@limrun/ui 0.9.0-rc.1 → 0.9.0-rc.2

package/src/hooks/use-device-install.ts

@@ -1,23 +1,40 @@
 import { useCallback, useEffect, useRef, useState } from 'react';
 import {
   closeDeviceRelayTarget,
+  createBundleIDRequest,
+  createDevelopmentProfileRequest,
+  downloadCertificateRequest,
+  downloadProfileRequest,
+  exportAppleCertificateP12,
   fetchLimbuildInfo,
+  findDevelopmentCertificatesRequest,
+  findBundleIDRequest,
+  findDeviceRequest,
+  findDevelopmentProfilesRequest,
+  generateAppleSigningKeyAndCSR,
   getPairRecord,
   getLatestSigningAssets,
   getReusableAppleSigningAssets,
   listTeamsRequest,
   parseProvisioningProfile,
+  parseProvisioningProfileBase64,
   profileContainsDevice,
   proxyProvisioningRequest,
+  putAppleGeneratedSigningAssets,
   putPairRecord,
   putSigningAssets,
+  registerDeviceRequest,
   requestUSBAccess as requestDeviceUSBAccess,
   startBrowserOwnedAppleIDLogin,
   startSignedDeviceBuild,
   startInstallRelay,
   startPairingRelay,
+  submitDevelopmentCSRRequest,
   watchBuildLogEvents,
   type AppleIDLoginResult,
+  type AppleDeveloperPortalDevice,
+  type AppleDeveloperPortalAppID,
+  type AppleDeveloperPortalResponse,
   type AppleDeveloperPortalTeam,
   type BuildLogLine,
   type DeviceInstallBuildStatus,
@@ -49,20 +66,31 @@ export type UseDeviceInstallResult = {
   buildStatus: DeviceInstallBuildStatus;
   appleSigningStatus: DeviceInstallAppleSigningStatus;
   appleTeams: AppleDeveloperPortalTeam[];
+  appleDevices: AppleDeveloperPortalDevice[];
+  appleAppIDs: AppleDeveloperPortalAppID[];
+  applePortalSummary?: ApplePortalSummary;
   selectedAppleTeamID?: string;
+  selectedAppleDeviceIDs: string[];
+  connectedAppleDeviceRegistered: boolean;
+  appleBundleID: string;
   buildLogPanelOpen: boolean;
   busyAction?: DeviceInstallBusyAction;
   error?: string;
   canBuild: boolean;
+  canPrepareAppleSigningAssets: boolean;
   canRequestUSBAccess: boolean;
   canPairBrowser: boolean;
   canInstall: boolean;
   setSigningFiles: (files: DeviceInstallSigningFiles) => void;
+  setAppleBundleID: (bundleID: string) => void;
+  setSelectedAppleDeviceIDs: (deviceIDs: string[]) => void;
   setBuildLogPanelOpen: (open: boolean) => void;
   startAppleIDLogin: (input: DeviceInstallAppleIDLoginInput) => Promise<void>;
   submitAppleTwoFactorCode: (code: string) => Promise<void>;
   setSelectedAppleTeamID: (teamID: string | undefined) => void;
-  clearAppleIDSession: () => Promise<void>;
+  clearAppleIDLogin: () => void;
+  registerConnectedAppleDevice: () => Promise<void>;
+  prepareAppleSigningAssets: () => Promise<void>;
   startDeviceBuild: () => Promise<void>;
   requestUSBAccess: () => Promise<void>;
   pairBrowser: () => Promise<void>;
@@ -76,6 +104,7 @@ export type DeviceInstallAppleSigningStatus =
   | 'two-factor-required'
   | 'authenticated'
   | 'preparing-assets'
+  | 'assets-ready'
   | 'using-cached-profile'
   | 'error';
 
@@ -96,6 +125,11 @@ export type DeviceInstallAppleIDLoginInput = {
   password: string;
 };
 
