True
-    return any(product_type.startswith(p) for p in _SIGNABLE_PRODUCT_PREFIXES)
-
-
-def discover_signable_targets(project_path: str) -> list[dict]:
-    """Return one entry per signable native target.
-
-    Each entry: ``{"name": str, "bundle_id": str, "config_ids": [str,...]}``
-    where ``config_ids`` is the list of XCBuildConfiguration UUIDs whose
-    ``buildSettings`` dict we need to patch (one per build configuration —
-    typically Debug + Release).
-    """
-    pbx = _load_pbxproj(project_path)
-    objects = pbx["objects"]
-    targets: list[dict] = []
-    for _obj_id, obj in objects.items():
-        if obj.get("isa") != "PBXNativeTarget":
-            continue
-        product_type = obj.get("productType") or ""
-        if not _is_signable_product_type(product_type):
-            continue
-        name = obj.get("name") or "<unknown>"
-        config_list_id = obj.get("buildConfigurationList")
-        config_list = objects.get(config_list_id) or {}
-        config_ids = list(config_list.get("buildConfigurations") or [])
-        bundle_id = _bundle_id_from_configs(objects, config_ids)
-        if not bundle_id:
-            print(f"skip target {name!r}: no PRODUCT_BUNDLE_IDENTIFIER")
-            continue
-        targets.append(
-            {"name": name, "bundle_id": bundle_id, "config_ids": config_ids}
-        )
-    if not targets:
-        raise SystemExit(
-            f"discover_signable_targets: no signable targets found in {project_path}"
-        )
-    return targets
-
-
-def _bundle_id_from_configs(objects: dict, config_ids: list[str]) -> str:
-    """Return the first non-empty bundle id across the given configs."""
-    for cid in config_ids:
-        cfg = objects.get(cid) or {}
-        settings = cfg.get("buildSettings") or {}
-        bid = (settings.get("PRODUCT_BUNDLE_IDENTIFIER") or "").strip()
-        if bid and "$(" not in bid and "${" not in bid:
-            return bid
-    return ""
-
-
-# --------------------------------------------------------------------------- #
-# pbxproj mutation                                                            #
-# --------------------------------------------------------------------------- #
-
-def patch_project_signing(
-    project_path: str,
-    targets: list[dict],
-    team_id: str,
-) -> None:
-    """Set manual signing + per-target profile name for every signable target.
-
-    The pbxproj stays in its original OpenStep format — Xcode is very
-    opinionated about that file and any conversion (to XML/JSON) risks
-    re-ordering keys or dropping comments. Instead, we edit the specific
-    ``XCBuildConfiguration`` blocks by their UUID and inject/replace the
-    handful of keys we care about. Targets outside ``targets`` (most
-    importantly SwiftPM / resource-bundle configs) are untouched.
-    """
-    pbx_path = Path(project_path) / "project.pbxproj"
-    text = pbx_path.read_text(encoding="utf-8")
-
-    for target in targets:
-        profile_name = f"{PROFILE_PREFIX}{target['bundle_id']}"
-        for cid in target["config_ids"]:
-            text = _apply_signing_to_config(text, cid, team_id, profile_name)
-        print(
-            f"Patched {target['name']!r} -> {profile_name} "
-            f"(configs={len(target['config_ids'])})"
-        )
-
-    pbx_path.write_text(text, encoding="utf-8")
-    # Sanity check — plutil -lint rejects malformed output so CI fails
-    # fast before ``xcodebuild`` tries (and mangles) the file.
-    subprocess.check_call(["plutil", "-lint", str(pbx_path)])
-
-
-def _apply_signing_to_config(
-    text: str, config_id: str, team_id: str, profile_name: str
-) -> str:
-    """Return ``text`` with the given XCBuildConfiguration's buildSettings
-    patched for manual signing. Raises ``SystemExit`` if the config block
-    can't be located (indicates a pbxproj format we don't understand).
-    """
-    start = text.find(f"\t\t{config_id} ")
-    if start < 0:
-        start = text.find(f"\t\t{config_id}\t")
-    if start < 0:
-        start = text.find(f"{config_id} = {{")
-    if start < 0:
-        raise SystemExit(
-            f"patch_project_signing: config {config_id} not found in pbxproj"
-        )
-    settings_key = "buildSettings = {"
-    s_idx = text.find(settings_key, start)
-    if s_idx < 0:
-        raise SystemExit(
-            f"patch_project_signing: buildSettings not found for {config_id}"
-        )
-    # Find matching closing '};' for buildSettings — brace-balance forward.
-    depth = 0
-    i = s_idx + len(settings_key) - 1  # position at the opening '{'
-    end = -1
-    while i < len(text):
-        ch = text[i]
-        if ch == "{":
-            depth += 1
-        elif ch == "}":
-            depth -= 1
-            if depth == 0:
-                end = i
-                break
-        i += 1
-    if end < 0:
-        raise SystemExit(
-            f"patch_project_signing: unbalanced buildSettings for {config_id}"
-        )
-    inner = text[s_idx + len(settings_key): end]
-    patched = _patch_inner_settings(inner, team_id, profile_name)
-    return text[: s_idx + len(settings_key)] + patched + text[end:]
-
-
-_SIGNING_KEYS = {
-    "CODE_SIGN_STYLE": "Manual",
-    "CODE_SIGN_IDENTITY": '"Apple Distribution"',
-}
-
-_STRIP_KEYS = ("PROVISIONING_PROFILE",)
-
-
-def _patch_inner_settings(
-    inner: str, team_id: str, profile_name: str
-) -> str:
-    """Rewrite build setting key/value lines inside one buildSettings block."""
-    # Always-set values
-    values = dict(_SIGNING_KEYS)
-    values["DEVELOPMENT_TEAM"] = team_id
-    values["PROVISIONING_PROFILE_SPECIFIER"] = f'"{profile_name}"'
-
-    lines = inner.splitlines(keepends=True)
-    emitted_keys: set[str] = set()
-    out: list[str] = []
-    # Each setting line looks like (whitespace-prefixed):
-    #   KEY = VALUE;
-    # We match leading indent, the key, `= `, the rest.
-    pattern = re.compile(r"^(\s*)([A-Z_][A-Z0-9_]*)\s*=\s*(.+);\s*$")
-
-    for line in lines:
-        m = pattern.match(line)
-        if not m:
-            out.append(line)
-            continue
-        indent, key, _old_value = m.group(1), m.group(2), m.group(3)
-        if key in _STRIP_KEYS:
-            # Drop these keys entirely.
-            continue
-        if key in values:
-            out.append(f"{indent}{key} = {values[key]};\n")
-            emitted_keys.add(key)
-            continue
-        out.append(line)
-
-    # Any key we wanted to set but didn't find — append just before close.
-    missing = [k for k in values if k not in emitted_keys]
-    if missing:
-        # Determine indent from the first KEY= line we can find, else use
-        # two tabs (the pbxproj default).
-        indent = "\t\t\t\t"
-        for line in lines:
-            m = pattern.match(line)
-            if m:
-                indent = m.group(1)
-                break
-        tail = out[-1] if out else ""
-        # Ensure we inject before the trailing whitespace on the last line.
-        new_lines = [f"{indent}{k} = {values[k]};\n" for k in missing]
-        if tail.strip() == "":
-            out = out[:-1] + new_lines + [tail]
-        else:
-            out = out + new_lines
-    return "".join(out)
-
 
