@daemux/store-automator 0.10.85 → 0.10.86

package/.claude-plugin/marketplace.json

@@ -5,14 +5,14 @@
   },
   "metadata": {
     "description": "App Store & Google Play automation for Flutter apps",
-    "version": "0.10.85"
+    "version": "0.10.86"
   },
   "plugins": [
     {
       "name": "store-automator",
       "source": "./plugins/store-automator",
       "description": "3 agents for app store publishing: reviewer, meta-creator, media-designer",
-      "version": "0.10.85",
+      "version": "0.10.86",
       "keywords": [
         "flutter",
         "app-store",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@daemux/store-automator",
-  "version": "0.10.85",
+  "version": "0.10.86",
   "description": "Full App Store & Google Play automation for Flutter apps with Claude Code agents",
   "type": "module",
   "bin": {

package/plugins/store-automator/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "store-automator",
-  "version": "0.10.85",
+  "version": "0.10.86",
   "description": "App Store & Google Play automation agents for Flutter app publishing",
   "author": {
     "name": "Daemux"

package/templates/ios-native-ci.config.yaml.template

@@ -4,7 +4,7 @@
 
 app:
   bundle_id: "com.example.myapp"         # REQUIRED
-  team_id: "ABCDE12345"                  # optional (used for manual signing)
+  team_id: "ABCDE12345"                  # optional — auto-derived from ASC API key when omitted
   app_store_apple_id: ""                 # optional — auto-discovered via ASC API by bundle_id
 
 xcode:

package/templates/scripts/ci/ios-native/cfg_resolve.py

@@ -27,7 +27,9 @@ from typing import Any
 
 import yaml
 
+from asc_common import make_jwt
 from cfg_io import fail, log, notice
+from team_resolver import derive_team_id
 
 
 P8_RE = re.compile(
@@ -188,6 +190,31 @@ def find_p8(workspace: Path, cfg: dict) -> tuple[Path, str, str | None]:
     )
 
 
+def derive_team_if_empty(
+    team_val: str,
+    team_src: str,
+    creds: dict,
+) -> tuple[str, str]:
+    """If team_val is empty, derive from ASC API; return (value, source).
+
+    Leaves non-empty team_val untouched. When derivation succeeds, source
+    becomes ``derived_from_asc_key`` so read_config.py can log it clearly.
+    When derivation returns empty, we preserve ("", "empty") so
+    prepare_signing.py's post-profile-install fallback kicks in.
+    """
+    if team_val:
+        return team_val, team_src
+    try:
+        token = make_jwt(creds["key_id"], creds["issuer_id"], creds["key_path"])
+    except (OSError, ValueError) as exc:
+        log(f"team derivation skipped: cannot sign ASC JWT ({exc!r})")
+        return "", "empty"
+    derived = derive_team_id(token)
+    if not derived:
+        return "", "empty"
+    return derived, "derived_from_asc_key"
+
+
 def lookup_app_id_via_api(bundle_id: str, scripts_dir: Path) -> str:
     """Invoke lookup_app_id.py to resolve apple_id via ASC API."""
     import subprocess

package/templates/scripts/ci/ios-native/prepare_signing.py

@@ -25,6 +25,9 @@ Environment inputs:
   ASC_KEY_ID, ASC_ISSUER_ID, ASC_KEY_PATH - App Store Connect API key trio
   PROJECT                                 - Xcode project path (.xcodeproj)
   TEAM_ID                                 - Apple developer team identifier
+                                            (optional; derived from the
+                                            installed provisioning profile
+                                            when empty)
   RUNNER_TEMP                             - GitHub Actions temp dir
 
