@daemux/store-automator 0.10.85 → 0.10.87

package/.claude-plugin/marketplace.json

@@ -5,14 +5,14 @@
   },
   "metadata": {
     "description": "App Store & Google Play automation for Flutter apps",
-    "version": "0.10.85"
+    "version": "0.10.87"
   },
   "plugins": [
     {
       "name": "store-automator",
       "source": "./plugins/store-automator",
       "description": "3 agents for app store publishing: reviewer, meta-creator, media-designer",
-      "version": "0.10.85",
+      "version": "0.10.87",
       "keywords": [
         "flutter",
         "app-store",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@daemux/store-automator",
-  "version": "0.10.85",
+  "version": "0.10.87",
   "description": "Full App Store & Google Play automation for Flutter apps with Claude Code agents",
   "type": "module",
   "bin": {

package/plugins/store-automator/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "store-automator",
-  "version": "0.10.85",
+  "version": "0.10.87",
   "description": "App Store & Google Play automation agents for Flutter app publishing",
   "author": {
     "name": "Daemux"

package/templates/github/IOS_NATIVE_CI_SETUP.md

@@ -1,6 +1,8 @@
 # iOS Native TestFlight CI — Setup Guide
 
-Drop-in TestFlight automation for native Swift/SwiftUI iOS apps. One workflow, one config file, one credential file. All logic lives in the shared composite action `daemux/daemux-plugins/.github/actions/ios-native-testflight`.
+Drop-in TestFlight automation for native Swift/SwiftUI iOS apps. One workflow, one credential file — and optionally a config file. All logic lives in the shared composite action `daemux/daemux-plugins/.github/actions/ios-native-testflight`.
+
+**As of v0.18.0, `ci.config.yaml` is entirely optional.** With just `creds/AuthKey_*.p8` at the repo root and the 18-line `deploy.yml`, CI auto-detects your project, workspace, scheme, bundle id, team id, and App Store Connect app id. Add a `ci.config.yaml` only when you need to override auto-detection (e.g., multiple `.xcodeproj` at root, a non-application scheme, a pinned configuration).
 
 ## Prerequisites
 
@@ -13,14 +15,16 @@ Drop-in TestFlight automation for native Swift/SwiftUI iOS apps. One workflow, o
 
 Copy `.github/workflows/deploy.yml` verbatim from this template. No edits required. It triggers on push to `main` and via `workflow_dispatch`.
 
-## Step 2 — Copy `ci.config.yaml`
+## Step 2 — (Optional) Copy `ci.config.yaml`
 
-Copy `ios-native-ci.config.yaml.template` to your repo root as `ci.config.yaml`. Fill in:
+**Skip this step entirely** unless you need to override auto-detection. The CI figures out sane defaults for every field from your Xcode project.
 
-- `app.bundle_id` — REQUIRED (must match your App Store Connect app record).
-- `xcode.scheme` — REQUIRED (the shared scheme the CI should archive).
+If you want explicit control, copy `ios-native-ci.config.yaml.template` to your repo root as `ci.config.yaml` and set just the fields you want to pin:
 
-Every other field has a sensible default. `xcode.project` auto-detects if there is exactly one `*.xcodeproj` at the repo root. `app.app_store_apple_id` is auto-discovered via the ASC API from the bundle id.
+- `xcode.project` — if you have multiple `*.xcodeproj` at the repo root.
+- `xcode.scheme` — if you have multiple application-type schemes.
+- `app.bundle_id` — if auto-detect picks the wrong one (rare).
+- Everything else has a sensible default.
 
