@daemux/store-automator 0.10.93 → 0.10.95

package/.claude-plugin/marketplace.json

@@ -5,14 +5,14 @@
   },
   "metadata": {
     "description": "App Store & Google Play automation for Flutter apps",
-    "version": "0.10.93"
+    "version": "0.10.95"
   },
   "plugins": [
     {
       "name": "store-automator",
       "source": "./plugins/store-automator",
       "description": "3 agents for app store publishing: reviewer, meta-creator, media-designer",
-      "version": "0.10.93",
+      "version": "0.10.95",
       "keywords": [
         "flutter",
         "app-store",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@daemux/store-automator",
-  "version": "0.10.93",
+  "version": "0.10.95",
   "description": "Full App Store & Google Play automation for Flutter apps with Claude Code agents",
   "type": "module",
   "bin": {

package/plugins/store-automator/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "store-automator",
-  "version": "0.10.93",
+  "version": "0.10.95",
   "description": "App Store & Google Play automation agents for Flutter app publishing",
   "author": {
     "name": "Daemux"

package/src/install.mjs

@@ -126,9 +126,32 @@ function mapPromptsToCiFields(prompted) {
   };
 }
 
-function printNextSteps(prompted) {
-  const missing = [];
+// Post-install printer for both modes. The Match-based flow lists
+// missing-credential next steps; the GitHub Actions native iOS flow
+// (no Match) prints the workflow-side requirements (push permissions,
+// paths-ignore, repo visibility) the composite action cannot
+// auto-configure. Co-located in one function so the iOS-native CI
+// install path adds zero new top-level functions to this file. Note:
+// the file currently has 14 top-level functions, above the 10-per-file
+// guideline; that pre-dates this PR (no functions added by the
+// cert-caching feature); refactor tracked separately.
+function printNextSteps(prompted, isGitHubActions = false) {
+  console.log('');
+
+  if (isGitHubActions) {
+    console.log('Next steps for the iOS native TestFlight pipeline:');
+    console.log('  1. Place your ASC API key at creds/AuthKey_<KEY_ID>_Issuer_<UUID>.p8');
+    console.log('  2. Set workflow permissions: contents: write, models: read');
+    console.log("  3. Add 'creds/**' to paths-ignore in your workflow trigger");
+    console.log('  4. Make the repo PRIVATE (creds/ holds cert.p12 + .p8)');
+    console.log('  5. Commit and push to your default branch — CI handles the rest');
+    console.log('');
+    console.log('See .github/IOS_NATIVE_CI_SETUP.md (or templates/github/IOS_NATIVE_CI_SETUP.md)');
+    console.log('for the full caching + renewal contract.');
+    return;
+  }
 
+  const missing = [];
   if (isPlaceholder(prompted.bundleId)) {
     missing.push('Set bundle ID in ci.config.yaml');
   }
@@ -142,16 +165,15 @@ function printNextSteps(prompted) {
     missing.push('Configure Match code signing (match_git_url, deploy key)');
   }
 
-  console.log('');
   if (missing.length === 0) {
     console.log('All configuration complete! Start Claude Code.');
-  } else {
-    console.log('Next steps:');
-    for (let i = 0; i < missing.length; i++) {
-      console.log(`  ${i + 1}. ${missing[i]}`);
-    }
-    console.log(`  ${missing.length + 1}. Start Claude Code`);
+    return;
+  }
+  console.log('Next steps:');
+  for (let i = 0; i < missing.length; i++) {
+    console.log(`  ${i + 1}. ${missing[i]}`);
   }
+  console.log(`  ${missing.length + 1}. Start Claude Code`);
 }
 
 async function withReadline(fn) {
@@ -277,6 +299,6 @@ export async function runInstall(scope, isPostinstall = false, cliTokens = {}) {
   if (isGlobal) {
     printGlobalNote();
   } else {
-    printNextSteps(prompted);
+    printNextSteps(prompted, isGitHubActions);
   }
 }

