@daemux/store-automator 0.10.86 → 0.10.88

package/.claude-plugin/marketplace.json

@@ -5,14 +5,14 @@
   },
   "metadata": {
     "description": "App Store & Google Play automation for Flutter apps",
-    "version": "0.10.86"
+    "version": "0.10.88"
   },
   "plugins": [
     {
       "name": "store-automator",
       "source": "./plugins/store-automator",
       "description": "3 agents for app store publishing: reviewer, meta-creator, media-designer",
-      "version": "0.10.86",
+      "version": "0.10.88",
       "keywords": [
         "flutter",
         "app-store",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@daemux/store-automator",
-  "version": "0.10.86",
+  "version": "0.10.88",
   "description": "Full App Store & Google Play automation for Flutter apps with Claude Code agents",
   "type": "module",
   "bin": {

package/plugins/store-automator/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "store-automator",
-  "version": "0.10.86",
+  "version": "0.10.88",
   "description": "App Store & Google Play automation agents for Flutter app publishing",
   "author": {
     "name": "Daemux"

package/templates/github/IOS_NATIVE_CI_SETUP.md

@@ -1,28 +1,26 @@
 # iOS Native TestFlight CI — Setup Guide
 
-Drop-in TestFlight automation for native Swift/SwiftUI iOS apps. One workflow, one config file, one credential file. All logic lives in the shared composite action `daemux/daemux-plugins/.github/actions/ios-native-testflight`.
+**Zero config.** Drop-in TestFlight automation for native Swift/SwiftUI iOS apps. Two files in your repo are all you need:
+
+1. `.github/workflows/deploy.yml` (18 lines, copied verbatim)
+2. `creds/AuthKey_<KEY_ID>_Issuer_<UUID>.p8` (your ASC API key)
+
+There is **no** `ci.config.yaml`. The composite action auto-detects your project, workspace, scheme, bundle id, team id, and App Store Connect numeric app id from the Xcode project + ASC API. To override any auto-detected value, pass it via the action's `with:` block in `deploy.yml`.
+
+All logic lives in the shared composite action `daemux/daemux-plugins/.github/actions/ios-native-testflight`.
 
 ## Prerequisites
 
 - **Private GitHub repo** (holds the ASC API key `.p8` file).
 - **Apple Developer Program** membership with an App Store Connect user that can create API keys.
 - **ASC API Key** with `App Manager` role, downloaded as `AuthKey_<KEY_ID>.p8` (Apple lets you download this exactly once).
-- Xcode project builds locally on macOS 15 / Xcode 16.
+- Xcode project builds locally on macOS 15 / Xcode 16+.
 
 ## Step 1 — Copy the workflow
 
 Copy `.github/workflows/deploy.yml` verbatim from this template. No edits required. It triggers on push to `main` and via `workflow_dispatch`.
 
-## Step 2 — Copy `ci.config.yaml`
-
-Copy `ios-native-ci.config.yaml.template` to your repo root as `ci.config.yaml`. Fill in:
-
-- `app.bundle_id` — REQUIRED (must match your App Store Connect app record).
-- `xcode.scheme` — REQUIRED (the shared scheme the CI should archive).
-
-Every other field has a sensible default. `xcode.project` auto-detects if there is exactly one `*.xcodeproj` at the repo root. `app.app_store_apple_id` is auto-discovered via the ASC API from the bundle id.
-
-## Step 3 — Drop in the ASC API key
+## Step 2 — Drop in the ASC API key
 
 Rename the downloaded key to include both the key id and the issuer uuid, then put it under `creds/`:
 
@@ -34,7 +32,7 @@ Example: `creds/AuthKey_5NBDY6YXJ6_Issuer_69a6de77-xxxx-xxxx-xxxx-xxxxxxxxxxxx.p
 
 The composite action parses the key id and issuer id from the filename — no GitHub secrets to configure.
 
-## Step 4 — Register the app in App Store Connect (one-time)
+## Step 3 — Register the app in App Store Connect (one-time)
 
 App Store Connect requires a human-in-the-loop 2FA step the first time. Either:
 
@@ -43,29 +41,53 @@ App Store Connect requires a human-in-the-loop 2FA step the first time. Either:
 
 Subsequent builds need neither — the ASC API key handles everything.
 
-## Step 5 — MARKETING_VERSION
+## Step 4 — MARKETING_VERSION
 
 Leave your Xcode project's `MARKETING_VERSION` at `1.0` initially. CI auto-rolls the marketing version forward (patch bump) whenever the prior version hits `READY_FOR_SALE` in App Store Connect. Until then, the pipeline keeps bumping the build number against the current marketing version.
 
-## Step 6 — Push to `main`
+## Step 5 — Push to `main`
 
 ```bash
-git add .github/workflows/deploy.yml ci.config.yaml creds/AuthKey_*.p8
+git add .github/workflows/deploy.yml creds/AuthKey_*.p8
 git commit -m "ci: add iOS TestFlight pipeline"
 git push origin main
 ```
 
 GitHub Actions triggers the workflow. On success, the build appears in TestFlight within 5–15 minutes (Apple processing delay).
 