 ## Step 3 — Drop in the ASC API key
 
@@ -49,6 +53,16 @@ Leave your Xcode project's `MARKETING_VERSION` at `1.0` initially. CI auto-rolls
 
 ## Step 6 — Push to `main`
 
+Minimal (no config file):
+
+```bash
+git add .github/workflows/deploy.yml creds/AuthKey_*.p8
+git commit -m "ci: add iOS TestFlight pipeline"
+git push origin main
+```
+
+With an optional config file:
+
 ```bash
 git add .github/workflows/deploy.yml ci.config.yaml creds/AuthKey_*.p8
 git commit -m "ci: add iOS TestFlight pipeline"

package/templates/ios-native-ci.config.yaml.template

@@ -1,16 +1,29 @@
-# iOS TestFlight CI configuration — read by daemux/daemux-plugins/.github/actions/ios-native-testflight
-# Place this at the repo root as ci.config.yaml.
-# Also place your ASC API key at creds/AuthKey_<KEY_ID>_Issuer_<ISSUER_UUID>.p8
+# iOS TestFlight CI configuration — OPTIONAL
+#
+# This file is entirely OPTIONAL. Omit it to let CI auto-detect everything
+# from your Xcode project:
+#
+#   - xcode.project      -> glob *.xcodeproj / *.xcworkspace at repo root
+#   - xcode.scheme       -> pick the single application-type scheme
+#   - app.bundle_id      -> PRODUCT_BUNDLE_IDENTIFIER from xcodebuild
+#   - app.team_id        -> derived from your ASC API key
+#   - app.app_store_apple_id -> looked up via ASC API by bundle_id
+#
+# Set any subset of values below to override auto-detection. All fields are
+# optional; only add what you need to disambiguate or pin.
+#
+# Consumed by daemux/daemux-plugins/.github/actions/ios-native-testflight.
+# Required regardless: creds/AuthKey_<KEY_ID>_Issuer_<ISSUER_UUID>.p8
 
 app:
-  bundle_id: "com.example.myapp"         # REQUIRED
-  team_id: "ABCDE12345"                  # optional (used for manual signing)
-  app_store_apple_id: ""                 # optional — auto-discovered via ASC API by bundle_id
+  bundle_id: "com.example.myapp"         # optional — auto-detected from xcodebuild
+  team_id: "ABCDE12345"                  # optional — auto-derived from ASC API key
+  app_store_apple_id: ""                 # optional — auto-discovered via ASC API
 
 xcode:
-  project: ""                            # auto-detected if exactly one *.xcodeproj at root
-  workspace: ""                          # wins over project when set
-  scheme: "MyApp"                        # REQUIRED — no safe auto-detect
+  project: ""                            # optional — auto-detected (*.xcodeproj at root)
+  workspace: ""                          # optional — wins over project when set
+  scheme: "MyApp"                        # optional — auto-picks application-type scheme
   configuration: "Release"               # default: Release
   profile_name: ""                       # default: "<scheme> CI"
 

package/templates/scripts/ci/ios-native/auto_detect.py

@@ -0,0 +1,274 @@
+#!/usr/bin/env python3
+"""
+Xcode project / scheme / bundle_id auto-detection.
+
+Ported from gowalk-step/fastlane_standalone.sh — keeps us in Python (our
+ecosystem) while still shelling out to ``xcodebuild`` for the two queries
+only it can reliably answer:
+
+    ``xcodebuild -list -json``                  -> enumerate schemes
+    ``xcodebuild -showBuildSettings -json``     -> PRODUCT_TYPE + bundle id
+
+The detection lets ``ci.config.yaml`` become entirely optional: with just
+``creds/AuthKey_*.p8`` + the 18-line ``deploy.yml`` the pipeline can still
+figure out what to build.
+
+Rules (kept intentionally boring — if auto-detect is ambiguous we log a
+warning and return a deterministic choice, falling back to a clear
+``::error::`` only when truly nothing works):
+
+1. ``auto_detect_project(workspace)``
+   - Prefer a single ``*.xcworkspace`` at the repo root.
+   - Else a single ``*.xcodeproj``.
+   - When multiple ``.xcodeproj`` exist, prefer one matching the repo
+     basename, else alphabetically first (with a warning).
+
