@ramonclaudio/vexpo 0.1.3 → 0.1.5

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Ramon Claudio
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -3,73 +3,79 @@
 [![npm](https://img.shields.io/npm/v/@ramonclaudio/vexpo)](https://www.npmjs.com/package/@ramonclaudio/vexpo)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 
-Operational CLI for [vexpo](https://github.com/ramonclaudio/vexpo) projects: Expo + Convex + Better Auth + Resend, end-to-end iOS. Provisions the stack, validates every credential, keeps env values in sync across `.env.local` / Convex env / EAS env, and covers the last App Store Connect mile to a first ship: TestFlight delivery plus the privacy and accessibility labels Apple requires before review.
+The setup CLI for [vexpo](https://github.com/ramonclaudio/vexpo) projects (Expo + Convex + Better Auth + Resend, end-to-end iOS). It creates or links your Convex deployment, signs and rotates the Apple keys (the P8 dance), and keeps your env in sync everywhere. It covers the App Store Connect last mile to a first ship. EAS does the heavy lifting (builds, updates, submission), vexpo covers the setup around it.
 
-Scaffolded by [`create-vexpo`](https://www.npmjs.com/package/@ramonclaudio/create-vexpo) into your project's devDependencies. Invoke via `npx vexpo`.
+Scaffolded by [`create-vexpo`](https://www.npmjs.com/package/@ramonclaudio/create-vexpo) into your devDependencies. Run it with `npx vexpo`.
 
-## Design rule: don't reinvent EAS
-
-If `eas <subcommand>` is the canonical answer, the recipe is `npx eas <subcommand>`, not `vexpo`. This CLI only surfaces what `eas-cli` doesn't do: setup orchestration, cross-source drift detection, Apple SIWA work, and the last App Store Connect mile to a first ship. Scope test for any command: does it help an empty directory become a first shipped, authenticated, backed iOS app? Post-launch ops (customer reviews, IAP sandbox testing, release management) are out, that's `eas` and App Store Connect once you have users. Wrapping every `eas` command would add no value over `eas-cli` itself, expand the maintenance surface, and signal a lack of trust in the platform.
+<p align="center">
+  <img src="https://raw.githubusercontent.com/ramonclaudio/vexpo/main/docs/assets/demo-doctor.gif" width="720" alt="vexpo doctor auth-checking every credential against the live services">
+</p>
 
 ## Setup
 
 ```
-vexpo lite                        Convex + Better Auth only, simulator-ready (60s)
-vexpo lite --new                  same + Convex signup walkthrough for first-time users
+vexpo lite                        Convex + Better Auth only, simulator-ready (~60s)
+vexpo lite --new                  same + Convex signup walkthrough for first-timers
 vexpo full                        full provisioning (Convex + Better Auth + Resend + Apple + EAS init + rebrand)
 vexpo full --new                  same + walks Apple/Convex/Expo/Resend signups
 vexpo full --skip-rebrand         full setup, skip the rebrand wizard
 
-vexpo doctor                      Cross-source drift detection
-vexpo doctor --json               Machine-readable output
-vexpo doctor --strict             Exit non-zero on any warn
-
-vexpo accounts                    Walk Apple/Expo/Convex/Resend signups (standalone)
-vexpo rebrand                     Replace template defaults with your identity
-vexpo review-account              Seed the App Review demo account on Convex
-vexpo convex                      Provision Convex deployment + write .env.local
-vexpo better-auth                 Set BETTER_AUTH_SECRET, SITE_URL, APP_NAME on Convex
-vexpo resend                      Provision Resend sending key + webhook, flip REQUIRE_EMAIL_VERIFICATION=true
-vexpo env push                    .env.local + .env.prod → Convex + EAS (one pass)
-vexpo env convex-key              Sync Convex deploy key + selector to EAS env (post-migration fix)
-vexpo adopt                       Finish a project created by `eas integrations:convex:connect`
-vexpo convex:migrate              Copy server-side Convex env from another deployment
-vexpo asc:connect                 Re-link the EAS project to its ASC app (standalone, wraps `eas integrations:asc:connect`)
+vexpo doctor                      cross-source drift detection
+vexpo doctor --json               machine-readable output
+vexpo doctor --strict             exit non-zero on any warn
+vexpo doctor --redact             mask identifying values (screenshots, issue reports)
+
+vexpo accounts                    walk Apple/Expo/Convex/Resend signups (standalone)
+vexpo rebrand                     replace template defaults with your identity
+vexpo review-account              seed the App Review demo account on Convex
+vexpo convex                      provision or connect a Convex deployment
+vexpo better-auth                 set SITE_URL, BETTER_AUTH_SECRET, APP_NAME on Convex
+vexpo resend                      provision Resend sending key + webhook, write to Convex env
+vexpo env push                    push .env.local + .env.prod to Convex + EAS env
+vexpo env convex-key              sync Convex deploy key + selector to EAS (post-migration fix)
+vexpo adopt                       finish a project created by `eas integrations:convex:connect`
+vexpo convex:migrate              copy server-side Convex env from another deployment
+vexpo asc:connect                 link the EAS project to its ASC app (wraps `eas integrations:asc:connect`)
 ```
 
 ## Apple
 
 ```
-vexpo apple asc-key               Validate ASC API key against /v1/apps
-vexpo apple credentials           Wraps `eas credentials:configure-build` with cached ASC env vars (skips Apple Developer login prompt)
-vexpo apple services-id           Detect SIWA Services ID + attach APPLE_ID_AUTH capability
-vexpo apple jwt                   Sign SIWA ES256 client_secret JWT (180-day expiry)
-vexpo apple jwt --rotate          Re-sign the JWT only
-vexpo apple eas-rotation-secrets  Push the 5 EAS production secrets the JWT cron needs
+vexpo apple asc-key               validate an ASC API key against /v1/apps
+vexpo apple asc-key --revalidate  re-check the cached key without re-prompting
+vexpo apple credentials           wrap `eas credentials:configure-build` with the cached ASC key
+vexpo apple services-id           detect SIWA Services ID + attach APPLE_ID_AUTH capability
+vexpo apple jwt                   sign the SIWA ES256 client_secret JWT (180-day expiry)
+vexpo apple jwt --rotate          re-sign the JWT only
+vexpo apple eas-rotation-secrets  push the 5 EAS production secrets the JWT cron needs
 ```
 