+## Overrides (optional)
+
+If auto-detection picks the wrong value, pin it in `deploy.yml`:
+
+```yaml
+- uses: daemux/daemux-plugins/.github/actions/ios-native-testflight@main
+  with:
+    project: MyApp.xcodeproj           # if multiple .xcodeproj at root
+    workspace: MyApp.xcworkspace       # wins over project
+    scheme: MyApp                      # if multiple application schemes
+    configuration: Release             # default: Release
+    bundle-id: com.example.myapp       # if PRODUCT_BUNDLE_IDENTIFIER is wrong
+    team-id: ABCDE12345                # if your ASC key is multi-team
+    app-store-apple-id: '1234567890'   # to skip the ASC API lookup
+    app-store-whats-new: |
+      - New feature X
+      - Bug fixes
+    app-store-locale: en-US
+    uses-non-exempt-encryption: 'false'
+```
+
+Every input is optional. Omitted ones are auto-detected.
+
 ## Troubleshooting
 
 | Error | Likely Cause | Fix |
 |-------|--------------|-----|
 | `No ASC key found in creds/` | File missing or misnamed | Filename must match `AuthKey_<KEY_ID>_Issuer_<ISSUER_UUID>.p8` exactly |
-| `No ASC app found for bundle <id>` | App not yet registered in ASC | Run Step 4 (create the app record) |
+| `Multiple ASC keys found in creds/` | More than one .p8 | Remove the unused one(s) — only a single key is supported |
+| `No ASC app found for bundle <id>` | App not yet registered in ASC | Run Step 3 (create the app record) |
 | `MARKETING_VERSION not set` | Missing in `.pbxproj` | Set `MARKETING_VERSION = 1.0;` in your target's build settings |
 | Apple refuses new version | Prior version not in `READY_FOR_SALE` | Let the existing version finish review, or manually bump `MARKETING_VERSION` in Xcode |
-| `Scheme not found` | Scheme not shared | In Xcode: Product → Scheme → Manage Schemes → tick "Shared", commit `*.xcscheme` |
+| `Scheme not found` | Scheme not shared, or auto-detect picked wrong one | In Xcode: Product → Scheme → Manage Schemes → tick "Shared", commit `*.xcscheme`. Or pass `scheme:` in the workflow `with:` block. |
 