package/templates/github/IOS_NATIVE_CI_SETUP.md

@@ -100,3 +100,191 @@ git add creds/
 git commit -m "ci: rotate ASC API key"
 git push
 ```
+
+## Persistent signing identity
+
+On the **first** default-branch run, the action provisions an Apple
+Distribution certificate plus one provisioning profile per signable
+target and commits them back into `creds/`:
+
+```
+creds/
+  AuthKey_<KEY_ID>_Issuer_<UUID>.p8     # your ASC API key (you supply)
+  cert.p12                              # CI-managed: distribution cert + private key
+  cert.meta.json                        # CI-managed: cert id, NotAfter, p12 password
+  profiles.manifest.json                # CI-managed: cert id + per-bundle profile entries
+  profiles/<UUID>.mobileprovision       # CI-managed: one per signable bundle
+```
+
+Subsequent runs reuse the cached identity. CI re-creates only what changed:
+
+| Trigger | Action |
+|---------|--------|
+| Cert expires in <30 days | Regenerate cert + every profile, commit refreshed `creds/` |
+| Cert revoked on App Store Connect | Same as expiry (cache invalidated, fresh cert created) |
+| New signable target added | Generate just that bundle's profile, append to manifest |
+| Existing target removed | GC its `.mobileprovision` from disk + manifest |
+| Cert in 30–60 day window | `::warning::` in CI logs (no regeneration yet) |
+
+### Required workflow configuration
+
+The composite action commits back to your default branch. Your workflow
+MUST grant the right permissions and use a deep checkout:
+
+```yaml
+permissions:
+  contents: write   # required: action commits refreshed creds/
+  models: read      # required: AI metadata inference
+
+jobs:
+  deploy:
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0          # required: action rebases + pushes
+          persist-credentials: true
+```
+
+The `templates/github/workflows/deploy.yml` shipped with this template
+already does this — copy it verbatim.
+
+`paths-ignore` for `creds/**` keeps the commit-back from re-triggering
+the workflow (the action's commit message also carries `[skip ci]` as a
+second-line defence).
+
+### `.gitignore` rules
+
+If your repo's `.gitignore` blocks `creds/`, the cached identity files
+MUST stay tracked. Either:
+
+**Option A (recommended):** drop `creds/` from `.gitignore` entirely.
+The whole directory is meant to be committed in this private repo.
+
+**Option B:** ignore the *contents* of `creds/` but un-ignore the
+specific files CI manages. Git cannot re-include a child once its
+parent directory is fully ignored, so the pattern MUST use `creds/*`
+(not `creds/`) and include a directory un-ignore for `profiles/`
+before the file un-ignore inside it:
+
+```
+creds/*
+!creds/cert.p12
+!creds/cert.meta.json
+!creds/profiles.manifest.json
+!creds/profiles/
+!creds/profiles/*
+!creds/AuthKey_*.p8
+```
+
+The action force-adds (`git add -f`) the cache files, but a workflow
+that pushes back to a `.gitignore`-blocked path will still surface a
+confusing diff in PRs. Un-ignoring up-front is cleaner.
+
+### Repo MUST stay private
+
+The `cert.p12` is now committed alongside the `.p8` ASC API key. Both
+grant the ability to sign and ship binaries under your team. **Make the
+repo private** (Settings → General → Danger Zone → Change visibility).
+The `p12_password` is intentionally `"ci"` — encryption-at-rest of the
+PKCS12 is decorative when the `.p8` sits next to it in plaintext.
+
+### Renewal cadence
+
+* **T-60 days from cert expiry:** CI logs
+  `::warning::Cert <id> expires in <N>d; auto-renew fires at 30d remaining`.
+  No action needed.
+* **T-30 days from cert expiry:** CI auto-regenerates the cert,
+  regenerates all profiles, commits refreshed `creds/`. Subsequent runs
+  use the new identity transparently.
+* **Manual revoke** (Apple Developer portal or `App Store Connect` UI):
+  the next CI run detects the dead cert via the alive-check API call,
+  invalidates the cache, and provisions fresh material.
+
+### Manual reset
+
+If you ever need to wipe the cache (debugging, suspected key compromise):
+
+```bash
+rm -f creds/cert.p12 creds/cert.meta.json creds/profiles.manifest.json
+rm -rf creds/profiles/
+git add -A creds/
+git commit -m "ci: reset signing cache"
+git push
+```
+
+The next CI run treats this as a cold-start and generates a fresh cert + profiles.
+
+## Auto-updates
+
+The action ships with a per-run autoupdate check. On every default-branch