 Writes nothing to stdout that would leak secrets.
@@ -223,7 +226,14 @@ def main() -> None:
     issuer_id = env("ASC_ISSUER_ID")
     asc_key_path = env("ASC_KEY_PATH")
     runner_temp = env("RUNNER_TEMP")
-    team_id = env("TEAM_ID")
+    # TEAM_ID is optional: the ASC API key is bound to one developer team,
+    # and every profile it issues inherits that team. provision_all_bundles
+    # returns that ``effective_team`` read straight from the installed
+    # profile's plist — which is the authoritative value Xcode will look
+    # for in DEVELOPMENT_TEAM. Upstream (read_config.py) also tries to
+    # derive team_id via GET-only ASC endpoints and pass it here as a
+    # convenience for logging and xcconfig patching.
+    team_id = optional_env("TEAM_ID")
 
     project = optional_env("PROJECT")
     workspace = optional_env("WORKSPACE")
@@ -258,7 +268,15 @@ def main() -> None:
     # target at archive time. If the ci.config.yaml team differs, warn and
     # use the profile's team as the source of truth.
     pbx_team = effective_team or team_id
-    if effective_team and effective_team != team_id:
+    if not pbx_team:
+        raise SystemExit(
+            "Unable to determine Apple developer team. The installed "
+            "provisioning profile did not expose a TeamIdentifier and no "
+            "TEAM_ID was provided. Set `app.team_id` in ci.config.yaml. "
+            "Find your team id at https://developer.apple.com/account -> "
+            "Membership (look for 'Team ID')."
+        )
+    if effective_team and team_id and effective_team != team_id:
         print(
             f"::warning::Config team {team_id} differs from ASC API key's "
             f"team {effective_team}; patching pbxproj with {effective_team} "

package/templates/scripts/ci/ios-native/read_config.py

@@ -57,6 +57,7 @@ from cfg_io import fail, log
 from cfg_resolve import (
     as_str_bool,
     auto_project_glob,
+    derive_team_if_empty,
     dig,
     emit,
     find_p8,
@@ -154,6 +155,18 @@ def resolve_app(cfg: dict, inp: dict, creds: dict, scripts_dir: Path) -> dict:
     bundle = resolve(inp["BUNDLE_ID"], bundle_cfg, cfg_source=bundle_src)
     team = resolve(inp["TEAM_ID"], team_cfg, cfg_source=team_src)
 
+    # team_id is documented as optional because the ASC API key is bound to
+    # exactly one developer team. If input + config both empty, derive it
+    # via GET-only ASC endpoints (cert OU, then profile plist).
+    if not team[0]:
+        derived_val, derived_src = derive_team_if_empty(team[0], team[1], creds)
+        if derived_val:
+            log(
+                f"derived team_id={derived_val} from ASC key "
+                f"{creds['key_id']}"
+            )
+            team = (derived_val, derived_src)
+
     if inp["APP_STORE_APPLE_ID"]:
         apple = (inp["APP_STORE_APPLE_ID"], "input")
     elif apple_cfg not in (None, ""):