 ## Credential rotation
 

package/templates/scripts/ci/ios-native/auto_detect.py

@@ -0,0 +1,274 @@
+#!/usr/bin/env python3
+"""
+Xcode project / scheme / bundle_id auto-detection.
+
+Ported from gowalk-step/fastlane_standalone.sh — keeps us in Python (our
+ecosystem) while still shelling out to ``xcodebuild`` for the two queries
+only it can reliably answer:
+
+    ``xcodebuild -list -json``                  -> enumerate schemes
+    ``xcodebuild -showBuildSettings -json``     -> PRODUCT_TYPE + bundle id
+
+The detection lets ``ci.config.yaml`` become entirely optional: with just
+``creds/AuthKey_*.p8`` + the 18-line ``deploy.yml`` the pipeline can still
+figure out what to build.
+
+Rules (kept intentionally boring — if auto-detect is ambiguous we log a
+warning and return a deterministic choice, falling back to a clear
+``::error::`` only when truly nothing works):
+
+1. ``auto_detect_project(workspace)``
+   - Prefer a single ``*.xcworkspace`` at the repo root.
+   - Else a single ``*.xcodeproj``.
+   - When multiple ``.xcodeproj`` exist, prefer one matching the repo
+     basename, else alphabetically first (with a warning).
+
+2. ``auto_detect_scheme(workspace, project, workspace_file)``
+   - ``xcodebuild -list -json`` to enumerate schemes.
+   - For each scheme, ``-showBuildSettings -json`` and keep those whose
+     ``PRODUCT_TYPE == com.apple.product-type.application``.
+   - Single application scheme -> that one. Multiple: prefer repo-basename
+     match, else alphabetical first.
+
+3. ``auto_detect_bundle_id(workspace, project, workspace_file, scheme, configuration)``
+   - Read ``PRODUCT_BUNDLE_IDENTIFIER`` from the same ``-showBuildSettings``
+     invocation (cached from step 2 when possible).
+   - Reject unresolved variable references like ``$(PRODUCT_NAME)``.
+
+All xcodebuild invocations are cached per-process so repeated calls in the
+same ``read_config.py`` run don't re-shell.
+"""
+
+from __future__ import annotations
+
+import json
+import subprocess
+from pathlib import Path
+from typing import Optional
+
+from cfg_io import log, notice
+
+
+APP_PRODUCT_TYPE = "com.apple.product-type.application"
+# Timeouts (seconds) — xcodebuild can hang on missing toolchains or
+# package resolution. CI should fail fast rather than spin forever.
+LIST_TIMEOUT = 60
+SETTINGS_TIMEOUT = 120
+
+# Process-local caches keyed by (project, workspace_file) or
+# (project, workspace_file, scheme, configuration). Cleared between test
+# cases via ``_clear_caches`` but otherwise persist for the lifetime of
+# the read_config.py process.
+_list_cache: dict[tuple, Optional[list[str]]] = {}
+_settings_cache: dict[tuple, Optional[dict]] = {}
+
+
+def _clear_caches() -> None:
+    """Reset caches — used by tests. Not part of the public API."""
+    _list_cache.clear()
+    _settings_cache.clear()
+
+
+def auto_detect_project(workspace: Path) -> tuple[str, str]:
+    """Discover the repo-root Xcode project / workspace.
+
+    Returns ``(project, workspace_file)`` where exactly one is a non-empty
+    filename. ``("", "")`` means nothing was found.
+    """
+    workspaces = sorted(workspace.glob("*.xcworkspace"))
+    if workspaces:
+        picked = _pick_by_basename(workspaces, workspace, "xcworkspace")
+        log(f"auto-detect: workspace={picked.name}")
+        return "", picked.name
+
+    projects = sorted(workspace.glob("*.xcodeproj"))
+    if not projects:
+        return "", ""
+    picked = _pick_by_basename(projects, workspace, "xcodeproj")
+    log(f"auto-detect: project={picked.name}")
+    return picked.name, ""
+
+
+def _pick_by_basename(matches: list[Path], workspace: Path, label: str) -> Path:
+    """Pick the match whose name stem equals the repo basename, else first."""
+    if len(matches) == 1:
+        return matches[0]
+    repo_base = workspace.resolve().name.lower()
+    for match in matches:
+        if match.stem.lower() == repo_base:
+            return match
+    notice(
+        f"multiple *.{label} found; picking {matches[0].name} alphabetically. "
+        f"Set xcode.project in ci.config.yaml to disambiguate."
+    )
+    return matches[0]
+
+
+def _list_schemes(
+    workspace: Path, project: str, workspace_file: str
+) -> Optional[list[str]]:
+    """Run ``xcodebuild -list -json`` and return the schemes list (cached)."""
+    key = (project, workspace_file)
+    if key in _list_cache:
+        return _list_cache[key]
+
+    cmd = ["xcodebuild", "-list", "-json"]
+    if workspace_file:
+        cmd += ["-workspace", workspace_file]
+    elif project:
+        cmd += ["-project", project]
+    else:
+        _list_cache[key] = None
+        return None
+
+    try:
+        result = subprocess.run(
+            cmd, cwd=str(workspace), capture_output=True, text=True,
+            timeout=LIST_TIMEOUT,
+        )
+    except (OSError, subprocess.TimeoutExpired) as exc:
+        log(f"auto-detect: xcodebuild -list failed: {exc!r}")
+        _list_cache[key] = None
+        return None
+
+    if result.returncode != 0:
+        log(
+            f"auto-detect: xcodebuild -list returned {result.returncode}: "
+            f"{result.stderr.strip()}"
+        )
+        _list_cache[key] = None
+        return None
+
+    try:
+        data = json.loads(result.stdout)
+    except json.JSONDecodeError as exc:
+        log(f"auto-detect: xcodebuild -list produced invalid JSON: {exc!r}")
+        _list_cache[key] = None
+        return None
+
+    # Workspace output has {"workspace": {"schemes": [...]}}; project has
+    # {"project": {"schemes": [...]}}.
+    container = data.get("workspace") or data.get("project") or {}
+    schemes = container.get("schemes") or []
+    _list_cache[key] = list(schemes)
+    return _list_cache[key]
+
+
+def _show_build_settings(
+    workspace: Path,
+    project: str,
+    workspace_file: str,
+    scheme: str,
+    configuration: str,
+) -> Optional[dict]:
+    """Run ``xcodebuild -showBuildSettings -json`` and return buildSettings (cached)."""
+    key = (project, workspace_file, scheme, configuration or "Release")
+    if key in _settings_cache:
+        return _settings_cache[key]
+
+    cmd = ["xcodebuild", "-showBuildSettings", "-json", "-scheme", scheme]
+    if configuration:
+        cmd += ["-configuration", configuration]
+    if workspace_file:
+        cmd += ["-workspace", workspace_file]
+    elif project:
+        cmd += ["-project", project]
+    else:
+        _settings_cache[key] = None
+        return None
+
+    try:
+        result = subprocess.run(
+            cmd, cwd=str(workspace), capture_output=True, text=True,
+            timeout=SETTINGS_TIMEOUT,
+        )
+    except (OSError, subprocess.TimeoutExpired) as exc:
+        log(f"auto-detect: showBuildSettings({scheme!r}) failed: {exc!r}")
+        _settings_cache[key] = None
+        return None
+
+    if result.returncode != 0:
+        log(
+            f"auto-detect: showBuildSettings({scheme!r}) returned "
+            f"{result.returncode}: {result.stderr.strip()}"
+        )
+        _settings_cache[key] = None
+        return None
+
+    try:
+        data = json.loads(result.stdout)
+    except json.JSONDecodeError as exc:
+        log(f"auto-detect: showBuildSettings({scheme!r}) invalid JSON: {exc!r}")
+        _settings_cache[key] = None
+        return None
+
+    if not isinstance(data, list) or not data:
+        _settings_cache[key] = None
+        return None
+    settings = data[0].get("buildSettings") or {}
+    _settings_cache[key] = settings if isinstance(settings, dict) else None
+    return _settings_cache[key]
+
+
+def auto_detect_scheme(
+    workspace: Path, project: str, workspace_file: str
+) -> Optional[str]:
+    """Pick the single ``com.apple.product-type.application`` scheme."""
+    schemes = _list_schemes(workspace, project, workspace_file)
+    if not schemes:
+        return None
+
+    app_schemes: list[str] = []
+    for scheme in schemes:
+        settings = _show_build_settings(
+            workspace, project, workspace_file, scheme, "Release",
+        )
+        if not settings:
+            continue
+        if settings.get("PRODUCT_TYPE") == APP_PRODUCT_TYPE:
+            app_schemes.append(scheme)
+
+    if not app_schemes:
+        return None
+    if len(app_schemes) == 1:
+        log(f"auto-detect: scheme={app_schemes[0]}")
+        return app_schemes[0]
+
+    repo_base = workspace.resolve().name.lower()
+    for scheme in app_schemes:
+        if scheme.lower() == repo_base:
+            log(f"auto-detect: scheme={scheme} (basename match)")
+            return scheme
+
+    picked = sorted(app_schemes)[0]
+    notice(
+        f"multiple application schemes found ({', '.join(sorted(app_schemes))}); "
+        f"picking {picked} alphabetically. Set xcode.scheme in ci.config.yaml "
+        f"to disambiguate."
+    )
+    return picked
+
+
+def auto_detect_bundle_id(
+    workspace: Path,
+    project: str,
+    workspace_file: str,
+    scheme: str,
+    configuration: str,
+) -> Optional[str]:
+    """Extract ``PRODUCT_BUNDLE_IDENTIFIER`` for the given scheme/config."""
+    settings = _show_build_settings(
+        workspace, project, workspace_file, scheme, configuration or "Release",
+    )
+    if not settings:
+        return None
+    bundle = settings.get("PRODUCT_BUNDLE_IDENTIFIER")
+    if not bundle or not isinstance(bundle, str):
+        return None
+    # xcodebuild sometimes emits unresolved variable references when build
+    # settings depend on xcconfig files that aren't in the default context.
+    if "$(" in bundle or bundle.startswith("$") or "=" in bundle:
+        log(f"auto-detect: bundle_id {bundle!r} contains unresolved variable — rejecting")
+        return None
+    log(f"auto-detect: bundle_id={bundle}")
+    return bundle

package/templates/scripts/ci/ios-native/cfg_resolve.py

@@ -1,19 +1,15 @@
 #!/usr/bin/env python3
 """
-Config loading + value-resolution helpers for ios-native-testflight.
+Shared helpers for ios-native-testflight read_config.py.
 