+push, it queries npm for the latest `@daemux/swift-app-ci` version,
+compares against the locally vendored marker
+(`.github/actions/swift-app/.daemux-version`), and if newer, re-vendors
+via `npx --yes @daemux/swift-app-ci`. The refreshed action files
+(under `.github/actions/swift-app/`) are committed back alongside any
+cert refresh in a single combined commit. `.github/workflows/deploy.yml`
+is NEVER auto-committed — see "deploy.yml is not auto-updated" below.
+
+| Aspect | Behaviour |
+|--------|-----------|
+| Trigger | Every push to the default branch (PR / feature branch runs do nothing) |
+| Lag | One run — the *next* push after a new release picks up the update |
+| Suppression | `[skip ci]` in the commit subject + `paths-ignore` for `.github/actions/swift-app/**` |
+| Combined commit | One commit when cert refresh + autoupdate fire in the same run (subjects below) |
+| Failure mode | Non-fatal: a failed `npm view` or `npx` emits `::warning::` and the build continues |
+
+Commit subjects (all carry `[skip ci]`):
+
+- `ci: refresh signing identity in creds/` — cert/profile refresh only
+- `ci: autoupdate swift-app-ci` — vendored action update only
+- `ci: refresh signing identity + autoupdate swift-app-ci` — both in one run
+
+### `paths-ignore` requirement
+
+Your `deploy.yml` MUST include `.github/actions/swift-app/**` under
+`paths-ignore` to prevent the autoupdate commit-back from re-triggering
+the workflow. The shipped template already does this — copy it verbatim:
+
+```yaml
+on:
+  push:
+    branches: [main]
+    paths-ignore:
+      - '**/*.md'
+      - '.gitignore'
+      - 'creds/**'
+      - '.github/actions/swift-app/**'
+```
+
+### deploy.yml is not auto-updated
+
+**deploy.yml is NOT auto-updated.** GitHub's `GITHUB_TOKEN` cannot
+push changes to workflow files (`.github/workflows/*.yml`) regardless
+of `contents: write` — this is a built-in safeguard against CI
+self-modification. When a new version of `@daemux/swift-app-ci`
+requires `deploy.yml` schema changes (e.g., new permissions, new
+paths-ignore entries), the action's release notes will call this out
+and you must run `npx --yes @daemux/swift-app-ci` manually once to
+sync your `deploy.yml`. Existing deploy.yml stays untouched on every
+auto-update cycle until you do.
+
+### Opt out
+
+Pin the vendored copy by passing `auto-update: 'false'`:
+
+```yaml
+- uses: ./.github/actions/swift-app
+  with:
+    auto-update: 'false'
+```
+
+### First-run bootstrap
+
+The autoupdate marker is written by `npx @daemux/swift-app-ci` itself.
+A repo that has never run the installer (e.g. an old hand-vendored
+copy) has no marker and the autoupdater will treat its current
+version as `""` — the very first run will then re-vendor against
+the latest published release, after which subsequent runs are
+incremental. If you want to skip even that first auto-bootstrap,
+either pass `auto-update: 'false'` or run `npx --yes
+@daemux/swift-app-ci` once locally to drop the marker yourself.

package/templates/github/workflows/deploy.yml

@@ -2,9 +2,24 @@ name: iOS Deploy
 on:
   push:
     branches: [main]
-    paths-ignore: ['**/*.md', '.gitignore']
+    # creds/ commit-back AND swift-app-ci autoupdate from the action
+    # would re-trigger the workflow. The commit messages carry [skip ci]
+    # but ignoring the paths is a belt-and-braces guard against trigger
+    # storms when [skip ci] is honored inconsistently across providers.
+    paths-ignore:
+      - '**/*.md'
+      - '.gitignore'
+      - 'creds/**'
+      - '.github/actions/swift-app/**'
   workflow_dispatch:
 
+# contents:write lets the action commit the refreshed signing identity
+# back to creds/ on default-branch runs. models:read keeps the AI
+# metadata phases working (GitHub Models inference).
+permissions:
+  contents: write
+  models: read
+
 concurrency:
   group: ios-deploy-${{ github.ref }}
   cancel-in-progress: true
@@ -15,4 +30,11 @@ jobs:
     timeout-minutes: 60
     steps:
       - uses: actions/checkout@v4
+        with:
+          # full clone so the action can rebase + push refreshed creds/
+          # back onto the default branch without losing recent commits.
+          fetch-depth: 0
+          # required for the GITHUB_TOKEN to remain authenticated for the
+          # subsequent `git push` from the action.
+          persist-credentials: true