-## App Store Connect (the last mile to a first ship)
+## App Store Connect
 
-TestFlight delivery, plus the privacy and accessibility labels Apple requires before a submission clears review. `eas-cli` hands a build to TestFlight and stops there.
+Picks up after `eas submit` hands a build to TestFlight: groups, testers, release notes, plus the privacy and accessibility labels Apple requires before review.
 
 ```
-vexpo testflight groups list                 List beta groups
-vexpo testflight groups create <name>        Create a beta group
-vexpo testflight groups view <id>            View a beta group + its testers
-vexpo testflight groups delete <id>          Delete a beta group
-vexpo testflight testers list                List beta testers
-vexpo testflight invite <email>              Add a tester + send invite
-vexpo testflight whats-new <buildId> <text>  Set "What's new" notes
-
-vexpo asc:privacy show [file]                Show the declared privacy nutrition label
-vexpo asc:privacy lint <file>                Validate privacy.config.json against Apple's enums
-vexpo asc:accessibility show                 Fetch the app's accessibility declarations
-vexpo asc:accessibility lint <file>          Validate accessibility.config.json against Apple's enums
+vexpo testflight groups list                 list beta groups
+vexpo testflight groups create <name>        create a beta group
+vexpo testflight groups view <id>            view a beta group + its testers
+vexpo testflight groups delete <id>          delete a beta group
+vexpo testflight testers list                list beta testers
+vexpo testflight invite <email>              add a tester + send a TestFlight invite
+vexpo testflight whats-new <buildId> <text>  set the "What's new" notes
+
+vexpo asc:privacy show [file]                show the declared privacy.config.json
+vexpo asc:privacy lint <file>                validate privacy.config.json against Apple's enums
+vexpo asc:accessibility show                 fetch the app's accessibility declarations
+vexpo asc:accessibility lint <file>          validate accessibility.config.json against Apple's enums
 ```
 
+## Design rule: don't reinvent EAS
+
+vexpo only covers what `eas-cli` doesn't: setup orchestration, cross-source drift detection, Apple SIWA work, and the last App Store Connect mile to a first ship. If `eas <subcommand>` is the canonical answer, run `npx eas <subcommand>`.
+
 ## What `vexpo` doesn't wrap
 
-For canonical EAS surface, use `eas` directly. Wrapping these would add no value over `eas-cli` itself.
+Reach for `eas` directly for the canonical platform surface.
 
 ```bash
 npx eas init                     # EAS project init
@@ -89,26 +95,23 @@ npx eas env [...]                # env:push, env:pull, env:get, env:delete, env:
 npx eas integrations:asc [...]   # status, connect, disconnect
 ```
 
-`vexpo full` orchestrates `eas init`, `eas env:push`, `eas credentials -p ios` (via `eas credentials:configure-build`), and `eas integrations:asc:connect` internally as setup steps. Only the ASC link step is also exposed standalone as `vexpo asc:connect` (re-link without re-running `full`); the rest are setup-only. The ASC API key flows through to both wizards via `EXPO_ASC_API_KEY_PATH` / `EXPO_ASC_KEY_ID` / `EXPO_ASC_ISSUER_ID` env vars pre-set from the cached `asc-key` state. These env vars set `AppStoreApi.defaultAuthenticationMode = API_KEY` inside eas-cli, so when the wizard reaches the Apple auth step during ASC key generation, it uses our cached key instead of prompting for Apple ID + password. The manual paste step doesn't auto-fill — the wizard skips it by auto-generating the key instead.
-
-Earlier vexpo versions passed `--api-key-id <apple-key-id>` to `integrations:asc:connect`. That flag matches against EAS's uploaded key resources, not Apple-side identifiers, so it failed with `No App Store Connect API key found with Apple key identifier ...` whenever the key hadn't been uploaded to EAS yet (the common case on fresh projects). The current orchestration drops the flag and relies on the env vars + the wizard's "Create new or use existing" prompt instead.
+`vexpo full` drives `eas init`, `eas env:push`, `eas credentials`, and the ASC link internally using the cached ASC key. Only the ASC link is also standalone, as `vexpo asc:connect`.
 
 ## Architecture
 
-- Commander-based command tree in `src/cli.ts`.
-- One file per top-level command in `src/commands/`. Each exports `run<Name>(options)` returning a numeric exit code.
-- `src/lib/eas-cli.ts` is the shared shell-out helper: `easJson<T>(argv)` parses `--json --non-interactive` output, `easSpawn(argv)` forwards stdio for interactive commands, `easText(argv)` returns raw streams.
-- Built with tsup → single ESM bundle in `dist/`. Node 20+.
+Commander tree in `src/cli.ts`, one file per top-level command in `src/commands/`. `src/lib/eas-cli.ts` shells out to `eas-cli`. Built with tsup to ESM, a `cli.js` entry plus shared chunks. Node 20+.
 
 ## Apple ASC API workarounds
 
-Apple changed several ASC API behaviors after the initial CLI release. The CLI handles each one:
+Apple changed several ASC API behaviors after the initial CLI release. The CLI handles each one.
 
-- `POST /v1/bundleIds` rejects `platform: "SERVICES"`. `services-id` walks the user through manual creation in the developer portal, then re-polls.
-- App bundle IDs report `platform: "UNIVERSAL"` for newer accounts. `findOrCreateBundleId` matches any non-SERVICES platform when looking up an App ID.
-- Relationship endpoints reject `limit`. `bundleIdCapabilities.list` fetches without pagination.
-- `filter[platform]=SERVICES` returns 400. `doctor`'s `services-id-exists` check filters by identifier alone.
+- `POST /v1/bundleIds` rejects `platform: "SERVICES"`. `services-id` walks you through manual creation in the developer portal, then re-polls.
+- App bundle IDs report `platform: "UNIVERSAL"` for newer accounts. The App ID lookup matches any non-SERVICES platform.
+- Relationship endpoints reject `limit`. The capability list fetches without pagination.
+- `filter[platform]=SERVICES` returns 400. `doctor` filters by identifier alone.
 
 ## Repo
 
 [github.com/ramonclaudio/vexpo](https://github.com/ramonclaudio/vexpo)
+
+Working on the CLI itself? See [CONTRIBUTING.md](https://github.com/ramonclaudio/vexpo/blob/main/CONTRIBUTING.md).

package/dist/{chunk-PYXH4J77.js → chunk-3RDUQUJW.js}

@@ -19,19 +19,6 @@ async function detectPackageManager() {
 function dlx() {
   return process.versions.bun ? "bunx" : "npx";
 }
-function dlxFor(pm) {
-  switch (pm) {
-    case "bun":
-      return "bunx";
-    case "pnpm":
-      return "pnpm dlx";
-    case "yarn":
-      return "yarn dlx";
-    case "npm":
-    default:
-      return "npx";
-  }
-}
 function installCmdFor(pm) {
   switch (pm) {
     case "bun":
@@ -45,19 +32,6 @@ function installCmdFor(pm) {
       return "npm install";
   }
 }
-function runCmdFor(pm) {
-  switch (pm) {
-    case "bun":
-      return "bun run";
-    case "pnpm":
-      return "pnpm run";
-    case "yarn":
-      return "yarn";
-    case "npm":
-    default:
-      return "npm run";
-  }
-}
 function currentRuntime() {
   return process.versions.bun ? "bun" : "node";
 }
@@ -65,4 +39,4 @@ function currentRuntimeVersion() {
   return process.versions.bun ?? process.versions.node ?? "?";
 }
 