+export type ApplePortalSummary = {
+  certificateCount: number;
+  profileCount: number;
+};
+
 const initialStepStatuses: DeviceInstallStepStatuses = {
   build: 'idle',
   usb: 'idle',
@@ -119,7 +153,12 @@ export function useDeviceInstall({
   const [buildStatus, setBuildStatus] = useState<DeviceInstallBuildStatus>('idle');
   const [appleSigningStatus, setAppleSigningStatus] = useState<DeviceInstallAppleSigningStatus>('idle');
   const [appleTeams, setAppleTeams] = useState<AppleDeveloperPortalTeam[]>([]);
+  const [appleDevices, setAppleDevices] = useState<AppleDeveloperPortalDevice[]>([]);
+  const [appleAppIDs, setAppleAppIDs] = useState<AppleDeveloperPortalAppID[]>([]);
+  const [selectedAppleDeviceIDs, setSelectedAppleDeviceIDs] = useState<string[]>([]);
+  const [applePortalSummary, setApplePortalSummary] = useState<ApplePortalSummary | undefined>();
   const [selectedAppleTeamID, setSelectedAppleTeamID] = useState<string | undefined>();
+  const [appleBundleID, setAppleBundleID] = useState('');
   const [buildLogPanelOpen, setBuildLogPanelOpen] = useState(false);
   const [busyAction, setBusyAction] = useState<DeviceInstallBusyAction | undefined>();
   const [error, setError] = useState<string | undefined>();
@@ -128,7 +167,7 @@ export function useDeviceInstall({
   const relayRef = useRef<RelayClient | undefined>(undefined);
   const selectedDeviceRef = useRef<DeviceRelayTarget | undefined>(undefined);
   const stopBuildWatcherRef = useRef<(() => void) | undefined>(undefined);
-  const appleIDSessionRef = useRef<AppleIDLoginResult | undefined>(undefined);
+  const appleIDLoginRef = useRef<AppleIDLoginResult | undefined>(undefined);
 
   const log = useCallback((message: string, detail?: string) => {
     const line = detail ? `${message}\n${detail}` : message;
@@ -144,6 +183,15 @@ export function useDeviceInstall({
     setSigningAssets(undefined);
   }, []);
 
+  const selectedDeveloperTeamID = useCallback(() => {
+    return developerPortalTeamID(appleTeams.find((team) => appleTeamSelectionID(team) === selectedAppleTeamID));
+  }, [appleTeams, selectedAppleTeamID]);
+
+  const connectedAppleDevice = selectedDevice?.hello.serialNumber
+    ? appleDevices.find((device) => normalizeAppleUDID(device.deviceNumber) === normalizeAppleUDID(selectedDevice.hello.serialNumber))
+    : undefined;
+  const connectedAppleDeviceRegistered = !!connectedAppleDevice?.deviceId;
+
   useEffect(() => {
     selectedDeviceRef.current = selectedDevice;
   }, [selectedDevice]);
@@ -157,16 +205,19 @@ export function useDeviceInstall({
   useEffect(() => {
     return () => {
       stopBuildWatcherRef.current?.();
-      void appleIDSessionRef.current?.close();
+      void appleIDLoginRef.current?.close();
+      appleIDLoginRef.current = undefined;
       void cleanupDeviceAccess();
     };
   }, [cleanupDeviceAccess]);
 
   const resolveSigningAssetsForBuild = useCallback(async () => {
-    const info = apiUrl ? await fetchStoredBuildInfo(apiUrl, token).catch(() => undefined) : undefined;
-    if (info?.lastBuildConfig?.bundleId) {
+    const requestedBundleID = appleBundleID.trim();
+    const info = requestedBundleID ? undefined : apiUrl ? await fetchStoredBuildInfo(apiUrl, token).catch(() => undefined) : undefined;
+    const bundleID = requestedBundleID || info?.lastBuildConfig?.bundleId;
+    if (bundleID) {
       const cached = await getReusableAppleSigningAssets({
-        bundleID: info.lastBuildConfig.bundleId,
+        bundleID,
         deviceUDID: selectedDevice?.hello.serialNumber,
         teamID: selectedAppleTeamID,
       });
@@ -213,7 +264,7 @@ export function useDeviceInstall({
     setSigningAssets(storedAssets);
     log('Signing assets stored locally', storageBundleId);
     return storedAssets;
-  }, [apiUrl, log, selectedAppleTeamID, selectedDevice?.hello.serialNumber, signingFiles, token]);
+  }, [apiUrl, appleBundleID, log, selectedAppleTeamID, selectedDevice?.hello.serialNumber, signingFiles, token]);
 