       - uses: daemux/daemux-plugins/.github/actions/ios-native-testflight@main

package/templates/scripts/ci/ios-native/autoupdate_check.sh

@@ -0,0 +1,119 @@
+#!/usr/bin/env bash
+# Checks npm for newer @daemux/swift-app-ci, re-vendors via npx if newer.
+# Stages refreshed files for commit. Exits 0 on no-op or non-fatal failure.
+#
+# DESIGN DECISION (intentional, not a bug):
+# This script runs `npx --yes @daemux/swift-app-ci@<latest>` on every default-
+# branch CI run with `permissions: contents: write`. That means the consumer
+# repo trusts whatever code @daemux/swift-app-ci publishes to npm.
+#
+# Trust model — internally consistent with the rest of the action:
+#   - Consumers initially install via the same `npx --yes @daemux/swift-app-ci`
+#     command. They've already accepted the trust relationship.
+#   - The package is published from a private daemux-plugins repo via a
+#     dedicated GH Actions workflow with NPM_TOKEN. Compromise of that token
+#     would already be catastrophic regardless of this autoupdate path.
+#   - We pin to the exact version returned by `npm view` immediately above
+#     (`@$latest`) so the small TOCTOU window between view and exec can't
+#     swap a different version.
+#   - Consumers who want to pin can set `with: { auto-update: 'false' }` in
+#     their workflow.
+#
+# Hardening considered, not adopted:
+#   - `npm audit signatures` provenance check: requires npm to have published
+#     with --provenance, which the daemux publish workflow does not currently
+#     emit. Worth revisiting if/when daemux-plugins enables provenance.
+#   - Pinning to a fixed hash: defeats the autoupdate purpose.
+#   - Out-of-band verification (signed manifest): overkill for the threat
+#     model described above.
+set -euo pipefail
+
+VERSION_FILE=".github/actions/swift-app/.daemux-version"
+PKG="@daemux/swift-app-ci"
+
+current=""
+if [[ -f "$VERSION_FILE" ]]; then
+  current="$(tr -d '[:space:]' < "$VERSION_FILE")"
+fi
+
+if ! latest="$(npm view "$PKG" version 2>/dev/null)"; then
+  echo "::warning::autoupdate: failed to query npm for $PKG"
+  exit 0
+fi
+latest="$(printf '%s' "$latest" | tr -d '[:space:]')"
+
+if [[ -z "$latest" ]]; then
+  echo "::warning::autoupdate: empty version returned for $PKG"
+  exit 0
+fi
+
+if [[ "$current" == "$latest" ]]; then
+  echo "autoupdate: $PKG already at $latest"
+  exit 0
+fi
+
+echo "autoupdate: $PKG $current -> $latest; re-vendoring"
+
+if ! npx --yes "$PKG@$latest"; then
+  echo "::warning::autoupdate: npx $PKG@$latest failed"
+  exit 0
+fi
+
+git config user.name  >/dev/null 2>&1 || git config user.name  "github-actions[bot]"
+git config user.email >/dev/null 2>&1 || \
+  git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+# NOTE: We deliberately do NOT stage .github/workflows/deploy.yml here.
+# GITHUB_TOKEN cannot push workflow-file changes regardless of
+# `permissions: contents: write` (GH security policy: prevents CI from
+# modifying its own triggers). Consumer-side deploy.yml updates require
+# manual `npx --yes @daemux/swift-app-ci` by the user. Document this in
+# the action README and changelog when shipping a deploy.yml schema change.
+
+# Stage everything under the vendored action dir EXCEPT Python bytecode
+# caches. The action's own scripts run during this CI job and Python
+# generates `__pycache__/*.pyc` files inside scripts/ as a side effect of
+# importing them. Those caches are build artifacts of *this* run, not part
+# of the action distribution -- sweeping them into the autoupdate bot
+# commit is benign but noisy (every clean run emits a "refresh
+# __pycache__" diff). `git ls-files -mo` enumerates modified+other
+# (untracked) paths under the directory; we filter out anything matching
+# `/__pycache__/` or ending in `.pyc`, then feed the rest to `git add -f`.
+#
+# We deliberately do NOT pass `--exclude-standard`: that flag would make
+# ls-files honor the consumer's .gitignore at discovery time. If a
+# consumer ignores e.g. `.daemux-version` or any other autoupdate-managed
+# path, ls-files would silently drop it and the bot commit would never
+# refresh that file -- defeating the autoupdate. The matching `-f` on
+# `git add` already overrides .gitignore at staging time, so the only
+# files we want to filter are the bytecode caches above, which our
+# explicit grep handles deterministically.
+#
+# Empty-input guard: BSD xargs (default on macos-15 runners) does NOT