-export { currentRuntime, currentRuntimeVersion, detectPackageManager, dlx, dlxFor, installCmdFor, runCmdFor };
+export { currentRuntime, currentRuntimeVersion, detectPackageManager, dlx, installCmdFor };

package/dist/{chunk-QFP5R25M.js → chunk-5BTLX335.js}

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-import { spawn as spawn$1, spawnSync as spawnSync$1 } from 'child_process';
+import { spawn as spawn$1 } from 'child_process';
 
 function spawn(argv, opts = {}) {
   const stdio = opts.stdio ?? [
@@ -25,24 +25,6 @@ function spawn(argv, opts = {}) {
     kill: (signal) => proc.kill(signal)
   };
 }
-function spawnSync(argv, opts = {}) {
-  const stdio = opts.stdio ?? [
-    opts.stdin ?? "inherit",
-    opts.stdout ?? "pipe",
-    opts.stderr ?? "pipe"
-  ];
-  const result = spawnSync$1(argv[0], argv.slice(1), {
-    stdio,
-    env: opts.env ? { ...process.env, ...opts.env } : process.env,
-    cwd: opts.cwd,
-    encoding: "utf8"
-  });
-  return {
-    code: result.status ?? (result.signal ? 1 : 0),
-    stdout: typeof result.stdout === "string" ? result.stdout : "",
-    stderr: typeof result.stderr === "string" ? result.stderr : ""
-  };
-}
 async function streamText(stream) {
   if (!stream) return "";
   const chunks = [];
@@ -56,7 +38,11 @@ async function run(argv, opts = {}) {
     stdin: opts.stdin ?? "ignore",
     stdout: "pipe",
     stderr: "pipe",
-    env: opts.env,
+    // run() exists to PARSE output. A FORCE_COLOR=1 in the caller's shell
+    // (CI, recordings) makes child CLIs wrap fields in ANSI codes and every
+    // regex parser downstream silently misses. Force color off; an explicit
+    // opts.env can still override.
+    env: { FORCE_COLOR: "0", NO_COLOR: "1", ...opts.env },
     cwd: opts.cwd
   });
   const [code, stdout, stderr] = await Promise.all([
@@ -67,4 +53,4 @@ async function run(argv, opts = {}) {
   return { code, stdout, stderr };
 }
 
-export { run, spawn, spawnSync, streamText };
+export { run, spawn, streamText };

package/dist/{chunk-VOL7YISA.js → chunk-BRSFTWP2.js}

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
-import { dlx } from './chunk-PYXH4J77.js';
-import { run } from './chunk-QFP5R25M.js';
+import { dlx } from './chunk-3RDUQUJW.js';
+import { run } from './chunk-5BTLX335.js';
 
 // src/lib/eas-cli.ts
 function compact(argv) {

package/dist/cli.js

@@ -1,10 +1,10 @@
 #!/usr/bin/env node
 import { ensureLine, readOne, readAll, removeLines, ENV_FILE } from './chunk-3TT4CDAJ.js';
-import { ascStatus } from './chunk-VOL7YISA.js';
-import { dlx, detectPackageManager, installCmdFor } from './chunk-PYXH4J77.js';
-import { run, spawn } from './chunk-QFP5R25M.js';
+import { ascStatus } from './chunk-BRSFTWP2.js';
+import { dlx, detectPackageManager, installCmdFor } from './chunk-3RDUQUJW.js';
+import { run, spawn } from './chunk-5BTLX335.js';
 import { Command } from 'commander';
-import { readFile, access, writeFile, unlink, stat, mkdir, rename } from 'fs/promises';
+import { readFile, access, unlink, stat, mkdir, writeFile, rename } from 'fs/promises';
 import { createInterface } from 'readline/promises';
 import { homedir } from 'os';
 import { join } from 'path';
@@ -13,7 +13,7 @@ import { createSign } from 'crypto';
 