+2. ``auto_detect_scheme(workspace, project, workspace_file)``
+   - ``xcodebuild -list -json`` to enumerate schemes.
+   - For each scheme, ``-showBuildSettings -json`` and keep those whose
+     ``PRODUCT_TYPE == com.apple.product-type.application``.
+   - Single application scheme -> that one. Multiple: prefer repo-basename
+     match, else alphabetical first.
+
+3. ``auto_detect_bundle_id(workspace, project, workspace_file, scheme, configuration)``
+   - Read ``PRODUCT_BUNDLE_IDENTIFIER`` from the same ``-showBuildSettings``
+     invocation (cached from step 2 when possible).
+   - Reject unresolved variable references like ``$(PRODUCT_NAME)``.
+
+All xcodebuild invocations are cached per-process so repeated calls in the
+same ``read_config.py`` run don't re-shell.
+"""
+
+from __future__ import annotations
+
+import json
+import subprocess
+from pathlib import Path
+from typing import Optional
+
+from cfg_io import log, notice
+
+
+APP_PRODUCT_TYPE = "com.apple.product-type.application"
+# Timeouts (seconds) — xcodebuild can hang on missing toolchains or
+# package resolution. CI should fail fast rather than spin forever.
+LIST_TIMEOUT = 60
+SETTINGS_TIMEOUT = 120
+
+# Process-local caches keyed by (project, workspace_file) or
+# (project, workspace_file, scheme, configuration). Cleared between test
+# cases via ``_clear_caches`` but otherwise persist for the lifetime of
+# the read_config.py process.
+_list_cache: dict[tuple, Optional[list[str]]] = {}
+_settings_cache: dict[tuple, Optional[dict]] = {}
+
+
+def _clear_caches() -> None:
+    """Reset caches — used by tests. Not part of the public API."""
+    _list_cache.clear()
+    _settings_cache.clear()
+
+
+def auto_detect_project(workspace: Path) -> tuple[str, str]:
+    """Discover the repo-root Xcode project / workspace.
+
+    Returns ``(project, workspace_file)`` where exactly one is a non-empty
+    filename. ``("", "")`` means nothing was found.
+    """
+    workspaces = sorted(workspace.glob("*.xcworkspace"))
+    if workspaces:
+        picked = _pick_by_basename(workspaces, workspace, "xcworkspace")
+        log(f"auto-detect: workspace={picked.name}")
+        return "", picked.name
+
+    projects = sorted(workspace.glob("*.xcodeproj"))
+    if not projects:
+        return "", ""
+    picked = _pick_by_basename(projects, workspace, "xcodeproj")
+    log(f"auto-detect: project={picked.name}")
+    return picked.name, ""
+
+
+def _pick_by_basename(matches: list[Path], workspace: Path, label: str) -> Path:
+    """Pick the match whose name stem equals the repo basename, else first."""
+    if len(matches) == 1:
+        return matches[0]
+    repo_base = workspace.resolve().name.lower()
+    for match in matches:
+        if match.stem.lower() == repo_base:
+            return match
+    notice(
+        f"multiple *.{label} found; picking {matches[0].name} alphabetically. "
+        f"Set xcode.project in ci.config.yaml to disambiguate."
+    )
+    return matches[0]
+
+
+def _list_schemes(
+    workspace: Path, project: str, workspace_file: str
+) -> Optional[list[str]]:
+    """Run ``xcodebuild -list -json`` and return the schemes list (cached)."""
+    key = (project, workspace_file)
+    if key in _list_cache:
+        return _list_cache[key]
+
+    cmd = ["xcodebuild", "-list", "-json"]
+    if workspace_file:
+        cmd += ["-workspace", workspace_file]
+    elif project:
+        cmd += ["-project", project]
+    else:
+        _list_cache[key] = None
+        return None
+
+    try:
+        result = subprocess.run(
+            cmd, cwd=str(workspace), capture_output=True, text=True,
+            timeout=LIST_TIMEOUT,
+        )
+    except (OSError, subprocess.TimeoutExpired) as exc:
+        log(f"auto-detect: xcodebuild -list failed: {exc!r}")
+        _list_cache[key] = None
+        return None
+
+    if result.returncode != 0:
+        log(
+            f"auto-detect: xcodebuild -list returned {result.returncode}: "
+            f"{result.stderr.strip()}"
+        )
+        _list_cache[key] = None
+        return None
+
+    try:
+        data = json.loads(result.stdout)
+    except json.JSONDecodeError as exc:
+        log(f"auto-detect: xcodebuild -list produced invalid JSON: {exc!r}")
+        _list_cache[key] = None
+        return None
+
+    # Workspace output has {"workspace": {"schemes": [...]}}; project has
+    # {"project": {"schemes": [...]}}.
+    container = data.get("workspace") or data.get("project") or {}
+    schemes = container.get("schemes") or []
+    _list_cache[key] = list(schemes)
+    return _list_cache[key]
+
+
+def _show_build_settings(
+    workspace: Path,
+    project: str,
+    workspace_file: str,
+    scheme: str,
+    configuration: str,
+) -> Optional[dict]:
+    """Run ``xcodebuild -showBuildSettings -json`` and return buildSettings (cached)."""
+    key = (project, workspace_file, scheme, configuration or "Release")
+    if key in _settings_cache:
+        return _settings_cache[key]
+
+    cmd = ["xcodebuild", "-showBuildSettings", "-json", "-scheme", scheme]
+    if configuration:
+        cmd += ["-configuration", configuration]
+    if workspace_file:
+        cmd += ["-workspace", workspace_file]
+    elif project:
+        cmd += ["-project", project]
+    else:
+        _settings_cache[key] = None
+        return None
+
+    try:
+        result = subprocess.run(
+            cmd, cwd=str(workspace), capture_output=True, text=True,
+            timeout=SETTINGS_TIMEOUT,
+        )
+    except (OSError, subprocess.TimeoutExpired) as exc:
+        log(f"auto-detect: showBuildSettings({scheme!r}) failed: {exc!r}")
+        _settings_cache[key] = None
+        return None
+
+    if result.returncode != 0:
+        log(
+            f"auto-detect: showBuildSettings({scheme!r}) returned "
+            f"{result.returncode}: {result.stderr.strip()}"
+        )
+        _settings_cache[key] = None
+        return None
+
+    try:
+        data = json.loads(result.stdout)
+    except json.JSONDecodeError as exc:
+        log(f"auto-detect: showBuildSettings({scheme!r}) invalid JSON: {exc!r}")
+        _settings_cache[key] = None
+        return None
+
+    if not isinstance(data, list) or not data:
+        _settings_cache[key] = None
+        return None
+    settings = data[0].get("buildSettings") or {}
+    _settings_cache[key] = settings if isinstance(settings, dict) else None
+    return _settings_cache[key]
+
+
+def auto_detect_scheme(
+    workspace: Path, project: str, workspace_file: str
+) -> Optional[str]:
+    """Pick the single ``com.apple.product-type.application`` scheme."""
+    schemes = _list_schemes(workspace, project, workspace_file)
+    if not schemes:
+        return None
+
+    app_schemes: list[str] = []
+    for scheme in schemes:
+        settings = _show_build_settings(
+            workspace, project, workspace_file, scheme, "Release",
+        )
+        if not settings:
+            continue
+        if settings.get("PRODUCT_TYPE") == APP_PRODUCT_TYPE:
+            app_schemes.append(scheme)
+
+    if not app_schemes:
+        return None
+    if len(app_schemes) == 1:
+        log(f"auto-detect: scheme={app_schemes[0]}")
+        return app_schemes[0]
+
+    repo_base = workspace.resolve().name.lower()
+    for scheme in app_schemes:
+        if scheme.lower() == repo_base:
+            log(f"auto-detect: scheme={scheme} (basename match)")
+            return scheme
+
+    picked = sorted(app_schemes)[0]
+    notice(
+        f"multiple application schemes found ({', '.join(sorted(app_schemes))}); "
+        f"picking {picked} alphabetically. Set xcode.scheme in ci.config.yaml "
+        f"to disambiguate."
+    )
+    return picked
+
+
+def auto_detect_bundle_id(