-Pulled out of read_config.py to keep any single file under the 400-line /
-10-function project limits.
+Now that ci.config.yaml is gone, this module only contains the helpers
+that interact with the filesystem or App Store Connect — no YAML or
+config-precedence logic remains.
 
 Contents:
-    load_config         YAML loader (returns {} if missing)
     emit                $GITHUB_ENV writer (handles multi-line via heredoc)
-    dig / pick          Safe nested dict access
-    pick_with_source    Flat-path-first, legacy-alias-second lookup
-    resolve             Apply input -> config -> auto -> default precedence
-    auto_project_glob   Repo-root *.xcodeproj / *.xcworkspace autodetect
-    as_str_bool         YAML bool -> "true"/"false"/None
     find_p8             Locate ASC .p8 key in creds/
+    derive_team_if_empty  ASC API fallback for team_id
     lookup_app_id_via_api  Subprocess helper — calls lookup_app_id.py
 """
 
@@ -21,14 +17,12 @@ from __future__ import annotations
 
 import os
 import re
+import subprocess
 import sys
 from pathlib import Path
-from typing import Any
-
-import yaml
 
 from asc_common import make_jwt
-from cfg_io import fail, log, notice
+from cfg_io import fail, log
 from team_resolver import derive_team_id
 
 
@@ -37,27 +31,6 @@ P8_RE = re.compile(
 )
 
 
-def load_config(workspace: Path, rel_path: str) -> dict:
-    """Load a YAML config from ``workspace/rel_path``. Returns {} if missing."""
-    cfg_path = workspace / rel_path
-    if not cfg_path.is_file():
-        notice(
-            f"{rel_path} not found at {cfg_path}; proceeding with inputs and defaults only"
-        )
-        return {}
-    try:
-        with cfg_path.open("r") as fh:
-            data = yaml.safe_load(fh)
-    except yaml.YAMLError as exc:
-        fail(f"failed to parse {rel_path}: {exc}")
-    if data is None:
-        return {}
-    if not isinstance(data, dict):
-        fail(f"{rel_path} root must be a mapping")
-    log(f"loaded config from {cfg_path}")
-    return data
-
-
 def emit(env_file: Path, name: str, value: str) -> None:
     """Append NAME=VALUE (or multi-line NAME<<EOF ... EOF) to $GITHUB_ENV."""
     if value is None:
@@ -73,82 +46,12 @@ def emit(env_file: Path, name: str, value: str) -> None:
             fh.write(f"{name}={value}\n")
 
 
-def dig(cfg: dict, *path: str, default: Any = None) -> Any:
-    """Safe nested .get across dict path. Returns default if any key missing."""
-    node: Any = cfg
-    for key in path:
-        if not isinstance(node, dict):
-            return default
-        node = node.get(key)
-        if node is None:
-            return default
-    return node
-
-
-def pick(cfg: dict, *paths: tuple) -> Any:
-    """Return the first non-None/non-empty value among a series of paths."""
-    for path in paths:
-        val = dig(cfg, *path)
-        if val not in (None, ""):
-            return val
-    return None
-
-
-def pick_with_source(cfg: dict, flat: tuple, legacy: tuple) -> tuple[Any, str]:
-    """Return (value, source) — flat path wins; legacy alias as fallback."""
-    flat_val = dig(cfg, *flat)
-    if flat_val not in (None, ""):
-        return flat_val, "config"
-    legacy_val = dig(cfg, *legacy)
-    if legacy_val not in (None, ""):
-        return legacy_val, "config(legacy)"
-    return None, "config"
-
-
-def resolve(
-    input_val: str,
-    cfg_val: Any,
-    *,
-    cfg_source: str = "config",
-    auto_val: str = "",
-    default: str = "",
-) -> tuple[str, str]:
-    """Apply precedence: input > config > auto > default > empty."""
-    if input_val:
-        return input_val, "input"
-    if cfg_val not in (None, ""):
-        return str(cfg_val), cfg_source
-    if auto_val:
-        return auto_val, "auto-detect"
-    if default:
-        return default, "default"
-    return "", "empty"
-
-
-def auto_project_glob(workspace: Path, suffix: str) -> str:
-    """Return the single matching *suffix file at repo root, else empty."""
-    matches = sorted(workspace.glob(f"*{suffix}"))
-    if len(matches) == 1:
-        return matches[0].name
-    return ""
-
-
-def as_str_bool(val: Any) -> str | None:
-    """Normalize YAML bool / string / None to 'true'|'false'|None."""
-    if val is None:
-        return None
-    if isinstance(val, bool):
-        return "true" if val else "false"
-    s = str(val).strip().lower()
-    if s in ("true", "yes", "1"):
-        return "true"
-    if s in ("false", "no", "0"):
-        return "false"
-    return s  # let downstream validate
-
-
-def find_p8(workspace: Path, cfg: dict) -> tuple[Path, str, str | None]:
-    """Locate the ASC .p8 key. Returns (path, key_id, issuer_from_filename)."""
+def find_p8(workspace: Path) -> tuple[Path, str, str | None]:
+    """Locate the ASC .p8 key. Returns (path, key_id, issuer_from_filename).
+
+    If multiple keys are found we fail with an actionable message — there is
+    no longer a config-based disambiguation channel.
+    """
     creds_dir = workspace / "creds"
     matches = sorted(creds_dir.glob("AuthKey_*.p8"))
     if not matches:
@@ -170,23 +73,13 @@ def find_p8(workspace: Path, cfg: dict) -> tuple[Path, str, str | None]:
             "Found .p8 file(s) in creds/ but none match the required naming "
             "pattern AuthKey_<KEY_ID>[_Issuer_<UUID>].p8"
         )
-
     if len(parsed) == 1:
         return parsed[0]
 