   const startAppleIDLogin = useCallback(
     async ({ accountName, password }: DeviceInstallAppleIDLoginInput) => {
@@ -222,12 +273,21 @@ export function useDeviceInstall({
       setError(undefined);
       setAppleSigningStatus('authenticating');
       try {
-        await appleIDSessionRef.current?.close().catch(() => undefined);
+        await appleIDLoginRef.current?.close().catch(() => undefined);
         const session = await startBrowserOwnedAppleIDLogin({ limbuildApiUrl: apiUrl, token, accountName, password });
-        appleIDSessionRef.current = session;
+        appleIDLoginRef.current = session;
         if (!session.requiresTwoFactor) {
-          await session.finalize();
-          await refreshAppleTeams(apiUrl, session.appleSessionId, token, setAppleTeams, setSelectedAppleTeamID);
+          const accountSession = await session.finalize().catch(() => undefined);
+          const teamID = await refreshAppleTeams(
+            apiUrl,
+            session.appleSessionId,
+            token,
+            setAppleTeams,
+            setSelectedAppleTeamID,
+            accountSession?.body as AppleDeveloperPortalResponse | undefined,
+          );
+          await refreshAppleAppIDs(apiUrl, session.appleSessionId, token, teamID, setAppleAppIDs, setAppleBundleID);
+          await refreshApplePortalSummary(apiUrl, session.appleSessionId, token, teamID, setApplePortalSummary, log);
         }
         setAppleSigningStatus(session.requiresTwoFactor ? 'two-factor-required' : 'authenticated');
         log(
@@ -248,7 +308,7 @@ export function useDeviceInstall({
 
   const submitAppleTwoFactorCode = useCallback(
     async (code: string) => {
-      const session = appleIDSessionRef.current;
+      const session = appleIDLoginRef.current;
       if (!session) {
         throw new Error('Start Apple ID login before submitting a two-factor code.');
       }
@@ -256,9 +316,18 @@ export function useDeviceInstall({
       setError(undefined);
       try {
         await session.finishTwoFactor(code);
-        await session.finalize();
         if (apiUrl) {
-          await refreshAppleTeams(apiUrl, session.appleSessionId, token, setAppleTeams, setSelectedAppleTeamID);
+          const accountSession = await session.finalize().catch(() => undefined);
+          const teamID = await refreshAppleTeams(
+            apiUrl,
+            session.appleSessionId,
+            token,
+            setAppleTeams,
+            setSelectedAppleTeamID,
+            accountSession?.body as AppleDeveloperPortalResponse | undefined,
+          );
+          await refreshAppleAppIDs(apiUrl, session.appleSessionId, token, teamID, setAppleAppIDs, setAppleBundleID);
+          await refreshApplePortalSummary(apiUrl, session.appleSessionId, token, teamID, setApplePortalSummary, log);
         }
         setAppleSigningStatus('authenticated');
         log('Apple ID two-factor authentication accepted');
@@ -274,15 +343,165 @@ export function useDeviceInstall({
     [apiUrl, log, token],
   );
 
-  const clearAppleIDSession = useCallback(async () => {
-    await appleIDSessionRef.current?.close().catch(() => undefined);
-    appleIDSessionRef.current = undefined;
+  const clearAppleIDLogin = useCallback(() => {
+    void appleIDLoginRef.current?.close();
+    appleIDLoginRef.current = undefined;
     setAppleTeams([]);
+    setAppleDevices([]);
+    setAppleAppIDs([]);
+    setSelectedAppleDeviceIDs([]);
+    setApplePortalSummary(undefined);
     setSelectedAppleTeamID(undefined);
     setAppleSigningStatus('idle');
-    log('Apple ID session cleared');
+    log('Apple ID login state cleared');
   }, [log]);
 