+    workspace: Path,
+    project: str,
+    workspace_file: str,
+    scheme: str,
+    configuration: str,
+) -> Optional[str]:
+    """Extract ``PRODUCT_BUNDLE_IDENTIFIER`` for the given scheme/config."""
+    settings = _show_build_settings(
+        workspace, project, workspace_file, scheme, configuration or "Release",
+    )
+    if not settings:
+        return None
+    bundle = settings.get("PRODUCT_BUNDLE_IDENTIFIER")
+    if not bundle or not isinstance(bundle, str):
+        return None
+    # xcodebuild sometimes emits unresolved variable references when build
+    # settings depend on xcconfig files that aren't in the default context.
+    if "$(" in bundle or bundle.startswith("$") or "=" in bundle:
+        log(f"auto-detect: bundle_id {bundle!r} contains unresolved variable — rejecting")
+        return None
+    log(f"auto-detect: bundle_id={bundle}")
+    return bundle

package/templates/scripts/ci/ios-native/cfg_resolve.py

@@ -27,7 +27,9 @@ from typing import Any
 
 import yaml
 
+from asc_common import make_jwt
 from cfg_io import fail, log, notice
+from team_resolver import derive_team_id
 
 
 P8_RE = re.compile(
@@ -188,6 +190,31 @@ def find_p8(workspace: Path, cfg: dict) -> tuple[Path, str, str | None]:
     )
 
 
+def derive_team_if_empty(
+    team_val: str,
+    team_src: str,
+    creds: dict,
+) -> tuple[str, str]:
+    """If team_val is empty, derive from ASC API; return (value, source).
+
+    Leaves non-empty team_val untouched. When derivation succeeds, source
+    becomes ``derived_from_asc_key`` so read_config.py can log it clearly.
+    When derivation returns empty, we preserve ("", "empty") so
+    prepare_signing.py's post-profile-install fallback kicks in.
+    """
+    if team_val:
+        return team_val, team_src
+    try:
+        token = make_jwt(creds["key_id"], creds["issuer_id"], creds["key_path"])
+    except (OSError, ValueError) as exc:
+        log(f"team derivation skipped: cannot sign ASC JWT ({exc!r})")
+        return "", "empty"
+    derived = derive_team_id(token)
+    if not derived:
+        return "", "empty"
+    return derived, "derived_from_asc_key"
+
+
 def lookup_app_id_via_api(bundle_id: str, scripts_dir: Path) -> str:
     """Invoke lookup_app_id.py to resolve apple_id via ASC API."""
     import subprocess

package/templates/scripts/ci/ios-native/prepare_signing.py

@@ -25,6 +25,9 @@ Environment inputs:
   ASC_KEY_ID, ASC_ISSUER_ID, ASC_KEY_PATH - App Store Connect API key trio
   PROJECT                                 - Xcode project path (.xcodeproj)
   TEAM_ID                                 - Apple developer team identifier
+                                            (optional; derived from the
+                                            installed provisioning profile
+                                            when empty)
   RUNNER_TEMP                             - GitHub Actions temp dir
 
 Writes nothing to stdout that would leak secrets.
@@ -223,7 +226,14 @@ def main() -> None:
     issuer_id = env("ASC_ISSUER_ID")
     asc_key_path = env("ASC_KEY_PATH")
     runner_temp = env("RUNNER_TEMP")
-    team_id = env("TEAM_ID")
+    # TEAM_ID is optional: the ASC API key is bound to one developer team,
+    # and every profile it issues inherits that team. provision_all_bundles
+    # returns that ``effective_team`` read straight from the installed
+    # profile's plist — which is the authoritative value Xcode will look
+    # for in DEVELOPMENT_TEAM. Upstream (read_config.py) also tries to
+    # derive team_id via GET-only ASC endpoints and pass it here as a
+    # convenience for logging and xcconfig patching.
+    team_id = optional_env("TEAM_ID")
 
     project = optional_env("PROJECT")
     workspace = optional_env("WORKSPACE")
@@ -258,7 +268,15 @@ def main() -> None:
     # target at archive time. If the ci.config.yaml team differs, warn and