-    config_key_id = pick(cfg, ("credentials", "apple", "key_id"), ("asc", "key_id"))
-    if not config_key_id:
-        names = ", ".join(p.name for p, _, _ in parsed)
-        fail(
-            f"Multiple ASC keys found in creds/ ({names}). "
-            "Set credentials.apple.key_id in ci.config.yaml to choose one."
-        )
-    for entry in parsed:
-        if entry[1] == config_key_id:
-            return entry
+    names = ", ".join(p.name for p, _, _ in parsed)
     fail(
-        f"credentials.apple.key_id={config_key_id} did not match any .p8 in "
-        f"creds/ (found key_ids: {', '.join(k for _, k, _ in parsed)})"
+        f"Multiple ASC keys found in creds/ ({names}). Remove the unused "
+        "ones — only a single key is supported."
     )
 
 
@@ -217,8 +110,6 @@ def derive_team_if_empty(
 
 def lookup_app_id_via_api(bundle_id: str, scripts_dir: Path) -> str:
     """Invoke lookup_app_id.py to resolve apple_id via ASC API."""
-    import subprocess
-
     script = scripts_dir / "lookup_app_id.py"
     if not script.is_file():
         fail(f"lookup_app_id.py not found at {script}")

package/templates/scripts/ci/ios-native/read_config.py

@@ -1,38 +1,29 @@
 #!/usr/bin/env python3
 """
-Read ci.config.yaml + discover ASC API key in creds/, then emit derived CI
-environment variables to $GITHUB_ENV.
-
-Schema (flat — primary, canonical):
-    app.{bundle_id, team_id, app_store_apple_id}
-    xcode.{project, workspace, scheme, configuration, profile_name}
-    ios.{uses_non_exempt_encryption}
-    testflight.{whats_new, locale}
-    ci.{run_tests, test_command, test_destination}
-    credentials.apple.{key_id, issuer_id}  OR  asc.{key_id, issuer_id}
-
-Legacy aliases (accepted for back-compat, never preferred):
-    ios.native.{project, workspace, scheme, configuration, profile_name,
-                team_id, app_store_apple_id, uses_non_exempt_encryption,
-                whats_new, locale, run_tests, test_command, test_destination,
-                tests.{run, command, destination}}
-    app_store.locale (third-tier fallback only)
+Discover ASC API key in creds/ + auto-detect Xcode project/scheme/bundle,
+then emit derived CI environment variables to $GITHUB_ENV.
+
+There is NO config file. This script reads only:
+  - INPUT_* env vars (the composite action's `with:` overrides)
+  - creds/AuthKey_<KEY_ID>_Issuer_<UUID>.p8 (the only required file)
+  - the Xcode project (via auto_detect.py + xcodebuild)
+  - the App Store Connect API (for team_id and app_store_apple_id)
 
 Precedence for every CFG_* value:
-    1. Explicit action input (INPUT_* env var)
-    2. Flat-schema config value
-    3. Legacy ios.native.* alias
-    4. Auto-detected value (xcodeproj/xcworkspace glob) or built-in default
-    5. Empty string (composite action step applies its own default / skips)
+    1. INPUT_* env var (composite action input)
+    2. Auto-detected value (xcodebuild, ASC API, glob)
+    3. Built-in default ("Release", "false", "en-US", whatsNew boilerplate)
+    4. Empty string (downstream step skips or applies its own fallback)
 
-Built-in defaults (emitted when no config/input exists):
+Built-in defaults emitted when nothing else applies:
     CFG_CONFIGURATION=Release, CFG_USES_NON_EXEMPT=false,
-    CFG_RUN_TESTS=false, CFG_LOCALE=en-US, CFG_PROFILE_NAME="<scheme> CI".
-All other CFG_* fields emit empty and rely on action.yml-level fallbacks.
+    CFG_RUN_TESTS=false, CFG_LOCALE=en-US,
+    CFG_PROFILE_NAME="<scheme> CI", CFG_WHATS_NEW=<boilerplate>.
 
 The ASC .p8 key is located by globbing ``creds/AuthKey_*.p8`` with filename
-regex AuthKey_<KEY_ID>[_Issuer_<ISSUER_UUID>].p8. Multiple matches require
-``credentials.apple.key_id`` (or ``asc.key_id``) in config to disambiguate.
+regex AuthKey_<KEY_ID>[_Issuer_<ISSUER_UUID>].p8. If multiple match, we fail
+with an instruction to remove the unwanted one(s) — there is no longer a
+config-based disambiguation channel.
 
 Writes to $GITHUB_ENV:
     ASC_KEY_ID, ASC_ISSUER_ID, ASC_KEY_P8_PATH, ASC_KEY_P8,
@@ -53,19 +44,13 @@ from __future__ import annotations
 import os
 from pathlib import Path
 
+import auto_detect
 from cfg_io import fail, log
 from cfg_resolve import (
-    as_str_bool,
-    auto_project_glob,
     derive_team_if_empty,
-    dig,
     emit,
     find_p8,
-    load_config,
     lookup_app_id_via_api,
-    pick,
-    pick_with_source,
-    resolve,
 )
 
 
@@ -76,65 +61,83 @@ DEFAULT_WHATS_NEW = (
 )
 
 
-def emit_credentials(env_file: Path, cfg: dict, workspace: Path) -> dict:
+def _pick(input_val: str, *, auto_val: str = "", default: str = "") -> tuple[str, str]:
+    """Apply precedence: input > auto > default > empty."""
+    if input_val:
+        return input_val, "input"
+    if auto_val:
+        return auto_val, "auto-detect"
+    if default:
+        return default, "default"
+    return "", "empty"
+
+
+def emit_credentials(env_file: Path, workspace: Path) -> dict:
     """Discover .p8, derive ASC_KEY_ID / ISSUER / PATH, emit to env_file.
 