 // package.json
 var package_default = {
-  version: "0.1.3"};
+  version: "0.1.5"};
 function deploymentName(value) {
   if (!value) return void 0;
   const m = /^(?:dev|prod|preview):(.+)$/.exec(value);
@@ -470,7 +470,7 @@ async function askYesNo(question, defaultYes) {
   return raw === "y" || raw === "yes";
 }
 async function openUrlExternal(url) {
-  const { spawn: spawn2 } = await import('./proc-TEOPRZZ2.js');
+  const { spawn: spawn2 } = await import('./proc-L3ORJMPB.js');
   const cmd = process.platform === "darwin" ? ["open", url] : process.platform === "win32" ? ["cmd", "/c", "start", "", url] : ["xdg-open", url];
   spawn2(cmd, { stdin: "ignore", stdout: "ignore", stderr: "ignore" });
 }
@@ -1228,7 +1228,7 @@ async function ensureIdentity(localEnv) {
       ok(`wrote EXPO_PUBLIC_APP_BUNDLE_ID=${bundleId}`);
     }
   } else {
-    nop(`EXPO_PUBLIC_APP_BUNDLE_ID already set (${bundleId})`);
+    ok(`EXPO_PUBLIC_APP_BUNDLE_ID=${bundleId} (from .env.local); syncing to Convex`);
   }
   if (!haveTeam) {
     if (!process.stdin.isTTY) {
@@ -1829,13 +1829,6 @@ function makeAscClient(creds) {
         };
         const res = await request("POST", "/v1/bundleIds", body);
         return res.data;
-      },
-      async get(id) {
-        const res = await request("GET", `/v1/bundleIds/${id}`);
-        return res.data;
-      },
-      async delete(id) {
-        await request("DELETE", `/v1/bundleIds/${id}`);
       }
     },
     bundleIdCapabilities: {
@@ -1864,80 +1857,17 @@ function makeAscClient(creds) {
           body
         );
         return res.data;
-      },
-      async delete(id) {
-        await request("DELETE", `/v1/bundleIdCapabilities/${id}`);
       }
     },
     apps: {
-      async list() {
-        return paginatedList("/v1/apps");
-      },
-      async get(id) {
-        const res = await request("GET", `/v1/apps/${id}`);
-        return res.data;
-      }
-    },
-    certificates: {
       async list(filter) {
         const query = {};
-        if (filter?.certificateType) query["filter[certificateType]"] = filter.certificateType;
-        return paginatedList("/v1/certificates", query);
-      },
-      async create(args) {
-        const body = {
-          data: {
-            type: "certificates",
-            attributes: {
-              csrContent: args.csrContent,
-              certificateType: args.certificateType
-            }
-          }
-        };
-        const res = await request("POST", "/v1/certificates", body);
-        return res.data;
+        if (filter?.bundleId) query["filter[bundleId]"] = filter.bundleId;
+        return paginatedList("/v1/apps", query);
       },
-      async delete(id) {
-        await request("DELETE", `/v1/certificates/${id}`);
-      }
-    },
-    profiles: {
-      async list(filter) {
-        const query = {};
-        if (filter?.profileType) query["filter[profileType]"] = filter.profileType;
-        if (filter?.name) query["filter[name]"] = filter.name;
-        return paginatedList("/v1/profiles", query);
-      },
-      async create(args) {
-        const body = {
-          data: {
-            type: "profiles",
-            attributes: { name: args.name, profileType: args.profileType },
-            relationships: {
-              bundleId: { data: { type: "bundleIds", id: args.bundleIdResourceId } },
-              certificates: {
-                data: args.certificateIds.map((id) => ({ type: "certificates", id }))
-              },
-              ...args.deviceIds && args.deviceIds.length > 0 ? {
-                devices: {
-                  data: args.deviceIds.map((id) => ({ type: "devices", id }))
-                }
-              } : {}
-            }
-          }
-        };
-        const res = await request("POST", "/v1/profiles", body);
+      async get(id) {
+        const res = await request("GET", `/v1/apps/${id}`);
         return res.data;
-      },
-      async delete(id) {
-        await request("DELETE", `/v1/profiles/${id}`);
-      }
-    },
-    devices: {
-      async list(filter) {
-        const query = {};
-        if (filter?.status) query["filter[status]"] = filter.status;
-        return paginatedList("/v1/devices", query);
       }
     }
   };
@@ -2367,6 +2297,36 @@ async function runServicesId(options2) {
     return 1;
   }
 }
+async function loadAscCreds2() {
+  const state = await load();
+  const rec = state.steps["asc-key"];
+  if (!rec?.outputs) return null;
+  const out = rec.outputs;
+  const issuerId = out.issuerId;
+  const keyId = out.keyId;
+  const rawPath = out.p8Path;
+  if (!issuerId || !keyId || !rawPath) return null;
+  const p8Path = expandTilde(rawPath);
+  if (!existsSync(p8Path)) return null;
+  return { issuerId, keyId, privateKey: { path: p8Path } };
+}
+async function ascBootstrap() {
+  const creds = await loadAscCreds2();
+  if (!creds) {
+    throw new Error("no cached ASC creds. run `vexpo apple asc-key` first");
+  }
+  const client = makeAscClient(creds);
+  const bundleId = await readOne("EXPO_PUBLIC_APP_BUNDLE_ID") ?? await readOne("APP_BUNDLE_ID") ?? void 0;
+  let ascAppId;
+  if (bundleId) {
+    try {
+      const apps = await client.paginatedList("/v1/apps", { "filter[bundleId]": bundleId }, 5);
+      ascAppId = apps[0]?.id;
+    } catch {
+    }
+  }
+  return { client, bundleId, ascAppId, creds };
+}
 
 // src/lib/eas-submit.ts
 function isObject(value) {
@@ -2402,6 +2362,16 @@ function withAscAppId(easJson, ascAppId) {
 }
 
 // src/commands/asc.ts
+async function ascAppExists(bundleId) {
+  const creds = await loadAscCreds2();
+  if (!creds) return "unknown";
+  try {
+    const apps = await makeAscClient(creds).apps.list({ bundleId });
+    return apps.length > 0 ? "proceed" : "defer";
+  } catch {
+    return "unknown";
+  }
+}
 async function loadAscFromState2() {
   const state = await load();
   const rec = state.steps["asc-key"];
@@ -2415,6 +2385,23 @@ async function loadAscFromState2() {
   if (!existsSync(p8Path)) return null;
   return { issuerId, keyId, p8Path };
 }
+async function syncAscAppIdToEasJson(ascAppId) {
+  if (!ascAppId || !existsSync("eas.json")) return;
+  try {
+    const before = await readFile("eas.json", "utf8");
+    const after = withAscAppId(before, ascAppId);
+    if (after !== before) {
+      await writeFile("eas.json", after);
+      ok(`wrote ascAppId ${BOLD}${ascAppId}${RESET} to eas.json submit profiles`);
+      note("commit this in your fork: non-interactive `eas submit` (CI) needs it");
+    } else {
+      nop("eas.json submit profiles already carry ascAppId");
+    }
+  } catch (err) {
+    yep(`couldn't write ascAppId to eas.json: ${err instanceof Error ? err.message : err}`);
+    note("non-interactive submit will need `ascAppId` set manually in eas.json");
+  }
+}
 async function runAscConnect(opts = {}) {
   section("ASC connect");
   if (!opts.force) {
@@ -2429,6 +2416,7 @@ async function runAscConnect(opts = {}) {
           bundleId: status.appStoreConnectApp.bundleIdentifier,
           connectedAt: (/* @__PURE__ */ new Date()).toISOString()
         });
+        await syncAscAppIdToEasJson(status.appStoreConnectApp.ascAppIdentifier);
         return 0;
       }
     } catch {
@@ -2449,6 +2437,15 @@ async function runAscConnect(opts = {}) {
     return 1;
   }
   ok(`bundle id: ${BOLD}${bundleId}${RESET}`);
+  if (await ascAppExists(bundleId) === "defer") {
+    yep("no App Store Connect app record for this bundle id yet, NOT connected");
+    note("the ASC app record only appears after the first `eas submit`. run:");
+    note(
+      `  ${BOLD}npx eas build -p ios --profile production --auto-submit-with-profile testflight${RESET}`
+    );
+    note("then re-run `npx vexpo asc:connect` to finish the EAS\u2194ASC link");
+    return 0;
+  }
   if (!process.stdin.isTTY) {
     bad("ASC connect needs a TTY: eas integrations:asc:connect can't run headless");
     note("run `vexpo asc:connect` in an interactive terminal to finish the EAS\u2194ASC link");
@@ -2485,55 +2482,15 @@ async function runAscConnect(opts = {}) {
     connectedAt: (/* @__PURE__ */ new Date()).toISOString()
   });
   if (existsSync("eas.json")) {
+    let postStatus = null;
     try {
-      const ascAppId = (await ascStatus()).appStoreConnectApp?.ascAppIdentifier;
-      if (ascAppId) {
-        const before = await readFile("eas.json", "utf8");
-        const after = withAscAppId(before, ascAppId);
-        if (after !== before) {
-          await writeFile("eas.json", after);
-          ok(`wrote ascAppId ${BOLD}${ascAppId}${RESET} to eas.json submit profiles`);
-          note("commit this in your fork: non-interactive `eas submit` (CI) needs it");
-        } else {
-          nop("eas.json submit profiles already carry ascAppId");
-        }
-      }
-    } catch (err) {
-      yep(`couldn't write ascAppId to eas.json: ${err instanceof Error ? err.message : err}`);
-      note("non-interactive submit will need `ascAppId` set manually in eas.json");
-    }
-  }
-  return 0;
-}
-async function loadAscCreds2() {
-  const state = await load();
-  const rec = state.steps["asc-key"];
-  if (!rec?.outputs) return null;
-  const out = rec.outputs;
-  const issuerId = out.issuerId;
-  const keyId = out.keyId;
-  const rawPath = out.p8Path;
-  if (!issuerId || !keyId || !rawPath) return null;
-  const p8Path = expandTilde(rawPath);
-  if (!existsSync(p8Path)) return null;
-  return { issuerId, keyId, privateKey: { path: p8Path } };
-}
-async function ascBootstrap() {
-  const creds = await loadAscCreds2();
-  if (!creds) {
-    throw new Error("no cached ASC creds. run `vexpo apple asc-key` first");
-  }
-  const client = makeAscClient(creds);
-  const bundleId = await readOne("EXPO_PUBLIC_APP_BUNDLE_ID") ?? await readOne("APP_BUNDLE_ID") ?? void 0;
-  let ascAppId;
-  if (bundleId) {
-    try {
-      const apps = await client.paginatedList("/v1/apps", { "filter[bundleId]": bundleId }, 5);
-      ascAppId = apps[0]?.id;
+      postStatus = await ascStatus();
     } catch {
+      postStatus = null;
     }
+    await syncAscAppIdToEasJson(postStatus?.appStoreConnectApp?.ascAppIdentifier);
   }
-  return { client, bundleId, ascAppId, creds };
+  return 0;
 }
 