     # use the profile's team as the source of truth.
     pbx_team = effective_team or team_id
-    if effective_team and effective_team != team_id:
+    if not pbx_team:
+        raise SystemExit(
+            "Unable to determine Apple developer team. The installed "
+            "provisioning profile did not expose a TeamIdentifier and no "
+            "TEAM_ID was provided. Set `app.team_id` in ci.config.yaml. "
+            "Find your team id at https://developer.apple.com/account -> "
+            "Membership (look for 'Team ID')."
+        )
+    if effective_team and team_id and effective_team != team_id:
         print(
             f"::warning::Config team {team_id} differs from ASC API key's "
             f"team {effective_team}; patching pbxproj with {effective_team} "

package/templates/scripts/ci/ios-native/read_config.py

@@ -53,10 +53,12 @@ from __future__ import annotations
 import os
 from pathlib import Path
 
+import auto_detect
 from cfg_io import fail, log
 from cfg_resolve import (
     as_str_bool,
     auto_project_glob,
+    derive_team_if_empty,
     dig,
     emit,
     find_p8,
@@ -106,8 +108,49 @@ def emit_credentials(env_file: Path, cfg: dict, workspace: Path) -> dict:
     return {"key_id": str(asc_key_id), "issuer_id": str(asc_issuer), "key_path": str(p8_path)}
 
 
+def _auto_detect_bundle_if_empty(
+    bundle: tuple[str, str],
+    workspace: Path | None,
+    xcode: dict | None,
+) -> tuple[str, str]:
+    """Call auto_detect_bundle_id only when bundle is unresolved."""
+    if bundle[0] or workspace is None or xcode is None or not xcode.get("scheme"):
+        return bundle
+    detected = auto_detect.auto_detect_bundle_id(
+        workspace,
+        xcode.get("project", ""),
+        xcode.get("workspace", ""),
+        xcode["scheme"],
+        xcode.get("configuration", "Release"),
+    )
+    if detected:
+        return detected, "auto-detect"
+    return bundle
+
+
+def _auto_detect_project_workspace(
+    workspace: Path,
+    project: tuple[str, str],
+    ws_val: tuple[str, str],
+) -> tuple[tuple[str, str], tuple[str, str]]:
+    """Run auto_detect.auto_detect_project when both are unset; return the pair."""
+    if project[0] or ws_val[0]:
+        return project, ws_val
+    auto_proj, auto_ws = auto_detect.auto_detect_project(workspace)
+    if auto_ws:
+        return project, (auto_ws, "auto-detect")
+    if auto_proj:
+        return (auto_proj, "auto-detect"), ws_val
+    return project, ws_val
+
+
 def resolve_xcode(cfg: dict, workspace: Path, inp: dict) -> dict:
-    """Resolve project / workspace / scheme / configuration / profile_name."""
+    """Resolve project / workspace / scheme / configuration / profile_name.
+
+    Falls back to ``auto_detect`` (glob + xcodebuild -list + showBuildSettings)
+    when neither input nor config nor the older single-suffix glob finds a
+    value. This is what lets ``ci.config.yaml`` be omitted entirely.
+    """
     proj_cfg, proj_src = pick_with_source(cfg, ("xcode", "project"), ("ios", "native", "project"))
     ws_cfg, ws_src = pick_with_source(cfg, ("xcode", "workspace"), ("ios", "native", "workspace"))
     scheme_cfg, scheme_src = pick_with_source(cfg, ("xcode", "scheme"), ("ios", "native", "scheme"))
@@ -126,10 +169,18 @@ def resolve_xcode(cfg: dict, workspace: Path, inp: dict) -> dict:
         inp["WORKSPACE"], ws_cfg, cfg_source=ws_src,
         auto_val=auto_project_glob(workspace, ".xcworkspace"),
     )
-    scheme = resolve(inp["SCHEME"], scheme_cfg, cfg_source=scheme_src)
+    project, ws_val = _auto_detect_project_workspace(workspace, project, ws_val)
+
     configuration = resolve(
         inp["CONFIGURATION"], config_cfg, cfg_source=config_src, default="Release",
     )
+
+    scheme = resolve(inp["SCHEME"], scheme_cfg, cfg_source=scheme_src)
