@daemux/store-automator 0.10.89 → 0.10.91

package/.claude-plugin/marketplace.json

@@ -5,14 +5,14 @@
   },
   "metadata": {
     "description": "App Store & Google Play automation for Flutter apps",
-    "version": "0.10.89"
+    "version": "0.10.91"
   },
   "plugins": [
     {
       "name": "store-automator",
       "source": "./plugins/store-automator",
       "description": "3 agents for app store publishing: reviewer, meta-creator, media-designer",
-      "version": "0.10.89",
+      "version": "0.10.91",
       "keywords": [
         "flutter",
         "app-store",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@daemux/store-automator",
-  "version": "0.10.89",
+  "version": "0.10.91",
   "description": "Full App Store & Google Play automation for Flutter apps with Claude Code agents",
   "type": "module",
   "bin": {

package/plugins/store-automator/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "store-automator",
-  "version": "0.10.89",
+  "version": "0.10.91",
   "description": "App Store & Google Play automation agents for Flutter app publishing",
   "author": {
     "name": "Daemux"

package/plugins/store-automator/agents/appstore-meta-creator.md

@@ -264,11 +264,8 @@ af, am, ar, hy-AM, az-AZ, eu-ES, be, bn-BD, bg, my-MM, ca, zh-HK, zh-CN, zh-TW,
    - South/Southeast Asian: hi, th, vi, id, ms, bn-BD, ta-IN, te-IN, ml-IN, mr-IN, kn-IN, gu, my-MM, km-KH, lo-LA, si-LK
    - Middle Eastern: ar, ar-SA, he, tr, fa, ur
    - Other: hu, el, et, lv, lt, ka-GE, hy-AM, az-AZ, kk, ky-KG, mn-MN, ne-NP, af, am, sw, zu, fil, is-IS, eu-ES, rm, pa
-3. Create a translation team using TeamCreate with 2-5 teammates:
-   - Each teammate handles 2-5 language groups (based on total languages configured)
-   - Teammate prompt includes: English source texts, target locale codes (Apple + Google variants), character limits per field, translation instructions
-   - Each teammate writes files directly to the correct locale directories
-4. Wait for all teammates to complete, then verify all languages are covered
+3. Translate each language group sequentially, writing files directly to the correct locale directories as you go. Use the English source texts, target locale codes (Apple + Google variants), and character limits per field for each group.
+4. After all groups are translated, verify every configured language has complete metadata files for both platforms.
 
 ### Translation Instructions for Sub-Agents
 

package/plugins/store-automator/agents/architect.md

@@ -138,48 +138,29 @@ If a `.tasks/` file path is provided, read ONLY that file for requirements.
 Scan the codebase for already-implemented items. Pick 3-5 UNIMPLEMENTED
 related requirements. Design only those. Report: "Batch: N of ~M remaining."
 
-## Team Composition Recommendation
+## Worktree Recommendation
 
-**MANDATORY section in your output.** The orchestrator uses this to create teams.
+For parallel development with overlapping file scopes, recommend git worktrees for isolation.
 
-After your architecture design, include this section:
+Include in your output when applicable:
 
 ```
-### Team Recommendations for Orchestrator
-
-**Files touched:** {count}
-
-#### Developer Team (Flutter)
-- **Teammates:** {N} (based on file count: 3-4 files → 2, 5-7 → 3, 8+ → 4)
-- **Teammate 1 scope:** Screens and widgets — {list of files}
-- **Teammate 2 scope:** Providers and repositories — {list of files}
-- **Teammate 3 scope:** Firebase/backend services — {list of files} (if applicable)
-- **Rationale:** {why this split works}
-
-#### Reviewer Team
-- **Teammates:** 2-3
-- **Reviewer 1 focus:** Dart code quality, patterns, maintainability — files: {list}
-- **Reviewer 2 focus:** Security, Firebase rules, data validation — files: {list}
-- **Reviewer 3 focus:** Performance, store compliance — files: {list} (if 5+ files)
-
-#### Tester Team
-- **Teammates:** 2-4
-- **Tester 1 focus:** Flutter unit and widget tests — {scope}
-- **Tester 2 focus:** Mobile UI testing (iOS) — {scope}
-- **Tester 3 focus:** Mobile UI testing (Android) — {scope} (if applicable)
-
-#### App Designer Team (if design stage applies)
-- **Teammates:** 2-3
-- **Designer 1 scope:** App screen designs — {deliverables}
-- **Designer 2 scope:** Store screenshots — {deliverables}
-- **Designer 3 scope:** Web page design — {deliverables} (if applicable)
-
-**TEAM EXCEPTION:** If task touches <3 files, output: "Files touched: {N} — below team threshold, single agents recommended."
+### Worktree Strategy (if parallel development needed)
+
+**Recommended:** YES | NO
+
+**Rationale:** {why worktrees help or why they are unnecessary}
+
+**Worktree layout (if YES):**
+- `worktree/{name-1}` — {scope, files, branch purpose}
+- `worktree/{name-2}` — {scope, files, branch purpose}
+
+**Merge order:** {which worktree merges first, to minimize conflicts}
 ```
 