 // src/lib/asc-accessibility.ts
@@ -3167,6 +3124,9 @@ var ROUTING = {
   RESEND_TEST_MODE: {
     routes: (c) => [{ type: "convex", key: "RESEND_TEST_MODE", channel: c }]
   },
+  REQUIRE_EMAIL_VERIFICATION: {
+    routes: (c) => [{ type: "convex", key: "REQUIRE_EMAIL_VERIFICATION", channel: c }]
+  },
   APP_BUNDLE_ID: { routes: (c) => [{ type: "convex", key: "APP_BUNDLE_ID", channel: c }] },
   APPLE_CLIENT_ID: { routes: (c) => [{ type: "convex", key: "APPLE_CLIENT_ID", channel: c }] },
   APPLE_CLIENT_SECRET: {
@@ -3934,7 +3894,7 @@ async function verifyEas(ctx) {
             "eas",
             "asc-submit-id",
             `submit profile${missing.length === 1 ? "" : "s"} ${missing.join(", ")} missing ascAppId`,
-            "run `vexpo asc` to write it; non-interactive `eas submit` (CI) fails without it"
+            "run `vexpo asc:connect` to write it; non-interactive `eas submit` (CI) fails without it"
           )
         );
       } else if (existsSync("eas.json")) {
@@ -4078,7 +4038,7 @@ async function readContext(channel) {
         () => /* @__PURE__ */ new Map()
       ) : Promise.resolve(/* @__PURE__ */ new Map()),
       readAppConfigFacts(),
-      loadAscCreds3()
+      loadAscCreds2()
     ]
   );
   return {
@@ -4111,21 +4071,6 @@ async function readAppConfigFacts() {
     return {};
   }
 }
-async function loadAscCreds3() {
-  try {
-    const state = await load();
-    const rec = state.steps["asc-key"];
-    if (!rec?.outputs) return null;
-    const out = rec.outputs;
-    const issuerId = out.issuerId;
-    const keyId = out.keyId;
-    const p8Path = out.p8Path;
-    if (!issuerId || !keyId || !p8Path) return null;
-    return { issuerId, keyId, privateKey: { path: p8Path } };
-  } catch {
-    return null;
-  }
-}
 async function verifyAll(ctx) {
   const [files, convex, resend, apple2, eas] = await Promise.all([
     Promise.resolve(verifyFiles(ctx)),
@@ -4170,10 +4115,25 @@ function icon(severity) {
       return `${DIM}-${RESET}`;
   }
 }
+var REDACTIONS = [
+  [/https?:\/\/[a-z0-9-]+\.convex\.(cloud|site)[^\s]*/g, "https://<deployment>.convex.$1"],
+  [/\b[a-z]+-[a-z]+-\d{3}\b/g, "<deployment>"],
+  [/\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b/gi, "<project-id>"],
+  [/\b[\w.+-]+@[\w-]+\.[\w.]+\b/g, "<email>"],
+  [/\b(?:[a-z0-9-]+\.){1,}[a-z]{2,}\b(?= verified)/g, "<domain>"],
+  [/\b(?:com|io|dev|app|net|org)(?:\.[a-z0-9-]+){2,}\b/gi, "<bundle-id>"],
+  [/\b[A-Z0-9]{10}\b/g, "<id>"],
+  [/(@)[\w-]+(\/)/g, "$1<owner>$2"]
+];
+function redactValue(text) {
+  let out = text;
+  for (const [re, sub] of REDACTIONS) out = out.replace(re, sub);
+  return out;
+}
 function categoryHeader(c) {
   return c.charAt(0).toUpperCase() + c.slice(1);
 }
-function printResults(checks) {
+function printResults(checks, redact) {
   const byCategory = /* @__PURE__ */ new Map();
   for (const c of checks) {
     if (!byCategory.has(c.category)) byCategory.set(c.category, []);
@@ -4186,8 +4146,9 @@ function printResults(checks) {
     section(categoryHeader(cat));
     const w = Math.max(...items.map((c) => c.name.length));
     for (const c of items) {
-      line(`  ${icon(c.severity)} ${BOLD}${c.name.padEnd(w)}${RESET}  ${c.message}`);
-      if (c.details) line(`       ${DIM}${c.details}${RESET}`);
+      const message = redact ? redactValue(c.message) : c.message;
+      line(`  ${icon(c.severity)} ${BOLD}${c.name.padEnd(w)}${RESET}  ${message}`);
+      if (c.details) line(`       ${DIM}${redact ? redactValue(c.details) : c.details}${RESET}`);
     }
   }
 }
@@ -4222,7 +4183,7 @@ async function runDoctor(options2) {
       process.stdout.write(JSON.stringify({ channel, summary, checks }, null, 2) + "\n");
     } else {
       section(`Verify (${channel})`);
-      printResults(checks);
+      printResults(checks, options2.redact === true);
       line();
       const parts = [
         `${GREEN}${summary.ok} ok${RESET}`,
@@ -4606,7 +4567,6 @@ async function runEnvPush(options2) {
       return 2;
     }
     ok("nothing to do. all source values match destinations");
-    await recordStep("accounts", { mode: "lite", verifiedAt: (/* @__PURE__ */ new Date()).toISOString() });
     return 0;
   }
   const prodConvexWrites = entries.some(
@@ -4651,12 +4611,6 @@ async function runEnvPush(options2) {
     return 1;
   }
   ok(`${appliedTotal} value${appliedTotal === 1 ? "" : "s"} synced`);
-  await recordStep("accounts", {
-    mode: "lite",
-    syncedAt: (/* @__PURE__ */ new Date()).toISOString(),
-    sources: sources.map((s) => ({ path: s.path, channel: s.channel, keys: s.entries.size })),
-    applied: appliedTotal
-  });
   if (!options2.noVerify) {
     const haveProd = sources.some((s) => s.channel === "prod");
     const verifyChannels = haveProd ? ["dev", "prod"] : ["dev"];
@@ -4716,19 +4670,21 @@ function bundleSlug(value) {
   return value.toLowerCase().normalize("NFKD").replace(/[̀-ͯ]/g, "").replace(/[^a-z0-9]+/g, "").slice(0, 32);
 }
 async function promptInputs(overrides) {
-  if (!process.stdin.isTTY) fail("rebrand wizard needs a TTY");
-  line();
-  note(
-    `${DIM}4 prompts. Everything else is derived. Override any with flags or edit later.${RESET}`
-  );
-  line();
-  const appName2 = overrides.appName ?? (await ask(`  ${BOLD}App name${RESET} ${DIM}(e.g. Foobar)${RESET} > `)).trim();
+  const interactive = process.stdin.isTTY === true;
+  if (interactive) {
+    line();
+    note(
+      `${DIM}4 prompts. Everything else is derived. Override any with flags or edit later.${RESET}`
+    );
+    line();
+  }
+  const appName2 = overrides.appName ?? (interactive ? (await ask(`  ${BOLD}App name${RESET} ${DIM}(e.g. Foobar)${RESET} > `)).trim() : "");
   if (!appName2) fail("app name required");
   const defaultPkg = slug(appName2);
   const bundleHint = `com.${slug(appName2).replace(/-/g, "")}.${bundleSlug(defaultPkg)}`;
-  const bundleId = overrides.bundleId ?? ((await ask(`  ${BOLD}Bundle ID${RESET} ${DIM}[${bundleHint}]${RESET} > `)).trim() || bundleHint);
-  const ownerName = overrides.ownerName ?? ((await ask(`  ${BOLD}Your name${RESET} > `)).trim() || "Owner");
-  const reviewEmail = overrides.reviewEmail ?? (await ask(`  ${BOLD}Apple review contact email${RESET} > `)).trim();
+  const bundleId = overrides.bundleId ?? (interactive ? (await ask(`  ${BOLD}Bundle ID${RESET} ${DIM}[${bundleHint}]${RESET} > `)).trim() || bundleHint : bundleHint);
+  const ownerName = overrides.ownerName ?? (interactive ? (await ask(`  ${BOLD}Your name${RESET} > `)).trim() || "Owner" : "Owner");
+  const reviewEmail = overrides.reviewEmail ?? (interactive ? (await ask(`  ${BOLD}Apple review contact email${RESET} > `)).trim() : "");
   if (!reviewEmail) fail("review email required");