 # --------------------------------------------------------------------------- #
 # ASC bundle ID registration                                                  #
 # --------------------------------------------------------------------------- #
 
 def ensure_bundle_id(token: str, identifier: str) -> str:
+    """Return the ASC primary key for ``identifier``; register if missing."""
     data = get_json(
         "/bundleIds",
         token,
@@ -306,6 +78,7 @@ def profile_name_for(bundle_id: str) -> str:
 
 
 def delete_profile_by_name(token: str, name: str) -> None:
+    """Delete every existing profile with the given name (paginated scan)."""
     deleted_any = False
     next_path: str | None = "/profiles?limit=200"
     while next_path:
@@ -348,7 +121,15 @@ def create_profile(
     return base64.b64decode(payload)
 
 
-def install_profile(profile_der: bytes) -> str:
+def install_profile(profile_der: bytes) -> tuple[str, str]:
+    """Install the raw profile into every Xcode-visible directory.
+
+    Returns ``(uuid, team_id)``. ``team_id`` is the team Apple assigned to
+    the profile — the effective team that Xcode expects to find in
+    ``DEVELOPMENT_TEAM``. It may differ from any team value in
+    ci.config.yaml; the ASC API key is bound to exactly one team and every
+    profile it issues inherits that team.
+    """
     primary = _PROFILE_DIRS[0]
     primary.mkdir(parents=True, exist_ok=True)
     tmp_path = primary / "tmp.mobileprovision"
@@ -359,6 +140,7 @@ def install_profile(profile_der: bytes) -> str:
     plist = plistlib.loads(decoded)
     uuid = plist["UUID"]
     team_ids = plist.get("TeamIdentifier") or []
+    team_id = team_ids[0] if team_ids else ""
     profile_name = plist.get("Name") or "<unknown>"
     final_name = f"{uuid}.mobileprovision"
     for directory in _PROFILE_DIRS:
@@ -366,10 +148,10 @@ def install_profile(profile_der: bytes) -> str:
         (directory / final_name).write_bytes(profile_der)
     tmp_path.unlink(missing_ok=True)
     print(
-        f"  profile {profile_name!r}: uuid={uuid} team={team_ids} "
+        f"  profile {profile_name!r}: uuid={uuid} team={team_id} "
         f"dirs={[str(d) for d in _PROFILE_DIRS]}"
     )
-    return uuid
+    return uuid, team_id
 
 
 # --------------------------------------------------------------------------- #
@@ -380,18 +162,24 @@ def provision_all_bundles(
     token: str,
     bundle_ids: list[str],
     cert_id: str,
-) -> list[tuple[str, str, str]]:
+) -> tuple[list[tuple[str, str, str]], str]:
     """Create + install a CI profile for each bundle id.
 
-    Returns a list of ``(bundle_id, profile_name, uuid)`` tuples.
+    Returns ``(mappings, team_id)`` where mappings is a list of
+    ``(bundle_id, profile_name, uuid)`` tuples and ``team_id`` is the
+    team Apple assigned to the profiles (shared — the ASC API key binds
+    every profile it issues to a single team).
     """
     results: list[tuple[str, str, str]] = []
+    effective_team = ""
     for bid in bundle_ids:
         name = profile_name_for(bid)
         bundle_pk = ensure_bundle_id(token, bid)
         delete_profile_by_name(token, name)
         profile_der = create_profile(token, name, bundle_pk, cert_id)
-        uuid = install_profile(profile_der)
+        uuid, team_id = install_profile(profile_der)
+        if team_id:
+            effective_team = team_id
         print(f"Installed provisioning profile {name} -> {uuid} ({bid})")
         results.append((bid, name, uuid))
-    return results
+    return results, effective_team