+  const selectAppleTeam = useCallback(
+    (teamID: string | undefined) => {
+      setSelectedAppleTeamID(teamID);
+      setAppleAppIDs([]);
+      setAppleDevices([]);
+      setSelectedAppleDeviceIDs([]);
+      setApplePortalSummary(undefined);
+      setAppleBundleID('');
+      setSigningAssets(undefined);
+      const session = appleIDLoginRef.current;
+      if (!apiUrl || !session || !teamID) return;
+      const developerTeamID = developerPortalTeamID(appleTeams.find((team) => appleTeamSelectionID(team) === teamID));
+      if (!developerTeamID) return;
+      void (async () => {
+        try {
+          await refreshAppleAppIDs(apiUrl, session.appleSessionId, token, developerTeamID, setAppleAppIDs, setAppleBundleID);
+          await refreshApplePortalSummary(apiUrl, session.appleSessionId, token, developerTeamID, setApplePortalSummary, log);
+          if (selectedDeviceRef.current?.hello.serialNumber) {
+            await refreshAppleDevices({
+              apiUrl,
+              token,
+              appleSessionId: session.appleSessionId,
+              teamID: developerTeamID,
+              connectedUDID: selectedDeviceRef.current.hello.serialNumber,
+              setAppleDevices,
+              setSelectedAppleDeviceIDs,
+              log,
+            });
+          }
+        } catch (caught) {
+          const message = errorMessage(caught);
+          setError(message);
+          log('Apple team refresh failed', message);
+        }
+      })();
+    },
+    [apiUrl, appleTeams, log, token],
+  );
+
+  const registerConnectedAppleDevice = useCallback(async () => {
+    const teamID = selectedDeveloperTeamID();
+    if (!apiUrl || !appleIDLoginRef.current || !selectedDevice?.hello.serialNumber || !teamID) return;
+    setBusyAction('build');
+    setError(undefined);
+    try {
+      const normalizedUDID = normalizeAppleUDID(selectedDevice.hello.serialNumber);
+      const created = await proxyProvisioningRequest<AppleDeveloperPortalResponse>(
+        apiUrl,
+        appleIDLoginRef.current.appleSessionId,
+        registerDeviceRequest({
+          deviceUDID: normalizedUDID,
+          teamID,
+          name: selectedDevice.hello.productName ?? 'Limrun iPhone',
+        }),
+        token,
+      );
+      assertApplePortalResponseOK(created.body, 'Apple device registration');
+      await refreshAppleDevices({
+        apiUrl,
+        token,
+        appleSessionId: appleIDLoginRef.current.appleSessionId,
+        teamID,
+        connectedUDID: selectedDevice.hello.serialNumber,
+        setAppleDevices,
+        setSelectedAppleDeviceIDs,
+        log,
+      });
+      log('Connected iPhone registered with Apple Developer', normalizedUDID);
+    } catch (caught) {
+      const message = errorMessage(caught);
+      setError(message);
+      log('Apple device registration failed', message);
+    } finally {
+      setBusyAction(undefined);
+    }
+  }, [apiUrl, log, selectedDeveloperTeamID, selectedDevice?.hello.productName, selectedDevice?.hello.serialNumber, token]);
+
+  const prepareAppleSigningAssets = useCallback(async () => {
+    if (!apiUrl || !appleIDLoginRef.current || !selectedDevice?.hello.serialNumber) return;
+    const bundleID = appleBundleID.trim();
+    if (!bundleID) {
+      throw new Error('Enter a bundle ID before preparing signing assets.');
+    }
+    if (!selectedAppleTeamID) {
+      throw new Error('Select an Apple Developer team before preparing signing assets.');
+    }
+    const teamID = selectedDeveloperTeamID();
+    if (!teamID) {
+      throw new Error('Selected Apple team does not include a Developer Portal team ID.');
+    }
+    if (selectedAppleDeviceIDs.length === 0) {
+      throw new Error('Select at least one Apple Developer device before preparing signing assets.');
+    }
+    if (!signingFiles.certificatePassword) {
+      throw new Error('Enter a .p12 password before preparing signing assets.');
+    }
+    setBusyAction('build');
+    setError(undefined);
+    setAppleSigningStatus('preparing-assets');
+    try {
+      const cached = await getReusableAppleSigningAssets({
+        bundleID,
+        deviceUDID: selectedDevice.hello.serialNumber,
+        teamID,
+      });
+      if (cached) {
+        setSigningAssets(cached);
+        setAppleSigningStatus('assets-ready');
+        log('Using cached Apple signing assets', bundleID);
+        return;
+      }
+      const assets = await prepareAppleSigningAssetsForDevice({
+        apiUrl,
+        token,
+        appleSessionId: appleIDLoginRef.current.appleSessionId,
+        teamID,
+        bundleID,
+        deviceUDID: selectedDevice.hello.serialNumber,
+        deviceIDs: selectedAppleDeviceIDs,
+        certificatePassword: signingFiles.certificatePassword,
+      });
+      setSigningAssets(assets);
+      setAppleSigningStatus('assets-ready');
+      log('Apple signing assets stored locally', `${bundleID} for ${selectedDevice.hello.serialNumber}`);
+    } catch (caught) {
+      const message = errorMessage(caught);
+      setError(message);
+      setAppleSigningStatus('error');
+      log('Apple signing asset preparation failed', message);
+    } finally {
+      setBusyAction(undefined);
+    }
+  }, [
+    apiUrl,
+    appleBundleID,
+    appleTeams,
+    log,
+    selectedAppleTeamID,
+    selectedAppleDeviceIDs,
+    selectedDeveloperTeamID,
+    selectedDevice?.hello.productName,
+    selectedDevice?.hello.serialNumber,
+    signingFiles.certificatePassword,
+    token,
+  ]);
+
   const startDeviceBuild = useCallback(async () => {
     if (!apiUrl) return;
     setBusyAction('build');
@@ -316,7 +535,7 @@ export function useDeviceInstall({
           setBuildStatus(status);
           if (status === 'succeeded') {
             setStepStatus('build', 'complete');
-            setCurrentStep('usb');
+            setCurrentStep(selectedDeviceRef.current ? (pairRecord ? 'install' : 'pair') : 'usb');
           } else if (status === 'failed' || status === 'cancelled') {
             setStepStatus('build', 'error');
           }
@@ -336,7 +555,7 @@ export function useDeviceInstall({
     } finally {
       setBusyAction(undefined);
     }
-  }, [apiUrl, log, resolveSigningAssetsForBuild, setStepStatus, token]);
+  }, [apiUrl, log, pairRecord, resolveSigningAssetsForBuild, setStepStatus, token]);
 