   const packageName = overrides.packageName ?? defaultPkg;
   const scheme2 = overrides.scheme ?? bundleSlug(packageName);
@@ -4759,6 +4715,20 @@ async function promptInputs(overrides) {
     expoOwner
   };
 }
+async function syncBundleId(bundleId) {
+  const env2 = await readAll();
+  const current = env2.get("EXPO_PUBLIC_APP_BUNDLE_ID");
+  if (current === bundleId) return;
+  if (current !== void 0) await removeLines(["EXPO_PUBLIC_APP_BUNDLE_ID"]);
+  await ensureLine("EXPO_PUBLIC_APP_BUNDLE_ID", bundleId);
+  ok(`wrote EXPO_PUBLIC_APP_BUNDLE_ID=${bundleId} to .env.local`);
+  if (env2.has("CONVEX_DEPLOYMENT")) {
+    await envSet("APP_BUNDLE_ID", bundleId);
+    ok(`Convex env: APP_BUNDLE_ID=${bundleId}`);
+  } else {
+    note("no Convex deployment yet; the next `vexpo convex` run carries APP_BUNDLE_ID");
+  }
+}
 async function backup(files, stamp) {
   const dir = `.rebrand-backup/${stamp}`;
   await mkdir(dir, { recursive: true });
@@ -4960,6 +4930,7 @@ async function runRebrand(options2) {
     await rewriteAppJson();
     await rewritePackageJson(inputs);
     await rewriteStoreConfig(inputs);
+    await syncBundleId(inputs.bundleId);
     if (inputs.expoOwner) {
       await ensureLine("EXPO_PUBLIC_EXPO_OWNER", inputs.expoOwner);
       ok(`wrote EXPO_PUBLIC_EXPO_OWNER=${inputs.expoOwner} to .env.local`);
@@ -5337,67 +5308,63 @@ async function runEas(options2) {
       ok(`signed in as ${BOLD}${who}${RESET}`);
     }
     let projectId = await resolveProjectId();
-    if (!options2.skipInit) {
-      if (projectId) {
-        ok(`EAS project linked: ${projectId}`);
-      } else {
-        const result = await init();
-        if (!result.ok) {
-          bad("eas init failed");
-          return 1;
+    if (projectId) {
+      ok(`EAS project linked: ${projectId}`);
+    } else {
+      const result = await init();
+      if (!result.ok) {
+        bad("eas init failed");
+        return 1;
+      }
+      projectId = result.projectId ?? null;
+      ok(`EAS project created: ${projectId}`);
+    }
+    const channels = ["development", "preview", "production"];
+    const createdChannels = await ensureChannels(channels);
+    if (createdChannels.length > 0) ok(`channels created: ${createdChannels.join(", ")}`);
+    else nop(`channels already exist (${channels.join(", ")})`);
+    const branches = ["development", "preview", "production"];
+    const createdBranches = await ensureBranches(branches);
+    if (createdBranches.length > 0) ok(`branches created: ${createdBranches.join(", ")}`);
+    else nop(`branches already exist (${branches.join(", ")})`);
+    if (await fileExists7(".env.local")) {
+      try {
+        const pushed = await pushEasRoutedKeys(".env.local", ["development"]);
+        if (pushed.length > 0) {
+          ok(
+            `pushed ${pushed.length} EXPO_PUBLIC_* var${pushed.length === 1 ? "" : "s"} \u2192 EAS env (development)`
+          );
+        } else {
+          nop(".env.local has no EAS-routed keys yet (run `vexpo convex` first)");
         }
-        projectId = result.projectId ?? null;
-        ok(`EAS project created: ${projectId}`);
+      } catch (err) {
+        bad(err instanceof Error ? err.message : String(err));
       }
-      const channels = ["development", "preview", "production"];
-      const createdChannels = await ensureChannels(channels);
-      if (createdChannels.length > 0) ok(`channels created: ${createdChannels.join(", ")}`);
-      else nop(`channels already exist (${channels.join(", ")})`);
-      const branches = ["development", "preview", "production"];
-      const createdBranches = await ensureBranches(branches);
-      if (createdBranches.length > 0) ok(`branches created: ${createdBranches.join(", ")}`);
-      else nop(`branches already exist (${branches.join(", ")})`);
-    }
-    if (!options2.skipEnv) {
-      if (await fileExists7(".env.local")) {
+    } else {
+      nop(".env.local missing. skipping development env push (run `vexpo convex` first)");
+    }
+    if (options2.withProd) {
+      const prodFile = await fileExists7(".env.prod") ? ".env.prod" : await fileExists7(".env.production") ? ".env.production" : null;
+      if (prodFile) {
         try {
-          const pushed = await pushEasRoutedKeys(".env.local", ["development"]);
+          const pushed = await pushEasRoutedKeys(prodFile, ["production", "preview"]);
           if (pushed.length > 0) {
             ok(
-              `pushed ${pushed.length} EXPO_PUBLIC_* var${pushed.length === 1 ? "" : "s"} \u2192 EAS env (development)`
+              `pushed ${pushed.length} EXPO_PUBLIC_* var${pushed.length === 1 ? "" : "s"} \u2192 EAS env (production, preview)`
             );
           } else {
-            nop(".env.local has no EAS-routed keys yet (run `vexpo convex` first)");
+            nop(`${prodFile} has no EAS-routed keys`);
           }
         } catch (err) {
           bad(err instanceof Error ? err.message : String(err));
         }
       } else {
-        nop(".env.local missing. skipping development env push (run `vexpo convex` first)");
+        nop("--with-prod set but no .env.prod or .env.production found");
       }
-      if (options2.withProd) {
-        const prodFile = await fileExists7(".env.prod") ? ".env.prod" : await fileExists7(".env.production") ? ".env.production" : null;
-        if (prodFile) {
-          try {
-            const pushed = await pushEasRoutedKeys(prodFile, ["production", "preview"]);
-            if (pushed.length > 0) {
-              ok(
-                `pushed ${pushed.length} EXPO_PUBLIC_* var${pushed.length === 1 ? "" : "s"} \u2192 EAS env (production, preview)`
-              );
-            } else {
-              nop(`${prodFile} has no EAS-routed keys`);
-            }
-          } catch (err) {
-            bad(err instanceof Error ? err.message : String(err));
-          }
-        } else {
-          nop("--with-prod set but no .env.prod or .env.production found");
-        }
-      }
-      note(
-        `server-side secrets route to Convex, not EAS. run ${BOLD}vexpo env push${RESET} to sync those`
-      );
     }
+    note(
+      `server-side secrets route to Convex, not EAS. run ${BOLD}vexpo env push${RESET} to sync those`
+    );
     if (projectId) {
       await recordStep("eas", {
         projectId,
@@ -5556,7 +5523,7 @@ async function liveCheckEas() {
 }
 async function liveCheckAscLink() {
   try {
-    const { ascStatus: ascStatus2 } = await import('./eas-integrations-2QVR45NE.js');
+    const { ascStatus: ascStatus2 } = await import('./eas-integrations-ZULIUD4T.js');
     const status = await ascStatus2();
     return status.status === "connected";