     Returns {'key_id', 'issuer_id', 'key_path'} for downstream use.
     """
-    p8_path, key_id_from_file, issuer_from_file = find_p8(workspace, cfg)
+    p8_path, key_id_from_file, issuer_from_file = find_p8(workspace)
     try:
         p8_contents = p8_path.read_text()
     except OSError as exc:
         fail(f"cannot read {p8_path}: {exc}")
 
-    cfg_key_id = pick(cfg, ("credentials", "apple", "key_id"), ("asc", "key_id"))
-    cfg_issuer = pick(cfg, ("credentials", "apple", "issuer_id"), ("asc", "issuer_id"))
-    asc_key_id = cfg_key_id or key_id_from_file
-    asc_issuer = cfg_issuer or issuer_from_file
-    if not asc_issuer:
+    if not issuer_from_file:
         fail(
-            "ASC issuer id unknown: neither the filename contains _Issuer_<UUID> "
-            "nor credentials.apple.issuer_id is set in ci.config.yaml."
+            "ASC issuer id unknown: rename the .p8 to "
+            "AuthKey_<KEY_ID>_Issuer_<UUID>.p8 so the issuer id is in the filename."
         )
 
-    emit(env_file, "ASC_KEY_ID", str(asc_key_id))
-    emit(env_file, "ASC_ISSUER_ID", str(asc_issuer))
+    emit(env_file, "ASC_KEY_ID", str(key_id_from_file))
+    emit(env_file, "ASC_ISSUER_ID", str(issuer_from_file))
     emit(env_file, "ASC_KEY_P8_PATH", str(p8_path))
     emit(env_file, "ASC_KEY_P8", p8_contents)
-    log(f"ASC_KEY_ID={asc_key_id} (source: {'config' if cfg_key_id else 'filename'})")
-    log(f"ASC_ISSUER_ID={asc_issuer} (source: {'config' if cfg_issuer else 'filename'})")
+    log(f"ASC_KEY_ID={key_id_from_file} (source: filename)")
+    log(f"ASC_ISSUER_ID={issuer_from_file} (source: filename)")
     log(f"ASC_KEY_P8_PATH={p8_path}")
-    return {"key_id": str(asc_key_id), "issuer_id": str(asc_issuer), "key_path": str(p8_path)}
+    return {
+        "key_id": str(key_id_from_file),
+        "issuer_id": str(issuer_from_file),
+        "key_path": str(p8_path),
+    }
 
 
-def resolve_xcode(cfg: dict, workspace: Path, inp: dict) -> dict:
-    """Resolve project / workspace / scheme / configuration / profile_name."""
-    proj_cfg, proj_src = pick_with_source(cfg, ("xcode", "project"), ("ios", "native", "project"))
-    ws_cfg, ws_src = pick_with_source(cfg, ("xcode", "workspace"), ("ios", "native", "workspace"))
-    scheme_cfg, scheme_src = pick_with_source(cfg, ("xcode", "scheme"), ("ios", "native", "scheme"))
-    config_cfg, config_src = pick_with_source(
-        cfg, ("xcode", "configuration"), ("ios", "native", "configuration"),
-    )
-    profile_cfg, profile_src = pick_with_source(
-        cfg, ("xcode", "profile_name"), ("ios", "native", "profile_name"),
-    )
+def _detect_project_workspace(
+    workspace: Path,
+    project: tuple[str, str],
+    ws_val: tuple[str, str],
+) -> tuple[tuple[str, str], tuple[str, str]]:
+    """Run auto_detect.auto_detect_project when both are unset."""
+    if project[0] or ws_val[0]:
+        return project, ws_val
+    auto_proj, auto_ws = auto_detect.auto_detect_project(workspace)
+    if auto_ws:
+        return project, (auto_ws, "auto-detect")
+    if auto_proj:
+        return (auto_proj, "auto-detect"), ws_val
+    return project, ws_val
+
+
+def resolve_xcode(workspace: Path, inp: dict) -> dict:
+    """Resolve project / workspace / scheme / configuration / profile_name.
+
+    Inputs win; otherwise we shell out to xcodebuild via auto_detect.
+    """
+    project = _pick(inp["PROJECT"])
+    ws_val = _pick(inp["WORKSPACE"])
+    project, ws_val = _detect_project_workspace(workspace, project, ws_val)
+
+    configuration = _pick(inp["CONFIGURATION"], default="Release")
+
+    scheme = _pick(inp["SCHEME"])
+    if not scheme[0] and (project[0] or ws_val[0]):
+        detected = auto_detect.auto_detect_scheme(workspace, project[0], ws_val[0])
+        if detected:
+            scheme = (detected, "auto-detect")
 
-    project = resolve(
-        inp["PROJECT"], proj_cfg, cfg_source=proj_src,
-        auto_val=auto_project_glob(workspace, ".xcodeproj"),
-    )
-    ws_val = resolve(
-        inp["WORKSPACE"], ws_cfg, cfg_source=ws_src,
-        auto_val=auto_project_glob(workspace, ".xcworkspace"),
-    )
-    scheme = resolve(inp["SCHEME"], scheme_cfg, cfg_source=scheme_src)
-    configuration = resolve(
-        inp["CONFIGURATION"], config_cfg, cfg_source=config_src, default="Release",
-    )
     default_profile = f"{scheme[0]} CI" if scheme[0] else ""
-    profile_name = resolve(
-        inp["PROFILE_NAME"], profile_cfg, cfg_source=profile_src, default=default_profile,
-    )
+    profile_name = _pick(inp["PROFILE_NAME"], default=default_profile)
     return {
         "project": project,
         "workspace": ws_val,
@@ -144,113 +147,81 @@ def resolve_xcode(cfg: dict, workspace: Path, inp: dict) -> dict:
     }
 