-Include concrete file assignments. The orchestrator will use this to create `TeamCreate` with the exact scopes you specify.
+Skip this section when a single developer suffices or file scopes do not overlap.
 
 ## Output Footer
 ```
-NEXT: product-manager(PRE) to validate approach and team composition before implementation
+NEXT: product-manager(PRE) to validate approach before implementation
 ```

package/plugins/store-automator/hooks/hooks.json

@@ -0,0 +1,15 @@
+{
+  "hooks": {
+    "SessionStart": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "${CLAUDE_PLUGIN_ROOT}/hooks/sync-claude-md.sh",
+            "timeout": 10
+          }
+        ]
+      }
+    ]
+  }
+}

package/plugins/store-automator/hooks/sync-claude-md.sh

@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+trap 'exit 0' ERR
+set -uo pipefail
+
+TARGET="$HOME/.claude/CLAUDE.md"
+PLUGIN_ROOT="${CLAUDE_PLUGIN_ROOT:-}"
+[[ -n "$PLUGIN_ROOT" ]] || exit 0
+TEMPLATE="$PLUGIN_ROOT/templates/CLAUDE.md.template"
+PLUGIN_JSON="$PLUGIN_ROOT/.claude-plugin/plugin.json"
+
+[[ -f "$TEMPLATE" && -f "$PLUGIN_JSON" ]] || exit 0
+
+version=$(grep -o '"version": *"[^"]*"' "$PLUGIN_JSON" | head -1 | cut -d'"' -f4)
+[[ -n "$version" ]] || exit 0
+
+marker="<!-- daemux-store-automator@${version} -->"
+
+if [[ -f "$TARGET" ]] && grep -Fq "$marker" "$TARGET"; then
+  exit 0
+fi
+
+mkdir -p "$(dirname "$TARGET")"
+touch "$TARGET"
+
+tmp=$(mktemp)
+{
+  printf '<!-- BEGIN daemux-store-automator -->\n'
+  printf '%s\n' "$marker"
+  cat "$TEMPLATE"
+  printf '\n<!-- END daemux-store-automator -->\n'
+} > "$tmp"
+
+# Replace the existing sentinel block if present; otherwise append
+if grep -q 'BEGIN daemux-store-automator' "$TARGET"; then
+  awk -v block_file="$tmp" '
+    BEGIN {
+      while ((getline line < block_file) > 0) {
+        block = block (block ? "\n" : "") line
+      }
+      close(block_file)
+    }
+    /<!-- BEGIN daemux-store-automator -->/ { in_block=1; print block; next }
+    /<!-- END daemux-store-automator -->/   { in_block=0; next }
+    !in_block { print }
+  ' "$TARGET" > "$TARGET.new"
+elif [[ -s "$TARGET" ]]; then
+  { cat "$TARGET"; printf '\n'; cat "$tmp"; } > "$TARGET.new"
+else
+  cp "$tmp" "$TARGET.new"
+fi
+
+mv "$TARGET.new" "$TARGET"
+rm -f "$tmp"
+exit 0

package/{templates → plugins/store-automator/templates}/CLAUDE.md.template

@@ -1,3 +1,5 @@
+<!-- This block is managed by the daemux-store-automator plugin. Edits inside the sentinels will be overwritten on plugin update. Customize outside the sentinels. -->
+
 # {APP_NAME} - Development Standards
 