   } catch {
@@ -5575,16 +5542,20 @@ async function liveCheckRotationSecrets() {
     "CONVEX_DEPLOY_KEY"
   ].every((k) => eas.has(k));
 }
+var LOCAL_ENV_LITE_CORE = [
+  "CONVEX_DEPLOYMENT",
+  "EXPO_PUBLIC_CONVEX_URL",
+  "EXPO_PUBLIC_CONVEX_SITE_URL",
+  "EXPO_PUBLIC_SITE_URL",
+  "EXPO_PUBLIC_APP_BUNDLE_ID"
+];
+var LOCAL_ENV_TEAM_ID = "EXPO_PUBLIC_APPLE_TEAM_ID";
+function classifyLocalEnv(env2) {
+  if (!LOCAL_ENV_LITE_CORE.every((k) => env2.has(k))) return "missing";
+  return env2.has(LOCAL_ENV_TEAM_ID) ? "ok" : "partial";
+}
 async function liveCheckLocalEnv() {
-  const env2 = await readAll();
-  return [
-    "CONVEX_DEPLOYMENT",
-    "EXPO_PUBLIC_CONVEX_URL",
-    "EXPO_PUBLIC_CONVEX_SITE_URL",
-    "EXPO_PUBLIC_SITE_URL",
-    "EXPO_PUBLIC_APP_BUNDLE_ID",
-    "EXPO_PUBLIC_APPLE_TEAM_ID"
-  ].every((k) => env2.has(k));
+  return classifyLocalEnv(await readAll());
 }
 async function stepPrerequisites() {
   section("Prerequisites");
@@ -5605,12 +5576,17 @@ async function stepPrerequisites() {
 async function stepProbe() {
   section("Probe");
   const installOk = await nodeModulesPresent();
-  const localOk = await liveCheckLocalEnv();
-  const convex = localOk ? await envMap() : /* @__PURE__ */ new Map();
+  const localEnvState = await liveCheckLocalEnv();
+  const convexLive = localEnvState !== "missing";
+  const convex = convexLive ? await envMap() : /* @__PURE__ */ new Map();
   const rows = /* @__PURE__ */ new Map();
   rows.set("accounts", await shouldRun("accounts", async () => true));
   rows.set("rebrand", await shouldRun("rebrand", async () => false));
-  rows.set("convex", { step: "convex", label: "convex", status: localOk ? "live" : "missing" });
+  rows.set("convex", {
+    step: "convex",
+    label: "convex",
+    status: convexLive ? "live" : "missing"
+  });
   rows.set("better-auth", await shouldRun("better-auth", () => liveCheckBetterAuth(convex)));
   rows.set("resend", await shouldRun("resend", () => liveCheckResend(convex)));
   rows.set("asc-key", await shouldRun("asc-key", async () => false));
@@ -5631,9 +5607,8 @@ async function stepProbe() {
   line(
     `  ${BOLD}${"node_modules".padEnd(w)}${RESET}  ${installOk ? `${GREEN}ok${RESET}` : `${RED}missing${RESET}`}`
   );
-  line(
-    `  ${BOLD}${".env.local".padEnd(w)}${RESET}  ${localOk ? `${GREEN}ok${RESET}` : `${RED}missing${RESET}`}`
-  );
+  const localEnvMark = localEnvState === "ok" ? `${GREEN}ok${RESET}` : localEnvState === "partial" ? `${YELLOW}partial (lite)${RESET}` : `${RED}missing${RESET}`;
+  line(`  ${BOLD}${".env.local".padEnd(w)}${RESET}  ${localEnvMark}`);
   for (const [key, row] of rows) {
     const label = key === "convex" ? "Convex / .env.local" : key === "better-auth" ? "Better Auth" : key === "resend" ? "Resend" : key === "asc-key" ? "ASC API key" : key === "apple-services-id" ? "Sign In Services ID" : key === "apple-sign-in" ? "Sign In JWT" : key === "apple-credentials" ? "EAS iOS credentials" : key === "apple-asc-link" ? "EAS \u2194 ASC link" : key === "apple-eas-rotation-secrets" ? "EAS rotation secrets" : key === "eas" ? "EAS project + env" : key === "rebrand" ? "Rebrand" : key === "accounts" ? "Accounts" : key;
     line(`  ${BOLD}${label.padEnd(w)}${RESET}  ${mark(row.status)}`);
@@ -5643,7 +5618,7 @@ async function stepProbe() {
   );
   const needs = /* @__PURE__ */ new Map();
   for (const [k, row] of rows) needs.set(k, row.status === "missing");
-  return { rows, needs, install: !installOk, localEnv: localOk };
+  return { rows, needs, install: !installOk, localEnv: localEnvState };
 }
 async function describePhase(step, probe) {
   const status = probe.rows.get(step)?.status;
@@ -6096,13 +6071,13 @@ async function runStep(name, state) {
   }
   if (state) completed.push(state);
 }
-async function maybeRunStep(name, prompt, state) {
+async function maybeRunStep(name, prompt, state, defaultYes = true) {
   if (!process.stdin.isTTY) {
     nop(`non-TTY: skipping ${name} (run \`${name}\` later)`);
     if (state) skipped.push(state);
     return;
   }
-  if (!await askYesNo(prompt, true)) {
+  if (!await askYesNo(prompt, defaultYes)) {
     nop(`skipped ${name} (run \`${name}\` later)`);
     if (state) skipped.push(state);
     return;
@@ -6124,7 +6099,7 @@ function printShipNextSteps() {
 }
 async function stepExpoDoctor() {
   section("expo-doctor");
-  const { dlx: dlx2 } = await import('./pkg-manager-PU7UPAID.js');
+  const { dlx: dlx2 } = await import('./pkg-manager-DOOC6W2C.js');
   const { code, stdout, stderr } = await run([dlx2(), "expo-doctor"]);
   if (stdout.trim()) process.stderr.write(stdout);
   if (stderr.trim()) process.stderr.write(stderr);
@@ -6370,8 +6345,9 @@ async function runSetup(opts) {
         nop("vexpo apple services-id cached");
       }
       const status = probe.rows.get("apple-sign-in")?.status;
-      const prompt = status === "live" || status === "cached" ? "Apple Sign In is configured, rotate the JWT now?" : "Sign the Apple Sign In JWT now?";
-      await maybeRunStep("vexpo apple jwt", prompt, "apple-sign-in");
+      const healthy = status === "live" || status === "cached";
+      const prompt = healthy ? "Apple Sign In is configured, rotate the JWT now?" : "Sign the Apple Sign In JWT now?";
+      await maybeRunStep("vexpo apple jwt", prompt, "apple-sign-in", !healthy);
       if (options.force || probe.needs.get("apple-eas-rotation-secrets")) {
         await maybeRunStep(
           "vexpo apple eas-rotation-secrets",
@@ -6488,7 +6464,7 @@ program.command("rebrand").description("Replace template defaults with your fork
 program.command("review-account").description("Seed the App Review demo account on Convex.").option("--email <email>", "override demo email").option("--password <password>", "override demo password").option("--name <name>", "override demo display name", "App Review").option("--username <username>", "optional username").action((options2) => exitWith(runReviewAccount(options2)));
 program.command("doctor").description(
   "Cross-source drift detection. Auth-checks every credential, confirms IDs match across `.env.local`, Convex env, EAS env, `app.config.ts`. No eas-cli equivalent."
-).option("--channel <channel>", "dev | prod", "dev").option("--json", "machine-readable output", false).option("--strict", "exit non-zero on any warn", false).action((options2) => {
+).option("--channel <channel>", "dev | prod", "dev").option("--json", "machine-readable output", false).option("--strict", "exit non-zero on any warn", false).option("--redact", "mask identifying values (for screenshots and issue reports)", false).action((options2) => {
   exitWith(runDoctor(options2));
 });
 program.command("adopt").description(