   const requestUSBAccess = useCallback(async () => {
     setBusyAction('usb');
@@ -357,6 +576,21 @@ export function useDeviceInstall({
         }
         setSigningAssets(storedSigningAssets);
       }
+      if (apiUrl && appleIDLoginRef.current) {
+        const teamID = selectedDeveloperTeamID();
+        if (teamID) {
+          await refreshAppleDevices({
+            apiUrl,
+            token,
+            appleSessionId: appleIDLoginRef.current.appleSessionId,
+            teamID,
+            connectedUDID: target.hello.serialNumber,
+            setAppleDevices,
+            setSelectedAppleDeviceIDs,
+            log,
+          });
+        }
+      }
       setStepStatus('usb', 'complete');
       setCurrentStep(storedPairRecord ? 'install' : 'pair');
       log(storedPairRecord ? 'Pair record found' : 'No pair record found', target.hello.serialNumber);
@@ -368,7 +602,7 @@ export function useDeviceInstall({
     } finally {
       setBusyAction(undefined);
     }
-  }, [cleanupDeviceAccess, log, setStepStatus]);
+  }, [apiUrl, cleanupDeviceAccess, log, selectedDeveloperTeamID, setStepStatus, token]);
 
   const pairBrowser = useCallback(async () => {
     if (!apiUrl || !selectedDevice) return;
@@ -452,20 +686,39 @@ export function useDeviceInstall({
     buildStatus,
     appleSigningStatus,
     appleTeams,
+    appleDevices,
+    appleAppIDs,
+    applePortalSummary,
     selectedAppleTeamID,
+    selectedAppleDeviceIDs,
+    connectedAppleDeviceRegistered,
+    appleBundleID,
     buildLogPanelOpen,
     busyAction,
     error,
-    canBuild: !!apiUrl && !busyAction,
-    canRequestUSBAccess: !busyAction && (buildStatus === 'succeeded' || stepStatuses.build === 'complete'),
+    canBuild: !!apiUrl && !busyAction && !!signingAssets,
+    canPrepareAppleSigningAssets:
+      !!apiUrl &&
+      !busyAction &&
+      !!appleIDLoginRef.current &&
+      !!selectedDevice &&
+      !!appleBundleID.trim() &&
+      !!selectedDeveloperTeamID() &&
+      selectedAppleDeviceIDs.length > 0 &&
+      !!signingFiles.certificatePassword,
+    canRequestUSBAccess: !busyAction && appleSigningStatus === 'authenticated' && !!appleBundleID.trim(),
     canPairBrowser: !!apiUrl && !busyAction && !!selectedDevice,
     canInstall: !!apiUrl && !busyAction && !!selectedDevice && !!pairRecord,
     setSigningFiles,
+    setAppleBundleID,
+    setSelectedAppleDeviceIDs,
     setBuildLogPanelOpen,
     startAppleIDLogin,
     submitAppleTwoFactorCode,
-    setSelectedAppleTeamID,
-    clearAppleIDSession,
+    setSelectedAppleTeamID: selectAppleTeam,
+    clearAppleIDLogin,
+    registerConnectedAppleDevice,
+    prepareAppleSigningAssets,
     startDeviceBuild,
     requestUSBAccess,
     pairBrowser,
@@ -484,29 +737,321 @@ async function refreshAppleTeams(
   token: string | undefined,
   setAppleTeams: (teams: AppleDeveloperPortalTeam[]) => void,
   setSelectedAppleTeamID: (teamID: string | undefined) => void,
+  accountSession?: AppleDeveloperPortalResponse,
 ) {
-  const response = await proxyProvisioningRequest<{
-    teams?: AppleDeveloperPortalTeam[];
-    availableProviders?: AppleDeveloperPortalTeam[];
-    provider?: AppleDeveloperPortalTeam;
-  }>(apiUrl, appleSessionId, listTeamsRequest(), token);
-  const teams = [
+  const response = await proxyProvisioningRequest<AppleDeveloperPortalResponse>(apiUrl, appleSessionId, listTeamsRequest(), token);
+  assertApplePortalResponseOK(response.body, 'Apple Developer team list');
+  const teams = uniqueAppleTeams([
     ...(response.body?.teams ?? []),
-    ...(response.body?.availableProviders ?? []),
-    ...(response.body?.provider ? [response.body.provider] : []),
-  ];
+  ]);
+  void accountSession;
   setAppleTeams(teams);
-  const firstTeamID = teamIDFromPortalTeam(teams[0]);
-  if (firstTeamID) {
-    setSelectedAppleTeamID(firstTeamID);
+  const firstDeveloperTeam = teams.find((team) => developerPortalTeamID(team));
+  const firstSelectionID = appleTeamSelectionID(firstDeveloperTeam ?? teams[0]);
+  if (firstSelectionID) {
+    setSelectedAppleTeamID(firstSelectionID);
+  }
+  if (teams.length === 0) {
+    throw new Error('Apple Developer account did not return any teams or providers.');
   }
+  return teams.map(developerPortalTeamID).find((teamID) => !!teamID);
 }
 