 
-def resolve_app(cfg: dict, inp: dict, creds: dict, scripts_dir: Path) -> dict:
-    """Resolve bundle_id / team_id / app_store_apple_id (with ASC-API fallback)."""
-    bundle_cfg, bundle_src = pick_with_source(cfg, ("app", "bundle_id"), ("ios", "native", "bundle_id"))
-    team_cfg, team_src = pick_with_source(cfg, ("app", "team_id"), ("ios", "native", "team_id"))
-    apple_cfg, apple_src = pick_with_source(
-        cfg, ("app", "app_store_apple_id"), ("ios", "native", "app_store_apple_id"),
+def _detect_bundle(
+    bundle: tuple[str, str], workspace: Path, xcode: dict,
+) -> tuple[str, str]:
+    """Auto-detect PRODUCT_BUNDLE_IDENTIFIER when bundle is unresolved."""
+    if bundle[0] or not xcode.get("scheme"):
+        return bundle
+    detected = auto_detect.auto_detect_bundle_id(
+        workspace,
+        xcode.get("project", ""),
+        xcode.get("workspace", ""),
+        xcode["scheme"],
+        xcode.get("configuration", "Release"),
     )
+    if detected:
+        return detected, "auto-detect"
+    return bundle
 
-    bundle = resolve(inp["BUNDLE_ID"], bundle_cfg, cfg_source=bundle_src)
-    team = resolve(inp["TEAM_ID"], team_cfg, cfg_source=team_src)
 
-    # team_id is documented as optional because the ASC API key is bound to
-    # exactly one developer team. If input + config both empty, derive it
-    # via GET-only ASC endpoints (cert OU, then profile plist).
+def _resolve_apple_id(
+    inp: dict, bundle: tuple[str, str], creds: dict, scripts_dir: Path,
+) -> tuple[str, str]:
+    """Resolve App Store numeric app id: input -> ASC API lookup -> empty."""
+    if inp["APP_STORE_APPLE_ID"]:
+        return inp["APP_STORE_APPLE_ID"], "input"
+    if not bundle[0]:
+        return "", "empty"
+    os.environ["ASC_KEY_ID"] = creds["key_id"]
+    os.environ["ASC_ISSUER_ID"] = creds["issuer_id"]
+    os.environ["ASC_KEY_PATH"] = creds["key_path"]
+    return lookup_app_id_via_api(bundle[0], scripts_dir), "api-lookup"
+
+
+def resolve_app(
+    inp: dict,
+    creds: dict,
+    scripts_dir: Path,
+    *,
+    workspace: Path,
+    xcode: dict,
+) -> dict:
+    """Resolve bundle_id / team_id / app_store_apple_id."""
+    bundle = _pick(inp["BUNDLE_ID"])
+    bundle = _detect_bundle(bundle, workspace, xcode)
+
+    team = _pick(inp["TEAM_ID"])
     if not team[0]:
         derived_val, derived_src = derive_team_if_empty(team[0], team[1], creds)
         if derived_val:
-            log(
-                f"derived team_id={derived_val} from ASC key "
-                f"{creds['key_id']}"
-            )
+            log(f"derived team_id={derived_val} from ASC key {creds['key_id']}")
             team = (derived_val, derived_src)
 
-    if inp["APP_STORE_APPLE_ID"]:
-        apple = (inp["APP_STORE_APPLE_ID"], "input")
-    elif apple_cfg not in (None, ""):
-        apple = (str(apple_cfg), apple_src)
-    elif bundle[0]:
-        os.environ["ASC_KEY_ID"] = creds["key_id"]
-        os.environ["ASC_ISSUER_ID"] = creds["issuer_id"]
-        os.environ["ASC_KEY_PATH"] = creds["key_path"]
-        apple = (lookup_app_id_via_api(bundle[0], scripts_dir), "api-lookup")
-    else:
-        apple = ("", "empty")
+    apple = _resolve_apple_id(inp, bundle, creds, scripts_dir)
     return {"bundle_id": bundle, "team_id": team, "app_store_apple_id": apple}
 
 
-def resolve_testflight(cfg: dict, inp: dict) -> dict:
-    """Resolve whats_new / locale from testflight.* or legacy aliases."""
-    whats_cfg, whats_src = pick_with_source(
-        cfg, ("testflight", "whats_new"), ("ios", "native", "whats_new"),
-    )
-    locale_cfg, locale_src = pick_with_source(
-        cfg, ("testflight", "locale"), ("ios", "native", "locale"),
-    )
-    if locale_cfg in (None, ""):
-        alt = dig(cfg, "app_store", "locale")
-        if alt not in (None, ""):
-            locale_cfg, locale_src = alt, "config(legacy)"
+def resolve_testflight(inp: dict) -> dict:
+    """Resolve whats_new / locale from inputs, with built-in defaults."""
     return {
-        "whats_new": resolve(
-            inp["WHATS_NEW"], whats_cfg, cfg_source=whats_src, default=DEFAULT_WHATS_NEW,
-        ),
-        "locale": resolve(inp["LOCALE"], locale_cfg, cfg_source=locale_src, default="en-US"),
+        "whats_new": _pick(inp["WHATS_NEW"], default=DEFAULT_WHATS_NEW),
+        "locale": _pick(inp["LOCALE"], default="en-US"),
     }
 