 ## Project Overview
@@ -195,39 +197,6 @@ devops (standalone)
 architect → product-manager(PRE) → app-designer → developer(flutter) → simplifier → reviewer → tester(flutter) → tester(mobile-ui) → appstore-meta-creator → appstore-reviewer → product-manager(POST) → devops(deploy)
 ```
 
-#### Team Size Annotations
-
-Flows above use single agents by default. For tasks touching 3+ files, apply team sizes:
-
-| Files Touched | Team Size |
-|--------------|-----------|
-| 1-2 files | Single agent (no team) |
-| 3-4 files | 2 teammates |
-| 5-7 files | 3 teammates |
-| 8+ files | 4 teammates |
-
-**Team-annotated flows** (apply when task scope exceeds 2 files):
-
-##### Standard Flow (with teams)
-```
-architect{T:2} → product-manager(PRE) → developer{T:2-4} → simplifier → reviewer{T:2} → tester{T:2} → product-manager(POST) → [devops]
-```
-
-##### Flutter Flow (with teams)
-```
-architect{T:2} → product-manager(PRE) → [app-designer{T:2-3}] → developer(flutter){T:2-4} → simplifier → reviewer{T:2-3} → tester(flutter){T:2} → tester(mobile-ui){T:2} → product-manager(POST) → [devops(deploy)]
-```
-
-##### Backend Flow (with teams)
-```
-architect{T:2} → product-manager(PRE) → developer(backend){T:2-4} → simplifier → reviewer{T:2} → tester(backend){T:2} → product-manager(POST) → [devops(deploy)]
-```
-
-##### Full Publishing Flow (with teams)
-```
-architect{T:2} → product-manager(PRE) → app-designer{T:2-3} → developer(flutter){T:2-4} → simplifier → reviewer{T:2-3} → tester(flutter){T:2} → tester(mobile-ui){T:2} → appstore-meta-creator{T:2-5} → appstore-reviewer → product-manager(POST) → devops(deploy)
-```
-
 ### Agents Reference
 
 | Agent | When to use |
@@ -323,90 +292,6 @@ iOS: create app record locally first (`fastlane create_app_ios` + `upload_privac
 ### Phase 7: Ongoing Updates
 Push to main. GitHub Actions detects changes and uploads modified assets. Version auto-incremented.
 
----
-## FOR ORCHESTRATORS ONLY
-**If you are a TEAMMATE, skip to "For Teammates" section below.**
----
-
-### Agent Teams (MANDATORY by default)
-
-**Teams are the DEFAULT for most workflow stages.** Single-agent is the exception, not the norm.
-
-#### Mandatory Team Stages
-
-These stages MUST use teams unless the task touches fewer than 3 files:
-
-| Stage | Default Size | Split Strategy |
-|-------|-------------|----------------|
-| architect | 2 | Split by concern: structure/patterns vs integration/data-flow |
-| developer | 2-4 | Split by file group: screens/widgets vs providers/repos vs Firebase/backend |
-| reviewer | 2-3 | Split by focus: Dart quality vs security+Firebase rules vs performance+store compliance |
-| tester | 2-4 | Split by type: flutter unit/widget vs mobile-ui iOS vs mobile-ui Android vs web |
-| app-designer | 2-3 | Split by deliverable: app screens vs store screenshots vs web page |
-| appstore-meta-creator | 2-5 | Split by language group: each teammate handles 2-5 languages grouped by similarity |
-
-#### Single-Agent Stages (exceptions)
-
-These stages stay single-agent — teams add no value:
-
-| Stage | Reason |
-|-------|--------|
-| simplifier | Works on same files developer just touched — no parallelism possible |
-| product-manager | Single evaluation checkpoint — multiple perspectives don't help |
-| devops | Single deployment target — cannot parallelize |
-| appstore-reviewer | Single compliance evaluation — one holistic review needed |
-
-#### Team Size Triggers
-
-| Files Touched | Team Size |
-|--------------|-----------|
-| 1-2 files | Single agent — TEAM EXCEPTION |
-| 3-4 files | 2 teammates |
-| 5-7 files | 3 teammates |
-| 8+ files | 4 teammates |
-
-**Team Enforcement (MANDATORY):**
-If `TEAMS:` output includes any stage using teams, you MUST call `TeamCreate` before spawning agents for that stage. Spawning agents via `Task` without `team_name` does NOT count as using teams. Violation = workflow non-compliance.
-
-**When creating a team:**
-
-```
-Create agent team with [N] teammates, all using Opus model:
-- [role-1]: [Specific responsibility and task details]
-- [role-2]: [Specific responsibility and task details]
-- [role-3]: [Specific responsibility and task details]
-...
-
-Spawn each teammate with detailed prompt including:
-- Their specific role and responsibilities
-- The task details
-- How to coordinate with other teammates
-```
-
-**Guidelines:**
-- Use 2-10 teammates per stage
-- Always specify Opus model for all teammates
-- Assign distinct, non-overlapping scopes to each teammate
-- Include full instructions in spawn prompts (don't reference external files)
-- One team at a time - dissolve before next stage
-- Assign 5-6 tasks per teammate
-
----
-## FOR TEAMMATES ONLY
-**If you are the ORCHESTRATOR, skip this section.**
----
-
-### Teammate Instructions
-
-**Ignore orchestration workflows above.**
-
-1. Your spawn prompt contains your full instructions
-2. Message teammates directly to coordinate
-3. Focus only on your assigned scope
-4. Complete your work, let team dissolve
-
----
-
 ### Large Task Protocol
 
 For tasks with 5+ requirements:
@@ -433,8 +318,6 @@ TASK TYPE: [flutter/backend/design/metadata/database/infra/standard]
 RECOMMENDED FLOW:
 <copy the EXACT flow from Agent Flows section - include ALL agents with [optional] ones>
 
-TEAMS: [MANDATORY — list team stages with sizes. Single-agent exceptions: list which stages and why. "NO" only valid for tasks <3 files]
-
 DEPLOYMENT: [AVAILABLE - deployment configured | NOT CONFIGURED - workflow ends at product-manager(POST)]
 
 TASK TRACKING: ALWAYS use TaskCreate/TaskUpdate/TaskList tools for multi-step tasks (3+ steps)

package/src/templates.mjs

@@ -93,7 +93,13 @@ function composeNewFileContent(existing, wrappedBlock) {
 }
 
 export function installClaudeMd(targetPath, packageDir, appName) {
-  const template = join(packageDir, 'templates', 'CLAUDE.md.template');
+  const template = join(
+    packageDir,
+    'plugins',
+    'store-automator',
+    'templates',
+    'CLAUDE.md.template',
+  );
   if (!existsSync(template)) return;
   const targetExists = existsSync(targetPath);
   const action = targetExists ? 'Updating' : 'Installing';

package/templates/scripts/ci/ios-native/prepare_signing.py

@@ -83,7 +83,31 @@ def generate_key_and_csr() -> tuple[rsa.RSAPrivateKey, bytes]:
     return private_key, csr_payload
 
 
-def newest_distribution_cert_id(token: str) -> str | None:
+def oldest_distribution_cert_id(token: str) -> str | None:
+    """Return the DISTRIBUTION cert with the EARLIEST expiration date.
+
+    Apple's per-team distribution-cert cap is 2. When CI hits the cap we
+    must revoke one to make room for a fresh cert. We deliberately pick
+    the OLDEST cert (earliest expirationDate) because:
+
+      * Each CI run signs an IPA, uploads it to ASC, and that build then
+        spends minutes-to-hours in App Store Connect's processing
+        pipeline. Processing re-validates the binary's leaf cert against
+        Apple's current cert state. A revoked cert during processing
+        produces ITMS-90035 ("invalid signature ... signed with an ad-hoc
+        certificate, not a distribution certificate") and rejects the
+        build that was already accepted at upload time.
+
+      * The NEWEST cert is, by construction, the one that signed the most
+        recent build — i.e. the build that is right now in ASC processing
+        and most exposed to the revocation race. Revoking it (the prior
+        behavior) reliably broke the build the previous CI run produced.
+
+      * The OLDEST cert is the one most likely to be from a build whose
+        ASC processing has long since completed (each CI run only adds
+        builds; processing finishes in minutes). Revoking it is the
+        safest choice.
+    """
     data = get_json(
         "/certificates",
         token,
@@ -93,15 +117,17 @@ def newest_distribution_cert_id(token: str) -> str | None:
             "filter[certificateType]": "DISTRIBUTION",
         },
     )
-    newest_id = None
-    newest_exp = ""
+    oldest_id = None
+    oldest_exp: str | None = None
     for cert in data.get("data", []):
         attrs = cert.get("attributes") or {}
         exp = attrs.get("expirationDate") or ""
-        if exp > newest_exp:
-            newest_exp = exp
-            newest_id = cert["id"]
-    return newest_id
+        if not exp:
+            continue
+        if oldest_exp is None or exp < oldest_exp:
+            oldest_exp = exp
+            oldest_id = cert["id"]
+    return oldest_id
 
 
 def create_distribution_cert(token: str, csr_b64: str) -> tuple[str, bytes]:
@@ -118,8 +144,12 @@ def create_distribution_cert(token: str, csr_b64: str) -> tuple[str, bytes]:
         "POST", "/certificates", token, json_body=body, allow_status={409}
     )
     if resp.status_code == 409:
-        print("Distribution cert cap hit; revoking newest existing cert")
-        target = newest_distribution_cert_id(token)
+        # Revoke the OLDEST cert, NOT the newest. The newest cert signed
+        # the previous build that may still be in ASC processing — revoking
+        # it during processing yields ITMS-90035 on the prior build.
+        # See oldest_distribution_cert_id() for the full rationale.
+        print("Distribution cert cap hit; revoking oldest existing cert")
+        target = oldest_distribution_cert_id(token)
         if not target:
             raise SystemExit(
                 "409 from cert create but no existing DISTRIBUTION cert "

package/templates/scripts/ci/ios-native/set_app_store_whats_new.py

@@ -78,8 +78,31 @@ def _log(msg: str) -> None:
     print(msg, file=sys.stderr)
 
 
-def _patch_localization(token: str, localization_id: str, whats_new: str) -> None:
-    request(
+def _patch_localization(
+    token: str, localization_id: str, whats_new: str
+) -> bool:
+    """PATCH a single localization's whatsNew. Returns True on success,
+    False when Apple reports the localization is locked (409 STATE_ERROR).
+
+    Apple returns 409 STATE_ERROR ("Attribute 'whatsNew' cannot be edited
+    at this time") on individual localizations even when the parent
+    appStoreVersion's appStoreState is in the editable allow-list checked
+    upstream. This happens when the per-localization state is locked
+    independently (e.g. submitted, in-review at the localization level,
+    or transitioning) -- a race the version-level state check at the top
+    of main() cannot see.
+
+    Without this allow-list, asc_common.request() raises SystemExit on
+    the 409, which the script's top-level try/except cannot swallow
+    (SystemExit is explicitly re-raised). The whole CI run then fails
+    at exit code 1 even though the IPA upload already succeeded.
+
+    Other non-2xx statuses (auth, 5xx, malformed payloads, real ASC
+    outages) are NOT in the allow-list and continue to fail loud --
+    asc_common.request() retries 5xx automatically and SystemExits on
+    everything else.
+    """
+    resp = request(
         "PATCH",
         f"/appStoreVersionLocalizations/{localization_id}",
         token,
@@ -90,7 +113,17 @@ def _patch_localization(token: str, localization_id: str, whats_new: str) -> Non
                 "attributes": {"whatsNew": whats_new},
             }
         },
+        allow_status={409},
     )
+    if resp.status_code == 409:
+        _warn(
+            f"appStoreVersionLocalization {localization_id} returned 409 "
+            f"STATE_ERROR (locked); whatsNew not patched for this "
+            f"localization. Other localizations and the rest of the run "
+            f"continue."
+        )
+        return False
+    return True
 
 
 def _create_localization(
@@ -155,18 +188,26 @@ def _update_all_localizations(
         return 1
 
     count = 0
+    skipped = 0
     for item in entries:
         loc_id = item.get("id") or ""
         loc = (item.get("attributes") or {}).get("locale") or "?"
         if not loc_id:
             _warn(f"skipping localization without id: {item!r}")
             continue
-        _patch_localization(token, loc_id, whats_new)
+        if _patch_localization(token, loc_id, whats_new):
+            _log(
+                f"PATCHed appStoreVersionLocalization {loc_id} whatsNew "
+                f"for {version} ({loc})"
+            )
+            count += 1
+        else:
+            skipped += 1
+    if skipped:
         _log(
-            f"PATCHed appStoreVersionLocalization {loc_id} whatsNew "
-            f"for {version} ({loc})"
+            f"whatsNew skipped for {skipped} locked localization(s) "
+            f"(see warnings above)"
         )
-        count += 1
     return count