+    if not scheme[0] and (project[0] or ws_val[0]):
+        detected = auto_detect.auto_detect_scheme(workspace, project[0], ws_val[0])
+        if detected:
+            scheme = (detected, "auto-detect")
+
     default_profile = f"{scheme[0]} CI" if scheme[0] else ""
     profile_name = resolve(
         inp["PROFILE_NAME"], profile_cfg, cfg_source=profile_src, default=default_profile,
@@ -143,8 +194,21 @@ def resolve_xcode(cfg: dict, workspace: Path, inp: dict) -> dict:
     }
 
 
-def resolve_app(cfg: dict, inp: dict, creds: dict, scripts_dir: Path) -> dict:
-    """Resolve bundle_id / team_id / app_store_apple_id (with ASC-API fallback)."""
+def resolve_app(
+    cfg: dict,
+    inp: dict,
+    creds: dict,
+    scripts_dir: Path,
+    *,
+    workspace: Path | None = None,
+    xcode: dict | None = None,
+) -> dict:
+    """Resolve bundle_id / team_id / app_store_apple_id (with ASC-API fallback).
+
+    When ``workspace`` and ``xcode`` are passed and bundle_id is unset from
+    both input and config, we call ``auto_detect_bundle_id`` to ask
+    xcodebuild for ``PRODUCT_BUNDLE_IDENTIFIER``.
+    """
     bundle_cfg, bundle_src = pick_with_source(cfg, ("app", "bundle_id"), ("ios", "native", "bundle_id"))
     team_cfg, team_src = pick_with_source(cfg, ("app", "team_id"), ("ios", "native", "team_id"))
     apple_cfg, apple_src = pick_with_source(
@@ -152,8 +216,21 @@ def resolve_app(cfg: dict, inp: dict, creds: dict, scripts_dir: Path) -> dict:
     )
 
     bundle = resolve(inp["BUNDLE_ID"], bundle_cfg, cfg_source=bundle_src)
+    bundle = _auto_detect_bundle_if_empty(bundle, workspace, xcode)
     team = resolve(inp["TEAM_ID"], team_cfg, cfg_source=team_src)
 
+    # team_id is documented as optional because the ASC API key is bound to
+    # exactly one developer team. If input + config both empty, derive it
+    # via GET-only ASC endpoints (cert OU, then profile plist).
+    if not team[0]:
+        derived_val, derived_src = derive_team_if_empty(team[0], team[1], creds)
+        if derived_val:
+            log(
+                f"derived team_id={derived_val} from ASC key "
+                f"{creds['key_id']}"
+            )
+            team = (derived_val, derived_src)
+
     if inp["APP_STORE_APPLE_ID"]:
         apple = (inp["APP_STORE_APPLE_ID"], "input")
     elif apple_cfg not in (None, ""):
@@ -264,7 +341,11 @@ def main() -> None:
 
     creds = emit_credentials(env_file, cfg, workspace)
     xc = resolve_xcode(cfg, workspace, inputs)
-    app = resolve_app(cfg, inputs, creds, scripts_dir)
+    xc_values = {k: v[0] for k, v in xc.items()}
+    app = resolve_app(
+        cfg, inputs, creds, scripts_dir,
+        workspace=workspace, xcode=xc_values,
+    )
     tf = resolve_testflight(cfg, inputs)
     ios = resolve_ios(cfg, inputs)
     tests = resolve_tests(cfg, inputs)

package/templates/scripts/ci/ios-native/team_resolver.py

@@ -0,0 +1,130 @@
+#!/usr/bin/env python3
+"""
+Derive the Apple developer team identifier from an App Store Connect API key.
+
+Why:
+    ``ci.config.yaml`` lists ``app.team_id`` as optional because the ASC API
+    key is always bound to exactly one team — so it's derivable. This module
+    implements that derivation via GET-only endpoints so the first CI run on
+    a fresh repo works without pre-seeding the team id.
+
+Strategy (GET-only, no resource creation):
+    1. ``GET /v1/certificates?limit=1&sort=-id`` — any Distribution /
+       Development cert carries the team id in its Subject's Organizational
+       Unit (OU) attribute. Most teams already have at least one.
+    2. If no certs exist: ``GET /v1/profiles?limit=1`` — the attached
+       ``profileContent`` (base64-encoded ``.mobileprovision``) contains the
+       ``TeamIdentifier`` array in its plist payload. Profiles are CMS-signed
+       in production, so we fall back to ``security cms -D`` when