 
-def resolve_tests(cfg: dict, inp: dict) -> dict:
-    """Resolve run_tests / test_command / test_destination from ci.* or legacy."""
-    run_flat = dig(cfg, "ci", "run_tests")
-    run_legacy = dig(cfg, "ios", "native", "run_tests")
-    if run_legacy is None:
-        run_legacy = dig(cfg, "ios", "native", "tests", "run")
-    run_cfg, run_src = (run_flat, "config") if run_flat is not None else (run_legacy, "config(legacy)")
-
-    cmd_flat = dig(cfg, "ci", "test_command")
-    cmd_legacy = dig(cfg, "ios", "native", "test_command") or dig(cfg, "ios", "native", "tests", "command")
-    cmd_cfg, cmd_src = (
-        (cmd_flat, "config") if cmd_flat not in (None, "") else (cmd_legacy, "config(legacy)")
-    )
-
-    dest_flat = dig(cfg, "ci", "test_destination")
-    dest_legacy = (
-        dig(cfg, "ios", "native", "test_destination")
-        or dig(cfg, "ios", "native", "tests", "destination")
-    )
-    dest_cfg, dest_src = (
-        (dest_flat, "config") if dest_flat not in (None, "") else (dest_legacy, "config(legacy)")
-    )
-
+def resolve_tests(inp: dict) -> dict:
+    """Resolve run_tests / test_command / test_destination from inputs."""
     return {
-        "run_tests": resolve(
-            inp["RUN_TESTS"], as_str_bool(run_cfg), cfg_source=run_src, default="false",
-        ),
-        "test_command": resolve(inp["TEST_COMMAND"], cmd_cfg, cfg_source=cmd_src),
-        "test_destination": resolve(inp["TEST_DESTINATION"], dest_cfg, cfg_source=dest_src),
+        "run_tests": _pick(inp["RUN_TESTS"], default="false"),
+        "test_command": _pick(inp["TEST_COMMAND"]),
+        "test_destination": _pick(inp["TEST_DESTINATION"]),
     }
 
 
-def resolve_ios(cfg: dict, inp: dict) -> dict:
-    """Resolve ios.uses_non_exempt_encryption (flat) with legacy fallback."""
-    val_flat = dig(cfg, "ios", "uses_non_exempt_encryption")
-    # Flat lookup can accidentally return the legacy 'native' sub-dict; ignore.
-    if isinstance(val_flat, dict):
-        val_flat = None
-    val_legacy = dig(cfg, "ios", "native", "uses_non_exempt_encryption")
-    if val_flat is not None:
-        raw, src = val_flat, "config"
-    elif val_legacy is not None:
-        raw, src = val_legacy, "config(legacy)"
-    else:
-        raw, src = None, "config"
-    return {
-        "uses_non_exempt": resolve(
-            inp["USES_NON_EXEMPT"], as_str_bool(raw), cfg_source=src, default="false",
-        )
-    }
+def resolve_ios(inp: dict) -> dict:
+    """Resolve ios.uses_non_exempt_encryption from inputs."""
+    return {"uses_non_exempt": _pick(inp["USES_NON_EXEMPT"], default="false")}
 
 
 def collect_inputs() -> dict:
@@ -272,15 +243,17 @@ def main() -> None:
         fail("GITHUB_ENV not set; this script must run inside a GitHub Actions step")
     env_file = Path(env_file_path)
 
-    cfg = load_config(workspace, os.environ.get("CONFIG_PATH", "ci.config.yaml"))
     inputs = collect_inputs()
-
-    creds = emit_credentials(env_file, cfg, workspace)
-    xc = resolve_xcode(cfg, workspace, inputs)
-    app = resolve_app(cfg, inputs, creds, scripts_dir)
-    tf = resolve_testflight(cfg, inputs)
-    ios = resolve_ios(cfg, inputs)
-    tests = resolve_tests(cfg, inputs)
+    creds = emit_credentials(env_file, workspace)
+    xc = resolve_xcode(workspace, inputs)
+    xc_values = {k: v[0] for k, v in xc.items()}
+    app = resolve_app(
+        inputs, creds, scripts_dir,
+        workspace=workspace, xcode=xc_values,
+    )
+    tf = resolve_testflight(inputs)
+    ios = resolve_ios(inputs)
+    tests = resolve_tests(inputs)
 
     derived = [
         ("CFG_PROJECT", xc["project"]),
@@ -305,9 +278,7 @@ def main() -> None:
 
     # Persist whatsNew to a file under $RUNNER_TEMP so downstream steps can
     # read raw multi-line content without any GitHub Actions ${{ }} YAML
-    # interpolation mangling embedded newlines. CFG_WHATS_NEW still carries
-    # the same content for backward compatibility; the file is the source
-    # of truth.
+    # interpolation mangling embedded newlines.
     whats_new_value = tf["whats_new"][0]
     runner_temp = os.environ.get("RUNNER_TEMP") or str(workspace)
     whats_new_path = Path(runner_temp) / "whats_new.txt"

package/templates/ios-native-ci.config.yaml.template

@@ -1,30 +0,0 @@
-# iOS TestFlight CI configuration — read by daemux/daemux-plugins/.github/actions/ios-native-testflight
-# Place this at the repo root as ci.config.yaml.
-# Also place your ASC API key at creds/AuthKey_<KEY_ID>_Issuer_<ISSUER_UUID>.p8
-
-app:
-  bundle_id: "com.example.myapp"         # REQUIRED
-  team_id: "ABCDE12345"                  # optional — auto-derived from ASC API key when omitted
-  app_store_apple_id: ""                 # optional — auto-discovered via ASC API by bundle_id
-
-xcode:
-  project: ""                            # auto-detected if exactly one *.xcodeproj at root
-  workspace: ""                          # wins over project when set
-  scheme: "MyApp"                        # REQUIRED — no safe auto-detect
-  configuration: "Release"               # default: Release
-  profile_name: ""                       # default: "<scheme> CI"
-
-ios:
-  uses_non_exempt_encryption: false      # false | true | "" to skip write
-
-testflight:
-  whats_new: |
-    - Improved performance
-    - Bug fixes
-    - Enhanced security
-  locale: "en-US"
-
-ci:
-  run_tests: false
-  test_command: ""                       # optional
-  test_destination: "platform=iOS Simulator,name=iPhone 15"