+# support `-r`/`--no-run-if-empty`, so on a clean tree where the grep
+# filter strips everything, piping an empty stream into `xargs git add`
+# would invoke `git add -f --` with no positional arguments. That exits
+# 129 ("Nothing specified, nothing added"), which `set -euo pipefail`
+# treats as fatal even though it's the no-op case we want. Capture to a
+# variable first and skip the xargs call when empty -- portable across
+# both BSD and GNU xargs.
+#
+# We deliberately do NOT pass `--directory`: with that flag, `git ls-files`
+# collapses any *new* untracked directory to a single entry (the directory
+# path itself), e.g. it would emit `.github/actions/swift-app/scripts/`
+# instead of enumerating its files. If such a collapsed parent contains
+# `__pycache__/` children, our grep would NOT match `__pycache__/` against
+# the parent path -- the directory entry would slip past the filter and
+# `git add -f <dir>` would recurse into it, dragging the bytecode caches
+# in with everything else. Without `--directory`, ls-files enumerates
+# every individual untracked file path so the grep filter sees each
+# `__pycache__/...` and `*.pyc` entry by name and strips it
+# deterministically.
+files="$(git ls-files -mo .github/actions/swift-app/ \
+  | grep -v -E '(/__pycache__/|\.pyc$)' || true)"
+if [[ -n "$files" ]]; then
+  printf '%s\n' "$files" \
+    | tr '\n' '\0' \
+    | xargs -0 git add -f -- 2>/dev/null || true
+fi
+echo "autoupdate: staged refreshed action files (deploy.yml not staged — see comment; __pycache__ excluded)"

package/templates/scripts/ci/ios-native/cert_factory.py

@@ -0,0 +1,190 @@
+#!/usr/bin/env python3
+"""
+Cert-creation primitives for the iOS native TestFlight action.
+
+Owns the cryptographic legwork (RSA key + CSR), Apple's per-team cert
+cap rotation (revoke OLDEST on 409), and PKCS12 serialisation. Split
+from ``prepare_signing.py`` so the orchestrator there stays focused on
+the load-or-regen control flow and the file count stays under the
+project's per-file limits.
+
+Nothing here touches the on-disk cache — callers receive raw bytes and
+hand them to ``creds_store`` for atomic persistence.
+"""
+
+from __future__ import annotations
+
+import base64
+import os
+import time
+
+from asc_common import get_json, request
+from cryptography import x509
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.hazmat.primitives.serialization import pkcs12
+from cryptography.x509.oid import NameOID
+
+# Apple's cert revoke -> create pipeline is eventually consistent: a
+# DELETE on the per-team cap-blocking cert sometimes still shows up as
+# "active" to a follow-up POST for a second or two, returning a fresh
+# 409 even though we just freed a slot. Sleep then retry-with-backoff
+# rather than failing the whole CI run on a known-transient race.
+CERT_REVOKE_PROPAGATION_DELAY_SEC = float(
+    os.getenv("CERT_REVOKE_PROPAGATION_DELAY_SEC", "2.0")
+)
+CERT_POST_RETRIES_AFTER_REVOKE = int(
+    os.getenv("CERT_POST_RETRIES_AFTER_REVOKE", "2")
+)
+
+
+def generate_key_and_csr() -> tuple[rsa.RSAPrivateKey, bytes]:
+    """Generate a fresh 2048-bit RSA key + PEM CSR (base64 body only).
+
+    Returns the private key (kept in memory; the caller serialises it
+    into the PKCS12) and the CSR with PEM headers stripped, ready for
+    Apple's ``csrContent`` field.
+    """
+    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
+    csr = (
+        x509.CertificateSigningRequestBuilder()
+        .subject_name(
+            x509.Name(
+                [
+                    x509.NameAttribute(NameOID.COMMON_NAME, "Daemux CI"),
+                    x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
+                ]
+            )
+        )
+        .sign(private_key, hashes.SHA256())
+    )
+    csr_pem = csr.public_bytes(serialization.Encoding.PEM)
+    csr_payload = b"".join(
+        line for line in csr_pem.splitlines() if not line.startswith(b"-----")
+    )
+    return private_key, csr_payload
+
+
+def oldest_distribution_cert_id(token: str) -> str | None:
+    """Return the DISTRIBUTION cert with the EARLIEST expirationDate.
+
+    Apple caps each team at 2 distribution certs; when CI hits the cap
+    we must revoke one. Picking the OLDEST is the safest choice — the
+    NEWEST cert signed the most recent build that may still be in ASC
+    processing, and revoking that mid-processing produces ITMS-90035