+       ``plistlib.loads`` refuses the raw bytes. When ``security`` isn't
+       available (unit tests), the test substitutes its own plist.
+    3. If neither yields a team, return "" — the caller decides whether to
+       fail with an actionable message or defer to ``prepare_signing.py``'s
+       post-profile-install fallback.
+
+The returned team id is a 10-character alphanumeric string (Apple's format).
+"""
+
+from __future__ import annotations
+
+import base64
+import plistlib
+import subprocess
+from typing import Any
+
+from asc_common import get_json
+from cryptography import x509
+from cryptography.x509.oid import NameOID
+
+
+def _team_from_cert_der(cert_der: bytes) -> str:
+    """Return OU attribute from the cert's Subject, or '' if absent/malformed."""
+    try:
+        cert = x509.load_der_x509_certificate(cert_der)
+    except (ValueError, TypeError):
+        return ""
+    ou_attrs = cert.subject.get_attributes_for_oid(NameOID.ORGANIZATIONAL_UNIT_NAME)
+    if not ou_attrs:
+        return ""
+    value = ou_attrs[0].value
+    if isinstance(value, bytes):
+        value = value.decode(errors="replace")
+    return str(value).strip()
+
+
+def _team_from_asc_certificates(token: str) -> str:
+    """Try GET /certificates and parse OU from the first cert's DER."""
+    data = get_json(
+        "/certificates",
+        token,
+        params={"limit": "1", "sort": "-id"},
+    )
+    items = data.get("data", []) if isinstance(data, dict) else []
+    if not items:
+        return ""
+    first = items[0]
+    attrs = first.get("attributes") or {}
+    b64 = attrs.get("certificateContent")
+    if not b64:
+        return ""
+    try:
+        cert_der = base64.b64decode(b64)
+    except (ValueError, TypeError):
+        return ""
+    return _team_from_cert_der(cert_der)
+
+
+def _team_from_profile_plist(profile_bytes: bytes) -> str:
+    """Extract TeamIdentifier[0] from a mobileprovision plist payload."""
+    plist: Any
+    try:
+        plist = plistlib.loads(profile_bytes)
+    except (plistlib.InvalidFileException, ValueError, OSError):
+        # Real profiles are CMS-signed — strip the envelope via `security cms`.
+        try:
+            decoded = subprocess.check_output(
+                ["security", "cms", "-D", "-i", "/dev/stdin"],
+                input=profile_bytes,
+            )
+        except (subprocess.CalledProcessError, FileNotFoundError, OSError):
+            return ""
+        try:
+            plist = plistlib.loads(decoded)
+        except (plistlib.InvalidFileException, ValueError, OSError):
+            return ""
+    if not isinstance(plist, dict):
+        return ""
+    teams = plist.get("TeamIdentifier") or []
+    if isinstance(teams, list) and teams:
+        return str(teams[0]).strip()
+    return ""
+
+
+def _team_from_asc_profiles(token: str) -> str:
+    """Try GET /profiles and parse TeamIdentifier from the first profile's plist."""
+    data = get_json("/profiles", token, params={"limit": "1"})
+    items = data.get("data", []) if isinstance(data, dict) else []
+    if not items:
+        return ""
+    attrs = items[0].get("attributes") or {}
+    b64 = attrs.get("profileContent")
+    if not b64:
+        return ""
+    try:
+        profile_bytes = base64.b64decode(b64)
+    except (ValueError, TypeError):
+        return ""
+    return _team_from_profile_plist(profile_bytes)
+
+
+def derive_team_id(token: str) -> str:
+    """Derive the developer team id bound to the ASC API key.
+
+    Returns the 10-char team identifier, or "" when neither a certificate
+    nor a provisioning profile exposes it. Never raises on missing data;
+    only propagates network / auth failures from the underlying ASC client.
+    """
+    team = _team_from_asc_certificates(token)
+    if team:
+        return team
+    return _team_from_asc_profiles(token)