-function teamIDFromPortalTeam(team?: AppleDeveloperPortalTeam) {
+function uniqueAppleTeams(teams: AppleDeveloperPortalTeam[]) {
+  const seen = new Set<string>();
+  const result: AppleDeveloperPortalTeam[] = [];
+  for (const team of teams) {
+    const id = appleTeamSelectionID(team);
+    const key = id ?? team.name ?? JSON.stringify(team);
+    if (seen.has(key)) continue;
+    seen.add(key);
+    result.push(team);
+  }
+  return result;
+}
+
+async function refreshAppleAppIDs(
+  apiUrl: string,
+  appleSessionId: string,
+  token: string | undefined,
+  teamID: string | undefined,
+  setAppleAppIDs: (appIDs: AppleDeveloperPortalAppID[]) => void,
+  setAppleBundleID: (bundleID: string) => void,
+) {
+  if (!teamID) return;
+  const response = await proxyProvisioningRequest<AppleDeveloperPortalResponse>(
+    apiUrl,
+    appleSessionId,
+    findBundleIDRequest({ bundleID: '', teamID }),
+    token,
+  );
+  assertApplePortalResponseOK(response.body, 'Apple bundle ID list');
+  const appIDs = response.body?.appIds ?? [];
+  setAppleAppIDs(appIDs);
+  const firstBundleID = bundleIDFromAppleAppID(appIDs[0]);
+  if (firstBundleID) {
+    setAppleBundleID(firstBundleID);
+  }
+}
+
+async function refreshApplePortalSummary(
+  apiUrl: string,
+  appleSessionId: string,
+  token: string | undefined,
+  teamID: string | undefined,
+  setApplePortalSummary: (summary: ApplePortalSummary | undefined) => void,
+  log: (message: string, detail?: string) => void,
+) {
+  const [certificates, profiles] = await Promise.all([
+    proxyProvisioningRequest<AppleDeveloperPortalResponse>(
+      apiUrl,
+      appleSessionId,
+      findDevelopmentCertificatesRequest(teamID ?? ''),
+      token,
+    ),
+    proxyProvisioningRequest<AppleDeveloperPortalResponse>(
+      apiUrl,
+      appleSessionId,
+      findDevelopmentProfilesRequest({ bundleID: '', teamID: teamID ?? '' }),
+      token,
+    ),
+  ]);
+  assertApplePortalResponseOK(certificates.body, 'Apple Developer certificate list');
+  assertApplePortalResponseOK(profiles.body, 'Apple Developer profile list');
+  const summary = {
+    certificateCount: certificates.body?.certRequests?.length ?? 0,
+    profileCount: profiles.body?.provisioningProfiles?.length ?? 0,
+  };
+  setApplePortalSummary(summary);
+  log(
+    'Apple Developer resources fetched',
+    `${summary.certificateCount} certificates, ${summary.profileCount} provisioning profiles`,
+  );
+}
+
+async function refreshAppleDevices({
+  apiUrl,
+  token,
+  appleSessionId,
+  teamID,
+  connectedUDID,
+  setAppleDevices,
+  setSelectedAppleDeviceIDs,
+  log,
+}: {
+  apiUrl: string;
+  token?: string;
+  appleSessionId: string;
+  teamID: string;
+  connectedUDID?: string;
+  setAppleDevices: (devices: AppleDeveloperPortalDevice[]) => void;
+  setSelectedAppleDeviceIDs: (deviceIDs: string[]) => void;
+  log: (message: string, detail?: string) => void;
+}) {
+  const response = await proxyProvisioningRequest<AppleDeveloperPortalResponse>(
+    apiUrl,
+    appleSessionId,
+    findDeviceRequest({ deviceUDID: connectedUDID ?? '', teamID }),
+    token,
+  );
+  assertApplePortalResponseOK(response.body, 'Apple device list');
+  const devices = response.body?.devices ?? [];
+  setAppleDevices(devices);
+  const connected = devices.find((device) => normalizeAppleUDID(device.deviceNumber) === normalizeAppleUDID(connectedUDID));