+    ("signed with an ad-hoc certificate, not a distribution
+    certificate") on the prior run. Older certs have long since cleared
+    processing.
+    """
+    data = get_json(
+        "/certificates",
+        token,
+        params={
+            "limit": "200",
+            "sort": "-id",
+            "filter[certificateType]": "DISTRIBUTION",
+        },
+    )
+    oldest_id = None
+    oldest_exp: str | None = None
+    for cert in data.get("data", []):
+        attrs = cert.get("attributes") or {}
+        exp = attrs.get("expirationDate") or ""
+        if not exp:
+            continue
+        if oldest_exp is None or exp < oldest_exp:
+            oldest_exp = exp
+            oldest_id = cert["id"]
+    return oldest_id
+
+
+def _post_with_revoke_backoff(token: str, body: dict):
+    """POST a cert create after a revoke, tolerating ASC propagation lag.
+
+    Apple's DELETE -> POST pipeline is eventually consistent: a freshly
+    revoked cert may still count against the per-team cap for a brief
+    window, producing a spurious 409 on the immediate re-POST. Sleep
+    once for ``CERT_REVOKE_PROPAGATION_DELAY_SEC`` then retry up to
+    ``CERT_POST_RETRIES_AFTER_REVOKE`` times with exponential backoff.
+    The final attempt drops ``allow_status`` so a real 409 surfaces as
+    Apple's full body via ``request``'s SystemExit.
+    """
+    time.sleep(CERT_REVOKE_PROPAGATION_DELAY_SEC)
+    delay = CERT_REVOKE_PROPAGATION_DELAY_SEC
+    for attempt in range(CERT_POST_RETRIES_AFTER_REVOKE):
+        resp = request(
+            "POST", "/certificates", token, json_body=body, allow_status={409}
+        )
+        if resp.status_code != 409:
+            return resp
+        print(
+            f"Post-revoke 409 on attempt {attempt + 1}/"
+            f"{CERT_POST_RETRIES_AFTER_REVOKE}; "
+            f"sleeping {delay}s before final retry"
+        )
+        time.sleep(delay)
+        delay *= 2
+    # Final attempt without allow_status — let Apple's body surface via
+    # request()'s SystemExit if the cap is genuinely still hit.
+    return request("POST", "/certificates", token, json_body=body)
+
+
+def create_distribution_cert(token: str, csr_b64: str) -> tuple[str, bytes]:
+    """POST a CSR to ASC; return ``(cert_id, cert_der)``.
+
+    On 409 (per-team cap of 2 hit) revoke the OLDEST existing cert
+    (see :func:`oldest_distribution_cert_id` for why) and retry with
+    backoff to absorb Apple's revoke -> create propagation lag (see
+    :func:`_post_with_revoke_backoff`).
+    """
+    body = {
+        "data": {
+            "type": "certificates",
+            "attributes": {
+                "csrContent": csr_b64,
+                "certificateType": "DISTRIBUTION",
+            },
+        }
+    }
+    resp = request(
+        "POST", "/certificates", token, json_body=body, allow_status={409}
+    )
+    if resp.status_code == 409:
+        # Revoke the OLDEST cert, NOT the newest. The newest cert signed
+        # the previous build that may still be in ASC processing — revoking
+        # it during processing yields ITMS-90035 on the prior build.
+        # See oldest_distribution_cert_id() for the full rationale.
+        print("Distribution cert cap hit; revoking oldest existing cert")
+        target = oldest_distribution_cert_id(token)
+        if not target:
+            raise SystemExit(
+                "409 from cert create but no existing DISTRIBUTION cert "
+                "found to revoke"
+            )
+        request("DELETE", f"/certificates/{target}", token)
+        resp = _post_with_revoke_backoff(token, body)
+    data = resp.json()["data"]
+    cert_id = data["id"]
+    cert_der = base64.b64decode(data["attributes"]["certificateContent"])
+    print(f"Created DISTRIBUTION cert {cert_id}")
+    return cert_id, cert_der
+
+
+def serialize_p12(
+    private_key: rsa.RSAPrivateKey, cert_der: bytes, passwd: str
+) -> bytes:
+    """Return the PKCS12 bytes encrypted with ``passwd``.
+
+    Caller decides whether to write to disk via the cache layer or as a
+    transient artifact in ``$RUNNER_TEMP``.
+    """
+    cert = x509.load_der_x509_certificate(cert_der)
+    return pkcs12.serialize_key_and_certificates(
+        name=b"Daemux CI",
+        key=private_key,
+        cert=cert,
+        cas=None,
+        encryption_algorithm=serialization.BestAvailableEncryption(
+            passwd.encode()
+        ),
+    )