package/dist/eas-integrations-ZULIUD4T.js

@@ -0,0 +1,4 @@
+#!/usr/bin/env node
+export { ascStatus } from './chunk-BRSFTWP2.js';
+import './chunk-3RDUQUJW.js';
+import './chunk-5BTLX335.js';

package/dist/{pkg-manager-PU7UPAID.js → pkg-manager-DOOC6W2C.js}

@@ -1,2 +1,2 @@
 #!/usr/bin/env node
-export { currentRuntime, currentRuntimeVersion, detectPackageManager, dlx, dlxFor, installCmdFor, runCmdFor } from './chunk-PYXH4J77.js';
+export { currentRuntime, currentRuntimeVersion, detectPackageManager, dlx, installCmdFor } from './chunk-3RDUQUJW.js';

package/dist/proc-L3ORJMPB.js

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export { run, spawn, streamText } from './chunk-5BTLX335.js';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ramonclaudio/vexpo",
-  "version": "0.1.3",
+  "version": "0.1.5",
   "description": "Operational CLI for vexpo projects: setup orchestration, drift detection, env sync, Apple JWT signing, ASC API integration.",
   "keywords": [
     "apple-sign-in",

package/dist/eas-integrations-2QVR45NE.js

@@ -1,4 +0,0 @@
-#!/usr/bin/env node
-export { ascStatus } from './chunk-VOL7YISA.js';
-import './chunk-PYXH4J77.js';
-import './chunk-QFP5R25M.js';

package/dist/proc-TEOPRZZ2.js

@@ -1,2 +0,0 @@
-#!/usr/bin/env node
-export { run, spawn, spawnSync, streamText } from './chunk-QFP5R25M.js';