+  if (connected?.deviceId) {
+    setSelectedAppleDeviceIDs([connected.deviceId]);
+    log('Connected iPhone found in Apple Developer devices', connected.name ?? connected.deviceNumber);
+  } else {
+    setSelectedAppleDeviceIDs([]);
+    log('Connected iPhone is not registered with Apple Developer', connectedUDID);
+  }
+}
+
+async function prepareAppleSigningAssetsForDevice({
+  apiUrl,
+  token,
+  appleSessionId,
+  teamID,
+  bundleID,
+  deviceUDID,
+  certificatePassword,
+  deviceIDs,
+}: {
+  apiUrl: string;
+  token?: string;
+  appleSessionId: string;
+  teamID: string;
+  bundleID: string;
+  deviceUDID: string;
+  deviceIDs: string[];
+  certificatePassword: string;
+}) {
+  const normalizedUDID = deviceUDID.replace(/-/g, '').replace(/[^a-fA-F0-9]/g, '');
+  const keyMaterial = await generateAppleSigningKeyAndCSR({
+    commonName: `Limrun ${bundleID}`,
+  });
+
+  const appIDID = await findOrCreateAppleBundleID({
+    apiUrl,
+    token,
+    appleSessionId,
+    teamID,
+    bundleID,
+  });
+
+  const certificateResponse = await proxyProvisioningRequest<AppleDeveloperPortalResponse>(
+    apiUrl,
+    appleSessionId,
+    submitDevelopmentCSRRequest({ csrPEM: keyMaterial.csrPEM, teamID }),
+    token,
+  );
+  assertApplePortalResponseOK(certificateResponse.body, 'Apple Development certificate creation');
+  const certificateID =
+    stringField(certificateResponse.body?.certRequest, 'certificateId') ??
+    stringField(certificateResponse.body?.certRequest, 'certRequestId') ??
+    stringField(certificateResponse.body, 'certificateId') ??
+    stringField(certificateResponse.body, 'certRequestId');
+  if (!certificateID) {
+    throw new Error('Apple certificate creation did not return a certificate ID.');
+  }
+
+  const downloadedCertificate = await proxyProvisioningRequest(
+    apiUrl,
+    appleSessionId,
+    downloadCertificateRequest(certificateID, teamID),
+    token,
+  );
+  if (downloadedCertificate.status < 200 || downloadedCertificate.status >= 300 || !downloadedCertificate.rawBodyBase64) {
+    throw new Error(`Apple certificate download failed: HTTP ${downloadedCertificate.status}`);
+  }
+  const certificateP12Base64 = exportAppleCertificateP12({
+    privateKeyPKCS8Base64: keyMaterial.privateKeyPKCS8Base64,
+    certificateBase64: downloadedCertificate.rawBodyBase64,
+    password: certificatePassword,
+    friendlyName: `Apple Development ${bundleID}`,
+  });
+
+  const profileName = `Limrun ${bundleID}`;
+  const profileResponse = await proxyProvisioningRequest<AppleDeveloperPortalResponse>(
+    apiUrl,
+    appleSessionId,
+    createDevelopmentProfileRequest({
+      bundleID,
+      teamID,
+      appIDID,
+      certificateID,
+      deviceIDs,
+      name: profileName,
+    }),
+    token,
+  );
+  assertApplePortalResponseOK(profileResponse.body, 'Apple provisioning profile creation');
+  const profileID =
+    stringField(profileResponse.body?.provisioningProfile, 'provisioningProfileId') ??
+    stringField(profileResponse.body, 'provisioningProfileId');
+  if (!profileID) {
+    throw new Error('Apple provisioning profile creation did not return a profile ID.');
+  }
+
+  const downloadedProfile = await proxyProvisioningRequest(
+    apiUrl,
+    appleSessionId,
+    downloadProfileRequest(profileID, teamID),
+    token,