package/templates/scripts/ci/ios-native/team_resolver.py

@@ -0,0 +1,130 @@
+#!/usr/bin/env python3
+"""
+Derive the Apple developer team identifier from an App Store Connect API key.
+
+Why:
+    ``ci.config.yaml`` lists ``app.team_id`` as optional because the ASC API
+    key is always bound to exactly one team — so it's derivable. This module
+    implements that derivation via GET-only endpoints so the first CI run on
+    a fresh repo works without pre-seeding the team id.
+
+Strategy (GET-only, no resource creation):
+    1. ``GET /v1/certificates?limit=1&sort=-id`` — any Distribution /
+       Development cert carries the team id in its Subject's Organizational
+       Unit (OU) attribute. Most teams already have at least one.
+    2. If no certs exist: ``GET /v1/profiles?limit=1`` — the attached
+       ``profileContent`` (base64-encoded ``.mobileprovision``) contains the
+       ``TeamIdentifier`` array in its plist payload. Profiles are CMS-signed
+       in production, so we fall back to ``security cms -D`` when
+       ``plistlib.loads`` refuses the raw bytes. When ``security`` isn't
+       available (unit tests), the test substitutes its own plist.
+    3. If neither yields a team, return "" — the caller decides whether to
+       fail with an actionable message or defer to ``prepare_signing.py``'s
+       post-profile-install fallback.
+
+The returned team id is a 10-character alphanumeric string (Apple's format).
+"""
+
+from __future__ import annotations
+
+import base64
+import plistlib
+import subprocess
+from typing import Any
+
+from asc_common import get_json
+from cryptography import x509
+from cryptography.x509.oid import NameOID
+
+
+def _team_from_cert_der(cert_der: bytes) -> str:
+    """Return OU attribute from the cert's Subject, or '' if absent/malformed."""
+    try:
+        cert = x509.load_der_x509_certificate(cert_der)
+    except (ValueError, TypeError):
+        return ""
+    ou_attrs = cert.subject.get_attributes_for_oid(NameOID.ORGANIZATIONAL_UNIT_NAME)
+    if not ou_attrs:
+        return ""
+    value = ou_attrs[0].value
+    if isinstance(value, bytes):
+        value = value.decode(errors="replace")
+    return str(value).strip()
+
+
+def _team_from_asc_certificates(token: str) -> str:
+    """Try GET /certificates and parse OU from the first cert's DER."""
+    data = get_json(
+        "/certificates",
+        token,
+        params={"limit": "1", "sort": "-id"},
+    )
+    items = data.get("data", []) if isinstance(data, dict) else []
+    if not items:
+        return ""
+    first = items[0]
+    attrs = first.get("attributes") or {}
+    b64 = attrs.get("certificateContent")
+    if not b64:
+        return ""
+    try:
+        cert_der = base64.b64decode(b64)
+    except (ValueError, TypeError):
+        return ""
+    return _team_from_cert_der(cert_der)
+
+
+def _team_from_profile_plist(profile_bytes: bytes) -> str:
+    """Extract TeamIdentifier[0] from a mobileprovision plist payload."""
+    plist: Any
+    try:
+        plist = plistlib.loads(profile_bytes)
+    except (plistlib.InvalidFileException, ValueError, OSError):
+        # Real profiles are CMS-signed — strip the envelope via `security cms`.
+        try:
+            decoded = subprocess.check_output(
+                ["security", "cms", "-D", "-i", "/dev/stdin"],
+                input=profile_bytes,
+            )
+        except (subprocess.CalledProcessError, FileNotFoundError, OSError):
+            return ""
+        try:
+            plist = plistlib.loads(decoded)
+        except (plistlib.InvalidFileException, ValueError, OSError):
+            return ""
+    if not isinstance(plist, dict):
+        return ""
+    teams = plist.get("TeamIdentifier") or []
+    if isinstance(teams, list) and teams:
+        return str(teams[0]).strip()
+    return ""
+
+
+def _team_from_asc_profiles(token: str) -> str:
+    """Try GET /profiles and parse TeamIdentifier from the first profile's plist."""
+    data = get_json("/profiles", token, params={"limit": "1"})
+    items = data.get("data", []) if isinstance(data, dict) else []
+    if not items:
+        return ""
+    attrs = items[0].get("attributes") or {}
+    b64 = attrs.get("profileContent")
+    if not b64:
+        return ""
+    try:
+        profile_bytes = base64.b64decode(b64)
+    except (ValueError, TypeError):
+        return ""
+    return _team_from_profile_plist(profile_bytes)
+
+
+def derive_team_id(token: str) -> str:
+    """Derive the developer team id bound to the ASC API key.
+
+    Returns the 10-char team identifier, or "" when neither a certificate
+    nor a provisioning profile exposes it. Never raises on missing data;
+    only propagates network / auth failures from the underlying ASC client.
+    """
+    team = _team_from_asc_certificates(token)
+    if team:
+        return team
+    return _team_from_asc_profiles(token)