+  );
+  if (downloadedProfile.status < 200 || downloadedProfile.status >= 300 || !downloadedProfile.rawBodyBase64) {
+    throw new Error(`Apple provisioning profile download failed: HTTP ${downloadedProfile.status}`);
+  }
+  const provisioningProfileBase64 = downloadedProfile.rawBodyBase64;
+  const profile = parseProvisioningProfileBase64(provisioningProfileBase64);
+
+  return putAppleGeneratedSigningAssets({
+    bundleID,
+    deviceUDID: normalizedUDID,
+    teamID,
+    certificateID,
+    certificateP12Base64,
+    certificatePassword,
+    provisioningProfileBase64,
+    profile,
+  });
+}
+
+async function findOrCreateAppleBundleID({
+  apiUrl,
+  token,
+  appleSessionId,
+  teamID,
+  bundleID,
+}: {
+  apiUrl: string;
+  token?: string;
+  appleSessionId: string;
+  teamID: string;
+  bundleID: string;
+}) {
+  const existing = await proxyProvisioningRequest<AppleDeveloperPortalResponse>(
+    apiUrl,
+    appleSessionId,
+    findBundleIDRequest({ bundleID, teamID }),
+    token,
+  );
+  assertApplePortalResponseOK(existing.body, 'Apple bundle ID lookup');
+  const found = existing.body?.appIds?.find((app) => stringField(app, 'identifier') === bundleID || stringField(app, 'bundleId') === bundleID);
+  const foundID = stringField(found, 'appIdId') ?? stringField(found, 'appId');
+  if (foundID) return foundID;
+
+  const created = await proxyProvisioningRequest<AppleDeveloperPortalResponse>(
+    apiUrl,
+    appleSessionId,
+    createBundleIDRequest({ bundleID, teamID, name: bundleID }),
+    token,
+  );
+  assertApplePortalResponseOK(created.body, 'Apple bundle ID creation');
+  const createdID =
+    stringField(created.body?.appId, 'appIdId') ??
+    stringField(created.body?.appId, 'appId') ??
+    stringField(created.body, 'appIdId') ??
+    stringField(created.body, 'appId');
+  if (!createdID) {
+    throw new Error('Apple bundle ID creation did not return an App ID.');
+  }
+  return createdID;
+}
+
+function assertApplePortalResponseOK(response: AppleDeveloperPortalResponse | undefined, label: string) {
+  if (!response) {
+    throw new Error(`${label} returned an empty response.`);
+  }
+  if (response.resultCode !== undefined && response.resultCode !== 0) {
+    throw new Error(`${label} failed: ${response.userString ?? response.resultString ?? response.resultCode}`);
+  }
+}
+
+function stringField(record: Record<string, unknown> | undefined, key: string) {
+  const value = record?.[key];
+  if (typeof value === 'string') return value;
+  if (typeof value === 'number' || typeof value === 'boolean') return String(value);
+  return undefined;
+}
+
+function normalizeAppleUDID(udid?: string) {
+  return (udid ?? '').replace(/-/g, '').replace(/[^a-fA-F0-9]/g, '').toUpperCase();
+}
+
+function appleTeamSelectionID(team?: AppleDeveloperPortalTeam) {
   const value = team?.teamId ?? team?.providerId ?? team?.publicProviderId;
   return value === undefined || value === '' ? undefined : String(value);
 }
 
+function developerPortalTeamID(team?: AppleDeveloperPortalTeam) {
+  return team?.teamId && team.teamId !== '' ? team.teamId : undefined;
+}
+
+function bundleIDFromAppleAppID(appID?: AppleDeveloperPortalAppID) {
+  return appID?.identifier || appID?.bundleId || undefined;
+}
+
 async function fileToBase64(file: File) {
   const buffer = await file.arrayBuffer();
   let binary = '';